Medium · CVSS 6.9
AUTOMGEN versions up to and including 8.0.0.7 (also referenced as 8.022) contain a vulnerability in that project file handling frees an object and subsequently dereferences the stale pointer when processing certain malformed fields. The dangling-pointer use enables an attacker to influence an indirect call through attacker-controlled memory, resulting in denial-of-service. In some conditions, remote code execution may be possible.
Published Nov 12, 2025 · Updated May 14, 2026
High · CVSS 8.8 · CISA KEV
Unspecified vulnerability in the TrueType font parsing engine in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document or web page, as exploited in the wild in November 2011 by Duqu, aka "TrueType Font Parsing Vulnerability."
Published Nov 4, 2011 · Updated Oct 22, 2025
High · CVSS 7.3
Untrusted search path vulnerability in Windows Mail and Windows Meeting Space in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .eml or .wcinv file, aka "Windows Mail Insecure Library Loading Vulnerability."
Published Nov 8, 2011 · Updated Jun 4, 2025
Critical · CVSS 9.8
Integer overflow in the TCP/IP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code by sending a sequence of crafted UDP packets to a closed port, aka "Reference Counter Overflow Vulnerability."
Published Nov 8, 2011 · Updated Oct 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Pligg before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Nov 3, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in the web console in Zenprise Device Manager 6.x through 6.1.8 allows remote attackers to hijack the authentication of administrators for requests that wipe mobile devices.
Published Nov 21, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in the RV20 codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code via unknown vectors.
Published Nov 24, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via crafted video dimensions in an MP4 file.
Published Nov 24, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
CiviCRM 4.0.5 and 4.1.1 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Published Nov 6, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in index.php in JAKCMS 2.0.4.1, and possibly other versions before 2.2.6 2011-09-23, allows remote attackers to inject arbitrary web script or HTML via the userpost parameter in a PM request, related to tinymce. NOTE: some of these details are obtained from third party information.
Published Nov 28, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Stack-based buffer overflow in the xdrDecodeString function in XNFS.NLM in Novell NetWare 6.5 SP8 allows remote attackers to execute arbitrary code or cause a denial of service (abend or NFS outage) via long packets.
Published Nov 30, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Buffer overflow in MiniSmtp 3.0.11818 in NJStar Communicator allows remote attackers to execute arbitrary code via a crafted packet.
Published Nov 21, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The D-Link DIR-685 router, when certain WPA and WPA2 configurations are used, does not maintain an encrypted wireless network during transfer of a large amount of network traffic, which allows remote attackers to obtain sensitive information or bypass authentication via a Wi-Fi device.
Published Nov 22, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a malformed header in an MP4 file.
Published Nov 24, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in man2html.cgi.c in man2html 1.6, and possibly other version, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to error messages.
Published Nov 17, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
PayPal WPS ToolKit does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Published Nov 6, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The get_dataroot_image_path function in lib/file.php in Mahara before 1.4.1 does not properly validate uploaded image files, which allows remote attackers to cause a denial of service (memory consumption) via a (1) large or (2) invalid image.
Published Nov 15, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Services_Twitter 0.6.3 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Published Nov 6, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface on the Dell KACE K2000 System Deployment Appliance allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Nov 12, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Nov 23, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Mahara before 1.4.1, when MNet (aka the Moodle network feature) is used, allows remote authenticated users to gain privileges via a jump to an XMLRPC target.
Published Nov 15, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Array index error in the RV30 codec in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via unspecified vectors.
Published Nov 24, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The UPnP IGD implementation in the Broadcom UPnP stack on the Cisco Linksys WRT54G with firmware before 4.30.5, WRT54GS v1 through v3 with firmware before 4.71.1, and WRT54GS v4 with firmware before 1.06.1 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability.
Published Nov 22, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Investintech.com SlimPDF Reader does not properly restrict the arguments to unspecified function calls, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document.
Published Nov 1, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Dell KACE K2000 System Deployment Appliance allows remote attackers to execute arbitrary commands by leveraging database write access.
Published Nov 12, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
OWASP HTML Sanitizer (aka owasp-java-html-sanitizer) before 88, when JavaScript is disabled, allows user-assisted remote attackers to obtain potentially sensitive information via a crafted FORM element within a NOSCRIPT element.
