CVE-2012-2494

MEDIUM Year: 2012
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-20
View all →

Vulnerability Description

The VPN downloader implementation in the WebLaunch feature in Cisco AnyConnect Secure Mobility Client 2.x before 2.5 MR6 and 3.x before 3.0 MR8 does not compare the timestamp of offered software to the timestamp of installed software, which allows remote attackers to force a version downgrade by using (1) ActiveX or (2) Java components to offer signed code that corresponds to an older software release, aka Bug ID CSCtw48681.

Related Vulnerabilities

CVE-2015-8747

CRITICAL
CVSS:10.0(Critical)

The multifilesystem storage backend in Radicale before 1.1 allows remote attackers to read or write to arbitrary files via a crafted component name.

CWE-202015

CVE-2017-10918

CRITICAL
CVSS:10.0(Critical)

Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to obtain privileged host OS access, aka XSA-222.

CWE-202017

CVE-2017-16845

CRITICAL
CVSS:10.0(Critical)

hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access.

CWE-202017

CVE-2017-5226

CRITICAL
CVSS:10.0(Critical)

When executing a program via the bubblewrap sandbox, the nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an at...

CWE-202017

CVE-2017-7213

CRITICAL
CVSS:10.0(Critical)

Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors.

CWE-202017

CVE-2019-11708

CRITICAL
CVSS:10.0(Critical)

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised...

CWE-202019