Vulnerability Summary for the Week of July 16, 2012

Released
Jul 23, 2012
Document ID
SB12-205

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

Primary
Vendor -- Product		DescriptionPublished CVSS ScoreSource & Patch Info
cisco -- linksys_playerpt_activex_controlStack-based buffer overflow in the SetSource method in the Cisco Linksys PlayerPT ActiveX control 1.0.0.15 in PlayerPT.ocx on the Cisco WVC200 Wireless-G PTZ Internet video camera allows remote attackers to execute arbitrary code via a long URL in the first argument (aka the sURL argument).2012-07-199.3CVE-2012-0284
curtis_galloway -- libexifBuffer overflow in the exif_entry_format_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image.2012-07-137.5CVE-2012-2814
curtis_galloway -- libexifOff-by-one error in the exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image.2012-07-137.5CVE-2012-2840
curtis_galloway -- libexifInteger underflow in the exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 might allow remote attackers to execute arbitrary code via vectors involving a crafted buffer-size parameter during the formatting of an EXIF tag, leading to a heap-based buffer overflow.2012-07-137.5CVE-2012-2841
eucalyptus -- eucalyptusThe Walrus service in Eucalyptus 2.0.3 and 3.0.x before 3.0.2 allows remote attackers to gain administrator privileges via a crafted REST request.2012-07-177.5CVE-2012-3240
eucalyptus -- eucalyptusThe VMware Broker in Eucalyptus 2.0.3 and 3.0.x before 3.0.2 does not properly authenticate SOAP requests, which allows remote attackers to execute arbitrary VMware Broker API commands.2012-07-177.5CVE-2012-3241
florian_weber -- spacesThe Spaces module 6.x-3.x before 6.x-3.4 for Drupal does not enforce permissions on non-object pages, which allows remote attackers to obtain sensitive information and possibly have other impacts via unspecified vectors to the (1) Spaces or (2) Spaces OG module.2012-07-187.5CVE-2012-2303
johnsoncontrols -- network_controllerThe Johnson Controls CK721-A controller with firmware before SSM4388_03.1.0.14_BB allows remote attackers to perform arbitrary actions via crafted packets to TCP port 41014 (aka the download port).2012-07-167.5CVE-2012-2607
moodle -- moodlelib/formslib.php in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 does not properly handle multiple instances of a form element, which has unspecified impact and remote attack vectors.2012-07-177.5CVE-2012-0801
mozilla -- firefoxMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.2012-07-189.3CVE-2012-1948
mozilla -- firefoxMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.2012-07-189.3CVE-2012-1949
mozilla -- firefoxUse-after-free vulnerability in the nsSMILTimeValueSpec::IsEventBased function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code by interacting with objects used for SMIL Timing.2012-07-1810.0CVE-2012-1951
mozilla -- firefoxThe nsTableFrame::InsertFrames function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly perform a cast of a frame variable during processing of mixed row-group and column-group frames, which might allow remote attackers to execute arbitrary code via a crafted web site.2012-07-189.3CVE-2012-1952
mozilla -- firefoxThe ElementAnimations::EnsureStyleRuleFor function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (buffer over-read, incorrect pointer dereference, and heap-based buffer overflow) or possibly execute arbitrary code via a crafted web site.2012-07-189.3CVE-2012-1953
mozilla -- firefoxUse-after-free vulnerability in the nsDocument::AdoptNode function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via vectors involving multiple adoptions and empty documents.2012-07-1810.0CVE-2012-1954
mozilla -- firefoxUse-after-free vulnerability in the nsGlobalWindow::PageHidden function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 might allow remote attackers to execute arbitrary code via vectors related to focused content.2012-07-189.3CVE-2012-1958
mozilla -- firefoxUse-after-free vulnerability in the JSDependentString::undepend function in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via vectors involving strings with multiple dependencies.2012-07-1810.0CVE-2012-1962
mozilla -- firefoxMozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not properly implement the JavaScript sandbox utility, which allows remote attackers to execute arbitrary JavaScript code with improper privileges via a javascript: URL.2012-07-1810.0CVE-2012-1967
openjpeg -- openjpegMultiple heap-based buffer overflows in the j2k_read_sot function in j2k.c in OpenJPEG 1.5 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted (1) tile number or (2) tile length in a JPEG 2000 image file.2012-07-1810.0CVE-2012-3358
oracle -- application_express_listenerUnspecified vulnerability in the Oracle Application Express Listener component in Oracle Application Express Listener 1.1-ea, 1.1.1, 1.1.2, and 1.1.3 allows remote attackers to affect confidentiality via unknown vectors.2012-07-177.8CVE-2012-1740
