LiveActive security incident?Get immediate response
CVE archive

December 2011

Browse CVE records published in December 2011, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 358 matching CVEs · Page 3 of 8.

Unknown · CVSS Not scored

CVE-2011-5035: Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application...

Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.

Published Dec 30, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-5046: The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 an...

The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted data, as demonstrated by a large height attribute of an IFRAME element rendered by Safari, aka "GDI Access Violation Vulnerability."

Published Dec 30, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-5004: Unrestricted file upload vulnerability in models/importcsv.php in the Fabrik (com_fabrik) component before...

Unrestricted file upload vulnerability in models/importcsv.php in the Fabrik (com_fabrik) component before 2.1.1 for Joomla! allows remote authenticated users with Manager privileges to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.

Published Dec 25, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-5042: Cross-site scripting (XSS) vulnerability in inc/lib/lib.base.php in SASHA 0.2.0 allows remote attackers to...

Cross-site scripting (XSS) vulnerability in inc/lib/lib.base.php in SASHA 0.2.0 allows remote attackers to inject arbitrary web script or HTML via the instructors parameter. NOTE: the original disclosure also mentions the section_title parameter, but this was disputed by the vendor and retracted by the original researcher.

Published Dec 30, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-5012: Heap-based buffer overflow in the Reflection FTP Client (rftpcom.dll 7.2.0.106 and possibly other versions)...

Heap-based buffer overflow in the Reflection FTP Client (rftpcom.dll 7.2.0.106 and possibly other versions), as used in Attachmate Reflection 2008, Reflection 2011 R1 before 15.3.2.569 and R1 SP1 before, Reflection 2011 R2 before 15.4.1.327, Reflection Windows Client 7.2 SP1 before hotfix 7.2.1186, and Reflection 14.1 SP1 before 14.1.1.206, allows remote FTP servers to execute arbitrary code via a long directory name in a response to a LIST command.

Published Dec 25, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-5025: Multiple cross-site scripting (XSS) vulnerabilities in the wiki application in Yaws 1.88 allow remote attac...

Multiple cross-site scripting (XSS) vulnerabilities in the wiki application in Yaws 1.88 allow remote attackers to inject arbitrary web script or HTML via (1) the tag parameter to editTag.yaws, (2) the index parameter to showOldPage.yaws, (3) the node parameter to allRefsToMe.yaws, or (4) the text parameter to editPage.yaws.

Published Dec 29, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-4971: Multiple integer signedness errors in the (1) process_bin_sasl_auth, (2) process_bin_complete_sasl_auth, (3...

Multiple integer signedness errors in the (1) process_bin_sasl_auth, (2) process_bin_complete_sasl_auth, (3) process_bin_update, and (4) process_bin_append_prepend functions in Memcached 1.4.5 and earlier allow remote attackers to cause a denial of service (crash) via a large body length value in a packet.

Published Dec 12, 2013 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-5011: Multiple cross-site request forgery (CSRF) vulnerabilities in xt:Commerce 3.0.4 SP2.1 and possibly earlier...

Multiple cross-site request forgery (CSRF) vulnerabilities in xt:Commerce 3.0.4 SP2.1 and possibly earlier allow remote attackers to hijack the authentication of Admins for requests that (1) set a New user to Admin via the cID parameter to a statusconfirm action in admin/customers.php and (2) grant permissions to users via the cID parameter to a save action in admin/accounting.php.

Published Dec 25, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-4855: The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 omits the Content-Type header's charset...

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving admin/customer-service-plan/list/reset-search/true/ and certain other files. NOTE: it is possible that only clients, not the Plesk product, could be affected by this issue.

Published Dec 16, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-4852: The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates web pages containing external...

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates web pages containing external links in response to GET requests with query strings for enterprise/mobile-monitor/ and certain other files, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2) web-server Referer logs, related to a "cross-domain Referer leakage" issue.

Published Dec 16, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-4859: The Schneider Electric Quantum Ethernet Module, as used in the Quantum 140NOE771* and 140CPU65* modules, th...

The Schneider Electric Quantum Ethernet Module, as used in the Quantum 140NOE771* and 140CPU65* modules, the Premium TSXETY* and TSXP57* modules, the M340 BMXNOE01* and BMXP3420* modules, and the STB DIO STBNIC2212 and STBNIP2* modules, uses hardcoded passwords for the (1) AUTCSE, (2) AUT_CSE, (3) fdrusers, (4) ftpuser, (5) loader, (6) nic2212, (7) nimrohs2212, (8) nip2212, (9) noe77111_v500, (10) ntpupdate, (11) pcfactory, (12) sysdiag, (13) target, (14) test, (15) USER, and (16) webserver accounts, which makes it easier for remote attackers to obtain access via the (a) TELNET, (b) Windriver Debug, or (c) FTP port.

Published Dec 17, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-4862: Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applic...

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

Published Dec 25, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-4848: The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes a submitted password within an...

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes a submitted password within an HTTP response body, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by password handling in certain files under client@1/domain@1/backup/local-repository/.

Published Dec 16, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-4851: The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates a password form field without...

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates a password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation, as demonstrated by forms in server/google-tools/ and certain other files.

Published Dec 16, 2011 · Updated Aug 7, 2024

Unknown · CVSS Not scored

CVE-2011-4856: The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 sends incorrect Content-Type headers for...

The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 sends incorrect Content-Type headers for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving admin/health/parameters and certain other files. NOTE: it is possible that only clients, not the Plesk product, could be affected by this issue.

Published Dec 16, 2011 · Updated Aug 7, 2024