LiveActive security incident?Get immediate response
CVE archive

October 2012

Browse CVE records published in October 2012, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 579 matching CVEs · Page 1 of 12.

High · CVSS 8.7

CVE-2012-10063: Nagios XI < 2012R1.3 Authenticated SQL Injection in Legacy CCM

Nagios XI versions prior to 2012R1.3 contain a SQL injection vulnerability in the legacy Core Configuration Manager (CCM) interface. Authenticated users could manipulate SQL queries by supplying crafted input to specific CCM parameters, potentially allowing access to configuration data stored in the application database. Successful exploitation could disclose or modify notification data and, in some cases, impact the application database more broadly.

Published Oct 30, 2025 · Updated Nov 24, 2025

Critical · CVSS 9.1 · CISA KEV

CVE-2012-3152: Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 1...

Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.4, 11.1.1.6, and 11.1.2.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Report Server Component. NOTE: the previous information is from the October 2012 CPU. Oracle has not commented on claims from the original researcher that the URLPARAMETER functionality allows remote attackers to read and upload arbitrary files to reports/rwservlet, and that this issue occurs in earlier versions. NOTE: this can be leveraged with CVE-2012-3153 to execute arbitrary code by uploading a .jsp file.

Published Oct 16, 2012 · Updated Oct 22, 2025

High · CVSS 7.3

CVE-2012-5379: Untrusted search path vulnerability in the installation functionality in ActivePython 3.2.2.3, when install...

Untrusted search path vulnerability in the installation functionality in ActivePython 3.2.2.3, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Python27 or C:\Python27\Scripts directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the ActivePython installation

Published Oct 11, 2012 · Updated Jan 16, 2025

Unknown · CVSS Not scored

CVE-2012-4065: Eucalyptus before 3.1.1 does not properly restrict the binding of external SOAP web-services messages, whic...

Eucalyptus before 3.1.1 does not properly restrict the binding of external SOAP web-services messages, which allows remote authenticated users to bypass unspecified authorization checks and obtain direct access to a (1) Cloud Controller or (2) Walrus service via a crafted message, as demonstrated by changes to a volume, snapshot, or cloud configuration setting.

Published Oct 1, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-4483: The commons_discussion_views_default_views function in modules/features/commons_discussion/commons_discussi...

The commons_discussion_views_default_views function in modules/features/commons_discussion/commons_discussion.views_default.inc in the Drupal Commons module 6.x-2.x before 6.x-2.8 for Drupal does not properly enforce intended node access restrictions, which might allow remote attackers to obtain sensitive information via the recent comments listing.

Published Oct 31, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-5304: Static code injection vulnerability in administration/install.php in YVS Image Gallery allows remote attack...

Static code injection vulnerability in administration/install.php in YVS Image Gallery allows remote attackers to inject arbitrary PHP code into functions/db_connect.php via unspecified vectors. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation.

Published Oct 6, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-1897: Multiple cross-site request forgery (CSRF) vulnerabilities in Wolf CMS 0.75 and earlier allow remote attack...

Multiple cross-site request forgery (CSRF) vulnerabilities in Wolf CMS 0.75 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) delete users via the user id number to admin/user/delete; (2) delete pages via the page id number to admin/page/delete; delete the (3) images or (4) themes directory via the directory name to admin/plugin/file_manager/delete, and possibly other directories; or (5) logout the user via a request to admin/login/logout.

Published Oct 1, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-5386: Directory traversal vulnerability in index.php in phpPaleo 4.8b180 allows remote attackers to include and e...

Directory traversal vulnerability in index.php in phpPaleo 4.8b180 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the phppaleo4_lang cookie, a different vulnerability than CVE-2012-1671. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Published Oct 11, 2012 · Updated Sep 17, 2024

Medium · CVSS 6.7

CVE-2012-5380: Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in...

Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Ruby193\bin directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the Ruby installation

Published Oct 11, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-6707: WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attacke...

WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.

Published Oct 19, 2017 · Updated Sep 17, 2024