Stack-based buffer overflow in Microsoft Publisher 2000 through 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted PUB file, which causes an overflow when parsing fonts.20060912 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Publisher Font Parsing VulnerabilitySecurity Advisory : CT12-09-2006-2MS06-05419951ADV-2006-356521863TA06-255AVU#4062361016825publisher-pub-code-execution(28648)HPSBST02134oval:org.mitre.oval:def:5901548Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation.MS06-003VU#25214616197ADV-2006-01191836820060110 Microsoft Outlook Critical Vulnerability20060110 Microsoft Exchange Critical VulnerabilityTA06-010A10154611015460oval:org.mitre.oval:def:1082oval:org.mitre.oval:def:1165oval:org.mitre.oval:def:1316oval:org.mitre.oval:def:1456oval:org.mitre.oval:def:1485oval:org.mitre.oval:def:624 win-tnef-overflow(22878)330331Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors.http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspxMS06-014TA06-101AVU#23481217462ADV-2006-1319195831015894ADV-2006-24522071924517oval:org.mitre.oval:def:1204oval:org.mitre.oval:def:1323oval:org.mitre.oval:def:1511oval:org.mitre.oval:def:1742oval:org.mitre.oval:def:1778 20797 mdac-rdsdataspace-execute-code(25006) ie-wscriptshell-command-execution(29915)20070729 Exploit In Internet Explorer20070730 RE: Exploit In Internet Explorer20070730 Re: Exploit In Internet Explorer20070731 Re: Exploit In Internet Explorer20522164Microsoft PowerPoint 2000 in Office 2000 SP3 has an interaction with Internet Explorer that allows remote attackers to obtain sensitive information via a PowerPoint presentation that attempts to access objects in the Temporary Internet Files Folder (TIFF).MS06-010VU#96362816634ADV-2006-0579101563218865powerpoint-tiff-information-disclosure(24490)oval:org.mitre.oval:def:1555Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute.MS06-00620060214 Microsoft Windows Media Player Plugin Buffer Overflow VulnerabilityVU#692060TA06-045A16644ADV-2006-0575101562818852win-mediaplayer-plugin-embed-bo(24493)oval:org.mitre.oval:def:1559Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 2000 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data.TA06-045AVU#291396MS06-00520060214 [EEYEB-20051017] Windows Media Player BMP Heap Overflow20060215 Windows Media Player BMP Heap Overflow (MS06-005)16633ADV-2006-0574101562718835win-media-player-bmp-bo(24488)oval:org.mitre.oval:def:1256oval:org.mitre.oval:def:1578oval:org.mitre.oval:def:1598oval:org.mitre.oval:def:1661423Buffer overflow in GIFIMP32.FLT, as used in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted GIF image that triggers memory corruption when it is parsed.MS06-039VU#66856418915ADV-2006-275721013TA06-192A101647020060712 NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerabilityoval:org.mitre.oval:def:21 20060712 NSFOCUS SA2006-04 : Microsoft Office GIF Filter Buffer Overflow Vulnerability 27146The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box.MS06-00920060215 Security advisory: Windows IME Vulnerability (MS06-009)VU#73984416643ADV-2006-0578101563118859win-korean-ime-privilege-elevation(24492)oval:org.mitre.oval:def:1595oval:org.mitre.oval:def:1650oval:org.mitre.oval:def:1664oval:org.mitre.oval:def:1688oval:org.mitre.oval:def:727Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E in attacks against PowerPoint.MS06-012VU#682820101576619138TA06-073A20060314 SYMSA-2006-001: Buffer overflow in Microsoft Office 2000, Office XP (2002), and Office 2003 Routing Slip Metadata17000ADV-2006-095023903office-routing-slip-bo(25009)1923820060819 New PowerPoint 0-day and Trojan - FAQ document ready20060822 Major updates in PowerPoint FAQ document - not a 0-day issue101672020060822 Major updates in PowerPoint FAQ document - not a 0-day issue20060919 New PowerPoint 0-day Trojan in the wild20059ADV-2006-3678powerpoint-presentation-code-execution(29009)20060919 Microsoft PowerPoint 0-day Vulnerability FAQ - September written20060919 New PowerPoint 0-day Trojan in the wild1016886oval:org.mitre.oval:def:1504oval:org.mitre.oval:def:1553oval:org.mitre.oval:def:1653oval:org.mitre.oval:def:79820060422 PowerPoint Phishing TrojanHeap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression.MS06-002VU#91593016194ADV-2006-01181882918365TA06-010A1015459183911831120060110 [EEYEB-2000801] - Windows Embedded Open Type (EOT) Font Heap Overflow VulnerabilityEEYEB20050801oval:org.mitre.oval:def:1126oval:org.mitre.oval:def:1185oval:org.mitre.oval:def:1462oval:org.mitre.oval:def:1491oval:org.mitre.oval:def:698oval:org.mitre.oval:def:714 win-embedded-fonts-bo(23922)Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability."MS06-015TA06-101A17464ADV-2006-132019606VU#641460245161015897win-explorer-com-code-execution(25554)oval:org.mitre.oval:def:1191oval:org.mitre.oval:def:1448oval:org.mitre.oval:def:1679oval:org.mitre.oval:def:1743oval:org.mitre.oval:def:1764Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207.MS06-008VU#3889001663618857ADV-2006-05771015630msrpc-webclient-message-bo(24491)oval:org.mitre.oval:def:1220oval:org.mitre.oval:def:1547oval:org.mitre.oval:def:1602oval:org.mitre.oval:def:683oval:org.mitre.oval:def:716Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values.20060411 ZDI-06-007: Microsoft Windows Address Book (WAB) File Format Parsing VulnerabilityMS06-01617459ADV-2006-1321196171015898oval:org.mitre.oval:def:1611oval:org.mitre.oval:def:1682oval:org.mitre.oval:def:1769oval:org.mitre.oval:def:1771oval:org.mitre.oval:def:1780oval:org.mitre.oval:def:1791oval:org.mitre.oval:def:812 20060411 ZDI-06-007: Microsoft Windows Address Book (WAB) File Format Parsing Vulnerability outlook-express-wab-bo(25535)691Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters.MS06-017ADV-2006-13221962320060412 Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting1745210158951015896oval:org.mitre.oval:def:1748 fpse-html-xss(25537)704** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-3899. Reason: This candidate is a duplicate of CVE-2005-3899. Notes: All CVE users should reference CVE-2005-3899 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Heap-based buffer overflow in the encodeURI and decodeURI functions in the kjs JavaScript interpreter engine in KDE 3.2.0 through 3.5.0 allows remote attackers to execute arbitrary code via a crafted, UTF-8 encoded URI.20060119 [KDE Security Advisory] kjs encodeuri/decodeuri heap overflowADV-2006-026518500DSA-948MDKSA-2006:019RHSA-2006:0184SUSE-SA:2006:0031854018561GLSA-200601-11USN-245-118552185591857016325226591015512kde-kjs-bo(24242)18899FLSA:178606SSA:2006-045-0518583MDKSA-2006:019364An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability."[funsec] 20060110 Another WMF flaw without a Microsoft patchVU#31295616516ADV-2006-046918729MS06-004TA06-045A1891222976oval:org.mitre.oval:def:1638Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via an IGMP packet with an invalid IP option, aka the "IGMP v3 DoS Vulnerability."MS06-007TA06-018AVU#83928416645ADV-2006-057618853TA06-045A1015629win-igmpv3-dos(24489)oval:org.mitre.oval:def:1310oval:org.mitre.oval:def:1425oval:org.mitre.oval:def:1647oval:org.mitre.oval:def:1662oval:org.mitre.oval:def:6781599Unspecified vulnerability in Microsoft PowerPoint in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP1 and SP2, Office 2004 for Mac, and v. X for Mac allows user-assisted attackers to execute arbitrary code via a PowerPoint document with a malformed record, which triggers memory corruption.MS06-028VU#19008918382ADV-2006-232520633TA06-164A101628726435powerpoint-record-bo(26784)oval:org.mitre.oval:def:1069oval:org.mitre.oval:def:1836oval:org.mitre.oval:def:1984Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit.20060131 Windows Access Control DemystifiedVU#953860ADV-2006-0417win-auth-users-insecure-permissions(24463)101559518756MS06-01110157651931319238oval:org.mitre.oval:def:1671oval:org.mitre.oval:def:1696Multiple unspecified vulnerabilities in Adobe Flash Player 8.0.22.0 and earlier allow remote attackers to execute arbitrary code via a crafted SWF file.17106ADV-2006-095219218RHSA-2006:026823908macromedia-swf-code-execution(25005)TA06-075AVU#945060101577019259SUSE-SA:2006:015GLSA-200603-201919819328MS06-020TA06-129AADV-2006-1744APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-1779oval:org.mitre.oval:def:1894oval:org.mitre.oval:def:1922 ADV-2006-1262 20045APPLE-SA-2007-12-17TA07-352AADV-2007-423828136Stack-based buffer overflow in Microsoft Windows Media Player 9 and 10 allows remote attackers to execute arbitrary code via a PNG image with a large chunk size.20060613 Windows Media Player PNG Chunk Decoding Stack-Based Buffer OverflowMS06-02418385ADV-2006-232220626TA06-164AVU#608020101628426430win-media-player-png-bo(26788)oval:org.mitre.oval:def:1230oval:org.mitre.oval:def:1729oval:org.mitre.oval:def:1805oval:org.mitre.oval:def:1807oval:org.mitre.oval:def:1820oval:org.mitre.oval:def:1974Buffer overflow in Microsoft Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows local and possibly remote attackers to execute arbitrary code via crafted Active Server Pages (ASP).MS06-034VU#39558818858ADV-2006-2752101646621006iis-asp-bo(26796)TA06-192Aoval:org.mitre.oval:def:435 20060718 ASP.DLL Include File Buffer Overflow 27152Unspecified vulnerability in Microsoft Exchange allows remote attackers to execute arbitrary code via e-mail messages with crafted (1) vCal or (2) iCal Calendar properties.MS06-019TA06-129AVU#30345217908ADV-2006-174325338101604820029exchange-calendar-code-execution(25556)oval:org.mitre.oval:def:1818oval:org.mitre.oval:def:1996oval:org.mitre.oval:def:2035Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers.20060314 ZDI-06-004: Microsoft Excel File Format Parsing VulnerabilityMS06-012VU#339878101576619138TA06-073Aexcel-parsing-format-file-bo(25225)ADV-2006-09502389919238oval:org.mitre.oval:def:1158oval:org.mitre.oval:def:1411oval:org.mitre.oval:def:1509oval:org.mitre.oval:def:1635583Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption.MS06-012VU#235774101576619138TA06-073Aexcel-description-bo(25227)ADV-2006-09501923823900oval:org.mitre.oval:def:1522oval:org.mitre.oval:def:1570oval:org.mitre.oval:def:1579oval:org.mitre.oval:def:1633585586Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption.MS06-012VU#123222101576619138TA06-073A2390116181ADV-2006-0950excel-graphic-bo(25229)19238oval:org.mitre.oval:def:1401oval:org.mitre.oval:def:1510oval:org.mitre.oval:def:1630oval:org.mitre.oval:def:1666Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption.MS06-012VU#104302101576619138TA06-073A17101excel-record-bo(25228)20060315 [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow Vulnerability20060314 [xfocus-SD-060314]Microsoft Office Excel Buffer Overflow VulnerabilityADV-2006-09502390219238oval:org.mitre.oval:def:1327oval:org.mitre.oval:def:1525oval:org.mitre.oval:def:1750oval:org.mitre.oval:def:763589Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7.Successful exploitation requires that the Indexing service is accessible through IIS.MS06-05319927ADV-2006-356421861TA06-255AVU#1088841016826ms-indexing-service-xss(28651)20061001 Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053]20061002 IE UXSS (Universal XSS in IE, was Re: Microsoft Internet Information Services UTF-7 XSS Vulnerability [MS06-053])HPSBST02134oval:org.mitre.oval:def:535Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via a crafted PNG image that triggers memory corruption when it is parsed.MS06-03918913VU#459388ADV-2006-275721013TA06-192A1016470oval:org.mitre.oval:def:163 27147Heap-based buffer overflow in the CRpcIoManagerServer::BuildContext function in msdtcprx.dll for Microsoft Distributed Transaction Coordinator (MSDTC) for Windows NT 4.0 and Windows 2000 SP2 and SP3 allows remote attackers to execute arbitrary code via a long fifth argument to the BuildContextW or BuildContext opcode, which triggers a bug in the NdrAllocate