The file watch implementation in the audit subsystem (auditctl -w) in the Red Hat Enterprise Linux (RHEL) 4 kernel 2.6.9 allows local users to cause a denial of service (kernel panic) by replacing a watched file, which does not cause the watch on the old inode to be dropped.Successful exploitation requires that the attacker previously created a watch for a file.RHSA-2007:008524300227371017705Multiple heap-based buffer overflows in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allow user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file in which values to loop counters are not properly handled in the (1) WP3TablesGroup::_readContents and (2) WP5DefinitionGroup_DefineTablesSubGroup::WP5DefinitionGroup_DefineTablesSubGroup functions. NOTE: the integer overflow has been split into CVE-2007-1466.This vulnerability has been addressed by the vendor through a product update: http://sourceforge.net/projects/libwpd/ ADV-2007-09762450720070316 Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities20070316 rPSA-2007-0057-1 libwpdDSA-1268DSA-1270FEDORA-2007-350MDKSA-2007:063MDKSA-2007:064RHSA-2007:0055SUSE-SA:2007:023USN-437-123006ADV-2007-1032101778924557245722458024573245812459324465GLSA-200704-0724794102863ADV-2007-133924856GLSA-200704-1224906MDKSA-2007:063MDKSA-2007:064SSA-2007-085-02245882461324591pam_unix.so in Linux-PAM 0.99.7.0 allows context-dependent attackers to log into accounts whose password hash, as stored in /etc/passwd or /etc/shadow, has only two characters.[fedora-devel-list] 20070122 Re: rawhide report: 20070120 changes[fedora-devel-list] 20070122 Re: rawhide report: 20070120 changes[pam-list] 20070123 Linux-PAM 0.99.7.1 released SUSE-SR:2007:003 22204 ADV-2007-0323 23858 linuxpam-pamunix-security-bypass(31739)The NFS client implementation in the kernel in Red Hat Enterprise Linux (RHEL) 3, when a filesystem is mounted with the noacl option, checks permissions for the open system call via vfs_permission (mode bits) data rather than an NFS ACCESS call to the server, which allows local client processes to obtain a false success status from open calls that the server would deny, and possibly obtain sensitive information about file permissions on the server, as demonstrated in a root_squash environment. NOTE: it is uncertain whether any scenarios involving this issue cross privilege boundaries.Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.20070309 Buffer Overflow in Linux Drivers for Omnikey CardMan 4040 (CVE-2007-0005)FEDORA-2007-335FEDORA-2007-336RHSA-2007:009922870ADV-2007-0872330232443624518kernel-cardman4040drivers-bo(32880) MDKSA-2007:078 24777 24901 DSA-1286 2507820070615 rPSA-2007-0124-1 kernel xenMDKSA-2007:078USN-486-1USN-489-1256912613326139The key serial number collision avoidance code in the key_alloc_serial function in Linux kernel 2.6.9 up to 2.6.20 allows local users to cause a denial of service (crash) via vectors that trigger a null dereference, as originally reported as "spinlock CPU recursion."The scheme for selecting serial numbers was changed from incrementing a counter to random number selection, increasing the likelihood of a serial number collision.MDKSA-2007:060RHSA-2007:0085RHSA-2007:0099SUSE-SA:2007:02122539241092425924300244292448224547USN-451-12475220070615 rPSA-2007-0124-1 kernel xenMDKSA-2007:047MDKSA-2007:06025691MDKSA-2007:047gnucash 2.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) gnucash.trace, (2) qof.trace, and (3) qof.trace.[PID] temporary files.24225 FEDORA-2007-256 MDKSA-2007:046 22610 ADV-2007-0653 24226 24317 gnucash-symlink(32558)Integer underflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, SeaMonkey before 1.0.8, Thunderbird before 1.5.0.10, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via a crafted SSLv2 server message containing a public key that is too short to encrypt the "Master Secret", which results in a heap-based overflow.SSA:2007-066-03SSA:2007-066-04SSA:2007-066-05102945SUSE-SA:2007:022ADV-2007-21412559724406244552445624457243422558820070223 Mozilla Network Security Services SSLv2 Client Integer Underflow Vulnerability20070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-278FEDORA-2007-279FEDORA-2007-281FEDORA-2007-293GLSA-200703-18GLSA-200703-22MDKSA-2007:050MDKSA-2007:052RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-1USN-431-1VU#37781222694ADV-2007-0719ADV-2007-0718321051017696242382425224253242772428724290242052432824333243432432024293243952438424389244102452224562nss-mastersecret-bo(32666)102856ADV-2007-1165 24703 20070301-01-P 24650DSA-1336FEDORA-2007-308FEDORA-2007-309MDKSA-2007:05020070202-01-PHPSBUX02153Stack-based buffer overflow in the SSLv2 support in Mozilla Network Security Services (NSS) before 3.11.5, as used by Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, SeaMonkey before 1.0.8, and certain Sun Java System server products before 20070611, allows remote attackers to execute arbitrary code via invalid "Client Master Key" length values.SSA:2007-066-03SSA:2007-066-04SSA:2007-066-05102945SUSE-SA:2007:022ADV-2007-21412559724406244552445624457243422558820070223 Mozilla Network Security Services SSLv2 Server Stack Overflow Vulnerability20070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-278FEDORA-2007-279GLSA-200703-18GLSA-200703-22MDKSA-2007:050MDKSA-2007:052RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-1USN-431-1VU#592796ADV-2007-0719ADV-2007-071832106101769624253242772428724290243332434324293243952438424389244102452224562nss-clientmasterkey-bo(32663)102856ADV-2007-11652470320070301-01-P24650DSA-1336FEDORA-2007-308FEDORA-2007-309MDKSA-2007:05020070202-01-PHPSBUX02153The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file.RHSA-2007:0019 DSA-1256 MDKSA-2007:039 SUSE-SR:2007:002 USN-415-1 22209 ADV-2007-0331 1017552 23884 23933 23935 24010 24006 24095 23984MDKSA-2007:039The web portal interface in Citrix Access Gateway (aka Citrix Advanced Access Control) before Advanced Edition 4.5 HF1 places a session ID in the URL, which allows context-dependent attackers to hijack sessions by reading "residual information", including the a referer log, browser history, or browser cache.20071022 Corsaire Security Advisory - Citrix Access Gateway session ID disclosure issue24975ADV-2007-2583101843526143citrix-access-unspeci-information-disclosure(35510)Sun JRE 5.0 before update 14 allows remote attackers to cause a denial of service (Internet Explorer crash) via an object tag with an encoded applet and an undefined name attribute, which triggers a NULL pointer dereference in jpiexp32.dll when the applet is decoded and passed to the JVM.20080108 Corsaire Security Advisory: Sun J2RE DoS issue27185sun-java-jpiexp32-dos(39549)3527ChainKey Java Code Protection allows attackers to decompile Java class files via a Java class loader with a modified defineClass method that saves the bytecode to a file before it is passed to the JVM.20070112 Corsaire Security Advisory: ChainKey Java Code Protection Bypass issue20070112 Re: Corsaire Security Advisory: ChainKey Java Code Protection Bypass issueBuffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI.Exploit 3064218291017461VU#442497ADV-2007-000123540quicktime-rtsp-url-bo(31203) 3064 APPLE-SA-2007-01-23 TA07-005A 31023Stack-based buffer overflow in MoviePlay 4.76 allows remote attackers to execute arbitrary code via a long filename in a LST file.21840229594051Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.23592[vlc-devel] 20070102 Security hole in VLC media player for Mac...ADV-2007-00261017464vlcmediaplayer-udp-format-string(31226)21852 DSA-1252 GLSA-200701-24 SUSE-SA:2007:013 23829 23910 23971Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code via a long argument to the SetFormatLikeSample function. NOTE: the products include (1) NCTsoft NCTAudioStudio, NCTAudioEditor, and NCTDialogicVoice; (2) Magic Audio Recorder, Music Editor, and Audio Converter; (3) Aurora Media Workshop; DB Audio Mixer And Editor; (4) J. Hepple Products including Fx Audio Editor and others; (5) EXPStudio Audio Editor; (6) iMesh; (7) Quikscribe; (8) RMBSoft AudioConvert and SoundEdit Pro 2.1; (9) CDBurnerXP; (10) Code-it Software Wave MP3 Editor and aBasic Editor; (11) Movavi VideoMessage, DVD to iPod, and others; (12) SoftDiv Software Dexster, iVideoMAX, and others; (13) Sienzo Digital Music Mentor (DMM); (14) MP3 Normalizer; (15) Roemer Software FREE and Easy Hi-Q Recorder, and Easy Hi-Q Converter; (16) Audio Edit Magic; (17) Joshua Video and Audio Converter; (18) Virtual CD; (19) Cheetah CD and DVD Burner; (20) Mystik Media AudioEdit Deluxe, Blaze Media, and others; (21) Power Audio Editor; (22) DanDans Digital Media Full Audio Converter, Music Editing Master, and others; (23) Xrlly Software Text to Speech Makerand Arial Sound Recorder / Audio Converter; (24) Absolute Sound Recorder, Video to Audio Converter, and MP3 Splitter; (25) Easy Ringtone Maker; (26) RecordNRip; (27) McFunSoft iPod Audio Studio, Audio Recorder for Free, and others; (28) MP3 WAV Converter; (29) BearShare 6.0.2.26789; and (30) Oracle Siebel SimBuilder and CRM 7.x. 23534 23535 23536 23541 23542 23544 23546 23548 23550 23554 23558 23560 23561 23562 23565 23745 23753 23795 nctaudiofile2-multiple-bo(31707) 22196 23892 2292220070124 Re: Secunia Research: NCTsoft Products NCTAudioFile2 ActiveXControl Buffer Overflow20070124 Secunia Research: NCTsoft Products NCTAudioFile2 ActiveX ControlBuffer Overflow20070124 Secunia Research: Sienzo Digital Music Mentor NCTAudioFile2ActiveX Control Buffer Overflow2599326046261002610128407ADV-2007-0310234752349323532235432355123552235532355723568VU#2927132348523495235112351623530Multiple heap-based buffer overflows in rumpusd in Rumpus 5.1 and earlier (1) allow remote authenticated users to execute arbitrary code via a long LIST command and other unspecified requests to the FTP service, and (2) allow remote attackers to execute arbitrary code via unspecified requests to the HTTP service. 23842 rumpus-ftp-service-bo(31594)Heap-based buffer overflow in the SFTP protocol handler for Panic Transmit (Transmit.app) up to 3.5.5 allows remote attackers to execute arbitrary code via a long ftps:// URL.ADV-2007-027323861 3160 transmit-url-handler-bo(31673)Format string vulnerability in Apple iChat 3.1.6 allows remote attackers to cause a denial of service (null pointer dereference and application crash) and possibly execute arbitrary code via format string specifiers in an aim:// URI.ADV-2007-0274 APPLE-SA-2007-02-15 TA07-047A VU#794752 22146 1017661 24198 ichat-aim-format-string(31679)Untrusted search path vulnerability in writeconfig in Apple Mac OS X 10.4.8 allows local users to gain privileges via a modified PATH that points to a malicious launchctl program.3160523793macos-writeconfig-privilege-escalation(31677)APPLE-SA-2007-04-1922148ADV-2007-1470101794124966TA07-109AADV-2007-0074The CFUserNotificationSendRequest function in UserNotificationCenter.app in Apple Mac OS X 10.4.8, when used in combination with diskutil, allows local users to gain privileges via a malicious InputManager in Library/InputManagers in a user's home directory, which is executed when Cocoa applications attempt to notify the user. APPLE-SA-2007-02-15 TA07-047A VU#315856 22188 32695 1017542 23846 24198 macos-inputmanager-privilege-escalation(31676)ADV-2007-0074Integer overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability."20070109 Microsoft Windows VML Element Integer Overflow VulnerabilityMS07-004929969VU#12208421930ADV-2007-010531250101748923677ie-vml-record-bo(31287)ADV-2007-0129TA07-009A20070116 MS07-004 VML Integer Overflow Exploit20070117 Re: MS07-004 VML Integer Overflow ExploitHPSBST02184oval:org.mitre.oval:def:1058The MFC component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 and Visual Studio .NET 2000, 2002 SP1, 2003, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption. NOTE: this might be due to a stack-based buffer overflow in the the AfxOleSetEditMenu function in MFC42u.dll.MS07-012VU#93204122476ADV-2007-058131887101763824150TA07-044Aoval:org.mitre.oval:def:157The OLE Dialog component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption.MS07-011 VU#497756 22483 ADV-2007-0580 31885 1017637 24147TA07-044Aoval:org.mitre.oval:def:540Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via malformed IMDATA records that trigger memory corruption.MS07-002VU#74996421856ADV-2007-01031017487TA07-009AHPSBST0218431255oval:org.mitre.oval:def:119Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0028 should be used.MS07-002VU#493185ADV-2007-01032195223676TA07-009AHPSBST02184312491017485oval:org.mitre.oval:def:768Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a malformed string, aka "Excel Malformed String Vulnerability."MS07-00221877ADV-2007-01031017487TA07-009AHPSBST0218431256oval:org.mitre.oval:def:1102Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via an Excel file with an out-of-range Column field in certain BIFF8 record types, which references arbitrary memory.20070109 Microsoft Excel Invalid Column Heap Corruption VulnerabilityMS07-002VU#30283621925ADV-2007-01031017487TA07-009AHPSBST0218431257oval:org.mitre.oval:def:323Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries.20070109 Microsoft Excel Long Palette Heap Overflow VulnerabilityMS07-002VU#62553221922ADV-2007-01031017487TA07-009AHPSBST0218431258oval:org.mitre.oval:def:753Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers to execute arbitrary code via a malformed VEVENT record in an .iCal meeting request or ICS file.MS07-003VU#47690021931ADV-2007-0104101748823674TA07-009AHPSBST0218431252oval:org.mitre.oval:def:516Buffer overflow in the Advanced Search (Finder.exe) feature of Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted Outlook Saved Searches (OSS) file that triggers memory corruption, aka "Microsoft Outlook Advanced Find Vulnerability."MS07-003VU#27186021936ADV-2007-010410174882367420070111 Computer Terrorism (UK) :: Incident Response Centre - Microsoft Outlook VulnerabilityTA07-009AHPSBST0218431254oval:org.mitre.oval:def:153Word (or Word Viewer) in Microsoft Office 2000 SP3, XP SP3, 2003 SP2, 2004 for Mac, and Works Suite 2004, 2005, and 2006 does not properly handle data in a certain array, which allows user-assisted remote attackers to execute arbitrary code, aka the "Word Array Overflow Vulnerability."MS07-024VU#26077723804ADV-2007-1709101801334387HPSBST02214TA07-128Aoval:org.mitre.oval:def:1737Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.20070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)TA07-089AVU#1916092465920070330 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)20070330 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)20070331 RE: [Full-disclosure] 0-day ANI vulnerability in Microsoft Windows(CVE-2007-0038)20070331 Re: 0-day ANI vulnerability in Microsoft Windows (CVE-2007-0038)3634windows-ani-code-execution(33301)MS07-017TA07-093AADV-2007-121520070402 More information on ZERT patch for ANI 0day HPSBST0220620070402 MS announces out-of-band patch for ANI 0dayTA07-100A33629oval:org.mitre.oval:def:18542542The Exchange Collaboration Data Objects (EXCDO) functionality in Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 allows remote attackers to cause a denial of service (crash) via an Internet Calendar (iCal) file containing multiple X-MICROSOFT-CDO-MODPROPS (MODPROPS) properties in which the second MODPROPS is longer than the first, which triggers a NULL pointer dereference and an unhandled exception.MS07-02623808ADV-2007-171110180152518320070508 Exchange Calendar MODPROPS Denial of Service (CVE-2007-0039)20070509 Exchange Calendar MODPROPS Denial of Service (CVE-2007-0039)HPSBST02214TA07-128A34390oval:org.mitre.oval:def:1593exchange-ical-dos(33888)The LDAP service in Windows Active Directory in Microsoft Windows 2000 Server SP4, Server 2003 SP1 and SP2, Server 2003 x64 Edition and SP2, and Server 2003 for Itanium-based Systems SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted LDAP request with an unspecified number of "convertible attributes."MS07-03920070710 Microsoft Windows Active Directory Remote Code ExecutionSSRT071446TA07-191AVU#48790524800ADV-2007-2481oval:org.mitre.oval:def:2012101835526002The PE Loader service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer" and unvalidated message lengths, probably a buffer overflow.MS07-040SSRT071446TA07-191A24778ADV-2007-2482oval:org.mitre.oval:def:2093101835626003ms-dotnet-pe-loader-bo(34637)Interpretation conflict in ASP.NET in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows remote attackers to access configuration files and obtain sensitive information, and possibly bypass security mechanisms that try to constrain the final substring of a string, via %00 characters, related to use of %00 as a string terminator within POSIX functions but a data character within .NET strings, aka "Null Byte Termination Vulnerability."MS07-040SSRT071446TA07-191AADV-2007-2482oval:org.mitre.oval:def:2070101835626003The Just In Time (JIT) Compiler service in Microsoft .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via unspecified vectors involving an "unchecked buffer," probably a buffer overflow, aka ".NET JIT Compiler Vulnerability".MS07-040SSRT071446TA07-191A24811ADV-2007-2482oval:org.mitre.oval:def:1873101835626003ms-dotnet-jit-bo(34639)Adobe Acrobat Reader Plugin before 8.0.0 for the Firefox, Internet Explorer, and Opera web browsers allows remote attackers to force the browser to make unauthorized requests to other web sites via a URL in the (1) FDF, (2) xml, and (3) xfdf AJAX request parameters, following the # (hash) character, aka "Universal CSRF and session riding."20070103 Adobe Acrobat Reader Plugin - Multiple VulnerabilitiesADV-2007-00321017469adobe-acrobat-pdf-csrf(31266)21858GLSA-200701-16SUSE-SA:2007:01123812238822090RHSA-2008:014429065Multiple cross-site scripting (XSS) vulnerabilities in Adobe Acrobat Reader Plugin before 8.0.0 for Mozilla Firefox, Microsoft Internet Explorer 6 SP1, Opera 8.5.4 build 770, and Opera 9.10.8679 on Windows allow remote attackers to inject arbitrary JavaScript and conduct other attacks via a .pdf URL with a javascript: or res: URI with (1) FDF, (2) XML, and (3) XFDF AJAX parameters, or (4) an arbitrarily named name=URI anchor identifier, aka "Universal XSS (UXSS)."244572090HPSBUX0215320070103 Adobe Acrobat Reader Plugin - Multiple Vulnerabilities20070103 RE: [WEB SECURITY] Universal XSS with PDF files: highly dangerous20070103 Re: Universal XSS with PDF files: highly dangerous20070103 Re: [WEB SECURITY] Universal XSS with PDF files: highly dangerous20070103 Universal XSS with PDF files: highly dangerousVU#815960ADV-2007-0032101746923483adobe-acrobat-pdf-xss(31271)RHSA-2007:0017218582369120070104 Universal PDF XSS After PartyGLSA-200701-16RHSA-2007:0021102847SUSE-SA:2007:011ADV-2007-095723812238772388224533SSA:2007-066-05Double free vulnerability in the Adobe Acrobat Reader Plugin before 8.0.0, as used in Mozilla Firefox 1.5.0.7, allows remote attackers to execute arbitrary code by causing an error via a javascript: URI call to document.write in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters.20070103 Adobe Acrobat Reader Plugin - Multiple VulnerabilitiesADV-2007-00321017469adobe-acrobat-msvcrt-code-execution(31272)RHSA-2007:001723691 GLSA-200701-16 RHSA-2007:0021 102847 SUSE-SA:2007:011 ADV-2007-0957 23812 23877 23882 245332090CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0.0, when used with the Microsoft.XMLHTTP ActiveX object in Internet Explorer, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the javascript: URI in the (1) FDF, (2) XML, or (3) XFDF AJAX request parameters.ADV-2007-00321017469adobe-acrobat-xmlhttp-response-splitting(31291)SUSE-SA:2007:01123882Adobe Acrobat Reader Plugin before 8.0.0, when used with Internet Explorer, allows remote attackers to cause a denial of service (memory consumption) via a long sequence of # (hash) characters appended to a PDF URL.20070103 Adobe Acrobat Reader Plugin - Multiple VulnerabilitiesADV-2007-00321017469adobe-acrobat-character-dos(31273)GLSA-200701-16SUSE-SA:2007:01123812238822090Geckovich TaskTracker Pro 1.5 and earlier allows remote attackers to add administrative or other accounts via an Add action with a modified GroupID in a direct request to Customize.asp.2184723564tasktrackerpro-customize-auth-bypass(31235)** DISPUTED ** PHP remote file inclusion vulnerability in index.php in OpenPinboard 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the language parameter. NOTE: this issue has been disputed by the developer and a third party, since the variable is set before use. CVE analysis suggests that there is a small time window of risk before the installation is complete.20070103 OpenPinboard <= Remote File Include20070103 Re: OpenPinboard <= Remote File IncludeFormat string vulnerability in Apple iPhoto 6.0.5 (316), and other versions before 6.0.6, allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed.20070104 DMA[2007-0104a] - 'iLife iPhoto Photocasing Format String Vulnerability'21871ADV-2007-005723615iphoto-xmltitle-format-string(31281)3080APPLE-SA-2007-03-13SQL injection vulnerability in haberdetay.asp in Vizayn Haber allows remote attackers to execute arbitrary SQL commands via the id parameter.21836ADV-2007-001523576vicayn-haberdetay-sql-injection(31213)SQL injection vulnerability in detail.asp in ASP SiteWare autoDealer 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the iPro parameter.21833ADV-2007-001623572autodealer-detail-sql-injection(31219)Cross-site scripting (XSS) vulnerability in gbrowse.php in Belchior Foundry vCard PRO allows remote attackers to inject arbitrary web script or HTML via the sortby parameter.20070101 vBulletin vCard PRO XSS21844vcard-gbrowse-xss(31182)Directory traversal vulnerability in formbankcgi.exe/AbfrageForm in Formbankserver 1.9 allows remote attackers to read arbitrary files via directory traversal sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-001223539formbankserver-name-directory-traversal(31214) 3063Multiple cross-site scripting (XSS) vulnerabilities in AShop Deluxe 4.5 and AShop Administration Panel allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter to (a) ashop/catalogue.php and (b) ashop/basket.php, the (2) exp parameter to ashop/catalogue.php, the (3) searchstring parameter to (c) ashop/search.php, the (4) checkout and (5) action parameters to (d) ashop/shipping.php, the cat parameter to (f) cart-path/admin/editcatalogue.php, and the (7) resultpage parameter to (g) cart-path/admin/salesadmin.php.20070101 AShop Shopping Cart Multiple XSS Vulnerabilities21845ADV-2007-002823547ashop-multiple-scripts-xss(31178)2091Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3.2 does not properly configure or allow modification of a shared secret authentication key, which causes all devices to have the same shared sercet and allows remote attackers to gain unauthorized access.20070103 Multiple Vulnerabilities in Cisco Clean AccessADV-2007-0030101746523617Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 on the Clean Access Manager (CAM) allows remote attackers to bypass authentication and download arbitrary manual database backups by guessing the snapshot filename using brute force, then making a direct request for the file.20070103 Multiple Vulnerabilities in Cisco Clean AccessADV-2007-003010174652355632579Cross-zone scripting vulnerability in Apple Quicktime 3 to 7.1.3 allows remote user-assisted attackers to execute arbitrary code and list filesystem contents via a QuickTime movie (.MOV) with an HREF Track (HREFTrack) that contains an automatic action tag with a local URI, which is executed in a local zone during preview, as exploited by a MySpace worm.VU#304064 APPLE-SA-2007-03-05Stack-based buffer overflow in the Message Queuing Server (Cam.exe) in CA (formerly Computer Associates) Message Queuing (CAM / CAFT) software before 1.11 Build 54_4 on Windows and NetWare, as used in CA Advantage Data Transport, eTrust Admin, certain BrightStor products, certain CleverPath products, and certain Unicenter products, allows remote attackers to execute arbitrary code via a crafted message to TCP port 3104.20070724 CA Message Queuing Server (Cam.exe) Overflow25051ADV-2007-263826190systems-management-bo(32234)20070725 [CAID 35527]: CA Message Queuing (CAM / CAFT) Buffer Overflow Vulnerability1018449The DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed packet that triggers "corrupt stack memory."20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities25729dhcp-malformed-packet-bo(33101)20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerGLSA-200711-23USN-543-1ADV-2007-32291018717268902769427706Integer overflow in the ISC dhcpd 3.0.x before 3.0.7 and 3.1.x before 3.1.1; and the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528; allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a malformed DHCP packet with a large dhcp-max-message-size that triggers a stack-based buffer overflow, related to servers configured to send many DHCP options to clients.20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities25729dhcp-param-overflow(33102)20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerGLSA-200711-23USN-543-1ADV-2007-32291018717268902769427706GLSA-200808-0531396Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.20070919 VMWare DHCP Server Remote Code Execution Vulnerabilities25729dhcp-param-underflow(33103)20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerGLSA-200711-23USN-543-1ADV-2007-32291018717268902769427706Heap-based buffer overflow in Windows Media Format Runtime 7.1, 9, 9.5, 9.5 x64 Edition, 11, and Windows Media Services 9.1 for Microsoft Windows 2000, XP, Server 2003, and Vista allows user-assisted remote attackers to execute arbitrary code via a crafted Advanced Systems Format (ASF) file.MS07-068HPSBST0229926776ADV-2007-4183101907428034TA07-345AVU#319385oval:org.mitre.oval:def:3622Heap-based buffer overflow in Object Linking and Embedding (OLE) Automation in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, Office 2004 for Mac, and Visual basic 6.0 SP6 allows remote attackers to execute arbitrary code via a crafted script request.MS08-008TA08-043C27661ADV-2008-0510101937328902HPSBST02314oval:org.mitre.oval:def:5388The kernel in Microsoft Windows 2000 SP4, XP SP2, and Server 2003, when ICMP Router Discovery Protocol (RDP) is enabled, allows remote attackers to cause a denial of service via fragmented router advertisement ICMP packets that trigger an out-of-bounds read, aka "Windows Kernel TCP/IP/ICMP Vulnerability."MS08-00128297TA08-008A20070108 Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS VulnerabilitiesHPSBST0230427139ADV-2008-00691019166win-tcpip-icmp-dos(39254)oval:org.mitre.oval:def:5271Unspecified vulnerability in the Lotus Domino Web Server 6.0, 6.5.x before 6.5.6, and 7.0.x before 7.0.3 allows remote attackers to cause a denial of service (daemon crash) via requests for URLs that reference certain files.24307ADV-2007-204625542domino-unspecified-dos(34689)1018189IBM Lotus Domino 7.0.x before 7.0.3 does not revalidate the signature on a signed scheduled agent after the agent is modified, which allows remote authenticated users to gain privileges via a modified agent in a server database.24322ADV-2007-206325520domino-signature-privilege-escalation(34718)Unspecified vulnerability in the kernel in Microsoft Windows XP SP2, Server 2003, and Vista allows remote attackers to cause a denial of service (CPU consumption) and possibly execute arbitrary code via crafted (1) IGMPv3 and (2) MLDv2 packets that trigger memory corruption, aka "Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability."MS08-00128297TA08-008A20070108 Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS VulnerabilitiesVU#11508327100win-ssm-igmp-bo(39452)win-ssm-mld-bo(39453)HPSBST02304ADV-2008-00691019166oval:org.mitre.oval:def:5370Integer overflow in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, allows remote attackers to execute arbitrary code via a crafted SWF file with a negative Scene Count value, which passes a signed comparison, is used as an offset of a NULL pointer, and triggers a buffer overflow.RHSA-2008:0221TA08-100A1019811SUSE-SA:2008:0222976320080408 Adobe Flash Player Invalid Pointer VulnerabilityGLSA-200804-2144282multimedia-file-integer-overflow(37277)VU#1595232869529865APPLE-SA-2008-05-28238305TA08-150ATA08-149AVU#39547329386ADV-2008-1662ADV-2008-1697ADV-2008-17241020114304043043030507AspBB stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for db/aspbb.mdb.20070102 AspBB Remote Password Disclosureaspbb-aspbb-info-disclosure(31230)2100Openforum stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing user passwords via a direct request for openforum.mdb.20070102 Openforum Remote password Disclosureopenforum-openforum-password-disclosure(31209)2099lblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a certain file in admin/db/newFolder/.20070102 lblog Remote Password Disclosure1017462lblog-newfolder-information-disclosure(31229)2098BattleBlog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/blankmaster.mdb.20070101 BattleBlog Database Download Vulnerabilitybattleblog-blankmaster-info-disclosure(31224)2097rblog stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) data/admin.mdb or (2) data/rblog.mdb.20070101 rblog Database Download Vulnerability23538rblog-database-info-disclosure(31200)2102** DISPUTED ** Buffer overflow in the SMB_Connect_Server function in FreeRadius 1.1.3 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. NOTE: the impact of this issue has been disputed by a reliable third party and the vendor, who states that exploitation is limited "only to local administrators who have write access to the server configuration files." CVE concurs with the dispute.-- Official Vendor Statement from the FreeRADIUS Server project This issue is not a security vulnerability. The exploit is available only to local administrators who have write access to the server configuration files. As such, this issue has no security impact on any system running FreeRADIUS. -- Official Vendor Statement from the FreeRADIUS Server project 20070102 FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution20070103 Re: FreeRadius 1.1.3 SMB_Handle_Type SMB_Connect_Server arbitrary code execution1017463freeradius-smbconnectserver-bo(31248)20070211 FreeRADIUS dispute of CVE-2007-0080Sunbelt Kerio Personal Firewall (SKPF) 4.3.268 and 4.3.246, and possibly other versions allows local users to provide a Trojan horse iphlpapi.dll to SKPF by placing it in the installation directory.20070101 Kerio Fake 'iphlpapi' DLL injection Vulnerability21828kerio-directory-code-execution(31232)333562095users_adm/start1.php in IMGallery 2.5 and earlier does not properly handle files with multiple extensions, which allows remote authenticated users to upload and execute arbitrary PHP scripts.21827ADV-2007-0010imgallery-start1-file-upload(31237) 3049Cross-site scripting (XSS) vulnerability in Nuked Klan 1.7 and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a getURL statement in a .swf file, as demonstrated by "Remote Cookie Disclosure." NOTE: it could be argued that this is an issue in Shockwave instead of Nuked Klan.20070102 Nuked Klan <= 1.7 Remote Cookie Disclosure Exploit218502101** DISPUTED ** Buffer overflow in the Windows NT Message Compiler (MC) 1.00.5239 on Microsoft Windows XP allows local users to gain privileges via a long MC-filename. NOTE: this issue has been disputed by a reliable third party who states that the compiler is not a privileged program, so privilege boundaries cannot be crossed.20070102 Windows NT Message Compiler 1.00.5239 arbitrary code execution20070103 Re: Windows NT Message Compiler 1.00.5239 arbitrary code executionUnspecified vulnerability in sys/dev/pci/vga_pci.c in the VGA graphics driver for wscons in OpenBSD 3.9 and 4.0, when the kernel is compiled with the PCIAGP option and a non-AGP device is being used, allows local users to gain privileges via unspecified vectors, possibly related to agp_ioctl NULL pointer reference.[openbsd-cvs] 20070103 Re: CVS: cvs.openbsd.org: src[3.9] 017: SECURITY FIX: January 3, 2007[4.0] 007: SECURITY FIX: January 3, 2007101746823608[openbsd-cvs] 20070103 CVS: cvs.openbsd.org: wwwADV-2007-0043openbsd-vga-privilege-escalation(31276)32574** DISPUTED ** The Apache HTTP Server, when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal.20070103 a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)** DISPUTED ** Microsoft Internet Information Services (IIS), when accessed through a TCP connection with a large window size, allows remote attackers to cause a denial of service (network bandwidth consumption) via a Range header that specifies multiple copies of the same fragment. NOTE: the severity of this issue has been disputed by third parties, who state that the large window size required by the attack is not normally supported or configured by the server, or that a DDoS-style attack would accomplish the same goal.20070103 a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)20070104 Re: a cheesy Apache / IIS DoS vuln (+a question)Multiple directory traversal vulnerabilities in openmedia allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) src parameter to page.php or the (2) format parameter to search_form.php.20070102 openmedia local read fileopenmedia-page-directory-traversal(31258)2103jgbbs stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/bbs.mdb.20070103 jgbbsjgbbs-bbs-information-disclosure(31274)WineGlass stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/data.mdb.20070103 WineGlass ADV-2007-003723594newsCMSlite stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for newsCMS.mdb.newscmslite-newscms-info-disclosure(31222) 3066SQL injection vulnerability in productdetail.asp in E-SMARTCART 1.0 allows remote attackers to execute arbitrary SQL commands via the product_id parameter.23610ADV-2007-0036esmartcart-productdetail-sql-injection(31243) 3074SQL injection vulnerability in page.php in Simple Web Content Management System allows remote attackers to execute arbitrary SQL commands via the id parameter.20070103 Simple Web Content Management System SQL Injection ExploitADV-2007-004023590swcms-page-sql-injection(31261)30762106Sven Moderow GuestBook 0.3a stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for (1) gbook97.mdb or (2) gbook.mdb in ~db/.20070103 GuestBook v0.3a Remote Password Disclosureguestbook-gbook-information-disclosure(31245)2105phpMyAdmin 2.9.1.1 allows remote attackers to obtain sensitive information via a direct request for themes/darkblue_orange/layout.inc.php, which reveals the path in an error message.20070102 Inforamtion Discloser Vulnerabilities in phpMyAdminphpmyadmin-darkblueorange-path-disclosure(31223)MDKSA-2007:1992104CarbonCommunities stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for DataBase/Carbon2.4d.mdb.ADV-2007-0038carboncommunities-carbon2-info-disclosure(31253)Multiple stack-based buffer overflows in the (1) LoadTree and (2) ReadHeader functions in PAISO.DLL 1.7.3.0 (1.7.3 beta) in ConeXware PowerArchiver 2006 9.64.02 allow user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories.20070104 PowerArchiver PAISO.DLL Buffer OverflowADV-2007-00412355920070104 [vuln.sg] PowerArchiver PAISO.DLL Buffer Overflow Vulnerabilitypowerarchiver-loadtree-readheader-bo(31263)Directory traversal vulnerability in language.php in VerliAdmin 0.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang cookie, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by language.php.ADV-2007-0035verliadmin-language-file-include(31241) 3075Race condition in the msxml3 module in Microsoft Internet Explorer 6 allows remote attackers to cause a denial of service (application crash) via many nested tags in an XML document in an IFRAME, when synchronous document rendering is frequently disrupted with asynchronous events, as demonstrated using a JavaScript timer, which can trigger null pointer dereferences or memory corruption.20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)20070104 RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)20070104 Concurrency strikes MSIE (potentially exploitable msxml3 flaws)218722365520070104 Re: RE: [Full-disclosure] Concurrency strikes MSIE (potentially exploitablemsxml3 flaws)The Perforce client does not restrict the set of files that it overwrites upon receiving a request from the server, which allows remote attackers to overwrite arbitrary files by modifying the client config file on the server, or by operating a malicious server.20070104 Perforce client: security hole by designCross-site request forgery (CSRF) vulnerability in SPINE allows remote attackers to perform unauthorized actions as administrators via unspecified vectors. NOTE: some of these details are obtained from third party information.ADV-2007-004223537spine-unspecified-csrf(31283)The Adobe PDF specification 1.3, as implemented by Apple Mac OS X Preview, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node.21910multiple-vendor-pdf-code-execution(31364)ADV-2007-0930101774924479TA07-072AThe Adobe PDF specification 1.3, as implemented by Adobe Acrobat before 8.0.0, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node.21910multiple-vendor-pdf-code-execution(31364)ADV-2007-0930101774924479TA07-072AThe Adobe PDF specification 1.3, as implemented by (a) xpdf 3.0.1 patch 2, (b) kpdf in KDE before 3.5.5, (c) poppler before 0.5.4, and other products, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node.21910multiple-vendor-pdf-code-execution(31364)20070116 [KDE Security Advisory] kpdf/kword/xpdf denial of service vulnerabilityMDKSA-2007:018MDKSA-2007:020MDKSA-2007:022MDKSA-2007:019MDKSA-2007:021MDKSA-2007:024SUSE-SR:2007:003USN-410-1USN-410-2ADV-2007-0203ADV-2007-0212ADV-2007-0244ADV-2007-09301017514101774923799237912380823813238152384423839238762420424479MDKSA-2007:019MDKSA-2007:021MDKSA-2007:024TA07-072AStack-based buffer overflow in the CSAdmin service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted HTTP GET request.20070105 Multiple Vulnerabilities in Cisco Secure Access Control Server21900ADV-2007-0068101747523629cisco-acs-csadmin-bo(31323)VU#74424932642Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request.20070105 Advisory 01/2007: WordPress CSRF Protection XSS Vulnerability21893ADV-2007-0061235952114WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7.Successful exploitation requires that the "mbstring" extension be enabled. This vulnerability is addressed in the following product release: WordPress, WordPress, 2.0.620070105 Advisory 02/2007: WordPress Trackback Charset Decoding SQL Injection Vulnerability21907ADV-2007-006123595OpenPKG-SA-2007.005wordpress-mbstring-security-bypass(31297)GLSA-200701-10237412112nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows remote authenticated users to invoke alternate user profiles.21886ADV-2007-0064101747123619novell-profile-security-bypass(31343)wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks.20070103 Wordpress <= 2.x dictionnary & Bruteforce attackADV-2007-006223621wordpress-account-enumeration(31262)GLSA-200701-10237412113Cross-site scripting (XSS) vulnerability in nidp/idff/sso in Novell Access Manager Identity Server before 3.0.0-1013 allows remote attackers to inject arbitrary web script or HTML via the IssueInstant parameter, which is not properly handled in the resulting error message.21921ADV-2007-0073236541017483Buffer overflow in Resco Photo Viewer for PocketPC 4.11 and 6.01, as used in mobile devices running Windows Mobile 5.0, 2003, and 2003SE, allows remote attackers to execute arbitrary code via a crafted PNG image.21920ADV-2007-007223658SQL injection vulnerability in cats.asp in createauction allows remote attackers to execute arbitrary SQL commands via the catid parameter.20070107 createauction (cats.asp) Remote SQL Injection Vulnerability21929createauction-cats-sql-injection(31356)2111Buffer overflow in Packeteer PacketShaper PacketWise 8.x allows remote authenticated users to cause a denial of service (reset or reboot) via (1) a long traffic class argument to the "class show" command or (2) a long POLICY parameter value in clastree.htm.20070108 Packeteer PacketWise CLI overflow DoS21933ADV-2007-009823685packetshaper-argument-dos(31357)2110Sun Java System Content Delivery Server 5.0 and 5.0 PU1 allows remote attackers to obtain sensitive information regarding "content details" via unspecified vectors.10276421908ADV-2007-007623630sun-java-cds-info-disclosure(31345)Static code injection vulnerability in Coppermine Photo Gallery 1.4.10 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the Username to login.php, which is injected into an error message in security.log.php, which can then be accessed using viewlog.php.20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit20070108 Source verify - Coppermine Photo Gallery <= 1.4.10 code injection2107Digger Solutions Intranet Open Source (IOS) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for data/intranet.mdb.20070105 Intranet Open Source Remote Password Disclosure intranet-intranet-info-disclosure(31308)2109DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 10.4.8 does not properly validate Bill of Materials (BOM) files, which allows attackers to gain privileges via a BOM file under /Library/Receipts/, which triggers arbitrary file permission changes upon execution of a diskutil permission repair operation.21899ADV-2007-007423653Multiple absolute path traversal vulnerabilities in EditTag 1.2 allow remote attackers to read arbitrary files via an absolute pathname in the file parameter to (1) edittag.cgi, (2) edittag.pl, (3) edittag_mp.cgi, or (4) edittag_mp.pl.20070105 Multiple bugs in EditTag218907950Multiple cross-site scripting (XSS) vulnerabilities in EditTag 1.2 allow remote attackers to inject arbitrary web script or HTML via the plain parameter to (1) mkpw_mp.cgi, (2) mkpw.pl, or (3) mkpw.cgi.20070105 Multiple bugs in EditTag218917950Acunetix Web Vulnerability Scanner (WVS) 4.0 Build 20060717 and earlier allows remote attackers to cause a denial of service (application crash) via multiple HTTP requests containing invalid Content-Length values.21898acunetix-content-length-dos(31279) 3078Cross-site scripting (XSS) vulnerability in search.asp in RI Blog 1.3 allows remote attackers to inject arbitrary web script or HTML via the q parameter.20070105 RI Blog 1.3 XSS Vuln.21880ADV-2007-008323657riblog-search-xss(31317)2108Multiple SQL injection vulnerabilities in Coppermine Photo Gallery 1.4.10 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via (1) the cat parameter to albmgr.php, and possibly (2) the gid parameter to usermgr.php; (3) the start parameter to db_ecard.php; and the albumid parameter to unspecified files, related to the (4) filename_to_title and (5) del_titles functions.20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit218943085258462123Unrestricted file upload vulnerability in Uber Uploader 4.2 allows remote attackers to upload and execute arbitrary PHP scripts by naming them with a .phtml extension, which bypasses the .php extension check but is still executable on some server configurations.20070105 Uber Uploader 4.2 Arbitrary File Upload Vulnerabilityuber-uploader-phtml-file-upload(31303)2116Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist.20070105 [DRUPAL-SA-2007-002] Drupal 4.6.11 / 4.7.5 fixes DoS issue21895ADV-2007-0051235862115Kaspersky Labs Antivirus Engine 6.0 for Windows and 5.5-10 for Linux before 20070102 enter an infinite loop upon encountering an invalid NumberOfRvaAndSizes value in the Optional Windows Header of a portable executable (PE) file, which allows remote attackers to cause a denial of service (CPU consumption) by scanning a crafted PE file.20070105 Kaspersky Antivirus Scan Engine PE File Denial of Service Vulnerability2357521901ADV-2007-00671017476kaspersky-antivirus-pe-dos(31315)Heap-based buffer overflow in Opera 9.02 allows remote attackers to execute arbitrary code via a JPEG file with an invalid number of index bytes in the Define Huffman Table (DHT) marker.20070105 Opera Software Opera Web Browser JPG Image DHT Marker Heap Corruption VulnerabilityADV-2007-0060236131017473opera-jpeg-dht-bo(31305)GLSA-200701-08SUSE-SA:2007:0092373923771The Javascript SVG support in Opera before 9.10 does not properly validate object types in a createSVGTransformFromMatrix request, which allows remote attackers to execute arbitrary code via JavaScript code that uses an invalid object in this request that causes a controlled pointer to be referenced during the virtual function call.20070105 Opera Software Opera Web Browser createSVGTransformFromMatrix Object Typecasting VulnerabilityADV-2007-0060236131017473GLSA-200701-08SUSE-SA:2007:0092373923771SQL injection vulnerability in info_book.asp in Digirez 3.4 and earlier allows remote attackers to execute arbitrary SQL commands via the book_id parameter.ADV-2007-005323606SQL injection vulnerability in main.asp in LocazoList 2.01a beta5 and earlier allows remote attackers to execute arbitrary SQL commands via the subcatID parameter.locazolist-main-sql-injection(31242)ADV-2007-0052 3073SQL injection vulnerability in user.php in iGeneric iG Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.21873ADV-2007-00552360220070105 IG Calendar SQL Injectionigcalendar-user-sql-injection(31300) 3082JAMWiki before 0.5.0 does not properly check permissions during moves of "read-only or admin-only topics," which allows remote attackers to make unauthorized changes to the wiki.2363421879jamwiki-permission-security-bypass(31296)SQL injection vulnerability in compare_product.php in iGeneric iG Shop 1.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.ADV-2007-00562360420070105 IG Shop remote code execution21874igshop-compareproduct-sql-injection(31299) 3083Multiple SQL injection vulnerabilities in display_review.php in iGeneric iG Shop 1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) user_login_cookie parameter.ADV-2007-0056Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow remote attackers to execute arbitrary code via the action parameter, which is supplied to an eval function call in (1) cart.php and (2) page.php. NOTE: a later report and CVE analysis indicate that the vulnerability is present in 1.4.ADV-2007-00562360420070105 IG Shop remote code execution21875igshop-cartpage-code-execution(31301)308320070619 iG Shop 1.4 eval Inclusion Vulnerability20070618 Dup: iG Shop 1.4 (page.php) Remote Code Execution ExploitPHP remote file inclusion vulnerability in inc/init.inc.php in Aratix 0.2.2 beta 11 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the current_path parameter.20070108 Source verify of Aratix RFIADV-2007-0054aratix-init-file-include(31282) 3079Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information.20070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixesADV-2007-005020070105 [DRUPAL-SA-2007-001] Drupal 4.6.11 / 4.7.5 fixes XSS issuedrupal-core-unspecified-xss(31311)Cross-site scripting (XSS) vulnerability in SimpleBoxes/SerendipityNZ Serene Bach 2.05R and earlier, and 2.08D and earlier in the 2.08 series; and (2) sb 1.13D and earlier, and 1.18R and earlier in the 1.18 series; allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2362321884ADV-2007-00651017470serene-bach-unspecified-xss(31302)formbankcgi.exe in Fersch Formbankserver 1.9, when the PATH_INFO begins with (1) AbfrageForm or (2) EingabeForm, allows remote attackers to cause a denial of service (daemon crash) via multiple requests containing many /../ sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.23539formbankserver-formbank-dos(31216)Unspecified vulnerability in the DECnet-Plus 7.3-2 feature in DECnet/OSI 7.3-2 for OpenVMS ALPHA, and the DECnet-Plus 7.3 feature in DECnet/OSI 7.3 for OpenVMS VAX, allows attackers to obtain "unintended privileged access to data and system resources" via unspecified vectors, related to (1) [SYSEXE]CTF$UI.EXE, (2) [SYSMSG]CTF$MESSAGES.EXE, (3) [SYSHLP]CTF$HELP.HLB, and (4) [SYSMGR]CTF$STARTUP.COM.23636ADV-2007-0063SQL injection vulnerability in down.asp in Kolayindir Download (Yenionline) allows remote attackers to execute arbitrary SQL commands via the id parameter.20070105 Kolayindir Download (Yenionline) (tr) SqL Injection Vuln.21889ADV-2007-007923645kolayindirdownload-down-sql-injection(31320)2122Cross-site scripting (XSS) vulnerability in yald.php in Yet Another Link Directory 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter.20070106 Yet Another Link Directory v1.021904ADV-2007-008223646yald-yald-xss(31322)2121SQL injection vulnerability in orange.asp in ShopStoreNow E-commerce Shopping Cart allows remote attackers to execute arbitrary SQL commands via the CatID parameter.20070106 shopstorenow (orange.asp) sql injection21905ADV-2007-008023642shopstorenow-orange-sql-injection(31313)2120Multiple PHP remote file inclusion vulnerabilities in NUNE News Script 2.0pre2 allow remote attackers to execute arbitrary PHP code via a URL in the custom_admin_path parameter to (1) index.php or (2) archives.php.ADV-2007-00782363520070107 NUNE News Script (custom_admin_path) Remote File Include Vulnerablitynune-index-archives-file-include(31312)Cross-site scripting (XSS) vulnerability in search.asp in Digitizing Quote And Ordering System 1.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the ordernum parameter.23652qos-search-xss(31321) 3089PHP remote file inclusion vulnerability in bn_smrep1.php in BinGoPHP News (BP News) 3.01 allows remote attackers to execute arbitrary PHP code via a URL in the bnrep parameter, a different vector than CVE-2006-4648 and CVE-2006-4649.1017477bingo-bnsmrep1-file-include(31328)Multiple cross-site scripting (XSS) vulnerabilities in Fix and Chips CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in (a) delete-announce.php; the (2) Announcement form field in (b) staff.php; the (3) Client Name, (4) Business Name, (5) Street, (6) Address 2, (7) Town/City, (8) Postcode, (9) Phone Number, (10) Email Address and (11) Website Address form fields in (c) new_customer.php; and unspecified fields in (d) search.php and (e) client-results.php.20070106 Fix & Chips CMS v1.0ADV-2007-008123625fixandchips-multiple-scripts-xss(31319)32646326473264832649326502119Cuyahoga before 1.0.1 installs the FCKEditor component with an incorrect deny statement in a Web.config file, which allows remote attackers to upload files when these privileges were intended only for the Administrator and Editor roles.2366221927Format string vulnerability in OmniGroup OmniWeb 5.5.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in the Javascript alert function.ADV-2007-00752362421911omniweb-alert-format-string(31324)20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS 3098EMembersPro 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for users.mdb.20070107 EMembersPro 1.0 Remote Password Disclosure Vulnerabilityememberspro-users-info-disclosure(31329)2118Multiple PHP remote file inclusion vulnerabilities in index.php in Dayfox Blog allow remote attackers to execute arbitrary PHP code via a URL in the (1) page, (2) subject, and (3) q parameters.20070107 Dayfox Blog Remote File Include Vuln.ADV-2007-009923661dayfoxblog-index-file-include(31336)2117MitiSoft stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for access_MS/MitiSoft.mdb.20070107 MitiSoft Remote Password Disclosure Vulnerabilitymitisoft-mitisoft-info-disclosure(31341)OhhASP stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/OhhASP.mdb.20070106 ohhASP Remote Password Disclosureohhasp-ohhasp-info-disclosure(31342)AJLogin 3.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for ajlogin.mdb.20070107 AJLogin v3.5 Remote Password Disclosure Vulnerabilityajlogin-ajlogin-info-disclosure(31331)2127Webulas stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/db.mdb.20070107 Webulas Remote Password Disclosure Vulnerabilitywebulas-db-info-disclosure(31338)2126HarikaOnline 2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for harikaonline.mdb.20070107 HarikaOnline v2.0 Remote Password Disclosure Vulnerabilityharikaonline-harikaonline-info-disclosure(31339)2125M-Core stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to db/uyelik.mdb.20070107 M-Core Remote Password Disclosure Vulnerabilitymcore-uyelik-info-disclosure(31340)2124Array index error in the uri_lookup function in the URI parser for neon 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index.[neon] 20070107 invalid chars cause sigserv in neonMDKSA-2007:01322035ADV-2007-01722376323751 [cadaver] 20070123 release 0.22.5 SUSE-SR:2007:002 ADV-2007-0362 23984Directory traversal vulnerability in the GeoIP_update_database_general function in libGeoIP/GeoIPUpdate.c in GeoIP 1.4.0 allows remote malicious update servers (possibly only update.maxmind.com) to overwrite arbitrary files via a .. (dot dot) in the database filename, which is returned by a request to app/update_getfilename.MDKSA-2007:00421959ADV-2007-0117ADV-2007-0118geoip-geoipupdate-directory-traversal(31383) USN-412-1 23880 23906MDKSA-2007:004Stack-based buffer overflow in the LiveJournal support (hooks/ljhook.cc) in CenterICQ 4.9.11 through 4.21.0, when using unofficial LiveJournal servers, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by adding the victim as a friend and using long (1) username and (2) real name strings.Failed exploitation attempts will likely result in a denial-of-service condition.20070107 TK53 Advisory #1: CenterICQ remote DoS buffer overflow in LiveJournal handling21932centericq-username-bo(31330)GLSA-200701-20ADV-2007-030610175452129The PML Driver HPZ12 (HPZipm12.exe) in the HP all-in-one drivers, as used by multiple HP products, uses insecure SERVICE_CHANGE_CONFIG DACL permissions, which allows local users to gain privileges and execute arbitrary programs, as demonstrated by modifying the binpath argument, a related issue to CVE-2006-0023.20070108 HP Multiple Products PML Driver Local Privilege Escalation21935ADV-2007-009423663pml-driver-config-privilege-escalation(31361)2128Unsanity Application Enhancer (APE) 2.0.2 installs with insecure permissions for the (1) ApplicationEnhancer binary and the (2) /Library/Frameworks/ApplicationEnhancer.framework directory, which allows local users to gain privileges by modifying or replacing the binary or library files.2195123649ape-appenhancer-privilege-escalation(31349)SecureKit Steganography 1.7.1 and 1.8 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing the last 20 bytes of the JPEG image with alternate password information.20070106 Cracking Steganography Application in less than ONE minute2363920070107 A Major design Bug in Steganography 1.7.x, 1.8 (latest) (Updated Version)steganography-password-security-bypass(31378)Camouflage 1.2.1 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing certain bytes of the JPEG image with alternate password information.219392357820070107 A Major design Bug in Camouflage 1.2.1 (latest)camouflage-password-security-bypass(31375)Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind.10271321964ADV-2007-011023700solaris-rpcbind-dos(31366)1017492 24056oval:org.mitre.oval:def:2210The jail rc.d script in FreeBSD 5.3 up to 6.2 does not verify pathnames when writing to /var/log/console.log during a jail start-up, or when file systems are mounted or unmounted, which allows local root users to overwrite arbitrary files, or mount/unmount files, outside of the jail via a symlink attack.FreeBSD-SA-07:0122011237301017505Multiple PHP file inclusion vulnerabilities in WGS-PPC (aka PPC Search Engine), as distributed with other aliases, allow remote attackers to execute arbitrary PHP code via a URL in the INC parameter in (1) config_admin.php, (2) config_main.php, (3) config_member.php, and (4) mysql_config.php in config/; (5) admin.php and (6) index.php in admini/; (7) paypalipn/ipnprocess.php; (8) index.php and (9) registration.php in members/; and (10) ppcbannerclick.php and (11) ppcclick.php in main/.20070109 ppc engine Multiple file inclusion20070109 21961demoppc-inc-file-include(31355) 3104 33444 33445 33446 33447 33448 33449 33450 33451 33452 33453 334542134The Tape Engine service in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allows remote attackers to execute arbitrary code via certain data in opnum 0xBF in an RPC request, which is directly executed.VU#662400ADV-2007-015423648brightstor-tapeengine-code-execution(31442)20070111 ZDI-07-002: CA BrightStor ARCserve Backup Tape Engine Code Execution Vulnerability101750620070111 LS-20061002 - Computer Associates BrightStor ARCserve Backup Remote Code Execution Vulnerability20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow Vulnerabilities22010Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allow remote attackers to execute arbitrary code via RPC requests with crafted data for opnums (1) 0x2F and (2) 0x75 in the (a) Message Engine RPC service, or opnum (3) 0xCF in the Tape Engine service.20070111 Computer Associates BrightStor ARCserve Backup RPC Engine PFC Request Buffer Overflow Vulnerability20070111 ZDI-07-003: CA BrightStor ARCserve Backup Message Engine Buffer Overflow VulnerabilityVU#180336ADV-2007-01542364820070111 ZDI-07-004: CA BrightStor ARCserve Backup Tape Engine Buffer Overflow VulnerabilityVU#15103222005220061017506brightstor-messageengine-rpc-bo(31443)brightstor-tapeengine-rpc-bo(31433)20070111 [CAID 34955, 34956, 34957, 34958, 34959, 34817]: CA BrightStor ARCserve Backup Multiple Overflow VulnerabilitiesPHP remote file inclusion vulnerability in index.php in AllMyVisitors 0.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the AMV_serverpath parameter.21917allmyvisitors-index-file-include(31316) 3097PHP remote file inclusion vulnerability in index.php in AllMyLinks 0.5.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the AML_opensite parameter.21916allmylinks-index-file-include(31314) 3096Multiple PHP remote file inclusion vulnerabilities in AllMyGuests 0.3.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the AMG_serverpath parameter to (1) comments.php and (2) signin.php; and possibly via a URL in unspecified parameters to (3) include/submit.inc.php, (4) admin/index.php, (5) include/cm_submit.inc.php, and (6) index.php.21918allmyguests-multiple-file-include(31310) 3093Directory traversal vulnerability in index.php in L2J Statistik Script 0.09 and earlier, when register_globals is enabled and magic_quotes is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php.21914l2j-statistik-index-file-include(31309)ADV-2007-0097 3091Multiple stack-based multiple buffer overflows in the BRWOSSRE2UC.dll ActiveX Control in Sina UC2006 and earlier allow remote attackers to execute arbitrary code via a long string in the (1) astrVerion parameter to the SendChatRoomOpt function or (2) the astrDownDir parameter to the SendDownLoadFile function.20070109 Sina UC ActiveX Multiple Remote Stack OverflowADV-2007-00932363820070109 Sina UC ActiveX Multiple Remote Stack Overflow21958sinauc-sendchatroomopt-bo(31348)sinauc-senddownloadfile-bo(31350)Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter.2365621953b2evolution-login-xss(31368)DSA-156830093Cross-site scripting (XSS) vulnerability in search/advanced_search.php in GForge 4.5.11 allows remote attackers to inject arbitrary web script or HTML via the words parameter.20070108 GForge Cross Site Scripting vulnerability21946101748223675gforge-words-xss(31346)2133DSA-147528598Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9 before 1.9.0rc2, when wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.21956ADV-2007-009623647mediawiki-ajax-unspecified-xss(31359) SUSE-SR:2007:006 24889PHP remote file inclusion vulnerability in info.php in Easy Banner Pro 2.8 allows remote attackers to execute arbitrary PHP code via a URL in the s[phppath] parameter.20070108 Easy Banner Pro Version 2.8 <= Remote File Inclusion21967easybannerpro-info-file-include(31374)2132SQL injection vulnerability in comment.php in PHPKIT 1.6.1 R2 allows remote attackers to execute arbitrary SQL commands via the subid parameter.20070109 Re: PHPKit 1.6.1 RC2 (faq/faq.php) Remote SQL Injection Exploit219622131Stack-based buffer overflow in EF Commander 5.75 allows user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories, which produces a large filename that triggers the overflow.2365921969efcommander-iso-pathname-bo(31365)PHP remote file inclusion vulnerability in include/common_function.php in magic photo storage website allows remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter.20070108 magic photo storage website Remote File Inclusion21965ADV-2007-013623687magicphotostorage-config-file-include(31347)Multiple PHP remote file inclusion vulnerabilities in magic photo storage website allow remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter to (1) admin_password.php, (2) add_welcome_text.php, (3) admin_email.php, (4) add_templates.php, (5) admin_paypal_email.php, (6) approve_member.php, (7) delete_member.php, (8) index.php, (9) list_members.php, (10) membership_pricing.php, or (11) send_email.php in admin/; (12) config.php or (13) db_config.php in include/; or (14) add_category.php, (15) add_news.php, (16) change_catalog_template.php, (17) couple_milestone.php, (18) couple_profile.php, (19) delete_category.php, (20) index.php, (21) login.php, (22) logout.php, (23) register.php, (24) upload_photo.php, (25) user_catelog_password.php, (26) user_email.php, (27) user_extend.php, or (28) user_membership_password.php in user/. NOTE: the include/common_function.php vector is already covered by another candidate from the same date.20070108 magic photo storage website Multiple Remote File Inclusion21965 32668 33411 33412 33413 33414 33415 33416 33417 33418 33419 33420 33421 33422 33423 33425 33426 33427 33428 33429 33430 33431 33433 33435 33436 33437 33438 33439 33432 334342136Cross-site scripting (XSS) vulnerability in /search in iPlanet Web Server 4.x allows remote attackers to inject arbitrary web script or HTML via the NS-max-records parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.2197723605Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to obtain unauthorized access to public methods via a crafted request that bypasses the include/exclude checks.21955ADV-2007-009523641dwr-include-exclude-security-bypass(31377)Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch.21955ADV-2007-009523641dwr-servlet-engine-dos(31382)Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN allow remote attackers to inject arbitrary web script or HTML via (1) the xcho parameter to my.logon.php3; the (2) topblue, (3) midblue, (4) wtopblue, and certain other Custom color parameters in a per action to vdesk/admincon/index.php; the (5) h321, (6) h311, (7) h312, and certain other Front Door custom text color parameters in a per action to vdesk/admincon/index.php; the (8) ua parameter in a bro action to vdesk/admincon/index.php; the (9) app_param and (10) app_name parameters to webyfiers.php; (11) double eval functions; (12) JavaScript contained in an <FP_DO_NOT_TOUCH> element; and (13) the vhost parameter to my.activation.php. NOTE: it is possible that this candidate overlaps CVE-2006-3550.2195720070106 NNL-Labs & MNIN - F5 FirePass Security Advisory236272364332740327413274232743327393273732738F5 FirePass 5.4 through 5.5.2 and 6.0 allows remote attackers to access restricted URLs via (1) a trailing null byte, (2) multiple leading slashes, (3) Unicode encoding, (4) URL-encoded directory traversal or same-directory characters, or (5) upper case letters in the domain name.2195720070106 NNL-Labs & MNIN - F5 FirePass Security Advisory2362623640F5 FirePass 5.4 through 5.5.1 does not properly enforce host access restrictions when a client uses a single integer (dword) representation of an IP address ("dotless IP address"), which allows remote authenticated users to connect to the FirePass administrator console and certain other network resources.2195720070106 NNL-Labs & MNIN - F5 FirePass Security Advisory2364032734** DISPUTED ** PHP remote file inclusion vulnerability in index.php in GeoBB Georgian Bulletin Board allows remote attackers to execute arbitrary PHP code via a URL in the action parameter. NOTE: CVE disputes this issue, since GeoBB 1.0 sets $action to a whitelisted value.20070107 GeoBB Georgian Bulletin Board Remote File Include Vuln.20070110 Dispute of GeoBB RFIgeobb-index-file-include(31335)2141PHP remote file inclusion vulnerability in edit_address.php in edit-x ecommerce allows remote attackers to execute arbitrary PHP code via a URL in the include_dir parameter.20070109 edit-x ecommerce (include_dir) Remote File include21974ADV-2007-0158editx-editaddress-file-include(31384)2139Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allows remote attackers to inject arbitrary web script or HTML via two certain fields in a contents_new operation in the ad_contents section.20070105 MkPortal Admin XSSmkportal-admin-xss(31304)2138Cross-site request forgery (CSRF) vulnerability in the save_main operation in the ad_perms section in admin.php in MKPortal allows remote attackers to modify privilege settings, as demonstrated using a getURL of admin.php within a .swf file contained in an IFRAME element, aka the "All Guests are Admin" attack.20070104 MkPortal 2137FON La Fonera routers do not properly limit DNS service access by unauthenticated clients, which allows remote attackers to tunnel traffic via DNS requests for hosts that should not be accessible before authentication.20070106 FON Router allows anonymous web access20070107 Re: FON Router allows anonymous web accessadmin.php in MKPortal M1.1 RC1 allows remote attackers to obtain sensitive information via a direct request with an MK_PATH=1 query string, which reveals the path in an error message.20070108 MKPortal Full Path Disclosuremkportal-admin-path-disclosure(31333)my.activation.php3 in F5 FirePass 5.4 through 5.5.1 and 6.0 displays different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to confirm the validity of an LDAP account.2195720070106 NNL-Labs & MNIN - F5 FirePass Security Advisory2362732736SQL injection vulnerability in admin_check_user.asp in Motionborg Web Real Estate 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (txtUserName parameter) and possibly other parameters. NOTE: some details were obtained from third party information.21963motionborg-admincheckuser-sql-injection(31360)ADV-2007-014323531 3105Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long volume name in a DMG disk image, which results in memory corruption.20070111 DMA[2007-0107a] OmniWeb Javascript Alert Format String Vulnerabiity and DMA[2007-0109a] Apple Finder Disk Image Volume Label Overflow / DoS21980ADV-2007-0140macos-finder-dos(31410)APPLE-SA-2007-02-15TA07-047AVU#24088010176622419832714The JTapi Gateway process in Cisco Unified Contact Center Enterprise, Unified Contact Center Hosted, IP Contact Center Enterprise, and Cisco IP Contact Center Hosted 5.0 through 7.1 allows remote attackers to cause a denial of service (repeated process restart) via a certain TCP session on the JTapi server port.20070110 Cisco Unified Contact Center and IP Contact Center JTapi Gateway Vulnerability21988ADV-2007-0138101749923710The Data-link Switching (DLSw) feature in Cisco IOS 11.0 through 12.4 allows remote attackers to cause a denial of service (device reload) via "an invalid value in a DLSw message... during the capabilities exchange."20070110 DLSw Vulnerability21990ADV-2007-0139101749823697PHP remote file inclusion vulnerability in template.php in Geoffrey Golliher Axiom Photo/News Gallery (axiompng) 0.8.6 allows remote attackers to execute arbitrary PHP code via a URL in the baseAxiomPath parameter.20070110 source verify - Axiom RFIADV-2007-01072197223715axiom-template-file-include(31372) 3108Buffer overflow in the cmd_usr function in ftp-gw in TIS Internet Firewall Toolkit (FWTK) allows remote attackers to execute arbitrary code via a long destination hostname (dest).219601017481tisfwtk-ftpgw-bo(31363)SQL injection vulnerability in index.php in @lex Guestbook 4.0.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the lang parameter.20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit2192623637ADV-2007-0137 31032135Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 have unknown impact and attack vectors.2370221987MDKSA-2007:199Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information,ADV-2007-01252370221987phpmyadmin-unspecified-xss(31387)MDKSA-2007:199Directory traversal vulnerability in admin/skins.php for @lex Guestbook 4.0.2 and earlier allows remote attackers to create files in arbitrary directories via ".." sequences in the (1) aj_skin and (2) skin_edit parameters. NOTE: this can be leveraged for file inclusion by creating a skin file in the lang directory, then referencing that file via the lang parameter to index.php, which passes a sanity check in livre_include.php.20070107 @lex Guestbook <= 4.0.2 Remote Command Execution Exploit2192631032135Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to read arbitrary files via unknown vectors.HPSBMA02175220091017503 ADV-2007-01532140Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac does not correctly check the properties of certain documents and warn the user of macro content, which allows user-assisted remote attackers to execute arbitrary code.MS07-01422477ADV-2007-05831017639TA07-044A34385oval:org.mitre.oval:def:700Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via a Word file with a malformed drawing object, which leads to memory corruption.MS07-01422482ADV-2007-05831017639TA07-044Aoval:org.mitre.oval:def:187The Window Image Acquisition (WIA) Service in Microsoft Windows XP SP2 allows local users to gain privileges via unspecified vectors involving an "unchecked buffer," probably a buffer overflow.MS07-007 22499 ADV-2007-0576 31889 1017634 24132TA07-044Aoval:org.mitre.oval:def:186The hardware detection functionality in the Windows Shell in Microsoft Windows XP SP2 and Professional, and Server 2003 SP1 allows local users to gain privileges via an unvalidated parameter to a function related to the "detection and registration of new hardware."MS07-006 VU#240796 22481 ADV-2007-0575 31890 1017633 24126TA07-044Aoval:org.mitre.oval:def:224Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails, which allows remote attackers to execute arbitrary code via a crafted base64-encoded MIME e-mail message.MS07-026 VU#343145 23809 ADV-2007-1711 1018015 25183HPSBST02214TA07-128A34391oval:org.mitre.oval:def:1890exchange-mime-base64-code-execution(33889)The HTML Help ActiveX control (Hhctrl.ocx) in Microsoft Windows 2000 SP3, XP SP2 and Professional, 2003 SP1 allows remote attackers to execute arbitrary code via unspecified functions, related to uninitialized parameters.MS07-008VU#56375622478ADV-2007-057731884101763524136TA07-044Aoval:org.mitre.oval:def:125Stack-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a .XLS BIFF file with a malformed Named Graph record, which results in memory corruption.MS07-023 20070508 ZDI-07-026: Microsoft Excel BIFF File Format Named Graph Record Parsing Stack Overflow Vulnerability 23760 ADV-2007-1708 1018012 25150HPSBST02214TA07-128A34393oval:org.mitre.oval:def:1971excel-biff-file-bo(33913)wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 2003 SP2, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted section length headers, aka "Microsoft Works File Converter Input Validation Vulnerability."MS08-011TA08-043C27657ADV-2008-051310193862890420080208 Microsoft Office Works Converter Heap Overflow VulnerabilityHPSBST02314oval:org.mitre.oval:def:5309The wininet.dll FTP client code in Microsoft Internet Explorer 5.01 and 6 might allow remote attackers to execute arbitrary code via an FTP server response of a specific length that causes a terminating null byte to be written outside of a buffer, which causes heap corruption.MS07-01620070213 Microsoft 'wininet.dll' FTP Reply Null Termination Heap Corruption VulnerabilityVU#61356422489ADV-2007-05843189210176422415620070309 MS07-016 FTP Response DOS PoCTA07-044Aoval:org.mitre.oval:def:1141Microsoft Internet Explorer 5.01 and 6 allows remote attackers to execute arbitrary code by instantiating certain COM objects from Urlmon.dll, which triggers memory corruption during a call to the IObjectSafety function.MS07-03320070612 Microsoft License Manager and urlmon.dll COM Object Interaction Invalid Memory Access VulnerabilityHPSBST02231TA07-163A24372ADV-2007-2153oval:org.mitre.oval:def:1084101823525627webbrowser-object-code-execution(32106)Microsoft Internet Explorer 5.01, 6, and 7 uses certain COM objects from (1) Msb1fren.dll, (2) Htmlmm.ocx, and (3) Blnmgrps.dll as ActiveX controls, which allows remote attackers to execute arbitrary code via unspecified vectors, a different issue than CVE-2006-4697.MS07-016VU#77178822504ADV-2007-0584318933189431895101764324156ie-com-activex-code-execution(32427)TA07-044Aoval:org.mitre.oval:def:257Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2000 SP3, and 2003 SP1 and SP2 allows remote attackers to execute arbitrary scripts, spoof content, or obtain sensitive information via certain UTF-encoded, script-based e-mail attachments, involving an "incorrectly handled UTF character set label".MS07-026 VU#124113 23806 ADV-2007-1711 1018015 25183HPSBST02214TA07-128A34389oval:org.mitre.oval:def:1371exchange-utf-xss(33887)Integer overflow in the IMAP (IMAP4) support in Microsoft Exchange Server 2000 SP3 allows remote attackers to cause a denial of service (service hang) via crafted literals in an IMAP command, aka the "IMAP Literal Processing Vulnerability."MS07-02623810ADV-2007-171110180152518320070508 Microsoft Exchange Server 2000 IMAP Literal Processing DoS VulnerabilityHPSBST02214TA07-128A34392oval:org.mitre.oval:def:2054exchange-imap-command-dos(33890)Directory traversal vulnerability in the EmChartBean server side component for Oracle Application Server 10g allows remote attackers to read arbitrary files via unknown vectors, probably "\.." sequences in the beanId parameter. NOTE: this is likely a duplicate of another CVE that Oracle addressed in CPU Jan 2007, but due to lack of details by Oracle, it is unclear which BugID this issue is associated with, so the other CVE cannot be determined. Possibilities include EM02 (CVE-2007-0292) or EM05 (CVE-2007-0293).20070115 SYMSA-2007-001: Oracle Application Server 10g - Directory Traversal220272379420070131 Oracle 10g R2 Enterprise Manager Directory Traversal101752222083SQL injection vulnerability in shared/code/cp_functions_downloads.php in Nicola Asuni All In One Control Panel (AIOCP) before 1.3.009 allows remote attackers to execute arbitrary SQL commands via the download_category parameter.23726SQL injection vulnerability in shopgiftregsearch.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to execute arbitrary SQL commands via the LoginLastname parameter.23699vpasp-shopgift-sql-injection(31447) 3115Cross-site scripting (XSS) vulnerability in shopcustadmin.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.23699vpasp-shopcustadmin-xss(31449) 3115SQL injection vulnerability in wbsearch.aspx in uniForum 4 and earlier allows remote attackers to execute arbitrary SQL commands via the "by User" field (aka the TXbyuser parameter).21966uniforum-wbsearch-sql-injection(31362) 20070125 uniForum <= v4 (wbsearch.aspx) Remote SQL Injection Vulnerability 3106 23827slocate 3.1 does not properly manage database entries that specify names of files in protected directories, which allows local users to obtain the names of private files. NOTE: another researcher reports that the issue is not present in slocate 2.7.20070110 Re: slocate leaks filenames of protected directories20070110 slocate leaks filenames of protected directories20070111 Re: slocate leaks filenames of protected directories2198920070112 Re: slocate leaks filenames of protected directories USN-425-1The DataCollector service in EIQ Networks Network Security Analyzer allows remote attackers to cause a denial of service (service crash) via a (1) &CONNECTSERVER& (2) &ADDENTRY& (3) &FIN& (4) &START& (5) &LOGPATH& (6) &FWADELTA& (7) &FWALOG& (8) &SETSYNCHRONOUS& (9) &SETPRGFILE&, or (10) &SETREPLYPORT& string to TCP port 10618, which triggers a NULL pointer dereference.20070110 EIQ Networks Network Security Analyzer DoS Vulnerability21994ADV-2007-014723693eiq-datacollector-dos(31428)Integer overflow in the ffs_mountfs function in Mac OS X 10.4.8 and FreeBSD 6.1 allows local users to cause a denial of service (panic) and possibly gain privileges via a crafted DMG image that causes "allocation of a negative size buffer" leading to a heap-based buffer overflow, a related issue to CVE-2006-5679. NOTE: a third party states that this issue does not cross privilege boundaries in FreeBSD because only root may mount a filesystem.21993ADV-2007-014123703[freebsd-security] 20070114 MOAB advisoriesmacos-ffsmountfs-bo(31409) ADV-2007-0930 32684 1017751 24479APPLE-SA-2007-03-13TA07-072A** DISPUTED ** PHP remote file inclusion vulnerability in install.php in CS-Cart 1.3.3 allows remote attackers to execute arbitrary PHP code via a URL in the install_dir parameter. NOTE: CVE and third parties dispute this vulnerability because install_dir is defined before use.20070109 CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability20070110 [bogus] [ahmed_labib_hilmy at yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd)cscart-install-file-include(31408)Cross-site scripting (XSS) vulnerability in Movable Type (MT) 3.33, when nofollow is disabled and unmoderated comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Comments field.23669ADV-2007-0142PHP remote file inclusion vulnerability in routines/fieldValidation.php in Jshop Server 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the jssShopFileSystem parameter.2199520070110 Jshop Server 1.3jshop-fieldvalidation-file-include(31425) 31132146wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress.21983wordpress-tbid-sql-injection(31385) 3109** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0243. Reason: This candidate is a duplicate of CVE-2007-0243. Notes: All CVE users should reference CVE-2007-0243 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.20070117 ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption VulnerabilityVU#38828922085Stack-based buffer overflow in the glibtop_get_proc_map_s function in libgtop before 2.14.6 (libgtop2) allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a process with a long filename that is mapped in its address space, which triggers the overflow in gnome-system-monitor.USN-407-1ADV-2007-0185ADV-2007-01872373623777DSA-1255GLSA-200701-17MDKSA-2007:0232205423814238402387224015libgtop2-glibtopbo(31522)RHSA-2007:0765101852626367Double free vulnerability in the _ATPsndrsp function in Apple Mac OS X 10.4.8, and possibly other versions, allows remote attackers to cause a denial of service (kernel panic) and possibly execute arbitrary code via a crafted AppleTalk request that triggers a heap-based buffer overflow.22041ADV-2007-01911017513237083130ADV-2007-093032687101775124479APPLE-SA-2007-03-13TA07-072AThe ndeb-binary feature in Lookup (lookup-el) allows local users to overwrite arbitrary files via a symlink attack on temporary files.DSA-12692437724590 23026 1017792 lookup-ndebbinary-symlink(33052)GLSA-200712-0728023Stack-based buffer overflow in filter\starcalc\scflt.cxx in the StarCalc parser in OpenOffice.org (OOo) Office Suite before 2.2, and 1.x before 1.1.5 Patch, allows user-assisted remote attackers to execute arbitrary code via a document with a long Note.DSA-1270ADV-2007-10321017799RHSA-2007:0033RHSA-2007:0069102794SUSE-SA:2007:023USN-444-1ADV-2007-111724465245502464624647openoffice-starcalc-bo(33112)MDKSA-2007:0732467620070404 High Risk Vulnerability in OpenOffice 24810 GLSA-200704-12 24906230672458824613OpenOffice.org (OOo) Office Suite allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a prepared link in a crafted document.DSA-1270ADV-2007-10321017799 RHSA-2007:0033 RHSA-2007:0069 102807 SUSE-SA:2007:023 USN-444-1 22812 ADV-2007-1117 24465 24550 24646 24647 openoffice-shell-command-execution(33113) MDKSA-2007:073 24676 24810 GLSA-200704-12 249062458824613Cross-site scripting (XSS) vulnerability in Zope 2.10.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a HTTP GET request.ADV-2007-1041 23084 24017 zope-unspecifiedget-xss(33187) DSA-1275 24713 SUSE-SR:2007:011 25239The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters. MDKSA-2007:074 MDKSA-2007:075 MDKSA-2007:076 23269 ADV-2007-1212 24727 24699 24705 SSA:2007-093-03 USN-452-1 24726 24847 qt-utf8-xss(33397) SUSE-SR:2007:006 24797 24889 24759 DSA-1292 25263FEDORA-2007-703MDKSA-2007:074MDKSA-2007:075MDKSA-2007:076RHSA-2007:0909RHSA-2007:088320070901-01-P26857268042710827275Buffer overflow in Sun JDK and Java Runtime Environment (JRE) 5.0 Update 9 and earlier, SDK and JRE 1.4.2_12 and earlier, and SDK and JRE 1.3.1_18 and earlier allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption.10276020070117 ZDI-07-005: Sun Microsystems Java GIF File Parsing Memory Corruption VulnerabilityVU#388289ADV-2007-02112375720070121 Sun Microsystems Java GIF File Parsing Memory Corruption Vulnerability Prove Of Concept ExploitGLSA-200702-07GLSA-200702-08HPSBUX0219622085ADV-2007-09361017520242022418924468jre-gif-bo(31537)RHSA-2007:0166RHSA-2007:016724993BEA07-172.00ADV-2007-181425283RHSA-2007:0956SUSE-SA:2007:045TA07-022A260492611927203266452158APPLE-SA-2007-12-14ADV-2007-422428115RHSA-2008:0261pptpgre.c in PoPToP Point to Point Tunneling Server (pptpd) before 1.3.4 allows remote attackers to cause a denial of service (PPTP connection tear-down) via (1) GRE packets with out-of-order sequence numbers or (2) certain GRE packets that are processed using a wrong pointer and improperly dequeued.DSA-128823886ADV-2007-1743 SUSE-SR:2007:010 25220 GLSA-200705-18 2007-0017 USN-459-1 1018064 25255SUSE-SR:2007:019USN-459-226987Heap-based buffer overflow in OpenOffice.org (OOo) 2.2.1 and earlier allows remote attackers to execute arbitrary code via a RTF file with a crafted prtdata tag with a length parameter inconsistency, which causes vtable entries to be overwritten.DSA-130720070613 High risk vulnerability in OpenOffice RTF parserGLSA-200707-02MDKSA-2007:144RHSA-2007:040620070602-01-P102917SUSE-SA:2007:037USN-482-124450ADV-2007-2166ADV-2007-2229101823925648256502567325705258622589425905260102602226476openoffice-rtf-bo(34843)plugins/scmcvs/www/cvsweb.php in the CVSWeb CGI in GForge 4.5.16 before 20070524, aka gforge-plugin-scmcvs, allows remote attackers to execute arbitrary commands via shell metacharacters in the PATH_INFO.DSA-129724141ADV-2007-19422539525416gforge-cvsweb-code-execution(34510)squid/src/ftp.c in Squid before 2.6.STABLE7 allows remote FTP servers to cause a denial of service (core dump) via crafted FTP directory listing responses, possibly related to the (1) ftpListingFinish and (2) ftpHtmlifyListEntry functions.23767FEDORA-2007-092GLSA-200701-22MDKSA-2007:026SUSE-SA:2007:0122007-0003USN-414-122079ADV-2007-0199238102380523837238892392123946squid-multiple-dos(31523)MDKSA-2007:026The aclMatchExternal function in Squid before 2.6.STABLE7 allows remote attackers to cause a denial of service (crash) by causing an external_acl queue overload, which triggers an infinite loop.23767 GLSA-200701-22 MDKSA-2007:026 SUSE-SA:2007:012 USN-414-1 22203 ADV-2007-0199 23805 23889 23921 23946 squid-externalacl-dos(31525)MDKSA-2007:026Cross-site scripting (XSS) vulnerability in index.php in Nwom topsites 3.0 allows remote attackers to inject arbitrary web script or HTML via the o parameter.20070111 Nwom topsites v3.0220122149index.php in Nwom topsites 3.0 allows remote attackers to obtain potentially sensitive information via a ' (quote) character in the o parameter, which forces a SQL error.20070111 Nwom topsites v3.0220122149Integer underflow in the DecodeGRE function in src/decode.c in Snort 2.6.1.2 allows remote attackers to trigger dereferencing of certain memory locations via crafted GRE packets, which may cause corruption of log files or writing of sensitive information into log files.20070111 Calyptix Security Advisory CX-2007-001 - Snort 2.6.1.2 Integer Underflow Vulnerability22004 ADV-2007-0152 10175072165Unspecified vulnerability in easy-content filemanager allows remote attackers to upload or modify arbitrary files via unspecified vectors.20070111 easy-content filemanager** DISPUTED ** Unspecified vulnerability in the grsecurity patch has unspecified impact and remote attack vectors, a different vulnerability than the expand_stack vulnerability from the Digital Armaments 20070110 pre-advisory. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven.Format string vulnerability in the errors_create_window function in errors.c in xine-ui allows attackers to execute arbitrary code via unknown vectors.20070111 Xine-ui format string Vulnerabilties.2200223709xineui-errorscreatewindow-format-string(31505) GLSA-200701-18 MDKSA-2007:027 23891MDKSA-2007:027MDKSA-2007:15423931XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017.20070110 VLC Format String Vulnerability also in XINE MDKSA-2007:027MDKSA-2007:027MDKSA-2007:1542225223931VideoLAN VLC 0.8.6a allows remote attackers to cause a denial of service (application crash) via a crafted .wmv file.22003 vlcmediaplayer-wmv-dos(31515)** DISPUTED ** Unspecified vulnerability in the expand_stack function in grsecurity PaX allows local users to gain privileges via unspecified vectors. NOTE: the grsecurity developer has disputed this issue, stating that "the function they claim the vulnerability to be in is a trivial function, which can, and has been, easily checked for any supposed vulnerabilities." The developer also cites a past disclosure that was not proven. As of 20070120, the original researcher has released demonstration code.20070111 Digital Armaments Security Pre-Advisory 11.01.2007: Grsecurity Kernel PaX - Local root vulnerability22014ADV-2007-01552371320070112 Lies? [Was: Re: Digital Armaments Security Pre-Advisory11.01.2007: Grsecurity Kernel PaX - Local root vulnerability]101750920070120 Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability20070309 Re: Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX VulnerabilityCross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2.0 and (2) Open Solution Quick.Cart 2.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: some of these details are obtained from third party information.220072373323738 21971 ADV-2007-0156 ADV-2007-0157 quickcart-p-xss(31475)Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to obtain sensitive information via a invalid cat parameter to boxx/knowledgebase.asp, which reveals the path in an error message.20070111 Ezboxx multiple vulnerabilities.ADV-2007-0208** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Naig 0.5.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the this_path parameter. NOTE: a reliable third party disputes this vulnerability because this_path is defined before use.20070112 Naig <= 0.5.2 (this_path) Remote File Include Vulnerability20070112 Fwd: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability 20070113 Re: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability2145snews.php in sNews 1.5.30 and earlier does not properly exit when authentication fails, which allows remote attackers to perform unauthorized administrative actions, as demonstrated by changing an administrative password via the changeup task, and by uploading PHP code via the imagefile parameter.2202523746 3116 snews-image-file-upload(31535)WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix.20070112 Wordpress disclosure of Table Prefix WeaknessUnspecified vulnerability in Total Commander before 6.5.6 allows user-assisted remote attackers to delete arbitrary files and corrupt a filesystem via a crafted RAR file. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.22033Buffer overflow in Winzip32.exe in WinZip 9.0 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long command line argument. NOTE: this issue may cross privilege boundaries if an application automatically invokes Winzip32.exe for untrusted input filenames, as in the case of a file upload application. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.This vulnerability is addressed in the following product release: WinZip, WinZip, 9.0 SR122020Multiple cross-site scripting (XSS) vulnerabilities in Ezboxx Portal System Beta 0.7.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the pic parameter to custom/piczoom.asp, (2) the nocatname parameter to boxx/user-upload.asp, or (3) the iid parameter to indexes/newscomments.asp.20070111 Ezboxx multiple vulnerabilities. ADV-2007-0208 23759SQL injection vulnerability in boxx/ShowAppendix.asp in Ezboxx Portal System Beta 0.7.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the iid parameter.20070111 Ezboxx multiple vulnerabilities. ADV-2007-0208 23759The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1 kernels allows local users to cause a denial of service (kernel panic) and possibly corrupt other filesystems by mounting a crafted UNIX File System (UFS) DMG image that contains a corrupted directory entry (struct direct), related to the ufs_dirbad function. NOTE: a third party states that the FreeBSD issue does not cross privilege boundaries.[freebsd-security] 20070114 MOAB advisories22036ADV-2007-0171ADV-2007-09303268610177512372124479APPLE-SA-2007-03-13TA07-072AMultiple unspecified vulnerabilities in Oracle Database 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) the Advanced Queuing component and sys.dbms_aqsys.dbms_aq privileges (DB01), (2) Advanced Replication and sys.dbms_repcat_untrusted (DB07), and (3) Oracle Text and ctxload (DB15). NOTE: Oracle has not publicly claims by reliable researchers that DB01 is for SQL injection in the SYS.DBMS_AQ_INV package, and DB07 is for a buffer overflow in the UNREGISTER_SNAPSHOT procedure in the DBMS_REPCAT_UNTRUSTED package.TA07-017AVU#2217882379420070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL20070124 Oracle Buffer Overflow in DBMS_REPCAT_UNTRUSTED.UNREGISTER_SNAPSHOT1017522oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to the Change Data Capture and sys.dbms_cdc_subscribe privileges, aka DB02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Buffer overflow in SYS.DBMS_DRS in Oracle Database 9.2.0.7 and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via the GET_PROPERTY function in SYS.DBMS_DRS, aka DB03.TA07-017A2379420070124 Oracle Buffer Overflow in DBMS_DRS.GET_PROPERTY1017522oracle-cpu-jan2007(31541)20070718 Oracle Database Buffer overflow vulnerabilities in procedure DBMS_DRS.GET_PROPERTY (DB03)22083Unspecified vulnerability in Oracle Database 9.0.1.5 and 9.2.0.7 has unknown impact and attack vectors related to the Log Miner component and sys.dbms_log_mnr privileges, aka DB04. NOTE: Oracle has not disputed a reliable researcher claim that this is a buffer overflow in the ADD_LOGFILE procedure for the SYS.DBMS_LOGMNR package that allows code execution.TA07-017A2379420070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL20070124 Oracle Buffer Overflow in DBMS_LOGMNR.ADD_LOGFILE1017522oracle-cpu-jan2007(31541)22083Multiple buffer overflows in MDSYS.MD in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via unspecified vectors involving certain public procedures, aka DB05.TA07-017A2379420070124 Oracle Multiple Buffer Overflows and DoS attacks in public procedures of MDSYS.MD1017522oracle-cpu-jan2007(31541)20070718 Oracle Database Buffer overflows and Denial of service vulnerabilities in public procedures of MDSYS.MD (DB12)22083Unspecified vulnerability in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to XMLDB, aka DB06. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that DB06 is for multiple cross-site scripting (XSS) vulnerabilities.TA07-017A237941017522oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Database 9.2.0.7 and 10.1.0.5 have unknown impact and attack vectors related to (1) Export and sys.dbms_logrep_util (DB08), and (2) Oracle Streams and sys.dbms_capture_adm_internal privileges (DB09). NOTE: Oracle has not disputed reliable researcher claims that DB08 is for a buffer overflow in the GET_OBJECT_NAME procedure in the DBMS_LOGREP_UTIL package, and DB09 is for buffer overflows in the CREATE_CAPTURE, ALTER_CAPTURE, and ABORT_TABLE_INSTANTIATION procedures in SYS.DBMS_CAPTURE_ADM_INTERNAL.TA07-017A2379420070125 Re: Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME20070125 Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL20070129 Re: Re: Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL20070124 Oracle Buffer Overflow in DBMS_LOGREP_UTIL.GET_OBJECT_NAME20070124 Oracle Buffer Overflows in DBMS_CAPTURE_ADM_INTERNAL1017522oracle-cpu-jan2007(31541)22083Cross-site scripting (XSS) vulnerability in Oracle Reports Web Cartridge (RWCGI60) in the Workflow Cartridge component, as used in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 10.1.2; and Oracle E-Business Suite and Applications 11.5.10CU2; allows remote authenticated users to inject arbitrary HTML or web script via the genuser parameter to rwcgi60, aka OWF01.TA07-017A2379420070117 [ISecAuditors Security Advisories] Oracle Reports Web Cartridge (RWCGI60) vulnerable to XSS1017522oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4 and 9.0.1.5 have unknown impact and attack vectors related to (1) Advanced Security Option and oklist or okdstry (DB10), (2) Oracle Net Services (DB13), and (3) Recovery Manager and oklist (DB16).TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Database client-only 10.1.0.4 has unknown impact and attack vectors related to the Export component and expdp or impdp, aka DB11.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) NLS Runtime and lmsgen (DB12), and (2) Oracle Text and ctxkbtc (DB14).TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle HTTP Server 9.2.0.8 and Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, aka (1) OHS01, (2) OHS02, (3) OHS05, (4) OHS06, and (5) OHS07.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.2, and 10.1.2.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN01. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that OPMN01 is for a buffer overflow in Oracle Notification Service (ONS).TA07-017A237941017522oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle HTTP Server 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3, 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1, and 10.1.3.0; and Collaboration Suite 9.0.4.2 and 10.1.2; have unknown impact and attack vectors related to the Oracle HTTP Server, aka (1) OHS03 and (2) OHS04.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle HTTP Server 9.0.1.5, Application Server 9.0.4.2 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to the Oracle Process Mgmt & Notification component, aka OPMN02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 9.0.4.3 and Collaboration Suite 9.0.4.2 has unknown impact and attack vectors related to Oracle Containers for J2EE, aka OC4J02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.3 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2, have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J03 and (2) OC4J04.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; Collaboration Suite 9.0.4.2 and 10.1.2; and E-Business Suite and Applications 11.5.10CU2 has unknown impact and attack vectors related to Oracle Reports Developer, aka REP01.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 10.1.2.0.2 and 10.1.3.0, and Collaboration Suite 10.1.2, has unknown impact and attack vectors related to Containers for J2EE, aka OC4J07.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 9.0.4.3, 10.1.2.0.0, and 10.1.2.0.2; and Collaboration Suite 9.0.4.2 and 10.1.2; has unknown impact and attack vectors related to Containers for J2EE, aka OC4J08.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Application Server 10.1.4.0 has unknown impact and attack vectors related to Oracle Internet Directory, aka OID01.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Collaboration Suite 9.0.4.2 have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J01, (2) OC4J05, and (3) OC4J06.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors related to (1) Application Object Library (APPS01), (2) Human Resources (APPS03), (3) Payables (APPS04), (4) Trading Community Architecture (APPS05), and (5) Web Applications Desktop Integrator (APPS06).TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle E-Business Suite and Applications 6.2.3 has unknown impact and attack vectors related to Oracle Exchange, aka APPS02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 have unknown impact and attack vectors related to Oracle Agent, aka (1) EM01 and (2) EM02. NOTE: EM05 might be related to CVE-2007-0222.TA07-017A237941017522oracle-cpu-jan2007(31541)22083Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 and 10.2.0.1 have unknown impact and attack vectors related to (1) Oracle Agent (EM03) and (2) EM04 and (3) EM05 in Enterprise Manager Console. NOTE: EM05 might be related to CVE-2007-0222.TA07-017A237941017522oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle Enterprise Manager 10.2.0.1 has unknown impact and attack vectors related to Database Cloning & Data Guard Management, aka EM06.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13 and 8.47.11 has unknown impact and attack vectors in PeopleTools, aka PSE01.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.13, 8.47.11, and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE02.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083Unspecified vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.47.11 and 8.48.06 has unknown impact and attack vectors in PeopleTools, aka PSE03.TA07-017A23794 1017522 oracle-cpu-jan2007(31541)22083PHP remote file inclusion vulnerability in show.php in LunarPoll, when register_globals is enabled, allows remote attackers execute arbitrary PHP code via a URL in the PollDir parameter.20070112 LunarPoll (PollDir) Remote File Include Vulnerabilities20070112 Source Verify of LunarPoll PollDir RFI22024 3117 ADV-2007-0177 1017510 23760 lunarpoll-show-file-include(31472)2152Integer overflow in the byte_swap_sbin function in bsd/ufs/ufs/ufs_byte_order.c in Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service (kernel panic) by mounting a crafted Unix File System (UFS) DMG image, which triggers an invalid pointer dereference.23725VU#515792ADV-2007-093031653101775124479APPLE-SA-2007-03-13TA07-072APHP remote file inclusion vulnerability in i-accueil.php in TLM CMS 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter.Successful exploitation requires that "register_globals" is enabled.Exploit 311822021ADV-2007-017623722PHP remote file inclusion vulnerability in _admin/admin_menu.php in FdWeB Espace Membre 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter.Successful exploitation requires that "register_globals" is enabled.Exploit 312322040ADV-2007-017823743Multiple cross-site scripting (XSS) vulnerabilities in InstantASP 4.