LiveActive security incident?Get immediate response
CVE archive

October 2012

Browse CVE records published in October 2012, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 579 matching CVEs · Page 2 of 12.

Unknown · CVSS Not scored

CVE-2012-4709: Invensys Wonderware InTouch HMI 2012 R2 and earlier allows remote attackers to read arbitrary files, send H...

Invensys Wonderware InTouch HMI 2012 R2 and earlier allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published Oct 13, 2013 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-4115: The fabric-interconnect component in Cisco Unified Computing System (UCS) does not encrypt KVM virtual-medi...

The fabric-interconnect component in Cisco Unified Computing System (UCS) does not encrypt KVM virtual-media data, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or modify this traffic by inserting packets into the client-server data stream, aka Bug ID CSCtr72964.

Published Oct 21, 2013 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-4532: Cross-site scripting (XSS) vulnerability in modules/mod_languages/tmpl/default.php in the Language Switcher...

Cross-site scripting (XSS) vulnerability in modules/mod_languages/tmpl/default.php in the Language Switcher module for Joomla! 2.5.x before 2.5.7 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php. NOTE: some of these details are obtained from third party information.

Published Oct 31, 2012 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-5328: Multiple SQL injection vulnerabilities in the Mingle Forum plugin 1.0.32.1 and other versions before 1.0.33...

Multiple SQL injection vulnerabilities in the Mingle Forum plugin 1.0.32.1 and other versions before 1.0.33 for WordPress might allow remote authenticated users to execute arbitrary SQL commands via the (1) memberid or (2) groupid parameters in a removemember action or (3) id parameter to fs-admin/fs-admin.php, or (4) edit_forum_id parameter in an edit_save_forum action to fs-admin/wpf-edit-forum-group.php.

Published Oct 8, 2012 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-5384: Multiple cross-site scripting (XSS) vulnerabilities in Craig Knudsen WebCalendar allow remote attackers to...

Multiple cross-site scripting (XSS) vulnerabilities in Craig Knudsen WebCalendar allow remote attackers to inject arbitrary web script or HTML via the (1) $name or (2) $description variables in edit_entry_handler.php, or (3) $url, (4) $tempfullname, or (5) $ext_users[] variables in view_entry.php, different vectors than CVE-2012-0846.

Published Oct 11, 2012 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-5318: Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin...

Unrestricted file upload vulnerability in uploadify/scripts/uploadify.php in the Kish Guest Posting plugin 1.2 for WordPress allows remote attackers to execute arbitrary code by uploading a file with a double extension, then accessing it via a direct request to the file in the directory specified by the folder parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1125.

Published Oct 8, 2012 · Updated Sep 16, 2024

Medium · CVSS 4.3

CVE-2012-10016: Halulu simple-download-button-shortcode Plugin Download simple-download-button_dl.php information disclosure

A vulnerability classified as problematic has been found in Halulu simple-download-button-shortcode Plugin 1.0 on WordPress. Affected is an unknown function of the file simple-download-button_dl.php of the component Download Handler. The manipulation of the argument file leads to information disclosure. It is possible to launch the attack remotely. Upgrading to version 1.1 is able to address this issue. The patch is identified as e648a8706818297cf02a665ae0bae1c069dea5f1. It is recommended to upgrade the affected component. VDB-242190 is the identifier assigned to this vulnerability.

Published Oct 16, 2023 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-5702: Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to in...

Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to index.php. NOTE: the date parameter vector is already covered by CVE-2008-3886.

Published Oct 21, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2012-5671: Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, whe...

Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server.

Published Oct 31, 2012 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2012-5701: Multiple SQL injection vulnerabilities in dotProject before 2.1.7 allow remote authenticated administrators...

Multiple SQL injection vulnerabilities in dotProject before 2.1.7 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) search_string or (2) where parameter in a contacts action, (3) dept_id parameter in a departments action, (4) project_id[] parameter in a project action, or (5) company_id parameter in a system action to index.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.

Published Oct 20, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2012-5695: Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (S...

Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS message.

Published Oct 20, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2012-5694: Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 all...

Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.pl; the (6) modemPhoneNo, (7) controlKey, or (8) appURLPath parameter to frameworkgui/attachMobileModem.pl; the agentsDD parameter to (9) escalatePrivileges.pl, (10) getContacts.pl, (11) getDatabase.pl, (12) sendSMS.pl, or (13) takePic.pl in frameworkgui/; or the modemNoDD parameter to (14) escalatePrivileges.pl, (15) getContacts.pl, (16) getDatabase.pl, (17) SEAttack.pl, (18) sendSMS.pl, (19) takePic.pl, or (20) CSAttack.pl in frameworkgui/.

Published Oct 20, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2012-5580: Format string vulnerability in the print_proxies function in bin/proxy.c in libproxy 0.3.1 might allow cont...

Format string vulnerability in the print_proxies function in bin/proxy.c in libproxy 0.3.1 might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in a proxy name, as demonstrated using the http_proxy environment variable or a PAC file.

Published Oct 27, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2012-5456: The Zoner AntiVirus Free application for Android does not verify that the server hostname matches a domain...

The Zoner AntiVirus Free application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, as demonstrated by a server used for updating virus signature files.

Published Oct 24, 2012 · Updated Aug 6, 2024