function, aka the MSDTC Invalid Memory Access Vulnerability.20060509 [EEYEB20051011A] - Microsoft Distributed Transaction Coordinator Heap OverflowMS06-01817906ADV-2006-17422000020060511 Microsoft MSDTC NdrAllocate Validation Vulnerability101604720060509 [EEYEB20051011A] - Microsoft Distributed Transaction Coordinator Heap Overflow20060510 Microsoft MSDTC NdrAllocate Validation Vulnerability25335oval:org.mitre.oval:def:1222oval:org.mitre.oval:def:1477oval:org.mitre.oval:def:1908msdtc-network-message-dos(25559)863The netlink_rcv_skb function in af_netlink.c in Linux kernel 2.6.14 and 2.6.15 allows local users to cause a denial of service (infinite loop) via a nlmsg_len field of 0.2006-00041641418482 ADV-2006-0220 kernel-afnetlink-dos(24202)388ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows remote attackers to cause a denial of service (memory corruption or crash) via an inbound PPTP_IN_CALL_REQUEST packet that causes a null pointer to be used in an offset calculation.2006-00041641418482 ADV-2006-0220 kernel-pptpincallrequest-dos(24203)388ip_nat_pptp in the PPTP NAT helper (netfilter/ip_nat_helper_pptp.c) in Linux kernel 2.6.14, and other versions, allows local users to cause a denial of service (memory corruption or crash) via a crafted outbound packet that causes an incorrect offset to be calculated from pointer arithmetic when non-linear SKBs (socket buffers) are used.2006-00041641418482 ADV-2006-0220 kernel-pptpnathelper-dos(24204)388Integer overflow in the do_replace function in netfilter for Linux before 2.6.16-rc3, when using "virtualization solutions" such as OpenVZ, allows local users with CAP_NET_ADMIN rights to cause a buffer overflow in the copy_from_user function.Linux kernel version 2.6.16 has been released to address this issue.1717819330ADV-2006-1046linux-netfilter-doreplace-overflow(25400)DSA-109720671USN-302-120716DSA-1103ADV-2006-255420914RHSA-2006:05752146522417Race condition in the do_add_counters function in netfilter for Linux kernel 2.6.16 allows local users with CAP_NET_ADMIN capabilities to read kernel memory by triggering the race condition in a way that produces a size value that is inconsistent with allocated memory, which leads to a buffer over-read in IPT_ENTRY_ITERATE.ADV-2006-18932018518113linux-doaddcounters-race-condition(26583)DSA-109720671DSA-1103ADV-2006-255420914USN-311-12099125697RHSA-2006:06892229222945 21476GNOME Evolution 2.4.2.1 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a text e-mail with a large number of URLs, possibly due to unknown problems in gtkhtml.20060301 Evolution Emailer DoS16889ADV-2006-0801190491909416899 evolution-email-dos(25050)Unspecified vulnerability in (1) apreq_parse_headers and (2) apreq_parse_urlencoded functions in Apache2::Request (Libapreq2) before 2.07 allows remote attackers cause a denial of service (CPU consumption) via unknown attack vectors that result in quadratic computational complexity.1884616710ADV-2006-0645DSA-100019139GLSA-200604-0819658 libapreq2-parsing-dos(24917)737Buffer overflow in the realpath function in nfs-server rpc.mountd, as used in SUSE Linux 9.1 through 10.0, allows local users to execute arbitrary code via unspecified vectors involving mount requests and symlinks.SuSE-SA:2006:00516388ADV-2006-03481861418638nfs-rpcmountd-realpath-bo(24347)DSA-97518889Unspecified vulnerability in context.py in Albatross web application toolkit before 1.33 allows remote attackers to execute arbitrary commands via unspecified vectors involving template files and the "handling of submitted form fields".DSA-94216252ADV-2006-0196184571849622451 albatross-context-command-execution(24130)crawl before 4.0.0 does not securely call programs when saving and loading games, which allows local users to gain privileges.DSA-94916337ADV-2006-0303185452269018573crawl-insecure-command-execution(24262)squid_redirect script in adzapper before 2006-01-29 allows remote attackers to cause a denial of service (CPU consumption) via a URL with a large number of trailing / (forward slashes), which might produce inefficient regular expressions.DSA-966ADV-2006-049118771187771655822900 adzapper-squid-redirect-dos(24640)packets.c in Freeciv 2.0 before 2.0.8 allows remote attackers to cause a denial of service (server crash) via crafted packets with negative compressed size values.ADV-2006-08381912020060306 Out of memory crash in Freeciv 2.0.7MDKSA-2006:05316975GLSA-200603-119253DSA-99419227freeciv-packets-dos(25166)MDKSA-2006:053Francesco Stablum tcpick 0.2.1 allows remote attackers to cause a denial of service (segmentation fault) via certain fragmented packets, possibly involving invalid headers and an attacker-controlled payload length. NOTE: this issue might be a buffer overflow or overread.17665ADV-2006-1466 tcpick-writec-dos(26090)gpg in GnuPG before 1.4.2.2 does not properly verify non-detached signatures, which allows attackers to inject unsigned data via a data packet that is not associated with a control packet, which causes the check for concatenated signatures to report that the signature is valid, a different vulnerability than CVE-2006-0455.20060313 GnuPG does not detect injection of unsigned data[gnupg-announce] 20060309 [Announce] GnuPG does not detect injection of unsigned dataDSA-993GLSA-200603-08USN-264-117058ADV-2006-091523790101574919173FEDORA-2006-1471920319244RHSA-2006:02662006-0014192311924919287MDKSA-2006:055SUSE-SA:2006:014191971923219234SSA:2006-072-0220060401-01-U19532FLSA-2006:185355 gnupg-nondetached-sig-verification(25184)MDKSA-2006:055450568snmptrapfmt in Debian 3.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary log file.DSA-10131718219318snmptrapfmt-log-temprary-file(25442)Buffer overflow in playlistimport.cpp in Kaffeine Player 0.4.2 through 0.7.1 allows user-assisted attackers to execute arbitrary code via long HTTP request headers when Kaffeine is "fetching remote playlists", which triggers the overflow in the http_peek function.17372ADV-2006-122919525DSA-102320060405 [Kaffeine Security Advisory] Heap based buffer overflow in http_peek()GLSA-200604-04MDKSA-2006:065SUSE-SR:2006:008USN-268-110158631954019542195491955719571kaffeine-http-peek-bo(25631)MDKSA-2006:065The attachment scrubber (Scrubber.py) in Mailman 2.1.5 and earlier, when using Python's library email module 2.5, allows remote attackers to cause a denial of service (mailing list delivery failure) via a multipart MIME message with a single part that has two blank lines between the first boundary and the end boundary.MDKSA-2006:061173111015851DSA-102719545SUSE-SR:2006:008USN-267-1195221957124367RHSA-2006:04862062420060602-01-U20782MDKSA-2006:061Imager (libimager-perl) before 0.50 allows user-assisted attackers to cause a denial of service (segmentation fault) by writing a 2- or 4-channel JPEG image (or a 2-channel TGA image) to a scalar, which triggers a NULL pointer dereference.DSA-1028195771741519575ADV-2006-1294imager-jpeg-tga-dos(25717)The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to cause a denial of service (firewall crash) via ICMP IP fragments that match a reset, reject or unreach action, which leads to an access of an uninitialized pointer.FreeBSD-SA-06:041620918378223191015477ipfw-icmp-fragment-dos(24073)The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable filenames and does not confirm which file is being written, which allows local users to overwrite arbitrary files via a symlink attack when ee invokes ispell.FreeBSD-SA-06:021620718404223201015469ee-ispell-op-symlink(24074)Double free vulnerability in the authentication and authentication token alteration code in PAM-MySQL 0.6.x before 0.6.2 and 0.7.x before 0.7pre3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted passwords, which lead to a double free of a pointer that was created by the pam_get_item function. NOTE: this issue only occurs in certain configurations in which there are multiple PAM modules, PAM-MySQL is not evaluated first, and there are no requisite modules before PAM-MySQL.VU#69390916564ADV-2006-04901015603185982299422995GLSA-200606-1820690Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to bypass the Kill bit settings for dangerous ActiveX controls via unknown vectors involving crafted HTML, which can expose the browser to attacks that would otherwise be prevented by the Kill bit setting. NOTE: CERT/CC claims that MS05-054 fixes this issue, but it is not described in MS05-054.VU#99829716409ie-activex-killbit-bypass(24379)23657Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations.20060322 Sendmail Remote Signal Handling VulnerabilityRHSA-2006:0264RHSA-2006:0265ADV-2006-1049ADV-2006-105120060322 sendmail vuln advisories (CVE-2006-0058)DSA-1015GLSA-200603-21MDKSA-2006:058OpenPKG-SA-2006.007TA06-081AVU#834865193421936319367FLSA:186277FreeBSD-SA-06:13SUSE-SA:2006:017HPSBUX02108[3.8] 006: SECURITY FIX: March 25, 200610226217192ADV-2006-1068ADV-2006-1072240371015801193681940419407193491936019361smtp-timeout-bo(24584)NetBSD-SA2006-010ADV-2006-1139ADV-2006-1157193941945019466IY82992IY82993IY82994SSA:2006-081-0120060302-01-P20060401-01-U1953319532FEDORA-2006-193FEDORA-2006-194Q-15119345193461935619676102324ADV-2006-152919774SCOSA-2006.2420243HPSBTU02116ADV-2006-2189ADV-2006-249020723HPSBUX02108oval:org.mitre.oval:def:1689MDKSA-2006:058612743Heap-based buffer overflow in the ISO Transport Service over TCP (RFC 1006) implementation of LiveData ICCP Server before 5.00.035 allows remote attackers to cause a denial of service or execute arbitrary code via malformed packets.This vulnerability is addressed in the following product release: LiveData, ICCP Server, 5.00.035VU#190617VU#190617ADV-2006-183018010101611320146livedata-iccp-rfc1006-bo(26490)Cross-site scripting (XSS) vulnerability in phpBB 2.0.19, when "Allowed HTML tags" is enabled, allows remote attackers to inject arbitrary web script or HTML via a permitted HTML tag with ' (single quote) characters and active attributes such as onmouseover, a variant of CVE-2005-4357.ADV-2006-005122672PHP remote file include vulnerability in includes/orderSuccess.inc.php in CubeCart allows remote attackers to execute arbitrary PHP code via a URL in the glob[rootDir] parameter.ADV-2006-0016 1398SQL injection vulnerability in (1) functions.php, (2) functions_update.php, and (3) functions_display.php in VEGO Web Forum 1.26 and earlier allows remote attackers to execute arbitrary SQL commands via the theme_id parameter in index.php.20060101 [eVuln] VEGO Web Forum SQL Injection VulnerabilityADV-2006-0003182731610722140315SQL injection vulnerability in index.php in PHPjournaler 1.0 allows remote attackers to execute arbitrary SQL commands via the readold parameter.20060101 [eVuln] PHPjournaler SQL Injection VulnerabilityADV-2006-0006182651611122149SQL injection vulnerability in login.php in VEGO Links Builder 2.00 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.ADV-2006-0004182722213916108SQL injection vulnerability in Primo Cart 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) q parameter to search.php and (2) email parameter to user.php.ADV-2006-000818264161252214622147Cross-site scripting (XSS) vulnerability in addentry.php in Chipmunk Guestbook 1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the homepage parameter.20060101 [eVuln] Chipmunk Guestbook XSS Vulnerability161121827019087** DISPUTED ** Drupal allows remote attackers to conduct cross-site scripting (XSS) attacks via an IMG tag with an unusual encoded Javascript function name, as demonstrated using variations of the alert() function. NOTE: a followup by the vendor suggests that the issue does not exist in 4.5.6 or 4.6.4 when "Filtered HTML" is enabled, and since "Full HTML" would not filter HTML by design, perhaps this should not be included in CVE.20060102 Drupal all versiyon xss cehennem.org20060103 Re: Drupal all versiyon xss cehennem.orgThe ebuild for pinentry before 0.7.2-r2 on Gentoo Linux sets setgid bits for pinentry programs, which allows local users to read or overwrite arbitrary files as gid 0.GLSA-200601-01161201828422211Buffer overflow in termsh on SCO OpenServer 5.0.7 allows remote attackers to execute arbitrary code via a long -o command line argument. NOTE: this is probably a different vulnerability than CVE-2005-0351 since it involves a distinct attack vector.20060102 SCO Openserver 5.0.x exploit16122Cross-site scripting (XSS) vulnerability in DiscusWare Discus Freeware 3.10.5 and Professional 3.10.