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) SessionID parameter to (a) Logon.aspx, and the (2) Username and (3) Update parameters to (b) Members1.aspx.20070115 InstantForum.NET Multiple Cross-Site Scripting Vulnerability2205223787 ADV-2007-0227 instantforum-multiple-scripts-xss(31521)2164Multiple unspecified vulnerabilities in Zina 1.0rc1 and earlier have unknown impact and attack vectors related to "Potential security bugs."22049ADV-2007-0181SQL injection vulnerability in duyuru.asp in MiNT Haber Sistemi 2.7 allows remote attackers to execute arbitrary SQL commands via the id parameter.ADV-2007-0175237563120SQL injection vulnerability in etkinlikbak.asp in Okul Web Otomasyon Sistemi 4.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.20070115 Okul Web Otomasyon Sistemi (etkinlikbak.asp) SQL Injection Vulnerability2206023755 3135 ADV-2007-02062151SQL injection vulnerability in visu_user.asp in Digiappz DigiAffiliate 1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.22039ADV-2007-017923744PHP remote file inclusion vulnerability in include/common.php in Poplar Gedcom Viewer 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[rootPath] parameter.22038ADV-2007-017423761Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 (beta) allows remote attackers to inject arbitrary web script or HTML via Wiki Page titles.2205123718SQL injection vulnerability in blocks/block-Old_Articles.php in Francisco Burzi PHP-Nuke 7.9 and earlier, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter.20070113 PHP-Nuke <= 7.9 Old-Articles Block 220371017511 23748 phpnuke-blockoldarticles-sql-injection(31482)2153BMC Remedy Action Request System 5.01.02 Patch 1267 generates different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to determine valid account names.20070115 Remedy Action Request System 5.01.02 - User Enumeration2206623775 20070116 Re: Remedy Action Request System 5.01.02 - User Enumeration ADV-2007-0204 1017515 rars-login-information-disclosure(31527)2162Texas Imperial Software WFTPD and WFTPD Pro Server 3.25 and earlier allow remote attackers to cause a denial of service (application crash) via a long SITE ADMIN command.22046 3126 wftpd-admn-dos(31517)wcSimple Poll stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password hashes via a direct request for password.txt.20070114 wcSimple Poll (password.txt) Remote Password Disclosure Vulnerablity2157Unspecified vulnerability in GONICUS System Administration (GOsa) before 2.5.8 allows remote authenticated users to modify certain settings, including the admin password, via crafted POST requests.[gosa] 20070115 GOsa 2.5.8 released (security fixes!)ADV-2007-020723749 gosa-unspecified-data-manipulation(31516)Multiple PHP remote file inclusion vulnerabilities in Article System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_DIR parameter to (1) forms.php, (2) issue_edit.php, (3) client.php, and (4) classes.php.22017article-system-includedir-file-include(31446) 3114Multiple buffer overflows in FileZilla before 2.2.30a allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors related to (1) Options.cpp when sotring settings in the registry, and (2) the transfer queue (QueueCtrl.cpp). NOTE: some of these details are obtained from third party information.Failed exploit attempts may result in a application level denial-of-service condition.Release Name: 2.2.30a22057ADV-2007-0183filezilla-options-queuectrl-bo(31500)Multiple SQL injection vulnerabilities in All In One Control Panel (AIOCP) 1.3.010 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) xuser_name parameter to shared/code/cp_authorization.php, and the (2) did parameter to public/code/cp_downloads.php, different vectors than CVE-2007-0223.20070112 AIOCP Login Bypass Vulnerability20070112 AIOCP SQL Injection Vulnerability22032ADV-2007-0190237402166Format string vulnerability in the LogMessage function in FileZilla before 3.0.0-beta5 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted arguments. NOTE: some of these details are obtained from third party information.22063ADV-2007-0182filezilla-logmessage-format-string(31497)The do_hfs_truncate function in Mac OS X 10.4.8 allows context-dependent attackers to cause a denial of service (kernel panic) via a crafted HFS+ filesystem in a DMG image, which causes an access of an invalid vnode structure during file removal.23742ADV-2007-0171 APPLE-SA-2007-03-13 ADV-2007-0930 32685 1017759 24479TA07-072AMultiple stack-based buffer overflows in the Motive ActiveEmailTest.EmailData (ActiveUtils EmailData) ActiveX control in ActiveUtils.dll in Motive Service Activation Manager 5.1 and Self Service Manager 5.1 and earlier allow remote attackers to execute arbitrary code via unspecified vectors.MS07-045VU#74723325312ADV-2007-2881101857126481Multiple buffer overflows in (a) an ActiveX control (iftw.dll) and (b) Netscape plug-in (npiftw32.dll) for Macrovision (formerly InstallShield) InstallFromTheWeb allow remote attackers to execute arbitrary code via crafted HTML documents.VU#181041ADV-2007-070524285InstallshieldInstallfromtheweb-activex-bo(32645)Buffer overflow in the Update Service Agent ActiveX Control in isusweb.dll for Macrovision FLEXnet Connect (formerly InstallShield Update Service) allows remote attackers to execute arbitrary code via the Download method.VU#847993ADV-2007-070624270macrovision-updateservice-activex-bo(32678)Multiple stack-based buffer overflows in the Intuit QuickBooks Online Edition ActiveX control before 10 allow remote attackers to execute arbitrary code via unspecified vectors.VU#9074812554426659quickbooks-activex-bo(36462)Buffer overflow in the SetLanguage function in Research In Motion (RIM) TeamOn Import Object ActiveX control (TOImport.dll) allows remote attackers to execute arbitrary code via unspecified vectors.MS07-027VU#869641 23331 ADV-2007-1716 25218 rim-toimport-activex-bo(34182)HPSBST02214TA07-128AMultiple buffer overflows in the LizardTech DjVu Browser Plug-in before 6.1.1 allow remote attackers to execute arbitrary code via unspecified vectors.20070215 Lizardtech DjVu Browser Plug-in - Multiple VulnerabilitiesVU#5223932256924149 ADV-2007-0618 djvu-browser-multiple-bo(32510)2259Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment SetupINICtrl ActiveX control in OfficeScanSetupINI.dll, as used in OfficeScan 7.0 before Build 1344, OfficeScan 7.3 before Build 1241, and Client / Server / Messaging Security 3.0 before Build 1197, allow remote attackers to execute arbitrary code via a crafted HTML document.Successful exploitation requires that OfficeScan client was installed using web deployment.The vendor has issued a fix (7.0 Security Patch - Build 1344; 7.3 Security Patch - Build 1241). VU#78436922585ADV-2007-0638101766424193Multiple stack-based buffer overflows in the PhotoChannel Networks PNI Digital Media Photo Upload Plugin ActiveX control before 2.0.0.10, as used by multiple retailers, allow remote attackers to execute arbitrary code via unspecified vectors.This vulnerability is addressed in the following product release: PhotoChannel, PNI Digital Media Photo Upload Plugin ActiveX control, 2.0.0.10VU#85476925685ADV-2007-3181101870126830photochannel-photo-upload-bo(36643)The DWUpdateService ActiveX control in the agent (agent.exe) in Macrovision FLEXnet Connect 6.0 and Update Service 3.x to 5.x allows remote attackers to execute arbitrary commands via (1) the Execute method, and obtain the exit status using (2) the GetExitCode method.VU#524681ADV-2007-201725501macrovision-dwupdate-command-execution(34660)download.php in Joonas Viljanen JV2 Folder Gallery allows remote attackers to read sensitive files via a relative pathname in the file parameter, as demonstrated by config/gallerysetup.php. NOTE: this issue might be resultant from a directory traversal vulnerability.ADV-2007-018023724 3125Buffer overflow in wsbho2k0.dll, as used by wsftpurl.exe, in Ipswitch WS_FTP 2007 Professional allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long ftp:// URL in an HTML document, and possibly other vectors.20070112 Ipswitch WS_FTP 2007 Professional 20070114 Re: Ipswitch WS_FTP 2007 Professional 20070116 Re: Ipswitch WS_FTP 2007 Professional 220622160Cross-site scripting (XSS) vulnerability in liens.php3 in liens_dynamiques 2.1 allows remote attackers to inject arbitrary web script or HTML by using the ajouter=1 query string and the add menu.20070114 liens_dynamiques xss and admin authentification22070 liensdynamiques-liens-xss(31528)(1) admin/adminlien.php3 and (2) admin/modif.php3 in liens_dynamiques 2.1 do not require authentication, which allows remote attackers to perform unauthorized administrative actions using a direct request.20070114 liens_dynamiques xss and admin authentification22068Agnitum Outpost Firewall PRO 4.0 allows local users to bypass access restrictions and insert Trojan horse drivers into the product's installation directory by creating links using FileLinkInformation requests with the ZwSetInformationFile function, as demonstrated by modifying SandBox.sys.20070115 Outpost Bypassing Self-Protection using file links Vulnerability22069 outpostfirewall-zwset-privilege-escalation(31529)2163Unspecified vulnerability in the SIP module in InGate Firewall and SIParator before 4.5.1 allows remote attackers to conduct replay attacks on the authentication mechanism via unknown vectors.2208023737ADV-2007-0209 ingate-sip-security-bypass(31546)Multiple directory traversal vulnerabilities in Jax Petition Book 1.0.3.06 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the languagepack parameter to (1) jax_petitionbook.php or (2) smileys.php.20070114 Jax Petition Book (languagepack) Remote File Include Vulnerabilities20070115 Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities20070116 Re: Jax Petition Book (languagepack) Remote File Include Vulnerabilities22072 ADV-2007-0220 23784 petitionbook-language-file-include(31543)2161Undercover.app/Contents/Resources/uc in Rixstep Undercover allows local users to overwrite arbitrary files, probably related to a race condition.20070115 Rixstep aren't as leet as they thought they were22071Directory traversal vulnerability in sesskglogadmin.php in KGB 1.9 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the skinnn parameter, as demonstrated by invoking kg.php with a postek parameter containing PHP code, which is injected into a file in the kg directory, and then included by sesskglogadmin.php.22065 3134 ADV-2007-0228 23768 kgb-sesskglogadmin-file-include(31508)Heap-based buffer overflow in Dream FTP Server allows remote attackers to execute arbitrary code via a USER command with a large number of format string specifiers, which triggers the overflow during processing of the Server Log.23731SQL injection vulnerability in index.php (aka the login form) in Scriptme SMe FileMailer 1.21 allows remote attackers to execute arbitrary SQL commands via the Password field (ps parameter). NOTE: some of these details are obtained from third party information.20070116 [x0n3-h4ck] SmE FileMailer 1.21 Remote Sql Injextion Exploit20070117 Source VERIFY of SMe FileMailer 1.21 SQL injection237662154SQL injection vulnerability in inc/header.inc.php in ThWboard 3.0b2.84-php5 and earlier allows remote attackers to execute arbitrary SQL commands via the board[styleid] parameter to index.php.23735 3124Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.1 and earlier, when Microsoft Internet Explorer 6 is used, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a CSS style in the convcharset parameter to the top-level URI, a different vulnerability than CVE-2005-0992.20070112 Re: xss in phpmyadmin <= 2.8.120070112 xss in phpmyadmin <= 2.8.1WebCore in Apple WebKit build 18794 allows remote attackers to cause a denial of service (null dereference and application crash) via a TD element with a large number in the ROWSPAN attribute, as demonstrated by a crash of OmniWeb 5.5.3 on Mac OS X 10.4.8, a different vulnerability than CVE-2006-2019.22059OpenBSD before 20070116 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via certain IPv6 ICMP (aka ICMP6) echo request packets.[3.9] 018: RELIABILITY FIX: January 16, 2007[4.0] 008: RELIABILITY FIX: January 16, 2007220871017518 2383032935Multiple format string vulnerabilities in (1) _invitedToRoom: and (2) _invitedToDirectChat: in Colloquy 2.1 and earlier allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in the channel name of an INVITE request, related to the implementation of AlertSheet and AlertPanel in Apple AppKit.22086238013139ADV-2007-023832688The (1) Activity Monitor.app/Contents/Resources/pmTool, (2) Keychain Access.app/Contents/Resources/kcproxy, and (3) ODBC Administrator.app/Contents/Resources/iodbcadmintool programs in /Applications/Utilities/ in Mac OS X 10.4.8 have weak permissions (writable by admin group), which allows local admin users to gain root privileges by modifying a program and then performing permissions repair via diskutil. 3136 macosx-applications-privilege-escalation(31530) 32700 32701 32702SQL injection vulnerability in index.php in SmE FileMailer 1.21 allows remote attackers to execute arbitrary SQL commands via the us parameter.20070117 Source VERIFY of SMe FileMailer 1.21 SQL injectionADV-2007-0221 smefilemailer-login-sql-injection(31533)The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the "'" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' character in certain messages, tickets, or Wiki entries.An SQL injection via this technique is somewhat limited as is_eow() bails on whitespace. So while one _can_ do an SQL injection, one is limited to SQL queries containing only characters which get past the function isspace(3). This effectively limits attacks to SQL commands like "VACUUM".Successful remote unauthenticated exploit requires that CVSTrac is explicitly configured to allow anonymous users to add tickets (it is not by default).20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerability20070129 CVSTrac 2.0.0 Denial of Service (DoS) vulnerabilityOpenPKG-SA-2007.008ADV-2007-0398 22296 239402192Stack-based buffer overflow in the IASystemInfo.dll ActiveX control in (1) InterActual Player 2.60.12.0717, (2) Roxio CinePlayer 3.2, (3) WinDVD 7.0.27.172, and possibly other products, allows remote attackers to execute arbitrary code via a long ApplicationType property.ADV-2007-1042ADV-2007-10432303223075interactual-iasysteminfo-bo(33186)VU#9229692455620070321 Secunia Research: InterActual Player / CinePlayer IASystemInfo.dllActiveX Control Buffer Overflow23071Directory traversal vulnerability in upgrade.php in nicecoder.com INDEXU 5.x allows remote attackers to include arbitrary local files via a .. (dot dot) in the gateway parameter.20070116 vulnerability script indexu all versions indexu-upgrade-file-include(31539)Multiple SQL injection vulnerabilities in (a) index.php and (b) dl.php in SmE FileMailer 1.21 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ps, (2) us, (3) f, or (4) code parameter. NOTE: the us vector in index.php is already covered by CVE-2007-0346. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-0221 smefilemailer-login-sql-injection(31533)Microsoft Windows XP and Windows Server 2003 do not properly handle user logoff, which might allow local users to gain the privileges of a previous system user, possibly related to user profile unload failure. NOTE: it is not clear whether this is an issue in Windows itself, or an interaction with another product. The issue might involve ZoneAlarm not being able to terminate processes when it cannot prompt the user.20070117 Re: Windows logoff bug possible security vulnerability and exploit.20070117 Windows logoff bug possible security vulnerability and exploit.20070118 Re: Windows logoff bug possible security vulnerability and exploit.20070123 Re: Windows logoff bug possible security vulnerability and exploit.20070211 Windows logoff bug solution possibly.Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a crafted .cnt file composed of lines that begin with an integer followed by a space and a long string.20070117 Microsoft Help Workshop .CNT contents files buffer overflow vulnerability 3149 22100 1017530 23862 ms-help-workshop-cnt-bo(31555)2156Cross-site scripting (XSS) vulnerability in (1) index.php and (2) login.php in myBloggie 2.1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO string.20070117 [x0n3-h4ck] myBloggie 2.1.5 XSS exploit22097 1017531 mybloggie-indexlogin-xss(31554)2155SQL injection vulnerability in email.php in MGB OpenSource Guestbook 0.5.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.20070118 vendor ACK for MGB Guestbook issue22094 3141 ADV-2007-0232 23825 mgb-email-sql-injection(31551)Buffer overflow in the Apple Minimal SLP v2 Service Agent (slpd) in Mac OS X 10.4.11 and earlier, including 10.4.8, allows local users, and possibly remote attackers, to gain privileges and possibly execute arbitrary code via a registration request with an invalid attr-list field.315122101ADV-2007-023932693101753323796macos-slpd-bo(31562)APPLE-SA-2008-02-11TA08-043B1019359The Common Controls Replacement Project (CCRP) FolderTreeview (FTV) ActiveX control (ccrpftv6.ocx) allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long CCRP.RootFolder property value.22092 3142 ie-ccrp-dos(31549)Directory traversal vulnerability in the AVM IGD CTRL Service in Fritz!DSL 02.02.29 allows remote attackers to read arbitrary files via ..%5C (URL-encoded dot dot backslash) sequences in a URI requested from the AR7 webserver.20070117 Flaw in AVM UPNP service for windows22093 ADV-2007-0236 23774 fritz-avm-directory-traversal(31556)2159Unspecified vulnerability in the FTP server implementation in HP Jetdirect firmware x.20.nn through x.24.nn allows remote attackers to cause a denial of service via unknown vectors.HPSBPI0218523802 22105 ADV-2007-0233 1017532 hp-jetdirect-unspecified-dos(31589)PHP remote file inclusion vulnerability in frontpage.php in Uberghey CMS 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the setup_folder parameter.20070118 source verify: Uberghey CMS 0.3.1 RFIADV-2007-0230 3147 22098 uberghey-frontpage-file-include(31553)PHP remote file inclusion vulnerability in lang/index.php in Oreon 1.2.3 RC4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.ADV-2007-0229 20070211 Oreon1.2.x Series Exploit Coded 3150 22107 oreon-index-file-include(31568)PHP remote file inclusion vulnerability in mep/frame.php in PHPMyphorum 1.5a allows remote attackers to execute arbitrary PHP code via a URL in the chem parameter.ADV-2007-0231 3145 22099 phpmyphorum-frame-file-include(31552)Cross-site scripting (XSS) vulnerability in the RSS feed component in FreshReader before 1.0.07010600 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to tag attributes.23806 22106 ADV-2007-0241 freshreader-rssfeed-xss(31566)Cross-site scripting (XSS) vulnerability in admin-search.php in (1) Openads for PostgreSQL (aka phpPgAds) before 2.0.10 and (2) Openads (aka phpAdsNew) before 2.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.23720 22124 ADV-2007-0240 openads-unspecified-xss(31570)Multiple cross-site scripting (XSS) vulnerabilities in nicecoder.com INDEXU 5.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) error_msg parameter to (a) suggest_category.php; the (2) u parameter to (b) user_detail.php; the (3) friend_name, (4) friend_email, (5) error_msg, (6) my_name, (7) my_email, and (8) id parameters to (c) tell_friend.php; the (9) error_msg, (10) email, (11) name, and (12) subject parameters to (d) sendmail.php; the (13) email, (14) error_msg, and (15) username parameters to (e) send_pwd.php; the (16) keyword parameter to (f) search.php; the (17) error_msg, (18) username, (19) password, (20) password2, and (21) email parameters to (g) register.php; the (22) url, (23) contact_name, and (24) email parameters to (h) power_search.php; the (25) path and (26) total parameters to (i) new.php; the (27) query parameter to (j) modify.php; the (28) error_msg parameter to (k) login.php; the (29) error_msg and (30) email parameters to (l) mailing_list.php; the (31) gateway parameter to (m) upgrade.php; and another unspecified vector.20070116 vulnerability script indexu all versions2208423764ADV-2007-022232838328403284132842328433284432845328463284732848328493285032851indexu-multiple-scripts-xss(31538)Multiple cross-site scripting (XSS) vulnerabilities in All In One Control Panel (AIOCP) 1.3.009 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this is probably a different vulnerability than CVE-2006-5830.ADV-2007-018923732aiocp-unspecified-xss(31486)Untrusted search path vulnerability in Rumpus 5.1 and earlier allows local users to gain privileges via a modified PATH that points to a malicious ipfw program. 23842 rumpus-ipfw-privilege-escalation(31597)Rumpus 5.1 and earlier has weak permissions for certain files and directories under /usr/local/Rumpus, including the configuration file, which allows local users to have an unknown impact by creating, modifying, or deleting files. 23842Stack-based buffer overflow in mbse-bbs 0.70 and earlier allows local users to execute arbitrary code via a long string in the MBSE_ROOT environment variable.22112 20070118 mbsebbs 0.70.0 & below local root exploit 3154 mbsebbs-mbuseradd-bo(31639)SQL injection vulnerability in phpBP RC3 (2.204) and earlier allows remote attackers to execute arbitrary SQL commands via the comment forum. 3153 phpbp-comment-sql-injection(31622)Unrestricted file upload vulnerability in index.php in phpBP RC3 (2.204) and earlier allows remote administrators to inject arbitrary PHP code into an upload/banners/ file via a banners add operation that uploads the PHP code through an image_form parameter specifying a multiple-extension filename such as .jpg.vil.gif.php, which is stored in upload/banners/ under a different name, and executable via a direct request. NOTE: a separate SQL injection issue could be leveraged to make this vulnerability reachable by remote unauthenticated attackers. 3153 phpbp-banner-file-upload(31619)A certain ActiveX control in the Common Controls Replacement Project (CCRP) CCRP BrowseDialog Server (ccrpbds6.dll) allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long CCRP_BDc.SelectedFolder property value.22110 3155Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 7.9 allow remote attackers to execute arbitrary SQL commands via (1) the active parameter in admin/modules/modules.php; the (2) ad_class, (3) imageurl, (4) clickurl, (5) ad_code, or (6) position parameter in modules/Advertising/admin/index.php; or unspecified vectors in the (7) advertising, (8) weblinks, or (9) reviews section.20070118 The vulnerabilities festival !22116 20070204 Sql injection bugs in PHP-NukeMultiple SQL injection vulnerabilities in Joomla! 1.5.0 Beta allow remote attackers to execute arbitrary SQL commands via (1) the searchword parameter in certain files; the where parameter in (2) plugins/search/content.php or (3) plugins/search/weblinks.php; the text parameter in (4) plugins/search/contacts.php, (5) plugins/search/categories.php, or (6) plugins/search/sections.php; or (7) the email parameter in database/table/user.php, which is not properly handled by the check function.20070118 The vulnerabilities festival !22122 20070204 Sql injection bugs in Joomla and MamboSQL injection vulnerability in (1) Joomla! 1.0.11 and 1.5 Beta, and (2) Mambo 4.6.1, allows remote attackers to execute arbitrary SQL commands via the id parameter when cancelling content editing.20070118 The vulnerabilities festival !19734 20070204 Sql injection bugs in Joomla and MamboJoomla! 1.5.0 Beta allows remote attackers to obtain sensitive information via a direct request for (1) plugins/user/example.php; (2) gmail.php, (3) example.php, or (4) ldap.php in plugins/authentication/; (5) modules/mod_mainmenu/menu.php; or other unspecified PHP scripts, which reveals the path in various error messages, related to a jimport function call at the beginning of each script.20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Joomla and MamboCross-site scripting (XSS) vulnerability in Virtuemart 1.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.20070118 The vulnerabilities festival !22123 20070204 Sql injection bugs in Virtuemart and Letterman 24058Multiple SQL injection vulnerabilities in Xoops 2.0.16 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in kernel/group.php in core, (2) the lid parameter in class/table_broken.php in the Weblinks module, and other unspecified vectors.20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Xoops 2.0.16 + Weblinks module 22399Multiple SQL injection vulnerabilities in DocMan 1.3 RC2 allow attackers to execute arbitrary SQL commands via unspecified vectors.20070118 The vulnerabilities festival !Cross-site scripting (XSS) vulnerability in DocMan 1.3 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.20070118 The vulnerabilities festival !DocMan 1.3 RC2 allows remote attackers to obtain sensitive information (the full path) via unspecified vectors.20070118 The vulnerabilities festival !Multiple SQL injection vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. NOTE: CVE analysis suggests that the vendor fixed these issues.20070118 The vulnerabilities festival !Multiple SQL injection vulnerabilities in letterman.class.php in the Letterman 1.2.3 (com_letterman) component for Joomla! before 1.0.12 allow remote attackers to execute arbitrary SQL commands via the id parameter, related to the (1) lm_sendMail, (2) saveNewsletter, and (3) cancelNewsletter functions.20070118 The vulnerabilities festival !22117 20070204 Sql injection bugs in Virtuemart and Letterman** DISPUTED ** WDaemon 9.5.4 allows remote attackers to access the /WorldClient.dll URI on TCP port 3000, which has unknown impact. NOTE: The researcher reports that the vendor response was "this is not a security bug."20070118 The vulnerabilities festival !Cross-site scripting (XSS) vulnerability in preview in the reviews section in PostNuke 0.764 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.20070118 The vulnerabilities festival !22119The faq section in PostNuke 0.764 allows remote attackers to obtain sensitive information (the full path) via "unvalidated output" in FAQ/index.php, possibly involving an undefined id_cat variable.20070118 The vulnerabilities festival !Unspecified vulnerability in the rating section in PostNuke 0.764 has unknown impact and attack vectors, related to "an interesting bug."20070118 The vulnerabilities festival !SQL injection vulnerability in models/category.php in the Weblinks component for Joomla! SVN 20070118 (com_weblinks) allows remote attackers to execute arbitrary SQL commands via the catid parameter.20070118 The vulnerabilities festival ! 20070204 Sql injection bugs in Joomla and MamboSQL injection vulnerability in search.php in Woltlab Burning Board (wBB) 1.0.2 and earlier, and 2.3.6 and earlier in the 2.x series, allows remote attackers to execute arbitrary SQL commands via the boardids[1] and other board[] parameters.wbb-search-sql-injection(31550) 3143 3144Directory traversal vulnerability in ArsDigita Community System (ACS) 3.4.10 and earlier, and ArsDigita Community Education Solution (ACES) 1.1, allows remote attackers to read arbitrary files via .%252e/ (double-encoded dot dot slash) sequences in the URI.20070118 Directory Traversal in ArsDigita Community System22121 ADV-2007-0286 acs-url-directory-traversal(31613)Cross-site scripting (XSS) vulnerability in index.php in sabros.us 1.7 allows remote attackers to inject arbitrary web script or HTML via the tag parameter.20070118 [x0n3-h4ck] sabros.us 1.7 XSS Exploit22115 20070118 [x0n3-h4ck] sabros.us 1.7 XSS Exploit 23824 sabros-index-xss(31600)2170Format string vulnerability in the log creation functionality of BitDefender Client Professional Plus 8.02 allows attackers to execute arbitrary code via certain scan job settings.20070119 Layered Defense Research Advisory: BitDefender Client 8.02 Format String VulnerabilityADV-2007-0253 20070119 Layered Defense Research Advisory: BitDefender Client 8.02 Format String Vulnerability 22128 bitdefender-scanjob-format-string(31608)IBM AIX 5.3 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.20070118 Multiple OS kernel insecure handling of stdio file descriptor20070118 Re: Multiple OS kernel insecure handling of stdio file descriptorSun Solaris 9 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.20070118 Multiple OS kernel insecure handling of stdio file descriptor20070118 Re: Multiple OS kernel insecure handling of stdio file descriptorHP HP-UX B11.11 does not properly verify the status of file descriptors before setuid execution, which allows local users to gain privileges by closing file descriptor 0, 1, or 2 and then invoking a setuid program, a variant of CVE-2002-0572.20070118 Multiple OS kernel insecure handling of stdio file descriptor20070118 Re: Multiple OS kernel insecure handling of stdio file descriptorPHP remote file inclusion vulnerability in libraries/grab_globals.lib.php in ComVironment 4.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_dir parameter.22108 3152 ADV-2007-0266 comvironment-grabglobals-file-include(31564)Unspecified vulnerability in HP-UX B.11.23, when running IPFilter in combination with PHNE_34474, allows remote attackers to cause a denial of service (system crash) via unspecified vectors.HPSBUX0218122103ADV-2007-0234101752723800 hp-ipfilter-dos(31565)The Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.3 and Adaptive Security Device Manager (ASDM) before 5.2(2.54) do not validate the SSL/TLS certificates or SSH public keys when connecting to devices, which allows remote attackers to spoof those devices to obtain sensitive information or generate incorrect information.20070118 SSL/TLS Certificate and SSH Public Key Validation Vulnerability 22111 ADV-2007-0245 1017535 1017536 23836 cisco-csmars-asdm-device-spoofing(31567)Multiple cross-site scripting (XSS) vulnerabilities in forum.php3 in Arnaud Guyonne (aka Arnotic) a-forum allow remote attackers to inject arbitrary web script or HTML via the (1) Sujet or (2) Pseudo field.20070119 a-forum xss20070122 a-forum xss - who? what? where?aforum-unspecified-xss(31610)Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action.20070120 SMF 20070121 Re: SMF "index.php?action=pm" Cross Site-Scripting 20070122 Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting 20070126 Re: Re: Re: Re: SMF "index.php?action=pm" Cross Site-Scripting 20070202 Re: SMF "index.php?action=pm" Cross Site-Scripting 22143 smf-pm-xss(31612)2169Cross-site scripting (XSS) vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter.20070120 Login Manager Multiple HTML Injections loginmanager-memberlist-xss(31614)2167SQL injection vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to execute arbitrary SQL commands via the init_row parameter.20070120 Login Manager Multiple HTML Injections2167Cross-site scripting (XSS) vulnerability in admin/edit_member.php in Easebay Resources Paypal Subscription Manager allows remote attackers to inject arbitrary web script or HTML via the username parameter.20070120 Paypal Subscription Manager Multiple HTML Injections psm-editmember-xss(31618)2168SQL injection vulnerability in admin/memberlist.php in Easebay Resources Paypal Subscription Manager allows remote attackers to execute arbitrary SQL commands via the keyword parameter.20070120 Paypal Subscription Manager Multiple HTML Injections psm-memberlist-sql-injection(31616)2168bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file.23826 22134 django-po-code-execution(31627)The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.2382622138django-request-session-hijacking(31628)Multiple buffer overflows in the (1) main function in (a) client.c, and the (2) server_setup and (3) server_client_connect functions in (b) server.c in gxine 0.5.9 and earlier allow local users to cause a denial of service (daemon crash) or gain privileges via a long HOME environment variable. NOTE: some of these details are obtained from third party information.ADV-2007-0259 gxine-serversetup-serverclient-bo(31604)Cross-site scripting (XSS) vulnerability in Operation/User.pm in Plain Black WebGUI before 7.3.5 (beta) allows remote attackers to inject arbitrary web script or HTML via the username parameter during anonymous registration, a different vector than CVE-2007-0308. NOTE: it is possible that a separate "WikiPage titles" issue was also fixed.22114ADV-2007-024223754webgui-username-xss(31573)BEA Weblogic Server 8.1 through 8.1 SP4 does not properly validate client certificates when reusing cached connections, which allows remote attackers to obtain access via an untrusted X.509 certificate.BEA07-135.00ADV-2007-021310175192375022082BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP4, and 9.0 initial release does not encrypt passwords stored in the JDBCDataSourceFactory MBean Properties, which allows local administrative users to read the cleartext password.BEA07-136.00ADV-2007-021310175252375022082Unspecified vulnerability in the thread management in BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1, when T3 authentication is used, allows remote attackers to cause a denial of service (thread and system hang) via unspecified "sequences of events."BEA07-137.00ADV-2007-021310175252375022082BEA WebLogic Server 8.1 through 8.1 SP5, 9.0, 9.1, and 9.2 Gold, when WS-Security is used, does not properly validate certificates, which allows remote attackers to conduct a man-in-the-middle (MITM) attack.BEA07-138.00ADV-2007-021310175252375022082BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP7, and 8.1 through 8.1 SP5 allows remote attackers to read arbitrary files inside the class-path property via .ear or exploded .ear files that use the manifest class-path property to point to utility jar files.BEA07-139.00ADV-2007-021310175252375022082BEA WebLogic Server 8.1 through 8.1 SP5 stores cleartext data in a backup of config.xml after offline editing, which allows local users to obtain sensitive information by reading this backup file.BEA07-140.00ADV-2007-021310175252375022082BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, and 9.0 allows remote attackers to cause a denial of service (server hang) via certain requests that cause muxer threads to block when processing error pages.BEA07-141.00ADV-2007-021310175252375022082BEA WebLogic Server 8.1 through 8.1 SP5 does not properly enforce access control after a dynamic update and dynamic redeployment of an application that is implemented through exploded jars, which allows attackers to bypass intended access restrictions.BEA07-142.00ADV-2007-021310175252375022082The WSEE runtime (WS-Security runtime) in BEA WebLogic Server 9.0 and 9.1 does not verify credentials when decrypting client messages, which allows remote attackers to bypass application security.BEA07-143.00ADV-2007-021310175252375022082BEA WebLogic Server 7.0 through 7.0 SP7, 8.1 through 8.1 SP5, 9.0, and 9.1, when using the WebLogic Server 6.1 compatibility realm, allows attackers to execute certain EJB container persistence operations with an administrative identity.BEA07-144.00ADV-2007-021310175252375022082BEA WebLogic Server 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1 does not enforce a security policy that declares permissions for EJB methods that have array parameters, which allows remote attackers to obtain unauthorized access to these methods.BEA07-145.00ADV-2007-021310175252375022082The BEA WebLogic Server proxy plug-in before June 2006 for the Apache HTTP Server does not properly handle protocol errors, which allows remote attackers to cause a denial of service (server outage).BEA07-146.00ADV-2007-021310175252375022082BEA WebLogic Server 9.0, 9.1, and 9.2 Gold allows remote attackers to obtain sensitive information via malformed HTTP requests, which reveal data from previous requests.BEA07-147.00ADV-2007-021310175252375022082BEA WebLogic Server 6.1 through 6.1 SP7, and 7.0 through 7.0 SP7 allows remote attackers to cause a denial of service (disk consumption) via requests containing malformed headers, which cause a large amount of data to be written to the server log.BEA07-148.00ADV-2007-021310175252375022082BEA WebLogic Server 9.0, 9.1, and 9.2 Gold, when running on Solaris 9, allows remote attackers to cause a denial of service (server inaccessibility) via manipulated socket connections.BEA07-150.00ADV-2007-021310175252375022082BEA WebLogic Portal 9.2 does not properly handle when an administrator deletes entitlements for a role, which causes other role entitlements to be "inadvertently affected," which has an unknown impact.BEA07-151.00ADV-2007-021323750 101752122082Unspecified vulnerability in the BEA WebLogic Server proxy plug-in for Netscape Enterprise Server before September 2006 for Netscape Enterprise Server allow remote attackers to cause a denial of service via certain requests that trigger errors that lead to a server being marked as unavailable, hosting web server failure, or CPU consumption.BEA07-152.00ADV-2007-021310175252375022082Unspecified vulnerability in BEA WebLogic Platform and Server 8.1 through 8.1 SP5, and JRockit 1.4.2 R4.5 and earlier, allows attackers to gain privileges via unspecified vectors, related to an "overflow condition," probably a buffer overflow.BEA07-155.00ADV-2007-0213101752523750BEA WebLogic Portal 9.2, when running in a WebLogic Server clustered environment using WebLogic Portal entitlements, does not properly propagate entitlement policy changes if the changes are made on a managed server while the Administrative Server is unavailable, which might allow attackers to bypass intended restrictions.BEA07-156.00ADV-2007-021323750 101752122082Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a help project (.HPJ) file with a long HLP field in the OPTIONS section.20070119 Help project files (.HPJ) buffer overflow vulnerability in Microsoft Help Workshop22135 238622177Unspecified vulnerability in the chtbl_lookup function in hash.c for WzdFTPD 8.0 and earlier allows remote attackers to cause a denial of service via a crafted FTP command, probably due to a NULL pointer dereference.20070119 WzdFTPD < 8.1 Denial of service20070119 WzdFTPD < 8.1 Denial of service1017537wzdftpd-ftp-dos(31599) ADV-2007-0277 238522171DivXBrowserPlugin (aka DivX Web Player) npdivx32.dll, as distributed with DivX Player 6.4.1, allows remote attackers to cause a denial of service (Internet Explorer 7 crash) by invoking the GoWindowed method for a certain instance of the ActiveX object.22133divx-divxbrowserplugin-dos(31601) 3157The shared_region_map_file_np function in Apple Mac OS X 10.4.8 and earlier kernel allows local users to cause a denial of service (memory corruption) via a large mappingCount value.20070119 [RISE-2007001] Apple Mac OS X 10.4.x kernel shared_region_map_file_np() memory corruption vulnerability ADV-2007-0275 1017538 23823 macos-sharedregionmapfilenp-dos(31645)329422178AVM Fritz!Box 7050, and possibly other product models, allows remote attackers to cause a denial of service (VoIP application crash) via a zero-length UDP packet to the SIP port (port 5060).20070119 DoS against AVM Fritz!Box 7050 (and others)20070119 DoS against AVM Fritz!Box 7050 (and others)22130 20070123 Re: DoS against AVM Fritz!Box 7050 (and others) ADV-2007-0272 23868 fritzbox-udp-packet-dos(31633)BEA AquaLogic Service Bus 2.0, 2.1, and 2.5 does not properly reject malformed request messages to a proxy service, which might allow remote attackers to bypass authorization policies and route requests to back-end services or conduct other unauthorized activities.BEA07-157.0010175232378622082Unspecified vulnerability in BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2, when using Active Directory LDAP for authentication, allows remote authenticated users to access the server even after the account has been disabled.BEA07-154.0010175242378622082BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2 does not properly set the severity level of audit events when the system load is high, which might make it easier for attackers to avoid detection.BEA07-153.002378622082T-Com Speedport 500V routers with firmware 1.31 allow remote attackers to bypass authentication and reconfigure the device via a LOGINKEY=TECOM cookie value.20070119 Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 20070121 Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 20070122 Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 20070216 Re: Virginity Security Advisory 2007-001 : T-Com Speedport 500V Login bypass 22160 23853 tcom-login-authentication-bypass(31621)Barron McCann X-Kryptor Driver BMS1446HRR (Xgntr BMS1351 Install BMS1472) in X-Kryptor Secure Client does not drop privileges when launching an Explorer window in response to a help command, which allows local users to gain LocalSystem privileges via interactive use of Explorer.22424ADV-2007-049624045Multiple cross-site scripting (XSS) vulnerabilities in the sample Cache' Server Page (CSP) scripts in InterSystems Cache' allow remote attackers to inject arbitrary web script or HTML via (1) the TO parameter to loop.csp, (2) the VALUE parameter to cookie.csp, and (3) the PAGE parameter to showsource.csp in csp/samples/; and allow remote authenticated users to inject arbitrary web script or HTML via (4) the ERROR parameter to csp/samples/xmlclasseserror.csp, and unspecified vectors in (5) object.csp and (6) lotteryhistory.csp in csp/samples/.Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to execute arbitrary commands via unknown vectors.HPSBMA021761017504 ADV-2007-0153Unspecified vulnerability in IBM OS/400 R530 and R535 has unknown impact and remote attack vectors, related to an "Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is possible that this issue is related to CVE-2004-0230, but this is not certain.MA33861MA3386123765Multiple buffer overflows in the CDDBControl ActiveX control in Gracenote CDDB before 20070418 allow remote attackers to execute arbitrary code via long values for certain Proxy configuration parameters.The vendor has address this issue with the following information: http://www.gracenote.com/corporate/FAQs.html/faqset=update/page=023567101793722924 20070420 ZDI-07-021: GraceNote CDDBControl ActiveX Buffer Overflow Vulnerability ADV-2007-1475 cddbcontrol-activex-bo(33773)Stack-based buffer overflow in the print provider library (cpprov.dll) in Citrix Presentation Server 4.0, MetaFrame Presentation Server 3.0, and MetaFrame XP 1.0 allows local users and remote attackers to execute arbitrary code via long arguments to the (1) EnumPrintersW and (2) OpenPrinter functions.20070124 ZDI-07-006: Citrix Metaframe Presentation Server Print Provider Buffer Overflow Vulnerability22217ADV-2007-0328101755323869Heap-based buffer overflow in the arj.ppl module in the OnDemand Scanner in Kaspersky Anti-Virus, Anti-Virus for Workstations, and Anti-Virus for File Servers 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows remote attackers to execute arbitrary code via crafted ARJ archives.ADV-2007-126824778 20070405 ZDI-07-013: Kaspersky AntiVirus Engine ARJ Archive Parsing Heap Overflow Vulnerability 23346 1017882 1017883 kaspersky-arj-bo(33489)Stack-based buffer overflow in magentproc.exe for Hewlett-Packard Mercury LoadRunner Agent 8.0 and 8.1, Performance Center Agent 8.0 and 8.1, and Monitor over Firewall 8.1 allows remote attackers to execute arbitrary code via a packet with a long server_ip_name field to TCP port 54345, which triggers the overflow in mchan.dll.HPSBGN02187 20070208 ZDI-07-007: HP Mercury LoadRunner Agent Stack Overflow Vulnerability VU#303012 R-123 22487 ADV-2007-0535 1017611 1017612 1017613 24112 mercury-multiple-agent-bo(32390)Heap-based buffer overflow in the Decomposer component in multiple Symantec products allows remote attackers to execute arbitrary code via multiple crafted CAB archives.24282ADV-2007-250826053The fopen function in PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI.20070125 PHP 5.2.0 safe_mode bypass (by Writing Mode)222612175Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via crafted packets to TCP port (1) 1900 or (2) 2200.20070131 Remote Unauthenticated Code Execution CA BrightStor ARCserve Backup20070131 Remote Unauthenticated Code Execution II CA BrightStor ARCserve Backup for Laptops & DesktopsVU#357308VU#6112762234022342ADV-2007-031431593238971017548Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.2296020070314 SEC Consult SA-20070314-0 :: Apache HTTP Server / Tomcat directory traversalADV-2007-0975tomcat-proxy-directory-traversal(32988)SUSE-SR:2007:00524732GLSA-200705-0325106RHSA-2007:032725280APPLE-SA-2007-07-31HPSBUX02262RHSA-2007:0360SUSE-SR:2007:01525159ADV-2007-2732ADV-2007-3087ADV-2007-33862623526660270372446MDKSA-2007:241[Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1ADV-2008-00652836520080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1RHSA-2008:0261239312ADV-2008-19793090830899Apache SpamAssassin before 3.1.8 allows remote attackers to cause a denial of service via long URLs in malformed HTML, which triggers "massive memory usage."Upgrade to SpamAssassin version 3.1.8RHSA-2007:0075101766624250242562426524307spamassassin-url-dos(32536)SUSE-SR:2007:00624889FEDORA-2007-242FEDORA-2007-241ADV-2007-0628225842419724200GLSA-200703-02MDKSA-2007:049RHSA-2007:0074smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop.20070205 [SAMBA-SECURITY] CVE-2007-0452: Potential DoS against smbd in Samba 3.0.6 - 3.0.23d 20070207 rPSA-2007-0026-1 samba samba-swat DSA-1257 FEDORA-2007-219 FEDORA-2007-220 GLSA-200702-01 MDKSA-2007:034 RHSA-2007:0060 RHSA-2007:0061 SSA:2007-038-01 SUSE-SA:2007:016 2007-0007 USN-419-1 22395 ADV-2007-0483 1017587 24021 24060 24030 24067 24101 24046 24151 24145 24076 24140 24188 samba-smbd-filerename-dos(32301) HPSBUX02204 ADV-2007-1278 24792MDKSA-2007:03420070201-01-P242842219200588Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions.20070205 [SAMBA-SECURITY] CVE-2007-0453: Buffer overrun in nss_winbind.so.1 on Solaris 20070207 rPSA-2007-0026-1 samba samba-swat SSA:2007-038-01 2007-0007 22410 ADV-2007-0483 1017589 24043 24101 24151 samba-winbind-bo(32231)OpenPKG-SA-2007.012Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 through 3.0.23d allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping.20070205 [SAMBA-SECURITY] CVE-2007-0454: Format string bug in afsacl.so VFS plugin2240320070207 rPSA-2007-0026-1 samba samba-swatDSA-1257GLSA-200702-01MDKSA-2007:034SSA:2007-038-012007-0007USN-419-1VU#649732ADV-2007-0483101758824021240602406724101240462415124145samba-afsacl-format-string(32304)MDKSA-2007:034OpenPKG-SA-2007.012Buffer overflow in the gdImageStringFTEx function in gdft.c in GD Graphics Library 2.0.33 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted string with a JIS encoded font.ADV-2007-040023916[security-announce] 20070208 rPSA-2007-0028-1 gdFEDORA-2007-150MDKSA-2007:035MDKSA-2007:036MDKSA-2007:0382007-000722289240222405224053241072414324151RHSA-2007:01552492420070418 rPSA-2007-0073-1 php php-mysql php-pgsqlRHSA-2007:0153RHSA-2007:01622496524945MDKSA-2007:109USN-473-125575RHSA-2008:014629157Unspecified vulnerability in the LLT dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors.22352ADV-2007-044324016FEDORA-2007-207MDKSA-2007:033RHSA-2007:0066101758124011240252408424515wireshark-lltdissector-dos(32056)20070301-01-P2465024970Unspecified vulnerability in the IEEE 802.11 dissector in Wireshark (formerly Ethereal) 0.10.14 through 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors.22352ADV-2007-044324016FEDORA-2007-207MDKSA-2007:033RHSA-2007:0066101758124011240252408424515wireshark-ieeedissector-dos(32055)20070301-01-P2465024970Unspecified vulnerability in the HTTP dissector in Wireshark (formerly Ethereal) 0.99.3 and 0.99.4 allows remote attackers to cause a denial of service (application crash) via unspecified vectors, a different issue than CVE-2006-5468.22352ADV-2007-044324016FEDORA-2007-207MDKSA-2007:033RHSA-2007:0066101758124011240252408424515wireshark-httpdissector-dos(32054)20070301-01-P2465024970packet-tcp.c in the TCP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.4 allows remote attackers to cause a denial of service (application crash or hang) via fragmented HTTP packets.22352ADV-2007-044324016 FEDORA-2007-207 MDKSA-2007:033 RHSA-2007:0066 1017581 24011 24025 24084 24515 wireshark-tcpdissector-dos(32053) 20070301-01-P 24650 24970Multiple buffer overflows in ulogd for SUSE Linux 9.3 up to 10.1, and possibly other distributions, have unknown impact and attack vectors related to "improper string length calculations."SUSE-SR:2007:00123863GLSA-200703-17MDKSA-2007:0282213924524MDKSA-2007:028Multiple memory leaks in the Dazuko anti-virus helper module before 2.3.2 allow attackers to cause a denial of service (memory consumption) via unknown vectors.SUSE-SR:2007:001The _GetSrcBits32ARGB function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT image with a malformed Alpha RGB (ARGB) record, which triggers memory corruption. 22207 ADV-2007-0337 32696 23859 macos-argb-dos(31698)Format string vulnerability in Apple Software Update 2.0.5 on Mac OS X 10.4.8 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in (1) SWUTMP or (2) SUCATALOG filenames, or using the (3) application/x-apple.sucatalog+xml MIME type.ADV-2007-0337 APPLE-SA-2007-03-13 22222 ADV-2007-0930 32703 1017755 24479TA07-072AThe _CFNetConnectionWillEnqueueRequests function in CFNetwork 129.19 on Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to cause a denial of service (application crash) via a crafted HTTP 301 response, which results in a NULL pointer dereference.32002224932704macos-cfnetwork-dos(31837)APPLE-SA-2007-11-14TA07-319A26444ADV-2007-386827643Format string vulnerability in Apple Installer 2.1.5 on Mac OS X 10.4.8 allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a (1) PKG, (2) DISTZ, or (3) MPKG package filename.22272 macos-installer-format-string(31883) APPLE-SA-2007-04-19 ADV-2007-1470 1017940 24966 32705TA07-109ATelestream Flip4Mac Windows Media Components for Quicktime 2.1.0.33 allows remote attackers to execute arbitrary code via a crafted ASF_File_Properties_Object size field in a WMV file, which triggers memory corruption.22286ADV-2007-038923958 32697crashdump in Apple Mac OS X 10.4.8 allows local users in the admin group to modify arbitrary files or gain privileges via a symlink attack on application logs in /Library/Logs/CrashReporter/.ADV-2007-0930101775124479macos-crashreporterd-privilege-escalation(31888)APPLE-SA-2007-03-13TA07-072AVU#36311232706Stack-based buffer overflow in rcdll.dll in msdev.exe in Visual C++ (MSVC) in Microsoft Visual Studio 6.0 SP6 allows user-assisted remote attackers to execute arbitrary code via a long file path in the "1 TYPELIB MOVEABLE PURE" option in an RC file.20070122 Microsoft Visual C++ (.RC) resource files buffer overflow vulnerability23856 ADV-2007-0296 visualstudio-rc-bo(31665)2172The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages.ADV-2007-0295 20070121 RubyGems 0.9.0 and earlier installation exploit 20070121 RubyGems 0.9.0 and earlier installation exploit rubygems-extractfiles-file-overwrite(31688) SUSE-SR:2007:004Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uucp account privileges via unspecified vectors.102773 22190 ADV-2007-0317 1017546 23821 solaris-tip-privilege-escalation(31669)oval:org.mitre.oval:def:2038sre/params.php in the Integrity Clientless Security (ICS) component in Check Point Connectra NGX R62 3.x and earlier before Security Hotfix 5, and possibly VPN-1 NGX R62, allows remote attackers to bypass security requirements via a crafted Report parameter, which returns a valid ICSCookie authentication token.20070122 Check Point Connectra End Point security bypass20070122 Re: [Full-disclosure] Check Point Connectra End Point security bypass20070122 Check Point Connectra End Point security bypassADV-2007-0276checkpoint-params-security-bypass(31646)10175592384710175602179Multiple race conditions in Smb4K before 0.8.0 allow local users to (1) modify arbitrary files via unspecified manipulations of Smb4K's lock file, which is not properly handled by the remove_lock_file function in core/smb4kfileio.cpp, and (2) add lines to the sudoers file via a symlink attack on temporary files, which isn't properly handled by the writeFile function in core/smb4kfileio.cpp.[smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes releasedADV-2007-039323937 GLSA-200703-09 MDKSA-2007:042 SUSE-SR:2007:002 22299 23984 24111 24469MDKSA-2007:042The writeFile function in core/smb4kfileio.cpp in Smb4K before 0.8.0 does not preserve /etc/sudoers permissions across modifications, which allows local users to obtain sensitive information (/etc/sudoers contents) by reading this file.[smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes releasedADV-2007-039323937 GLSA-200703-09 MDKSA-2007:042 SUSE-SR:2007:002 22299 23984 24111 24469MDKSA-2007:042Smb4K before 0.8.0 allow local users, when present on the Smb4K sudoers list, to kill arbitrary processes, related to a "design issue with smb4k_kill."[smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes releasedADV-2007-039323937 GLSA-200703-09 MDKSA-2007:042 SUSE-SR:2007:002 22299 23984 24111 24469MDKSA-2007:042Multiple stack-based buffer overflows in utilities/smb4k_*.cpp in Smb4K before 0.8.0 allow local users, when present on the Smb4K sudoers list, to gain privileges via unspecified vectors related to the args variable and unspecified other variables, in conjunction with the sudo configuration.[smb4k-announce] 20061221 Smb4K 0.8.0 and security fixes releasedADV-2007-039323937 GLSA-200703-09 MDKSA-2007:042 SUSE-SR:2007:002 22299 23984 24111 24469MDKSA-2007:042The gencert.sh script, when installing OpenLDAP before 2.1.30-r10, 2.2.x before 2.2.28-r7, and 2.3.x before 2.3.30-r2 as an ebuild in Gentoo Linux, does not create temporary directories in /tmp securely during emerge, which allows local users to overwrite arbitrary files via a symlink attack.GLSA-200701-1923881 22195 ADV-2007-0305Cross-site scripting (XSS) vulnerability in Openads 2.0.x before 2.0.10, 2.3 before 2.3.31 (aka Max Media Manager before 0.3.31-alpha-pr2), and phpAdsNew/phpPgAds before 2.0.9-pr1 allows remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter in admin-search.php and (2) affiliate-search.php. NOTE: this issue may overlap CVE-2007-0363.ADV-2007-031520070126 [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed20070127 Re: [OPENADS-SA-2007-002] Max Media Manager v0.1.29 and v0.3.30 vulnerability fixed20070124 [OPENADS-SA-2007-001] phpAdsNew and phpPgAds 2.0.9-pr1 vulnerability fixedWebCore on Apple Mac OS X 10.3.9 and 10.4.10, as used in Safari, does not properly parse HTML comments in TITLE elements, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within an HTML comment.20070123 Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerabilitysafari-html-xss(31846)APPLE-SA-2007-07-3125159ADV-2007-273210184942389326235Memory leak in the TCP listener in Cisco IOS 9.x, 10.x, 11.x, and 12.x allows remote attackers to cause a denial of service by sending crafted TCP traffic to an IPv4 address on the IOS device.20070124 Crafted TCP Packet Can Cause Denial of ServiceVU#21791222208ADV-2007-0329101755123867cisco-tcp-ipv4-dos(31716)TA07-024ACisco IOS 9.x, 10.x, 11.x, and 12.x and IOS XR 2.0.x, 3.0.x, and 3.2.x allows remote attackers to cause a denial of service or execute arbitrary code via a crafted IP option in the IP header in a (1) ICMP, (2) PIMv2, (3) PGM, or (4) URD packet.20070124 Crafted IP Option VulnerabilityVU#341288ADV-2007-0329101755523867cisco-ip-option-code-execution(31725)TA07-024A22211Cisco IOS allows remote attackers to cause a denial of service (crash) via a crafted IPv6 Type 0 Routing header.20070124 IPv6 Routing Header VulnerabilityVU#274760ADV-2007-0329101755023867cisco-ios-ipv6-type0-dos(31715)TA07-024A22210cgi-bin/main in Sun Ray Server Software 2.0 and 3.0 before 20070123 allows local users to obtain the utadmin password by reading a web server's log file, or by conducting a different, unspecified local attack.102779 22192 ADV-2007-0316 1017547 23900 sunray-utadmin-information-disclosure(31700)Multiple cross-site scripting (XSS) vulnerabilities in Enthusiast 3.1 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) show_owned.php or (2) show_joined.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.23865 22180 enthusiast-show-xss(31667)Multiple SQL injection vulnerabilities in Enthusiast 3.1 allow remote attackers to execute arbitrary SQL commands via the cat parameter to (1) show_owned.php, (2) show_joined.php, and possibly other files. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.23865 22180 enthusiast-show-sql-injection(31666)PHP remote file inclusion vulnerability in defines.php in WebChat 0.77 allows remote attackers to execute arbitrary PHP code via a URL in the WEBCHATPATH parameter.webchat-definesphp-file-include(31624) 316920030303 WebChat (PHP)700010061938206** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Openads (aka phpAdsNew) 2.0.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) phpAds_geoPlugin parameter to libraries/lib-remotehost.inc, the (2) filename parameter to admin/report-index, or the (3) phpAds_config[my_footer] parameter to admin/lib-gui.inc. NOTE: the vendor has disputed this issue, stating that the relevant variables are used within function definitions.20070120 phpAdsNew 2.0.7 Remote File Include20070122 Re: phpAdsNew 2.0.7 Remote File Include20070124 Re: phpAdsNew 2.0.7 Remote File Include217422172** DISPUTED ** PHP remote file inclusion vulnerability in index.php in FreeForum 0.9.0 allows remote attackers to execute arbitrary PHP code via a URL in the fpath parameter. NOTE: this issue has been disputed by third party researchers, stating that fpath variable is initialized before being used.20070121 FreeForum 0.9.0 <=- (index.php fpath) Remote File Include Vulnerability20070124 Re: FreeForum 0.9.0 <=- (index.php fpath) Remote File Include VulnerabilityThe Huawei Versatile Routing Platform 1.43 2500E-003 firmware on the Quidway R1600 Router, and possibly other models, allows remote attackers to cause a denial of service (device crash) via a long show arp command.20070118 The Quidway Router local DOSquidway-arp-dos(31641)2176PHP remote file inclusion vulnerability in includes/functions.visohotlink.php in VisoHotlink 1.01 and possibly earlier allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.ADV-2007-028523878visohotlink-functions-file-include(31654) 22171index.php in Open-Realty 2.3.4 allows remote attackers to obtain sensitive information (the full path) via an invalid listingID parameter in a listingview action.20070121 Full Path Disclosure in Open-Realty ( v2.3.4 ) openrealty-index-path-disclosure(31657)PHP remote file inclusion vulnerability in up.php in Sky GUNNING MySpeach 3.0.6 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the my_ms[root] parameter, a different vector than CVE-2006-4630. NOTE: Some of these details are obtained from third party information.ADV-2007-026923850Multiple SQL injection vulnerabilities in gallery.php in webSPELL 4.01.02 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) galleryID parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-0270 webspell-gallery-sql-injection(31632)Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context."20070125 BIND remote exploit (low severity) [Fwd: Internet Systems Consortium Security Advisory.][bind-announce] 20070125 Internet Systems Consortium Security Advisory.ADV-2007-034923904 20070125 BIND remote exploit (low severity) [Fwd: Internet Systems Consortium Security Advisory.] FEDORA-2007-147 FEDORA-2007-164 FreeBSD-SA-07:02 GLSA-200702-06 MDKSA-2007:030 OpenPKG-SA-2007.007 RHSA-2007:0057 SSA:2007-026-01 SUSE-SA:2007:014 2007-0005 USN-418-1 22229 23972 23924 23943 23974 23977 24054 24014 24048 24129 24203 HPSBTU02207 ADV-2007-1401 24950 24930APPLE-SA-2007-05-24HPSBUX02219MDKSA-2007:030NetBSD-SA2007-003ADV-2007-1939ADV-2007-2163ADV-2007-231510175612540225649ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error, aka the "DNSSEC Validation" vulnerability.Syccessful exploitation requires that the victim has enabled dnssec validation in named.conf by specifying trusted-keys.[bind-announce] 20070125 Internet Systems Consortium Security Advisory.23904DSA-1254FEDORA-2007-147FEDORA-2007-164FreeBSD-SA-07:02GLSA-200702-06MDKSA-2007:030OpenPKG-SA-2007.007RHSA-2007:0044RHSA-2007:0057SSA:2007-026-01SUSE-SA:2007:0142007-0005USN-418-122231101757323972239242394423943239742397724054240142408324048241292420324648HPSBTU02207ADV-2007-1401249502493020070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerIY95618IY95619IY96144IY96324APPLE-SA-2007-05-24HPSBUX02219MDKSA-2007:030NetBSD-SA2007-00320070201-01-P102969ADV-2007-1939ADV-2007-2002ADV-2007-2163ADV-2007-2245ADV-2007-2315ADV-2007-322925402256492571524284254822690927706bind-rrsets-dos(31838)PHP remote file inclusion vulnerability in include/config.inc.php in PhpSherpa allows remote attackers to execute arbitrary PHP code via a URL in the racine parameter.ADV-2007-026323817PHP remote file inclusion vulnerability in lib/nl/nl.php in Neon Labs Website (nlws) 3.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the g_strRootDir parameter.ADV-2007-0268 3163PHP remote file inclusion vulnerability in upload/top.php in Upload-Service 1.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the maindir parameter.ADV-2007-026523845 20070123 [ECHO_ADV_62$2007] Upload Service 1.0 remote file inclusion 22189 uploadservice-top-file-include(31634)PHP remote file inclusion vulnerability in up.php in MySpeach 2.1 beta and possibly earlier allows remote attackers to execute arbitrary PHP code via a URL in the my[root] parameter. 3165PHP remote file inclusion vulnerability in config.php in Sangwan Kim phpIndexPage 1.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[inc_path] parameter.Exploit 3164ADV-2007-026731642216123992PHP remote file inclusion vulnerability in include/includes.php in Bradabra 2.0.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter.ADV-2007-026423851PHP remote file inclusion vulnerability in index.php in Mafia Scum Tools 2.0.0 in Matthew Wardrop Advanced Random Generators (adv-random-gen) allows remote attackers to execute arbitrary PHP code via a URL in the gen parameter.Exploit 3171ADV-2007-0271317122151mafiascum-index-file-include(31637)SQL injection vulnerability in gallery.php in webSPELL 4.01.02 allows remote attackers to execute arbitrary SQL commands via the picID parameter, a different vector than CVE-2007-0492.ADV-2007-0270 3172 22149 webspell-gallery-sql-injection(31632)Unspecified vulnerability in kcms_calibrate in Sun Solaris 8 and 9 before 20071122 allows local users to execute arbitrary commands via unknown vectors.102728ADV-2007-0287101754123885solaris-kcmscalibrate-privilege-escalation(31668) 22175oval:org.mitre.oval:def:1495Eval injection vulnerability in poll_frame.php in Vote! Pro 4.0, and possibly other scripts, allows remote attackers to execute arbitrary code via the poll_id parameter, which is supplied to an eval function call, a different vulnerability type than CVE-2005-4632.ADV-2007-030023834 3180Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue.ADV-2007-0312 22224 23887 projecttracking-extension-file-upload(31729)The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests.ADV-2007-0312 22224 23887 projecttracking-access-weak-security(31727)SQL injection vulnerability in the Acidfree module for Drupal before 4.6.x-1.0, and before 4.7.x-1.0 in the 4.7 series, allows remote authenticated users with "create acidfree albums" privileges to execute arbitrary SQL commands via node titles.ADV-2007-031323895 22202 acidfree-albums-sql-injection(31724)PHP remote file inclusion vulnerability in lib/selectlang.php in BBClone 0.31 allows remote attackers to execute arbitrary PHP code via a URL in the BBC_LANGUAGE_PATH parameter.ADV-2007-031823874 3183Multiple unspecified vulnerabilities in MaklerPlus before 1.2 have unknown impact and attack vectors, possibly relating to cross-site scripting (XSS) in the slogan parameter in main.tpl, or information leaks in error messages.ADV-2007-032123864 22206 maklerplus-multiple-unspecified(31734)Multiple buffer overflows in (1) graphs.c, (2) output.c, and (3) preserve.c in AWFFull 3.7.1 and earlier have unknown impact and attack vectors. NOTE: some of these details are obtained from third party information. NOTE: There may not be any attack vector that crosses privilege boundaries.[AWFFULL] 20070123 Regarding the fixes in 3.7.2ADV-2007-0320 23831 awffull-multiple-bo(31731)Multiple PHP remote file inclusion vulnerabilities in phpXMLDOM (phpXD) 0.3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) dom.php, (2) dtd.php, or (3) parser.php in include/.23875 3184 22201 ADV-2007-0309 phpxd-path-file-include(31726)Hitachi TP1/LiNK 05-00 through 05-03-/F, 03-04 through 03-06-/K, and 03-00 through 03-03-/H; and TP1/Server Base 05-00 through 05-00-/M, 03-01-E through 03-01-FD, 03-01 through 03-01-DB, and 05-03; allow attackers to cause a denial of service (process crash) via invalid data to an OpenTP1 port.ADV-2007-0325 22223 23866Hitachi HiRDB Datareplicator 7HiRDB, 7(64), 6, 6(64), 5.0, and 5.0(64); and various products that bundle HiRDB Datareplicator; allows attackers to cause a denial of service (CPU consumption) via certain data.ADV-2007-0327 22244 23816 hitachi-hirdb-request-dos(31735)Multiple cross-site scripting (XSS) vulnerabilities in multiple Hitachi Web Server, uCosminexus, and Cosminexus products before 20070124 allow remote attackers to inject arbitrary web script or HTML via (1) HTTP Expect headers or (2) image maps.ADV-2007-0326 23843Unspecified vulnerability in Microsoft Word allows user-assisted remote attackers to execute arbitrary code on Word 2000, and cause a denial of service on Word 2003, via unknown attack vectors that trigger memory corruption, as exploited by Trojan.Mdropper.W and later by Trojan.Mdropper.X, a different issue than CVE-2006-6456, CVE-2006-5994, and CVE-2006-6561.22225MS07-014VU#41222522328ADV-2007-0350101756423950word-document-code-execution(31834)TA07-044Aoval:org.mitre.oval:def:528Yana Framework before 2.8.5a allows remote authenticated users with permissions to modify a guestbook profile to modify or delete arbitrary guestbook profiles via unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.3161523855yana-unspecified-security-bypass(31671)Scriptsez Random PHP Quote 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password information via a direct request for pwd.txt.20070123 RANDOM PHP QUOTE 1.0 (pwd.txt) Remote Password Disclosur 23888 randomphpquote-pwd-information-disclosure(31696)2184Scriptsez Smart PHP Subscriber (aka subscribe) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain encoded passwords via a direct request for pwd.txt.20070123 subscribe (pwd.txt) Remote Password Disclosur23886 subscriber-pwd-information-disclosure(31701)2183Cross-site scripting (XSS) vulnerability in memcp.php in XMB U2U Instant Messenger allows remote authenticated users to inject arbitrary web script or HTML via the recipient field.20070120 XMB u2u-memcp-xss(31661)2182SQL injection vulnerability in banner.php in Unique Ads (UDS) 1.x allows remote attackers to execute arbitrary SQL commands via the bid parameter.20070121 SQL Injection in Unique Ads ( UDS )uniqueads-banner-sql-injection(31660)2181The Sony Ericsson K700i and W810i phones allow remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.20070123 Bluetooth DoS by obex push20070123 Re: Bluetooth DoS by obex push [readable]2180The Motorola MOTORAZR V3 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.20070123 Bluetooth DoS by obex push20070123 Re: Bluetooth DoS by obex push [readable]2180The Nokia N70 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.20070123 Bluetooth DoS by obex push20070123 Re: Bluetooth DoS by obex push [readable]2180The LG Chocolate KG800 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push.20070123 Bluetooth DoS by obex push20070123 Re: Bluetooth DoS by obex push [readable]2180Multiple buffer overflows in Nickolas Grigoriadis Mini Web server (MiniWebsvr) before 0.05 have unknown impact and attack vectors.ADV-2007-0294Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the URL (PATH_INFO) to (1) articles/edit.php, (2) articles/list.php, (3) blogs/list_blogs.php, or (4) blogs/rankings.php.20070122 [x0n3-h4ck] bitweaver 1.3.1 XSS Exploitbitweaver-multiple-scripts-xss(31655)2186SQL injection vulnerability in the is_remembered function in class.login.php in Website Baker 2.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the REMEMBER_KEY cookie parameter. NOTE: some of these details are obtained from third party information.20070122 SQL Injection by using Cookie Poisoning for Website Baker Version 2.6.5 and before2382822176ADV-2007-0311websitebaker-login-sql-injection(31692)2185The admin web console implemented by the Centrality Communications (aka Aredfox) PA168 chipset and firmware 1.54 and earlier, as provided by various IP phones, does not require passwords or authentication tokens when using HTTP, which allows remote attackers to connect to existing superuser sessions and obtain sensitive information (passwords and configuration data).20070123 PR06-14: IP Phones based on Centrality Communications/Aredfox PA168 chipset weak session management vulnerability 3189 ADV-2007-0346 23919 23936Cross-site scripting (XSS) vulnerability in index.html (aka the administration page) in PHP Link Directory (phpLD) 3.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted link, which is triggered when the administrator uses the "Validate Links" functionality.20070121 PHP Link Directory XSS Vulnerability version <= 3.0.6phpld-admin-xss(31662)** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Advanced Guestbook 2.4.2 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) index.php, (2) addentry.php, or (3) picture.php, a different set of vectors than CVE-2006-5804. NOTE: this issue has been disputed by third party researchers, stating that the include_path variable is instantiated before use.20070123 Advanced Guestbook <=- 2.4.2 (include_path) Remote File Include Vulnerability20070123 Re: Advanced Guestbook <=- 2.4.2 (include_path) Remote File Include VulnerabilityPHP remote file inclusion vulnerability in includes/login.php in FreeWebShop 2.2.3 and 2.2.4 before 20070123 allows remote attackers to execute arbitrary PHP code via a URL in the lang_file parameter.ADV-2007-031923898 1017549 freewebshop-login-file-include(31732)Tuan Do Uploader (aka php-uploader) 6 beta 1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the administrator password hash via a direct request for userdata/user_1.txt.20070122 Uploader <= (userdata/user_1.txt) Password Disclosure Vulnerabilityuploader-userdata-info-disclosure(31683)2187The AToZed IntraWeb component 8.0 and earlier for Borland Delphi and Kylix, and IntraWeb 9.0 before build (9.0.12), allows remote attackers to cause a denial of service (thread hang or CPU consumption) via a crafted HTTP request, related to the OnBeforeDispatch function in the TIWServerController object.20070123 AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability20070125 Re: AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerabilityintraweb-component-dos(31685) 20070124 Re: AToZed Software Intraweb Component for Borland Delphi and Kylix DoS vulnerability 22185 ADV-2007-0355 23902Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Project 4.6.0 through 5.x before 20070123 modules for Drupal allow remote authenticated users to inject arbitrary web script or HTML via (a) certain "fields on project nodes" or (b) "certain project-specific settings regarding issue tracking."ADV-2007-0312 22224 23908 projecttracking-unspecified-xss(31728)Multiple eval injection vulnerabilities in Vote! Pro 4.0, and possibly earlier, allow remote attackers to execute arbitrary code via requests to unspecified PHP scripts with the poll_id parameter, which is supplied to eval function calls, a different set of vectors than CVE-2007-0504. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-030023834The chroot helper in rMake for rPath Linux 1 does not drop supplemental groups, which causes packages to be installed with insecure permissions and might allow local users to gain privileges. rpath-rmake-privilege-escalation(31942)23922The KDE HTML library (kdelibs), as used by Konqueror 3.5.5, does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment in a title tag, a related issue to CVE-2007-0478.20070124 Re: Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerabilityGLSA-200703-10MDKSA-2007:031USN-420-122428ADV-2007-050510175912393224013240652444224463SUSE-SR:2007:00624889MDKSA-2007:031MDKSA-2007:157RHSA-2007:090927108Telligent Community Server 2.1 and earlier allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to (1) a large file, which triggers a long download session without a timeout constraint; or (2) a file with a binary content type, which is downloaded even though it cannot contain usable pingback data.20070124 DoS against Telligent Community Server20070124 Weaknesses in Pingback Design2211The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout constraint.20070124 Multiple Remote Vulnerabilities in Wordpress20070124 Weaknesses in Pingback Design2191WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data.20070124 Multiple Remote Vulnerabilities in Wordpress20070124 Weaknesses in Pingback Design2191DSA-156430013WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local pathname, which triggers different fault codes for existing and non-existing files, and in certain configurations causes a brief file excerpt to be published as a blog comment.20070124 Multiple Remote Vulnerabilities in Wordpress20070124 Weaknesses in Pingback Design2191Cross-site scripting (XSS) vulnerability in show.php in 212cafe Guestbook 4.00 beta allows remote attackers to inject arbitrary web script or HTML via the user parameter.20070121 XSS in Guestbook ( v.4.00 beta )guestbook-show-xss(31663)2190ZixForum 1.14 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for Zixforum.mdb. NOTE: a followup post suggests that this issue only occurs if the administrator does not properly follow installation directions.20070124 ZixForum <= 1.14 (Zixforum.mdb) Remote Password Disclosure Vulnerability20070124 Re: ZixForum <= 1.14 (Zixforum.mdb) Remote Password Disclosure Vulnerability2189Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka MyBulletinBoard) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field, a different vector than CVE-2006-2949.20070124 [Aria-Security Team] MyBB Cross-Site Scripting 22205 23934 mybb-subject-field-xss(31740)DSA-149328837Maxtricity Tagger 0.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for tagger.mdb.20070124 Maxtricity Tagger Password Disclosure Vulnerability2214Toxiclab Shoutbox 1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db.mdb.20070124 Toxiclab Shoutbox Password Disclosure Vulnerability2213Cross-site scripting (XSS) vulnerability in CGI-RESCUE WebFORM 4.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.23913 ADV-2007-0344KarjaSoft Sami HTTP Server 2.0.1 allows remote attackers to cause a denial of service (daemon hang) via a large number of requests for nonexistent objects.23901sami-http-request-dos(31690) 3182Cross-site scripting (XSS) vulnerability in list3.php in 212cafeBoard 6.30 Beta allows remote attackers to inject arbitrary web script or HTML via the user parameter.20070121 XSS in 212cafeBoard ( Verision 0.08 & 6.30 Beta )212cafeboard-list3-xss(31650)2212Cross-site scripting (XSS) vulnerability in search.php in 212cafeBoard 0.08 Beta allows remote attackers to inject arbitrary web script or HTML via keyword parameter.20070121 XSS in 212cafeBoard ( Verision 0.08 & 6.30 Beta )212cafeboard-search-xss(31651)2212Multiple PHP remote file inclusion vulnerabilities in cmsimple/cms.php in CMSimple 2.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) pth[file][config] and (2) pth[file][image] parameters.20070120 cmsimple 2.7 Remote File Includecmsimple-cms-file-include(31658)2195Cross-site scripting (XSS) vulnerability in install/default/error404.html in Oh no! Not another CMS (Onnac) 0.0.8.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the error_url parameter.ADV-2007-0347 22256 onnac-error-xss(31795)Multiple cross-site scripting (XSS) vulnerabilities in index.inc.php in PHProxy before 0.5 beta 2 allow remote attackers to inject arbitrary web script or HTML via the (1) data[realm] and (2) _url parameters, different vectors than CVE-2004-2604. NOTE: some of these details are obtained from third party information.ADV-2007-034822255SQL injection vulnerability in print.asp in Guo Xu Guos Posting System (GPS) 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.20070125 GPS 1.2 Content Managing System (print.asp) Remote SQL Injection Vulnerability 3195 22232 ADV-2007-0353 23929 gps-print-sql-injection(31759)2209PostgreSQL 7.3 before 7.3.13, 7.4 before 7.4.16, 8.0 before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 allows attackers to disable certain checks for the data types of SQL function arguments, which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content.USN-417-1ADV-2007-047824033 20070206 rPSA-2007-0025-1 postgresql postgresql-server 20070208 rPSA-2007-0025-2 postgresql postgresql-server [security-announce] 20070206 rPSA-2007-0025-1 postgresql postgresql-server DSA-1261 FEDORA-2007-198 GLSA-200703-15 MDKSA-2007:037 RHSA-2007:0064 RHSA-2007:0067 RHSA-2007:0068 102825 2007-0007 USN-417-2 22387 ADV-2007-0774 1017597 24028 24057 24050 24042 24094 24151 24158 24315 24513 24577 postgresql-sqlfunctions-info-disclosure(32195) SUSE-SR:2007:010 2522020070201-01-P24284The query planner in PostgreSQL before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 does not verify that a table is compatible with a "previously made query plan," which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content via an "ALTER COLUMN TYPE" SQL statement, which can be leveraged to read arbitrary memory from the server.USN-417-1ADV-2007-047824033 20070206 rPSA-2007-0025-1 postgresql postgresql-server 20070208 rPSA-2007-0025-2 postgresql postgresql-server [security-announce] 20070206 rPSA-2007-0025-1 postgresql postgresql-server FEDORA-2007-198 GLSA-200703-15 MDKSA-2007:037 RHSA-2007:0067 RHSA-2007:0068 102825 2007-0007 USN-417-2 22387 ADV-2007-0774 1017597 24028 24057 24050 24042 24151 24315 24513 24577 postgresql-datatype-information-disclosure(32191) SUSE-SR:2007:010 25220rMake before 1.0.4 drops root privileges in a way that retains the original supplemental groups, which might allow attackers to gain privileges via a crafted recipe file, a different vulnerability than CVE-2007-0536.PHP remote file inclusion vulnerability in modules/mail/main.php in Inter7 vHostAdmin 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the MODULES_DIR parameter.ADV-2007-0339 3191PHP remote file inclusion vulnerability in config.php in RPW 1.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the sql_language parameter.ADV-2007-0342 3185SQL injection vulnerability in user.asp in ASP EDGE 1.2b and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter. 20070125 ASP EDGE <= V1.2b (user.asp) Remote SQL Injection Vulnerability 3186 22212 ADV-2007-0341 23894 aspedge-user-sql-injection(31723)Multiple PHP remote file inclusion vulnerabilities in Xero Portal 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) admin_linkdb.php, (2) admin_forum_prune.php, (3) admin_extensions.php, (4) admin_board.php, (5) admin_attachments.php, or (6) admin_users.php in admin/. 20070125 Xero Portal v1.2 (phpbb_root_path) Remote File Include Vulnerablity 3192 22227 ADV-2007-0338 23952 xero-multiple-scripts-file-include(31767)Windows Explorer (explorer.exe) 6.0.2900.2180 in Microsoft Windows XP SP2 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted .avi file, which triggers the crash when the user right clicks on the file. 3190Multiple cross-site scripting (XSS) vulnerabilities in Symantec Web Security (SWS) before 3.0.1.85 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) error messages and (2) blocked page messages produced by SWS.ADV-2007-033023896221841017558symantec-html-xss(31750)The license registering interface in Symantec Web Security (SWS) before 3.0.1.85 allows attackers to cause a denial of service (CPU consumption) by submitting a large file.This vulnerablity is addressed in the following product release: Symantec, Symantec Web Security, 3.0.1.85ADV-2007-033023896 1017558CGI-Rescue Shopping Basket Professional 7.50 and earlier allows remote attackers to inject arbitrary operating system commands via unspecified vectors.2390922245SQL injection vulnerability in news_detail.asp in ASP NEWS 3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 20070125 ASP NEWS <= V3 (news_detail.asp) Remote SQL Injection Vulnerability 3187 22214 ADV-2007-0340 aspnews-newsdetail-sql-injection(31719)Cross-site scripting (XSS) vulnerability in admin.php in Interactive-Scripts.Com PHP Membership Manager 1.5 allows remote attackers to inject arbitrary web script or HTML via the _p parameter.20070126 PHP Membership Manager Cross-Site Scripting Vulnerability22263 phpmembership-admin-xss(31916)PHP remote file inclusion vulnerability in system/lib/package.php in MyPHPCommander 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the gl_root parameter.22257ADV-2007-038523890 3201 myphpcommander-package-file-include(31906)SQL injection vulnerability in xNews.php in xNews 1.3 allows remote attackers to execute arbitrary SQL commands via the id parameter in a shownews action.2228423954 xnews-xnews-sql-injection(31855)PHP remote file inclusion vulnerability in ains_main.php in Johannes Gijsbers (aka Taradino) Ad Fundum Integratable News Script (AINS) 0.02b allows remote attackers to execute arbitrary PHP code via a URL in the ains_path parameter.22259ADV-2007-0384ains-ainsmain-file-include(31850) 3202PHP remote file inclusion vulnerability in include/lib/lib_head.php in phpMyReports 3.0.11 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cfgPathModule parameter.ADV-2007-0386 3212 22290 23959 phpmyreports-libhead-file-include(31857)PHP remote file inclusion vulnerability in include/irc/phpIRC.php in Drunken:Golem Gaming Portal 0.5.1 Alpha 2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.ADV-2007-0390 3207 drunkengolem-phpirc-file-include(31873)PHP remote file inclusion vulnerability in includes/config.inc.php in nsGalPHP 0.41 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the racineTBS parameter.VIM 20070130 Source VERIFY: nsGalPHP RFI22277ADV-2007-039223969 nsgalphp-config-file-include(31861)SQL injection vulnerability in rss/show_webfeed.php in SpoonLabs Vivvo Article Management CMS (aka phpWordPress) 3.40 allows remote attackers to execute arbitrary SQL commands via the wcHeadlines parameter, a different vector than CVE-2006-4715. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.22282Multiple SQL injection vulnerabilities in the administrative login page (admin/login.asp) in ASPCode.net AdMentor allow remote attackers to execute arbitrary SQL commands via the (1) Userid and (2) Password fields.20070127 AdMentor (banners) admin SQL injection2228120070220 AdMentor Script Remote SQL injection Exploitadmentor-adminlogin-sql-injection(31908)2207PHP remote file inclusion vulnerability in xt_counter.php in Xt-Stats 2.3.x up to 2.4.0.b3 allows remote attackers to execute arbitrary PHP code via a URL in the server_base_dir parameter.20070127 Xt-Stats v.2.4.0.b3 - Remote File Include Vulnerabilities22276ADV-2007-038723967xtstats-xtcounter-file-include(31871)PHP remote file inclusion vulnerability in function.inc.php in ACGVclick 0.2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter.22278ADV-2007-039123970 acgvclick-function-file-include(31859)The http_open function in httpget.c in mpg123 before 0.64 allows remote attackers to cause a denial of service (infinite loop) by closing the HTTP connection early.22274ADV-2007-0366MDKSA-2007:032MDKSA-2007:032Unspecified vulnerability in the calendar component in Horde Groupware Webmail Edition before 1.0, and Groupware before 1.0, allows remote attackers to include certain files via unspecified vectors. NOTE: some of these details are obtained from third party information.[horde-announce] 20070114 Horde Groupware 1.0 (final)[horde-announce] 20070114 Horde Groupware Webmail Edition 1.0 (final)22273ADV-2007-0368horde-calendar-file-include(31849)PHP remote file inclusion vulnerability in menu.php in Foro Domus 2.10 allows remote attackers to execute arbitrary PHP code via a URL in the sesion_idioma parameter.2228523949 ADV-2007-0396 forodomus-menu-file-include(31853)PHP remote file inclusion vulnerability in functions.php in EclipseBB 0.5.0 Lite allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.22283 3214 ADV-2007-0397 eclipsebb-functions-file-include(31852) 20070418 EclipseBB Remote File InclusionSQL injection vulnerability in default.asp in ChernobiLe 1.0 allows remote attackers to execute arbitrary SQL commands via the User (username) field.Exploit 3210222803210chernobile-default-sql-injection(31939)Multiple cross-site scripting (XSS) vulnerabilities in HTTP Commander 6.0, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) LogoffMessage parameter to logofflast.aspx or the (2) txtUsername parameter to Default.aspx. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.23964 22298 httpcommander-multiple-xss(31877)PHP remote file inclusion vulnerability in membres/membreManager.php in PhP Generic Library & Framework for comm (g-neric) allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter.22287ADV-2007-0394 20070129 PhP Generic library & framework (include_path) Remote File Include Exploit 3217 phpgeneric-membremanager-file-include(31895)include/debug.php in Webfwlog 0.92 and earlier, when register_globals is enabled, allows remote attackers to obtain source code of files via the conffile parameter. NOTE: some of these details are obtained from third party information. It is likely that this issue can be exploited to conduct directory traversal attacks.Successful exploitation requires that "register_globals" is enabled.ADV-2007-0399 3222 22291 23968 webfwlog-debug-file-include(31881)The InternalUnpackBits function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT file that triggers memory corruption in the _GetSrcBits32ARGB function. NOTE: this issue might overlap CVE-2007-0462.22228VU#396820ADV-2007-0930101776024479APPLE-SA-2007-03-13TA07-072A33365SQL injection vulnerability in Forum Livre 1.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to info_user.asp. 3197Cross-site scripting (XSS) vulnerability in busca2.asp in Forum Livre 1.0 remote attackers to inject arbitrary web script or HTML via the palavra parameter. 3197PHP remote file inclusion vulnerability in configure.php in Vu Le An Virtual Path (VirtualPath) 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. 3198 22241 ADV-2007-0352 23918Cross-site scripting (XSS) vulnerability in EzDatabase 2.1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to admin/login.php and the Admin Panel Database.20070125 EzDatabase Multiple Cross-Site Scripting Vulnerability22235ezdatabase-adminpanel-xss(31768)2196Siteman 1.1.11 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing password hashes via a direct request for data/members.txt.20070125 [x0n3-h4ck] Siteman 1.1.11 Remote Md5 Hash Disclosure Vulnerability 23925 siteman-members-information-disclosure(31780)2205Siteman 2.0.x2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing password hashes via a direct request for db/siteman/users.MYD.20070125 [x0n3-h4ck] Siteman 2.0.x2 Remote Md5 Hash Disclosure Vulnerability2206Cross-site scripting (XSS) vulnerability in search in High 5 Review Site allows remote attackers to inject arbitrary web script or HTML via the q parameter (aka the search box).20070125 high5 Review script Security RiskADV-2007-036323905high5review-search-xss(31797)PHP remote file inclusion vulnerability in index/main.php in Aztek Forum 4.00 allows remote authenticated administrators to execute arbitrary PHP code via a URL in the PF[top_url] parameter.20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities ExploitAztek Forum 4.00 allows remote attackers to obtain sensitive information via a direct request to forum.php with the fid=XD query string, which reveals the path in an error message.20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities ExploitSQL injection vulnerability in forum/load.php in Aztek Forum 4.00 allows remote attackers to execute arbitrary SQL commands via the fid cookie to forum.php.20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities ExploitVariable overwrite vulnerability in common/config.php in Aztek Forum 4.00 allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as copying arbitrary files using index/common_actions.php, via vectors associated with extract operations on the (1) POST, (2) GET, (3) COOKIE, and (4) SERVER superglobal arrays.20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities ExploitSQL injection vulnerability in news_page.asp in Martyn Kilbryde Newsposter Script (aka makit news/blog poster) 3 and earlier allows remote attackers to execute arbitrary SQL commands via the uid parameter.20070125 makit news/blog poster <=v3(news_page.asp) Remote SQL Injection Vulnerability22230newsposter-newspage-sql-injection(31747) 31942208common/safety.php in Aztek Forum 4.00 allows remote attackers to enter certain data containing %22 sequences (URL encoded double quotes) and other potentially dangerous manipulations by sending a cookie, which bypasses the blacklist matching against the GET and PUT superglobal arrays.20070125 Aztek Forum 4.1 Multiple Vulnerabilities Exploit20070125 Re: Aztek Forum 4.1 Multiple Vulnerabilities ExploitBuffer overflow in libvsapi.so in the VSAPI library in Trend Micro VirusWall 3.81 for Linux, as used by IScan.BASE/vscan, allows local users to gain privileges via a long command line argument, a different vulnerability than CVE-2005-0533.20070125 Buffer overflow in VSAPI library of Trend Micro VirusWall 3.81 for Linux ADV-2007-0367 10175622204PGP Desktop before 9.5.1 does not validate data objects received over the (1) \pipe\pgpserv named pipe for PGPServ.exe or the (2) \pipe\pgpsdkserv named pipe for PGPsdkServ.exe, which allows remote authenticated users to gain privileges by sending a data object representing an absolute pointer, which causes code execution at the corresponding address.20070125 Medium Risk Vulnerability in PGP Desktop23938 VU#102465 22247 ADV-2007-0356 10175632203Cross-site scripting (XSS) vulnerability in Movable Type (MT) before 3.34 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the MTCommentPreviewIsStatic tag, which can open the "comment entry screen," a different vulnerability than CVE-2007-0231.Cross-site scripting (XSS) vulnerability in picture.php in Advanced Guestbook 2.4.2 allows remote attackers to inject arbitrary web script or HTML via the picture parameter.Successful exploitation requires that "register_globals" is enabled.20070507 Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities2387333877ADV-2007-172625153advanced-picture-index-xss(34156)2663w-agora 4.2.1 allows remote attackers to obtain sensitive information by via the (1) bn[] array parameter to index.php, which expects a string, and (2) certain parameters to delete_forum.php, which displays the path name in the resulting error message.20070319 w-agora version 4.2.1 Multiple Path Disclosure Vulnerabilities3166831669wagora-deleteforumindex-path-disclosure(33076)2461W-Agora (Web-Agora) 4.2.1, when register_globals is enabled, stores globals.inc under the web document root with insufficient access control, which allows remote attackers to obtain application path information via a direct request.20070319 w-agora version 4.2.1 Information Disclosure Vulnerability31670 20070319 w-agora version 4.2.1 Information Disclosure Vulnerability wagora-globals-information-disclosure(33073)2465Advanced Guestbook 2.4.2 allows remote attackers to obtain sensitive information via an invalid (1) GB_TBL parameter to (a) lang/codes-english.php or (b) image.php, which reveal the database name; (2) an invalid GB_DB parameter to index.php, coupled with a ../index lang cookie, which reveals the installation path; or (3) a direct request to index.php with no parameters or cookies, which reveals the installation path.Successful exploitation requires that "register_globals" is enabled.20070507 Advanced Guestbook version 2.4.2 Multiple Error Information Leak Vulnerabilities338763387833879ADV-2007-172625153advanced-multiple-script-info-disclosure(34161)2661Directory traversal vulnerability in Advanced Guestbook 2.4.2 allows remote attackers to bypass .htaccess settings, and execute arbitrary PHP local files or read arbitrary local templates, via a .. (dot dot) in a lang cookie, followed by a filename without its .php extension, as demonstrated via a request to index.php.20070507 Advanced Guestbook version 2.4.2 Directory Traversal Vulnerability20070507 Advanced Guestbook version 2.4.2 Multiple XSS Attack Vulnerabilities23876ADV-2007-172625153advanced-index-directory-traversal(34152)2662Cross-site scripting (XSS) vulnerability in the mailform feature in CMSimple 2.7 fix1 allows remote attackers to inject arbitrary web script or HTML via the sender parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.23951 22250 cmsimple-sender-xss(31841)Multiple cross-site scripting (XSS) vulnerabilities in Free LAN In(tra|ter)net Portal (FLIP) before 1.0-RC2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors in (1) inc.page.php and (2) inc.text.php.ADV-2007-0360Multiple ActiveX controls in Microsoft Windows 2000, XP, 2003, and Vista allows remote attackers to cause a denial of service (Internet Explorer crash) by accessing the bgColor, fgColor, linkColor, alinkColor, vlinkColor, or defaultCharset properties in the (1) giffile, (2) htmlfile, (3) jpegfile, (4) mhtmlfile, (5) ODCfile, (6) pjpegfile, (7) pngfile, (8) xbmfile, (9) xmlfile, (10) xslfile, or (11) wdfile objects in (a) mshtml.dll; or the (12) TriEditDocument.TriEditDocument or (13) TriEditDocument.TriEditDocument.1 objects in (b) triedit.dll, which cause a NULL pointer dereference.20070129 Internet Explorer 7 ActiveX bgColor property NULL pointer dereference (DoS)20070129 Internet Explorer 7 ActiveX bgColor property NULL pointer dereference (DoS)22288ie-activex-bgcolor-dos(31867)2199The Bonjour functionality in mDNSResponder, iChat 3.1.6, and InstantMessage framework 428 in Apple Mac OS X 10.4.8 does not check for duplicate entries when adding newly discovered available contacts, which allows remote attackers to cause a denial of service (disrupted communication) via a flood of duplicate _presence._tcp mDNS queries.22304 3269932698The Bonjour functionality in mDNSResponder, iChat 3.1.6, and InstantMessage framework 428 in Apple Mac OS X 10.4.8 allows remote attackers to cause a denial of service (persistent application crash) via a crafted phsh hash attribute in a TXT key.22304 APPLE-SA-2007-02-15 32713 1017661 23945 24198Unspecified vulnerability in Hitachi JP1/HIBUN Advanced Edition Management Server and Log Server before 20070124 allows remote attackers to cause a denial of service (application stop) via unexpected data.22237ADV-2007-032423854hitachi-jp1-hibun-request-dos(31733)Directory traversal vulnerability in zen/template-functions.php in zenphoto 1.0.4 up to 1.0.6 allows remote attackers to list arbitrary directories via ".." sequences in the album parameter to index.php. 22368 ADV-2007-0470 24026 zenphoto-template-directory-traversal(32102)The SpamBlocker.dll ActiveX control in Earthlink TotalAccess is marked "safe for scripting," which allows remote attackers to add arbitrary e-mail addresses and domains to the spam blocker whitelist via the (1) AddSenderToWhitelist and (2) AddDomainToWhitelist functions.Medium complexity because phishing attack20070125 Earthlink TotalAccess ActiveX Unsafe Methods Vulnerability22238earthlink-spamblocker-security-bypass(31827)2210Unspecified vulnerability in (1) pop3d, (2) pop3ds, (3) imapd, and (4) imapds in IBM AIX 5.3.0 has unspecified impact and attack vectors, involving an "authentication vulnerability."IY9308422262ADV-2007-038223957 aix-mailservices-rlogin-security-bypass(31875)chmlib before 0.39 allows user-assisted remote attackers to execute arbitrary code via a crafted page block length in a CHM file, which triggers memory corruption.Update to version 0.39.20070126 Multiple Vendor libchm Page Block Length Memory Corruption Vulnerability101756523975 GLSA-200702-12 SUSE-SR:2007:003 22258 24335download.php in FD Script 1.3.2 and earlier allows remote attackers to read source of files under the web document root with certain extensions, including .php, via a relative pathname in the fname parameter, as demonstrated by downloading config.php.20070126 FdScript <= v1.3.2 Remote File Disclosure Vulnerability22265ADV-2007-038323947 fdscript-download-file-disclosure(31915)2197** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-6456. Reason: This candidate is a duplicate of CVE-2006-6456. It was assigned for a targeted zero-day attack, but further analysis revealed it was for an older issue. Notes: All CVE users should reference CVE-2006-6456 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.23934SQL injection vulnerability in index.php in MAXdev MDPro 1.0.76 allows remote attackers to execute arbitrary SQL commands via the startrow parameter.20070129 MDPro 1.0.76 - Multiple Remote Vulnerabilities2229323948 ADV-2007-0412 mdpro-startrow-sql-injection(31897)2198user.php in MAXdev MDPro 1.0.76 allows remote attackers to obtain the full path via a ' (quote) character, and possibly other invalid values, in the uname parameter in a userinfo operation.20070129 MDPro 1.0.76 - Multiple Remote Vulnerabilities mdpro-user-path-disclosure(31898)2198nxconfigure.sh in NoMachine NX Server before 2.1.0-18 does not validate the invoking user, which allows local users to modify server configuration keys in /usr/NX/etc/server.cfg, resulting in an unspecified denial of service.22308ADV-2007-041323993 nxserver-nxconfigure-dos(31941)The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing comments, which are not processed by "normal form validation routines."Successful exploitation requires "post comments" privileges and access to multiple input filters (not the default). DRUPAL-SA-2007-005 ADV-2007-04062396022306ADV-2007-041523990drupal-commentformaddpreview-code-execution(31940)Michael Still gtalkbot before 1.2 places username and password arguments on the command line, which allows local users to obtain sensitive information by listing the process.ADV-2007-0408 22322 23942 gtalkbot-ps-information-disclosure(31923)Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Access Manager 6.1, 6.2, 6 2005Q1 (6.3), and 7 2005Q4 (7.0) before 20070129 allow remote attackers to inject arbitrary web script or HTML via the (1) goto or (2) gx-charset parameter. NOTE: some of these details are obtained from third party information.10262122302ADV-2007-0411239791017570javaaccessserver-unspecified-xss(31936)The www_purgeList method in Plain Black WebGUI before 7.3.8 does not properly check user permissions, which allows attackers to delete unauthorized assets. NOTE: some of these details are obtained from third party information.2229423981 webgui-wwwpurgelist-data-manipulation(31905)Multiple SQL injection vulnerabilities in the generate_csv function in classes/class.news.php in X-dev xNews 1.3 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id, (2) from, and (3) q parameters, different vectors than CVE-2007-0569. