LiveActive security incident?Get immediate response
CVE archive

November 2012

Browse CVE records published in November 2012, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 483 matching CVEs · Page 1 of 10.

Critical · CVSS 10

CVE-2012-5862: Sinapsi eSolar Hard-Coded Password

These Sinapsi devices store hard-coded passwords in the PHP file of the device. By using the hard-coded passwords in the device, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access.

Published Nov 23, 2012 · Updated Jul 8, 2025

Critical · CVSS 9.4

CVE-2012-5864: Sinapsi eSolar Improper Authentication

These Sinapsi devices do not check if users that visit pages within the device have properly authenticated. By directly visiting the pages within the device, attackers can gain unauthorized access with administrative privileges.

Published Nov 23, 2012 · Updated Jul 8, 2025

Critical · CVSS 10

CVE-2012-5863: Sinapsi eSolar OS Command Injection

These Sinapsi devices do not check for special elements in commands sent to the system. By accessing certain pages with administrative privileges that do not require authentication within the device, attackers can execute arbitrary, unexpected, or dangerous commands directly onto the operating system.

Published Nov 23, 2012 · Updated Jul 8, 2025

High · CVSS 7.8

CVE-2012-5861: Sinapsi eSolar SQL Injection

These Sinapsi devices do not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication within the device, attackers can leak information from the device. This could allow the attacker to compromise confidentiality.

Published Nov 23, 2012 · Updated Jul 8, 2025

Unknown · CVSS Not scored

CVE-2012-4502: Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of...

Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit.

Published Nov 5, 2013 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-5823: Open Source Classifieds does not verify that the server hostname matches a domain name in the subject's Com...

Open Source Classifieds does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function.

Published Nov 4, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-5799: The Canada Post (aka CanadaPost) module in PrestaShop does not verify that the server hostname matches a do...

The Canada Post (aka CanadaPost) module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function.

Published Nov 4, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-6665: Directory traversal vulnerability in index.php in phpMoneyBooks 1.0.4 allows remote attackers to read arbit...

Directory traversal vulnerability in index.php in phpMoneyBooks 1.0.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, a different vulnerability than CVE-2012-1669. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this issue might have been fixed in 1.0.3.

Published Nov 17, 2014 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-5781: Amazon Elastic Load Balancing API Tools does not verify that the server hostname matches a domain name in t...

Amazon Elastic Load Balancing API Tools does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to overriding the default JDK X509TrustManager.

Published Nov 4, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-4469: Cross-site scripting (XSS) vulnerability in the Hashcash module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7...

Cross-site scripting (XSS) vulnerability in the Hashcash module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.2 for Drupal, when "Log failed hashcash" is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid token, which is not properly handled when administrators use the Database logging module.

Published Nov 30, 2012 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-4601: Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated us...

Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the (1) user_groups[] parameter to admin/code/tce_edit_test.php or (2) subject_id parameter to admin/code/tce_show_all_questions.php.

Published Nov 23, 2012 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-5801: The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subje...

The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function.

Published Nov 4, 2012 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-6661: Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random...

Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, does not reseed the pseudo-random number generator (PRNG), which makes it easier for remote attackers to guess the value via unspecified vectors. NOTE: this issue was SPLIT from CVE-2012-5508 due to different vulnerability types (ADT2).

Published Nov 3, 2014 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-6051: Google CityHash computes hash values without properly restricting the ability to trigger hash collisions pr...

Google CityHash computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack.

Published Nov 28, 2012 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-5806: The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name i...

The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function, a different vulnerability than CVE-2012-5805.

Published Nov 4, 2012 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-5805: The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in...

The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, a different vulnerability than CVE-2012-5806.

Published Nov 4, 2012 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2012-2211: Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8....

Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php. NOTE: some of these details are obtained from third party information.

Published Nov 22, 2012 · Updated Sep 16, 2024