Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms, as used in ncompress and probably others, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error. RHSA-2010:0095 https://bugzilla.redhat.com/show_bug.cgi?id=554418 ADV-2010-1872 ADV-2010-1796 ADV-2010-0185 USN-889-1 RHSA-2010:0061 61869 MDVSA-2011:152 MDVSA-2010:020 MDVSA-2010:019 DSA-2074 DSA-1974 http://support.apple.com/kb/HT4435 1023490 40689 40655 40551 38232 38225 38223 38220 http://savannah.gnu.org/forum/forum.php?forum_id=6153 oval:org.mitre.oval:def:7511 oval:org.mitre.oval:def:10546 http://ncompress.sourceforge.net/#status SUSE-SA:2010:008 APPLE-SA-2010-11-10-1 HPSBMA02554 HPSBMA02554 http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=a3db5806d012082b9e25cc36d09f19cd736a468f The /etc/profile.d/60alias.sh script in the Mandriva bash package for Bash 2.05b, 3.0, 3.2, 3.2.48, and 4.0 enables the --show-control-chars option in LS_OPTIONS, which allows local users to send escape sequences to terminal emulators, or hide the existence of a file, via a crafted filename. MDVSA-2010:004 https://qa.mandriva.com/show_bug.cgi?id=56882 The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address. RHSA-2010:0146 https://bugzilla.redhat.com/show_bug.cgi?id=554578 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 37724 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0161 RHSA-2010:0147 [oss-security] 20100113 Re: CVE request - kernel: infoleak if print-fatal-signals=1 [oss-security] 20100112 CVE request - kernel: infoleak if print-fatal-signals=1 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.4 DSA-2005 DSA-1996 43315 39033 38779 38492 38333 http://patchwork.kernel.org/patch/69752/ oval:org.mitre.oval:def:10550 SUSE-SA:2010:014 SUSE-SA:2010:012 SUSE-SA:2010:010 FEDORA-2010-0919 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view. FEDORA-2009-13634 FEDORA-2009-13610 [oss-security] 20100114 Re: CVE Request: viewvc [oss-security] 20100113 Re: CVE Request: viewvc [oss-security] 20100111 CVE Request: viewvc http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300 http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD http://viewvc.tigris.org/source/browse/*checkout*/viewvc/trunk/docs/release-notes/1.1.0.html?revision=2222 SUSE-SA:2010:008 query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query. http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2242&r2=2313&pathrev=HEAD FEDORA-2009-13634 FEDORA-2009-13610 [oss-security] 20100113 Re: CVE Request: viewvc [oss-security] 20100111 CVE Request: viewvc http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2300 SUSE-SA:2010:008 The ipv6_hop_jumbo function in net/ipv6/exthdrs.c in the Linux kernel before 2.6.32.4, when network namespaces are enabled, allows remote attackers to cause a denial of service (NULL pointer dereference) via an invalid IPv6 jumbogram, a related issue to CVE-2007-4567. https://bugzilla.redhat.com/show_bug.cgi?id=555217 37810 61876 [oss-security] 20100114 CVE-2010-0006 - kernel: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo() http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.4 http://security-tracker.debian.org/tracker/CVE-2010-0006 38333 38168 [linux-netdev] 20100114 [PATCH]: ipv6: skb_dst() can be NULL in ipv6_hop_jumbo(). SUSE-SA:2010:010 FEDORA-2010-0919 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2570a4f5428bcdb1077622342181755741e7fa60 http://cert.fi/en/reports/2010/vulnerability341748.html http://bugs.gentoo.org/show_bug.cgi?id=300951 net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables application. ADV-2010-0109 RHSA-2010:0146 https://bugzilla.redhat.com/show_bug.cgi?id=555238 kernel-ebtables-security-bypass(55602) http://www.vmware.com/security/advisories/VMSA-2011-0003.html 37762 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0161 RHSA-2010:0147 [oss-security] 20100114 Re: CVE Request: kernel ebtables perm check [oss-security] 20100113 CVE Request: kernel ebtables perm check MDVSA-2011:051 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.33-rc4 DSA-2005 DSA-1996 43315 39033 38779 38492 38333 38296 38133 oval:org.mitre.oval:def:9630 SUSE-SA:2010:014 SUSE-SA:2010:013 SUSE-SA:2010:012 SUSE-SA:2010:010 SUSE-SA:2010:007 FEDORA-2010-0919 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=dce766af541f6605fa9889892c0280bab31c66ab The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length. [oss-security] 20100317 CVE-2010-0008 kernel: sctp remote denial of service http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ece25dfa0991f65c4e1d26beb1c3c45bda4239b8 RHSA-2010:0146 https://bugzilla.redhat.com/show_bug.cgi?id=555658 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0342 RHSA-2010:0147 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23 43315 39295 oval:org.mitre.oval:def:11160 Apache CouchDB 0.8.0 through 0.10.1 allows remote attackers to obtain sensitive information by measuring the completion time of operations that verify (1) hashes or (2) passwords. http://couchdb.apache.org/security.html https://bugzilla.redhat.com/show_bug.cgi?id=578572 39116 20100331 [SECURITY] CVE-2008-2370: Apache CouchDB Timing Attack Vulnerability 63350 39146 20100331 [SECURITY] CVE-2008-2370: Apache CouchDB Timing Attack Vulnerability Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow. modproxy-approxysendfb-bo(55941) ADV-2010-1001 ADV-2010-0240 1023533 37966 20100127 Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow. http://site.pi3.com.pl/adv/mod_proxy.txt 39656 38319 http://packetstormsecurity.org/1001-exploits/modproxy-overflow.txt oval:org.mitre.oval:def:7923 SSRT090208 HPSBOV02683 SUSE-SR:2010:010 http://httpd.apache.org/dev/dist/CHANGES_1.3.42 http://blog.pi3.com.pl/?p=69 20100127 Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow. The eval_js function in uzbl-core.c in Uzbl before 2010.01.05 exposes the run method of the Uzbl object, which allows remote attackers to execute arbitrary commands via JavaScript code. http://github.com/Dieterbe/uzbl/downloads uzbl-evaljs-command-execution(56612) http://www.uzbl.org/news.php?id=22 [oss-security] 20100106 Re: CVE request - uzbl remote code execution [oss-security] 20100106 CVE request - uzbl remote code execution [uzbl-dev] 20100102 Fw: Uzbl: security issue http://github.com/Dieterbe/uzbl/commit/1958b52d41cba96956dc1995660de49525ed1047 Directory traversal vulnerability in libtransmission/metainfo.c in Transmission 1.22, 1.34, 1.75, and 1.76 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a pathname within a .torrent file. https://launchpad.net/bugs/500625 transmission-name-directory-traversal(55454) ADV-2010-0071 [oss-security] 20100106 Re: CVE Request: Transmission [oss-security] 20100106 CVE Request: Transmission [debian-devel-changes] 20100105 Accepted transmission 1.77-1 (source all amd64) DSA-1967 http://trac.transmissionbt.com/wiki/Changes#version-1.77 http://trac.transmissionbt.com/changeset/9829/ http://security.debian.org/pool/updates/main/t/transmission/transmission_1.22-1+lenny2.diff.gz 38005 37993 SUSE-SA:2010:008 Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. https://bugzilla.redhat.com/show_bug.cgi?id=552483 ADV-2010-1020 ADV-2009-3663 ADV-2009-3662 [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload [oss-security] 20100102 CVE request - pidgin MSN arbitrary file upload MDVSA-2010:085 1022203 277450 38915 37961 37954 37953 oval:org.mitre.oval:def:10333 SUSE-SR:2010:006 FEDORA-2010-0429 FEDORA-2010-0368 http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810 http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467 System Security Services Daemon (SSSD) before 1.0.1, when the krb5 auth_provider is configured but the KDC is unreachable, allows physically proximate attackers to authenticate, via an arbitrary password, to the screen-locking program on a workstation that has any user's Kerberos ticket-granting ticket (TGT); and might allow remote attackers to bypass intended access restrictions via vectors involving an arbitrary password in conjunction with a valid TGT. https://fedorahosted.org/sssd/wiki/Releases/Notes-1.0.1 https://bugzilla.redhat.com/show_bug.cgi?id=553233 37747 38160 nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function. [oss-security] 20100111 Re: CVE id request: GNU libc: NIS shadow password leakage [oss-security] 20100109 Re: CVE id request: GNU libc: NIS shadow password leakage [oss-security] 20100108 Re: CVE id request: GNU libc: NIS shadow password leakage [oss-security] 20100107 CVE id request: GNU libc: NIS shadow password leakage MDVSA-2010:112 MDVSA-2010:111 http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup http://sourceware.org/bugzilla/show_bug.cgi?id=11134 [oss-security] 20100111 Re: CVE id request: GNU libc: NIS shadow password leakage [oss-security] 20100111 Re: CVE id request: GNU libc: NIS shadow password leakage http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560333 The SMB client implementation in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly validate response fields, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted response, aka "SMB Client Pool Corruption Vulnerability." TA10-040A MS10-006 oval:org.mitre.oval:def:8278 Race condition in the SMB client implementation in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code, and in the SMB client implementation in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges, via a crafted SMB Negotiate response, aka "SMB Client Race Condition Vulnerability." TA10-040A MS10-006 oval:org.mitre.oval:def:8298 Integer overflow in the Embedded OpenType (EOT) Font Engine (t2embed.dll) in Microsoft Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code via compressed data that represents a crafted EOT font, aka "Microtype Express Compressed Fonts Integer Flaw in the LZCOMP Decompressor Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-001.mspx This security update is rated Critical for Microsoft Windows 2000, and is rated Low for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section. TA10-012B MS10-001 ADV-2010-0095 1023432 37671 35457 oval:org.mitre.oval:def:8324 61651 http://blogs.technet.com/srd/archive/2010/01/12/ms10-001-font-file-decompression-vulnerability.aspx Microsoft Silverlight 3 before 3.0.50611.0 on Windows, and before 3.0.41130.0 on Mac OS X, does not properly handle pointers, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and framework outage) via a crafted web site, aka "Microsoft Silverlight Memory Corruption Vulnerability." TA10-222A MS10-060 The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate request fields, which allows remote authenticated users to execute arbitrary code via a malformed request, aka "SMB Pathname Overflow Vulnerability." TA10-040A MS10-012 oval:org.mitre.oval:def:8438 Multiple race conditions in the SMB implementation in the Server service in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allow remote attackers to cause a denial of service (system hang) via a crafted (1) SMBv1 or (2) SMBv2 Negotiate packet, aka "SMB Memory Corruption Vulnerability." TA10-040A MS10-012 oval:org.mitre.oval:def:8524 The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate the share and servername fields in SMB packets, which allows remote attackers to cause a denial of service (system hang) via a crafted packet, aka "SMB Null Pointer Vulnerability." TA10-040A MS10-012 oval:org.mitre.oval:def:8314 The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly kill processes after a logout, which allows local users to obtain sensitive information or gain privileges via a crafted application that continues to execute throughout the logout of one user and the login session of the next user, aka "CSRSS Local Privilege Elevation Vulnerability." TA10-040A MS10-011 38509 oval:org.mitre.oval:def:8304 The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and Exchange Server 2003 SP2, does not properly parse MX records, which allows remote DNS servers to cause a denial of service (service outage) via a crafted response to a DNS MX record query, aka "SMTP Server MX Record Vulnerability." TA10-103A MS10-024 oval:org.mitre.oval:def:7067 The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and Exchange Server 2000 SP3, does not properly allocate memory for SMTP command replies, which allows remote attackers to read fragments of e-mail messages by sending a series of invalid commands and then sending a STARTTLS command, aka "SMTP Memory Allocation Vulnerability." TA10-103A MS10-024 39253 oval:org.mitre.oval:def:12175 The Hyper-V server implementation in Microsoft Windows Server 2008 Gold, SP2, and R2 on the x64 platform allows guest OS users to cause a denial of service (host OS hang) via a crafted application that executes a malformed series of machine instructions, aka "Hyper-V Instruction Set Validation Vulnerability." TA10-040A MS10-010 oval:org.mitre.oval:def:8006 The URL validation functionality in Microsoft Internet Explorer 5.01, 6, 6 SP1, 7 and 8, and the ShellExecute API function in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, does not properly process input parameters, which allows remote attackers to execute arbitrary local programs via a crafted URL, aka "URL Validation Vulnerability." TA10-040A MS10-007 MS10-002 ie-url-code-execution(55773) http://www.zerodayinitiative.com/advisories/ZDI-10-016/ 20100209 ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability oval:org.mitre.oval:def:8464 Integer overflow in Microsoft Paint in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted JPEG (.JPG) file, aka "MS Paint Integer Overflow Vulnerability." TA10-040A MS10-005 36634 oval:org.mitre.oval:def:8429 Buffer overflow in Microsoft Office PowerPoint 2002 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint File Path Handling Buffer Overflow Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8410 Heap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint LinkedSlideAtom Heap Overflow Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8050 Array index error in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3, and PowerPoint in Office 2004 for Mac, allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint OEPlaceholderAtom 'placementId' Invalid Array Indexing Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8081 Use-after-free vulnerability in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "OEPlaceholderAtom Use After Free Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8303 Stack-based buffer overflow in Microsoft Office PowerPoint 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint Viewer TextBytesAtom Record Stack Overflow Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:7711 Stack-based buffer overflow in Microsoft Office PowerPoint 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "Office PowerPoint Viewer TextCharsAtom Record Stack Overflow Vulnerability." TA10-040A MS10-004 1023563 oval:org.mitre.oval:def:8268 The Key Distribution Center (KDC) in Kerberos in Microsoft Windows 2000 SP4, Server 2003 SP2, and Server 2008 Gold and SP2, when a trust relationship with a non-Windows Kerberos realm exists, allows remote authenticated users to cause a denial of service (NULL pointer dereference and domain controller outage) via a crafted Ticket Granting Ticket (TGT) renewal request, aka "Kerberos Null Pointer Dereference Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-014.mspx "This vulnerability only affects domain controllers. Servers that do not perform the role of domain controllers are not affected." TA10-040A MS10-014 oval:org.mitre.oval:def:8428 Buffer overflow in CoreAudio in Apple Mac OS X 10.5.8 and 10.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MP4 audio file. 37868 macos-coreaudio-mp4-bo(55746) ADV-2010-0173 1023472 http://support.apple.com/kb/HT4013 http://support.apple.com/kb/HT4004 38241 APPLE-SA-2010-01-19-1 APPLE-SA-2010-02-02-1 Buffer overflow in Image RAW in Apple Mac OS X 10.5.8 and 10.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted DNG image. macos-imageraw-dng-bo(55747) ADV-2010-0173 1023473 37869 http://support.apple.com/kb/HT4004 38241 APPLE-SA-2010-01-19-1 Recovery Mode in Apple iPhone OS 1.0 through 3.1.2, and iPhone OS for iPod touch 1.1 through 3.1.2, allows physically proximate attackers to bypass device locking, and read or modify arbitrary data, via a USB control message that triggers memory corruption. 38040 http://support.apple.com/kb/HT4013 62128 APPLE-SA-2010-02-02-1 The Application-Level Gateway (ALG) on the Apple Time Capsule, AirPort Extreme Base Station, and AirPort Express Base Station with firmware before 7.5.2 modifies PORT commands in incoming FTP traffic, which allows remote attackers to use the device's IP address for arbitrary intranet TCP traffic by leveraging write access to an intranet FTP server. http://support.apple.com/kb/HT4298 APPLE-SA-2010-12-16-1 1024907 Integer overflow in ColorSync in Apple Safari before 4.0.5 on Windows, and iTunes before 9.1, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image with a crafted color profile that triggers a heap-based buffer overflow. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html ColorSync CVE-ID: CVE-2010-0040 Available for: Windows 7, Vista, XP Impact: Viewing a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow, that could result in a heap buffer overflow, exists in the handling of images with an embedded color profile. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. The issue is addressed by performing additional validation of color profiles. This issue does not affect Mac OS X systems. Credit to Sebastien Renaud of VUPEN Vulnerability Research Team for reporting this issue. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38674 38671 safari-colorsync-bo(56826) 1023706 http://support.apple.com/kb/HT4105 http://support.apple.com/kb/HT4070 39135 oval:org.mitre.oval:def:6741 APPLE-SA-2010-03-11-1 APPLE-SA-2010-03-30-2 ImageIO in Apple Safari before 4.0.5 and iTunes before 9.1 on Windows does not ensure that memory access is associated with initialized memory, which allows remote attackers to obtain potentially sensitive information from process memory via a crafted BMP image. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html ImageIO CVE-ID: CVE-2010-0041 Available for: Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may result in sending data from Safari's memory to the website Description: An uninitialized memory access issue exists in ImageIO's handling of BMP images. Visiting a maliciously crafted website may result in sending data from Safari's memory to the website. This issue is addressed through improved memory handling and additional validation of BMP images. Credit to Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38676 38671 1023706 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4105 http://support.apple.com/kb/HT4077 http://support.apple.com/kb/HT4070 39135 oval:org.mitre.oval:def:6885 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 APPLE-SA-2010-03-30-2 APPLE-SA-2010-03-29-1 ImageIO in Apple Safari before 4.0.5 and iTunes before 9.1 on Windows does not ensure that memory access is associated with initialized memory, which allows remote attackers to obtain potentially sensitive information from process memory via a crafted TIFF image. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'ImageIO CVE-ID: CVE-2010-0042 Available for: Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may result in sending data from Safari's memory to the website Description: An uninitialized memory access issue exists in ImageIO's handling of TIFF images. Visiting a maliciously crafted website may result in sending data from Safari's memory to the website. This issue is addressed through improved memory handling and additional validation of TIFF images. Credit to Matthew 'j00ru' Jurczyk of Hispasec for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38677 38671 1023706 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4105 http://support.apple.com/kb/HT4077 http://support.apple.com/kb/HT4070 42314 39135 oval:org.mitre.oval:def:7561 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-03-30-2 APPLE-SA-2010-03-29-1 ImageIO in Apple Safari before 4.0.5 and iTunes before 9.1 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted TIFF image. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'ImageIO CVE-ID: CVE-2010-0043 Available for: Windows 7, Vista, XP Impact: Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling. Credit to Gus Mueller of Flying Meat for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38673 38671 1023706 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4105 http://support.apple.com/kb/HT4077 http://support.apple.com/kb/HT4070 39135 oval:org.mitre.oval:def:6901 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 APPLE-SA-2010-03-30-2 APPLE-SA-2010-03-29-1 PubSub in Apple Safari before 4.0.5 does not properly implement use of the Accept Cookies preference to block cookies, which makes it easier for remote web servers to track users by setting a cookie in a (1) RSS or (2) Atom feed. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'PubSub CVE-ID: CVE-2010-0044 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting or updating a feed may result in a cookie being set, even if Safari is configured to block cookies Description: An implementation issue exists in the handling of cookies set by RSS and Atom feeds. Visiting or updating a feed may result in a cookie being set, even if Safari is configured to block cookies via the "Accept Cookies" preference. This update addresses the issue by respecting the preference while updating or viewing feeds.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38675 38671 safari-pubsub-security-bypass(56830) http://support.apple.com/kb/HT4070 oval:org.mitre.oval:def:7051 62937 APPLE-SA-2010-03-11-1 Apple Safari before 4.0.5 on Windows does not properly validate external URL schemes, which allows remote attackers to open local files and execute arbitrary code via a crafted HTML document. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html CVE-ID: CVE-2010-0045 Available for: Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: An issue in Safari's handling of external URL schemes may cause a local file to be opened in response to a URL encountered on a web page. Visiting a maliciously crafted website may lead to arbitrary code execution. This update addresses the issue through improved validation of external URLs. This issue does not affect Mac OS X systems. Credit to Billy Rios and Microsoft Vulnerability Research (MSVR) for reporting this issue. 38671 1023706 http://support.apple.com/kb/HT4070 oval:org.mitre.oval:def:6817 APPLE-SA-2010-03-11-1 The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted format arguments. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0046 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A memory corruption issue exists in WebKit's handling of CSS format() arguments. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of CSS format() arguments. Credit to Robert Swiecki of Google Inc. for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7053 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to "HTML object element fallback content." Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0047 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in the handling of HTML object element fallback content. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:6882 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted XML document. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html CVE-ID: CVE-2010-0048 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in WebKit's parsing of XML documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 38671 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7135 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via HTML elements with right-to-left (RTL) text directionality. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000. CVE-ID: CVE-2010-0049 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in the handling of HTML elements containing right-to-left displayed text. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi&Z of team509 for reporting this issue. 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:6810 62942 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 20100311 Multiple Vendor WebKit HTML Element Use After Free Vulnerability Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an HTML document with improperly nested tags. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0050 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in WebKit's handling of incorrectly nested HTML tags. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi&Z of team509 working with TippingPoint's Zero Day Initiative for reporting this issue.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 safari-nested-html-code-exec(56836) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7587 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 WebKit in Apple Safari before 4.0.5 does not properly validate the cross-origin loading of stylesheets, which allows remote attackers to obtain sensitive information via a crafted HTML document. NOTE: this might overlap CVE-2010-0651. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0051 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information Description: An implementation issue exists in WebKit's handling of cross-origin stylesheet requests. Visiting a maliciously crafted website may disclose the content of protected resources on another website. This update addresses the issue by performing additional validation on stylesheets that are loaded during a cross-origin request.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 safari-stylesheet-info-disclosure(56837) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://websec.sv.cmu.edu/css/css.pdf http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 42314 41856 http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html oval:org.mitre.oval:def:7554 62944 SUSE-SR:2011:002 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 http://code.google.com/p/chromium/issues/detail?id=9877 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to "callbacks for HTML elements." Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html CVE-ID: CVE-2010-0052 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in WebKit's handling of callbacks for HTML elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit: Apple. 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7403 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the run-in Cascading Style Sheets (CSS) display property. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html CVE-ID: CVE-2010-0053 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in the rendering of content with a CSS display property set to 'run-in'. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue. ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 38671 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:7323 62948 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 4.0.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving HTML IMG elements. Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'WebKit CVE-ID: CVE-2010-0054 Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 or later, Mac OS X Server v10.6.1 or later, Windows 7, Vista, XP Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A use-after-free issue exists in WebKit's handling of HTML image elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. Credit: Apple.' Per: http://lists.apple.com/archives/security-announce/2010/Mar/msg00000.html 'Safari 4.0.5 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/' 38671 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 1023708 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4070 43068 41856 oval:org.mitre.oval:def:6915 62949 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 APPLE-SA-2010-03-11-1 APPLE-SA-2010-06-21-1 xar in Apple Mac OS X 10.5.8 does not properly validate package signatures, which allows attackers to have an unspecified impact via a modified package. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Buffer overflow in Cocoa spell checking in AppKit in Apple Mac OS X 10.5.8 allows user-assisted remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted document. APPLE-SA-2010-03-29-1 AFP Server in Apple Mac OS X before 10.6.3 does not prevent guest use of AFP shares when guest access is disabled, which allows remote attackers to bypass intended access restrictions via a mount request. APPLE-SA-2010-03-29-1 freshclam in ClamAV in Apple Mac OS X 10.5.8 with Security Update 2009-005 has an incorrect launchd.plist ProgramArguments key and consequently does not run, which might allow remote attackers to introduce viruses into the system. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 CoreAudio in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted audio content with QDM2 encoding, which triggers a buffer overflow due to inconsistent length fields, related to QDCA. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://www.zerodayinitiative.com/advisories/ZDI-10-041 20100402 ZDI-10-041: Apple QuickTime QDM2/QDCA Atom Remote Code Execution Vulnerability oval:org.mitre.oval:def:6922 APPLE-SA-2010-03-30-1 CoreAudio in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted audio content with QDMC encoding. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 oval:org.mitre.oval:def:7513 APPLE-SA-2010-03-30-1 Heap-based buffer overflow in quicktime.qts in CoreMedia and QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed .3g2 movie file with H.263 encoding that triggers an incorrect buffer length calculation. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://www.zerodayinitiative.com/advisories/ZDI-10-036 20100402 ZDI-10-036: Apple QuickTime H.263 PictureHeader Remote Code Execution Vulnerability oval:org.mitre.oval:def:6626 APPLE-SA-2010-03-30-1 Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X before 10.6.3 makes it easier for user-assisted remote attackers to execute arbitrary JavaScript via a web page that offers a download with a Content-Type value that is not on the list of possibly unsafe content types for Safari, as demonstrated by the values for the (1) .ibplugin and (2) .url extensions. Per: http://cwe.mitre.org/data/slices/2000.html 'Incomplete Blacklist - CWE-184' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 DesktopServices in Apple Mac OS X 10.6 before 10.6.3 preserves file ownership during an authenticated Finder copy, which might allow local users to bypass intended disk-quota restrictions and have unspecified other impact by copying files owned by other users. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Disk Images in Apple Mac OS X before 10.6.3 allows user-assisted remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted disk image with bzip2 compression. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Unspecified vulnerability in the Access Manager Identity Server component in Oracle Application Server 7.0.4.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html 1023438 Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Application Server 10.1.2.3 and 10.1.3.4 allows remote attackers to affect confidentiality via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html 1023438 Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 9.0, 9.1, 9.2MP2, and 10.0 allows remote attackers to affect confidentiality via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 7.0, SP7, 8.1SP6, 9.0, 9.1, 9.2MP3, 10.0MP1, and 10.3.0 allows remote attackers to affect integrity via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Application Server 10.1.2.3 and 10.1.3.4 allows remote attackers to affect integrity via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html 1023438 Unspecified vulnerability in the Listener component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a buffer overflow in observiced.exe that allows remote attackers to execute arbitrary code via vectors related to a "reverse lookup of connections" to TCP port 10000. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the WebLogic Server in Oracle WebLogic Server 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, and 10.3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. TA10-103B ADV-2010-0216 http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html 39439 Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 7.0SP7, 8.1SP6, 9.0, 9.1, 9.2MP3, 10.0MP2, and 10.3.1 allows remote attackers to affect availability via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the Oracle HRMS (Self Service) component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the Application Express Application Builder component in Oracle Database 3.2.1.00.10 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the CRM Technical Foundation (mobile) component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect confidentiality and integrity via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 9.0, 9.1, 9.2MP3, 10.0MP2, and 10.3.1 allows remote attackers to affect availability via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Multiple vulnerabilities in the JRockit component in BEA Product Suite R27.6.5 using JRE/JDK 1.4.2, 5, and 6 allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: this CVE identifier overlaps CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, and CVE-2009-3877. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the PeopleSoft Enterprise HCM - eProfile component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9 Bundle, #21 and 9.0 Bundle #11 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. TA10-012A http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html Unspecified vulnerability in the Application Server Control component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.0.1 allows remote authenticated users to affect integrity via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39317 39292 oval:org.mitre.oval:def:13934 oval:org.mitre.oval:def:11576 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in Oracle OpenSolaris 8, 9, and 10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14061 oval:org.mitre.oval:def:11120 63482 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:13803 oval:org.mitre.oval:def:10474 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Portal component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023869 39439 Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 oval:org.mitre.oval:def:13959 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14321 oval:org.mitre.oval:def:11173 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 oval:org.mitre.oval:def:14208 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Web Start, Java Plug-in component in Oracle Java SE and Java for Business 6 Update 18 allows remote attackers to affect integrity and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0337 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 oval:org.mitre.oval:def:14237 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:9855 oval:org.mitre.oval:def:13492 63481 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14210 oval:org.mitre.oval:def:10057 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39317 39292 oval:org.mitre.oval:def:9877 oval:org.mitre.oval:def:14288 63485 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18 and 5.0 Update 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is due to missing privilege checks during deserialization of RMIConnectionImpl objects, which allows remote attackers to call system-level Java functions via the ClassLoader of a constructor that is being deserialized. