High · CVSS 8.6
A flaw was found in rhn-proxy. This vulnerability may allow the rhn-proxy to transmit user credentials in clear-text when it accesses RHN Satellite. This could lead to information disclosure, where sensitive authentication details are exposed to unauthorized parties.
Published Dec 2, 2019 · Updated Apr 9, 2026
Medium · CVSS 5.4
A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.
Published Dec 18, 2012 · Updated Apr 7, 2026
High · CVSS 7.8 · CISA KEV
Microsoft Word 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Word Viewer; Office Compatibility Pack SP2 and SP3; and Office Web Apps 2010 SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, aka "Word RTF 'listoverridecount' Remote Code Execution Vulnerability."
Published Dec 12, 2012 · Updated Oct 22, 2025
High · CVSS 8.8 · CISA KEV
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.
Published Dec 30, 2012 · Updated Oct 22, 2025
High · CVSS 7.5
The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support.
Published Dec 31, 2012 · Updated Jul 10, 2025
High · CVSS 7.6
Post Oak AWAM Bluetooth Reader Traffic System does not use a sufficient source of entropy for private keys, which makes it easier for man-in-the-middle attackers to spoof a device by predicting a key value.
Published Dec 8, 2012 · Updated Jul 9, 2025
Medium · CVSS 6.1
Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.
Published Dec 18, 2012 · Updated Jul 9, 2025
High · CVSS 7.8
The Carlo Gavazzi
EOS-Box
does not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication, attackers can leak information from the device. This could allow the attacker to compromise confidentiality.
Published Dec 23, 2012 · Updated Jul 1, 2025
Critical · CVSS 10
The Carlo Gavazzi
EOS-Box
stores hard-coded passwords in the PHP file of
the device. By using the hard-coded passwords, attackers can log into
the device with administrative privileges. This could allow the attacker
to have unauthorized access.
Published Dec 23, 2012 · Updated Jul 1, 2025
Unknown · CVSS Not scored
Memory leak in Siemens Automation License Manager (ALM) 4.x and 5.x before 5.2 allows remote attackers to cause a denial of service (memory consumption) via crafted packets.
Published Dec 18, 2012 · Updated May 23, 2025
Unknown · CVSS Not scored
LibreOffice and OpenOffice automatically open embedded content
Published Dec 20, 2019 · Updated Feb 13, 2025
Medium · CVSS 5
A vulnerability was found in BestWebSoft Portfolio Plugin up to 2.04 on WordPress. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.06 is able to address this issue. The patch is named 68af950330c3202a706f0ae9bbb52ceaa17dda9d. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-248955.
Published Dec 26, 2023 · Updated Nov 21, 2024
Critical · CVSS 9
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly initialized or (2) is deleted, aka "Improper Ref Counting Use After Free Vulnerability."
Published Dec 12, 2012 · Updated Oct 17, 2024
Unknown · CVSS Not scored
The WPA2 implementation on the Belkin N900 F9K1104v1 router establishes a WPS PIN based on 6 digits of the LAN/WLAN MAC address, which makes it easier for remote attackers to obtain access to a Wi-Fi network by reading broadcast packets, a different vulnerability than CVE-2012-4366.
Published Dec 31, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Email Field module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the mailto link.
Published Dec 26, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Browser application in Android 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted market: URI in the SRC attribute of an IFRAME element.
Published Dec 10, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the Itanium platform and 7.3-2, 8.2, 8.3, and 8.4 on the Alpha platform does not properly implement the LOGIN and ACME_SERVER ACMELOGIN programs, which allows remote attackers to cause a denial of service via unspecified vectors.
Published Dec 13, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The prepare_sdp_description function in ffserver.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (crash) via vectors related to the rtp format.
Published Dec 24, 2013 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Opera Mobile application before 12.1 and Opera Mini application before 7.5 for Android do not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application.
Published Dec 26, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Loctouch application 3.4.6 and earlier for Android allows attackers to obtain sensitive information about logged locations via a crafted application that leverages read permission for system log files.
Published Dec 26, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Video Lead Form plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the errMsg parameter in a video-lead-form action to wp-admin/admin.php.
Published Dec 11, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action.
Published Dec 3, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The D-Link DCS-932L camera with firmware 1.02 allows remote attackers to discover the password via a UDP broadcast packet, as demonstrated by running the D-Link Setup Wizard and reading the _paramR["P"] value.
Published Dec 24, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in a TList 6 ActiveX control in Oracle Hyperion Financial Management 11.1.1.4 and 11.1.2.1.104 allows remote attackers to execute arbitrary code via unknown vectors.