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle JRockit component in Oracle Fusion Middleware 28.2.3 and before, and 27.7.2 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.2012-07-1710.0CVE-2012-3135
osisoft -- pi_opc_da_interfaceStack-based buffer overflow in OSIsoft PI OPC DA Interface before 2.3.20.9 allows remote authenticated users to execute arbitrary code by sending packet data during the processing of messages associated with OPC items.2012-07-208.5CVE-2012-3008
php -- phpUnspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow."2012-07-2010.0CVE-2012-2688
postgresql -- postgresqlCRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.2012-07-187.5CVE-2012-0868
rubygems -- mail_gemThe Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.2012-07-187.5CVE-2012-2140
smc -- smc8024l2_switchThe web interface on the SMC SMC8024L2 switch allows remote attackers to bypass authentication and obtain administrative access via a direct request to a .html file under (1) status/, (2) system/, (3) ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8) dot1x/, (9) security/, (10) igmps/, or (11) snmp/.2012-07-1910.0CVE-2012-2974
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 8 allows remote attackers to affect availability, related to TCP/IP.2012-07-177.8CVE-2012-3120
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows remote attackers to affect availability, related to TCP/IP.2012-07-177.1CVE-2012-3125
tridium -- niagra_ax_frameworkTridium Niagara AX Framework does not properly store credential data, which allows context-dependent attackers to bypass intended access restrictions by using the stored information for authentication.2012-07-167.5CVE-2012-4028
zingiri -- zingiri_web_shopMultiple unspecified vulnerabilities in the Zingiri Web Shop plugin before 2.4.0 for WordPress have unknown impact and attack vectors.2012-07-1810.0CVE-2012-4033

Back to top


Medium Vulnerabilities

Primary
Vendor -- Product		DescriptionPublished CVSS ScoreSource & Patch Info
andreas_gohr -- dokuwikiCross-site scripting (XSS) vulnerability in the tpl_mediaFileList function in inc/template.php in DokuWiki before 2012-01-25b allows remote attackers to inject arbitrary web script or HTML via the ns parameter in a medialist action to lib/exe/ajax.php.2012-07-134.3CVE-2012-0283
christos_zoulas -- filefile before 5.11 and libmagic allow remote attackers to cause a denial of service (crash) via a crafted Composite Document File (CDF) file that triggers (1) an out-of-bounds read or (2) an invalid pointer dereference.2012-07-174.3CVE-2012-1571
curtis_galloway -- libexifThe exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image.2012-07-136.4CVE-2012-2812
curtis_galloway -- libexifThe exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image.2012-07-136.4CVE-2012-2813
curtis_galloway -- libexifThe mnote_olympus_entry_get_value function in olympus/mnote-olympus-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (divide-by-zero error) via an image with crafted EXIF tags that are not properly handled during the formatting of EXIF maker note tags.2012-07-135.0CVE-2012-2837
curtis_galloway -- exifInteger overflow in the jpeg_data_load_data function in jpeg-data.c in libjpeg in exif 0.6.20 allows remote attackers to cause a denial of service (buffer over-read and application crash) or obtain potentially sensitive information via a crafted JPEG file.2012-07-136.4CVE-2012-2845
emc -- celerra_network_serverEMC Celerra Network Server 6.x before 6.0.61.0, VNX 7.x before 7.0.53.2, and VNXe 2.0 and 2.1 before 2.1.3.19077 (aka MR1 SP3.2) and 2.2 before 2.2.0.19078 (aka MR2 SP0.2) do not properly implement NFS access control, which allows remote authenticated users to read or modify files via a (1) NFSv2, (2) NFSv3, or (3) NFSv4 request.2012-07-166.5CVE-2012-2282
hp -- assetmanagerMultiple cross-site scripting (XSS) vulnerabilities in HP AssetManager 5.20, 5.21, 5.22, and 9.30 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.2012-07-164.3CVE-2012-2021
ibm -- lotus_protector_for_mail_securityMultiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in IBM Lotus Protector for Mail Security 2.1, 2.5, 2.5.1, and 2.8 and IBM ISS Proventia Network Mail Security System allow remote attackers to inject arbitrary web script or HTML via the query string.2012-07-204.3CVE-2012-2955
johnsoncontrols -- pegasys_p2000_server_softwareThe Johnson Controls Pegasys P2000 server with software before 3.11 allows remote attackers to trigger false alerts via crafted packets to TCP port 41013 (aka the upload port), a different vulnerability than CVE-2012-2607.2012-07-165.0CVE-2012-4026
moodle -- moodleCross-site request forgery (CSRF) vulnerability in Moodle 1.9.x before 1.9.11 allows remote attackers to hijack the authentication of unspecified victims for requests that modify an RSS feed in an RSS block.2012-07-166.8CVE-2011-4133
moodle -- moodleCross-site scripting (XSS) vulnerability in the tag autocomplete functionality in Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2012-07-164.3CVE-2011-4278
