Total
5222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2011-2196 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Enterprise Soa Platform, Jboss Enterprise Web Platform and 1 more | 2024-02-28 | 6.8 MEDIUM | N/A |
jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484. | |||||
CVE-2011-1184 | 1 Apache | 1 Tomcat | 2024-02-28 | 5.0 MEDIUM | N/A |
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. | |||||
CVE-2010-1206 | 1 Mozilla | 2 Firefox, Seamonkey | 2024-02-28 | 4.3 MEDIUM | N/A |
The startDocumentLoad function in browser/base/content/browser.js in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, does not properly implement the Same Origin Policy in certain circumstances related to the about:blank document and a document that is currently loading, which allows (1) remote web servers to conduct spoofing attacks via vectors involving a 204 (aka No Content) status code, and allows (2) remote attackers to conduct spoofing attacks via vectors involving a window.stop call. | |||||
CVE-2011-4773 | 2 Android, Anguanjia | 2 Android, Anguanjia | 2024-02-28 | 5.8 MEDIUM | N/A |
The AnGuanJia (com.anguanjia.safe) application 2.10.343 for Android does not properly protect data, which allows remote attackers to read or modify SMS messages and a contact list via a crafted application. | |||||
CVE-2011-1550 | 2 Gentoo, Novell | 2 Logrotate, Opensuse Factory | 2024-02-28 | 6.3 MEDIUM | N/A |
The default configuration of logrotate on SUSE openSUSE Factory uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories for the (1) cobbler, (2) inn, (3) safte-monitor, and (4) uucp packages. | |||||
CVE-2011-3006 | 1 Mcafee | 1 Saas Endpoint Protection | 2024-02-28 | 6.8 MEDIUM | N/A |
The MyAsUtil ActiveX control in MyAsUtil5.2.0.603.dll in McAfee SaaS Endpoint Protection 5.2.1 and earlier allows remote attackers to bypass the MyASUtil.SecureObjectFactory.CreateSecureObject domain execution policy using a cross-site scripting (XSS) attack, execute arbitrary code using the MyASUtil.InstallInfo.RunUserProgram function, and possibly conduct other unspecified attacks. | |||||
CVE-2011-5060 | 1 Roderich Schupp | 1 Par-packer Module | 2024-02-28 | 3.3 LOW | N/A |
The par_mktmpdir function in the PAR module before 1.003 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program, a different vulnerability in a different package than CVE-2011-4114. | |||||
CVE-2010-2744 | 1 Microsoft | 6 Windows 2003 Server, Windows 7, Windows Server 2003 and 3 more | 2024-02-28 | 7.2 HIGH | N/A |
The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 do not properly manage a window class, which allows local users to gain privileges by creating a window, then using (1) the SetWindowLongPtr function to modify the popup menu structure, or (2) the SwitchWndProc function with a switch window information pointer, which is not re-initialized when a WM_NCCREATE message is processed, aka "Win32k Window Class Vulnerability." | |||||
CVE-2011-4202 | 1 Restorepoint | 1 Restorepoint | 2024-02-28 | 7.2 HIGH | N/A |
The Tadasoft Restorepoint 3.2 evaluation image uses weak permissions (www write access) for unspecified scripts, which allows local users to gain privileges by modifying a script file. | |||||
CVE-2011-4705 | 2 Android, Ming | 2 Android, Blacklist Free | 2024-02-28 | 5.8 MEDIUM | N/A |
The Ming Blacklist Free (vc.software.blacklist) application 1.8.1 and 1.9.2.1 for Android does not properly protect data, which allows remote attackers to read or modify blacklists and a contact list via a crafted application that launches a "data-flow attack." | |||||
CVE-2010-4768 | 1 Otrs | 1 Otrs | 2024-02-28 | 6.0 MEDIUM | N/A |
Open Ticket Request System (OTRS) before 2.3.5 does not properly disable hidden permissions, which allows remote authenticated users to bypass intended queue access restrictions in opportunistic circumstances by visiting a ticket, related to a certain ordering of permission-set and permission-remove operations involving both hidden permissions and other permissions. | |||||
CVE-2004-2767 | 1 Novell | 2 Netware, Netware Ftp Server | 2024-02-28 | 4.3 MEDIUM | N/A |
NWFTPD.nlm before 5.04.25 in the FTP server in Novell NetWare does not promptly close DS sessions, which allows remote attackers to cause a denial of service (connection slot exhaustion) by establishing many FTP sessions that persist for the lifetime of a DS session. | |||||
CVE-2006-7240 | 1 Gnome | 1 Power Manager | 2024-02-28 | 7.2 HIGH | N/A |
gnome-power-manager 2.14.0 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. | |||||
CVE-2011-1602 | 1 Cisco | 15 Skinny Client Control Protocol Software, Unified Ip Phone 7906, Unified Ip Phone 7911g and 12 more | 2024-02-28 | 6.6 MEDIUM | N/A |
The su utility on Cisco Unified IP Phones 7900 devices (aka TNP phones) with software before 9.0.3 allows local users to gain privileges via unspecified vectors, aka Bug ID CSCtf07426. | |||||
CVE-2011-5078 | 1 Sybase | 1 M-business Anywhere | 2024-02-28 | 6.5 MEDIUM | N/A |
The web administration interface in the server in Sybase M-Business Anywhere 6.7 before ESD# 3 and 7.0 before ESD# 7 does not require admin authentication for unspecified scripts, which allows remote authenticated users to list or delete user accounts, modify passwords, or read log files via HTTP requests, aka Bug IDs 678497 and 678499. | |||||
CVE-2011-2999 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2024-02-28 | 4.3 MEDIUM | N/A |
Mozilla Firefox before 3.6.23 and 4.x through 5, Thunderbird before 6.0, and SeaMonkey before 2.3 do not properly handle "location" as the name of a frame, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, a different vulnerability than CVE-2010-0170. | |||||
CVE-2011-2165 | 1 Watchguard | 1 Xcs | 2024-02-28 | 6.8 MEDIUM | N/A |
The STARTTLS implementation in WatchGuard XCS 9.0 and 9.1 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. | |||||
CVE-2010-3707 | 1 Dovecot | 1 Dovecot | 2024-02-28 | 5.5 MEDIUM | N/A |
plugins/acl/acl-backend-vfile.c in Dovecot 1.2.x before 1.2.15 and 2.0.x before 2.0.5 interprets an ACL entry as a directive to add to the permissions granted by another ACL entry, instead of a directive to replace the permissions granted by another ACL entry, in certain circumstances involving more specific entries that occur after less specific entries, which allows remote authenticated users to bypass intended access restrictions via a request to read or modify a mailbox. | |||||
CVE-2011-2368 | 1 Mozilla | 1 Firefox | 2024-02-28 | 10.0 HIGH | N/A |
The WebGL implementation in Mozilla Firefox 4.x through 4.0.1 does not properly restrict write operations, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. | |||||
CVE-2011-4679 | 1 Vtiger | 1 Vtiger Crm | 2024-02-28 | 4.0 MEDIUM | N/A |
vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report. |