LiveActive security incident?Get immediate response
CVE archive

July 2012

Browse CVE records published in July 2012, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 491 matching CVEs · Page 1 of 10.

Critical · CVSS 9.3

CVE-2012-10021: D-Link DIR-605L Captcha Handling Buffer Overflow

A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12 and 1.13 via the getAuthCode() function. The flaw arises from unsafe usage of sprintf() when processing user-supplied CAPTCHA data via the FILECODE parameter in /goform/formLogin. A remote unauthenticated attacker can exploit this to execute arbitrary code with root privileges on the device.

Published Jul 31, 2025 · Updated May 14, 2026

High · CVSS 7.8 · CISA KEV

CVE-2012-1854: Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Go...

Untrusted search path vulnerability in VBE6.dll in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Microsoft Visual Basic for Applications (VBA); and Summit Microsoft Visual Basic for Applications SDK allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Visual Basic for Applications Insecure Library Loading Vulnerability," as exploited in the wild in July 2012.

Published Jul 10, 2012 · Updated Apr 14, 2026

Critical · CVSS 9.8

CVE-2012-10019: Front-end Editor < 2.3 - Arbitrary File Upload

The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Published Jul 19, 2025 · Updated Apr 8, 2026

Critical · CVSS 9.8

CVE-2012-10020: FoxyPress <= 0.4.2.1 - Arbitrary File Upload

The FoxyPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadify.php file in versions up to, and including, 0.4.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.

Published Jul 22, 2025 · Updated Apr 8, 2026

High · CVSS 7.4

CVE-2012-3372: The default configuration of Cyberoam UTM appliances uses the same Certification Authority certificate and...

The default configuration of Cyberoam UTM appliances uses the same Certification Authority certificate and same private key across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging the presence of the Cyberoam_SSL_CA certificate in a list of trusted root certification authorities. NOTE: the vendor disputes the significance of this issue because the appliance "does not allow import or export of the foresaid private key.

Published Jul 9, 2012 · Updated Jan 27, 2025

Critical · CVSS 9.8

CVE-2012-1891: Heap-based buffer overflow in Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2 and Windows Data Acce...

Heap-based buffer overflow in Microsoft Data Access Components (MDAC) 2.8 SP1 and SP2 and Windows Data Access Components (WDAC) 6.0 allows remote attackers to execute arbitrary code via crafted XML data that triggers access to an uninitialized object in memory, aka "ADO Cachesize Heap Overflow RCE Vulnerability."

Published Jul 10, 2012 · Updated Oct 17, 2024

Unknown · CVSS Not scored

CVE-2012-2486: The Cisco Discovery Protocol (CDP) implementation on Cisco TelePresence Multipoint Switch before 1.9.0, Cis...

The Cisco Discovery Protocol (CDP) implementation on Cisco TelePresence Multipoint Switch before 1.9.0, Cisco TelePresence Immersive Endpoint Devices before 1.9.1, Cisco TelePresence Manager before 1.9.0, and Cisco TelePresence Recording Server before 1.8.1 allows remote attackers to execute arbitrary code by leveraging certain adjacency and sending a malformed CDP packet, aka Bug IDs CSCtz40953, CSCtz40947, CSCtz40965, and CSCtz40953.

Published Jul 12, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-3005: Untrusted search path vulnerability in Invensys Wonderware InTouch 2012 and earlier, as used in Wonderware...

Untrusted search path vulnerability in Invensys Wonderware InTouch 2012 and earlier, as used in Wonderware Application Server, Wonderware Information Server, Foxboro Control Software, InFusion CE/FE/SCADA, InBatch, and Wonderware Historian, allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.

Published Jul 26, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-3887: AirDroid before 1.0.7 beta uses a cleartext base64 format for data transfer that is documented as an "Encry...

AirDroid before 1.0.7 beta uses a cleartext base64 format for data transfer that is documented as an "Encrypted Transmission" feature, which allows remote attackers to obtain sensitive information by sniffing the local wireless network, as demonstrated by the SMS message content sent to the sdctl/sms/send/single/ URI.

Published Jul 26, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-3829: Joomla!

Joomla! 2.5.3 allows remote attackers to obtain the installation path via the Host HTTP Header.

Published Jul 3, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-6580: Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ens...

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for remote attackers to spoof details of a message's origin or interfere with encryption-policy auditing via an e-mail message to a queue's address.

Published Jul 24, 2013 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-3836: Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.0 allow remote attackers to in...

Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) groupname parameter in a savecategory in the users module; (2) virtual_filename, (3) branch, (4) contact_person, (5) street, (6) city, (7) province, (8) postal, (9) country, (10) tollfree, (11) phone, (12) fax, or (13) mobile parameter in a saveitem action in the contacts module; (14) title parameter in a savecategory action in the menus module; (15) firstname or (16) lastname in a saveitem action in the users module; (17) meta_key or (18) meta_description in a saveitem action in the blog module; or (19) the PATH_INFO to admin/index.php.

Published Jul 3, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-1493: F5 BIG-IP appliances 9.x before 9.4.8-HF5, 10.x before 10.2.4, 11.0.x before 11.0.0-HF2, and 11.1.x before...

F5 BIG-IP appliances 9.x before 9.4.8-HF5, 10.x before 10.2.4, 11.0.x before 11.0.0-HF2, and 11.1.x before 11.1.0-HF3, and Enterprise Manager before 2.1.0-HF2, 2.2.x before 2.2.0-HF1, and 2.3.x before 2.3.0-HF3, use a single SSH private key across different customers' installations and do not properly restrict access to this key, which makes it easier for remote attackers to perform SSH logins via the PubkeyAuthentication option.

Published Jul 9, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-2674: Multiple integer overflows in the (1) chk_malloc, (2) leak_malloc, and (3) leak_memalign functions in libc/...

Multiple integer overflows in the (1) chk_malloc, (2) leak_malloc, and (3) leak_memalign functions in libc/bionic/malloc_debug_leak.c in Bionic (libc) for Android, when libc.debug.malloc is set, make it easier for context-dependent attackers to perform memory-related attacks such as buffer overflows via a large size value, which causes less memory to be allocated than expected.

Published Jul 25, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-6581: Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remot...

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended restrictions on reading keys in the product's keyring, and trigger outbound e-mail messages signed by an arbitrary stored secret key, by leveraging a UI e-mail signing privilege.

Published Jul 24, 2013 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-1163: Integer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allows remote attackers to exec...

Integer overflow in the _zip_readcdir function in zip_open.c in libzip 0.10 allows remote attackers to execute arbitrary code via the size and offset values for the central directory in a zip archive, which triggers "improper restrictions of operations within the bounds of a memory buffer" and an information leak.

Published Jul 12, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-4043: Cross-site scripting (XSS) vulnerability in global-protect/login.esp in Palo Alto Networks Global Protect P...

Cross-site scripting (XSS) vulnerability in global-protect/login.esp in Palo Alto Networks Global Protect Portal, Global Protect Gateway, and SSL VPN portals 3.1.x through 3.1.11 and 4.0.x through 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the inputStr parameter in a Login action.

Published Jul 26, 2012 · Updated Sep 17, 2024