moodle -- moodleMoodle 2.0.x before 2.0.2 does not use the forceloginforprofiles setting for course-profiles access control, which makes it easier for remote attackers to obtain potentially sensitive information via vectors involving use of a search engine, as demonstrated by the search functionality of Google, Yahoo!, Wrensoft Zoom, MSN, Yandex, and AltaVista.2012-07-165.0CVE-2011-4279
moodle -- moodleCross-site scripting (XSS) vulnerability in the Spike PHPCoverage (aka spikephpcoverage) library, as used in Moodle 2.0.x before 2.0.2 and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2012-07-164.3CVE-2011-4280
moodle -- moodleMultiple cross-site request forgery (CSRF) vulnerabilities in Moodle 2.0.x before 2.0.2 allow remote attackers to hijack the authentication of arbitrary users for requests that mark the completion of (1) an activity or (2) a course.2012-07-166.8CVE-2011-4281
moodle -- moodleMultiple cross-site scripting (XSS) vulnerabilities in the course-tags functionality in tag/coursetags_more.php in Moodle 2.0.x before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) sort or (2) show parameter.2012-07-164.3CVE-2011-4282
moodle -- moodleMoodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 places an IMS enterprise enrolment file in the course-files area, which allows remote attackers to obtain sensitive information via a request for imsenterprise-enrol.xml.2012-07-165.0CVE-2011-4283
moodle -- moodleMoodle 2.0.x before 2.0.2 allows remote attackers to obtain sensitive information from a myprofile (aka My profile) block by visiting a user-context page.2012-07-165.0CVE-2011-4284
moodle -- moodleThe default configuration of Moodle 2.0.x before 2.0.2 has an incorrect setting of the moodle/course:delete capability, which allows remote authenticated users to delete arbitrary courses by leveraging the teacher role.2012-07-165.5CVE-2011-4285
moodle -- moodleMultiple cross-site scripting (XSS) vulnerabilities in the media-filter implementation in filter/mediaplugin/filter.php in Moodle 1.9.x before 1.9.11 and 2.0.x before 2.0.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) Flash Video (aka FLV) files and (2) YouTube videos.2012-07-164.3CVE-2011-4286
moodle -- moodleadmin/uploaduser_form.php in Moodle 2.0.x before 2.0.3 does not force password changes for autosubscribed users, which makes it easier for remote attackers to obtain access by leveraging knowledge of the initial password of a new user.2012-07-166.8CVE-2011-4287
moodle -- moodleMoodle 1.9.x before 1.9.12 and 2.0.x before 2.0.3 does not properly implement associations between teachers and groups, which allows remote authenticated users to read quiz reports of arbitrary students by leveraging the teacher role.2012-07-164.0CVE-2011-4288
moodle -- moodleMoodle 2.0.x before 2.0.3 does not recognize the configuration setting that makes e-mail addresses visible only to course members, which allows remote authenticated users to obtain sensitive address information by reading a full profile page.2012-07-164.0CVE-2011-4289
moodle -- moodleMultiple cross-site scripting (XSS) vulnerabilities in lib/weblib.php in Moodle 1.9.x before 1.9.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to URL encoding.2012-07-164.3CVE-2011-4290
moodle -- moodleMoodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted ratings operations.2012-07-164.0CVE-2011-4291
moodle -- moodleMoodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted comments operations.2012-07-164.0CVE-2011-4292
moodle -- moodleThe theme implementation in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 triggers duplicate caching of Cascading Style Sheets (CSS) and JavaScript content, which allows remote attackers to bypass intended access restrictions and write to an operating-system temporary directory via unspecified vectors.2012-07-166.4CVE-2011-4293
moodle -- moodleThe error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via unspecified vectors.2012-07-165.8CVE-2011-4294
moodle -- moodleThe moodle_enrol_external:role_assign function in enrol/externallib.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 does not have an authorization check, which allows remote authenticated users to gain privileges by making a role assignment.2012-07-166.5CVE-2011-4295
moodle -- moodlelib/db/access.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 assigns incorrect capabilities to the course-creator role, which allows remote authenticated users to modify course filters by leveraging this role.2012-07-165.5CVE-2011-4296
moodle -- moodlecomment/lib.php in Moodle 2.0.x before 2.0.4 and 2.1.x before 2.1.1 does not properly restrict comment capabilities, which allows remote attackers to post a comment by leveraging the guest role and operating on a front-page activity.2012-07-166.4CVE-2011-4297
moodle -- moodlemod/wiki/pagelib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 allows remote authenticated users to discover the username of a wiki creator by visiting the history and deletion user interface.2012-07-204.0CVE-2011-4581