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a URL, which is not properly sanitized from the resulting error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.161192215318283SQL injection vulnerability in profile.php in PHPenpals allows remote attackers to execute arbitrary SQL commands via the personalID parameter.20060101 [eVuln] PHPenpals SQL Injection Vulnerabilit16109ADV-2006-00052215018269Direct static code injection vulnerability in phpBook 1.3.2 and earlier allows remote attackers to execute arbitrary PHP code via the e-mail field (mail variable) in a new message, which is written to a PHP file.20060101 [eVuln] phpBook PHP Code Execution (phpbook)16106ADV-2006-000218268PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.20060101 [eVuln] oaBoard PHP Code Execution (oaboard)1610520060530 OaBoard 1.0 Remote File inclusion20060531 Re: OaBoard 1.0 Remote File inclusion1016211Off-by-one error in the getfattr function in File::ExtAttr before 0.03 allows attackers to trigger a buffer overflow via unspecified attack vectors.16118ADV-2006-00131825322160Multiple cross-site scripting (XSS) vulnerabilities in B-net Software 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) shout variables to (a) shout.php, or the (3) title and (4) message variables to (b) guestbook.php.20060102 [eVuln] B-net Software Multiple XSS Vulnerabilities1611418271ADV-2006-0018221902219120060825 Re: [eVuln] B-net Software Multiple XSS Vulnerabilities316SQL injection vulnerability in auth.php in ScozNet ScozBook BETA 1.1 allows remote attackers to execute arbitrary SQL commands via the username field (adminname variable).20060102 [eVuln] ScozBook 'adminname' Authentication Bypass 16115ADV-2006-0027222213188476Cross-site scripting (XSS) vulnerability in vBulletin 3.5.2, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the title of an event, which is not properly filtered by (1) calendar.php and (2) reminder.php.20060101 [KAPDA::#19] - Html Injection in vBulletin 3.5.216116ADV-2006-00331829920060108 Html_Injection in vBulletin 3.5.22221022220ialmnt5.sys in the ialmrnt5 display driver in Intel Graphics Accelerator Driver 6.14.10.4308 allows attackers to cause a denial of service (crash or screen resolution change) via a long text field, as demonstrated using a long window title.161271828620060102 Buffer Overflow vulnerability in Windows Display Manager [Suspected]20060103 Re: Buffer Overflow vulnerability in Windows Display Manager [Suspected]ADV-2006-001722196Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program.USN-246-118607MDKSA-2006:0241271718261GLSA-200602-06RHSA-2006:017818851188711015623GLSA-200602-13.xml1903020060301-01-U19183SUSE-SR:2006:00619408SSA:2006-045-03DSA-12132299820061127 rPSA-2006-0218-1 ImageMagick23090MDKSA-2006:024500231321ADV-2008-041228800Format string vulnerability in the logging code of SMS Server Tools (smstools) 1.14.8 and earlier allows local users to execute arbitrary code via unspecified attack vectors.DSA-93016188183431835722287smstools-logging-format-string(24034)Cross-site scripting vulnerability in index.php in raSMP 2.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the $_SERVER[HTTP_USER_AGENT] variable (User-Agent header).16138ADV-2006-003022198182921015432[VIM] 20060116 vendor ack/fix: 22198: raSMP index.php User-Agent Field XSS (fwd)SQL injection vulnerability in Nkads 1.0 alfa 3 allows remote attackers to execute arbitrary SQL commands via the (1) usuario_nkads_admin or (2) password_nkads_admin parameters.ADV-2006-00401830222206Cross-site scripting vulnerability in index.php in Next Generation Image Gallery 0.0.1 Lite Edition allows remote attackers to inject arbitrary web script or HTML via the page parameter.ADV-2006-00371830922202SQL injection vulnerability in (1) pages.php and (2) detail.php in Lizard Cart CMS 1.04 allows remote attackers to execute arbitrary SQL commands via the id parameter.20060104 [eVuln] Lizard Cart CMS SQL Injection Vulnerability16140ADV-2006-00291829722199222001015435314SQL injection vulnerability in intouch.lib.php in inTouch 0.5.1 Alpha allows remote attackers to execute arbitrary SQL commands via the user parameter.20060101 [eVuln] inTouch Authentication Bypass16110ADV-2006-002622382intouch-intouch-sql-injection(23954)Buffer overflow in ESRI ArcPad 7.0.0.156 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a .amp file with a COORDSYS tag with a long string attribute.16136ADV-2006-00321829422208Directory traversal vulnerability in index.php in IDV Directory Viewer before 2005.1 allows remote attackers to view arbitrary directory contents via a .. (dot dot) in the dir parameter.ADV-2006-00311829816137Cross-site scripting (XSS) vulnerability in webmail in Open-Xchange 0.8.1-6 and earlier, with "Inline HTML" enabled, allows remote attackers to inject arbitrary web script or HTML via e-mail attachments, which are rendered inline.20060103 Open Xchange XSSADV-2006-0034182851015431** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0992, CVE-2006-0158. Reason: this candidate was intended for one issue, but a typo caused it to be associated with a Novell/Groupwise issue. In addition, this issue was a duplicate of a SiteSuite issue that was also assigned CVE-2006-0158. Notes: All CVE users should consult CVE-2006-0992 and CVE-2006-0158 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.709Cross-site scripting (XSS) vulnerability in index.php in @Card ME PHP allows remote attackers to inject arbitrary web script or HTML via the cat parameter.ADV-2006-00391830622203PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_stat parameter, a different vulnerability than CVE-2006-0076. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-002817373dm-crypt in Linux kernel 2.6.15 and earlier does not clear a structure before it is freed, which leads to a memory disclosure that could allow local users to obtain sensitive information about a cryptographic key.[linux-kernel] 20060104 [Patch 2.6] dm-crypt: zero key before freeing it[linux-kernel] 20060104 [Patch 2.6] dm-crypt: Zero key material before free to avoid information leakADV-2006-023518487USN-244-12006-000416301MDKSA-2006:040RHSA-2006:013222418101574019160kernel-dmcrypt-information-disclosure(24189)FLSA:157459-4DSA-101719374FEDORA-2006-1021852718774SUSE-SA:2006:02820398MDKSA-2006:040388wan/sdla.c in Linux kernel 2.6.x before 2.6.11 and 2.4.x before 2.4.29 does not require the CAP_SYS_RAWIO privilege for an SDLA firmware upgrade, with unknown impact and local attack vectors. NOTE: further investigation suggests that this issue requires root privileges to exploit, since it is protected by CAP_NET_ADMIN; thus it might not be a vulnerability, although capabilities provide finer distinctions between privilege levels.USN-244-116304MDKSA-2006:04418977DSA-10171937418527Stack-based buffer overflow in the create_named_pipe function in libmysql.c in PHP 4.3.10 and 4.4.x before 4.4.3 for Windows allows attackers to execute arbitrary code via a long (1) arg_host or (2) arg_unix_socket argument, as demonstrated by a long named pipe variable in the host argument to the mysql_connect function.20060105 Windows PHP 4.x '0-day' buffer overflow16145ADV-2006-0046182752223220060105 Windows PHP 4.x 20060108 RE: Windows PHP 4.x The dupfdopen function in sys/kern/kern_descrip.c in OpenBSD 3.7 and 3.8 allows local users to re-open arbitrary files by using setuid programs to access file descriptors using /dev/fd/.[3.7] 20060105 008: SECURITY FIX: January 5, 20061614418296222311015437PHP remote file include vulnerability in (1) include/templates/categories/default.php and (2) certain other include/templates/categories/ PHP scripts in Valdersoft Shopping Cart 3.0 allows remote attackers to execute arbitrary code via a URL in the catalogDocumentRoot parameter.16126 1401Buffer overflow in NicoFTP 3.0.1.19 and earlier might allow local users to execute arbitrary code via a long string in the "Name of site" field of an FTP account. NOTE: because this program executes with the privileges of the invoking user, and because remote programs do not normally have the ability to create or modify FTP accounts in this program, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability.20060102 NicoFTP Stack Overflow317Multiple cross-site scripting (XSS) vulnerabilities in sBLOG 0.7.1 Beta 20051202 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p and (2) keyword parameters in (a) index.php and (b) search.php.ADV-2006-00412237322374sblog-multiple-scripts-xss(23979)Cross-site scripting (XSS) vulnerability in TinyPHPForum (TPF) 3.6 and earlier allows remote attackers to inject arbitrary web script via a javascript: scheme in an "[a]" bbcode tag, possibly the txt parameter to action.php.20060105 [eVuln] TinyPHPForum Multiple VulnerabilitiesADV-2006-005418293222561015436320TinyPHPForum 3.6 and earlier stores the (1) users/[USERNAME].hash and (2) users/[USERNAME].email files under the web root with insufficient access control, which allows remote attackers to list all registered users and possibly obtain other sensitive information.20060105 [eVuln] TinyPHPForum Multiple VulnerabilitiesADV-2006-00541829322257101543620060417 Tiny PHP forum - vulns tinyphpforum-users-information-disclosure(24016)320Directory traversal vulnerability in TinyPHPForum 3.6 and earlier allows remote attackers to create a new user account, create a new topic, or view the profile of a user account, as demonstrated via a .. (dot dot) in the uname parameter to profile.php.20060105 [eVuln] TinyPHPForum Multiple VulnerabilitiesADV-2006-00541829316163222581015436320PostgreSQL 8.0.x before 8.0.6 and 8.1.x before 8.1.2, when running on Windows, allows remote attackers to cause a denial of service (postmaster exit and no new connections) via a large number of simultaneous connection requests.[pgsql-announce] 20060109 CRITICAL RELEASE: Minor Releases to Fix DoS Vulnerability20060111 PostgreSQL security releases 8.0.6 and 8.1.216201ADV-2006-0114101548218419 postgresql-connection-request-dos(24049)327gdi/driver.c and gdi/printdrv.c in Wine 20050930, and other versions, implement the SETABORTPROC GDI Escape function call for Windows Metafile (WMF) files, which allows attackers to execute arbitrary code, the same vulnerability as CVE-2005-4560 but in a different codebase.[Dailydave] 20060105 WMF goes away :<ADV-2006-009818323GLSA-200601-091845120060117 ERRATA: [ GLSA 200601-09 ] Wine: Windows Metafile SETABORTPROC vulnerabilityMDKSA-2006:014SUSE-SR:2006:00218549DSA-95418578 win-wmf-execute-code(23846)MDKSA-2006:014SQL injection vulnerability in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the viewID parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0108.161591832422252 timecancms-sql-injection(24014)SQL injection vulnerability in mcl_login.asp in Timecan CMS allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Due to the unavailability of the original source, it cannot be determined if this is the same issue as identified by CVE-2006-0107.ADV-2006-00782225322252 timecancms-sql-injection(24014)Cross-site scripting vulnerability in category.php in Modular Merchant Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the cat parameter.16160ADV-2006-00761832022243[VIM] 20060214 vendor ack/fix 22243: Modular Merchant Marketplace Shopping Cart category.php cat Variable XSS (fwd)Cross-site scripting (XSS) vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to inject arbitrary web script via the email parameter.20060106 [eVuln] Proyecto Domus 'email' XSS Vulnerability16154ADV-2006-00731832722263 domus-escribir-xss(24020)Cross-site scripting vulnerability in index.php in Boxcar Media Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the (1) parent or (2) pg parameter.ADV-2006-008022360boxcar-index-xss(24019)Cross-site scripting (XSS) vulnerability in index.php in Enhanced Simple PHP Gallery 1.7 allows remote attackers to inject arbitrary web script or HTML via the dir parameter.ADV-2006-00362220118310Enhanced Simple PHP Gallery 1.7 allows remote attackers to obtain the full path of the application via a direct request to sp_helper_functions.php, which leaks the pathname in an error message.1831022417The vCard functions in Joomla! 