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-0395SQL injection vulnerability in index.php in Eclectic Designs CascadianFAQ 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.Exploit 322722314 3227 ADV-2007-0424 31675 23965 cascadianfaq-index-sql-injection(31968)SQL injection vulnerability in artreplydelete.asp in ASP EDGE 1.3a and earlier allows remote attackers to execute arbitrary SQL commands via a username cookie, a different vector than CVE-2007-0560.ADV-2007-0341PHP remote file inclusion vulnerability in include/themes/themefunc.php in MyNews 4.2.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the myNewsConf[path][sys][index] parameter.22313 3228 ADV-2007-0423 23973 mynews-themefunc-file-include(31971)Unspecified vulnerability in Sun Solaris 10 before 20070130 allows remote attackers to cause a denial of service (system crash) via certain ICMP packets.102697VU#96723622323ADV-2007-0420101757423982solaris-icmp-dos(32010)oval:org.mitre.oval:def:1249Multiple PHP remote file inclusion vulnerabilities in EncapsCMS 0.3.6 allow remote attackers to execute arbitrary PHP code via a URL in the (1) config[path] parameter to (a) common_foot.php or (b) blogs.php, or (2) the config[theme] parameter to (c) admin/gallery_head.php.20070130 EncapsCMS 0.3.6 (common_foot.php) Remote File Include22319encapsms-config-file-include(31978) ADV-2007-0430 239872200Unspecified vulnerability in inotify before 0.3.5 has unknown impact and attack vectors, related to "access rights to watched files."22305ADV-2007-0405Directory traversal vulnerability in zd_numer.php in Galeria Zdjec 3.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the galeria parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by zd_numer.php.22324galeria-zdnumer-file-include(31967) 3225 ADV-2007-0425 23956show.php in Vlad Alexa Mancini PHPFootball 1.6 allows remote attackers to obtain sensitive information (database contents) via a % (percent) character in the dbfieldv parameter.22312phpfootball-show-information-disclosure(31976) 3226 ADV-2007-0429 23962Multiple static code injection vulnerabilities in error.php in GuppY 4.5.16 and earlier allow remote attackers to inject arbitrary PHP code into a .inc file in the data/ directory via (1) a REMOTE_ADDR cookie or (2) a cookie specifying an element of the msg array with an error number in the first dimension and 0 in the second dimension, as demonstrated by msg[999][0].101756923914guppy-mdp-command-execution(31882) 3221 ADV-2007-0421Buffer overflow in ZABBIX before 1.1.5 has unknown impact and attack vectors related to "SNMP IP addresses."22321ADV-2007-0416 24020 zabbix-snmp-bo(32038)Buffer overflow in the EnumPrintersA function in dapcnfsd.dll 0.6.4.0 in Shaffer Solutions (SSC) DiskAccess NFS Client allows remote attackers to execute arbitrary code via a long argument, an issue similar to CVE-2006-5854 and CVE-2007-0444.22301SQL injection vulnerability in tForum 2.00 in the Raymond BERTHOU script collection (aka RBL - ASP) allows remote attackers to execute arbitrary SQL commands via the (1) id and (2) pass to user_confirm.asp.20070127 RBL - ASP (scripts with db) SQL injection20070129 RBL - ASP (scripts with db) SQL injection20070131 Partial source code verify - rbl-userpass-sql-injection(31927)22350360402201Stack-based buffer overflow in Bloodshed Dev-C++ 4.9.9.2 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long line in a .cpp file.22315 3229Format string vulnerability in Apple Safari 2.0.4 (419.3) allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in filenames that are not properly handled when calling the (1) NSLog and (2) NSBeginAlertSheet Apple AppKit functions. 22326 32710Format string vulnerability in iPhoto 6.0.5 allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling certain Apple AppKit functions. 22326 32711Format string vulnerability in iMovie HD 6.0.3, and Safari in Apple Mac OS X 10.4 through 10.4.10, allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling the NSRunCriticalAlertPanel Apple AppKit function.22326APPLE-SA-2007-04-19ADV-2007-147024966APPLE-SA-2007-11-14TA07-109ATA07-319A26444ADV-2007-386827643Format string vulnerability in Help Viewer 3.0.0 allows remote user-assisted attackers to cause a denial of service (crash) via format string specifiers in a filename, which is not properly handled when calling the NSBeginAlertSheet Apple AppKit function. 22326 32707Cisco IOS after 12.3(14)T, 12.3(8)YC1, 12.3(8)YG, and 12.4, with voice support and without Session Initiated Protocol (SIP) configured, allows remote attackers to cause a denial of service (crash) by sending a crafted packet to port 5060/UDP.20070131 SIP Packet Reloads IOS Devices Not Configured for SIPVU#43817622330ADV-2007-042823978cisco-sip-packet-dos(31990) 1017575Variable overwrite vulnerability in interface/globals.php in OpenEMR 2.8.2 and earlier allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as conduct (a) remote file inclusion attacks via the srcdir parameter in custom/import_xml.php or (b) cross-site scripting (XSS) attacks via the rootdir parameter in interface/login/login_frame.php, via vectors associated with extract operations on the (1) POST and (2) GET superglobal arrays. NOTE: this issue was originally disputed before the extract behavior was identified in post-disclosure analysis. Also, the original report identified "Open Conference Systems," but this was an error.20070127 Open Conference Systems = 2.8.2 Remote File Inclusion20070127 Re: Open Conference Systems = 2.8.2 Remote File Inclusion20070128 Re: Open Conference Systems = 2.8.2 Remote File Inclusion20070129 Fake: Open Conference Systems = 2.8.2 Remote File Inclusion20070129 Re: Fake: Open Conference Systems = 2.8.2 Remote File Inclusion20070130 Re: Fake: Open Conference Systems = 2.8.2 Remote File Inclusion20070129 [still bogus] V [mike at carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion] (fwd)20070131 VERIFY of RFI and XSS in OpenEMR 2.8.2 (was [still bogus] V [mike at carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion])22346223482202Buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in teTeX might allow user-assisted remote attackers to overwrite files and possibly execute arbitrary code via a long filename. NOTE: other overflows exist but might not be exploitable, such as a heap-based overflow in the check_idx function.23872ADV-2007-1706tetex-makeindex-opensty-bo(32284)GLSA-200709-17GLSA-200711-34MDKSA-2007:10926982GLSA-200805-1330168Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Professional before 2.37 allow remote attackers to inject arbitrary Javascript script via (1) e-mail messages and (2) the ID parameter to (a) right.asp, (b) Forms/MAI/list.asp, and (c) Forms/VCF/list.asp in mewebmail/base/default/lang/EN/.20070214 Secunia Research: MailEnable Web Mail Client MultipleVulnerabilities22554ADV-2007-059523998mailenable-email-messages-xss(32476)mailenable-id-xss(32480)2258Cross-site request forgery (CSRF) vulnerability in MailEnable Professional before 2.37 allows remote attackers to modify arbitrary configurations and perform unauthorized actions as arbitrary users via a link or IMG tag.20070214 Secunia Research: MailEnable Web Mail Client MultipleVulnerabilities22554ADV-2007-0595239982258Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via crafted header information in a skin bitmap image, which triggers memory corruption.23078ADV-2007-105723986 MDKSA-2007:071 USN-445-1 24645 DSA-1277 24804 SUSE-SR:2007:006 2488920070321 Secunia Research: XMMS Integer Overflow and UnderflowVulnerabilitiesMDKSA-2007:071xmms-skinbitmap-code-execution(33205)Integer underflow in X MultiMedia System (xmms) 1.2.10 allows user-assisted remote attackers to execute arbitrary code via crafted header information in a skin bitmap image, which results in a stack-based buffer overflow.23078ADV-2007-105723986 MDKSA-2007:071 USN-445-1 24645 DSA-1277 24804 SUSE-SR:2007:006 2488920070321 Secunia Research: XMMS Integer Overflow and UnderflowVulnerabilitiesMDKSA-2007:071xmms-skinbitmap-bo(33203)The MicroWorld Agent service (MWAGENT.EXE) in MicroWorld Technologies eScan 8.0.671.1, and possibly other versions, allows remote or local attackers to gain privileges and execute arbitrary commands by connecting directly to TCP port 2222.ADV-2007-160923809237591018007escan-mwagent-security-bypass(34009)PHP remote file inclusion vulnerability in includes/functions.php in phpBB2-MODificat 0.2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.22320ADV-2007-0422 3231 phpbb2modificat-functions-file-include(31985)Unspecified vulnerability in Nexuiz 2.2.2 allows remote attackers to read and overwrite arbitrary files via the gamedir command.ADV-2007-042723963 22332 nexuiz-gamedir-information-disclosure(32040)The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal allow remote attackers to bypass the CAPTCHA test via an empty captcha element in $_SESSION.22329ADV-2007-04312398323985 captcha-response-security-bypass(31994) textimage-captcha-security-bypass(31984)download.php in the MuddyDogPaws FileDownload snippet before 2.5 for MODx allows remote attackers to download arbitrary files, as demonstrated by downloading config.inc.php to obtain database credentials.22327ADV-2007-042623953Cross-site scripting (XSS) vulnerability in the IFrame module before 03.02.01 for DotNetNuke (DNN) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "Pass through values."ADV-2007-0433 22334 dotnetnuke-iframe-unspecified-xss(32037)Intel Enterprise Southbridge 2 Baseboard Management Controller (BMC), Intel Server Boards 5000XAL, S5000PAL, S5000PSL, S5000XVN, S5000VCL, S5000VSA, SC5400RA, and OEM Firmware for Intel Enterprise Southbridge Baseboard Management Controller before 20070119, when Intelligent Platform Management Interface (IPMI) is enabled, allow remote attackers to connect and issue arbitrary IPMI commands, possibly triggering a denial of service.ADV-2007-043223989 22341PHP remote file inclusion vulnerability in includes/usercp_viewprofile.php in Hailboards 1.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.22333 3236 ADV-2007-0450 24002 hailboards-usercpviewprofile-file-include(31997)SQL injection vulnerability in index.php in Eclectic Designs CascadianFAQ 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the qid parameter, a different vector than CVE-2007-0631. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-0424thttpd before 2.25b-r6 in Gentoo Linux is started from the system root directory (/) by the Gentoo baselayout 1.12.6 package, which allows remote attackers to read arbitrary files.GLSA-200701-282234924018Format string vulnerability in the SCP module in Ipswitch WS_FTP 2007 Professional might allow remote attackers to execute arbitrary commands via format string specifiers in the filename, related to the SHELL WS_FTP script command.20070126 WS_FTP 2007 Professional SCP handling format string vulnerability22275wsftp-scphandler-format-string(31865)Ipswitch WS_FTP Server 5.04 allows FTP site administrators to execute arbitrary code on the system via a long input string to the (1) iFTPAddU or (2) iFTPAddH file, or to a (3) edition module.20070201 Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities20070202 Re: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities20070202 Re: Re: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilities20070202 Re[2]: Ipswitch WS_FTP Server 5.04 multiple arbitrary code execution vulnerabilitieswsftp-iftpaddu-privilege-escalation(32176)The redirect function in Form.pm for (1) LedgerSMB before 1.1.5 and (2) SQL-Ledger allows remote authenticated users to execute arbitrary code via redirects, related to callbacks, a different issue than CVE-2006-5872.20070127 Arbitrary Code Execution in SQL-Ledger and LedgerSMB through redirectsADV-2007-040720070206 Unofficial SQL-Ledger patch for CVE-2007-0667222952217The Loopback Filesystem (LOFS) in Sun Solaris 10 allows local users in a non-global zone to move and rename files in a read-only filesystem, which could lead to a denial of service.102699 22364 ADV-2007-0462 1017582 23996 solaris-loopbackfs-dos(32140)oval:org.mitre.oval:def:1372Unspecified vulnerability in Twiki 4.0.0 through 4.1.0 allows local users to execute arbitrary Perl code via unknown vectors related to CGI session files.VU#584436 OpenPKG-SA-2007.009 22378 ADV-2007-0544 24091 twiki-cgisession-code-execution(32389)Buffer overflow in bos.rte.libc in IBM AIX 5.2 and 5.3 allows local users to execute arbitrary code via the "r-commands", possibly including (1) rdist, (2) rsh, (3) rcp, (4) rsync, and (5) rlogin.IY9430123995IY943682237022456ADV-2007-04713169610175831017607aix-rdist-bo(32184)Unspecified vulnerability in Microsoft Excel 2000, XP, 2003, and 2004 for Mac, and possibly other Office products, allows remote user-assisted attackers to execute arbitrary code via unknown attack vectors, as demonstrated by Exploit-MSExcel.h in targeted zero-day attacks.MS07-015VU#61374022383ADV-2007-0463101758424008office-unspecified-code-execution(32178)TA07-044Aoval:org.mitre.oval:def:301LGSERVER.EXE in BrightStor Mobile Backup 4.0 allows remote attackers to cause a denial of service (disk consumption and daemon hang) via a value of 0xFFFFFF7F at a certain point in an authentication negotiation packet, which writes a large amount of data to a .USX file in CA_BABLDdata\Server\data\transfer\.20070131 Remote Unauthenticated Resource Exhaustion CA Mobile BackupService22339LGSERVER.EXE in BrightStor ARCserve Backup for Laptops & Desktops r11.1 allows remote attackers to cause a denial of service (daemon crash) via a value of 0xFFFFFFFF at a certain point in an authentication negotiation packet, which results in an out-of-bounds read.20070131 Remote DOS BrightStor ARCserve Backup for Laptops & Desktops223372218Pictures and Videos on Windows Mobile 5.0 and Windows Mobile 2003 and 2003SE for Smartphones and PocketPC allows user-assisted remote attackers to cause a denial of service (device hang) via a malformed JPEG file.22343ADV-2007-0434picturesvideos-jpeg-dos(32002)A certain ActiveX control in sapi.dll (aka the Speech API) in Speech Components in Microsoft Windows Vista, when the Speech Recognition feature is enabled, allows user-assisted remote attackers to delete arbitrary files, and conduct other unauthorized activities, via a web page with an embedded sound object that contains voice commands to an enabled microphone, allowing for interaction with Windows Explorer.[dailydave] 20070130 Vista speach recognition[dailydave] 20070130 Vista speach recognition[dailydave] 20070130 Vista speach recognition[dailydave] 20070131 Vista speach recognition22359MS08-032TA08-162BSQL injection vulnerability in faq.php in ExoPHPDesk 1.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.Successful exploitation requires that "magic_quotes_gpc" is disabled.Exploit 323422338exophpdesk-faq-sql-injection(31998) 3234 ADV-2007-0452PHP remote file inclusion vulnerability in fw/class.Quick_Config_Browser.php in Cadre PHP Framework 20020724 allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[config][framework_path] parameter.20070131 [ECHO_ADV_63$2007] Cadre remote file inclusion22336cadre-classquickconfigbrowser-file-include(32005) 3237 ADV-2007-04492215SQL injection vulnerability in windows.asp in Fullaspsite Asp Hosting Sitesi allows remote attackers to execute arbitrary SQL commands via the kategori_id parameter.22347 3233 ADV-2007-0453 fullaspsite-windows-sql-injection(32020)PHP remote file inclusion vulnerability in lang/leslangues.php in Nicolas Grandjean PHPMyRing 4.1.3b and earlier allows remote attackers to execute arbitrary PHP code via a URL in the fichier parameter.22345 3238 ADV-2007-0448 phpmyring-leslangues-file-include(32033)PHP remote file inclusion vulnerability in includes/functions.php in Phpbb Tweaked 3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.22344 3235 ADV-2007-0451 24001 phpbbtweaked-functions-file-include(32024)profile.php in ExtCalendar 2 and earlier allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions, via modified values to register.php. 3239 extcalendar-profile-security-bypass(32035)PHP remote file inclusion vulnerability in theme/include_mode/template.php in JV2 Folder Gallery 3.0.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the galleryfilesdir parameter.24012 3240 22354 ADV-2007-0447 jv2gallery-template-file-include(32043)PHP remote file inclusion vulnerability in includes/functions.php in Omegaboard 1.0beta4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.Exploit 3242 20070201 Omegaboard v1.0b4 (phpbb_root_path) Remote File Include Exploit 20070201 Omegaboard v1.0b4 (phpbb_root_path) Remote File Include Exploit 3242 22355 ADV-2007-0445 omegaboard-functions-file-include(32057)PHP remote file inclusion vulnerability in portal.php in Cerulean Portal System 0.7b allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. 20070201 Cerulean Portal System (phpbb_root_path) Remote File Include Exploit 3243 22356 ADV-2007-0444 cerulean-portal-file-include(32058)Internet Explorer on Windows Mobile 5.0 and Windows Mobile 2003 and 2003SE for Smartphones and PocketPC allows attackers to cause a denial of service (application crash and device instability) via unspecified vectors, possibly related to a buffer overflow.22343ADV-2007-0434ie-mobile-unspecified-bo(32001)The Intel 2200BG 802.11 Wireless Mini-PCI driver 9.0.3.9 (w29n51.sys) allows remote attackers to cause a denial of service (system crash) via crafted disassociation packets, which triggers memory corruption of "internal kernel structures," a different vulnerability than CVE-2006-6651. NOTE: this issue might overlap CVE-2006-3992. 3224SQL injection vulnerability in i-search.php in Michelle's L2J Dropcalc 4 and earlier allows remote authenticated users to execute arbitrary SQL commands via the itemid parameter.22335l2j-isearch-sql-injection(32003) 3232SQL injection vulnerability in oku.asp in Hunkaray Duyuru Scripti allows remote attackers to execute arbitrary SQL commands via the id parameter. 3241 ADV-2007-0446 hds-oku-sql-injection(32042)20070607 H&uuml;nkaray Duyuru Script Remote SQL &#304;njection2436725581MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message.20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities 20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilitiesmybb-eventmembercaptcha-info-disclosure(34336)myEvent 1.6 allows remote attackers to obtain sensitive information via (1) a Log In action without a password to login.php, or an invalid (2) view[] or (3) monthno[] parameter to myevent.php, which reveals the path in various error messages.20070528 myEvent version 1.6 Multiple Path Disclosure Vulnerabilities342722744myevent-myevent-login-path-disclosure(34542)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2066. Reason: This candidate is a duplicate of CVE-2007-2066. Notes: All CVE users should reference CVE-2007-2066 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.DGNews 2.1 allows remote attackers to obtain sensitive information via a fullnews request to news.php with an invalid newsid parameter, and other unspecified vectors, which reveal the path in various error messages.20070528 DGNews version 2.1 Path Disclosure Vulnerability342262741dgnews-news-path-disclosure(34540)SQL injection vulnerability in news.php in DGNews 2.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter in a newslist action. NOTE: this issue can produce resultant cross-site scripting (XSS).20070528 DGNews version 2.1 SQL Injection Vulnerability2420134227ADV-2007-1981254382740dgnews-news-sql-injection(34539)Cross-site scripting (XSS) vulnerability in footer.php in DGNews 2.1 allows remote attackers to inject arbitrary web script or HTML via the copyright parameter.20070528 DGNews version 2.1 XSS Attack Vulnerability2420034228ADV-2007-1981254382739dgnews-footer-xss(34537)Multiple SQL injection vulnerabilities in Free LAN In(tra|ter)net Portal (FLIP) before 1.0-RC3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: some sources mention the escape_sqlData, implode_sql, and implode_sqlIn functions, but these are protection schemes, not the vulnerable functions.20070203 FLIP SQL injection clarificationADV-2007-0454flip-multiple-sql-injection(31902)Cross-site scripting (XSS) vulnerability in error messages in Free LAN In(tra|ter)net Portal (FLIP) before 1.0-RC3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, different vectors than CVE-2007-0611.ADV-2007-0454flip-triggererrortext-xss(31900)index2.php in ACGVannu 1.3 and earlier allows remote attackers to change the password or profile of a user via a modified id parameter, related to templates/modif.html. NOTE: some of these details are obtained from third party information.22279ADV-2007-0388acgv-multiple-security-bypass(31893) 3208 24072Multiple SQL injection vulnerabilities in ACGVannu 1.3 and earlier allow remote attackers to execute arbitrary SQL commands via the id_mod parameter to templates/modif.html, and other unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-038834666PHP remote file inclusion vulnerability in includes/includes.php in Guernion Sylvain Portail Web Php (aka Gsylvain35 Portail Web, PwP) before 2.5.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the site_path parameter.20070201 php web portail [remote file include & local file include]20070201 Fwd: php web portail [remote file include & local file include]22361ADV-2007-0457portailwebphp-includes-file-include(32121)2223Directory traversal vulnerability in index.php in Guernion Sylvain Portail Web Php (aka Gsylvain35 Portail Web, PwP) allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter. NOTE: this issue was later reported for 2.5.1.1.20070201 php web portail [remote file include & local file include]20070201 Fwd: php web portail [remote file include & local file include]20070202 Local File Inclusion inconclusive in PwP (was Fwd: php web portail [remote file include & local fileinclude])20070202 Local File Inclusion inconclusive in PwP (was Fwd: php web portail [remote file include & local fileinclude])22361portailwebphp-index-file-include(32115)518227962PHP remote file inclusion vulnerability in inc/common.inc.php in Epistemon 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_path parameter.Exploit 324720070201 true: Epistemon 1.0 <= Remote File Include Vulnerability22360ADV-2007-0459 3247 24003Multiple PHP remote file inclusion vulnerabilities in phpEventMan 1.0.2 allow remote attackers to execute arbitrary PHP code via a URL in the level parameter to (1) Shared/controller/text.ctrl.php or (2) UserMan/controller/common.function.php.20070201 true: phpEventMan RFI Vuln.22358ADV-2007-046024000 3246PHP remote file inclusion vulnerability in library/StageLoader.php in WebBuilder 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[core][module_path] parameter.20070201 true: WebBuilder <= 2.0 Remote File Include VulnerabilityADV-2007-0458 3249PHP remote file inclusion vulnerability in install.php in Somery 0.4.6 allows remote attackers to execute arbitrary PHP code via a URL in the skindir parameter, a different vector than CVE-2006-4669. NOTE: the documentation says to remove install.php after installation.20070201 True: Somery 0.4.6 (skindir install.php) Remote file include 2329Cross-zone scripting vulnerability in Sleipnir 2.49 and earlier, and Portable Sleipnir 2.45 and earlier, allows remote attackers to bypass Web content zone restrictions via certain script contained in RSS data. NOTE: some of these details are obtained from third party information.ADV-2007-036423927Cross-zone scripting vulnerability in Darksky RSS bar for Internet Explorer before 1.29, RSS bar for Sleipnir before 1.29, and RSS bar for unDonut before 1.29 allows remote attackers to bypass Web content zone restrictions via certain script contained in RSS data. NOTE: some of these details are obtained from third party information.ADV-2007-0365Stack-based buffer overflow in GOM Player 2.0.12.3375 allows user-assisted remote attackers to execute arbitrary code via a .ASX file with a long URI in the "ref href" tag. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.23994 gomplayer-asx-bo(32164)cmdmon.sys in Comodo Firewall Pro (formerly Comodo Personal Firewall) before 2.4.16.174 does not validate arguments that originate in user mode for the (1) NtConnectPort and (2) NtCreatePort hooked SSDT functions, which allows local users to cause a denial of service (system crash) and possibly gain privileges via invalid arguments.20070201 Comodo Multiple insufficient argument validation of hooked SSDT function Vulnerability223571017580comodofirewallpro-cmdmon-dos(32059)cmdmon.sys in Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.16.174 and earlier does not validate arguments that originate in user mode for the (1) NtCreateSection, (2) NtOpenProcess, (3) NtOpenSection, (4) NtOpenThread, and (5) NtSetValueKey hooked SSDT functions, which allows local users to cause a denial of service (system crash) and possibly gain privileges via invalid arguments.20070201 Comodo Multiple insufficient argument validation of hooked SSDT function Vulnerability223571017580comodofirewallpro-cmdmon-dos(32059)The Bonjour functionality in iChat in Apple Mac OS X 10.3.9 allows remote attackers to cause a denial of service (persistent application crash) via unspecified vectors, possibly related to CVE-2007-0614.APPLE-SA-2007-02-1524198VU#83602422304327131017661Integer overflow in Apple QuickTime before 7.1.5, when installed on Windows operating systems, allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted 3GP video file.APPLE-SA-2007-03-05 TA07-065A VU#568689 22827 ADV-2007-0825 1017725 24359 quicktime-3gpvideo-overflow(32814)Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MIDI file.APPLE-SA-2007-03-05 TA07-065A VU#822481 22827 ADV-2007-0825 1017725 24359 quicktime-midi-files-bo(32816)Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted QuickTime movie file.APPLE-SA-2007-03-05 20070306 Apple QuickTime Player Remote Heap Overflow TA07-065A VU#880561 22827 22843 ADV-2007-0825 1017725 24359 quicktime-quicktime-bo(32817)Integer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted QuickTime movie with a User Data Atom (UDTA) with an Atom size field with a large value.This vulnerability is addressed in latest version of Quicktime 7.1.5 APPLE-SA-2007-03-0520070306 Apple QuickTime udta ATOM Integer Overflow20070307 ZDI-07-010: Apple Quicktime UDTA Parsing Heap Overflow VulnerabilityTA07-065AVU#8618172282722844ADV-2007-0825101772524359quicktime-udta-atoms-overflow(32819)Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PICT file.APPLE-SA-2007-03-05 TA07-065A VU#448745 22827 ADV-2007-0825 1017725 24359 quicktime-pict-file-bo(32821)Stack-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted QTIF file.APPLE-SA-2007-03-05TA07-065AVU#64243322827ADV-2007-0825101772524359quicktime-qtif-bo(32822)Integer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted QTIF file.APPLE-SA-2007-03-05TA07-065AVU#41099322827ADV-2007-0825101772524359quicktime-qtif-overflow(32823)Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a QTIF file with a Video Sample Description containing a Color table ID of 0, which triggers memory corruption when QuickTime assumes that a color table exists.APPLE-SA-2007-03-0520070305 Apple QuickTime Color Table ID Heap Corruption Vulnerability20070306 [Reversemode Advisory] Apple Quicktime Color ID remote heap corruptionTA07-065AVU#3132252282722839ADV-2007-0825101772524359quicktime-qtif-file-bo(32826)Stack-based buffer overflow in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to execute arbitrary code via an image with a crafted ColorSync profile.APPLE-SA-2007-03-13 VU#449440 22948 ADV-2007-0930 1017751 24479TA07-072A34845The CUPS service on multiple platforms allows remote attackers to cause a denial of service (service hang) via a "partially-negotiated" SSL connection, which prevents other requests from being accepted.APPLE-SA-2007-03-13FEDORA-2007-121922948ADV-2007-0930ADV-2007-0949101775024479245172453020070325 FLEA-2007-0003-1: cupsGLSA-200703-282312724660 MDKSA-2007:086 RHSA-2007:0123 24878 24895 SUSE-SR:2007:009 25119MDKSA-2007:086SUSE-SR:2007:014TA07-072A254972608326413Unspecified vulnerability in diskimages-helper in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to execute arbitrary code via a crafted compressed disk image that triggers memory corruption.APPLE-SA-2007-03-13 22948 ADV-2007-0930 1017751 24479TA07-072A34846Integer overflow in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to execute arbitrary code via a crafted AppleSingleEncoding disk image.APPLE-SA-2007-03-13 VU#124280 22948 ADV-2007-0930 1017751 24479TA07-072A34847Unspecified vulnerability in the authentication feature for DirectoryService (DS Plug-Ins) for Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote authenticated LDAP users to modify the root password and gain privileges via unknown vectors.APPLE-SA-2007-03-13 VU#557064 22948 ADV-2007-0930 1017751 24479TA07-072A34848The IOKit HID interface in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 does not sufficiently limit access to certain controls, which allows local users to gain privileges by using HID device events to read keystrokes from the console.APPLE-SA-2007-03-13 22948 ADV-2007-0930 1017751 24479 macos-hid-privilege-escalation(32973) APPLE-SA-2007-04-19 ADV-2007-1470 1017942 24966TA07-072ATA07-109A34855Buffer overflow in the AirPortDriver module for AirPort in Apple Mac OS X 10.3.9 through 10.4.9, when running on hardware with the original AirPort wireless card, allows local users to execute arbitrary code by "sending malformed control commands."APPLE-SA-2007-04-19ADV-2007-1470 23569 24966TA07-109A34857The SSH key generation process in OpenSSH in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote attackers to cause a denial of service by connecting to the server before SSH has finished creating keys, which causes the keys to be regenerated and can break trust relationships that were based on the original keys.APPLE-SA-2007-03-13 22948 ADV-2007-0930 1017756 24479 macos-openssh-dos(32975)TA07-072A34850Unspecified vulnerability in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 creates files insecurely while initializing a USB printer, which allows local users to create or overwrite arbitrary files.APPLE-SA-2007-03-13 22948 ADV-2007-0930 1017751 24479 macos-usbprinter-file-overwrite(32976)TA07-072A34849Apple File Protocol (AFP) Client in Apple Mac OS X 10.3.9 through 10.4.9 does not properly clean the environment before executing commands, which allows local users to gain privileges by setting unspecified environment variables.APPLE-SA-2007-04-19VU#312424ADV-2007-147023569101794424966TA07-109A34858Server Manager (servermgrd) in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 does not sufficiently validate authentication credentials, which allows remote attackers to bypass authentication and modify system configuration.APPLE-SA-2007-03-13 22948 ADV-2007-0930 1017751 24479 macos-servermanager-authentication-bypass(32978)TA07-072A34851Stack-based buffer overflow in the Apple-specific Samba module (SMB File Server) in Apple Mac OS X 10.4 through 10.4.8 allows context-dependent attackers to execute arbitrary code via a long ACL.APPLE-SA-2007-03-13 22948 ADV-2007-0930 1017754 24479 macos-smbfileserver-bo(32979)TA07-072A34852Unspecified vulnerability in the CoreServices daemon in CarbonCore in Apple Mac OS X 10.4 through 10.4.9 allows local users to gain privileges via unspecified vectors involving "obtaining a send right to [the] Mach task port."The vendor has addressed this issue through Mac OS software updates. APPLE-SA-2007-04-19ADV-2007-1470 23569 1017942 24966TA07-109A34859Unspecified vulnerability in ImageIO in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote user-assisted attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted RAW image that triggers memory corruption.APPLE-SA-2007-03-13 VU#873868 22948 ADV-2007-0930 1017758 24479 macos-imageio-code-execution(32974)TA07-072A34853fsck, as used by the AirPort Disk feature of the AirPort Extreme Base Station with 802.11n before Firmware Update 7.1, and by Apple Mac OS X 10.3.9 through 10.4.9, does not properly enforce password protection of a USB hard drive, which allows context-dependent attackers to list arbitrary directories or execute arbitrary code, resulting from memory corruption.APPLE-SA-2007-04-09ADV-2007-130824830233961017889airportextreme-airportdisk-info-disclosure(33527)APPLE-SA-2007-04-1923569ADV-2007-1470101794224966TA07-109AUse-after-free vulnerability in Libinfo in Apple Mac OS X 10.3.9 through 10.4.9 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors involving crafted web pages that trigger certain error conditions that are not properly reported in certain circumstances, resulting in accessing deallocated memory.APPLE-SA-2007-04-1923569ADV-2007-1470 1017942 24966TA07-109A34860Integer overflow in the RPC library in Libinfo in Apple Mac OS X 10.3.9 through 10.4.9 allows remote attackers to execute arbitrary code via crafted requests to portmap.APPLE-SA-2007-04-1923569ADV-2007-1470 1017942 24966 macos-rpc-code-execution(33782)TA07-109A34861The Login Window in Apple Mac OS X 10.3.9 through 10.4.9 does not properly check certain environment variables, which allows local users to gain privileges via unspecified vectors.APPLE-SA-2007-04-1923569ADV-2007-14701017939 24966TA07-109A34862The Login Window in Apple Mac OS X 10.4 through 10.4.9 does not display the screen saver authentication dialog in certain circumstances when waking from sleep, even though the "require a password to wake the computer from sleep" option is enabled, which allows local users to bypass authentication controls.APPLE-SA-2007-04-1923569ADV-2007-14701017939 24966TA07-109A34863The Login Window in Apple Mac OS X 10.4 through 10.4.9 displays the software update window beneath the loginwindow authentication dialog in certain circumstances related to running scheduled tasks, which allows local users to bypass authentication controls.APPLE-SA-2007-04-1923569ADV-2007-14701017939 24966TA07-109A34864Alias Manager in Apple Mac OS X 10.3.9 and 10.4.9 does not display files with the same name in mounted disk images that have the same name, which might allow user-assisted attackers to trick a user into executing malicious files.APPLE-SA-2007-05-2424144ADV-2007-193935147101812125402macos-diskimage-code-execution(34498)Buffer overflow in natd in network_cmds in Apple Mac OS X 10.3.9 through 10.4.9, when Internet Sharing is enabled, allows remote attackers to execute arbitrary code via malformed RTSP packets.APPLE-SA-2007-04-1923569ADV-2007-1470 1017942 24966TA07-109A34865The WebFoundation framework in Apple Mac OS X 10.3.9 and earlier allows subdomain cookies to be accessed by the parent domain, which allows remote attackers to obtain sensitive information.APPLE-SA-2007-04-1923569ADV-2007-1470 1017942 24966TA07-109A34866URLMount in Apple Mac OS X 10.3.9 through 10.4.9 passes the username and password credentials for mounting filesystems on SMB servers as command line arguments to the mount_sub command, which may allow local users to obtain sensitive information by listing the process.APPLE-SA-2007-04-1923569ADV-2007-1470 1017942 24966TA07-109A34867SMB in Apple Mac OS X 10.3.9 through 10.4.9 does not properly clean the environment when executing commands, which allows local users to gain privileges by setting unspecified environment variables.APPLE-SA-2007-04-1923569ADV-2007-1470 24966TA07-109A34868The Apple Security Update 2007-004 uses an incorrect configuration file for FTPServer in Apple Mac OS X Server 10.4.9, which might allow remote authenticated users to access additional directories.APPLE-SA-2007-05-01 1017990 macos-ftpserver-unauthorized-access(34001)34869Heap-based buffer overflow in the VideoConference framework in Apple Mac OS X 10.3.9 through 10.4.9 allows remote attackers to execute arbitrary code via a "crafted SIP packet when initializing an audio/video conference".APPLE-SA-2007-04-19VU#96996923569ADV-2007-1470 1017942 24966TA07-109A34870load_webdav in Apple Mac OS X 10.3.9 through 10.4.9 does not properly clean the environment when mounting a WebDAV filesystem, which allows local users to gain privileges by setting unspecified environment variables.APPLE-SA-2007-04-1923569ADV-2007-1470 VU#474969 1017942 24966TA07-109A34871Heap-based buffer overflow in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allows remote attackers to execute arbitrary code via multiple trackID values in a SETUP RTSP request.20070510 Apple Darwin Streaming Proxy Multiple VulnerabilitiesAPPLE-SA-2007-05-1023918ADV-2007-177025193 1018047 darwin-trackid-bo(34225)Multiple stack-based buffer overflows in the is_command function in proxy.c in Apple Darwin Streaming Proxy, when using Darwin Streaming Server before 5.5.5, allow remote attackers to execute arbitrary code via a long (1) cmd or (2) server value in an RTSP request.20070510 Apple Darwin Streaming Proxy Multiple VulnerabilitiesAPPLE-SA-2007-05-1023918ADV-2007-177025193 1018047 darwin-iscommand-bo(34222)Integer overflow in CoreGraphics in Apple Mac OS X 10.4 up to 10.4.9 allows remote user-assisted attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted PDF file.APPLE-SA-2007-05-2424144ADV-2007-193935146101811425402macos-pdf-bo(34499)A cleanup script in crontabs in Apple Mac OS X 10.3.9 and 10.4.9 might delete filesystems that have been mounted in /tmp, which might allow local users to cause a denial of service, related to the find command.APPLE-SA-2007-05-2424144ADV-2007-193935145101811725402macos-tmpfilesystem-dos(34500)The PPP daemon (pppd) in Apple Mac OS X 10.4.8 checks ownership of the stdin file descriptor to determine if the invoker has sufficient privileges, which allows local users to load arbitrary plugins and gain root privileges by bypassing this check.20070524 Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation VulnerabilityAPPLE-SA-2007-05-2424144ADV-2007-193935144101812425402macos-pppd-privilege-escalation(34503)Format string vulnerability in the VPN daemon (vpnd) in Apple Mac OS X 10.3.9 and 10.4.9 allows local users to execute arbitrary code via the -i parameter.APPLE-SA-2007-05-2420070529 Mac OS X vpnd local format string20070529 Re: Mac OS X vpnd local format string2414424208ADV-2007-193935143101812525402macos-vpnd-format-string(34505)Heap-based buffer overflow in Apple QuickTime before 7.1.3 allows user-assisted remote attackers to execute arbitrary code via a crafted Sample Table Sample Descriptor (STSD) atom size in a QuickTime movie.This vulnerability is addressed in the following product release: Apple, QuickTime, 7.1.320070511 TPTI-07-07: Apple QuickTime STSD Parsing Heap Overflow Vulnerability23923 quicktime-stsd-bo(34244)355742703Chicken of the VNC (cotv) 2.0 allows remote attackers to cause a denial of service (application crash) via a large computer-name size value in a ServerInit packet, which triggers a failed malloc and a resulting NULL dereference.20070202 Chicken of the VNC 2.0 remote DoS22372 3257 cotv-serverinit-dos(32166) 20070426 Re: Chicken of the VNC 2.0 remote DoS2220PHP remote file inclusion vulnerability in index.php in Miguel Nunes Call of Duty 2 (CoD2) DreamStats System 4.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootpath parameter.20070202 true: DreamStats V 4.2=(index.php)=>Remote File Include22371 3251 ADV-2007-0479 24037 cod2dreamstats-index-file-include(32160)PHP remote file inclusion vulnerability in lang.php in PHPProbid 5.24 allows remote attackers to execute arbitrary PHP code via a URL in the SRC attribute of an HTML element in the lang parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.22374phpprobid-lang-file-include(32273)Multiple SQL injection vulnerabilities in EasyMoblog 0.5.1 allow remote attackers to execute arbitrary SQL commands via the (1) i or (2) post_id parameter to add_comment.php, which triggers an injection in libraries.inc.php; or (3) the i parameter to list_comments.php, which triggers an injection in libraries.inc.php.2236919370EQdkp 1.3.1 and earlier authenticates administrative requests by verifying that the HTTP Referer header specifies an admin/ URL, which allows remote attackers to read or modify account names and passwords via a spoofed Referer.20805 3252 24038 eqdkp-backup-information-disclosure(32152)PHP remote file inclusion vulnerability in config.php in phpBB ezBoard converter (ezconvert) 0.2 allows remote attackers to execute arbitrary PHP code via a URL in the ezconvert_dir parameter.20070202 true: phpBB ezBoard converter 0.2 (ezconvert_dir) Remote File Include Exploitezboard-config-file-include(32157) 3258 ADV-2007-0473PHP remote file inclusion vulnerability in includes/functions.php in phpBB++ Build 100 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.20070202 phpBB++ Build 100 (phpbb_root_path) Remote File Include Exploit 3259 22376 ADV-2007-0472 24034 phpbbplusplus-functions-file-include(32159)Cross-site scripting (XSS) vulnerability in the news comment functionality in F3Site 2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the Autor field.22379 3255 f3site-autor-xss(32188)Unrestricted file upload vulnerability in F3Site 2.1 and earlier allows remote authenticated administrators to upload and execute arbitrary PHP scripts via GIF86 header in a file in the uplf parameter, which can be later accessed via a relative pathname in the dir parameter in adm.php. 3255 f3site-adm-file-upload(32189)SQL injection vulnerability in news.php in dB Masters Curium CMS 1.03 and earlier allows remote attackers to execute arbitrary SQL commands via the c_id parameter.22373curium-news-sql-injection(32148) 3256 ADV-2007-0474 24032Stack-based buffer overflow in Remotesoft .NET Explorer 2.0.1 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long line in a .cpp file.223773254netexplorer-char-bo(32182)Cross-site scripting (XSS) vulnerability in the core in Phorum before 5.1.18 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.ADV-2007-0410phorum-core-xss(44201)Multiple cross-site scripting (XSS) vulnerabilities in the Contact Details functionality in Yahoo! Messenger 8.1.0.209 and earlier allow user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG element to the (1) First Name, (2) Last Name, and (3) Nickname fields. NOTE: some of these details are obtained from third party information.Access Complexity: Successful exploitation requires that the attacker is in the messenger list of the target.20070126 Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger20070127 RE: Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger20070127 Re: Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger2226923928** DISPUTED ** Cross-site scripting (XSS) vulnerability in register.php in Phorum 5.1.18 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the vendor disputes this vulnerability, stating that "The characters are escaped properly."20070129 Phorum HTML Injection Vulnerability20070129 Re: Phorum HTML Injection Vulnerability22297ADV-2007-0410Buffer overflow in GraphicsMagick and ImageMagick allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. NOTE: this issue is due to an incomplete patch for CVE-2006-5456.20070208 rPSA-2007-0029-1 ImageMagickMDKSA-2007:041 DSA-1260 SUSE-SR:2007:003 USN-422-1 31911 24167 24196MDKSA-2007:041The utrace support in Linux kernel 2.6.18, and other versions, allows local users to cause a denial of service (system hang) related to "MT exec + utrace_attach spin failure mode," as demonstrated by ptrace-thrash.c.RHSA-2007:016923720101797925080kernel-utracesupport-dos(34128)The Linux kernel 2.6.13 and other versions before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer.ADV-2007-066024215FEDORA-2007-277FEDORA-2007-291MDKSA-2007:060SUSE-SA:2007:018SUSE-SA:2007:0212262524201244002448224547kernel-nfsaclsvc-dos(32578)MDKSA-2007:07824777USN-451-12475220070615 rPSA-2007-0124-1 kernel xenMDKSA-2007:060MDKSA-2007:07825691The Linux kernel before 2.6.9-42.0.8 in Red Hat 4.4 allows local users to cause a denial of service (kernel OOPS from null dereference) via fput in a 32-bit ioctl on 64-bit x86 systems, an incomplete fix of CVE-2005-3044.1.RHSA-2007:0488SUSE-SA:2007:053258382628927227Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine. 20070302 ZDI-07-008: Apache Tomcat JK Web Server Connector Long URL Stack Overflow Vulnerability GLSA-200703-16 RHSA-2007:0096 22791 ADV-2007-0809 1017719 24398 24558 tomcat-mapuritoworker-bo(32794)HPSBUX02262ADV-2007-33862703720080130 Cisco Wireless Control System Tomcat mod_jk.so VulnerabilityADV-2008-033128711Multiple unspecified vulnerabilities in the layout engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allow remote attackers to cause a denial of service (crash) and potentially execute arbitrary code via certain vectors.SSA:2007-066-03SSA:2007-066-04SSA:2007-066-05SUSE-SA:2007:0223211424406244552445624457243422558820070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-281FEDORA-2007-293GLSA-200703-04GLSA-200703-08GLSA-200703-18MDKSA-2007:050MDKSA-2007:052RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-1USN-431-1VU#76175622694ADV-2007-0719ADV-2007-071810176982423824252242872429024205243282433324343243202429324393243952438424389244102443724522mozilla-multiple-layout-code-execution(32704)20070301-01-P24650DSA-1336FEDORA-2007-308FEDORA-2007-309MDKSA-2007:05020070202-01-PHPSBUX02153ADV-2008-0083Heap-based buffer overflow in the _cairo_pen_init function in Mozilla Firefox 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to execute arbitrary code via a large stroke-width attribute in the clipPath element in an SVG file.20070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-281FEDORA-2007-293GLSA-200703-04GLSA-200703-08GLSA-200703-18MDKSA-2007:052SUSE-SA:2007:019USN-428-1USN-431-1VU#55143622694ADV-2007-0719ADV-2007-0718101769824238242522420524328243332432024293243932438424389244102443724522firefox-strokewidth-bo(32698)FEDORA-2007-308FEDORA-2007-309SSA:2007-066-03SSA:2007-066-04SSA:2007-066-05SUSE-SA:2007:0223211324406244552445624457HPSBUX02153ADV-2008-0083The JavaScript engine in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain vectors that trigger memory corruption.Successful exploitation in Thunderbird requires that JavaScript be enabled in mail which is not the default setting. 20070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-281FEDORA-2007-293GLSA-200703-04GLSA-200703-08GLSA-200703-18MDKSA-2007:050MDKSA-2007:052RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-1USN-431-1VU#26948422694ADV-2007-0719ADV-2007-071810176982423824252242872429024205243282433324343243202429324393243952438424389244102443724522mozilla-multiple-javascript-code-execution(32699)20070301-01-P24650FEDORA-2007-308FEDORA-2007-309MDKSA-2007:05020070202-01-PSSA:2007-066-03SSA:2007-066-04SSA:2007-066-05SUSE-SA:2007:022321152440624455244562445724342HPSBUX02153ADV-2008-0083The page cache feature in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 can generate hash collisions that cause page data to be appended to the wrong page cache, which allows remote attackers to obtain sensitive information or enable further attack vectors when the target page is reloaded from the cache.20070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-281FEDORA-2007-293GLSA-200703-04GLSA-200703-08MDKSA-2007:050RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-122694ADV-2007-071832110101769924238242872429024205243282433324343243202429324393243952438424437mozilla-diskcache-information-disclosure(32671)20070301-01-P24650DSA-1336MDKSA-2007:05020070202-01-PSSA:2007-066-03SSA:2007-066-05SUSE-SA:2007:02224455244572434225588HPSBUX02153ADV-2008-0083GUI overlay vulnerability in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 allows remote attackers to spoof certain user interface elements, such as the host name or security indicators, via the CSS3 hotspot property with a large, transparent, custom cursor.20070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-281FEDORA-2007-293GLSA-200703-04GLSA-200703-08MDKSA-2007:050RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-122694ADV-2007-071810177002423824287242902420524328243332434324320242932439324395243842443720070301-01-P24650MDKSA-2007:05020070202-01-PSSA:2007-066-03SSA:2007-066-05SUSE-SA:2007:022244552445724342HPSBUX02153ADV-2008-0083browser.js in Mozilla Firefox 1.5.x before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 uses the requesting URI to identify child windows, which allows remote attackers to conduct cross-site scripting (XSS) attacks by opening a blocked popup originating from a javascript: URI in combination with multiple frames having the same data: URI. 20070226 rPSA-2007-0040-1 firefox 20070303 rPSA-2007-0040-3 firefox thunderbird FEDORA-2007-281 FEDORA-2007-293 GLSA-200703-04 GLSA-200703-08 MDKSA-2007:050 RHSA-2007:0079 RHSA-2007:0077 RHSA-2007:0078 RHSA-2007:0097 RHSA-2007:0108 SUSE-SA:2007:019 USN-428-1 22694 ADV-2007-0718 32107 1017702 24238 24287 24290 24205 24328 24333 24343 24320 24293 24393 24395 24384 24437 mozilla-dataurl-xss(32667) 20070301-01-P 24650MDKSA-2007:05020070202-01-PSSA:2007-066-03SSA:2007-066-05SUSE-SA:2007:022244552445724342HPSBUX02153SQL injection vulnerability in login.asp for tPassword in the Raymond BERTHOU script collection (aka RBL - ASP) allows remote attackers to execute arbitrary SQL commands via the (1) User and (2) Password parameters.20070127 RBL - ASP (scripts with db) SQL injection20070129 RBL - ASP (scripts with db) SQL injection20070131 Partial source code verify - 2225PHP remote file inclusion vulnerability in previewtheme.php in Flipsource Flip 2.01-final 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the inc_path parameter.22385ADV-2007-0476 3266 flip-previewtheme-file-include(32174)SQL injection vulnerability in view.php in Noname Media Photo Galerie Standard 1.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.22384ADV-2007-0475 326124029photogalerie-view-sql-injection(32171)PHP remote file inclusion vulnerability in controller.php in Simple Invoices before 20070202 allows remote attackers to execute arbitrary PHP code via a URL in the (1) module or (2) view parameter. NOTE: some of these details are obtained from third party information.Successful exploitation requires that "register_globals" is enabled and "magic_quotes_gpc" is disabled.24040 22389 ADV-2007-0481 simpleinvoices-controller-file-include(32207)Cross-site scripting (XSS) vulnerability in MediaWiki 1.9.x before 1.9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "sortable tables JavaScript."24039 [MediaWiki-announce] 20070204 MediaWiki 1.9.2 released 22397 ADV-2007-0490 mediawiki-sortabletable-xss(32217)SQL injection vulnerability in Mambo before 4.5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors in cancel edit functions, possibly related to the id parameter.ADV-2007-048024044Heap-based buffer overflow in SmartFTP 2.0.1002 allows remote FTP servers to execute arbitrary code via a large banner. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.24051 22390 smartftp-banner-bo(32214)Cross-site scripting (XSS) vulnerability in Atom feeds in Bugzilla 2.20.3, 2.22.1, and 2.23.3, and earlier versions down to 2.20.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.20070203 Security Advisory for Bugzilla 2.20.3, 2.22.1, and 2.23.322380ADV-2007-0477101758524031 bugzilla-atom-feed-xss(32248)2222The mod_perl initialization script in Bugzilla 2.23.3 does not set the Bugzilla Apache configuration to allow .htaccess permissions to override file permissions, which allows remote attackers to obtain the database username and password via a direct request for the localconfig file.20070203 Security Advisory for Bugzilla 2.20.3, 2.22.1, and 2.23.322380ADV-2007-04771017585 bugzilla-htaccess-information-disclosure(32252)2222PHP remote file inclusion vulnerability in inc/common.php in GlobalMegaCorp dvddb 0.6 allows remote attackers to execute arbitrary PHP code via a URL in the config parameter.20070204 dvddb-0.6 media remote file include vuln.2221** DISPUTED ** SQL injection vulnerability in inc/common.php in GlobalMegaCorp dvddb 0.6 allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: this issue has been disputed by a reliable third party, who states that inc/common.php only contains function definitions.20070204 dvddb-0.6 media sql-inj. vuln.20070205 Re: dvddb-0.6 media sql-inj. vuln.20071002 Re: dvddb-0.6 media sql-inj. vuln.Multiple PHP remote file inclusion vulnerabilities in Wap Portal Server 1.x allow remote attackers to execute arbitrary PHP code via a URL in the language parameter to (1) index.php and (2) admin/index.php.20070203 Wap Portal Serve 1.* <= Remote File Inclusion wapportal-index-file-include(32196)2216Blue Coat Systems WinProxy 6.1a and 6.0 r1c, and possibly earlier, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long HTTP CONNECT request, which triggers heap corruption.20070202 Blue Coat Systems WinProxy CONNECT Method Heap Overflow VulnerabilityADV-2007-0482 22393 1017586 24049 winproxy-connect-bo(32204)PHP remote file inclusion vulnerability in theme/settings.php in bluevirus-design SMA-DB 0.3.9 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the pfad_z parameter.22391 3268 ADV-2007-0494 24035 smadb-settings-file-include(32190)Multiple cross-site scripting (XSS) vulnerabilities in Ublog Reload 1.0.5 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) login.asp; and allow remote authenticated users to inject arbitrary web script or HTML via unspecified parameters to (2) badword.asp, (3) polls.asp, and (4) users.asp.20070203 Ublog Reload Admin Panel Multiple HTML Injections22382ublog-login-xss(32185)SQL injection vulnerability in badword.asp in Ublog Reload 1.0.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.20070203 Ublog Reload Admin Panel Multiple HTML Injections22382ublog-badword-sql-injection(32187)Cross-zone vulnerability in Mozilla Firefox 1.5.0.9 considers blocked popups to have an internal zone origin, which allows user-assisted remote attackers to cross zone restrictions and read arbitrary file:// URIs by convincing a user to show a blocked popup.20070205 Firefox + popup blocker + XMLHttpRequest + srand() = oops20070205 Re: [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops22396 20070226 rPSA-2007-0040-1 firefox 20070303 rPSA-2007-0040-3 firefox thunderbird 20070205 Firefox + popup blocker + XMLHttpRequest + srand() = oops 20070205 Re: Firefox + popup blocker + XMLHttpRequest + srand() = oops FEDORA-2007-281 FEDORA-2007-293 GLSA-200703-04 GLSA-200703-08 MDKSA-2007:050 RHSA-2007:0079 RHSA-2007:0077 RHSA-2007:0078 RHSA-2007:0097 RHSA-2007:0108 SUSE-SA:2007:019 USN-428-1 22694 ADV-2007-0718 1017702 24238 24287 24290 24205 24328 24333 24343 24320 24293 24393 24395 24384 24437 firefox-popup-security-bypass(32194) 20070301-01-P 24650MDKSA-2007:05020070202-01-PSSA:2007-066-05SUSE-SA:2007:022321082445724342HPSBUX02153ADV-2008-0083The nsExternalAppHandler::SetUpTempFile function in Mozilla Firefox 1.5.0.9 creates temporary files with predictable filenames based on creation time, which allows remote attackers to execute arbitrary web script or HTML via a crafted XMLHttpRequest.20070205 Firefox + popup blocker + XMLHttpRequest + srand() = oops20070205 Re: [Full-disclosure] Firefox + popup blocker + XMLHttpRequest + srand() = oops22396 GLSA-200703-04 GLSA-200703-08 24393 2443732108Mozilla Firefox 2.0.0.1 allows remote attackers to bypass the Phishing Protection mechanism by adding certain characters to the end of the domain name, as demonstrated by the "." and "/" characters, which is not caught by the Phishing List blacklist filter.20070206 Firefox 2.0.0.1 and Opera 9.10 Anty Fraud/Phishing Protection bypass.Multiple buffer overflows in STLport before 5.0.3 allow remote attackers to execute arbitrary code via unspecified vectors relating to (1) "print floats" and (2) a missing null termination in the "rope constructor."2242324024 GLSA-200703-07 ADV-2007-0498 24428 stlport-printed-floats-bo(32242) stlport-rope-constructors-bo(32244)Directory traversal vulnerability in admin/subpages.php in GGCMS 1.1.0 RC1 and earlier allows remote attackers to inject arbitrary PHP code into arbitrary files via ".." sequences in the subpageName parameter, as demonstrated by injecting PHP code into a template file.22412ADV-2007-0492ggcms-subpages-code-execution(32211) 3271The ps (/usr/ucb/ps) command on HP Tru64 UNIX 5.1 1885 allows local users to obtain sensitive information, including environment variables of arbitrary processes, via the "auxewww" argument, a similar issue to CVE-1999-1587.20070206 PS Information Leak on HP True64 Alpha OSF1 v5.1 188520070206 Re: [Full-disclosure] PS Information Leak on HP Tru64 Alpha OSF1v5.1 188520070206 PS Information Leak on HP True64 Alpha OSF1 v5.1 188524041 20070207 Re: PS Information Leak on HP True64 Alpha OSF1 v5.1 1885 1017592 tru64-ps-information-disclosure(32276) HPSBTU02179 ADV-2007-1654 25135 1018005Les News 2.2 allows remote attackers to bypass authentication and gain administrative access via a direct request for adminews/index_fr.php3, and possibly the adminews index documents for other localizations.20070204 Les News v2.2 [Admin news without password]2226Cross-site scripting (XSS) vulnerability in info.php in flashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via a channel title (aka room name) that is not properly handled by the "who's online" feature.20070205 flashChat 4.7.8 Cross Site Scripting Vulnerability22411ADV-2007-049524071flashchat-info-xss(32208)2228PHP remote file inclusion vulnerability in Mina Ajans Script allows remote attackers to execute arbitrary PHP code via a URL in the syf parameter to an unspecified PHP script.20070205 Mina Ajans Script Remote File Inclusion Vuln. mina-multiple-file-include(32243)PHP remote file inclusion vulnerability in includes/class_template.php in Categories hierarchy (aka CH or mod-CH) 2.1.2 in ptirhiikmods allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. 3270 22400 ADV-2007-0493 Ch-classtemplate-file-include(32193)PHP remote file inclusion vulnerability in MVCnPHP/BaseView.php in GeekLog 2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the glConf[path_libraries] parameter. NOTE: this might be a vulnerability in MVCnPHP rather than a vulnerability in GeekLog. 3267 22386 geeklog-baseview-file-include(32205)Microsoft Internet Explorer 6.0 SP1 on Windows 2000, and 6.0 SP2 on Windows XP, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an HTML document containing a certain JavaScript for loop with an empty loop body, possibly involving getElementById. 3272 22408SQL injection vulnerability in pms.php in Woltlab Burning Board (wBB) Lite 1.0.2pl3e and earlier allows remote authenticated users to execute arbitrary SQL commands via the pmid[0] parameter. 3262 22415 ADV-2007-0491 24027 wbblite-pms-sql-injection(32172)Cross-site scripting (XSS) vulnerability in Home production MySearchEngine allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.20070204 MysearchEngine XSS22402 mysearchengine-search-xss(32201)Multiple cross-site scripting (XSS) vulnerabilities in Adrenalin's ASP Chat allow remote attackers to inject arbitrary web script or HTML (1) via the psuedo (pseudo) field or (2) during chat.20070203 Adrenalin's ASP Chat XSS22392 adrenalin-unspecified-script-xss(32203)2233Cross-site scripting (XSS) vulnerability in images_archive.asp in Uapplication Uphotogallery 1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the s parameter. NOTE: the thumbnails.asp vector is already covered by CVE-2006-3023.20070204 Uphotogallery Multiple Cross-Site Scripting Vulnerability22404 uphotogallery-imagesarchive-xss(32229)2227The RPC Server service (catirpc.exe) in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 SP2 and earlier allows remote attackers to cause a denial of service (service crash) via a crafted TADDR2UADDR that triggers a null pointer dereference in catirpc.dll, possibly related to null credentials or verifier fields.22365ADV-2007-046124009ca-brightstor-catirpc-dos(32137)24512Cross-site scripting (XSS) vulnerability in Adobe ColdFusion web server allows remote attackers to inject arbitrary HTML or web script via the User-Agent HTTP header, which is not sanitized before being displayed in an error page.20070205 Cold Fusion Web Server XSS 0 day22401 ADV-2007-0593 1017645 24115** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0396. Reason: This candidate is a duplicate of CVE-2007-0396. Notes: All CVE users should reference CVE-2007-0396 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.HP Network Node Manager (NNM) Remote Console 7.50 assigns Everyone Full Control permission for the %PROGRAMFILES%\HP OpenView directory tree, which allows local users to gain privileges via a Trojan horse executable file or ActiveX component, or a modified bin\ovtrcsvc.exe for the HP Open View Shared Trace Service.20070208 SecurityVulns.com: HP Network Node Manager remote console weak files permissions 22475 ADV-2007-0533 1017609 24066 openview-nnm-directory-privilege-escalation(32362)Multiple PHP remote file inclusion vulnerabilities in Cedric CLAIRE PortailPhp 2 allow remote attackers to execute arbitrary PHP code via a URL in the chemin parameter to (1) mod_news/index.php, (2) mod_news/goodies.php, or (3) mod_search/index.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.22381Multiple directory traversal vulnerabilities in Cedric CLAIRE PortailPhp 2 allow remote attackers to read arbitrary files via a .. (dot dot) in the chemin parameter to (1) mod_news/index.php or (2) mod_news/goodies.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.22381umount, when running with the Linux 2.6.15 kernel on Slackware Linux 10.2, allows local users to trigger a NULL dereference and application crash by invoking the program with a pathname for a USB pen drive that was mounted and then physically removed, which might allow the users to obtain sensitive information, including core file contents.20070201 umount crash and xterm (kind of) information leak! MDKSA-2007:053 22850 1017729MDKSA-2007:053xterm on Slackware Linux 10.2 stores information that had been displayed for a different user account using the same xterm process, which might allow local users to bypass file permissions and read other users' files, or obtain other sensitive information, by reading the xterm process memory. NOTE: it could be argued that this is an expected consequence of multiple users sharing the same interactive process, in which case this is not a vulnerability.20070201 umount crash and xterm (kind of) information leak!PHP remote file inclusion vulnerability in inhalt.php in LightRO CMS 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the dateien[news] parameter.22430 3275 ADV-2007-0511 lightro-inhalt-file-include(32270)FlashFXP 3.4.0 build 1145 allows remote servers to cause a denial of service (CPU consumption) via a response to a PWD command that contains a long string with deeply nested directory structure, possibly due to a buffer overflow.22433 3276 flashfxp-pwdcommand-dos(32416)SQL injection vulnerability in forum.asp in Kisisel Site 2007 allows remote attackers to execute arbitrary SQL commands via the forumid parameter. 3278 22435 ADV-2007-0510 kisisel-forum-sql-injection(32422)The Alibaba Alipay PTA Module ActiveX control (PTA.DLL) allows remote attackers to execute arbitrary code via a JavaScript function that invokes the Remove method with an invalid index argument, which is used as an offset for a function call.20070207 Alibaba Alipay Remote Code Execute Vulnerability-0DAY327922446ADV-2007-052024063alipay-activex-code-execution(32367)PHP remote file inclusion vulnerability in affichearticles.php3 in MySQLNewsEngine allows remote attackers to execute arbitrary PHP code via a URL in the newsenginedir parameter.20070206 MySQLNewsEngine (affichearticles.php3) Remote File Inc. Vuln.22431 ADV-2007-0513 mysqlnewsengine-affichearticle-file-include(32266)2229avast! Server Edition before 4.7.726 does not demand a password in a certain intended context, even when a password has been set, which allows local users to bypass authentication requirements.22425ADV-2007-049924068 avast-password-security-bypass(32269)** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in the Admin Control Panel (AdminCP) in Jelsoft vBulletin 3.6.4 allow remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors related to the (1) User Group Manager, (2) User Rank Manager, (3) User Title Manager, (4) BB Code Manager, (5) Attachment Manager, (6) Calendar Manager, and (7) Forums & Moderators functions. NOTE: the vendor disputes this issue, stating that modifying HTML is an intended privilege of an administrator. NOTE: it is possible that this issue overlaps CVE-2006-6040.Vendor has stated that remotely authenticated administrators were given the ability to inject arbitrary HTML/webscript code by design.20070206 VBulletin AdminCP Index.PHP Multiple Cross-Site Scripting Vulnerability20070207 Re: VBulletin AdminCP Index.PHP Multiple Cross-Site Scripting Vulnerabilityvbulletin-admincp-index-xss(32268)24085** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Atsphp 5.0.1 allow remote attackers to execute arbitrary PHP code via a URL in the CONF[path] parameter to (1) index.php, (2) sources/usercp.php, or (3) sources/admin.php. NOTE: Another researcher has disputed this vulnerability, noting that CONF[path] is defined before use in index.php, that CONF[path] inclusion cannot occur through a direct request to other affected files, and that usercp.php is a typo of user_cp.php.20070130 Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include20070130 Re: BOGUS: Atsphp 5.0.1 [Top Sites] [index.php] - Remote File IncludeVMware Workstation 5.5.3 34685 does not immediately change the availability of a shared clipboard when the "Enable copy and paste to and from this virtual machine" checkbox is changed, which allows local users to obtain sensitive information or conduct certain attacks that are facilitated by weaker isolation between the host and guest operating systems.20070203 Vmare workstation guest isolation weaknesses (clipboard transfer)22413VMware Workstation 5.5.3 34685, when the "Enable copy and paste to and from this virtual machine" option is enabled, preserves clipboard data on the guest operating system after it was deleted on the host operating system, which might allow local users to read clipboard contents by moving the focus back to the host operating system.20070203 Vmare workstation guest isolation weaknesses (clipboard transfer)22413Cross-site scripting (XSS) vulnerability in FlashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via the user name field when the user joins a chat room, a different vulnerability than CVE-2007-0807. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24071 flashchat-username-xss(32417)admin.php in Coppermine Photo Gallery 1.4.10, and possibly earlier, allows remote authenticated users to execute arbitrary shell commands via shell metacharacters (";" semicolon) in the "Command line options for ImageMagick" form field, when used as an option to ImageMagick's convert command. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.2240624019coppermine-admin-command-execution(32236)admin.php in Coppermine Photo Gallery 1.4.10, and possibly earlier, allows remote authenticated users to include arbitrary local and possibly remote files via the (1) "Path to custom header include" and (2) "Path to custom footer include" form fields. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.2240924019coppermine-admin-file-include(32233)PHP remote file inclusion vulnerability in examples/inc/top.inc.php in AgerMenu 0.03 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter.20070207 false: Agermenu 0.0320070207 true: agermenuADV-2007-0512 3280 22442 agermenu-topinc-file-include(32283)FreeProxy before 3.92 Build 1626 allows malicious users to cause a denial of service (infinite loop) via a HOST: header with a hostname and port number that refers to the server itself.20070206 Medium level security hole in FreeProxy20070206 Medium level security hole in FreeProxyADV-2007-0514 22445 24064 freeproxy-hostname-portnumber-dos(32303)Multiple PHP remote file inclusion vulnerabilities in index/index_album.php in Valarsoft WebMatic 2.6 allow remote attackers to execute arbitrary PHP code via a URL in the (1) P_LIB and (2) P_INDEX parameters.20070207 true: WebMatic 2.6 RFI22444 3281 ADV-2007-0534 24092 webmatic-indexalbum-file-include(32318)Cross-site scripting (XSS) vulnerability in HLstats before 1.35 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the search class. NOTE: it is possible that this issue overlaps CVE-2006-4543.3 or CVE-2006-4454.2242224062Multiple unspecified vulnerabilities in vbDrupal before 4.7.6.0 have unknown impact and remote attack vectors. NOTE: the vector related to Drupal is covered by CVE-2007-0626. These vulnerabilities might be associated with other CVE identifiers.ADV-2007-041523990The 64-bit versions of Microsoft Visual C++ 8.0 standard library (MSVCR80.DLL) time functions, including (1) localtime, (2) localtime_s, (3) gmtime, (4) gmtime_s, (5) ctime, (6) ctime_s, (7) wctime, (8) wctime_s, and (9) fstat, trigger an assertion error instead of a NULL pointer or EINVAL when processing a time argument later than Jan 1, 3000, which might allow context-dependent attackers to cause a denial of service (application exit) via large time values. NOTE: it could be argued that this is a design limitation of the functions, and the vulnerability lies with any application that does not validate arguments to these functions. However, this behavior is inconsistent with documentation, which does not list assertions as a possible result of an error condition.20070212 SecurityVulns.com: Microsoft Visual C++ 8.0 standard library time functions invalid assertion DoS (Problem 3000). visualstudio-time-dos(32454)2237The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, Server 2003, and Vista does not check permissions for child objects, which allows local users to bypass permissions by opening a directory with LIST (READ) access and using ReadDirectoryChangesW to monitor changes of files that do not have LIST permissions, which can be leveraged to determine filenames, access times, and other sensitive information.20070222 Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak20070222 Re[2]: [Full-disclosure] Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak2266420070222 Microsoft Windows 2000/XP/2003/Vista ReadDirectoryChangesW informaton leak24245ADV-2007-07012282win-readdirectory-information-disclosure(32644)The auth_via_key function in pam_ssh.c in pam_ssh before 1.92, when the allow_blank_passphrase option is disabled, allows remote attackers to bypass authentication restrictions and use private encryption keys requiring a blank passphrase by entering a non-blank passphrase.ADV-2007-052424061 22461admin/index.php in Advanced Poll 2.0.0 through 2.0.5-dev allows remote attackers to bypass authentication and gain administrator privileges by obtaining a valid session identifier and setting the uid parameter to 1.22451 3282 advancedpoll-index-code-execution(32337)Cross-site scripting (XSS) vulnerability in forum.php in Open Tibia Server CMS (OTSCMS) 2.1.5 and earlier allows remote attackers to inject arbitrary HTML or web script via the name parameter.22450 3283 24116 otscms-forum-xss(32324)SQL injection vulnerability in mod/PM/reply.php in Open Tibia Server CMS (OTSCMS) 2.1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to priv.php.22450 3283 24116 otscms-priv-sql-injection(32322)PHP remote file inclusion vulnerability in classes/class_mail.inc.php in Maian Recipe 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter.20070207 true: Agermenu 0.0324074 3284 ADV-2007-0537 maianrecipe-classmail-file-include(32346)scripts/cronscript.php in SysCP 1.2.15 and earlier does not properly quote pathnames in user home directories, which allows local users to gain privileges by placing shell metacharacters in a directory name, and then using the control panel to protect this directory, a different vulnerability than CVE-2005-2568.20070207 Ability to inject and execute any code as root in SysCP22453 24102scripts/cronscript.php in SysCP 1.2.15 and earlier includes and executes arbitrary PHP scripts that are referenced by the panel_cronscript table in the SysCP database, which allows attackers with database write privileges to execute arbitrary code by constructing a PHP file and adding its filename to this table.20070207 Ability to inject and execute any code as root in SysCP22454 24102 syscp-cronscript-code-execution(32330)Buffer overflow in the Trend Micro Scan Engine 8.000 and 8.300 before virus pattern file 4.245.00, as used in other products such as Cyber Clean Center (CCC) Cleaner, allows remote attackers to execute arbitrary code via a malformed UPX compressed executable.Failed exploit attempts will likely cause a denial-of-service condition.20070208 Trend Micro AntiVirus UPX Parsing Kernel Buffer Overflow Vulnerability22449ADV-2007-0522101760124087VU#2764321017602101760324128antivirus-upx-bo(32352)ADV-2007-0569Cross-site scripting (XSS) vulnerability in DevTrack 6.x allows remote attackers to inject arbitrary web script or HTML via the "Keyword search" form field and unspecified other form fields that populate a public saved query. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.23217 22460SQL injection vulnerability in DevTrack 6.0.3 allows remote attackers to execute arbitrary SQL commands via the Username form field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.23217 22460 devtrack-username-sql-injection(32348)Remote file inclusion vulnerability in scripts2/objcache in cPanel WebHost Manager (WHM) allows remote attackers to execute arbitrary code via a URL in the obj parameter. NOTE: a third party claims that this issue is not file inclusion because the contents are not parsed, but the attack can be used to overwrite files in /var/cpanel/objcache or provide unexpected web page contents.20070207 remote file include in whm (all version)20070208 Re: remote file include in whm (all version)22455ADV-2007-054524097cpanel-webhost-objcache-xss(32400)Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR and possibly other products, allows user-assisted remote attackers to execute arbitrary code via a crafted, password-protected archive.20070207 RARLabs Unrar Password Prompt Buffer Overflow Vulnerability22447ADV-2007-0523101759324077GLSA-200702-0424165unrar-password-archive-bo(32357)SUSE-SR:2007:005TmComm.sys 1.5.0.1052 in the Trend Micro Anti-Rootkit Common Module (RCM), with the VsapiNI.sys 3.320.0.1003 scan engine, as used in Trend Micro PC-cillin Internet Security 2007, Antivirus 2007, Anti-Spyware for SMB 3.2 SP1, Anti-Spyware for Consumer 3.5, Anti-Spyware for Enterprise 3.0 SP2, Client / Server / Messaging Security for SMB 3.5, Damage Cleanup Services 3.2, and possibly other products, assigns Everyone write permission for the \\.\TmComm DOS device interface, which allows local users to access privileged IOCTLs and execute arbitrary code or overwrite arbitrary memory in the kernel context.20070207 Trend Micro TmComm Local Privilege Escalation Vulnerability22448ADV-2007-052110176041017605101760624069 VU#282240 VU#666800 trendmicro-tmcomm-privilege-escalation(32353)Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4) LocalSiteMap action.24096 USN-421-1 22506 ADV-2007-0553 31874 24117 moinmoin-pageinfo-pagename-xss(32377)The Find feature in Palm OS Treo smart phones operates despite the system password lock, which allows attackers with physical access to obtain sensitive information (memory contents) by doing (1) text searches or (2) paste operations after pressing certain keyboard shortcut keys.20070213 SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass22468 20070222 RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass 20070222 Re: Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass 20070222 Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass 20070222 SYMSA-2007-002-1: Palm OS Treo Find Feature System Password Bypass palmos-findfeature-security-bypass(32502)20070216 Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass2260** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in local Calendar System 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) TEMPLATE_DIR parameter to (a) showinvoices.php, (b) showmonth.php, (c) showevents.php, (d) retrieveinvoice.php, (e) modifyitem.php, and (f) lookup_userid.php; or the LIBDIR parameter to (g) editevent.php, (h) resetpassword.php, (i) signup.php, showmonth.php, (j) showday.php, showevents.php, and lookup_userid.php. NOTE: this issue has been disputed by a third party, who states that the associated variables are set in config.php before use.20070127 local Calendar System v1.1 (lcStdLib.inc) Remote File Include20070128 Re: local Calendar System v1.1 (lcStdLib.inc) Remote File Include** DISPUTED ** PHP remote file inclusion vulnerability in modules/mail/index.php in phpCOIN RC-1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the _CCFG['_PKG_PATH_MDLS'] parameter. NOTE: this issue has been disputed by a reliable third party, who states that a fatal error occurs before the relevant code is reached.20070125 Re: phpCOIN <= RC-1 (modules/mail/index.php) Remote File Include Vulnerability20070125 phpCOIN <= RC-1 (modules/mail/index.php) Remote File Include Vulnerability2230** DISPUTED ** PHP remote file inclusion vulnerability in index.php in gnopaste 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code via the GNP_REAL_PATH parameter. NOTE: CVE and a third party dispute this issue, since GNP_REAL_PATH is a constant, not a variable.20070129 Re: gnopaste <= 0.5.3 (index.php) Remote File Include Vulnerability20070129 gnopaste <= 0.5.3 (index.php) Remote File Include Vulnerability** DISPUTED ** PHP remote file inclusion vulnerability in Trevorchan 0.7 and earlier allows remote attackers to execute arbitrary code via the tc_config[rootdir] parameter to (1) upgrade.php, (2) paint_save.php, (3) menu.php, (4) manage.php, and (5) banned.php. NOTE: his issue has been disputed by reliable third parties, who state that the variable is set before use in config.php.20070115 [Bogus] [ilkerkandemir at mynet.com: Trevorchan <= v0.7 Remote File Include Vulnerability] (fwd)1017512SQL injection vulnerability in register.php in LushiWarPlaner 1.0 allows remote attackers to inject arbitrary SQL commands via the id parameter.22470 3288 ADV-2007-0538 24079 lushiwarplaner-register-sql-injection(32365)SQL injection vulnerability in comments.php in LushiNews 1.01 and earlier allows remote authenticated users to inject arbitrary SQL commands via the id parameter.22469 3287 ADV-2007-0539 24081 lushinews-comments-sql-injection(32360)Unspecified vulnerability in HP OpenView Storage Data Protector on HP-UX B.11.00, B.11.11, or B.11.23 allows local users to execute arbitrary code via unknown vectors.HPSBMA021901017614 22488 ADV-2007-0542 24113 openview-dataprotector-privilege-escalation(32386)PHP remote file inclusion vulnerability in classes/menu.php in Site-Assistant 0990 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the paths[version] parameter.22467 3285 ADV-2007-0541 siteassistant-menu-file-include(32364)Unspecified vulnerability in the Chat Room functionality in Yahoo! Messenger 8.1.0.239 and earlier allows remote attackers to cause a denial of service via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22407Cross-site scripting (XSS) vulnerability in the Attachment Manager (admincp/attachment.php) in Jelsoft vBulletin 3.6.4 allows remote attackers to inject arbitrary web script or HTML via the Extension field, a different vector than CVE-2007-0830. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2246624085Unspecified vulnerability in Microsoft Word 2000 allows remote attackers to cause a denial of service (crash) via unknown vectors, a different vulnerability than CVE-2006-5994, CVE-2006-6456, CVE-2006-6561, and CVE-2007-0515, a variant of Exploit-MS06-027. VU#332404 22567 ADV-2007-0607 1017653 24122 word-unspecified-string-code-execution(32503) MS07-024 ADV-2007-1709HPSBST02214TA07-128Aoval:org.mitre.oval:def:1860Unrestricted file upload vulnerability in eXtremePow eXtreme File Hosting allows remote attackers to upload arbitrary PHP code via a filename with a double extension such as (1) .rar.php or (2) .zip.php.20070209 eXtreme File Hosting remote file upload vulnerability22498 24088 extremefilehosting-compressed-file-upload(32435)2231Directory traversal vulnerability in the Plain Old Webserver (POW) add-on before 0.0.9 for Mozilla Firefox allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.20070209 Re: [WEB SECURITY] Plain Old Webserver - The coolest firefox extension20070209 Re: [WEB SECURITY] Plain Old Webserver - The coolest firefox extension22502 ADV-2007-0558 24127 pow-httprequest-directory-traversal(32467)nabopoll 1.1.2 allows remote attackers to bypass authentication and access certain administrative functionality via a direct request for (1) config_edit.php, (2) template_edit.php, or (3) survey_edit.php in admin/.20070210 nabopoll 1.1.2 sensitive file (admin without password)225092232nabopoll-configedit-unathorized-access(32472)Allons_voter 1.0 allows remote attackers to bypass authentication and access certain administrative functionality via a direct request for (1) admin_ajouter.php or (2) admin_supprimer.php. NOTE: this could be leveraged to conduct cross-site scripting (XSS) attacks.20070209 Allons_voter Version 1.0 xss and admin votes22508 allonsvoter-admin-authentication-bypass(32431)2234** DISPUTED ** SQL injection vulnerability in install.php in mcRefer allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: this issue has been disputed by a third party, stating that the file does not use a SQL database.20070209 mcRefer SQL injection2250720070211 Re: mcRefer SQL injection2235Cross-site scripting (XSS) vulnerability in Quick Digital Image Gallery (Qdig) 1.2.9.3 and devel-20060624 allows remote attackers to inject arbitrary web script or HTML via the Qwd parameter to the top-level URI.20070210 [XSS] Qdig - Quick Digital Image Gallery Version 1.2.9.3 and -devel20070211 Re: [XSS] Qdig - Quick Digital Image Gallery Version 1.2.9.3 and -devel22510 ADV-2007-0555 24110 qdig-qwd-xss(32421)Unspecified vulnerability in March Networks DVR 3000 and 4000 Digital Video Recorders allows attackers to cause an unspecified denial of service. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22497Unspecified vulnerability in Microsoft Internet Explorer on Windows Mobile 5.0 allows remote attackers to cause a denial of service (loss of browser and other device functionality) via a malformed WML page, related to an "overflow state." NOTE: it is possible that this issue is related to CVE-2007-0685.20070209 Denial Of Service in Internet Explorer for MS Windows Mobile 5.020070209 RE: Denial Of Service in Internet Explorer for MS Windows Mobile 5.020070209 Re: Denial Of Service in Internet Explorer for MS Windows Mobile 5.020070209 Denial Of Service in Internet Explorer for MS Windows Mobile 5.022500ie-mobile-unspecified-bo(32394)Buffer overflow in SmidgeonSoft PEBrowse Professional 8.2.1.0 allows user-assisted remote attackers to execute arbitrary code via certain executable files in PE format. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22501 ADV-2007-0665 smidgeonsoft-files-bo(32524)Capital Request Forms stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain database credentials via a direct request for inc/common_db.inc.20070209 Capital Request Forms Db Username and Password VulnerabilitiesPHP remote file inclusion vulnerability in the Seitenschutz plugin for OPENi-CMS 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the (1) config[oi_dir] and possibly (2) config[openi_dir] parameters to open-admin/plugins/site_protection/index.php. NOTE: vector 2 might be the same as CVE-2006-4750.Successful exploitation requires that "register_globals" is enabled.24119 3292 22511 ADV-2007-0556 internalrange-oidir-file-include(32423)Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account.Exploit 329320070213 Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?20070212 Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?20070212 Re: [Full-disclosure] Solaris telnet vulnberability - how many on your network?20070212 Solaris telnet vulnberability - how many on your network?20070214 Solaris telnet vuln solutions digest and network risks3293102802TA07-059AVU#88187222512ADV-2007-0560101762524120solaris-telnet-authentication-bypass(32434)20070214 RE: [Full-disclosure] Solaris telnet vulnberability - how many onyour network?oval:org.mitre.oval:def:2202Directory traversal vulnerability in portalgroups/portalgroups/getfile.cgi in IP3 NetAccess before firmware 4.1.9.6 allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter. 20070211 Arbitrary file disclosure vulnerability in IP3 NetAccess < 4.1.9.6 3294 22513 ADV-2007-0615 1017623 24118 ip3netaccess-getfile-directory-traversal(32432)Buffer overflow in Roaring Penguin MIMEDefang 2.59 and 2.60 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors.Upgrade to 2.61[mimedefang] 20070209 SECURITY: MIMEDefang 2.61 is Released24133 22514 ADV-2007-0572 mimedefang-unspecified-bo(32466)Cross-site scripting (XSS) vulnerability in jira/secure/BrowseProject.jspa in Rainbow with the Zen (Rainbow.Zen) extension allows remote attackers to inject arbitrary web script or HTML via the id parameter.20070209 XSS in Rainbow with Rainbow.Zen 22503 rainbow-browseproject-xss(32418)Heap-based buffer underflow in axigen 1.2.6 through 2.0.0b1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via certain base64-encoded data on the pop3 port (110/tcp), which triggers an integer overflow.20070208 Axigen <2.0.0b1 DoS22473axigen-memcpy-dos(32342) 3289 24073axigen 1.2.6 through 2.0.0b1 does not properly parse login credentials, which allows remote attackers to cause a denial of service (NULL dereference and application crash) via a base64-encoded "*\x00" sequence on the imap port (143/tcp).20070208 Axigen <2.0.0b1 DoS22473axigen-nullpointer-dos(32345) 3290 24073Directory traversal vulnerability in the TFTP server in Kiwi CatTools before 3.2.0 beta allows remote attackers to read arbitrary files, and upload files to arbitrary locations, via ..// (dot dot) sequences in the pathname argument to an FTP (1) GET or (2) PUT command.This vulnerability is addressed in the following product update: Kiwi Enterprises, Kiwi CatTools, 3.2.0 Beta20070208 TFTP directory traversal in Kiwi CatTools 20070213 Re: TFTP directory traversal in Kiwi CatTools 22490 ADV-2007-0536 33162 24103 kiwicattools-tftp-directory-traversal(32398)2236Kiwi CatTools before 3.2.0 beta uses weak encryption ("reversible encoding") for passwords, account names, and IP addresses in kiwidb-cattools.kdb, which might allow local users to gain sensitive information by decrypting the file. NOTE: this issue could be leveraged with a directory traversal vulnerability for a remote attack vector.20070208 TFTP directory traversal in Kiwi CatTools 241032236Cross-site scripting (XSS) vulnerability in scripts/passwdmysql in cPanel WebHost Manager (WHM) 11.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the password parameter.20070208 local bug :[xxs] in whm22474 ADV-2007-0568 24106Cross-site scripting (XSS) vulnerability in the GetCurrentCompletePath function in phpmyvisites.php in phpMyVisites before 2.2 allows remote attackers to inject arbitrary web script or HTML via the query string.20070211 Multiple vulnerabilities in phpMyVisites24124 20070211 Multiple vulnerabilities in phpMyVisites 22516 ADV-2007-0566 phpmyvisites-phpmyvisites-xss(32430)CRLF injection vulnerability in phpMyVisites before 2.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the url parameter, when the pagename parameter begins with "FILE:".20070211 Multiple vulnerabilities in phpMyVisites 20070211 Multiple vulnerabilities in phpMyVisites phpmyvisites-pagename-response-splitting(32428)Directory traversal vulnerability in phpMyVisites before 2.2 allows remote attackers to include arbitrary files via leading ".." sequences on the pmv_ck_view COOKIE parameter, which bypasses the protection scheme.20070211 Multiple vulnerabilities in phpMyVisites 20070211 Multiple vulnerabilities in phpMyVisites 22516 phpmyvisites-pmvckview-file-include(32433)MediaWiki before 1.9.2 allows remote attackers to obtain sensitive information via a direct request to (1) Simple.deps.php, (2) MonoBook.deps.php, (3) MySkin.deps.php, or (4) Chick.deps.php in wiki/skins, which shows the installation path in the resulting error message.20070211 MediaWiki Full Path Disclosure Vulnerability mediawiki-multiple-scripts-path-disclosure(32440)Race condition in recursive directory deletion with the (1) -r or (2) -R option in rm in Solaris 8 through 10 before 20070208 allows local users to delete files and directories as the user running rm by moving a low-level directory to a higher level as it is being deleted, which causes rm to chdir to a ".." directory that is higher than expected, possibly up to the root file system, a related issue to CVE-2002-0435.102782ADV-2007-054324082 31880 24405 solaris-rm-dos(32399)oval:org.mitre.oval:def:8272Cross-site scripting (XSS) vulnerability in the (1) Sage before 1.3.10, and (2) Sage++ extensions for Firefox, allows remote attackers to inject arbitrary web script or HTML via a "<SCRIPT/='SRC='" sequence in an RSS feed, a different vulnerability than CVE-2006-4712.24086224931017624sage-rssfeed-xss(32395)Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor.This vulnerability is addressed in the following product release: Clam AntiVirus, ClamAV, 0.90 Stable22580ADV-2007-062324187DSA-1263GLSA-200703-03MDKSA-2007:043SUSE-SA:2007:01710176592419224183243192433224425clamav-cabfile-dos(32531)20070215 Multiple Vendor ClamAV CAB File Denial of Service VulnerabilityAPPLE-SA-2008-03-18ADV-2008-092429420Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before 0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the id MIME header parameter in a multi-part message.This vulnerability is addressed in the following product release: Clam Anti-Virus, ClamAV, 0.9020070215 Multiple Vendor ClamAV MIME Parsing Directory Traversal Vulnerability22581ADV-2007-062324187DSA-1263GLSA-200703-03MDKSA-2007:043SUSE-SA:2007:01710176602419224183243192433224425clamav-mimeheader-directory-traversal(32535)APPLE-SA-2008-03-18ADV-2008-092429420Multiple PHP remote file inclusion vulnerabilities in TagIt! Tagboard 2.1.B Build 2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) configpath parameter to (a) tagviewer.php, (b) tag_process.php, and (c) CONFIG/errmsg.inc.php; and (d) addTagmin.php, (e) ban_watch.php, (f) delTagmin.php, (g) delTag.php, (h) editTagmin.php, (i) editTag.php, (j) manageTagmins.php, and (k) verify.php in tagmin/; the (2) adminpath parameter to (l) tagviewer.php, (m) tag_process.php, and (n) tagmin/index.php; and the (3) admin parameter to (o) readconf.php, (p) updateconf.php, (q) updatefilter.php, and (r) wordfilter.php in tagmin/; different vectors than CVE-2006-5249. 34615 34616 34617 34618ADV-2007-0557 22518 tagit-multiplescripts-file-include(32436) 34603 34604 34605 34606 34607 34608 34609 34610 34611 34612 34613 34614Multiple cross-site scripting (XSS) vulnerabilities in Info pages in MoinMoin 1.5.7 allow remote attackers to inject arbitrary web script or HTML via the (1) hitcounts and (2) general parameters, different vectors than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24138 USN-423-1 22515 24244Unspecified vulnerability in the "Show debugging information" feature in MoinMoin 1.5.7 allows remote attackers to obtain sensitive information. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24138 USN-423-1 22515 24244Unspecified vulnerability in the mod_roster_odbc module in ejabberd before 1.1.3 has unknown impact and attack vectors.24075 22525 ADV-2007-0570 ejabberd-modrosterodbc-unspecified(32437)SQL injection vulnerability in projects.php in LightRO CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter to index.php.ADV-2007-0540lightro-index-sql-injection(32347) 3286PHP before 5.2.1 allows attackers to bypass safe_mode and open_basedir restrictions via unspecified vectors in the session extension. NOTE: it is possible that this issue is a duplicate of CVE-2006-6383.22496ADV-2007-054624089 OpenPKG-SA-2007.0102007-000924419Multiple buffer overflows in PHP before 5.2.1 allow attackers to cause a denial of service and possibly execute arbitrary code via unspecified vectors in the (1) session, (2) zip, (3) imap, and (4) sqlite extensions; (5) stream filters; and the (6) str_replace, (7) mail, (8) ibase_delete_user, (9) ibase_add_user, and (10) ibase_modify_user functions. NOTE: vector 6 might actually be an integer overflow (CVE-2007-1885). NOTE: as of 20070411, vector (3) might involve the imap_mail_compose function (CVE-2007-1825).22496ADV-2007-05462408920070227 rPSA-2007-0043-1 php php-mysql php-pgsqlDSA-1264GLSA-200703-21MDKSA-2007:048OpenPKG-SA-2007.010RHSA-2007:0076RHSA-2007:0081RHSA-2007:0089RHSA-2007:0088RHSA-2007:0082SUSE-SA:2007:020USN-424-1USN-424-23277610176712419524217242482423624295243222443224421245142460624642 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql 24945MDKSA-2007:04820070201-01-PSUSE-SA:2007:0442007-0009242842441926048Buffer underflow in PHP before 5.2.1 allows attackers to cause a denial of service via unspecified vectors involving the sapi_header_op function.USN-424-210176712419524217242482423624295243222443224421245142460624642MDKSA-2007:04820070201-01-P2007-0009242842441922496ADV-2007-05462408920070227 rPSA-2007-0043-1 php php-mysql php-pgsqlDSA-1264GLSA-200703-21MDKSA-2007:048OpenPKG-SA-2007.010RHSA-2007:0076RHSA-2007:0081RHSA-2007:0089RHSA-2007:0088RHSA-2007:0082SUSE-SA:2007:020USN-424-1The WDDX deserializer in the wddx extension in PHP 5 before 5.2.1 and PHP 4 before 4.4.5 does not properly initialize the key_length variable for a numerical key, which allows context-dependent attackers to read stack memory via a wddxPacket element that contains a variable with a string name before a numerical variable.22496ADV-2007-05462408920070227 rPSA-2007-0043-1 php php-mysql php-pgsqlDSA-1264GLSA-200703-21MDKSA-2007:048OpenPKG-SA-2007.010RHSA-2007:0076RHSA-2007:0081RHSA-2007:0089RHSA-2007:0088RHSA-2007:0082SUSE-SA:2007:020USN-424-1USN-424-210176712419524217242482423624295243222443224421245142460624642php-wddx-information-disclosure(32493)MDKSA-2007:04820070201-01-P2007-00092280624284244192321Multiple format string vulnerabilities in PHP before 5.2.1 might allow attackers to execute arbitrary code via format string specifiers to (1) all of the *print functions on 64-bit systems, and (2) the odbc_result_all function.24236242952432224432244212451424606 24642MDKSA-2007:04820070201-01-P2007-0009242842441922496ADV-2007-05462408920070227 rPSA-2007-0043-1 php php-mysql php-pgsqlDSA-1264GLSA-200703-21MDKSA-2007:048OpenPKG-SA-2007.010RHSA-2007:0076RHSA-2007:0081RHSA-2007:0089RHSA-2007:0088RHSA-2007:0082SUSE-SA:2007:020USN-424-1USN-424-21017671241952421724248Unspecified vulnerability in PHP before 5.2.1 allows attackers to "clobber" certain super-global variables via unspecified vectors.22496ADV-2007-05462408920070227 rPSA-2007-0043-1 php php-mysql php-pgsqlDSA-1264GLSA-200703-21MDKSA-2007:048OpenPKG-SA-2007.010RHSA-2007:0076RHSA-2007:0081RHSA-2007:0089RHSA-2007:0088RHSA-2007:0082SUSE-SA:2007:020USN-424-1USN-424-21017671241952421724248242362429524322244322442124514246062464220070418 rPSA-2007-0073-1 php php-mysql php-pgsql24945MDKSA-2007:04820070201-01-P2007-00092428424419Off-by-one error in the str_ireplace function in PHP 5.2.1 might allow context-dependent attackers to cause a denial of service (crash).[php-dev] 20070209 PHP 5.2.1 crashing Apache/IIS...