Published Nov 17, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the RSS/Atom feed-reader implementation in Iwate Portal Bar allows remote attackers to inject arbitrary web script or HTML via a crafted feed.
Published Nov 9, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The UPnP IGD implementation in Edimax EdiLinux on the Edimax BR-6104K with firmware before 3.25, Edimax 6114Wg, Canyon-Tech CN-WF512 with firmware 1.83, Canyon-Tech CN-WF514 with firmware 2.08, Sitecom WL-153 with firmware before 1.39, and Sweex LB000021 with firmware 3.15 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability.
Published Nov 22, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted sample size in a RealAudio file.
Published Nov 24, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in eClient 7.3.2.3 in Enspire Distribution Management Solution 7.3.2.7 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Published Nov 1, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to obtain sensitive information via an array-typed js_frame parameter to phpmyadmin.css.php, which reveals the installation path in an error message.
Published Nov 17, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The RV10 codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code via a crafted sample height.
Published Nov 24, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in SKYARC MTCMS before 5.252, and the MultiFileUploader 0.44 and earlier, DuplicateEntry 1.2 and earlier, MailPack 1.741 and earlier, and AutoTagging 0.08 and earlier plugins for Movable Type, allows remote attackers to hijack the authentication of arbitrary users for requests that modify data.
Published Nov 3, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
tmhOAuth before 0.61 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Published Nov 6, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Moneris eSelectPlus 2.03 PHP API does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Published Nov 6, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Apple WebObjects 5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Nov 9, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) URI attributes and (2) the External Feed component, as demonstrated by the guid element in an RSS feed.
Published Nov 15, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The UPnP IGD implementation in Edimax EdiLinux on the Edimax BR-6104K with firmware before 3.25, Edimax 6114Wg, Canyon-Tech CN-WF512 with firmware 1.83, Canyon-Tech CN-WF514 with firmware 2.08, Sitecom WL-153 with firmware before 1.39, and Sweex LB000021 with firmware 3.15 allows remote attackers to execute arbitrary commands via shell metacharacters.
Published Nov 22, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a malformed AAC file.
Published Nov 24, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted QCELP stream.
Published Nov 24, 2011 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code via an invalid codec name.
Published Nov 24, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in wp-postratings.php in the WP-PostRatings plugin 1.50, 1.61, and probably other versions before 1.62 for WordPress allows remote authenticated users with the Author role to execute arbitrary SQL commands via the id attribute of the ratings shortcode when creating a post. NOTE: some of these details are obtained from third party information.
Published Nov 30, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The Cook codec in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via crafted channel data.
Published Nov 24, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in CourseForum ProjectForum 7.0.1.3038 allows remote attackers to inject arbitrary web script or HTML via a crafted name of an object within a more object on a wiki page.
Published Nov 3, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Integer underflow in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted width value in an MPG file.
Published Nov 24, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SKYARC MTCMS before 5.252, and the MultiFileUploader 0.44 and earlier, DuplicateEntry 1.2 and earlier, MailPack 1.741 and earlier, and AutoTagging 0.08 and earlier plugins for Movable Type, uses weak permissions, which allows remote authenticated users to modify files and settings via unspecified vectors.
Published Nov 3, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
google-checkout-php-sample-code before 1.3.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Published Nov 6, 2012 · Updated Sep 16, 2024
Unknown · CVSS Not scored
QIS_wizard.htm on the ASUS RT-N56U router with firmware before 1.0.1.4o allows remote attackers to obtain the administrator password via a flag=detect request.
Published Nov 21, 2011 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in spell-check-savedicts.php in the SpellChecker module in Xinha, as used in WikiWig 5.01 and possibly other products, allow remote attackers to inject arbitrary web script or HTML via the (1) to_p_dict or (2) to_r_list parameter. NOTE: this issue might be related to the htmlarea plugin and CVE-2013-5670.
Published Nov 5, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Web Administrator component in GE Intelligent Platforms Proficy Historian 4.x and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
Published Nov 2, 2011 · Updated Sep 16, 2024