moodle -- moodleOpen redirect vulnerability in the Calendar set page in Moodle 2.1.x before 2.1.3 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via a redirection URL.2012-07-204.9CVE-2011-4582
moodle -- moodleMoodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 displays web service tokens associated with (1) disabled services and (2) users who no longer have authorization, which allows remote authenticated users to have an unspecified impact by reading these tokens.2012-07-206.5CVE-2011-4583
moodle -- moodleThe MNET authentication functionality in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 allows remote authenticated users to impersonate other user accounts by using the Login As feature in conjunction with a remote MNET single sign-on capability, as demonstrated by a Mahara site.2012-07-204.0CVE-2011-4584
moodle -- moodlelogin/change_password.php in Moodle 1.9.x before 1.9.15 does not use https for the change-password form even if the httpslogin option is enabled, which allows remote attackers to obtain credentials by sniffing the network.2012-07-205.0CVE-2011-4585
moodle -- moodleCRLF injection vulnerability in calendar/set.php in the Calendar subsystem in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.2012-07-205.0CVE-2011-4586
moodle -- moodlelib/moodlelib.php in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 does not properly handle certain zero values in the password policy, which makes it easier for remote attackers to obtain access by leveraging the possible existence of user accounts that have unchangeable blank passwords.2012-07-206.8CVE-2011-4587
moodle -- moodleThe ip_in_range function in mnet/lib.php in MNET in Moodle 1.9.x before 1.9.15 uses an incorrect data type, which allows remote attackers to bypass intended IP address restrictions via an XMLRPC request.2012-07-205.0CVE-2011-4588
moodle -- moodlebackup/moodle2/restore_stepslib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not check for the moodle/course:changeidnumber privilege during handling of course ID numbers, which allows remote authenticated users to overwrite ID numbers via a restore action.2012-07-205.5CVE-2011-4589
moodle -- moodleThe web services implementation in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not properly consider the maintenance-mode state and account attributes during login attempts, which allows remote authenticated users to bypass intended access restrictions by connecting to a webservice server.2012-07-204.0CVE-2011-4590
moodle -- moodleCross-site scripting (XSS) vulnerability in the print_object function in lib/datalib.php in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3, when a developer debugging script is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors involving object states.2012-07-204.3CVE-2011-4591
moodle -- moodleThe command-line cron implementation in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not properly interact with IP blocking, which might allow remote attackers to bypass intended IP address restrictions by leveraging a configuration in which IP blocking was disabled to restore cron functionality.2012-07-205.0CVE-2011-4592
moodle -- moodleMoodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, and 2.1.x before 2.1.3 does not properly handle user/action_redir group messages, which allows remote authenticated users to discover e-mail addresses by visiting the messaging interface.2012-07-204.0CVE-2011-4593
moodle -- moodlemod/forum/user.php in Moodle 1.9.x before 1.9.16 allows remote authenticated users to obtain the names and other details of arbitrary user accounts by searching for posts.2012-07-174.0CVE-2012-0792
moodle -- moodleMoodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote attackers to view the profile images of arbitrary user accounts via unspecified vectors.2012-07-175.0CVE-2012-0793
moodle -- moodleThe rc4encrypt function in lib/moodlelib.php in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 uses a hardcoded password of nfgjeingjk, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by reading this script's source code within the open-source software distribution.2012-07-175.0CVE-2012-0794
moodle -- moodleMoodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 does not validate e-mail address settings, which allows remote authenticated users to have an unspecified impact via a crafted address.2012-07-176.5CVE-2012-0795
moodle -- moodleclass.phpmailer.php in the PHPMailer library, as used in Moodle 1.9.x before 1.9.16, 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 and other products, allows remote authenticated users to inject arbitrary e-mail headers via vectors involving a crafted (1) From: or (2) Sender: header.2012-07-174.0CVE-2012-0796
moodle -- moodleThe webservices functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 allows remote authenticated users to bypass the deleted status and continue using a server via a token.2012-07-175.5CVE-2012-0797
