CVE-2012-2315
OpenKM 5.1.7 and earlier versions (before 5.1.8-2) suffer a privilege-escalation flaw in admin/Auth: the system does not properly enforce privileges for changing user roles via the userEdit action. Remote authenticated users can assign administrator privileges to arbitrary users. Root cause: imp...
CVE-2012-1467
CVE-2012-1467 relates to Open Journal Systems (OJS) versions prior to 2.3.7, where multiple directory traversal vulnerabilities exist in the iBrowser plugin library. Specifically, the param parameter passed to /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php can be manip...
CVE-2012-3528
Multiple cross-site scripting (XSS) vulnerabilities in the backend in TYPO3 4.5.x before 4.5.19, 4.6.x before 4.6.12 and 4.7.x before 4.7.4 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors...
CVE-2011-5141
Directory traversal vulnerability in exportcsv/exportcsvindex.php in Open Business Management (OBM) 2.4.0-rc13 and earlier allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the module parameter in an exportpage action...
DEBIAN-CVE-2012-2186
Incomplete blacklist vulnerability in main/manager.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert6, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 allows...
CVE-2012-4737
channels/chan_iax2.c in Asterisk Open Source 1.8.x before 1.8.15.1 and 10.x before 10.7.1, Certified Asterisk 1.8.11 before 1.8.11-cert7, Asterisk Digiumphones 10.x.x-digiumphones before 10.7.1-digiumphones, and Asterisk Business Edition C.3.x before C.3.7.6 does not enforce ACL rules during certa...
CVE-2012-1641
The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import...
CVE-2012-1644
The CVE-2012-1644 entry concerns the Drupal Organic Groups (OG) Vocabulary module. Affected component: OG Vocab 6.x-1.x before 6.x-1.2. Root cause: the module does not sufficiently enforce access controls on vocabularies, allowing remote authenticated users with certain administrator permissions ...
Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload
Elcom CMS - Community Manager Insecure File Upload Vulnerability - Security Advisory - SOS-12-008. Release Date: 24-Aug-2012. Last Update: -. Vendor Notification Date: 28-Oct-2011. Product: Elcom CMS - Community Manager. Platform...
CVE-2012-2297
Multiple cross-site scripting (XSS) vulnerabilities in the Creative Commons module 6.x-1.x before 6.x-1.1 for Drupal allow remote authenticated users with the administer creative commons permission to inject arbitrary web script or HTML via the (1) creativecommonsusermessage or (2)...
CVE-2010-5189
CVE-2010-5189 affects Blue Coat ProxySG (SGOS) prior to 4.3.4.1, 5.x prior to 5.4.5.1, 5.5 prior to 5.5.4.1, and 6.x prior to 6.1.1.1. The issue allows remote authenticated users to execute arbitrary CLI commands by leveraging read-only administrator privileges and establishing an HTTPS session. ...
CVE-2010-5090
SilverStripe
Default configuration
The installation script in Katello 1.0 and earlier does not properly generate the Application.config.secret_token value, which causes each default installation to have the same secret token, and allows remote attackers to authenticate to the CloudForms System Engine web interface as an arbitrary...
CVE-2012-3503
The CVE-2012-3503 issue affects Katello 1.0 and earlier, where the katello-common installation script fails to generate a unique Application.config.secret_token. As a result, every default installation uses the same secret_token, allowing a remote attacker to create a cookie and authenticate to t...
CVE-2012-3416
Condor before 7.8.2 allows remote attackers to bypass host-based authentication and execute actions such as ALLOW_ADMINISTRATOR or ALLOW_WRITE by connecting from a system with a spoofed reverse DNS hostname...
Elcom Community Manager 7.4.10 Shell Upload
Elcom CMS - Community Manager Insecure File Upload Vulnerability - Security Advisory - SOS-12-008. Release Date: 24-Aug-2012. Last Update: -. Vendor Notification Date: 28-Oct-2011. Product: Elcom CMS - Community Manager. Platform: ASP.NET. Affected versions: Elcom Community Manager version 7.4.10 and...
CVE-2012-0713
The CVE-2012-0713 entry concerns IBM DB2 XML Feature information disclosure. IBM’s advisory states that IBM DB2 products (DB2 9.7, including Express/Workgroup/Enterprise editions, and DB2 Connect variants, plus affected 9.8/9.5 lines) can be exploited remotely by a user with valid credentials who...
CVE-2012-4586
McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, accesses files with the privileges of the root user, which allows remote authenticated users to bypass intended permission settings by requesting a file...
Design/Logic Flaw
McAfee Email and Web Security (EWS) 5.x before 5.5 Patch 6 and 5.6 before Patch 3, and McAfee Email Gateway (MEG) 7.0 before Patch 1, allows remote authenticated users to reset the passwords of arbitrary administrative accounts via unspecified vectors...