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html http://www.zerodayinitiative.com/advisories/ZDI-10-051 ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100405 ZDI-10-051: Sun Java Runtime RMIConnectionImpl Privileged Context Remote Code Execution Vulnerability RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14351 oval:org.mitre.oval:def:10851 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14105 oval:org.mitre.oval:def:11621 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain. VU#360341 https://www.isc.org/advisories/CVE-2010-0097 RHSA-2010:0095 RHSA-2010:0062 https://bugzilla.redhat.com/show_bug.cgi?id=554851 bind-dnssecnsec-cache-poisoning(55753) ADV-2010-1352 ADV-2010-0981 ADV-2010-0622 ADV-2010-0176 USN-888-1 37865 61853 MDVSA-2010:021 DSA-2054 http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0018 http://support.apple.com/kb/HT5002 1021798 1023474 40086 39582 39334 38240 38219 38169 oval:org.mitre.oval:def:9357 oval:org.mitre.oval:def:7430 oval:org.mitre.oval:def:7212 oval:org.mitre.oval:def:12205 SSRT100004 SSRT100004 SUSE-SA:2010:008 FEDORA-2010-0868 FEDORA-2010-0861 APPLE-SA-2011-10-12-3 ftp://ftp.sco.com/pub/unixware7/714/security/p535243_uw7/p535243b.txt ClamAV before 0.96 does not properly handle the (1) CAB and (2) 7z file formats, which allows remote attackers to bypass virus detection via a crafted archive that is compatible with standard archive utilities. 39262 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1826 ADV-2010-1206 ADV-2010-1001 ADV-2010-0909 ADV-2010-0832 ADV-2010-0827 USN-926-1 [oss-security] 20100407 Re: ClamAV small issues [oss-security] 20100406 ClamAV small issues MDVSA-2010:082 http://support.apple.com/kb/HT4312 39656 39329 39293 SUSE-SR:2010:010 APPLE-SA-2010-08-24-1 http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.96 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-0092. Reason: This candidate is a duplicate of CVE-2010-0092. Notes: All CVE users should reference CVE-2010-0092 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The embedded HTTP server in multiple Lexmark laser and inkjet printers and MarkNet devices, including X94x, W840, T656, N4000, E462, C935dn, 25xxN, and other models, allows remote attackers to cause a denial of service (operating system halt) via a malformed HTTP Authorization header. http://support.lexmark.com/index?page=content&id=TE87&locale=EN&userlocale=EN_US UsbCharger.dll in the Energizer DUO USB battery charger software contains a backdoor that is implemented through the Arucer.dll file in the %WINDIR%\system32 directory, which allows remote attackers to download arbitrary programs onto a Windows PC, and execute these programs, via a request to TCP port 7777. Per: http://www.energizer.com/usbcharger/download/March_8_2010_USB_Release__3_.pdf "Energizer has discontinued sale of this product and has removed the site to download the software. In addition, the company is directing consumers that downloaded the Windows version of the software to uninstall or otherwise remove the software from your computer." VU#154421 http://www.symantec.com/connect/blogs/trojan-found-usb-battery-charger-software 38571 http://www.marketwatch.com/story/energizer-announces-duo-charger-and-usb-charger-software-problem-2010-03-05 Unspecified vulnerability in the Broadcom Integrated NIC Management Firmware 1.x before 1.40.0.0 and 8.x before 8.08 on the HP Small Form Factor and Microtower platforms allows remote attackers to execute arbitrary code via unknown vectors. VU#512705 HPSBGN02511 ADV-2010-0631 38759 1023710 39003 HPSBGN02511 The hfs implementation in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions, related to the fsck_hfs program in the diskdev_cmds component. 1024723 39658 http://support.apple.com/kb/HT4435 20100423 MacOS X 10.6.3 filesystem hfs Denial of Service Vulnerability APPLE-SA-2010-11-10-1 The on-demand scanning in Symantec AntiVirus 10.0.x and 10.1.x before MR9, AntiVirus 10.2.x, and Client Security 3.0.x and 3.1.x before MR9, when Tamper protection is disabled, allows remote attackers to cause a denial of service (prevention of on-demand scanning) via "specific events" that prevent the user from having read access to unspecified resources. symantec-ondemand-dos(56354) ADV-2010-0410 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_00 1023621 38219 38653 62414 Buffer overflow in an ActiveX control (SYMLTCOM.dll) in Symantec N360 1.0 and 2.0; Norton Internet Security, AntiVirus, SystemWorks, and Confidential 2006 through 2008; and Symantec Client Security 3.0.x before 3.1 MR9, and 3.1.x before MR9; allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. NOTE: this is only a vulnerability if the attacker can "masquerade as an authorized site." symantec-symltcom-activex-bo(56357) ADV-2010-0411 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_01 1023631 1023630 1023629 1023628 38217 20100224 VUPEN Security Research - Symantec Products "SYMLTCOM.dll" Buffer Overflow Vulnerability 38654 62412 Buffer overflow in the cliproxy.objects.1 ActiveX control in the Symantec Client Proxy (CLIproxy.dll) in Symantec AntiVirus 10.0.x, 10.1.x before MR9, and 10.2.x before MR4; and Symantec Client Security 3.0.x and 3.1.x before MR9 allows remote attackers to execute arbitrary code via a long argument to the SetRemoteComputerName function. scp-cliproxy-activex-bo(56355) ADV-2010-0412 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02 38222 20100219 [DSECRG-09-039] Symantec Antivirus 10.0 ActiveX - buffer Overflow. 38651 http://dsecrg.com/pages/vul/show.php?id=139 Multiple stack-based buffer overflows in Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allow remote attackers to execute arbitrary code via (1) a long string to msgsys.exe, related to the AMSSendAlertAct function in AMSLIB.dll in the Intel Alert Handler service (aka Symantec Intel Handler service); a long (2) modem string or (3) PIN number to msgsys.exe, related to pagehndl.dll in the Intel Alert Handler service; or (4) a message to msgsys.exe, related to iao.exe in the Intel Alert Originator service. symantec-intel-ams2-bo(64940) http://www.zerodayinitiative.com/advisories/ZDI-11-032 http://www.zerodayinitiative.com/advisories/ZDI-11-031 http://www.zerodayinitiative.com/advisories/ZDI-11-030 http://www.zerodayinitiative.com/advisories/ZDI-11-028 ADV-2011-0234 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_00 45936 1024996 43106 43099 HDNLRSVC.EXE in the Intel Alert Handler service (aka Symantec Intel Handler service) in Intel Alert Management System (aka AMS or AMS2), as used in Symantec AntiVirus Corporate Edition (SAVCE) 10.x before 10.1 MR10, Symantec System Center (SSC) 10.x, and Symantec Quarantine Server 3.5 and 3.6, allows remote attackers to execute arbitrary programs by sending msgsys.exe a UNC share pathname, which is used directly in a CreateProcessA (aka CreateProcess) call. symantec-intelams2-dos(64943) symantec-intelams2-code-execution(64942) http://www.zerodayinitiative.com/advisories/ZDI-11-029 ADV-2011-0234 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110126_01 45935 1024997 43106 43099 Multiple SQL injection vulnerabilities in the Administrative Interface in the IIS extension in Symantec IM Manager before 8.4.16 allow remote attackers to execute arbitrary SQL commands via (1) the rdReport parameter to rdpageimlogic.aspx, related to the sGetDefinition function in rdServer.dll, and SQL statements contained within a certain report file; (2) unspecified parameters in a DetailReportGroup (aka DetailReportGroup.lgx) action to rdpageimlogic.aspx; the (3) selclause, (4) whereTrendTimeClause, (5) TrendTypeForReport, (6) whereProtocolClause, or (7) groupClause parameter in a SummaryReportGroup (aka SummaryReportGroup.lgx) action to rdpageimlogic.aspx; the (8) loginTimeStamp, (9) dbo, (10) dateDiffParam, or (11) whereClause parameter in a LoggedInUsers (aka LoggedInUSers.lgx) action to (a) rdpageimlogic.aspx or (b) rdPage.aspx; the (12) selclause, (13) whereTrendTimeClause, (14) TrendTypeForReport, (15) whereProtocolClause, or (16) groupClause parameter to rdpageimlogic.aspx; (17) the groupList parameter to IMAdminReportTrendFormRun.asp; or (18) the email parameter to IMAdminScheduleReport.asp. immanager-unspecified-sql-injection(62806) http://www.zerodayinitiative.com/advisories/ZDI-10-226/ http://www.zerodayinitiative.com/advisories/ZDI-10-225/ http://www.zerodayinitiative.com/advisories/ZDI-10-224/ http://www.zerodayinitiative.com/advisories/ZDI-10-223/ http://www.zerodayinitiative.com/advisories/ZDI-10-222/ http://www.zerodayinitiative.com/advisories/ZDI-10-221/ http://www.zerodayinitiative.com/advisories/ZDI-10-220/ ADV-2010-2789 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101027_01 1024648 44299 41959 68903 68902 68901 The Symantec Norton Mobile Security application 1.0 Beta for Android records setup details, possibly including wipe/lock credentials, in the device logs, which allows user-assisted remote attackers to obtain potentially sensitive information by leveraging the ability of a separate crafted application to read these logs. norton-mobile-setup-information-disclosure(63294) ADV-2010-2982 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101111_00 44767 69253 fw_charts.php in the reporting module in the Manager (aka SEPM) component in Symantec Endpoint Protection (SEP) 11.x before 11 RU6 MP2 allows remote attackers to bypass intended restrictions on report generation, overwrite arbitrary PHP scripts, and execute arbitrary code via a crafted request. symantec-endpoint-fwcharts-code-execution(64118) http://www.zerodayinitiative.com/advisories/ZDI-10-291/ ADV-2010-3252 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20101215_00 45372 1024900 42643 SQL injection vulnerability in login.php in the GUI management console in Symantec Web Gateway 4.5 before 4.5.0.376 allows remote attackers to execute arbitrary SQL commands via the USERNAME parameter. symantec-web-username-sql-injection(64658) http://www.zerodayinitiative.com/advisories/ZDI-11-013/ ADV-2011-0088 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110112_00 1024958 45742 42878 70415 Integer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows might allow remote attackers to execute arbitrary code via a crafted QCP file that triggers a heap-based buffer overflow. realplayer-qcp-bo(61420) ADV-2010-2216 1024370 http://service.real.com/realplayer/security/08262010_player/en/ http://secunia.com/secunia_research/2010-3/ 41154 41096 oval:org.mitre.oval:def:7326 RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows do not properly handle dimensions during YUV420 transformations, which might allow remote attackers to execute arbitrary code via crafted MP4 content. realplayer-yuv420-code-execution(61421) ADV-2010-2216 1024370 http://service.real.com/realplayer/security/08262010_player/en/ http://secunia.com/secunia_research/2010-5/ 41154 41096 oval:org.mitre.oval:def:7169 Bournal before 1.4.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified temporary files associated with a --hack_the_gibson update check. 38353 20100222 Secunia Research: Bournal Insecure Temporary Files Security Issue http://secunia.com/secunia_research/2010-6/ 38814 38554 FEDORA-2010-3168 FEDORA-2010-3221 FEDORA-2010-3301 Bournal before 1.4.1 on FreeBSD 8.0, when the -K option is used, places a ccrypt key on the command line, which allows local users to obtain sensitive information by listing the process and its arguments, related to "echoing." 38352 20100222 Secunia Research: Bournal ccrypt Information Disclosure Security Issue http://secunia.com/secunia_research/2010-7/ 38814 38723 FEDORA-2010-3168 FEDORA-2010-3221 FEDORA-2010-3301 Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allows remote attackers to execute arbitrary code via large size values in QCP audio content. realplayer-qcp-audio-bo(61422) ADV-2010-2216 1024370 http://service.real.com/realplayer/security/08262010_player/en/ http://secunia.com/secunia_research/2010-8/ 41154 41096 oval:org.mitre.oval:def:6807 The cook codec in RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.5, Mac RealPlayer 11.0 through 12.0.0.1444, and Linux RealPlayer 11.0.2.1744 does not properly perform initialization, which has unspecified impact and attack vectors. Per: http://cwe.mitre.org/data/definitions/665.html 'CWE-665: Improper Initialization' 1024861 http://service.real.com/realplayer/security/12102010_player/en/ Multiple SQL injection vulnerabilities in Employee Timeclock Software 0.99 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to (a) auth.php or (b) login_action.php. timeclock-auth-sql-injection(56799) 38639 20100310 Secunia Research: Employee Timeclock Software SQL Injection Vulnerabilities 62832 62831 http://secunia.com/secunia_research/2010-11/ 38739 The database backup implementation in Employee Timeclock Software 0.99 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a "semi-predictable file name." timeclock-database-info-disclosure(56798) 20100310 Secunia Research: Employee Timeclock Software Backup Information Disclosure 62833 http://secunia.com/secunia_research/2010-10/ 38739 Employee Timeclock Software 0.99 places the database password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process. timeclock-mysqldump-info-disclosure(56800) 38642 20100310 Secunia Research: Employee Timeclock Software "mysqldump" Password Disclosure 62830 http://secunia.com/secunia_research/2010-12/ 38739 RealNetworks RealPlayer 11.0 through 11.1, RealPlayer SP 1.0 through 1.1.4, RealPlayer Enterprise 2.1.2, and Mac RealPlayer 11.0 through 12.0.0.1444 do not properly parse spectral data in AAC files, which has unspecified impact and remote attack vectors. 1024861 http://service.real.com/realplayer/security/12102010_player/en/ Heap-based buffer overflow in an unspecified library in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via a crafted compound file, as demonstrated using a Quattro Pro file, which is not properly handled by the Quattro speed reader (qpssr.dll). http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-16/ Adobe Shockwave Player before 11.5.7.609 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted FFFFFF45h Shockwave 3D blocks in a Shockwave file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 20100512 Secunia Research: Adobe Shockwave Player 3D Parsing Memory Corruption http://secunia.com/secunia_research/2010-17/ 38751 oval:org.mitre.oval:def:7477 Integer signedness error in dirapi.dll in Adobe Shockwave Player before 11.5.7.609 and Adobe Director before 11.5.7.609 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .dir file that triggers an invalid read operation. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 20100512 Secunia Research: Adobe Shockwave Player Signedness Error Vulnerability 20100511 [CORE-2010-0405] Adobe Director Invalid Read http://www.coresecurity.com/content/adobe-director-invalid-read http://secunia.com/secunia_research/2010-19/ 38751 oval:org.mitre.oval:def:7273 Multiple integer overflows in Adobe Shockwave Player before 11.5.7.609 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .dir (aka Director) file that triggers an array index error. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 20100511 Abobe Shockwave Player Heap Memory Indexing Vulnerability 40082 20100512 Secunia Research: Adobe Shockwave Player Array Indexing Vulnerability 20100512 [CAL-20100204-2]Adobe Shockwave Player Director File Parsing integer overflow vulnerability http://secunia.com/secunia_research/2010-20/ 38751 oval:org.mitre.oval:def:7134 http://hi.baidu.com/fs_fx/blog/item/fa74a61705b5e24621a4e951.html 20100511 [CAL-20100204-2]Adobe Shockwave Player Director File Parsing integer overflow vulnerability Integer overflow in Adobe Shockwave Player before 11.5.7.609 might allow remote attackers to execute arbitrary code via a crafted .dir (aka Director) file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 40084 20100512 Secunia Research: Adobe Shockwave Player Integer Overflow Vulnerability http://secunia.com/secunia_research/2010-22/ 38751 oval:org.mitre.oval:def:7108 Stack-based buffer overflow in the SpreadSheet Lotus 123 reader (wkssr.dll), as used in Autonomy KeyView 10.4 and 10.9, Symantec Mail Security, and possibly other products, allows remote attackers to execute arbitrary code via unspecified vectors related to floating point conversion in unknown record types. http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-25/ http://secunia.com/secunia_research/2010-23/ Cross-site scripting (XSS) vulnerability in ViewVC 1.1 before 1.1.5 and 1.0 before 1.0.11, when the regular expression search functionality is enabled, allows remote attackers to inject arbitrary web script or HTML via vectors related to "search_re input," a different vulnerability than CVE-2010-0736. ADV-2010-0743 ADV-2010-0844 20100330 Secunia Research: ViewVC Regular Expression Search Cross-Site Scripting http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342&r2=2359&pathrev=HEAD http://secunia.com/secunia_research/2010-26/ 38918 SUSE-SR:2010:009 FEDORA-2010-5805 FEDORA-2010-5524 FEDORA-2010-5507 Multiple stack-based buffer overflows in the SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allow remote attackers to execute arbitrary code via unspecified vectors related to "certain records." http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-28/ Integer signedness error in rtfsr.dll in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via a crafted \ls keyword in a list override table entry in an RTF file, which triggers a buffer overflow. http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-27/ Heap-based buffer overflow in the WordPerfect 5.x reader (wosr.dll), as used in Autonomy KeyView 10.4 and 10.9 and possibly other products, allows remote attackers to execute arbitrary code via unspecified vectors related to "data blocks." http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-31/ OpenOffice.org (OOo) 2.0.4, 2.4.1, and 3.1.1 does not properly enforce Visual Basic for Applications (VBA) macro security settings, which allows remote attackers to run arbitrary macros via a crafted document. ADV-2010-2905 ADV-2010-0635 USN-903-1 38245 MDVSA-2010:221 [debian-openoffice] 20100212 ./packages/openofficeorg/3.1.1/unstable r1866: merge 1:3.1.1-15+squeeze1 DSA-1995 1023588 38921 38695 SUSE-SA:2010:017 Unspecified vulnerability in the sshd_child_handler process in the SSH server in Cisco IOS XR 3.4.1 through 3.7.0 allows remote attackers to cause a denial of service (process crash and memory consumption) via a crafted SSH2 packet, aka Bug ID CSCsu10574. 20100120 Cisco IOS XR Software SSH Denial of Service Vulnerability ciscoios-ssh-dos(55767) ADV-2010-0183 37878 1023480 38227 Buffer overflow in Cisco CiscoWorks Internetwork Performance Monitor (IPM) 2.6 and earlier on Windows, as distributed in CiscoWorks LAN Management Solution (LMS), allows remote attackers to execute arbitrary code via a malformed getProcessName CORBA General Inter-ORB Protocol (GIOP) request, related to a "third-party component," aka Bug ID CSCsv62350. cisco-ipm-corba-bo(55768) http://www.zerodayinitiative.com/advisories/ZDI-10-004/ ADV-2010-0184 37879 20100120 CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability 1023484 38230 Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.2, and possibly 5 does not properly validate SQL commands, which allows remote attackers to create, modify, or delete data in a database via unspecified vectors, aka Bug ID CSCtc39691. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 Multiple unspecified vulnerabilities in the web server in Cisco Unified MeetingPlace 7 before 7.0(2.3) hotfix 5F, 6 before 6.0.639.3, and possibly 5 allow remote attackers to create (1) user or (2) administrator accounts via a crafted URL in a request to the internal interface, aka Bug IDs CSCtc59231 and CSCtd40661. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1490b.shtml Affected Products Vulnerable Products Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by at least one of the vulnerabilities described in this document. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote attackers to discover usernames, passwords, and unspecified other data from the user database via a modified authentication sequence to the Audio Server, aka Bug ID CSCsv76935. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 MeetingTime in Cisco Unified MeetingPlace 6 before MR5, and possibly 5, allows remote authenticated users to gain privileges via a modified authentication sequence, aka Bug ID CSCsv66530. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1490b.shtml Affected Products Vulnerable Products Cisco Unified MeetingPlace versions 5, 6, and 7 are each affected by at least one of the vulnerabilities described in this document. 20100127 Multiple Vulnerabilities in Cisco Unified MeetingPlace 37965 Unspecified vulnerability in the administrative interface in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65921. 20100210 Multiple Vulnerabilities in Cisco IronPort Encryption Appliance http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080b17904.html 38525 Unspecified vulnerability in the WebSafe DistributorServlet in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65922. 20100210 Multiple Vulnerabilities in Cisco IronPort Encryption Appliance http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080b17904.html 38525 Unspecified vulnerability in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to execute arbitrary code via unknown vectors, aka IronPort Bug 65923. 20100210 Multiple Vulnerabilities in Cisco IronPort Encryption Appliance http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080b17904.html 38525 Directory traversal vulnerability in the Management Center for Cisco Security Agents 6.0 allows remote authenticated users to read arbitrary files via unspecified vectors. 20100217 Multiple Vulnerabilities in Cisco Security Agent cisco-sa-mgmtcenter-dir-traversal(56345) ADV-2010-0416 1023606 38271 38619 62443 SQL injection vulnerability in the Management Center for Cisco Security Agents 5.1 before 5.1.0.117, 5.2 before 5.2.0.296, and 6.0 before 6.0.1.132 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. 20100217 Multiple Vulnerabilities in Cisco Security Agent 38619 cisco-sa-mgmtcenter-sql-injection(56346) ADV-2010-0416 1023606 38272 62444 Unspecified vulnerability in Cisco Security Agent 5.2 before 5.2.0.285, when running on Linux, allows remote attackers to cause a denial of service (kernel panic) via "a series of TCP packets." Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1910d.shtml Only Cisco Security Agent release 5.2 for Linux, either managed or standalone, are affected by the DoS vulnerability (the Windows version is not affected). The Linux version of standalone agents are installed in the following products: * Cisco Unified Communications Manager (CallManager) * IPCC Express * IP Interactive Voice Response (IP IVR) * Cisco Unified Meeting Place * Cisco Personal Assistant (PA) * Cisco Unity Connection Note: The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities. Only Cisco Security Agent release 5.2 for Linux, either managed or standalone, are affected by the DoS vulnerability. " 20100217 Multiple Vulnerabilities in Cisco Security Agent 38619 cisco-securityagent-tcp-dos(56347) ADV-2010-0416 1023607 38273 62445 Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.2 before 7.2(4.46), 8.0 before 8.0(4.38), 8.1 before 8.1(2.29), and 8.2 before 8.2(1.5); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (prevention of new connections) via crafted TCP segments during termination of the TCP connection that cause the connection to remain in CLOSEWAIT status, aka "TCP Connection Exhaustion Denial of Service Vulnerability." cisco-asa-tcp-dos(56336) ADV-2010-0415 1023612 38275 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 38636 38618 62433 Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(5.2), 8.1 before 8.1(2.37), and 8.2 before 8.2(1.16); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (device reload) via malformed SIP messages, aka Bug ID CSCsy91157. cisco-asa5500-sip-dos(56338) ADV-2010-0415 1023612 38277 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 38636 38618 62434 The Cisco Firewall Services Module (FWSM) 4.0 before 4.0(8), as used in for the Cisco Catalyst 6500 switches, Cisco 7600 routers, and ASA 5500 Adaptive Security Appliances, allows remote attackers to cause a denial of service (crash) via a malformed Skinny Client Control Protocol (SCCP) message. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1910e.shtml "All non-fixed 4.x versions of Cisco FWSM Software are affected by this vulnerability if SCCP inspection is enabled. SCCP inspection is enabled by default." 20100217 Cisco Firewall Services Module Skinny Client Control Protocol Inspection Denial of Service Vulnerability 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances cisco-fwsm-asa-sccp-dos(56333) ADV-2010-0418 1023609 38274 38621 62432 Multiple cross-site scripting (XSS) vulnerabilities in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5.0.2 allow remote attackers to inject arbitrary web script or HTML via (1) the date1 parameter to pvm_messagestore.php, (2) the userfilter parameter to pvm_user_management.php, (3) the ping parameter to sys_tools.php in a sys_ping.php action, (4) the action parameter to pvm_cert_commaction.php, (5) the action parameter to pvm_cert_serveraction.php, (6) the action parameter to pvm_smtpstore.php, (7) the l parameter to sla/index.php, or (8) unspecified stored data; and allow remote authenticated users to inject arbitrary web script or HTML via (9) saved search filters. Per: http://www.ventuneac.net/security-advisories/MVSA-10-007 Affected Versions IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6) IBM Proventia Network Mail Security System - virtual appliance (firmware 2.5) http://www.ventuneac.net/security-advisories/MVSA-10-007 20100912 MVSA-10-007 / CVE-2010-0152 - IBM Proventia Mail Security System - Multiple persistent and reflected XSS vulnerabilities Multiple cross-site request forgery (CSRF) vulnerabilities in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5.0.2 allow remote attackers to hijack the authentication of administrators for requests that (1) change settings or (2) conduct denial of service attacks. Per: Affected Versions IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6) IBM Proventia Network Mail Security System - virtual appliance (firmware 2.5) http://www.ventuneac.net/security-advisories/MVSA-10-006 20100912 MVSA-10-006 / CVE-2010-0153 - IBM Proventia Network Mail Security System - Cross-Site Request Forgery vulnerabilities Directory traversal vulnerability in sla/index.php in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the l parameter, related to an "Insecure Direct Object Reference vulnerability." Per: http://www.ventuneac.net/security-advisories/MVSA-10-008 Affected Versions IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6) http://www.ventuneac.net/security-advisories/MVSA-10-008 20100912 MVSA-10-008 / CVE-2010-0154 - IBM Proventia Mail Security System - Insecure Direct Object Reference vulnerability CRLF injection vulnerability in load.php in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5 allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the javaVersion parameter. Per: http://www.ventuneac.net/security-advisories/MVSA-10-009 Affected Versions IBM Proventia Network Mail Security System - virtual appliance (firmware 1.6) http://www.ventuneac.net/security-advisories/MVSA-10-009 20100912 MVSA-10-009 / CVE-2010-0155 - IBM Proventia Network Mail Security System - CRLF Injection vulnerability Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/daemonout, (2) /tmp/puppetdoc.txt, (3) /tmp/puppetdoc.tex, or (4) /tmp/puppetdoc.aux temporary file. https://bugzilla.redhat.com/show_bug.cgi?id=502881 38766 [puppet-announce] 20100105 ANNOUNCE: Puppet 0.25.2 "Zoe" now available! SUSE-SR:2010:013 FEDORA-2010-1372 FEDORA-2010-1079 [puppet-announce] 20100108 ANNOUNCE: Puppet 0.24.9 is available Directory traversal vulnerability in the Bible Study (com_biblestudy) component 6.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter in a studieslist action to index.php. 37583 37896 http://packetstormsecurity.org/1001-exploits/joomlabiblestudy-lfi.txt ** DISPUTED ** SQL injection vulnerability in the JoomlaBamboo (JB) Simpla Admin template for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an article action to the com_content component, reachable through index.php. NOTE: the vendor disputes this report, saying: "JoomlaBamboo has investigated this report, and it is incorrect. There is no SQL injection vulnerability involving the id parameter in an article view, and there never was. JoomlaBamboo customers have no reason to be concerned about this report." ADV-2010-0014 37579 10971 [VIM] 20100203 Re: disputed: CVE-2010-0158 JoomlaBamboo (JB) Simpla Admin SQL injection [VIM] 20100203 disputed: CVE-2010-0158 JoomlaBamboo (JB) Simpla Admin SQL injection http://packetstormsecurity.org/1001-exploits/joomlabamboo-sql.txt The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=534082 https://bugzilla.mozilla.org/show_bug.cgi?id=530880 https://bugzilla.mozilla.org/show_bug.cgi?id=528300 https://bugzilla.mozilla.org/show_bug.cgi?id=528134 https://bugzilla.mozilla.org/show_bug.cgi?id=527567 https://bugzilla.mozilla.org/show_bug.cgi?id=501934 https://bugzilla.mozilla.org/show_bug.cgi?id=467005 mozilla-browsereng-code-execution(56359) ADV-2010-0650 ADV-2010-0405 USN-896-1 USN-895-1 RHSA-2010:0154 RHSA-2010:0153 RHSA-2010:0113 RHSA-2010:0112 http://www.mozilla.org/security/announce/2010/mfsa2010-01.html MDVSA-2010:042 DSA-1999 38847 38772 38770 37242 oval:org.mitre.oval:def:9590 oval:org.mitre.oval:def:8485 SUSE-SA:2010:015 FEDORA-2010-3267 FEDORA-2010-3230 FEDORA-2010-1727 FEDORA-2010-1936 FEDORA-2010-1932 The Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly handle array data types for posted messages, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. ADV-2010-0405 https://bugzilla.mozilla.org/show_bug.cgi?id=534051 https://bugzilla.mozilla.org/show_bug.cgi?id=533000 https://bugzilla.mozilla.org/show_bug.cgi?id=531222 mozilla-webworkers-code-execution(56360) http://www.zerodayinitiative.com/advisories/ZDI-10-046 USN-896-1 USN-895-1 20100402 ZDI-10-046: Mozilla Firefox Web Worker Array Remote Code Execution Vulnerability RHSA-2010:0112 http://www.mozilla.org/security/announce/2010/mfsa2010-02.html MDVSA-2010:042 DSA-1999 38847 37242 oval:org.mitre.oval:def:8465 oval:org.mitre.oval:def:11166 SUSE-SA:2010:015 FEDORA-2010-1727 FEDORA-2010-1936 FEDORA-2010-1932 The nsAuthSSPI::Unwrap function in extensions/auth/nsAuthSSPI.cpp in Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 on Windows Vista, Windows Server 2008 R2, and Windows 7 allows remote SMTP, IMAP, and POP servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via crafted data in a session that uses SSPI. https://bugzilla.mozilla.org/show_bug.cgi?id=511806 ADV-2010-0648 http://www.mozilla.org/security/announce/2010/mfsa2010-07.html thunderbird-activedirectory-dos(56992) 38831 39001 oval:org.mitre.oval:def:14159 SUSE-SR:2010:013 Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document. https://bugzilla.mozilla.org/show_bug.cgi?id=455472 mozilla-svg-xss(56363) ADV-2010-0405 USN-896-1 USN-895-1 RHSA-2010:0112 http://www.mozilla.org/security/announce/2010/mfsa2010-05.html MDVSA-2010:042 DSA-1999 38847 37242 oval:org.mitre.oval:def:8631 oval:org.mitre.oval:def:10697 SUSE-SA:2010:015 FEDORA-2010-1727 FEDORA-2010-1936 FEDORA-2010-1932 Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing. https://bugzilla.mozilla.org/show_bug.cgi?id=505221 http://www.mozilla.org/security/announce/2010/mfsa2010-07.html thunderbird-messages-dos(56993) ADV-2010-1556 ADV-2010-0648 USN-915-1 38831 RHSA-2010:0499 39001 38977 oval:org.mitre.oval:def:14259 oval:org.mitre.oval:def:10805 SUSE-SR:2010:013 Use-after-free vulnerability in the imgContainer::InternalAddFrameHelper function in src/imgContainer.cpp in libpr0n in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a multipart/x-mixed-replace animation in which the frames have different bits-per-pixel (bpp) values. https://bugzilla.mozilla.org/show_bug.cgi?id=547143 http://www.zerodayinitiative.com/advisories/ZDI-10-047 ADV-2010-0692 38921 38918 20100402 ZDI-10-047: Mozilla Firefox libpr0n imgContainer Bits-Per-Pixel Change Remote Code Execution Vulnerability http://www.mozilla.org/security/announce/2010/mfsa2010-09.html MDVSA-2010:070 oval:org.mitre.oval:def:8703 The TraceRecorder::traverseScopeChain function in js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors involving certain indirect calls to the JavaScript eval function. https://bugzilla.mozilla.org/show_bug.cgi?id=542849 ADV-2010-0692 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-11.html MDVSA-2010:070 oval:org.mitre.oval:def:8472 The gfxTextRun::SanitizeGlyphRuns function in gfx/thebes/src/gfxFont.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 on Mac OS X, when the Core Text API is used, does not properly perform certain deletions, which allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via an HTML document containing invisible Unicode characters, as demonstrated by the U+FEFF, U+FFF9, U+FFFA, and U+FFFB characters. https://bugzilla.mozilla.org/show_bug.cgi?id=538065 ADV-2010-0692 38943 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-11.html oval:org.mitre.oval:def:14182 The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors related to (1) layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in modules/plugin/base/src/nsNPAPIPlugin.cpp. http://www.mozilla.org/security/announce/2010/mfsa2010-11.html https://bugzilla.mozilla.org/show_bug.cgi?id=535641 https://bugzilla.mozilla.org/show_bug.cgi?id=534082 ADV-2010-0692 38944 38918 MDVSA-2010:070 oval:org.mitre.oval:def:9835 oval:org.mitre.oval:def:8610 The nsDocument::MaybePreLoadImage function in content/base/src/nsDocument.cpp in the image-preloading implementation in Mozilla Firefox 3.6 before 3.6.2 does not apply scheme restrictions and policy restrictions to the image's URL, which might allow remote attackers to cause a denial of service (application crash or hang) or hijack the functionality of the browser's add-ons via a crafted SRC attribute of an IMG element, as demonstrated by remote command execution through an ssh: URL in a configuration that supports gnome-vfs with a nonstandard network.gnomevfs.supported-protocols setting. 38918 https://bugzilla.mozilla.org/show_bug.cgi?id=540642 ADV-2010-0692 http://www.mozilla.org/security/announce/2010/mfsa2010-13.html MDVSA-2010:070 oval:org.mitre.oval:def:8711 The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching. https://bugzilla.mozilla.org/show_bug.cgi?id=535806 ADV-2010-0692 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-14.html oval:org.mitre.oval:def:8431 oval:org.mitre.oval:def:11391 Mozilla Firefox 3.6 before 3.6.2 does not offer plugins the expected window.location protection mechanism, which might allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors that are specific to each affected plugin. https://bugzilla.mozilla.org/show_bug.cgi?id=541530 ADV-2010-0692 38919 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-10.html MDVSA-2010:070 oval:org.mitre.oval:def:8602 Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allow remote attackers to perform cross-origin keystroke capture, and possibly conduct cross-site scripting (XSS) attacks, by using the addEventListener and setTimeout functions in conjunction with a wrapped object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-3736. 