moodle -- moodleThe self-enrolment functionality in Moodle 2.1.x before 2.1.4 and 2.2.x before 2.2.1 allows remote authenticated users to obtain the manager role by leveraging the teacher role.2012-07-175.5CVE-2012-0798
moodle -- moodleMoodle 2.0.x before 2.0.7 and 2.1.x before 2.1.4, when an anonymous front-page forum is enabled, allows remote attackers to obtain session keys for their sessions by visiting the front page.2012-07-174.3CVE-2012-0799
mozilla -- firefoxThe drag-and-drop implementation in Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 allows remote attackers to spoof the address bar by canceling a page load.2012-07-186.4CVE-2012-1950
mozilla -- firefoxMozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 allow remote attackers to spoof the address bar via vectors involving history.forward and history.back calls.2012-07-186.8CVE-2012-1955
mozilla -- firefoxAn unspecified parser-utility class in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly handle EMBED elements within description elements in RSS feeds, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a feed.2012-07-184.3CVE-2012-1957
mozilla -- firefoxMozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not consider the presence of same-compartment security wrappers (SCSW) during the cross-compartment wrapping of objects, which allows remote attackers to bypass intended XBL access restrictions via crafted content.2012-07-185.0CVE-2012-1959
mozilla -- firefoxThe qcms_transform_data_rgb_out_lut_sse2 function in the QCMS implementation in Mozilla Firefox 4.x through 13.0, Thunderbird 5.0 through 13.0, and SeaMonkey before 2.11 might allow remote attackers to obtain sensitive information from process memory via a crafted color profile that triggers an out-of-bounds read operation.2012-07-185.0CVE-2012-1960
mozilla -- firefoxMozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not properly handle duplicate values in X-Frame-Options headers, which makes it easier for remote attackers to conduct clickjacking attacks via a FRAME element referencing a web site that produces these duplicate values.2012-07-184.3CVE-2012-1961
mozilla -- firefoxThe Content Security Policy (CSP) functionality in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation.2012-07-184.3CVE-2012-1963
mozilla -- firefoxThe certificate-warning functionality in browser/components/certerror/content/aboutCertError.xhtml in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.10 does not properly handle attempted clickjacking of the about:certerror page, which allows man-in-the-middle attackers to trick users into adding an unintended exception via an IFRAME element.2012-07-184.0CVE-2012-1964
mozilla -- firefoxMozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do not properly establish the security context of a feed: URL, which allows remote attackers to bypass unspecified cross-site scripting (XSS) protection mechanisms via a feed:javascript: URL.2012-07-184.3CVE-2012-1965
mozilla -- firefoxMozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do not have the same context-menu restrictions for data: URLs as for javascript: URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.2012-07-184.3CVE-2012-1966
mysql -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier and 5.5.23 and earlier allows remote authenticated users to affect availability, related to GIS Extension.2012-07-174.0CVE-2012-0540
mysql -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, and 5.5.22 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.2012-07-174.0CVE-2012-1689
mysql -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.1.62 and earlier, and 5.5.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.2012-07-174.0CVE-2012-1734
mysql -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.2012-07-176.8CVE-2012-1735
mysql -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.23 and earlier allows remote authenticated users to affect availability via unknown vectors.2012-07-174.0CVE-2012-1756
mysql -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB.2012-07-174.0CVE-2012-1757
openjpeg -- openjpegThe tcd_free_encode function in tcd.c in OpenJPEG 1.3 through 1.5 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted tile information in a Gray16 TIFF image, which causes insufficient memory to be allocated and leads to an "invalid free."2012-07-186.8CVE-2009-5030
oracle -- fusion_middlewareUnspecified vulnerability in the Portal component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect integrity via unknown vectors.2012-07-174.3CVE-2011-3562
oracle -- sun_glassfish_enterprise_serverUnspecified vulnerability in Oracle GlassFish Enterprise Server 3.0.1 and 3.1.1 allows remote attackers to affect confidentiality and integrity, related to JSF.2012-07-176.4CVE-2011-4358
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect integrity, related to HTML Pages.2012-07-174.3CVE-2012-1715
oracle -- siebel_crmUnspecified vulnerability in the Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Portal Framework.2012-07-175.8CVE-2012-1728