[php-dev] 20070210 Re: PHP 5.2.1 crashing Apache/IIS...22505 20070209 PHP 5.2.1 crash bug GLSA-200703-21 SUSE-SA:2007:020 24514 24606Cross-Site Request Forgery (CSRF) vulnerability in admin/admin.adm.php in Jportal 2.3.1, and possibly earlier, allows remote attackers to perform privileged actions as administrators by tricking the admin into accessing a URL with modified arguments to admin/admin.adm.php.20070211 Jportal 2.3.1 CSRF vulnerability jportal-admin-csrf(32458)2239Unspecified vulnerability in Microsoft Powerpoint allows remote user-assisted attackers to execute arbitrary code via unknown attack vectors, as exploited by Trojan.PPDropper.G. NOTE: as of 20070213, it is not clear whether this is the same issue as CVE-2006-5296, CVE-2006-4694, CVE-2006-3876, CVE-2006-3877, or older issues.Race condition in the TCP subsystem for Solaris 10 allows remote attackers to cause a denial of service (system panic) via unknown vectors.10279622550ADV-2007-0588101764924166solaris-tcp-race-condition-dos(32484)oval:org.mitre.oval:def:2120Distributed SLS daemon (SLSd) on HP-UX B.11.11 allows remote attackers to overwrite arbitrary files and gain privileges via a crafted RPC request.See HP's advisory.HPSBUX02191225511017630 20070213 Hewlett-Packard HP-UX SLSd Arbitrary File Creation Vulnerability ADV-2007-0590 24169 hpux-slsd-unauthorized-access(32471)Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.11 and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors.HPSBUX02192225461017629ADV-2007-059624173hpux-arpa-dos(32468)The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets.20070213 Multiple IOS IPS Vulnerabilities1017631 22549 ADV-2007-0597 24142 cisco-ios-ips-security-bypass(32473)The ATOMIC.TCP signature engine in the Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XA, 12.3YA, 12.3T, and other trains allows remote attackers to cause a denial of service (IPS crash and traffic loss) via unspecified manipulations that are not properly handled by the regular expression feature, as demonstrated using the 3123.0 (Netbus Pro Traffic) signature.20070213 Multiple IOS IPS Vulnerabilities101763122549ADV-2007-059724142cisco-ios-ips-dos(32474)Directory traversal vulnerability in Nickolas Grigoriadis Mini Web server (MiniWebsvr) 0.0.6 allows remote attackers to list the directory immediately above the web root via a ..%00 sequence in the URI.20070211 Miniwebsvr 0.0.6 - Directory traversal20060213 Verified: dot in Miniwebsvr 0.0.622523 miniwebsvr-unspecified-directory-traversal(32451)2248SQL injection vulnerability in philboard_forum.asp in Philboard 1.14 and earlier allows remote attackers to execute arbitrary SQL commands via the forumid parameter.22532philboard-philboardforum-sql-injection(32442) 3295 ADV-2007-0600 nabopoll-configedit-unathorized-access(32472)Portal Search allows remote attackers to redirect a URL to an arbitrary web site by placing the URL in the query string to the top-level URI.20070212 Radical Technologies - Portal Search- multiple XSS issue22533 portalsearch-frame-url-spoofing(32460)2247Cross-site scripting (XSS) vulnerability in buscador/buscador.htm in Portal Search allows remote attackers to inject arbitrary web script or HTML via the query string.20070212 Radical Technologies - Portal Search- multiple XSS issue225332247buscador/buscador.htm in Portal Search allows remote attackers to obtain sensitive information (business logic) via a query string composed of a search for certain characters.20070212 Radical Technologies - Portal Search- multiple XSS issue22533 portalsearch-buscador-info-disclosure(32452)2247Till Gerken phpPolls 1.0.3 allows remote attackers to bypass authentication and perform certain administrative actions via a direct request to phpPollAdmin.php3. NOTE: this issue might subsume CVE-2006-3764.20070211 phpPolls 1.0.3 (acces to sensitive file)225222242Cross-site scripting (XSS) vulnerability in search/SearchResults.aspx in Community Server allows remote attackers to inject arbitrary web script or HTML via the q parameter.20070209 XSS in communityserver !22529 communityserver-searchresults-xss(32444)2241The dologin function in guestbook.php in KvGuestbook 1.0 Beta allows remote attackers to gain administrative privileges, probably via modified $mysql['pass'] and $gbpass variables.20070211 KvGuestbook Remote Add Admin Exploit2246Heap-based buffer overflow in uTorrent 1.6 allows remote attackers to execute arbitrary code via a torrent file with a crafted announce header.22530 20070216 utorrent issue? 3296 ADV-2007-0571 1017648 24130 utorrent-torrent-bo(32455)33180Virtual Calendar stores sensitive information under the web root with insufficient access control, which allows remote attackers to download an encoded password via a direct request for pwd.txt.20070210 Virtual Calendar <= (pwd.txt) Remote Password Disclosur Vulnerability 24125 virtualcalendar-pwd-information-disclosure(32446)2240Directory traversal vulnerability in php rrd browser before 0.2.1 allows remote attackers to read arbitrary files via ".." sequences in the p parameter.20070211 Arbitrary file disclosure vulnerability in php rrd browser < 0.2.1 (prb)prb-url-file-disclosure(32425)2245Variable extract vulnerability in Apache Stats before 0.0.3beta allows attackers to modify arbitrary variables and conduct attacks via unknown vectors involving the use of PHP's extract function.22388ADV-2007-0559Heap-based buffer overflow in the management interfaces in (1) Aruba Mobility Controllers 200, 800, 2400, and 6000 and (2) Alcatel-Lucent OmniAccess Wireless 43xx and 6000 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via long credential strings.20070213 Aruba Mobility Controller Management Buffer Overflow20070213 Aruba Mobility Controller Management Buffer OverflowVU#3199132253824144aruba-management-interface-bo(32459)2244The (1) Aruba Mobility Controllers 200, 600, 2400, and 6000 and (2) Alcatel-Lucent OmniAccess Wireless 43xx and 6000 do not properly implement authentication and privilege assignment for the guest account, which allows remote attackers to access administrative interfaces or the WLAN.20070213 Aruba Networks - Unauthorized Administrative and WLAN Access through Guest AccountVU#6138332253824144aruba-guestaccount-privilege-escalation(32461)20070213 Aruba Networks - Unauthorized Administrative and WLAN Access through Guest Account2243Buffer overflow in the wireless driver 6.0.0.18 for D-Link DWL-G650+ (Rev. A1) on Windows XP allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a beacon frame with a long TIM Information Element.2443825602Unspecified vulnerability in Microsoft Visio 2002 allows remote user-assisted attackers to execute arbitrary code via a Visio (.VSD, VSS, .VST) file with a crafted version number that triggers memory corruption.MS07-030HPSBST02231TA07-163A24349ADV-2007-2150oval:org.mitre.oval:def:1925101822725619visio-version-code-execution(34607)Multiple unspecified vulnerabilities in Microsoft Visio 2002 allow remote user-assisted attackers to execute arbitrary code via a Visio (.VSD, VSS, .VST) file with a crafted packed object that triggers memory corruption, aka "Visio Document Packaging Vulnerability."MS07-030HPSBST02231TA07-163A24384ADV-2007-2150oval:org.mitre.oval:def:1369101822725619Microsoft Content Management Server (MCMS) 2001 SP1 and 2002 SP2 does not properly handle certain characters in a crafted HTTP GET request, which allows remote attackers to execute arbitrary code, aka the "CMS Memory Corruption Vulnerability."MS07-018 VU#434137 22861 1017894 34006 HPSBST02208ADV-2007-1322oval:org.mitre.oval:def:200124819mcms-http-get-code-execution(32736)Cross-site scripting (XSS) vulnerability in Microsoft Content Management Server (MCMS) 2001 SP1 and 2002 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving HTML redirection queries, aka "Cross-site Scripting and Spoofing Vulnerability."MS07-018228601017894HPSBST02208ADV-2007-132234007oval:org.mitre.oval:def:157524819Unspecified vulnerability in the Cryptographic API Component Object Model Certificates ActiveX control (CAPICOM.dll) in Microsoft CAPICOM and BizTalk Server 2004 SP1 and SP2 allows remote attackers to execute arbitrary code via unspecified vectors, aka the "CAPICOM.Certificates Vulnerability."MS07-028 VU#866305 23782 1018016 1018017 ADV-2007-1713 25185 ms-capicom-code-execution(32739)HPSBST02214TA07-128A34397oval:org.mitre.oval:def:1670Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4; 6 SP1 on Windows 2000 SP4; 6 and 7 on Windows XP SP2, or Windows Server 2003 SP1 or SP2; and possibly 7 on Windows Vista does not properly "instantiate certain COM objects as ActiveX controls," which allows remote attackers to execute arbitrary code via a crafted COM object from chtskdic.dll.MS07-027ADV-2007-1712101801923769HPSBST02214TA07-128A34399oval:org.mitre.oval:def:1939ie-chtskdic-com-code-execution(33252)Unspecified vulnerability in Internet Explorer 5.01 and 6 SP1 allows remote attackers to execute arbitrary code via crafted Cascading Style Sheets (CSS) strings that trigger memory corruption during parsing, related to use of out-of-bounds pointers.MS07-045TA07-226A25288ADV-2007-286936397oval:org.mitre.oval:def:1673101856226419Unspecified vulnerability in the CTableCol::OnPropertyChange method in Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4; 6 SP1 on Windows 2000 SP4; and 6 on Windows XP SP2, or Windows Server 2003 SP1 or SP2 allows remote attackers to execute arbitrary code by calling deleteCell on a named table row in a named table column, then accessing the column, which causes Internet Explorer to access previously deleted objects, aka the "Uninitialized Memory Corruption Vulnerability."MS07-027 20070508 ZDI-07-027: Microsoft Internet Explorer Table Column Deletion Memory Corruption Vulnerability 23771 ADV-2007-1712 1018019 23769HPSBST02214TA07-128A34400oval:org.mitre.oval:def:1722ie-object-array-code-execution(33253)Microsoft Internet Explorer 6 SP1 on Windows 2000 SP4; 6 and 7 on Windows XP SP2, or Windows Server 2003 SP1 or SP2; and 7 on Windows Vista allows remote attackers to execute arbitrary code via certain property methods that may trigger memory corruption, aka "Property Memory Corruption Vulnerability."MS07-027 23769 ADV-2007-1712 1018019 23769HPSBST02214TA07-128A34401oval:org.mitre.oval:def:1463Unspecified vulnerability in Microsoft Internet Explorer 7 on Windows XP SP2, Windows Server 2003 SP1 or SP2, or Windows Vista allows remote attackers to execute arbitrary code via crafted HTML objects, which results in memory corruption, aka the first of two "HTML Objects Memory Corruption Vulnerabilities" and a different issue than CVE-2007-0947.MS07-027 23770 ADV-2007-1712 1018019 23769HPSBST02214TA07-128A34402oval:org.mitre.oval:def:1441ie-html-memory-code-execution(33255)Use-after-free vulnerability in Microsoft Internet Explorer 7 on Windows XP SP2, Windows Server 2003 SP1 or SP2, or Windows Vista allows remote attackers to execute arbitrary code via crafted HTML objects, resulting in accessing deallocated memory of CMarkup objects, aka the second of two "HTML Objects Memory Corruption Vulnerabilities" and a different issue than CVE-2007-0946.MS07-02723772ADV-2007-1712101801923769HPSBST02214TA07-128A34403oval:org.mitre.oval:def:2048ie-html-memory-code-execution-variant(33256)Heap-based buffer overflow in Microsoft Virtual PC 2004 and PC for Mac 7.1 and 7, and Virtual Server 2005 and 2005 R2, allows local guest OS administrators to execute arbitrary code on the host OS via unspecified vectors related to "interaction and initialization of components."MS07-04925298101856726444TA07-226AADV-2007-2873oval:org.mitre.oval:def:1259Stack-based buffer overflow in iTinySoft Studio Total Video Player 1.03, and possibly earlier, allows remote attackers to execute arbitrary code via a M3U playlist file that contains a long file name. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2255323999 totalvideoplayer-m3u-bo(32479)Cross-site scripting (XSS) vulnerability in listmain.asp in Fullaspsite ASP Hosting Site allows remote attackers to inject arbitrary web script or HTML via the cat parameter.20070213 Fullaspsite Shop (tr) Xss & SqL Inj. VulnZ.22545 fullaspsite-listmain-xss(32469)2250SQL injection vulnerability in listmain.asp in Fullaspsite ASP Hosting Site allows remote attackers to execute arbitrary SQL commands via the cat parameter.20070213 Fullaspsite Shop (tr) Xss & SqL Inj. VulnZ.22545 fullaspsite-listmain-sql-injection(32470)2250Multiple cross-site scripting (XSS) vulnerabilities in Scriptsez.net Virtual Calendar allow remote attackers to inject arbitrary web script or HTML via the (1) t and (2) yr parameters, and the (3) sho parameter when the m parameter is outside the intended range.2253624125virtualcalendar-unspecified-xss(32448)Cross-site scripting (XSS) vulnerability in search.pl in @Mail 4.61 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter.22552ADV-2007-060324155MOHA Chat 0.1b7 and earlier does not require authentication for use of the plug in API, which has unknown impact and attack vectors.ADV-2007-0599The NTLM_UnPack_Type3 function in MENTLM.dll in MailEnable Professional 2.35 and earlier allows remote attackers to cause a denial of service (application crash) via certain base64-encoded data following an AUTHENTICATE NTLM command to the imap port (143/tcp), which results in an out-of-bounds read.20071214 MailEnable DoS POC24139ADV-2007-0614mailenable-ntlm-dos(32482)2249The telnet daemon (telnetd) in MIT krb5 before 1.6.1 allows remote attackers to bypass authentication and gain system access via a username beginning with a '-' character, a similar issue to CVE-2007-0882.The vendor will address this issue in the upcoming krb5-1.6.1 release.DSA-1276RHSA-2007:0095USN-449-1VU#220816247062473624757 20070403 MITKRB5-SA-2007-001: telnetd allows login as arbitrary user [CVE-2007-0956] 20070404 rPSA-2007-0063-1 krb5 krb5-server krb5-services krb5-test krb5-workstation GLSA-200704-02 MDKSA-2007:077 20070401-01-P 102867 SUSE-SA:2007:025 23281 ADV-2007-1249 1017848 24740 24750 24755 24785 24786 24817 24735 kerberos-telnet-security-bypass(33414) ADV-2007-1218MDKSA-2007:077TA07-093BStack-based buffer overflow in the krb5_klog_syslog function in the kadm5 library, as used by the Kerberos administration daemon (kadmind) and Key Distribution Center (KDC), in MIT krb5 before 1.6.1 allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via crafted arguments, possibly involving certain format string specifiers.DSA-1276RHSA-2007:0095USN-449-1VU#704024247062473624757 20070404 rPSA-2007-0063-1 krb5 krb5-server krb5-services krb5-test krb5-workstation 20070403 MITKRB5-SA-2007-002: KDC, kadmind stack overflow in krb5_klog_syslog [CVE-2007-0957] GLSA-200704-02 MDKSA-2007:077 20070401-01-P SUSE-SA:2007:025 23285 ADV-2007-1250 1017849 24740 24750 24785 24786 24798 24817 24735 kerberos-krb5klogsyslog-bo(33411) ADV-2007-1218 APPLE-SA-2007-04-19 ADV-2007-1470 24966MDKSA-2007:077102930TA07-093BTA07-109AADV-2007-198325464Linux kernel 2.6.x before 2.6.20 allows local users to read unreadable binaries by using the interpreter (PT_INTERP) functionality and triggering a core dump, a variant of CVE-2004-1073.MDKSA-2007:060RHSA-2007:00992290324482MDKSA-2007:07824777USN-451-124752DSA-128625078DSA-1304MDKSA-2007:060MDKSA-2007:078RHSA-2007:0488257142583826289Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to inspect certain TCP-based protocols, allows remote attackers to cause a denial of service (device reboot) via malformed TCP packets.20070214 Multiple Vulnerabilities in Cisco PIX and ASA Appliances22562ADV-2007-0608101765124160 22561 1017652 cisco-pix-asa-tcp-dos(32488)Unspecified vulnerability in Cisco PIX 500 and ASA 5500 Series Security Appliances 7.2.2, when configured to use the LOCAL authentication method, allows remote authenticated users to gain privileges via unspecified vectors.20070214 Multiple Vulnerabilities in Cisco PIX and ASA Appliances22562ADV-2007-0608101765124160 22561 1017652 24179 cisco-pix-asa-local-privilege-escalation(32489)Cisco PIX 500 and ASA 5500 Series Security Appliances 6.x before 6.3(5.115), 7.0 before 7.0(5.2), and 7.1 before 7.1(2.5), and the FWSM 3.x before 3.1(3.24), when the "inspect sip" option is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed SIP packets.20070214 Multiple Vulnerabilities in Cisco PIX and ASA Appliances20070214 Multiple Vulnerabilities in Firewall Services Module22562ADV-2007-060810176512416024180 VU#430969 22561 1017652 24179 cisco-pix-asa-sip-dos(32487) cisco-fwsm-sip-dos(32501)Cisco PIX 500 and ASA 5500 Series Security Appliances 7.0 before 7.0(4.14) and 7.1 before 7.1(2.1), and the FWSM 2.x before 2.3(4.12) and 3.x before 3.1(3.24), when "inspect http" is enabled, allows remote attackers to cause a denial of service (device reboot) via malformed HTTP traffic.20070214 Multiple Vulnerabilities in Cisco PIX and ASA Appliances20070214 Multiple Vulnerabilities in Firewall Services Module22562ADV-2007-060810176512416024180 22561 1017652 cisco-pix-asa-http-dos(32486)Unspecified vulnerability in Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.3), when set to log at the "debug" level, allows remote attackers to cause a denial of service (device reboot) by sending packets that are not of a particular protocol such as TCP or UDP, which triggers the reboot during generation of Syslog message 710006.20070214 Multiple Vulnerabilities in Firewall Services ModuleADV-2007-060924172 22561Cisco FWSM 3.x before 3.1(3.18), when authentication is configured to use "aaa authentication match" or "aaa authentication include", allows remote attackers to cause a denial of service (device reboot) via a malformed HTTPS request.20070214 Multiple Vulnerabilities in Firewall Services ModuleADV-2007-060924172 22561Cisco FWSM 3.x before 3.1(3.2), when authentication is configured to use "aaa authentication match" or "aaa authentication include", allows remote attackers to cause a denial of service (device reboot) via a long HTTP request.20070214 Multiple Vulnerabilities in Firewall Services ModuleADV-2007-060924172 22561Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.11), when the HTTPS server is enabled, allows remote attackers to cause a denial of service (device reboot) via certain HTTPS traffic.20070214 Multiple Vulnerabilities in Firewall Services ModuleADV-2007-060924172 22561 cisco-fwsm-http-dos(32497) cisco-fwsm-https-server-dos(32513)Cisco Firewall Services Module (FWSM) 3.x before 3.1(3.1) allows remote attackers to cause a denial of service (device reboot) via malformed SNMP requests.20070214 Multiple Vulnerabilities in Firewall Services ModuleADV-2007-060924172 22561 cisco-fwsm-snmp-dos(32515)Unspecified vulnerability in Cisco Firewall Services Module (FWSM) before 2.3(4.7) and 3.x before 3.1(3.1) causes the access control entries (ACE) in an ACL to be improperly evaluated, which allows remote authenticated users to bypass intended certain ACL protections.20070214 Multiple Vulnerabilities in Firewall Services ModuleADV-2007-060924172225611017650cisco-fwsm-acl-security-bypass(32521)Multiple cross-site scripting (XSS) vulnerabilities in WebTester 5.0.20060927 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to POST parameters to multiple files.20070214 WebTester 5.0.2 sql injection and XSS vulnerabilities22559 ADV-2007-0633 24157 webtester-post-xss(32492)2261Multiple SQL injection vulnerabilities in WebTester 5.0.20060927 and earlier allow remote attackers to execute arbitrary SQL commands via the testID parameter to directions.php, and unspecified parameters to other files that accept GET or POST input.20070214 WebTester 5.0.2 sql injection and XSS vulnerabilities22559 ADV-2007-0633 24157 webtester-directions-sql-injection(32490)2261Multiple SQL injection vulnerabilities in Jupiter CMS 1.1.5 allow remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header and certain other HTTP headers, which set the ip variable that is used in SQL queries performed by index.php and certain other PHP scripts. NOTE: the attack vector might involve _SERVER.20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities20070214 Re: Jupiter CMS 1.1.5 Multiple Vulnerabilities22560 3310Unrestricted file upload vulnerability in modules/emoticons.php in Jupiter CMS 1.1.5 allows remote attackers to upload arbitrary files by modifying the HTTP request to send an image content type, and to omit is_guest and is_user parameters. NOTE: this issue might be related to CVE-2006-4875.20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities20070214 Re: Jupiter CMS 1.1.5 Multiple Vulnerabilities22560 3311 jupitercm-emoticons-file-upload(32517)Multiple cross-site scripting (XSS) vulnerabilities in index.php in Jupiter CMS 1.1.5 allow remote attackers to inject arbitrary web script or HTML via the Referer HTTP header and certain other HTTP headers, which are displayed without proper sanitization when an administrator performs a Logged Guest action.20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities20070214 Re: Jupiter CMS 1.1.5 Multiple Vulnerabilities22560 jupitercm-loggedguests-xss(32518)Multiple unspecified vulnerabilities in Ian Bezanson DropBox before 0.0.4 beta have unknown impact and attack vectors, possibly related to a variable extraction vulnerability.ADV-2007-0598Variable extraction vulnerability in Ian Bezanson Apache Stats before 0.0.3 beta allows attackers to overwrite critical variables, with unknown impact, when the extract function is used on the _REQUEST superglobal array.ADV-2007-0598Buffer overflow in the ActSoft DVD-Tools ActiveX control (dvdtools.ocx) allows remote attackers to execute arbitrary code via a long DVD_TOOLS.OpenDVD property value.330722558 dvdtools-dvdtools-bo(32529) 3610IBM Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores HTTPPassword hashes from names.nsf in a manner accessible through Readviewentries and OpenDocument requests to the defaultview view, a different vector than CVE-2005-2428."Generate HTML for all fields" must be enabled for successful exploitation.3302Buffer overflow in swcons in IBM AIX 5.3 allows local users to gain privileges via long input data.IY9490124154 ADV-2007-0617 1017656 aix-swcons-bo(32508)Unspecified vulnerability in LifeType before 1.1.6, and 1.2 before 1.2-beta2, allows remote attackers to obtain sensitive information (file contents) via a "crafted URL."ADV-2007-061624170Unspecified vulnerability in HP Serviceguard for Linux; packaged for SuSE SLES8 and United Linux 1.0 before SG A.11.15.07, SuSE SLES9 and SLES10 before SG A.11.16.10, and Red Hat Enterprise Linux (RHEL) before SG A.11.16.10; allows remote attackers to obtain unauthorized access via unspecified vectors.HBSBGN021892413422574ADV-2007-06191017655Mozilla based browsers, including Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8, allow remote attackers to bypass the same origin policy, steal cookies, and conduct other attacks by writing a URI with a null byte to the hostname (location.hostname) DOM property, due to interactions with DNS resolver code.20070215 Firefox: serious cookie stealing / same-domain bypass vulnerabilityVU#88575322566101765420070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-281FEDORA-2007-293GLSA-200703-04GLSA-200703-08MDKSA-2007:050RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-1ADV-2007-0624ADV-2007-0718321042417524238242872429024205243282433324343243202429324393243952438424437firefox-locationhostname-security-bypass(32533)20070301-01-P2465020070214 Firefox: serious cookie stealing / same-domain bypass vulnerabilityDSA-1336MDKSA-2007:05020070202-01-PSSA:2007-066-03SSA:2007-066-05SUSE-SA:2007:022244552445724342255882262HPSBUX02153ADV-2008-0083Cross-site scripting (XSS) vulnerability in error.php in TaskFreak! 0.5.5 allows remote attackers to inject arbitrary web script or HTML via the tznMessage parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2253724123PHP remote file inclusion vulnerability in _admin/nav.php in AT Contenator 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the Root_To_Script parameter.3297atcontenator-nav-file-include(32453) 3297 ADV-2007-0606 24141SQL injection vulnerability in admin_poll.asp in PollMentor 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to pollmentorres.asp.330122542ADV-2007-060124137pollmentor-pollmentorres-sql-injection(32456)SQL injection vulnerability in nickpage.php in phpCC 4.2 beta and earlier allows remote attackers to execute arbitrary SQL commands via the npid parameter in a sign_gb action.Exploit 329922540ADV-2007-0602PHP remote file inclusion vulnerability in index.php in Jupiter CMS 1.1.5, when PHP 5.0.0 or later is used, allows remote attackers to execute arbitrary PHP code via an ftp URL in the n parameter.Successful exploitation requires that "magic_quotes_gpc" is disabled and that "allow_url_fopen" is enabled.20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities20070214 Re: Jupiter CMS 1.1.5 Multiple VulnerabilitiesExploit 3309225603309jupitercm-index-n-file-include(32519)Directory traversal vulnerability in index.php in Jupiter CMS 1.1.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot), or an absolute pathname, in the n parameter.20070214 Jupiter CMS 1.1.5 Multiple Vulnerabilities20070214 Re: Jupiter CMS 1.1.5 Multiple Vulnerabilities22560 3309The zend_hash_init function in PHP 5 before 5.2.1 and PHP 4 before 4.4.5, when running on a 64-bit platform, allows context-dependent attackers to cause a denial of service (infinite loop) by unserializing certain integer expressions, which only cause 32-bit arguments to be used after the check for a negative value, as demonstrated by an "a:2147483649:{" argument.RHSA-2007:00762419520070227 rPSA-2007-0043-1 php php-mysql php-pgsqlDSA-1264GLSA-200703-21MDKSA-2007:048OpenPKG-SA-2007.010RHSA-2007:0081RHSA-2007:0089RHSA-2007:0088RHSA-2007:0082USN-424-1USN-424-21017671242172424824236242952432224432244212460624642php-zendhashinit-dos(32709)HPSBMA02215HPSBTU02232MDKSA-2007:04820070201-01-PSUSE-SA:2007:0322007-0009ADV-2007-1991ADV-2007-237425056254232428424419258502315** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-0933. Reason: This candidate is a duplicate of CVE-2007-0933 due to a typo. Notes: All CVE users should reference CVE-2007-0933 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.A regression error in Mozilla Firefox 2.x before 2.0.0.2 and 1.x before 1.5.0.10, and SeaMonkey 1.1 before 1.1.1 and 1.0 before 1.0.8, allows remote attackers to execute arbitrary JavaScript as the user via an HTML mail message with a javascript: URI in an (1) img, (2) link, or (3) style tag, which bypasses the access checks and executes code with chrome privileges.RHSA-2007:0097SUSE-SA:2007:01922826ADV-2007-08231017726243952438420070301-01-P24650DSA-1336SSA:2007-066-03SSA:2007-066-05SUSE-SA:2007:022244552445725588HPSBUX02153Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 ignores trailing invalid HTML characters in attribute names, which allows remote attackers to bypass content filters that use regular expressions.20070226 rPSA-2007-0040-1 firefox20070303 rPSA-2007-0040-3 firefox thunderbirdFEDORA-2007-281FEDORA-2007-293GLSA-200703-04GLSA-200703-08MDKSA-2007:050RHSA-2007:0079RHSA-2007:0077RHSA-2007:0078RHSA-2007:0097RHSA-2007:0108SUSE-SA:2007:019USN-428-122694ADV-2007-071810177022423824287242902420524328243332434324320242932439324395243842443720070301-01-P24650DSA-1336MDKSA-2007:05020070202-01-PSSA:2007-066-03SSA:2007-066-05SUSE-SA:2007:0223211124455244572434225588HPSBUX02153ADV-2008-0083The child frames in Mozilla Firefox before 1.5.0.10 and 2.x before 2.0.0.2, and SeaMonkey before 1.0.8 inherit the default charset from the parent window, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set.RHSA-2007:0079 20070223 Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability 20070226 rPSA-2007-0040-1 firefox FEDORA-2007-281 FEDORA-2007-293 MDKSA-2007:050 RHSA-2007:0077 RHSA-2007:0078 RHSA-2007:0097 RHSA-2007:0108 SUSE-SA:2007:019 USN-428-1 22694 ADV-2007-0718 1017702 24287 24290 24205 24328 24333 24343 24320 24395 24384 20070301-01-P 24650DSA-1336MDKSA-2007:05020070202-01-PSSA:2007-066-03SSA:2007-066-05SUSE-SA:2007:02224455244572434225588HPSBUX02153Race condition in the tee (sys_tee) system call in the Linux kernel 2.6.17 through 2.6.17.6 might allow local users to cause a denial of service (system crash), obtain sensitive information (kernel memory contents), or gain privileges via unspecified vectors related to a potentially dropped ipipe lock during a race between two pipe readers.[linux-kernel] 20060717 [patch 25/45] splice: fix problems with sys_tee()The VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information.RHSA-2007:0114229671017764FEDORA-2007-343FEDORA-2007-344ADV-2007-1020ADV-2007-1021ADV-2007-101924575fedora-xen-qemuvnc-information-disclosure(33085)Format string vulnerability in Ekiga 2.0.3, and probably other versions, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2007-1006.MDKSA-2007:058USN-434-1 RHSA-2007:0087MDKSA-2007:058The ipv6_getsockopt_sticky function in net/ipv6/ipv6_sockglue.c in the Linux kernel before 2.6.20.2 allows local users to read arbitrary kernel memory via certain getsockopt calls that trigger a NULL dereference.22904 FEDORA-2007-335 FEDORA-2007-336 VU#920689 33025 24518 MDKSA-2007:078 24777 24901 RHSA-2007:0169 25080 SUSE-SA:2007:029 2509920070615 rPSA-2007-0124-1 kernel xenMDKSA-2007:078USN-486-1USN-489-1ADV-2007-090725691244932613326139Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via Wireless Bitmap (WBMP) images with large width or height values.25151ADV-2007-1269php-gd-overflow(33453)20070407 PHP <= 5.2.1 wbmp file handling integer overflow23357RHSA-2007:0155248142492420070418 rPSA-2007-0073-1 php php-mysql php-pgsqlRHSA-2007:0153RHSA-2007:01622496524945 MDKSA-2007:087 MDKSA-2007:088 MDKSA-2007:089 24909APPLE-SA-2007-07-31GLSA-200705-19MDKSA-2007:087MDKSA-2007:088MDKSA-2007:089MDKSA-2007:090SSA:2007-127SUSE-SA:2007:03225159ADV-2007-2732250562544526235Format string vulnerability in the write_html function in calendar/gui/e-cal-component-memo-preview.c in Evolution Shared Memo 2.8.2.1, and possibly earlier versions, allows user-assisted remote attackers to execute arbitrary code via format specifiers in the categories of a crafted shared memo.24234evolution-writehtml-format-string(33106) 1017808 24651 24668 RHSA-2007:0158 2510220070321 Secunia Research: Evolution Shared Memo Categories Format StringVulnerabilityDSA-1325GLSA-200706-02MDKSA-2007:070SUSE-SR:2007:015USN-442-123073ADV-2007-10582555125880Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption.20070403 Multiple Vendor X Server XC-MISC Extension Memory Corruption Vulnerability[xorg-announce] 20070403 various integer overflow vulnerabilites in xserver, libX11 and libXfontRHSA-2007:0126USN-448-123284ADV-2007-12171017857247412475624770 20070404 rPSA-2007-0065-1 freetype xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs 20070405 FLEA-2007-0009-1: xorg-x11 freetype MDKSA-2007:079 MDKSA-2007:080 RHSA-2007:0125 24745 24758 24765 24771 24772 24791 xorg-xcmisc-overflow(33424) RHSA-2007:0127 SUSE-SA:2007:027 25004 [3.9] 021: SECURITY FIX: April 4, 2007 [4.0] 011: SECURITY FIX: April 4, 2007 102886 23300 ADV-2007-1548 25006 GLSA-200705-10 25195 25216DSA-1294MDKSA-2007:079MDKSA-2007:080oval:org.mitre.oval:def:198025305SUSE-SR:2008:00829622Mozilla Firefox might allow remote attackers to conduct spoofing and phishing attacks by writing to an about:blank tab and overlaying the location bar.20070216 Firefox: about:blank is phisher's best friend20070217 Re: Firefox: about:blank is phisher's best friend22601firefox-aboutblank-security-bypass(32580)20070219 RE: Firefox: about:blank is phisher's best friend241532264Heap-based buffer overflow in SW3eng.exe in the eID Engine service in CA (formerly Computer Associates) eTrust Intrusion Detection 3.0.5.57 and earlier allows remote attackers to cause a denial of service (application crash) via a long key length value to the remote administration port (9191/tcp).20070227 Computer Associates eTrust Intrusion Detection Denial of Service Vulnerability22743ADV-2007-07763229024309 20070228 [CAID 35112]: CA eTrust Intrusion Detection Denial of Service Vulnerability 1017706Multiple format string vulnerabilities in the gm_main_window_flash_message function in Ekiga before 2.0.5 allow attackers to cause a denial of service and possibly execute arbitrary code via a crafted Q.931 SETUP packet.Update to version 2.0.5.24194[Ekiga-list] 20070213 Ekiga 2.0.5 availableDSA-1262FEDORA-2007-262FEDORA-2007-263MDKSA-2007:044RHSA-2007:0087USN-426-122613ADV-2007-065531939101767324228242292427124379GLSA-200703-2524680SUSE-SR:2007:00925119Format string vulnerability in GnomeMeeting 1.0.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in the name, which is not properly handled in a call to the gnomemeeting_log_insert function.Failed exploit attempts will like result in a system level denial-of-service condition.RHSA-2007:008624185 DSA-1262 MDKSA-2007:045 USN-426-1 24271 24379 SUSE-SR:2007:009 25119MDKSA-2007:04520070201-01-P24284Apple iTunes 7.0.2 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted XML list of radio stations, which results in memory corruption. NOTE: iTunes retrieves the XML document from a static URL, which requires an attacker to perform DNS spoofing or man-in-the-middle attacks for exploitation.Successful exploitation requires that an attacker perform some type of DNS spoofing or man-in-the-middle attack prior to launching this attack.20070219 iTunes remote memory corruption vulnerability226152278Macrovision InstallAnywhere Enterprise before 8.0.1 uses the InstallScript.iap_xml configuration file without integrity protection to verify authorization for installing an application, which allows local users to perform unauthorized installations by removing the (1) password or (2) serial number verification sections from this file.20070416 SYMSA-2007-003 Macrovision InstallAnywhere Password and Serial Number Bypass22643ADV-2007-14332596Multiple PHP remote file inclusion vulnerabilities in ZebraFeeds 1.0, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the zf_path parameter to (1) aggregator.php and (2) controller.php in newsfeeds/includes/.331422576ADV-2007-062224162zebrafeeds-zfpath-file-include(32507)PHP remote file inclusion vulnerability in functions_inc.php in VS-Gastebuch 1.5.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gb_pfad parameter.22605ADV-2007-064624182 vsgastebuch-functions-file-include(32555)Cross-site scripting (XSS) vulnerability in faq.php in DeskPRO 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the article parameter.20070214 XSS in [deskpro.com v1.1.0 ]deskprocom-faq-xss(32525)2267PHP remote file inclusion vulnerability in generate.php in VirtualSystem Htaccess Passwort Generator 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the ht_pfad parameter.332422598ADV-2007-0643 24214 htaccess-generate-file-include(32559)Stack-based buffer overflow in VicFTPS before 5.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long CWD command.333122608ADV-2007-064824161 vicftps-cwd-bo(32557)SQL injection vulnerability in HaberDetay.asp in Aktueldownload Haber script allows remote attackers to execute arbitrary SQL commands via the id parameter.3318ADV-2007-0620aktueldownload-haberdetay-sql-injection(32527)SQL injection vulnerability in Aktueldownload Haber script allows remote attackers to execute arbitrary SQL commands via certain vectors related to the HaberDetay.asp and rss.asp components, and the id and kid parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the combination of the HaberDetay.asp component and the id parameter is already covered by another February 2007 CVE candidate.ADV-2007-0620PHP remote file inclusion vulnerability in show_news_inc.php in VirtualSystem VS-News-System 1.2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the newsordner parameter.Successful exploitation requires that "register_globals" is enabled.33222259224220vsnewssystem-shownewsinc-file-include(32544) ADV-2007-0649PHP remote file inclusion vulnerability in tpl/header.php in VirtualSystem VS-News-System 1.2.1 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the newsordner parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24220SQL injection vulnerability in news.php in webSPELL 4.01.02, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands via the showonly parameter to index.php, a different vector than CVE-2006-5388.Successful exploitation e.g. allows retrieval of password hashes, but requires that "register_globals" is enabled.33252254124191webspell-showonly-sql-injection(32554) ADV-2007-0650Cross-site scripting (XSS) vulnerability in index.php in CedStat 1.31 allows remote attackers to inject arbitrary web script or HTML via the hier parameter.20070215 CedStat v1.31 XSS22588Cedstat-index-xss(32537) 22653 ADV-2007-06802265SQL injection vulnerability in inc_listnews.asp in CodeAvalanche News 1.x allows remote attackers to execute arbitrary SQL commands via the CAT_ID parameter.331722582ADV-2007-0621codeavalanche-inclistnews-sql-injection(32528)SQL injection vulnerability in h_goster.asp in Turuncu Portal 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2259124209 turuncu-hgoster-sql-injection(32571)SQL injection vulnerability in pop_profile.asp in Snitz Forums 2000 3.1 SR4 allows remote attackers to execute arbitrary SQL commands via the id parameter.332122593snitzforums-popprofile-sql-injection(32543)PHP remote file inclusion vulnerability in include.php in Meganoide's news 1.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the _SERVER[DOCUMENT_ROOT] parameter.20070216 Meganoide's news v1.1.1 < = RFi Vulnerabilities22589meganoidesnews-include-file-include(32546)2266PHP remote file inclusion vulnerability in inc/functions_inc.php in VS-Link-Partner 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gb_pfad, or possibly script_pfad, parameter.332322594ADV-2007-0651vslinkpartner-functions-file-include(32547)SQL injection vulnerability in view.php in XLAtunes 0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the album parameter in view mode. NOTE: some of these details are obtained from third party information.332722602ADV-2007-0644 20070219 XLAtunes 0.1 (album) Remote SQL Injection Vulnerability 20070220 Re: XLAtunes 0.1 (album) Remote SQL Injection Vulnerability 20070221 XLAtunes 0.1 (album) Remote SQL Injection Vulnerability xlatunes-album-sql-injection(32556)Certain setuid DB2 binaries in IBM DB2 before 9 Fix Pack 2 for Linux and Unix allow local users to overwrite arbitrary files via a symlink attack on the DB2DIAG.LOG temporary file.ADV-2007-0652242131017695226141017665Cross-site scripting (XSS) vulnerability in the Barry Jaspan Image Pager 4.7.x-1.x-dev and 5.x-1.x-dev before 2007-02-08 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to HTML entities and the IMG element.22586ADV-2007-0636imagepager-img-xss(32539)Stack-based buffer overflow in the Connect method in the IMAP4 component in Quiksoft EasyMail Objects before 6.5 allows remote attackers to execute arbitrary code via a long host name.20070215 EasyMail Objects v6.5 Connect Method Stack Overflow22583ADV-2007-063424199easymailobjects-connect-bo(32540)332082277Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of service (infinite loop) via a DNS response containing a label pointer that references its own offset.20070219 Remote DoS in libevent DNS parsing <= 1.2a22606ADV-2007-0647241812268Directory traversal vulnerability in include/db_conn.php in SpoonLabs Vivvo Article Management CMS 3.4 allows remote attackers to include and execute arbitrary local files via the root parameter.332622600vivvo-dbconn-file-include(32553)Unspecified vulnerability in phpMyFAQ 1.6.9 and earlier, when register_globals is enabled, allows remote attackers to "gain the privilege for uploading files on the server."Successful exploitation requires that "register_globals" is enabled.24230phpmyfaq-unspecified-globals-file-upload(32573)Unspecified vulnerability in the Secure site 4.7.x-1.x-dev and 5.x-1.x-dev module for Drupal allows remote attackers to bypass access restrictions via a crafted URL.ADV-2007-0637securesite-url-security-bypass(32538)SQL injection vulnerability in the category file in modules.php in the Emporium 2.3.0 and earlier module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the category_id parameter.333422612ADV-2007-0661emporium-modules-sql-injection(23699)Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors.This vulnerability affects the following versions of Drupal Mediafield Module: Drupal, Mediafield Module, 4.7.x-1.x-dev Drupal, Mediafield Module, 5.x-1.x-dev This vulnerability affects the following versions of Drupal Audio Module: Drupal, Audio Module, 4.7.x-1.x-dev Drupal, Audio Module, 5.x-0.2 Drupal, Audio Module, 5.x-0.x-dev DRUPAL-SA-2007-00922587ADV-2007-0635drupal-getid3-code-execution(32542)The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.20070220 Jboss vulnerability20070220 Re: Jboss vulnerability20070220 Re: Jboss vulnerabilityVU#632656 1017677 jboss-admin-unauth-access(32596)Stack-based buffer overflow in News File Grabber 4.1.0.1 and earlier allows remote attackers to execute arbitrary code via a .nzb file with a long subject field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22617ADV-2007-066224237newsfilegrabber-nzb-bo(32577)Shemes.com Grabit 1.5.3, and possibly earlier, allows remote attackers to cause a denial of service (application crash) via a .nzb file with a subject field containing ';' (semicolon) characters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22619ADV-2007-0664 grabit-nzb-dos(32579)Unspecified vulnerability in Peanut Knowledge Base (PeanutKB) 0.0.3 and earlier has unknown impact and attack vectors.ADV-2007-0666 22628 peanutkb-multiple-unspecified(32574)Directory traversal vulnerability in archives.php in Xpression News (X-News) 1.0.1 allows remote attackers to include arbitrary files or obtain sensitive information via a .. (dot dot) in the xnews-template parameter.333222609ADV-2007-064524177xnews-archives-news-directory-traversal(32560)Multiple stack-based buffer overflows in S&H Computer Systems News Rover 12.1 Rev 1 allow remote attackers to execute arbitrary code via a .nzb file with a long (1) group or (2) subject string.334222618ADV-2007-066324216newsrover-nzb-bo(32576)Directory traversal vulnerability in news.php in Xpression News (X-News) 1.0.1, when magic_quotes_gpc is disabled, allows remote attackers to include arbitrary files or obtain sensitive information via a .. (dot dot) in the xnews-template parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24177xnews-archives-news-directory-traversal(32560)Ezboo webstats, possibly 3.0.3, allows remote attackers to bypass authentication and gain access via a direct request to (1) update.php and (2) config.php.20070215 Ezboo webstats acces to sensitive files22590ezboo-update-unauthorized-access(32563)2275Pearson Education PowerSchool 4.3.6 allows remote attackers to list the contents of the admin folder via a URI composed of the admin/ directory name and an arbitrary filename ending in ".js." NOTE: it was later reported that this issue had been addressed by 5.1.2.20070219 Powerschool 404 Admin Exposure22611powerschool-js-information-disclosure(32569)227620071204 Re: Powerschool 404 Admin ExposuremAlbum 0.3 has default accunts (1) "login"/"pass" for its administrative account and (2) "dqsfg"/"sdfg", which allows remote attackers to gain privileges.mAlbum should reconfigure their administrative login and password from their default values.20070217 mAlbum v0.3 admin by default user/passmalbum-default-admin-account(32562)2272Dem_trac allows remote attackers to read log file contents via a direct request for /anc_sit.txt.20070215 Dem_trac acces to log file wihtout authentificationdemtrac-ancsit-information-disclosure(32566)2271Unspecified vulnerability in Distributed Checksum Clearinghouse (DCC) before 1.3.51 allows remote attackers to delete or add hosts in /var/dcc/maps.22622ADV-2007-065424176PHP remote file inclusion vulnerability in admin_rebuild_search.php in phpbb_wordsearch allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.20070216 phpbb_wordsearch < = RFi Vulnerabilitiesphpbbwordsearch-rebuildsearch-file-include(32551)2280Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable.22534 GLSA-200703-23 ADV-2007-0741 24306 24566Multiple cross-site scripting (XSS) vulnerabilities in index.php in AbleDesign MyCalendar allow remote attackers to inject arbitrary web script or HTML via (1) the go parameter, (2) the keyword parameter in the search menu (go=search), or (3) the username or (4) the password in a go=Login action.20070219 MyCalendar multiple XSS22635ADV-2007-067924222mycalendar-index-xss(32581)2270Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.17.183 and earlier uses a weak cryptographic hashing function (CRC32) to identify trusted modules, which allows local users to bypass security protections by substituting modified modules that have the same CRC32 value.20070215 Comodo DLL injection via weak hash function exploitation Vulnerability20070215 Comodo DLL injection via weak hash function exploitation Vulnerabilitycomodofirewallpro-crc32-security-bypass(32530)2279** DISPUTED ** PHP remote file inclusion vulnerability in index.php in PBLang (PBL) 4.60 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the dbpath parameter, a different vector than CVE-2006-5062. NOTE: this issue has been disputed by a reliable third party for 4.65, stating that the dbpath variable is initialized in an included file that is created upon installation.20070216 PBLang 4.60 <= (index.php) Remote File Include Vulnerability20070216 PBLang 4.60 <= (index.php) Remote File Include Vulnerability2269** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in phpXmms 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the tcmdp parameter to (1) phpxmmsb.php or (2) phpxmmst.php. NOTE: this issue has been disputed by a reliable third party, stating that the tcmdp variable is initialized by config.php.20070220 phpXmms 1.0 (tcmdp) Remote File Include Vulnerabilities20070220 false: phpXmms 1.0 (tcmdp) Remote File Include Vulnerabilities2273Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.6.x through 1.9.2, when $wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded value of the rs parameter, which is processed by Internet Explorer.Successful exploitation requires that "$wgUseAjax" is enabled20070220 MediaWiki Cross-site Scripting20070221 [unsure] MediaWiki Cross-site Scripting ADV-2007-0678 24211 mediawiki-index-xss(32586)2274Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.9.x before 1.9.0rc2, and 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the rs parameter. NOTE: this issue might be a duplicate of CVE-2007-0177.20070220 MediaWiki Cross-site Scripting mediawiki-index-xss(32586)2274VMware Workstation 5.5.3 build 34685 does not provide per-user restrictions on certain privileged actions, which allows local users to perform restricted operations such as changing system time, accessing hardware components, and stopping the "VMware tools service" service. NOTE: exploitation is simplified via (1) weak file permisssions (Users = Read & Execute) for %PROGRAMFILES%\VMware; and weak registry key permissions (access by Users) for (2) vmmouse, (3) vmscsi, (4) VMTools, (5) vmx_svga, and (6) vmxnet in HKLM\SYSTEM\CurrentControlSet\Services\; which allows local users to perform various privileged actions outside of the guest OS by executing certain files under %PROGRAMFILES%\VMware\VMware Tools, as demonstrated by (a) VMControlPanel.cpl and (b) vmwareservice.exe.20070219 VMware Workstation multiple denial of service and isolation manipulation vulnerabilities20070303 Re: VMware Workstation multiple denial of service and isolation manipulation vulnerabilities2281The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client.2423122632ADV-2007-06711017678netdirect-permissions-privilege-escalation(32597)SQL injection vulnerability in user_pages/page.asp in Online Web Building 2.0 allows remote attackers to execute arbitrary SQL commands via the art_id parameter.3339ADV-2007-067424208 onlineweb-page-sql-injection(32583)PHP remote file inclusion vulnerability in function.php in Ultimate Fun Book 1.02 allows remote attackers to execute arbitrary PHP code via a URL in the gbpfad parameter. NOTE: some sources mention "Ultimate Fun Board," but this appears to be an error.333622633ADV-2007-067524219 ultimatefunbook-function-file-include(32584)Multiple PHP remote file inclusion vulnerabilities in Interspire SendStudio 2004.14 and earlier, when register_globals and allow_fopenurl are enabled, allow remote attackers to execute arbitrary PHP code via a URL in the ROOTDIR parameter to (1) createemails.inc.php and (2) send_emails.inc.php in /admin/includes/.3348ADV-2007-067224212 20070221 [ECHO_ADV_66$2007] SendStudio <= 2004.14 Remote File Inclusion Vulnerability 22642 sendstudio-rootdir-file-include(32602)SQL injection vulnerability in index.php in Francisco Burzi PHP-Nuke 8.0 Final and earlier, when the "HTTP Referers" block is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header (HTTP_REFERER variable).3346ADV-2007-067324224 20070224 Blind sql injection attack in INSERT syntax on PHP-nuke <=8.0 Final 20070220 Blind sql injection attack in INSERT syntax on PHP-nuke <=8.0 Final 22638 phpnuke-index-sql-injection(32607)The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier does not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time20070221 Cisco Unified IP Conference Station and IP Phone VulnerabilitiesADV-2007-068820070221 Identifying and Mitigating Exploitation of Cisco Unified IP Conference Station and IP Phone Vulnerabilities22647101768024262cisco-unified-ip-conference-url-auth-bypass(32623)The SSH server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier, uses a hard-coded username and password, which allows remote attackers to access the device.20070221 Cisco Unified IP Conference Station and IP Phone VulnerabilitiesADV-2007-0689 20070221 Identifying and Mitigating Exploitation of Cisco Unified IP Conference Station and IP Phone Vulnerabilities 22647 1017681 24262 cisco-unified-ip-phone-default-user-account(32627)Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client do not drop privileges when the help facility in the supplicant GUI is invoked, which allows local users to gain privileges, aka CSCsf14120.20070221 Multiple Vulnerabilities in 802.1X Supplicant22648ADV-2007-06901017683101768424258cisco-cssc-help-privilege-escalation(32621)Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client allows local users to gain SYSTEM privileges via unspecified vectors in the supplicant, aka CSCsf15836.20070221 Multiple Vulnerabilities in 802.1X Supplicant22648ADV-2007-06901017683101768424258cisco-cssc-privilege-escalation(32622)Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client use an insecure default Discretionary Access Control Lists (DACL) for the connection client GUI, which allows local users to gain privileges by injecting "a thread under ConnectionClient.exe," aka CSCsg20558.20070221 Multiple Vulnerabilities in 802.1X Supplicant22648ADV-2007-06901017683101768424258cisco-cssc-dacl-privilege-escalation(32625)Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client do not properly parse commands, which allows local users to gain privileges via unspecified vectors, aka CSCsh30624.20070221 Multiple Vulnerabilities in 802.1X Supplicant22648ADV-2007-06901017683101768424258cisco-cssc-parsing-privilege-escalation(32624)The (1) TTLS CHAP, (2) TTLS MSCHAP, (3) TTLS MSCHAPv2, (4) TTLS PAP, (5) MD5, (6) GTC, (7) LEAP, (8) PEAP MSCHAPv2, (9) PEAP GTC, and (10) FAST authentication methods in Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client store transmitted authentication credentials in plaintext log files, which allows local users to obtain sensitive information by reading these files, aka CSCsg34423.20070221 Multiple Vulnerabilities in 802.1X Supplicant22648ADV-2007-06901017683101768424258cisco-cssc-password-information-disclosure(32626)The memory management in VMware Workstation before 5.5.4 allows attackers to cause a denial of service (Windows virtual machine crash) by triggering certain general protection faults (GPF). 20070507 [Reversemode Advisory] VMware Products - GPF Denial of Service 25079 vmware-gpf-dos(33994) 101801123732ADV-2007-1592Multiple stack-based buffer overflows in Trend Micro ServerProtect for Windows and EMC 5.58, and for Network Appliance Filer 5.61 and 5.62, allow remote attackers to execute arbitrary code via crafted RPC requests to TmRpcSrv.dll that trigger overflows when calling the (1) CMON_NetTestConnection, (2) CMON_ActiveUpdate, and (3) CMON_ActiveRollback functions in (a) StCommon.dll, and (4) ENG_SetRealTimeScanConfigInfo and (5) ENG_SendEMail functions in (b) eng50.dll. 20070220 TSRT-07-01: Trend Micro ServerProtect StCommon.dll Stack Overflow Vulnerabilities 20070220 TSRT-07-02: Trend Micro ServerProtect eng50.dll Stack Overflow Vulnerabilities VU#349393 VU#466609 VU#630025 VU#730433 22639 ADV-2007-0670 1017676 24243 serverprotect-eng50-bo(32594) serverprotect-stcommon-bo(32601)Integer overflow in the gifGetBandProc function in ImageIO in Apple Mac OS X 10.4.8 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image that triggers the overflow during decompression. NOTE: this is a different issue than CVE-2006-3502 and CVE-2006-3503.22630 VU#559444 ADV-2007-0930 1017758 24479APPLE-SA-2007-03-13TA07-072A34854The command line interface (CLI) in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier allows local users to obtain privileges or cause a denial of service via unspecified vectors. NOTE: this issue can be leveraged remotely via CVE-2007-1063.20070221 Cisco Unified IP Conference Station and IP Phone Vulnerabilities20070221 Identifying and Mitigating Exploitation of Cisco Unified IP Conference Station and IP Phone Vulnerabilities24262 22647Static code injection vulnerability in install.php in mcRefer allows remote attackers to execute arbitrary PHP code via the bgcolor parameter, which is inserted into mcrconf.inc.php.20070211 Re: mcRefer SQL injection2283Multiple buffer overflows in NewsBin Pro 5.33 and NewsBin Pro 4.x allow user-assisted remote attackers to execute arbitrary code via a long (1) DataPath or (2) DownloadPath attributed in a (a) NBI file, or (3) a long group field in a (b) NZB file.Successful exploitation allows execution of arbitrary code, but requires that the user is tricked into e.g. loading a malicious NBI configuration file.33492265224261newsbinpro-nbi-bo(32598) ADV-2007-0694 newsbinpro-nzb-bo(32608)TurboFTP 5.30 Build 572 allows remote servers to cause a denial of service (CPU consumption) via a response with a large number of newline characters.334122634Multiple directory traversal vulnerabilities in phpTrafficA 1.4.1, and possibly earlier, allow remote attackers to include arbitrary local files via a .. (dot dot) in the (1) file parameter to plotStat.php and the (2) lang parameter to banref.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2265524242 ADV-2007-0709 phptraffica-plotstat-banref-file-include(32628)SQL injection vulnerability in page.asp in Design4Online UserPages2 2.0 allows remote attackers to execute arbitrary SQL commands via the art_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22636PHP remote file inclusion vulnerability in index.php in FlashGameScript 1.5.4 allows remote attackers to execute arbitrary PHP code via a URL in the func parameter.2264620070221 FlashGameScript v1.5.4 Remote File Inclusion Vulnerability3360ADV-2007-070724267flashgamescript-index-file-include(32635)Stack-based buffer overflow in Rhino Software, Inc. FTP Voyager 14.0.0.3 and earlier allows remote servers to cause a denial of service (crash) via a long response to a CWD command, which triggers the overflow when the user aborts the command.334322637ftpvoyager-cwd-dos(32593)Multiple heap-based buffer overflows in TurboFTP 5.30 Build 572 allow remote servers to cause a denial of service via (1) long filename in a response to a LIST command, and (2) a long response to a CWD command.334122634 turboftp-cwd-dos(32605) turboftp-list-dos(32604)The start function in class.t3lib_formmail.php in TYPO3 before 4.0.5, 4.1beta, and 4.1RC1 allows attackers to inject arbitrary email headers via unknown vectors. NOTE: some details were obtained from third party information.ADV-2007-0697 22668 24207 typo3-t3libformmail-field-email-injection(32630)FTP Explorer 1.0.1 Build 047, and other versions before 1.0.1.52, allows remote servers to cause a denial of service (CPU consumption) via a long response to a PWD command.334722640ftpexplorer-pwd-dos(32606)20070324 Vendor ACK for FTPx DoS (CVE-2007-1082)Buffer overflow in the Configuration Checker (ConfigChk) ActiveX control in VSCnfChk.dll 2.0.0.2 for Verisign Managed PKI Service, Secure Messaging for Microsoft Exchange, and Go Secure! allows remote attackers to execute arbitrary code via long arguments to the VerCompare method.20070222 VeriSign ConfigChk ActiveX Control Buffer Overflow VulnerabilityVU#3080872267122676ADV-2007-070210176921017693101769424249verisign-configchk-bo(32639)Mozilla Firefox 2.0.0.1 and earlier does not prompt users before saving bookmarklets, which allows remote attackers to bypass the same-domain policy by tricking a user into saving a bookmarklet with a data: scheme, which is executed in the context of the last visited web page.20070221 Firefox bookmark cross-domain surfing vulnerability20070221 Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability20070221 Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability2266620070222 Re: [Full-disclosure] Firefox bookmark cross-domain surfing vulnerability20070223 Re: [Full-disclosure] Firefox bookmark cross-domain surfingvulnerability2304Cross-site scripting (XSS) vulnerability in Google Desktop allows remote attackers to bypass protection schemes and inject arbitrary web script or HTML, and possibly gain full access to the system, by using an XSS vulnerability in google.com to extract the signature for the internal web server, then calling the "under" parameter in Advanced Search with the proper signature.20070221 Overtaking Google Desktop20070222 RE: Overtaking Google DesktopVU#6158572265010176862301Unspecified binaries in IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 allow local users to create or modify arbitrary files via unspecified environment variables related to "unsafe file access."20070222 IBM DB2 Universal Database Multiple Privilege Escalation VulnerabilitiesIY948332267720070818 Recent DB2 Vulnerabilitiesdb2-setuid-privilege-escalation(32650)IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 does not properly terminate certain input strings, which allows local users to execute arbitrary code via unspecified environment variables that trigger a heap-based buffer overflow.20070222 IBM DB2 Universal Database Multiple Privilege Escalation VulnerabilitiesIY948332267720070818 Recent DB2 Vulnerabilitiesdb2-bss-bo(32651)Stack-based buffer overflow in IBM DB2 8.x before 8.1 FixPak 15 and 9.1 before Fix Pack 2 allows local users to execute arbitrary code via a long string in unspecified environment variables.20070222 IBM DB2 Universal Database Multiple Privilege Escalation VulnerabilitiesIY948332267720070818 Recent DB2 Vulnerabilitiesdb2-variable-bo(32652)IBM DB2 Universal Database (UDB) 9.1 GA through 9.1 FP1 allows local users with table SELECT privileges to perform unauthorized UPDATE and DELETE SQL commands via unknown vectors.JR259412428320070818 Recent DB2 VulnerabilitiesADV-2007-0721Microsoft Windows Explorer on Windows XP and 2003 allows remote user-assisted attackers to cause a denial of service (crash) via a malformed WMF file, which triggers the crash when the user browses the folder.20070225 Few unreported vulnerabilities by SehaTo22715Microsoft Internet Explorer 7 allows remote attackers to prevent users from leaving a site, spoof the address bar, and conduct phishing and other attacks via onUnload Javascript handlers.20070223 MSIE7 browser entrapment vulnerability (probably Firefox, too)20070223 Secunia Research: Internet Explorer 7 20070223 MSIE7 browser entrapment vulnerability (probably Firefox, too)22680ADV-2007-071323014ie-mozilla-onunload-dos(32647) ie-mozilla-onunload-url-spoofing(32649)HPSBST02280MS07-057TA07-282A10187882291oval:org.mitre.oval:def:2162Mozilla Firefox 1.5.0.9 and 2.0.0.1, and SeaMonkey before 1.0.8 allow remote attackers to execute arbitrary code via JavaScript onUnload handlers that modify the structure of a document, wich triggers memory corruption due to the lack of a finalize hook on DOM window objects.20070223 Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)VU#39392122679MDKSA-2007:050RHSA-2007:0078SUSE-SA:2007:019USN-428-1101770124333243432439524384mozilla-onunload-code-execution(32648)ie-mozilla-onunload-dos(32647)20070301-01-P24650MDKSA-2007:050SSA:2007-066-05SUSE-SA:2007:022244572302HPSBUX02153Multiple unspecified vulnerabilities in JP1/Cm2/Network Node Manager (NNM) before 07-10-05, and before 08-00-02 in the 08-x series, allow remote attackers to execute arbitrary code, cause a denial of service, or trigger invalid Web utility behavior.24276ADV-2007-0739nnm-unspecified-code-execution(32682)nnm-unspecified-dos(32683)Microsoft Internet Explorer 7 allows remote attackers to cause a denial of service (NULL dereference and application crash) via JavaScript onUnload handlers that modify the structure of a document.20070223 Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)22678ie-mozilla-onunload-dos(32647)2302Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 do not properly implement JavaScript onUnload handlers, which allows remote attackers to run certain JavaScript code and access the location DOM hierarchy in the context of the next web site that is visited by a client.20070223 Firefox: onUnload tailgating (MSIE7 entrapment bug variant)20070223 MSIE7 browser entrapment vulnerability (probably Firefox, too)20070223 MSIE7 browser entrapment vulnerability (probably Firefox, too)22688ie-mozilla-onunload-dos(32647)ie-mozilla-onunload-url-spoofing(32649)20071029 FLEA-2007-0062-1 firefox20071026 rPSA-2007-0225-1 firefox20071029 rPSA-2007-0225-2 firefox thunderbirdDSA-1396DSA-1401DSA-1392FEDORA-2007-2601FEDORA-2007-2664GLSA-200711-14MDKSA-2007:202RHSA-2007:0979RHSA-2007:0980RHSA-2007:0981SUSE-SA:2007:057USN-535-1USN-536-1ADV-2007-35441018837272762732527327273352735627383274252740327480273872729827311273152733627665274142310FEDORA-2007-343127680HPSBUX02153ADV-2007-3587ADV-2008-00832736028398201516Cross-site scripting (XSS) vulnerability in ps_cart.php in VirtueMart before 20070116 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this issue might overlap CVE-2007-0376. ADV-2007-0817 24399Unrestricted file upload vulnerability in the onAttachFiles function in the upload tool (inc/lib/attachment.lib.php) in Wiclear before 0.11.1 allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors related to filename validation. NOTE: some details were obtained from third party information.ADV-2007-079224286wiclear-onattachfiles-file-upload(32757)Multiple unspecified vulnerabilities in ScryMUD before 2.1.11 have unknown impact and attack vectors, possibly related to denial of service caused by a search that begins with a .* sequence.[ScryMUD] 20070223 ScryMUD 2.1.11 (stable) has been released.dbclient in Dropbear SSH client before 0.49 does not sufficiently warn the user when it detects a hostkey mismatch, which might allow remote attackers to conduct man-in-the-middle attacks. 22761 ADV-2007-0785 32088 24345 dropbear-hostkey-weak-security(32762)Directory traversal vulnerability in download.php in Ahmet Sacan Pickle before 20070301 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.20070223 pickle download local file22703ADV-2007-074824294pickle-download-directory-traversal(32712)2293Multiple cross-site scripting (XSS) vulnerabilities in Photostand 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) message ("comment") or (2) name field, or the (3) q parameter in a search action in index.php.20070224 Photostand_1.2.0 Multiple Cross Site Scripting2270622707ADV-2007-075224310photostand-index-xss(32701)2296Photostand 1.2.0 allows remote attackers to obtain sensitive information via a ' (quote) character in (1) a PHPSESSID cookie or (2) the id parameter in an article action in index.php, which reveal the path in various error messages.20070224 Photostand_1.2.0 Multiple Cross Site Scripting ADV-2007-0752 photostand-index-path-disclosure(32702)2296Tor does not verify a node's uptime and bandwidth advertisements, which allows remote attackers who operate a low resource node to make false claims of greater resources, which places the node into use for many circuits and compromises the anonymity of traffic sources and destinations.[or-talk] 20070225 [or-talk] 20070225 Re: [or-talk] 20070225 Re: ISP controlling entry/exti (PHP remote file inclusion vulnerability in top.php in PHP Module Implementation (PHP-MIP) 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the laypath parameter.3374 22714 ADV-2007-0732 phpmodule-top-file-include(32672)PHP remote file inclusion vulnerability in functions.php in Extreme phpBB (aka phpBB Extreme) 3.0.1 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.337022708 ADV-2007-0733 extremephpbb-functions-file-include(32685)PHP remote file inclusion vulnerability in includes/functions_nomoketos_rules.php in the NoMoKeTos Rules 0.0.1 module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.337322713 ADV-2007-0735 nomoketo-functions-file-include(32686)SQL injection vulnerability in thumbnails.php in Coppermine Photo Gallery (CPG) 1.3.x allows remote authenticated users to execute arbitrary SQL commands via a cpg131_fav cookie.20070224 Coppermine Photo Gallery 1.3.x Blind SQL Injection Exploit3371 22709 coppermine-thumbnails-sql-injection(32688)2297PHP remote file inclusion vulnerability in index.php in Christian Schneider CS-Gallery 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the album parameter during a securealbum todo action.337222712 ADV-2007-0734 24291 csgallery-index-file-include(32674)Multiple cross-site scripting (XSS) vulnerabilities in Phpwebgallery 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) login or (2) mail_address field in Register.php, or the (3) search_author, (4) mode, (5) start_year, (6) end_year, or (7) date_type field in Search.php, a different vulnerability than CVE-2006-1674. NOTE: 1.6.2 and other versions might also be affected.20070224 Phpwebgallery-1.4.1, Multiple Cross Site Scripting2271124308phpwebgallery-register-search-xss(32687)2298Directory traversal vulnerability in data/showcode.php in ActiveCalendar 1.2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter.20070224 ActiveCalendar 1.2.0, Multiple vulnerabilities22704 20070224 Re: ActiveCalendar 1.2.0, Multiple vulnerabilities ADV-2007-0759 33144 activecalendar-showcode-file-include(32691)2299Multiple cross-site scripting (XSS) vulnerabilities in ActiveCalendar 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the css parameter to (1) flatevents.php, (2) js.php, (3) mysqlevents.php, (4) m_2.php, (5) m_3.php, (6) m_4.php, (7) xmlevents.php, (8) y_2.php, or (9) y_3.php in data/.20070224 ActiveCalendar 1.2.0, Multiple vulnerabilities22705 20070224 Re: ActiveCalendar 1.2.0, Multiple vulnerabilities ADV-2007-0759 33145 33146 33147 33148 33149 33150 33153 33151 33152 activecalendar-multiple-scripts-xss(32690)2299Kaspersky Anti-Virus 6.0 and Internet Security 6.0 exposes unsafe methods in the (a) AXKLPROD60Lib.KAV60Info (AxKLProd60.dll) and (b) AXKLSYSINFOLib.SysInfo (AxKLSysInfo.dll) ActiveX controls, which allows remote attackers to "download" or delete arbitrary files via crafted arguments to the (1) DeleteFile, (2) StartBatchUploading, (3) StartStrBatchUploading, or (4) StartUploading methods.ADV-2007-126824778 20070405 ZDI-07-014: Kaspersky Anti-Virus ActiveX Control Unsafe Method Exposure Vulnerablity 23345 1017884 1017885 kaspersky-startuploading-info-disclosure(33464)The child frames in Microsoft Internet Explorer 7 inherit the default charset from the parent window when a charset is not specified in an HTTP Content-Type header or META tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set. 20070223 Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance Vulnerability ADV-2007-0744 32119 24314 22701The child frames in Opera 9 before 9.20 inherit the default charset from the parent window when a charset is not specified in an HTTP Content-Type header or META tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated using the UTF-7 character set.20070223 Advisory 03/2007: Multiple Browsers Cross Domain Charset Inheritance VulnerabilityADV-2007-0745243121017909SUSE-SA:2007:0282270125027The CheckLoadURI function in Mozilla Firefox 1.8 lists the about: URI as a ChromeProtocol and can be loaded via JavaScript, which allows remote attackers to obtain sensitive information by querying the browser's session history.20070223 Firefox Cache Hack - Firefox History Hack redux20070223 Re: [Full-disclosure] Firefox Cache Hack - Firefox History Hack redux2309Unspecified vulnerability in Publisher 2007 in Microsoft Office 2007 allows remote attackers to execute arbitrary code via unspecified vectors, related to a "file format vulnerability." NOTE: this information is based upon a vague pre-advisory with no actionable information. However, the advisory is from a reliable source. 22702Multiple PHP remote file inclusion vulnerabilities in eFiction 3.1.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path_to_smf parameter to (1) bridges/SMF/logout.php or (2) get_session_vars.php.336122682ADV-2007-070824268 efiction-pathtosmf-file-include(32662)Unspecified vulnerability in Novell ZENworks 7 Desktop Management Support Pack 1 before Hot patch 3 (ZDM7SP1HP3) allows remote attackers to upload images to certain folders that were not configured in the "Only allow uploads to the following directories" setting via unspecified vectors.22686ADV-2007-071224274The (1) Import.LoadFromURL and (2) Export.asText.SaveToFile functions in TeeChart Pro ActiveX control (TeeChart7.ocx) allow remote attackers to download a crafted .tee file to an arbitrary location. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2268924263 teechart-activex-file-upload(32694)Multiple SQL injection vulnerabilities in Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) 1.00 allow remote attackers to execute arbitrary SQL commands via the id parameter to the (1) updateRow and (2) deleteRow functions in functions.php. NOTE: some of these details are obtained from third party information.22685ADV-2007-071524269 zephyrsoft-id-sql-injection(32665)Multiple SQL injection vulnerabilities in Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) 1.00 and 1.01 allow remote attackers to execute arbitrary SQL commands via the id parameter to the (1) updateRow and (2) deleteRow functions in functions.php, a variant of a SQL injection issue that was fixed in 1.01. NOTE: some of these details are obtained from third party information.22685ADV-2007-071524269Multiple PHP remote file inclusion vulnerabilities in ZPanel 2.0 allow remote attackers to execute arbitrary PHP code via a URL in (1) the body parameter to templates/ZPanelV2/template.php or (2) the page parameter to zpanel.php. NOTE: the zpanel.php vector may overlap CVE-2005-0793.2. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22683ADV-2007-071024275zpanel-template-file-include(32659) zpanel-zpanel-file-include(32680)Directory traversal vulnerability in gallery.php in XeroXer Simple one-file gallery allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter.20070223 Simple one-file gallery22700 sofg-gallery-file-include(32654)2292Cross-site scripting (XSS) vulnerability in gallery.php in XeroXer Simple one-file gallery allows remote attackers to inject arbitrary web script or HTML via the f parameter.20070223 Simple one-file gallery22700 ADV-2007-0740 24292 sofg-gallery-xss(32655)2292Directory traversal vulnerability in index.php in xtcommerce allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter.20070223 xtcommerce local file include 22698 ADV-2007-0746 24301 xtcommerce-index-file-include(32656)2294Directory traversal vulnerability in enc/stylecss.php in shopkitplus allows remote attackers to read arbitrary files via a .. (dot dot) in the changetheme parameter.20070223 shopkitplus local file include22697 ADV-2007-0747 24279 shopkitplus-stylecss-file-include(32660)2295shopkitplus allows remote attackers to obtain sensitive information via a request to (1) events.php with a curmonth[]=01 query string or (2) enc/stylecss.php with a changetheme[]= query string, which reveals the path in various error messages.20070223 shopkitplus local file include shopkitplus-events-stylecss-info-disclosure(32661)2295Multiple unrestricted file upload vulnerabilities in MTCMS 3.2 allow remote attackers to upload and execute files via (1) an avatar upload in an add_down action, or (2) an add_link action.2269020070223 MTCMS multiple upload vulnerabilitiesADV-2007-0755PHP remote file inclusion vulnerability in sinagb.php in Sinapis Gastebuch 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the fuss parameter.336622696 ADV-2007-0737 sinapis-gastebuch-sinagb-file-include(32657)PHP remote file inclusion vulnerability in sinapis.php in Sinapis Forum 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the fuss parameter.336722699 ADV-2007-0738 sinapisforum-sinapis-file-include(32658)Multiple cross-site scripting (XSS) vulnerabilities in the "Contact Us" functionality in MTCMS 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) message and (2) title fields.2269020070223 MTCMS multiple upload vulnerabilitiesADV-2007-0755PHP remote file inclusion vulnerability in fcring.php in FCRing 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the s_fuss parameter.336522693 ADV-2007-0736 24305 fcring-fcring-file-include(32653)Unspecified vulnerability in Watchtower (WT) before 0.12 has unknown impact and attack vectors, related to "unauthorized accounts."The vendor has released version 0.12 to address this issue. Watchtower wt0.12.tar.gz Download: http://downloads.sourceforge.net/wtelements/wt0.12.tar.gz?modtime=1171 460836&big_mirror=0 ADV-2007-0743 22721Multiple SQL injection vulnerabilities in WebMplayer before 0.6.1-Alpha allow remote attackers to execute arbitrary SQL commands via the (1) strid parameter to index.php and the (2) id[0] or other id array index parameter to filecheck.php.ADV-2007-0742 22726index.php in WebMplayer before 0.6.1-Alpha allows remote attackers to execute arbitrary code via shell metacharacters in an exec function call. NOTE: some sources have referred to this as eval injection in the param parameter, but CVE source inspection suggests that this is erroneous.ADV-2007-0742 22726putmail.py in Putmail before 1.4 does not detect when a user attempts to use TLS with a server that does not support it, which causes putmail.py to send the username and password in plaintext while the user believes encryption is in use, and allows remote attackers to obtain sensitive information.24266 22718 ADV-2007-0753 putmail-tls-password-plaintext(32689)Absolute path traversal vulnerability in list_main_pages.php in Cromosoft Simple Plantilla PHP (SPP) allows remote attackers to list arbitrary directories, and read arbitrary files, via an absolute pathname in the nfolder parameter.20070222 Plantilla PHP Simple226692332Unrestricted file upload vulnerability in Cromosoft Simple Plantilla PHP (SPP) allows remote attackers to upload arbitrary scripts via a filename with a double extension.20070222 Plantilla PHP Simple226692332Directory traversal vulnerability in edit.php in pheap allows remote attackers to read and modify arbitrary files via a .. (dot dot) in the filename parameter.20070222 pheap [edit LFI] vulnerability226702354PHP remote file inclusion vulnerability in preview.php in Magic News Plus 1.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the php_script_path parameter. NOTE: This issue may overlap CVE-2006-0723.20070221 Magic News Plus File Inclusion And Xss Vulnerabilitis226612334Cross-site scripting (XSS) vulnerability in Magic News Plus 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the link_parameters parameter in (1) news.php and (2) n_layouts.php.20070221 Magic News Plus File Inclusion And Xss Vulnerabilitis226612334Directory traversal vulnerability in pn-menu.php in J-Web Pics Navigator 1.0 allows remote attackers to list arbitrary directories via a .. (dot dot) in the dir parameter.20070222 Pics Navigator Directory Traversal Vulnerability picsnavigator-dir-directory-traversal(32646)2340Directory traversal vulnerability in jwpn-photos.php in J-Web Pics Navigator 2.0 allows remote attackers to list arbitrary directories via a .. (dot dot) in the dir parameter.20070222 Pics Navigator Directory Traversal Vulnerability 22681 ADV-2007-0711 24273 picsnavigator-dir-directory-traversal(32646)2340Multiple cross-site scripting (XSS) vulnerabilities in Kayako SupportSuite - ESupport 3.00.13 and 3.04.10 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to a (1) lostpassword or (2) register action in index.php, (3) unspecified vectors in the Submit form in a submit action in index.php, and (4) the user's name in index.php; and (5) allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to the Admin and Staff Control Panel. NOTE: this might issue overlap CVE-2004-1412, CVE-2005-0487, or CVE-2005-0842.20070219 ESupport Multiple HTML Injection Vulnerabilities22631ADV-2007-0717242232335PHP remote file inclusion vulnerability in function.php in arabhost allows remote attackers to execute arbitrary PHP code via a URL in the adminfolder parameter.20070222 Hasadya Raed20070227 Verified: arabhost function.php RFI2339PHP remote file inclusion vulnerability in view.php in hbm allows remote attackers to execute arbitrary PHP code via a URL in the hbmpath parameter.20070222 Hasadya Raed2339PHP remote file inclusion vulnerability in install/index.php in LoveCMS 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the step parameter.20070222 LoveCMS 1.4 multiple vulnerabilities22675ADV-2007-07162338Multiple directory traversal vulnerabilities in LoveCMS 1.4 allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the step parameter to install/index.php or (2) the load parameter to the top-level URI.20070222 LoveCMS 1.4 multiple vulnerabilities22675ADV-2007-07162338Unrestricted file upload vulnerability in LoveCMS 1.4 allows remote authenticated administrators to upload arbitrary files to /modules/content/pictures/tmp/.20070222 LoveCMS 1.4 multiple vulnerabilities226752338Cross-site scripting (XSS) vulnerability in LoveCMS 1.4 allows remote attackers to inject arbitrary web script or HTML via the id parameter to the top-level URI, possibly related to a SQL error.20070222 LoveCMS 1.4 multiple vulnerabilities22675ADV-2007-07162338Multiple directory traversal vulnerabilities in Pyrophobia 2.1.3.1 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) act or (2) pid parameter to the top-level URI, or the (3) action parameter to admin/index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22667Multiple PHP remote file inclusion vulnerabilities in CutePHP CuteNews 1.3.6 allow remote attackers to execute arbitrary PHP code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: issue might overlap CVE-2004-1660 or CVE-2006-4445.22674SQL injection vulnerability in webSPELL allows remote attackers to execute arbitrary SQL commands via a ws_auth cookie, a different vulnerability than CVE-2006-4782.Successful exploitation requires that "magic_quotes_gpc" is disabled.20070222 WebSpell > 4.0 Authentication Bypass and arbitrary code executionwebspell-login-sql-injection(32669)2337Unrestricted file upload vulnerability in webSPELL allows remote authenticated administrators to upload and execute arbitrary PHP code via the add squad feature. NOTE: this issue may be an administrative feature, in which case this CVE may be REJECTED.Affected product versions unspecified.20070222 WebSpell > 4.0 Authentication Bypass and arbitrary code executionwebspell-addsquad-file-upload(32670)2337JBrowser allows remote attackers to bypass authentication and access certain administrative capabilities via a direct request for _admin/.20070222 JBrowser acces to admin/config files 20070223 JBrowser Acces to Admin Panel Exploit953710089092370Cross-site request forgery (CSRF) vulnerability in jmx-console/HtmlAdaptor in JBoss allows remote attackers to perform privileged actions as administrators via certain MBean operations, a different vulnerability than CVE-2006-3733.Affected product versions unspecified.20070222 JBoss jmx-console CSRF20070223 Re: JBoss jmx-console CSRFjboss-jmxconsole-csrf(32673)Directory traversal vulnerability in index.php in the Pagesetter 6.2.0 through 6.3.0 beta 5 module for PostNuke allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter.20070226 SEC Consult SA-20070226-0 :: File Disclosure in Pagesetter for PostNuke20070226 SEC Consult SA-20070226-0 :: File Disclosure in20070227 Re:SEC Consult SA-20070226-0 :: File Disclosure2273324299 ADV-2007-0758 pagesetter-index-directory-traversal(32695)2336Cross-site scripting (XSS) vulnerability in modules/out.php in Pyrophobia 2.1.3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22667webSPELL 4.0, and possibly later versions, allows remote attackers to bypass authentication via a ws_auth cookie, a different vulnerability than CVE-2006-4782.This vulnerability may affect more recent versions of the product as well. (WebSPELL, WebSPELL, 4.0 and later)20070222 WebSpell > 4.0 Authentication Bypass and arbitrary code execution2337Cross-site scripting (XSS) vulnerability in call_entry.php in Call Center Software 0,93 allows remote attackers to inject arbitrary web script or HTML via the problem_desc parameter, as demonstrated by the ONLOAD attribute of a BODY element.20070221 Call Center Software - Remote Xss Post Exploit -20070222 [TRUE] Call Center Software - Remote Xss Post Exploit -2333A certain ActiveX control in the Common Controls Replacement Project (CCRP) CCRP BrowseDialog Server (ccrpbds6.dll) allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long (1) IsFolderAvailable or (2) RootFolder property value, different vectors than CVE-2007-0371.22645SQL injection vulnerability in printview.php in webSPELL 4.01.02 and earlier allows remote attackers to execute arbitrary SQL commands via the topic parameter, a different vector than CVE-2007-1019, CVE-2006-5388, and CVE-2006-4783.335122659ADV-2007-071424257Multiple PHP remote file inclusion vulnerabilities in DBImageGallery 1.2.2 allow remote attackers to execute arbitrary PHP code via a URL in the donsimg_base_path parameter to (1) attributes.php, (2) images.php, or (3) scan.php in admin/; or (4) attributes.php, (5) db_utils.php, (6) images.php, (7) utils.php, or (8) values.php in includes/.33532265720070302 Remote File Include In DBImageGallery20070305 Re: Remote File Include In DBImageGalleryADV-2007-0692dbimagegallery-donsimg-file-include(32612)Multiple PHP remote file inclusion vulnerabilities in DBGuestbook 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the dbs_base_path parameter to (1) utils.php, (2) guestbook.php, or (3) views.php in includes/.335422658ADV-2007-0693SQL injection vulnerability in result.php in Nabopoll 1.2 allows remote attackers to execute arbitrary SQL commands via the surv parameter.20070221 Nabopoll Blind SQL Injection vulnerabilies3355226492372inc/filebrowser/browser.php in deV!L`z Clanportal (DZCP) 1.4.5 and earlier allows remote attackers to obtain MySQL data via the inc/mysql.php value of the file parameter.This vulnerability is addressed in the following product release: 1.4.633572266024260ADV-2007-0695Trend Micro ServerProtect for Linux (SPLX) 1.25, 1.3, and 2.5 before 20070216 allows remote attackers to access arbitrary web pages and reconfigure the product via HTTP requests with the splx_2376_info cookie to the web interface port (14942/tcp).20070221 Trend Micro ServerProtect Web Interface Authorization Bypass Vulnerability22662ADV-2007-0691101768524264The web interface in Trend Micro ServerProtect for Linux (SPLX) 1.25, 1.3, and 2.5 before 20070216 accepts logon requests through unencrypted HTTP, which might allow remote attackers to obtain credentials by sniffing the network.SimBin GTR - FIA GT Racing Game 1.5.0.0 and earlier, GT Legends 1.1.0.0 and earlier, GTR 2 1.1 and earlier, and RACE - The WTCC Game 1.0 and earlier allow remote attackers to cause a denial of service (client disconnection) via an empty UDP packet to the server port.20070221 Players disconnection in Simbin racing games22651 ADV-2007-06962369SQL injection vulnerability in includes/nsbypass.php in NukeSentinel 2.5.05, 2.5.11, and other versions before 2.5.12 allows remote attackers to execute arbitrary SQL commands via an admin cookie.20070220 NukeSentinel 2.5.05 (nsbypass.php) Blind SQL Injection Exploit333722629nukesentinel-nsbypass-sql-injection(32582)20070925 [waraxe-2007-SA#053] - Critical Sql Injection in NukeSentinel 2.5.1120070928 Re: [waraxe-2007-SA#053] - Critical Sql Injection in NukeSentinel 2.5.1120070928 CVE-2007-5125 - dupe25805269542344SQL injection vulnerability in nukesentinel.php in NukeSentinel 2.5.05, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, aka the "File Disclosure Exploit."20070220 NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit3338 20070314 SQL injection (x2) in NukeSentinel 242212341Multiple buffer overflows in the CentennialIPTransferServer service (XFERWAN.EXE), as used by (1) Centennial Discovery 2006 Feature Pack 1, (2) Numara Asset Manager 8.0, and (3) Symantec Discovery 6.5, allow remote attackers to execute arbitrary code via long strings in a crafted TCP packet.ADV-2007-1832ADV-2007-1833ADV-2007-1834240902428124329240021018072xferwan-tcp-bo(34313)Multiple cross-site scripting (XSS) vulnerabilities in WebAPP before 20070214 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to unspecified fields in user Profiles. NOTE: some of these details are obtained from third party information.22563ADV-2007-0605webapp-profileedit-xss(32506)Cross-site scripting (XSS) vulnerability in an admin feature in WebAPP before 20070209 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.22563ADV-2007-0604Multiple cross-site scripting (XSS) vulnerabilities in WebAPP before 0.9.9.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) Gallery Comments pages, (2) Feedback pages, (3) Search Results pages, and (4) the Statistics Log viewer.22563ADV-2007-060424080webapp-gallery-feedback-xss(32526)webapp-searchresultspages-xss(32499)webapp-statisticslogviewer-xss(32498)WebAPP before 0.9.9.5 does not properly filter certain characters in contexts related to (1) the query string, (2) Profiles, (3) the Forum Post icon field, (4) the Edit Profile, and (5) the Gallery, which has unknown impact and remote attack vectors, possibly related to cross-site scripting (XSS).22563ADV-2007-060424080WebAPP before 0.9.9.5 does not check access in certain contexts related to (1) Calendar Administration, (2) Instant Messages Administration, and (3) the Image Uploader, which has unknown impact and attack vectors.22563ADV-2007-060424080WebAPP before 0.9.9.5 does not properly manage e-mail addresses in certain contexts related to (1) the Recommend feature, Email Article (2) senders and (3) recipients, (4) New User Approval, (5) Edit Profiles, (6) the Newsletter Subscription form, (7) the Recommend form, and (8) sending of articles, which has unknown impact, and remote attack vectors related to spam attacks and possibly other attacks.22563ADV-2007-060424080WebAPP before 0.9.9.5 does not check referrers in certain forms, which might facilitate remote cross-site request forgery (CSRF) attacks or have other unknown impact.22563ADV-2007-060424080WebAPP before 0.9.9.5 passes (1) Unused Informations and (2) the username through Edit Profile forms, which has unknown impact and attack vectors.22563ADV-2007-060424080WebAPP before 0.9.9.5 allows remote Guest users to edit a Guest profile, which has unknown impact.22563ADV-2007-060424080WebAPP before 0.9.9.5 allows remote authenticated users to spoof another user's Real Name via whitespace, which has unknown impact and attack vectors.22563ADV-2007-060424080The default configuration of WebAPP before 0.9.9.5 has a CAPTCHA setting of "no," which makes it easier for automated programs to submit false data.22563ADV-2007-060424080The (1) Search, (2) Edit Profile, (3) Recommend, and (4) User Approval forms in WebAPP before 0.9.9.5 use hidden inputs, which has unknown impact and remote attack vectors.22563ADV-2007-060424080WebAPP before 0.9.9.5 does not "censor" the Latest Member real name, which has unknown impact.22563ADV-2007-060424080WebAPP before 0.9.9.5 allows remote authenticated users, without admin privileges, to obtain sensitive information via (1) the Forum Archive feature and (2) Recent Searches.22563ADV-2007-060424080WebAPP before 0.9.9.5 allows remote attackers to submit Search form input that is not checked for (1) composition or (2) length, which has unknown impact, possibly related to "search form hijacking".22563ADV-2007-060424080Integer overflow in the envwrite function in the Alcatel-Lucent Bell Labs Plan 9 kernel allows local users to overwrite certain memory addresses with kernel memory via a large n argument, as demonstrated by (1) modifying the iseve function to gain privileges and (2) making the devpermcheck function grant unrestricted device permissions.3383[dailydave] 20070227 Wow, free kernel zero day?22749Unspecified vulnerability in the EmbeddedWB Web Browser ActiveX control allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22755The Social Bookmarks (del.icio.us) plug-in 8F in Quicksilver writes usernames and passwords in plaintext to the /Library/Logs/Console/UID/Console.log file, which allows local users to obtain sensitive information by reading this file.20070228 Quicksilver Social Bookmark plugin v.8F: password in clear text22752socialbookmarks-password-plaintext(32721)2368Thomas R. Pasawicz HyperBook Guestbook 1.30 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download an admin password hash via a direct request for data/gbconfiguration.dat.22754 24392Multiple unspecified vulnerabilities in the Login page in OrangeHRM before 20070212 have unknown impact and attack vectors.Successful exploitation requires that "magic_quotes_gpc" is disabled.22756ADV-2007-0781Norman SandBox Analyzer does not use the proper range for Interrupt Descriptor Table (IDT) entries, which allows local users to determine that the local machine is an emulator, or a similar environment not based on a physical Intel processor, which allows attackers to produce malware that is more difficult to analyze.20070228 Evading the Norman SandBox Analyzer20070302 Re: Evading the Norman SandBox Analyzer20070303 Re: Evading the Norman SandBox AnalyzerMultiple buffer overflows in XM Easy Personal FTP Server 5.3.0 allow remote attackers to execute arbitrary code via unspecified vectors. NOTE: this issue might overlap CVE-2006-2225, CVE-2006-2226, or CVE-2006-5728.22747Unspecified vulnerability in Citrix Presentation Server Client for Windows before 10.0 allows remote web sites to execute arbitrary code via unspecified vectors, related to the implementation of ICA connectivity through proxy servers.Upgrade to Citrix Presentation Server Client for Windows version 10.0: http://www.citrix.com/English/SS/downloads/downloads.asp?dID=2755 CTX112589ADV-2007-0784 VU#798364 22762 1017712 24350 citrix-ica-code-execution(32754)Multiple unspecified vulnerabilities in Epiware before 4.7.5 have unknown impact and attack vectors, possibly related to cross-site scripting (XSS) and other unspecified issues.Cross-site scripting (XSS) vulnerability in TaskFreak! before 0.5.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly a variant of CVE-2007-0982.Adobe Reader and Acrobat Trial allow remote attackers to read arbitrary files via a file:// URI in a PDF document, as demonstrated with <</URI(file:///C:/)/S/URI>>, a different issue than CVE-2007-0045.22753 24408GLSA-200803-0129205Unspecified vulnerability in certain COM objects in Microsoft Office Web Components 2000 allows user-assisted remote attackers to execute arbitrary code via vectors related to DataSource that trigger memory corruption, aka "Office Web Components DataSource Vulnerability."MS08-017TA08-071A28136ADV-2008-0849293281019581HPSBST02320oval:org.mitre.oval:def:5327Word (or Word Viewer) in Microsoft Office 2000 SP3, XP SP3, 2003 SP2, 2004 for Mac, and Works Suite 2004, 2005, and 2006 does not properly parse certain rich text "property strings of certain control words," which allows user-assisted remote attackers to trigger heap corruption and execute arbitrary code, aka the "Word RTF Parsing Vulnerability."MS07-024VU#55548923836ADV-2007-1709101801320070508 Microsoft Word RTF File Parsing Heap Corruption VulnerabilityHPSBST02214TA07-128A34388oval:org.mitre.oval:def:1900Unspecified vulnerability in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, 2004 for Mac, and 2007 allows user-assisted remote attackers to execute arbitrary code via a crafted set font value in an Excel file, which results in memory corruption.MS07-023 23779 ADV-2007-1708 1018012 25150HPSBST02214TA07-128A34394oval:org.mitre.oval:def:2014excel-placeholder-code-execution(33914)Stack-based buffer overflow in the Universal Plug and Play (UPnP) service in Microsoft Windows XP SP2 allows remote attackers on the same subnet to execute arbitrary code via crafted HTTP headers in request or notification messages, which trigger memory corruption.MS07-01920070410 Microsoft Windows Universal Plug and Play Memory Corruption Vulnerability233711017895 HPSBST02208 34010ADV-2007-1323oval:org.mitre.oval:def:204924822Unspecified vulnerability in Microsoft Agent (msagent\agentsvr.exe) in Windows 2000 SP4, XP SP2, and Server 2003, 2003 SP1, and 2003 SP2 allows remote attackers to execute arbitrary code via crafted URLs, which result in memory corruption.MS07-02020070410 Secunia Research: Microsoft Agent URL Parsing Memory CorruptionVulnerabilityVU#72805723337101789622896 HPSBST02208TA07-100AADV-2007-1324oval:org.mitre.oval:def:2034The Virtual DOS Machine (VDM) in the Windows Kernel in Microsoft Windows NT 4.0; 2000 SP4; XP SP2; Server 2003, 2003 SP1, and 2003 SP2; and Windows Vista before June 2006; uses insecure permissions (PAGE_READWRITE) for a physical memory view, which allows local users to gain privileges by modifying the "zero page" during a race condition before the view is unmapped.MS07-02220070410 EEYE: Windows VDM Zero Page Race Condition Privilege EscalationVU#3379532336710178982483434011HPSBST02208TA07-100AADV-2007-1326oval:org.mitre.oval:def:1639Use-after-free vulnerability in the Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows Vista does not properly handle connection resources when starting and stopping processes, which allows local users to gain privileges by opening and closing multiple ApiPort connections, which leaves a "dangling pointer" to a process data structure.20070410 EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege EscalationMS07-021233381017897 34008 HPSBST02208TA07-100AVU#219848ADV-2007-1325oval:org.mitre.oval:def:1524248232531Unspecified kernel GDI functions in Microsoft Windows 2000 SP4; XP SP2; and Server 2003 Gold, SP1, and SP2 allows user-assisted remote attackers to cause a denial of service (possibly persistent restart) via a crafted Windows Metafile (WMF) image that causes an invalid dereference of an offset in a kernel structure, a related issue to CVE-2005-4560.MS07-017win-wmf-dos(33258)20070403 Microsoft Windows WMF Triggerable Kernel Design Error DoS VulnerabilityADV-2007-1215101784323275 HPSBST02206oval:org.mitre.oval:def:1571Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via a crafted Enhanced Metafile (EMF) image format file.MS07-017ADV-2007-1215101784423278 HPSBST02206oval:org.mitre.oval:def:1923The TrueType Fonts rasterizer in Microsoft Windows 2000 SP4 allows local users to gain privileges via crafted TrueType fonts, which result in an uninitialized function pointer.MS07-01723276ADV-2007-12151017845 HPSBST02206oval:org.mitre.oval:def:1797Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, and 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via a crafted AutoFilter filter record in an Excel BIFF8 format XLS file, which triggers memory corruption.MS07-02320070508 Microsoft Excel Filter Record Code Execution VulnerabilityVU#25382523780ADV-2007-1708101801225150HPSBST02214TA07-128A34395oval:org.mitre.oval:def:2064excel-autofilter-code-execution(33915)Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via certain "color-related parameters" in crafted images.MS07-017ADV-2007-1215101784723273 HPSBST02206oval:org.mitre.oval:def:1927Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with an "an invalid direction encoding".DSA-1276RHSA-2007:0095USN-449-1VU#41934424706247362475720070404 rPSA-2007-0063-1 krb5 krb5-server krb5-services krb5-test krb5-workstation20070403 MITKRB5-SA-2007-003: double-free vulnerability in kadmind (via GSS-API library) [CVE-2007-1216]GLSA-200704-02MDKSA-2007:07720070401-01-PSUSE-SA:2007:025232821017852247402475024785247862481724735kerberos-kadmind-code-execution(33413)ADV-2007-1218APPLE-SA-2007-04-19ADV-2007-147024966HPSBUX02217MDKSA-2007:077TA07-093BTA07-109AADV-2007-191625388Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet.MDKSA-2007:0782333324777GLSA-200704-23MDKSA-2007:078RHSA-2007:0673RHSA-2007:0672RHSA-2007:0671RHSA-2007:0774RHSA-2007:070510185392637926478267092676027528Off-by-one buffer overflow in the parse_elements function in the 802.11 printer code (print-802_11.c) for tcpdump 3.9.5 and earlier allows remote attackers to cause a denial of service (crash) via a crafted 802.11 frame. NOTE: this was originally referred to as heap-based, but it might be stack-based.20070301 tcpdump: off-by-one heap overflow in 802.11 printerDSA-1272FEDORA-2007-347FEDORA-2007-348MDKSA-2007:056USN-429-122772ADV-2007-0793324271017717243182435424423244512458324610tcpdump-print80211c-bo(32749)MDKSA-2007:056MDKSA-2007:155RHSA-2007:0368RHSA-2007:0387TLSA-2007-4627580APPLE-SA-2007-12-17TA07-352AADV-2007-423828136PHP remote file inclusion vulnerability in actions/del.php in Admin Phorum 3.3.1a allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter.338222739ADV-2007-0778The Hypervisor in Microsoft Xbox 360 kernel 4532 and 4548 does not properly verify the parameters passed to the syscall dispatcher, which allows attackers with physical access to bypass code-signing requirements and execute arbitrary code.20070227 Xbox 360 Hypervisor Privilege Escalation Vulnerability227452367The Hypervisor in Microsoft Xbox 360 kernel 4532 and 4548 allows attackers with physical access to force execution of the hypervisor syscall with a certain register set, which bypasses intended code protection.20070227 Xbox 360 Hypervisor Privilege Escalation Vulnerability2274520070327 Re: RE: Xbox 360 Hypervisor Privilege Escalation Vulnerability2367Parallels Desktop for Mac before 20070216 implements Drag and Drop by sharing the entire host filesystem as the .psf share, which allows local users of the guest operating system to write arbitrary files to the host filesystem, and execute arbitrary code via launchd by writing a plist file to a LaunchAgents directory.