Total
5482 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-5055 | 1 Otrs | 1 Otrs | 2025-04-11 | 3.5 LOW | N/A |
|
Open Ticket Request System (OTRS) before 2.4.4 grants ticket access on the basis of single-digit substrings of the CustomerID value, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by visiting a ticket, as demonstrated by leveraging the CustomerID 12 account to read tickets that should be available only to CustomerID 1 or CustomerID 2.
|
|||||
| CVE-2013-4548 | 1 Openbsd | 1 Openssh | 2025-04-11 | 6.0 MEDIUM | N/A |
|
The mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address.
|
|||||
| CVE-2012-3739 | 1 Apple | 1 Iphone Os | 2025-04-11 | 2.1 LOW | N/A |
|
The Passcode Lock implementation in Apple iOS before 6 allows physically proximate attackers to bypass an intended passcode requirement via vectors involving use of the camera.
|
|||||
| CVE-2011-1828 | 1 Evan Dandrea | 1 Usb-creator | 2025-04-11 | 2.1 LOW | N/A |
|
usb-creator-helper in usb-creator before 0.2.28.3 does not enforce intended PolicyKit restrictions, which allows local users to perform arbitrary unmount operations via the UnmountFile method in a dbus-send command.
|
|||||
| CVE-2010-2353 | 2 Drupal, Yves Chedemois | 2 Drupal, Cck | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The Node Reference module in Content Construction Kit (CCK) module 6.x before 6.x-2.7 for Drupal does not perform access checks for the source field in the backend URL for the autocomplete widget, which allows remote attackers to discover titles and IDs of controlled nodes.
|
|||||
| CVE-2013-2263 | 1 Citrix | 1 Access Gateway | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Unspecified vulnerability in Citrix Access Gateway Standard Edition 5.0.x before 5.0.4.223524 allows remote attackers to access network resources via unknown attack vectors.
|
|||||
| CVE-2012-2949 | 2 Google, Zte | 2 Android, Score M | 2025-04-11 | 10.0 HIGH | N/A |
|
The ZTE sync_agent program for Android 2.3.4 on the Score M device uses a hardcoded ztex1609523 password to control access to commands, which allows remote attackers to gain privileges via a crafted application.
|
|||||
| CVE-2012-4452 | 1 Oracle | 1 Mysql | 2025-04-11 | 2.1 LOW | N/A |
|
MySQL 5.0.88, and possibly other versions and platforms, allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_rea ...
Show More |
|||||
| CVE-2013-0479 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2025-04-11 | 4.0 MEDIUM | N/A |
|
IBM Sterling B2B Integrator 5.1 and 5.2 and Sterling File Gateway 2.1 and 2.2 do not properly restrict file types and extensions, which allows remote authenticated users to bypass intended access restrictions via a crafted filename.
|
|||||
| CVE-2012-5471 | 1 Moodle | 1 Moodle | 2025-04-11 | 6.5 MEDIUM | N/A |
|
The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to access the Dropbox of a different user by leveraging an unattended workstation after a logout.
|
|||||
| CVE-2012-5298 | 1 Mavili Guestbook Project | 1 Mavili Guestbook | 2025-04-11 | 5.0 MEDIUM | N/A |
|
Mavili Guestbook, as released in November 2007, stores guestbook.mdb under the web root with insufficient access control, which allows remote attackers to read the database via a direct request.
|
|||||
| CVE-2010-0401 | 1 Openttd | 1 Openttd | 2025-04-11 | 6.5 MEDIUM | N/A |
|
OpenTTD before 1.0.1 accepts a company password for authentication in response to a request for the server password, which allows remote authenticated users to bypass intended access restrictions or cause a denial of service (daemon crash) by sending a company password packet.
|
|||||
| CVE-2011-2584 | 1 Cisco | 1 Show And Share | 2025-04-11 | 7.5 HIGH | N/A |
|
Cisco Show and Share 5(2), 5.2(1), and 5.2(2) before 5.2(2.1) allows remote attackers to access the (1) Encoders and Pull Configurations, (2) Push Configurations, (3) Video Encoding Formats, and (4) Transcoding administration pages, and cause a denial of service (live event outage) or obtain potentially sensitive information, via unspecified vectors, aka Bug ID CSCto73758.
|
|||||
| CVE-2013-4672 | 1 Symantec | 3 Web Gateway, Web Gateway Appliance 8450, Web Gateway Appliance 8490 | 2025-04-11 | 7.2 HIGH | N/A |
|
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 has an incorrect sudoers file, which allows local users to bypass intended access restrictions via a command.
|
|||||
| CVE-2011-5097 | 1 Opscode | 1 Chef | 2025-04-11 | 5.5 MEDIUM | N/A |
|
chef-server-api/app/controllers/cookbooks.rb in Chef Server in Chef before 0.9.18, and 0.10.x before 0.10.2, does not require administrative privileges for the update and destroy methods, which allows remote authenticated users to (1) upload cookbooks via a knife cookbook upload command or (2) delete cookbooks via a knife cookbook delete command.