oracle -- hyperionUnspecified vulnerability in the Hyperion BI+ component in Oracle Hyperion 11.1.1.3 and earlier allows remote attackers to affect integrity via unknown vectors related to UI and Visualization.2012-07-174.3CVE-2012-1729
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Password Management.2012-07-174.3CVE-2012-1730
oracle -- siebel_crmUnspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web UI.2012-07-176.8CVE-2012-1731
oracle -- siebel_crmUnspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to UI Framework.2012-07-174.0CVE-2012-1732
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle MapViewer component in Oracle Fusion Middleware 10.1.3.1 allows remote attackers to affect confidentiality via unknown vectors related to Oracle Maps.2012-07-175.0CVE-2012-1736
oracle -- database_serverUnspecified vulnerability in the Enterprise Manager for Oracle Database component in Oracle Database Server 11.1.0.7, 11.2.0.2, and 11.2.0.3, and Enterprise Manager Grid Control EM Base Platform 10.2.0.5, EM Base Platform 11.1.0.1, EM Plugin for DB 12.1.0.1, and EM Plugin for DB 12.1.0.2, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to DB Performance Advisories/UIs.2012-07-176.8CVE-2012-1737
oracle -- iplanet_web_serverUnspecified vulnerability in the Oracle iPlanet Web Server component in Oracle Sun Products Suite Java System Web Server 6.1 and Oracle iPlanet Web Server 7.0 allows remote attackers to affect availability via unknown vectors related to Web Server.2012-07-175.0CVE-2012-1738
oracle -- fusion_middlewareUnspecified vulnerability in the Enterprise Manager for Fusion Middleware component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality and integrity via unknown vectors related to User Administration Pages.2012-07-175.8CVE-2012-1741
oracle -- siebel_crmUnspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect availability via unknown vectors related to UI Framework.2012-07-175.0CVE-2012-1742
oracle -- database_serverUnspecified vulnerability in the Network Layer component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to affect availability via unknown vectors.2012-07-175.0CVE-2012-1745
oracle -- database_serverUnspecified vulnerability in the Network Layer component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3, when running on Windows, allows remote attackers to affect availability via unknown vectors, a different vulnerability than CVE-2012-1747.2012-07-175.0CVE-2012-1746
oracle -- database_serverUnspecified vulnerability in the Network Layer component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3, when running on Windows, allows remote attackers to affect availability via unknown vectors, a different vulnerability than CVE-2012-1746.2012-07-175.0CVE-2012-1747
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Candidate Gateway.2012-07-174.0CVE-2012-1748
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle MapViewer component in Oracle Fusion Middleware 10.1.3.1 and 11.1.1.5 allows remote attackers to affect confidentiality via unknown vectors related to Oracle Maps.2012-07-175.0CVE-2012-1749
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to PC.2012-07-175.4CVE-2012-1753
oracle -- siebel_crmUnspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to UI Framework.2012-07-174.0CVE-2012-1754
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle AutoVue component in Oracle Supply Chain Products Suite 20.0.2 and 20.1 allows remote authenticated users to affect availability via unknown vectors.2012-07-174.0CVE-2012-1758
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle AutoVue component in Oracle Supply Chain Products Suite 20.0.2 and 20.1 allows remote authenticated users to affect availability via unknown vectors.2012-07-174.0CVE-2012-1759
oracle -- siebel_crmUnspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect availability via unknown vectors related to UI Framework.2012-07-174.3CVE-2012-1760
oracle -- siebel_crmUnspecified vulnerability in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to UI Framework.2012-07-174.3CVE-2012-1761
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.0.20 allows remote authenticated users to affect confidentiality and integrity, related to EPERF.2012-07-175.5CVE-2012-3113
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 5.5.06, 6.0, 6.1, and 6.2 allows remote attackers to affect integrity via unknown vectors.2012-07-174.3CVE-2012-3114
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle MapViewer component in Oracle Fusion Middleware 10.1.3.1, 11.1.1.5, and 11.1.1.6 allows remote attackers to affect integrity via unknown vectors related to Install.2012-07-174.3CVE-2012-3115
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 5.5.06, 6.0, 6.1, and 6.2 allows remote authenticated users to affect confidentiality via unknown vectors.2012-07-174.0CVE-2012-3117
oracle -- peoplesoft_productsUnspecified vulnerability in the PeoleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 allows remote authenticated users to affect confidentiality, related to PANPROC.2012-07-174.0CVE-2012-3118