[dailydave] 20070216 Minor Virtualization Vulnerability24171Unspecified vulnerability in Hitachi OSAS/FT/W before 20070223 allows attackers to cause a denial of service (responder control processing halt) by sending "data unexpectedly through the port".osas-unspecified-dos(32696)Grok Developments NetProxy 4.03 allows remote attackers to bypass URL filtering via a request that omits "http://" from the URL and specifies the destination port (:80).338122741ADV-2007-0779netproxy-url-filtering-bypass(32697)The connection log file implementation in Grok Developments NetProxy 4.03 does not record requests that omit http:// in a URL, which might allow remote attackers to conduct unauthorized activities and avoid detection.338122741ADV-2007-0779netproxy-url-filtering-bypass(32697)McAfee VirusScan for Mac (Virex) before 7.7 patch 1 has weak permissions (0666) for /Library/Application Support/Virex/VShieldExclude.txt, which allows local users to reconfigure Virex to skip scanning of arbitrary files.20070227 [NETRAGARD-20070220 SECURITY ADVISORY] [McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass]22744ADV-2007-07772433710177072342VShieldCheck in McAfee VirusScan for Mac (Virex) before 7.7 patch 1 allow local users to change permissions of arbitrary files via a symlink attack on /Library/Application Support/Virex/VShieldExclude.txt, as demonstrated by symlinking to the root crontab file to execute arbitrary commands.Apply patch 1 for McAfee Virex version 7.7: https://mysupport.mcafee.com/eservice_enu/ 20070227 [NETRAGARD-20070220 SECURITY ADVISORY] [McAfee VirusScan for Mac (Virex) Local root exploit and Scan Bypass]Security Bulletin22744ADV-2007-077724337 1017707 mcafee-virex-library-privilege-escalation(32729)2342IBM DB2 UDB 8.2 before Fixpak 7 (aka fixpack 14), and DB2 9 before Fix Pack 2, on UNIX allows the "fenced" user to access certain unauthorized directories.IY86711IY8749222729 1017731 24387Cross-site scripting (XSS) vulnerability in the Nullsoft ShoutcastServer 1.9.7 allows remote attackers to inject arbitrary web script or HTML via the top-level URI on the Incoming interface (port 8001/tcp), which is not properly handled in the administrator interface when viewing the log file.20070227 Nullsoft ShoutcastServer Persistant XSS - 0day22742ADV-2007-077524323shoutcast-admin-interface-xss(32726)Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP header or (2) the URI, a different vulnerability than CVE-2007-1049.ADV-2007-0756 GLSA-200703-23 24566Multiple cross-site scripting (XSS) vulnerabilities in SQLiteManager 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) database name, (2) table name, (3) ViewName, (4) view, (5) trigger, and (6) function fields in main.php and certain other files.20070224 SQLiteManager v1.2.0 Multiple Vulnerabilities22731 sqlitemanager-main-xss(32692)2366Directory traversal vulnerability in SQLiteManager 1.2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in a SQLiteManager_currentTheme cookie.Successful exploitation requires that "magic_quotes_gpc" is disabled. Additionally, in order to exploit this vulnerability to execute arbitrary code, the attacker would first be required to upload a malicious file or inject arbitrary commands into an existing file.20070224 SQLiteManager v1.2.0 Multiple Vulnerabilities2272724296sqlitemanager-sqlitemanager-file-include(32693)2366PHP remote file inclusion vulnerability in downloadcounter.php in STWC-Counter 3.4.0.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the stwc_counter_verzeichniss parameter.337922723stwccounter-downloadcounter-file-include(32681) ADV-2007-0754 24280Multiple cross-site scripting (XSS) vulnerabilities in sitex allow remote attackers to inject arbitrary web script or HTML via (1) the sxYear parameter to calendar.php, (2) the search parameter to search.php, (3) the linkid parameter to redirect.php, or (4) the page parameter to calendar_events.php.20070223 sitex multiple vulnerabilities20070414 Re: sitex multiple vulnerabilities2373Unrestricted file upload vulnerability in sitex allows remote attackers to upload arbitrary PHP code via an avatar filename with a double extension such as .php.jpg, which fails verification and is saved as a .php file.20070223 sitex multiple vulnerabilities2373sitex allows remote attackers to obtain sensitive information via a request with a numerical value for the (1) sxMonth[] or (2) sxYear[] parameter to calendar.php, or the (3) page[] parameter to calendar_events.php, which reveals the path in various error messages.20070223 sitex multiple vulnerabilities2373sitex allows remote attackers to obtain potentially sensitive information via a ' (quote) value for certain parameters, as demonstrated by parameters used in forum and search, which forces a SQL error.20070223 sitex multiple vulnerabilities2373Microsoft Office 2003 allows user-assisted remote attackers to cause a denial of service (application crash) by attempting to insert a corrupted WMF file.20070225 Few unreported vulnerabilities by SehaToMicrosoft Excel 2003 does not properly parse .XLS files, which allows remote attackers to cause a denial of service (application crash) via a file with a (1) corrupted XML format or a (2) corrupted XLS format, which triggers a NULL pointer dereference.20070225 Few unreported vulnerabilities by SehaTo 22717Multiple cross-site scripting (XSS) vulnerabilities in Docebo CMS 3.0.3 through 3.0.5 allow remote attackers to inject arbitrary web script or HTML via (1) the searchkey parameter to index.php, or the (2) sn or (3) ri parameter to modules/htmlframechat/index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22719Cross-site scripting (XSS) vulnerability in setup.php in Audins Audiens 3.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22728 audins-setup-xss(32839)SQL injection vulnerability in system/index.php in Audins Audiens 3.3 allows remote attackers to execute arbitrary SQL commands via the PHPSESSID cookie. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.22728 audins-index-sql-injection(32837)Audins Audiens 3.3 allows remote attackers to bypass authentication and perform certain privileged actions, possibly an uninstall of the product, by calling unistall.php with the values cnf=disinstalla and status=on. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2272824254audins-unistall-authentication-bypass(32707)Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter.20070226 WordPress AdminPanel CSRF/XSS - 0day22735 GLSA-200703-23 24566 wordpress-post-csrf(32703)IrfanView 3.99 allows remote attackers to cause a denial of service (application crash) via a malformed WMF file.20070225 Few unreported vulnerabilities by SehaToThe DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in MPlayer 1.0rc1 and earlier, as used in xine-lib, does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code, a different vulnerability than CVE-2007-1387.Failed exploit attempts will likely result in a denial-of-service condition.ADV-2007-0794mplayer-dmovideodecoder-bo(32747)20070301 MPlayer DMO buffer overflowMDKSA-2007:055MDKSA-2007:057USN-433-12277124448244622444424446SUSE-SR:2007:005 GLSA-200704-09 24897 SSA:2007-109-02 SUSE-SR:2007:007 24995 24866GLSA-200705-21MDKSA-2007:055MDKSA-2007:0572546224443DSA-153629601Multiple PHP remote file inclusion vulnerabilities in aWeb Labs aWebNews 1.5 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_news parameter to (1) listing.php or (2) visview.php.Successful exploitation requires that "register_globals" is enabled.20070301 aWebNews V 1.120070301 aWebNews v 1.1=>RFI2278124351ADV-2007-0808awebnews-pathtonews-file-include(32770)2365Multiple cross-site scripting (XSS) vulnerabilities in built2go News Manager Blog 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cid, (2) uid, and (3) nid parameters to (a) news.php, and the nid parameter to (b) rating.php.20070301 Built2Go v.1.0 => ( news.php & rating.php ) Cross Site Scripting22783ADV-2007-081824334newsmanagerblog-news-rating-xss(32772)2343MoveSortedContentAction in C1 Financial Services Contelligent 9.1.4 does not check "the additional environment security configuration," which allows remote attackers with write permissions to reorder components.2278524364 ADV-2007-0814 contelligent-sortedcontent-security-bypass(32775)SQL injection vulnerability in section/default.asp in ANGEL Learning Management Suite (LMS) 7.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.20070301 Angel LMS 7.1 - Remote SQL Injection20070301 Re: Angel LMS 7.1 - Remote SQL Injection339022768 20070301 [Fwd: Re: Angel LMS 7.1 - Remote SQL Injection] ADV-2007-0807 24368 angellms-default-sql-injection(32756)Format string vulnerability in the new_warning function in ntserv/warning.c for Netrek Vanilla Server 2.12.0, when EVENTLOG is enabled, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via format string specifiers in the message handling.This vulnerability is addressed in the following product update: http://sourceforge.net/project/shownotes.php?release_id=4905612278624357 20070302 Limited format string in Netrek 2.12.0 ADV-2007-0815 vanilla-vsprintf-format-string(32777)Buffer overflow in Symantec Mail Security for SMTP 5.0 before Patch 175 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted headers in an e-mail message. NOTE: some information was obtained from third party sources.VU#87563322782ADV-2007-079924371 1017716 symantec-email-headers-code-execution(32781)Eval injection vulnerability in the (a) kmz_ImportWithMesh.py Script for Blender 0.1.9h, as used in (b) Blender before 2.43, allows user-assisted remote attackers to execute arbitrary Python code by importing a crafted (1) KML or (2) KMZ file.This vulnerability is addressed in the following product update: http://www.blender.org/download/get-blender/22770ADV-2007-079810177142423224233 blender-kml-kmz-command-execution(32778) GLSA-200704-19 24991SQL injection vulnerability in part.userprofile.php in Connectix Boards 0.7 and earlier allows remote authenticated users to execute arbitrary SQL commands and obtain privileges via the p_skin parameter to index.php.20070221 Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit3352242552364Unrestricted file upload vulnerability in admin.bbcode.php in Connectix Boards 0.7 and earlier allows remote authenticated administrators to execute arbitrary PHP code by uploading a crafted GIF smiley image with a .php extension via the uploadimage parameter to admin.php, which can be later accessed via a direct request for the file in smileys/. NOTE: this can be leveraged with a separate SQL injection issue for remote unauthenticated attacks.20070221 Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit3352242552364Mozilla Firefox 2.0.0.2 allows remote attackers to spoof the address bar, favicons, and document source, and perform updates in the context of arbitrary websites, by repeatedly setting document.location in the onunload attribute when linking to another website, a variant of CVE-2007-1092.20070227 Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)20070227 RE: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)20070227 Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)The Network Analysis Module (NAM) in Cisco Catalyst Series 6000, 6500, and 7600 allows remote attackers to execute arbitrary commands via certain SNMP packets that are spoofed from the NAM's own IP address.20070228 Cisco Catalyst 6000, 6500 Series and Cisco 7600 Series NAM (Network Analysis Module) VulnerabilityVU#47241222751ADV-2007-0783101771024344cisco-catalyst-nam-unauthorized-access(32750)Unspecified vulnerability in Cisco IOS 12.2SXA, SXB, SXD, and SXF; and the MSFC2, MSFC2a and MSFC3 running in Hybrid Mode on Cisco Catalyst 6000, 6500 and Cisco 7600 series systems; allows remote attackers on a local network segment to cause a denial of service (software reload) via a certain MPLS packet.20070228 Cisco Catalyst 6000, 6500 and Cisco 7600 Series MPLS Packet VulnerabilityADV-2007-0782101770924348cisco-catalyst-mpls-dos(32748)Multiple unspecified vulnerabilities in WebAPP before 0.9.9.6 have unknown impact and attack vectors.ADV-2007-072024227Stack-based buffer overflow in the connectHandle function in server.cpp in WebMod 0.48 allows remote attackers to execute arbitrary code via a long string in the Content-Length HTTP header.24346 3395 22788 webmod-contentlength-bo(32755)Unspecified vulnerability in the reports system in OpenBiblio before 0.6.0 allows attackers to gain privileges via unspecified vectors.This vulnerability is addressed in the following product update: http://sourceforge.net/project/showfiles.php?group_id=50071ADV-2007-0790 openbiblio-reports-privilege-escalation(32758)Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer.ADV-2007-174825200DSA-1290239101018033RHSA-2007:03582523625320APPLE-SA-2007-07-31MDKSA-2007:106SUSE-SR:2007:01325159ADV-2007-2732256902623525787GnuPG 1.4.6 and earlier and GPGME before 1.1.4, when run from the command line, does not visually distinguish signed and unsigned portions of OpenPGP messages with multiple components, which might allow remote attackers to forge the contents of a message without detection.20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 22757 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME DSA-1266 FEDORA-2007-315 FEDORA-2007-316 RHSA-2007:0106 RHSA-2007:0107 USN-432-1 USN-432-2 ADV-2007-0835 1017727 24365 24420 24438 24489 24511 24544 20070301-01-P SUSE-SA:2007:024 24734 24650 24875MDKSA-2007:0592007-000924407244192353Enigmail 0.94.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Enigmail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 22758 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME ADV-2007-0835 1017727 244162353KMail 1.9.5 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents KMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 22759 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME ADV-2007-0835 1017727 244132353Evolution 2.8.1 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Evolution from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 22760 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME ADV-2007-0835 1017727 244122353Sylpheed 2.2.7 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Sylpheed from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 22777 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME ADV-2007-0835 1017727 244142353Mutt 1.5.13 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents Mutt from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 22778 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME ADV-2007-0835 1017727 244152353GNUMail 1.1.2 and earlier does not properly use the --status-fd argument when invoking GnuPG, which prevents GNUMail from visually distinguishing between signed and unsigned portions of OpenPGP messages with multiple components, which allows remote attackers to forge the contents of a message without detection.20070305 CORE-2007-0115: GnuPG and GnuPG clients unsigned data injection vulnerability 22779 [gnupg-users] 20070306 [Announce] Multiple Messages Problem in GnuPG and GPGME ADV-2007-0835 1017727 244172353Double free vulnerability in VMware ESX Server 3.0.0 and 3.0.1 allows attackers to cause a denial of service (crash), obtain sensitive information, or possibly execute arbitrary code via unspecified vectors.20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updatesADV-2007-1267247882332310178752524Buffer overflow in VMware ESX Server 3.0.0 and 3.0.1 might allow attackers to gain privileges or cause a denial of service (application crash) via unspecified vectors.20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates23322ADV-2007-126724788 10178752524Integer overflow in the ktruser function in NetBSD-current before 20061022, NetBSD 3 aand 3-0 before 20061024, and NetBSD 2 before 20070209, when the kernel is built with the COMPAT_FREEBSD or COMPAT_DARWIN option, allows local users to cause a denial of service and possibly gain privileges.NetBSD-SA2007-00122878Multiple cross-site scripting (XSS) vulnerabilities in chooser.cgi in Webmin before 1.330 and Usermin before 1.260 allow remote attackers to inject arbitrary web script or HTML via a crafted filename.ADV-2007-0780101771124321webmin-chooser-xss(32725)WordPress 2.1.1, as downloaded from some official distribution sites during February and March 2007, contains an externally introduced backdoor that allows remote attackers to execute arbitrary commands via (1) an eval injection vulnerability in the ix parameter to wp-includes/feed.php, and (2) an untrusted passthru call in the iz parameter to wp-includes/theme.php.This vulnerability is addressed in the following product update: http://wordpress.org/development/2007/03/upgrade-212/VU#214480VU#64145620070303 WordPress source code compromised to enable remote code execution22797ADV-2007-081224374wordpress-feed-code-execution(32804)wordpress-theme-command-execution(32807)Unspecified vulnerability in the IIS connector in Adobe JRun 4.0 Updater 6, and ColdFusion MX 6.1 and 7.0 Enterprise, when using Microsoft IIS 6, allows remote attackers to cause a denial of service via unspecified vectors, involving the request of a file in the JRun web root.This vulnerability has been addressed by the vendor with the following patch: http://www.adobe.com/support/security/bulletins/apsb07-07.html 24488 22958 ADV-2007-0932 1017752 coldfusion-jrun-iisconnector-dos(32994)Unspecified vulnerability in the installer for Adobe Bridge 1.0.3 update for Apple OS X, when patching with desktop management tools, allows local users to gain privileges via unspecified vectors during installation of the update by a different user who has administrative privileges.23404ADV-2007-1342101790024854bridge-unspecified-privilege-escalation(33570)34896Cross-site scripting (XSS) vulnerability in Adobe RoboHelp X5, 6, and Server 6 allows remote attackers to inject arbitrary web script or HTML via a URL after a # (hash) in the URL path, as demonstrated using en/frameset-7.html, and possibly other unspecified vectors involving templates and (1) whstart.js and (2) whcsh_home.htm in WebHelp, (3) wf_startpage.js and (4) wf_startqs.htm in FlashHelp, or (5) WindowManager.dll in RoboHelp Server 6.23878ADV-2007-17142521120070511 Cross-Site Scripting in Adobe RoboHelp 6, Server 6 and X51018020robohelp-files-xss(34181)Kaspersky AntiVirus Engine 6.0.1.411 for Windows and 5.5-10 for Linux allows remote attackers to cause a denial of service (CPU consumption) via a crafted UPX compressed file with a negative offset, which triggers an infinite loop during decompression.20070302 Kaspersky AntiVirus UPX File Decompression DoS Vulnerability227951017718ADV-2007-081024391kaspersky-upx-dos(32797)Integer overflow in Mozilla Thunderbird before 1.5.0.10 and SeaMonkey before 1.0.8 allows remote attackers to trigger a buffer overflow and possibly execute arbitrary code via a text/enhanced or text/richtext e-mail message with an extremely long line.RHSA-2007:0078GLSA-200703-18RHSA-2007:010822845ADV-2007-082424522mozilla-email-messages-overflow(32810)DSA-1336FEDORA-2007-308FEDORA-2007-309SSA:2007-066-04SSA:2007-066-0524406244562445725588The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines.RHSA-2007:0082227641017771RHSA-2007:0154RHSA-2007:0155249102492420070418 rPSA-2007-0073-1 php php-mysql php-pgsqlRHSA-2007:0163RHSA-2007:01622494524941MDKSA-2007:087MDKSA-2007:088MDKSA-2007:08924909GLSA-200705-19MDKSA-2007:087MDKSA-2007:088MDKSA-2007:089MDKSA-2007:090SUSE-SA:2007:044USN-549-1USN-549-23276925445260482664227864SSA:2008-045-0328936Integer overflow in PHP 4.4.4 and earlier allows remote context-dependent attackers to execute arbitrary code via a long string to the unserialize function, which triggers the overflow in the ZVAL reference counter. GLSA-200703-21 22765 32771 24606 php-zval-code-execution(32796) RHSA-2007:0154 RHSA-2007:0155 24910 24924 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql RHSA-2007:0163 24945 24941 DSA-1282 DSA-1283 25025 25062 MDKSA-2007:087 MDKSA-2007:088GLSA-200705-19HPSBMA02215HPSBTU02232MDKSA-2007:087MDKSA-2007:0882007-0009ADV-2007-1991ADV-2007-237425445254232441925850A regression error in the phpinfo function in PHP 4.4.3 to 4.4.6, and PHP 6.0 in CVS, allows remote attackers to conduct cross-site scripting (XSS) attacks via GET, POST, or COOKIE array values, which are not escaped in the phpinfo output, as originally fixed for CVE-2005-3388. 32774APPLE-SA-2007-07-3125159ADV-2007-273226235Multiple PHP remote file inclusion vulnerabilities in Webmobo WB News 1.4.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the config[installdir] parameter to (1) comment.php, (2) themes.php, (3) directory.php, and (4) sendmsg.php in admin/.20070301 WB News Remote File Include in all versionswbnews-multiple-scripts-file-include(32774)2355SQL injection vulnerability in ViewBugs.php in Tyger Bug Tracking System (TygerBT) 1.1.3 allows remote attackers to execute arbitrary SQL commands via the s parameter.20070303 Tyger Bug Tracking System Multiple Vulnerability2279924385 ADV-2007-0822 tyger-viewbugs-sql-injection(32791)2356SQL injection vulnerability in ViewReport.php in Tyger Bug Tracking System (TygerBT) 1.1.3 allows remote attackers to execute arbitrary SQL commands via the bug parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24385tyger-viewbugs-sql-injection(32791)Multiple cross-site scripting (XSS) vulnerabilities in Tyger Bug Tracking System (TygerBT) 1.1.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) Login.php and (2) Register.php.20070303 Tyger Bug Tracking System Multiple Vulnerability2279924385 ADV-2007-0822 tyger-login-register-xss(32792)2356SQL injection vulnerability in inlinemod.php in Jelsoft vBulletin before 3.5.8, and before 3.6.5 in the 3.6.x series, might allow remote authenticated users to execute arbitrary SQL commands via the postids parameter. NOTE: the vendor states that the attack is feasible only in circumstances "almost impossible to achieve."33872278024341vbulletin-inlinemod-sql-injection(32746)SQL injection vulnerability in Rigter Portal System (RPS) 6.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the categoria parameter to the top-level URI (index.php), possibly related to ver_descarga.php.3403ADV-2007-081324382 20070303 RPS 6.2 SQL Injection Exploit 22813 rps-index-sql-injection(32784)A certain ActiveX control in the DivXBrowserPlugin (npdivx32.dll) in DivX Web Player, as distributed with DivX Player 1.3.0, allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via large values to DivxWP.Resize, related to resizing images.339222776divxwebplayer-npdivx32-dos(32759)SQL injection vulnerability in topic_title.php in AJ Forum 1.0 allows remote attackers to execute arbitrary SQL commands via the td_id parameter.34112280824378 ADV-2007-0820 ajforum-topictitle-sql-injection(32785)SQL injection vulnerability in postingdetails.php in AJ Classifieds 1.0 allows remote attackers to execute arbitrary SQL commands via the postingid parameter.341022808 ADV-2007-0833 ajclassifieds-postingdetails-sql-injection(32786)SQL injection vulnerability in view_profile.php in AJDating 1.0 allows remote attackers to execute arbitrary SQL commands via the user_id parameter.340922808 ADV-2007-0821 24376 ajdating-viewprofile-sql-injection(32788)29154ajdating-userid-sql-injection(42326)SQL injection vulnerability in subcat.php in AJ Auction 1.0 allows remote attackers to execute arbitrary SQL commands via the cate_id parameter.340822808 ADV-2007-0819 24375 ajauctionpro-subcat-sql-injection(32789)PHP remote file inclusion vulnerability in index.php in Mani Stats Reader 1.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the ipath parameter.339822794mani-stats-index-file-include(32782) 24394DOURAN Software Technologies ISPUtil 3.32.84.1, and possibly earlier versions, stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain user and reseller data via a direct request for scripts/activesessions.ini. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24304 isputil-activesessions-info-disclosure(32800)Stack-based buffer overflow in the IMAP service in MailEnable Enterprise and Professional Editions 2.37 and earlier allows remote authenticated users to execute arbitrary code via a long argument to the APPEND command. NOTE: this is probably different than CVE-2006-6423.339722792ADV-2007-0811243611017739mailenable-append-bo(32801)SQL injection vulnerability in guestbook.php in LI-Guestbook 1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the country parameter. NOTE: it was later reported that 1.2 is also affected.Successful exploitation requires "magic_quotes_gpc" to be disabled.20070305 LI-Guestbook SQL Injection Vulnerability2282120071109 li-guestbook sql inj276502348liguestbook-country-sql-injection(38369)Directory traversal vulnerability in rb.cgi in RRDBrowse 1.6 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.20070304 Arbitrary file disclosure vulnerability in rrdbrowse <= 1.622817 ADV-2007-0834 rrdbrowse-file-directory-traversal(32793)2349Multiple SQL injection vulnerabilities in add2.php in Sava's Guestbook 23.11.2006, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) country, (3) email, (4) website, and (5) message parameters.Successful exploitation requires that "magic_quotes_gpc" is disabled.20070305 Sava's GuestBook Multiple Vulnerabilities22820 24411 savasguestbook-add2-sql-injection(32811)2350Multiple cross-site scripting (XSS) vulnerabilities in add2.php in Sava's Guestbook 23.11.2006 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) country, (3) email, and (4) website parameters.20070305 Sava's GuestBook Multiple Vulnerabilities22820 24411 savasguestbook-add2-xss(32812)2350Asterisk 1.4 before 1.4.1 and 1.2 before 1.2.16 allows remote attackers to cause a denial of service (crash) by sending a Session Initiation Protocol (SIP) packet without a URI and SIP-version header, which results in a NULL pointer dereference.VU#2280321017723GLSA-200703-1422838ADV-2007-08302438024578asterisk-sip-channeldriver-dos(32830) 33888DSA-1358SUSE-SA:2007:03425582Unspecified vulnerability in Lenovo Intel PRO/1000 LAN adapter before Build 135400, as used on IBM Lenovo ThinkPad systems, has unknown impact and attack vectors.22822ADV-2007-080124349ecma/kjs_html.cpp in KDE JavaScript (KJS), as used in Konqueror in KDE 3.5.5, allows remote attackers to cause a denial of service (crash) by accessing the content of an iframe with an ftp:// URI in the src attribute, probably due to a NULL pointer dereference.20070304 Konqueror DoS Via JavaScript Read Of FTP Iframe20070304 Konqueror DoS Via JavaScript Read Of FTP Iframe22814konqueror-ftp-dos(32798)MDKSA-2007:054USN-447-1MDKSA-2007:054RHSA-2007:0909ADV-2007-0886271082345Novell Access Management 3 SSLVPN Server allows remote authenticated users to bypass VPN restrictions by making policy.txt read-only, disconnecting, then manually modifying policy.txt.ADV-2007-0800101772224369NETxAutomation NETxEIB OPC Server before 3.0.1300 does not properly validate OLE for Process Control (OPC) server handles, which allows attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors involving the (1) IOPCSyncIO::Read, (2) IOPCSyncIO::Write, (3) IOPCServer::AddGroup, (4) IOPCServer::RemoveGroup, (5) IOPCCommon::SetClientName, and (6) IOPCGroupStateMgt::CloneGroup functions, which allow access to arbitrary memory. NOTE: the vectors might be limited to attackers with physical access.VU#29659323059ADV-2007-10382461220070322 [NB07-22] Multiple vulnerabilities in NETxEIB OPC server1017803Unspecified vulnerability in the IOPCServer::RemoveGroup function in the OPCDA interface in Takebishi Electric DeviceXPlorer OLE for Process Control (OPC) Server before 3.12 Build3 allows remote attackers to execute arbitrary code via unspecified vectors involving access to arbitrary memory. NOTE: this issue affects the (1) HIDIC, (2) MELSEC, (3) FA-M3, (4) MODBUS, and (5) SYSMAC OPC Servers.This vulnerability is addressed in the following product update: http://www.faweb.net/us/opc/1231207.htmlVU#92655120070322 [NB07-07] Multiple vulnerabilities in Takebishi Electric DeviceXplorer HIDIC OPC server20070322 [NB07-08] Multiple vulnerabilities in Takebishi Electric DeviceXplorer MELSEC OPC server20070322 [NB07-09] Multiple vulnerabilities in Takebishi Electric DeviceXplorer FA-M3 OPC server20070322 [NB07-10] Multiple vulnerabilities in Takebishi Electric DeviceXplorer MODBUS OPC server20070322 [NB07-17] Multiple vulnerabilities in Takebishi Electric DeviceXplorer SYSMAC OPC server23037ADV-2007-1029101779324570Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.DSA-128423731ADV-2007-15972507325095DSA-1384FEDORA-2007-713MDKSA-2007:203RHSA-2007:032327085271032748627047FEDORA-2008-4386FEDORA-2008-460430413MDVSA-2008:162Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.DSA-1284RHSA-2007:0323FEDORA-2007-2270FEDORA-2007-713MDKSA-2007:20320071030 Clarification on old QEMU/NE2000/Xen issues23731ADV-2007-15971018761270722710327486250732509527047FEDORA-2007-2708MDVSA-2008:162QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction.DSA-128423731ADV-2007-15972507325095qemu-icebp-dos(34043)MDVSA-2008:162** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2893. Reason: this candidate was intended for one issue, but some sources used this identifier for a separate issue, and a duplicate identifier had also been created by the time dual use was detected. Notes: All CVE users should consult CVE-2007-2893 to determine if it is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.SnapGear 560, 585, 580, 640, 710, and 720 appliances before the 3.1.4u5 firmware allow remote attackers to cause a denial of service (complete packet loss) via a packet flood, a different vulnerability than CVE-2006-4613.2283524388 ADV-2007-0850 snapgear-packet-dos(32824)The PMA_ArrayWalkRecursive function in libraries/common.lib.php in phpMyAdmin before 2.10.0.2 does not limit recursion on arrays provided by users, which allows context-dependent attackers to cause a denial of service (web server crash) via an array with many dimensions. NOTE: it could be argued that this vulnerability is caused by a problem in PHP (CVE-2006-1549) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in phpMyAdmin.22841ADV-2007-0831DSA-1370MDKSA-2007:19926733SQL injection vulnerability in index.php in Serendipity 1.1.1 allows remote attackers to execute arbitrary SQL commands via the serendipity[multiCat][] parameter.20070301 Serendipity unauthenticated SQL-Injectionserendipity-index-sql-injection(32768)2383The SILC_SERVER_CMD_FUNC function in apps/silcd/command.c in silc-server 1.0.2 allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a request without a cipher algorithm and an invalid HMAC algorithm.20070306 silc-server 1.0.2 denial-of-service vulnerability22846 GLSA-200703-12 24431 24426 silc-command-dos(32846)Cross-site scripting (XSS) vulnerability in formulaire.php in Bernard JOLY BJ Webring allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter related to the add link menu.20070303 BJ Webring XSS2384Directory traversal vulnerability in SQL-Ledger, and LedgerSMB before 1.1.5, allows remote attackers to read and overwrite arbitrary files, and execute arbitrary code, via . (dot) characters adjacent to (1) users and (2) users/members strings, which are removed by blacklisting functions that filter these strings and collapse into .. (dot dot) sequences.20070301 Full disclosure: Directory Transversal and Arbitrary Code Execution Vulnerability in SQL-Ledger and LedgerSMB1017715sqlledger-userpathmemberfile-dir-traversal(32776) 24363 243662381Comodo Firewall Pro (CFP) (formerly Comodo Personal Firewall) 2.4.18.184 and earlier allows local users to bypass driver protections on the HKLM\SYSTEM\Software\Comodo\Personal Firewall registry key by guessing the name of a named pipe under \Device\NamedPipe\OLE and attempting to open it multiple times.20070301 Comodo Bypassing settings protection using magic pipe Vulnerability22775comodofirewallpro-pipe-security-bypass(32771)2388Multiple cross-site scripting (XSS) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to inject arbitrary web script or HTML via unspecified vectors that bypass the client-side protection scheme, one of which may be the q parameter to the search program. NOTE: some of these details are obtained from third party information.20070305 ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities22829 243312385Multiple cross-site request forgery (CSRF) vulnerabilities in TKS Banking Solutions ePortfolio 1.0 Java allow remote attackers to perform unspecified restricted actions in the context of certain accounts by bypassing the client-side protection scheme.20070305 ePortfolio version 1.0 Java Multiple Input Validation Vulnerabilities22829 243312385The virtual machine process (VMX) in VMware Workstation before 5.5.4 does not properly read state information when moving from the ACPI sleep state to the run state, which allows attackers to cause a denial of service (virtual machine reboot) via unknown vectors.vmware-acpi-unspecified(33990) 25079 101801123732ADV-2007-1592The default configuration of the AirPort utility in Apple AirPort Extreme creates an IPv6 tunnel but does not enable the "Block incoming IPv6 connections" setting, which might allow remote attackers to bypass intended access restrictions by establishing IPv6 sessions that would have been rejected over IPv4. APPLE-SA-2007-04-09 ADV-2007-1308 24830 1017889 airportextreme-ipv6-security-bypass(33526)SQL injection vulnerability in index.php in Links Management Application 1.0 allows remote attackers to execute arbitrary SQL commands via the lcnt parameter.34162282524355 ADV-2007-0849 links-index-sql-injection(32813)PHP remote file inclusion vulnerability in eintrag.php in Weltennetz News-Letterman 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the sqllog parameter.340622807newsletterman-eintrag-file-include(32787)include/auth/auth.php in Simple Invoices before 2007 03 05 does not use the login system to protect print preview pages for invoices, which might allow attackers to obtain sensitive information.2281824402Cross-site scripting (XSS) vulnerability in admincp/index.php in Jelsoft vBulletin 3.6.5 and earlier allows remote attackers to inject arbitrary web script or HTML via the add rss url form.20070302 vBulletin v3.6.5 admincp/index.php ( rss feed ) xss vuln.22790vbulletin-admincpindex-xss(32780)2396includes/functions.php in Craig Knudsen WebCalendar before 1.0.5 does not protect the noSet variable from external modification, which allows remote attackers to set arbitrary global variables via a URL with modified values in the noSet parameter, which leads to resultant vulnerabilities that probably include remote file inclusion and other issues.2283424403 DSA-1267 ADV-2007-0851 24519 webcalendar-noset-variable-overwrite(32832)[webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch)Multiple buffer overflows in src/ezstream.c in Ezstream before 0.3.0 allow remote attackers to execute arbitrary code via a crafted XML configuration file processed by the (1) urlParse function, which causes a stack-based overflow and the (2) ReplaceString function, which causes a heap-based overflow. NOTE: some of these details are obtained from third party information.24383 22840 ADV-2007-0852 ezstream-replacestring-urlparse-bo(32867)Unspecified vulnerability in cube.exe in the GINA component for CA (Computer Associates) eTrust Admin 8.1.0 through 8.1.2 allows attackers with physical interactive or Remote Desktop access to bypass authentication and gain privileges via the password reset interface.20070309 [CAID 35145]: CA eTrust Admin Privilege Escalation Vulnerability22885ADV-2007-088532722101774024441ca-etrust-admin-authentication-bypass(32887)2404Unspecified vulnerability in ipmitool for Sun Fire X2100M2 and X2200M2 allows local users to gain privileges and reset or turn off the server.10282822859 ADV-2007-0869 1017738 24447Microsoft Windows Explorer on Windows 2000 SP4 FR and XP SP2 FR, and possibly other versions and platforms, allows remote attackers to cause a denial of service (memory corruption and crash) via an Office file with crafted document summary information, which causes an error in Ole32.dll.3419VU#194944101773622847PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.ADV-2007-11502467823192MDKSA-2007:08324839SUSE-SR:2007:008GLSA-200705-042511025072MDKSA-2007:083RHSA-2007:0395RHSA-2007:0486RHSA-2007:039620070602-01-PSUSE-SR:2007:0122007-0023USN-488-1101825925432256552573025894260842623126290RHSA-2008:0261Stack-based buffer overflow in webadmin.exe in Novell NetMail 3.5.2 allows remote attackers to execute arbitrary code via a long username during HTTP Basic authentication.20070307 ZDI-07-009: Novell Netmail WebAdmin Buffer Overflow Vulnerability22857netmail-sprintf-bo(32861) VU#919369 ADV-2007-0870 1017734 244452395Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow. 25096 25195 25216APPLE-SA-2007-11-14DSA-1294MDKSA-2007:079MDKSA-2007:080MDKSA-2007:081oval:org.mitre.oval:def:18102530525495DSA-14542833320070403 Multiple Vendor X Server BDF Font Parsing Integer Overflow Vulnerability[xorg-announce] 20070403 various integer overflow vulnerabilites in xserver, libX11 and libXfontRHSA-2007:0126USN-448-123283ADV-2007-1217101785724741247562477020070404 rPSA-2007-0065-1 freetype xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs20070405 FLEA-2007-0009-1: xorg-x11 freetypeMDKSA-2007:079MDKSA-2007:080MDKSA-2007:081RHSA-2007:0125RHSA-2007:0132ADV-2007-12642474524758247652476824771247722477624791xorg-bdf-font-bo(33417)RHSA-2007:01502340224885SSA:2007-109-01SUSE-SR:2007:006SUSE-SA:2007:0272007-001324889250042492124996[3.9] 021: SECURITY FIX: April 4, 2007[4.0] 011: SECURITY FIX: April 4, 200710288623300ADV-2007-154825006GLSA-200705-02GLSA-200705-10GLSA-200805-0730161Integer overflow in the FontFileInitTable function in X.Org libXfont before 20070403 allows remote authenticated users to execute arbitrary code via a long first line in the fonts.dir file, which results in a heap overflow.The vendor has addressed this vulnerability in the following product update: http://xorg.freedesktop.org/archive/X11R7.2/patches/ MDKSA-2007:080 RHSA-2007:0125 RHSA-2007:0132 24745 24758 24765 24771 24772 24791 xorg-fontsdir-bo(33419) SUSE-SA:2007:027 25004 [3.9] 021: SECURITY FIX: April 4, 2007 [4.0] 011: SECURITY FIX: April 4, 2007 102886 23300 ADV-2007-1548 25006 GLSA-200705-10 25195 25216APPLE-SA-2007-11-14DSA-1294MDKSA-2007:079MDKSA-2007:080oval:org.mitre.oval:def:132432530520070403 Multiple Vendor X Server fonts.dir File Parsing Integer Overflow Vulnerability[xorg-announce] 20070403 various integer overflow vulnerabilites in xserver, libX11 and libXfontRHSA-2007:0126USN-448-123283ADV-2007-12171017857247412475624770 20070404 rPSA-2007-0065-1 freetype xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs 20070405 FLEA-2007-0009-1: xorg-x11 freetype MDKSA-2007:079The setsockopt function in the L2CAP and HCI Bluetooth support in the Linux kernel before 2.4.34.3 allows context-dependent attackers to read kernel memory and obtain sensitive information via unspecified vectors involving the copy_from_user function accessing an uninitialized stack buffer.23594ADV-2007-149524976DSA-1356RHSA-2007:0376RHSA-2007:0488RHSA-2007:0673RHSA-2007:0672RHSA-2007:0671SUSE-SA:2007:035USN-470-1USN-486-1USN-489-12559625700256832583826133261392628926379264782645027528DSA-1503DSA-150429058The Access Control functionality (JMXOpsAccessControlFilter) in JMX Console in JBoss Application Server 4.0.2 and 4.0.5 before 20070416 uses a member variable to store the roles of the current user, which allows remote authenticated administrators to trigger a race condition and gain privileges by logging in during a session by a more privileged administrator, as demonstrated by privilege escalation from Read Mode to Write Mode.[jboss-watch-list] 20070416 [RHSA-2007:0151-01] Low: JBoss Application Server security updateRHSA-2007:0151Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors.20070519 [CVE-2007-1355] Tomcat documentation XSS vulnerabilities24058FEDORA-2007-3456HPSBUX02262ADV-2007-338627037277272722tomcat-hello-xss(34377)RHSA-2008:0261APPLE-SA-2008-06-30239312ADV-2008-1981ADV-2008-1979308023090830899** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.The atalk_sum_skb function in AppleTalk for Linux kernel 2.6.x before 2.6.21, and possibly 2.4.x, allows remote attackers to cause a denial of service (crash) via an AppleTalk frame that is shorter than the specified length, which triggers a BUG_ON call when an attempt is made to perform a checksum.2337624793 ADV-2007-1340 24901 DSA-1286 SUSE-SA:2007:029 25078 25099 SUSE-SA:2007:03020070615 rPSA-2007-0124-1 kernel xenDSA-1304SUSE-SA:2007:035SUSE-SA:2007:043USN-464-1253922568325714256912596125226Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".ADV-2007-172920070618 [CVE-2007-1358] Apache Tomcat XSS vulnerability in Accept-Language header processingAPPLE-SA-2007-07-31FEDORA-2007-3456HPSBUX022622452425159ADV-2007-2732ADV-2007-3087ADV-2007-338610182692572126235266602703727727RHSA-2008:0261239312ADV-2008-19793090830899Interpretation conflict in ModSecurity (mod_security) 2.1.0 and earlier allows remote attackers to bypass request rules via application/x-www-form-urlencoded POST data that contains an ASCIIZ (0x00) byte, which mod_security treats as a terminator even though it is still processed as normal data by some HTTP parsers including PHP 5.2.0, and possibly parsers in Perl, and Python.2283124373ADV-2007-086832778modsecurity-formurlencoded-security-bypass(32872)GLSA-200705-1725316HPSBMA02133ADV-2008-2115ADV-2008-21093111331087Unspecified vulnerability in the Nodefamily module for Drupal 5.x before 5.x-1.0 allows remote authenticated users to access and modify other users' profiles via unspecified URL parameters.22853ADV-2007-085524372 nodefamily-url-security-bypass(32873)Cross-site scripting (XSS) vulnerability in virtuemart_parser.php in VirtueMart before 20070213 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this issue is probably different than CVE-2007-0376.ADV-2007-08172439922816Mozilla Firefox 1.5.x before 1.5.0.12 and 2.x before 2.0.0.4, and SeaMonkey 1.0.9 and 1.1.2, allows remote attackers to cause a denial of service via (1) a large cookie path parameter, which triggers memory consumption, or (2) an internal delimiter within cookie path or name values, which could trigger a misinterpretation of cookie data, aka "Path Abuse in Cookies."20070531 FLEA-2007-0023-1: firefoxDSA-1300DSA-1306DSA-1308GLSA-200706-06MDKSA-2007:120MDKSA-2007:126RHSA-2007:0400RHSA-2007:0401RHSA-2007:0402SSA:2007-152-02SUSE-SA:2007:036USN-468-1TA07-151A2424222879ADV-2007-1994351391018162101816325476255332555925635256472568525534254902575025858mozilla-doccookie-dos(34613)HPSBUX02153Multiple SQL injection vulnerabilities in DropAFew before 0.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in the delete action in (a) search.php or (b) search-pda.php, or the (2) calories parameter in a save action in editlogcal.php.2340024861 dropafew-multiple-sql-injection(33560)DropAFew before 0.2.1 does not require authorization for certain privileged actions, which allows remote attackers to (1) view the logged calorie information of arbitrary users via the id parameter in editlogcal.php, (2) add arbitrary links via links.php, or (3) create arbitrary users via newaccount2.php.2340024861dropafew-editlogcal-information-disclosure(33561)Buffer overflow in kern/uipc_mbuf2.c in OpenBSD 3.9 and 4.0 allows remote attackers to execute arbitrary code via fragmented IPv6 packets due to "incorrect mbuf handling for ICMP6 packets." NOTE: this was originally reported as a denial of service.[source-changes] 20070226 CVS: cvs.openbsd.org: src[3.9] 020: SECURITY FIX: March 7, 2007[4.0] 010: SECURITY FIX: March 7, 2007101773522901101774424490VU#98642533050QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by "aam 0x0," which triggers a divide-by-zero error.[Qemu-devel] 20070428 Qemu crashes on AAM 0[Qemu-devel] 20070429 Re: Qemu crashes on AAM 0DSA-128423731ADV-2007-15972507325095qemu-aam-dos(34046)MDVSA-2008:162Cross-site scripting (XSS) vulnerability in the login page in Avaya Communications Manager (CM) S87XX, S8500, and S8300 products before 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the Login field.2286624397 33297The Project issue tracking module before 4.7.x-1.3, 4.7.x-2.* before 4.7.x-2.3, and 5 before 5.x-0.2-beta for Drupal allows remote authenticated users, with "access project issues" permission, to read the contents of a private node via a URL with a modified node identifier.22867ADV-2007-087324409 projectissuetracking-node-security-bypass(32871)ini_modifier (sgid-zendtech) in Zend Platform 2.2.3 and earlier allows local users to modify the system php.ini file by editing a copy of php.ini file using the -f parameter, and then performing a symlink attack using the directory that contains the attacker-controlled php.ini file, and linking this directory to /usr/local/Zend/etc.22802ADV-2007-0829zend-inimodifier-privilege-escalation(32820) 32773 24501Zend Platform 2.2.3 and earlier has incorrect ownership for scd.sh and certain other files, which allows local users to gain root privileges by modifying the files. NOTE: this only occurs when safe_mode and open_basedir are disabled; other settings require leverage for other vulnerabilities.22801ADV-2007-0829zend-scd-privilege-escalation(32825) 32772 24501Multiple buffer overflows in Conquest 8.2a and earlier (1) allow local users to gain privileges by querying a metaserver that sends a long server entry processed by metaGetServerList and allow remote metaservers to execute arbitrary code via a long server entry processed by metaGetServerList; (2) allow attackers to have an unknown impact by exceeding the configured number of metaservers; and allow remote attackers to corrupt memory via a SP_CLIENTSTAT packet with certain values of (3) unum or (4) snum, different vulnerabilities than CVE-2003-0933.20070307 Buffer-overflow in Conquest client 8.2a (svn 691)[conquest] 20070303 Re: security bugs in conquest22855ADV-2007-085424370conquest-metagetserverlist-bo(32849)conquest-processpacket-dos(32860)2399PHP remote file inclusion vulnerability in styles/internal/header.php in the PostGuestbook 0.6.1 module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the tpl_pgb_moddir parameter.342322858postguestbook-header-file-include(32866) ADV-2007-0880Stack-based buffer overflow in Mercury/32 (aka Mercury Mail Transport System) 4.01b and earlier allows remote attackers to execute arbitrary code via a long LOGIN command. NOTE: this might be the same issue as CVE-2006-5961.20070306 Mercury/32 4.01b24367mercury-imap-bo(32848)2398Cross-site scripting (XSS) vulnerability in pop_profile.asp in Snitz Forums 2000 3.4.06 allows remote attackers to inject arbitrary web script or HTML via the MSN parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2286924358snitzforums-popprofile-xss(32879)Integer overflow in the substr_compare function in PHP 5.2.1 and earlier allows context-dependent attackers to read sensitive memory via a large value in the length argument, a different vulnerability than CVE-2006-1991.342422851 GLSA-200703-21 32780 24606 DSA-1283 USN-455-1 25062 25057MDKSA-2007:187SUSE-SA:2007:0322505626895The shmop functions in PHP before 4.4.5, and before 5.2.1 in the 5.x series, do not verify that their arguments correspond to a shmop resource, which allows context-dependent attackers to read and write arbitrary memory locations via arguments associated with an inappropriate resource, as demonstrated by a GD Image resource.3426342722862 GLSA-200703-21 32781 24606 DSA-1283 USN-455-1 25062 25057SUSE-SA:2007:03225056AcroPDF.DLL in Adobe Reader 8.0, when accessed from Mozilla Firefox, Netscape, or Opera, allows remote attackers to cause a denial of service (unspecified resource consumption) via a .pdf URL with an anchor identifier that begins with search= followed by many %n sequences, a different vulnerability than CVE-2006-6027 and CVE-2006-6236.22856The ovrimos_longreadlen function in the Ovrimos extension for PHP before 4.4.5 allows context-dependent attackers to write to arbitrary memory locations via the result_id and length arguments.2283332779The ovrimos_close function in the Ovrimos extension for PHP before 4.4.5 can trigger efree of an arbitrary address, which might allow context-dependent attackers to execute arbitrary code.2283334691The php_binary serialization handler in the session extension in PHP before 4.4.5, and 5.x before 5.2.1, allows context-dependent attackers to obtain sensitive information (memory contents) via a serialized variable entry with a large length value, which triggers a buffer over-read.3413GLSA-200703-21SUSE-SA:2007:020228052451424606 DSA-1282 DSA-1283 USN-455-1 25025 25062 25057HPSBMA02215HPSBTU02232SUSE-SA:2007:032ADV-2007-1991ADV-2007-2374250562542325850The wddx_deserialize function in wddx.c 1.119.2.10.2.12 and 1.119.2.10.2.13 in PHP 5, as modified in CVS on 20070224 and fixed on 20070304, calls strlcpy where strlcat was intended and uses improper arguments, which allows context-dependent attackers to execute arbitrary code via a WDDX packet with a malformed overlap of a STRING element, which triggers a buffer overflow.This vulnerability impacts PHP CVS as of 2007-02-2432775The PHP COM extensions for PHP on Windows systems allow context-dependent attackers to execute arbitrary code via a WScript.Shell COM object, as demonstrated by using the Run method of this object to execute cmd.exe, which bypasses PHP's safe mode.3429Integer overflow in the 16 bit variable reference counter in PHP 4 allows context-dependent attackers to execute arbitrary code by overflowing this counter, which causes the same variable to be destroyed twice, a related issue to CVE-2007-1286.GLSA-200703-212276524606SUSE-SA:2007:0323277025056Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.2 allows remote attackers to overwrite arbitrary files via ".." sequences in a torrent filename.[kde-announce] 20070309 KTorrent 2.1.2 is out USN-436-1 22930 ADV-2007-0913 24486 24459 SSA:2007-093-02 24753 SUSE-SR:2007:007 24995 GLSA-200705-01 250971017747chunkcounter.cpp in KTorrent before 2.1.2 allows remote attackers to cause a denial of service (crash) and heap corruption via a negative or large idx value.[kde-announce] 20070309 KTorrent 2.1.2 is out USN-436-1 22930 ADV-2007-0913 24486 24459 SSA:2007-093-02 24753 SUSE-SR:2007:007 24995 GLSA-200705-01 250971017747The DirectShow loader (loader/dshow/DS_VideoDecoder.c) in MPlayer 1.0rc1 and earlier, as used in xine-lib, does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code, a different vulnerability than CVE-2007-1246.USN-435-124462 MDKSA-2007:061 MDKSA-2007:062 22933 24444GLSA-200705-21MDKSA-2007:061MDKSA-2007:0622546224443DSA-153629601The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which triggers a NULL pointer dereference.23142ADV-2007-1122 MDKSA-2007:078 24777 24901 RHSA-2007:0169 25080 SUSE-SA:2007:029 25099MDKSA-2007:078USN-464-125392dynaliens 2.0 and 2.1 allows remote attackers to bypass authentication and perform certain privileged actions via a direct request for (1) validlien.php3 (2) supprlien.php3 (3) supprub.php3 (4) validlien.php3 (5) confsuppr.php3 (6) modiflien.php3, or (7) confmodif.php3 in admin/.20070308 dynaliens v2.0/v2.1 bypass admin authentification + XSS228732403Multiple cross-site scripting (XSS) vulnerabilities in dynaliens 2.0 and 2.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) recherche.php3 or (2) ajouter.php3.20070308 dynaliens v2.0/v2.1 bypass admin authentification + XSS228742403PHP remote file inclusion vulnerability in modules/abook/foldertree.php in Leo West WEBO (aka weborganizer) 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the baseDir parameter.343622877ADV-2007-0883webo-foldertree-file-include(32877) 20070309 [ECHO_ADV_67$2007] WEBO (Web Organizer) <= 1.0 (baseDir) Remote File Inclusion VulnerabilityDirectory traversal vulnerability in down.php in netForo! 0.1g allows remote attackers to read arbitrary files via a .. (dot dot) in the file_to_download parameter.343522875ADV-2007-0884netforo-down-directory-traversal(32878) 24449PHP remote file inclusion vulnerability in mysave.php in Magic CMS 4.2.747 allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.343822162ADV-2007-0881 24439 magiccms-mysave-file-include(32883)Direct static code injection vulnerability in startsession.php in Flat Chat 2.0 allows remote attackers to execute arbitrary PHP code via the Chat Name field, which is inserted into online.txt and included by users.php. NOTE: some of these details are obtained from third party information.342822865ADV-2007-087124433 flatchat-startsession-code-execution(32882)Incomplete blacklist vulnerability in index.php in phpMyAdmin 2.8.0 through 2.9.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary JavaScript or HTML in a (1) db or (2) table parameter value followed by an uppercase </SCRIPT> end tag, which bypasses the protection against lowercase </script>.20070307 xss in phpmyadmin >=2.8.0 and < 2.10.0phpmyadmin-dbtable-xss(32858)DSA-1370MDKSA-2007:199267332402The import_request_variables function in PHP 4.0.7 through 4.4.6, and 5.x before 5.2.2, when called without a prefix, does not prevent the (1) GET, (2) POST, (3) COOKIE, (4) FILES, (5) SERVER, (6) SESSION, and other superglobals from being overwritten, which allows remote attackers to spoof source IP address and Referer data, and have other unspecified impact. NOTE: it could be argued that this is a design limitation of PHP and that only the misuse of this feature, i.e. implementation bugs in applications, should be included in CVE. However, it has been fixed by the vendor.20070308 PHP import_request_variables() arbitrary variable overwrite20070310 Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite20070312 Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite20070314 Re: Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite22886SUSE-SA:2007:044260482406Multiple stack-based buffer overflows in the (1) ExtractRnick and (2) decrypt_topic_332 functions in FiSH allow remote attackers to execute arbitrary code via long strings.22880 ADV-2007-0910 24495 fish-multiple-bo(32892)The frag3 preprocessor in Snort 2.6.1.1, 2.6.1.2, and 2.7.0 beta, when configured for inline use on Linux without the ip_conntrack module loaded, allows remote attackers to cause a denial of service (segmentation fault and application crash) via certain UDP packets produced by send_morefrag_packet and send_overlap_packet.343422872 33024Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to execute arbitrary code via a long zip:// URL, as demonstrated by actively triggering URL access from a remote PHP interpreter via avatar upload or blog pingback.22883 SUSE-SA:2007:020 ADV-2007-0898 32782 24471 24514 pecl-url-wrapper-bo(32889)DSA-133025938Plash permits sandboxed processes to open /dev/tty, which allows local users to escape sandbox restrictions and execute arbitrary commands by sending characters to a shell process on the same termimal via the TIOCSTI ioctl.[plash] 20070301 TTY ioctl() vulnerability32598 22892 ADV-2007-0909 24498Buffer overflow in the crack extension (CrackLib), as bundled with PHP 4.4.6 and other versions before 5.0.0, might allow local users to gain privileges via a long argument to the crack_opendict function.20070308 PHP 4.4.6 crack_opendict() local buffer overflow poc exploit34312405The Rediff Toolbar 2.0 ActiveX control in redifftoolbar.dll allows remote attackers to cause a denial of service via unspecified manipulations, possibly involving improper initialization or blank arguments.21924Multiple stack-based buffer overflows in an ActiveX control in SwDir.dll 10.1.4.20 in Macromedia Shockwave allow remote attackers to cause a denial of service (Internet Explorer 7 crash) and possibly execute arbitrary code via a long (1) BGCOLOR, (2) SRC, (3) AutoStart, (4) Sound, (5) DrawLogo, or (6) DrawProgress property value, different vectors than CVE-2006-6885.342122842tftpd.exe in ProSysInfo TFTP Server TFTPDWIN 0.4.2 allows remote attackers to cause a denial of service via a long UDP packet that is not properly handled in a recv_from call. NOTE: this issue might be related to CVE-2006-4948.343224452 tftpdwin-recvfrom-dos(32886)Cross-site scripting (XSS) vulnerability in the "download wiki page as text" feature in Trac before 0.10.3.1, when Microsoft Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.24470 22888 ADV-2007-0900 trac-downloadwikipageastext-xss(32897)Trac before 0.10.3.1 does not send a Content-Disposition HTTP header specifying an attachment in certain "unsafe" situations, which has unknown impact and remote attack vectors.Unspecified vulnerability in OpenSolution Quick.Cart before 2.1 has unknown impact and attack vectors, related to a "low critical exploit."Multiple vulnerabilities in (1) bank.php, (2) landfill.php, (3) outposts.php, (4) tribes.php, (5) house.php, (6) tribearmor.php, (7) tribeastral.php, (8) tribeware.php, and (9) includes/head.php in Bartek Jasicki Vallheru before 1.3 beta have unknown impact and remote attack vectors, probably related to large integer values containing more than 15 digits. NOTE: the original vendor report is for integer overflows, but this is probably an incorrect usage of the term.This vulnerability is addressed in the following product release: Vallheru, Vallheru, 1.3 BetaWordPress allows remote attackers to obtain sensitive information via a direct request for wp-admin/admin-functions.php, which reveals the path in an error message.20070308 Re: Word Press Sensitive Directory exposure (SQL)20070308 Word Press Sensitive Directory exposure (SQL) GLSA-200703-23 24566SQL injection vulnerability in kategori.asp in GaziYapBoz Game Portal allows remote attackers to execute arbitrary SQL commands via the kategori parameter.343722871ADV-2007-0882 gaziyapboz-kategori-sql-injection(32884)Buffer overflow in PHP 4.4.6 and earlier, and unspecified PHP 5 versions, allows local and possibly remote attackers to execute arbitrary code via long server name arguments to the (1) mssql_connect and (2) mssql_pconnect functions.20070306 PHP <= 4.4.6 mssql_connect() & mssql_pconnect() local buffer overflow and safe_mode bypass22832ADV-2007-0867243532407php-ntwdblib-bo(32885)The cpdf_open function in the ClibPDF (cpdf) extension in PHP 4.4.6 allows context-dependent attackers to obtain sensitive information (script source code) via a long string in the second argument.344222897 php-clibpdf-source-disclosure(32986)Buffer overflow in the snmpget function in the snmp extension in PHP 5.2.3 and earlier, including PHP 4.4.6 and probably other PHP 4 versions, allows context-dependent attackers to execute arbitrary code via a long value in the third argument (object id).Failed exploit attempts will likely cause a denial of serivce on the webserver.343922893244404204php-snmpget-function-bo(35517)Multiple PHP remote file inclusion vulnerabilities in Coppermine Photo Gallery (CPG) allow remote attackers to execute arbitrary PHP code via a URL in the (1) cmd parameter to (a) image_processor.php or (b) picmgmt.inc.php, or the (2) path parameter to (c) include/functions.php, (d) include/plugin_api.inc.php, (e) index.php, or (f) pluginmgr.php.20070309 Remote File Include In Script Coppermine Photo Gallery22896coppermine-multiple-scripts-file-include(32894) 20070322 Remote File Include In Coppermine Photo Gallery3506535066350673506835069350702416Multiple PHP remote file inclusion vulnerabilities in PMB Services 3.0.13 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) class_path parameter to (a) includes/resa_func.inc.php (b) admin/notices/perso.inc.php, or (c) admin/quotas/main.inc.php; the (2) base_path parameter to (d) opac_css/rec_panier.php or (e) opac_css/includes/author_see.inc.php; or the (3) include_path parameter to (f) bull_info.inc.php or (g) misc.inc.php in includes/; (h) options_date_box.php, (i) options_file_box.php, (j) options_list.php, (k) options_query_list.php, or (l) options_text.php in includes/options/; (m) options.php, (n) options_comment.php, (o) options_date_box.php, (p) options_list.php, (q) options_query_list.php, or (r) options_text.php in includes/options_empr/; or (s) admin/import/iimport_expl.php, (t) admin/netbase/clean.php, (u) admin/param/param_func.inc.php, (v) admin/sauvegarde/lieux.inc.php, (w) autorites.php, (x) account.php, (y) cart.php, or (z) edit.php.344322895pmbservices-multiple-scripts-file-include(32890)20070310 [ECHO_ADV_68$2007] PMB Services <= 3.0.13 Multiple Remote File Inclusion VulnerabilityADV-2007-091735101351023510335104351053510635107351083510935110351113511235113351143511535116351173511835119351203512135122351233512435125PHP remote file inclusion vulnerability in createurl.php in JCcorp (aka James Coyle) URLshrink allows remote attackers to execute arbitrary PHP code via a URL in the formurl parameter.20070309 Remote File Include In Script copyright (c) James Coyle; JCcorp22894 20070322 Remote File Include In copyright &copy; James Coyle; JCcorp ADV-2007-0902 243402415SQL injection vulnerability in index.php in HC NEWSSYSTEM 1.0-4 allows remote attackers to execute arbitrary SQL commands via the ID parameter in a komm aktion.20070309 HC NEWSSYSTEM 1.0-4 (index.php 22898 3449 ADV-2007-0904 244772414Cross-site scripting (XSS) vulnerability in skins/ace/popup-notopic.php in MindTouch OpenGarden DekiWiki before Gooseberry++ allows remote attackers to inject arbitrary web script or HTML via the message parameter.2289124453dekiwiki-popupnotopic-xss(32893) ADV-2007-0899The Java Management Extensions Remote API Remote Method Invocation over Internet Inter-ORB Protocol (JMX RMI-IIOP) API in Java Dynamic Management Kit 5.1 before 20070309 does not properly enforce the java.policy, which allows local users to obtain certain MBeans data access by operating a server application accessed by a privileged remote authenticated user.102835 22907 ADV-2007-0906 1017745 24497MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.20070309 SEC Consult SA-20070309-0 :: MySQL 5 Single Row Subselect Denial of Service22900USN-440-1ADV-2007-09082448324609 GLSA-200705-11 25196MDKSA-2007:139101774625389259462413Multiple PHP remote file inclusion vulnerabilities in Premod SubDog 2 allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) functions_kb.php, (2) themen_portal_mitte.php, or (3) logger_engine.php in includes/.20070310 Remote File Include In Script Premod SubDog 2229122412SQL injection vulnerability in goster.asp in fystyq Duyuru Scripti allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2007-0688.20070310 Fistiq Duyuru Scripti Remote Sql Injection Exploit22910Multiple PHP remote file inclusion vulnerabilities in WORK system e-commerce 3.0.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the g_include parameter to include/include_top.php and certain other PHP scripts.Successful exploitation requires that "register_globals" is enabled.34482290824476 ADV-2007-0903Multiple PHP remote file inclusion vulnerabilities in Softnews Media Group DataLife Engine allow remote attackers to execute arbitrary PHP code via a URL in the root_dir parameter to (1) init.php and (2) Ajax/editnews.php. NOTE: some of these details are obtained from third party information.20070310 Remote File Include In Script SoftNews Media Group229132411SQL injection vulnerability in index.php in Triexa SonicMailer Pro 3.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the list parameter in an archive action.34572292024474 ADV-2007-0905The web interface in AstroCam 2.0.0 through 2.6.5 allows remote attackers to cause a denial of service (daemon shutdown) via requests that contain a large amount of data in the "a" variable, which "fills up the message queue."ADV-2007-0901244802292432868Directory traversal vulnerability in download_pdf.php in AssetMan 2.4a and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the pdf_file parameter.20070311 AssetMan 2.4a <= (download_pdf.php) Remote File Disclosure Vulnerability3458229212410SQL injection vulnerability in search.php in PHP Labs JobSitePro 1.0 allows remote attackers to execute arbitrary SQL commands via the salary parameter.34552291624454 ADV-2007-0918Multiple PHP remote file inclusion vulnerabilities in Moodle 1.7.1 allow remote attackers to execute arbitrary PHP code via a URL in the cmd parameter to (1) admin/utfdbmigrate.php or (2) filter.php.20070311 Remote File Include In Script moodle-1.7.1SUSE-SR:2007:0152409PHP remote file inclusion vulnerability in include/adodb-connection.inc.php in ClipShare 1.5.3 allows remote attackers to execute arbitrary PHP code via a URL in the cmd parameter.20070311 Remote File Include In ClipShare.v1.5.3 229282408Multiple unspecified vulnerabilities in PennMUSH 1.8.3 before 1.8.3p1 and 1.8.2 before 1.8.2p3 allow attackers to cause a denial of service (crash) related to the (1) speak and (2) buy functions.[pennmush-announce] 20070311 PennMUSH 1.8.2p3 and 1.8.3p1 Released22935ADV-2007-092124504Grayscale Blog 0.8.0, and possibly earlier versions, allows remote attackers to gain privileges via direct requests with modified arguments in (1) the user_permissions parameter to add_users.php, and unspecified parameters to (2) addblog.php, (3) editblog.php, (4) editlinks.php, (5) edit_users.php, and (6) add_links.php.20070310 Grayscale <= 0.8.0 Multiple Vulnerabilities22911ADV-2007-09162417Cross-site scripting (XSS) vulnerability in Grayscale Blog 0.8.0, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the comment fields to (1) scripts/addblog_comment.php and (2) detail.php.20070310 Grayscale <= 0.8.0 Multiple Vulnerabilities22911ADV-2007-09162417SQL injection vulnerability in Grayscale Blog 0.8.0, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) userdetail.php, id and (2) url parameter to (b) jump.php, and id variable to (c) detail.php.20070310 Grayscale <= 0.8.0 Multiple Vulnerabilities22911ADV-2007-09162417Buffer overflow in D-Link TFTP Server 1.0 allows remote attackers to cause a denial of service (crash) via a long (1) GET or (2) PUT request, which triggers memory corruption. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2292324360Unspecified vulnerability in admin.pl in SQL-Ledger before 2.6.26 and LedgerSMB before 1.1.9 allows remote attackers to bypass authentication via unknown vectors that prevents a password check from occurring.This vulnerability is addressed in the following product updates: SQL-Ledger, 2.6.26 LedgerSMB, 1.1.920070309 Security bypass vulnerability in LedgerSMB and SQL-Ledger (fixes released today)228892446724496 33622 336232436Unspecified vulnerability in LedgerSMB before 1.1.5 and SQL-Ledger before 2.6.25 allows remote attackers to overwrite files and possibly bypass authentication, and remote authenticated users to execute unauthorized code, by calling a custom error function that returns from execution.20070305 DoS and code execution issue in LedgerSMB < 1.1.5 and SQL-Ledger < 2.6.2524363243662435SQL injection vulnerability in devami.asp in X-Ice News System 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.346922939 ADV-2007-0941 24502PHP remote file inclusion vulnerability in ressourcen/dbopen.php in bitesser MySQL Commander 2.7 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the home parameter.Successful exploitation requires that register_globals is enabled.20070313 [ECHO_ADV_73$2007] MySQL Commander <= 2.7 (home) Remote File Inclusion Vulnerability346822941 ADV-2007-0942 245002423SQL injection vulnerability in search.asp in JGBBS 3.0 Beta 1 allows remote attackers to execute arbitrary SQL commands via the author parameter.20070313 JGBBS 3.0beta1 Version Search.ASP 347022943 ADV-2007-09402431The 4thPass browser (BlackBerry Browser) on the RIM BlackBerry 8100 (Pearl) before 4.2.1 allows remote attackers to cause a denial of service (temporary functionality loss) via a long href attribute in a link in a WML page.20070312 RIM BlackBerry Pearl 8100 Browser DoSADV-2007-094520070313 Re: Re: RIM BlackBerry Pearl 8100 Browser DoSVU#28285610177482434Oracle Database 10g uses a NULL pDacl parameter when calling the SetSecurityDescriptorDacl function to create discretionary access control lists (DACLs), which allows local users to gain privileges.2290524475Multiple cross-site scripting (XSS) vulnerabilities in register.php in Woltlab Burning Board (wBB) 2.3.6 and Burning Board Lite 1.0.2pl3e allow remote attackers to inject arbitrary web script or HTML via the (1) r_username, (2) r_email, (3) r_password, (4) r_confirmpassword, (5) r_homepage, (6) r_icq, (7) r_aim, (8) r_yim, (9) r_msn, (10) r_year, (11) r_month, (12) r_day, (13) r_gender, (14) r_signature, (15) r_usertext, (16) r_invisible, (17) r_usecookies, (18) r_admincanemail, (19) r_emailnotify, (20) r_notificationperpm, (21) r_receivepm, (22) r_emailonpm, (23) r_pmpopup, (24) r_showsignatures, (25) r_showavatars, (26) r_showimages, (27) r_daysprune, (28) r_umaxposts, (29) r_dateformat, (30) r_timeformat, (31) r_startweek, (32) r_timezoneoffset, (33) r_usewysiwyg, (34) r_styleid, (35) r_langid, (36) key_string, (37) key_number, (38) disablesmilies, (39) disablebbcode, (40) disableimages, (41) field[1], (42) field[2], and (43) field[3] parameters. NOTE: a third-party researcher has disputed some of these vectors, stating that only the r_dateformat and r_timeformat parameters in Burning Board 2.3.6 are affected.20070302 Re: Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0day20070302 Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0dayADV-2007-085624386244042424netserver in netperf 2.4.3 allows local users to overwrite arbitrary files via a symlink attack on /tmp/netperf.debug.22925ADV-2007-091224464SQL injection vulnerability in the heme preview feature for default.asp in BP Blog 7.0 through 7.0.2 allows remote attackers to execute arbitrary SQL commands via the layout parameter.3466ADV-2007-091924473Multiple PHP remote file inclusion vulnerabilities in Open Education System (OES) 0.1beta allow remote attackers to execute arbitrary PHP code via a URL in the CONF_INCLUDE_PATH parameter to (1) lib-account.inc.php, (2) lib-file.inc.php, (3) lib-group.inc.php, (4) lib-log.inc.php, (5) lib-mydb.inc.php, (6) lib-template-mod.inc.php, and (7) lib-themes.inc.php in includes/.20070313 [ECHO_ADV_69$2007] OES (Open Educational System) 0.1beta Remote File Inclusion Vulnerability22934ADV-2007-09202421The Tape Engine in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC procedure arguments, which result in memory corruption, a different vulnerability than CVE-2006-6076.32990 VU#375353 22994 ADV-2007-0971 1017783 24512 brightstor-rpc-tapeengine-code-execution(33017)The Tape Engine in CA (formerly Computer Associates) BrightStor ARCserve Backup 11.5 and earlier allows remote attackers to cause a denial of service (disabled interface) by calling an unspecified RPC function.32991 VU#647273 22994 ADV-2007-0971 1017783 24512 brightstor-rpc-tapeengine-dos(33020)Directory traversal vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.20070310 PHP-Nuke <= 8.0 Cookie Manipulation (lang)20070311 Re: PHP-Nuke <= 8.0 Cookie Manipulation (lang)2290924484SQL injection vulnerability in mainfile.php in PHP-Nuke 8.0 and earlier allows remote attackers to execute arbitrary SQL commands in the Top or News module via the lang parameter.20070310 PHP-Nuke <= 8.0 Cookie Manipulation (lang)22909GuppY 4.0 allows remote attackers to delete arbitrary files via a direct request to install/install.php, then selecting "Installation propre" (cleanup.php) and then "Suppression des fichiers d'installation" (delete.php).20070311 GuppY v4.0 remote del files/index2433The FDF support (ext/fdf) in PHP 5.2.0 and earlier does not implement the input filtering hooks for ext/filter, which allows remote attackers to bypass web site filters via an application/vnd.fdf formatted POST.22906Buffer underflow in the PHP_FILTER_TRIM_DEFAULT macro in the filtering extension (ext/filter) in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by calling filter_var with certain modes such as FILTER_VALIDATE_INT, which causes filter to write a null byte in whitespace that precedes the buffer.22922 DSA-1283 25062SUSE-SA:2007:03225056ext/filter in PHP 5.2.0, when FILTER_SANITIZE_STRING is used with the FILTER_FLAG_STRIP_LOW flag, does not properly strip HTML tags, which allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML with a '<' character followed by certain whitespace characters, which passes one filter but is collapsed into a valid tag, as demonstrated using %0b. DSA-1283 25062 22914MDKSA-2007:090SUSE-SA:2007:03225056Multiple absolute path traversal vulnerabilities in Fantastico, as used with cPanel 10.x, allow remote authenticated users to include and execute arbitrary local files via (1) the userlanguage parameter to includes/load_language.php or (2) the fantasticopath parameter to includes/mysqlconfig.php and certain other files.20070311 Fantastico In all Version Cpanel 10.x <= local File Include2420** DISPUTED ** PHP remote file inclusion vulnerability in common.php in PHP Photo Album allows remote attackers to execute arbitrary PHP code via a URL in the db_file parameter. NOTE: CVE disputes this vulnerability, because versions 0.3.2.6 and 0.4.1beta do not contain this file. However, it is possible that the original researcher was referring to a different product.20070311 Remote File Include In Script PHP Photo Album20070314 [false] Remote File Include In Script PHP Photo Album20070314 Re: Remote File Include In Script PHP Photo Album2422Buffer overflow in the urarlib_get function in Christian Scheurer UniquE RAR File Library (unrarlib, aka URARFileLib) 0.4 allows context-dependent attackers to execute arbitrary code via a long (1) filename, (2) rarfile, or (3) libpassword argument.2294220070313 Unrarlib 0.4.0 (urarlib_get) Local buffer overflowADV-2007-096124472Multiple PHP remote file inclusion vulnerabilities in CARE2X 1.1 allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) inc_checkdate_lang.php, (2) inc_charset_fx.php, (3) inc_config_color.php, (4) inc_currency_set.php, (5) inc_db_makelink.php, (6) inc_diagnostics_report_fx.php, (7) inc_environment_global.php, (8) inc_front_chain_lang.php, (9) inc_init_crypt.php, (10) inc_load_copyrite.php, or (11) inc_news_save.php in include/; (12) diagnostics-report-index.php, (13) config_options_mascot.php, (14) barcode-labels.php, (15) chg-color.php, or (16) config_options_gui_template.php in main/; or unspecified other files.2295120070314 [ECHO_ADV_72$2007] CARE2X (root_path) Remote File Inclusion VulnerabilityADV-2007-093824481care2x-rootpath-file-include(32981)34045340463404734048340493405634057340583405934060340503405134052340533405434055Multiple PHP remote file inclusion vulnerabilities in WebCreator 0.2.6-rc3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the moddir parameter to (1) content/load.inc.php, (2) config/load.inc.php, (3) http/load.inc.php, and unspecified other files.2295320070314 [ECHO_ADV_74$2007] WebCreator <= 0.2.6-rc3 (moddir) Remote File Inclusion Vulnerability3473ADV-2007-0937webcreator-loadinc-file-include(32972)The zip:// URL wrapper provided by the PECL zip extension in PHP before 4.4.7, and 5.2.0 and 5.2.1, does not implement safemode or open_basedir checks, which allows remote attackers to read ZIP archives located outside of the intended directories.22954APPLE-SA-2007-07-31SUSE-SA:2007:03225159ADV-2007-27322505626235The compress.bzip2:// URL wrapper provided by the bz2 extension in PHP before 4.4.7, and 5.x before 5.2.2, does not implement safemode or open_basedir checks, which allows remote attackers to read bzip2 archives located outside of the intended directories.22954APPLE-SA-2007-07-31SUSE-SA:2007:03225159ADV-2007-27322505626235The luci server component in conga preserves the password between page loads for the Add System/Cluster task flow by storing the password in the Value attribute of a password entry field, which allows attackers to steal the password by performing a "view source" or other operation to obtain the web page. NOTE: there are limited circumstances under which such an attack is feasible.Format string vulnerability in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a URI, which is not properly handled by certain dialogs.23070USN-438-120070324 FLEA-2007-0002-1: inkscapeMDKSA-2007:069ADV-2007-105924597246152458424661inkscape-dialogs-format-string(33163)GLSA-200704-1024859SUSE-SR:2007:00825072MDKSA-2007:06923138Format string vulnerability in the whiteboard Jabber protocol in Inkscape before 0.45.1 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors. 20070324 FLEA-2007-0002-1: inkscape ADV-2007-1059 24615 24661 inkscape-jabber-format-string(33164) GLSA-200704-10 24859 SUSE-SR:2007:008 2507223138Stack-based buffer overflow in dproxy.c for dproxy 0.1 through 0.5 allows remote attackers to execute arbitrary code via a long DNS query packet to UDP port 53.20070323 dproxy - arbitrary code execution through stack buffer overflow vulnerability 23112 ADV-2007-1091 24623 dproxy-udp-packet-bo(33171)Integer overflow in the the WP6GeneralTextPacket::_readContents function in WordPerfect Document importer/exporter (libwpd) before 0.8.9 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted WordPerfect file, a different vulnerability than CVE-2007-0002.This vulnerability has been address by the vendor through a product update: http://sourceforge.net/project/showfiles.php?group_id=62662 ADV-2007-097624507 20070316 Multiple Vendor libwpd Multiple Buffer Overflow Vulnerabilities 20070316 rPSA-2007-0057-1 libwpd DSA-1268 FEDORA-2007-350 MDKSA-2007:063 MDKSA-2007:064 RHSA-2007:0055 RHSA-2007:0033 USN-437-1 23006 1017789 24557 24572 24580 24573 24581 24550 GLSA-200704-07 24794 102863 24856MDKSA-2007:063MDKSA-2007:06424588Multiple cross-site scripting (XSS) vulnerabilities in (1) PreSearch.html and (2) PreSearch.class in Cisco Secure Access Control Server (ACS), VPN Client, Unified Personal Communicator, MeetingPlace, Unified MeetingPlace, Unified MeetingPlace Express, CallManager, IP Communicator, Unified Video Advantage, Unified Videoconferencing 35xx products, Unified Videoconferencing Manager, WAN Manager, Security Device Manager, Network Analysis Module (NAM), CiscoWorks and related products, Wireless LAN Solution Engine (WLSE), 2006 Wireless LAN Controllers (WLC), and Wireless Control System (WCS) allow remote attackers to inject arbitrary web script or HTML via the text field of the search form.20070315 Re: XSS vulnerability in the online help system of several Cisco products20070315 XSS vulnerability in the online help system of several Cisco products20070315 Cross-Site Scripting Vulnerability in Online Help System22982 ADV-2007-0973 cisco-presearch-xss(33024)1017778244992437Cross-site scripting (XSS) vulnerability in IBM Rational ClearQuest (CQ) Web 7.0.0.0 allows remote attackers to inject arbitrary web script or HTML via an attachment to a defect log entry.20070315 IBM Rational ClearQuest Web - Cross Site Scripting22981 ADV-2007-1036 1017786 24523 clearquest-defecttracking-xss(33001)2442SQL injection vulnerability in gallery.asp in Absolute Image Gallery 2.0 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewimage action.20070315 Absolute Image Gallery Gallery.ASP (categoryid) MSSQL Injection Exploit22988 ADV-2007-1002 24543 absolute-gallery-sql-injection(33005) 342392429Multiple buffer overflows in LIBFtp 5.0 allow user-assisted remote attackers to execute arbitrary code via certain long arguments to the (1) FtpArchie, (2) FtpDebugDebug, (3) FtpOpenDir, (4) FtpSize, or (5) FtpChmod function.20070315 LIBFtp 5.0 (sprintf(), strcpy()) Multiple local buffer overflow229872441admin/default.asp in Orion-Blog 2.0 allows remote attackers to bypass authentication controls and gain privileges via a direct URL request for admin/AdminBlogNewsEdit.asp.20070315 Orion-Blog v2.0 Version Remote Privilege Escalation Exploit2440Variable overwrite vulnerability in groupit/base/groupit.start.inc in Groupit 2.00b5 allows remote attackers to conduct remote file inclusion attacks and execute arbitrary PHP code via arguments that are written to $_GLOBALS, as demonstrated using a URL in the c_basepath parameter to (1) content.php, (2) userprofile.php, (3) password.php, (4) dispatch.php, and (5) deliver.php in html/, and possibly (6) load.inc.php and related files.20070315 [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability20070315 [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability20070315 [ECHO_ADV_75$2007] Groupit 2.00b5 (c_basepath) Remote File Inclusion Vulnerability 3486 ADV-2007-0995 groupit-cbasepath-file-include(33000)2428Cross-site scripting (XSS) vulnerability in framework/NLS/NLS.php in Horde Framework before 3.1.4 RC1, when the login page contains a language selection box, allows remote attackers to inject arbitrary web script or HTML via the new_lang parameter to login.php.20070315 Horde 3.1.4 (RC1) fixes XSS issue[announce] 20070314 Horde 3.1.4 (final)229841017775 ADV-2007-0965 33084 24528 horde-login-xss(33013) SUSE-SR:2007:007 24995DSA-1406275652427Argument injection vulnerability in the cleanup cron script in Horde Project Horde and IMP before Horde Application Framework 3.1.4 allows local users to delete arbitrary files and possibly gain privileges via multiple space-delimited pathnames.20070315 Horde Project Cleanup Script Arbitrary File Deletion Vulnerability[announce] 20070314 Horde 3.1.4 (final)22985 ADV-2007-0965 1017784 1017785 horde-cron-file-deletion(32997)DSA-140627565Multiple buffer overflows in the (1) ibase_connect and (2) ibase_pconnect functions in the interbase extension in PHP 4.4.6 and earlier allow context-dependent attackers to execute arbitrary code via a long argument.Successful exploitation requires that the Interbase extension is installed.20070315 PHP <= 4.4.6 ibase_connect() local buffer overflow22976348824529php-interbase-extension-bo(33019)2439The SymTDI device driver (SYMTDI.SYS) in Symantec Norton Personal Firewall 2006 9.1.1.7 and earlier, Internet Security 2005 and 2006, AntiVirus Corporate Edition 3.0.x through 10.1.x, and other Norton products, allows local users to cause a denial of service (system crash) by sending crafted data to the driver's \Device file, which triggers invalid memory access, a different vulnerability than CVE-2006-4855.20070315 Norton Insufficient validation of 'SymTDI' driver input buffer2297720070315 Norton Insufficient validation of 'SymTDI' driversymantec-firewall-symtdi-dos(33003)10186562438** DISPUTED ** Directory traversal vulnerability in index.php in PHP Point Of Sale for osCommerce 1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cfg_language parameter. NOTE: this issue has been disputed by CVE, since the cfg_language variable is configured upon proper product installation.20070312 PHP Point Of Sale for osCommerce <= (index.php) Remote File Include Vulnpos-index-file-include(33006)20070427 FALSE -> PHP Point of Sale (osCommerce) LFI2426download.php in McGallery 0.5b allows remote attackers to read arbitrary files and obtain script source code via the filename parameter.349422989 ADV-2007-1003 mcgallery-download-information-disclosure(33004)Cross-site scripting (XSS) vulnerability in Guestbook.php in Creative Guestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter.3489 24536 creative-schreiben-xss(33015)Creative Guestbook 1.0 allows remote attackers to add an administrative account via a direct request to createadmin.php with Name, Email, and PASSWORD parameters set.348924536creative-createadmin-authentication-bypass(33014)SQL injection vulnerability in index.php in WBBlog allows remote attackers to execute arbitrary SQL commands via the e_id parameter in a viewentry cmd.3490 22998 ADV-2007-1001 24532 wbblog-viewentry-sql-injection(33010)Cross-site scripting (XSS) vulnerability in index.php in WBBlog allows remote attackers to inject arbitrary web script or HTML via the e_id parameter in a viewentry cmd.3490 22998 ADV-2007-1001 24532 wbblog-viewentry-xss(33011)Multiple PHP remote file inclusion vulnerabilities in WebCalendar 0.9.45 allow remote attackers to execute arbitrary PHP code via a URL in the includedir parameter to (1) login.php, (2) get_reminders.php, or (3) get_events.php.20070315 WebCalendar v0.9.45 (13 Dec 2004) (login.php) Remote File include3492 20070320 Re: WebCalendar v0.9.45 (13 Dec 2004) (login.php) Remote File include [webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch) 23054 webcalendar-multiple-file-include(33008)2425[webcalendar-announce] 20070304 Announce: Release 1.0.5 (security patch)The array_user_key_compare function in PHP 4.4.6 and earlier, and 5.x up to 5.2.1, makes erroneous calls to zval_dtor, which triggers memory corruption and allows local users to bypass safe_mode and execute arbitrary code via a certain unset operation after array_user_key_compare has been called.24542 USN-455-1 25057APPLE-SA-2007-07-31GLSA-200705-19SUSE-SA:2007:0322299025159ADV-2007-2732250562544526235** DISPUTED ** Buffer overflow in the set_umask function in QFTP in LIBFtp 3.1-1 allows local users to execute arbitrary code via a long -m argument. NOTE: CVE disputes this issue because QFTP is not setuid, and it is unlikely that there are web interfaces to QFTP that would accept untrusted command line arguments.20070315 QFTP (LIBFtp 3.1-1) (command line) sprintf() local buffer overflow229862443PHP remote file inclusion vulnerability in template.class.php in Carbonize Lazarus Guestbook before 1.7.3 allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to admin.php, probably due to a dynamic variable evaluation vulnerability.This vulnerability has been addressed by the vendor with a product update: http://carbonize.co.uk/Lazarus/downloads.php20070307 Lazarus Guestbook (admin.php)Remote File Include Expliot20070308 Re: [Bogus] Lazarus Guestbook (admin.php)Remote File Include Expliot -20070307 Bogus - [c_r_ck at hotmail.com: Lazarus Guestbook (admin.php)Remote File Include Expliot]ADV-2007-0874 20070316 Re: [Bogus] Lazarus Guestbook (admin.php)Remote File Include Expliot20070520 Re: Re: [Bogus] Lazarus Guestbook (admin.php)Remote File Include Expliot -2432Directory traversal vulnerability in index.php in Sascha Schroeder (aka CyberTeddy or Cyber-inside) WebLog allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a showarticles action.3484ADV-2007-096724521 22995 weblog-index-directory-traversal(32998)Unspecified vulnerability in Sun Java System Web Server 6.0 and 6.1 before 20070315 allows remote attackers to "gain unauthorized access to data", possibly involving a sample application.10283322993ADV-2007-0972245451017788sun-java-url-information-disclosure(33016)Unspecified vulnerability in web-app.org Web Automated Perl Portal (WebAPP) 0.9.9.4 to 0.9.9.6 allows remote attackers to obtain admin access by modifying cookies and performing "certain consecutive actions," possibly due to a cross-site request forgery (CSRF) vulnerability.2454020070320 WebAPP AuditUnspecified maintenance web pages in Avaya S87XX, S8500, and S8300 before CM 3.1.3, and Avaya SES allow remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors (aka "shell command injection").24434 33300Apache Tomcat in Avaya S87XX, S8500, and S8300 before CM 3.1.3, and Avaya SES allows connections from external interfaces via port 8009, which exposes it to attacks from outside parties.24434 33346winmm.dll in Microsoft Windows XP allows user-assisted remote attackers to cause a denial of service (infinite loop) via a large cch argument value to the mmioRead function, as demonstrated by a crafted WAV file.20070310 Windows Multimedia mmioRead Denial of Service Vulnerability22938nukesentinel.php in NukeSentinel 2.5.06 and earlier uses a permissive regular expression to validate an IP address, which allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, due to an incomplete patch for CVE-2007-1172.20070310 NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit20070314 SQL injection (x2) in NukeSentinel2430Cross-site scripting (XSS) vulnerability in NukeSentinel before 2.5.06 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "filters for https:// and http://".The \Device\SymEvent driver in Symantec Norton Personal Firewall 2006 9.1.1.7, and possibly other products using symevent.sys 12.0.0.20, allows local users to cause a denial of service (system crash) via invalid data, as demonstrated by calling DeviceIoControl to send the data, a reintroduction of CVE-2006-4855.20070314 SymEvent Driver Local Access System Denial of Service229612445nfnetlink_log in netfilter in the Linux kernel before 2.6.20.3 allows attackers to cause a denial of service (crash) via unspecified vectors involving the (1) nfulnl_recv_config function, (2) using "multiple packets per netlink message", and (3) bridged packets, which trigger a NULL pointer dereference.2294624492ADV-2007-0944DSA-1289RHSA-2007:03472522825288MDKSA-2007:171SUSE-SA:2007:043USN-464-1253922596126620nf_conntrack in netfilter in the Linux kernel before 2.6.20.3 does not set nfctinfo during reassembly of fragmented packets, which leaves the default value as IP_CT_ESTABLISHED and might allow remote attackers to bypass certain rulesets using IPv6 fragments.24492ADV-2007-094433028DSA-1289RHSA-2007:0347239762522825288MDKSA-2007:171MDKSA-2007:196SUSE-SA:2007:043USN-464-1253922596126620Multiple stack-based buffer overflows in the SiteManager.SiteMgr.1 ActiveX control (SiteManager.dll) in the ePO management console in McAfee ePolicy Orchestrator (ePO) before 3.6.1 Patch 1 and ProtectionPilot (PRP) before 1.5.0 HotFix allow remote attackers to execute arbitrary code via a long argument to the (1) ExportSiteList and (2) VerifyPackageCatalog functions, and (3) unspecified vectors involving a swprintf function call.20070314 [Advisory]McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities22952ADV-2007-093124466VU#71459310177572444Microsoft Internet Explorer 7.0 on Windows XP and Vista allows remote attackers to conduct phishing attacks and possibly execute arbitrary code via a res: URI to navcancl.htm with an arbitrary URL as an argument, which displays the URL in the location bar of the "Navigation Canceled" page and injects the script into the "Refresh the page" link, aka Navigation Cancel Page Spoofing Vulnerability."20070314 Phishing using IE7 local resource vulnerability20070315 RE: Phishing using IE7 local resource vulnerability20070315 Re: Phishing using IE7 local resource vulnerabilityADV-2007-094624535ie-navcancl-xss(33026)HPSBST02231MS07-033TA07-163A22966ADV-2007-2153oval:org.mitre.oval:def:17151018235256272448The Linux Security Auditing Tool (LSAT) allows local users to overwrite arbitrary files via a symlink attack on temporary files, as demonstrated using /tmp/lsat1.lsat.GLSA-200703-2024526 23014 gentoo-lsat-symlink(33057)Stack-based buffer overflow in Avant Browser 11.0 build 26 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long Content-Type HTTP header.351423002 avantbrowser-contenttype-dos(33049)Multiple buffer overflows in Rhapsody IRC 0.28b allow remote attackers to execute arbitrary code via a (1) long command, (2) long server argument to the (a) connect or (b) server commands, (3) long nick argument to the (c) nick command, or a long (4) nick or (5) message argument to the (d) ctcp, (e) chat, (f) notice, (g) message (msg), or (h) query commands.20070317 Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability230112447Multiple format string vulnerabilities in comm.c in Rhapsody IRC 0.28b allow remote attackers to execute arbitrary code via format string specifiers to the create_ctcp_message function using the message argument to the (1) me or (2) ctcp commands, and possibly related vectors involving the (3) whois, (4) mode, and (5) topic commands.20070317 Rhapsody IRC 0.28b (NICK) Multiple fs and bof vulnerability230112447Cross-site scripting (XSS) vulnerability in the Servlet Service in Fujitsu Interstage Application Server (IJServer) 8.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving web.xml and HTTP 404 and 500 status codes.ADV-2007-099624508 23020 interstage-application-servlet-xss(33099)Fujistu FENCE-Pro before V5L01, and Systemwalker Desktop Encryption V12.0L10, V12.0L10A, V12.0L10B, V12.0L20 and V13.0.0 allows local users to obtain sensitive information by extracting the decoding password from certain "self-decoding" file types.230012453724549 systemwalker-selfdecoding-info-disclosure(33029)Cross-site scripting (XSS) vulnerability in PORTAL.wwv_main.render_warning_screen in the Oracle Portal 10g allows remote attackers to inject arbitrary web script or HTML via the (1) p_oldurl and (2) p_newurl parameters.20070316 Oracle Portal PORTAL.wwv_main.render_warning_screen XSS22999 oracleportal-portalwarning-xss(33028)2463The default configuration in OpenAFS 1.4.x before 1.4.4 and 1.5.x before 1.5.17 supports setuid programs within the local cell, which might allow attackers to gain privileges by spoofing a response to an AFS cache manager FetchStatus request, and setting setuid and root ownership for files in the cache.