Cross-site scripting (XSS) vulnerability in the Advertisement module 6.x-2.x before 6.x-2.3 for Drupal, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via v...

The backend in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1 does not properly check privileges, which allows remote authenticated users to query arbitrary information via a (1) SOAP o...

libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multiple devices have the same vendor and product ID, which might cause the wrong device to be associated...

MantisBT before 1.2.11 does not check the delete_attachments_threshold permission when form_security_validation is set to OFF, which allows remote authenticated users with certain privileges to bypass...

virt-edit in libguestfs before 1.18.0 does not preserve the permissions from the original file and saves the new file with world-readable permissions when editing, which might allow local guest users ...

Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiVie...

Red Hat Network (RHN) Configuration Client (rhncfg-client) in rhncfg before 5.10.27-8 uses weak permissions (world-readable) for /var/log/rhncfg-actions, which allows local users to obtain sensitive i...

389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers t...

Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information an access resources from another WAR file by calling...

The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.4.5, does not validate the origin of Netlink messages, which allows local users to spoof Netlin...

Buffer overflow in the SQLDriverConnect function in unixODBC 2.3.1 allows local users to cause a denial of service (crash) via a long string in the DRIVER option. NOTE: this issue might not be a vulne...

Buffer overflow in the SQLDriverConnect function in unixODBC 2.0.10, 2.3.1, and earlier allows local users to cause a denial of service (crash) via a long string in the FILEDSN option. NOTE: this issu...

Cross-site scripting (XSS) vulnerability in FeedDemon before 4.0, when the feed preview option is enabled, allows remote attackers to inject arbitrary web script or HTML via a feed.

SEIL routers with firmware SEIL/x86 1.00 through 2.35, SEIL/X1 2.30 through 3.75, SEIL/X2 2.30 through 3.75, and SEIL/B1 2.30 through 3.75, when the http-proxy and application-gateway features are ena...

The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial of service (memory consumption) via a large (1)...

Multiple cross-site scripting (XSS) vulnerabilities in GuestAccess.jsp in the Guest/Contractor access component in the administrative interface in Bradford Network Sentry before 5.3.3 allow remote aut...

The Xelex MobileTrack application 2.3.7 and earlier for Android uses hardcoded credentials, which allows remote attackers to obtain sensitive information via an unencrypted (1) FTP or (2) HTTP session...

Microsoft Internet Information Services (IIS) 7.5 uses weak permissions for the Operational log, which allows local users to discover credentials by reading this file, aka "Password Disclosure Vulnera...

The Config::IniFiles module before 2.71 for Perl creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. NOTE: some of these details...

The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, allow remote attac...

The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, allow remote attac...

The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, provide different ...

Intuit QuickBooks 2009 through 2012 might allow remote attackers to obtain pathname information via the qbwc://docontrol/GetCompanyFile functionality.

Absolute path traversal vulnerability in the intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Inte...