38918 http://www.mozilla.org/security/announce/2010/mfsa2010-12.html https://bugzilla.mozilla.org/show_bug.cgi?id=531364 ADV-2010-0692 oval:org.mitre.oval:def:7743 oval:org.mitre.oval:def:10773 toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances. http://www.mozilla.org/security/announce/2010/mfsa2010-15.html https://bugzilla.mozilla.org/show_bug.cgi?id=537862 ADV-2010-0692 38918 MDVSA-2010:070 oval:org.mitre.oval:def:8281 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=542136 https://bugzilla.mozilla.org/show_bug.cgi?id=499862 https://bugzilla.mozilla.org/show_bug.cgi?id=496011 https://bugzilla.mozilla.org/show_bug.cgi?id=491722 https://bugzilla.mozilla.org/show_bug.cgi?id=488850 firefox-browser-eng-code-execution(57388) ADV-2010-0849 ADV-2010-0748 http://www.mozilla.org/security/announce/2010/mfsa2010-16.html MDVSA-2010:070 USN-921-1 1023781 1023775 39397 39243 39242 39204 39136 oval:org.mitre.oval:def:7467 SUSE-SR:2010:013 FEDORA-2010-5539 FEDORA-2010-5526 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=546530 https://bugzilla.mozilla.org/show_bug.cgi?id=499844 mozilla-browser-eng-code-exec(57389) ADV-2010-0849 ADV-2010-0790 ADV-2010-0781 ADV-2010-0765 ADV-2010-0764 ADV-2010-0748 RHSA-2010:0333 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-16.html MDVSA-2010:070 DSA-2027 USN-921-1 1023781 1023775 39397 39308 39243 39242 39240 39204 39136 39117 38566 oval:org.mitre.oval:def:9502 oval:org.mitre.oval:def:7615 SUSE-SR:2010:013 FEDORA-2010-5561 FEDORA-2010-5539 FEDORA-2010-5526 Use-after-free vulnerability in the nsTreeSelection implementation in Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.9, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger a call to the handler for the select event for XUL tree items. https://bugzilla.mozilla.org/show_bug.cgi?id=540100 https://bugzilla.mozilla.org/show_bug.cgi?id=375928 firefox-nstreeselection-code-execution(57390) http://www.zerodayinitiative.com/advisories/ZDI-10-050 ADV-2010-0849 ADV-2010-0790 ADV-2010-0781 ADV-2010-0765 ADV-2010-0764 ADV-2010-0748 20100402 ZDI-10-050: Mozilla Firefox nsTreeSelection EventListener Remote Code Execution Vulnerability RHSA-2010:0333 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-17.html MDVSA-2010:070 DSA-2027 USN-921-1 1023782 1023780 39397 39308 39243 39242 39240 39204 39136 39117 38566 oval:org.mitre.oval:def:9834 oval:org.mitre.oval:def:7546 SUSE-SR:2010:013 FEDORA-2010-5561 FEDORA-2010-5539 FEDORA-2010-5526 Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2; Thunderbird before 3.0.4; and SeaMonkey before 2.0.4 do not properly manage reference counts for option elements in a XUL tree optgroup, which might allow remote attackers to execute arbitrary code via unspecified vectors that trigger access to deleted elements, related to a "dangling pointer vulnerability." https://bugzilla.mozilla.org/show_bug.cgi?id=538308 firefox-nstreecontentview-code-exec(57392) ADV-2010-0849 ADV-2010-0790 ADV-2010-0781 ADV-2010-0765 ADV-2010-0764 ADV-2010-0748 RHSA-2010:0333 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-18.html MDVSA-2010:070 DSA-2027 USN-921-1 1023782 1023776 39397 39308 39243 39242 39240 39204 39136 39117 38566 oval:org.mitre.oval:def:7222 oval:org.mitre.oval:def:11052 SUSE-SR:2010:013 FEDORA-2010-5561 FEDORA-2010-5539 FEDORA-2010-5526 Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, frees the contents of the window.navigator.plugins array while a reference to an array element is still active, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors, related to a "dangling pointer vulnerability." https://bugzilla.mozilla.org/show_bug.cgi?id=538310 firefox-nspluginarray-code-execution(57393) http://www.zerodayinitiative.com/advisories/ZDI-10-049 ADV-2010-0849 ADV-2010-0781 ADV-2010-0765 ADV-2010-0764 ADV-2010-0748 20100402 ZDI-10-049: Mozilla Firefox PluginArray nsMimeType Dangling Pointer Remote Code Execution Vulnerability RHSA-2010:0333 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-19.html MDVSA-2010:070 DSA-2027 USN-921-1 1023776 39397 39308 39243 39240 39136 39117 38566 oval:org.mitre.oval:def:7622 oval:org.mitre.oval:def:10833 SUSE-SR:2010:013 Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, does not prevent applets from interpreting mouse clicks as drag-and-drop actions, which allows remote attackers to execute arbitrary JavaScript with Chrome privileges by loading a chrome: URL and then loading a javascript: URL. https://bugzilla.mozilla.org/show_bug.cgi?id=546909 firefox-draganddrop-code-execution(57391) ADV-2010-0849 ADV-2010-0781 ADV-2010-0764 ADV-2010-0748 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-20.html MDVSA-2010:070 DSA-2027 USN-921-1 1023776 39397 39308 39243 39240 39136 oval:org.mitre.oval:def:6975 oval:org.mitre.oval:def:10460 SUSE-SR:2010:013 Mozilla Firefox before 3.0.19 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, when the XMLHttpRequestSpy module in the Firebug add-on is used, does not properly handle interaction between the XMLHttpRequestSpy object and chrome privileged objects, which allows remote attackers to execute arbitrary JavaScript via a crafted HTTP response. https://bugzilla.mozilla.org/show_bug.cgi?id=504021 firefox-firebug-code-execution(57394) ADV-2011-0030 ADV-2010-0849 ADV-2010-0781 ADV-2010-0764 ADV-2010-0748 39124 RHSA-2010:0332 http://www.mozilla.org/security/announce/2010/mfsa2010-21.html MDVSA-2010:251 MDVSA-2010:070 DSA-2027 USN-921-1 http://support.avaya.com/css/P8/documents/100124650 1023783 42818 39397 39308 39243 oval:org.mitre.oval:def:9446 oval:org.mitre.oval:def:6971 SUSE-SA:2011:003 SUSE-SR:2010:013 Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6 and 3.7, when use_suexec is enabled, uses world-readable permissions for the localconfig files, which allows local users to read sensitive configuration fields, as demonstrated by the database password field and the site_wide_secret field. https://bugzilla.mozilla.org/show_bug.cgi?id=561797 ADV-2010-1595 41144 http://www.bugzilla.org/security/3.2.6/ 40300 Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, executes a mail application in situations where an IMG element has a SRC attribute that is a redirect to a mailto: URL, which allows remote attackers to cause a denial of service (excessive application launches) via an HTML document with many images. https://bugzilla.mozilla.org/show_bug.cgi?id=452093 firefox-mailto-weak-security(57395) ADV-2010-0849 ADV-2010-0748 20100518 DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers http://www.mozilla.org/security/announce/2010/mfsa2010-23.html MDVSA-2010:070 http://websecurity.com.ua/4206/ USN-921-1 39397 39136 oval:org.mitre.oval:def:6776 SUSE-SR:2010:013 The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not perform the expected nsIContentPolicy checks during loading of content by XML documents, which allows attackers to bypass intended access restrictions via crafted content. https://bugzilla.mozilla.org/show_bug.cgi?id=490790 firefox-xmldocumentload-weak-security(57396) ADV-2010-1557 ADV-2010-0849 ADV-2010-0748 39479 RHSA-2010:0501 RHSA-2010:0500 http://www.mozilla.org/security/announce/2010/mfsa2010-24.html MDVSA-2010:070 USN-921-1 http://support.avaya.com/css/P8/documents/100091069 39397 oval:org.mitre.oval:def:9375 oval:org.mitre.oval:def:7618 SUSE-SR:2010:013 Use-after-free vulnerability in the nsCycleCollector::MarkRoots function in Mozilla Firefox 3.5.x before 3.5.10 and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a crafted HTML document, related to an improper frame construction process for menus. https://bugzilla.mozilla.org/show_bug.cgi?id=557174 ADV-2010-1773 ADV-2010-1551 1024138 41050 http://www.mozilla.org/security/announce/2010/mfsa2010-27.html 40481 40326 oval:org.mitre.oval:def:12586 SUSE-SA:2010:030 The (1) domainutility and (2) domainutilitycmd components in TIBCO Domain Utility in TIBCO Runtime Agent (TRA) before 5.6.2, as used in TIBCO ActiveMatrix BusinessWorks and other products, set weak permissions on domain properties files, which allows local users to obtain domain administrator credentials, and gain privileges on all domain systems, via unspecified vectors. ADV-2010-0128 http://www.tibco.com/multimedia/security_advisory_runtime_agent_20100113_tcm8-10392.txt http://www.tibco.com/mk/advisory.jsp 37805 38191 The default configuration of Adobe ColdFusion 9.0 does not restrict access to collections that have been created by the Solr Service, which allows remote attackers to obtain collection metadata, search information, and index data via a request to an unspecified URL. coldfusion-solr-information-disclosure(55997) ADV-2010-0259 1023519 38007 http://www.adobe.com/support/security/bulletins/apsb10-04.html 38387 62037 http://kb2.adobe.com/cps/807/cpsid_80719.html Cross-domain vulnerability in Adobe Flash Player before 10.0.45.2, Adobe AIR before 1.5.3.9130, and Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows remote attackers to bypass intended sandbox restrictions and make cross-domain requests via unspecified vectors. Per: http://www.adobe.com/support/security/bulletins/apsb10-07.html A critical vulnerability has been identified in Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. As described in Security Bulletin APSB10-06, this vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. Affected software versions Adobe Reader 9.3 and earlier versions for Windows, Macintosh, and UNIX Adobe Acrobat 9.3 and earlier versions for Windows and Macintosh http://www.adobe.com/support/security/bulletins/apsb10-07.html http://www.adobe.com/support/security/bulletins/apsb10-06.html RHSA-2010:0103 RHSA-2010:0102 https://bugzilla.redhat.com/show_bug.cgi?id=563819 ADV-2011-0192 ADV-2010-1481 38198 RHSA-2010:0114 62300 http://support.apple.com/kb/HT4188 1023585 GLSA-201101-09 43026 40220 38915 38639 38547 oval:org.mitre.oval:def:8518 SUSE-SR:2010:006 APPLE-SA-2010-06-15-1 Adobe Flash Player before 10.0.45.2 and Adobe AIR before 1.5.3.9130 allow remote attackers to cause a denial of service (application crash) via a modified SWF file. RHSA-2010:0102 https://bugzilla.redhat.com/show_bug.cgi?id=564287 ADV-2011-0192 ADV-2010-1481 38200 11182 http://www.adobe.com/support/security/bulletins/apsb10-06.html http://support.apple.com/kb/HT4188 1023585 GLSA-201101-09 43026 40220 38915 38547 http://sebug.net/exploit/18967/ oval:org.mitre.oval:def:8393 SUSE-SR:2010:006 APPLE-SA-2010-06-15-1 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. adobe-unspec-priv-escalation(56297) ADV-2010-0399 38195 RHSA-2010:0114 http://www.adobe.com/support/security/bulletins/apsb10-07.html 1023601 38915 38639 oval:org.mitre.oval:def:8697 SUSE-SR:2010:006 A certain ActiveX control in NOS Microsystems getPlus Download Manager (aka DLM or Downloader) 1.5.2.35, as used in Adobe Download Manager, improperly validates requests involving web sites that are not in subdomains, which allows remote attackers to force the download and installation of arbitrary programs via a crafted name for a download site. Per: http://blogs.adobe.com/psirt/2010/02/adobe_download_manager_issue.html "Adobe is aware of the recently posted report of a remote code execution vulnerability in the Adobe Download Manager." http://www.adobe.com/support/security/bulletins/apsb10-08.html adobe-dlmanager-unspecified-file-download(56370) ADV-2010-0459 38313 62547 http://www.akitasecurity.nl/advisory.php?id=AK20090401 1023651 38729 oval:org.mitre.oval:def:7182 20100223 Multiple Vendor NOS Microsystems getPlus Downloader Input Validation Vulnerability http://blogs.zdnet.com/security/?p=5505 http://blogs.adobe.com/psirt/2010/02/adobe_download_manager_issue.html http://aviv.raffon.net/2010/02/18/SkeletonsInAdobesSecurityCloset.aspx Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6986 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to execute arbitrary code via unspecified vectors, related to a "prefix protocol handler vulnerability." TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6729 Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2010-0193 and CVE-2010-0196. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7046 Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2010-0192 and CVE-2010-0196. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html adobe-acrobat-unspec-code-exec(57701) 39329 oval:org.mitre.oval:def:7352 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0197, CVE-2010-0201, and CVE-2010-0204. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6823 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, do not properly handle fonts, which allows attackers to execute arbitrary code via unspecified vectors. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7420 Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2010-0192 and CVE-2010-0193. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7064 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0201, and CVE-2010-0204. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7298 Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0199, CVE-2010-0202, and CVE-2010-0203. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7106 Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0198, CVE-2010-0202, and CVE-2010-0203. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6900 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-0200. Reason: This candidate is a duplicate of CVE-2010-0200. Notes: All CVE users should reference CVE-2010-0200 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0197, and CVE-2010-0204. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:7056 Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0198, CVE-2010-0199, and CVE-2010-0203. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html 39329 oval:org.mitre.oval:def:6733 Buffer overflow in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0198, CVE-2010-0199, and CVE-2010-0202. TA10-103C http://www.adobe.com/support/security/bulletins/apsb10-09.html ADV-2010-0873 39329 oval:org.mitre.oval:def:7494 Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allow attackers to cause a denial of service (memory corruption) or execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-0194, CVE-2010-0197, and CVE-2010-0201. TA10-103C ADV-2010-0873 http://www.adobe.com/support/security/bulletins/apsb10-09.html acrobat-unspec-code-execution(57711) 39522 39329 oval:org.mitre.oval:def:7387 The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack. VU#576029 38478 libpng-pngdecompresschunk-dos(56661) ADV-2010-2491 ADV-2010-1107 ADV-2010-0847 ADV-2010-0686 ADV-2010-0682 ADV-2010-0667 ADV-2010-0637 ADV-2010-0626 ADV-2010-0605 ADV-2010-0517 http://www.vmware.com/security/advisories/VMSA-2010-0014.html 1023674 MDVSA-2010:064 MDVSA-2010:063 DSA-2032 USN-913-1 http://support.apple.com/kb/HT4435 41574 39251 38774 62670 [security-announce] 20100923 VMSA-2010-0014 VMware Workstation, Player, and ACE address several security issues SUSE-SR:2010:013 SUSE-SR:2010:012 SUSE-SR:2010:011 FEDORA-2010-4683 FEDORA-2010-3414 FEDORA-2010-3375 FEDORA-2010-2988 APPLE-SA-2010-11-10-1 http://libpng.sourceforge.net/decompression_bombs.html http://libpng.sourceforge.net/ADVISORY-1.4.1.html Adobe Flash Player before 9.0.280 and 10.x before 10.1.82.76, and Adobe AIR before 2.0.3, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2213, CVE-2010-2214, and CVE-2010-2216. ADV-2011-0192 1024621 http://www.adobe.com/support/security/bulletins/apsb10-16.html http://support.apple.com/kb/HT4435 GLSA-201101-09 43026 oval:org.mitre.oval:def:11461 HPSBMA02592 HPSBMA02592 APPLE-SA-2010-11-10-1 The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not check the return value of a call to the smr_normalize function, which allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a modrdn call with an RDN string containing invalid UTF-8 sequences, which triggers a free of an invalid, uninitialized pointer in the slap_mods_free function, as demonstrated using the Codenomicon LDAPv3 test suite. 41770 ADV-2011-0025 ADV-2010-1858 ADV-2010-1849 http://www.vmware.com/security/advisories/VMSA-2011-0001.html 1024221 20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap RHSA-2010:0543 RHSA-2010:0542 http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570 http://support.apple.com/kb/HT4435 42787 40687 40677 40639 SUSE-SR:2010:014 APPLE-SA-2010-11-10-1 OpenLDAP 2.4.22 allows remote attackers to cause a denial of service (crash) via a modrdn call with a zero-length RDN destination string, which is not properly handled by the smr_normalize function and triggers a NULL pointer dereference in the IA5StringNormalize function in schema_init.c, as demonstrated using the Codenomicon LDAPv3 test suite. ADV-2010-1849 41770 ADV-2011-0025 ADV-2010-1858 http://www.vmware.com/security/advisories/VMSA-2011-0001.html 1024221 20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap RHSA-2010:0542 http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570 http://support.apple.com/kb/HT4435 42787 40687 40639 SUSE-SR:2010:014 APPLE-SA-2010-11-10-1 BIND 9.7.1 and 9.7.1-P1, when a recursive validating server has a trust anchor that is configured statically or via DNSSEC Lookaside Validation (DLV), allows remote attackers to cause a denial of service (infinite loop) via a query for an RRSIG record whose answer is not in the cache, which causes BIND to repeatedly send RRSIG queries to the authoritative servers. VU#211905 ADV-2010-1884 1024217 41730 http://www.isc.org/software/bind/advisories/cve-2010-0213 40709 40652 SUSE-SR:2010:020 FEDORA-2010-11344 The administrative interface on the PolyVision RoomWizard with firmware 3.2.3 places the Sync Connector Active Directory (AD) credentials in a web form that is accessed over HTTP on port 80, which allows remote attackers to obtain sensitive information by reading the HTML source code corresponding to the /admin/sign/DeviceSynch URI. VU#870601 roomwizard-password-security-bypass(64543) ADV-2011-0059 45699 20110106 RoomWizard Default Password and Sync Connector Credential Leak [CVE-2010-0214] http://packetstormsecurity.org/files/view/97291/roomwizard-disclose.txt ActiveCollab before 2.3.2 allows remote authenticated users to bypass intended access restrictions, and (1) delete an attachment or (2) subscribe to an object, via a crafted URL. VU#236703 http://www.activecollab.com/docs/manuals/admin/release-notes/activecollab-2-3-2 authenticate_ad_setup_finished.cfm in MediaCAST 8 and earlier allows remote attackers to discover usernames and cleartext passwords by reading the error messages returned for requests that use the UserID parameter. mediacast-authenticateadsetup-info-disc(67082) 47572 http://www.packetninjas.net/storage/advisories/MediaCast-PWDump-FINAL.txt 72079 8245 44182 Zeacom Chat Server before 5.1 uses too short a random string for the JSESSIONID value, which makes it easier for remote attackers to hijack sessions or cause a denial of service (Chat Server crash or Tomcat daemon crash) via a brute-force attack. chat-server-jsessionid-session-hijacking(67540) 47910 20110517 CVE-2010-0217 - Zeacom Chat Server JSESSIONID weak SessionID Vulnerability http://www.packetninjas.net/storage/advisories/Zeacom-CVE-2010-0217.txt 8255 ISC BIND 9.7.2 through 9.7.2-P1 uses an incorrect ACL to restrict the ability of Recursion Desired (RD) queries to access the cache, which allows remote attackers to obtain potentially sensitive information via a DNS query. VU#784855 http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html [bind-announce] 20100928 Security Advisory Regarding Unexpected ACL Behavior in BIND 9.7.2 Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service. VU#989719 https://service.sap.com/sap/support/notes/1432881 businessobjects-dswsbobje-security-bypass(62523) ADV-2010-2673 1024929 20101014 R7-0037: SAP BusinessObjects Axis2 Default Admin Password http://www.rapid7.com/security-center/advisories/R7-0037.jsp 70233 15869 http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf 42763 41799 http://retrogod.altervista.org/9sg_ca_d2d.html The nsObserverList::FillObserverArray function in xpcom/ds/nsObserverList.cpp in Mozilla Firefox before 3.5.7 allows remote attackers to cause a denial of service (application crash) via a crafted web site that triggers memory consumption and an accompanying Low Memory alert dialog, and also triggers attempted removal of an observer from an empty observers array. http://www.mozilla.com/en-US/firefox/3.5.7/releasenotes/ http://isc.sans.org/diary.html?storyid=7897 https://bugzilla.mozilla.org/show_bug.cgi?id=507114 firefox-nsobserverlist-dos(55550) MDVSA-2010:000 oval:org.mitre.oval:def:8292 http://hg.mozilla.org/mozilla-central/rev/51396f6c9f20 Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure Privacy Edition (DTSP), and DataTraveler Elite Privacy Edition (DTEP) USB flash drives validate passwords with a program running on the host computer rather than the device hardware, which allows physically proximate attackers to access the cleartext drive contents via a modified program. https://www.ironkey.com/usb-flash-drive-flaw-exposed kingston-access-control-sec-bypass(55477) ADV-2010-0080 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_Kingston_USB-Stick.pdf http://www.kingston.com/driveupdate/ http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html 1023410 http://news.zdnet.co.uk/security/0,1000000189,39963327,00.htm http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure Privacy Edition (DTSP), and DataTraveler Elite Privacy Edition (DTEP) USB flash drives use a fixed 256-bit key for obtaining access to the cleartext drive contents, which makes it easier for physically proximate attackers to read or modify data by determining and providing this key. https://www.ironkey.com/usb-flash-drive-flaw-exposed ADV-2010-0080 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_Kingston_USB-Stick.pdf http://www.kingston.com/driveupdate/ http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html http://news.zdnet.co.uk/security/0,1000000189,39963327,00.htm http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 Kingston DataTraveler BlackBox (DTBB), DataTraveler Secure Privacy Edition (DTSP), and DataTraveler Elite Privacy Edition (DTEP) USB flash drives do not prevent password replay attacks, which allows physically proximate attackers to access the cleartext drive contents by providing a key that was captured in a USB data stream at an earlier time. https://www.ironkey.com/usb-flash-drive-flaw-exposed ADV-2010-0080 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_Kingston_USB-Stick.pdf http://www.kingston.com/driveupdate/ SanDisk Cruzer Enterprise USB flash drives validate passwords with a program running on the host computer rather than the device hardware, which allows physically proximate attackers to access the cleartext drive contents via a modified program. https://www.ironkey.com/usb-flash-drive-flaw-exposed sandisk-access-control-sec-bypass(55475) ADV-2010-0078 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_SanDisk_USB-Stick.pdf 37677 http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009 http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html 1023408 http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 SanDisk Cruzer Enterprise USB flash drives use a fixed 256-bit key for obtaining access to the cleartext drive contents, which makes it easier for physically proximate attackers to read or modify data by determining and providing this key. https://www.ironkey.com/usb-flash-drive-flaw-exposed ADV-2010-0078 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_SanDisk_USB-Stick.pdf 37677 http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009 http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 SanDisk Cruzer Enterprise USB flash drives do not prevent password replay attacks, which allows physically proximate attackers to access the cleartext drive contents by providing a key that was captured in a USB data stream at an earlier time. https://www.ironkey.com/usb-flash-drive-flaw-exposed ADV-2010-0078 http://www.syss.de/index.php?id=108&tx_ttnews[tt_news]=528&cHash=8d16fa63d9 http://www.syss.de/fileadmin/ressources/040_veroeffentlichungen/dokumente/SySS_knackt_SanDisk_USB-Stick.pdf 37677 http://www.sandisk.com/business-solutions/enterprise/technical-support/security-bulletin-december-2009 Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash drives validate passwords with a program running on the host computer rather than the device hardware, which allows physically proximate attackers to access the cleartext drive contents via a modified program. https://www.ironkey.com/usb-flash-drive-flaw-exposed http://www.verbatim.com/security/security-update.cfm http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html 1023409 http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash drives use a fixed 256-bit key for obtaining access to the cleartext drive contents, which makes it easier for physically proximate attackers to read or modify data by determining and providing this key. https://www.ironkey.com/usb-flash-drive-flaw-exposed http://www.verbatim.com/security/security-update.cfm http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html http://it.slashdot.org/story/10/01/05/1734242/ http://blogs.zdnet.com/hardware/?p=6655 Verbatim Corporate Secure and Corporate Secure FIPS Edition USB flash drives do not prevent password replay attacks, which allows physically proximate attackers to access the cleartext drive contents by providing a key that was captured in a USB data stream at an earlier time. https://www.ironkey.com/usb-flash-drive-flaw-exposed http://www.verbatim.com/security/security-update.cfm SUSE Linux Enterprise 10 SP3 (SLE10-SP3) and openSUSE 11.2 configures postfix to listen on all network interfaces, which might allow remote attackers to bypass intended access restrictions. SUSE-SA:2010:011 SUSE-SR:2010:001 The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not use a sufficient source of entropy, which allows remote attackers to obtain access to files and other SMB resources via a large number of authentication requests, related to server-generated challenges, certain "duplicate values," and spoofing of an authentication token, aka "SMB NTLM Authentication Lack of Entropy Vulnerability." TA10-040A MS10-012 oval:org.mitre.oval:def:7751 The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability." TA10-040A MS10-015 http://www.microsoft.com/technet/security/advisory/979682.mspx ms-win-gptrap-privilege-escalation(55742) ADV-2010-0179 37864 20100119 Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack 1023471 38265 20100119 Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack oval:org.mitre.oval:def:8344 http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip [dailydave] 20100119 We hold these axioms to be self evident http://blogs.technet.com/msrc/archive/2010/01/20/security-advisory-979682-released.aspx Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows local users to gain privileges via a crafted application, aka "Windows Kernel Double Free Vulnerability." Per: http://cwe.mitre.org/data/slices/2000.html#d "CWE-415 Double Free" vulnerability TA10-040A MS10-015 oval:org.mitre.oval:def:8392 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 does not properly validate a registry-key argument to an unspecified system call, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Null Pointer Vulnerability." TA10-103A MS10-021 1023850 39374 39373 oval:org.mitre.oval:def:6814 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Vista Gold does not perform the expected validation before creating a symbolic link, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Symbolic Link Value Vulnerability." TA10-103A MS10-021 1023850 39373 oval:org.mitre.oval:def:7509 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Vista Gold does not properly allocate memory for the destination key associated with a symbolic-link registry key, which allows local users to gain privileges via a crafted application, aka "Windows Kernel Memory Allocation Vulnerability." TA10-103A MS10-021 1023850 39373 oval:org.mitre.oval:def:7113 The kernel in Microsoft Windows 2000 SP4 and XP SP2 and SP3 allows local users to gain privileges by creating a symbolic link from an untrusted registry hive to a trusted registry hive, aka "Windows Kernel Symbolic Link Creation Vulnerability." TA10-103A MS10-021 1023850 39373 oval:org.mitre.oval:def:7130 Unspecified vulnerability in registry-key validation in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Vista Gold allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Registry Key Vulnerability." TA10-103A MS10-021 1023850 39373 oval:org.mitre.oval:def:6793 The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Router Advertisement packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Router Advertisement Vulnerability." TA10-040A MS10-009 oval:org.mitre.oval:def:8478 The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when a custom network driver is used, does not properly handle local fragmentation of Encapsulating Security Payload (ESP) over UDP packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "Header MDL Fragmentation Vulnerability." TA10-040A MS10-009 oval:org.mitre.oval:def:8400 The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Route Information packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Route Information Vulnerability." TA10-040A MS10-009 oval:org.mitre.oval:def:8516 The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows remote attackers to cause a denial of service (system hang) via crafted packets with malformed TCP selective acknowledgement (SACK) values, aka "TCP/IP Selective Acknowledgement Vulnerability." TA10-040A MS10-009 oval:org.mitre.oval:def:8449 Buffer overflow in MSO.DLL in Microsoft Office XP SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Office document, aka "MSO.DLL Buffer Overflow." TA10-040A MS10-003 oval:org.mitre.oval:def:8399 Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-2530 and CVE-2009-2531. ie-deleted-obj-code-exec(55774) MS10-002 oval:org.mitre.oval:def:8186 Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3671, CVE-2009-3674, and CVE-2010-0246. MS10-002 ie-uninitialized-memory-code-exec(55775) oval:org.mitre.oval:def:8491 Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability," a different vulnerability than CVE-2009-3671, CVE-2009-3674, and CVE-2010-0245. ie-deleted-object-code-exec(55776) MS10-002 oval:org.mitre.oval:def:8378 Microsoft Internet Explorer 5.01 SP4, 6, and 6 SP1 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." ie-uninitialized-obj-code-exec(55777) MS10-002 oval:org.mitre.oval:def:8506 Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability." MS10-002 ie-object-memory-code-exec(55778) oval:org.mitre.oval:def:8267 Use-after-free vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 on Windows 2000 SP4; Windows XP SP2 and SP3; Windows Server 2003 SP2; Windows Vista Gold, SP1, and SP2; Windows Server 2008 Gold, SP2, and R2; and Windows 7 allows remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object, related to incorrectly initialized memory and improper handling of objects in memory, as exploited in the wild in December 2009 and January 2010 during Operation Aurora, aka "HTML Object Memory Corruption Vulnerability." Per: http://cwe.mitre.org/data/definitions/416.htmlhttp://cwe.mitre.org/data/definitions/416.html CWE-416: Use After Free TA10-055A VU#492515 ie-freed-object-code-execution(55642) ADV-2010-0135 37815 MS10-002 http://www.microsoft.com/technet/security/advisory/979352.mspx 11167 979352 1023462 oval:org.mitre.oval:def:6835 61697 http://news.cnet.com/8301-27080_3-10435232-245.html http://blogs.technet.com/msrc/archive/2010/01/14/security-advisory-979352.aspx Heap-based buffer overflow in DirectShow in Microsoft DirectX, as used in the AVI Filter on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2, and in Quartz on Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, allows remote attackers to execute arbitrary code via an AVI file with a crafted length field in an unspecified video stream, which is not properly handled by the RLE video decompressor, aka "DirectShow Heap Overflow Vulnerability." TA10-040A http://www.zerodayinitiative.com/advisories/ZDI-10-015/ 38112 20100209 ZDI-10-015: Microsoft Windows RLE Video Decompressor Remote Code Execution Vulnerability MS10-013 http://support.avaya.com/css/P8/documents/100074167 38511 oval:org.mitre.oval:def:8064 The Microsoft Data Analyzer ActiveX control (aka the Office Excel ActiveX control for Data Analysis) in max3activex.dll in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote attackers to execute arbitrary code via a crafted web page that corrupts the "system state," aka "Microsoft Data Analyzer ActiveX Control Vulnerability." TA10-159B TA10-040A MS10-008 MS10-034 40059 38503 oval:org.mitre.oval:def:8424 Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 and SP2 does not properly validate attributes in Visio files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Visio Attribute Validation Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-028.mspx 'Users of Microsoft Office Visio 2002 and later versions of Visio will be prompted with Open, Save, or Cancel before opening a document. This is a mitigating factor because the vulnerability requires more than a single user action to complete the exploit.' TA10-103A MS10-028 oval:org.mitre.oval:def:6819 Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving JavaScript exploit code that constructs a reference to a file://127.0.0.1 URL, aka the dynamic OBJECT tag vulnerability, as demonstrated by obtaining the data from an index.dat file, a variant of CVE-2009-1140 and related to CVE-2008-1448. TA10-159B 38056 38055 20100203 CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities MS10-035 http://www.microsoft.com/technet/security/advisory/980088.mspx http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag http://support.avaya.com/css/P8/documents/100089747 oval:org.mitre.oval:def:7145 62156 http://isc.sans.org/diary.html?n&storyid=8152 http://blogs.technet.com/msrc/archive/2010/02/03/security-advisory-980088-released.aspx Microsoft Office Visio 2002 SP2, 2003 SP3, and 2007 SP1 and SP2 does not properly calculate unspecified indexes associated with Visio files, which allows remote attackers to execute arbitrary code via a crafted file, aka "Visio Index Calculation Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-028.mspx 'Users of Microsoft Office Visio 2002 and later versions of Visio will be prompted with Open, Save, or Cancel before opening a document. This is a mitigating factor because the vulnerability requires more than a single user action to complete the exploit.' TA10-103A MS10-028 oval:org.mitre.oval:def:6732 Microsoft Office Excel 2002 SP3 does not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet, aka "Microsoft Office Excel Record Memory Corruption Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:8617 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 do not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet that causes memory to be interpreted as a different object type than intended, aka "Microsoft Office Excel Sheet Object Type Confusion Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:8545 20100309 Microsoft Excel Sheet Object Type Confusion Vulnerability Heap-based buffer overflow in Microsoft Office Excel 2007 SP1 and SP2; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted spreadsheet in which "a MDXTUPLE record is broken