Total: 5457 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-4152 | 2 Springsource, Vmware | 2 Spring Framework, Spring Framework | 2025-04-11 | 6.8 MEDIUM | N/A |
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue. | |||||
CVE-2011-4944 | 1 Python | 1 Python | 2025-04-11 | 1.9 LOW | N/A |
Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file. | |||||
CVE-2008-7277 | 1 Otrs | 1 Otrs | 2025-04-11 | 6.5 MEDIUM | N/A |
Open Ticket Request System (OTRS) before 2.3.0-beta4 checks for the rw permission, instead of the configured merge permission, during authorization of merge operations, which might allow remote authenticated users to bypass intended access restrictions by merging two tickets. | |||||
CVE-2012-4566 | 1 Uninett | 1 Radsecproxy | 2025-04-11 | 6.4 MEDIUM | N/A |
The DTLS support in radsecproxy before 1.6.2 does not properly verify certificates when there are configuration blocks with CA settings that are unrelated to the block being used for verifying the certificate chain, which might allow remote attackers to bypass intended access restrictions and spoof clients, a different vulnerability than CVE-2012-4523. | |||||
CVE-2011-2429 | 6 Adobe, Apple, Google and 3 more | 6 Flash Player, Mac Os X, Android and 3 more | 2025-04-11 | 5.0 MEDIUM | N/A |
Adobe Flash Player before 10.3.183.10 on Windows, Mac OS X, Linux, and Solaris, and before 10.3.186.7 on Android, allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, related to a "security control bypass." | |||||
CVE-2010-0791 | 1 Ncpfs | 1 Ncpfs | 2025-04-11 | 2.1 LOW | N/A |
The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in ncpfs 2.2.6 do not properly create lock files, which allows local users to cause a denial of service (application failure) via unspecified vectors that trigger the creation of a /etc/mtab~ file that persists after the program exits. | |||||
CVE-2013-2506 | 1 Spreecommerce | 1 Spree | 2025-04-11 | 4.0 MEDIUM | N/A |
app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves. | |||||
CVE-2011-4718 | 1 Php | 1 Php | 2025-04-11 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID. | |||||
CVE-2010-0230 | 1 Suse | 2 Opensuse, Suse Linux | 2025-04-11 | 7.5 HIGH | N/A |
SUSE Linux Enterprise 10 SP3 (SLE10-SP3) and openSUSE 11.2 configure postfix to listen on all network interfaces, which might allow remote attackers to bypass intended access restrictions. | |||||
CVE-2013-6128 | 1 Wellintech | 1 Kingview | 2025-04-11 | 5.8 MEDIUM | N/A |
The KCHARTXYLib.KChartXY ActiveX control in KChartXY.ocx before 65.30.30000.10002 in WellinTech KingView before 6.53 does not properly restrict SaveToFile method calls, which allows remote attackers to create or overwrite arbitrary files, and subsequently execute arbitrary programs, via the single pathname argument, as demonstrated by a directory traversal attack. | |||||
CVE-2010-2199 | 1 Rpm | 1 Rpm | 2025-04-11 | 7.2 HIGH | N/A |
lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade or deletion of the file in an RPM package removal, which might allow local users to bypass intended access restrictions by creating a hard link to a vulnerable file that has a POSIX ACL, a related issue to CVE-2010-2059. | |||||
CVE-2011-3440 | 1 Apple | 2 Ipad2, Iphone Os | 2025-04-11 | 1.2 LOW | N/A |
The Passcode Lock feature in Apple iOS before 5.0.1 on the iPad 2 does not properly implement the locked state, which allows physically proximate attackers to access data by opening a Smart Cover during power-off confirmation. | |||||
CVE-2013-1672 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Thunderbird and 1 more | 2025-04-11 | 6.9 MEDIUM | N/A |
The Mozilla Maintenance Service in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 on Windows allows local users to bypass integrity verification and gain privileges via vectors involving junctions. | |||||
CVE-2012-1429 | 8 Aladdin, Comodo, Emsisoft and 5 more | 9 Esafe, Comodo Antivirus, Anti-malware and 6 more | 2025-04-11 | 4.3 MEDIUM | N/A |
The ELF file parser in Bitdefender 7.2, Comodo Antivirus 7424, Emsisoft Anti-Malware 5.1.0.1, eSafe 7.0.17.0, F-Secure Anti-Virus 9.0.16160.0, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, and nProtect Anti-Virus 2011-01-17.01 allows remote attackers to bypass malware detection via an ELF file with a ustar character sequence at a certain location. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. | |||||
CVE-2012-0475 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2025-04-11 | 2.6 LOW | N/A |
Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and SeaMonkey before 2.9 do not properly construct the Origin and Sec-WebSocket-Origin HTTP headers, which might allow remote attackers to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or (2) WebSocket operation involving a nonstandard port number and an IPv6 address that contains certain zero fields. | |||||
CVE-2013-1977 | 1 Openstack | 1 Devstack | 2025-04-11 | 2.1 LOW | N/A |
OpenStack devstack uses world-readable permissions for keystone.conf, which allows local users to obtain sensitive information such as the LDAP password and admin_token secret by reading the file. | |||||
CVE-2012-0680 | 1 Apple | 1 Safari | 2025-04-11 | 5.0 MEDIUM | N/A |
Apple Safari before 6.0 does not properly handle the autocomplete attribute of a password input element, which allows remote attackers to bypass authentication by leveraging an unattended workstation. | |||||
CVE-2011-1740 | 1 Emc | 1 Avamar | 2025-04-11 | 7.7 HIGH | N/A |
EMC Avamar 4.x, 5.0.x, and 6.0.x before 6.0.0-592 allows remote authenticated users to modify client data or obtain sensitive information about product activities by leveraging privileged access to a different domain. | |||||
CVE-2011-1548 | 2 Debian, Gentoo | 2 Linux, Logrotate | 2025-04-11 | 6.3 MEDIUM | N/A |
The default configuration of logrotate on Debian GNU/Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by /var/log/postgresql/. | |||||
CVE-2013-5548 | 1 Cisco | 1 Ios | 2025-04-11 | 4.3 MEDIUM | N/A |
The IKEv2 implementation in Cisco IOS, when AES-GCM or AES-GMAC is used, allows remote attackers to bypass certain IPsec anti-replay features via IPsec tunnel traffic, aka Bug ID CSCuj47795. |