|
|||||
| CVE-2014-1903 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2025-04-11 | 7.5 HIGH | N/A |
|
admin/libraries/view.functions.php in FreePBX 2.9 before 2.9.0.14, 2.10 before 2.10.1.15, 2.11 before 2.11.0.23, and 12 before 12.0.1alpha22 does not restrict the set of functions accessible to the API handler, which allows remote attackers to execute arbitrary PHP code via the function and args parameters to admin/config.php.
|
|||||
| CVE-2013-2934 | 1 Citrix | 1 Cloudportal Services Manager | 2025-04-11 | 10.0 HIGH | N/A |
|
Citrix CloudPortal Services Manager (aka Cortex) 10.0 before Cumulative Update 3 does not properly restrict access to web services, which has unspecified impact and attack vectors, a different vulnerability than other CVEs listed in CTX137162.
|
|||||
| CVE-2010-5190 | 1 Bluecoat | 16 Proxysg, Proxysg Sg210-10, Proxysg Sg210-25 and 13 more | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The Active Content Transformation functionality in Blue Coat ProxySG before SGOS 4.3.4.2, 5.x before SGOS 5.4.5.1, 5.5 before SGOS 5.5.4.1, and 6.x before SGOS 6.1.2.1 allows remote attackers to bypass JavaScript detection via HTML entities.
|
|||||
| CVE-2010-1067 | 1 Hasmir Alic | 1 E-membres | 2025-04-11 | 5.0 MEDIUM | N/A |
|
E-membres 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/bdEMembres.mdb.
|
|||||
| CVE-2013-0798 | 2 Google, Mozilla | 2 Android, Firefox | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Mozilla Firefox before 20.0 on Android uses world-writable and world-readable permissions for the app_tmp installation directory in the local filesystem, which allows attackers to modify add-ons before installation via an application that leverages the time window during which app_tmp is used.
|
|||||
| CVE-2012-4907 | 1 Google | 2 Android, Chrome | 2025-04-11 | 9.3 HIGH | N/A |
|
Google Chrome before 18.0.1025308 on Android does not properly restrict access from JavaScript code to Android APIs, which allows remote attackers to have an unspecified impact via a crafted web page.
|
|||||
| CVE-2011-1404 | 1 Mahara | 1 Mahara | 2025-04-11 | 4.0 MEDIUM | N/A |
|
Mahara before 1.3.6 does not properly restrict the data in responses to AJAX calls, which allows remote authenticated users to obtain sensitive information via a request associated with (1) blocktype/myfriends/myfriends.json.php, (2) json/usersearch.php, (3) group/membersearchresults.json.php, or (4) json/friendsearch.php, as demonstrated by information about friends and e-mail addresses.
|
|||||
| CVE-2012-1966 | 1 Mozilla | 1 Firefox | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do not have the same context-menu restrictions for data: URLs as for javascript: URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.
|
|||||
| CVE-2010-1207 | 1 Mozilla | 2 Firefox, Thunderbird | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 do not properly implement read restrictions for CANVAS elements, which allows remote attackers to obtain sensitive cross-origin information via vectors involving reference retention and node deletion.
|
|||||
| CVE-2013-6436 | 1 Redhat | 1 Libvirt | 2025-04-11 | 2.1 LOW | N/A |
|
The lxcDomainGetMemoryParameters method in lxc/lxc_driver.c in libvirt 1.0.5 through 1.2.0 does not properly check the status of LXC guests when reading memory tunables, which allows local users to cause a denial of service (NULL pointer dereference and libvirtd crash) via a guest in the shutdown status, as demonstrated by the "virsh memtune" command.
|
|||||
| CVE-2013-4707 | 1 Dlink | 2 Des-3810, Des-3810 Firmware | 2025-04-11 | 6.3 MEDIUM | N/A |
|
The SSH implementation on D-Link Japan DES-3810 devices with firmware before R2.20.011 allows remote authenticated users to cause a denial of service (device hang) by leveraging login access.
|
|||||
| CVE-2010-2685 | 1 Customerparadigm | 1 Pagedirector Cms | 2025-04-11 | 7.5 HIGH | N/A |
|
siteadmin/adduser.php in Customer Paradigm PageDirector CMS does not properly restrict access, which allows remote attackers to bypass intended restrictions and add administrative users via a direct request.
|
|||||
| CVE-2012-1119 | 1 Mantisbt | 1 Mantisbt | 2025-04-11 | 6.4 MEDIUM | N/A |
|
MantisBT before 1.2.9 does not audit when users copy or clone a bug report, which makes it easier for remote attackers to copy bug reports without detection.