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.0.20 allows remote authenticated users to affect confidentiality via unknown vectors related to Candidate Gateway.2012-07-174.0CVE-2012-3119
oracle -- sun_products_suiteUnspecified vulnerability in the Solaris Cluster component in Oracle Sun Products Suite 3.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Apache Tomcat Agent.2012-07-176.2CVE-2012-3126
oracle -- database_serverUnspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect availability via unknown vectors.2012-07-174.0CVE-2012-3134
phillip_lougher -- squashfsStack-based buffer overflow in the get_component function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted list file (aka a crafted file for the -ef option). NOTE: probably in most cases, the list file is a trusted file constructed by the program's user; however, there are some realistic situations in which a list file would be obtained from an untrusted remote source.2012-07-196.8CVE-2012-4024
phillip_lougher -- squashfsInteger overflow in the queue_init function in unsquashfs.c in unsquashfs in Squashfs 4.2 and earlier allows remote attackers to execute arbitrary code via a crafted block_log field in the superblock of a .sqsh file, leading to a heap-based buffer overflow.2012-07-196.8CVE-2012-4025
php -- phpThe SQLite functionality in PHP before 5.3.15 allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors.2012-07-205.0CVE-2012-3365
postgresql -- postgresqlCREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.2012-07-186.5CVE-2012-0866
postgresql -- postgresqlPostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.2012-07-184.3CVE-2012-0867
postgresql -- postgresqlPostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.2012-07-184.0CVE-2012-2655
rsa -- authentication_managerMultiple cross-site scripting (XSS) vulnerabilities in the (1) Self-Service Console and (2) Security Console in EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.2012-07-134.3CVE-2012-2278
rsa -- authentication_managerOpen redirect vulnerability in the Security Console in EMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.2012-07-136.4CVE-2012-2279
rsa -- authentication_managerEMC RSA Authentication Manager 7.1 before SP4 P14 and RSA SecurID Appliance 3.0 before SP4 P14 do not properly use frames, which allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "Cross frame scripting vulnerability."2012-07-135.0CVE-2012-2280
rubygems -- mail_gemDirectory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.3 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.2012-07-185.0CVE-2012-2139
sun -- sunosUnspecified vulnerability in Oracle Solaris 10 and 11 allows local users to affect integrity and availability, related to Logical Domains (LDOM).2012-07-175.6CVE-2012-1687
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to mailx.2012-07-174.4CVE-2012-1750
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability, related to Kernel/NFS.2012-07-174.9CVE-2012-1752
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect integrity via unknown vectors related to Branded Zone.2012-07-174.7CVE-2012-1765
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 allows remote attackers to affect integrity via unknown vectors related to Solaris Management Console.2012-07-174.3CVE-2012-3112
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 9 and 10 allows remote attackers to affect availability via unknown vectors related to in.tnamed.2012-07-175.0CVE-2012-3121
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 allows remote attackers to affect confidentiality, related to Apache HTTP Server.2012-07-175.0CVE-2012-3123
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 allows remote attackers to affect availability, related to Kernel/KSSL.2012-07-175.0CVE-2012-3124
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 allows remote attackers to affect availability, related to SCTP.2012-07-175.4CVE-2012-3127
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 allows remote attackers to affect confidentiality, integrity, and availability, related to Gnome PDF viewer.2012-07-175.1CVE-2012-3129
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 11 allows remote attackers to affect integrity via unknown vectors related to pkg.depotd.2012-07-174.3CVE-2012-3130
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 9, 10, and 11 allows remote attackers to affect confidentiality, related to Network/NFS.2012-07-174.3CVE-2012-3131
tridium -- niagra_ax_frameworkDirectory traversal vulnerability in Tridium Niagara AX Framework allows remote attackers to read files outside of the intended images, nav, and px folders by leveraging incorrect permissions, as demonstrated by reading the config.bog file.2012-07-165.0CVE-2012-4027
wangkongbao -- cns-1000Multiple directory traversal vulnerabilities in src/acloglogin.php in Wangkongbao CNS-1000 and 1100 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) lang or (2) langid cookie to port 85.2012-07-175.0CVE-2012-4031
