Total
5252 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2010-3093 | 1 Drupal | 1 Drupal | 2025-04-11 | 3.5 LOW | N/A |
| The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue. | |||||
| CVE-2013-1285 | 1 Microsoft | 7 Windows 7, Windows 8, Windows Server 2003 and 4 more | 2025-04-11 | 7.2 HIGH | N/A |
| The USB kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, and Windows Server 2012 do not properly handle objects in memory, which allows physically proximate attackers to execute arbitrary code by connecting a crafted USB device, aka "Windows USB Descriptor Vulnerability," a different vulnerability than CVE-2013-1286 and CVE-2013-1287. | |||||
| CVE-2010-1066 | 1 The-ghost | 1 Ar Web Content Manager | 2025-04-11 | 5.0 MEDIUM | N/A |
| AR Web Content Manager (AWCM) 2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for control/db_backup.php. | |||||
| CVE-2011-3215 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2025-04-11 | 2.1 LOW | N/A |
| The kernel in Apple Mac OS X before 10.7.2 does not properly prevent FireWire DMA in the absence of a login, which allows physically proximate attackers to bypass intended access restrictions and discover a password by making a DMA request in the (1) loginwindow, (2) boot, or (3) shutdown state. | |||||
| CVE-2012-4470 | 2 Drupal, Philip Ludlam | 2 Drupal, Listhandler | 2025-04-11 | 7.5 HIGH | N/A |
| The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not properly check permissions when importing emails, which allows remote comment authors to bypass access restrictions and possibly have other unspecified impact. | |||||
| CVE-2013-0318 | 2 Banckle Chat Project, Drupal | 2 Banckle Chat, Drupal | 2025-04-11 | 10.0 HIGH | N/A |
| The admin page in the Banckle Chat module for Drupal does not properly restrict access, which allows remote attackers to bypass intended restrictions via unspecified vectors. | |||||
| CVE-2013-5137 | 1 Apple | 1 Iphone Os | 2025-04-11 | 2.6 LOW | N/A |
| IOKit in Apple iOS before 7 allows attackers to send user-interface events to the foreground app by leveraging control over a background app and using the (1) task-completion API or (2) VoIP API. | |||||
| CVE-2013-4987 | 1 Pineapp | 1 Mail-secure | 2025-04-11 | 8.5 HIGH | N/A |
| PineApp Mail-SeCure before 3.70 allows remote authenticated users to gain privileges by leveraging console access and providing shell metacharacters in a "system ping" command. | |||||
| CVE-2011-2677 | 1 Cybozu | 1 Office | 2025-04-11 | 5.5 MEDIUM | N/A |
| Cybozu Office before 8.0.0 allows remote authenticated users to bypass intended access restrictions and access sensitive information (time card and attendance) via unspecified vectors related to manipulation of a URL. | |||||
| CVE-2010-4549 | 2 Ibm, Nokia | 2 Lotus Notes Traveler, S60 | 2025-04-11 | 4.0 MEDIUM | N/A |
| IBM Lotus Notes Traveler before 8.5.1.3 on the Nokia s60 device successfully performs a Replace Data operation for a prohibited application, which allows remote authenticated users to bypass intended access restrictions via this operation. | |||||
| CVE-2013-1697 | 1 Mozilla | 3 Firefox, Thunderbird, Thunderbird Esr | 2025-04-11 | 9.3 HIGH | N/A |
| The XrayWrapper implementation in Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 does not properly restrict use of DefaultValue for method calls, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site that triggers use of a user-defined (1) toString or (2) valueOf method. | |||||
| CVE-2010-1916 | 2 S9y, Xinha | 2 Serendipity, Wysiwyg Editor | 2025-04-11 | 7.5 HIGH | N/A |
| The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin. | |||||
| CVE-2010-5089 | 1 Silverstripe | 1 Silverstripe | 2025-04-11 | 4.3 MEDIUM | N/A |
| SilverStripe before 2.4.2 does not properly restrict access to pages in draft mode, which allows remote attackers to obtain sensitive information. | |||||
| CVE-2012-5675 | 1 Adobe | 1 Coldfusion | 2025-04-11 | 4.4 MEDIUM | N/A |
| Adobe ColdFusion 9.0 through 9.0.2, and 10, allows local users to bypass intended shared-hosting sandbox permissions via unspecified vectors. | |||||
| CVE-2013-4401 | 1 Redhat | 1 Libvirt | 2025-04-11 | 8.5 HIGH | N/A |
| The virConnectDomainXMLToNative API function in libvirt 1.1.0 through 1.1.3 checks for the connect:read permission instead of the connect:write permission, which allows attackers to gain domain:write privileges and execute Qemu binaries via crafted XML. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2011-1984 | 1 Microsoft | 3 Windows 2003 Server, Windows Server 2003, Windows Server 2008 | 2025-04-11 | 7.2 HIGH | N/A |
| WINS in Microsoft Windows Server 2003 SP2 and Server 2008 SP2, R2, and R2 SP1 allows local users to gain privileges by sending crafted packets over the loopback interface, aka "WINS Local Elevation of Privilege Vulnerability." | |||||
| CVE-2010-5297 | 1 Wordpress | 1 Wordpress | 2025-04-11 | 2.1 LOW | N/A |
| WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change. | |||||
| CVE-2013-1801 | 1 John Nunemaker | 1 Httparty | 2025-04-11 | 7.5 HIGH | N/A |
| The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156. | |||||
| CVE-2013-0685 | 1 Invensys | 1 Wonderware Information Server | 2025-04-11 | 9.3 HIGH | N/A |
| Invensys Wonderware Information Server (WIS) 4.0 SP1SP1, 4.5- Portal, and 5.0- Portal does not restrict unspecified size and amount values, which allows remote attackers to execute arbitrary code or cause a denial of service (resource consumption) via unknown vectors. | |||||
| CVE-2012-5539 | 2 Drupal, Organic Groups Project | 2 Drupal, Organic Groups | 2025-04-11 | 3.5 LOW | N/A |
| The Organic Groups (OG) module 7.x-1.x before 7.x-1.5 for Drupal does not properly maintain pending group memberships, which allows remote authenticated users to post to arbitrary groups by modifying their own account while a pending membership is waiting to be approved. | |||||