up into several records," aka "Microsoft Office Excel MDXTUPLE Record Heap Overflow Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:7862 20100309 Microsoft Excel MDXTUPLE Record Heap Overflow Vulnerability Heap-based buffer overflow in Microsoft Office Excel 2007 SP1 and SP2 and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted spreadsheet in which "a MDXSET record is broken up into several records," aka "Microsoft Office Excel MDXSET Record Heap Overflow Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:8479 20100309 Microsoft Excel MDXSET Record Heap Overflow Vulnerability Microsoft Office Excel 2007 SP1 and SP2 and Office 2004 for Mac do not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet that triggers access of an uninitialized stack variable, aka "Microsoft Office Excel FNGROUPNAME Record Uninitialized Memory Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:8562 20100309 Microsoft Excel FNGROUPNAME Record Uninitialized Memory Vulnerability Microsoft Office Excel 2007 SP1 and SP2; Office 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer SP1 and SP2; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2; and Office SharePoint Server 2007 SP1 and SP2 do not validate ZIP headers during decompression of Open XML (.XLSX) documents, which allows remote attackers to execute arbitrary code via a crafted document that triggers access to uninitialized memory locations, aka "Microsoft Office Excel XLSX File Parsing Code Execution Vulnerability." TA10-068A MS10-017 http://www.zerodayinitiative.com/advisories/ZDI-10-025/ 1023698 20100309 ZDI-10-025: Microsoft Office Excel XLSX File Parsing Remote Code Execution Vulnerability oval:org.mitre.oval:def:8407 Microsoft Office Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac do not properly parse the Excel file format, which allows remote attackers to execute arbitrary code via a crafted spreadsheet, aka "Microsoft Office Excel DbOrParamQry Record Parsing Vulnerability." TA10-068A MS10-017 1023698 oval:org.mitre.oval:def:7888 Buffer overflow in Microsoft Windows Movie Maker 2.1, 2.6, and 6.0, and Microsoft Producer 2003, allows remote attackers to execute arbitrary code via a crafted project (.MSWMM) file, aka "Movie Maker and Producer Buffer Overflow Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-016.mspx '[1]These versions of Windows Movie Maker are delivered with the indicated operating systems. [2]Windows Movie Maker 2.6 is an optional download that can be installed on the indicated operating systems. Windows 7 systems without Movie Maker 2.6 installed are not affected. TA10-068A MS10-016 oval:org.mitre.oval:def:8595 Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability." TA10-194A MS10-045 oval:org.mitre.oval:def:11623 Microsoft Internet Explorer 6, 6 SP1, and 7 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 are not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39023 MS10-018 1023773 oval:org.mitre.oval:def:8554 Unspecified vulnerability in the Windows Media Player ActiveX control in Windows Media Player (WMP) 9 on Microsoft Windows 2000 SP4 and XP SP2 and SP3 allows remote attackers to execute arbitrary code via crafted media content, aka "Media Player Remote Code Execution Vulnerability." TA10-103A MS10-027 oval:org.mitre.oval:def:7281 The SMB client in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly allocate memory for SMB responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Memory Allocation Vulnerability." TA10-103A MS10-020 39372 oval:org.mitre.oval:def:7129 The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly validate fields in SMB transaction responses, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted (1) SMBv1 or (2) SMBv2 response, aka "SMB Client Transaction Vulnerability." TA10-103A MS10-020 39372 oval:org.mitre.oval:def:7164 hald in Sun OpenSolaris snv_51 through snv_130 does not have the proc_audit privilege during unspecified attempts to write to the auditing log, which makes it easier for physically proximate attackers to avoid detection of changes to the set of connected hardware devices supporting the Hardware Abstraction Layer (HAL) specification. opensolaris-hald-weak-security(55461) ADV-2010-0076 1023416 37656 274830 Heap-based buffer overflow in Sun Java System Web Server 7.0 Update 6 on Linux allows remote attackers to discover process memory locations via crafted data to TCP port 80, as demonstrated by the vd_sjws2 module in VulnDisco. NOTE: as of 20100106, this disclosure has no actionable information. However, because the VulnDisco author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. jsws-data-information-disclosure(55527) http://www.intevydis.com/blog/?p=102 http://intevydis.com/sjws_demo.html Unspecified vulnerability in Sun Java System Web Server 7.0 Update 6 on Linux allows remote attackers to execute arbitrary code by sending a process memory address and crafted data to TCP port 80, as demonstrated by the vd_sjws2 module in VulnDisco. NOTE: as of 20100106, this disclosure has no actionable information. However, because the VulnDisco author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. http://www.intevydis.com/blog/?p=102 http://intevydis.com/sjws_demo.html Unspecified vulnerability in the Edit Contact scene in Ultra-light Mode in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.241 for Domino 8.0.2 FP3 has unknown impact and attack vectors, aka SPR LSHR7TBLY5. http://www-933.ibm.com/support/fixcentral/ domino-ultralight-unspecified(55470) ADV-2010-0077 37675 http://www-01.ibm.com/support/docview.wss?uid=swg27017776 38026 Ultra-light Mode in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.241 for Domino 8.0.2 FP3 does not properly handle script commands in the status-alerts URL, which has unspecified impact and attack vectors, aka SPR LSHR7TBM58. domino-script-command-unspecified(55471) ADV-2010-0077 37675 http://www-01.ibm.com/support/docview.wss?uid=swg27017776 38026 IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.241 for Domino 8.0.2 FP3 does not properly handle navigation of the "Try Lotus iNotes anyway" link from the page that reports use of an unsupported browser, which has unspecified impact and attack vectors, aka SPR LSHR7TBMQU. domino-trylotus-unspecified(55473) ADV-2010-0077 37675 http://www-01.ibm.com/support/docview.wss?uid=swg27017776 38026 slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013. RHSA-2010:0115 https://bugzilla.redhat.com/show_bug.cgi?id=554335 ADV-2010-2693 ADV-2010-1020 ADV-2010-0413 USN-902-1 38294 [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload MDVSA-2010:085 MDVSA-2010:041 41868 38915 38712 38658 38640 38563 http://pidgin.im/news/security/?id=43 oval:org.mitre.oval:def:9421 SUSE-SR:2010:006 FEDORA-2010-1383 FEDORA-2010-1934 FEDORA-2010-1279 http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html http://developer.pidgin.im/wiki/ChangeLog http://blogs.sun.com/security/entry/cve_2010_0277_malformed_msn A certain ActiveX control in msgsc.14.0.8089.726.dll in Microsoft Windows Live Messenger 2009 build 14.0.8089.726 on Windows Vista and Windows 7 allows remote attackers to cause a denial of service (msnmsgr.exe crash) by calling the ViewProfile method with a crafted argument during an MSN Messenger session. 37680 20100108 [HACKATTACK Advisory 080110] Windows Live Messenger 2009 ActiveX DoS Vulnerability Unrestricted file upload vulnerability in upload.php in BTS-GI Read excel 1.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. NOTE: some of these details are obtained from third party information. CWE-434 - http://cwe.mitre.org/data/definitions/434.html readexcel-upload-file-upload(55462) 11057 38083 61579 Array index error in Jan Eric Kyprianidis lib3ds 1.x, as used in Google SketchUp 7.x before 7.1 M2, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted structures in a 3DS file, probably related to mesh.c. ADV-2010-0133 37708 20100113 [CORE-2009-1209] Google SketchUp 'lib3ds' 3DS Importer Memory Corruption http://www.coresecurity.com/content/google-sketchup-vulnerability http://sketchup.google.com/support/bin/answer.py?hl=en&answer=141303 38187 38185 The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 before 1.7.2, and 1.8 alpha, allows remote attackers to cause a denial of service (assertion failure and daemon crash) via an invalid (1) AS-REQ or (2) TGS-REQ request. ADV-2010-1481 USN-916-1 38260 20100216 MITKRB5-SA-2010-001 [CVE-2010-0283] krb5-1.7 KDC denial of service http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt http://support.apple.com/kb/HT4188 1023593 40220 39023 38598 FEDORA-2010-1722 APPLE-SA-2010-06-15-1 Directory traversal vulnerability in the getEntry method in the PortalModuleInstallManager component in a servlet in nps.jar in the Administration Console (aka Access Management Console) in Novell Access Manager 3.1 before 3.1.2-281 on Windows allows remote attackers to create arbitrary files with any contents, and consequently execute arbitrary code, via a .. (dot dot) in a parameter, aka ZDI-CAN-678. accessmgr-admincosole-getentry-file-upload(59528) ADV-2010-1516 1024132 40931 http://www.novell.com/support/viewContent.do?externalId=7006255&sliceId=1 40198 gnome-screensaver 2.14.3, 2.22.2, 2.27.x, 2.28.0, and 2.28.3, when the X configuration enables the extend screen option, allows physically proximate attackers to bypass screen locking, access an unattended workstation, and view half of the GNOME desktop by attaching an external monitor. https://bugzilla.redhat.com/show_bug.cgi?id=557525 https://bugzilla.gnome.org/show_bug.cgi?id=593616 screensaver-monitor-setup-sec-bypass(56366) 38254 MDVSA-2011:093 http://security-tracker.debian.org/tracker/CVE-2010-0285 http://git.gnome.org/browse/gnome-screensaver/commit/?id=2f597ea9f1f363277fd4dfc109fa41bbc6225aca Unspecified vulnerability in the OpenID Identity Authentication extension in TYPO3 4.3.0 allows remote attackers to bypass authentication and gain access to a backend user account via unknown attack vectors in which both the attacker and victim have an OpenID provider that discards identities during authentication. ADV-2010-0127 typo3-openid-security-bypass(55609) http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-001/ 38206 61680 Directory traversal vulnerability in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to list the contents of arbitrary directories via a .. (dot dot) in the ns parameter. dokuwiki-ajax-dir-traversal(55660) ADV-2010-0150 http://www.splitbrain.org/blog/2010-01/17-dokuwiki-security 37821 11141 DSA-1976 38183 FEDORA-2010-0800 FEDORA-2010-0770 http://bugs.splitbrain.org/index.php?do=details&task_id=1847 A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010. dokuwiki-ajax-security-bypass(55661) ADV-2010-0150 http://www.splitbrain.org/blog/2010-01/17-dokuwiki-security 37820 11141 DSA-1976 38183 61710 FEDORA-2010-0800 FEDORA-2010-0770 http://bugs.splitbrain.org/index.php?do=details&task_id=1847 Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown vectors. http://www.splitbrain.org/blog/2010-01/17-dokuwiki-security DSA-1976 38205 61708 FEDORA-2010-0800 FEDORA-2010-0770 http://freshmeat.net/projects/dokuwiki/tags/security-fix http://bugs.splitbrain.org/index.php?do=details&task_id=1853 Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains (1) CNAME or (2) DNAME records, which do not have the intended validation before caching, aka Bug 20737. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-4022. https://www.isc.org/advisories/CVE-2009-4022v6 RHSA-2010:0062 https://bugzilla.redhat.com/show_bug.cgi?id=557121 https://bugzilla.redhat.com/show_bug.cgi?id=554851 ADV-2010-1352 ADV-2010-0622 ADV-2010-0176 USN-888-1 MDVSA-2010:021 DSA-2054 http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0018 40086 38240 38219 oval:org.mitre.oval:def:8884 oval:org.mitre.oval:def:7512 oval:org.mitre.oval:def:6815 [oss-security] 20100120 Re: BIND CVE-2009-4022 fix incomplete [oss-security] 20100119 BIND CVE-2009-4022 fix incomplete SUSE-SA:2010:008 The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess." http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.4 https://bugzilla.redhat.com/show_bug.cgi?id=556703 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 37906 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0161 DSA-2005 DSA-1996 43315 39033 38492 oval:org.mitre.oval:def:11824 [oss-security] 20100121 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100120 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100119 Re: CVE request - kernel: untangle the do_mremap() mess [oss-security] 20100119 CVE request - kernel: untangle the do_mremap() mess [linux-kernel] 20091205 [RFC][PATCHSET] mremap/mmap mess [linux-kernel] 20100114 [PATCH 01/52] untangle the do_mremap() mess http://groups.google.co.jp/group/fa.linux.kernel/browse_thread/thread/8bf22336b1082090 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f8b7256096a20436f6d0926747e3ac3d64c81d24 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f106af4e90eadd76cfc0b5325f659619e08fb762 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ecc1a8993751de4e82eb18640d631dae1f626bd6 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e77414e0aad6a1b063ba5e5750c582c75327ea6a http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c4caa778157dbbf04116f0ac2111e389b5cd7a29 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=bb52d6694002b9d632bb355f64daa045c6293a4e http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=aa65607373a4daf2010e8c3867b6317619f3c1a3 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=935874141df839c706cd6cdc438e85eb69d1525e http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9206de95b1ea68357996ec02be5db0638a0de2c1 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8c7b49b3ecd48923eb64ff57e07a1cdb74782970 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=570dcf2c15463842e384eb597a87c1e39bead99b http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=564b3bffc619dcbdd160de597b0547a7017ea010 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=54f5de709984bae0d31d823ff03de755f9dcac54 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2ea1d13f64efdf49319e86c87d9ba38c30902782 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=2c6a10161d0b5fc047b5bd81b03693b9af99fab5 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1a0ef85f84feb13f07b604fcf5b90ef7c2b5c82f http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0ec62d290912bb4b989be7563851bc364ec73b56 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=097eed103862f9c6a97f2e415e21d1134017b135 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=05d72faa6d13c9d857478a5d35c85db9adada685 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0067bd8a55862ac9dd212bd1c4f6f5bff1ca1301 The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563. 38106 https://bugzilla.redhat.com/show_bug.cgi?id=555367 DSA-1992 38480 38428 http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commit;h=7864c7a70ce00369194e734eb2842ecc5f8db531 http://chrony.tuxfamily.org/News.html The client logging functionality in chronyd in Chrony before 1.23.1 does not restrict the amount of memory used for storage of client information, which allows remote attackers to cause a denial of service (memory consumption) via spoofed (1) NTP or (2) cmdmon packets. https://bugzilla.redhat.com/show_bug.cgi?id=555367 38106 DSA-1992 38480 38428 http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commit;h=2f63cf448560fdb96b80d8488aae6a15b802a753 http://chrony.tuxfamily.org/News.html chronyd in Chrony before 1.23.1, and possibly 1.24-pre1, generates a syslog message for each unauthorized cmdmon packet, which allows remote attackers to cause a denial of service (disk consumption) via a large number of invalid packets. 38106 http://chrony.tuxfamily.org/News.html https://bugzilla.redhat.com/show_bug.cgi?id=555367 DSA-1992 38480 38428 http://git.tuxfamily.org/chrony/chrony.git/?p=gitroot/chrony/chrony.git;a=commit;h=0b710499f994823bd938fc6895f097eefb9cc59f lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. 38036 http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2010_01.txt http://download.lighttpd.net/lighttpd/security/lighttpd-1.5_fix_slow_request_dos.patch http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.x_fix_slow_request_dos.patch lighttpd-slow-request-dos(56038) ADV-2011-0172 [oss-security] 20100202 lighttpd: slow request dos/oom attack [CVE-2010-0295] DSA-1987 GLSA-201006-17 39765 38403 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2711 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2710 http://redmine.lighttpd.net/issues/2147 SUSE-SR:2010:003 FEDORA-2010-7643 FEDORA-2010-7611 FEDORA-2010-7636 http://blogs.sun.com/security/entry/cve_2010_0295_vulnerability_in The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request. https://bugzilla.redhat.com/show_bug.cgi?id=559579 gnuclibrary-encodenamemacro-dos(59240) ADV-2011-0863 ADV-2010-1246 http://www.vmware.com/security/advisories/VMSA-2011-0012.html USN-944-1 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console RHSA-2011:0412 MDVSA-2010:112 MDVSA-2010:111 DSA-2058 http://sourceware.org/git/?p=glibc.git;a=commit;h=ab00f4eac8f4932211259ff87be83144f5211540 1024043 GLSA-201011-01 46397 43830 39900 http://frugalware.org/security/662 Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet. RHSA-2010:0088 https://bugzilla.redhat.com/show_bug.cgi?id=557025 kernel-usb-bo(56194) 38158 [kvm] 20090721 Re: KVM crashes when using certain USB device [kvm] 20090721 Re: KVM crashes when using certain USB device [kvm] 20090702 KVM crashes when using certain USB device http://wiki.qemu.org/ChangeLog oval:org.mitre.oval:def:11786 [oss-security] 20100204 Re: KVM possible security issues fixed [oss-security] 20100202 KVM possible security issues fixed http://git.savannah.gnu.org/cgit/qemu.git/commit/?id=babd03fde68093482528010a5435c14ce9128e3f The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306. RHSA-2010:0095 RHSA-2010:0088 https://bugzilla.redhat.com/show_bug.cgi?id=559091 38158 DSA-1996 38492 oval:org.mitre.oval:def:11335 openSUSE 11.2 installs the devtmpfs root directory with insecure permissions (1777), which allows local users to gain privileges via unspecified vectors. SUSE-SA:2010:010 cache.c in ircd-ratbox before 2.2.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a HELP command. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' DSA-1980 http://security.debian.org/pool/updates/main/i/ircd-ratbox/ircd-ratbox_2.2.8.dfsg-2+lenny1.diff.gz 38383 38210 [ircd-ratbox] 20100125 ircd-ratbox-2.2.9 released main.C in maildrop 2.3.0 and earlier, when run by root with the -d option, uses the gid of root for execution of the .mailfilter file in a user's home directory, which allows local users to gain privileges via a crafted file. https://bugzilla.redhat.com/show_bug.cgi?id=559681 maildrop-group-priv-escalation(55980) DSA-1981 http://www.courier-mta.org/maildrop/changelog.html 1023515 38374 38367 [oss-security] 20100128 Re: CVE id request: maildrop [oss-security] 20100128 Re: CVE id request: maildrop [oss-security] 20100128 Re: CVE id request: maildrop [oss-security] 20100127 CVE id request: maildrop http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=564601 Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553. RHSA-2010:0129 https://bugzilla.redhat.com/show_bug.cgi?id=557775 ADV-2010-1481 USN-906-1 1024124 38510 MDVSA-2010:073 http://support.apple.com/kb/HT4188 40220 38979 38927 38785 oval:org.mitre.oval:def:11216 FEDORA-2010-2743 APPLE-SA-2010-06-15-1 http://cups.org/str.php?L3490 http://cups.org/articles.php?L596 mystring.c in hybserv in IRCD-Hybrid (aka Hybrid2 IRC Services) 1.9.2 through 1.9.4 allows remote attackers to cause a denial of service (daemon crash) via a ":help \t" private message to the MemoServ service. http://security.debian.org/pool/updates/main/h/hybserv/hybserv_1.9.2-4+lenny2.diff.gz hybserv2-privatemessage-dos(55992) 38006 DSA-1982 38352 38350 [oss-security] 20100129 Re: CVE id: hybserv http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550389 Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function. ADV-2010-0239 wireshark-lwres-bo(55951) http://www.wireshark.org/security/wnpa-sec-2010-02.html http://www.wireshark.org/security/wnpa-sec-2010-01.html 1023516 37985 [oss-security] 20100129 Re: CVE id request: Wireshark http://www.metasploit.com/modules/exploit/multi/misc/wireshark_lwres_getaddrbyname MDVSA-2010:031 DSA-1983 38829 38348 38257 oval:org.mitre.oval:def:9933 oval:org.mitre.oval:def:8490 61987 FEDORA-2010-3556 http://anonsvn.wireshark.org/viewvc/trunk-1.2/epan/dissectors/packet-lwres.c?view=diff&r1=31596&r2=28492&diff_format=h ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to cause a denial of service (daemon crash) via a large number of c2s (aka client2server) messages that trigger a queue overload. [oss-security] 20100129 Re: CVE Request -- ejabberd [oss-security] 20100129 CVE Request -- ejabberd https://support.process-one.net/browse/EJAB-1173 ejabberd-client2server-dos(56025) ADV-2010-0894 38003 62066 DSA-2033 39423 38337 The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) to restrict instruction execution, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch, a related issue to CVE-2010-0298. RHSA-2010:0095 RHSA-2010:0088 https://bugzilla.redhat.com/show_bug.cgi?id=560654 38158 DSA-1996 38499 38492 oval:org.mitre.oval:def:10953 The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function. RHSA-2010:0146 https://bugzilla.redhat.com/show_bug.cgi?id=560547 ADV-2010-0638 http://www.vmware.com/security/advisories/VMSA-2011-0003.html USN-914-1 38027 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0771 RHSA-2010:0398 [oss-security] 20100204 Re: CVE request - kernel: DoS on x86_64 [oss-security] 20100203 Re: CVE request - kernel: DoS on x86_64 [oss-security] 20100201 Re: CVE request - kernel: DoS on x86_64 [oss-security] 20100201 CVE request - kernel: DoS on x86_64 MDVSA-2010:066 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.8 http://www.globalsecuritymag.com/Vigil-nce-Linux-kernel-denial-of,20100202,15754.html DSA-1996 http://support.avaya.com/css/P8/documents/100088287 43315 39649 38922 38779 38492 oval:org.mitre.oval:def:10870 http://marc.info/?t=126466700200002&r=1&w=2 [linux-mm] 20100128 DoS on x86_64 SUSE-SA:2010:014 FEDORA-2010-1787 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=221af7f87b97431e3ee21ce4b0e77d5411cf1549 lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header. http://www.squid-cache.org/Versions/v3/3.0/changesets/squid-3.0-9163.patch squid-dns-dos(56001) ADV-2010-0260 http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-9853.patch http://www.squid-cache.org/Versions/v2/HEAD/changesets/12597.patch http://www.squid-cache.org/Advisories/SQUID-2010_1.txt 1023520 37522 38455 38451 oval:org.mitre.oval:def:11270 62044 http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf The pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file. RHSA-2010:0095 RHSA-2010:0088 https://bugzilla.redhat.com/show_bug.cgi?id=560887 ADV-2010-0638 USN-914-1 38158 [oss-security] 20100202 Re: CVE request - kvm: cat /dev/port in the guest can cause host DoS [oss-security] 20100202 CVE request - kvm: cat /dev/port in the guest can cause host DoS [kvm] 20100129 KVM: PIT: control word is write-only DSA-1996 38922 38492 oval:org.mitre.oval:def:11095 Trusted Extensions in Sun Solaris 10 allows local users to gain privileges via vectors related to omission of unspecified libraries from software updates. http://sunsolve.sun.com/search/document.do?assetkey=1-21-143502-01-1 37754 275410 1023448 38129 oval:org.mitre.oval:def:8444 Unspecified vulnerability in Sun Java System Identity Manager (aka IdM) 8.1.0.5 and 8.1.0.6, when Sun Java System Access Manager, OpenSSO Enterprise 8.0, or IBM Tivoli Access Manager is used, allows remote attackers to obtain administrative access via unknown vectors. jsim-unspecified-security-bypass(55572) ADV-2010-0108 275010 1023447 38130 61658 The do_extendedOp function in ibmslapd in IBM Tivoli Directory Server (TDS) 6.2 on Linux allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SecureWay 3.2 Event Registration Request (aka a 1.3.18.0.2.12.1 request). 1023433 http://intevydis.blogspot.com/2010/01/tivoli-directory-server-62-doextendedop.html The core_get_proxyauth_dn function in ns-slapd in Sun Java System Directory Server Enterprise Edition 7.0 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted LDAP Search Request message. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' jsds-coregetproxyauthdn-dos(55511) ADV-2010-0085 37699 1023431 37978 http://intevydis.blogspot.com/2010/01/sun-directory-server-70.html Apple Safari allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value. ADV-2011-0552 ADV-2010-2722 USN-1006-1 MDVSA-2011:039 41856 http://nomoreroot.blogspot.com/2010/01/little-bug-in-safari-and-google-chrome.html WebKit before r53607, as used in Google Chrome before 4.0.249.89, allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value, related to an IFRAME element. https://bugs.webkit.org/show_bug.cgi?id=33683 googlechrome-iframe-info-disc(56215) google-chrome-href-info-disclosure(55683) ADV-2011-0212 ADV-2010-0361 38177 http://trac.webkit.org/changeset/53607 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023583 43068 38545 oval:org.mitre.oval:def:14452 http://nomoreroot.blogspot.com/2010/01/little-bug-in-safari-and-google-chrome.html SUSE-SR:2011:002 http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=32309 Integer overflow in Google SketchUp before 7.1 M2 allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a crafted SKP file. ADV-2010-0133 http://sketchup.google.com/support/bin/answer.py?hl=en&answer=141303 38187 Novell Netware 6.5 SP8 allows remote attackers to cause a denial of service (NULL pointer dereference, memory consumption, ABEND, and crash) via a large number of malformed or AFP requests that are not properly handled by (1) the CIFS functionality in CIFS.nlm Semantic Agent (Build 163 MP) 3.27 or (2) the AFP functionality in AFPTCP.nlm Build 163 SP 3.27. NOTE: some of these details are obtained from third party information. netware-afptcp-dos(55389) ADV-2010-0041 1023400 37616 20100105 {PRL} Novell Netware CIFS And AFP Remote Memory Consumption DoS 11009 38114 http://protekresearch.blogspot.com/2010/01/prl-cifsnlm-memory-consumption-denial.html The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, and 8.0, when creating files during replay of a setattr transaction, uses 7777 permissions instead of the original permissions, which might allow local users to read or modify unauthorized files in opportunistic circumstances after a system crash or power failure. FreeBSD-SA-10:03 1023407 37657 38124 Cross-site scripting (XSS) vulnerability in index.php in Docmint 1.0 and 2.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: some of these details are obtained from third party information. docmint-index-xss(55549) 37721 11119 38149 http://packetstormsecurity.org/1001-exploits/docmintcms-xss.txt Cross-site scripting (XSS) vulnerability in submitlink.php in Glitter Central Script allows remote attackers to inject arbitrary web script or HTML via the catid parameter. glittercentral-submitlink-xss(55537) 61632 11108 38146 http://packetstormsecurity.org/1001-exploits/glittercentral-xss.txt Cross-site scripting (XSS) vulnerability in jobs/index.php in Jamit Job Board 3.0 allows remote attackers to inject arbitrary web script or HTML via the post_id parameter. jamit-jobboard-index-xss(55500) 37701 11073 32797 http://packetstormsecurity.org/1001-exploits/jamitjobboard-xss.txt SQL injection vulnerability in the init function in MK-AnydropdownMenu (mk_anydropdownmenu) extension 0.3.28 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/mk_anydropdownmenu/0.4.0/info/ChangeLog/ http://typo3.org/extensions/repository/view/mk_anydropdownmenu/0.4.0/ Unspecified vulnerability in the Photo Book (goof_fotoboek) extension 1.7.14 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/goof_fotoboek/1.7.15/ SQL injection vulnerability in the Customer Reference List (ref_list) extension 1.0.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/ref_list/1.0.2/ Unspecified vulnerability in the SB Folderdownload (sb_folderdownload) extension 0.2.2 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/sb_folderdownload/0.2.3/ Cross-site scripting (XSS) vulnerability in the Developer log (devlog) extension 2.9.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/devlog/2.9.2/ 38164 Cross-site scripting (XSS) vulnerability in the KJ: Imagelightbox (kj_imagelightbox2) extension 2.0.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2008-2490. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/kj_imagelightbox2/2.0.2/ 38165 Cross-site scripting (XSS) vulnerability in the Unit Converter (cs2_unitconv) extension 1.0.4 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/cs2_unitconv/1.0.5/ 38166 SQL injection vulnerability in the powermail extension 1.5.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to the "SQL selection field" and "typoscript." http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/powermail/1.5.2/info/changelog.txt/ http://typo3.org/extensions/repository/view/powermail/1.5.2/ 38167 SQL injection vulnerability in the Googlemaps for tt_news (jf_easymaps) extension 1.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/jf_easymaps/1.0.3/ Cross-site scripting (XSS) vulnerability in the TV21 Talkshow (tv21_talkshow) extension 1.0.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the TV21 Talkshow (tv21_talkshow) extension 1.0.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the Helpdesk (mg_help) extension 1.1.6 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the Vote rank for news (vote_for_tt_news) extension 1.0.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Cross-site scripting (XSS) vulnerability in the Vote rank for news (vote_for_tt_news) extension 1.0.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Unspecified vulnerability in the kiddog_mysqldumper (kiddog_mysqldumper) extension 0.0.3 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the tt_news Mail alert (dl3_tt_news_alerts) extension 0.2.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the TT_Products editor (ttpedit) extension 0.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the User Links (vm19_userlinks) extension 0.1.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the MJS Event Pro (mjseventpro) extension 0.2.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the BB Simple Jobs (bb_simplejobs) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the Reports for Job (job_reports) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the Clan Users List (pb_clanlist) extension 0.0.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ SQL injection vulnerability in the zak_store_management extension 1.0.0 and earlier TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Cross-site scripting (XSS) vulnerability in the Majordomo extension 1.1.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Cross-site scripting (XSS) vulnerability in the Tip many friends (mimi_tipfriends) extension 0.0.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Cross-site scripting (XSS) vulnerability in the VD / Geomap (vd_geomap) extension 0.3.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ Directory traversal vulnerability in C3 Corp. WebCalenderC3 0.32 and earlier allows remote attackers to read arbitrary files via unknown vectors. http://webcal.c-3.jp/zeijakusei.html 38135 61630 JVNDB-2010-000003 JVN#22247093 Cross-site scripting (XSS) vulnerability in C3 Corp. WebCalenderC3 0.32 and earlier allows remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: this issue could not be reproduced by the vendor, but a patch was provided anyway. The original researcher is reliable. 61629 http://webcal.c-3.jp/zeijakusei.html 38135 JVNDB-2010-000002 JVN#33977065 Directory traversal vulnerability in the Photo Book (goof_fotoboek) extension 1.7.14 and earlier for TYPO3 has unknown impact and remote attack vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-021/ http://typo3.org/extensions/repository/view/goof_fotoboek/1.7.15/ Stack-based buffer overflow in the MOVIEPLAYER.MoviePlayerCtrl.1 ActiveX control in MoviePlayer.ocx 6.8.0.0 in Viscom Software Movie Player Pro SDK ActiveX 6.8 allows remote attackers to execute arbitrary code via a long strFontName parameter to the DrawText method. movieplayer-drawtext-activex-bo(55536) ADV-2010-0093 http://www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt 38156 Cross-site scripting (XSS) vulnerability in the Login page in IBM Lotus Web Content Management (WCM) 6.0.1.4, 6.0.1.5, and 6.0.1.6 before iFix 32; and 6.1.0.1 and 6.1.0.2 before iFix 24; for WebSphere Portal allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. PM02704 lotusweb-login-xss(55663) ADV-2010-0149 37825 61711 PM04647 PM03233 1023463 38174 Heap-based buffer overflow in the server in IBM Lotus Domino 7 and 8.5 FP1 allows remote attackers to cause a denial of service (daemon exit) and possibly have unspecified other impact via a long string in a crafted LDAP message to a TCP port, a different vulnerability than CVE-2009-3087. 1023456 Buffer overflow in the SSLv2 support in Zeus Web Server before 4.3r5 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long string in an invalid Client Hello message. ADV-2010-0147 37829 61699 http://support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released http://support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES 1023465 38056 http://intevydis.com/vd-list.shtml http://intevydis.blogspot.com/2010/01/zeus-web-server-ssl2clienthello.html Sun Java System Web Server (aka SJWS) 7.0 Update 7 allows remote attackers to overwrite memory locations in the heap, and discover the contents of memory locations, via a malformed HTTP TRACE request that includes a long URI and many empty headers, related to an "overflow." NOTE: this might overlap CVE-2010-0272 and CVE-2010-0273. http://intevydis.com/vd-list.shtml http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-trace.html Stack-based buffer overflow in the WebDAV implementation in webservd in Sun Java System Web Server (aka SJWS) 7.0 Update 7 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via a long URI in an HTTP OPTIONS request. http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-webdav.html Zeus Web Server before 4.3r5 does not use random transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS responses. http://support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES Cross-site scripting (XSS) vulnerability in Zeus Web Server before 4.3r5, when SSL is enabled for the admin server, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2002-1785. http://support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES Stack-based buffer overflow in VideoLAN VLC Media Player 0.8.6 allows user-assisted remote attackers to execute arbitrary code via an ogg file with a crafted Advanced SubStation Alpha Subtitle (.ass) file, probably involving the Dialogue field. vlcmediaplayer-asas-bo(55717) 37832 11174 oval:org.mitre.oval:def:14342 Cross-site scripting (XSS) vulnerability in search.php in BitScripts Bits Video Script 2.04 and 2.05 Gold Beta allows remote attackers to inject arbitrary web script or HTML via the order parameter. bitsvideo-search-xss(55739) http://www.packetstormsecurity.com/1001-exploits/bitsvs-xssuploadrfi.txt 38252 61827 Multiple unrestricted file upload vulnerabilities in (1) register.php and (2) addvideo.php in BitScripts Bits Video Script 2.04 and 2.05 Gold Beta allow remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. bitsvideo-addvideo-file-upload(55738) http://www.packetstormsecurity.com/1001-exploits/bitsvs-xssuploadrfi.txt 38252 61826 Multiple PHP remote file inclusion vulnerabilities in BitScripts Bits Video Script 2.05 Gold Beta, and possibly 2.04, allow remote attackers to execute arbitrary PHP code via a URL in the rowptem[template] parameter to (1) showcasesearch.php and (2) showcase2search.php. bitsvideo-showcasesearch-file-include(55740) http://www.packetstormsecurity.com/1001-exploits/bitsvs-xssuploadrfi.txt Cross-site scripting (XSS) vulnerability in the Node Blocks module 5.x-1.1 and earlier, and 6.x-1.3 and earlier, a module for Drupal, allows remote authenticated users, with permissions to create or edit content and administer blocks, to inject arbitrary web script or HTML via the edit-title parameter (aka block title). 