1.0.5 use predictable sequential IDs for vcards and do not restrict access to them, which allows remote attackers to obtain valid e-mail addresses to conduct spam attacks by modifying the contact_id parameter to index2.php.16185ADV-2006-009718361 joomla-vcard-information-disclosure(24042)Multiple SQL injection vulnerabilities in OnePlug Solutions OnePlug CMS allow remote attackers to execute arbitrary SQL commands via the (1) Press_Release_ID parameter in press/details.asp, (2) Service_ID parameter in services/details.asp, and (3) Product_ID parameter in products/details.asp.16155ADV-2006-007918325222482224922250Cross-site scripting vulnerability search.inetstore in iNETstore Ebusiness Software 2.0 allows remote attackers to inject arbitrary web script or HTML via the searchterm parameter.16156ADV-2006-0075183222225120060126 Re: [OSVDB Mods] iNETstore E Commerce Solution - Cross Site Scripting[VIM] 20060127 vendor confirms versions: iNETstore E Commerce Solution - Cross Site Scripting (fwd)Buffer overflow in IBM Lotus Notes and Domino Server before 6.5.5 allows attackers to cause a denial of service (router crash or hang) via unspecified vectors involving "CD to MIME Conversion".1615818328ADV-2006-0081 lotus-cdtomime-dos(24205)Unspecified vulnerability in IBM Lotus Notes and Domino Server before 6.5.5, when running on AIX, allows attackers to cause a denial of service (deep recursion leading to stack overflow and crash) via long formulas.1615818328ADV-2006-0081 lotus-long-formula-bo(24206)Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 have unknown impact and attack vectors, due to "potential security issues" as identified by SPR numbers (1) GPKS6C9J67 in Agents, (2) JGAN6B6TZ3 and (3) KSPR699NBP in the Router, (4) GPKS5YQGPT in Security, or (5) HSAO6BNL6Y in the Web Server. NOTE: vector 3 is related to an issue in NROUTER in IBM Lotus Notes and Domino Server before 6.5.4 FP1, 6.5.5, and 7.0, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted vCal meeting request sent via SMTP (aka SPR# KSPR699NBP).1615818328ADV-2006-008120060626 SYMSA-2006-006: Lotus Domino SMTP Based Denial of Service18020ADV-2006-2564101639020855domino-smtp-nrouter-dos(27413) lotus-multiple-unspecified(24207) lotus-web-unspecified-xss(24211)Multiple unspecified vulnerabilities in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (application crash) via multiple vectors, involving (1) a malformed message sent to an "Out Of Office" agent (SPR LPEE6DMQWJ), (2) the compact command (RTIN5U2SAJ), (3) malformed bitmap images (MYAA6FH5HW), (4) the "Delete Attachment" action (YPHG6844LD), (5) parsing certificates from a remote Certificate Table (AELE6DZFJW), and (6) creating a SSL key ring with the Domino Administration client (NSUA4FQPTN).1615818328ADV-2006-0081 lotus-bmp-dos(24214) lotus-certificate-parsing-dos(24216) lotus-compact-dos(24213) lotus-delete-attachment-dos(24215) lotus-outofoffice-dos(24212) lotus-ssl-keyring-dos(24217)Multiple memory leaks in IBM Lotus Notes and Domino Server before 6.5.5 allow attackers to cause a denial of service (memory consumption and crash) via unknown vectors related to (1) unspecified vectors during the SSL handshake (SPR# MKIN67MQVW), (2) the stash file during the SSL handshake (SPR# MKIN693QUT), and possibly other vectors. NOTE: due to insufficient information in the original vendor advisory, it is not clear whether there is an attacker role in other memory leaks that are specified in the advisory.1615818328ADV-2006-0081 lotus-ssl-handshake-dos(24223)Cross-site scripting (XSS) vulnerability in Public/Index.asp in Aquifer CMS allows remote attackers to inject arbitrary web script or HTML via the Keyword parameter.Vendor provided solution: "Liquid Development has identified this vulnerability in all shipping versions of AquiferCMS and coded a software fix. The fix will be included in all releases of AquiferCMS built on or after January 24, 2006. Customers should contact Liquid Development to obtain the fix for this vulnerability. For more information visit www.aquifercms.com." 16162ADV-2006-00741832622247[VIM] 20060124 vendor ack/fix: Aquifer CMS Index.asp Keyword Variable XSS (fwd)Multiple SQL injection vulnerabilities in ADN Forum 1.0b allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter in index.php and (2) pagid parameter in verpag.php, and possibly other vectors.20060105 [eVuln] ADNForum Multiple Vulnerabilities16157ADV-2006-00771015445183002224022241Cross-site scripting (XSS) vulnerability in crear.php in ADN Forum 1.0b allows remote attackers to inject arbirary web script or HTML via the titulo parameter, which is used by the "Topic name" field.20060105 [eVuln] ADNForum Multiple Vulnerabilities16157ADV-2006-007718300222421015445Unspecified vulnerability in appserv/main.php in AppServ 2.4.5 allows remote attackers to include arbitrary files via the appserv_root parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. There is not enough detail from these third party sources to know whether this is directory traversal, remote file include, or another issue.ADV-2006-0053222281816316166rxvt-unicode before 6.3, on certain platforms that use openpty and non-Unix pty devices such as Linux and most BSD platforms, does not maintain the intended permissions of tty devices, which allows local users to gain read and write access to the devices.ADV-2006-00522222318301Directory traversal vulnerability in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote authenticated users to rename the folders of other users via a .. (dot dot) in the RENAME command.20060104 Rockliffe Directory Transversal Vulnerability20060105 Re: Rockliffe Directory Transversal Vulnerability2222918318ADV-2006-0055Buffer overflow in the IMAP service of Rockliffe MailSite before 6.1.22.1 allows remote attackers to have an unknown impact via unknown attack vectors.20060104 Rockliffe Directory Transversal Vulnerabilityrockliffe-imap-unspecified-bo(39991)Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid usernames via user requests to TCP port 106.20060104 Rockliffe Mailsite User Enumeration Flaw18318ADV-2006-005522230Mail Management Agent (MAILMA) (aka Mail Management Server) in Rockliffe MailSite 7.0.3.1 and earlier allows remote attackers to attempt authentication with an unlimited number of user account names and passwords without denying connections, limiting the rate of connections, or locking out an account.20060104 Rockliffe Mailsite User Enumeration FlawboastMachine 3.1 allows remote attackers to obtain sensitive information via a direct request to (1) footer.php and (2) side_menu.php, which reveals the path in an error message.20060105 [ECHO_ADV_25$2006] Full path disclosure on boastMachine v3.1Directory traversal vulnerability in webftp.php in SysCP WebFTP 1.2.6 and possibly earlier allows remote attackers to include and execute arbitrary local PHP scripts, and possibly read other types of files, via a .. (dot dot) and a trailing null in the webftp_language parameter.20060104 SysCP WebFTP local file inclusion vulnerability16175ADV-2006-009018355 webftp-language-file-include(24018)Multiple directory traversal vulnerabilities in AIX 5.3 ML03 allow local users to determine the existence of files and read partial contents of certain files via a .. (dot dot) in the argument to (1) getCommand.new (aka getCommand) and (2) getShell, a different vulnerability than CVE-2005-4273.20060101 [xfocus-SD-060101]AIX getCommand&getShell two vulnerabilities10154291610216103Cross-site scripting (XSS) vulnerability in register.php in TheWebForum (twf) 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the www parameter.20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass16161ADV-2006-009310154501839222295 thewebforum-register-xss(24007)SQL injection vulnerability in login.php in TheWebForum (twf) 1.2.1 allows remote attackers to execute arbitrary SQL commands and bypass login authentication via the username parameter (aka the u variable).20060106 [eVuln] TheWebForum Script Insertion and Authentication Bypass16161ADV-2006-009310154501839222294thewebforum-login-sql-injection(24027)321Multiple cross-site scripting (XSS) vulnerabilities in the guestbook module in modules.php in Phanatic Softwares Chimera Web Portal System 0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) comment_poster, (2) comment_poster_email, (3) comment_poster_homepage, and (4) comment_text parameters.20060101 [eVuln] Chimera Web Portal System Multiple VulnerabilitiesADV-2006-002516113SQL injection vulnerability in linkcategory.php in Phanatic Softwares Chimera Web Portal System 0.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.20060101 [eVuln] Chimera Web Portal System Multiple VulnerabilitiesADV-2006-00251611322420chimera-linkcategory-sql-injection(23963)aMSN (aka Alvaro's Messenger) allows remote attackers to cause a denial of service (client hang and termination of client's instant-messaging session) by repeatedly sending crafted data to the default file-transfer port (TCP 6891).22186The send-private-message functionality (send-private-message.asp) in PD9 Software MegaBBS 2.1 allows remote attackers to read private messages of other users via a modified replyid parameter.16168ADV-2006-0095183421015452 megabbs-sendprivatemessage-disclosure(24050)Cross-site scripting (XSS) vulnerability in post.php in NavBoard V16 Stable(2.6.0) and V17beta2 allows remote attackers to inject arbitrary web script or HTML via the (1) b, (2) textlarge, and (3) url bbcode tags.20060107 [eVuln] NavBoard BBcode XSS Vulnerability16165ADV-2006-00921834522277 navboard-post-xss(24021)Qualcomm Eudora Internet Mail Server (EIMS) before 3.2.8 allows remote attackers to cause a denial of service (crash) via (1) malformed NTLM authentication requests, or a malformed (2) Incoming Mail X or (3) Temporary Mail file.ADV-2006-00991835616179 eims-corrupted-mail-dos(24033) eims-ntlm-auth-dos(24032)Cross-site scripting (XSS) vulnerability in andromeda.php in Andromeda 1.9.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the s parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2006-00961835916183 andromeda-script-xss(24031)Microsoft Windows Graphics Rendering Engine (GRE) allows remote attackers to corrupt memory and cause a denial of service (crash) via a WMF file containing (1) ExtCreateRegion or (2) ExtEscape function calls with arguments with inconsistent lengths.20060107 Microsoft Windows GRE WMF Format Multiple Memory Overrun Vulnerabilities20060109 [UPDATE]Microsoft Windows GRE WMF Format Multiple Unauthorized Memory Access Vulnerabilities16167ADV-2006-01151015453 win-gre-wmf-dos(24044)The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function.1617420060109 New PEAR / Apache2Triad Exploit18390ADV-2006-0148gopear-proxy-redirection(24076)The kernfs_xread function in kernfs in NetBSD 1.6 through 2.1, and OpenBSD 3.8, does not properly validate file offsets against negative 32-bit values that occur as a result of truncation, which allows local users to read arbitrary kernel memory and gain privileges via the lseek system call.NetBSD-SA2006-00116173183882229320060202 [SLAB] NetBSD / OpenBSD kernfs_xread patch evasion18712 netbsd-kernfs-memory-disclosure(24035)405The server.