LiveActive security incident?Get immediate response
CVE archive

May 2011

Browse CVE records published in May 2011, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 380 matching CVEs · Page 4 of 8.

Unknown · CVSS Not scored

CVE-2011-2158: The SmarterTools SmarterStats 6.0 web server sends incorrect Content-Type headers for certain resources, wh...

The SmarterTools SmarterStats 6.0 web server sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/frmSite.aspx, (2) Admin/frmSites.aspx, (3) Admin/frmViewReports.aspx, (4) App_Themes/AboutThisFolder.txt, (5) Client/frmViewReports.aspx, (6) Temp/AboutThisFolder.txt, (7) default.aspx, (8) login.aspx, or (9) certain .jpg URIs under Temp/. NOTE: it is possible that only clients, not the SmarterStats product, could be affected by this issue.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2214: Unspecified vulnerability in the Open Database Connectivity (ODBC) component in 7T Interactive Graphical SC...

Unspecified vulnerability in the Open Database Connectivity (ODBC) component in 7T Interactive Graphical SCADA System (IGSS) before 9.0.0.11143 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 20222, which triggers memory corruption related to an "invalid structure being used."

Published May 31, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2151: The (1) Admin/frmEmailReportSettings.aspx, (2) Admin/frmGeneralSettings.aspx, (3) Admin/frmSite.aspx, (4) C...

The (1) Admin/frmEmailReportSettings.aspx, (2) Admin/frmGeneralSettings.aspx, (3) Admin/frmSite.aspx, (4) Client/frmUser.aspx, and (5) Login.aspx components in the SmarterTools SmarterStats 6.0 web server accept cleartext passwords, which makes it easier for remote attackers to obtain sensitive information by sniffing the network.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2152: The SmarterTools SmarterStats 6.0 web server generates web pages containing external links in response to G...

The SmarterTools SmarterStats 6.0 web server generates web pages containing external links in response to GET requests with query strings for (1) Client/frmViewReports.aspx or (2) UserControls/Popups/frmHelp.aspx, which makes it easier for remote attackers to obtain sensitive information by reading (a) web-server access logs or (b) web-server Referer logs, related to a "cross-domain Referer leakage" issue.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2153: Login.aspx in the SmarterTools SmarterStats 6.0 web server supports URLs containing txtUser and txtPass par...

Login.aspx in the SmarterTools SmarterStats 6.0 web server supports URLs containing txtUser and txtPass parameters in the query string, which makes it easier for context-dependent attackers to discover credentials by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, related to a "cross-domain Referer leakage" issue.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2148: Admin/frmSite.aspx in the SmarterTools SmarterStats 6.0 web server allows remote attackers to execute arbit...

Admin/frmSite.aspx in the SmarterTools SmarterStats 6.0 web server allows remote attackers to execute arbitrary commands via vectors involving a leading and trailing & (ampersand) character, and (1) an STTTState cookie, (2) the ctl00%24MPH%24txtAdminNewPassword_SettingText parameter, (3) the ctl00%24MPH%24txtSmarterLogDirectory parameter, (4) the ctl00%24MPH%24ucSiteSeoSearchEngineSettings%24chklistEngines_SettingCheckBox%2414 parameter, (5) the ctl00%24MPH%24ucSiteSeoSettings%24txtSeoMaxKeywords_SettingText parameter, or (6) the ctl00_MPH_grdLogLocations_HiddenLSR parameter, related to an "OS command injection" issue.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2150: The SmarterTools SmarterStats 6.0 web server does not properly validate string data that is intended for st...

The SmarterTools SmarterStats 6.0 web server does not properly validate string data that is intended for storage in an XML document, which allows remote attackers to cause a denial of service (parsing error and daemon pause) via vectors involving (1) certain cookies in a SiteInfoLookup action to Admin/frmSites.aspx, or certain (2) cookies or (3) parameters to (a) Client/frmViewOverviewReport.aspx, (b) Client/frmViewReports.aspx, or (c) Services/SiteAdmin.asmx, as demonstrated by a ]]>> string, related to an "XML injection" issue.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2159: The SmarterTools SmarterStats 6.0 web server omits the Content-Type header for certain resources, which mig...