37782 61682 http://drupal.org/node/683598 http://drupal.org/node/683586 http://drupal.org/node/683584 nodeblocks-titles-xss(55606) 20100114 XSS Vulnerability in Drupal's Node Blocks contributed module (6.x-1.3 and 5.x-1.1) 38186 http://packetstormsecurity.org/1001-exploits/drupalnb-xss.txt Multiple cross-site scripting (XSS) vulnerabilities in index.php in Hitmaaan Gallery 1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) gall and (2) levela parameters. hitmaan-index-xss(55704) 38234 http://packetstormsecurity.org/1001-exploits/galleriehitmaaan-xss.txt 61801 SQL injection vulnerability in the Articlemanager (com_articlemanager) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the artid parameter in a display action to index.php. articlemanager-index-sql-injection(55664) 37799 11140 http://packetstormsecurity.org/1001-exploits/joomlaarticlemanager-sql.txt SQL injection vulnerability in the libros (com_libros) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. libros-index-sql-injection(55696) 11178 http://packetstormsecurity.org/1001-exploits/joomlalibros-sql.txt Cross-site scripting (XSS) vulnerability in the Marketplace (com_marketplace) component 1.2 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the catid parameter in a show_category action to index.php. marketplace-index-xss(55662) 37819 http://www.packetstormsecurity.com/1001-exploits/joomlamarketplace-xss.txt SQL injection vulnerability in product_list.php in JCE-Tech PHP Calendars, downloaded 2010-01-11, allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. phpcalendars-productlist-sql-injection(55518) 40757 61617 11082 38036 Cross-site scripting (XSS) vulnerability in product_list.php in JCE-Tech PHP Calendars, downloaded 2010-01-11, allows remote attackers to inject arbitrary web script or HTML via the cat parameter. NOTE: this issue is reportedly resultant from a forced SQL error message that occurs from exploitation of CVE-2010-0375. phpcalendars-productlist-xss(55517) 40391 11082 38036 http://packetstormsecurity.org/1001-exploits/phpcalendars-xss.txt SQL injection vulnerability in modules/arcade/index.php in PHP MySpace Gold Edition 8.0 and 8.10 allows remote attackers to execute arbitrary SQL commands via the gid parameter in a play_game action. NOTE: some of these details are obtained from third party information. 38245 http://packetstormsecurity.org/1001-exploits/phpmyspace-sql.txt Use-after-free vulnerability in Adobe Flash Player 6.0.79, as distributed in Microsoft Windows XP SP2 and SP3, allows remote attackers to execute arbitrary code by unloading a Flash object that is currently being accessed by a script, leading to memory corruption, aka a "Movie Unloading Vulnerability." Per: http://cwe.mitre.org/data/definitions/416.html CWE-416 Use-After Free Vulnerability Per: http://www.microsoft.com/technet/security/advisory/979267.mspx " Suggested Actions Perform one or both of the following steps: • Uninstall the Adobe Flash Player version 6. • Install the most current version of Flash Player available from Adobe." VU#204889 http://www.microsoft.com/technet/security/advisory/979267.mspx 1023435 http://secunia.com/secunia_research/2007-77/ 27105 oval:org.mitre.oval:def:7580 Multiple unspecified vulnerabilities in the Macromedia Flash ActiveX control in Adobe Flash Player 6, as distributed in Microsoft Windows XP SP2 and SP3, might allow remote attackers to execute arbitrary code via unspecified vectors that are not related to the use-after-free "Movie Unloading Vulnerability" (CVE-2010-0378). NOTE: due to lack of details, it is not clear whether this overlaps any other CVE item. http://www.microsoft.com/technet/security/advisory/979267.mspx 1023435 27105 oval:org.mitre.oval:def:14146 install.php in JCE-Tech PHP Calendars, downloaded 20100121, allows remote attackers to bypass intended access restrictions and modify application settings via a direct request. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. 11082 http://packetstormsecurity.org/1001-exploits/phpcalendars-xss.txt SQL injection vulnerability in modules/arcade/index.php in PHP MySpace Gold Edition 8.0 and 8.10 allows remote attackers to execute arbitrary SQL commands via the gid parameter in a show_stats action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38245 ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta handles out-of-bailiwick data accompanying a secure response without re-fetching from the original source, which allows remote attackers to have an unspecified impact via a crafted response, aka Bug 20819. NOTE: this vulnerability exists because of a regression during the fix for CVE-2009-4022. https://www.isc.org/advisories/CVE-2009-4022v6 ADV-2010-1352 ADV-2010-0622 DSA-2054 http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0018 40086 oval:org.mitre.oval:def:7086 oval:org.mitre.oval:def:6665 oval:org.mitre.oval:def:11753 Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses deprecated identity keys for certain directory authorities, which makes it easier for man-in-the-middle attackers to compromise the anonymity of traffic sources and destinations. 37901 38198 61977 [or-talk] 20100120 Re: Tor Project infrastructure updates in response to security breach [or-talk] 20100120 Tor 0.2.2.7-alpha is out [or-talk] 20100120 Tor Project infrastructure updates in response to security breach [or-announce] 20100121 Tor 0.2.1.22 is released (security fix) Tor 0.2.2.x before 0.2.2.7-alpha, when functioning as a directory mirror, does not prevent logging of the client IP address upon detection of erroneous client behavior, which might make it easier for local users to discover the identities of clients in opportunistic circumstances by reading log files. [or-talk] 20100120 Tor 0.2.2.7-alpha is out Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when functioning as a bridge directory authority, allows remote attackers to obtain sensitive information about bridge identities and bridge descriptors via a dbg-stability.txt directory query. 37901 61865 38198 [or-talk] 20100120 Tor 0.2.2.7-alpha is out [or-announce] 20100121 Tor 0.2.1.22 is released (security fix) The default configuration of Sun Java System Application Server 7 and 7 2004Q2 enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398. Per: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1 Contributing Factors This issue can occur in the following releases: * Sun Java System Application Server Standard Edition 7 and later updates * Sun Java System Application Server Standard Edition 7 2004Q2 and later updates * Sun Java System Application Server Platform Edition 7 and later updates 200942 Multiple heap-based buffer overflows in (1) webservd and (2) the admin server in Sun Java System Web Server 7.0 Update 7 allow remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via a long string in an "Authorization: Digest" HTTP header. jsws-digest-header-bo(55792) 37896 1023488 [dailydave] 20100120 Sun Web Server digest auth overflow http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70u7-digest.html Format string vulnerability in the WebDAV implementation in webservd in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in the encoding attribute of the XML declaration in a PROPFIND request. jsws-webdav-format-string(55812) 37910 http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-webdav.html The admin server in Sun Java System Web Server 7.0 Update 6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an HTTP request that lacks a method token. Per: http://cwe.mitre.org/data/slices/2000.html CWE-476 NULL Pointer Dereference http://intevydis.blogspot.com/2010/01/sun-java-system-web-server-70-admin.html Unrestricted file upload vulnerability in maxImageUpload/index.php in PHP F1 Max's Image Uploader 1.0, when Apache is not configured to handle the mime-type for files with pjpeg or jpeg extensions, allows remote attackers to execute arbitrary code by uploading a file with a pjpeg or jpeg extension, then accessing it via a direct request to the file in original/. NOTE: some of these details are obtained from third party information. Per: http://cwe.mitre.org/data/definitions/434.html 'CWE-434: Unrestricted Upload of File with Dangerous Type' 11169 38018 61808 Multiple stack-based buffer overflows in Embarcadero Technologies InterBase SMP 2009 9.0.3.437 allow remote attackers to execute arbitrary code via unknown vectors involving crafted packets. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 37916 38285 61892 Stack-based buffer overflow in vpnconf.exe in TheGreenBow IPSec VPN Client 4.51.001, 4.65.003, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via a long OpenScriptAfterUp parameter in a policy (.tgb) file, related to "phase 2." http://www.thegreenbow.com/download.php?id=1000150 http://www.senseofsecurity.com.au/advisories/SOS-10-001 ipsecvpnclient-tgb-bo(55793) 40387 20100121 TheGreenBow VPN Client Local Stack Overflow Vulnerability - Security Advisory - SOS-10-001 38262 61866 The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to determine the file that provides localized message strings, which allows local users to gain privileges via a file that contains crafted localization data with format string specifiers. https://bugzilla.redhat.com/show_bug.cgi?id=558460 USN-906-1 38524 MDVSA-2010:073 MDVSA-2010:072 http://www.cups.org/str.php?L3482 http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 PyGIT.py in the Trac Git plugin (trac-git) before 0.0.20080710-3+lenny1 and before 0.0.20090320-1 on Debian GNU/Linux, when enabled in Trac, allows remote attackers to execute arbitrary commands via shell metacharacters in a crafted HTTP query that is used to generate a certain git command. tracgit-command-execution(56105) 38076 DSA-1990 38325 62147 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567039 OpenOffice.org 2.x and 3.0 before 3.2.1 allows user-assisted remote attackers to bypass Python macro security restrictions and execute arbitrary Python code via a crafted OpenDocument Text (ODT) file that triggers code execution when the macro directory structure is previewed. TA10-287A ADV-2010-1350 https://bugzilla.redhat.com/show_bug.cgi?id=574119 ADV-2010-2905 ADV-2010-1369 ADV-2010-1366 ADV-2010-1353 RHSA-2010:0459 http://www.openoffice.org/security/cves/CVE-2010-0395.html MDVSA-2010:221 DSA-2055 USN-949-1 40107 40104 40084 40070 oval:org.mitre.oval:def:11091 SUSE-SR:2010:014 FEDORA-2010-9633 FEDORA-2010-9628 FEDORA-2010-9576 Directory traversal vulnerability in the dpkg-source component in dpkg before 1.14.29 allows remote attackers to modify arbitrary files via a crafted Debian source archive. DSA-2011 http://security.debian.org/pool/updates/main/d/dpkg/dpkg_1.14.29.tar.gz dpkg-dpkgsource-dir-traversal(56887) ADV-2010-0582 The xmlrpc extension in PHP 5.3.1 does not properly handle a missing methodName element in the first argument to the xmlrpc_decode_request function, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) and possibly have unspecified other impact via a crafted argument. Per: http://cwe.mitre.org/data/slices/2000.html Improper Check for Unusual or Exceptional Conditions CWE-754 ADV-2010-3081 ADV-2010-0724 38708 RHSA-2010:0919 [oss-security] 20100312 CVE-2010-0397: NULL pointer dereference in PHP's xmlrpc extension MDVSA-2010:068 http://support.apple.com/kb/HT4435 http://support.apple.com/kb/HT4312 42410 SUSE-SR:2010:017 SUSE-SR:2010:013 SUSE-SR:2010:012 APPLE-SA-2010-11-10-1 APPLE-SA-2010-08-24-1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573573 SQL injection vulnerability in lib/user.php in mahara 1.0.4 allows remote attackers to execute arbitrary SQL commands via a username. http://security.debian.org/pool/updates/main/m/mahara/mahara_1.0.4-4+lenny5.diff.gz 39253 DSA-2030 OpenTTD before 1.0.1 accepts a company password for authentication in response to a request for the server password, which allows remote authenticated users to bypass intended access restrictions or cause a denial of service (daemon crash) by sending a company password packet. http://security.openttd.org/en/CVE-2010-0401 39669 http://bugs.openttd.org/task/3754 OpenTTD before 1.0.1 does not properly validate index values of certain items, which allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted in-game command. http://security.openttd.org/en/CVE-2010-0402 39669 Directory traversal vulnerability in about.php in phpGroupWare (phpgw) before 0.9.16.016 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the app parameter. ADV-2010-1145 http://forums.phpgroupware.org/index.php?t=msg&th=98662&start=0&rid=0 http://download.phpgroupware.org/ phpgroupware-about-file-include(58657) ADV-2010-1146 40167 20100514 phpGroupWare SQL Injections and Local File Inclusion Vulnerabilities (CVE-2010-0403 and CVE-2010-0404) DSA-2046 39731 39665 [phpgroupware-users] 20100512 Phpgroupware security release 0.9.16.016 Multiple SQL injection vulnerabilities in phpGroupWare (phpgw) before 0.9.16.016 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) class.sessions_db.inc.php, (2) class.translation_sql.inc.php, or (3) class.auth_sql.inc.php in phpgwapi/inc/. [phpgroupware-users] 20100512 Phpgroupware security release 0.9.16.016 http://forums.phpgroupware.org/index.php?t=msg&th=98662&start=0&rid=0 http://download.phpgroupware.org/ ADV-2010-1146 ADV-2010-1145 20100514 phpGroupWare SQL Injections and Local File Inclusion Vulnerabilities (CVE-2010-0403 and CVE-2010-0404) DSA-2046 39731 39665 Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file. https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2231 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2230 https://bugzilla.redhat.com/show_bug.cgi?id=627882 http://xorl.wordpress.com/2010/09/21/cve-2010-0405-bzip2-integer-overflow/ ADV-2010-3127 ADV-2010-3126 ADV-2010-3073 ADV-2010-3052 ADV-2010-3043 ADV-2010-2455 http://www.vmware.com/security/advisories/VMSA-2010-0019.html USN-986-3 USN-986-2 USN-986-1 20101207 VMSA-2010-0019 VMware ESX third party updates for Service Console RHSA-2010:0858 RHSA-2010:0703 http://www.bzip.org/ http://support.apple.com/kb/HT4581 42530 42529 42405 42404 42350 41505 41452 [oss-security] 20100921 bzip2 CVE-2010-0405 integer overflow SUSE-SR:2010:018 FEDORA-2010-1512 FEDORA-2010-17439 APPLE-SA-2011-03-21-1 http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.96.3 http://blogs.sun.com/security/entry/cve_2010_0405_integer_overflow OpenTTD before 1.0.1 allows remote attackers to cause a denial of service (file-descriptor exhaustion and daemon crash) by performing incomplete downloads of the map. http://security.openttd.org/en/CVE-2010-0406 39669 http://bugs.openttd.org/task/3785 Multiple buffer overflows in the MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite before 1.5.4 allow local users to gain privileges via crafted message data, which is improperly demarshalled. https://bugzilla.redhat.com/show_bug.cgi?id=596426 40758 DSA-2059 ADV-2010-1508 ADV-2010-1427 http://svn.debian.org/wsvn/pcsclite/?sc=1&rev=4208 40239 40140 SUSE-SR:2010:017 FEDORA-2010-10014 FEDORA-2010-9995 FEDORA-2010-10764 The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code. Per: http://cwe.mitre.org/data/definitions/703.html CWE-703: Failure to Handle Exceptional Conditions Per: http://httpd.apache.org/security/vulnerabilities_22.html Affects: 2.2.14, 2.2.13, 2.2.12, 2.2.11, 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0 http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ajp.c?r1=917876&r2=917875&pathrev=917876 http://httpd.apache.org/security/vulnerabilities_22.html https://bugzilla.redhat.com/show_bug.cgi?id=569905 ADV-2010-1411 ADV-2010-1057 ADV-2010-1001 ADV-2010-0994 ADV-2010-0911 38491 RHSA-2010:0168 MDVSA-2010:053 DSA-2035 PM15829 PM12247 PM08939 http://svn.apache.org/viewvc?view=revision&revision=917876 http://support.apple.com/kb/HT4435 40096 39656 39632 39628 39501 39100 oval:org.mitre.oval:def:9935 oval:org.mitre.oval:def:8619 SUSE-SR:2010:010 FEDORA-2010-6131 FEDORA-2010-5942 APPLE-SA-2010-11-10-1 Buffer overflow in the GMIME_UUENCODE_LEN macro in gmime/gmime-encodings.h in GMime before 2.4.15 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via input data for a uuencode operation. http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz https://bugzilla.redhat.com/show_bug.cgi?id=561457 [oss-security] 20100203 Re: CVE Request -- GMime-2.4.15 [oss-security] 20100203 CVE Request -- GMime-2.4.15 38915 38459 SUSE-SR:2010:006 http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.15.changes drivers/connector/connector.c in the Linux kernel before 2.6.32.8 allows local users to cause a denial of service (memory consumption and system crash) by sending the kernel many NETLINK_CONNECTOR messages. http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.32.8 https://bugzilla.redhat.com/show_bug.cgi?id=561682 ADV-2010-0638 http://www.vmware.com/security/advisories/VMSA-2011-0003.html USN-914-1 38058 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0398 RHSA-2010:0161 [oss-security] 20100203 Re: CVE request: kernel OOM/crash in drivers/connector [oss-security] 20100203 CVE request: kernel OOM/crash in drivers/connector SUSE-SA:2010:023 MDVSA-2010:088 DSA-2005 DSA-1996 http://support.avaya.com/css/P8/documents/100088287 43315 39742 39649 39033 38922 38779 38557 38492 oval:org.mitre.oval:def:10903 SUSE-SA:2010:019 SUSE-SA:2010:018 SUSE-SA:2010:014 FEDORA-2010-1787 FEDORA-2010-1804 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=f98bfbd78c37c5946cc53089da32a5f741efdeb7 Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow. https://bugzilla.redhat.com/show_bug.cgi?id=559719 ADV-2010-1001 38120 RHSA-2010:0125 RHSA-2010:0124 http://sourceware.org/git/gitweb.cgi?p=systemtap.git;a=commit;h=a2d399c87a642190f08ede63dc6fc434a5a8363a http://sourceware.org/bugzilla/show_bug.cgi?id=11234 1023664 39656 38817 38765 38680 38426 oval:org.mitre.oval:def:9675 [oss-security] 20100204 systemtap DoS issue (CVE-2010-0411) SUSE-SR:2010:010 FEDORA-2010-1720 FEDORA-2010-1373 stap-server in SystemTap 1.1 does not properly restrict the value of the -B (aka BUILD) option, which allows attackers to have an unspecified impact via vectors associated with executing the make program, a different vulnerability than CVE-2009-4273. systemtap-stapserver-unspecified(56611) 38316 [scm-commits] 20100215 rpms/systemtap/devel systemtap-1.1-tighten-server-params.patch, NONE, 1.1 systemtap.spec, 1.59, 1.60 FEDORA-2010-1720 FEDORA-2010-1373 gnome-screensaver before 2.28.2 allows physically proximate attackers to bypass screen locking and access an unattended workstation by moving the mouse position to an external monitor and then disconnecting that monitor. https://bugzilla.redhat.com/show_bug.cgi?id=562217 https://bugzilla.gnome.org/show_bug.cgi?id=609337 USN-898-1 38149 62219 MDVSA-2010:040 38534 38532 38468 FEDORA-2010-1556 http://git.gnome.org/browse/gnome-screensaver/commit/?id=dcca89b7ab6e1220815af38da246434b2e13fd9f http://git.gnome.org/browse/gnome-screensaver/commit/?id=a5f66339be6719c2b8fc478a1d5fc6545297d950 http://ftp.gnome.org/pub/GNOME/sources/gnome-screensaver/2.28/gnome-screensaver-2.28.2.news The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set. http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.33-rc7 https://bugzilla.redhat.com/show_bug.cgi?id=562582 ADV-2010-0638 http://www.vmware.com/security/advisories/VMSA-2011-0003.html USN-914-1 38144 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0161 RHSA-2010:0147 [oss-security] 20100208 Re: CVE request: information leak / potential crash in sys_move_pages [oss-security] 20100207 Re: CVE request: information leak / potential crash in sys_move_pages [oss-security] 20100207 CVE request: information leak / potential crash in sys_move_pages MDVSA-2010:198 MDVSA-2010:066 DSA-2005 DSA-1996 43315 39033 38922 38779 38557 38492 oval:org.mitre.oval:def:9399 SUSE-SA:2010:018 SUSE-SA:2010:014 FEDORA-2010-1787 FEDORA-2010-1804 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6f5a55f1a6c5abee15a0e878e5c74d9f1569b8b0 Buffer overflow in the Unescape function in common/util/hxurl.cpp and player/hxclientkit/src/CHXClientSink.cpp in Helix Player 1.0.6 and RealPlayer allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a URL argument containing a % (percent) character that is not followed by two hex digits. https://helixcommunity.org/viewcvs/common/util/hxurl.cpp?view=log#rev1.24.4.1.4.1 https://bugzilla.redhat.com/show_bug.cgi?id=561856 RHSA-2010:0094 38450 oval:org.mitre.oval:def:10847 [common-cvs] 20070703 util hxurl.cpp,1.24.4.1,1.24.4.1.4.1 Buffer overflow in common/util/rlstate.cpp in Helix Player 1.0.6 and RealPlayer allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a RuleBook structure with a large number of rule-separator characters that trigger heap memory corruption. https://helixcommunity.org/viewcvs/common/util/rlstate.cpp?view=log#rev1.10 https://bugzilla.redhat.com/show_bug.cgi?id=561860 RHSA-2010:0094 38450 oval:org.mitre.oval:def:11364 [common-cvs] 20080114 util rlstate.cpp,1.9,1.10 The web interface in chumby one before 1.0.4 and chumby classic before 1.7.2 allows remote attackers to execute arbitrary commands via shell metacharacters in a request. http://www.chumby.com/pages/release10mar http://www.awe.com/mark/blog/20100305.html 38972 The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not properly restrict writing of segment selectors to segment registers, which might allow guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch. https://bugzilla.redhat.com/show_bug.cgi?id=563463 kernel-selectors-privilege-escalation(56662) 38467 RHSA-2010:0126 1023663 oval:org.mitre.oval:def:10139 libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname. ADV-2010-0413 http://developer.pidgin.im/wiki/ChangeLog RHSA-2010:0115 https://bugzilla.redhat.com/show_bug.cgi?id=565786 pidgin-xmpp-nickname-dos(56399) ADV-2010-1020 ADV-2010-0914 USN-902-1 38294 62439 MDVSA-2010:085 MDVSA-2010:041 DSA-2038 39509 38915 38712 38658 38640 38563 http://pidgin.im/news/security/?id=44 oval:org.mitre.oval:def:11485 SUSE-SR:2010:006 FEDORA-2010-1383 FEDORA-2010-1934 FEDORA-2010-1279 Array index error in the hb_ot_layout_build_glyph_classes function in pango/opentype/hb-ot-layout.cc in Pango before 1.27.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted font file, related to building a synthetic Glyph Definition (aka GDEF) table by using this font's charmap and the Unicode property database. http://ftp.gnome.org/pub/GNOME/sources/pango/1.27/pango-1.27.1.tar.bz2 https://bugzilla.redhat.com/show_bug.cgi?id=555831 ADV-2010-1552 ADV-2010-0661 ADV-2010-0627 38760 RHSA-2010:0140 MDVSA-2010:121 DSA-2019 1023711 39041 oval:org.mitre.oval:def:9417 SUSE-SR:2010:013 SUSE-SR:2010:012 SUSE-SR:2010:009 gnome-screensaver 2.28.x before 2.28.3 does not properly synchronize the state of screen locking and the unlock dialog in situations involving a change to the number of monitors, which allows physically proximate attackers to bypass screen locking and access an unattended workstation by connecting and disconnecting monitors multiple times, a related issue to CVE-2010-0414. https://bugzilla.redhat.com/show_bug.cgi?id=564464 https://bugzilla.gnome.org/show_bug.cgi?id=609789 gnome-screensaver-monitor-sec-bypass(56364) 38248 38583 38565 [oss-security] 20100212 Re: gnome-screensaver vulnerability (CVE-2010-0414) FEDORA-2010-1855 http://git.gnome.org/browse/gnome-screensaver/commit/?id=f93a22c175090cf02e80bc3ee676b53f1251f685 http://git.gnome.org/browse/gnome-screensaver/commit/?id=d4dcbd65a2df3c093c4e3a74bbbc75383eb9eadb http://git.gnome.org/browse/gnome-screensaver/commit/?id=271ae93d7b140b8ba40d77f9e4ce894e5fd1b554 http://ftp.gnome.org/pub/GNOME/sources/gnome-screensaver/2.28/gnome-screensaver-2.28.3.news gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat. ADV-2010-0413 http://pidgin.im/news/security/?id=45 RHSA-2010:0115 https://bugzilla.redhat.com/show_bug.cgi?id=565792 pidgin-smileys-dos(56394) ADV-2010-1020 ADV-2010-0914 USN-902-1 38294 62440 MDVSA-2010:085 MDVSA-2010:041 DSA-2038 39509 38915 38712 38658 38640 38563 oval:org.mitre.oval:def:9842 SUSE-SR:2010:006 FEDORA-2010-1383 FEDORA-2010-1934 FEDORA-2010-1279 http://developer.pidgin.im/wiki/ChangeLog The edit_cmd function in crontab.c in (1) cronie before 1.4.4 and (2) Vixie cron (vixie-cron) allows local users to change the modification times of arbitrary files, and consequently cause a denial of service, via a symlink attack on a temporary file in the /tmp directory. https://bugzilla.redhat.com/show_bug.cgi?id=565809 38391 38741 38700 FEDORA-2010-2751 http://git.fedorahosted.org/git/cronie.git?p=cronie.git;a=commit;h=9e4a8fa5f9171fb724981f53879c9b20264aeb61 modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers." VU#280613 apache-http-modisapi-ocp-unspecified(56624) ADV-2010-0994 ADV-2010-0634 http://www.vmware.com/security/advisories/VMSA-2010-0014.html http://www.senseofsecurity.com.au/advisories/SOS-10-002 1023701 38494 PM12247 PM09447 http://svn.apache.org/viewvc?view=revision&revision=917870 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/arch/win32/mod_isapi.c?r1=917870&r2=917869&pathrev=917870 http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?r1=917870&r2=917869&pathrev=917870 39628 38978 oval:org.mitre.oval:def:8439 [security-announce] 20100923 VMSA-2010-0014 VMware Workstation, Player, and ACE address several security issues http://httpd.apache.org/security/vulnerabilities_22.html http://httpd.apache.org/security/vulnerabilities_20.html sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4, when a pseudo-command is enabled, permits a match between the name of the pseudo-command and the name of an executable file in an arbitrary directory, which allows local users to gain privileges via a crafted executable file, as demonstrated by a file named sudoedit in a user's home directory. http://www.sudo.ws/sudo/stable.html 38362 ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.9p21.patch.gz ADV-2010-0949 ADV-2010-0450 USN-905-1 20101027 rPSA-2010-0075-1 sudo MDVSA-2010:049 http://www.linuxquestions.org/questions/linux-security-4/the-use-of-sudoedit-command-question-785442/ GLSA-201003-01 DSA-2006 http://wiki.rpath.com/Advisories:rPSA-2010-0075 http://sudo.ws/repos/sudo/rev/f86e1b56d074 http://sudo.ws/repos/sudo/rev/88f3181692fe http://sudo.ws/bugs/show_bug.cgi?id=389 SSA:2010-110-01 1023658 39399 38915 38803 38795 38762 38659 oval:org.mitre.oval:def:7238 oval:org.mitre.oval:def:10814 SUSE-SR:2010:006 FEDORA-2010-6749 FEDORA-2010-6701 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=570737 sudo 1.6.x before 1.6.9p21, when the runas_default option is used, does not properly set group memberships, which allows local users to gain privileges via a sudo command. ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.9p21.patch.gz https://bugzilla.redhat.com/show_bug.cgi?id=567622 USN-905-1 http://www.sudo.ws/cgi-bin/cvsweb/sudo/set_perms.c.diff?r1=1.30.2.7&r2=1.30.2.8 20101027 rPSA-2010-0075-1 sudo [oss-security] 20100224 Re: CVE assignment notification -- CVE-2010-0427 -- sudo fails to reset group permissions if runas_default set [oss-security] 20100223 CVE assignment notification -- CVE-2010-0427 -- sudo fails to reset group permissions if runas_default set http://www.gratisoft.us/bugzilla/show_bug.cgi?id=349 http://www.gratisoft.us/bugzilla/attachment.cgi?id=255 GLSA-201003-01 DSA-2006 http://wiki.rpath.com/Advisories:rPSA-2010-0075 http://sudo.ws/repos/sudo/rev/aa0b6c01c462 1023658 38915 38803 38795 38762 oval:org.mitre.oval:def:7216 oval:org.mitre.oval:def:10946 SUSE-SR:2010:006 libspice, as used in QEMU-KVM in the Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2 and qspice 0.3.0, does not properly validate guest QXL driver pointers, which allows guest OS users to cause a denial of service (invalid pointer dereference and guest OS crash) or possibly gain privileges via unspecified vectors. RHSA-2010:0633 RHSA-2010:0622 https://bugzilla.redhat.com/show_bug.cgi?id=568699 libspice, as used in QEMU-KVM in the Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2 and qspice 0.3.0, does not properly restrict the addresses upon which memory-management actions are performed, which allows guest OS users to cause a denial of service (guest OS crash) or possibly gain privileges via unspecified vectors. RHSA-2010:0633 RHSA-2010:0622 https://bugzilla.redhat.com/show_bug.cgi?id=568701 QEMU-KVM, as used in the Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2 and KVM 83, does not properly validate guest QXL driver pointers, which allows guest OS users to cause a denial of service (invalid pointer dereference and guest OS crash) or possibly gain privileges via unspecified vectors. RHSA-2010:0627 https://bugzilla.redhat.com/show_bug.cgi?id=568809 RHSA-2010:0622 Multiple cross-site scripting (XSS) vulnerabilities in the Apache Open For Business Project (aka OFBiz) 09.04 and earlier, as used in Opentaps, Neogia, and Entente Oya, allow remote attackers to inject arbitrary web script or HTML via (1) the productStoreId parameter to control/exportProductListing, (2) the partyId parameter to partymgr/control/viewprofile (aka partymgr/control/login), (3) the start parameter to myportal/control/showPortalPage, (4) an invalid URI beginning with /facility/control/ReceiveReturn (aka /crmsfa/control/ReceiveReturn or /cms/control/ReceiveReturn), (5) the contentId parameter (aka the entityName variable) to ecommerce/control/ViewBlogArticle, (6) the entityName parameter to webtools/control/FindGeneric, or the (7) subject or (8) content parameter to an unspecified component under ecommerce/control/contactus. 39489 http://www.bonsai-sec.com/en/research/vulnerabilities/apacheofbiz-multiple-xss-0103.php http://svn.apache.org/viewvc?view=revision&revision=920382 http://svn.apache.org/viewvc?view=revision&revision=920381 http://svn.apache.org/viewvc?view=revision&revision=920380 http://svn.apache.org/viewvc?view=revision&revision=920379 http://svn.apache.org/viewvc?view=revision&revision=920372 http://svn.apache.org/viewvc?view=revision&revision=920371 http://svn.apache.org/viewvc?view=revision&revision=920370 http://svn.apache.org/viewvc?view=revision&revision=920369 The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot. [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released https://kb.bluecoat.com/index?page=content&id=SA50 https://bugzilla.redhat.com/show_bug.cgi?id=569774 https://bugzilla.redhat.com/show_bug.cgi?id=567711 ADV-2010-1216 ADV-2010-0933 ADV-2010-0916 ADV-2010-0839 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX [oss-security] 20100303 OpenSSL (with KRB5) remote crash - CVE-2010-0433 http://www.openssl.org/news/changelog.html MDVSA-2010:076 [dovecot] 20100219 segfault - (imap|pop3)-login during nessus scan 43311 42733 42724 39932 39461 oval:org.mitre.oval:def:9856 oval:org.mitre.oval:def:6718 oval:org.mitre.oval:def:12260 FEDORA-2010-5357 FEDORA-2010-5744 http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/c3e1ab0034ca4b4c/66aa896c3a78b2f7 http://cvs.openssl.org/chngview?cn=19374 http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request. http://httpd.apache.org/security/vulnerabilities_22.html https://issues.apache.org/bugzilla/show_bug.cgi?id=48359 https://bugzilla.redhat.com/show_bug.cgi?id=570171 apache-http-rh-info-disclosure(56625) ADV-2010-1411 ADV-2010-1057 ADV-2010-1001 ADV-2010-0994 ADV-2010-0911 http://www.vmware.com/security/advisories/VMSA-2010-0014.html 38494 RHSA-2010:0175 RHSA-2010:0168 DSA-2035 PM15829 PM12247 PM08939 http://svn.apache.org/viewvc?view=revision&revision=918427 http://svn.apache.org/viewvc?view=revision&revision=917867 http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/protocol.c?r1=917617&r2=917867&pathrev=917867&diff_format=h http://support.apple.com/kb/HT4435 40096 39656 39632 39628 39501 39115 39100 oval:org.mitre.oval:def:8695 oval:org.mitre.oval:def:10358 [security-announce] 20100923 VMSA-2010-0014 VMware Workstation, Player, and ACE address several security issues SUSE-SR:2010:010 FEDORA-2010-6131 FEDORA-2010-5942 APPLE-SA-2010-11-10-1 The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2, and KVM 83, when the Intel VT-x extension is enabled, allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via vectors related to instruction emulation. Per: http://cwe.mitre.org/data/definitions/476.html 'NULL Pointer Dereference' RHSA-2010:0627 RHSA-2010:0622 https://bugzilla.redhat.com/show_bug.cgi?id=570528 ADV-2011-0012 42778 SUSE-SA:2011:001 Race condition in backend/ctrl.c in KDM in KDE Software Compilation (SC) 2.2.0 through 4.4.2 allows local users to change the permissions of arbitrary files, and consequently gain privileges, by blocking the removal of a certain directory that contains a control socket, related to improper interaction with ksm. ADV-2010-0879 ftp://ftp.kde.org/pub/kde/security_patches/kdebase-workspace-4.3.5-CVE-2010-0436.diff https://bugzilla.redhat.com/show_bug.cgi?id=570613 kde-kdm-privilege-escalation(57823) 39467 http://www.kde.org/info/security/advisory-20100413-1.txt DSA-2037 39506 39481 39419 RHSA-2010:0348 oval:org.mitre.oval:def:9999 SUSE-SR:2010:009 FEDORA-2010-6605 The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux kernel before 2.6.27 does not properly handle certain circumstances involving an IPv6 TUN network interface and a large number of neighbors, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via unknown vectors. https://bugzilla.redhat.com/show_bug.cgi?id=563781 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0161 RHSA-2010:0147 [oss-security] 20100304 Re: CVE request - kernel: ip6_dst_lookup_tail() NULL pointer dereference [oss-security] 20100211 CVE request - kernel: ip6_dst_lookup_tail() NULL pointer dereference http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.27 43315 39033 oval:org.mitre.oval:def:10061 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e550dfb0c2c31b6363aa463a035fc9f8dcaa3c9b http://bugzilla.kernel.org/show_bug.cgi?id=11469 Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors. 38146 http://www.otrs.org/news/2010/otrs_2-4-7/ 62181 http://source.otrs.org/viewvc.cgi/otrs/Kernel/System/Ticket.pm?view=log 38544 38507 http://otrs.org/releases/2.4.7/ http://otrs.org/advisory/OSA-2010-01-en/ SUSE-SR:2010:014 Chip Salzenberg Deliver allows local users to cause a denial of service, obtain sensitive information, and possibly change the ownership of arbitrary files via a symlink attack on an unspecified file. 38924 20100324 Multiple vulnerabilities in Deliver Cross-site scripting (XSS) vulnerability in +CSCOT+/translation in Cisco Secure Desktop 3.4.2048, and other versions before 3.5; as used in Cisco ASA appliance before 8.2(1), 8.1(2.7), and 8.0(5); allows remote attackers to inject arbitrary web script or HTML via a crafted POST parameter, which is not properly handled by an eval statement in binary/mainv.js that writes to start.html. Per: http://tools.cisco.com/security/center/viewAlert.x?alertId=19843 "Cisco Secure Desktop versions prior to 3.5 are vulnerable. Cisco Secure Desktop is a component of Cisco ASA 5500 Series Adaptive Security Appliances. Cisco ASA appliances are vulnerable only if the Cisco Secure Desktop feature has been enabled. Cisco ASA appliance versions prior to 8.2(1), 8.1(2.7), and 8.0(5) are vulnerable." http://tools.cisco.com/security/center/viewAlert.x?alertId=19843 ADV-2010-0273 37960 20100201 [CORE-2010-0106] Cisco Secure Desktop XSS/JavaScript Injection http://www.coresecurity.com/content/cisco-secure-desktop-xss 38397 Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before 1.6.1.14, and 1.6.2.x before 1.6.2.2, and Business Edition C.3 before C.3.3.2, allows remote attackers to cause a denial of service (daemon crash) via an SIP T.38 negotiation with an SDP FaxMaxDatagram field that is (1) missing, (2) modified to contain a negative number, or (3) modified to contain a large number. http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.1.diff http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.0.diff https://issues.asterisk.org/view.php?id=16724 https://issues.asterisk.org/view.php?id=16634 https://issues.asterisk.org/view.php?id=16517 ADV-2010-0289 38047 20100202 AST-2010-001: T.38 Remote Crash Vulnerability 1023532 39096 38395 FEDORA-2010-3724 http://downloads.asterisk.org/pub/security/AST-2010-001.html http://downloads.asterisk.org/pub/security/AST-2010-001-1.6.2.diff The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow." https://bugzilla.redhat.com/show_bug.cgi?id=559259 https://bugzilla.redhat.com/show_bug.cgi?id=559194 postgresql-substring-bo(55902) ADV-2010-1221 ADV-2010-1207 ADV-2010-1197 ADV-2010-1022 37973 RHSA-2010:0429 RHSA-2010:0428 RHSA-2010:0427 [oss-security] 20100127 Re: CVE id request: postgresql bitsubstr overflow MDVSA-2010:103 DSA-2051 USN-933-1 1023510 39939 39820 39566 oval:org.mitre.oval:def:9720 http://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html http://git.postgresql.org/gitweb?p=postgresql.git;a=commit;h=b15087cb39ca9e4bde3c8920fcee3741045d2b83 http://git.postgresql.org/gitweb?p=postgresql.git;a=commit;h=75dea10196c31d98d98c0bafeeb576ae99c09b12 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567058 [pgsql-hackers] 20100107 Re: Patch: Allow substring/replace() to get/set bit values [pgsql-committers] 20100107 pgsql: Make bit/varbit substring() treat any negative length as meaning Unspecified vulnerability in Record Management Services (RMS) before VMS83A_RMS-V1100 for HP OpenVMS on the Alpha platform allows local users to gain privileges via unknown vectors. ADV-2010-0286 HPSBOV02505 HPSBOV02505 openvms-rms-privilege-escalation(56062) 38048 38366 HP Operations Agent 8.51, 8.52, 8.53, and 8.60 on Solaris 10 uses a blank password for the opc_op account, which allows remote attackers to execute arbitrary code via unspecified vectors. 