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PHPOpenChat, (7) MAXdev MD-Pro, and (8) MediaBeez, when the MySQL root password is empty, allows remote attackers to execute arbitrary SQL commands via the sql parameter.16187ADV-2006-0101ADV-2006-0102ADV-2006-0103ADV-2006-0104ADV-2006-01051741818254182671826018276182332229020060202 Bug for libs in php link directory 2.0ADV-2006-044718720ADV-2006-0370DSA-1029DSA-1030DSA-103119555195901959120060409 PhpOpenChat 3.0.x ADODB Server.php ADV-2006-1304ADV-2006-13051956319600GLSA-200604-07ADV-2006-14191969919691adodb-server-command-execution(24051)20070418 MediaBeez Sql query Execution .. Wear isn't ?? :)24954713Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (8) Simplog, allows remote attackers to execute arbitrary PHP functions via the do parameter, which is saved in a variable that is then executed as a function, as demonstrated using phpinfo.ADV-2006-0101ADV-2006-0102ADV-2006-0103ADV-2006-0104174181825418267182601827618233DSA-1029DSA-1030DSA-103119555195901959120060409 PhpOpenChat 3.0.x ADODB Server.php 20060412 Simplog <=0.9.2 multiple vulnerabilitiesADV-2006-1305ADV-2006-13321960019628GLSA-200604-0722291 19691 adodb-tmssql-command-execution(24052)NetSarang Xlpd 2.1 allows remote attackers to cause a denial of service (crash) via a large number of connections from the same IP address.161641015444 xlpd-connection-dos(24041)Cross-site scripting (XSS) vulnerability in SimpBook 1.0, with html_enable on (the default), allows remote attackers to inject arbitrary web script or HTML via the message field.20060106 SimpBook 'message' Remote Cross-Site Scripting Vulnerability1015451Multiple format string vulnerabilities in the auth_ldap_log_reason function in Apache auth_ldap 1.6.0 and earlier allows remote attackers to execute arbitrary code via various vectors, including the username.20060109 Digital Armaments Security Advisory 01.09.2006: Apache auth_ldap module Multiple Format Strings Vulnerability16177RHSA-2006:0179ADV-2006-011718382184051015456DSA-952MDKSA-2006:0171841218568 apache-authldap-format-string(24030)sudo 1.6.8 and other versions does not clear the PYTHONINSPECT environment variable, which allows limited local users to gain privileges via a Python script, a variant of CVE-2005-4158.USN-235-2161841835818363DSA-946SUSE-SR:2006:00218549189062006-001018558SSA:2006-045-0819016MDKSA-2006:15921692MDKSA-2006:159Cross-site scripting (XSS) in search_result.php in phpChamber 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the needle parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16180ADV-2006-00941836022282phpchamber-searchresult-xss(24029)427BB 2.2 and 2.2.1 verifies authentication credentials based on the username, authenticated, and usertype cookies, which allows remote attackers to bypass authentication by using a valid username and usertype and setting the authenticated cookie.20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)16178ADV-2006-00911835422274427bb-scripts-security-bypass(24038)SQL injection vulnerability in showthread.php in 427BB 2.2 and 2.2.1 allows remote attackers to execute arbitrary SQL commands via the ForumID parameter.20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)16169ADV-2006-00911835422275427bb-showthread-sql-injection(24039)Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and 2.2.1 allows remote attackers to inject arbitrary Javascript via a new message with a url bbcode tag containing a javascript URI.20060107 [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)ADV-2006-00911835422276427bb-posts-xss(24040)Cross-site scripting (XSS) vulnerability in Foxrum 4.0.4f allows remote attackers to inject arbitrary Javascript via the javascript URI in bbcode url tags in (1) addpost1.php and (2) addtopic1.php.20060109 [eVuln] Foxrum BBCode XSS Vulnerabilty16172ADV-2006-012118386 foxrum-bbcode-xss(24043)325settings.php in Reamday Enterprises Magic News Plus 1.0.3 allows remote attackers to change the administrator password via a change action that specifies identical values for the passwd and admin_password parameters, then declares the new password string in the new_passwd and confirm_passwd parameters.1618218601SQL injection vulnerability in index.php in CyberDoc SiteSuite CMS allows remote attackers to execute arbitrary SQL commands via the page parameter.ADV-2006-00382220518305SQL injection vulnerability in escribir.php in Foro Domus 2.10 allows remote attackers to execute arbitrary SQL commands via the email parameter. NOTE: the provenance of this information is unknown, although it may be based on post-disclosure analysis of CVE-2006-0110; the details are obtained solely from third party information.ADV-2006-00732226418327 domus-escribir-sql-injection(24017)SQL injection vulnerability in add_post.php3 in Venom Board 1.22 allows remote attackers to execute arbitrary SQL commands via the (1) parent, (2) root, and (3) topic_id parameters to post.php3.20060109 [eVuln] Venom Board SQL Injection Vulnerability1617620060109 [eVuln] Venom Board SQL Injection VulnerabilityADV-2006-01221838322297venomboard-addpost-sql-injection(24046)326Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780.101933ADV-2006-011318371101545519087oval:org.mitre.oval:def:1534Heap-based buffer overflow in libclamav/upx.c in Clam Antivirus (ClamAV) before 0.88 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted UPX files.16191ADV-2006-0116183791015457GLSA-200601-0718453VU#38590820060112 ZDI-06-001: Clam AntiVirus UPX Unpacking Code Execution VulnerabilityDSA-947MDKSA-2006:0162006-000222318184781854818463 clamav-libclamav-upx-bo(24047)MDKSA-2006:016342SQL injection vulnerability in the search module (modules/Search/index.php) of PHPNuke EV 7.7 -R1 allows remote attackers to execute arbitrary SQL commands via the query parameter, which is used by the search field. NOTE: This is a different vulnerability than CVE-2005-3792.16186ADV-2006-01202231618394phgstats.inc.php in phgstats before 0.5.1, if register_globals is enabled, allows remote attackers to include arbitrary files and execute arbitrary PHP code by modifying the PHGDIR variable.ADV-2006-012318346phgstats-php-file-include(24062)2230217469Cross-site scripting (XSS) vulnerability in the DataForm Entries functionality in Plain Black WebGUI before 6.8.4 (gamma) allows remote attackers to inject arbitrary Javascript via the (1) url and (2) name field of the default email form.ADV-2006-012618372webgui-forms-xss(24053)Symantec Norton SystemWorks and SystemWorks Premier 2005 and 2006 stores temporary copies of files in the Norton Protected Recycle Bin NProtect directory, which is hidden from the FindFirst and FindNext Windows APIs and allows remote attackers to hide arbitrary files from virus scanners and other products.ADV-2006-0143101546218402systemworks-nprotect-hidden(24061)SQL injection vulnerability in MyPhPim 01.05 allows remote attackers to execute arbitrary SQL commands via the (1) cal_id parameter in calendar.php3 and the (2) password field on the login page.ADV-2006-01471839916210myphpim-calendar-sql-injection(24066)myphpim-login-sql-injection(24075)20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities2232422325Cross-site scripting (XSS) vulnerability in MyPhPim 01.05 allows remote attackers to inject arbitrary web script or HTML via the description field on the "Create New todo" page.ADV-2006-01471839916210myphpim-todo-xss(24071)20060111 [eVuln] MyPhPim Multiple SQL Injection and XSS Vulnerabilities22326addresses.php3 in MyPhPim 01.05 does not restrict uploaded files, which allows remote attackers to execute arbitrary PHP code via the pdbfile variable, then directly accessing those files from the uploads directory.16208ADV-2006-01471839920060111 [eVuln] MyPhPim Arbitrary File Uploadmyphpim-addresses-file-upload(24070)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0035. Reason: This candidate is a duplicate of CVE-2006-0035. Notes: All CVE users should reference CVE-2006-0035 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.PHP remote file include vulnerability in index.php in OrjinWeb E-commerce allows remote attackers to execute arbitrary code via a URL in the page parameter. NOTE: it is not clear, but OrjinWeb might be an application service, in which case it should not be included in CVE.20060106 Orjinweb E-commerce1619922387orjinweb-url-file-include(24097)Cross-site scripting (XSS) vulnerability in the file manager utility in Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to inject arbitrary web script or HTML in an uploaded page, which is published without a check for hostile scripting.20060110 Multiple Vulnerabilities in Hummingbird Collaboration16195ADV-2006-014518411 hummingbird-enterprise-xss(24067)Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to misrepresent the type and name of a file via modified doc_ext and id parameters, which might trick a user into downloading dangerous or unexpected content.20060110 Multiple Vulnerabilities in Hummingbird Collaboration16195ADV-2006-014518411 hummingbird-enterprise-file-download(24068)Hummingbird Collaboration (aka Hummingbird Enterprise Collaboration) 5.21 and earlier allows remote attackers to obtain sensitive information (intranet IP addresses and enumerations of valid parameter values) via a direct request to hc, which reveals the information in an error message or a cookie.20060110 Multiple Vulnerabilities in Hummingbird Collaboration16195ADV-2006-014518411 hummingbird-enterprise-information-disclosure(24069)328Cross-site scripting (XSS) vulnerability in search_form.asp in Web Wiz Forums 6.34 allows remote attackers to inject arbitrary web script or HTML via the search parameter.20060109 Advisory:XSS vulnerability on WebWiz Forums <= 6.34 (search_form.asp)1619620060111 Advisory:XSS vulnerability on WebWiz Forums <= 6.34 (search_form.asp)22398webwizforums-searchform-xss(24048)Buffer overflow in certain functions in src/fileio.c and src/unix/fileio.c in xmame before 11 January 2006 may allow local users to gain privileges via a long (1) -lang, (2) -ctrlr, (3) -pb, or (4) -rec argument on many operating systems, and via a long (5) -jdev argument on Ubuntu Linux.20060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation.1620320060110 mysec.org Security Advisory : Xmame buffer overflow, with a possibility of privilege escalation xmame-multiple-parameters-bo(24102)Multiple buffer overflows in Cray UNICOS 9.0.2.2 might allow local users to gain privileges by (1) invoking /usr/bin/script with a long command line argument or (2) setting the -c option of /etc/nu to the name of a file containing a long line.20060110 SUID root overflows in UNICOS and partial shellcode16205 unicos-command-line-bo(24276)Format string vulnerability in /bin/ftp in UNICOS 9.0.2.2 allows local users to have an unknown impact via format string specifiers in the quote command. NOTE: because the program is not setuid and not normally called from remote programs, there may not be a typical attack vector for the issue that crosses privilege boundaries. Therefore this may not be a vulnerability.20060110 SUID root overflows in UNICOS and partial shellcode16205 unicos-ftp-format-string(24277)The Cisco IP Phone 7940 allows remote attackers to cause a denial of service (reboot) via a large amount of TCP SYN packets (syn flood) to arbitrary ports, as demonstrated to port 80.1620020060113 Response to Cisco IP Phone 7940 DoS Exploit posted on milw0rm.comADV-2006-020210154881847922469cisco-ipphone-synflood-dos(24117)Cross-site scripting (XSS) vulnerability in CaLogic Calendars 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the Title field on the "Adding New Event" page, and possibly other vectors, involving iframe tags.22322calogic-newevent-xss(24077)20060116 [eVuln] CaLogic Calendars Multiple XSS Vulnerabilities16206ADV-2006-014918417Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.1.3 