LiveActive security incident?Get immediate response
CVE archive

December 2012

Browse CVE records published in December 2012, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 309 matching CVEs · Page 1 of 7.

Medium · CVSS 5.4

CVE-2012-5571: Openstack keystone: openstack keystone: authorization bypass via improper ec2 token handling

A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.

Published Dec 18, 2012 · Updated Apr 7, 2026

High · CVSS 7.8 · CISA KEV

CVE-2012-2539: Microsoft Word 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Word Viewer; Office Compatibility Pack SP2 and SP3...

Microsoft Word 2003 SP3, 2007 SP2 and SP3, and 2010 SP1; Word Viewer; Office Compatibility Pack SP2 and SP3; and Office Web Apps 2010 SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, aka "Word RTF 'listoverridecount' Remote Code Execution Vulnerability."

Published Dec 12, 2012 · Updated Oct 22, 2025

High · CVSS 8.8 · CISA KEV

CVE-2012-4792: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute...

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.

Published Dec 30, 2012 · Updated Oct 22, 2025

High · CVSS 7.5

CVE-2012-4688: I-GEN opLYNX Central Authentication Bypass

The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support.

Published Dec 31, 2012 · Updated Jul 10, 2025

Medium · CVSS 6.1

CVE-2012-4898: Tropos Wireless Mesh Routers Insufficient Entropy

Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere.

Published Dec 18, 2012 · Updated Jul 9, 2025

High · CVSS 7.8

CVE-2012-6427: Carlo Gavazzi EOS Box SQL Injection

The Carlo Gavazzi EOS-Box does not check the validity of the data before executing queries. By accessing the SQL table of certain pages that do not require authentication, attackers can leak information from the device. This could allow the attacker to compromise confidentiality.

Published Dec 23, 2012 · Updated Jul 1, 2025

Critical · CVSS 10

CVE-2012-6428: Carlo Gavazzi EOS Box Hard-Coded Credentials

The Carlo Gavazzi EOS-Box stores hard-coded passwords in the PHP file of the device. By using the hard-coded passwords, attackers can log into the device with administrative privileges. This could allow the attacker to have unauthorized access.

Published Dec 23, 2012 · Updated Jul 1, 2025

Medium · CVSS 5

CVE-2012-10017: BestWebSoft Portfolio Plugin cross-site request forgery

A vulnerability was found in BestWebSoft Portfolio Plugin up to 2.04 on WordPress. It has been classified as problematic. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 2.06 is able to address this issue. The patch is named 68af950330c3202a706f0ae9bbb52ceaa17dda9d. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-248955.

Published Dec 26, 2023 · Updated Nov 21, 2024

Unknown · CVSS Not scored

CVE-2012-6007: Cross-site scripting (XSS) vulnerability in screens/base/web_auth_custom.html on Cisco Wireless LAN Control...

Cross-site scripting (XSS) vulnerability in screens/base/web_auth_custom.html on Cisco Wireless LAN Controller (WLC) devices with software 7.2.110.0 allows remote authenticated users to inject arbitrary web script or HTML via the headline parameter, aka Bug ID CSCud65187, a different vulnerability than CVE-2012-5992.

Published Dec 19, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-5975: The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6....

The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.

Published Dec 4, 2012 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2012-3873: Multiple SQL injection vulnerabilities in Open Constructor 3.12.0 allow remote authenticated users to execu...

Multiple SQL injection vulnerabilities in Open Constructor 3.12.0 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) data/gallery/edit.php, (2) data/guestbook/edit.php, (3) data/file/edit.php, (4) data/htmltext/edit.php, (5) data/publication/edit.php, or (6) data/event/edit.php.

Published Dec 28, 2012 · Updated Sep 17, 2024