38150 1023555 62213 HPSBMA02487 HPSBMA02487 Unspecified vulnerability in HP Network Node Manager (NNM) 8.10, 8.11, 8.12, and 8.13 allows remote attackers to execute arbitrary commands via unknown vectors. 38528 HPSBMA02484 HPSBMA02484 Unspecified vulnerability on the HP DreamScreen 100 and 130 with firmware before 1.6.0.0, when using a web-connected configuration, allows remote attackers to obtain sensitive information via unknown vectors. 38190 1023581 38536 HPSBPI02507 HPSBPI02507 The helpmanager servlet in the web server in HP OpenView Performance Insight (OVPI) 5.4 and earlier does not properly authenticate and validate requests, which allows remote attackers to execute arbitrary commands via vectors involving upload of a JSP document. hp-performance-unspec-command-exec(56757) http://www.zerodayinitiative.com/advisories/ZDI-10-026 ADV-2010-0555 38611 20100309 ZDI-10-026: Hewlett-Packard OVPI helpmanager Servlet Remote Code Execution Vulnerability 38899 62797 SSRT090065 SSRT090065 Unspecified vulnerability in HP SOA Registry Foundation 6.63 and 6.64 allows remote attackers to obtain "unauthorized access to data" via unknown vectors. HPSBMA02490 HPSBMA02490 1023765 39059 39187 Cross-site scripting (XSS) vulnerability in HP SOA Registry Foundation 6.63 and 6.64 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. SSRT090222 SSRT090222 1023765 39060 39187 Unspecified vulnerability in HP SOA Registry Foundation 6.63 and 6.64 allows remote authenticated users to gain privileges via unknown vectors. SSRT090222 SSRT090222 1023765 39061 39187 The installation process for NFS/ONCplus B.11.31_08 and earlier on HP HP-UX B.11.31 changes the NFS_SERVER setting in the nfsconf file, which might allow remote attackers to obtain filesystem access via NFS requests. HPSBUX02509 HPSBUX02509 hpux-oncplus-weak-security(57216) ADV-2010-0731 38982 1023758 39111 oval:org.mitre.oval:def:12025 63243 Multiple cross-site scripting (XSS) vulnerabilities in HP Project and Portfolio Management Center (PPMC, formerly Mercury IT Governance) 7.1 through SP10 and 7.5 through SP3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 38961 63175 1023749 39105 SSRT080064 SSRT080064 The ucode_ioctl function in intel/io/ucode_drv.c in Sun Solaris 10 and OpenSolaris snv_69 through snv_133, when running on x86 architectures, allows local users to cause a denial of service (panic) via a request with a 0 size value to the UCODE_GET_VERSION IOCTL, which triggers a NULL pointer dereference in the ucode_get_rev function, related to retrieval of the microcode revision. TA10-103B ADV-2010-0270 http://sunsolve.sun.com/search/document.do?assetkey=1-21-143913-01-1 solaris-microcode-dos(55991) http://www.trapkit.de/advisories/TKADV2010-001.txt 38016 20100131 [TKADV2010-001] Oracle Solaris UCODE_GET_VERSION IOCTL Kernel NULL Pointer Dereference http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1021799 275910 38452 oval:org.mitre.oval:def:6959 62046 SQL injection vulnerability in cgi/cgilua.exe/sys/start.htm in Publique! 2.3 allows remote attackers to execute arbitrary SQL commands via the sid parameter. 20100125 Publique! CMS SQL Injection Vulnerabilities 38302 http://packetstormsecurity.org/1001-exploits/publique-sql.txt 61941 Cross-site scripting (XSS) vulnerability in forum/viewtopic.php in PunBB 1.3 allows remote attackers to inject arbitrary web script or HTML via the pid parameter. punbb-viewtopic-xss(55853) 37930 http://www.packetstormsecurity.com/1001-exploits/punbb13-xss.txt SQL injection vulnerability in the indianpulse Game Server (com_gameserver) component 1.2 for Joomla! allows remote attackers to execute arbitrary SQL commands via the grp parameter in a gameserver action to index.php. gameserver-grp-sql-injection(55829) 37934 37920 11222 SQL injection vulnerability in home.php in magic-portal 2.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. magicportal-home-sql-injection(55849) 11235 http://packetstormsecurity.org/1001-exploits/magicportal-sql.txt Multiple SQL injection vulnerabilities in NetArt Media Blog System 1.5 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to index.php and the (2) note parameter to blog.php. blogsystem-blog-sql-injection(55862) blogsystem-index-sql-injection(55818) 37911 11216 http://packetstormsecurity.org/0512-exploits/blog12SQL.txt SQL injection vulnerability in the Mochigames (com_mochigames) component 0.51 and possibly other versions for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. mochigames-index-sql-injection(55841) 37931 11243 http://packetstormsecurity.org/1001-exploits/joomlamochigames-sql.txt Multiple cross-site scripting (XSS) vulnerabilities in staff/index.php in Kayako SupportSuite 3.60.04 and earlier allow remote authenticated users to inject arbitrary web script or HTML via the (1) subject parameter and (2) contents parameter (aka body) in an insertquestion action. NOTE: some of these details are obtained from third party information. supportsuite-contents-xss(55859) 37947 20100121 Kayako SupportSuite Multiple Persistent Cross Site Scripting (Current Versions) 38322 http://packetstormsecurity.org/1001-advisories/kayako-xss.txt 61928 SQL injection vulnerability in the casino (com_casino) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a (1) category or (2) player action to index.php. Exploit PoC reference links indicate a prerequisite of privileged authenticated user. casino-indexphp-sql-injection(55846) 37938 11237 http://packetstormsecurity.org/1001-exploits/joomlacasino1-sql.txt Heap-based buffer overflow in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 allows remote authenticated users to have an unspecified impact via a SELECT statement that has a long column name generated with the REPEAT function. db2-sysibm-bo(55899) 37976 http://www-01.ibm.com/support/docview.wss?uid=swg21432298 http://www-01.ibm.com/support/docview.wss?uid=swg21426108 IC65935 IC65933 IC65922 1023509 oval:org.mitre.oval:def:14518 http://intevydis.blogspot.com/2010/01/ibm-db2-97-heap-overflow.html ftp://public.dhe.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v95/APARLIST.TXT Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. http://bugs.horde.org/ticket/8836 https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail horde-dns-info-disclosure(56052) Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. http://trac.roundcube.net/ticket/1486449 https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail MDVSA-2010:048 Cross-site scripting (XSS) vulnerability in the online Documents functionality in SugarCRM 5.2.x before 5.2.0l and 5.5.x before 5.5.0a allows remote authenticated users to inject arbitrary web script or HTML via the Document Name field. http://www.sugarcrm.com/crm/support/bugs.html?task=view&caseID=db4489b7-b5a8-4a6d-555b-4b9ffa7b4ffa 38772 20100316 SugarCRM Stored XSS vulnerability 38962 Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php. ccnewsletter-index-dir-traversal(55953) 37987 11282 11277 http://www.chillcreations.com/en/blog/ccnewsletter-joomla-newsletter/ccnewsletter-106-security-release.html 38378 Cross-site scripting (XSS) vulnerability in utilities/longproc.cfm in PaperThin CommonSpot Content Server allows remote attackers to inject arbitrary web script or HTML via the url parameter. commonspot-longproc-xss(55955) 37986 20100128 PR09-19: Cross-Site Scripting (XSS) on CommonSpot server 62087 20100128 PR09-19: Cross-Site Scripting (XSS) on CommonSpot server SQL injection vulnerability in Files2Links F2L 3000 appliance 4.0.0, and possibly other versions and models, allows remote attackers to execute arbitrary SQL commands via unspecified parameters to the login page. f2l3000-login-sql-injection(55950) 38310 http://packetstormsecurity.org/1001-advisories/DDIVRT-2009-27.txt 61976 20100125 DDIVRT-2009-27 F2L-3000 files2links SQL Injection Vulnerability Cross-site scripting (XSS) vulnerability in scvrtsrv.cmd in Comtrend CT-507IT ADSL Router allows remote attackers to inject arbitrary web script or HTML via the srvName parameter. 38004 38309 http://packetstormsecurity.org/1001-exploits/comtrend-xss.txt SQL injection vulnerability in the comment submission interface (includes/comment.php) in Enano CMS before 1.0.6pl1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters. http://enanocms.org/Release_notes/1.0.6pl1 61974 38253 kuddb2 in Tivoli Monitoring for DB2, as distributed in IBM DB2 9.7 FP1 on Linux, allows remote attackers to cause a denial of service (daemon crash) via a certain byte sequence. 38018 http://www-01.ibm.com/support/docview.wss?uid=swg21432298 IC68762 oval:org.mitre.oval:def:14289 http://intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html Cross-site scripting (XSS) vulnerability in esp/editUser.esp in the Palo Alto Networks firewall 3.0.x before 3.0.9 and 3.1.x before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the role parameter. paloalto-edituser-xss(58624) http://www.jeromiejackson.com/index.php?view=article&id=83:palo-alto-cross-site-scripting-vulnerability&tmpl=component&print=1&layout=default&page= 20100512 Palo Alto Network Vulnerability - Cross-Site Scripting (XSS) The SMB client in Microsoft Windows Server 2003 SP2, Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption and reboot) via a crafted SMB transaction response that uses (1) SMBv1 or (2) SMBv2, aka "SMB Client Response Parsing Vulnerability." TA10-103A MS10-020 39336 39372 oval:org.mitre.oval:def:6918 The SMB client in Microsoft Windows Server 2008 R2 and Windows 7 does not properly handle (1) SMBv1 and (2) SMBv2 response packets, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted packet that causes the client to read the entirety of the response, and then improperly interact with the Winsock Kernel (WSK), aka "SMB Client Message Size Vulnerability." TA10-103A MS10-020 39372 oval:org.mitre.oval:def:6859 Stack-based buffer overflow in nsum.exe in the Windows Media Unicast Service in Media Services for Microsoft Windows 2000 Server SP4 allows remote attackers to execute arbitrary code via crafted packets associated with transport information, aka "Media Services Stack-based Buffer Overflow Vulnerability." TA10-103A MS10-025 oval:org.mitre.oval:def:7001 Buffer overflow in Microsoft Office Publisher 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted Publisher file, aka "Microsoft Office Publisher File Conversion TextBox Processing Buffer Overflow Vulnerability." TA10-103A MS10-023 oval:org.mitre.oval:def:7141 Multiple stack-based buffer overflows in the MPEG Layer-3 audio codecs in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allow remote attackers to execute arbitrary code via a crafted AVI file, aka "MPEG Layer-3 Audio Decoder Stack Overflow Vulnerability." TA10-103A MS10-026 8336 oval:org.mitre.oval:def:7441 The kernel in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly translate a registry key's virtual path to its real path, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Virtual Path Parsing Vulnerability." TA10-103A MS10-021 1023850 39374 39373 oval:org.mitre.oval:def:6770 The kernel in Microsoft Windows Server 2008 R2 and Windows 7 does not properly validate relocation sections of image files, which allows local users to cause a denial of service (reboot) via a crafted file, aka "Windows Kernel Malformed Image Vulnerability." TA10-103A MS10-021 1023850 39374 oval:org.mitre.oval:def:7176 vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows user-assisted remote attackers to execute arbitrary code by referencing a (1) local pathname, (2) UNC share pathname, or (3) WebDAV server with a crafted .hlp file in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution involving winhlp32.exe when the F1 key is pressed, aka "VBScript Help Keypress Vulnerability." TA10-103A VU#612021 MS10-022 https://www.metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ie_winhlp32.rb ms-win-msgbox-code-execution(56558) ADV-2010-0485 http://www.theregister.co.uk/2010/03/01/ie_code_execution_bug/ 38463 62632 http://www.microsoft.com/technet/security/advisory/981169.mspx http://www.computerworld.com/s/article/9163298/New_zero_day_involves_IE_puts_Windows_XP_users_at_risk 1023668 38727 oval:org.mitre.oval:def:8654 oval:org.mitre.oval:def:7170 http://isec.pl/vulnerabilities10.html http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt http://blogs.technet.com/srd/archive/2010/03/01/help-keypress-vulnerability-in-vbscript-enabling-remote-code-execution.aspx http://blogs.technet.com/msrc/archive/2010/03/01/security-advisory-981169-released.aspx http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx The Windows kernel-mode drivers in win32k.sys in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2 "do not properly validate changes in certain kernel objects," which allows local users to execute arbitrary code via vectors related to Device Contexts (DC) and the GetDCEx function, aka "Win32k Improper Data Validation Vulnerability." TA10-159B MS10-032 20100608 VUPEN Security Research - Microsoft Windows Kernel "GetDCEx()" Memory Corruption Vulnerability (CVE-2010-0484) http://www.opera.com/support/kb/view/954/ oval:org.mitre.oval:def:7609 The Windows kernel-mode drivers in win32k.sys in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 Gold and SP2, Windows 7, and Server 2008 R2 "do not properly validate all callback parameters when creating a new window," which allows local users to execute arbitrary code, aka "Win32k Window Creation Vulnerability." TA10-159B MS10-032 http://www.opera.com/support/kb/view/954/ oval:org.mitre.oval:def:6948 The WinVerifyTrust function in Authenticode Signature Verification 5.1, 6.0, and 6.1 in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly use unspecified fields in a file digest, which allows user-assisted remote attackers to execute arbitrary code via a modified (1) Portable Executable (PE) or (2) cabinet (aka .CAB) file that incorrectly appears to have a valid signature, aka "WinVerifyTrust Signature Validation Vulnerability." TA10-103A MS10-019 oval:org.mitre.oval:def:6787 The Authenticode Signature verification functionality in cabview.dll in Cabinet File Viewer Shell Extension 5.1, 6.0, and 6.1 in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly use unspecified fields in a file digest, which allows remote attackers to execute arbitrary code via a modified cabinet (aka .CAB) file that incorrectly appears to have a valid signature, aka "Cabview Corruption Validation Vulnerability." TA10-103A MS10-019 oval:org.mitre.oval:def:6886 Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 does not properly handle unspecified "encoding strings," which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site, aka "Post Encoding Information Disclosure Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 8 is not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39028 MS10-018 1023773 oval:org.mitre.oval:def:7840 JVNDB-2010-000011 JVN#49467403 Race condition in Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via a crafted HTML document that triggers memory corruption, aka "Race Condition Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 8 is not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39026 MS10-018 1023773 oval:org.mitre.oval:def:7774 Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 5.01 Service Pack 4 is not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39031 MS10-018 1023773 oval:org.mitre.oval:def:8302 Use-after-free vulnerability in Microsoft Internet Explorer 5.01 SP4, 6, and 6 SP1 allows remote attackers to execute arbitrary code by changing unspecified properties of an HTML object that has an onreadystatechange event handler, aka "HTML Object Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 7 and Internet Explorer 8 are not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39027 MS10-018 1023773 oval:org.mitre.oval:def:8421 20100330 Microsoft Internet Explorer 'onreadystatechange' Use After Free Vulnerability Use-after-free vulnerability in mstime.dll in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via vectors related to the TIME2 behavior, the CTimeAction object, and destruction of markup, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 6 and Internet Explorer 7 are not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39030 MS10-018 http://www.zerodayinitiative.com/advisories/ZDI-10-033 20100402 ZDI-10-033: Microsoft Internet Explorer TIME2 Behavior Remote Code Execution Vulnerability 1023773 oval:org.mitre.oval:def:7722 Cross-domain vulnerability in Microsoft Internet Explorer 6, 6 SP1, 7, and 8 allows user-assisted remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted HTML document in a situation where the client user drags one browser window across another browser window, aka "HTML Element Cross-Domain Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 5.01 Service Pack 4 is not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39047 MS10-018 1023773 oval:org.mitre.oval:def:8553 FreeBit ServersMan 3.1.5 on Apple iPhone OS 3.1.2, and iPhone OS for iPod touch, allows remote attackers to cause a denial of service (daemon crash) via a HEAD request for the / URI. serversman-iphone-ipod-dos(55949) 38315 20100127 Apple Iphone/Ipod - Serversman 3.1.5 HTTP Remote DoS exploit Disk Images in Apple Mac OS X before 10.6.3 does not provide the expected warning for an unsafe file type in an internet enabled disk image, which makes it easier for user-assisted remote attackers to execute arbitrary code via a package file type. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Directory Services in Apple Mac OS X before 10.6.3 does not properly perform authorization during processing of record names, which allows local users to gain privileges via unspecified vectors. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Event Monitor in Apple Mac OS X before 10.6.3 does not properly validate hostnames of SSH clients, which allows remote attackers to cause a denial of service (arbitrary client blacklisting) via a crafted DNS PTR record, related to a "plist injection issue." http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Directory traversal vulnerability in FTP Server in Apple Mac OS X Server before 10.6.3 allows remote authenticated users to read arbitrary files via crafted filenames. Per: http://support.apple.com/kb/HT4077 'This issue only affects Mac OS X Server systems.' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 iChat Server in Apple Mac OS X Server before 10.6.3, when group chat is used, does not perform logging for all types of messages, which might allow remote attackers to avoid message auditing via an unspecified selection of message type. Per: http://support.apple.com/kb/HT4077 'This issue only affects Mac OS X Server systems. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Use-after-free vulnerability in iChat Server in Apple Mac OS X Server 10.5.8 allows remote authenticated users to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. Per: http://support.apple.com/kb/HT4077 'This issue only affects Mac OS X Server systems, and does not affect versions 10.6 or later' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Multiple stack-based buffer overflows in iChat Server in Apple Mac OS X Server before 10.6.3 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. Per: http://support.apple.com/kb/HT4077 'These issues only affect Mac OS X Server systems.' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Heap-based buffer overflow in ImageIO in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JP2 (JPEG2000) image, related to incorrect calculation and the CGImageReadGetBytesAtOffset function. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://www.zerodayinitiative.com/advisories/ZDI-10-058 20100405 ZDI-10-058: Apple Mac OS X ImageIO Framework JPEG2000 Remote Code Execution Vulnerability Buffer overflow in Image RAW in Apple Mac OS X 10.5.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted NEF image. Per: http://support.apple.com/kb/HT4077 'This issue does not affect Mac OS X v10.6 systems' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Buffer overflow in Image RAW in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PEF image. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Mail in Apple Mac OS X before 10.6.3 does not disable the filter rules associated with a deleted mail account, which has unspecified impact and attack vectors. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 SFLServer in OS Services in Apple Mac OS X before 10.6.3 allows local users to gain privileges via vectors related to use of wheel group membership during access to the home directories of user accounts. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Password Server in Apple Mac OS X Server before 10.6.3 does not properly perform password replication, which might allow remote authenticated users to obtain login access via an expired password. Per: http://support.apple.com/kb/HT4077 'This issue only affects Mac OS X Server systems' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Podcast Producer in Apple Mac OS X 10.6 before 10.6.3 deletes the access restrictions of a Podcast Composer workflow when this workflow is overwritten, which allows attackers to access a workflow via unspecified vectors. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 The Accounts Preferences implementation in Apple Mac OS X 10.6 before 10.6.3, when a network account server is used, does not support Login Window access control that is based solely on group membership, which allows attackers to bypass intended access restrictions by entering login credentials. Per: http://support.apple.com/kb/HT4077 'This issue only affects systems configured to use a network account server, and does not affect systems prior to Mac OS X v10.6.' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 39153 Stack-based buffer overflow in PS Normalizer in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PostScript document. Per: http://support.apple.com/kb/HT4077 'On Mac OS X v10.6 systems this issue is mitigated by the -fstack-protector compiler flag.' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 39151 63409 Heap-based buffer overflow in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with H.261 encoding. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 oval:org.mitre.oval:def:7043 APPLE-SA-2010-03-30-1 QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with H.264 encoding. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 oval:org.mitre.oval:def:6783 APPLE-SA-2010-03-30-1 Heap-based buffer overflow in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with RLE encoding, which triggers memory corruption when the length of decompressed data exceeds that of the allocated heap chunk. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://www.zerodayinitiative.com/advisories/ZDI-10-040 20100402 ZDI-10-040: Apple QuickTime RLE Bit Depth Remote Code Execution Vulnerability oval:org.mitre.oval:def:7062 APPLE-SA-2010-03-30-1 Heap-based buffer overflow in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with M-JPEG encoding, which causes QuickTime to calculate a buffer size using height and width fields, but to use a different field to control the length of a copy operation. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://www.zerodayinitiative.com/advisories/ZDI-10-037 20100402 ZDI-10-037: Apple QuickTime MJPEG Sample Dimensions Remote Code Execution Vulnerability oval:org.mitre.oval:def:6673 APPLE-SA-2010-03-30-1 QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with Sorenson encoding. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 oval:org.mitre.oval:def:7077 APPLE-SA-2010-03-30-1 Integer overflow in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a FlashPix image with a malformed SubImage Header Stream containing a NumberOfTiles field with a large value. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://www.zerodayinitiative.com/advisories/ZDI-10-043 20100402 ZDI-10-043: Apple QuickTime FlashPix NumberOfTiles Remote Code Execution Vulnerability oval:org.mitre.oval:def:7498 APPLE-SA-2010-03-30-1 Heap-based buffer overflow in QuickTimeAuthoring.qtx in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted FLC file, related to crafted DELTA_FLI chunks and untrusted length values in a .fli file, which are not properly handled during decompression. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 http://www.zerodayinitiative.com/advisories/ZDI-10-044 20100402 ZDI-10-044: Apple QuickTime FLI LinePacket Remote Code Execution Vulnerability oval:org.mitre.oval:def:6801 APPLE-SA-2010-03-30-1 Server Admin in Apple Mac OS X Server before 10.6.3 does not properly enforce authentication for directory binding, which allows remote attackers to obtain potentially sensitive information from Open Directory via unspecified LDAP requests. APPLE-SA-2010-03-29-1 http://support.apple.com/kb/HT4077 Server Admin in Apple Mac OS X Server 10.5.8 does not properly determine the privileges of users who had former membership in the admin group, which allows remote authenticated users to leverage this former membership to obtain a server connection via screen sharing. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Wiki Server in Apple Mac OS X 10.5.8 does not restrict the file types of uploaded files, which allows remote attackers to obtain sensitive information or possibly have unspecified other impact via a crafted file, as demonstrated by a Java applet. Per: http://support.apple.com/kb/HT4077 'This issue only affects Mac OS X Server systems, and does not affect versions 10.6 or later.' http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 The default configuration of the FreeRADIUS server in Apple Mac OS X Server before 10.6.3 permits EAP-TLS authenticated connections on the basis of an arbitrary client certificate, which allows remote attackers to obtain network connectivity via a crafted RADIUS Access Request message. 39234 http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Mail in Apple Mac OS X before 10.6.3 does not properly enforce the key usage extension during processing of a keychain that specifies multiple certificates for an e-mail recipient, which might make it easier for remote attackers to obtain sensitive information via a brute-force attack on a weakly encrypted e-mail message. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Heap-based buffer overflow in QuickTimeMPEG.qtx in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted genl atom in a QuickTime movie file with MPEG encoding, which is not properly handled during decompression. http://www.zerodayinitiative.com/advisories/ZDI-10-045 http://www.zerodayinitiative.com/advisories/ZDI-10-035 20100402 ZDI-10-045: Apple QuickTime MPEG-1 genl Atom Remote Code Execution Vulnerability 20100402 ZDI-10-035: Apple QuickTime genl Atom Remote Code Execution Vulnerability http://support.apple.com/kb/HT4077 oval:org.mitre.oval:def:6927 APPLE-SA-2010-03-30-1 APPLE-SA-2010-03-29-1 Integer overflow in Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image. Per: http://lists.apple.com/archives/security-announce/2010//Mar/msg00002.html 'This issue does not affect Mac OS X systems' APPLE-SA-2010-03-30-1 oval:org.mitre.oval:def:7458 Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted color tables in a movie file, related to malformed MediaVideo data, a sample description atom (STSD), and a crafted length value. Per: http://lists.apple.com/archives/security-announce/2010//Mar/msg00002.html 'This issue does not affect Mac OS X systems.' APPLE-SA-2010-03-30-1 http://www.zerodayinitiative.com/advisories/ZDI-10-042 20100402 ZDI-10-042: Apple QuickTime MediaVideo Compressor Name Remote Code Execution Vulnerability oval:org.mitre.oval:def:6989 Heap-based buffer overflow in QuickTime.qts in Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PICT image with a BkPixPat opcode (0x12) containing crafted values that are used in a calculation for memory allocation. Per: http://lists.apple.com/archives/security-announce/2010//Mar/msg00002.html 'This issue does not affect Mac OS X systems.' APPLE-SA-2010-03-30-1 http://www.zerodayinitiative.com/advisories/ZDI-10-067 20100406 ZDI-10-067: Apple QuickTime Pict BkPixPat Remote Code Execution Vulnerability oval:org.mitre.oval:def:6780 Apple QuickTime before 7.6.9 on Windows sets weak permissions for the Apple Computer directory in the profile of a user account, which allows local users to obtain sensitive information by reading files in this directory. APPLE-SA-2010-12-07-1 1024829 http://support.apple.com/kb/HT4447 Apple iTunes before 9.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted MP4 podcast file. APPLE-SA-2010-03-30-2 http://support.apple.com/kb/HT4105 39135 oval:org.mitre.oval:def:7427 Race condition in the installation package in Apple iTunes before 9.1 on Windows allows local users to gain privileges by replacing an unspecified file with a Trojan horse. Per: http://lists.apple.com/archives/security-announce/2010//Mar/msg00003.html 'This issue does not affect Mac OS X systems.' APPLE-SA-2010-03-30-2 http://support.apple.com/kb/HT4105 39135 oval:org.mitre.oval:def:7110 Directory traversal vulnerability in AFP Server in Apple Mac OS X before 10.6.3 allows remote attackers to list a share root's parent directory, and read and modify files in that directory, via unspecified vectors. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Wiki Server in Apple Mac OS X 10.6 before 10.6.3 does not enforce the service access control list (SACL) for weblogs during weblog creation, which allows remote authenticated users to publish content via HTTP requests. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Dovecot in Apple Mac OS X 10.6 before 10.6.3, when Kerberos is enabled, does not properly enforce the service access control list (SACL) for sending and receiving e-mail, which allows remote authenticated users to bypass intended access restrictions via unspecified vectors. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Apple QuickTime before 7.6.6 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted BMP image. Per: http://lists.apple.com/archives/security-announce/2010//Mar/msg00002.html ' This issue does not affect Mac OS X systems.' APPLE-SA-2010-03-30-1 oval:org.mitre.oval:def:6969 DesktopServices in Apple Mac OS X 10.6 before 10.6.3 does not properly resolve pathnames in certain circumstances involving an application's save panel, which allows user-assisted remote attackers to trigger unintended remote file copying via a crafted share name. http://support.apple.com/kb/HT4077 APPLE-SA-2010-03-29-1 Apple Java for Mac OS X 10.5 before Update 7 and Java for Mac OS X 10.6 before Update 2 do not properly handle mediaLibImage objects, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted applet, related to the com.sun.medialib.mlib package. 40238 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 ADV-2010-1191 1024011 39819 Integer signedness error in the window drawing implementation in Apple Java for Mac OS X 10.5 before Update 7 and Java for Mac OS X 10.6 before Update 2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted applet. ADV-2010-1191 40240 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 1024012 39819 Cross-site request forgery (CSRF) vulnerability in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, allows remote attackers to hijack the authentication of administrators for requests that change settings. ADV-2010-1481 40871 http://support.apple.com/kb/HT4188 ADV-2011-0535 1024122 MDVSA-2010:234 MDVSA-2010:233 MDVSA-2010:232 DSA-2176 43521 40220 oval:org.mitre.oval:def:10382 APPLE-SA-2010-06-15-1 http://cups.org/str.php?L3498 http://cups.org/articles.php?L596 Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page. 40871 http://support.apple.com/kb/HT4188 ADV-2010-1481 RHSA-2011:0909 RHSA-2011:0908 MDVSA-2011:098 MDVSA-2011:097 40220 APPLE-SA-2010-06-15-1 The _WriteProlog function in texttops.c in texttops in the Text Filter subsystem in CUPS before 1.4.4 does not check the return values of certain calloc calls, which allows remote attackers to cause a denial of service (NULL pointer dereference or heap memory corruption) or possibly execute arbitrary code via a crafted file. https://bugzilla.redhat.com/show_bug.cgi?id=587746 http://cups.org/strfiles/3516/str3516.patch http://cups.org/articles.php?L596 ADV-2011-0535 40943 MDVSA-2010:234 MDVSA-2010:232 DSA-2176 1024121 43521 oval:org.mitre.oval:def:10365 SUSE-SR:2010:023 http://cups.org/str.php?L3516 ImageIO in Apple Mac OS X 10.5.8, and 10.6 before 10.6.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with MPEG2 encoding. ADV-2010-1481 40871 http://support.apple.com/kb/HT4188 1024103 40220 APPLE-SA-2010-06-15-1 Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors related to a malformed URL. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2010-1512 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 42314 40196 40105 oval:org.mitre.oval:def:6656 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 The Finder in DesktopServices in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, does not set the expected file ownerships during an "Apply to enclosed items" action, which allows local users to bypass intended access restrictions via normal filesystem operations. ADV-2010-1481 40871 http://support.apple.com/kb/HT4188 1024103 40220 APPLE-SA-2010-06-15-1 Folder Manager in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows local users to delete arbitrary folders via a symlink attack in conjunction with an unmount operation on a crafted volume, related to the Cleanup At Startup folder. ADV-2010-1481 40871 http://support.apple.com/kb/HT4188 1024103 40220 APPLE-SA-2010-06-15-1 client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. ADV-2010-1062 38326 MDVSA-2010:090 39317 SUSE-SR:2010:014 SUSE-SR:2010:008 http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054 Multiple unspecified vulnerabilities in the Network Controller and Web Server in Xerox WorkCentre 5632, 5638, 5645, 5655, 5665, 5675, and 5687 allow remote attackers to (1) access mailboxes via unknown vectors that bypass Scan to Mailbox authorization or (2) read device configuration information via via unknown vectors that bypass web server authorization. http://www.xerox.com/downloads/usa/en/c/cert_XRX10-002_v1.0.pdf ADV-2010-0209 38139 Unspecified vulnerability in the Network Controller in Xerox WorkCentre 6400 System Software 060.070.109.11407 through 060.070.109.29510, and Net Controller 060.079.11410 through 060.079.29310, allows remote attackers to access "directory structure" via a crafted PostScript file, aka "Unauthorized Directory Structure Access Vulnerability." http://www.xerox.com/downloads/usa/en/c/cert_XRX10-001_v1.0.pdf ADV-2010-0208 1023500 38339 admin.htm in Geo++ GNCASTER 1.4.0.7 and earlier does not properly enforce HTTP Digest Authentication, which allows remote authenticated users to use HTTP Basic Authentication, bypassing intended server policy. gncaster-httpbasic-weak-security(55976) 20100127 [RT-SA-2010-003] Geo++(R) GNCASTER: Faulty implementation of HTTPDigest Authentication http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-003/-geo-r-gncaster-faulty-implementation-of-http-digest-authentication 38323 62013 HTTP authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to read authentication headers of other users via a large request with an incorrect authentication attempt, which includes sensitive memory in the response. NOTE: this is referred to as a "memory leak" by some sources, but is better characterized as "memory disclosure." gncaster-server-info-disclosure(55978) 20100127 [RT-SA-2010-003] Geo++(R) GNCASTER: Faulty implementation of HTTPDigest Authentication http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-003/-geo-r-gncaster-faulty-implementation-of-http-digest-authentication 38323 62015 Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via multiple requests for a non-existent file using a long URI. gncaster-httpget-code-execution(55974) 20100127 [RT-SA-2010-001] Geo++(R) GNCASTER: Insecure handling of long URLs http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-001/-geo-r-gncaster-insecure-handling-of-long-urls 38323 62011 Geo++ GNCASTER 1.4.0.7 and earlier allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a long NMEA data sentence. gncaster-nmea-code-execution(55975) 20100127 [RT-SA-2010-002] Geo++(R) GNCASTER: Insecure handling of NMEA-data http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-002/-geo-r-gncaster-insecure-handling-of-nmea-data 38323 62012 The HTTP Authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier uses the same nonce for all authentication, which allows remote attackers to hijack web sessions or bypass authentication via a replay attack. gncaster-nonce-replay(55977) 20100127 [RT-SA-2010-003] Geo++(R) GNCASTER: Faulty implementation of HTTPDigest Authentication http://www.redteam-pentesting.de/en/advisories/rt-sa-2010-003/-geo-r-gncaster-faulty-implementation-of-http-digest-authentication 38323 62014 Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving the product's use of text/html as the default content type for files that are encountered after a redirection, aka the URLMON sniffing vulnerability, a variant of CVE-2009-1140 and related to CVE-2008-1448. 38056 38055 20100203 CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities http://www.microsoft.com/technet/security/advisory/980088.mspx http://www.coresecurity.com/content/internet-explorer-dynamic-object-tag 62157 http://isc.sans.org/diary.html?n&storyid=8152 http://blogs.technet.com/msrc/archive/2010/02/03/security-advisory-980088-released.aspx browser/login/login_prompt.cc in Google Chrome before 4.0.249.89 populates an authentication dialog with credentials that were stored by Password Manager for a different web site, which allows user-assisted remote HTTP servers to obtain sensitive information via a URL that requires authentication, as demonstrated by a URL in the SRC attribute of an IMG element. http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html googlechrome-dialogs-phishing(56216) ADV-2010-0361 http://www.vsecurity.com/advisory/20100215-1.txt 38177 20100216 Chrome Password Manager Cross Origin Weakness (CVE-2010-0556) 62319 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023583 38545 oval:org.mitre.oval:def:14407 http://code.google.com/p/chromium/issues/detail?id=32718 IBM Cognos Express 9.0 allows attackers to obtain unspecified access to the Tomcat Manager component, and cause a denial of service, by leveraging hardcoded credentials. ADV-2010-0297 38084 62118 http://www-01.ibm.com/support/docview.wss?uid=swg21419179 38457 The default configuration of Oracle OpenSolaris snv_77 through snv_131 allows attackers to have an unspecified impact via vectors related to using smbadm to join a Windows Active Directory domain. opensolaris-smbadm-unspecified(56521) 1023545 275790 The default configuration of Oracle OpenSolaris snv_91 through snv_131 allows attackers to have an unspecified impact via vectors related to using kclient to join a Windows Active Directory domain. 1023545 1021793 275790 Unspecified vulnerability in the BIOS in Intel Desktop Board DB, DG, DH, DP, and DQ Series allows local administrators to execute arbitrary code in System Management Mode (SSM) via unknown attack vectors. intel-bios-privilege-escalation(56384) ADV-2010-0271 38251 http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00022&languageid=en-fr 38413 62071 Integer signedness error in NetBSD 4.0, 5.0, and NetBSD-current before 2010-01-21 allows local users to cause a denial of service (kernel panic) via a negative mixer index number being passed to (1) the azalia_query_devinfo function in the azalia audio driver (src/sys/dev/pci/azalia.c) or (2) the hdaudio_afg_query_devinfo function in the hdaudio audio driver (src/sys/dev/pci/hdaudio/hdaudio_afg.c). 1023539 38057 38284 62082 62081 NetBSD-SA2010-003 The sdump function in sdump.c in fetchmail 6.3.11, 6.3.12, and 6.3.13, when running in verbose mode on platforms for which char is signed, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an SSL X.509 certificate containing non-printable characters with the high bit set, which triggers a heap-based buffer overflow during escaping. ADV-2010-0296 1023543 38088 MDVSA-2010:037 http://www.fetchmail.info/fetchmail-SA-2010-01.txt 38391 62114 http://mknod.org/svn/fetchmail/branches/BRANCH_6-3/fetchmail-SA-2010-01.txt The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted. http://www-01.ibm.com/support/docview.wss?uid=swg21417839 38122 62140 PM00610 1023551 38425 Buffer overflow in Trend Micro URL Filtering Engine (TMUFE) in OfficeScan 8.0 before SP1 Patch 5 - Build 3510, possibly tmufeng.dll before 3.0.0.1029, allows attackers to cause a denial of service (crash or OfficeScan hang) via unspecified vectors. NOTE: it is likely that this issue also affects tmufeng.dll before 2.0.0.1049 for OfficeScan 10.0. ADV-2010-0295 officescan-tmufe-bo(56097) http://www.trendmicro.com/ftp/documentation/readme/readme_1224.txt http://www.trendmicro.com/ftp/documentation/readme/OSCE_80_Win_SP1_Patch_5_en_readme.txt 1023553 38083 38396 Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.2 before 7.2(4.45), 8.0 before 8.0(4.44), 8.1 before 8.1(2.35), and 8.2 before 8.2(1.10), allows remote attackers to cause a denial of service (page fault and device reload) via a malformed DTLS message, aka Bug ID CSCtb64913 and "WebVPN DTLS Denial of Service Vulnerability." cisco-asa-webvpn-dtls-dos(56339) ADV-2010-0415 1023612 38280 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 38618 62430 Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(4.44), 8.1 before 8.1(2.35), and 8.2 before 8.2(1.10) allows remote attackers to cause a denial of service (device reload) via a malformed TCP segment when certain NAT translation and Cisco AIP-SSM configurations are used, aka Bug ID CSCtb37219. cisco-asa-nat-aipssm-dos(56340) ADV-2010-0415 1023612 38278 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 38618 62431 Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(5.1), 8.1 before 8.1(2.37), and 8.2 before 8.2(1.15); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (active IPsec tunnel loss and prevention of new tunnels) via a malformed IKE message through an existing tunnel to UDP port 4500, aka Bug ID CSCtc47782. cisco-asa-ike-dos(56341) ADV-2010-0415 1023612 38279 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 38636 38618 62436 Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(5.7), 8.1 before 8.1(2.40), and 8.2 before 8.2(2.1); and Cisco PIX 500 Series Security Appliance; allows remote attackers to bypass NTLMv1 authentication via a crafted username, aka Bug ID CSCte21953. cisco-asa-ntlmv1-security-bypass(56342) ADV-2010-0415 1023612 38279 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 38636 38618 62437 Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(5.2), 8.1 before 8.1(2.37), and 8.2 before 8.2(1.16); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (device reload) via malformed SIP messages, aka Bug ID CSCtc96018. cisco-asa-sip-dos(56337) ADV-2010-0415 1023612 38281 20100217 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 38636 38618 62435 Cisco Digital Media Manager (DMM) 5.0.x and 5.1.x has a default password for the Tomcat administration account, which makes it easier for remote attackers to execute arbitrary code via a crafted web application, aka Bug ID CSCta03378. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1b923.shtml "Default Credentials Cisco DMM versions 5.0.x and 5.1.x are affected by this vulnerability. Cisco DMM versions 4.x are not vulnerable" 20100303 Multiple Vulnerabilities in Cisco Digital Media Manager cisco-ddm-default-credentials(56634) ADV-2010-0531 38503 1023671 38800 Unspecified vulnerability in Cisco Digital Media Manager (DMM) 5.0.x and 5.1.x allows remote authenticated users to gain privileges via unknown vectors, and consequently execute arbitrary code via a crafted web application, aka Bug ID CSCtc46008. 20100303 Multiple Vulnerabilities in Cisco Digital Media Manager cisco-ddm-privilege-escalation(56636) ADV-2010-0531 38500 1023671 38800 Cisco Digital Media Manager (DMM) before 5.2 allows remote authenticated users to discover Cisco Digital Media Player credentials via vectors related to reading a (1) error log or (2) stack trace, aka Bug ID CSCtc46050. 20100303 Multiple Vulnerabilities in Cisco Digital Media Manager cisco-ddm-mediaplayer-info-disc(56637) ADV-2010-0531 38502 1023671 38800 Unspecified vulnerability on the Cisco Digital Media Player before 5.2 allows remote attackers to hijack the source of (1) video or (2) data for a display via unknown vectors, related to a "content injection" issue, aka Bug ID CSCtc46024. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1b925.shtml " Vulnerable Products Cisco Digital Media Player versions earlier than 5.2 are affected by this vulnerability" 20100303 Cisco Digital Media Player Remote Display Unauthorized Content Injection Vulnerability cisco-mediaplayer-content-data-manipulation(56639) ADV-2010-0532 38504 1023672 38799 62723 Unspecified vulnerability in Cisco Wireless LAN Controller (WLC) software 3.2 before 3.2.215.0; 4.1 and 4.2 before 4.2.205.0; 4.1M and 4.2M before 4.2.207.54M; 5.0, 5.1, and 6.0 before 6.0.188.0; and 5.2 before 5.2.193.11 allows remote attackers to cause a denial of service (device reload) via a crafted IKE packet, aka Bug ID CSCta56653. 20100908 Multiple Vulnerabilities in Cisco Wireless LAN Controllers http://tools.cisco.com/security/center/viewAlert.x?alertId=21287 Cisco Wireless LAN Controller (WLC) software, possibly 6.0.x or possibly 4.1 through 6.0.x, allows remote attackers to bypass ACLs in the controller CPU, and consequently send network traffic to unintended segments or devices, via unspecified vectors, a different vulnerability than CVE-2010-3034. 20100908 Multiple Vulnerabilities in Cisco Wireless LAN Controllers http://tools.cisco.com/security/center/viewAlert.x?alertId=21291 Unspecified vulnerability in Cisco IOS 12.0 through 12.4, IOS XE 2.1.x through 2.3.x before 2.3.2, and IOS XR 3.2.x through 3.4.3, when Multiprotocol Label Switching (MPLS) and Label Distribution Protocol (LDP) are enabled, allows remote attackers to cause a denial of service (device reload or process restart) via a crafted LDP packet, aka Bug IDs CSCsz45567 and CSCsj25893. Per: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20ee2.shtml 'Affected Products Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software devices are vulnerable if they are configured to listen for either targeted LDP hello messages or link LDP hello messages. All versions of Cisco IOS Software and Cisco IOS XE Software that support MPLS are affected. Cisco IOS XR Software is affected in releases prior to 3.5.2.' 20100324 Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability ciscoios-ldp-dos(57143) ADV-2010-0707 1023740 38938 39065 63188 Cisco IOS 12.2 through 12.4, when certain PMTUD, SNAT, or window-size configurations are used, allows remote attackers to cause a denial of service (infinite loop, and device reload or hang) via a TCP segment with crafted options, aka Bug ID CSCsz75186. 20100324 Cisco IOS Software Crafted TCP Packet Denial of Service Vulnerability ciscoios-tcpsegment-dos(57129) ADV-2010-0703 1023743 38930 39078 63178 The IKE implementation in Cisco IOS 12.2 through 12.4 on Cisco 7200 and 7301 routers with VAM2+ allows remote attackers to cause a denial of service (device reload) via a malformed IKE packet, aka Bug ID CSCtb13491. Per:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20ee5.shtml 'IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used with the IPsec standard. IKE is a hybrid protocol that implements the Oakley and SKEME key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and SKEME are security protocols that are implemented by IKE.). More information on IKE is available at the following link: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_key_exch_ipsec.html A vulnerability exists in the Cisco IOS Software implementation of IKE where a malformed packet may cause a device running Cisco IOS Software to reload. Only Cisco 7200 Series and Cisco 7301 routers running Cisco IOS software with a VPN Acceleration Module 2+ (VAM2+) installed are affected. This vulnerability is documented in Cisco Bug ID CSCtb13491 ( registered customers only) and has been assigned CVE ID CVE-2010-0578.' 20100324 Cisco IOS Software IPsec Vulnerability ciscoios-vpn-dos(57148) ADV-2010-0709 1023741 38932 39057 63182 The SIP implementation in Cisco IOS 12.3 and 12.4 allows remote attackers to cause a denial of service (device reload) via a malformed SIP message, aka Bug ID CSCtb93416, the "SIP Message Handling Denial of Service Vulnerability." 20100324 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities http://tools.cisco.com/security/center/viewAlert.x?alertId=20063 1023744 39068 Unspecified vulnerability in the SIP implementation in Cisco IOS 12.3 and 12.4 allows remote attackers to execute arbitrary code via a malformed SIP message, aka Bug ID CSCsz48680, the "SIP Message Processing Arbitrary Code Execution Vulnerability." 20100324 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities http://tools.cisco.com/security/center/viewAlert.x?alertId=20064 1023744 39068 Unspecified vulnerability in the SIP implementation in Cisco IOS 12.3 and 12.4 allows remote attackers to execute arbitrary code via a malformed SIP message, aka Bug ID CSCsz89904, the "SIP Packet Parsing Arbitrary Code Execution Vulnerability." 20100324 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities http://tools.cisco.com/security/center/viewAlert.x?alertId=20065 1023744 39068 Cisco IOS 12.1 through 12.4, and 15.0M before 15.0(1)M1, allows remote attackers to cause a denial of service (interface queue wedge) via malformed H.323 packets, aka Bug ID CSCta19962. 20100324 Cisco IOS Software H.323 Denial of Service Vulnerabilities ADV-2010-0706 1023742 39067 Memory leak in the H.323 implementation in Cisco IOS 12.1 through 12.4, and 15.0M before 15.0(1)M1, allows remote attackers to cause a denial of service (memory consumption and device reload) via malformed H.323 packets, aka Bug ID CSCtb93855. 20100324 Cisco IOS Software H.323 Denial of Service Vulnerabilities ciscoios-memory-dos(57140) ADV-2010-0706 1023742 38934 39067 63181 Unspecified vulnerability in Cisco IOS 12.4, when NAT SCCP fragmentation support is enabled, allows remote attackers to cause a denial of service (device reload) via crafted Skinny Client Control Protocol (SCCP) packets, aka Bug ID CSCsy09250. ADV-2010-0708 1023739 20100324 Cisco IOS Software NAT Skinny Call Control Protocol Vulnerability 39062 63187 Cisco IOS 12.1 through 12.4, when Cisco Unified Communications Manager Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) is enabled, allows remote attackers to cause a denial of service (device reload) via a malformed Skinny Client Control Protocol (SCCP) message, aka Bug ID CSCsz48614, the "SCCP Packet Processing Denial of Service Vulnerability." 20100324 Cisco Unified Communications Manager Express Denial of Service Vulnerabilities http://tools.cisco.com/security/center/viewAlert.x?alertId=20069 39069 Cisco IOS 12.1 through 12.4, when Cisco Unified Communications Manager Express (CME) or Cisco Unified Survivable Remote Site Telephony (SRST) is enabled, allows remote attackers to cause a denial of service (device reload) via a malformed Skinny Client Control Protocol (SCCP) message, aka Bug ID CSCsz49741, the "SCCP Request Handling Denial of Service Vulnerability." 20100324 Cisco Unified Communications Manager Express Denial of Service Vulnerabilities http://tools.cisco.com/security/center/viewAlert.x?alertId=20070 39069 oval:org.mitre.oval:def:6625 63177 Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x before 4.3(2)SR2, 6.x before 6.1(5), 7.x before 7.1(3a)su1, and 8.x before 8.0(1) allows remote attackers to cause a denial of service (process failure) via a malformed SCCP StationCapabilitiesRes message with an invalid MaxCap field, aka Bug ID CSCtc38985. Per:http://www.cisco.com/en/US/products/products_security_advisory09186a0080b1b924.shtml The following products are affected by vulnerabilities that are described in this advisory: * Cisco Unified Communications Manager 4.x * Cisco Unified Communications Manager 5.x * Cisco Unified Communications Manager 6.x * Cisco Unified Communications Manager 7.x 20100303 Cisco Unified Communications Manager Denial of Service Vulnerabilities 38496 1023670 Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5), 7.x before 7.1(3a)su1, and 8.x before 8.0(1) allows remote attackers to cause a denial of service (process failure) via a malformed SCCP (1) RegAvailableLines or (2) FwdStatReq message with an invalid Line number, aka Bug ID CSCtc47823. 20100303 Cisco Unified Communications Manager Denial of Service Vulnerabilities 38501 1023670 The Web Install ActiveX control (CSDWebInstaller) in Cisco Secure Desktop (CSD) before 3.5.841 does not properly verify the signatures of downloaded programs, which allows remote attackers to force the download and execution of arbitrary files via a crafted web page, aka Bug ID CSCta25876. 20100414 Cisco Secure Desktop ActiveX Control Code Execution Vulnerability cisco-csdwebinstaller-code-execution(57812) http://www.zerodayinitiative.com/advisories/ZDI-10-072/ 39478 1023881 The CMSIPUtility component in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 7.x before 7.1(3a)su1 and 8.x before 8.0(1) allows remote attackers to cause a denial of service (process failure) via a malformed SIP Register message, aka Bug ID CSCtc37188. 20100303 Cisco Unified Communications Manager Denial of Service Vulnerabilities 38495 1023670 Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5), 7.x before 7.1(3b)SU2, and 8.x before 8.0(1) allows remote attackers to cause a denial of service (process failure) via a malformed SIP REG message, related to an overflow of the Telephone-URL field, aka Bug ID CSCtc62362. 20100303 Cisco Unified Communications Manager Denial of Service Vulnerabilities 38498 1023670 The CTI Manager service in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x before 4.3(2)sr1a, 6.x before 6.1(3), 7.0x before 7.0(2), 7.1x before 7.1(2), and 8.x before 8.0(1) allows remote attackers to cause a denial of service (service failure) via a malformed message, aka Bug ID CSCsu31800. 20100303 Cisco Unified Communications Manager Denial of Service Vulnerabilities 38497 1023670 The Cisco RVS4000 4-port Gigabit Security Router before 1.3.2.0, PVC2300 Business Internet Video Camera before 1.1.2.6, WVC200 Wireless-G PTZ Internet Video Camera before 1.1.1.15, WVC210 Wireless-G PTZ Internet Video Camera before 1.1.1.15, and WVC2300 Wireless-G Business Internet Video Camera before 1.1.2.6 do not properly restrict read access to passwords, which allows context-dependent attackers to obtain sensitive information, related to (1) access by remote authenticated users to a PVC2300 or WVC2300 via a crafted URL, (2) leveraging setup privileges on a WVC200 or WVC210, and (3) leveraging administrative privileges on an RVS4000, aka Bug ID CSCte64726. 20100421 Cisco Small Business Video Surveillance Cameras and Cisco 4-Port Gigabit Security Routers Authentication Bypass Vulnerability cisco-small-business-unauth-access(58034) ADV-2010-0965 1023906 39612 39510 63978 Cross-site scripting (XSS) vulnerability in Cisco Router and Security Device Manager (SDM) allows remote attackers to inject arbitrary web script or HTML via unknown vectors, aka Bug ID CSCtb38467. JVNDB-2010-000014 JVN#14313132 Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 has a default password for the administrative user account and unspecified other accounts, which makes it easier for remote attackers to obtain privileged access, aka Bug ID CSCtb83495. VU#757804 20100526 Multiple Vulnerabilities in Cisco Network Building Mediator cisco-nbn-default-credentials(58893) http://www.us-cert.gov/control_systems/pdf/ICSA-10-147-01_Cisco_Network_Building_Mediator.pdf 40380 1024027 39904 Unspecified vulnerability in Cisco Mediator Framework 2.2 before 2.2.1.dev.1 and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 allows remote authenticated users to read or modify the device configuration, and gain privileges, via a (1) HTTP or (2) HTTPS request, aka Bug ID CSCtb83607. VU#757804 20100526 Multiple Vulnerabilities in Cisco Network Building Mediator http://www.us-cert.gov/control_systems/pdf/ICSA-10-147-01_Cisco_Network_Building_Mediator.pdf 1024027 39904 Unspecified vulnerability in Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 allows remote authenticated users to read or modify the device configuration, and gain privileges or cause a denial of service (device reload), via a (1) XML RPC or (2) XML RPC over HTTPS request, aka Bug ID CSCtb83618. VU#757804 20100526 Multiple Vulnerabilities in Cisco Network Building Mediator http://www.us-cert.gov/control_systems/pdf/ICSA-10-147-01_Cisco_Network_Building_Mediator.pdf 40386 1024027 39904 Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt HTTP sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83631. VU#757804 20100526 Multiple Vulnerabilities in Cisco Network Building Mediator http://www.us-cert.gov/control_systems/pdf/ICSA-10-147-01_Cisco_Network_Building_Mediator.pdf 1024027 39904 Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt XML RPC sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83505. VU#757804 20100526 Multiple Vulnerabilities in Cisco Network Building Mediator http://www.us-cert.gov/control_systems/pdf/ICSA-10-147-01_Cisco_Network_Building_Mediator.pdf 1024027 39904 Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not properly restrict network access to an unspecified configuration file, which allows remote attackers to read passwords and unspecified other account details via a (1) XML RPC or (2) XML RPC over HTTPS session, aka Bug ID CSCtb83512. VU#757804 20100526 Multiple Vulnerabilities in Cisco Network Building Mediator http://www.us-cert.gov/control_systems/pdf/ICSA-10-147-01_Cisco_Network_Building_Mediator.pdf 40384 1024027 39904 The MGCP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S11 allows remote attackers to cause a denial of service (device crash) via a malformed packet, aka Bug ID CSCsl39126. 20100512 Multiple Vulnerabilities in Cisco PGW Softswitch 40117 64680 The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S11 allows remote attackers to cause a denial of service (device crash) via a malformed packet, aka Bug ID CSCsk32606. 20100512 Multiple Vulnerabilities in Cisco PGW Softswitch 40120 64688 The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S10 allows remote attackers to cause a denial of service (device crash) via a malformed session attribute, aka Bug ID CSCsk40030. 20100512 Multiple Vulnerabilities in Cisco PGW Softswitch 40121 Unspecified vulnerability in the SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S10 allows remote attackers to cause a denial of service (device crash) via unknown SIP traffic, as demonstrated by "SIP testing," aka Bug ID CSCsk38165. 20100512 Multiple Vulnerabilities in Cisco PGW Softswitch 40122 64686 SQL injection vulnerability in scp/ajax.php in osTicket before 1.6.0 Stable allows remote authenticated users, with "Staff" permissions, to execute arbitrary SQL commands via the input parameter. http://osticket.com/forums/project.php?issueid=176 38166 11380 38515 http://packetstormsecurity.org/1002-exploits/osTicket-1.6-RC5-SQLi.pdf Cross-site scripting (XSS) vulnerability in scp/ajax.php in osTicket before 1.6.0 Stable allows remote authenticated users to inject arbitrary web script or HTML via the f parameter, possibly related to an error message generated by scp/admin.php. http://osticket.com/forums/project.php?issueid=176 38166 38515 http://packetstormsecurity.org/1002-exploits/osTicket-1.6-RC5-ReflectedXSS.pdf Cross-site scripting (XSS) vulnerability in Forms/status_statistics_1 in the Sterlite SAM300 AX Router allows remote attackers to inject arbitrary web script or HTML via the Stat_Radio parameter. 38463 http://packetstormsecurity.org/1002-exploits/sterlite-xss.txt 62211 20100204 Sterlite SAM300AX ADSL router - Cross Site SQL injection vulnerability in index.php in NovaBoard 1.1.2 allows remote attackers to execute arbitrary SQL commands via the forums[] parameter in a search action. 37988 62002 11278 38368 http://packetstormsecurity.org/1001-exploits/novaboard112-sql.txt SQL injection vulnerability in header.php in NovaBoard 1.1.2 allows remote attackers to execute arbitrary SQL commands via the nova_name cookie parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 62003 38368 Multiple SQL injection vulnerabilities in the Photoblog (com_photoblog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the blog parameter in an images action to index.php. NOTE: a separate vector for the id parameter to detail.php may also exist. photoblog-blog-sql-injection(56135) 38136 11337 http://packetstormsecurity.org/1002-exploits/joomlaphotoblog-bsql.txt Multiple SQL injection vulnerabilities in adminlogin.php in Baal Systems 3.8 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. baalsystems-adminlogin-sql-injection(56147) 38139 11346 http://packetstormsecurity.org/1002-exploits/baalsystems-sql.txt Unspecified vulnerability in DocumentManager before 4.0 has unknown impact and attack vectors, related to file rights. http://freshmeat.net/projects/dmanager/releases/311735 62032 38441 Directory traversal vulnerability in viewfile.php in ARWScripts Fonts Script allows remote attackers to read arbitrary local files via directory traversal sequences in a base64-encoded f parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38709 38518 SQL injection vulnerability in ajax.php in evalSMSI 2.1.03 allows remote attackers to execute arbitrary SQL commands via the query parameter in the (1) question action, and possibly the (2) sub_par or (3) num_quest actions. evalsmsi-ajax-sql-injection(56152) 38116 20100204 CORELAN-10-008 - Multiple vulnerabilities found in evalmsi 2.1.03 62177 http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-008-evalmsi-2-1-03-multiple-vulnerabilities/ 38478 http://packetstormsecurity.org/1002-exploits/corelan-10-008-evalmsi.txt Cross-site scripting (XSS) vulnerability in assess.php in evalSMSI 2.1.03 allows remote attackers to inject arbitrary web script or HTML via the reports comment box in a continue_assess action. NOTE: some of these details are obtained from third party information. evalsmsi-comment-xss(56154) 38116 20100204 CORELAN-10-008 - Multiple vulnerabilities found in evalmsi 2.1.03 62178 http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-008-evalmsi-2-1-03-multiple-vulnerabilities/ 38478 http://packetstormsecurity.org/1002-exploits/corelan-10-008-evalmsi.txt evalSMSI 2.1.03 stores passwords in cleartext in the database, which allows attackers with database access to gain privileges. NOTE: remote attack vectors are possible by leveraging a separate SQL injection vulnerability. 38116 20100204 CORELAN-10-008 - Multiple vulnerabilities found in evalmsi 2.1.03 62180 http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-008-evalmsi-2-1-03-multiple-vulnerabilities/ 38478 http://packetstormsecurity.org/1002-exploits/corelan-10-008-evalmsi.txt Cross-site scripting (XSS) vulnerability in ajax.php in evalSMSI 2.1.03 allows remote attackers to inject arbitrary web script or HTML via the return parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. evalsmsi-ajax-xss(56157) 62179 38478 The flood-protection feature in the base, IPDS DLE, Forms DLE, Barcode DLE, Prescribe DLE, and Printcryption DLE components on certain Lexmark laser and inkjet printers and MarkNet devices allows remote attackers to cause a denial of service (TCP outage) by making many passive FTP connections and then aborting these connections. Per: http://support.lexmark.com/index?page=content&id=TE85&locale=EN&userlocale=EN_US#Printcryption 'Details Lexmark products have connection flood protection mechanisms that limit the number of simultaneous network connections that can be made to the device on most TCP service ports. (21/FTP 79/Finger, 515/LPD, 631/IPP, 5001, 9100-9104, 9200, 9300, 9400, 9500-9501 & 9600) The FTP service exception handler does not properly maintain the state of the flood protection when passive FTP connections are aborted. Once a sufficient number of passive FTP connections have timed out (typically 15), the flood protection is enabled and is never reset. The flood protection can be reset by resetting the network adapter, or by power cycling the device. The firmware update that resolves this vulnerability automatically resets the flood protection after the “Network Job Timeout” has expired or 90 seconds if the “Network Job Timeout” is disabled.' 38906 20100322 {PRL} Lexmark Multiple Laser printer FTP Remote Denial of Services http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=11&Itemid=11 http://support.lexmark.com/index?page=content&id=TE85&locale=EN&userlocale=EN_US 39056 Stack-based buffer overflow in the base, IPDS DLE, Forms DLE, Barcode DLE, Prescribe DLE, and Printcryption DLE components on certain Lexmark laser printers and multi-function printers allows remote attackers to execute arbitrary code or cause a denial of service (device hang) via a long argument to a PJL INQUIRE command. 38901 20100322 {PRL} Lexmark Multiple Laser Printer Remote Stack Overflow http://support.lexmark.com/index?page=content&id=TE84&locale=EN&userlocale=EN_US Directory traversal vulnerability in the SSL Service in EMC HomeBase Server 6.2.x before 6.2.3 and 6.3.x before 6.3.2 allows remote attackers to overwrite arbitrary files with any content, and consequently execute arbitrary code, via a .. (dot dot) in an unspecified parameter. Per: http://seclists.org/bugtraq/2010/Feb/222 Affected products: EMC HomeBase Server version 6.2.x EMC HomeBase Server version 6.3.x http://www.zerodayinitiative.com/advisories/ZDI-10-020/ ADV-2010-0458 38380 20100224 ESA-2010-003: EMC HomeBase Server Arbitrary File Upload Vulnerability 8230 The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space. http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.33-rc7 https://bugzilla.redhat.com/show_bug.cgi?id=563091 ADV-2010-0638 http://www.vmware.com/security/advisories/VMSA-2011-0003.html USN-914-1 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0161 [oss-security] 20100211 Re: CVE request - kernel: futex: Handle user space corruption gracefully [oss-security] 20100209 CVE request - kernel: futex: Handle user space corruption gracefully MDVSA-2010:198 MDVSA-2010:088 DSA-2005 43315 39033 38922 38905 38779 oval:org.mitre.oval:def:9655 SUSE-SA:2010:018 SUSE-SA:2010:014 FEDORA-2010-1804 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=51246bfd189064079c54421507236fd2723b18f3 The futex_lock_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly manage a certain reference count, which allows local users to cause a denial of service (OOPS) via vectors involving an unmount of an ext3 filesystem. http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.33-rc7 ADV-2010-0638 USN-914-1 [oss-security] 20100211 Re: CVE request - kernel: futex: Handle user space corruption gracefully MDVSA-2010:088 38922 SUSE-SA:2010:018 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc http://bugzilla.kernel.org/show_bug.cgi?id=14256 Heap-based buffer overflow in the rmt_read__ function in lib/rtapelib.c in the rmt client functionality in GNU tar before 1.23 and GNU cpio before 2.11 allows remote rmt servers to cause a denial of service (memory corruption) or possibly execute arbitrary code by sending more data than was requested, related to archive filenames that contain a : (colon) character. https://bugzilla.redhat.com/show_bug.cgi?id=564368 https://issues.rpath.com/browse/RPL-3219 ADV-2010-1107 ADV-2010-0729 ADV-2010-0728 ADV-2010-0687 ADV-2010-0639 ADV-2010-0629 ADV-2010-0628 20101027 rPSA-2010-0070-1 cpio tar RHSA-2010:0145 RHSA-2010:0144 RHSA-2010:0142 RHSA-2010:0141 MDVSA-2010:065 http://www.agrs.tu-berlin.de/index.php?id=78327 GLSA-201111-11 39008 38988 38869 oval:org.mitre.oval:def:6907 oval:org.mitre.oval:def:10277 62950 SUSE-SR:2010:011 FEDORA-2010-4306 FEDORA-2010-4302 FEDORA-2010-4321 FEDORA-2010-4309 FEDORA-2010-2895 Stack-based buffer overflow in NWFTPD.nlm before 5.10.01 in the FTP server in Novell NetWare 5.1 through 6.5 SP8 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long (1) MKD, (2) RMD, (3) RNFR, or (4) DELE command. https://bugzilla.novell.com/show_bug.cgi?id=569496 http://www.zerodayinitiative.com/advisories/ZDI-10-062 ADV-2010-0742 39041 20100405 ZDI-10-062: Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Remote Code Execution Vulnerabilities 20100329 {PRL} Novell Netware FTP Remote Stack Overflow http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=12&Itemid=12 http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1 1023768 39151 The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in the SPNEGO GSS-API functionality in MIT Kerberos 5 (aka krb5) 1.7 before 1.7.2 and 1.8 before 1.8.1 allows remote attackers to cause a denial of service (assertion failure and daemon crash) via an invalid packet that triggers incorrect preparation of an error token. 