has an undocumented administrative account with a default password, which allows local users to gain privileges via the expert command.20060111 Default Administrative Password in Cisco Security Monitoring, Analysis and Response System (CS-MARS)16211ADV-2006-0154101547118424cisco-csmars-default-password(24065)22346335login.php in ACal Calendar Project 2.2.5 allows remote attackers to bypass authentication by setting the ACalAuthenticate cookie variable to "inside".ADV-2006-01522234418432acal-login-auth-bypass(24104)20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion343Direct static code injection vulnerability in edit.php in ACal Calendar Project 2.2.5 allows authenticated users to execute arbitrary PHP code via (1) the edit=header value, which modifies header.php, or (2) the edit=footer value, which modifies footer.php. NOTE: this issue might be resultant from the poor authentication as identified by CVE-2006-0182. Since the design of the product allows the administrator to edit the code, perhaps this issue should not be included in CVE, except as a consequence of CVE-2006-0182.ADV-2006-01522234518432acal-header-footer-code-execute(24107)20060112 [eVuln] ACal Authentication Bypass & PHP Code Insertion343Multiple SQL injection vulnerabilities in AspTopSites allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to goto.asp or (2) password parameter to includeloginuser.asp.ADV-2006-014618408asptopsites-goto-sql-injection(24072)2233020060110 AspTopSites SQL injectionMultiple cross-site scripting vulnerabilities in the (1) Pool or (2) News Modules in Php-Nuke allow remote attackers to inject arbitrary web script or HTML via javascript in the SRC attribute of an IMG tag.20060107 Php-Nuke Pool and News Module IMG Tag Cross Site16192ADV-2006-012518374** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-4500. Reason: This candidate is a duplicate of CVE-2005-4500. Notes: All CVE users should reference CVE-2005-4500 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.By design, Microsoft Visual Studio 2005 automatically executes code in the Load event of a user-defined control (UserControl1_Load function), which allows user-assisted attackers to execute arbitrary code by tricking the user into opening a malicious Visual Studio project file.ADV-2006-0151184091622520060113 Visual Studio Remote Code Execution visualstudio-usercontrol-code-execution(24116)webmail.php in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to inject arbitrary web pages into the right frame via a URL in the right_frame parameter. NOTE: this has been called a cross-site scripting (XSS) issue, but it is different than what is normally identified as XSS.16756ADV-2006-0689101566218985squirrelmail-webmail-xss(24847)DSA-988FEDORA-2006-133MDKSA-2006:049SUSE-SR:2006:005191311913019176GLSA-200603-0919205RHSA-2006:028319960 20060501-01-U 20210MDKSA-2006:049Buffer overflow in eStara Softphone 3.0.1.14 through 3.0.1.46 allows remote attackers to execute arbitrary code via a long attribute (aka "a") field in the SDP data of a SIP packet on UDP port 5060.This is the vendor provided solution: "eStara has released Softphone version 3.0.1.47 to resolve the buffer overflow demonstrated in parsing SDP with long "a=" lines. Licensed customers can download a new version via the email sent to them with purchase, customers testing may go back to http://www.estara.com/softphone/ to obtain a new free trial. Version information can be gathered by going to Help->About. eStara highly recommends all customers upgrade to avoid this issue. If there's further questions please email us: softphone@estara.com. eStara would like to thank ZwelL for bringing the issue to our attention."20060111 eStara Softphone SIP stack Buffer Overflow Vulnerability16213ADV-2006-0167101548118410estara-sip-sdp-bo(24090)22348Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver.102066ADV-2006-016518421162241015478solaris-unspecified-root-access(24084)19087oval:org.mitre.oval:def:702Unspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250.102108ADV-2006-01661842016222223471015479solaris-find-proc-dos(24085)19087oval:org.mitre.oval:def:1608SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 allows remote attackers to execute arbitrary SQL commands via the Password parameter to login.asp.ADV-2006-01641842222342aspsurvey-loginvalidate-sql-injection(24087)20060204 sql injection in ASP Survey16496414Cross-site scripting (XSS) vulnerability in the Hosting Control Panel (psoft.hsphere.CP) in Positive Software H-Sphere 2.4.3 Patch 8 and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter in a login action.20060112 H-Sphere Security VulnerabilityADV-2006-017218447hsphere-login-xss(24096)22372Cross-site scripting (XSS) vulnerability in default.asp in FogBugz 4.029, and other versions before 4.0.33, allows remote attackers to inject arbitrary web script or HTML via the dest parameter in the pgLogon page.20060112 FogBugz Cross Site Scripting Vulnerability16216ADV-2006-01741844322370fogbugz-login-xss(24103)Interpretation conflict in the MagicHTML filter in SquirrelMail 1.4.0 to 1.4.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via style sheet specifiers with invalid (1) "/*" and "*/" comments, or (2) a newline in a "url" specifier, which is processed by certain web browsers including Internet Explorer.16756ADV-2006-0689101566218985squirrelmail-magichtml-xss(24848)DSA-988FEDORA-2006-133MDKSA-2006:049SUSE-SR:2006:005191311913019176GLSA-200603-0919205RHSA-2006:028319960 20060501-01-U 20210MDKSA-2006:049Unspecified vulnerability in Serial line sniffer (aka slsnif) 0.4.4 allows local users to gain privileges via a long value of the HOME environment variable, possibly because of a buffer overflow.20060111 Serial Line Sniffer 0.4.4 Buffer Overflowslsnif-home-bo(24082)ADV-2006-021218497The XClientMessageEvent struct used in certain components of X.Org 6.8.2 and earlier, possibly including (1) the X server and (2) Xlib, uses a "long" specifier for elements of the l array, which results in inconsistent sizes in the struct on 32-bit versus 64-bit platforms, and might allow attackers to cause a denial of service (application crash) and possibly conduct other attacks.20060108 xorg server 6.8.2 and below on 64bit archCross-site scripting (XSS) vulnerability in a certain module, possibly poll or Pool, for XOOPS allows remote attackers to inject arbitrary web script or HTML via JavaScript in the SRC attribute of an IMG element in a comment.20060107 Xoops Pool Module IMG Tag Cross Site Scripting16189 xoops-pool-imagetag-xss(24091)SQL injection vulnerability in news.asp in Mini-Nuke CMS System 1.8.2 and earlier allows remote attackers to execute arbitrary SQL commands via the hid parameter.ADV-2006-01731843922384mininuke-news-sql-injection(24098)20060113 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injectionvulnerability20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability340Format string vulnerability in the error-reporting feature in the mysqli extension in PHP 5.1.0 and 5.1.1 might allow remote attackers to execute arbitrary code via format string specifiers in MySQL error messages.20060112 Advisory 02/2006: PHP ext/mysqli Format String Vulnerability16219ADV-2006-017718431php-extmysqli-format-string(24095)1015485ADV-2006-0369337Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php.20060112 Multiple PHP Toolkit for PayPal Vulnerabilities16218ADV-2006-01831844422378Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50 and possibly earlier has (1) world-readable permissions for ipn/logs/ipn_success.txt, which allows local users to view sensitive information (payment data), and (2) world-writable permissions for ipn/logs, which allows local users to delete or replace payment data.20060112 Multiple PHP Toolkit for PayPal Vulnerabilities16218ADV-2006-01831844422379membership.asp in Mini-Nuke CMS System 1.8.2 and earlier does not verify the old password when changing a password, which allows remote attackers to change the passwords of other members via a lostpassnew action with a modified x parameter.ADV-2006-01731843922385mininuke-membership-change-password(24101)20060113 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remoteuser password change exploit20060112 Advisory: MiniNuke CMS System <= 1.8.2 (news.asp) SQL Injection vulnerability20060129 [xpl#2] MiniNuke 1.8.2 - change member's passwrod < Perl >20060112 Advisory: MiniNuke CMS System <= 1.8.2 (membership.asp) remote user password change exploit344Multiple cross-site scripting (XSS) vulnerabilities in Wordcircle 2.17 allow remote attackers to inject arbitrary web script or HTML via (1) the "Course name" field in index.php when the frm parameter has the value "mine" and (2) possibly certain other fields in unspecified scripts.20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS VulnerabilitiesADV-2006-0185184401622722359wordcircle-index-xss(24106)345Multiple SQL injection vulnerabilities in Wordcircle 2.17 allow remote attackers to (1) execute arbitrary SQL commands and bypass authentication via the password field in the login action to index.php (involving v_login.php and s_user.php) and (2) have other unknown impact via certain other fields in unspecified scripts.20060112 [eVuln] Wordcircle Authentication Bypass16227ADV-2006-01852235818440wordcircle-login-security-bypass(24108)wordcircle-sql-injection(24105)20060112 [eVuln] Wordcircle Multiple SQL Injection & XSS Vulnerabilities345346Eval injection vulnerability in Light Weight Calendar (LWC) 1.0 (20040909) and earlier allows remote attackers to execute arbitrary PHP code via the date parameter in cal.php, which is included by index.php.162291845022376lwc-cal-execute-code(24110)[VIM] 20060318 Source VERIFY - Light Weight Calendar issue is eval injectionMultiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function.ADV-2006-01771622018431php-session-response-splitting(24094)1015484MDKSA-2006:02818697ADV-2006-0369USN-261-119179GLSA-200603-2219355SUSE-SR:2006:00419012DSA-1331MDKSA-2006:02825945Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1, when display_errors and html_errors are on, allow remote attackers to inject arbitrary web script or HTML via inputs to PHP applications that are not filtered when they are included in the resulting error message.ADV-2006-017718431MDKSA-2006:02818697ADV-2006-036916803USN-261-119179GLSA-200603-2219355SUSE-SR:2006:00419012RHSA-2006:027619832RHSA-2006:050120222ADV-2006-2685209512125221564RHSA-2006:0549 20060501-01-U 20210MDKSA-2006:028SQL injection vulnerability in general_functions.php in TankLogger 2.4 allows remote attackers to execute arbitrary SQL commands via the (1) livestock_id parameter to showInfo.php and (2) tank_id parameter, possibly to livestock.php.ADV-2006-015320060112 [eVuln] TankLogger SQL Injection Vulnerability1622818441tanklogger-generalfunctions-sql-injection(24080)2236822369[VIM] 20060113 Verified TankLogger SQl inject by source inspection341Cross-site scripting (XSS) vulnerability in index.php in Interspire TrackPoint NX before 0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter when using the Login page.1621420060112 Interspire TrackPoint NX XSS VulnerabilityADV-2006-01751844522377trackpointnx-login-xss(24112)Cross-site scripting (XSS) vulnerability in forgotPassword.asp in Helm Hosting Control Panel 3.2.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the txtEmailAddress parameter.20060112 Helm XSS Vulnerability16234ADV-2006-02031849222454helm-forgotpassword-xss(24139)Directory traversal vulnerability in OBEX Push services in Toshiba Bluetooth Stack 4.00.23(T) and earlier allows remote attackers to upload arbitrary files to arbitrary remote locations specified by .. (dot dot) sequences, as demonstrated by ..