[OpenAFS-announce] 20070319 OpenAFS 1.4.4 available[OpenAFS-announce] 20070319 OpenAFS 1.5.17 release available[OpenAFS-announce] 20070320 OpenAFS Security Advisory 2007-001: privilege escalation in Unix-based clientsDSA-1271MDKSA-2007:06623060ADV-2007-10331017807245822459924607openafs-setuid-privilege-escalation(33180) GLSA-200704-03 24720MDKSA-2007:066Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAdmin allows remote attackers to inject arbitrary web script or HTML via the RESULT parameter, a different vector than CVE-2006-5983.20070315 DirectAdmin Cross Site Scripting XSS22996 ADV-2007-1037 24551 directadmin-cmduserstats-xss(33023)Directory traversal vulnerability in enkrypt.php in Sascha Schroeder krypt (aka Holtstraeter Rot 13) allows remote attackers to read arbitrary files via a .. (dot dot) in the datei parameter.20070316 Rot 13 <= (enkrypt.php) Remote File Disclosure Vulnerability22997 rot-enkrypt-directory-traversal(33027)2458SQL injection vulnerability in post.php in Particle Blogger 1.0.0 through 1.2.0 allows remote attackers to execute arbitrary SQL commands via the postid parameter.20070316 Particle Blogger All Version Post.PHP (PostID) Remote SQL Injection Exploit23005 3500 ADV-2007-1006 24559 particle-post-sql-injection(33030)2460Buffer overflow in FrontBase Relational Database Server 4.2.7 and earlier allows remote authenticated users, with privileges for creating a stored procedure, to execute arbitrary code via a CREATE PROCEDURE request with a long procedure name.20070316 [NETRAGARD-20070316 SECURITY ADVISORY][FrontBase Database <= 4.2.7 ALL PLATFORMS][REMOTE BUFFER OVERFLOW CONDITION][LEVEL: EASY][RISK:MEDIUM]23007 ADV-2007-0999 245552470Stack-based buffer overflow in the AfxOleSetEditMenu function in the MFC component in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 Gold and SP1, and Visual Studio .NET 2002 Gold and SP1, and 2003 Gold and SP1 allows user-assisted remote attackers to have an unknown impact (probably crash) via an RTF file with a malformed OLE object, which results in writing two 0x00 characters past the end of szBuffer, aka the "MFC42u.dll Off-by-Two Overflow." NOTE: this issue is due to an incomplete patch (MS07-012) for CVE-2007-0025.20070316 MS07-012 Not FixedPHP remote file inclusion vulnerability in comanda.php in GraFX Company WebSite Builder (CWB) PRO 1.9.8, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter.20070315 [ECHO_ADV_76$2007] Company WebSite Builder PRO (INCLUDE_PATH) Remote File Inclusion Vulnerability348522974 cwb-comanda-file-include(33035)ADV-2007-09942452PHP remote file inclusion vulnerability in index.php in ViperWeb Portal alpha 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the modpath parameter.20070315 Remote File Inclusion in ViperWeb22979 viperweb-index-file-include(33034)2449Multiple cross-site scripting (XSS) vulnerabilities in Horde IMP H3 4.1.3, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via (1) the email Subject header in thread.php, (2) the edit_query parameter in search.php, or other unspecified parameters in search.php. NOTE: some of these details are obtained from third party information.20070315 Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues20071315 Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues[announce] 20070314 IMP H3 (4.1.4) (final)2297524541 ADV-2007-0964 1017774PHP remote file inclusion vulnerability in functions/update.php in Cicoandcico CcMail 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the functions_dir parameter.348722983 ADV-2007-1000 ccmail-update-file-include(32999)SQL injection vulnerability in comments.php in WSN Guest 1.02 and 1.21 allows remote attackers to execute arbitrary SQL commands via the id parameter.20070314 WSN Guest 1.21 Version Comments.PHP 22969 3477 ADV-2007-0968 wsnguest-comments-sql-injection(32983)2451SQL injection vulnerability in usergroups.php in Woltlab Burning Board (wBB) 2.x allows remote attackers to execute arbitrary SQL commands via the array index of the applicationids array.20070314 Woltab Burning Board SQL Injection usergroups.php22970 20070315 Re: [Full-disclosure] Woltab Burning Board SQL Injection usergroups.php2455Cross-site scripting (XSS) vulnerability in modules.php in PHP-Nuke 8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search operation in the Downloads module, a different product than CVE-2006-3948.20070309 Php Nuke POST XSS on steroids24629The cross-site request forgery (CSRF) protection in PHP-Nuke 8.0 and earlier does not ensure the SERVER superglobal is an array before validating the HTTP_REFERER, which allows remote attackers to conduct CSRF attacks.20070309 Php Nuke POST XSS on steroids20070311 Re: Php Nuke POST XSS on steroids20070313 Re: Php Nuke POST XSS on steroids24629Double free vulnerability in PHP before 4.4.7, and 5.x before 5.2.2, allows context-dependent attackers to execute arbitrary code by interrupting the session_regenerate_id function, as demonstrated by calling a userspace error handler or triggering a memory limit violation.22968ADV-2007-096024505DSA-1282DSA-1283USN-455-1250252506225057APPLE-SA-2007-07-31GLSA-200705-19SUSE-SA:2007:03225159ADV-2007-2732250562544526235Double free vulnerability in the session extension in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to execute arbitrary code via illegal characters in a session identifier, which is rejected by an internal session storage module, which calls the session identifier generator with an improper environment, leading to code execution when the generator is interrupted, as demonstrated by triggering a memory limit violation or certain PHP errors. ADV-2007-0960 24505SUSE-SA:2007:0322297125056Heap-based buffer overflow in the kernel in NetBSD 3.0, certain versions of FreeBSD and OpenBSD, and possibly other BSD derived operating systems allows local users to have an unknown impact. NOTE: this information is based upon a vague pre-advisory with no actionable information. Details will be updated after 20070329.22945Directory traversal vulnerability in themes/default/ in ZomPlog 3.7.6 and earlier allows remote attackers to include arbitrary local files via a .. (dot dot) in the settings[skin] parameter, as demonstrated by injecting PHP code into an Apache HTTP Server log file, which can then included via themes/default/.346722157 ADV-2007-0966 24520 zomplog-index-file-include(32982)Direct static code injection vulnerability in postpost.php in Dayfox Blog (dfblog) 4 allows remote attackers to execute arbitrary PHP code via the cat parameter, which can be executed via a request to posts.php.3478 ADV-2007-0969 2453422972Sun Java System Web Server 6.1 before 20070314 allows remote authenticated users with revoked client certificates to bypass the Certificate Revocation List (CRL) authorization control and access secure web server instances running under an account different from that used for the admin server via unspecified vectors.102822 ADV-2007-0958 1017777 24531The LLTD Mapper in Microsoft Windows Vista does not verify that an IP address in a TLV type 0x07 field in a HELLO packet corresponds to a valid IP address for the local network, which allows remote attackers to trick users into communicating with an external host by sending a HELLO packet with the MW characteristic and a spoofed TLV type 0x07 field, aka the "Spoof and Management URL IP Redirect" attack.20070313 New report on Windows Vista network attack surface 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation 23279The LLTD Mapper in Microsoft Windows Vista allows remote attackers to spoof hosts, and nonexistent bridge relationships, into the network topology map by using a MAC address that differs from the MAC address provided in the Real Source field of the LLTD BASE header of a HELLO packet, aka the "Spoof on Bridge" attack.20070313 New report on Windows Vista network attack surface 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentationThe LLTD Responder in Microsoft Windows Vista does not send the Mapper a response to a DISCOVERY packet if another host has sent a spoofed response first, which allows remote attackers to spoof arbitrary hosts via a network-based race condition, aka the "Total Spoof" attack.20070313 New report on Windows Vista network attack surface 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation 23263The LLTD Mapper in Microsoft Windows Vista does not properly gather responses to EMIT packets, which allows remote attackers to cause a denial of service (mapping failure) by omitting an ACK response, which triggers an XML syntax error.20070313 New report on Windows Vista network attack surface 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation 23271Microsoft Windows XP and Vista overwrites ARP table entries included in gratuitous ARP, which allows remote attackers to cause a denial of service (loss of network access) by sending a gratuitous ARP for the address of the Vista host.20070313 New report on Windows Vista network attack surface20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation 23266The neighbor discovery implementation in Microsoft Windows Vista allows remote attackers to conduct a redirect attack by (1) responding to queries by sending spoofed Neighbor Advertisements or (2) blindly sending Neighbor Advertisements.20070313 New report on Windows Vista network attack surface 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation 23293The Teredo implementation in Microsoft Windows Vista uses the same nonce for communication with different UDP ports within a solicitation session, which makes it easier for remote attackers to spoof the nonce through brute force attacks.20070313 New report on Windows Vista network attack surface 20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation 23301DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 for 2 minutes after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port during the time window.20070313 New report on Windows Vista network attack surface20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentationMicrosoft Windows Vista establishes a Teredo address without user action upon connection to the Internet, contrary to documentation that Teredo is inactive without user action, which increases the attack surface and allows remote attackers to communicate via Teredo.20070313 New report on Windows Vista network attack surface20070403 Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation23267Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.[file] 20070302 file-4.20 is now available24548MDKSA-2007:067RHSA-2007:0124USN-439-1VU#60670023021ADV-2007-1040101779624604246162461724592GLSA-200703-2624608DSA-1274SUSE-SR:2007:00524723SSA:2007-093-01247542513320070825 OpenBSD 4.1 - Heap overflow vulnerabillity20070828 Re: OpenBSD 4.1 - Heap overflow vulnerabillityAPPLE-SA-2007-05-24FreeBSD-SA-07:04GLSA-200710-19MDKSA-2007:067[4.0] 20070709 015: SECURITY FIX: July 9, 2007SUSE-SA:2007:040ADV-2007-1939253932540225931259892730727314openbsd-file-bo(36283)NetBSD-SA2008-00129179\Device\NdisTapi (NDISTAPI.sys) in Microsoft Windows XP SP2 and 2003 SP1 uses weak permissions, which allows local users to write to the device and cause a denial of service, as demonstrated by using an IRQL to acquire a spinlock on paged memory via the NdisTapiDispatch function.20070319 [Reversemode Advisory] Microsoft Windows Ndistapi.sys IRQL escalation23025ADV-2007-103124598windows-ndistapi-dos(33086) 336282471** DISPUTED ** McAfee VirusScan Enterprise 8.5.0.i uses insecure permissions for certain Windows Registry keys, which allows local users to bypass local password protection via the UIP value in (1) HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection or (2) HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Entreprise\CurrentVersion. NOTE: this issue has been disputed by third-party researchers, stating that the default permissions for HKEY_LOCAL_MACHINE\SOFTWARE does not allow for write access and the product does not modify the inherited permissions. There might be an interaction error with another product.20070317 Bypassing Mcafee Entreprise Password Protection20070317 Re: Bypassing Mcafee Entreprise Password Protection20070319 RE: Bypassing Mcafee Entreprise Password Protection1017791 33800Directory traversal vulnerability in inc/map.func.php in pragmaMX Landkarten 2.1 module allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the module_name parameter, as demonstrated via a static PHP code injection attack in an Apache log file.352124589 23044 ADV-2007-1030 pragma-mapfunc-file-include(33084)Directory traversal vulnerability in am.pl in (1) SQL-Ledger 2.6.27 and earlier, and (2) LedgerSMB before 1.2.0, allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence and trailing NULL (%00) in the login parameter. NOTE: this issue was reportedly addressed in SQL-Ledger 2.6.27, however third-party researchers claim that the file is still executed even though an error is generated.20070318 Full Disclosure: Arbitrary execution vulnerability in SQL-Ledger and LedgerSMB230342456024585ADV-2007-1024ADV-2007-102533624Directory traversal vulnerability in am.pl in SQL-Ledger 2.6.27 only checks for the presence of a NULL (%00) character to protect against directory traversal attacks, which allows remote attackers to run arbitrary executables and bypass authentication via a .. (dot dot) sequence in the login parameter.20070318 Full Disclosure: Arbitrary execution vulnerability in SQL-Ledger and LedgerSMB2303424560 ADV-2007-1025Unspecified vulnerability in the Cisco IP Phone 7940 and 7960 running firmware before POS8-6-0 allows remote attackers to cause a denial of service via the Remote-Party-ID sipURI field in a SIP INVITE request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.23047ADV-2007-102324600 20070320 Cisco IP Phone 7940/7960 SIP INVITE Denial of Service 1017797 cisco-ipphone-sip-invite-dos(33098)Stack-based buffer overflow in the accept_att_local function in server/os/connection.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to execute arbitrary code via a long path slave name in a USL socket connection.23017ADV-2007-099724527nas-uslsocket-bo(33047) DSA-1273 MDKSA-2007:065 USN-446-1 24601 24628 24638 1017822 GLSA-200704-20 24980 24783Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value.23017ADV-2007-099724527nas-procauwriteelement-dos(33051) DSA-1273 MDKSA-2007:065 USN-446-1 24601 24628 24638 1017822 GLSA-200704-20 24980The AddResource function in server/dia/resource.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (server crash) via a nonexistent client ID.23017ADV-2007-099724527nas-addresource-dos(33050) DSA-1273 MDKSA-2007:065 USN-446-1 24601 24628 24638 1017822 GLSA-200704-20 24980Array index error in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via (1) large num_action values in the ProcAuSetElements function in server/dia/audispatch.c or (2) a large inputNum parameter to the compileInputs function in server/dia/auutil.c.23017ADV-2007-099724527nas-procausetelements-dos(33054) DSA-1273 MDKSA-2007:065 USN-446-1 24601 24628 24638 nas-compileinputs-dos(33055) 1017822 GLSA-200704-20 24980The ReadRequestFromClient function in server/os/io.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) via multiple simultaneous connections, which triggers a NULL pointer dereference.23017ADV-2007-099724527nas-readrequestfromclient-dos(33059) DSA-1273 MDKSA-2007:065 USN-446-1 24601 24628 24638 1017822 GLSA-200704-20 24980SQL injection vulnerability in functions/functions_filters.asp in Web Wiz Forums before 8.05a (MySQL version) does not properly filter certain characters in SQL commands, which allows remote attackers to execute arbitrary SQL commands via \"' (backslash double-quote quote) sequences, which are collapsed into \', as demonstrated via the name parameter to forum/pop_up_member_search.asp.20070320 Web Wiz Forums 8.05 (MySQL version) SQL Injection23051ADV-2007-106124561webwizforums-popupmember-sql-injection(33095)2456Unrestricted file upload vulnerability in gallery.php in phpx 3.5.15 allows remote attackers to upload and execute arbitrary PHP scripts via an addImage action, which places scripts into the gallery/shelties/ directory.20070319 phpx 3.5.15 multiples vulnerabilities23033 phpx-gallery-file-upload(33151)2457Multiple SQL injection vulnerabilities in phpx 3.5.15 allow remote attackers to execute arbitrary SQL commands via the (1) image_id or (2) cat_id parameter to (a) gallery.php; the (3) news_id parameter to (b) news.php or (c) print.php; (4) the news_cat_id parameter to news.php; the (5) cat_id, (6) topic_id, or (7) post_id parameter to (d) forums.php; or (8) the user_id parameter to (e) users.php.20070319 phpx 3.5.15 multiples vulnerabilities23033 ADV-2007-1087 24565 phpx-multiple-sql-injection(33155)2457Multiple cross-site scripting (XSS) vulnerabilities in phpx 3.5.15 allow remote attackers to inject arbitrary web script or HTML via (1) the signature in "dans profile," or (2) search.php.20070319 phpx 3.5.15 multiples vulnerabilities23033 ADV-2007-1087 24565 phpx-signature-xss(33153) phpx-search-xss(33154)2457Unrestricted file upload vulnerability in usercp.php in MetaForum 0.513 Beta restricts file types based on the MIME type in the Content-type HTTP header, which allows remote attackers to upload and execute arbitrary scripts via an image MIME type with a filename containing an executable extension such as .php.20070318 MetaForum <= 0.513 Beta - Remote file upload Vulnerability23032 3516 metaforum-mime-file-upload(33097)2454admin/configuration.php in Guestbara 1.2 and earlier allows remote attackers to modify the e-mail, name, and password of the admin account by setting the zapis parameter to "ok" and providing modified admin_mail, login, and pass parameters.3506Direct static code injection vulnerability in admin/configuration.php in Guestbara 1.2 and earlier allows remote authenticated users to inject arbitrary PHP code into config.php via the (1) admin_mail, (2) emotpatch, (3) login, (4) pass, and unspecified other parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-1010 33783SQL injection vulnerability in forum.php in the Minerva mod 2.0.21 build 238a and earlier for phpBB allows remote attackers to execute arbitrary SQL commands via the c parameter.351923036 ADV-2007-1028 minerva-forum-sql-injection(33082) 33748SQL injection vulnerability in kommentare.php in Creative Files 1.2 allows remote attackers to execute arbitrary SQL commands via the dlid parameter.349823000creative-kommentare-sql-injection(33021)Format string vulnerability in F-Secure Anti-Virus Client Security 6.02 allows local users to cause a denial of service and possibly gain privileges via format string specifiers in the Management Server name field on the Communication settings page.20070319 Layered Defense Research Advisory: F-Secure Anti-Virus Client Security 6.02 Format String Vulnerability23023 ADV-2007-10552472The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions. NOTE: this design-level issue potentially affects all products that use APOP, including (1) Thunderbird 1.x before 1.5.0.12 and 2.x before 2.0.0.4, (2) Evolution, (3) mutt, (4) fetchmail, (5) SeaMonkey 1.0.x before 1.0.9 and 1.1.x before 1.1.2, (6) Balsa 2.3.16 and earlier, and possibly other products.ADV-2007-278825353254022547625529255462549625559255342566425750257982589426083264152585820070402 APOP vulnerability20070403 Re: APOP vulnerability23257ADV-2007-1466ADV-2007-1467ADV-2007-1468ADV-2007-1480MDKSA-2007:105RHSA-2007:0353101800820070615 rPSA-2007-0122-1 evolution-data-server20070619 FLEA-2007-0026-1: evolution-data-server20070531 FLEA-2007-0023-1: firefox20070620 FLEA-2007-0027-1: thunderbird[balsa-list] 20070704 balsa-2.3.17 releasedAPPLE-SA-2007-05-24DSA-1300DSA-1305GLSA-200706-06MDKSA-2007:105MDKSA-2007:107MDKSA-2007:113MDKSA-2007:119MDKSA-2007:131RHSA-2007:0344RHSA-2007:0386RHSA-2007:0385RHSA-2007:0401RHSA-2007:040220070602-01-PSSA:2007-152-02SUSE-SA:2007:036SUSE-SR:2007:0142007-00192007-0024USN-469-1USN-520-1TA07-151AADV-2007-1939ADV-2007-1994HPSBUX02153HPSBUX02156ADV-2008-0082Stack-based buffer overflow in SonicDVDDashVRNav.dll in Roxio CinePlayer 3.2 allows remote attackers to execute arbitrary code via unspecified properties and methods in the SonicDVDDashVRNav.dll ActiveX control.ADV-2007-133722251 23412 1017906 cineplayer-sonicmediaplayer-bo(33590)The clientProcessRequest() function in src/client_side.c in Squid 2.6 before 2.6.STABLE12 allows remote attackers to cause a denial of service (daemon crash) via crafted TRACE requests that trigger an assertion error.ADV-2007-103524611MDKSA-2007:06810178052461424625squid-clientprocessrequest-dos(33124) GLSA-200703-27 24662 SUSE-SR:2007:005 RHSA-2007:0131 24911MDKSA-2007:068USN-441-123085The channel driver in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP INVITE message with an SDP containing one valid and one invalid IP address.20070319 Asterisk SDP DOS vulnerability23031ADV-2007-10391017794asterisk-sip-invite-dos(33068)20070321 Two new DoS Vulnerabilities in Asterisk Fixed[VOIPSEC] 20070319 Asterisk SDP DOS vulnerability GLSA-200704-01 24719DSA-1358SUSE-SA:2007:034344792558224564The FTP protocol implementation in Mozilla Firefox before 1.5.0.11 and 2.x before 2.0.0.3 allows remote attackers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response.ADV-2007-103420070322 FLEA-2007-0001-1: firefoxUSN-443-1firefox-nsftpstate-information-disclosure(33119)20070531 FLEA-2007-0023-1: firefoxRHSA-2007:0400RHSA-2007:0402SUSE-SA:2007:036230821017800254762549025858HPSBUX02153The FTP protocol implementation in Opera 9.10 allows remote attackers to allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response.23089ADV-2007-1075 SUSE-SA:2007:028 250271017802The FTP protocol implementation in Konqueror 3.5.5 allows remote servers to force the client to connect to other servers, perform a proxied port scan, or obtain sensitive information by specifying an alternate server address in an FTP PASV response.USN-447-123091ADV-2007-10761017801 MDKSA-2007:072 SUSE-SR:2007:006 24889MDKSA-2007:072RHSA-2007:090927108Konqueror 3.5.5 allows remote attackers to cause a denial of service (crash) by using JavaScript to read a child iframe having an ftp:// URI.SQL injection vulnerability in News/page.asp in NetVIOS Portal allows remote attackers to execute arbitrary SQL commands via the NewsID parameter. NOTE: this issue might be the same as CVE-2006-5954.352023045netviosportal-page-sql-injection(33072)Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earlier, allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors, as demonstrated by warftp_165.tar by Immunity. NOTE: this might be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171, but due to Immunity's lack of details, this cannot be certain.22944ADV-2007-093324494Stack-based buffer overflow in DaanSystems NewsReactor 20070220.21 allows remote attackers to execute arbitrary code via a yEnc (yEncode) encoded article with a long filename.34623463ADV-2007-093424487Stack-based buffer overflow in NewsBin Pro 4.32 allows remote attackers to cause a denial of service or execute arbitrary code via a yEnc (yEncode) encoded article with a long filename, as demonstrated using a .nzb file. NOTE: some of these details are obtained from third party information.346422940ADV-2007-093524491** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-1438. Reason: This candidate is a duplicate of CVE-2007-1438. Notes: All CVE users should reference CVE-2007-1438 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.PHP remote file inclusion vulnerability in includes/base.php in Radical Designs Activist Mobilization Platform (AMP) 3.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter.3471ADV-2007-093920070314 [ECHO_ADV_71$2007] AMP v3.2 (base_path) Remote File Inclusion VulnerabilitySQL injection vulnerability in search.asp in JGBBS 3.0 Beta 1 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter, a different vector than CVE-2007-1440. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-0940SQL injection vulnerability in admincp/attachment.php in Jelsoft vBulletin 3.6.5 allows remote authenticated administrators to execute arbitrary SQL commands via the "Attached Before" field.2450320070313 vbulletin admincp sql injectionCARE2X 2.2, and possibly earlier, allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24481Multiple SQL injection vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) unspecified vectors to the (a) calendar and (2) search modules, and an (2) unspecified cookie when the user logs out.20070314 n.runs-SA-2007.003 - PHProjekt 5.2.0 - SQL Injection2295524509GLSA-200706-07257482466Multiple cross-site scripting (XSS) vulnerabilities in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Search (only Gecko engine driven Browsers), and (5) Notes modules; the (6) Mail summary page; and unspecified other files.20070314 n.runs-SA-2007.004 - PHProjekt 5.2.0 - Cross Site Scripting and Filter Evasion2295724509GLSA-200706-07257482459Directory traversal vulnerability in index.php in GeBlog 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[tplname] parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php.352223052geblog-index-file-include(33089) 33776Multiple integer signedness errors in the NTLM implementation in Atrium MERCUR IMAPD (mcrimap4.exe) 5.00.14, with SP4, allow remote attackers to execute arbitrary code via a long NTLMSSP argument that triggers a stack-based buffer overflow.20070320 Mercur SP4 IMAPD352723058101779824596mercur-imap-ntlm-bo(33120)33545ADV-2007-1053Stack-based buffer overflow in Atrium MERCUR IMAPD allows remote attackers to have an unknown impact via a certain SUBSCRIBE command.230503537ADV-2007-109224619 33546FTPDMIN 0.96 allows remote attackers to cause a denial of service (daemon crash) via a LIST command for a Windows drive letter, as demonstrated using "//A:". NOTE: this has been reported as a buffer overflow by some sources, but there is not a long argument.352323049ftpdmin-list-dos(33091)The resource system in PHP 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting the hash_update_file function via a userspace (1) error or (2) stream handler, which can then be used to destroy and modify internal resources.352923062 24542The resource system in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to execute arbitrary code by interrupting certain functions in the GD (ext/gd) extension and unspecified other extensions via a userspace error handler, which can be used to destroy and modify internal resources.35252304624542The mb_parse_str function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 sets the internal register_globals flag and does not disable it in certain cases when a script terminates, which allows remote attackers to invoke available PHP scripts with register_globals functionality that is not detectable by these scripts, as demonstrated by forcing a memory_limit violation.23016 RHSA-2007:0155 24924 20070418 rPSA-2007-0073-1 php php-mysql php-pgsql RHSA-2007:0153 RHSA-2007:0162 24965 24945 DSA-1283 USN-455-1 25062 25057 MDKSA-2007:088 MDKSA-2007:089 24909APPLE-SA-2007-07-31GLSA-200705-19MDKSA-2007:088MDKSA-2007:089MDKSA-2007:090SUSE-SA:2007:03225159ADV-2007-2732250562544526235Buffer underflow in the header function in PHP 5.2.0 allows context-dependent attackers to execute arbitrary code by passing an all-whitespace string to this function, which causes it to write '\0' characters in whitespace that precedes the string.3517The Linksys WAG200G with firmware 1.01.01, WRT54GC 2 with firmware 1.00.7, and WRT54GC 1 with firmware 1.03.0 and earlier allow remote attackers to obtain sensitive information (passwords and configuration data) via a packet to UDP port 916. NOTE: some of these details are obtained from third party information.20070320 Linksys WAG200G - Information disclosure2306320070325 Re: Linksys WAG200G - Information disclosure24658ZynOS 3.40 allows remote attackers to cause a denial of service (link restart) by sending a request for the name \M via the SMB Mail Slot Protocol.20070319 ZynOS v3.40 One packet killer230611017795templates/config/mail.tpl in Tim Soderstrom StatsDawg 0.92 allows remote attackers to execute arbitrary programs by specifying the program name in the qshapeLocation parameter.server.cpp in MyServer 0.8.5 calls Process::setuid before calling Process::setgid and thus does not properly drop privileges, which might allow remote attackers to execute CGI programs with unintended privileges.[myserver-commit] 20070210 SF.net SVN: myserver: [2183] trunk/myserver/source/server.cppTrueCrypt before 4.3, when set-euid mode is used on Linux, allows local users to cause a denial of service (filesystem unavailability) by dismounting a volume mounted by a different user. 23128 ADV-2007-1103 24627The Grandstream BudgeTone 200 IP phone, with program 1.1.1.14 and bootloader 1.1.1.5, allows remote attackers to cause a denial of service (device crash) via SIP (1) INVITE, (2) CANCEL, or unspecified other messages with a WWW-Authenticate header containing a crafted Digest domain.20070321 Grandstream Budge Tone-200 denial of service vulnerabilityADV-2007-105424538230751017804grandstream-wwwauthenticate-dos(33108)VsapiNT.sys in the Scan Engine 8.0 for Trend Micro AntiVirus 14.10.1041, and other products, allows remote attackers to cause a denial of service (kernel fault and system crash) via a crafted UPX file with a certain field that triggers a divide-by-zero error.20070314 Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability 20070316 RE: [VulnWatch] iDefense Security Advisory 03.14.07: Trend Micro Antivirus UPX Parsing Kernel Divide by Zero Vulnerability ADV-2007-0959 1017768net/ipv6/tcp_ipv6.c in Linux kernel 2.6.x up to 2.6.21-rc3 inadvertently copies the ipv6_fl_socklist from a listening TCP socket to child sockets, which allows local users to cause a denial of service (OOPS) or double free by opening a listening IPv6 socket, attaching a flow label, and connecting to that socket.The vendor has addressed this vulnerability by releasing a patch for the Linux Kernel 2.6.21-rc3: http://www.kernel.org/pub/linux/kernel/v2.6/testing/patch-2.6.21-rc6.bz2 [linux-netdev] 20070316 [PATCH 2.6.21-rc3] IPV6: ipv6_fl_socklist is inadvertently shared.23104ADV-2007-108424618MDKSA-2007:07824777DSA-1286SUSE-SA:2007:0292507825099SUSE-SA:2007:030RHSA-2007:034725288DSA-1304MDKSA-2007:078RHSA-2007:0436RHSA-2007:0673RHSA-2007:0672SUSE-SA:2007:035SUSE-SA:2007:043USN-464-12539225630256832571425961263792522627528kernel-tcpv6synrecvsoc-dos(33176)DSA-150329058The administrative service in Symantec Veritas Volume Replicator (VVR) for Windows 3.1 through 4.3, and VVR for Unix 3.5 through 5.0, in Symantec Storage Foundation products allows remote attackers to cause a denial of service (memory consumption and service crash) via a crafted packet to the service port (8199/tcp) that triggers a request for more memory than available, which causes the service to write to an invalid pointer.20070601 Symantec VERITAS Storage Foundation Administration Service DoS Vulnerability24160ADV-2007-2036101818425516symantec-vvr-dos(34676)The handle_response function in chan_sip.c in Asterisk before 1.2.17 and 1.4.x before 1.4.2 allows remote attackers to cause a denial of service (crash) via a SIP Response code 0 in a SIP packet.20070321 Two new DoS Vulnerabilities in Asterisk Fixed[VOIPSEC] 20070319 Asterisk SDP DOS vulnerability2309324579ADV-2007-10771017809GLSA-200704-0124719SUSE-SA:2007:03425582The Asterisk Extension Language (AEL) in pbx/pbx_ael.c in Asterisk does not properly generate extensions, which allows remote attackers to execute arbitrary extensions and have an unknown impact by specifying an invalid extension in a certain form. 24694SUSE-SA:2007:03423155ADV-2007-112325582Multiple PHP remote file inclusion vulnerabilities in the NFN Address Book (com_nfn_addressbook) 0.4 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) components/com_nfn_addressbook/nfnaddressbook.php or (2) administrator/components/com_nfn_addressbook/nfnaddressbook.php.353923092 ADV-2007-1073 nfnaddressbook-nfnaddressbook-file-include(33133)Unclassified NewsBoard 1.6.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain (1) the board log via a direct request for logs/board-YYYY-MM-DD.log, (2) the mail and private message (PM) log via a direct request for logs/email-YY-MM-DD-HH-MM-SS.log, (3) the SQL error message log via a direct request for logs/error-YY-MM.log, and (4) the IP log via a direct request for logs/ip.log.20070319 Unclassified NewsBoard 1.6.3 multiples logs disclosure unb-log-information-disclosure(33150)Stack-based buffer overflow in InterVations FileCOPA FTP Server 1.01 allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by filecopa.tar by Immunity. NOTE: some of these details are obtained from third party information. NOTE: As of 20070322, this disclosure has no actionable information. However, since it is from a reliable researcher, it is being assigned a CVE identifier for tracking purposes.23056wp-login.php in WordPress allows remote attackers to redirect authenticated users to other websites and potentially obtain sensitive information via the redirect_to parameter.20070320 Advisory - Redirection Vulnerability in wp-login.php.DSA-160130960PHP remote file inclusion vulnerability in module.php in Digital Eye Gallery 1.1 Beta (aka 0.1.1b) allows remote attackers to execute arbitrary PHP code via a URL in the menu parameter.353323083 ADV-2007-1070 digital-eye-module-file-include(33115)** DISPUTED ** Directory traversal vulnerability in check_vote.php in Weekly Drawing Contest 0.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the order parameter. NOTE: another researcher disputes this vulnerability, noting that the order variable is not used in any context that allows opening files.20070313 Re: Weekly Drawing Contest <= (check_vote.php) Remote File Disclosure Vuln20070313 Weekly Drawing Contest <= (check_vote.php) Remote File Disclosure Vuln2453SQL injection vulnerability in check_vote.php in Weekly Drawing Contest 0.0.1 allows remote attackers to execute arbitrary SQL commands via the order parameter.20070313 Re: Weekly Drawing Contest <= (check_vote.php) Remote File Disclosure Vuln2453admin/contest.php in Weekly Drawing Contest 0.0.1 allows remote attackers to bypass authentication, and insert new contest information into a database, via a direct POST request.20070313 Re: Weekly Drawing Contest <= (check_vote.php) Remote File Disclosure Vuln2453Multiple unrestricted file upload vulnerabilities in w-Agora (Web-Agora) allow remote attackers to upload and execute arbitrary PHP code (1) via a forum message with an attached file, which is stored under forums/hello/hello/notes/ or (2) by using browse_avatar.php to upload a file with a double extension, as demonstrated by .php.jpg.20070320 w-agora [multiples file upload,xss,full path disclosure,error sql]2305524605 wagora-browseavatar-file-upload(33173)2462w-Agora (Web-Agora) allows remote attackers to obtain sensitive information via a request to rss.php with an invalid (1) site or (2) bn parameter, (3) a certain value of the site[] parameter, or (4) an empty value of the bn[] parameter; a request to index.php with a certain value of the (5) site[] or (6) sort[] parameter; (7) a request to profile.php with an empty value of the site[] parameter; or a request to search.php with (8) an empty value of the bn[] parameter or a certain value of the (9) pattern[] or (10) search_date[] parameter, which reveal the path in various error messages, probably related to variable type inconsistencies. NOTE: the bn[] parameter to index.php is already covered by CVE-2007-0606.1.20070320 w-agora [multiples file upload,xss,full path disclosure,error sql]2305724605 wagora-multiple-path-disclosure(33174)2462Multiple cross-site scripting (XSS) vulnerabilities in w-Agora (Web-Agora) allow remote attackers to inject arbitrary web script or HTML via (1) the showuser parameter to profile.php, the (2) search_forum or (3) search_user parameter to search.php, or (4) the userid parameter to change_password.php.20070320 w-agora [multiples file upload,xss,full path disclosure,error sql]2305724605 wagora-multiple-xss(33175)2462search.php in w-Agora (Web-Agora) allows remote attackers to obtain potentially sensitive information via a ' (quote) value followed by certain SQL sequences in the (1) search_forum or (2) search_user parameter, which force a SQL error.20070320 w-agora [multiples file upload,xss,full path disclosure,error sql]2305724605 wagora-search-sql-injection(33177)2462CRLF injection vulnerability in IBM WebSphere Application Server (WAS) before 6.0.2.19 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a single CRLF sequence in a context that is not a valid multi-line header.397322308624552 ADV-2007-1062 1017806 websphere-unspecified-response-splitting(33123)Cross-site scripting (XSS) vulnerability in servlet/Spy in Dynamic Monitoring Services (DMS) in Oracle Application Server (OAS) 10g 10.1.2.0.0 allows remote attackers to inject arbitrary web script or HTML via the table parameter. NOTE: This may be related to CVE-2002-0563.20070320 Oracle 10g Dynamic Monitoring Services XSS /servlet/Spy 23102 ADV-2007-1078 24554 oracle-dynamicmonitoring-xss(33146) 335212474Cross-site scripting (XSS) vulnerability in the RSS reader in Glue Software NewsGlue before 1.3.4 allows remote attackers to inject arbitrary web script or HTML via a feed. 23094 ADV-2007-1074 24603 newsglue-rss-feed-xss(33166)Cross-site scripting (XSS) vulnerability in the RSS reader in a certain SOURCENEXT product, probably IKANARI JIJYOU 1.0.0 and 1.0.1, allows remote attackers to inject arbitrary web script or HTML via the title of an article in a feed.SQL injection vulnerability in index.php in Katalog Plyt Audio 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the kolumna parameter.351324539 23024 ADV-2007-1015 katalog-index-sql-injection(33048)Directory traversal vulnerability in view.php in MPM Chat 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the logi parameter.230093503ADV-2007-100824576Stack-based buffer overflow in the zzip_open_shared_io function in zzip/file.c in ZZIPlib Library before 0.13.49 allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long filename.ADV-2007-099824586 GLSA-200704-05 24708 23013 MDKSA-2007:093MDKSA-2007:093SQL injection vulnerability in index.php in ScriptMagix Jokes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.350924595 23015 ADV-2007-1012 scriptmagixjokes-index-sql-injection(33063)SQL injection vulnerability in index.php in ScriptMagix Lyrics 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the recid parameter.351524563 23019 ADV-2007-1016 scriptmagixlyrics-index-sql-injection(33056)SQL injection vulnerability in index.php in ScriptMagix Recipes 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.3510ADV-2007-101324594SQL injection vulnerability in index.php in ScriptMagix FAQ Builder 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter.3507ADV-2007-1011 24704SQL injection vulnerability in viewcomments.php in ScriptMagix Photo Rating 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the phid parameter.3511ADV-2007-1014 23018 24698 scriptmagixphoto-viewcomments-sql-injection(33061)Multiple PHP remote file inclusion vulnerabilities in PHP DB Designer 1.02 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) _SESSION[SITE_PATH] parameter to (a) wind/help.php or (b) wind/about.php, or the (2) _SESSION[DRIVER] parameter to (c) db/session.php.3501ADV-2007-1007phpdbdesigner-multiple-script-file-include(33033)PHP remote file inclusion vulnerability in templates/head.php in Active PHP Bookmark Notes (APB) 0.2.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the APB_SETTINGS[template_path] parameter. NOTE: this issue might be related to CVE-2003-1254.350423010ADV-2007-1009Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATH_INFO in the administration interface, related to loose regular expression processing of PHP_SELF.ADV-2007-100524567 DSA-1285 25108 23027Multiple cross-site scripting (XSS) vulnerabilities in realGuestbook 5.01, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) bg_color_1, (2) fs_menu, (3) fc_menu, (4) ff_menu, (5) bg_color_2, (6) fs_normal, (7) fc_normal, and (8) ff_normal parameters to welcome_admin.php; and possibly unspecified other parameters and files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24602 34341Multiple SQL injection vulnerabilities in realGuestbook 5.01 allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) email, (3) homepage, and (4) text parameters to save_entry.php, as reachable through add_entry.php; and possibly other unspecified parameters and files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2307224602 ADV-2007-1060 34342Cross-site scripting (XSS) vulnerability in save_entry.php in realGuestbook 5.01 allows remote attackers to inject arbitrary web script or HTML via the homepage parameter, as reachable through add_entry.php. NOTE: the original report stated that the vulnerability was in add_entry.php, which does not receive the input data.2307224602 ADV-2007-1060 34343PHP remote file inclusion vulnerability in iframe.php in the iFrame Module for PHP-NUKE allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.351223038iframe-iframe-file-include(33060)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-4606. Reason: This candidate is a duplicate of CVE-2006-4606. Notes: All CVE users should reference CVE-2006-4606 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Multiple PHP remote file inclusion vulnerabilities in Study planner (Studiewijzer) 0.15 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the SPL_CFG[dirroot] parameter to (1) service.alert.inc.php or (2) settings.ses.php in inc/; (3) db/mysql/db.inc.php; (4) integration/shortstat/configuration.php; (5) ali.class.php or (6) cat.class.php in methodology/traditional/class/; (7) cat_browse.inc.php, (8) chr_browse.inc.php, (9) chr_display.inc.php, or (10) dash_browse.inc.php in methodology/traditional/ui/inc/; (11) spl.webservice.php or (12) konfabulator/gateway_admin.php in ws/; or other unspecified files.35322307620070322 [ECHO_ADV_77$2007] Study planner (Studiewijzer) <= 0.15 Remote File Inclusion VulnerabilityADV-2007-1069studyplanner-multiple-scripts-file-include(33128)SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Photo Gallery allows remote attackers to execute arbitrary SQL commands via the catid parameter.353623077 ADV-2007-1072 24568 active-default-sql-injection(33129)SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Link Engine allows remote attackers to execute arbitrary SQL commands via the catid parameter.353423080 ADV-2007-1071 24574 active-link-default-sql-injection(33111)34364** DISPUTED ** PHP remote file inclusion vulnerability in signup.php in CLBOX 1.01 allows remote attackers to execute arbitrary PHP code via a URL in the header parameter. NOTE: this issue has been disputed by a reliable third party, stating that header is defined through an include file before use.20070317 CLBOX <= (signup.php header) Remote File Include Vulnerability20070319 Bogus - [CLBOX <= (signup.php header) Remote File Include Vulnerability] 335032469Unspecified vulnerability in TYPOlight webCMS before 2.2 Build 5 has unknown impact and attack vectors related to a "major security hole."24546ADV-2007-102633303Directory traversal vulnerability in bbcode_ref.php in the Giorgio Ciranni Splatt Forum 4.0 RC1 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by bbcode_ref.php.351823035ADV-2007-1027Variable extraction vulnerability in grab_globals.php in Net Portal Dynamic System (NPDS) 5.10 and earlier allows remote attackers to conduct SQL injection attacks via the _FILES[DB][tmp_name] parameter to print.php, which overwrites the $DB variable with dynamic variable evaluation.20070318 Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day20070323 Root cause of NPDS SQL injection is variable extraction/evaluation245712473Static code injection vulnerability in admin/settings.php in Net Portal Dynamic System (NPDS) 5.10 and earlier allows remote authenticated users to inject arbitrary PHP code via the xtop parameter in a "ConfigSave" op to admin.php, which can later be accessed via a "Configure" op to admin.php.20070318 Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day245712473Directory traversal vulnerability in index.php in RoseOnlineCMS 3 B1 allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the op parameter, as demonstrated by injecting PHP code into Apache log files via the URL and User-Agent HTTP header.354823108ADV-2007-1094roseonlinecms-index-file-include(33185)Multiple buffer overflows in the IMAILAPILib ActiveX control (IMailAPI.dll) in Ipswitch IMail Server before 2006.2 allow remote attackers to execute arbitrary code via the (1) WebConnect and (2) Connect members in the (a) IMailServer control; (3) Sync3 and (4) Init3 members in the (b) IMailLDAPService control; and the (5) SetReplyTo member in the (c) IMailUserCollection control.Upgrade to version 2006.2.20070307 Ipswitch IMail Server 2006 Multiple ActiveX Control Buffer Overflow VulnerabilitieADV-2007-0853101773724422Multiple cross-site request forgery (CSRF) vulnerabilities in the check_csrftoken function in lib/lib.inc.php in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allow remote attackers to perform unauthorized actions as an arbitrary user via the (1) Projects, (2) Contacts, (3) Helpdesk, (4) Notes, (5) Search, (6) Mail, or (7) Filemanager module; the (9) summary page; or unspecified other files.Successful exploitation requires that variable "magic_quotes_gpc" is disabled.Upgrade to version 5.2.1,20070314 n.runs-SA-2007.005 - PHProjekt 5.2.0 - Cross Site Request Forgery24509phprojekt-multiple-modules-csrf(32989)GLSA-200706-07257482477Unrestricted file upload vulnerability in PHProjekt 5.2.0, when magic_quotes_gpc is disabled, allows remote authenticated users to upload and execute arbitrary PHP code via a file with an executable extension, which is then accessed by the (1) calendar or (2) file management module, or possibly unspecified other files.Successful exploitation requires that variable "magic_quotes_gpc" is disabled.Upgrade to version 5.2.1.20070314 n.runs-SA-2007.006 - PHProjekt 5.2.0 - Privilege escalation2295624509phprojekt-calendarfile-file-upload(32995)GLSA-200706-07257482476Multiple PHP remote file inclusion vulnerabilities in ClassWeb 2.03 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the BASE parameter to (1) language.php and (2) phpadmin/survey.php.354223095 ADV-2007-1085 classweb-languagesurvey-file-include(33162)SQL injection vulnerability in index.php in PortailPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the idnews parameter.354323096 24620 portailphp-idnews-sql-injection(33145)Unspecified vulnerability in ManageEngine Firewall Analyzer allows remote authenticated users to "access any common file" via a direct URL request.20070322 ManageEngine Firewall Analyzer arbitrary file disclosure to authorized user2309720070329 Re: ManageEngine Firewall Analyzer arbitrary file disclosure to authorized user20070330 Re: ManageEngine Firewall Analyzer arbitrary file disclosure to authorized user24707 manageengine-unspecified-info-disclosure(33319)2479Multiple PHP remote file inclusion vulnerabilities in LAN Management System (LMS) 1.8.9 Vala and earlier allow remote attackers to execute arbitrary PHP code via a URL in (1) the CONFIG[directories][userpanel_dir] parameter to userpanel.php or the (2) _LIB_DIR parameter to welcome.php.35452309923100ADV-2007-108624621lms-userpanelwelcome-file-include(33158) 20070426 true: 2 distinct LMS RFI, one old, one new; and vague ACKThe dynamic DNS update mechanism in the DNS Server service on Microsoft Windows does not properly authenticate clients in certain deployments or configurations, which allows remote attackers to change DNS records for a web proxy server and conduct man-in-the-middle (MITM) attacks on web traffic, conduct pharming attacks by poisoning DNS records, and cause a denial of service (erroneous name resolution).3544Buffer overflow in FutureSoft TFTP Server 2000 on Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via a long request on UDP port 69. NOTE: this issue might overlap CVE-2006-4781 or CVE-2005-1812.3541 futuresoft-seh-bo(33188)Multiple cross-site scripting (XSS) vulnerabilities in SubHub 2.3.0 allow remote attackers to inject arbitrary web script or HTML via (1) the searchtext parameter to (a) /search, or the (2) message parameter to (b) /calendar or (c) /subscribe.20070321 **SubHub v2.3.0** subhub-search-xss(33161)2475Moodle 1.5.2 and earlier stores sensitive information under the web root with insufficient access control, and provides directory listings, which allows remote attackers to obtain user names, password hashes, and other sensitive information via a direct request for session (sess_*) files in moodledata/sessions/.3508moodle-sessions-information-disclosure(33147)0irc 1345 build 20060823 allows remote attackers to cause a denial of service (application crash) by operating an IRC server that sends a long string to a client, which triggers a NULL pointer dereference.354723101 oircclient-null-pointer-dos(33224)PHP 5.2.1 allows context-dependent attackers to read portions of heap memory by executing certain scripts with a serialized data input string beginning with S:, which does not properly track the number of input bytes being processed. 23105 24630 php-unserialize-information-disclosure(33170)MDVSA-2008:126pcapsipdump.cpp in pcapsipdump before 0.1.3 allows remote attackers to cause a denial of service (application crash) via a malformed SIP packet, which results in a NULL pointer dereference.Update to version 0.1.3.Cross-site request forgery (CSRF) vulnerability in OpenID allows remote attackers to restore the login session of a user on an OpenID enabled site via unspecified vectors related to an arbitrary remote web site and cached tokens, after the user has signed into an OpenID server, logged into the OpenID enabled site, and then logged out of the OpenID enabled site.[security] 20070321 MyOpenID[security] 20070321 MyOpenID[security] 20070321 MyOpenID[security] 20070321 MyOpenID[security] 20070322 MyOpenIDOpenID allows remote attackers to forcibly log a user into an OpenID enabled site, divulge the user's personal information to this site, and add it site to the trusted sites list via a crafted web page, related to cached tokens.[security] 20070321 MyOpenID[security] 20070321 MyOpenID[security] 20070321 MyOpenID[security] 20070321 MyOpenID[security] 20070322 MyOpenIDGlowWorm FW before 1.5.3b4 allows remote attackers to cause a denial of service (kernel panic) via certain DNS responses that trigger infinite recursion in TrueDNS packet parsing, as originally observed with certain login.yahoo.com responses.Buffer overflow in the Ne7sshSftp::addOpenHandle function in ne7ssh_sftp.cpp in NetSieben SSH Library (ne7ssh) before 1.2.1 allows user-assisted remote SFTP servers to cause a denial of service (crash) or possibly execute arbitrary code via multiple file transfers, related to multiple open file handles in SFTP (1) put and (2) get operations.Buffer overflow in the fun_ladd function in funmath.cpp in TinyMUX before 20070126 might allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors related to lists of numbers. ADV-2007-1213 24733 23292DSA-131725784Multiple SQL injection vulnerabilities in index.php in Katalog Plyt Audio 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fraza and (2) litera parameters, different vectors than CVE-2007-1612. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-1015Stack-based buffer overflow in the file_compress function in minigzip (Modules/zlib) in Python 2.5 allows context-dependent attackers to execute arbitrary code via a long file argument.20070314 Fwd: Python 2.5 (Modules/zlib) minigzip local buffer overflow vulnerability20070314 [TRUE] Python 2.5 (Modules/zlib) minigzip local buffer overflow vulnerability22964Windows Mail in Microsoft Windows Vista might allow user-assisted remote attackers to execute certain programs via a link to a (1) local file or (2) UNC share pathname in which there is a directory with the same base name as an executable program at the same level, as demonstrated using C:/windows/system32/winrm (winrm.cmd) and migwiz (migwiz.exe).20070323 Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability20070323 Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability20070323 Re: Microsoft Windows Vista - Windows Mail Client Side Code Execution Vulnerability23103windows-mail-code-execution(33167)HPSBST02231MS07-034TA07-163AADV-2007-2154oval:org.mitre.oval:def:1861101781625639Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes.DSA-1399ADV-2007-372520071106 rPSA-2007-0231-1 pcre20071112 FLEA-2007-0064-1 pcre[gtk-devel-list] 20071107 GLib 2.14.3GLSA-200711-30MDKSA-2007:211MDKSA-2007:212RHSA-2007:0967RHSA-2007:1068SUSE-SA:2007:062SUSE-SR:2007:025USN-547-126346ADV-2007-379010188952759827538275432754727554277412777327697pcre-regex-code-execution(38272)APPLE-SA-2007-12-17TA07-352AADV-2007-4238280412796528136GLSA-200801-022840628414GLSA-200801-18GLSA-200801-19MDVSA-2008:030SUSE-SA:2008:004286582871428720FEDORA-2008-184229267APPLE-SA-2008-03-18ADV-2008-092429420GLSA-200805-113015530219Perl-Compatible Regular Expression (PCRE) library before 7.0 does not properly calculate sizes for unspecified "multiple forms of character class", which triggers a buffer overflow that allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code.DSA-1399ADV-2007-372520071106 rPSA-2007-0231-1 pcre20071112 FLEA-2007-0064-1 pcre[gtk-devel-list] 20071107 GLib 2.14.3GLSA-200711-30MDKSA-2007:211MDKSA-2007:212MDKSA-2007:213RHSA-2007:0967RHSA-2007:0968RHSA-2007:1063RHSA-2007:1065SUSE-SA:2007:062SUSE-SR:2007:025USN-547-126346ADV-2007-3790101889527598275382754327547275542774127773276972786227776pcre-character-class-dos(38273)APPLE-SA-2007-12-17TA07-352AADV-2007-42382796528136GLSA-200801-022840628414GLSA-200801-18GLSA-200801-19SUSE-SA:2008:004286582871428720APPLE-SA-2008-03-18ADV-2008-092429420[Security-announce] 20080415 VMSA-2008-0007 Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasusADV-2008-123429785GLSA-200805-113015530219RHSA-2008:054631124Perl-Compatible Regular Expression (PCRE) library before 7.3 backtracks too far when matching certain input bytes against some regex patterns in non-UTF-8 mode, which allows context-dependent attackers to obtain sensitive information or cause a denial of service (crash), as demonstrated by the "\X?\d" and "\P{L}?\d" patterns.DSA-1399ADV-2007-372520071106 rPSA-2007-0231-1 pcre20071112 FLEA-2007-0064-1 pcre[gtk-devel-list] 20071107 GLib 2.14.3GLSA-200711-30MDKSA-2007:211SUSE-SA:2007:062USN-547-126346ADV-2007-3790275382754327554277412777327697pcre-nonutf8-dos(38274)APPLE-SA-2007-12-17TA07-352AADV-2007-423828136GLSA-200801-022840628414GLSA-200801-18GLSA-200801-192871428720FEDORA-2008-184229267APPLE-SA-2008-03-18ADV-2008-092429420GLSA-200805-113015530219Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the end of the string when searching for unmatched brackets and parentheses, which allows context-dependent attackers to cause a denial of service (crash), possibly involving forward references.DSA-1399ADV-2007-372520071106 rPSA-2007-0231-1 pcre20071112 FLEA-2007-0064-1 pcre[gtk-devel-list] 20071107 GLib 2.14.3GLSA-200711-30MDKSA-2007:211USN-547-126346ADV-2007-37902753827543275542774127697pcre-unmatched-dos(38275)APPLE-SA-2007-12-17TA07-352AADV-2007-423828136GLSA-200801-022840628414GLSA-200801-18GLSA-200801-192871428720FEDORA-2008-184229267APPLE-SA-2008-03-18ADV-2008-092429420GLSA-200805-113015530219Memory leak in the image message functionality in ekg before 1:1.7~rc2-1etch1 on Debian GNU/Linux Etch allows remote attackers to cause a denial of service.DSA-131824600ekg-image-message-dos(35134)ekg before 1:1.7~rc2-1etch1 on Debian GNU/Linux Etch allows remote attackers to cause a denial of service (NULL pointer dereference) via a vector related to the token OCR functionality.DSA-131824600ekg-token-ocr-dos(35135)Memory leak in the token OCR functionality in ekg before 1:1.7~rc2-1etch1 on Debian GNU/Linux Etch allows remote attackers to cause a denial of service.DSA-131824600ekg-ocr-function-dos(35136)The processor_request function in the debugger server for DataRescue IDA Pro 5.0 and 5.1 does not verify that authentication has taken place before invoking the perform_request function, which allows remote attackers to perform unauthorized actions.This vulnerability has been addressed in the following product updates. DataRescue IDA Pro 5.0 DataRescue ida_remdeb_fix_22032007.zip http://www.datarescue.com/freefiles/ida_remdeb_fix_22032007.zip DataRescue IDA Pro 5.1 DataRescue ida_remdeb_fix_22032007.zip http://www.datarescue.com/freefiles/ida_remdeb_fix_22032007.zip 20070323 DataRescue IDA Pro Remote Debugger Server Authentication Bypass Vulnerability23114ADV-2007-108933523101781524635idapro-processorrequest-code-execution(33190)Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.20070404 rPSA-2007-0065-1 freetype xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs20070405 FLEA-2007-0009-1: xorg-x11 freetype[xorg-announce] 20070403 various integer overflow vulnerabilites in xserver, libX11 and libXfontMDKSA-2007:079RHSA-2007:0126RHSA-2007:0125ADV-2007-121724741247562474524758247652477124791101786424739RHSA-2007:0157102888SUSE-SA:2007:027USN-453-1ADV-2007-1531249532500424975[3.9] 021: SECURITY FIX: April 4, 2007[4.0] 011: SECURITY FIX: April 4, 2007SUSE-SR:2007:00823300GLSA-200705-06251122507225131DSA-1294MDKSA-2007:079MDKSA-2007:147USN-453-2USN-481-1oval:org.mitre.oval:def:1693253052599226177GLSA-200805-0730161zoo decoder 2.10 (zoo-2.10), as used in multiple products including (1) Barracuda Spam Firewall 3.4 and later with virusdef before 2.0.6399, (2) Spam Firewall before 3.4 20070319 with virusdef before 2.0.6399o, and (3) AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.20070504 Multiple vendors ZOO file decompression infinite loop DoS23823multiple-vendor-zoo-dos(34080)ADV-2007-16992512220070724 zoo - amavis - barracuda cross-ref problems35795253152680Panda Software Antivirus before 20070402 allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.20070504 Multiple vendors ZOO file decompression infinite loop DoS23823multiple-vendor-zoo-dos(34080)ADV-2007-170025152avpack32.dll before 7.3.0.6 in Avira AntiVir allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.20070504 Multiple vendors ZOO file decompression infinite loop DoS23823multiple-vendor-zoo-dos(34080)ADV-2007-1702251402680avast! antivirus before 4.7.981 allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.20070504 Multiple vendors ZOO file decompression infinite loop DoS23823multiple-vendor-zoo-dos(34080)ADV-2007-1701251372680unzoo.c, as used in multiple products including AMaViS 2.4.1 and earlier, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.20070504 Multiple vendors ZOO file decompression infinite loop DoS23823multiple-vendor-zoo-dos(34080)253152680Stack-based buffer overflow in the Alert Service (aolnsrvr.exe) in LANDesk Management Suite 8.7 allows remote attackers to execute arbitrary code via a crafted packet to port 65535/UDP.20070413 TSRT-07-04: LANDesk Management Suite Alert Service Stack Overflow Vulnerability23483ADV-2007-1391101791224892 landesk-aolnsrvr-bo(33657)Buffer overflow in the CRAM-MD5 authentication mechanism in the IMAP server (nimap.exe) in IBM Lotus Domino before 6.5.6 and 7.x before 7.0.2 FP1 allows remote attackers to cause a denial of service via a long username.23173ADV-2007-113324633231721017823domino-imap-dos(33276)Multiple buffer overflows in the ISO network protocol support in the NetBSD kernel 2.0 through 4.0_BETA2, and NetBSD-current before 20070329, allow local users to execute arbitrary code via long parameters to certain functions, as demonstrated by a long sockaddr structure argument to the clnp_route function.2007-00423193 ADV-2007-1159 1017832Cross-site scripting (XSS) vulnerability in the Fizzle 0.5 extension for Firefox allows remote attackers to inject arbitrary web script or HTML via RSS feeds, which are executed by the chrome: URI handler.20070324 Fizzle : Firefox Extension Vulnerability24654 23144 ADV-2007-1112 33522 fizzle-rssfeed-xss(33227)2480** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware Webmail 1.0 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in (1) imp/search.php and (2) ingo/rule.php. NOTE: this issue has been disputed by the vendor, noting that the search.php issue was resolved in CVE-2006-4255, and attackers can only use rule.php to inject XSS into their own pages.20070325 Horde Webmail Multiple HTML Injection vulnerability2313620070326 Re: Horde Webmail Multiple HTML Injection vulnerabilityhorde-search-rule-xss(33228)2487Stack-based buffer overflow in the createAndJoinConference function in the AudioConf ActiveX control (yacscom.dll) in Yahoo! Messenger before 20070313 allows remote attackers to execute arbitrary code via long (1) socksHostname and (2) hostname properties.20070403 ZDI-07-012: Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow23291ADV-2007-121924742 VU#388377 1017867 yahoo-yahooaudioconf-activex-bo(33408)2523Format string vulnerability in libwebconsole_services.so in Sun Java Web Console 2.2.2 through 2.2.5 allows remote attackers to cause a denial of service (application crash), obtain sensitive information, and possibly execute arbitrary code via unspecified vectors during a failed login attempt, related to syslog.Root level code execution is only possible if the web console is running as root, which it does not by default.The vendor has addressed this issue through multiple product updates: Sun Java Web Console 2.2.2 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console x86 2.2.2 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console x86 2.2.3 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console 2.2.3 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console x86 2.2.4 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console 2.2.4 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console x86 2.2.5 http://www.sun.com/download/products.xml?id=461d58be Sun Java Web Console 2.2.5 http://www.sun.com/download/products.xml?id=461d58be 20070417 n.runs-SA-2007.007 - Sun Solaris 10 - Format string vulnerability10285423539ADV-2007-1443 1017930 24927 javawebconsole-libcsyslog-format-string(33731)oval:org.mitre.oval:def:1252Multiple stack-based buffer overflows in the FileManager ActiveX control in SAFmgPws.dll in SoftArtisans XFile before 2.4.0 allow remote attackers to execute arbitrary code via unspecified calls to the (1) BuildPath, (2) GetDriveName, (3) DriveExists, or (4) DeleteFile method.VU#91478531615Stack-based buffer overflow in the DoWebMenuAction function in the IncrediMail IMMenuShellExt ActiveX control (ImShExt.dll) allows remote attackers to execute arbitrary code via unspecified vectors.VU#906777 23674 25051 incredimail-immenushellext-bo(33928) ADV-2007-1551The Run function in SolidWorks sldimdownload ActiveX control in sldimdownload.dll before 16.0.0.6 allows remote attackers to execute arbitrary commands via the (1) installerpath and (2) applicationarguments arguments.VU#55680123290ADV-2007-1216101785524762 solidworks-activex-command-execution(33428)Buffer overflow in k9filter.exe in BlueCoat K9 Web Protection 3.2.36, and probably other versions before 3.2.44, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request to port 2372.20070608 CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow20070608 CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow24373ADV-2007-2104101821025593bluecoat-management-interface-bo(34773)Multiple buffer overflows in the Internet Pictures Corporation iPIX Image Well ActiveX control (iPIX-ImageWell-ipix.dll) allow remote attackers to execute arbitrary code via unspecified vectors.VU#958609 23379 ADV-2007-1309 1017888 24816 ipix-imagewell-activex-unspecified-bo(33543)Buffer overflow in the PhPInfo ActiveX control in PhPCtrl.dll in Callisto PhotoParade Player allows remote attackers to execute arbitrary code via the FileVersionof property.VU#17144925654ADV-2007-313826789photoparade-phpinfo-bo(36588)Buffer overflow in the ISAlertDataCOM ActiveX control in ISLALERT.DLL for Norton Personal Firewall 2004 and Internet Security 2004 allows remote attackers to execute arbitrary code via long arguments to the (1) Get and (2) Set functions.20070516 Symantec Product Security: Norton Personal Firewall 2004 ActiveX Control vulnerabilityVU#98395323936ADV-2007-1843101807325290symantec-islalert-bo(34328)Multiple stack-based buffer overflows in Second Sight Software ActiveGS ActiveX control (ActiveGS.ocx) allow remote attackers to execute arbitrary code via unspecified vectors.VU#118737 23554 ADV-2007-1454 24960activegs-unspecified-bo(33759)Stack-based buffer overflow in Second Sight Software ActiveMod ActiveX control (ActiveMod.ocx) allows remote attackers to execute arbitrary code via unspecified vectors.VU#962305 activemod-unspecified-bo(33757) 23554 ADV-2007-1454 24928The default configuration of Microsoft Windows uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries, which might allow remote attackers to intercept web traffic by registering a proxy server using WINS or DNS, then responding to WPAD requests, as demonstrated using Internet Explorer. NOTE: it could be argued that if an attacker already has control over WINS/DNS, then web traffic could already be intercepted by modifying WINS or DNS records, so this would not cross privilege boundaries and would not be a vulnerability. It has also been reported that DHCP is an alternate attack vector.[ISN] 20070326 Windows weakness can lead to network traffic hijacks934864ADV-2007-1115windows-wpad-information-disclosure(33244)The SIP channel module in Yet Another Telephony Engine (Yate) before 1.2.0 sets the caller_info_uri parameter using a incorrect variable that can be NULL, which allows remote attackers to cause a denial of service (NULL dereference and application crash) via a Call-Info header without a purpose parameter.20070501 Radware Security Advisory - Yate 1.1.0 Denial of Service Vulnerability237462716** DISPUTED ** PHP remote file inclusion vulnerability in includes/usercp_register.php in phpBB 2.0.19 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: this issue has been disputed by third-party researchers, stating that the file checks for a global constant and cannot be accessed directly.20070324 BOGUS: Remote File Include In phpBB-2.0.1920070324 Remote File Include In phpBB-2.0.19SQL injection vulnerability in ViewNewspapers.asp in Active Newsletter 4.3 and earlier allows remote attackers to execute arbitrary SQL commands via the NewsPaperID parameter.355623115ADV-2007-10983449124640activenewsletter-newspaperid-sql-injection(33197)PHP remote file inclusion vulnerability in header.inc.php in Philex 0.2.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CssFile parameter.355223111 ADV-2007-1099 philex-header-file-include(33179)download.php in Philex 0.2.3 and earlier allows remote attackers to read arbitrary files and source code, and obtain sensitive information via the file parameter.355223111 ADV-2007-1099 philex-download-file-disclosure(33181)Multiple PHP remote file inclusion vulnerabilities in the SWmenu (com_swmenupro and com_swmenufree) 4.0 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to ImageManager/Classes/ImageManager.php under the (1) components/ or (2) administrator/components/ directory trees.355723116ADV-2007-1100swmenufree-imagemanager-file-include(33204)The session extension in PHP 4 before 4.4.5, and PHP 5 before 5.2.1, calculates the reference count for the session variables without considering the internal pointer from the session globals, which allows context-dependent attackers to execute arbitrary code via a crafted string in the session_register after unsetting HTTP_SESSION_VARS and _SESSION, which destroys the session data Hashtable.23119 DSA-1283 USN-455-1 25062 25057GLSA-200705-19HPSBMA02215HPSBTU02232SUSE-SA:2007:032ADV-2007-1991ADV-2007-237425056254452542325850PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by calling session_decode on a string beginning with "_SESSION|s:39:".Successful exploitation requires that variable "register_globals" is enabled.23120GLSA-200705-19HPSBMA02215HPSBTU02232ADV-2007-1991ADV-2007-2374254452542325850PHP remote file inclusion vulnerability in mod_flatmenu.php in the Flatmenu 1.07 and earlier Mambo module allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.356720070326 Confirm - Mambo 4.5.1 Modules Flatmenu <= 1.07 Remote File Include Exploit23125ADV-2007-1106flatmenu-modflatmenu-file-include(33200)SQL injection vulnerability in index.php in the RWCards (com_rwcards) 2.4.3 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter.356523126ADV-2007-1105rwcards-index-sql-injection(33194)SQL injection vulnerability in index.php in the Car Manager (com_resman) 1.1 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter.356423131ADV-2007-1104carmanager-index-sql-injection(33193)SQL injection vulnerability in default.asp in Active Trade 2 allows remote attackers to execute arbitrary SQL commands via the catid parameter.354924631ADV-2007-1095activetrade-default-sql-injection(33184)SQL injection vulnerability in eWebQuiz.asp in eWebQuiz 8 allows remote attackers to execute arbitrary SQL commands via the QuizID parameter.355824653ADV-2007-1101ewebquiz-ewebquiz-sql-injection(33195)PHP remote file inclusion vulnerability in index.php in Net Side Content Management System (Net-Side.net CMS) allows remote attackers to execute arbitrary PHP code via a URL in the cms parameter.3562 23130PHP remote file inclusion vulnerability in lib/db/ez_sql.php in ttCMS 4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the lib_path parameter.3563 23139 ADV-2007-1102 ttcms-ezsql-file-include(33202)Buffer overflow in the confirm_phpdoc_compiled function in the phpDOC extension (PECL phpDOC) in PHP 5.2.1 allows context-dependent attackers to execute arbitrary code via a long argument string.357620070325 PHP 5.2.1 with PECL phpDOC local buffer overflow23124phpdoc-confirmcompiled-bo(33236)2512The readfile function in PHP 4.4.4, 5.1.6, and 5.2.1 allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files by referring to local files with a certain URL syntax instead of a pathname syntax, as demonstrated by a filename preceded a "php://../../" sequence.3573HPSBMA02215HPSBTU02232ADV-2007-1991ADV-2007-23742542325850Double free vulnerability in the unserializer in PHP 4.4.5 and 4.4.6 allows context-dependent attackers to execute arbitrary code by overwriting variables pointing to (1) the GLOBALS array or (2) the session data in _SESSION. NOTE: this issue was introduced when attempting to patch CVE-2007-1701 (MOPB-31-2007).23121RHSA-2007:0154RHSA-2007:0155249102492420070418 rPSA-2007-0073-1 php php-mysql php-pgsqlRHSA-2007:01632494524941DSA-1282DSA-12832502525062MDKSA-2007:087MDKSA-2007:088APPLE-SA-2007-07-31GLSA-200705-19MDKSA-2007:087MDKSA-2007:08825159ADV-2007-27322544526235SQL injection vulnerability in default.asp in ActiveWebSoftwares Active Auction Pro 7.1 allows remote attackers to execute arbitrary SQL commands via the catid parameter.3551ADV-2007-109724626 activeauctionpro-default-sql-injection(33182)34420CRLF injection vulnerability in BSMTP.DLL in B21Soft BASP21 2003.0211, and BASP21 Pro 1.0.702.27 and earlier, allows remote attackers to inject arbitrary headers into e-mail messages via CRLF sequences in Subject lines.2465223134ADV-2007-1113basp21-bsmtp-mail-relay(33211)Cross-site scripting (XSS) vulnerability in index.php in CcCounter 2.0 allows remote attackers to inject arbitrary web script or HTML via dir parameter.20070324 CcCounter 2.0 cross-site scripting vulnerability23135 ADV-2007-1120 24655 cccounter-index-xss(33213)2481PHP remote file inclusion vulnerability in frontpage.php in Free Image Hosting 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the AD_BODY_TEMP parameter. NOTE: the forgot_pass.php vector is already covered by CVE-2006-5670, and the login.php vector overlaps CVE-2006-5763.3568freeimagehosting-adbodytemp-file-include(33196)pam_console does not properly restore ownership for certain console devices when there are multiple users logged into the console and one user logs out, which might allow local users to gain privileges.20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerGLSA-200711-23RHSA-2007:0465RHSA-2007:0555RHSA-2007:073720070602-01-PADV-2007-3229256312589427590269092770628319The mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 truncates e-mail messages at the first ASCIIZ ('\0') byte, which might allow context-dependent attackers to prevent intended information from being delivered in e-mail messages. NOTE: this issue might be security-relevant in cases when the trailing contents of e-mail messages are important, such as logging information or if the message is expected to be well-formed.23146APPLE-SA-2007-07-31GLSA-200705-19SUSE-SA:2007:03225159ADV-2007-2732250562544526235CRLF injection vulnerability in the mail function in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows remote attackers to inject arbitrary e-mail headers and possibly conduct spam attacks via a control character immediately following folding of the (1) Subject or (2) To parameter, as demonstrated by a parameter containing a "\r\n\t\n" sequence, related to an increment bug in the SKIP_LONG_HEADER_SEP macro.23145 RHSA-2007:0155 24924 RHSA-2007:0153 RHSA-2007:0162 1017946 24965 DSA-1282 DSA-1283 USN-455-1 25025 25062 25057 MDKSA-2007:087 MDKSA-2007:088 MDKSA-2007:089 24909GLSA-200705-19MDKSA-2007:087MDKSA-2007:088MDKSA-2007:089MDKSA-2007:090SUSE-SA:2007:0322505625445Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD, and possibly other versions, allows local users to execute arbitrary code via a long command line argument, possibly involving the device name.3578ADV-2007-112524641freebsd-eject-bo(33212)Directory traversal vulnerability in addressbook.php in the Addressbook 1.2 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module_name parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file.3582 addressbook-addressbook-file-include(33243) 23156 ADV-2007-1118 24697Multiple PHP remote file inclusion vulnerabilities in C-Arbre 0.6PR7 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) Richtxt_functions.inc.php, (2) adddocfile.php, (3) auth_check.php, (4) browse_current_category.inc.php, (5) docfile_details.php, (6) main.php, (7) mainarticle.php, (8) maindocfile.php, (9) modify.php, (10) new.php, (11) resource_details.php, or (12) smallsearch.php in lib/; or (13) mwiki/LocalSettings.php.3583 20070327 [ECHO_ADV_78$2007] C-Arbre <= 0.6PR7 (root_path) Remote File Inclusion Vulnerability 23154 ADV-2007-1119 carbre-rootpath-file-include(33238)2491Buffer overflow in the DownloadCertificateExt function in SignKorea SKCommAX ActiveX control module 7.2.0.2 and 3280 6.6.0.1 allows remote attackers to execute arbitrary code via a long pszUserID argument.20070327 SignKorea's ActiveX Buffer Overflow VulnerabilityADV-2007-111424587 23149 skcommax-downloadcertificate-bo(33245)Multiple cross-site scripting (XSS) vulnerabilities in the administration console in Secure Computing CipherTrust IronMail 6.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) network, (2) defRouterIp, (3) hostName, (4) domainName, (5) ipAddress, (6) defaultRouter, (7) dns1, or (8) dns2 parameter to (a) admin/system_IronMail.do; the (9) ipAddress parameter to (b) admin/systemOutOfBand.do; the (10) password or (11) confirmPassword parameter to (c) admin/systemBackup.do; the (12) Klicense parameter to (d) admin/systemLicenseManager.do; the (13) rows[1].attrValueStr or (14) rows[2].attrValueStr parameter to (e) admin/systemWebAdminConfig.do; the (15) rows[0].attrValueStr, rows[1].attrValueStr, (16) rows[2].attrValue, or (17) rows[2].attrValueStrClone parameter to (f) admin/ldap_ConfigureServiceProperties.do; the (18) input1 parameter to (g) admin/mailFirewall_MailRoutingInternal.do; or the (19) rows[2].attrValueStr, (20) rows[3].attrValueStr, (21) rows[5].attrValueStr, or (22) rows[6].attrValueStr parameter to (h) admin/mailIdsConfig.do.20070326 Multiple XSS in IronMail ADV-2007-1164 1017821 246572484Unspecified vulnerability in ReactOS 0.3.1 has unknown impact and attack vectors, related to a fix for "dozens of win32k bugs and failures," in which the fix itself introduces a vulnerability, possibly related to user-mode and kernel-mode copy failures.SQL injection vulnerability in index.php in IceBB 1.0-rc5 allows remote authenticated users to execute arbitrary SQL commands via the filename of an uploaded file to the avatar function, as demonstrated by setting admin privileges.Successful exploitation allows an attacker to gain administrator privileges, but requires that "magic_quotes_gpc" is disabled.35803581ADV-2007-111624644 23158 icebb-index-sql-injection(33240)Unrestricted file upload vulnerability in index.php in IceBB 1.0-rc5 allows remote authenticated users to upload arbitrary files via the avatar function, which can later be accessed in uploads/.3581ADV-2007-111624644 23151 icebb-index-file-upload(33242)Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, 7.50, and 7.51 allows remote authenticated users to access certain privileged "facilities" via unspecified vectors.HPSBMA02198ADV-2007-11211017817 23163 hp-openview-nnm-unspecified-security-bypass(33241) 24746The Remote Play feature in Sony Playstation 3 (PS3) 1.60 and Playstation Portable (PSP) 3.10 OE-A allows remote attackers to cause a denial of service via a flood of UDP packets.20070326 Playstation 3 ps3-psp-udp-dos(33503)2485SQL injection vulnerability in includes/start.php in Flexbb 1.0.0 10005 Beta Release 1 allows remote attackers to execute arbitrary SQL commands via the flexbb_lang_id COOKIE parameter to index.php.20070327 [KAPDA::#64] - Flexbb Sql Injection flexbb-index-sql-injection(33250) 23161 ADV-2007-11412486Integer signedness error in the DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later allows local users to read kernel memory or cause a denial of service (oops) via a negative optlen value.20070327 Linux Kernel DCCP Memory Disclosure Vulnerability 23162 1017820 20070329 Re: Re: [Full-disclosure] Linux Kernel DCCP Memory Disclosure Vulnerability [dccp] 20070328 [PATCH 1/1] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV ADV-2007-1143 kernel-dccp-information-disclosure(33274)USN-464-1253922482Multiple stack-based buffer overflows in High Performance Anonymous FTP Server (hpaftpd) 1.01 allow remote attackers to execute arbitrary code via long arguments to the (1) USER, (2) PASS, (3) CWD, (4) MKD, (5) RMD, (6) DELE, (7) RNFR, or (8) RNTO FTP command.23147 ADV-2007-1142 hpaftpd-multiple-commands-bo(33288)** DISPUTED ** Cross-site scripting (XSS) vulnerability in an mt import in wp-admin/admin.php in WordPress 2.1.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the demo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: another researcher disputes this issue, stating that this is legitimate functionality for administrators. However, it has been patched by at least one vendor.Successful exploitation requires that the target user is logged in as administrator.20070306 Re: Wordpress <= v2.1.0GLSA-200703-232443024566Buffer overflow in InterVations NaviCOPA HTTP Server 2.01 allows remote attackers to execute arbitrary code via a long (1) /cgi-bin/ or (2) /cgi/ pathname in an HTTP GET request, probably a different issue than CVE-2006-5112.20070327 Buffer Overflow in InterVetions' NaviCopa HTTP server 2.0123179ADV-2007-113724673 3589 navicopa-cgi-bo(33296)2483The DCCP support in the do_dccp_getsockopt function in net/dccp/proto.c in Linux kernel 2.6.20 and later does not verify the upper bounds of the optlen value, which allows local users running on certain architectures to read kernel memory or cause a denial of service (oops), a related issue to CVE-2007-1730.20070327 Re: [Full-disclosure] Linux Kernel DCCP Memory Disclosure Vulnerability1017820 kernel-dccp-information-disclosure(33274)2511linux-kernel-dccp-info-disclosure(43321)Stack-based buffer overflow in Corel WordPerfect Office X3 (13.0.0.565) allows user-assisted remote attackers to execute arbitrary code via a long printer selection (PRS) name in a Wordperfect document.20070328 Corel Wordperfect Office X3 Stack Overflow231773593ADV-2007-114524664wordperfect-printer-selection-bo(33286)2489Mozilla Firefox 2.0.0.3 does not check URLs embedded in (1) object or (2) iframe HTML tags against the phishing site blacklist, which allows remote attackers to bypass phishing protection.20070328 Bypass phishing protection in Firefox / Opera2488Opera 9.10 does not check URLs embedded in (1) object or (2) iframe HTML tags against the phishing site blacklist, which allows remote attackers to bypass phishing protection.20070328 Bypass phishing protection in Firefox / Opera2488TrueCrypt 4.3, when installed setuid root, allows local users to cause a denial of service (filesystem unavailability) or gain privileges by mounting a crafted TrueCrypt volume, as demonstrated using (1) /usr/bin or (2) another user's home directory, a different issue than CVE-2007-1589.231802464320070328 Denial of Service Vulnerabilities in TrueCrypt 4.3 Linux (re. bid 23180) 20070401 Re: Denial of Service Vulnerabilities in TrueCrypt 4.3 Linux (re. bid 23180) 20070404 Re: Denial of Service Vulnerabilities in TrueCrypt 4.3 Linux (re. bid 23180)2492Heap-based buffer overflow in the LDAP server in IBM Lotus Domino before 6.5.6 and 7.x before 7.0.2 FP1 allows remote attackers to cause a denial of service (crash) via a long, malformed DN request, which causes only the lower 16 bits of the string length to be used in memory allocation.20070328 IBM Lotus Domino Server LDAP Request Invalid DN Message Heap Overflow Vulnerability23173ADV-2007-113324633 VU#927988 23174 1017825 domino-ldap-bo(33278)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2006-4843. Reason: This candidate is a duplicate of CVE-2006-4843. Notes: All CVE users should reference CVE-2006-4843 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.This vulnerability is addressed in the following product release: Lotus Domino 6.5.6 and 7.0.2 Fix Pack 1 (FP1). For more information consult the following URL: http://www-1.ibm.com/support/docview.wss?uid=swg21257026 Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation, and their usage, allow local users to gain privileges and execute arbitrary code by renaming directories or performing symlink attacks. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root."20070411 Apache HTTPD suEXEC Multiple Vulnerabilities[apache-http-dev] 20070328 [Fwd: iDefense Final Notice [IDEF1445]][apache-http-dev] 20070328 Re: [Fwd: iDefense Final Notice [IDEF1445]]234381017904apache-suexec-privilege-escalation(33584)suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized operations on incorrect directories, as demonstrated using "html_backup" and "htmleditor" under an "html" directory. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root."20070411 Apache HTTPD suEXEC Multiple Vulnerabilities[apache-http-dev] 20070328 [Fwd: iDefense Final Notice [IDEF1445]][apache-http-dev] 20070328 Re: [Fwd: iDefense Final Notice [IDEF1445]]1017904suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line, which might allow local users to leverage other vulnerabilities to create arbitrary UID/GID owned files if /proc is mounted. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root." In addition, because this is dependent on other vulnerabilities, perhaps this is resultant and should not be included in CVE.From the vendor: "The attacks described rely on an insecure server configuration - that the unprivileged user the server runs as has write access to the document root. The suexec tool cannot detect all possible insecure configurations, nor can it protect against privilege "escalation" in all such cases. It is important to note that to be able to invoke suexec, the attacker must also first gain the ability to execute arbitrary code as the unprivileged server user." 20070411 Apache HTTPD suEXEC Multiple Vulnerabilities[apache-http-dev] 20070328 [Fwd: iDefense Final Notice [IDEF1445]][apache-http-dev] 20070328 Re: [Fwd: iDefense Final Notice [IDEF1445]]1017904Directory traversal vulnerability in the Shared Folders feature for VMware Workstation before 5.5.4, when a folder is shared, allows users on the guest system to write to arbitrary files on the host system via the "Backdoor I/O Port" interface.Successful exploitation requires that a folder is shared. Although the "Shared Folders" feature is enabled by default, no folders are shared by default.20070427 VMware Workstation Shared Folders Directory Traversal Vulnerability237211017980 25079ADV-2007-1592The chm_decompress_stream function in libclamav/chmunpack.c in Clam AntiVirus (ClamAV) before 0.90.2 leaks file descriptors, which has unknown impact and attack vectors involving a crafted CHM file, a different vulnerability than CVE-2007-0897. NOTE: some of these details are obtained from third party information.23473ADV-2007-137824891clamav-chmdecompressstream-dos(33636) GLSA-200704-21 SUSE-SA:2007:026 2007-0013 24920 24946 24996 25022 DSA-1281 25028 MDKSA-2007:098 25189MDKSA-2007:098APPLE-SA-2008-03-18ADV-2008-092429420Unspecified vulnerability in MSO.dll in Microsoft Office 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and 2007 allows user-assisted remote attackers to execute arbitrary code via a malformed drawing object, which triggers memory corruption.MS07-025VU#85318423826ADV-2007-1710101801425178HPSBST02214TA07-128A34396oval:org.mitre.oval:def:2051office-drawing-code-execution(33908)Stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to execute arbitrary code via a long zone name containing character constants represented by escape sequences.VU#55592024871TA07-103A23470ADV-2007-13661017910win-dns-rpc-bo(33629)MS07-02920070415 Re: [exploits] RPC vuln in DNS Server (fwd)HPSBST02214TA07-128Aoval:org.mitre.oval:def:1228Integer underflow in the CDownloadSink class code in the Vector Markup Language (VML) component (VGX.DLL), as used in Internet Explorer 5.01, 6, and 7 allows remote attackers to execute arbitrary code via compressed content with an invalid buffer size, which triggers a heap-based buffer overflow.20070814 EEYE: VGX.DLL Compressed Content Heap Overflow VulnerabilityMS07-050VU#46880025310101856826409TA07-226AADV-2007-2874oval:org.mitre.oval:def:17843020Unspecified vulnerability in Microsoft Internet Explorer 6 allows remote attackers to execute arbitrary code via a crafted Cascading Style Sheets (CSS) tag that triggers memory corruption.MS07-033HPSBST02231TA07-163A24423ADV-2007-2153oval:org.mitre.oval:def:1396101823525627ie-css-tag-code-execution(34619)Microsoft Internet Explorer 5.01, 6, and 7 allows remote attackers to execute arbitrary code by causing Internet Explorer to access an uninitialized or deleted object, related to prototype variables and table cells, aka "Uninitialized Memory Corruption Vulnerability."MS07-03320070612 ZDI-07-038: Microsoft Internet Explorer Prototype Dereference Code Execution VulnerabilityHPSBST02231TA07-163A24418ADV-2007-2153oval:org.mitre.oval:def:1978101823525627ie-uninitialized-object-code-execution(34626)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-1499. Reason: This candidate is a duplicate of CVE-2007-1499. Notes: All CVE users should reference CVE-2007-1499 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.PUBCONV.DLL in Microsoft Office Publisher 2007 does not properly clear memory when transferring data from disk to memory, which allows user-assisted remote attackers to execute arbitrary code via a malformed .pub page via a certain negative value, which bypasses a sanitization procedure that initializes critical pointers to NULL, aka the "Publisher Invalid Memory Reference Vulnerability".MS07-03720070710 EEYE: Microsoft Publisher 2007 Arbitrary Pointer DereferenceSSRT071446TA07-191AADV-2007-2479oval:org.mitre.oval:def:1871101835325988Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, and Office Excel 2007 does not properly validate version information, which allows user-assisted remote attackers to execute arbitrary code via a crafted Excel file, aka "Calculation Error Vulnerability".MS07-036SSRT071446TA07-191A24801ADV-2007-2478oval:org.mitre.oval:def:2123101835225995excel-version-code-execution(35210)Mozilla Firefox 2.0.0.1 through 2.0.0.3 does not canonicalize URLs before checking them against the phishing site blacklist, which allows remote attackers to bypass phishing protection via multiple / (slash) characters in the URL.20070329 Re: Bypass phishing protection in Firefox / OperaThe ATI kernel driver (atikmdag.sys) in Microsoft Windows Vista allows user-assisted remote attackers to cause a denial of service (crash) via a crafted JPG image, as demonstrated by a slideshow, possibly due to a buffer overflow.20070325 Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability ADV-2007-1160 33635 24667 windows-atikmdag-dos(33300)Stack-based buffer overflow in FastStone Image Viewer 2.8 allows user-assisted remote attackers to execute arbitrary code via a crafted JPG image.20070329 Re: [VulnWatch] Microsoft Windows Vista Slideshow Unspecified Blue Screen Of Death Vulnerability 231962510Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier.93542323194ADV-2007-11511017827 20070330 ANI Zeroday, Third Party Patch 20070331 Windows .ANI Stack Overflow ExploitPHP remote file inclusion vulnerability in login/engine/db/profiledit.php in Advanced Login 0.76 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root parameter.20070329 Advanced Login <= 0.7 (root) Remote File Inclusion Vulnerability 3608 23197 24695 ADV-2007-1179 advanced-profiledit-file-include(33321)2508Unspecified vulnerability in (1) Deskbar.dll and (2) Toolbar.dll in AOL 9.0 before February 2007 allows remote attackers to cause a denial of service (browser crash) via unknown vectors.20070329 AOL 9.0 Deskbar.dll/Toolbar.dll DoS Vulnerability aol-deskbar-toolbar-dos(33309)Cross-site scripting (XSS) vulnerability in app/helpers/application_helper.rb in Mephisto 0.7.3 and Mephisto Edge 20070325 allows remote attackers to inject arbitrary web script or HTML via the author name field in a comment.20070325 Mephisto blog is vulnerable to XSS23137mephisto-authorname-xss(33230)2490** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-1873. Reason: This candidate is a duplicate of CVE-2007-1873. Notes: All CVE users should reference CVE-2007-1873 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Buffer overflow in the ArcSDE service (giomgr) in Environmental Systems Research Institute (ESRI) ArcGIS before 9.2 Service Pack 2, when using three tiered ArcSDE configurations, allows remote attackers to cause a denial of service (giomgr crash) and execute arbitrary code via long parameters in crafted requests.2463923175ADV-2007-1140arcsde-three-tiered-dos(33282)20070404 ESRI ArcSDE Buffer Overflow Vulnerability1017874arcsde-tcpport-bo(33457)PHP remote file inclusion vulnerability in manage/javascript/formjavascript.php in Ay System Solutions Web Content System (WCS) 2.7.1 allows remote attackers to execute arbitrary PHP code via a URL in the path[JavascriptEdit] parameter.35922317124663 ADV-2007-1139 wcs-formjavascript-file-include(33281)The FTP service in HP JetDirect print servers allows remote attackers to cause a denial of service (engine crash) via a RETR command with a long pathname.20070327 Remote DOS HP JetDirect Print Servers23168 hp-jetdirect-rert-dos(33273)Multiple directory traversal vulnerabilities in aBitWhizzy allow remote attackers to list arbitrary directories via a .. (dot dot) in the d parameter to (1) whizzery/whizzypic.php or (2) whizzery/whizzylink.php, different vectors than CVE-2006-6384.23167ADV-2007-113624679abitwhizzy-multiple-directory-traversal(33277)3450534506Multiple cross-site scripting (XSS) vulnerabilities in aBitWhizzy allow remote attackers to inject arbitrary web script or HTML via the d parameter to (1) whizzery/whizzypic.php or (2) whizzery/whizzylink.php.23167ADV-2007-113624679abitwhizzy-multiple-xss(33279)3450734508Unrestricted file upload vulnerability in upload.php3 in JBrowser 2.4 and earlier allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.23166SQL injection vulnerability in index.php in the DesignForJoomla.com D4J eZine (com_ezine) 2.8 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the article parameter in a read action.359023165ADV-2007-113524675d4jezine-index-sql-injection(33249)Integer overflow in the zip_read_entry function in PHP 4 before 4.4.5 allows remote attackers to execute arbitrary code via a ZIP archive that contains an entry with a length value of 0xffffffff, which is incremented before use in an emalloc call, triggering a heap overflow.23169 DSA-1282 DSA-1283 25025 25062MDVSA-2008:130PHP remote file inclusion vulnerability in db/mysql.php in the Eve-Nuke 0.1 (EN-Forums) module for PHP-Nuke allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.3591ADV-2007-1138 23176 evenuke-mysql-file-include(33285)Multiple SQL injection vulnerabilities in the MySQL back-end in Advanced Website Creator (AWC) before 1.9.0 might allow remote attackers to execute arbitrary SQL commands via unspecified parameters, related to use of mysql_escape_string instead of mysql_real_escape_string. 23268 24685Cross-site scripting (XSS) vulnerability in the DHT shell (owdhtshell) in Overlay Weaver 0.5.9 to 0.5.11, when invoked with the -x option, allows remote attackers to inject arbitrary web script or HTML via fields in certain input forms.24669 23195 ADV-2007-1167 overlay-weaver-owdhtshell-xss(33340)Minna De Office 1.x and 2.x does not properly restrict user access to certain privileged actions, which allows local users to change the configuration or have other unspecified impact. NOTE: some of these details are obtained from third party information.24691 23198 ADV-2007-1162 aisan-unspecified-privilege-escalation(33341)CruiseWorks 1.09e and earlier does not properly restrict user access to certain privileged actions, which allows local users to change the configuration or have other unspecified impact. NOTE: some of these details are obtained from third party information.24674 23198 ADV-2007-1163 cruiseworks-security-bypass(33323)The JNILoader ActiveX control (STJNILoader.ocx) 3.1.0.26 in IBM Lotus Notes Sametime before 7.5 allows remote attackers to load arbitrary DLL libraries and execute arbitrary code via arbitrary arguments to the loadLibrary function.This vulnerability is addressed in the following product advisory: http://www-1.ibm.com/support/docview.wss?uid=swg21257029 20070329 IBM Lotus Sametime JNILoader Arbitrary DLL Load Vulnerability232011017828 sametime-stjniloader-code-execution(33314)The RPC service in mediasvr.exe in CA BrightStor ARCserve Backup 11.5 SP2 build 4237 allows remote attackers to execute arbitrary code via crafted xdr_handle_t data in RPC packets, which is used in calculating an address for a function call, as demonstrated using the 191 (0xbf) RPC request.20070330 CA Brightstor Backup Mediasvr.exe Remote Code Vulnerability23209ADV-2007-116124682 20070331 CA BrightStor ARCserve Backup Mediasvr.exe vulnerability VU#151305 1017830 brightstor-mediasvr-code-execution(33316)2509SQL injection vulnerability in Hitachi Collaboration - Online Community Management 01-00 through 01-30, as used in Groupmax Collaboration Portal, Groupmax Collaboration Web Client, uCosminexus Collaboration Portal, Cosminexus Collaboration Portal, and uCosminexus Content Manager, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.ADV-2007-116824693 23208 hitachi-collaboration-sql-injection(33348)Multiple PHP remote file inclusion vulnerabilities in lib/timesheet.class.php in Softerra Time-Assistant 6.2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) inc_dir or (2) lib_dir parameter.360023203 20070330 [ECHO_ADV_80$2007] Softerra Time-Assistant <= 6.2 (inc_dir) Remote File Inclusion Vulnerability softerra-timesheetclass-file-include(33327) ADV-2007-1193 24729Flyspray 0.9.9, when output_buffering is disabled or "set to a low value," allows remote attackers to bypass authentication via a crafted post request.24702 23214 ADV-2007-1181Flyspray 0.9.9 allows remote attackers to obtain sensitive information (private project summaries) via direct requests.24702 23214 ADV-2007-1181Multiple PHP remote file inclusion vulnerabilities in Kaqoo Auction Software Free Edition allow remote attackers to execute arbitrary PHP code via a URL in the install_root parameter to (1) support.inc.php, (2) function.inc.php, (3) rdal_object.inc.php, (4) rdal_editor.inc.php. (5) login.inc.php, (6) request.inc.php, and (7) categories.inc.php in include/core/; (8) save.inc.php, (9) preview.inc.php, (10) edit_item.inc.php, (11) new_item.inc.php, and (12) item_info.inc.php in include/display/item/; (13) search.inc.php, (14) item_edit.inc.php, (15) register_succsess.inc.php, (16) context_menu.inc.php, (17) item_repost.inc.php, (18) balance.inc.php, (19) featured.inc.php, (20) user.inc.php, (21) buynow.inc.php, (22) install_complete.inc.php, (23) fees_info.inc.php, (24) user_feedback.inc.php, (25) admin_balance.inc.php, (26) activate.inc.php, (27) user_info.inc.php, (28) member.inc.php, (29) add_bid.inc.php, (30) items_filter.inc.php, (31) my_info.inc.php, (32) register.inc.php, (33) leave_feedback.inc.php, and (34) user_auctions.inc.php in include/display/; and (35) design/form.inc.php, (36) processor.inc.php, (37) interfaces.inc.php (38) left_menu.inc.php, (39) login.inc.php, and (40) categories.inc.php in include/.36072469623211ADV-2007-1180 kaqoo-installroot-file-include(33335) 34557 34558 34559 34561 34571 34572 34573 34574 34575 34576 34579 34580 34581 34582 34545 34546 34547 34548 34549 34550 34551 34552 34553 34554 34555 34556 34560 34562 34563 34564 34565 34566 34567 34568 34569 34570 34577 34578 34583 34584SQL injection vulnerability in wall.php in Picture-Engine 1.2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter.360523205 pictureengine-wall-sql-injection(33325)libdayzero.dll in the Filter Hub Service (filter-hub.exe) in Symantec Mail Security for SMTP before 5.0.1 Patch 181 and Mail Security Appliance before 5.0.0-36 allows remote attackers to cause a denial of service (crash) via a crafted executable attachment in an e-mail, involving the detection of "PE-Shield v0.2" and "ASPack v1.00-1.08.02".ADV-2007-23352463220070628 Secunia Research: Symantec Mail Security for SMTP Boundary Errors246251018301symantec-mailsecurity-attachment-dos(35105)SPBBCDrv.sys in Symantec Norton Personal Firewall 2006 9.1.0.33 and 9.1.1.7 does not validate certain arguments before being passed to hooked SSDT function handlers, which allows local users to cause a denial of service (crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateMutant and (2) NtOpenEvent functions. NOTE: it was later reported that Norton Internet Security 2008 15.0.0.60, and possibly other versions back to 2006, are also affected.2467720070401 Norton Multiple insufficient argument validation of hooked SSDT function Vulnerability23241ADV-2007-119210178371017838symantec-firewall-ssdt-dos(33352)20070918 Plague in (security) software drivers & BSDOhook utilityThe Javascript engine in Mozilla 1.7 and earlier on Sun Solaris 8, 9, and 10 might allow remote attackers to execute arbitrary code via vectors involving garbage collection that causes deletion of a temporary object that is still being used. NOTE: this issue might be related to CVE-2006-3805.102865ADV-2007-117824624JCcorp URLshrink 1.3.1 allows remote attackers to execute arbitrary PHP code via the email address field in an HTML link. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.23217urlshrink-email-code-execution(33320)Multiple unspecified vulnerabilities in JCcorp URLshrink before 1.3.2 have unspecified attack vectors and impact.Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.20070331 Multiple Vendor ImageMagick DCM and XWD Buffer Overflow Vulnerabilities23347ADV-2007-120010178392472124739imagemagick-readdcmimage-bo(33376)imagemagick-readxwdimage-bo(33377)SUSE-SR:2007:0082325225072GLSA-200705-1325206MDKSA-2007:147USN-481-12599226177RHSA-2008:0145RHSA-2008:01652978629857Buffer overflow in the drmgr command in IBM AIX 5.2 and 5.