Published Dec 21, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in screens/base/web_auth_custom.html on Cisco Wireless LAN Controller (WLC) devices with software 7.2.110.0 allows remote authenticated users to inject arbitrary web script or HTML via the headline parameter, aka Bug ID CSCud65187, a different vulnerability than CVE-2012-5992.
Published Dec 19, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Aptdaemon 0.43 in Ubuntu 11.10 and 12.04 LTS uses short IDs when importing PPA GPG keys from a keyserver, which allows remote attackers to install arbitrary package repository GPG keys via a man-in-the-middle (MITM) attack.
Published Dec 26, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 does not properly parse XML documents, which allows remote authenticated users to read arbitrary files via unspecified vectors.
Published Dec 21, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the Itanium platform and 7.3-2, 8.2, 8.3, and 8.4 on the Alpha platform does not properly implement the LOGIN and ACME_SERVER ACMELOGIN programs, which allows local users to cause a denial of service via unspecified vectors.
Published Dec 13, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.
Published Dec 4, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
Published Dec 4, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The OM Maximenu module 6.x-1.43 and earlier for Drupal, when the "Title has PHP" option is enabled, allows remote authenticated users with the "Administer OM Maximenu" permission to execute arbitrary PHP code via a "Link Title," a different vulnerability than CVE-2012-5553.
Published Dec 3, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Loctouch application 3.4.6 and earlier for Android does not properly handle implicit intents, which allows attackers to obtain sensitive information about logged locations via a crafted application.
Published Dec 26, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.
Published Dec 3, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Open Constructor 3.12.0 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) data/gallery/edit.php, (2) data/guestbook/edit.php, (3) data/file/edit.php, (4) data/htmltext/edit.php, (5) data/publication/edit.php, or (6) data/event/edit.php.
Published Dec 28, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in the web interface in EMC RSA NetWitness Informer before 2.0.5.6 allows remote attackers to hijack the authentication of arbitrary users.
Published Dec 5, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Huawei E585 device does not validate the status of admin sessions, which allows remote attackers to obtain sensitive user information and the session ID, and modify data, by leveraging access to the LAN network.
Published Dec 19, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple directory traversal vulnerabilities on the Huawei E585 device allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the PATH_INFO of an sdcard/ request or (2) modify arbitrary files via a .. (dot dot) in the req_page parameter to en/sms.cgi.
Published Dec 19, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.
Published Dec 27, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Eval injection vulnerability in the ldapagnt_eval function in ldapagnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote attackers to execute arbitrary Perl code via a crafted application/x-amf request.
Published Dec 24, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod.
Published Dec 20, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a special crafted name.
Published Dec 18, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Troubleshooting Reporting System feature in AgileBits 1Password 3.9.9 might allow remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header that is not properly handled in a View Troubleshooting Report action.
Published Dec 28, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Layton Helpbox 4.4.0 allows remote authenticated users to change the login context and gain privileges via a modified (1) loggedinenduser, (2) loggedinendusername, (3) loggedinuserusergroup, (4) loggedinuser, or (5) loggedinusername cookie.
Published Dec 12, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in the Web UI in EMC Data Protection Advisor (DPA) 5.6 through SP1, 5.7 through SP1, and 5.8 through SP4 allows remote attackers to read arbitrary files via unspecified vectors.
Published Dec 26, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The Feeds module 7.x-2.x before 7.x-2.0-alpha6 for Drupal, when a field is mapped to the node's author, does not properly check permissions, which allows remote attackers to create arbitrary nodes via a crafted source feed.
Published Dec 3, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Layton Helpbox 4.4.0 allows remote attackers to discover cleartext credentials for the login page by sniffing the network.
Published Dec 12, 2012 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Multiple directory traversal vulnerabilities in Axway SecureTransport 5.1 SP2 and earlier allow remote authenticated users to (1) read, (2) delete, or (3) create files, or (4) list directories, via a ..%5C (encoded dot dot backslash) in a URI.
Published Dec 13, 2012 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The Mandrill module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to obtain password reset links by reading the logs in the Mandrill dashboard.
Published Dec 3, 2012 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Zero Point module 6.x-1.x before 6.x-1.18 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the path aliases.
Published Dec 26, 2012 · Updated Sep 16, 2024
Unknown · CVSS Not scored
The mov_text_decode_frame function in libavcodec/movtextdec.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via crafted 3GPP TS 26.245 data.
Published Dec 24, 2013 · Updated Sep 16, 2024