|
|||||
| CVE-2013-1696 | 1 Mozilla | 1 Firefox | 2025-04-11 | 4.0 MEDIUM | N/A |
|
Mozilla Firefox before 22.0 does not properly enforce the X-Frame-Options protection mechanism, which allows remote attackers to conduct clickjacking attacks via a crafted web site that uses the HTTP server push feature with multipart responses.
|
|||||
| CVE-2003-1594 | 1 Novell | 2 Netware, Netware Ftp Server | 2025-04-11 | 7.5 HIGH | N/A |
|
NWFTPD.nlm before 5.04.05 in the FTP server in Novell NetWare 6.5 does not properly enforce FTPREST.TXT settings, which allows remote attackers to bypass intended access restrictions via an FTP session.
|
|||||
| CVE-2010-5072 | 1 Opera | 1 Opera Browser | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The JavaScript implementation in Opera 10.5 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web pages by calling this method.
|
|||||
| CVE-2010-0255 | 1 Microsoft | 8 Internet Explorer, Windows 2000, Windows 2003 Server and 5 more | 2025-04-11 | 4.3 MEDIUM | N/A |
|
Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving JavaScript exploit code that constructs a reference to a file://127.0.0.1 URL, aka the dynamic OBJECT tag vulnerability, as demonstrated by obtaining the data from an index.dat file, a variant of CVE-2009-1140 and related to CVE-2008-1448.
|
|||||
| CVE-2013-3016 | 1 Ibm | 1 Websphere Portal | 2025-04-11 | 5.0 MEDIUM | N/A |
|
IBM WebSphere Portal 6.1, 7.0, and 8.0 allows remote attackers to access the user directory via a crafted request for a servlet, related to the serveServletsByClassnameEnabled setting.
|
|||||
| CVE-2012-2217 | 1 Htc | 14 Evo 3d, Evo 3d Software, Evo 4g and 11 more | 2025-04-11 | 6.4 MEDIUM | N/A |
|
The HTC IQRD service for Android on the HTC EVO 4G before 4.67.651.3, EVO Design 4G before 2.12.651.5, Shift 4G before 2.77.651.3, EVO 3D before 2.17.651.5, EVO View 4G before 2.23.651.1, Vivid before 3.26.502.56, and Hero does not restrict localhost access to TCP port 2479, which allows remote attackers to (1) send SMS messages, (2) obtain the Network Access Identifier (NAI) and its password, or trigger (3) popup messages or (4) tones via a crafted application that leverages the android.permiss ...
Show More |
|||||
| CVE-2012-0776 | 1 Adobe | 2 Acrobat, Acrobat Reader | 2025-04-11 | 10.0 HIGH | N/A |
|
The installer in Adobe Reader 9.x before 9.5.1 and 10.x before 10.1.3 allows attackers to bypass intended access restrictions and execute arbitrary code via unspecified vectors.
|
|||||
| CVE-2010-2198 | 1 Rpm | 1 Rpm | 2025-04-11 | 7.2 HIGH | N/A |
|
lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to gain privileges or bypass intended access restrictions by creating a hard link to a vulnerable file that has (1) POSIX file capabilities or (2) SELinux context information, a related issue to CVE-2010-2059.
|
|||||
| CVE-2010-3474 | 1 Ibm | 1 Db2 | 2025-04-11 | 5.0 MEDIUM | N/A |
|
IBM DB2 9.7 before FP3 does not perform the expected drops or invalidations of dependent functions upon a loss of privileges by the functions' owners, which allows remote authenticated users to bypass intended access restrictions via calls to these functions, a different vulnerability than CVE-2009-3471.
|
|||||
| CVE-2011-0729 | 1 Ubuntu | 1 Language-selector | 2025-04-11 | 7.2 HIGH | N/A |
|
dbus_backend/ls-dbus-backend in the D-Bus backend in language-selector before 0.6.7 does not restrict access on the basis of a PolicyKit check result, which allows local users to modify the /etc/default/locale and /etc/environment files via a (1) SetSystemDefaultLangEnv or (2) SetSystemDefaultLanguageEnv call.
|
|||||
| CVE-2012-1078 | 2 Claus Due, Typo3 | 2 Sysutils, Typo3 | 2025-04-11 | 5.0 MEDIUM | N/A |
|
The System Utilities (sysutils) extension 1.0.3 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unspecified vectors related to improper "protection" of the "backup output directory."
|
|||||
| CVE-2013-2188 | 1 Redhat | 1 Enterprise Linux | 2025-04-11 | 4.7 MEDIUM | N/A |
|
A certain Red Hat patch to the do_filp_open function in fs/namei.c in the kernel package before 2.6.32-358.11.1.el6 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle failure to obtain write permissions, which allows local users to cause a denial of service (system crash) by leveraging access to a filesystem that is mounted read-only.
|
|||||