\\ sequences in the RFILE argument of ussp-push.20060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'ADV-2006-01841843720060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'1623620060113 DMA[2006-0112a] - 'Toshiba Bluetooth Stack Directory Transversal'223801015486Kolab Server 2.0.1, 2.0.2 and development versions pre-2.1-20051215 and earlier, when authenticating users via secure SMTP, stores authentication credentials in plaintext in the postfix.log file, which allows local users to gain privileges.ADV-2006-01861843822381 kolab-smtp-logging(24123)Eval injection vulnerability in ezDatabase 2.0 and earlier allows remote attackers to execute arbitrary PHP code via the db_id parameter to visitorupload.php, as demonstrated using phpinfo and include function calls.1804316237 ezdatabase-visitorupload-file-include(24136)351Cross-site scripting (XSS) vulnerability in admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to inject arbitrary web script or HTML via the cpage parameter. NOTE: this issue might be resultant from CVE-2006-0216.22352admin.php in QualityEBiz Quality PPC (QPPC) 1.0 build 1644 allows remote attackers to obtain sensitive information, possibly the installation path of the application, via unspecified "meta characters" to the cpage parameter.22353Multiple cross-site scripting (XSS) vulnerabilities in Ultimate Auction 3.67 allow remote attackers to inject arbitrary web script or HTML via the (1) item parameter in item.pl and (2) category parameter in itemlist.pl, which reflects the XSS in an error message. NOTE: the affected version might be wrong since the current version as of 20060116 is 3.6.1.16239ADV-2006-018722443224441847720060115 Ultimate Auction <=3.6716254 ultimate-auction-item-xss(24138)Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603.The original distribution of MyBulletinBoard (MyBB) to update from older versions to 1.0.2 omits or includes older versions of certain critical files, which allows attackers to conduct (1) SQL injection attacks via an attachment name that is not properly handled by inc/functions_upload.php (CVE-2005-4602), and possibly (2) other attacks related to threadmode in usercp.php.16230 mybb-usercp-script-sql-injection(24115)Multiple cross-site scripting (XSS) vulnerabilities in DCP-Portal 5.3 through 6.1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the day parameter in calendar.php and (2) the input form in search.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. It is possible that this issue is resultant from an SQL injection problem in CVE-2005-4227.3 and CVE-2005-4227.13.1623220060113 DCP Portal Cross-Site Scripting Vulnerability dcpportal-calendar-search-xss(24153)SQL injection vulnerability in index.asp in the Admin Panel in Dragon Design Services Network (DDSN) cm3 content manager (CM3CMS) allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password.1623120060113 DDSN CMS Admin Panel SQL Injection Vulnerability22696cm3-login-sql-injection(24266)Cross-site scripting (XSS) vulnerability in fullview.php in AlstraSoft Template Seller Pro allows remote attackers to inject arbitrary web script or HTML via the tempid parameter.1623320060113 AlstraSoft Template Seller Pro Cross-Site Scripting Vulnerability22746template-seller-fullview-xss(24235)Directory traversal vulnerability in Shanghai TopCMM 123 Flash Chat Server Software 5.1 allows attackers to create or overwrite arbitrary files on the server via ".." (dot dot) sequences in the username field.16235ADV-2006-01982244018455 123flashchat-user-directory-traversal(24137)Buffer overflow in Library of Assorted Spiffy Things (LibAST) 0.6.1 and earlier, as used in Eterm and possibly other software, allows local users to execute arbitrary code as the utmp user via a long -X command line argument (alternative configuration file name).16350ADV-2006-031420060123 [ Rosiello Security ] Eterm-LibAST Advisory20060123 LibAST 0.7 Release Fixes Security Vulnerability20060125 Rosiello Security - Eterm-LibAST AdvisoryGLSA-200601-141858618632MDKSA-2006:029DSA-9762273518916eterm-libast-filename-bo(24303)MDKSA-2006:029373scp in OpenSSH 4.2p1 allows attackers to execute arbitrary commands via filenames that contain shell metacharacters or spaces, which are expanded twice.16369ADV-2006-030618579185952006-00041015540openssh-scp-command-execution(24305)MDKSA-2006:034186501873620060212 [3.8] 005: SECURITY FIX: February 12, 2006SuSE-SA:2006:0081879818850FLSA-2006:168935OpenPKG-SA-2006.003SSA:2006-045-0618910GLSA-200602-11USN-255-122692189641896918970RHSA-2006:004419159ADV-2006-249020723RHSA-2006:02982112920060703-01-P212622149221724RHSA-2006:069822196HPSBUX02178ADV-2006-4869232412334023680 ADV-2007-0930 24479APPLE-SA-2007-03-13MDKSA-2006:034102961TA07-072AADV-2007-2120oval:org.mitre.oval:def:11382560725936462Integer overflow in IEEE 802.11 network subsystem (ieee80211_ioctl.c) in FreeBSD before 6.0-STABLE, while scanning for wireless networks, allows remote attackers to execute arbitrary code by broadcasting crafted (1) beacon or (2) probe response frames.FreeBSD-SA-06:051629618353225371015518 bsd-ieee80211-bo(24192)Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors.102033ADV-2006-020010154921849822441224421624519087oval:org.mitre.oval:def:662 solaris-lpsched-dos(24127)The RBAC functionality in grsecurity before 2.1.8 does not properly handle when the admin role creates a service and then exits the shell without unauthenticating, which causes the service to be restarted with the admin role still active.16261ADV-2006-019918458 grsecurity-rbac-admin-privileges(24156)Unquoted Windows search path vulnerability in Wehntrust might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when Wehntrust creates the autostart key.20060116 WehnTrust - When you have to trust Wehntrust20060116 Re: [Full-disclosure] WehnTrust - When you have to trust Wehntrust16268 wehntrust-service-start-file-execution(24315)Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses a client-side check to verify a password, which allows remote attackers to gain administrator privileges via a modified client that sends certain XML requests.20060421 Rapid7 Advisory R7-0021: Symantec Scan Engine Authentication Fundamental Design Error20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities17637ADV-2006-146419734VU#11838820060421 Rapid7 Advisory R7-0021: Symantec Scan Engine Authentication Fundamental Design Error sse-unauth-admin-access(25972)Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications.20060421 Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key20060421 Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities17637ADV-2006-1464101597419734 sse-insecure-private-key(25973)Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, stores sensitive log and virus definition files under the web root with insufficient access control, which allows remote attackers to obtain the information via direct requests.20060421 Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability20060421 Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability20060421 [Symantec Security Advisor] Symantec Scan Engine Multiple Vulnerabilities17637ADV-2006-1464101597419734 sse-unauth-file-access(25974)758759Cross-site scripting (XSS) vulnerability in functions.php in microBlog 2.0 RC-10 allows remote attackers to inject arbitrary web script and HTML via a javascript: URI in a [url] BBcode tag.20060117 [eVuln] microBlog BBCode XSS Vulnerability162721015496microblog-functions-xss(24140)SQL injection vulnerability in index.php in microBlog 2.0 RC-10 allows remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters.20060117 [eVuln] microBlog SQL Injection Vulnerability16270ADV-2006-023922512101549618442 microblog-index-sql-injection(24132)SQL injection vulnerability in WhiteAlbum 2.5 allows remote attackers to execute arbitrary SQL commands via the dir parameter to pictures.php.20060116 White Album Sql &#304;njection biyosecurity.be1624718460ADV-2006-024122520 whitealbum-pictures-sql-injection(24271)GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-assisted attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by Thunderbird, along with an inconsistent Content-Type header, which could be used to trick a user into downloading dangerous content by dragging or saving the attachment.20060117 Secunia Research: Mozilla Thunderbird Attachment SpoofingVulnerability16271ADV-2006-023015907MDKSA-2006:021 thunderbird-attachment-ext-spoofing(24164)MDKSA-2006:021Cross-site scripting (XSS) vulnerability in index.php in GTP iCommerce allows remote attackers to inject arbitrary web script or HTML via the (1) cat and (2) subcat parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16255ADV-2006-021418470 gtpicommerce-index-xss(24150)SQL injection vulnerability in wp-stats.php in GaMerZ WP-Stats 2.0 allows remote attackers to execute arbitrary SQL commands via the author parameter.16241ADV-2006-01921847122450 wpstats-script-sql-injection(24163)Multiple cross-site scripting (XSS) vulnerabilities in Simple Blog 2.1 allow remote attackers to inject arbitrary web script or HTML via (1) a comment to comments.asp and (2) possibly certain other fields in unspecified scripts.20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.116243ADV-2006-01941848822448 simpleblog-comment-xss(24154)Multiple SQL injection vulnerabilities in Simple Blog 2.1 allow remote attackers to execute arbitrary SQL commands via the month parameter in an archives view operation and possibly certain other parameters in unspecified scripts.20060114 [HSC Security Group] Multiple SQL injection/XSS in SimpleBlog 2.116243ADV-2006-01941848822447simpleblog-month-sql-injection(24155)Cross-site scripting vulnerability in WBNews 1.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the Name field.20060117 XSS in WBNews < = v1.1.016277ADV-2006-023718499Cross-site scripting vulnerability in index.php in PHP Fusebox 4.0.6 allows remote attackers to inject arbitrary web script or HTML via the fuseaction parameter.20060117 IndonesiaHack Advisory HTML injection in PHP Fusebox16274355Cross-site scripting (XSS) vulnerability in SMBCMS 2.1 allows remote attackers to inject arbitrary web script or HTML via the text parameter, which is used by the "Search Site" field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.16281ADV-2006-02291845422494 smbcms-sitesearch-xss(24187)** DISPUTED ** Directory traversal vulnerability in workspaces.php in phpXplorer 0.9.33 allows remote attackers to include arbitrary files via a .. (dot dot) and trailing null byte (%00) in the sShare parameter. NOTE: a followup post claims that this is not a vulnerability since the functionality of phpXplorer supports the upload of PHP files, which would not cross privilege boundaries since the PHP functionality would support read access outside the web root.20060116 Directory traversal in phpXplorer20060116 Re: Directory traversal in phpXplorer16263ADV-2006-023218518353phpxplorer-sshare-directory-traversal(39982)Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.7-pl1 allow remote attackers to inject arbitrary web script or HTML via the (3) redir, (4) productId, (5) docId, (6) act, and (7) catId parameters in index.php; and the (8) username field in a login action in index.php. NOTE: the cart.php/redir and index.php/searchStr vectors are already covered by CVE-2005-3152.16259ADV-2006-02271851922471 cubecart-index-script-xss(24177)Cross-site scripting (XSS) vulnerability in down.pl in Widexl Download Tracker 1.06 allows remote attackers to inject arbitrary web script or HTML via the ID parameter.16265ADV-2006-02131847222462 downloadtracker-down-xss(24161)Cross-site scripting (XSS) vulnerability in anyboard.cgi in Netbula Anyboard 9.