Total: 5222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2012-0657 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2024-02-28 | 2.1 LOW | N/A | Quartz Composer in Apple Mac OS X before 10.7.4, when the RSS Visualizer screensaver is enabled, allows physically proximate attackers to bypass screen locking and launch a Safari process via unspecified vectors. |
CVE-2013-1737 | 1 Mozilla | 5 Firefox, Firefox Esr, Seamonkey and 2 more | 2024-02-28 | 5.0 MEDIUM | N/A | Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not properly identify the "this" object during use of user-defined getter methods on DOM proxies, which might allow remote attackers to bypass intended access restrictions via vectors involving an expando object. |
CVE-2012-5469 | 2 Phpmyadmin, Wordpress | 2 Phpmyadmin, Wordpress | 2024-02-28 | 7.5 HIGH | N/A | The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. |
CVE-2013-4310 | 1 Apache | 1 Struts | 2024-02-28 | 5.8 MEDIUM | N/A | Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. |
CVE-2013-1063 | 2 Canonical, Evan Dandrea | 2 Ubuntu Linux, Usb-creator | 2024-02-28 | 4.6 MEDIUM | N/A | usb-creator 0.2.47 before 0.2.47.1, 0.2.40 before 0.2.40ubuntu2, and 0.2.38 before 0.2.38.2 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288. |
CVE-2012-6120 | 1 Redhat | 2 Openstack Essex, Openstack Folsom | 2024-02-28 | 2.1 LOW | N/A | Red Hat OpenStack Essex and Folsom creates the /var/log/puppet directory with world-readable permissions, which allows local users to obtain sensitive information such as Puppet log files. |
CVE-2013-2777 | 2 Apple, Todd Miller | 2 Mac Os X, Sudo | 2024-02-28 | 4.4 MEDIUM | N/A | sudo before 1.7.10p5 and 1.8.x before 1.8.6p6, when the tty_tickets option is enabled, does not properly validate the controlling terminal device, which allows local users with sudo permissions to hijack the authorization of another terminal via vectors related to a session without a controlling terminal device and connecting to the standard input, output, and error file descriptors of another terminal. NOTE: this is one of three closely-related vulnerabilities that were originally assigned CVE-2013-1776, but they have been SPLIT because of different affected versions. |
CVE-2012-2337 | 1 Todd Miller | 1 Sudo | 2024-02-28 | 7.2 HIGH | N/A | sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not properly support configurations that use a netmask syntax, which allows local users to bypass intended command restrictions in opportunistic circumstances by executing a command on a host that has an IPv4 address. |
CVE-2013-1693 | 1 Mozilla | 4 Firefox, Firefox Esr, Thunderbird and 1 more | 2024-02-28 | 4.3 MEDIUM | N/A | The SVG filter implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 allows remote attackers to read pixel values, and possibly bypass the Same Origin Policy and read text from a different domain, by observing timing differences in execution of filter code. |
CVE-2013-3689 | 1 Brickcom | 7 100ap Device Firmware, Fb-100ap, Md-100ap and 4 more | 2024-02-28 | 7.8 HIGH | N/A | Brickcom FB-100Ap, WCB-100Ap, MD-100Ap, WFB-100Ap, OB-100Ae, OSD-040E, and possibly other camera models with firmware 3.0.6.16C1 and earlier, do not properly restrict access to configfile.dump, which allows remote attackers to obtain sensitive information (user names, passwords, and configurations) via a get action. |
CVE-2013-0529 | 1 Ibm | 1 Sterling Connect Direct User Interface | 2024-02-28 | 5.0 MEDIUM | N/A | The Browser in IBM Sterling Connect:Direct 1.4 before 1.4.0.11 and 1.5 through 1.5.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. |
CVE-2012-2354 | 1 Moodle | 1 Moodle | 2024-02-28 | 4.0 MEDIUM | N/A | Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated users to bypass the moodle/site:readallmessages capability requirement and read arbitrary messages by using the "Recent conversations" feature with a modified parameter in a URL. |
CVE-2012-2680 | 2 Redhat, Trevor Mckay | 2 Enterprise Mrg, Cumin | 2024-02-28 | 5.0 MEDIUM | N/A | Cumin before 0.1.5444, as used in Red Hat Enterprise Messaging, Realtime, and Grid (MRG) 2.0, does not properly restrict access to resources, which allows remote attackers to obtain sensitive information via unspecified vectors related to (1) "web pages," (2) "export functionality," and (3) "image viewing." |
CVE-2013-0337 | 1 F5 | 1 Nginx | 2024-02-28 | 7.5 HIGH | N/A | The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files. |
CVE-2012-4466 | 1 Ruby-lang | 1 Ruby | 2024-02-28 | 5.0 MEDIUM | N/A | Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005. |
CVE-2013-3280 | 1 Emc | 1 Rsa Authentication Agent | 2024-02-28 | 7.5 HIGH | N/A | EMC RSA Authentication Agent 7.1.x before 7.1.2 for Web for Internet Information Services has a fail-open design, which allows remote attackers to bypass intended access restrictions via vectors that trigger an agent crash. |
CVE-2013-5482 | 1 Cisco | 1 Prime Lan Management Solution | 2024-02-28 | 4.3 MEDIUM | N/A | Cisco Prime LAN Management Solution (LMS) does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCug77823. |
CVE-2013-4677 | 1 Symantec | 1 Backup Exec | 2024-02-28 | 4.3 MEDIUM | N/A | Symantec Backup Exec 2010 R3 before 2010 R3 SP3 and 2012 before SP2 uses weak permissions (Everyone: Read and Everyone: Change) for backup data files, which allows local users to obtain sensitive information or modify the outcome of a restore via direct access to these files. |
CVE-2012-2340 | 2 Drupal, Geoff Davies | 2 Drupal, Contact Forms | 2024-02-28 | 3.5 LOW | N/A | The Contact Forms module 7.x-1.x before 7.x-1.2 for Drupal does not specify sufficiently restrictive permissions, which allows remote authenticated users with the "access the site-wide contact form" permission to modify the module settings via unspecified vectors. |
CVE-2012-2291 | 3 Apple, Emc, Hp | 4 Mac Os X, Avamar, Avamar Plugin and 1 more | 2024-02-28 | 7.2 HIGH | N/A | EMC Avamar Client 4.x, 5.x, and 6.x on HP-UX and Mac OS X, and the EMC Avamar plugin 4.x, 5.x, and 6.x for Oracle, uses world-writable permissions for cache directories, which allows local users to gain privileges via an unspecified symlink attack. |
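Two of the web entries above are visible in a single HTTP response head: CVE-2013-0529 (a session cookie issued over HTTPS without the Secure flag, so a later plain-http request leaks it) and CVE-2013-5482 (a page that any origin may load in an IFRAME for clickjacking). The script below is an added example written for this page, not code from IBM, Cisco or any vendor in the listing. It parses a raw response head, reports cookies lacking Secure or HttpOnly, and reports pages that neither X-Frame-Options nor a CSP frame-ancestors directive protects. The two sample responses and the cookie name JSESSIONID are constructed; the framing check encodes the standard mitigation, not anything the advisories themselves specify.

```python
"""Audit an HTTP response head for two weaknesses from the listing above:
a cookie set over HTTPS without the Secure flag (cf. CVE-2013-0529) and a
page that any origin may load in an IFRAME (cf. CVE-2013-5482).
Added example for this page; the sample responses below are constructed."""


def parse_head(raw):
    """Split a raw response head into (status line, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie are all kept."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0].strip(), headers


def cookie_attributes(set_cookie):
    """Return (cookie name, {attribute: value}) for one Set-Cookie value.
    Flag attributes (Secure, HttpOnly) map to True; keys are lower-cased."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.lower()] = value if sep else True
    return name, attrs


def allows_framing(headers):
    """True unless X-Frame-Options or a CSP frame-ancestors directive
    restricts which origins may embed the page."""
    for name, value in headers:
        if name == "x-frame-options" and value.upper() in ("DENY", "SAMEORIGIN"):
            return False
        if name == "content-security-policy":
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors" and "*" not in tokens[1:]:
                    return False
    return True


def audit_response(raw, over_https=True):
    """Return a list of findings for one response head."""
    _, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if over_https and "secure" not in attrs:
            findings.append(f"cookie {cookie}: set over HTTPS without Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly")
    if allows_framing(headers):
        findings.append("no X-Frame-Options / frame-ancestors: page can be framed by any origin")
    return findings


# Constructed sample responses (not captured from any real product).
WEAK_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/
"""

HARDENED_HEAD = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; Secure; HttpOnly
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
"""

if __name__ == "__main__":
    for label, head in (("weak", WEAK_HEAD), ("hardened", HARDENED_HEAD)):
        print(label, audit_response(head) or ["ok"])
```

The Secure check is only meaningful when the response was actually served over TLS, which is why `audit_response` takes `over_https`; when auditing a captured plain-http response, pass `over_https=False` so the script does not report a finding the transport itself already makes moot.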
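Several entries above are plain filesystem-permission bugs rather than code flaws: world-readable log directories and files (CVE-2012-6120, CVE-2013-0337) and world-writable cache directories that let a local user plant a symlink ahead of a privileged writer (CVE-2012-2291; CVE-2013-4677 is the Windows-ACL counterpart). The script below is an added example for this page, not vendor code: it builds a constructed tree under a temporary root, reports both weakness classes, and strips the offending mode bits. The paths var/log/nginx/access.log and var/cache/app are illustrative only.

```python
"""Find and fix two permission weaknesses from the listing above:
world-readable log files (cf. CVE-2012-6120, CVE-2013-0337) and
world-writable directories without the sticky bit, the precondition for
the symlink attack in CVE-2012-2291. Added example for this page; the
directory tree it audits is constructed under a temporary root."""
import os
import stat
import tempfile

WORLD_READABLE = "world-readable file"
WORLD_WRITABLE_DIR = "world-writable directory without sticky bit"


def weak_permission_findings(root):
    """Walk root and return sorted (relative path, problem) pairs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((os.path.relpath(dirpath, root), WORLD_WRITABLE_DIR))
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings.append((os.path.relpath(path, root), WORLD_READABLE))
    return sorted(findings)


def harden(root):
    """Strip the offending 'other' bit from every finding; returns the count."""
    findings = weak_permission_findings(root)
    for rel, problem in findings:
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        bit = stat.S_IROTH if problem == WORLD_READABLE else stat.S_IWOTH
        os.chmod(path, mode & ~bit)
    return len(findings)


def build_fixture():
    """Create a constructed tree mimicking the flawed layouts: an nginx-style
    log directory holding a 0644 access log and a 0777 cache directory, next
    to correctly configured neighbours. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    directories = {
        "var": 0o755,
        "var/log": 0o755,
        "var/log/nginx": 0o750,
        "var/cache": 0o755,
        "var/cache/app": 0o777,  # world-writable, no sticky bit: symlink-attack surface
        "tmp": 0o1777,           # world-writable but sticky: acceptable
    }
    for rel, mode in directories.items():  # insertion order creates parents first
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    files = {
        "var/log/nginx/access.log": 0o644,  # the world-readable default at issue
        "var/log/nginx/error.log": 0o640,   # correct: owner and group only
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample log line\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_fixture()
    print("before:", weak_permission_findings(root))
    print("fixed:", harden(root))
    print("after:", weak_permission_findings(root))
```

Stripping o+w is the generic fix the script applies; for a shared cache directory the better remedy is the one the Avamar advisory implies, a per-user directory created with a restrictive mode before use, since a sticky bit alone still allows a local user to pre-create entries inside the directory.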