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long path name.IY96772ADV-2007-1186ibmaix-drmgr-bo(33354)1017841IY95054IY96753Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.3 only checks for the ".." string, which allows remote attackers to overwrite arbitrary files via modified ".." sequences in a torrent filename, as demonstrated by "../" sequences, due to an incomplete fix for CVE-2007-1384. SUSE-SR:2007:007 24995 GLSA-200705-01 MDKSA-2007:095 25097 USN-436-2 23745DSA-137326773Cisco Secure ACS does not require authentication when Cisco Trust Agent (CTA) transmits posture information, which might allow remote attackers to gain network access via a spoofed Network Endpoint Assessment posture, aka "NACATTACK." NOTE: this attack might be limited to authenticated users and devices.20070330 NACATTACK PresentationDirectory traversal vulnerability in inc/lang.php in sBLOG 0.7.3 Beta allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the conf_lang_default parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by inc/lang.php.360123206sblog-inclang-file-include(33326)Cross-site scripting (XSS) vulnerability in MailDwarf 3.01 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.23207ADV-2007-116624681maildwarf-unspecified-xss(33322)Unspecified vulnerability in MailDwarf 3.01 and earlier allows remote attackers to send e-mail to addresses different from the configured addresses.23207ADV-2007-116624681maildwarf-unspecified-security-bypass(33324)PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file.pulseaudio-assert-dos(33315) 23240 ADV-2007-1214SUSE-SR:2007:013USN-465-12543125787MDVSA-2008:065SQL injection vulnerability in genre.php in the debaser 0.92 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the genreid parameter.3630 23253 xoops-debaser-genre-sql-injection(33372)SQL injection vulnerability in categos.php in the RM+Soft Gallery (rmgallery) 1.0 module for Xoops allows remote attackers to execute arbitrary SQL commands via the idcat parameter.3633 23250 24709 xoops-rmsoft-categos-sql-injection(33370)SQL injection vulnerability in modules/myalbum/viewcat.php in the myAlbum-P 2.0 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.3632 23229 ADV-2007-1202 xoops-myalbump-viewcat-sql-injection(33371)SQL injection vulnerability in show.php in the Camportail 1.1 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the camid parameter in a showcam action.3629 23245 ADV-2007-1201 24748 xoops-camportail-show-sql-injection(33373)Multiple PHP remote file inclusion vulnerabilities in GraFX Company WebSite Builder (CWB) PRO 1.5 allow remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter to (1) cls_headline_prod.php, (2) cls_listorders.php, or (3) cls_viewpastorders.php in include/, different vectors than CVE-2007-1513.362820070402 [true] CWB pro 1.5 INCLUDE_PATH RFI 23242 cwb-includepath-file-include(33351)SQL injection vulnerability in product_details.php in the Kshop 1.17 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.3626 23272 ADV-2007-1211 24749 xoops-kshop-productdetails-sql-injection(33374)SQL injection vulnerability in index.php in the Tiny Event (tinyevent) 1.01 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action.3625 xoops-tinyevent-index-sql-injection(33359)PHP remote file inclusion vulnerability in utilitaires/gestion_sondage.php in BT-Sondage 112 allows remote attackers to execute arbitrary PHP code via a URL in the repertoire_visiteur parameter.362420070402 [true] BT-Sondage-v112 RFI 23248 ADV-2007-1183 24701 btsondage-gestionsondage-file-include(33363)SQL injection vulnerability in display.php in the eCal 2.24 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the katid parameter.3623 xoops-ecal-display-sql-injection(33369)SQL injection vulnerability in viewcat.php in the Core module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2007-0377.3620 23229 xoops-core-viewcat-sql-injection(33350)SQL injection vulnerability in viewcat.php in the Library module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.3619 23229 xoops-library-viewcat-sql-injection(33366)SQL injection vulnerability in viewcat.php in the Tutoriais module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.3621 23229 xoops-tutoriais-viewcat-sql-injection(33367)SQL injection vulnerability in index.php in the Lykos Reviews (lykos_reviews) 1.00 module for Xoops allows remote attackers to execute arbitrary SQL commands via the uid parameter in a u action.3618 23232 ADV-2007-1189 xoops-lykos-reviews-sql-injection(33365)PHP remote file inclusion vulnerability in MOD_forum_fields_parse.php in the Forum picture and META tags 1.7 module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.3613 23222 ADV-2007-1188 phpbb-modforumfieldsparse-file-include(33346)Stack-based buffer overflow in the SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 in TestDirector (TD) for Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32, allows remote attackers to execute arbitrary code via a long ProgColor property.HPSBGN02199VU#589097101783520070402 Hewlett-Packard Mercury Quality Center ActiveX Control ProgColor Buffer Overflow Vulnerability23239ADV-2007-118524692Nortel Networks CallPilot and Meridian Mail voicemail systems, when a mailbox has auto logon enabled, allow remote attackers to retrieve or remove messages, or reconfigure the mailbox, by spoofing Calling Number Identification (CNID, aka Caller ID).Access complexity set to Medium because Nortel Networks voicemail systems do not hard code or default to this behavior.VU#726548Sprint Nextel Sprint voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID).VU#726548Alcatel-Lucent Lucent Technologies voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID).VU#726548T-Mobile voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID).VU#726548Buffer overflow in the php_stream_filter_create function in PHP 5 before 5.2.1 allows remote attackers to cause a denial of service (application crash) via a php://filter/ URL that has a name ending in the '.' character.23237 DSA-1283 USN-455-1 25062 25057SUSE-SA:2007:03225056Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field. NOTE: as of 20070411, it appears that this issue might be subsumed by CVE-2007-0906.3.23234Unspecified vulnerability in the IPSec Manager Service for Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allows remote attackers to cause a denial of service (loss of cluster services) via a "specific UDP packet" to UDP port 8500, aka bug ID CSCsg60949.20070328 Multiple Cisco Unified CallManager and Presence Server Denial of Service Vulnerabilities23181101782624690 ADV-2007-1144Multiple unspecified vulnerabilities in form input validation in web-app.org WebAPP before 0.9.9.6 allow remote authenticated users to corrupt data files, gain access to private files, and execute arbitrary code via "certain characters."20070322 WebAPP AuditADV-2007-072024227Multiple cross-site scripting (XSS) vulnerabilities in web-app.org WebAPP before 0.9.9.6 allow remote authenticated users to inject arbitrary web script or HTML via (1) the QUERY_STRING corresponding to drop downs or (2) various forms.20070322 WebAPP AuditADV-2007-072024227Multiple unspecified vulnerabilities in web-app.net WebAPP have unknown impact and attack vectors, described as "[having] other [security] issues too, not as bad as letting users take over your admin account, but bad too."Unspecified vulnerability in the Username Hijacking Patch 20070312 for web-app.org WebAPP 0.9.9.6 allows remote attackers to obtain administrative access via unknown vectors, related to "something overlooked in the original that was still overlooked in the patch", and possibly related to copying files to the user-lib and the "XSS and cookies exploit."web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to open files and write "wrong data" via a crafted QUERY_STRING.20070322 WebAPP AuditADV-2007-072024227web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to upload certain files (1) via a crafted filename or (2) by "using percent encoding in forms."20070322 WebAPP AuditADV-2007-072024227The Skinny Call Control Protocol (SCCP) implementation in Cisco Unified CallManager (CUCM) 3.3 before 3.3(5)SR2a, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3)SR1, and 5.0 before 5.0(4a)SU1 allows remote attackers to cause a denial of service (loss of voice services) by sending crafted packets to the (1) SCCP (2000/tcp) or (2) SCCPS (2443/tcp) port.20070328 Multiple Cisco Unified CallManager and Presence Server Denial of Service Vulnerabilities23181101782624665 ADV-2007-1144Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allow remote attackers to cause a denial of service (loss of voice services) via a flood of ICMP echo requests, aka bug ID CSCsf12698.20070328 Multiple Cisco Unified CallManager and Presence Server Denial of Service Vulnerabilities23181101782624690 ADV-2007-1144PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.23183HPSBMA02215HPSBTU02232ADV-2007-1991ADV-2007-23742542325850The command line administration interface in Data Domain OS before 4.0.3.6 allows remote authenticated users to execute arbitrary commands via shell metacharacters in certain arguments to various commands, as demonstrated by the interface argument to the (1) ifconfig and (2) ping commands.20070328 Arbitrary Command Execution in DataDomain Administrator Interface23182 246662516Multiple PHP remote file inclusion vulnerabilities in MangoBery CMS 0.5.5 allow remote attackers to execute arbitrary PHP code via a URL in the Site_Path parameter to (1) boxes/quotes.php or (2) templates/mangobery/footer.sample.php.359824686 23187 ADV-2007-1147 mangoberycms-quotes-file-include(33290)SQL injection vulnerability in view.php in the Friendfinder 3.3 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.359723184 20070329 Xoops Module Friendfinder <= 3.3 (view.php id) BLIND SQL Injection Exploit ADV-2007-1146 xoops-friendfinder-view-sql-injection(33292)Multiple PHP remote file inclusion vulnerabilities in CodeBB 1.1b3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) pass_code.php or (2) lang_select.3599 23185 ADV-2007-1148 codebb-passcode-file-include(33293)lib/modules.inc in LDAP Account Manager (LAM) before 1.3.0 does not escape HTML special characters in LDAP data, which allows remote attackers to have an unknown impact, probably cross-site scripting (XSS). ADV-2007-1149 24687 DSA-1287 23190 25157The isakmp_info_recv function in src/racoon/isakmp_inf.c in racoon in Ipsec-tools before 0.6.7 allows remote attackers to cause a denial of service (tunnel crash) via crafted (1) DELETE (ISAKMP_NPTYPE_D) and (2) NOTIFY (ISAKMP_NPTYPE_N) messages.[Ipsec-tools-devel] 20070406 Ipsec-tools 0.6.7 releasedADV-2007-131024815MDKSA-2007:084USN-450-1233942483324826ipsectools-isakmpinforecv-dos(33541)SUSE-SR:2007:008GLSA-200705-092507225142RHSA-2007:034225322DSA-1299MDKSA-2007:084101808625560Directory traversal vulnerability in login.php in JSBoard before 2.0.12 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the table parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, a related issue to CVE-2006-2019.361423223ADV-2007-1182 jsboard-login-file-include(33338)PHP remote file inclusion vulnerability in gmapfactory/params.php in MapLab 2.2.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the gszAppPath parameter.2471520070402 Maplab <= 2.2.1 (gszAppPath) Remote File Inclusion Vulnerability20070402 Re: Maplab <= 2.2.1 (gszAppPath) Remote File Inclusion Vulnerability20070402 Re: Maplab <= 2.2.1 (gszAppPath) Remote File InclusionVulnerability363823249ADV-2007-1203maplab-params-file-include(33360)Multiple PHP remote file inclusion vulnerabilities in Aardvark Topsites PHP 5 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) button/settings_sql.php, (2) settings_sql.php, and (3) sources/misc/new_day.php.20070331 Remot File Include In Aardvark Topsites PHP 5 aardvark-settingssql-newday-file-include(33342)2515SQL injection vulnerability in show_event.php in the Expanded Calendar (calendar_panel) 2.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the m_month parameter.20070331 PHP-Fusion 'Calendar_Panel' Module show_event.PHP (m_month) SQL Injection Exploit And PoC2322524718 ADV-2007-1191 phpfusion-showevent-sql-injection(33336)2514SQL injection vulnerability in index.php in the MyAds 2.04jp and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, different vectors than CVE-2006-3341.360323212xoops-myads-index-sql-injection(33334)SQL injection vulnerability in viewcat.php in the Repository module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.361223221 xoops-viewcatphp-sql-injection(33344)Cross-site scripting (XSS) vulnerability in admin/classes/ui.dta.php in Drake CMS allows remote attackers to inject arbitrary web script or HTML via the desc[][title] field. NOTE: Drake CMS has only a beta version available, and the vendor has previously stated "We do not consider security reports valid until the first official release of Drake CMS."20070330 DrakeCMS multiple vulerabilities23216drakecms-uidta-xss(33332)2522Directory traversal vulnerability in 404.php in Drake CMS allows remote attackers to include and execute arbitrary local arbitrary files via a .. (dot dot) in the d_private parameter. NOTE: some of these details are obtained from third party information. NOTE: Drake CMS has only a beta version available, and the vendor has previously stated "We do not consider security reports valid until the first official release of Drake CMS."20070330 DrakeCMS multiple vulerabilities23215drakecms-dprivate-file-include(33331)Directory traversal vulnerability in classes/captcha/captcha.jpg.php in Drake CMS allows remote attackers to read arbitrary files or list arbitrary directories, and obtain the installation path, via a .. (dot dot) in the d_private parameter. NOTE: Drake CMS has only a beta version available, and the vendor has previously stated "We do not consider security reports valid until the first official release of Drake CMS."20070330 DrakeCMS multiple vulerabilitiesdrakecms-dprivate-directory-traversal(33333)2522Multiple directory traversal vulnerabilities in Really Simple PHP and Ajax (RSPA) 2007-03-23 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the __class parameter to (1) Controller_v4.php or (2) Controller_v5.php.3641ADV-2007-119024671 rspa-class-file-include(33357)** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in 2BGal 3.1.1 allow remote attackers to execute arbitrary PHP code via a URL in the lang_filename parameter to (1) index.php or (2) backupdb.inc.php in admin/, or other unspecified files, different vectors than CVE-2006-5505. NOTE: this issue has been disputed by CVE, since the lang_filename variable is defined before it is used.20070331 2BGal 3.1.1 <= (admin/index.php) Remote File Include Vulnerability2bgal-langfilename-file-include(33375)20070427 FALSE -> 2bgal RFI2517Unspecified vulnerability in Hitachi JP1/HiCommand DeviceManager, Global Link Availability Manager, Replication Monitor, Tiered Storage Manager, and Tuning Manager allows local users to obtain authentication information via unspecified vectors.23210ADV-2007-116924684hitachi-hicommand-information-disclosure(33328)Unspecified vulnerability in Hitachi Cosminexus Component Container 07-00 through 07-00-10, and 07-10 through 07-10-03, as used in uCosminexus Application Server Enterprise and Standard; uCosminexus Service Platform; uCosminexus Developer Standard and Professional; uCosminexus Service Architect; Electronic Form Workflow Standard Set, Professional Library Set, and Developer Client Set; and uCosminexus ERP Integrator, does not properly manage session information, which has an unspecified impact related to "unintended other requests."23213ADV-2007-117024683hitachi-container-information-disclosure(33318)Multiple PHP remote file inclusion vulnerabilities in smarty/smarty_class.php in Shop-Script FREE allow remote attackers to execute arbitrary PHP code via a URL in the (1) _smarty_compile_path, (2) smarty_compile_path, (3) get_plugin_filepath, (4) smarty_dir, and (5) filename parameters. NOTE: this issue might be related to CVE-2006-7105.20070331 Remot File Include In Shop-SCRIPT FREE shopscriptfree-smarty-file-include(33339)2520Vixie Cron before 4.1-r10 on Gentoo Linux is installed with insecure permissions, which allows local users to cause a denial of service (cron failure) by creating hard links, which results in a failed st_nlink check in database.c.GLSA-200704-1123520 SUSE-SR:2007:007 24905 24995 RHSA-2007:0345 2532120070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerMDKSA-2007:234ADV-2007-3229101808125723269092770627886The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts.ADV-2007-1729tomcat-ssl-security-bypass(34212)SUSE-SR:2008:0072848229392XScreenSaver 4.10, when using a remote directory service for credentials, does not properly handle the results from the getpwuid function in drivers/lock.c when there is no network connectivity, which causes XScreenSaver to crash and unlock the screen and allows local users to bypass authentication.RHSA-2007:0322MDKSA-2007:097SUSE-SR:2007:0092378310179962506525105251182511625119xscreensaver-getpwuid-authentication-bypass(34054)GLSA-200705-1425225USN-474-125610mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.25383APPLE-SA-2007-07-31DSA-1312GLSA-200708-15HPSBUX02262RHSA-2007:03792414725159ADV-2007-1941ADV-2007-2732ADV-2007-338634877101813825701262352651227037tomcat-jkconnector-security-bypass(34496)SUSE-SR:2008:00529242RHSA-2008:0261The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel before 2.6.20.8 allows attackers to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow.2508323677ADV-2007-159525030DSA-1289RHSA-2007:0347252282528820070615 rPSA-2007-0124-1 kernel xenMDKSA-2007:171SUSE-SA:2007:043USN-486-1USN-489-12569125961261332613926620kernel-netlinkfiblookup-dos(34014)The recall_headers function in mod_mem_cache in Apache 2.2.4 does not properly copy all levels of header data, which can cause Apache to return HTTP headers containing previously used data, which could be used by remote attackers to obtain potentially sensitive information.FEDORA-2007-2214GLSA-200711-06MDKSA-2007:12724553ADV-2007-2231ADV-2007-2727262732684227563cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value.RHSA-2007:0534RHSA-2007:055624649PK49355PK52702FEDORA-2007-2214GLSA-200711-06HPSBUX02262MDKSA-2007:140MDKSA-2007:141RHSA-2007:0533RHSA-2007:0557SUSE-SA:2007:0612007-0026USN-499-1ADV-2007-2727ADV-2007-3283ADV-2007-3386101830325830258732592026273264432650826822268422699327037275632773228606APPLE-SA-2008-05-28TA08-150AADV-2008-169730430Buffer overflow in the bundled libxmlrpc library in PHP before 4.4.7, and 5.x before 5.2.2, has unknown impact and remote attack vectors.MDKSA-2007:102MDKSA-2007:103RHSA-2007:0348RHSA-2007:0349RHSA-2007:0355101802425187251912007-001725255DSA-1330DSA-1331GLSA-200705-19MDKSA-2007:102MDKSA-2007:103SUSE-SA:2007:044USN-485-123813ADV-2007-218725445256602593825945260482610227377** DISPUTED ** The ipv6_getsockopt_sticky function in the kernel in Red Hat Enterprise Linux (RHEL) Beta 5.1.0 allows local users to obtain sensitive information (kernel memory contents) via a negative value of the len parameter. NOTE: this issue has been disputed in a bug comment, stating that "len is ignored when copying header info to the user's buffer."Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than CVE-2007-1465.20070331 Re: dproxy-nexgen remote20070331 dproxy-nexgen remoteADV-2007-1194246882518Buffer overflow in IrfanView 3.99 allows remote attackers to execute arbitrary code via a crafted animated cursor (ANI) file.364823262ADV-2007-121024725 irfanview-ani-bo(33386)The management service in IBM Tivoli Provisioning Manager for OS Deployment before 5.1 Fix Pack 2 does not properly handle multipart/form-data in HTTP POST requests, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via crafted POST requests to port 8080/tcp or 443/tcp.20070331 IBM Tivoli Provisioning Manager for OS Deployment Multiple Vulnerabilities23264ADV-2007-119924717 1017840lighttpd 1.4.12 and 1.4.13 allows remote attackers to cause a denial of service (cpu and resource consumption) by disconnecting while lighttpd is parsing CRLF sequences, which triggers an infinite loop and file descriptor consumption.ADV-2007-139924886 SUSE-SR:2007:007 23515 24995 lighttpd-rnrn-dos(33671) GLSA-200705-07 25166 24947DSA-130325613lighttpd before 1.4.14 allows attackers to cause a denial of service (crash) via a request to a file whose mtime is 0, which results in a NULL pointer dereference.ADV-2007-139924886 SUSE-SR:2007:007 23515 24995 lighttpd-mtime-dos(33678) GLSA-200705-07 25166 24947DSA-130325613Cross-site scripting (XSS) vulnerability in chcounter 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the login_name parameter to /stats/.Successful exploitation requires that the target user is not logged in.20070411 CVE-2007-1871: Cross site scripting in chcounter 3.1.323462ADV-2007-1371248792569Cross-site scripting (XSS) vulnerability in toendaCMS 1.5.3 allows remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search id.20070411 CVE-2007-1872: Cross site scripting in toendaCMS 1.5.323453ADV-2007-137224869 toendacms-search-xss(33622)2568Cross-site scripting (XSS) vulnerability in mephisto 0.7.3 allows remote attackers to inject arbitrary web script or HTML via the q parameter to the search script.20070411 Cross site scripting in mephisto 0.7.320070412 Re: Cross site scripting in mephisto 0.7.3ADV-2007-1373 24870 mephisto-search-xss(33620)23141Adobe ColdFusion MX 7 for Linux and Solaris uses insecure permissions for certain scripts and directories, which allows local users to execute arbitrary code or obtain sensitive information via the (1) CFMX7DreamWeaverExtensions.mxp, (2) CFReportBuilderInstaller.exe, (3) .com.zerog.registry.xml, (4) uninstall.lax, (5) license.txt, (6) Readme.htm, (7) .com.zerog.registry.xml, (8) k2adminstop, or (9) k2adminstart files; or (10) certain files in lib/wsconfig/.20070410 Adobe Macromedia ColdFusion MX7 Insecure File Permissions Vulnerability24850 23405 ADV-2007-1341 1017899 coldfusion-verity-privilege-escalation(33571)VMware Workstation before 5.5.4, when running a 64-bit Windows guest on a 64-bit host, allows local users to "corrupt the virtual machine's register context" by debugging a local program and stepping into a "syscall instruction."25079vmware-windebugging-unspecified(33993)101801123732ADV-2007-1592VMware Workstation before 5.5.4 allows attackers to cause a denial of service against the guest OS by causing the virtual machine process (VMX) to store malformed configuration information. 25079 vmware-vmx-dos(33992) 101801123732ADV-2007-1592Cross-zone scripting vulnerability in the DOM templates (domplates) used by the console.log function in the Firebug extension before 1.03 for Mozilla Firefox allows remote attackers to bypass zone restrictions, read arbitrary file:// URIs, or execute arbitrary code in the browser chrome, as demonstrated via the runFile function, related to lack of HTML escaping in the property name.20070404 Firefox extensions go Evil - Critical Vulnerabilities in Firefox/Firebug2331520070404 Re: [WEB SECURITY] Firefox extensions go Evil - Critical Vulnerabilities in Firefox/FirebugADV-2007-127224743firefox-firebug-console-security-bypass(33451)2525The StartUploading function in KL.SysInfo ActiveX control (AxKLSysInfo.dll) in Kaspersky Anti-Virus 6.0 and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows remote attackers to read arbitrary files by triggering an outbound anonymous FTP session that invokes the PUT command. NOTE: this issue might be related to CVE-2007-1112.20070404 Kaspersky AntiVirus SysInfo ActiveX Control Information Disclosure Vulnerability23325ADV-2007-1268101787124778 kaspersky-startuploading-info-disclosure(33464)Integer overflow in the _NtSetValueKey function in klif.sys in Kaspersky Anti-Virus, Anti-Virus for Workstations, Anti-Virus for File Server 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows context-dependent attackers to execute arbitrary code via a large, unsigned "data size argument," which results in a heap overflow.The vendor has addressed this vulnerability within Maintenance Pack 2. More information is available from the following link: http://www.kaspersky.com/technews?id=203038693 20070404 Kaspersky Internet Security Suite klif.sys Heap Overflow Vulnerability23326ADV-2007-1268101787324778 1017872 kaspersky-klif-bo(33460) 33851Unspecified vulnerability in KLIF (klif.sys) in Kaspersky Anti-Virus, Anti-Virus for Workstations, and Anti-Virus for File Servers 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows local users to gain Ring-0 privileges via unspecified vectors.ADV-2007-126824778 33852qcbin/servlet/tdservlet/TDAPI_GeneralWebTreatment in HP Mercury Quality Center 9.0 build 9.1.0.4352 allows remote authenticated users to execute arbitrary SQL commands via the RunQuery method.20070403 HP Mercury Quality Center Any SQL executionADV-2007-1246101784224730hpmercuryquality-sql-command-execution(33385)2527PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allows context-dependent attackers to read arbitrary memory locations via an interruption that triggers a user space error handler that changes a parameter to an arbitrary pointer, as demonstrated via the iptcembed function, which calls certain convert_to_* functions with its input parameters.24542GLSA-200710-0227102Multiple integer signedness errors in the printf function family in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 on 64 bit machines allow context-dependent attackers to execute arbitrary code via (1) certain negative argument numbers that arise in the php_formatted_print function because of 64 to 32 bit truncation, and bypass a check for the maximum allowable value; and (2) a width and precision of -1, which make it possible for the php_sprintf_appendstring function to place an internal buffer at an arbitrary memory location.23219 33955HPSBMA02215HPSBTU02232ADV-2007-1991ADV-2007-2374347672542325850Integer overflow in the str_replace function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via a single character search string in conjunction with a long replacement string, which overflows a 32 bit length counter. NOTE: this is probably the same issue as CVE-2007-0906.6.23233HPSBMA02215HPSBTU02232ADV-2007-1991ADV-2007-23742542325850Integer overflow in the str_replace function in PHP 4.4.5 and PHP 5.2.1 allows context-dependent attackers to have an unknown impact via a single character search string in conjunction with a single character replacement string, which causes an "off by one overflow."HPSBMA02215HPSBTU02232ADV-2007-1991ADV-2007-23742542325850Buffer overflow in the sqlite_decode_binary function in the bundled sqlite library in PHP 4 before 4.4.5 and PHP 5 before 5.2.1 allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter, as demonstrated by calling the sqlite_udf_decode_binary function with a 0x01 character.23235 DSA-1283 USN-455-1 25062 25057 MDKSA-2007:088 MDKSA-2007:089 24909FEDORA-2007-2215GLSA-200710-02HPSBUX02262MDKSA-2007:088MDKSA-2007:089ADV-2007-2016ADV-2007-3386270372711027102Buffer overflow in the sqlite_decode_binary function in src/encode.c in SQLite 2, as used by PHP 4.x through 5.x and other applications, allows context-dependent attackers to execute arbitrary code via an empty value of the in parameter. NOTE: some PHP installations use a bundled version of sqlite without this vulnerability. The SQLite developer has argued that this issue could be due to a misuse of the sqlite_decode_binary() API.20070422 vendor ack/clarification for CVE-2007-1888 (SQLite)USN-455-125057MDKSA-2007:091MDKSA-2007:091Integer signedness error in the _zend_mm_alloc_int function in the Zend Memory Manager in PHP 5.2.0 allows remote attackers to execute arbitrary code via a large emalloc request, related to an incorrect signed long cast, as demonstrated via the HTTP SOAP client in PHP, and via a call to msg_receive with the largest positive integer value of maxsize. DSA-1283 25062SUSE-SA:2007:03225056Integer overflow in the msg_receive function in PHP 4 before 4.4.5 and PHP 5 before 5.2.1, on FreeBSD and possibly other platforms, allows context-dependent attackers to execute arbitrary code via certain maxsize values, as demonstrated by 0xffffffff.23236Stack-based buffer overflow in the GetPrivateProfileSectionW function in Akamai Technologies Download Manager ActiveX Control (DownloadManagerV2.ocx) after 2.0.4.4 but before 2.2.1.0 allows remote attackers to execute arbitrary code, related to misinterpretation of the nSize parameter as a byte count instead of a wide character count.20070416 Akamai Download Manager ActiveX Stack Buffer Overflow Vulnerability20070416 Akamai Technologies Security Advisory 2007-000123522 VU#120241 ADV-2007-1415 1017925 24900 34323Stack-based buffer overflow in Akamai Technologies Download Manager ActiveX Control (DownloadManagerV2.ocx) before 2.2.1.0 allows remote attackers to execute arbitrary code via unspecified vectors, a different issue than CVE-2007-1891.20070416 Akamai Technologies Security Advisory 2007-000123522 ADV-2007-1415 24900 akamai-download-manager-bo(33697) 34324xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post."24751wordpress-xmlrpc-security-bypass(33470) ADV-2007-1245 DSA-1285 25108Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function.20070309 WordPress XSS under function wp_title()2290224485 DSA-1285 251082526PHP remote file inclusion vulnerability in chat.php in Sky GUNNING MySpeach 3.0.7 and earlier, when used with PHP 5, allows remote attackers to execute arbitrary PHP code via an ftp URL in a my_ms[root] cookie, a different vector than CVE-2007-0491 and CVE-2006-4630.3657 ADV-2007-1261 24760Directory traversal vulnerability in chat.php in Sky GUNNING MySpeach 3.0.7 and earlier allows remote attackers to include arbitrary local files via a .. (dot dot) and trailing %00 (NULL) in a my_ms[root] cookie.3657 ADV-2007-1261 24760 24766SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable.This vulnerability has been addressed by the vendor with the release of the following product update: http://wordpress.org/development/2007/04/wordpress-213-and-2010/36562329424751 ADV-2007-1245 DSA-1285 25108formmail.php in Jetbox CMS 2.1 allows remote attackers to send arbitrary e-mails (spam) via modified recipient, _SETTINGS[allowed_email_hosts][], and subject parameters.20070515 Jetbox CMS version 2.1 E-Mail Injection Vulnerability23989ADV-2007-1831340881018063jetbox-formmail-mail-relay(34292)2710Multiple SQL injection vulnerabilities in myWebland myBloggie 2.1.6 allow remote attackers to execute arbitrary SQL commands via (1) the user_id parameter in a viewuser action to index.php, and allow remote authenticated administrators to execute arbitrary SQL commands via (2) the post_id parameter in an edit action to admin.php.597530892CRLF injection vulnerability in the FILTER_VALIDATE_EMAIL filter in ext/filter in PHP 5.2.0 and 5.2.1 allows context-dependent attackers to inject arbitrary e-mail headers via an e-mail address with a '\n' character, which causes a regular expression to ignore the subsequent part of the address string.2335924824 php-filtervalidateemail-header-injection(33510) DSA-1283 USN-455-1 25062 25057 33962FEDORA-2007-2215GLSA-200705-19GLSA-200710-02HPSBUX02262SSA:2007-152-01SUSE-SA:2007:0322007-0023ADV-2007-2016ADV-2007-338625056254452553526231270372711027102SonicBB 1.0 allows remote attackers to obtain sensitive information via the (1) by[] parameter to search.php, (2) p[] parameter to viewforum.php, and the (3) id parameter to (a) viewforum.php or (b) members.php, which reveal the installation path in the resulting error message.Successful exploitation requires that "magic_quotes_gpc" is disabled.20070514 SonicBB version 1.0 Multiple Path Disclosure Vulnerabilities33906 20070514 SonicBB version 1.0 Multiple Path Disclosure Vulnerabilities ADV-2007-1816 25279 sonicbb-multiple-path-disclosure(34259)Multiple SQL injection vulnerabilities in SonicBB 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) part and (2) by parameters to (a) search.php, or the (2) id parameter to (b) viewforum.php.Successful exploitation requires that "magic_quotes_gpc" is disabled.20070514 SonicBB version 1.0 Multiple SQL Injection Vulnerabilities33907 20070514 SonicBB version 1.0 Multiple SQL Injection Vulnerabilities 23964 ADV-2007-1816 25279 sonicbb-search-sql-injection(34258)Cross-site scripting (XSS) vulnerability in search.php in SonicBB 1.0 allows remote attackers to inject arbitrary web script or HTML via the part parameter.Successful exploitation requires that "magic_quotes_gpc" is disabled.20070514 SonicBB version 1.0 XSS Attack Vulnerabilities34042 20070514 SonicBB version 1.0 XSS Attack Vulnerabilities 23963 ADV-2007-1816 25279 sonicbb-search-xss(34256)Directory traversal vulnerability in AOL Instant Messenger (AIM) 5.9 and earlier, and ICQ 5.1 and probably earlier, allows user-assisted remote attackers to write files to arbitrary locations via a .. (dot dot) in a filename in a file transfer operation.20070409 AOL AIM and ICQ File Transfer Path-Traversal Vulnerability23391 ADV-2007-1306 ADV-2007-1307 1017890 1017891 24747 24803 aim-icq-filetransfer-directory-traversal(33538)Cross-site scripting (XSS) vulnerability in auth.php in Pineapple Technologies QuizShock 1.6.1 and earlier allows remote attackers to inject arbitrary web script or HTML via encoded special characters in the forward_to parameter, as demonstrated using "<"<".20070408 QuizShock 1.6.1 - Cross-Site Scripting Vulnerability23368ADV-2007-131924831quizshock-auth-xss(33523)2554Directory traversal vulnerability in richedit/keyboard.php in eCardMAX HotEditor (Hot Editor) 4.0, and the HotEditor plugin for MyBB, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the first parameter.20070409 Hot Editor v4.0 Local File Inclusion20070409 Mybb Hot Editor Plugin Local File Inclusion23377hoteditor-keyboard-file-include(33521) ADV-2007-1315 248252533PHP remote file inclusion vulnerability in warn.php in Pathos Content Management System (CMS) 0.92-2 allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.3696 23393 ADV-2007-1321 pathoscms-warn-file-include(33536)PHP file inclusion vulnerability in php121db.php in PHP121 Instant Messenger 2.2 allows remote attackers to execute arbitrary PHP code via a UNC share pathname or a local file pathname in the php121dir parameter, which is accessed by the file_exists function.3694 23392 ADV-2007-1314 24818 php121-php121db-file-include(33525)SQL injection vulnerability in login.php in Ryan Haudenschilt Battle.net Clan Script for PHP 1.5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) user or (2) pass parameter.369123383 ADV-2007-1313 24838Buffer overflow in wwlib.dll in Microsoft Word 2007 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted document, as demonstrated by file789-1.doc.369023380 1017902Multiple unspecified vulnerabilities in Microsoft Word 2007 allow remote attackers to cause a denial of service (CPU consumption) via crafted documents, as demonstrated by (1) file798-1.doc and (2) file613-1.doc, possibly related to a buffer overflow.3690Heap-based buffer overflow in Microsoft Windows allows user-assisted remote attackers to have an unknown impact via a crafted .HLP file.369323382 1017901The TRUSTED_SYSTEM_SECURITY function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to verify the existence of users and groups on systems and domains via unspecified vectors, a different vulnerability than CVE-2006-6010. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended.20070404 CYBSEC Pre-Advisory: SAP TRUSTED_SYSTEM_SECURITY RFC Function Information Disclosure23305ADV-2007-127024722sap-rfc-syssecurity-information-disclosure(33423)2535The RFC_START_PROGRAM function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to obtain sensitive information (external RFC server configuration data) via unspecified vectors, a different vulnerability than CVE-2006-6010. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended.20070404 CYBSEC Security Pre-Advisory: SAP RFC_START_PROGRAM RFC Function Multiple Vulnerabilities23313ADV-2007-127024722sap-rfc-startprogram-information-disclosure(33422)2538Buffer overflow in the RFC_START_PROGRAM function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended.20070404 CYBSEC Security Pre-Advisory: SAP RFC_START_PROGRAM RFC Function Multiple Vulnerabilities23313ADV-2007-127024722sap-rfc-startprogram-bo(33421)2538Buffer overflow in the RFC_START_GUI function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended.20070404 CYBSEC Security Pre-Advisory: SAP RFC_START_GUI RFC Function Buffer Overflow23304ADV-2007-127024722sap-rfc-startgui-bo(33420)2537Buffer overflow in the SYSTEM_CREATE_INSTANCE function in the SAP RFC Library 6.40 and 7.00 before 20061211 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended.20070404 CYBSEC Security Pre-Advisory: SAP SYSTEM_CREATE_INSTANCE RFC Function Buffer Overflow23307ADV-2007-127024722sap-rfc-createinstance-bo(33416)2536The RFC_SET_REG_SERVER_PROPERTY function in the SAP RFC Library 6.40 and 7.00 before 20070109 implements an option for exclusive access to an RFC server, which allows remote attackers to cause a denial of service (client lockout) via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended.20070404 CYBSEC Security Pre-Advisory: SAP RFC_SET_REG_SERVER_PROPERTY RFC Function Denial Of Service23309ADV-2007-127024722sap-rfc-setregserverproperty-dos(33418)2540Cross-site scripting (XSS) vulnerability in index.php in Arizona Dream Livre d'or (livor) 2.5 allows remote attackers to inject arbitrary web script or HTML via the page parameter.20070406 livor 2.5 Cross-Site Scripting Vulnerability23353livor-index-xss(33490)SQL injection vulnerability in index.php in the aktualnosci module in SmodBIP 1.06 and earlier allows remote attackers to execute arbitrary SQL commands via the zoom parameter, possibly related to home.php.367823356smodbip-index-sql-injection(33476)ADV-2007-129824802LIBSNDFILE.DLL, as used by AOL Nullsoft Winamp 5.33 and possibly other products, allows remote attackers to execute arbitrary code via a crafted .MAT (MATLAB sound) file that contains a value that is used as an offset, which triggers memory corruption.To exploit this issue, an attacker must entice an unsuspecting user to use the affected application to open a specially crafted file.20070406 AOL Nullsoft Winamp LIBSNDFILE.DLL Remote Memory Corruption (Off By Zero)23351ADV-2007-1286 1017886 24766 winamp-libsndfile-code-execution(33481) [dailydave] 20070406 AOL Nullsoft Winamp LIBSNDFILE.DLL Remote Memory Corruption (Off By Zero)2541The Impulse Tracker (IT) and ScreamTracker 3 (S3M) modules in IN_MOD.DLL in AOL Nullsoft Winamp 5.33 allows remote attackers to execute arbitrary code via a crafted (1) .IT or (2) .S3M file containing integer values that are used as memory offsets, which triggers memory corruption.20070406 AOL Nullsoft Winamp IT Module 20070406 AOL Nullsoft Winamp S3M Module 23350ADV-2007-12861017886winamp-inmod-code-execution(33480)[dailydave] 20070406 AOL Nullsoft Winamp IT Module [dailydave] 20070406 AOL Nullsoft Winamp S3M Module 2532(1) LedgerSMB and (2) DWS Systems SQL-Ledger implement access control lists by changing the set of URLs linked from menus, which allows remote attackers to access restricted functionality via direct requests.20070406 ACLS ineffective in SQL-Ledger and LedgerSMB23352 sqlledger-acl-weak-security(33494)2552** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in phpContact allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) contact_business.php or (2) contact_person.php. NOTE: this issue is disputed by CVE and a reliable third party, because include_path is initialized to a fixed value before use.20070406 phpContact Multiple Remote File Inclusion Vulnerabilities20070406 false: phpContact Multiple Remote File Inclusion Vulnerabilities2528The borrado function in modules/Your_Account/index.php in Tru-Zone Nuke ET 3.4 before fix 7 does not verify that account deletion requests come from the account owner, which allows remote authenticated users to delete arbitrary accounts via a modified cookie.23354ADV-2007-128524800nukeet-youraccount-data-manipulation(33483)Cross-site scripting (XSS) vulnerability in JBMC Software DirectAdmin before 1.293 does not properly display log files, which allows remote authenticated users to inject arbitrary web script or HTML via (1) http or (2) ftp requests logged in /var/log/directadmin/security.log; (3) allows context-dependent attackers to inject arbitrary web script or HTML into /var/log/messages via a PHP script that invokes /usr/bin/logger; (4) allows local users to inject arbitrary web script or HTML into /var/log/messages by invoking /usr/bin/logger at the command line; and allows remote attackers to inject arbitrary web script or HTML via remote requests logged in the (5) /var/log/exim/rejectlog, (6) /var/log/exim/mainlog, (7) /var/log/proftpd/auth.log, (8) /var/log/httpd/error_log, (9) /var/log/httpd/access_log, (10) /var/log/directadmin/error.log, and (11) /var/log/directadmin/security.log files.20070401 DirectAdmin persistant XSS [takeover an Administrator`s account]247282534Cross-site scripting (XSS) vulnerability in signup.asp in CmailServer WebMail 5.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the POP3Mail parameter.20070407 CmailServer WebMail <= V.5.3.4 (signup) Remote XSS Exploit23360 24812 cmailserver-signup-xss(33501)2529Directory traversal vulnerability in index.php in witshare 0.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the menu parameter.20070407 witshare 0.9 Remote File Include Vulnerabilitiy23358 ADV-2007-1303 24813 witshare-index-file-include(33496)2539Directory traversal vulnerability in downloadpic.php in Beryo 2.0, and possibly other versions including 2.4, allows remote atatckers to read arbitrary files via a .. (dot dot) in the chemin parameter.3676ADV-2007-1296beryo-downloadpic-directory-traversal(33479)2338724811Directory traversal vulnerability in download2.php in cattaDoc 2.21, and possibly other versions including 3.0, allows remote attackers to read arbitrary files via a .. (dot dot) in the fn1 parameter.3677ADV-2007-1297cattadoc-download2-directory-traversal(33474)2339024807SQL injection vulnerability in index.php in the slownik module in SmodCMS 2.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ssid parameter.3679ADV-2007-1299smodcms-ssid-sql-injection(33477)Directory traversal vulnerability in scarnews.inc.php in ScarNews 1.2.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sn_admin_dir parameter.3687ADV-2007-1304 23375 24796 scarnews-scarnewsinc-file-include(33492)Multiple directory traversal vulnerabilities in PcP-Guestbook (PcP-Book) 3.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter to (1) index.php, (2) gb.php, or (3) faq.php.pcpguestbook-lang-file-include(33491)Directory traversal vulnerability in member.php in the eBoard 1.0.7 module for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the GLOBALS[name] parameter.3683ADV-2007-1301 23365 24806 eboard-member-file-include(33493)PHP file inclusion vulnerability in admin/index.php in ScarAdControl (ScarAdController) 1.1 allows remote attackers to execute arbitrary PHP code via a UNC share pathname or a local file pathname in the site parameter, which is accessed by the file_exists function.3682PHP remote file inclusion vulnerability in scaradcontrol.php in ScarAdControl (ScarAdController) 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the sac_config_dir parameter.3682PHP remote file inclusion vulnerability in smilies.php in Scorp Book 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the config parameter.3681ADV-2007-1300 20070408 Scorp Book <== v1.0 (smilies.php) Remote File Include Exploit 24809 scorp-smilies-file-include(33495)Ichitaro 2005 through 2007, and possibly related products, allows remote attackers to have an unknown impact via unspecified vectors in a document distributed through e-mail or a web site, possibly due to a buffer overflow or cross-site scripting (XSS).ADV-2007-128724780233861017887ichitaro-unspecified-code-execution(33507)Cross-site scripting (XSS) vulnerability in the embedded webserver in Daniel Naber LanguageTool before 0.8.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message, possibly the demultiplex method in HTTPServer.java.ADV-2007-1759IBM Tivoli Business Service Manager (TBSM) 4.1 before Interim Fix 1 logs passwords in plaintext, which allows local users to obtain sensitive information by reading (1) ncisetup.db or (2) msi.log.IY9657223298ADV-2007-1248101786924763Cross-site scripting (XSS) vulnerability in the Active Content Filter feature in Domino Web Access (DWA) in IBM Lotus Notes before 6.5.6 and 7.x before 7.0.2 FP1 allows remote attackers to inject arbitrary web script or HTML via a multipart/related e-mail message, a different issue than CVE-2006-4843.1017870 23421Integer overflow in FastStone Image Viewer 2.9 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted BMP image, as demonstrated by wh3intof.bmp and wh4intof.bmp.20070404 Several Windows image viewers vulnerabilities23312247842558Integer overflow in ACDSee Photo Manager 9.0 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via large width image sizes in a crafted BMP image, as demonstrated by w3intof.bmp and w4intof.bmp.20070404 Several Windows image viewers vulnerabilities23317ADV-2007-1283247792558The Java Message Service (JMS) in IBM WebSphere Application Server (WAS) before 6.1.0.7 allows attackers to cause a denial of service via unknown vectors involving the "double release [of] a bytebuffer input stream," possibly a double free vulnerability.ADV-2007-128224852Unspecified vulnerability in the Servlet Engine/Web Container in IBM WebSphere Application Server (WAS) before 6.1.0.7 has unknown impact and attack vectors.PK36447ADV-2007-1282websphere-servlet-information-disclosure(33471) 24852Integer overflow in Windows Explorer in Microsoft Windows XP SP1 might allow user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large width dimension in a crafted BMP image, as demonstrated by w4intof.bmp.20070404 Several Windows image viewers vulnerabilities233212558Cross-zone scripting vulnerability in the DOM templates (domplates) used by the console.log function in the Firebug extension before 1.04 for Mozilla Firefox allows remote attackers to bypass zone restrictions, read arbitrary file:// URIs, or execute arbitrary code in the browser chrome by overwriting the toString function via a certain function declaration, related to incorrect identification of anonymous JavaScript functions, a different issue than CVE-2007-1878.20070406 Re: Firefox extensions go Evil - Critical Vulnerabilities in Firefox/FirebugBuffer overflow in IrfanView 3.99 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via the (1) xoffset or (2) yoffset RLE command, or (3) large non-RLE encoded blocks in a crafted BMP image, as demonstrated by rle8of3.bmp and rle8of4.bmp.20070404 Several Windows image viewers vulnerabilitiesADV-2007-12842558Session fixation vulnerability in WebBlizzard CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie.20070407 [MajorSecurity Advisory #42]webblizzard CMS - Cross Site Scripting and Session fixation Issues webblizzardcms-cookie-session-hijack(33499)2557Cross-site scripting (XSS) vulnerability in index_cms.php in WebBlizzard CMS allows remote attackers to inject arbitrary web script or HTML via the Suchzeile parameter.20070407 [MajorSecurity Advisory #42]webblizzard CMS - Cross Site Scripting and Session fixation Issues webblizzardcms-indexcms-xss(33498)2557Session fixation vulnerability in onelook obo Shop allows remote attackers to hijack web sessions by setting a PHPSESSID cookie.20070406 [MajorSecurity Advisory #40]onelook oboShop - Session fixation Issue oboshop-phpsessid-security-bypass(33500)Session fixation vulnerability in onelook onebyone CMS allows remote attackers to hijack web sessions by setting a PHPSESSID cookie.20070406 [MajorSecurity Advisory #39]onelook onebyone CMS - Session fixation Issue onebyonecms-phpsessid-security-bypass(33497)2546Session fixation vulnerability in onelook courts on-line allows remote attackers to hijack web sessions by setting a PHPSESSID cookie.20070406 [MajorSecurity Advisory #41]onelook courts online - Session fixation Issue courtsonline-phpsessid-security-bypass(33502)Multiple directory traversal vulnerabilities in ArchiveXpert 2.02 build 80 allow remote attackers to create files in arbitrary directories via a .. (dot dot) in a (1) .gz, (2) .jar, (3) .rar, (4) .tar.gz, (5) .zip, or (6) .tar file.24827 23372 ADV-2007-1311 archivexpert-archive-directory-traversal(33539)Multiple stack-based buffer overflows in the SignKorea SKCrypAX ActiveX control module 5.4.1.2 allow remote attackers to execute arbitrary code via a long string in unspecified arguments to the (1) DownloadCert, (2) DecryptFileByKey, and (3) EncryptFileByKey functions, a different module and vectors than CVE-2007-1722. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24820 23374SQL injection vulnerability in ubbthreads.php in Groupee UBB.threads 6.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the C parameter.20070408 UBB.threads (<= 6.1.1) SQL Injection Vulnerability 23369 ubbthreads-ubbthreads-sql-injection(33509)2545Multiple PHP remote file inclusion vulnerabilities in Guernion Sylvain Portail Web Php (aka Gsylvain35 Portail Web, PwP) allow remote attackers to execute arbitrary PHP code via a URL in the pageAll parameter to index.php in (1) template/Vert/, or (2) template/Noir/.20070408 Gsylvain35 Portail Web Remote File Include Vulnerabilities2543Buffer overflow in TinyMUX before 2.4 allows attackers to cause a denial of service via unspecified vectors related to "too many substring matches in a regexp $-command." NOTE: some of these details are obtained from third party information.ADV-2007-1213Unspecified vulnerability in the process_cmdent function in command.cpp in TinyMUX before 2.4 has unknown impact and attack vectors, related to lack of the "'other half' of buffer overflow protection."ADV-2007-1213SQL injection vulnerability in visit.php in the Rha7 Downloads (rha7downloads) 1.0 module for XOOPS, and possibly other versions up to 1.10, allows remote attackers to execute arbitrary SQL commands via the lid parameter.36662332024790PHP remote file inclusion vulnerability in mutant_functions.php in the Mutant 0.9.2 portal for phpBB 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.366523319 ADV-2007-1265SQL injection vulnerability in index.php in the WF-Snippets 1.02 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the c parameter in a cat action.3663xoops-wfsnippets-index-sql-injection(33425)ADV-2007-126324781SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.20070403 MyBulletinBoard (MyBB) <= 1.2.3 Remote Code Execution Exploit3653ADV-2007-124424689member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account's registered e-mail address in a debug request for a do_lostpw action, which prints the change password verification code in the debug output.20070330 Mybb Change Password Vulnerability2544Multiple cross-site scripting (XSS) vulnerabilities in eXV2 CMS 2.0.4.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the set_lang parameter to (1) archive.php, (2) article.php, (3) index.php, or (4) topics.php.20070404 [MajorSecurity Advisory #38]eXV2 CMS - Session fixation and Cross-Site-Scripting Issues23314Session fixation vulnerability in eXV2 CMS 2.0.4.3 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID cookie.20070404 [MajorSecurity Advisory #38]eXV2 CMS - Session fixation and Cross-Site-Scripting Issues** DISPUTED ** PHP remote file inclusion vulnerability in index.php in stat12 allows remote attackers to execute arbitrary PHP code via a URL in the langpath parameter. NOTE: this issue was published by an unreliable researcher, and there is little information to determine which product is actually affected. This is probably an invalid report based on analysis by CVE and a third party.20070403 Remote File Include In Script stat1220070403 [false] Remote File Include In Script stat1220070411 [false] Remote File Include In Script stat122555PHP remote file inclusion vulnerability in games.php in Sam Crew MyBlog, possibly 1.0 through 1.6, allows remote attackers to execute arbitrary PHP code via a URL in the scoreid parameter.20070404 MyBlog: PHP and MySQL Blog/CMS software Remote File Include Vulnerabilitiy20070410 True: MyBlog games.php RFI23311 3685 ADV-2007-13022548Cross-site scripting (XSS) vulnerability in admin/modify.php in Sam Crew MyBlog remote attackers to inject arbitrary web script or HTML via the id parameter.20070404 MyBlog: PHP and MySQL Blog/CMS software Cross-Site Scripting Vulnerabilitiy2549Mozilla Firefox does not warn the user about HTTP elements on an HTTPS page when the HTTP elements are dynamically created by a delayed document.write, which allows remote attackers to supply unauthenticated content and conduct phishing attacks.20070404 Mozilla Firefox Insecure Element Stealth Injection VulnerabilitySQL injection vulnerability in fotokategori.asp in Gazi Okul Sitesi 2007 allows remote attackers to execute arbitrary SQL commands via the query string.20070404 Gazi Okul Sitesi 2007(tr)(fotokategori.asp) Remote SQL Injection233162547** DISPUTED ** PatrolAgent.exe in BMC Performance Manager does not require authentication for requests to modify configuration files, which allows remote attackers to execute arbitrary code via a request on TCP port 3181 for modification of the masterAgentName and masterAgentStartLine SNMP parameters. NOTE: the vendor disputes this vulnerability, stating that it does not exist when the system is properly configured.20070418 ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability23559ADV-2007-1458 20070419 Re: ZDI-07-020: BMC Performance Manager SNMP Command Execution Vulnerability 10179352599Race condition in the Virtual DOS Machine (VDM) in the Windows Kernel in Microsoft Windows NT 4.0 allows local users to modify memory and gain privileges via the temporary \Device\PhysicalMemory section handle, a related issue to CVE-2007-1206.20070410 EEYE: Windows VDM Zero Page Race Condition Privilege Escalation2563SQL injection vulnerability in the getArticle function in class/wfsarticle.php in WF-Section (aka WF-Sections) 1.0.1, as used in Xoops modules such as (1) Zmagazine 1.0, (2) Happy Linux XFsection 1.07 and earlier, and possibly other modules, allows remote attackers to execute arbitrary SQL commands via the articleid parameter to print.php.36443645364620070411 WF-Sections SQL injection vendor ack; shows up in other modules232582325923261ADV-2007-1207ADV-2007-1208ADV-2007-1209xoops-wfsection-print-sql-injection(33378)xoops-zmagazine-print-sql-injection(33379)xoops-xfsection-print-sql-injection(33380)20080218 XOOPS Module section SQL Injection(articleid)Multiple PHP remote file inclusion vulnerabilities in SLAED CMS 2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) path parameter to admin/admin.php or the (2) modpath parameter to index.php.20070331 Remot File Include In SLAED_CMS_2slaed-index-admin-file-include(33343)2567** DISPUTED ** PHP remote file inclusion vulnerability in index.php in the Virii Info 1.10 and earlier module for Xoops allows remote attackers to execute arbitrary PHP code via a URL in the xoopsConfig[root_path] parameter. NOTE: the issue has been disputed by a reliable third party, stating that the application's checkSuperglobals function defends against the attack.364220070403 Bogus - [Xoops Module Virii Info <= 1.10 (index.php) Remote File Include Exploit]20070403 Bogus - [Xoops Module Virii Info <= 1.10 (index.php) Remote File Include Exploit]ADV-2007-1206xoops-virii-index-file-include(33368)Cross-site scripting (XSS) vulnerability in index_cms.php in holaCMS 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the acuparam parameter.24656 20070403 [MajorSecurity Advisory #37]HolaCMS - Cross Site Scripting Issue 23288 holacms-indexcms-xss(33392)SQL injection vulnerability in index.php in the Arcade 1.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view_game_list action.3640ADV-2007-1205phpfusion-arcade-index-sql-injection(33361)SQL injection vulnerability in index.php in the PopnupBlog 2.52 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the postid parameter, possibly involving the get_blogid_from_postid function in class/PopnupBlogUtils.php. NOTE: later versions such as 3.03 and 3.05 might also be affected.365523286ADV-2007-120624761SQL injection vulnerability in index.php in the Topliste 1.0 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the cid parameter.363923256ADV-2007-1204phpfusion-topliste-index-sql-injection(33364)The safevoid_vsnprintf function in Metamod-P 1.19p29 and earlier on Windows allows remote attackers to cause a denial of service (daemon crash) via a long meta list command.ADV-2007-124724738Multiple PHP remote file inclusion vulnerabilities in Really Simple PHP and Ajax (RSPA) 2007-03-23 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) __IncludeFilePHPClass, (2) __ClassPath, and (3) __class parameters to (a) rspa/framework/Controller_v5.php, and (b) rspa/framework/Controller_v4.php.364123246ADV-2007-119024671rspa-controller-file-include(33356)PHP remote file inclusion vulnerability in include/default_header.php in Cyboards PHP Lite 1.21 allows remote attackers to execute arbitrary PHP code via a URL in the script_path parameter, a different vector than CVE-2006-2871.366020070411 Cyboards PHP RFI: true for 1.21, fixed in at least 1.2523306cyboards-defaultheader-file-include(33406)PHP remote file inclusion vulnerability in index.php in lite-cms 0.2.1 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.20070404 lite-cms-0.2.1 Remote File Include Vulnerabilities2559Multiple PHP remote file inclusion vulnerabilities in phpexplorator.php in phpexplorator 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) cmd or (2) lang_path parameter.20070404 Remot File Include In phpexplorator_2_02564Multiple PHP remote file inclusion vulnerabilities in barnraiser AROUNDMe 0.7.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) language_path_core parameter to inc/core_profile.header.php, the (2) template_path_core parameter to template/barnraiser_01/maint_contact_view.tpl.php, and the (3) template_path parameter to template/barnraiser_01/default.tpl.php. NOTE: this issue might overlap CVE-2006-5533.365923303 ADV-2007-1262 24773 aroundme-multiple-file-include(33427)** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in PHPEcho CMS 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) _plugin_file parameter to smarty/internals/core.load_pulgins.php or the (2) root_path parameter to index.php. NOTE: CVE disputes (1) because the inclusion occurs within a function that is not called during a direct request. CVE disputes (2) because root_path is defined in config.php before use.20070404 phpechocms2 Remote File Include Vulnerabilities2551Cross-site scripting (XSS) vulnerability in kernel/filters.inc.php in PHPEcho CMS 2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.20070404 phpechocms v.2 Cross-Site Scripting Vulnerabilitiy2550Multiple cross-site scripting (XSS) vulnerabilities in DotClear before 1.2.6 allow remote attackers to inject arbitrary web script or HTML via the (1) post_id parameter to ecrire/trackback.php or the (2) tool_url parameter to tools/thememng/index.php. NOTE: some of these details are obtained from third party information.24829 20070412 Dotclear 1.* Cross Site Scripting Vulnerability 23411 ADV-2007-1338 dotclear-tools-xss(33616) dotclear-trackback-xss(33615)PHP remote file inclusion vulnerability in games.php in Sam Crew MyBlog, possibly 1.0 through 1.6, allows remote attackers to execute arbitrary PHP code via a URL in the id parameter, a different vector than CVE-2007-1968. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-1302Cross-site scripting (XSS) vulnerability in mail/signup.asp in CmailServer WebMail 5.4.3, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the Comment parameter, a different vector than CVE-2007-1927.2336324812cmailserver-signup-xss(33501)Multiple PHP remote file inclusion vulnerabilities in the com_zoom 2.5 beta 2 and earlier module for Mambo allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) EXIF_Makernote.php or (2) EXIF.php in classes/iptc/.370623415 ADV-2007-1353 zmg-exif-file-include(33580)Buffer overflow in the pfs_mountd.rpc RPC daemon in the Portable File System (PFS) in HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to execute arbitrary code by sending "a call to procedure 5, followed by a crafted payload to procedure 2."HPSBUX0220323401ADV-2007-134310178932485520070412 Hewlett Packard HP-UX Remote pfs_mountd.rpc Buffer Overflow VulnerabilityUnspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport functionality in HP-UX B.11.00 allows local users to cause a denial of service via unknown vectors. NOTE: due to lack of vendor details, it is not clear whether this is the same as CVE-2007-0916.HPSBUX02205234101017892 ADV-2007-1358bgpd/bgp_attr.c in Quagga 0.98.6 and earlier, and 0.99.6 and earlier 0.99 versions, does not validate length values in the MP_REACH_NLRI and MP_UNREACH_NLRI attributes, which allows remote attackers to cause a denial of service (daemon crash or exit) via crafted UPDATE messages that trigger an assertion error or out of bounds read.ADV-2007-133624808quagga-bgpattributes-dos(33547)23417MDKSA-2007:096GLSA-200705-05SUSE-SR:2007:0092508425119DSA-12932007-0017USN-461-1252552531225293MDKSA-2007:096OpenPKG-SA-2007.015RHSA-2007:0389101814225428236141ADV-2008-119529743PHP remote file inclusion vulnerability in codebreak.php in CodeBreak, probably 1.1.2 and earlier, allows remote attackers to execute arbitrary PHP code via a URL in the process_method parameter.20070411 CodeBreak (codebreak.php process_method) - Remote File Inclusion Vulnerability23425ADV-2007-1355248462562Integer signedness error in the (1) cab_unstore and (2) cab_extract functions in libclamav/cab.c in Clam AntiVirus (ClamAV) before 0.90.2 allow remote attackers to execute arbitrary code via a crafted CHM file that contains a negative integer, which passes a signed comparison and leads to a stack-based buffer overflow.20070416 Clam AntiVirus ClamAV CAB File Unstore Buffer Overflow Vulnerability23473ADV-2007-137824891clamav-cabunstore-cabextract-bo(33637) 1017921 GLSA-200704-21 SUSE-SA:2007:026 2007-0013 24920 24946 24996 25022 DSA-1281 25028 MDKSA-2007:098 25189MDKSA-2007:098APPLE-SA-2008-03-18ADV-2008-092429420Direct static code injection vulnerability in HIOX Guest Book (HGB) 4.0 allows remote attackers to inject arbitrary PHP code via the Email field, which results in code execution through a direct request to gb.php.3697 24835 hgb-gb-command-execution(33540) ADV-2007-1333PHP remote file inclusion vulnerability in index.php in Weatimages 1.7.1 and earlier, when weatimages.ini is missing, allows remote attackers to execute arbitrary PHP code via a URL in the ini[langpack] parameter.3700 ADV-2007-1335 24863 weatimages-index-file-include(33553)Multiple SQL injection vulnerabilities in admin/admin.php in Crea-Book 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) pseudo or (2) passe parameter.3701 ADV-2007-1344 creabook-admin-sql-injection(33555)3481624862Multiple direct static code injection vulnerabilities in admin/configurer2.php in Crea-Book 1.0 and earlier allow remote authenticated administrators to execute arbitrary PHP code via the "Fond de la page" (background color) field and other unspecified fields, which injects into config.inc.php3.37013481724862InoutMailingListManager 3.1 and earlier allows remote attackers to access certain restricted functionality, and upload and execute arbitrary PHP code, by setting an arbitrary admin cookie.3702 ADV-2007-1345 24842InoutMailingListManager 3.1 and earlier sends a Location redirect header but does not exit after an authorization check fails, which allows remote attackers to access certain restricted functionality, and upload and execute arbitrary PHP code, by ignoring the redirect.3702 ADV-2007-1345 24842Multiple SQL injection vulnerabilities in InoutMailingListManager 3.1 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to changename.php and other unspecified vectors.3702 ADV-2007-1345 24842Multiple PHP remote file inclusion vulnerabilities in the Taskhopper 1.1 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) contact_type.php, (2) itemstatus_type.php, (3) projectstatus_type.php, (4) request_type.php, (5) responses_type.php, (6) timelog_type.php, or (7) urgency_type.php in inc/.370323408ADV-2007-1346taskhopper-mosconfigabsolute-file-include(33552)20070411 Confirm: Joomla/Mambo Component Taskhopper 1.1 RFI Vulnerabilities34795347963479734798347993480034801Multiple SQL injection vulnerabilities in login.php in pL-PHP beta 0.9 allow remote attackers to execute arbitrary SQL commands via the (1) login or (2) pass parameter.3704 20070411 pL-PHP beta 0.9 - Multiple Vulnerabilities ADV-2007-1352admin.php in pL-PHP beta 0.9 allows remote attackers to bypass authentication by setting the is_admin parameter to 1.3704 20070411 pL-PHP beta 0.9 - Multiple Vulnerabilities ADV-2007-1352Directory traversal vulnerability in admin.php in pL-PHP beta 0.9 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.3704 20070411 pL-PHP beta 0.9 - Multiple Vulnerabilities ADV-2007-1352PHP remote file inclusion vulnerability in index.php in SimpCMS Light 04.10.2007 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the site parameter.370520070412 true: SimpCMS Light RFI 23439 ADV-2007-1348 24851 simpcms-index-file-include(33572) 20070411 New bug :)Double free vulnerability in bftpd before 1.8 allows remote authenticated users to cause a denial of service (daemon crash) via a (1) get or (2) mget command.2486423406ADV-2007-1347bftpd-getmget-dos(33594)Cross-site scripting (XSS) vulnerability in login.php in DeskPro 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the username parameter.20070408 DeskPRO v2.0.1 - Cross-Site Scripting Vulnerability2338124844 ADV-2007-13202556Multiple directory traversal vulnerabilities in MimarSinan CompreXX 4.1 allow remote attackers to create files in arbitrary directories via a .. (dot dot) in a (1) .rar, (2) .jar or (3) .zip archive.23362ADV-2007-131224840 comprexx-archive-directory-traversal(33551)Cross-site scripting (XSS) vulnerability in index.php in JEx-Treme Einfacher Passworschutz allows remote attackers to inject arbitrary web script or HTML via the msg parameter.ADV-2007-1316 23395 24922PHP remote file inclusion vulnerability in include/blocks/week_events.php in MyNews 4.2.2 allows remote attackers to execute arbitrary PHP code via a URL in the myNewsConf[path][sys][index] parameter, a different vector than CVE-2007-0633.ADV-2007-1317PHP remote file inclusion vulnerability in index.php in Request It 1.0b allows remote attackers to execute arbitrary PHP code via a URL in the id parameter.20070409 Request It : Song Request System 1.0b - remote file inclusion20070411 true: Request It : Song Request System 1.0b RFI23370ADV-2007-1318248322553Cross-site scripting (XSS) vulnerability in mysql/phpinfo.php in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary web script or HTML via the lang[] parameter.20070408 phpMyAdmin 2.6.1 Local Cross Site Scripting2560siteadmin/useredit.php in AlstraSoft Video Share Enterprise does not check authentication, which allows remote attackers to obtain or modify user information via a direct request.23409ADV-2007-133124836 alstrasoft-vse-useredit-insecure-permissions(33548)20070710 Vendor ACK: CVE-2007-2017 (AlstraSoft useredit.php auth bypass)SQL injection vulnerability in msg.php in AlstraSoft Video Share Enterprise allows remote authenticated users to execute arbitrary SQL commands via the id parameter.23409ADV-2007-133124836 alstrasoft-vse-msg-sql-injection(33546)PHP remote file inclusion vulnerability in init.gallery.php in phpGalleryScript 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the include_class parameter.20070409 phpGalleryScript 1.0 - File Inclusion Vulnerabilities20070410 false: phpGalleryScript 1.0 - File Inclusion Vulnerabilities ADV-2007-1334 24860 phpgalleryscript-gallery-file-include(33545)2566** DISPUTED ** Unspecified vulnerability in administration.php in xodagallery allows remote attackers to execute arbitrary code via the cmd parameter. NOTE: CVE disputes this vulnerability because administration.php does not use the cmd parameter for inclusion.20070408 xodagallery Remote Code Execution Vulnerability20070412 probably false: xodagallery execution claimxodagallery-administration-code-execution(33522)2561Multiple PHP remote file inclusion vulnerabilities in Pineapple Technologies Lore 1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) lang_path parameter to third_party/phpmailer/class.phpmailer.php or the (2) get_plugin_file_path parameter to third_party/smarty/libs/plugins/function.html_checkboxes.php. NOTE: the affected files might be from other software packages, so this might not be a vulnerability in Lore itself. NOTE: (1) might be the same issue as CVE-2006-5734.4.20070408 Remot File Include In Script Lore v12565Adobe Macromedia Flash Player 7 and 9, when used with Opera before 9.20 or Konqueror before 20070613, allows remote attackers to obtain sensitive information (browser keystrokes), which are leaked to the Flash Player applet.23437ADV-2007-1361101790324877opera-flash-player-unspecified(33595)SUSE-SA:2007:02825027GLSA-200708-01MDKSA-2007:138RHSA-2007:049420070602-01-PSUSE-SR:2007:012SUSE-SA:2007:046TA07-192AADV-2007-2497254322566225669258942593326027261182635726860103167ADV-2007-419028068201506USB20.dll in Secustick USB flash drive decouples the authorization and file access routines, which allows local users to bypass authentication requirements by altering the return value of the VerifyPassWord function.Unrestricted file upload vulnerability in the UpLoad feature (lib/plugin/UpLoad.php) in PhpWiki 1.3.x allows remote attackers to upload arbitrary PHP files with a (1) php3, (2) php4, or (3) php5 extension."Successful exploitation requires being logged in and that the webserver is configured to execute PHP scripts with such extensions. In the default configuration of PhpWiki, no registration or validation is necessary to log in." 20070412 Critical phpwiki c99shell exploit20070412 RE: Critical phpwiki c99shell exploit20070412 Re: Critical phpwiki c99shell exploit[phpwiki-talk] 20070413 Fwd: Critical phpwiki c99shell exploitVU#91479324888 ADV-2007-1400 GLSA-200705-16 25307DSA-137126784Unrestricted file upload vulnerability in the UpLoad feature (lib/plugin/UpLoad.php) in PhpWiki 1.3.11p1 allows remote attackers to upload arbitrary PHP files with a double extension, as demonstrated by .php.3, which is interpreted by Apache as being a valid PHP file.[phpwiki-talk] 20070408 Important UpLoad security fix! was [Fwd: [phpwiki - Open Discussion] RE: upload security risk] GLSA-200705-16 25307DSA-137126784The gnu regular expression code in file 4.20 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted document with a large number of line feed characters, which is not well handled by OS/2 REXX regular expressions that use wildcards, as originally reported for AMaViS. GLSA-200704-13 24918MDKSA-2007:11424146ADV-2007-2071253942554425578Untrusted search path vulnerability in the add_filename_to_string function in intl/gettext/loadmsgcat.c for Elinks 0.11.1 allows local users to cause Elinks to use an untrusted gettext message catalog (.po file) in a "../po" directory, which can be leveraged to conduct format string attacks.An untrusted message catalog might lead to a format-string attack when an attacker tricks user into launching links from a particular directory. USN-457-123844ADV-2007-168625169251982007-001725255GLSA-200706-0325550Memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not reclaim VALUE_PAIR data structures. MDKSA-2007:085 23466 ADV-2007-1369 24849 24907 GLSA-200704-14 2007-0013 24917 24996 RHSA-2007:0338 SUSE-SR:2007:010 1018042 25201 25220MDKSA-2007:085File descriptor leak in the PDF handler in Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service via a crafted PDF file.DSA-12812365625028MDKSA-2007:09825189MDKSA-2007:098clamav-pdfhandler-dos(34083)lharc.c in lha does not securely create temporary files, which might allow local users to read or write files by creating a file before LHA is invoked.MDKSA-2007:1172433625519lha-lharc-symlink(34063)Buffer overflow in the HTTP proxy service for 3proxy 0.5 to 0.5.3g, and 0.6b-devel before 20070413, might allow remote attackers to execute arbitrary code via crafted transparent requests. GLSA-200704-17 23545 ADV-2007-1442 24961 25001 20070423 3proxy 0.5.3i bugfix releaseCisco Wireless Control System (WCS) before 4.0.96.0 has a hard-coded FTP username and password for backup operations, which allows remote attackers to read and modify arbitrary files via unspecified vectors related to "properties of the FTP server," aka Bug ID CSCse93014.20070412 Multiple Vulnerabilities in the Cisco Wireless Control System23460ADV-2007-1367101790724865cisco-wcs-ftp-unauthorized-access(33614)34132Unspecified vulnerability in Cisco Wireless Control System (WCS) before 4.0.81.0 allows remote authenticated users to read any configuration page by changing the group membership of user accounts, aka Bug ID CSCse78596.20070412 Multiple Vulnerabilities in the Cisco Wireless Control System23460ADV-2007-1367101790724865cisco-wcs-account-privilege-escalation(33612)34129Unspecified vulnerability in Cisco Wireless Control System (WCS) before 4.0.87.0 allows remote authenticated users to gain the privileges of the SuperUsers group, and manage the application and its networks, related to the group membership of user accounts, aka Bug ID CSCsg05190.20070412 Multiple Vulnerabilities in the Cisco Wireless Control System23460ADV-2007-1367101790724865cisco-wcs-account-privilege-escalation(33612)34130Cisco Wireless Control System (WCS) before 4.0.66.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain network organization data via a direct request for files in certain directories, aka Bug ID CSCsg04301.20070412 Multiple Vulnerabilities in the Cisco Wireless Control System23460ADV-2007-1367101790724865cisco-wcs-password-information-disclosure(33606)34131The SNMP implementation in the Cisco Wireless LAN Controller (WLC) before 20070419 uses the default read-only community public, and the default read-write community private, which allows remote attackers to read and modify SNMP variables, aka Bug ID CSCse02384.20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points23461ADV-2007-13681017908cisco-wlc-default-snmp(33604)34134Cisco Wireless LAN Controller (WLC) before 3.2.116.21, and 4.0.x before 4.0.155.0, allows remote attackers on a local network to cause a denial of service (device crash) via malformed Ethernet traffic.20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points23461ADV-2007-13681017908cisco-wlc-ethernet-traffic-dos(33607)34135The Network Processing Unit (NPU) in the Cisco Wireless LAN Controller (WLC) before 3.2.193.5, 4.0.x before 4.0.206.0, and 4.1.x allows remote attackers on a local wireless network to cause a denial of service (loss of packet forwarding) via (1) crafted SNAP packets, (2) malformed 802.11 traffic, or (3) packets with certain header length values, aka Bug ID CSCsg36361.20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points23461ADV-2007-13681017908cisco-wlc-npu-traffic-dos(33609)34136The Network Processing Unit (NPU) in the Cisco Wireless LAN Controller (WLC) before 3.2.171.5, 4.0.x before 4.0.206.0, and 4.1.x allows remote attackers on a local wireless network to cause a denial of service (loss of packet forwarding) via (1) crafted SNAP packets, (2) malformed 802.11 traffic, or (3) packets with certain header length values, aka Bug IDs CSCsg15901 and CSCsh10841.20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points23461ADV-2007-13681017908cisco-wlc-npu-traffic-dos(33609)3413734139Cisco Aironet 1000 Series and 1500 Series Lightweight Access Points before 3.2.185.0, and 4.0.x before 4.0.206.0, have a hard-coded password, which allows attackers with physical access to perform arbitrary actions on the device, aka Bug ID CSCsg15192.20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points23461ADV-2007-13681017908 cisco-aironet-default-password(33610)34133Cisco Wireless LAN Controller (WLC) before 4.0.206.0 saves the WLAN ACL configuration with an invalid checksum, which prevents WLAN ACLs from being loaded at boot time, and might allow remote attackers to bypass intended access restrictions, aka Bug ID CSCse58195.20070412 Multiple Vulnerabilities in the Cisco Wireless LAN Controller and Cisco Lightweight Access Points23461ADV-2007-13681017908cisco-wlc-acl-weak-security(33611)34138Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde Solutions MOSMedia Lite 1.0.6 and earlier module for Mambo allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) support.html.php or (2) info.html.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-1357Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde Solutions MOSMedia (com_mosmedia) 1.08 and earlier module for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) media.tab.php or (2) media.divs.php.371423432ADV-2007-1357PHP remote file inclusion vulnerability in mod_weather.php in the Antonis Ventouris Weather module for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter.3712ADV-2007-1356Unspecified vulnerability in the IP implementation in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (CPU consumption) via crafted IP packets, probably related to fragmented packets with duplicate or missing fragments.102866 ADV-2007-1375 1017911 24857 solaris-ip-packet-dos(33597) 23468 24987oval:org.mitre.oval:def:9127Multiple CRLF injection vulnerabilities in adclick.php in (a) Openads (phpAdsNew) 2.0.11 and earlier and (b) Openads for PostgreSQL (phpPgAds) 2.0.11 and earlier allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in (1) the dest parameter and (2) the Referer HTTP header. NOTE: some of these details are obtained from third party information.ADV-2007-136424876CRLF injection vulnerability in www/delivery/ck.php in Openads 2.3 (aka Max Media Manager, MMM) before 0.3.31-alpha-pr3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the destination parameter. NOTE: some of these details are obtained from third party information.ADV-2007-1365Directory traversal vulnerability in /console in the Management Console in webMethods Glue 6.5.1 and earlier allows remote attackers to read arbitrary system files via a .. (dot dot) in the resource parameter.20070411 webMethods Glue Management Console Directory Traversal23423ADV-2007-1363 20070417 webMethods Security Advisory: Glue console directory traversal vulnerability 1017926 249332589Multiple PHP remote file inclusion vulnerabilities in the Calendar Module (com_calendar) 1.5.5 for Mambo allow remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter to (1) com_calendar.php or (2) mod_calendar.php.371323435Multiple directory traversal vulnerabilities in header.php in RicarGBooK 1.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) a lang cookie or (2) the language parameter.371824858 23450 ADV-2007-1370 ricargbook-header-file-include(33596)Buffer overflow in the parsecmd function in bftpd before 1.8 has unknown impact and attack vectors related to the confstr variable.ADV-2007-1347Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.MDKSA-2007:099238872519025217ADV-2007-146525233MDKSA-2007:099RHSA-2007:1076RHSA-2007:1077SUSE-SR:2007:0132007-00192535325787280272805020080221 VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updates[Security-announce] 20080221 VMSA-2008-0003 Moderate: Updated aacraid driver and samba and python service console updatesADV-2008-063729032USN-585-129303DSA-155129889Multiple stack-based buffer overflows in AFFLIB before 2.2.6 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) a long LastModified value in an S3 XML response in lib/s3.cpp; (2) a long (a) path or (b) bucket in an S3 URL in lib/vnode_s3.cpp; or (3) a long (c) EFW, (d) AFD, or (c) aimage file path. NOTE: the aimage vector (3c) has since been recalled from the researcher's original advisory, since the code is not called in any version of AFFLIB.The vendor has addressed this issue through a product update: http://www.afflib.org/downloads/ 20070427 AFFLIB(TM): Multiple Buffer Overflows23695 afflib-multiple-bo(33961)2655Multiple format string vulnerabilities in AFFLIB before 2.2.6 allow remote attackers to execute arbitrary code via certain command line parameters, which are used in (1) warn and (2) err calls in (a) lib/s3.cpp, (b) tools/afconvert.cpp, (c) tools/afcopy.cpp, (d) tools/afinfo.cpp, (e) aimage/aimage.cpp, (f) aimage/imager.cpp, and (g) tools/afxml.cpp. NOTE: the aimage.cpp vector (e) has since been recalled from the researcher's original advisory, since the code is not called in any version of AFFLIB.The vendor has addressed this issue through the following product update: http://www.afflib.org/downloads/ 20070427 AFFLIB(TM): Multiple Format String Injections afflib-multiple-format-string(33969)2657AFFLIB 2.2.8 and earlier allows attackers to execute arbitrary commands via shell metacharacters involving (1) certain command line parameters in tools/afconvert.cpp and (2) arguments to the get_parameter function in aimage/ident.cpp. NOTE: it is unknown if the get_parameter vector (2) is ever called.The vendor has addressed this issue through a product update which can be found at: http://www.afflib.org/downloads/ 20070427 AFFLIB(TM): Multiple Shell Metacharacter Injections afflib-multiple-command-execution(33964)2656** REJECT ** The getlock function in aimage/aimage.cpp in AFFLIB 2.2.8 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary lock files (aka "time-of-check-time-of-use file race"). NOTE: the researcher has retracted the original advisory, stating that "the portion of vulnerable code is not called in any current version of AFFLIB and is therefore not exploitable." 20070427 AFFLIB(TM): Time-of-Check-Time-of-Use File Race 20070428 please retract CVE-2007-2056 "Time-of-Check-Time-of-Use File Race in AFFLIB" 20070429 Re: please retract CVE-2007-2056 "Time-of-Check-Time-of-Use File Race in AFFLIB" 23696Stack-based buffer overflow in aircrack-ng airodump-ng 0.7 allows remote attackers to execute arbitrary code via crafted 802.11 authentication packets.20070412 Aircrack-ng (airodump-ng) remote buffer overflow vulnerability23467ADV-2007-137924880aircrackng-airodumpng-bo(33626) DSA-1280 GLSA-200704-16 VU#349828 24964 249822584Directory traversal vulnerability in Acubix PicoZip 4.02 allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in the file path in an (1) GZ, (2) TAR, (3) RAR, (4) JAR, or (5) ZIP archive.23471ADV-2007-137724868picozip-archive-directory-traversal(33639)Multiple buffer overflows in the ESA protocol implementation in eIQnetworks Enterprise Security Analyzer (ESA) 2.5 allow remote attackers to execute arbitrary code via a long parameter to the (1) DELETESEARCHFOLDER, (2) DELTASK, (3) HMGR_CHECKHOSTSCSV, (4) TASKUPDATEDUSER, (5) VERIFYUSERKEY, or (6) VERIFYPWD command.20070412 INFIGO-2007-04-05: Enterprise Security Analyzer server remotebuffer overflowsADV-2007-138024881eiqnetworks-esa-multiple-commands-bo(33646)Cross-zone scripting vulnerability in the Wizz RSS Reader before 2.1.9 extension to Mozilla Firefox allows remote attackers to execute arbitrary Javascript in the browser chrome via the RSS feed DOM.VU#319464 23523 ADV-2007-1425 24913 firefox-wizz-rssfeed-xss(33693)Cross-site scripting (XSS) vulnerability in check_login.asp in AfterLogic MailBee WebMail Pro 3.4 allows remote attackers to inject arbitrary web script or HTML via the username parameter.20070413 [MajorSecurity Advisory #44]MailBee WebMail Pro - Cross Site Scripting Issue23481mailbee-checklogin-xss(33645) ADV-2007-1416 248822572Stack-based buffer overflow in VCDGear 3.55 and 3.56 BETA allows user-assisted remote attackers to execute arbitrary code via a long FILE argument in a CUE file.20070414 VCDGear <= 3.56 Build 050213 (FILE) Local Code Execution Exploit37272347524884vcdgear-seh-bo(33642)SSH Tectia Server for IBM z/OS before 5.4.0 uses insecure world-writable permissions for (1) the server pid file, which allows local users to cause arbitrary processes to be stopped, or (2) when _BPX_BATCH_UMASK is missing from the environment, creates HFS files with insecure permissions, which allows local users to read or modify these files and have other unknown impact.23508101791324916ADV-2007-1414ssh-tectia-pid-hfs-privilege-escalation(33699)35014Multiple PHP remote file inclusion vulnerabilities in Robert Ladstaetter ActionPoll 1.1.0, and possibly 1.1.1, allow remote attackers to execute arbitrary PHP code via a URL in (1) the CONFIG_POLLDB parameter to actionpoll.php or (2) the CONFIG_DB parameter to db/DataReaderWriter.php, different vectors than CVE-2001-1297.20070415 ActionPoll Script (actionpoll.php) Remote File Include // starhack.org2078823504 actionpoll-multiple-file-include(33691)2587PHP remote file inclusion vulnerability in db/PollDB.php in Robert Ladstaetter ActionPoll 1.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the CONFIG_DATAREADERWRITER parameter, a different vector than CVE-2001-1297. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.20788UseBB before 1.0.6 allows remote attackers to obtain sensitive information via a request with unspecified GET or POST parameters to an unspecified script, which reveals the path in an error message.24837Multiple PHP remote file inclusion vulnerabilities in Marco Antonio Islas Cruz Web Slider (WebSlider) 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) index.php, (2) modules/pdf.php, (3) plugins/highlight.php, or (4) include/modules.php.3745ADV-2007-1397webslider-path-file-include(33689)Multiple PHP remote file inclusion vulnerabilities in the StoreFront mods for Gallery allow remote attackers to execute arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter to (1) mods/business_functions.php or (2) mods/ui_functions.php.374923516 ADV-2007-1423 24890 storefront-functions-file-include(33701)Directory traversal vulnerability in scr/soustab.php in openMairie 1.11 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the dsn[phptype] parameter.374723505 ADV-2007-1421 openmairie-soustab-file-include(33700)Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tools SunShop Shopping Cart before 3.5.1 allow remote attackers to execute arbitrary PHP code via a URL in the abs_path parameter to (1) index.php or (2) checkout.php.374823511ADV-2007-1422sunshop-index-checkout-file-include(33670)Multiple cross-site scripting (XSS) vulnerabilities in Open-gorotto 2.0a 2006/02/08 edition, 2006/03/19 edition, and 2006/04/07 edition before 20070416 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) pub/modules/d/_top.html; (2) /pub/modules/a/_access.html; (3) _circletop.html or (4) _cir66.html in pub/modules/ci/; or (5) _fri66.html, (6) _inv66.html, (7) _top.html, (8) _friends.html, or (9) _fri33.html in pub/modules/f/.23507ADV-2007-1398** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Ivan Gallery Script 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the dir parameter. NOTE: this issue has been disputed by third party researchers for 0.3, stating that the dir variable is properly initialized before use.20070416 Ivan Gallery Script V.0.1 (index.php) Remote File Include Exploit20070417 Not Quite: Ivan Gallery Script V.0.1 (index.php) Remote File Include Exploit235192580PHP remote file inclusion vulnerability in index.php in Ivan Gallery Script 0.3 allows remote attackers to execute arbitrary PHP code via a URL in the gallery parameter in a new session.20070417 Not Quite: Ivan Gallery Script V.0.1 (index.php) Remote File Include ExploitCertain programs in containers in ScramDisk 4 Linux before 1.0-1 execute with SUID permissions, which allows local users to gain privileges via mounted containers.23495ADV-2007-141824903 scramdisk-mount-privilege-escalation(33674)ScramDisk 4 Linux before 1.0-1 does not perform permission checks on mount points, which allows local users to gain privileges by using a system directory as a mount point for a container.23495ADV-2007-141824903 scramdisk-directory-privilege-escalation(33677)PHP remote file inclusion vulnerability in index.php in Maian Gallery 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, but confirmed by the vendor, stating "this problem existed only briefly in v1.0."20070414 Maian Gallery v1.020070414 Re: Maian Gallery v1.020070415 false: Maian Gallery v1.0maiangallery-pathtofolder-file-include(33692) 20070415 Re: phpMyChat-0.14.5 34149PHP remote file inclusion vulnerability in search.php in Maian Search 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, but confirmed by the vendor, stating "this issue was fixed last year and [no] is longer a problem."20070414 Maian Search v1.120070414 Re: Maian Search v1.120070414 false: Maian Search v1.1 20070415 Re: phpMyChat-0.14.5 34150** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Maian Weblog 3.1 allows remote attackers to execute arbitrary PHP code via a URL in the path_to_folder parameter. NOTE: this issue was disputed by a third party researcher, since the path_to_folder variable is initialized before use.20070414 Maian Weblog v3.120070415 false: Maian Weblog v3.1 20070415 Re: phpMyChat-0.14.5 maianweblog-pathtofolder-file-include(33708)2582The ADONewConnection Connect function in adodb.php in XAMPP 1.6.0a and earlier for Windows uses untrusted input for the database server hostname, which allows remote attackers to trigger a library buffer overflow and execute arbitrary code via a long host parameter, or have other unspecified impact. NOTE: it could be argued that this is an issue in mssql_connect (CVE-2007-1411.1) in PHP, or an issue in the ADOdb Library, and the proper fix should be in one of these products; if so, then this should not be treated as a vulnerability in XAMPP.Failed exploit attempts will likely crash the webserver, denying service to legitimate users. Additionally, this issue is remotely exploitable only if the installation is not secured as described in the manual.373823491xampp-mssqlconnect-bo(33683)Multiple SQL injection vulnerabilities in XAMPP 1.6.0a for Windows allow remote attackers to execute arbitrary SQL commands via unspecified vectors in certain test scripts.3738MyBlog 0.9.8 and earlier allows remote attackers to bypass authentication requirements via the admin cookie parameter to certain admin files, as demonstrated by admin/settings.php.20070415 MyBlog <= 0.9.8 Remote Command Execution Exploit235212581myblog-admin-cookie-authentication-bypass(34025)Direct static code injection vulnerability in admin/settings.php in MyBlog 0.9.8 and earlier allows remote authenticated admin users to inject arbitrary PHP code via the content parameter, which can be executed by accessing index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers.20070415 MyBlog <= 0.9.8 Remote Command Execution Exploit myblog-settings-code-execution(33707)2581vsdatant.sys in Check Point Zone Labs ZoneAlarm Pro before 7.0.302.000 does not validate certain arguments before being passed to hooked SSDT function handlers, which allows local users to cause a denial of service (system crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateKey and (2) NtDeleteFile functions.20070415 ZoneAlarm Multiple insufficient argument validation of hooked SSDT function Vulnerabilityzonealarm-vsdatant-dos(33664)2591** DISPUTED ** PHP remote file inclusion vulnerability in MobilePublisherphp 1.1.2 allows remote attackers to execute arbitrary PHP code via a URL in the auth_method parameter to (1) index.php, (2) list.php, (3) postreview.php, (4) reindex.php, (5) sections.php, (6) templates.php, (7) userinfo.php, (8) users.php, and (9) view.php in admin/. NOTE: this issue has been disputed by a reliable third party, who states that $auth_method is defined before use.20070414 MobilePublisherphp v1.1.2 Remote File Include Vulnerabilitiesmobilepublisher-authmethod-file-include(33679)20070414 true until installed: MobilePublisherphp v1.1.2 Remote File Include Vulnerabilities353252583Cross-site scripting (XSS) vulnerability in oe2edit.cgi in oe2edit CMS allows remote attackers to inject arbitrary web script or HTML via the q parameter.An attacker can exploit this issue by enticing an unsuspecting user to follow a malicious URI which indicates a Medium Access Complexity.23512ADV-2007-141724919 20070415 [MajorSecurity Advisory #45]oe2edit CMS - Cross Site Scripting and Cookie Manipulation Issue oe2editcms-oe2edit-xss(33690)Multiple PHP remote file inclusion vulnerabilities in CNStats 2.9 allow remote attackers to execute arbitrary PHP code via a URL in the bj parameter to (1) who_r.php or (2) who_s.php in reports/.37412350124902cnstats-whor-file-include(33672)Multiple PHP remote file inclusion vulnerabilities in CNStats 2.12, when register_globals is enabled and .htaccess is not recognized, allow remote attackers to execute arbitrary PHP code via a URL in the bn parameter to (1) who_r.php or (2) who_s.php in reports/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.Successful exploitation requires that "register_globals" is enabled and support for ".htaccess" files is disabled.24902cnstats-bn-file-include(33977)Multiple PHP remote file inclusion vulnerabilities in Sitebar 3.3.5 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) writerFile parametere to index.php and the (2) file parameter to Integrator.php.20070414 Sitebar 3.3.5 (index.php writerFile)Remote File Include Vulnerabilitiessitebar-index-integrator-file-include(33688)2586Multiple PHP remote file inclusion vulnerabilities in the Jx Development Article 1.1 and earlier component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter to com_articles.php in (1) components/ or (2) classes/html/.373623513ADV-2007-1394newarticle-comarticles-file-include(33663) 20070415 Mambo/Joomla Component New Article Component RFICross-site scripting (XSS) vulnerability in index.php in TuMusika Evolution 1.6 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.20070412 TuMusika Evolution 1.6 Cross Site Scripting VulnerabilitiyADV-2007-137424874tumusika-index-xss(33593)2585PHP remote file inclusion vulnerability in blocks/tsdisplay4xoops_block2.php in tsdisplay4xoops (TSD4XOOPS, aka the TeamSpeak display module) 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the xoops_url parameter.375023518ADV-2007-1424xoops-tsdisplay4xoopsblock2-file-include(33695)Direct static code injection vulnerability in index.php in Limesoft Guestbook (LS Simple Guestbook) allows remote attackers to inject arbitrary PHP code into posts.txt via the name parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-1393Direct static code injection vulnerability in index.php in Limesoft Guestbook (LS Simple Guestbook) 1.0 allows remote attackers to inject arbitrary PHP code into posts.txt via the message parameter.20070415 LS simple guestbook - arbitrary code execution373523503ADV-2007-139324904lsguestbook-index-code-execution(33666)2590PHP remote file inclusion vulnerability in index.php in Anthologia 0.5.2 allows remote attackers to execute arbitrary PHP code via a URL in the ads_file parameter.375123524 ADV-2007-1427 24908 anthologia-adsfile-file-include(33705) 34083PHP remote file inclusion vulnerability in chat.php in MySpeach 1.9 allows remote attackers to execute arbitrary PHP code via a URL in the my[root] parameter, a different vector than CVE-2007-0498.20070414 MySpeach v1.92592PHP remote file inclusion vulnerability in common.php in Hinton Design PHPHD Download System (phphd_downloads) allows remote attackers to execute arbitrary PHP code via a URL in the phphd_real_path parameter. NOTE: this issue may be present in versions from 2006.20070417 Remot File Include In Script phphd_downloads phphd-common-code-execution(33724)2588** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in OpenConcept Back-End CMS 0.4.7 allow remote attackers to execute arbitrary PHP code via a URL in the includes_path parameter to (1) click.php or (2) pollcollector.php in htdocs/; or (3) index.php, (4) articlepages.php, (5) articles.php, (6) articleform.php, (7) articlesections.php, (8) createArticlesPage.php, (9) guestbook.php, (10) helpguide.php, (11) helpguideeditor.php, (12) links.php, (13) upload.php, (14) sitestatistics.php, (15) nav.php, (16) tpl_upload.php, (17) linksections, or (18) pophelp.php in htdocs/site-admin/; different vectors than CVE-2006-5076. NOTE: this issue is disputed by a third party, who states that $includes_path is defined before use.20070414 Back-End CMS Database Tables v0.4.7 Remote File Include Vulnerabilitiesbackend-multiple-scripts-file-include(33668)20070415 false: Back-End CMS Database Tables v0.4.7 Remote File Include Vulnerabilities341482573Multiple cross-site scripting (XSS) vulnerabilities in showpic.php in Wabbit PHP Gallery 0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) pic and (2) gal parameters.20070416 Wabbit PHP Gallery v0.9 Cross Site Scripting 23526 24943 wabbit-showpic-xss(33717)2574Cross-site scripting (XSS) vulnerability in htdocs/php.php in OpenConcept Back-End CMS 0.4.7 allows remote attackers to inject arbitrary web script or HTML via the page[] parameter.20070414 Back-End CMS Database Tables v0.4.7 Cross Site Scriptingbackend-htdocs-xss(33685)2575FAC Guestbook 2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/Gdb.mdb.20070412 FAC GuestBook v2.0 remote database disclosure vulnerability2344124872facguestbook-gdb-gbdb-information-disclosure(33600)2570FAC Guestbook 3.01 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/gbdb.mdb. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2344124872facguestbook-gdb-gbdb-information-disclosure(33600)Cross-site scripting (XSS) vulnerability in weblog.php in my little weblog allows remote attackers to inject arbitrary web script or HTML via the id parameter, a different vector than CVE-2006-6087.20070416 my little weblog Cross Site Scripting 24942 mylittleweblog-id-xss(33718)2571Multiple PHP remote file inclusion vulnerabilities in my little forum 1.7 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) admin.php and (2) timedifference.php.20070416 my little forum 1.7 Remote File Include Vulnerabilitiy mylittleforum-lang-file-include(33719)2576Multiple directory traversal vulnerabilities in iXon CMS 0.30 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme_url parameter to (1) index.php, (2) page.php, (3) search.php, (4) single.php, and (5) archives.php.20070404 iXon_CMS 0.30 Remote File Include Vulnerabilitiesixoncms-themeurl-file-include(33438)2577Directory traversal vulnerability in admin/index.php in Monkey CMS 0.0.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the admin_skin parameter.20070404 Monkey CMS v0.0.3 Remote File Include Vulnerabilitiymonkeycms-index-file-include(33436)20070607 Re: Monkey CMS v0.0.3 Remote File Include Vulnerabilitiy2578Directory traversal vulnerability in index.php in Kai Content Management System (K-CMS) 1.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the current_theme parameter.20070404 K-CMS v1.0 Remote File Include Vulnerabilitieskcms-index-file-include(33437)2579SQL injection vulnerability in visit.php in the Rha7 Downloads (rha7downloads) 1.0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2007-1960. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-1266Unspecified vulnerability in the Core RDBMS component Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.2 on Windows allows remote attackers to have an unknown impact, aka DB01. NOTE: as of 20070424, Oracle has not disputed reliable claims that this issue occurs because the NTLM SSPI AcceptSecurityContext function grants privileges based on the username provided even though all users are authenticated as Guest, which allows remote attackers to gain privileges.VU#809457ADV-2007-14261017927HPSBMA02133TA07-108A23532Multiple unspecified vulnerabilities in Oracle Database 10.2.0.3 have unknown impact and remote authenticated attack vectors related to (1) Rules Manager and Expression Filter components (DB02) and (2) Oracle Streams (DB06). Note: as of 20070424, Oracle has not disputed reliable claims that DB02 is for a race condition in the RLMGR_TRUNCATE_MAINT trigger in the Rules Manager and Expression Filter components changing the AUTHID of a package from DEFINER to CURRENT_USER after a TRUNCATE call, and DB06 is for SQL injection in the DBMS_APPLY_USER_AGENT.SET_REGISTRATION_HANDLER procedure, which is later passed to the DBMS_APPLY_ADM_INTERNAL.ALTER_APPLY procedure, aka "Oracle Streams".ADV-2007-14261017927HPSBMA02133TA07-108A23532Unspecified vulnerability in the Core RDBMS component for Oracle Database 9.0.1.5 and 10.1.0.4 on Windows systems has unknown impact and attack vectors, aka DB03. NOTE: as of 20070424, Oracle has not disputed reliable claims that DB03 occurs because RDBMS uses a NULL Discretionary Access Control List (DACL) for the Oracle process and certain shared memory sections, which allows local users to inject threads and execute arbitrary code via the OpenProcess, OpenThread, and SetThreadContext functions (DB03).