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the tK parameter in a find command.16264ADV-2006-01881846922461 netbula-anyboard-script-xss(24167)Virata-EmWeb web server 6_1_0, as used in (1) Intracom JetSpeed 500 and 520 and (2) Allied Data Technologies CopperJet 811 RouterPlus, allows remote attackers to access privileged information, such as user lists and configuration settings, via direct HTTP requests.ADV-2006-021818483 virata-emweb-unauth-access(24304)SQL injection vulnerability in viewcat.php in BitDamaged geoBlog MOD_1.0 allows remote attackers to execute arbitrary SQL commands, then steal credentials and upload files, via the cat parameter ($tmpCategory variable).16249ADV-2006-019118504224631015493 geoBlog-viewcat-sql-injection(24146)Format string vulnerability in the snmp_input function in snmptrapd in CMU SNMP utilities (cmu-snmp) allows remote attackers to execute arbitrary code by sending crafted SNMP messages to UDP port 162.20060116 Digital Armaments Security Advisory 01.16.2006: CMU SNMP utilities snmptrad Format String Vulnerability16267ADV-2006-02341852522493 cmusnmp-snmpinput-format-string(24178)Cross-site scripting (XSS) vulnerability in fom.cgi in Faq-O-Matic 2.711 allows remote attackers to inject arbitrary web script or HTML via the (1) _duration, (2) file, and (3) cmd parameters.16251ADV-2006-01891846822439 faqomatic-fom-xss(24165)SQL injection vulnerability in Benders Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via multiple parameters, as demonstrated by the (1) year, (2) month, and (3) day parameters.20060115 [eVuln] Benders Calendar SQL Injection16242ADV-2006-019010154911846222449 benderscalendar-sql-injection(24120)Buffer overflow in the Bluetooth OBEX Object Push service in "Blue Neighbors.EXE" in AmbiCom Blue Neighbors 2.50 Build 2500 and earlier allows remote attackers to execute arbitrary code via a long file name, as demonstrated via a long RFILE argument to ussp-push.ADV-2006-02191846620060120 DMA[2006-0115a] - %27AmbiCom Bluetooth Object Push Overflow%27 16258 ambicom-bluetooth-objectpush-bo(24179)366Multiple cross-site scripting (XSS) vulnerabilities in Apache Geronimo 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) time parameter to cal2.jsp and (2) any invalid parameter, which causes an XSS when the log file is viewed by the Web-Access-Log viewer.20060115 Apache Geronimo 1.0 - CSS and persistent HTML-Injectionvulnerabilities16260ADV-2006-021718485 geronimo-webaccesslog-viewer-xss(24159)geronimo-jspexamples-xss(24158)RHSA-2008:0261RHSA-2008:063031493Unquoted Windows search path vulnerability in Check Point VPN-1 SecureClient might allow local users to gain privileges via a malicious "program.exe" file in the C: folder, which is run when SecureClient attempts to launch the Sr_GUI.exe program.16290ADV-2006-025820060117 [ TZO-012006 ] Checkpoint VPN-1 SecureClient insecure usage of CreateProcess()Unspecified vulnerability in the Advanced Queuing component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.6, 10.1.0.3 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499Unspecified vulnerability in the Change Data Capture component of Oracle Database server 9.2.0.7, 10.1.0.5, and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB02. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the CDC_ALLOCATE_LOCK function of the DBMS_CDC_UTILITY package.16287VU#545804ADV-2006-024318493ADV-2006-032318608101549922540oracle-january2006-update(24321)Unspecified vulnerability in the Connection Manager component of Oracle Database server 8.1.7.4 and 9.0.1.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB03.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB04 and (2) DB06 in the (a) Data Pump component; (3) DB10 in the (b) Net Listener component; and (4) DB16 in the (c) Oracle Text component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB06 is SQL injection in the GENERATE_JOB_NAME, GET_WORKERSTATUSLIST1010, GET_PARAMVALUES1010, GET_DUMPFILESET1010, GET_JOBSTATUS1010, ATTACH, and ESTABLISH_REMOTE_CONTEXT functions in DBMS_DATAPUMP.16287VU#545804ADV-2006-024318493ADV-2006-032318608101549922544oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 9.2.0.7 and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB05 in the (a) Data Pump component; (2) DB15 in the (b) Oracle Text component; (3) DB22 in the (c) Streams Apply component; (4) DB23 and (5) DB24 in the (d) Streams Capture component; and (6) DB26 in the (e) Streams Subcomponent. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB05 involves SQL injection in the (f) LONG2VARCHAR, LONG2VCMAX, LONG2VCNT, and LONG2CLOB functions in the DBMS_METADATA_UTIL package; (g) MAKE_FILTER, FETCH_VIEWS_ERROR, FETCH_FILTERS, FETCH_VIEWS, SET_FILTER_COMMON, DO_FILTER_SCRIPT, SET_TABLE_FILTERS, and MAKE_FILTER_TEXT functions in the DBMS_METADATA_INT package; and (h) GET_PREPOST_TABLE_ACT function in the DBMS_METADATA package.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499225432264322637oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB07 in the Dictionary component and (2) DB14 in the Oracle Label Security component. NOTE: Oracle has not disputed reliable researcher claims that DB07 involves plaintext storage of the TDE wallet password in a trace file by event 10053.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)20060117 Oracle Database 10g Rel. 2 - Event 10053 logs TDE wallet password in cleartextoracle-masterkey-plaintext(24168)Unspecified vulnerability in the Net Foundation Layer component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB08.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB09 in the (a) Net Listener component; and (2) DB12 and (3) DB13 in the Network Communications (RPC) component.16287VU#545804ADV-2006-024318493ADV-2006-032318608TA06-018AVU#8701721015499225472255022551oracle-january2006-update(24321)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-0259. Reason: This candidate is subsumed by CVE-2006-0259. An error during initial CVE analysis used the wrong set of affected versions for "DB10". Notes: All CVE users should reference CVE-2006-0259 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.1015499 oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB17 in the Oracle Text component and (2) DB18 in the Program Interface Network component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB17 involves SQL injection in the (a) VALIDATE_STATEMENT and BUILD_DML functions in CTXSYS.DRILOAD; (b) CLEAN_DML function in CTXSYS.DRIDML; (c) GET_ROWID function in CTXSYS.CTX_DOC; (d) BROWSE_WORDS function in CTXSYS.CTX_QUERY; and (e) ODCIINDEXTRUNCATE, ODCIINDEXDROP, and ODCIINDEXDELETE functions in CATINDEXMETHODS.16287VU#545804ADV-2006-024318493ADV-2006-03231860810154992255522639226402264122642oracle-january2006-update(24321)Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.0.1.5, 9.2.0.7, and 10.1.0.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB19.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.2.0.6 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB20.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Security component of Oracle Database server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB21.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Streams Capture component of Oracle Database server 10.1.0.5 and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB25. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the SET_DIRECTORY_ROOT function in the DBMS_CDC_PUBLISH package.16287VU#545804ADV-2006-024318493ADV-2006-032318608101549922563oracle-january2006-update(24321)Unspecified vulnerability in the Transparent Data Encryption (TDE) Wallet component of Oracle Database server 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB27. NOTE: Oracle has not disputed a reliable researcher report that TDA stores the master key without encryption, which allows local users to obtain the key via the SGA.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)20060117 Oracle Database 10g Rel. 2- Transparent Data Encryption plaintext masterkey in SGAoracle-sga-masterkey-plaintext(24186)Unspecified vulnerability in the Upgrade & Downgrade component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB28. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the DBMS_REGISTRY package in certain parameters to the (1) IS_COMPONENT, (2) GET_COMP_OPTION, (3) DISABLE_DDL_TRIGGERS, (4) SCRIPT_EXISTS, (5) COMP_PATH, (6) GATHER_STATS, (7) NOTHING_SCRIPT, and (8) VALIDATE_COMPONENTS functions.16287VU#545804ADV-2006-024318493ADV-2006-032318608101549922566oracle-january2006-update(24321)Unspecified vulnerability in the XML Database component of Oracle Database server 9.2.0.7 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB29. NOTE: based on mutual credits by the relevant sources, it is highly likely that this issue is a buffer overflow in the (a) DBMS_XMLSCHEMA and (b) DBMS_XMLSCHEMA_INT packages, as exploitable via long arguments to (1) XDB.DBMS_XMLSCHEMA.GENERATESCHEMA or (2) XDB.DBMS_XMLSCHEMA.GENERATESCHEMAS.16287VU#545804ADV-2006-024318493ADV-2006-032318608TA06-018AVU#8916441015499oracle-january2006-update(24321)20060126 [Argeniss] Oracle Database Buffer overflows vulnerabilities in public procedures of XDB.DBMS_XMLSCHEMA{_INT}oracle-xdbdbmx-xmlschema-bo(24376)Unspecified vulnerability in the Portal component of Oracle Application Server 9.0.4.2 and 10.1.2.0 has unspecified impact and attack vectors, as identified by Oracle Vuln# AS01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 and 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP03.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP04. NOTE: Oracle has not disputed reliable researcher claims that this issue is related to directory traversal that allows reading of portions of arbitrary XML files via the customize parameter.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)20060117 Oracle Reports - Read parts of files via customize(fixed after 875 days)Multiple unspecified vulnerabilities in Oracle Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) OCS01, 2) OCS02, 3) OCS03, 4) OCS04, 5) OCS05, 6) OCS06, 7) OCS07, (8) OCS08, and (9) OCS09 in the (a) Email Server component; 10) OCS10 (and (11) OCS11 in the (b) Oracle Collaboration Suite Wireless & Voice (component; 12) OCS12 and (13) OCS13 in the (c) Oracle Content (Management SDK component; 14) OCS14 and (15) OCS15 in the (d) Oracle (Content Services component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS01 in the (a) Application Install component; (2) APPS07 in the (b) Oracle Applications Framework component; (3) APPS08, (4) APPS09, (5) APPS10, and (6) APPS11 in the (c) Oracle Applications Technology Stack component; (7) APPS12 in the (d) Oracle Human Resources component; (8) APPS15 and (9) APPS16 in the (e) Oracle Marketing component; (10) APPS17 in the (f) Marketing Encyclopedia System component; (11) APPS18 in the (g) Oracle Trade Management component; and (12) APPS19 in the (h) Oracle Web Applications Desktop Integration component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.9 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS02 in the (a) CRM Technical Foundation component; (2) APPS03 in the (b) iProcurement component; and (3) APPS04, (4) APPS05, and (5) APPS06 in the Oracle Application Object Library component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 4.3 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS13 and (2) APPS14 in the Oracle iLearning component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in Oracle PeopleSoft Enterprise Portal 8.4 Bundle 15, 8.8 Bundle 10, and 8.9 Bundle 2 has unspecified impact and attack vectors, as identified by Oracle Vuln# PSE01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in Oracle JD Edwards HTML Server 8.95.F1 SP23_L1 has unspecified impact and attack vectors, as identified by Oracle Vuln# JDE01.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC01 in the Protocol Support component.16287VU#545804ADV-2006-024318493ADV-2006-0323186081015499oracle-january2006-update(24321)Unspecified vulnerability in Oracle Database Server 10.1.0.4.2, Application Server 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC02 in the Reorganize Objects & Convert Tablespace component.16