The SmarterTools SmarterStats 6.0 web server omits the Content-Type header for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving (1) Admin/Defaults/frmDefaultSiteSettings.aspx, (2) Admin/Defaults/frmServerDefaults.aspx, (3) Admin/frmReportSettings.aspx, (4) Admin/frmSite.aspx, (5) App_Themes/Default/ButtonBarIcons.xml, (6) App_Themes/Default/Skin.xml, (7) Client/frmImportSettings.aspx, (8) Client/frmSeoSettings.aspx, (9) Services/Web.config, (10) aspnet_client/system_web/4_0_30319/, (11) clientaccesspolicy.xml, (12) cloudscan.exe, (13) crossdomain.xml, or (14) sitemap.xml. NOTE: it is possible that only clients, not the SmarterStats product, could be affected by this issue.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2147: Openswan 2.2.x does not properly restrict permissions for (1) /var/run/starter.pid, related to starter.c in...

Openswan 2.2.x does not properly restrict permissions for (1) /var/run/starter.pid, related to starter.c in the IPsec starter, and (2) /var/lock/subsys/ipsec, which allows local users to kill arbitrary processes by writing a PID to a file, or possibly bypass disk quotas by writing arbitrary data to a file, as demonstrated by files with 0666 permissions, a different vulnerability than CVE-2011-1784.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2156: The SmarterTools SmarterStats 6.0 web server allows remote attackers to obtain directory listings via a dir...

The SmarterTools SmarterStats 6.0 web server allows remote attackers to obtain directory listings via a direct request for the (1) Admin/, (2) Admin/Defaults/, (3) Admin/GettingStarted/, (4) Admin/Popups/, (5) App_Themes/, (6) Client/, (7) Client/Popups/, (8) Services/, (9) Temp/, (10) UserControls/, (11) UserControls/PanelBarTemplates/, (12) UserControls/Popups/, (13) aspnet_client/, or (14) aspnet_client/system_web/ directory name, or (15) certain directory names under App_Themes/Default/.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2157: The (1) Admin/frmEmailReportSettings.aspx and (2) Admin/frmGeneralSettings.aspx components in the SmarterTo...

The (1) Admin/frmEmailReportSettings.aspx and (2) Admin/frmGeneralSettings.aspx components in the SmarterTools SmarterStats 6.0 web server generate web pages containing e-mail addresses, which allows remote attackers to obtain potentially sensitive information by reading the default values of form fields.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2149: Multiple SQL injection vulnerabilities in the SmarterTools SmarterStats 6.0 web server allow remote attacke...

Multiple SQL injection vulnerabilities in the SmarterTools SmarterStats 6.0 web server allow remote attackers to execute arbitrary SQL commands via certain parameters to (1) Admin/frmSite.aspx, (2) Default.aspx, (3) Services/SiteAdmin.asmx, or (4) Client/frmViewReports.aspx; certain cookies to (5) Services/SiteAdmin.asmx or (6) login.aspx; the Referer HTTP header to (7) Services/SiteAdmin.asmx or (8) login.aspx; or (9) the User-Agent HTTP header to Services/SiteAdmin.asmx.

Published May 20, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2089: Stack-based buffer overflow in the SetActiveXGUID method in the VersionInfo ActiveX control in GenVersion.d...

Stack-based buffer overflow in the SetActiveXGUID method in the VersionInfo ActiveX control in GenVersion.dll 8.0.138.0 in the WebHMI subsystem in ICONICS BizViz 9.x before 9.22 and GENESIS32 9.x before 9.22 allows remote attackers to execute arbitrary code via a long string in the argument. NOTE: some of these details are obtained from third party information.

Published May 13, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2022: The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 do...

The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does not validate a certain start parameter, which allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than CVE-2011-1745.

Published May 9, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-2075: Unspecified vulnerability in Google Chrome 11.0.696.65 on Windows 7 SP1 allows remote attackers to execute...

Unspecified vulnerability in Google Chrome 11.0.696.65 on Windows 7 SP1 allows remote attackers to execute arbitrary code via unknown vectors. NOTE: as of 20110510, the only disclosure is a vague advisory that possibly relates to multiple vulnerabilities or multiple products. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

Published May 10, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-1945: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digi...

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.

Published May 31, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-1926: The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, whi...

The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

Published May 23, 2011 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2011-1928: The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, a...

The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.

Published May 24, 2011 · Updated Aug 6, 2024