[oracle-l] 20061201 Re: Oracle 9i on Windows 2003 -- Vulnerability QuestionADV-2007-14261017927HPSBMA02133TA07-108A23532SQL injection vulnerability in the SYS.DBMS_AQADM_SYS package in Oracle Database 9.0.1.5, 9.2.0.7, and 10.1.0.5 allows remote authenticated users to inject arbitrary SQL commands via unknown vectors, aka DB04. NOTE: as of 20070424, Oracle has not disputed reliable claims that DB04 is actually for multiple vulnerabilities.ADV-2007-14261017927HPSBMA02133TA07-108A23532Unspecified vulnerability in the Authentication component for Oracle Database 10.1.0.5 and 10.2.0.3 has unknown impact and attack vectors, aka DB05. NOTE: as of 20070424, Oracle has not disputed reliable claims that this issue allows remote authenticated users to bypass the AUTH_ALTER_SESSION security policies via a logon trigger ("AFTER LOGON ON DATABASE" trigger directive), a related issue to CVE-2006-0547.20070418 Advisory: Bypass Oracle Logon TriggerADV-2007-14261017927HPSBMA02133TA07-108A23532SQL injection vulnerability in the Upgrade/Downgrade component (DBMS_UPGRADE_INTERNAL) for Oracle Database 10.1.0.5 allows remote authenticated users to execute arbitrary SQL commands via unknown vectors, aka DB07. NOTE: as of 20070424, Oracle has not disputed reliable claims that DB07 is actually for multiple issues.20070418 Advisory: SQL Injection in package SYS.DBMS_UPGRADE_INTERNALADV-2007-14261017927HPSBMA02133TA07-108A23532Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 and 10.2.0.2 have unknown impact and remote authenticated attack vectors, related to (1) Change Data Capture (CDC), aka DB08, and (2) Oracle Instant Client, aka DB11. NOTE: as of 20070424, oracle has not disputed reliable claims that these issues are buffer overflows using a long CHANGE_TABLE_NAME parameter to the DBMS_CDC_IPUBLISH.CHGTAB_CACHE procedure (DB08) and Oracle Instant Client genezi utility (DB11).ADV-2007-14261017927HPSBMA02133TA07-108A23532Unspecified vulnerability in the Change Data Capture (CDC) component in Oracle Database 9.2.0.7, 10.1.0.5, and 10.2.0.2 has unknown impact and attack vectors, aka DB09. NOTE: as of 20070424, oracle has not disputed reliable claims that this issue involves multiple SQL injection vulnerabilities in the DBMS_CDC_PUBLISH with remote authenticated vectors involving the "java classes in CDC.jar."ADV-2007-14261017927HPSBMA02133TA07-108A23532Unspecified vulnerability in the Advanced Replication component in Oracle Database 9.0.1.5, 9.2.0.7, and 10.2.0.1 has unknown impact and attack vectors, aka DB10. NOTE: as of 20070424, Oracle has not disputed claims that these are buffer overflows in kkzi.o for the SYS.DBMS_SNAP_INTERNAL package using the (1) SNAP_OWNER or (2) SNAP_NAME parameters.20070418 Oracle Database Buffer overflow vulnerabilities in package DBMS_SNAP_INTERNALADV-2007-14261017927HPSBMA02133TA07-108A23532Unspecified vulnerability in the Oracle Text component in Oracle Database 9.2.0.5 has unknown impact and attack vectors, aka DB12. NOTE: as of 20070424, Oracle has not disputed reliable claims that this involves a buffer overflow in the ctxsrv server daemon.ADV-2007-14261017927HPSBMA02133TA07-108A23532Unspecified vulnerability in the Upgrade/Downgrade component of Oracle Database 9.0.1.5 and 9.2.0.7 has unknown impact and attack vectors, aka DB13. NOTE: as of 20070424, Oracle has not disputed reliable claims that this is a buffer overflow involving the "mig utility."ADV-2007-14261017927HPSBMA02133TA07-108A23532Cross-site scripting (XSS) vulnerability in boundary_rules.jsp in the Administration Front End for Oracle Enterprise (Ultra) Search, as used in Database Server 9.2.0.8, 10.1.0.5, and 10.2.0.2, and in Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2.0 allows remote attackers to inject arbitrary HTML or web script via the EXPTYPE parameter, aka SES01. ADV-2007-1426 1017927 HPSBMA02133 20070418 Advisory: XSS Vulnerability in Oracle Secure Enterprise Search [SES01]TA07-108A23532The Oracle Discoverer servlet in Oracle Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2.0 allows remote attackers to shut down an Oracle TNS Listener via a TNS STOP commmand in a request that uses the database/TNS alias, aka AS01.ADV-2007-14261017927HPSBMA0213320070418 Advisory: Shutdown unprotected Oracle TNS Listener via Oracle Discoverer Servlet [AS01]TA07-108A23532Unspecified vulnerability in the COREid Access component in Oracle Application Server 7.0.4.4 has unknown impact and attack vectors, aka AS02. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in the Wireless component in Oracle Application Server 9.0.4.3 has unknown impact and attack vectors, aka AS03. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in the Portal component in Oracle Application Server 10.1.3 up to 10.1.3.2.0, 10.1.2 up to 10.1.2.2.0, and 9.0.4.3 has unknown impact and attack vectors, aka AS04. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in the Portal component in Oracle Application Server 10.1.4.1.0 has unknown impact and remote attack vectors, aka AS05. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in Collaborative Workspace in Oracle Collaboration Suite 10.1.2 has unknown impact and attack vectors, aka OCS01. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in Oracle E-Business Suite 11.5.10CU2 has unknown impact and remote attack vectors in the (1) Common Applications (APPS01) and (2) iProcurement (APPS02). ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Multiple unspecified vulnerabilities in Oracle E-Business Suite 12.0.0 have unknown impact and remote attack vectors via (1) Application Object Library (APPS04), iStore (2) APPS05 and (3) APPS06, (4) iSupport (APPS07), (5) Trade Management (APPS09), (6) Applications Manager (APPS10), and (7) Oracle Report Manager (APPS03).ADV-2007-14261017927HPSBMA02133TA07-108A23532Unspecified vulnerability in the Sales Online component for Oracle E-Business Suite 11.5.10 has unknown impact and remote authenticated attack vectors, aka APPS08. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in the Agent component in Oracle Enterprise Manager 9.2.0.8 has unknown impact and remote attack vectors, aka EM01. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in Workflow Cartridge, as used in Oracle Database Server 9.2.0.1, 10.1.0.2, and 10.2.0.1; Application Server 9.0.4.3 and 10.1.2.0.2; Collaboration Suite 10.1.2; and E-Business Suite; has unknown impact and remote authenticated attack vectors, aka OWF01. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in PeopleTools in Oracle PeopleSoft Enterprise 8.22.14, 8.47.12, and 8.48.08 has unknown impact and attack vectors, aka PSE01. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in the PeopleTools component in Oracle PeopleSoft Enterprise 8.47.12 and 8.48.08 has unknown impact and attack vectors, aka PSE02. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in the PeopleSoft Enterprise Human Capital Management component in Oracle PeopleSoft Enterprise 8.9 has unknown impact and attack vectors, aka PSEHCM01. ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532Unspecified vulnerability in the HTML Server in Oracle JD Edwards EnterpriseOne SP23_Q1 and 8.96.I1 has unknown impact and local attack vectors, aka JDE01.The vendor has addressed this issue through the release of the following patch information: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html ADV-2007-1426 1017927 HPSBMA02133TA07-108A23532The ADI_BINARY component in the Oracle E-Business Suite allows remote attackers to download arbitrary documents from the APPS.FND_DOCUMENTS table via the ADI_DISPLAY_REPORT function, when passed a certain parameter. NOTE: due to lack of details from Oracle, it is not clear whether this issue is related to other CVE identifiers such as CVE-2007-2126, CVE-2007-2127, or CVE-2007-2128.20070418 ZDI-07-017: Oracle E-Business Suite Arbitrary Document Download Vulnerability2612Stack-based buffer overflow in bgs_sdservice.exe in BMC Patrol PerformAgent allows remote attackers to execute arbitrary code by connecting to TCP port 10128 and sending certain XDR data, which is not properly parsed.20070418 ZDI-07-019: BMC Patrol PerformAgent bgs_sdservice Memory Corruption Vulnerability23557ADV-2007-1457 1017934 24937 bmcpatrol-bgssdservice-code-execution(33745)2598Heap-based buffer overflow in kde.dll in IBM Tivoli Monitoring Express 6.1.0 before Fix Pack 2, as used in Tivoli Universal Agent, Windows OS Monitoring agent, and Enterprise Portal Server, allows remote attackers to execute arbitrary code by sending a long string to a certain TCP port.20070418 ZDI-07-018: IBM Tivoli Monitoring Express Universal Agent Heap Overflow Vunlerability23558ADV-2007-1456 1017933 24938 tivoli-monitoring-multiple-bo(33746)2597Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."25019 MDKSA-2007:094 23618 ADV-2007-1497 25005 24989 postgresql-searchpath-privilege-escalation(33842) 102894 2007-0015 USN-454-1 ADV-2007-1549 1017974 25037 24999 25058 RHSA-2007:0337 GLSA-200705-12 RHSA-2007:0336 25184 25238DSA-1309DSA-1311MDKSA-2007:09425334257172572525720Multiple stack-based buffer overflows in the SUN RPC service in CA (formerly Computer Associates) BrightStor ARCserve Media Server, as used in BrightStor ARCserve Backup 9.01 through 11.5 SP2, BrightStor Enterprise Backup 10.5, Server Protection Suite 2, and Business Protection Suite 2, allow remote attackers to execute arbitrary code via malformed RPC strings, a different vulnerability than CVE-2006-5171, CVE-2006-5172, and CVE-2007-1785.20070424 ZDI-07-022: CA BrightStor ArcServe Media Server Multiple Buffer Overflow Vulnerabilities23635 VU#979825 ADV-2007-1529 24972 brightstor-sun-rpc-bo(33854) 10179522628PHP remote file inclusion vulnerability in everything.php in Franklin Huang Flip (aka Flip-search-add-on) 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the incpath parameter.20070414 Flip-search-add-on 2.020070503 True: Flip-search-add-on everything.php incpath RFI34147flip-search-incpath-file-include(33696)Direct static code injection vulnerability in shoutbox.php in ShoutPro 1.5.2 allows remote attackers to inject arbitrary PHP code into shouts.php via the shout parameter.20070417 ShoutPro 1.5.2 - arbitrary code execution375823542ADV-2007-1432 24939 shoutpro-shouts-code-execution(33727)2593Multiple PHP remote file inclusion vulnerabilities in AjPortal2Php allow remote attackers to execute arbitrary PHP code via a URL in the PagePrefix parameter to (1) begin.inc.php, (2) connection.inc.php, (3) events.inc.php, (4) footer.inc.php, (5) header.inc.php, (6) menuleft.inc.php, or (7) pages.inc.php in includes/.3752ADV-2007-1428 23525 ajportal2php-pageprefix-file-include(33703)PHP remote file inclusion vulnerability in index.php in the Be2004-2 template for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.3759 23549 joomla-be20042-index-file-include(33728)PHP remote file inclusion vulnerability in includes/CAltInstaller.php in the JoomlaPack (com_jpack) 1.0.4a2 RE component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.3753ADV-2007-142923529joomlapack-caltinstaller-file-include(33702)The imagecomments function in classes.php in MiniGal b13 allows remote attackers to inject arbitrary PHP code into a file in the thumbs/ directory via the input parameter. NOTE: some of these details are obtained from third party information.3754ADV-2007-1430The imagecomments function in classes.php in MiniGal b13 allow remote attackers to inject arbitrary PHP code into a file in the thumbs/ directory via the (1) name or (2) email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-1430admin/options.php in Stephen Craton (aka WiredPHP) Chatness 2.5.3 and earlier does not check for administrative credentials, which allows remote attackers to read and modify the classes/vars.php and classes/varstuff.php configuration files via direct requests.20070412 Chatness <= 2.5.3 - Arbitrary Code ExecutionADV-2007-1386248732595Direct static code injection vulnerability in admin/save.php in Stephen Craton (aka WiredPHP) Chatness 2.5.3 and earlier allows remote authenticated administrators to inject PHP code into .html files via the html parameter, as demonstrated by head.html and foot.html, which are included and executed upon a direct request for index.php. NOTE: a separate vulnerability could be leveraged to make this issue exploitable by remote unauthenticated attackers.20070412 Chatness <= 2.5.3 - Arbitrary Code ExecutionADV-2007-1386248732595Stephen Craton (aka WiredPHP) Chatness 2.5.3 and earlier stores usernames and unencrypted passwords in (1) classes/vars.php and (2) classes/varstuff.php, and recommends 0666 or 0777 permissions for these files, which allows local users to gain privileges by reading the files, and allows remote attackers to obtain credentials via a direct request for admin/options.php.20070412 Chatness <= 2.5.3 - Arbitrary Code ExecutionADV-2007-1386248732595BlueArc-FTPD in BlueArc Titan 2x00 devices with firmware 4.2.944b allows remote attackers to redirect traffic to other sites (aka FTP bounce) via the PORT command, a variant of CVE-1999-0017.20070417 BlueArc Firmware 4.2.944b FTP bounce23540 bluearc-port-traffic-hijacking(33721)The administration server in McAfee e-Business Server before 8.1.1 and 8.5.x before 8.5.2 allows remote attackers to cause a denial of service (service crash) via a large length value in a malformed authentication packet, which triggers a heap over-read.The vendor has addressed this issue in the following product update: https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=612751&command=show&forward=nonthreadedKC20070417 McAfee E-Business Admin Server Invalid Data Length DoS Vulnerability23544ADV-2007-1434101792924893 mcafee-ebusiness-utility-dos(33730)Buffer overflow in the On-Access Scanner in McAfee VirusScan Enterprise before 8.0i Patch 12 allows user-assisted remote attackers to execute arbitrary code via a long filename containing multi-byte (Unicode) characters.The vendor has addressed this issue with the following product update: https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=612750&command=show&forward=nonthreadedKC20070417 McAfee VirusScan On-Access Scanner Long Unicode File Name Buffer Overflow23543ADV-2007-1435101792824914 VU#324929 mcafee-onaccess-bo(33732)Cross-site scripting (XSS) vulnerability in atmail.php in @Mail 5.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter.20070411 [MajorSecurity Advisory #43]Calacode ATMail 5.0 - Cross Site Scripting and Cookie Manipulation Issue23428@mail-atmail-xss(33591)2594PHP remote file inclusion vulnerability in services/samples/inclusionService.php in Cabron Connector 1.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the CabronServiceFolder parameter.375623531ADV-2007-1431 cabronconnector-inclusion-file-include(33716)Directory traversal vulnerability in template.php in in phpFaber TopSites 3 allows remote attackers to read arbitrary files via a .. (dot dot) in the modify parameter in a template action to admin/index.php.20070411 nEw Bug :D20070418 [uncertain] (mostly) phpFaber TopSitespath traversal23419phpfaber-index-directory-traversal(33581)Multiple PHP remote file inclusion vulnerabilities in Rezervi Generic 0.9 allow remote attackers to execute arbitrary PHP code via a URL in the root parameter to (1) datumVonDatumBis.inc.php, (2) footer.inc.php, (3) header.inc.php, and (4) stylesheets.php in templates/; and (5) wochenuebersicht.inc.php, (6) monatsuebersicht.inc.php, (7) jahresuebersicht.inc.php, and (8) tagesuebersicht.inc.php in belegungsplan/.3763ADV-2007-1448 24926 Rezervi-root-file-include(33737) 23550Directory traversal vulnerability in upload/force_download.php in Zomplog 3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.3764ADV-2007-1449 zomplog-forcedownload-dir-traversal(33740) 23553 24899PHP remote file inclusion vulnerability in index.php in jGallery 1.3 allows remote attackers to execute arbitrary PHP code via a URL in the G_JGALL[inc_path] parameter.3760ADV-2007-1445 jgallery-index-file-include(33738) 24956Multiple cross-site scripting (XSS) vulnerabilities in the Database Administration (dba) module 4.6.x-*, and before 4.7.x-1.2 in the 4.7.x-1.* series, for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified vectors relating to (1) direct display of data from the database and (2) other portions of the user interface.ADV-2007-136024848Multiple cross-site request forgery (CSRF) vulnerabilities in the Database Administration (dba) module 4.6.x-*, and before 4.7.x-1.2 in the 4.7.x-1.* series, for Drupal allow remote attackers to perform unauthorized actions as an arbitrary user, a related issue to CVE-2006-5476.ADV-2007-136024848Microsoft Internet Explorer 7 allows remote attackers to cause a denial of service (browser hang) via JavaScript that matches a regular expression against a long string, as demonstrated using /(.)*/.20070417 Internet Explorer Crash20070417 Re: Internet Explorer Crash20070418 Re: Internet Explorer Crashie-unspecified-dos(33715)(1) Mozilla Firefox 2.0.0.3 and (2) GNU IceWeasel 2.0.0.3 allow remote attackers to cause a denial of service (browser crash or system hang) via JavaScript that matches a regular expression against a long string, as demonstrated using /(.)*/.20070417 Internet Explorer Crash20070417 Re: Internet Explorer Crash20070418 Re: Internet Explorer CrashApple Safari allows remote attackers to cause a denial of service (browser crash) via JavaScript that matches a regular expression against a long string, as demonstrated using /(.)*/.20070417 Internet Explorer Crash20070417 Re: Internet Explorer CrashKonqueror 3.5.5 release 45.4 allows remote attackers to cause a denial of service (browser crash or abort) via JavaScript that matches a regular expression against a long string, as demonstrated using /(.)*/.20070417 Internet Explorer Crash20070417 Re: Internet Explorer Crash2600The Auth API in ProFTPD before 20070417, when multiple simultaneous authentication modules are configured, does not require that the module that checks authentication is the same as the module that retrieves authentication data, which might allow remote attackers to bypass authentication, as demonstrated by use of SQLAuthTypes Plaintext in mod_sql, with data retrieved from /etc/passwd.23546ADV-2007-1444101793124867proftpd-authapi-security-bypass(33733)FEDORA-2007-2613MDKSA-2007:1302572427516PHP remote file inclusion vulnerability in administration/user/lib/group.inc.php in OpenSurveyPilot (osp) 1.2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cfgPathToProjectAdmin parameter.3765 23563 ADV-2007-1460 24915 osp-groupinc-file-include(33749)Static code injection vulnerability in process.php in AimStats 3.2 allows remote attackers to inject PHP code into config.php via the number parameter in an update action.3762ADV-2007-1447 23573 24955 aimstats-config-command-execution(33742)Static code injection vulnerability in process.php in AimStats 3.2 and earlier allows remote attackers to inject PHP code into config.php via the databasehost parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-1447 23573 24955 aimstats-config-command-execution(33742)Static code injection vulnerability in add.php in Mozzers SubSystem 1.0 allows remote attackers to inject PHP code into subs.php via the (1) Sub-name or (2) Sub-url field. NOTE: an earlier report indicated that the add action can be reached through a request to index.php.376123548ADV-2007-1446 mozzers-subsystem-index-code-execution(33739)The APPLSYS.FND_DM_NODES package in Oracle E-Business Suite does not check for valid sessions, which allows remote attackers to delete arbitrary nodes. NOTE: due to lack of details from Oracle, it is not clear whether this issue is related to other CVE identifiers such as CVE-2007-2126, CVE-2007-2127, or CVE-2007-2128.20070418 ZDI-07-016: Oracle E-Business Suite Arbitrary Node Deletion Vulnerability2611Stack-based buffer overflow in the base64_decode function in GWINTER.exe in Novell GroupWise (GW) WebAccess before 7.0 SP2 allows remote attackers to execute arbitrary code via long base64 content in an HTTP Basic Authentication request.20070418 ZDI-07-015: Novell Groupwise WebAccess Base64 Decoding Stack Overflow Vulnerability23556ADV-2007-14551017932249442610A typo in Linux kernel 2.6 before 2.6.21-rc6 and 2.4 before 2.4.35 causes RTA_MAX to be used as an array size instead of RTN_MAX, which leads to an "out of bound access" by the (1) dn_fib_props (dn_fib.c, DECNet) and (2) fib_props (fib_semantics.c, IPv4) functions.23447RHSA-2007:034725288DSA-1356DSA-1363MDKSA-2007:171MDKSA-2007:196MDKSA-2007:216RHSA-2007:0488RHSA-2007:1049USN-464-1ADV-2007-26902539225838262892645025068266472662027913DSA-1503DSA-150429058Eval injection vulnerability in (1) courier-imapd.indirect and (2) courier-pop3d.indirect in Courier-IMAP before 4.0.6-r2, and 4.1.x before 4.1.2-r1, on Gentoo Linux allows remote attackers to execute arbitrary commands via the XMAILDIR variable, related to the LOGINRUN variable.GLSA-200704-1824963 23589 gentoo-courier-imap-code-execution(33805)The IOCTL handling in srescan.sys in the ZoneAlarm Spyware Removal Engine (SRE) in Check Point ZoneAlarm before 5.0.156.0 allows local users to execute arbitrary code via certain IOCTL lrp parameter addresses.20070420 Check Point Zone Labs SRESCAN IOCTL Local Privilege Escalation Vulnerability23579101794824986 20070423 [Reversemode advisory] CheckPoint Zonelabs - ZoneAlarm SRESCAN driver local privilege escalation ADV-2007-1491 zonealarm-srescan-privilege-escalation(33786) 1017953Apple QuickTime Java extensions (QTJava.dll), as used in Safari and other browsers, and when Java is enabled, allows remote attackers to execute arbitrary code via parameters to the toQTPointer method in quicktime.util.QTHandleRef, which can be used to modify arbitrary memory when creating QTPointerRef objects, as demonstrated during the "PWN 2 0WN" contest at CanSecWest 2007.1017950quicktime-unspecified-code-execution(33827)APPLE-SA-2007-05-01 20070501 ZDI-07-023: Apple QTJava toQTPointer() Pointer Arithmetic Memory Overwrite Vulnerability VU#42066834178Unspecified vulnerability in Mozilla Firefox allows remote attackers to execute arbitrary code via unspecified vectors involving Javascript errors. NOTE: this might be the same issue as CVE-2007-2175.Stack-based buffer overflow in the Microgaming Download Helper ActiveX control (dlhelper.dll) before 7.2.0.19, and the WebHandler Class control, allows remote attackers to execute arbitrary code via unspecified vectors.VU#18447323595 ADV-2007-1507 25017Multiple unspecified vulnerabilities in Objective Development Sharity before 3.3 allow remote attackers to cause a denial of service (daemon crash) via unspecified vectors.2357224925 Sharity-unspecified-dos(33774)Multiple unspecified vulnerabilities in IXceedCompression in XceddZipLib (RaidenFTPD.dll) in RaidenFTPD 2.4 allow remote attackers to cause a denial of service (crash) via unspecified vectors involving the (1) CalculateCrc, (2) Compress, and (3) Uncompress functions, which result in a NULL pointer dereference.20070419 RaidenFTPd IXceedCompression multiple denial of service vulnerabilities23570 raidenftpd-multiple-dos(33776)2606Buffer overflow in Nullsoft Winamp 5.3 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted WMV file.20070419 Winamp <= (WMV) 5.3 Buffer Overflow DOS Exploit (0-DAY)23568 3768 winamp-wmv-bo(33764)2601PHP remote file inclusion vulnerability in admin/login.php in Webinsta FM Manager 0.1.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter, a different product and vector than CVE-2005-0748.3778 23592 ADV-2007-1494 24958 webinstafm-login-file-include(33793)Unrestricted file upload vulnerability in forum_write.php in Maran PHP Forum allows remote attackers to upload and execute arbitrary PHP files via a trailing %00 in a filename in the page parameter.3775 23614 ADV-2007-1493 24968 maranforum-pagename-code-execution(33802)SQL injection vulnerability in index.php in PHP-Ring Webring System (aka uPHP_ring_website) 0.9 allows remote attackers to execute arbitrary SQL commands via the ring parameter.3774 23586 uphp-ring-sql-injection(33804)Directory traversal vulnerability in imgsrv.php in jchit counter 1.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the acc parameter.3773 23585 jchitcounter-imgsrv-directory-traversal(33806)Multiple PHP remote file inclusion vulnerabilities in Supasite 1.23b allow remote attackers to execute arbitrary PHP code via a URL in the supa[db_path] parameter to (1) common_functions.php, (2) admin_auth_cookies.php, (3) admin_mods.php, (4) admin_news.php, (5) admin_topics.php, (6) admin_users.php, (7) admin_utilities.php, (8) site_comment.php, or (9) site_news.php; or the supa[include_path] parameter to (10) admin_settings.php or (11) backend_site.php.377123581ADV-2007-1492supasite-supa-file-include(33796)Foxit Reader 2.0 allows remote attackers to cause a denial of service (application crash) via a crafted PDF document.377023576foxitreader-pdf-dos(33784)Stack-based buffer overflow in eXtremail 2.1.1 and earlier allows remote attackers to execute arbitrary code via a long DNS response. NOTE: this might be related to CVE-2006-6926.20070420 eXtremail-v9376923577eXtremail 2.1.1 and earlier does not verify the ID field (aka transaction id) in DNS responses, which makes it easier for remote attackers to conduct DNS spoofing.20070420 eXtremail-v923577PHP remote file inclusion vulnerability in admin/admin_album_otf.php in the MX Smartor Full Album Pack (FAP) 2.0 RC1 module for mxBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.376623561mxbb-smartorfap-admin-file-include(33760)PHP remote file inclusion vulnerability in admin/public/webpages.php in Eba News 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the filename parameter.20070420 Eba News Version : v1.1 <= (webpages.php) Remote File Include // starhack.orgebanews-webpages-file-include(33783)2607Multiple cross-site scripting (XSS) vulnerabilities in freePBX 2.2.x allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, (3) Call-ID, (4) User-Agent, and unspecified other SIP protocol fields, which are stored in /var/log/asterisk/full and displayed by admin/modules/logfiles/asterisk-full-log.php.20070419 XSS in freePBX 2.2.x portal's Asterisk Log tool23575freepbx-sip-xss(33772) ADV-2007-1535 249352627Buffer overflow in Photofiltre Studio 8.1.1 allows user-assisted remote attackers to execute arbitrary code via a crafted .tif file.377223582 ADV-2007-1490 24981 photofiltre-tif-bo(33807)Stack-based buffer overflow in the ID_X.apl plugin in ACDSee 9.0 Build 108, Pro 8.1 Build 99, and Photo Editor 4.0 Build 195 allows user-assisted remote attackers to execute arbitrary code via a crafted XPM file with a long section string. NOTE: some of these details are obtained from third party information.3776ADV-2007-148924994 23620 acdsee-xpm-bo(33812)Stack-based buffer overflow in XnView 1.90.3 allows user-assisted remote attackers to execute arbitrary code via a crafted XPM file with a long section string. NOTE: some of these details are obtained from third party information.3777ADV-2007-148824973 23625 xnview-xpm-bo(33810)GLSA-200707-0626006aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers to cause a denial of service (application crash) by sending invalid data to TCP port 31337.23583** DISPUTED ** PHP remote file inclusion vulnerability in jambook.php in the Jambook (com_Jambook) 1.0 beta7 module for Mambo and Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: this issue has been disputed by a reliable third party because the jambook.php protects against direct request.20070415 Joomla/Mambo Jambook v1.0 beta7 Rfi Vuln.20070417 False: Joomla/Mambo Jambook v1.0 beta7 Rfi Vuln.23509341512603Race condition in the NeatUpload ASP.NET component 1.2.11 through 1.2.16, 1.1.18 through 1.1.23, and trunk.379 through trunk.445 allows remote attackers to obtain other clients' HTTP responses via multiple simultaneous requests, which triggers multiple calls to HttpWorkerRequest.FlushResponse for the same HttpWorkerRequest object and causes a buffer to be reused for a different request.20070420 NeatUpload vulnerability and fix2357825003neatupload-responses-information-disclosure(33785)Cross-site scripting (XSS) vulnerability in LAN Management System (LMS) before 1.6.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably involving the OD parameter to contrib/formularz_przelewu_wplaty/druk.php. 23715 25067 ADV-2007-1580PHP remote file inclusion vulnerability in lib/pcltar.lib.php (aka pcltar.php) in the PclTar module 1.3 and 1.3.1 for Vincent Blavet PhpConcept Library, as used in multiple products including (1) Joomla! 1.5.0 Beta, (2) N/X Web Content Management System (WCMS) 4.5, (3) CJG EXPLORER PRO 3.3, and (4) phpSiteBackup 0.1, allows remote attackers to execute arbitrary PHP code via a URL in the g_pcltar_lib_dir parameter.37812361320070423 Remote file inclusion in Joomla 1.5.0 BetaADV-2007-1511joomla-pcltar-file-include(33837)391520070514 shared code incolving pcltar.lib.php/g_pcltar_lib_dir RFI2370825230cjgexplorerpro-pcltarpcltrace-file-include(34273)20070904 Re: Multiple vulnerabilities in Joomla 1.5 RC 141112466025528phpsitebackup-pcltarlib-file-include(35092)Directory traversal vulnerability in navigator/navigator_ok.php in Pagode 0.5.8 allows remote attackers to read and possibly delete arbitrary files via a .. (dot dot) in the asolute parameter.3783 23617 ADV-2007-1512 24992 pagode-navigatorok-directory-traversal(33848)Multiple PHP remote file inclusion vulnerabilities in Post Revolution 6.6 and 7.0 RC2 allow remote attackers to execute arbitrary PHP code via a URL in the dir parameter to (1) common.php or (2) themes/default/preview_post_completo.php.20070422 Post Revolution Remote File Inclusion378523607 ADV-2007-1513 24971 postrevolution-commonpreview-file-include(33825)2653PHP remote file inclusion vulnerability in inc_ACVS/SOAP/Transport.php in Accueil et Conseil en Visites et Sejours Web Services (ACVSWS) PHP5 (ACVSWS_PHP5) 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the CheminInclude parameter.20070423 acvsws_php5_v1.0 <= Multiple Remote File Include Vulnerablitiy 23603 ADV-2007-1509 24983 acvswebservices-transport-file-include(33840)2609Cross-site scripting (XSS) vulnerability in Big Blue Guestbook allows remote attackers to inject arbitrary web script or HTML via the message field in the guestbook entry submission form.20070423 Big Blue Guestbook HTML Injection Vulnerabilities23591 ADV-2007-1518 24997Multiple PHP remote file inclusion vulnerabilities in GPL PHP Board (GPB) unstable-2001.11.14-1 allow remote attackers to execute arbitrary PHP code via a URL in the root_path parameter to (1) db.mysql.inc.php or (2) gpb.inc.php in include/, or the (3) theme parameter to themes/ubb/login.php.3786 23622 ADV-2007-1514 gpb-multiple-script-file-include(33839)PHP remote file inclusion vulnerability in modules/rtmessageadd.php in LAN Management System (LMS) 1.5.3, and possibly 1.5.4, allows remote attackers to execute arbitrary PHP code via a URL in the _LIB_DIR parameter, a different vector than CVE-2007-1643.20070422 lms 1.5.3 Remote File Inclusion23611 20070426 true: 2 distinct LMS RFI, one old, one new; and vague ACK lms-rtmessageadd-file-include(33819)2630Cross-site scripting (XSS) vulnerability in contact/index.php in Ripe Website Manager 0.8.4 and earlier allows remote attackers to inject arbitrary web script or HTML via a leading "<"<" in the ripeformpost parameter.20070422 Ripe Website Manager (<= 0.8.4) - SQL Injection Vulnerability and Cross-Site Scripting Exploit2359720070422 Ripe Website Manager (<= 0.8.4) - SQL Injection Vulnerability and Cross-Site Scripting ExploitADV-2007-151924984rwm-index-xss(33817)2602SQL injection vulnerability in contact/index.php in Ripe Website Manager 0.8.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ripeformpost parameter.20070422 Ripe Website Manager (<= 0.8.4) - SQL Injection Vulnerability and Cross-Site Scripting Exploit23597 ADV-2007-1519 24984 rwm-index-sql-injection(33818)2602Multiple PHP remote file inclusion vulnerabilities in Extreme PHPBB2 3.0 Pre Final allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) functions.php or (2) functions_portal.php in includes/.20070418 Extreme PHPBB2 Remote File Inclusionextremephpbb-phpbbrootpath-file-include(33743)2608Buffer overflow in igcore15d.dll 15.1.2.0 and 15.2.0.0 for AccuSoft ImageGear, as used in Corel Paint Shop Pro Photo 11.20 and possibly other products, allows user-assisted remote attackers to execute arbitrary code via a crafted .CLP file. NOTE: some details were obtained from third party sources.377923604ADV-2007-15062501625050paintshopphoto-clp-bo(33821)1017963A certain ActiveX control in askPopStp.dll in Netsprint Ask IE Toolbar 1.1 allows remote attackers to cause a denial of service (Internet Explorer crash) via a long AddAllowed property value, related to "improper memory handling," possibly a buffer overflow.20070417 Multiple Ask IE Toolbar denial of service vulnerabilities235352604SQL injection vulnerability in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a dayview action.378023612mybb-calendar-sql-injection(33814) ADV-2007-1510 24967Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.mybb-calendar-sql-injection(33814)Unspecified vulnerability in the Initialize function in NetscapeFTPHandler in WS_FTP Home and Professional 2007 allows remote attackers to cause a denial of service (NULL dereference and application crash) via unspecified vectors related to "improper arguments."20070421 WS_FTP Home 2007 NetscapeFTPHandler denial of service20070422 Re: WS_FTP Home 2007 NetscapeFTPHandler denial of service23584 wsftp-netscapeftphandler-dos(33846)Unrestricted file upload vulnerability in includes/upload_file.php in DmCMS allows remote attackers to upload arbitrary PHP scripts by placing a script's contents in both the File2 and File3 parameters, and sending a ok.php?do=act Referer.20070423 DmCMS Shell Uploading 23628 ADV-2007-15162605The tblinf32.dll (aka vstlbinf.dll) ActiveX control for Internet Explorer 5.01, 6 SP1, and 7 uses an incorrect IObjectsafety implementation, which allows remote attackers to execute arbitrary code by requesting the HelpString property, involving a crafted DLL file argument to the TypeLibInfoFromFile function, which overwrites the HelpStringDll property to call the DLLGetDocumentation function in another DLL file, aka "ActiveX Object Vulnerability."20070815 TlbInf32 ActiveX Command ExecutionTA07-226A25289ADV-2007-286936396oval:org.mitre.oval:def:2109101856226419Kodak Image Viewer in Microsoft Windows 2000 SP4, and in some cases XP SP2 and Server 2003 SP1 and SP2, allows remote attackers to execute arbitrary code via crafted image files that trigger memory corruption, as demonstrated by a certain .tif (TIFF) file.MS07-0554584HPSBST02280TA07-282AVU#18034525909ADV-2007-3435101878427092win-kodak-image-code-execution(36799)oval:org.mitre.oval:def:1481Unspecified vulnerability in the Windows Schannel Security Package for Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2, allows remote servers to execute arbitrary code or cause a denial of service via crafted digital signatures that are processed during an SSL handshake.MS07-031HPSBST02231TA07-163AVU#81007324416ADV-2007-2151oval:org.mitre.oval:def:1895101822625620Unspecified vulnerability in the Win32 API on Microsoft Windows 2000, XP SP2, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via certain parameters to an unspecified function.MS07-035HPSBST02231TA07-163AVU#45728124370ADV-2007-2155oval:org.mitre.oval:def:1643101823025640Unspecified vulnerability in the mdsauth.dll COM object in Microsoft Windows Media Server in the Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4; 6 SP1 on Windows 2000 SP4; 6 and 7 on Windows XP SP2, or Windows Server 2003 SP1 or SP2; or 7 on Windows Vista allows remote attackers to overwrite arbitrary files via unspecified vectors, aka the "Arbitrary File Rewrite Vulnerability."MS07-02723827ADV-2007-1712101801923769VU#500753HPSBST02214TA07-128A34404oval:org.mitre.oval:def:1885ie-msdauth-code-execution(33355)Multiple buffer overflows in the (1) ActiveListen (Xlisten.dll) and (2) ActiveVoice (Xvoice.dll) speech controls, as used by Microsoft Internet Explorer 5.01, 6, and 7, allow remote attackers to execute arbitrary code via a crafted ActiveX object that triggers memory corruption, as demonstrated via the ModeName parameter to the FindEngine function in ACTIVEVOICEPROJECTLib.DirectSS.MS07-033HPSBST02231TA07-163AVU#50743324426ADV-2007-2153oval:org.mitre.oval:def:2031101823525627ie-speech-code-execution(34630)Microsoft XML Core Services (MSXML) 3.0 through 6.0 allows remote attackers to execute arbitrary code via the substringData method on a (1) TextNode or (2) XMLDOM object, which causes an integer overflow that leads to a buffer overflow.MS07-04220070814 Microsoft XML Core Services XMLDOM Memory Corruption Vulnerability20070814 ZDI-07-048: Microsoft Internet Explorer substringData() Heap Overflow Vulnerability20070816 MS07-042 XMLDOM substringData() PoCVU#36196825301ADV-2007-2866oval:org.mitre.oval:def:2069101855926447Object linking and embedding (OLE) Automation, as used in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Office 2004 for Mac, and Visual Basic 6.0 allows remote attackers to execute arbitrary code via the substringData method on a TextNode object, which causes an integer overflow that leads to a buffer overflow.MS07-04320070814 ZDI-07-048: Microsoft Internet Explorer substringData() Heap Overflow VulnerabilityTA07-226A25282ADV-2007-2867oval:org.mitre.oval:def:1248101856026449A component in Microsoft Outlook Express 6 and Windows Mail in Windows Vista does not properly handle certain HTTP headers when processing MHTML protocol URLs, which allows remote attackers to obtain sensitive information from other Internet Explorer domains, aka "URL Parsing Cross Domain Information Disclosure Vulnerability."MS07-03420070622 MS07-034: Executing arbitrary script with mhtml: protocol handlerHPSBST02231TA07-163AVU#68282524392ADV-2007-2154oval:org.mitre.oval:def:20451018231101823225639The MHTML protocol handler in Microsoft Outlook Express 6 and Windows Mail in Windows Vista does not properly handle Content-Disposition "notifications," which allows remote attackers to obtain sensitive information from other Internet Explorer domains, aka "Content Disposition Parsing Cross Domain Information Disclosure Vulnerability."MS07-03420070622 MS07-034: Executing arbitrary script with mhtml: protocol handlerHPSBST02231TA07-163A24410ADV-2007-2154oval:org.mitre.oval:def:20851018233101823425639rpcrt4.dll (aka the RPC runtime library) in Microsoft Windows XP SP2, XP Professional x64 Edition, Server 2003 SP1 and SP2, Server 2003 x64 Edition and x64 Edition SP2, and Vista and Vista x64 Edition allows remote attackers to cause a denial of service (RPCSS service stop and system restart) via an RPC request that uses NTLMSSP PACKET authentication with a zero-valued verification trailer signature, which triggers an invalid dereference. NOTE: this also affects Windows 2000 SP4, although the impact is an information leak.MS07-05820071010 ZDI-07-055: Microsoft Windows DCERPC Authentication Denial of Service VulnerabilityHPSBST02280TA07-282A25974ADV-2007-343810187872713427153oval:org.mitre.oval:def:2310Microsoft Windows Vista uses insecure default permissions for unspecified "local user information data stores" in the registry and the file system, which allows local users to obtain sensitive information such as administrative passwords, aka "Permissive User Information Store ACLs Information Disclosure Vulnerability."MS07-032HPSBST02231TA07-163A24411ADV-2007-2152oval:org.mitre.oval:def:1529101822525623SQL injection vulnerability in CA Clever Path Portal allows remote authenticated users to execute limited SQL commands and retrieve arbitrary database contents via (1) the ofinterest parameter in a light search query, (2) description parameter in the advanced search query, and possibly other vectors.20070424 Security Advisory: CA CleverPath SQL Injection23671ADV-2007-15443412825002ca-cpp-search-sql-injection(33853)101797020070424 Security Advisory: CA CleverPath SQL InjectionDirectory traversal vulnerability in index/mbox/mbox-storage.c in Dovecot before 1.0.rc29, when using the zlib plugin, allows remote attackers to read arbitrary gzipped (.gz) mailboxes (mbox files) via a .. (dot dot) sequence in the mailbox name.20070418 rPSA-2007-0074-1 dovecot[dovecot-cvs] 20070330 dovecot/src/lib-storage/index/mbox mbox-storage.c, 1.145.2.14, 1.145.2.15[dovecot-news] 20070330 Security hole #3: zlib plugin allows opening any gziped mboxes23552ADV-2007-1452 SUSE-SR:2007:008 25072DSA-1359USN-487-1The CHECK command in Cosign 2.0.1 and earlier allows remote attackers to bypass authentication requirements via CR (\r) sequences in the cosign cookie parameter.20070411 Cosign SSO Authentication BypassADV-2007-135924845cosign-bin/cosign.cgi in Cosign 2.0.2 and earlier allows remote authenticated users to perform unauthorized actions as an arbitrary user by using CR (\r) sequences in the service parameter to inject LOGING and REGISTER commands with the desired username.20070411 Cosign SSO Authentication BypassADV-2007-135924845include/common.php in PunBB 1.2.14 and earlier does not properly handle a disabled ini_get function when checking the register_globals setting, which allows remote attackers to register global parameters, as demonstrated by an SQL injection attack on the search_id parameter to search.php.20070411 PunBB <= 1.2.14 Multiple Vulnerabilities (Advisory)20070411 PunBB <= 1.2.14 Remote Code Execution (Exploit)2613Multiple cross-site scripting (XSS) vulnerabilities in PunBB 1.2.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Referer HTTP header to misc.php or the (2) category name when deleting a category in admin_categories.php.20070411 PunBB <= 1.2.14 Multiple Vulnerabilities (Advisory)20070411 PunBB <= 1.2.14 Remote Code Execution (Exploit)ADV-2007-1362248432613footer.php in PunBB 1.2.14 and earlier allows remote attackers to include local files in include/user/ via a cross-site scripting (XSS) attack, or via the pun_include tag, as demonstrated by use of admin_options.php to execute PHP code from an uploaded avatar file.20070411 PunBB <= 1.2.14 Multiple Vulnerabilities (Advisory)20070411 PunBB <= 1.2.14 Remote Code Execution (Exploit)ADV-2007-1362248432613Microsoft Windows Graphics Device Interface (GDI+, GdiPlus.dll) allows context-dependent attackers to cause a denial of service (crash) via an ICO file with an InfoHeader containing a Height of zero, which triggers a divide-by-zero error.VU#29096124346ADV-2007-2083windows-gdi-dos(34743)20070607 CSIS Advisory: Microsoft GDI+ Integer division by zero flaw handling .ICO files1018202Stack-based buffer overflow in the SaveBMP method in the AXIS Camera Control (aka CamImage) ActiveX control before 2.40.0.0 in AxisCamControl.ocx in AXIS 2100, 2110, 2120, 2130 PTZ, 2420, 2420-IR, 2400, 2400+, 2401, 2401+, 2411, and Panorama PTZ allows remote attackers to cause a denial of service (Internet Explorer crash) or execute arbitrary code via a long argument.VU#35580925093 23816 ADV-2007-1663 axis-activex-savebmp-bo(34133)The IBM Lenovo Access Support acpRunner ActiveX control, as distributed in acpcontroller.dll before 1.2.8.0 and possibly acpir.dll before 1.0.0.9 (Automated Solutions 1.0 before fix pack 1), does not properly validate digital signatures of downloaded software, which makes it easier for remote attackers to spoof a download.MS07-045VU#57070525311ADV-2007-288226482ibm-lenovo-acprunner-code-execution(36028)Unspecified vulnerability in query.c in ISC BIND 9.4.0, and 9.5.0a1 through 9.5.0a3, when recursion is enabled, allows remote attackers to cause a denial of service (daemon exit) via a sequence of queries processed by the query_addsoa function.Successful exploitation requires that "recursion" is enabled.ADV-2007-1593101798525070 VU#718460 23738 bind-queryaddsoa-dos(33988) MDKSA-2007:100The IPv6 protocol allows remote attackers to cause a denial of service via crafted IPv6 type 0 route headers (IPV6_RTHDR_TYPE_0) that create network amplification between two routers.[3.9] 20070423 012: SECURITY FIX: April 23, 2007[4.0] 20070423 012: SECURITY FIX: April 23, 20072361524978 openbsd-ipv6-type0-dos(33851) FreeBSD-SA-07:03.ipv6 ADV-2007-1563 25033 25068 25083 RHSA-2007:0347 2528820070615 rPSA-2007-0124-1 kernel xenMDKSA-2007:171MDKSA-2007:196MDKSA-2007:216SUSE-SA:2007:051USN-486-1USN-508-1VU#267289ADV-2007-3050ADV-2007-2270101794925691257702613326651267032662026664SUSE-SA:2008:00628806OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483.20070421 OpenSSH - System Account Enumeration if S/Key is used20070424 OpenSSH - System Account Enumeration if S/Key is used23601openssh-challenge-information-disclosure(33794) 346002631Multiple buffer overflows in Adobe Photoshop CS2 and CS3, Illustrator CS3, and GoLive 9 allow user-assisted remote attackers to execute arbitrary code via a crafted (1) BMP, (2) DIB, or (3) RLE file.379323621ADV-2007-152325023adobe-multiple-files-bo(33838)1017962ADV-2007-3442ADV-2007-34433537010187922684626864Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.10.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the fieldkey parameter to browse_foreigners.php or (2) certain input to the PMA_sanitize function.ADV-2007-150824952 phpmyadmin-fieldkey-xss(33898)DSA-1370MDKSA-2007:19926733Unspecified vulnerability in HP-UX B.11.00 and B.11.11, when running sendmail 8.9.3 or 8.11.1; and HP-UX B.11.23 when running sendmail 8.11.1; allows remote attackers to cause a denial of service via unknown attack vectors. NOTE: due to the lack of details from HP, it is not known whether this issue is a duplicate of another CVE such as CVE-2006-1173 or CVE-2006-4434.HPSBUX0218323606ADV-2007-1504249901017966VU#349305SQL injection vulnerability in modules/news/article.php in phpMySpace Gold 8.10 allows remote attackers to execute arbitrary SQL commands via the item_id parameter.20070422 phpMySpace Gold (v8.10) - Blind SQL/XPath Injection Exploit23602ADV-2007-1515 phpmyspace-article-sql-injection(33843)2616Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Phorum before 5.1.22 allow remote attackers to inject arbitrary web script or HTML via the (1) group_id parameter in the groups module or (2) the smiley_id parameter in the smileys modsettings module.This vulnerability is addressed in the following product release: Phorum, Phorum, 5.1.2220070419 [waraxe-2007-SA#049] - Multiple vulnerabilities in Phorum 5.1.20236161017936249322617include/controlcenter/users.php in Phorum before 5.1.22 allows remote authenticated moderators to gain privileges via a modified (1) user_ids POST parameter or (2) userdata array.20070419 [waraxe-2007-SA#049] - Multiple vulnerabilities in Phorum 5.1.2023616ADV-2007-14791017936249322617admin.php in Phorum before 5.1.22 allows remote attackers to obtain the full path via the module[] parameter.20070419 [waraxe-2007-SA#049] - Multiple vulnerabilities in Phorum 5.1.2023616ADV-2007-14791017936249322617Unspecified vulnerability in the Roles module in Xaraya 1.1.2 and earlier allows attackers to gain privileges via unspecified vectors, probably related to incorrect permission checking in xartemplates/user-view.xd.ADV-2007-152224959 23631 xaraya-roles-module-security-bypass(33844)Directory traversal vulnerability in iconspopup.php in Exponent CMS 0.96.6 Alpha and earlier allows remote attackers to obtain sensitive information via a .. (dot dot) in the icodir parameter.2357424934 exponentcms-iconspopup-directory-traversal(33936)Exponent CMS 0.96.6 Alpha and earlier allows remote attackers to obtain path information via a direct request for (1) sdk/blanks/formcontrol.php and (2) sdk/blanks/file_modules.php.exponentcms-multiple-path-disclosure(33937)PHP remote file inclusion vulnerability in admin/setup/level2.php in PHP Classifieds 6.04, and probably earlier versions, allows remote attackers to execute arbitrary PHP code via a URL in the dir parameter. NOTE: this product was referred to as "Allfaclassfieds" in the original disclosure.20070422 Allfaclassfieds (level2.php dir) remote file inclusion20070425 [false but true] allfaclassfieds-level2-file-include(33798)2618Multiple PHP remote file inclusion vulnerabilities in Download-Engine 1.4.3 allow remote attackers to execute arbitrary PHP code via a URL in the (1) eng_dir parameter to addmember.php, (2) lang_path parameter to admin/enginelib/class.phpmailer.php, and the (3) spaw_root parameter to admin/includes/spaw/dialogs/colorpicker.php, different vectors than CVE-2006-5291 and CVE-2006-5459. NOTE: vector 3 might be an issue in SPAW.20070417 Remot File Include download_engine_V1.4.3downloadengine-multiple-file-include(33723)2619Cross-site scripting (XSS) vulnerability in you.php in TJSChat 0.95 allows remote attackers to inject arbitrary web script or HTML via the user parameter.20070423 TJSChat Version 0.95 Cross Site Scripting 23593 ADV-2007-1517 24998 tjschat-you-xss(33845)2620PHP remote file inclusion vulnerability in subscp.php in Fully Modded phpBB2 allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.20070418 FullyModdedphpBB2 Remote File Inclusion23565phpbb2-subscp-file-include(33751)2621PHP remote file inclusion vulnerability in includes/init.inc.php in PHPMyBibli allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter.20070423 PHPMyBibli <= Multiple Remote File Include 23599 phpmybibli-initinc-file-include(33808)2622SQL injection vulnerability in forum.php in EsForum 3.0 allows remote attackers to execute arbitrary SQL commands via the idsalon parameter.20070422 EsForum <= 3.0 SQL Injection Vulnerability 23605 ADV-2007-1521 25010 esforum-forum-sql-injection(33813)2623Multiple PHP remote file inclusion vulnerabilities in bibtex mase beta 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the bibtexrootrel parameter to (1) unavailable.php, (2) source.php, (3) log.php, (4) latex.php, (5) indexinfo.php, (6) index.php, (7) importinfo.php, (8) import.php, (9) examplefile.php, (10) clearinfo.php, (11) clear.php, (12) aboutinfo.php, (13) about.php, and other unspecified files.20070422 bibtex mase Remote File Inclusion2624PHP remote file inclusion vulnerability in espaces/communiques/annotations.php in C-Arbre 0.6PR7 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter, a different vector than CVE-2007-1721.20070422 c-arbre <= Multiple Remote File Include Vulnerablitiy carbre-annotations-file-include(33816)2625Multiple PHP remote file inclusion vulnerabilities in html/php/detail.php in Sinato jmuffin allow remote attackers to execute arbitrary PHP code via a URL in the (1) relPath and (2) folder parameters. NOTE: this product was originally reported as "File117".20070422 File117 Remote File Inclusion2360023655ADV-2007-1520file117-detail-file-include(33815)2626Heap-based buffer overflow in RealNetworks RealPlayer 10.0, 10.1, and possibly 10.5, RealOne Player, and RealPlayer Enterprise allows remote attackers to execute arbitrary code via an SWF (Flash) file with malformed record headers.20071030 RealPlayer Updates of October 25, 200726214ADV-2007-3628101886627361realplayer-swf-bo(37436)20071031 ZDI-07-061: RealNetworks RealPlayer SWF Processing Remote Code Execution Vulnerability26284Heap-based buffer overflow in RealNetworks RealPlayer 8, 10, 10.1, and possibly 10.5; RealOne Player 1 and 2; and RealPlayer Enterprise allows remote attackers to execute arbitrary code via a RAM (.ra or .ram) file with a large size value in the RA header.20071030 RealPlayer Updates of October 25, 200726214ADV-2007-3628101886627361realplayer-ram-bo(37437)20071031 ZDI-07-063: RealPlayer RA Field Size File Processing Heap Oveflow VulnerabilityCross-site scripting (XSS) vulnerability in YA Book 0.98-alpha allows remote attackers to inject arbitrary web script or HTML via the City field in a sign action in index.php.20070424 YA Book 0.98 Persistent XSS23626 yabook-city-xss(33894)2629Progress Webspeed Messenger allows remote attackers to read, create, modify, and execute arbitrary files by invoking webutil/_cpyfile.p in the WService parameter to (1) cgiip.exe or (2) wsisa.dll in scripts/, as demonstrated by using the save,editor options to create a new file using the fileName parameter.20070424 Progress Webspeed exploit for all releases236342498820070629 Re: Re: Progress Webspeed exploit for all releasesUnspecified vulnerability in Sun Cluster 3.1 and Solaris Cluster 3.2 before 20070424 allows remote authenticated users, operating from a different cluster node, to cause a denial of service (data corruption or send_mondo panic) via unspecified vectors, as demonstrated by EMC Symcli backup software 6.2.1.102874 ADV-2007-1530 cluster-sibling-node-dos(33858) 23638 1017953 249851018642Multiple directory traversal vulnerabilities in SWsoft Plesk for Windows 7.6.1, 8.1.0, and 8.1.1 allow remote attackers to read arbitrary files via a .. (dot dot) in the locale_id parameter to (1) login.php3 or (2) login_up.php3.34081340822363925036ADV-2007-1588Directory traversal vulnerability in top.php3 in SWsoft Plesk for Windows 8.1 and 8.1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the locale_id parameter. 25036The Linksys SPA941 VoIP Phone allows remote attackers to cause a denial of service (device reboot) via a 0377 (0xff) character in the From header, and possibly certain other locations, in a SIP INVITE request.3791379223619 ADV-2007-1532 linksys-spa941-sip-dos(33856) 20070424 Linksys SPA941 remote DOS with \377 character 1017957 25031Directory traversal vulnerability in Rajneel Lal TotaRam USP FOSS Distribution 1.01 allows remote attackers to read arbitrary files via a .. (dot dot) in the dnld parameter.379423632 ADV-2007-1527 24957 uspfoss-download-file-include(33893)PHP remote file inclusion vulnerability in docs/front-end-demo/cart2.php in Advanced Webhost Billing System (AWBS) 2.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the workdir parameter.379523633 awbs-cart2-file-include(33860) 25046PHP remote file inclusion vulnerability in include/loading.php in Alessandro Lulli wavewoo 0.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the path_include parameter.379625015 23636 ADV-2007-1528 wavewoo-loading-file-include(33865)The BitTorrent implementation in Opera 9.2 allows remote attackers to cause a denial of service (CPU consumption and application crash) via a malformed torrent file. NOTE: the original disclosure refers to this to as a memory leak, but it is not certain.3784opera-bittorrent-dos(34079)Unspecified vulnerability in HP StorageWorks Command View Advanced Edition for XP before 5.6.0-01, XP Replication Monitor before 5.6.0-01, and XP Tiered Storage Manager before 5.5.0-02 allows local users to access other accounts via unspecified vectors during registration or addition of new users.HPSBST0220023630 ADV-2007-1533 25029 1017959** DISPUTED ** 3Com TippingPoint IPS allows remote attackers to cause a denial of service (device hang) via a flood of packets on TCP port 80 with sequentially increasing source ports, related to a "badly written loop." NOTE: the vendor disputes this issue, stating that the product has "performed as expected with no DoS emerging."20070424 3Com's TippingPoint Denial of Service20070424 Re: 3Com's TippingPoint Denial of Service2364420070425 Re: 3Com's TippingPoint Denial of ServiceSession fixation vulnerability in Plogger allows remote attackers to hijack web sessions by setting the PHPSESSID parameter.20070424 [MajorSecurity Advisory #46]Plogger - Session fixation Issue plogger-phpsessid-weak-security(33863)2614Multiple PHP remote file inclusion vulnerabilities in DCP-Portal 6.1.1 allow remote attackers to execute arbitrary PHP code via a URL in (1) the path parameter to library/adodb/adodb.inc.php, (2) the abs_path_editor parameter to library/editor/editor.php, or (3) the cfgfile_to_load parameter to admin/phpMyAdmin/libraries/common.lib.php.20070424 dcp-portal v611 >> RFi dcpportal-adodb-editor-file-include(33876) dcpportal-common-file-include(33878)2615The Scheduler Service (VxSchedService.exe) in Symantec Storage Foundation for Windows 5.0 allows remote attackers to bypass authentication and execute arbitrary code via certain requests to the service socket that create (1) PreScript or (2) PostScript registry values under Veritas\VxSvc\CurrentVersion\Schedules specifying future command execution.2419420070605 TPTI-07-08: Symantec Veritas Storage Foundation Scheduler Service Authentication Bypass VulnerabilityADV-2007-2035101818825537symantec-scheduler-security-bypass(34680)Cisco Network Services (CNS) NetFlow Collection Engine (NFC) before 6.0 has an nfcuser account with the default password nfcuser, which allows remote attackers to modify the product configuration and, when installed on Linux, obtain login access to the host operating system.The vendor has addressed this issue through the update 6.0.0 of the NetFlow Collection Engine. 20070425 Default Passwords in NetFlow Collection Engine23647ADV-2007-15451017960cisco-nfc-default-password(33861)VU#12754535524Buffer overflow in Fresh View 7.15 allows user-assisted remote attackers to execute arbitrary code via a crafted .PSP file.379823660ADV-2007-154325054freshview-psp-bo(33866)Buffer overflow in ABC-View Manager 1.42 allows user-assisted remote attackers to execute arbitrary code via a crafted .PSP file.379723653ADV-2007-1542 25055 abcviewmanager-psp-bo(33862)Directory traversal vulnerability in examples/layout/feed-proxy.php in Jack Slocum Ext 1.0 alpha1 (Ext JS) allows remote attackers to read arbitrary files via a .. (dot dot) in the feed parameter. NOTE: analysis by third party researchers indicates that this issue might be platform dependent.380020070426 False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure20070426 Re: False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure20070426 re: False: ext 1.0 alpha1 (feed-proxy.php) Remote File Disclosure23643 ext-feedproxy-directory-traversal(33864)PHP remote file inclusion vulnerability in config.php in Built2Go PHP Link Portal 1.79 allows remote attackers to execute arbitrary PHP code via a URL in the full_path_to_db parameter.20070425 Built2Go_PHP_Link_Portal_v1.79 >> RFI23651PHP remote file inclusion vulnerability in accept.php in comus 2.0 Final allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter.20070425 comus 2.0 Final >> RFI23661 comus-accept-file-include(33870) 34168PHP remote file inclusion vulnerability in info.php in Doruk100.net doruk100net allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.20070425 :doruk100net >> RFI 23675 doruk100net-info-file-include(33923)PHP remote file inclusion vulnerability in admin/includes/spaw/dialogs/insert_link.php in download engine (Download-Engine) 1.4.1 allows remote authenticated users to execute arbitrary PHP code via a URL in the spaw_root parameter, a different vector than CVE-2007-2255. NOTE: this may be an issue in SPAW.20070425 download engine V1.4.1 >> RFI (local) downloadengine-insertlink-file-include(33918)Multiple PHP remote file inclusion vulnerabilities in B2 Weblog and News Publishing Tool 0.6.1 allow remote attackers to execute arbitrary PHP code via a URL in the b2inc parameter to (1) b2archives.php, (2) b2categories.php, or (3) b2mail.php. NOTE: this may overlap CVE-2002-1466.20070425 B2 Weblog and News Publishing Tool v0.6.1 >> RFI23659 b2-b2inc-file-include(33884)2632CRLF injection vulnerability in the Digest Authentication support for Microsoft Internet Explorer 7.0.5730.11 allows remote attackers to conduct HTTP response splitting attacks via a LF (%0a) in the username attribute.20070425 IE 7 and Firefox Browsers Digest Authentication Request Splitting2366810179692654ie-lf-response-splitting(33978)CRLF injection vulnerability in the Digest Authentication support for Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allows remote attackers to conduct HTTP request splitting attacks via LF (%0a) bytes in the username attribute.20070425 IE 7 and Firefox Browsers Digest Authentication Request Splitting23668101796820071029 FLEA-2007-0062-1 firefox20071026 rPSA-2007-0225-1 firefox20071029 rPSA-2007-0225-2 firefox thunderbirdDSA-1396DSA-1401DSA-1392FEDORA-2007-2601FEDORA-2007-2664GLSA-200711-14MDKSA-2007:202RHSA-2007:0979RHSA-2007:0980RHSA-2007:0981SUSE-SA:2007:057USN-535-1USN-536-1ADV-2007-3544272762732527327273352735627383274252740327480273872729827311273152733627665274142654firefox-lf-response-splitting(33981)FEDORA-2007-343127680HPSBUX02153ADV-2007-3587ADV-2008-00832736028398201516Multiple stack-based buffer overflows in the process_sdp function in chan_sip.c of the SIP channel T.38 SDP parser in Asterisk before 1.4.3 allow remote attackers to execute arbitrary code via a long (1) T38FaxRateManagement or (2) T38FaxUdpEC SDP parameter in an SIP message, as demonstrated using SIP INVITE.asterisk-processsdp-bo(33895)20070704 Multiple Remote unauthenticated stack overflows in Asterisk chan_sip.c353681018337264520070425 ASA-2007-010: Two stack buffer overflows in SIP channel's T.38 SDP parsing code23648101795124977ADV-2007-1534The Manager Interface in Asterisk before 1.2.18 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (crash) by using MD5 authentication to authenticate a user that does not have a password defined in manager.conf, resulting in a NULL pointer dereference.Successful exploitation requires that the Management Interface is enabled and a user without a password is configured in the manager.conf file.20070425 ASA-2007-012: Remote Crash Vulnerability in Manager Interface101795524977 23649 ADV-2007-1534 asterisk-interface-dos(33886)DSA-1358SUSE-SA:2007:03435369255822646Heap-based buffer overflow in the JVTCompEncodeFrame function in Apple Quicktime 7.1.5 and other versions before 7.2 allows remote attackers to execute arbitrary code via a crafted H.264 MOV file.236501017965APPLE-SA-2007-07-11TA07-193AADV-2007-251035577101837326034quicktime-h264-code-execution(35356)quicktime-jvtcompencodeframe-bo(34070)Integer overflow in the FlipFileTypeAtom_BtoN function in Apple Quicktime 7.1.5, and other versions before 7.2, allows remote attackers to execute arbitrary code via a crafted M4V (MP4) file.236521017967APPLE-SA-2007-07-11TA07-193AADV-2007-251035578101837326034quicktime-flipfiletypeatombton-overflow(34069)The SIP channel driver (chan_sip) in Asterisk before 1.2.18 and 1.4.x before 1.4.3 does not properly parse SIP UDP packets that do not contain a valid response code, which allows remote attackers to cause a denial of service (crash).20070425 ASA-2007-011: Multiple problems in SIP channel parser handling response codes1017954 asterisk-sip-response-dos(33892)DSA-1358SUSE-SA:2007:03424359255822644Multiple PHP remote file inclusion vulnerabilities in Garennes 0.6.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the repertoire_config parameter to index.php in (1) cpe/, (2) direction/, or (3) professeurs/.373223479ADV-2007-1389Multiple SQL injection vulnerabilities in Frogss CMS 0.7 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) dzial parameter to (a) katalog.php, or the (2) t parameter to (b) forum.php or (c) forum/viewtopic.php, different vectors than CVE-2006-4536.373123476ADV-2007-1388frogsscms-katalog-sql-injection(33640)Multiple cross-site scripting (XSS) vulnerabilities in Endy Kristanto Surat kabar / News Management Online (aka phpwebnews) 0.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the m_txt parameter to (1) iklan.php, (2) index.php, or (3) bukutamu.php.20070412 phpwebnews v.1 Multiple Cross Site Scripting Vulnerabilites23448phpwebnews-mtxt-xss(33641)3536535366353672643Multiple PHP remote file inclusion vulnerabilities in audioCMS arash 0.1.4 allow remote attackers to execute arbitrary PHP code via a URL in the arashlib_dir parameter to (1) edit.inc.php and (2) list_features.inc.php in arash_lib/include, and (3) arash_gadmin.class.php and (4) arash_sadmin.class.php in arash_lib/class/.374423496ADV-2007-1396PHP remote file inclusion vulnerability in autoindex.php in Expow 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the cfg_file parameter.372223464expow-autoindex-file-include(33619)Directory traversal vulnerability in includes/footer.php in News Manager Deluxe (NMDeluxe) 1.0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the template parameter.3742ADV-2007-139524896Multiple directory traversal vulnerabilities in Quick and Dirty Blog (QDBlog) 0.4, and possibly earlier, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme parameter to categories.php and other unspecified files.372923485ADV-2007-1387qdblog-categories-file-include(33634)Multiple SQL injection vulnerabilities in authenticate.php in Quick and Dirty Blog (QDBlog) 0.4, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.372923485ADV-2007-1387qdblog-login-sql-injection(33631)Multiple cross-site scripting (XSS) vulnerabilities in the Virtual War (VWar) 1.5.0 R15 and earlier module for PHP-Nuke, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) memberlist parameter to extra/login.php and the (2) title parameter to extra/today.php.20070413 [waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke23478vwar-login-today-xss(33647)2642PHP remote file inclusion vulnerability in engine/engine.inc.php in WebKalk2 1.9.0 allows remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter.371723451ADV-2007-1385webkalk2-engine-file-include(33598)Cross-site scripting (XSS) vulnerability in cas.php in FloweRS 2.0 allows remote attackers to inject arbitrary web script or HTML via the rok parameter.20070414 FloweRS v2.0 Cross Site Scripting23488ADV-2007-14022639Cross-site scripting (XSS) vulnerability in cas.php in FloweRS 2.0 allows remote attackers to inject arbitrary web script or HTML via the den parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.ADV-2007-1402Cross-site scripting (XSS) vulnerability in plugins/spaw/img_popup.php in BloofoxCMS 0.2.2 allows remote attackers to inject arbitrary web script or HTML via the img_url parameter.20070414 bloofoxCMS 0.2.2 Cross Site Scripting234872640** DISPUTED ** PHP remote file inclusion vulnerability in install/index.php in BlooFoxCMS 0.2.2 allows remote attackers to execute arbitrary PHP code via a URL in the content_php parameter. NOTE: this issue has been disputed by a reliable third party, stating that content_php is initialized before use.20070414 bloofoxCMS 0.2.2 Remote File Include Vulnerabilitiy20070415 false: bloofoxCMS 0.2.2 Remote File Include Vulnerabilitiy 20070417 Re: bloofoxCMS 0.2.2 Remote File Include Vulnerabilitiy2641Multiple SQL injection vulnerabilities in the Virtual War (VWar) 1.5.0 R15 module for PHP-Nuke allow remote attackers to execute arbitrary SQL commands via the n parameter to extra/online.php and other unspecified scripts in extra/. NOTE: this might be same vulnerability as CVE-2006-4142; however, there is an intervening vendor fix announcement.20070413 [waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke20070413 DUP?: [waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke23478vwar-online-sql-injection(33649)2642PHP remote file inclusion vulnerability in getinfo1.php in the Shotcast 1.0 RC2 module for mxBB allows remote attackers to execute arbitrary PHP code via a URL in the mx_root_path parameter.371623444ADV-2007-1384mxbb-shotcast-getinfo1-file-include(33599)Multiple SQL injection vulnerabilities in Crea-Book 1.0, and possibly earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) pseudo or (2) passe parameter to (a) configurer.php, (b) connect.php, (c) delete.php, (d) delete2.php, (e) index.php, (f) infos.php, (g) membres.php, (h) modif-infos.php, (i) modif-message.php, (j) modif.php, (k) uninstall.php, or (l) uninstall_table.php in admin/, different vectors than CVE-2007-2000. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24862348183481934820348213482234823348243482534826348273482834829MiniShare 1.5.4, and possibly earlier, allows remote attackers to cause a denial of service (application crash) via a flood of requests for new connections.24898Unspecified vulnerability in the admin script in Open Business Management (OBM) before 2.0.0 allows remote attackers to have an unknown impact by calling the script "in txt mode from a browser."23472ADV-2007-137624775Multiple PHP remote file inclusion vulnerabilities in MiniBB Forum 1.5a and earlier, as used by TOSMO/Mambo 4.0.12 and probably other products, allow remote attackers to execute arbitrary PHP code via a URL in the absolute_path parameter to bb_plugins.php in (1) components/minibb/ or (2) components/com_minibb, or (3) configuration.php. NOTE: the com_minibb.php vector is already covered by CVE-2006-3690.370720070413 Dup: TOSMO/Mambo 1.4.13a (absolute_path) Remote File Inclusion Vulns23416ADV-2007-1354tosmomambo-absolutepath-file-include(33578)Multiple format string vulnerabilities in FileZilla before 2.2.32 allow remote attackers to execute arbitrary code via format string specifiers in (1) FTP server responses or (2) data sent by an FTP server. NOTE: some of these details are obtained from third party information.2350624894PHP remote file inclusion vulnerability in the AutoStand 1.1 and earlier module for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to mod_as_category.php in (1) modules/mod_as_category/ or (2) modules/.373423490ADV-2007-1392autostand-modascategory-file-include(33660)SQL injection vulnerability in kontakt.php in Papoo 3.02 and earlier allows remote attackers to execute arbitrary SQL commands via the menuid parameter, a different vector than CVE-2005-4478.373923500 25071 papoo-kontakt-sql-injection(33682)Unspecified vulnerability in the search functionality in SilverStripe 2.0.0 has unknown impact and attack vectors.24936 ADV-2007-1537 silverstripe-search-unspecified(33883)NMMediaServer.exe in Nero MediaHome 2.5.5.0 and CE 1.3.0.4 allows remote attackers to cause a denial of service (NULL dereference and application crash) via a crafted packet that contains two CRLF sequences. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2472423640nero-crlf-dos(33974)Multiple buffer overflows in the WinDVDX ActiveX control in InterVideo Home Theater 2.1.13.0 and 2.5.13.58 allow remote attackers to execute arbitrary code via a long string argument to the (1) GetDiscType or (2) AddFileList method. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.24710 intervideo-windvdx-bo(33868)Directory traversal vulnerability in file.php in JulmaCMS 1.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.379923642 25053 julmacms-file-directory-traversal(33859)PHP remote file inclusion vulnerability in include.php in MyNewsGroups :) allows remote attackers to execute arbitrary PHP code via a URL in the myng_root parameter.20070424 MyNewsGroups >> RFI in include.php 23646 mynewsgroups-include-file-include(33867)Multiple PHP remote file inclusion vulnerabilities in HYIP Manager Pro allow remote attackers to execute arbitrary PHP code via a URL in the plugin_file parameter to (1) Smarty.class.php and (2) Smarty_Compiler.class.php in inc/libs/; (3) core.display_debug_console.php, (4) core.load_plugins.php, (5) core.load_resource_plugin.php, (6) core.process_cached_inserts.php, (7) core.process_compiled_include.php, and (8) core.read_cache_file.php in inc/libs/core/; and other unspecified files. NOTE: (1) and (2) might be incorrectly reported vectors in Smarty.20070425 HYIP Manager Pro Script >> Remote file Include 23663 hyipmanager-pluginfile-file-include(33882)2634PHP remote file inclusion vulnerability in _editor.php in HTMLeditbox 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the settings[app_dir] parameter.20070425 HTMLeditbox & 2.2 >> RFI 23664 htmleditbox-editor-file-include(33875)2635PHP remote file inclusion vulnerability in addvip.php in phpMYTGP 1.4b allows remote attackers to execute arbitrary PHP code via a URL in the msetstr[PROGSDIR] parameter.20070425 phpMYTGP v v1.4b >> RFI phpmytgp-addvip-file-include(33880)2636PHP remote file inclusion vulnerability in searchbot.php in Searchactivity allows remote attackers to execute arbitrary PHP code via a URL in the path parameter.20070425 Searchactivity >> RFI searchactivity-searchbot-file-include(33881)2637PHP remote file inclusion vulnerability in includes_handler.php in DynaTracker 151 allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter.20070425 DynaTracker &v151>> RFI 23667 dynatracker-basepath-file-include(33873)2638PHP remote file inclusion vulnerability in cart.php in Shop-Script 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the lang_list parameter.20070425 Shop-Script v 2.0 >> RFI shopscript-cart-file-include(33877)2633Nortel VPN Router (aka Contivity) 1000, 2000, 4000, and 5000 before 6_05.140 uses a fixed DES key to encrypt passwords, which allows remote authenticated users to obtain a password via a brute force attack on a hash from the LDAP store.23562ADV-2007-146424962Nortel VPN Router (aka Contivity) 1000, 2000, 4000, and 5000 before 5_05.149, 5_05.3xx before 5_05.304, and 6.x before 6_05.140 includes the FIPSecryptedtest1219 and FIPSunecryptedtest1219 default accounts in the LDAP template, which might allow remote attackers to access the private network.The vendor has addressed this issue through a product update that can be found at: http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=567877&RenditionID=&poid=null 23562ADV-2007-1464101794324962Nortel VPN Router (aka Contivity) 1000, 2000, 4000, and 5000 before 5_05.149, 5_05.3xx before 5_05.304, and 6.x before 6_05.140 has two template HTML files lacking certain verification tags, which allows remote attackers to access the administration interface and change the device configuration via certain requests.The vendor has addressed this issue with the following product update: http://www130.nortelnetworks.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=567877&RenditionID=&poid=null 23562ADV-2007-1464101794324962Cross-site scripting (XSS) vulnerability in the RSS feed reader functionality in Lunascape 4.1.3 build2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.23665ADV-2007-153825000lunascape-rssfeed-xss(34074)Unspecified vulnerability in InterVations NaviCOPA Web Server 2.01 20070323 allows remote attackers to cause a denial of service (daemon crash) via crafted HTTP requests, as demonstrated by long requests containing '\A' characters, probably a different issue than CVE-2006-5112 and CVE-2007-1733. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.25049 navicopa-httpget-dos(33903)Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS 0.96.6 Alpha and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) url parameter to (a) magpie_debug.php and (b) magpie_simple.php in external/magpierss/scripts/, the (2) rss_url parameter to (c) magpie_slashbox.php in external/magpierss/scripts/, and the (3) body parameter to the (d) weblogmodule (aka Weblog Comments) module.23574exponentcms-multiple-scripts-xss(34077)Cross-site request forgery (CSRF) vulnerability in include/admin/banlist.php in Phorum before 5.1.22 allows remote attackers to perform unauthorized banlist deletions as an administrator via the delete parameter.20070419 [waraxe-2007-SA#049] - Multiple vulnerabilities in Phorum 5.1.2023616ADV-2007-14791017936249322617phorum-banlist-csrf(34078)Multiple SQL injection vulnerabilities in Phorum before 5.1.22 allow remote attackers to execute arbitrary SQL commands via (1) a modified recipients parameter name in (a) pm.php; (2) the curr parameter to the (b) badwords (aka censorlist) or (c) banlist module in admin.php; or (3) the "Edit groups / Add group" field in the (d) groups module in admin.php.20070419 [waraxe-2007-SA#049] - Multiple vulnerabilities in Phorum 5.1.2023616ADV-2007-14791017936249322617phorum-multiple-scripts-sql-injection(34081)Multiple PHP remote file inclusion vulnerabilities in inc/include_all.inc.php in phporacleview allow remote attackers to execute arbitrary PHP code via a URL in the (1) page_dir or (2) inc_dir parameters.380323672phporacleview-includeallinc-file-include(33904)ADV-2007-155525035PHP remote file inclusion vulnerability in suite/index.php in phpBandManager 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the pg parameter.380223673 ADV-2007-1556 phpbandmanager-index-file-include(33906)SQL injection vulnerability in error.asp in CreaScripts CreaDirectory 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2006-6083.376723564 ADV-2007-1476Stack-based buffer overflow in the TFTPD component in Enterasys NetSight Console 2.1 and NetSight Inventory Manager 2.1, and possibly earlier, allows remote attackers to execute arbitrary code via crafted request packets that contain long file names.20070404 Enterasys Networks Multiple NetSight Products Multiple VulnerabilitiesADV-2007-1271101787624764The BOOTPD component in Enterasys NetSight Console 2.1 and NetSight Inventory Manager 2.1, and possibly earlier, on Windows allows remote attackers to cause a denial of service (daemon crash) via a UDP packet that contains an invalid "packet type" field.The vendor has addressed this issue with the following product updates: Apply Security Patch 1 : http://www.enterasys.com/products/management/downloads/security_and_patches/ Or upgrade to Enterasys NetSight Console 2.3.1 build 6 and NetSight Inventory Manager 2.2.2 build 4 : http://www.enterasys.com/services/support/downloads/ 20070404 Enterasys Networks Multiple NetSight Products Multiple VulnerabilitiesADV-2007-1271101787624764PHP remote file inclusion vulnerability in include/include_stream.inc.php in CodeWand phpBrowse allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter.366823329Multiple PHP remote file inclusion vulnerabilities in PHP-Generics 1.0 beta allow remote attackers to execute arbitrary PHP code via a URL in the _APP_RELATIVE_PATH parameter to (1) include.php, (2) dbcommon/include.php, and (3) exception/include.php.366923328PHP remote file inclusion vulnerability in main/forum/komentar.php in OneClick CMS (aka Sisplet CMS) 05.10 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the site_path parameter.3667Sispletcms-komentar-file-include(33455)23334mirror --script in lftp before 3.5.9 does not properly quote shell metacharacters, which might allow remote user-assisted attackers to execute shell commands via a malicious script. NOTE: it is not clear whether this issue crosses security boundaries, since the script already supports commands such as "get" which could overwrite executable files. ADV-2007-1590 23736 25107 25132Cross-site scripting (XSS) vulnerability in Invision Power Board (IP.Board) 2.1.x and 2.2.x allows remote attackers to inject arbitrary web script or HTML by uploading crafted images or PDF files.The vendor has addressed this issue with the following product update: http://forums.invisionpower.com/index.php?showtopic=234377ADV-2007-155825021ipb-classupload-xss(33942)admin/config.php in the music-on-hold module in freePBX 2.2.x allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the del parameter.20070421 freePBX 2.2.x's Music-on-hold Remote Code Execution InjectionADV-2007-1535249352652Unspecified vulnerability in the HP Power Manager Remote Agent (RA) 4.0Build10 and earlier in HP-UX B.11.11 and B.11.23 allows local users to execute arbitrary code via unspecified vectors.The vendor has addressed this issue with the following product update: http://h18004.www1.hp.com/products/servers/proliantstorage/power-protection/software/power-manager/pm3-dl.htmlHPSBMA0219723703ADV-2007-157425066 1017977hpux-hppower-privilege-escalation(33965)Multiple format string vulnerabilities in AFFLIB 2.2.6 allow remote attackers to execute arbitrary code via certain command line parameters, which are used in (1) warn and (2) err calls, possibly involving (a) lib/s3.cpp, (b) tools/afconvert.cpp, (c) tools/afcopy.cpp, (d) tools/afinfo.cpp, (e) aimage/imager.cpp, and (f) tools/afxml.cpp. NOTE: this identifier is intended to address the vectors that were not fixed in CVE-2007-2054, but the unfixed vectors were not explicitly listed.The vendor has addressed this issue with the following product update: http://www.afflib.org/downloads/ 20070427 AFFLIB(TM): Multiple Format String Injections2657Apache Axis 1.0 allows remote attackers to obtain sensitive information by requesting a non-existent WSDL file, which reveals the installation path in the resulting exception message.20070427 Apache AXIS Non-Existent Java Web Service Path Disclosure?2368734154apache-axis-wsdl-path-disclosure(34167)Progress Webspeed Messenger allows remote attackers to obtain sensitive information via a WService parameter containing "wsbroker1/webutil/about.r", which reveals the operating system and product information.20070429 Flaw in about.r OS and Progress version disclosureThe get_url function in DODS_Dispatch.pm for the CGI_server in OPeNDAP 3 allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.The vendor has addressed this issue with the following solution: http://www.opendap.org/server3-patch-04.27.2007.txtVU#85715323719 ADV-2007-1591 1017983 25060 opendap-geturl-command-execution(33997)Stack-based buffer overflow in the set_color_table function in sunras.c in the SUNRAS plugin in Gimp 2.2.14 allows user-assisted remote attackers to execute arbitrary code via a crafted RAS file.38012368025012gimp-sunras-plugin-bo(33911)ADV-2007-156020070430 FLEA-2007-0015-1: gimpGLSA-200705-082511125167RHSA-2007:0343SUSE-SR:2007:01125239DSA-1301MDKSA-2007:108USN-467-1101809225346253592546625573103170ADV-2007-424128114201320Cross-site scripting (XSS) vulnerability in mods/Core/result.php in SineCms 2.3.4 allows remote attackers to inject arbitrary web script or HTML via the stringa parameter.20070426 SineCMS23682 ADV-2007-1559 25014 sinecms-result-xss(33919)2649** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in b2evolution allow remote attackers to execute arbitrary PHP code via a URL in the (1) inc_path parameter to (a) a_noskin.php, (b) a_stub.php, (c) admin.php, (d) contact.php, (e) default.php, (f) index.php, and (g) multiblogs.php in blogs/; the (2) view_path and (3) control_path parameters to blogs/admin.php; and the (4) skins_path parameter to (h) blogs/contact.php and (i) blogs/multiblogs.php. NOTE: this issue is disputed by CVE, since the inc_path, view_path, control_path, and skins_path variables are all initialized in conf/_advanced.php before they are used.20070425 Remote File Inclusion20070427 What the *#$(! -- b2evolution RFI [False]b2evolution-multiple-scripts-file-include(33907) 34152Buffer overflow in Ghost Service Manager, as used in Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, allows local users to gain privileges via a long string.20070426 Symantec Norton Ghost 10 Service Manager Buffer Overflow Vulnerability 1017971 symantec-backup-unspecified-bo(33931)ADV-2007-155225013Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, when remote backups of restore point images are configured, encrypt network share credentials with a key formed by a hash of the username, which allows local users to obtain the credentials by calculating the key."In order for this exploit to have an impact, administrators would either have to configure client machines to save restore points images to a private share, or the vulnerable machine would have to be shared by several users who each saved their restore points images to private shares."20070426 Symantec Norton Ghost 10 Recovery Points Insecure Password Storage Vulnerability 1017971ADV-2007-155225013Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, when remote backups of restore points images are configured, uses weak permissions (world readable) for a configuration file with network share credentials, which allows local users to obtain the credentials by reading the file.20070426 Symantec Norton Ghost 10 Recovery Points Insecure Password Storage Vulnerability 1017971 symantec-backup-information-disclosure(33929)ADV-2007-155225013Multiple buffer overflows in MyDNS 1.1.0 allow remote attackers to (1) cause a denial of service (daemon crash) and possibly execute arbitrary code via a certain update, which triggers a heap-based buffer overflow in update.c; and (2) cause a denial of service (daemon crash) via unspecified vectors that trigger an off-by-one stack-based buffer overflow in update.c.Successful exploitation requires update privileges and that "allow-update" is set to "yes" in mydns.conf.20070427 mydns-1.1.0 remote heap overflow23694ADV-2007-156125007mydns-update-bo(33933)2658DSA-143428086Buffer overflow in IrfanView 4.00 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted .IFF file.381123692irfanview-iff-bo(33946)ADV-2007-157525052Multiple PHP remote file inclusion vulnerabilities in burnCMS 0.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the root parameter to (1) mysql.class.php or (2) postgres.class.php in lib/db/; or (3) authuser.php, (4) misc.php, or (5) connect.php in lib/.380923691ADV-2007-1557burncms-multiple-script-file-include(33938)Buffer overflow in Adobe Photoshop CS2 and CS3, Photoshop Elements 5.0, Illustrator CS3, and GoLive 9 allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file.381223698ADV-2007-157725044adobe-pngfile-bo(33956)ADV-2007-3442ADV-2007-344310187922684626864Buffer overflow in Corel Paint Shop Pro 11.20 allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file.381223698ADV-2007-157625034adobe-pngfile-bo(33956)Buffer overflow in wserve_console.exe in Wserve HTTP Server (whttp) 4.6 allows remote attackers to cause a denial of service (forced application exit) via a long directory name in the URI.20070405 Wserve HTTP Server 4.6 Version (Long Directory Name) Buffer Overflow - Denial Of Service233412647picture.php in WebSPELL 4.01.02 and earlier allows remote attackers to read arbitrary files via the file parameter.3673Directory traversal vulnerability in picture.php in WebSPELL 4.01.02 and earlier, when PHP before 4.3.0 is used, allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter.Successful exploitation requires that PHP before 4.3.0 is used.3673SQL injection vulnerability in index.php in the John Mordo Jobs 2.4 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a jobsview action. NOTE: the module name was originally reported as Job Listings.367220070405 true: XOOPS Module Jobs <= 2.4 (cid) SQL Injection Exploitadmin/index.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier provides access to configuration modification before login, which allows remote attackers to cause a denial of service (loss of configuration data), and possibly perform direct static code injection, via a saveGlobalconfig action.367123342admin/send_mod.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier prints a Location header but does not exit when administrative credentials are missing, which allows remote attackers to compose an e-mail message via a post with the subject, message, format, and list_id fields; and send the message via a direct request for the MsgId value under admin/.367123342SQL injection vulnerability in viewcat.php in the WF-Links (wflinks) 1.03 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter.367020080218 XOOPS Module wflinks SQL Injection(cid)20080220 Re: XOOPS Module wflinks SQL Injection(cid)23340Unspecified vulnerability in Microsoft Windows 2000, XP, and Server 2003 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors. NOTE: this information is based upon a vague pre-advisory with no actionable information. However, the advisory is from a reliable source.23332The agent remote upgrade interface in Symantec Enterprise Security Manager (ESM) before 20070405 does not verify the authenticity of upgrades, which allows remote attackers to execute arbitrary code via software that implements the agent upgrade protocol.2328724767 1017881The Dojo framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."The Getahead Direct Web Remoting (DWR) framework 1.1.4 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."The Google Web Toolkit (GWT) framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."The Microsoft Atlas framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."The MochiKit framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."The Moo.fx framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."The Script.aculo.us framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."The Yahoo! UI framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."Buffer overflow in mDNSResponder in Apple Mac OS X 10.4 up to 10.4.9 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted UPnP Internet Gateway Device (IGD) packet.APPLE-SA-2007-05-24APPLE-SA-2007-06-20VU#2218762414424159ADV-2007-1939ADV-2007-22693514210181232540225745macos-mdnsresponder-upnp-bo(34493)Apple Xserve Lights-Out Management before Firmware Update 1.0 on Intel hardware does not require a password for remote access to IPMI, which allows remote attackers to gain administrative access via unspecified requests with ipmitool.APPLE-SA-2007-05-3124257ADV-2007-2014254991018181xserve-ipmi-privilege-escalation(34651)Apple QuickTime for Java 7.1.6 on Mac OS X and Windows does not properly restrict QTObject subclassing, which allows remote attackers to execute arbitrary code via a web page containing a user-defined class that accesses unsafe functions that can be leveraged to write to arbitrary memory locations.APPLE-SA-2007-05-29VU#99583624221ADV-2007-197435576101813625130Apple QuickTime for Java 7.1.6 on Mac OS X and Windows does not clear potentially sensitive memory before use, which allows remote attackers to read memory from a web browser via unknown vectors related to Java applets.APPLE-SA-2007-05-29VU#43474824222ADV-2007-197435575101813625130quicktime-applet-information-disclosure(34571)Buffer overflow in iChat in Apple Mac OS X 10.3.9 and 10.4.9 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted UPnP Internet Gateway Device (IGD) packet.APPLE-SA-2007-05-24VU#11610024144ADV-2007-193935141101811925402macos-ichat-bo(34502)Cross-site scripting (XSS) vulnerability in Apple Safari Beta 3.0.1 for Windows allows remote attackers to inject arbitrary web script or HTML via a web page that includes a windows.setTimeout function that is activated after the user has moved from the current page.APPLE-SA-2007-06-1420070613 Apple Safari: cookie stealing20070613 Re: [Full-disclosure] Apple Safari: cookie stealing24457ADV-2007-21921018238safari-settimeout-security-bypass(34847)Apple Quicktime before 7.2 on Mac OS X 10.3.9 and 10.4.9 allows user-assisted remote attackers to execute arbitrary code via a crafted movie file that triggers memory corruption.APPLE-SA-2007-07-11VU#58268124873ADV-2007-251026034quicktime-moviefile-code-execution(35353)TA07-193A1018373The design of QuickTime for Java in Apple Quicktime before 7.2 allows remote attackers to bypass certain security controls and write to process memory via Java applets, possibly leading to arbitrary code execution.APPLE-SA-2007-07-1124873ADV-2007-251026034quicktime-java-applet-code-execution(35359)TA07-193A1018373Integer overflow in Apple Quicktime before 7.2 on Mac OS X 10.3.9 and 10.4.9 allows user-assisted remote attackers to execute arbitrary code via crafted (1) title and (2) author fields in an SMIL file, related to improper calculations for memory allocation.20070711 Apple QuickTime SMIL File Processing Integer Overflow VulnerabilityAPPLE-SA-2007-07-1124873ADV-2007-251026034quicktime-smil-overflow(35357)20070717 Re: iDefense Security Advisory 07.11.07: Apple QuickTime SMIL File Processing Integer Overflow VulnerabilityTA07-193A1018373Unspecified vulnerability in Apple QuickTime before 7.3 allows remote attackers to execute arbitrary code via a crafted image description atom in a movie file, related to "memory corruption."APPLE-SA-2007-11-05ADV-2007-3723101889427523TA07-310AVU#79787526340apple-quicktime-movie-code-execution(38266)The JDirect support in QuickTime for Java in Apple Quicktime before 7.2 exposes certain dangerous interfaces, which allows remote attackers to execute arbitrary code via crafted Java applets.APPLE-SA-2007-07-1124873ADV-2007-251026034quicktime-jdirect-code-execution(35360)TA07-193A1018373QuickTime for Java in Apple Quicktime before 7.2 does not properly check permissions, which allows remote attackers to disable security controls and execute arbitrary code via crafted Java applets.APPLE-SA-2007-07-1124873ADV-2007-251026034quicktime-applet-code-execution(35358)TA07-193A1018373Apple Safari 3.0.1 beta (522.12.12) on Windows allows remote attackers to modify the window title and address bar while filling the main window with arbitrary content by setting the location bar and using setTimeout() to create an event that modifies the window content, which could facilitate phishing attacks.20070614 Re: Apple Safari: urlbar/window title spoofing20070614 Re: [Full-disclosure] Apple Safari: urlbar/window title spoofing20070615 Re: [Full-disclosure] Apple Safari: urlbar/window title spoofingAPPLE-SA-2007-06-2224484ADV-2007-23161018282safari-addressbar-spoofing(35050)APPLE-SA-2008-04-16WebKit in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1 performs an "invalid type conversion", which allows remote attackers to execute arbitrary code via unspecified frame sets that trigger memory corruption.APPLE-SA-2007-06-22VU#38986824597ADV-2007-2296101828125786ADV-2007-2316ADV-2007-273126287macos-framesets-code-execution(35019)Race condition in Apple Safari 3 Beta before 3.0.2 on Mac OS X, Windows XP, Windows Vista, and iPhone before 1.0.1, allows remote attackers to bypass the JavaScript security model and modify pages outside of the security domain and conduct cross-site scripting (XSS) attacks via vectors related to page updating and HTTP redirects.APPLE-SA-2007-06-22245991018282VU#289988ADV-2007-2316ADV-2007-273126287CRLF injection vulnerability in WebCore in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1, allows remote attackers to inject arbitrary HTTP headers via LF characters in an XMLHttpRequest request, which are not filtered when serializing headers via the setRequestHeader function. NOTE: this issue can be leveraged for cross-site scripting (XSS) attacks.APPLE-SA-2007-06-22VU#84570824598ADV-2007-229610182812578620070625 Safari XMLHttpRequest HTTP header injectionADV-2007-2316ADV-2007-273126287macos-xmlhttprequest-header-injection(35017)QuickTime for Java in Apple Quicktime before 7.2 does not perform sufficient "access control," which allows remote attackers to obtain sensitive information (screen content) via crafted Java applets.APPLE-SA-2007-07-1124873ADV-2007-251026034quicktime-java-information-disclosure(35361)TA07-193A1018373CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10 does not properly validate ftp: URIs, which allows remote attackers to trigger the transmission of arbitrary FTP commands to arbitrary FTP servers.macos-ftp-command-execution(35721)APPLE-SA-2007-07-3125159ADV-2007-2732101849126235CRLF injection vulnerability in CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10 before 20070731 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in an unspecified context. NOTE: this can be leveraged for cross-site scripting (XSS) attacks.APPLE-SA-2007-07-3125159ADV-2007-2732101849126235macos-cfnetwork-response-splitting(35723)Integer underflow in Preview in PDFKit on Apple Mac OS X 10.4.10 allows remote attackers to execute arbitrary code via a crafted PDF file.APPLE-SA-2007-07-3125159ADV-2007-273226235macos-pdfkit-code-execution(35734)Quartz Composer on Apple Mac OS X 10.4.10 does not initialize a certain object pointer, which might allow user-assisted remote attackers to execute arbitrary code via a crafted Quartz Composer file.APPLE-SA-2007-07-3125159ADV-2007-273226235macos-quartzcomposer-code-execution(35737)The Samba server on Apple Mac OS X 10.3.9 and 10.4.10, when Windows file sharing is enabled, does not enforce disk quotas after dropping privileges, which allows remote authenticated users to use disk space in excess of quota.APPLE-SA-2007-07-3125159ADV-2007-273226235samba-filesystem-security-bypass(35738)WebKit in Apple Safari 3 Beta before Update 3.0.3 does not properly recognize an unchecked "Enable Java" setting, which allows remote attackers to execute Java applets via a crafted web page.25157ADV-2007-2730safari-applet-security-bypass(35714)Cross-domain vulnerability in WebCore on Apple Mac OS X 10.3.9 and 10.4.10 allows remote attackers to obtain sensitive information via a popup window, which is able to read the current URL of the parent window.APPLE-SA-2007-07-3125159ADV-2007-2732101849426235macos-webcore-information-disclosure(35740)WebCore on Apple Mac OS X 10.3.9 and 10.4.10 retains properties of certain global objects when a new URL is visited in the same window, which allows remote attackers to conduct cross-site scripting (XSS) attacks.APPLE-SA-2007-07-3125159ADV-2007-2732101849426235safari-global-objects-security-bypass(35743)** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Sphider 1.2.x allows remote attackers to execute arbitrary PHP code via a URL in the include_dir parameter. NOTE: a third party disputes this vulnerability, stating that "the application is not vulnerable to this issue."20070428 Sphider Version 1.2.x (include_dir) file include2369920070430 Re: Sphider Version 1.2.x (include_dir) file includesphider-index-file-include(33963)2648** DISPUTED ** Directory traversal vulnerability in modules/file.php in Seir Anphin allows remote attackers to obtain sensitive information via a .. (dot dot) in the a[filepath] parameter. NOTE: a third party has disputed this issue because the a array is populated by a database query before use.20070428 Seir Anphin (file.php a[filepath]) Remote File Disclosure Vulnerability20070429 false: Seir Anphin (file.php a[filepath]) Remote File Disclosure Vulnerabilityseiranphin-file-directory-traversal(33962)2651** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2459. Reason: This candidate is a duplicate of CVE-2007-2459. Notes: All CVE users should reference CVE-2007-2459 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.MyServer before 0.8.8 allows remote attackers to cause a denial of service via unspecified vectors.2502623716myserver-data-dos(33971)ADV-2007-1589Pi3Web Web Server 2.0.3 PL1 allows remote attackers to cause a denial of service (application exit) via a long URI. NOTE: this issue was originally reported as a crash, but the vendor states that the impact is a "clean" exit in which "the server I/O loop finishes and the process exits normally."2371325009ADV-2007-1579pi3web-http-dos(33967)SQL injection vulnerability in home.php in E-Annu allows remote attackers to execute arbitrary SQL commands via the a