websitepanel -- websitepanelOpen redirect vulnerability in the login page in WebsitePanel before 1.2.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in ReturnUrl to Default.aspx.2012-07-175.8CVE-2012-4032
xnview -- xnviewMultiple heap-based buffer overflows in XnView before 1.99 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a (1) SGI32LogLum compressed TIFF image or (2) SGI32LogLum compressed TIFF image with the PhotometricInterpretation encoding set to LogL.2012-07-176.8CVE-2012-0276
xnview -- xnviewHeap-based buffer overflow in XnView before 1.99 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PCT image.2012-07-176.8CVE-2012-0277
xnview -- xnviewHeap-based buffer overflow in XnView before 1.99 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted ImageLeftPosition value in an ImageDescriptor structure in a GIF image.2012-07-176.8CVE-2012-0282
yahoo -- yahoo!_browserThe Yahoo! Japan Yahoo! Browser application 1.2.0 and earlier for Android does not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application.2012-07-164.3CVE-2012-2645

Back to top


Low Vulnerabilities

Primary
Vendor -- Product		DescriptionPublished CVSS ScoreSource & Patch Info
gnome -- rhythmbox(1) AlbumTab.py, (2) ArtistTab.py, (3) LinksTab.py, and (4) LyricsTab.py in the Context module in GNOME Rhythmbox 0.13.3 and earlier allows local users to execute arbitrary code via a symlink attack on a temporary HTML template file in the /tmp/context directory.2012-07-173.6CVE-2012-3355
moodle -- moodleThe form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device.2012-07-172.1CVE-2012-0800
openstack -- computeThe Nova scheduler in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when DifferentHostFilter or SameHostFilter is enabled, allows remote authenticated users to cause a denial of service (excessive database lookup calls and server hang) via a request with many repeated IDs in the os:scheduler_hints section.2012-07-173.5CVE-2012-3371
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote authenticated users to affect integrity via unknown vectors related to Document Repository.2012-07-173.5CVE-2012-1727
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote authenticated users to affect confidentiality via unknown vectors related to CM.2012-07-173.5CVE-2012-1733
oracle -- e-business_suiteUnspecified vulnerability in the Oracle E-Business Intelligence component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote authenticated users to affect integrity via unknown vectors related to Financials Business Intelligence.2012-07-173.5CVE-2012-1739
oracle -- industry_applicationsUnspecified vulnerability in the Oracle Clinical Remote Data Capture Option component in Oracle Industry Applications 4.6.0.x, 4.6.2, and 4.6.3 allows remote authenticated users to affect confidentiality, related to HTML Surround.2012-07-172.8CVE-2012-1743
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent users to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-1744
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote authenticated users to affect integrity, related to TECH.2012-07-173.5CVE-2012-1762
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote authenticated users to affect integrity, related to MCF.2012-07-173.5CVE-2012-1764
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-1766
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-1767
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-1768
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-1769
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-1770
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-1771
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-1772
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-1773
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-3106
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-3107
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-3108
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-3109
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters.2012-07-172.1CVE-2012-3110
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote authenticated users to affect integrity, related to TECH.2012-07-173.5CVE-2012-3111
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 5.5.06, 6.0, 6.1, and 6.2 allows local users to affect confidentiality via unknown vectors.2012-07-171.9CVE-2012-3116
oracle -- netra_sparc_t3-1Unspecified vulnerability in Oracle SPARC T-Series Servers running System Firmware 8.2.0 and 8.1.4.e or earlier allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Integrated Lights Out Manager.2012-07-173.7CVE-2012-3128
sun -- sunosUnspecified vulnerability in Oracle Solaris 9, 10, and 11 allows local users to affect availability via unknown vectors related to Kerberos/klist.2012-07-172.1CVE-2012-0563
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 8 and 9 allows local users to affect confidentiality and integrity via unknown vectors related to sort.2012-07-172.6CVE-2012-3122

Back to top

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.