38904 https://bugzilla.redhat.com/show_bug.cgi?id=566258 USN-916-1 20100323 MITKRB5-SA-2010-002 denial of service in SPNEGO [CVE-2010-0628 VU#839413] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt 39023 Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number. Per: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt 'AFFECTED SOFTWARE ================= * kadmind in MIT releases krb5-1.5 through krb5-1.6.3.' 39247 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt ADV-2010-0876 20100406 MITKRB5-SA-2010-003 [CVE-2010-0629] denial of service in kadmind in older krb5 releases RHSA-2010:0343 MDVSA-2010:071 DSA-2031 USN-924-1 1023821 39367 39324 39315 39290 39264 oval:org.mitre.oval:def:9489 SUSE-SR:2010:009 FEDORA-2010-6108 http://krbdev.mit.edu/rt/Ticket/Display.html?id=5998 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567052 SQL injection vulnerability in viewjokes.php in Evernew Free Joke Script 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. freejokescript-viewjokes-sql-injection(56043) 38020 11306 35434 http://packetstormsecurity.org/1002-exploits/evernewfjs-sql.txt Multiple SQL injection vulnerabilities in index.php in Eicra Car Rental-Script, when the plugin_id parameter is 4, allow remote attackers to execute arbitrary SQL commands via the (1) users (username) and (2) passwords parameters. 11323 38389 SQL injection vulnerability in the Parkview Consultants SimpleFAQ (com_simplefaq) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a display action to index.php. simplefaq-catid-sql-injection(56028) 38015 11294 http://packetstormsecurity.org/1001-exploits/joomlasimplefaq-sql.txt Unspecified vulnerability in Citrix XenServer 5.0 Update 3 and earlier, and 5.5, allows local users to bypass authentication and execute unspecified Xen API (XAPI) calls via unknown vectors. http://support.citrix.com/article/CTX123460 http://support.citrix.com/article/CTX123456 http://support.citrix.com/article/CTX123193 ADV-2010-0290 1023530 38052 38431 Unspecified vulnerability in Fast Lexical Analyzer Generator (flex) before 2.5.35 has unknown impact and attack vectors. http://freshmeat.net/projects/flex/releases/311661 62029 SQL injection vulnerability in the plgSearchEventsearch::onSearch method in eventsearch.php in the JEvents Search plugin 1.5 through 1.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: some of these details are obtained from third party information. http://www.jevents.net/forum/viewtopic.php?f=17&t=3910#p15526 38050 38404 Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) tab parameter to users.php and the PATH_INFO to (2) day.php, (3) month.php, and (4) week.php. NOTE: some of these details are obtained from third party information. 38053 38222 http://holisticinfosec.org/content/view/133/45/ Multiple cross-site request forgery (CSRF) vulnerabilities in WebCalendar 1.2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) delete an event or (2) ban an IP address from posting via unknown vectors. NOTE: some of these details are obtained from third party information. 38222 http://holisticinfosec.org/content/view/133/45/ Cross-site request forgery (CSRF) vulnerability in WebCalendar 1.2.0 allows remote attackers to hijack the authentication of administrators for requests that change the administrative password via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38222 The htcpHandleTstRequest function in htcp.c in Squid 2.x before 2.6.STABLE24 and 2.7 before 2.7.STABLE8, and htcp.cc in 3.0 before 3.0.STABLE24, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted packets to the HTCP port. Per: http://cwe.mitre.org/data/definitions/476.html 'NULL Pointer Dereference' http://www.squid-cache.org/Versions/v3/3.0/changesets/3.0-ADV-2010_2.patch http://www.squid-cache.org/Versions/v2/2.7/changesets/12600.patch ADV-2010-0603 ADV-2010-0371 http://www.squid-cache.org/Advisories/SQUID-2010_2.txt 1023587 38212 38812 62297 FEDORA-2010-2434 FEDORA-2010-3064 http://bugs.squid-cache.org/show_bug.cgi?id=2858 Cross-site scripting (XSS) vulnerability in CA eHealth Performance Manager 6.0.x through 6.2.x, when malicious HTML detection is disabled, allows remote attackers to inject arbitrary web script or HTML via a crafted request. 38376 20100223 CA20100223-01: Security Notice for CA eHealth Performance Manager 20100223 CA20100223-01: Security Notice for CA eHealth Performance Manager Cross-site scripting (XSS) vulnerability in webline/html/admin/wcs/LoginPage.jhtml in Cisco Collaboration Server (CCS) 5 allows remote attackers to inject arbitrary web script or HTML via the dest parameter. ccs-loginpage-xss(56220) 38201 11403 Cisco Collaboration Server (CCS) 5 allows remote attackers to read the source code of JHTML files via URL encoded characters in the filename extension, as demonstrated by (1) changing .jhtml to %2Ejhtml, (2) changing .jhtml to .jhtm%6C, (3) appending %00 after .jhtml, and (4) appending %c0%80 after .jhtml, related to the (a) doc/docindex.jhtml, (b) browserId/wizardForm.jhtml, (c) webline/html/forms/callback.jhtml, (d) webline/html/forms/callbackICM.jhtml, (e) webline/html/agent/AgentFrame.jhtml, (f) webline/html/agent/default/badlogin.jhtml, (g) callme/callForm.jhtml, (h) webline/html/multichatui/nowDefunctWindow.jhtml, (i) browserId/wizard.jhtml, (j) admin/CiscoAdmin.jhtml, (k) msccallme/mscCallForm.jhtml, and (l) webline/html/admin/wcs/LoginPage.jhtml components. ccs-files-information-disclosure(56221) 38202 11403 Google Chrome before 4.0.249.89 attempts to make direct connections to web sites when all configured proxy servers are unavailable, which allows remote HTTP servers to obtain potentially sensitive information about the identity of a client user via standard HTTP logging, as demonstrated by a proxy server that was configured for the purpose of anonymity. http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html googlechrome-fallback-info-disc(56212) ADV-2010-0361 38177 62315 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023583 38545 oval:org.mitre.oval:def:14500 http://code.google.com/p/chromium/issues/detail?id=12303 Google Chrome before 4.0.249.89, when a SOCKS 5 proxy server is configured, sends DNS queries directly, which allows remote DNS servers to obtain potentially sensitive information about the identity of a client user via request logging, as demonstrated by a proxy server that was configured for the purpose of anonymity. ADV-2010-0361 http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html 38177 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023583 38545 oval:org.mitre.oval:def:13926 http://code.google.com/p/chromium/issues/detail?id=29914 Multiple integer overflows in factory.cc in Google V8 before r3560, as used in Google Chrome before 4.0.249.89, allow remote attackers to execute arbitrary code in the Chrome sandbox via crafted use of JavaScript arrays. http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html googlechrome-v8engine-code-exec(56213) ADV-2010-0361 38177 62316 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023583 38545 oval:org.mitre.oval:def:14508 http://codereview.chromium.org/525064 http://code.google.com/p/v8/source/detail?r=3560 http://code.google.com/p/chromium/issues/detail?id=31009 Multiple integer signedness errors in factory.cc in Google V8 before r3560, as used in Google Chrome before 4.0.249.89, allow remote attackers to execute arbitrary code in the Chrome sandbox via crafted use of JavaScript arrays. ADV-2010-0361 http://codereview.chromium.org/525064 googlechrome-v8engine-code-exec(56213) 38177 62316 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023583 38545 oval:org.mitre.oval:def:14222 http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html http://code.google.com/p/v8/source/detail?r=3560 http://code.google.com/p/chromium/issues/detail?id=31009 WebKit before r53525, as used in Google Chrome before 4.0.249.89, allows remote attackers to execute arbitrary code in the Chrome sandbox via a malformed RUBY element, as demonstrated by a <ruby>><table><rt> sequence. http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html https://bugs.webkit.org/show_bug.cgi?id=33266 googlechrome-ruby-tags-code-exec(56214) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-0361 USN-1006-1 38177 62317 MDVSA-2011:039 http://trac.webkit.org/changeset/53525 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023583 43068 41856 38545 oval:org.mitre.oval:def:14094 SUSE-SR:2011:002 http://code.google.com/p/chromium/issues/detail?id=31692 Mozilla Firefox, possibly before 3.6, allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value, related to an IFRAME element. oval:org.mitre.oval:def:12665 http://nomoreroot.blogspot.com/2010/01/little-bug-in-safari-and-google-chrome.html FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 http://code.google.com/p/chromium/issues/detail?id=32309 Integer overflow in the CrossCallParamsEx::CreateFromBuffer function in sandbox/src/crosscall_server.cc in Google Chrome before 4.0.249.89 allows attackers to leverage renderer access to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a malformed message, related to deserializing of sandbox messages. http://googlechromereleases.blogspot.com/2010/02/stable-channel-update.html googlechrome-sandbox-code-exec(56217) ADV-2010-0361 38177 62320 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023583 38545 oval:org.mitre.oval:def:14256 http://code.google.com/p/chromium/issues/detail?id=32915 WebKit, as used in Google Chrome before 4.0.249.78 and Apple Safari, allows remote attackers to bypass intended restrictions on popup windows via crafted use of a mouse click event. https://bugs.webkit.org/show_bug.cgi?id=21501 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 38373 MDVSA-2011:039 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 43068 41856 oval:org.mitre.oval:def:13791 SUSE-SR:2011:002 http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html http://code.google.com/p/chromium/issues/detail?id=3275 WebKit before r52784, as used in Google Chrome before 4.0.249.78 and Apple Safari before 4.0.5, permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote attackers to obtain sensitive information via a crafted document. http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html https://bugs.webkit.org/show_bug.cgi?id=29820 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 MDVSA-2011:039 http://websec.sv.cmu.edu/css/css.pdf http://trac.webkit.org/changeset/52784 1023506 43068 41856 http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html oval:org.mitre.oval:def:13653 SUSE-SR:2011:002 http://code.google.com/p/chromium/issues/detail?id=9877 Microsoft Internet Explorer permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote HTTP servers to obtain sensitive information via a crafted document. http://code.google.com/p/chromium/issues/detail?id=9877 Opera before 10.10 permits cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote attackers to obtain sensitive information via a crafted document. http://websec.sv.cmu.edu/css/css.pdf http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html SUSE-SR:2010:014 http://code.google.com/p/chromium/issues/detail?id=9877 Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 permit cross-origin loading of CSS stylesheets even when the stylesheet download has an incorrect MIME type and the stylesheet document is malformed, which allows remote attackers to obtain sensitive information via a crafted document. https://bugzilla.mozilla.org/show_bug.cgi?id=524223 http://www.mozilla.org/security/announce/2010/mfsa2010-46.html http://websec.sv.cmu.edu/css/css.pdf http://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html oval:org.mitre.oval:def:11811 http://code.google.com/p/chromium/issues/detail?id=9877 Use-after-free vulnerability in Google Chrome before 4.0.249.78 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving the display of a blocked popup window during navigation to a different web site. Per: http://cwe.mitre.org/data/definitions/416.html 'Use After Free CWE-416' http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 http://secunia.com/secunia_research/2009-65/ oval:org.mitre.oval:def:14069 http://code.google.com/p/chromium/issues/detail?id=12523 WebKit before r51295, as used in Google Chrome before 4.0.249.78, presents a directory-listing page in response to an XMLHttpRequest for a file:/// URL that corresponds to a directory, which allows attackers to obtain sensitive information or possibly have unspecified other impact via a crafted local HTML document. http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html https://bugs.webkit.org/show_bug.cgi?id=31329 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 38372 MDVSA-2011:039 http://trac.webkit.org/changeset/51295 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 43068 41856 oval:org.mitre.oval:def:14501 SUSE-SR:2011:002 FEDORA-2010-8423 FEDORA-2010-8379 FEDORA-2010-8360 http://code.google.com/p/chromium/issues/detail?id=20450 Google Chrome before 4.0.249.78 on Windows does not perform the expected encoding, escaping, and quoting for the URL in the --app argument in a desktop shortcut, which allows user-assisted remote attackers to execute arbitrary programs or obtain sensitive information by tricking a user into creating a crafted shortcut. Per: http://cwe.mitre.org/data/slices/2000.html 'Improper Encoding or Escaping of Output CWE-116' http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 oval:org.mitre.oval:def:14306 http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html http://code.google.com/p/chromium/issues/detail?id=23693 Multiple integer overflows in Skia, as used in Google Chrome before 4.0.249.78, allow remote attackers to execute arbitrary code in the Chrome sandbox or cause a denial of service (memory corruption and application crash) via vectors involving CANVAS elements. http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 oval:org.mitre.oval:def:13852 http://code.google.com/p/chromium/issues/detail?id=8864 http://code.google.com/p/chromium/issues/detail?id=24646 http://code.google.com/p/chromium/issues/detail?id=24071 The image decoder in WebKit before r52833, as used in Google Chrome before 4.0.249.78, does not properly handle a failure of memory allocation, which allows remote attackers to execute arbitrary code in the Chrome sandbox via a malformed GIF file that specifies a large size. http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html https://bugs.webkit.org/show_bug.cgi?id=33231 ADV-2011-0212 http://trac.webkit.org/changeset/52833 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 43068 oval:org.mitre.oval:def:14079 SUSE-SR:2011:002 http://code.google.com/p/chromium/issues/detail?id=28566 Google Chrome before 4.0.249.78 sends an https URL in the Referer header of an http request in certain circumstances involving https to http redirection, which allows remote HTTP servers to obtain potentially sensitive information via standard HTTP logging. http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 oval:org.mitre.oval:def:14247 http://code.google.com/p/chromium/issues/detail?id=29920 WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method. http://trac.webkit.org/changeset/52401 http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html https://bugs.webkit.org/show_bug.cgi?id=32647 ADV-2011-0212 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 43068 oval:org.mitre.oval:def:14482 SUSE-SR:2011:002 http://flock.com/security/ http://code.google.com/p/chromium/issues/detail?id=30660 The ParamTraits<SkBitmap>::Read function in common/common_param_traits.cc in Google Chrome before 4.0.249.78 does not use the correct variables in calculations designed to prevent integer overflows, which allows attackers to leverage renderer access to cause a denial of service or possibly have unspecified other impact via bitmap data, related to deserialization. http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html googlechrome-paramtraits-dos(56627) http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 oval:org.mitre.oval:def:14457 http://code.google.com/p/chromium/issues/detail?id=31307 The ParamTraits<SkBitmap>::Read function in common/common_param_traits.cc in Google Chrome before 4.0.249.78 does not initialize the memory locations that will hold bitmap data, which might allow remote attackers to obtain potentially sensitive information from process memory by providing insufficient data, related to use of a (1) thumbnail database or (2) HTML canvas. http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 oval:org.mitre.oval:def:14002 http://code.google.com/p/chromium/issues/detail?id=31307 Stack consumption vulnerability in the ChildProcessSecurityPolicy::CanRequestURL function in browser/child_process_security_policy.cc in Google Chrome before 4.0.249.78 allows remote attackers to cause a denial of service (memory consumption and application crash) via a URL that specifies multiple protocols, as demonstrated by a URL that begins with many repetitions of the view-source: substring. http://googlechromereleases.blogspot.com/2010/01/stable-channel-update_25.html http://twitter.com/akirsanov/statuses/7370288490 http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs 1023506 oval:org.mitre.oval:def:14097 http://exchange.kg/other/chrome3_0day-denial_of_service_crash.html http://code.google.com/p/chromium/issues/detail?id=31517 JAG (Just Another Guestbook) 1.14 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request for jag/database.sql. jag-database-info-disclosure(56228) 11406 Unspecified vulnerability in eMBox in Novell eDirectory 8.8 SP5 Patch 2 and earlier allows remote attackers to cause a denial of service (crash) via unknown a crafted SOAP request, a different issue than CVE-2008-0926. http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5067743&sliceId=&docTypeID=DT_SUSESDB_PSDB_1_1&dialogID=122457794&stateId=0%200%20122459671 ADV-2010-0334 1023558 http://www.novell.com/support/viewContent.do?externalId=3426981 MoinMoin 1.9 before 1.9.1 does not perform the expected clearing of the sys.argv array in situations where the GATEWAY_INTERFACE environment variable is set, which allows remote attackers to obtain sensitive information via unspecified vectors. [oss-security] 20100215 CVE Request -- MoinMoin -- 1.8.7 [oss-security] 20100121 CVE request: MoinMoin information disclosure 38242 http://moinmo.in/SecurityFixes http://moinmo.in/MoinMoinChat/Logs/moin-dev/2010-01-18 [oss-security] 20100221 Re: CVE Request -- MoinMoin -- 1.8.7 [oss-security] 20100215 Re: CVE Request -- MoinMoin -- 1.8.7 http://hg.moinmo.in/moin/1.9/rev/9d8e7ce3c3a2 http://hg.moinmo.in/moin/1.9/rev/04afdde50094 http://hg.moinmo.in/moin/1.9/raw-file/1.9.1/docs/CHANGES Unspecified vulnerability in MoinMoin 1.5.x through 1.7.x, 1.8.x before 1.8.7, and 1.9.x before 1.9.2 has unknown impact and attack vectors, related to configurations that have a non-empty superuser list, the xmlrpc action enabled, the SyncPages action enabled, or OpenID configured. 38023 https://bugzilla.redhat.com/show_bug.cgi?id=565604 moinmoin-superuser-unspecified(56002) ADV-2010-0600 ADV-2010-0266 62043 [oss-security] 20100215 CVE Request -- MoinMoin -- 1.8.7 DSA-2014 38903 38709 38444 http://moinmo.in/SecurityFixes http://moinmo.in/MoinMoinRelease1.8 [oss-security] 20100221 Re: CVE Request -- MoinMoin -- 1.8.7 [oss-security] 20100215 Re: CVE Request -- MoinMoin -- 1.8.7 FEDORA-2010-1712 FEDORA-2010-1743 http://hg.moinmo.in/moin/1.8/raw-file/1.8.7/docs/CHANGES http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=569975 MoinMoin before 1.8.7 and 1.9.x before 1.9.2 does not properly sanitize user profiles, which has unspecified impact and attack vectors. ADV-2010-0600 38023 [oss-security] 20100221 Re: CVE Request -- MoinMoin -- 1.8.7 [oss-security] 20100215 Re: CVE Request -- MoinMoin -- 1.8.7 [oss-security] 20100215 CVE Request -- MoinMoin -- 1.8.7 DSA-2014 38903 38444 http://moinmo.in/SecurityFixes http://moinmo.in/MoinMoinRelease1.8 http://hg.moinmo.in/moin/1.8/raw-file/1.8.7/docs/CHANGES Unspecified vulnerability in the IP-Tech JQuarks (com_jquarks) Component before 0.2.4 for Joomla! allows attackers to obtain the installation path for Joomla! via unknown vectors. jquarks-unspecified-path-disclosure(56523) http://www.iptechinside.com/labs/news/show/6 SQL injection vulnerability in index.php in KR MEDIA Pogodny CMS allows remote attackers to execute arbitrary SQL commands via the id parameter in a niusy action. 38253 20100216 Pogodny CMS SQL vulnerabilities 62343 11473 38571 http://packetstormsecurity.org/1002-exploits/pogodnycms-sql.txt http://ariko-security.com/feb2010/ad439.html SQL injection vulnerability in index.php in WSN Guest 1.02 allows remote attackers to execute arbitrary SQL commands via the orderlinks parameter. wsnguest-orderlinks-sql-injection(56256) 38236 11436 http://packetstormsecurity.org/1002-exploits/wsnguest102-sql.txt SQL injection vulnerability in cplphoto.php in the Copperleaf Photolog plugin 0.16, and possibly earlier, for WordPress allows remote attackers to execute arbitrary SQL commands via the postid parameter. 38239 11458 38579 http://packetstormsecurity.org/1002-exploits/wpcopperleaf-sql.txt 62346 StatCounteX 3.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for path/stats.mdb. statcountex-stats-info-disclosure(56264) 11434 http://packetstormsecurity.org/1002-exploits/statcountex-disclose.txt Cross-site scripting (XSS) vulnerability in index.php in BGSvetionik BGS CMS 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the search parameter in a search action. NOTE: some of these details are obtained from third party information. 38264 38597 http://packetstormsecurity.org/1002-exploits/bgscms-xss.txt 62363 Directory traversal vulnerability in index.php in the RWCards (com_rwcards) component 3.0.18 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter. 38267 38638 http://packetstormsecurity.org/1002-exploits/joomlarwcards-lfi.txt SQL injection vulnerability in index.php in Katalog Stron Hurricane 1.3.5, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the get parameter. 11452 38581 http://packetstormsecurity.org/1002-exploits/katalog-rfisql.txt 62339 PHP remote file inclusion vulnerability in includes/moderation.php in Katalog Stron Hurricane 1.3.5, and possibly earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the includes_directory parameter. 11452 38581 http://packetstormsecurity.org/1002-exploits/katalog-rfisql.txt 62340 Multiple stack-based buffer overflows in the HyleosChemView.HLChemView ActiveX control (HyleosChemView.ocx) in Hyleos ChemView 1.9.5.1 allow remote attackers to execute arbitrary code via a large number of white space characters in the filename argument to the (1) SaveasMolFile and (2) ReadMolFile methods. 38225 http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf 11422 38523 http://packetstormsecurity.org/1002-exploits/hyleoschemview-heap.rb.txt http://packetstormsecurity.org/1002-advisories/chemviewx-overflow.txt 62276 Directory traversal vulnerability in index.php in ZeusCMS 0.2 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the page parameter. 38237 11437 ZeusCMS 0.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request for admin/backup.sql. 11437 WordPress 2.9 before 2.9.2 allows remote authenticated users to read trash posts from other authors via a direct request with a modified p parameter. http://wordpress.org/development/2010/02/wordpress-2-9-2/ https://core.trac.wordpress.org/ticket/11236 62330 http://tmacuk.co.uk/?p=180 42871 38592 FEDORA-2010-19329 FEDORA-2010-19330 http://hakre.wordpress.com/2010/02/16/the-short-memory-of-wordpress-org-security/ Unspecified vulnerability in TIBRepoServer5.jar in TIBCO Administrator 5.4.0 through 5.6.0, when JMS transport is used, allows remote authenticated users to execute arbitrary code on all domain nodes via vectors related to leveraging administrative credentials. http://www.tibco.com/services/support/advisories/adminstrator-advisory_20100223.jsp http://www.tibco.com/multimedia/security_advisory_administrator_tcm8-10685.txt ADV-2010-0463 38396 38732 Cross-site scripting (XSS) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote authenticated users to inject arbitrary web script or HTML via the JMSDestination parameter in a queue action. 39119 http://activemq.apache.org/activemq-531-release.html https://issues.apache.org/activemq/browse/AMQ-2625 https://issues.apache.org/activemq/browse/AMQ-2613 activemq-createdestination-xss(57397) 20100330 CVE-2010-0684: Apache ActiveMQ Persistent Cross-Site Scripting (XSS) Vulnerability http://www.rajatswarup.com/CVE-2010-0684.txt 1023778 39223 The design of the dialplan functionality in Asterisk Open Source 1.2.x, 1.4.x, and 1.6.x; and Asterisk Business Edition B.x.x and C.x.x, when using the ${EXTEN} channel variable and wildcard pattern matches, allows context-dependent attackers to inject strings into the dialplan using metacharacters that are injected when the variable is expanded, as demonstrated using the Dial application to process a crafted SIP INVITE message that adds an unintended outgoing channel leg. NOTE: it could be argued that this is not a vulnerability in Asterisk, but a class of vulnerabilities that can occur in any program that uses this feature without the associated filtering functionality that is already available. asterisk-dial-weak-security(56397) ADV-2010-0439 1023637 20100218 AST-2010-002: Dialplan injection vulnerability http://svn.asterisk.org/svn/asterisk/branches/1.2/README-SERIOUSLY.bestpractices.txt 39096 38641 FEDORA-2010-3724 http://downloads.digium.com/pub/security/AST-2010-002.html WebAccess in VMware VirtualCenter 2.0.2 and 2.5, VMware Server 2.0, and VMware ESX 3.0.3 and 3.5 allows remote attackers to leverage proxy-server functionality to spoof the origin of requests via unspecified vectors, related to a "URL forwarding vulnerability." http://www.vmware.com/security/advisories/VMSA-2010-0005.html 39037 [security-announce] 20100329 VMSA-2010-0005 VMware products address vulnerabilities in WebAccess 1023769 Stack-based buffer overflow in Orbital Viewer 1.04 allows user-assisted remote attackers to execute arbitrary code via a crafted (1) .orb or (2) .ov file. orbitalviewer-ov-bo(59560) ADV-2010-0478 40985 38436 62580 13940 http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/ 38720 The ExecuteExe method in the DVBSExeCall Control ActiveX control 1.0.0.1 in DVBSExeCall.ocx in DATEV Base System (aka Grundpaket Basis) allows remote attackers to execute arbitrary commands via unspecified vectors. Per: http://cwe.mitre.org/data/definitions/77.html "CWE-77: Improper Sanitization of Special Elements used in a Command ('Command Injection')" datev-dvbsexecall-command-execution(56530) ADV-2010-0474 38415 20100225 NSOADV-2010-003: DATEV ActiveX Control remote command execution http://www.datev.de/info-db/1080162 http://sotiriu.de/demos/videos/nso-2010-003.html http://sotiriu.de/adv/NSOADV-2010-003.txt 38716 62564 SQL injection vulnerability in index.php in CommodityRentals Video Games Rentals allows remote attackers to execute arbitrary SQL commands via the pfid parameter in a catalog action. videogames-index-sql-injection(56226) 11409 38555 http://packetstormsecurity.org/1002-exploits/videogamesrental-sql.txt 62295 SQL injection vulnerability in druckansicht.php in JTL-Shop 2 allows remote attackers to execute arbitrary SQL commands via the s parameter. 11445 38588 62329 SQL injection vulnerability in the IP-Tech JQuarks (com_jquarks) Component 0.2.3, and possibly earlier, for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. NOTE: some of these details are obtained from third party information. 38203 http://www.iptechinside.com/labs/news/show/6 62332 38623 SQL injection vulnerability in products.php in CommodityRentals Trade Manager Script allows remote attackers to execute arbitrary SQL commands via the cid parameter. trade-manager-products-sql-injection(56223) 11412 38556 http://packetstormsecurity.org/1002-exploits/trademanager-sql.txt 62294 SQL injection vulnerability in the PerchaGallery (com_perchagallery) component before 1.5b for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an editunidad action to index.php. perchagallery-index-sql-injection(55447) 37642 11024 http://packetstormsecurity.org/1001-exploits/joomlaperchagallery-sql.txt http://docs.joomla.org/Vulnerable_Extensions_List#New_format_Feed_Starts_Here Cross-site scripting (XSS) vulnerability in pages/index.php in BASIC-CMS allows remote attackers to inject arbitrary web script or HTML via the nav_id parameter. 38235 http://packetstormsecurity.org/1002-exploits/basiccms-sqlxss.txt Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter. http://www.joomlaworks.gr/content/view/77/34/ 38238 11447 38587 62331 Cross-site scripting (XSS) vulnerability in the iTweak Upload module 6.x-1.x before 6.x-1.2 and 6.x-2.x before 6.x-2.3 for Drupal allows remote authenticated users, with create content and upload file permissions, to inject arbitrary web script or HTML via the file name of an uploaded file. 38292 http://drupal.org/node/717214 http://drupal.org/node/711074 http://drupal.org/node/711072 itweakupload-filenames-xss(56351) 38633 62405 SQL injection vulnerability in backoffice/login.asp in Dynamicsoft WSC CMS 2.2 allows remote attackers to execute arbitrary SQL commands via the Password parameter. NOTE: some of these details are obtained from third party information. wsccms-login-sql-injection(56406) 38335 11507 38698 http://packetstormsecurity.org/1002-exploits/wsccms-sql.txt Cross-site scripting (XSS) vulnerability in index.php in VideoSearchScript Pro 3.5 allows remote attackers to inject arbitrary web script or HTML via the q parameter. 38701 http://packetstormsecurity.org/1002-exploits/vss-xss.txt Cross-site scripting (XSS) vulnerability in index.php in WampServer 2.0i allows remote attackers to inject arbitrary web script or HTML via the lang parameter. http://zeroscience.mk/en/vulnerabilities/ZSL-2010-4926.php http://zeroscience.mk/codes/wamp_xss.txt wampserver-index-xss(56417) 38357 38706 62481 SQL injection vulnerability in ForceChangePassword.jsp in Newgen Software OmniDocs allows remote attackers to execute arbitrary SQL commands via unspecified vectors. omnidocs-forcechangepassword-sql-injection(56237) 38304 11393 38527 http://packetstormsecurity.org/1002-exploits/omnidocs-sql.txt 62403 SQL injection vulnerability in cisco/services/PhonecDirectory.php in Fonality Trixbox 2.2.4 allows remote attackers to execute arbitrary SQL commands via the ID parameter. trixbox-phonedirectory-sql-injection(56407) 38323 11508 http://packetstormsecurity.org/1002-exploits/tribox-sql.txt Cross-site scripting (XSS) vulnerability in wa/auth in PortWise SSL VPN 4.6 allows remote attackers to inject arbitrary web script or HTML via the reloadFrame parameter. portwise-reloadframe-xss(56420) 38308 20100217 Cross-Site Scriting on Portwise SSL VPN v4.6 http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-04 38627 http://packetstormsecurity.org/1002-exploits/PR09-04.txt 62482 Cross-site scripting (XSS) vulnerability in the Portlet Palette in IBM WebSphere Portal 6.0.1.5 wp6015_008_01 allows remote attackers to inject arbitrary web script or HTML via the search field. PM05829 38574 Aavmker4.sys in avast! 4.8 through 4.8.1368.0 and 5.0 before 5.0.418.0 running on Windows 2000 and XP does not properly validate input to IOCTL 0xb2d60030, which allows local users to cause a denial of service (system crash) or execute arbitrary code to gain privileges via IOCTL requests using crafted kernel addresses that trigger memory corruption. ADV-2010-0449 http://www.trapkit.de/advisories/TKADV2010-003.txt 1023644 38363 20100223 [TKADV2010-003] avast! 4.8 and 5.0 aavmker4.sys Kernel Memory Corruption 38689 38677 62510 http://forum.avast.com/index.php?topic=55484.0 Cross-site scripting (XSS) vulnerability in the login/prompt component in Subex Nikira Fraud Management System allows remote attackers to inject arbitrary web script or HTML via the message parameter. nfms-message-xss(56393) 38311 http://www.packetstormsecurity.org/1002-exploits/nikara-xss.txt 38564 Cross-site request forgery (CSRF) vulnerability in add_user.php in Employee Timeclock Software 0.99 allows remote attackers to hijack the authentication of an administrator for requests that create new administrative users. NOTE: some of these details are obtained from third party information. timeclock-adduser-csrf(56410) 11516 38662 62478 Multiple unspecified vulnerabilities in (1) ns-slapd and (2) slapd.exe in Sun Directory Server Enterprise Edition 7.0, Sun Java System Directory Server 5.2, and Sun Java System Directory Server Enterprise Edition 6.0 through 6.3.1 allow remote attackers to cause a denial of service (daemon crash) via a crafted LDAP search request. 275711 http://sunsolve.sun.com/search/document.do?assetkey=1-21-143884-01-1 jsds-nsslapd-slapd-dos(56603) 1021788 Multiple cross-site request forgery (CSRF) vulnerabilities in Limny 2.0 allow remote attackers to (1) hijack the authentication of users or administrators for requests that change the email address or password via the user action to index.php, and (2) hijack the authentication of the administrator for requests that create a new user via the admin/modules/user/new action to limny/index.php. http://www.limny.org/ limny-admin-csrf(56318) 11478 11477 38616 62389 SQL injection vulnerability in default.asp in ASPCode CMS 1.5.8, 2.0.0 Build 103, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the newsid parameter when the sec parameter is 26. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38596 62358 Cross-site request forgery (CSRF) vulnerability in default.asp in ASPCode CMS 1.5.8, 2.0.0 Build 103, and possibly other versions, allows remote attackers to hijack the authentication of an administrator for requests that (1) delete users via the delete action in the ma2 parameter or (2) create administrators via the update action in the ma2 parameter. 38596 http://packetstormsecurity.org/1002-exploits/aspcodecms-xssxsrf.txt 62357 Multiple SQL injection vulnerabilities in zport/dmd/Events/getJSONEventsInfo in Zenoss 2.3.3, and other versions before 2.5, allow remote authenticated users to execute arbitrary SQL commands via the (1) severity, (2) state, (3) filter, (4) offset, and (5) count parameters. zenoss-getjsoneventsinfo-sql-injection(55670) http://www.zenoss.com/news/SQL-Injection-and-Cross-Site-Forgery-in-Zenoss-Core-Corrected.html 37802 http://www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-001-zenoss-getjsoneventsinfo-sql-injection/ 38195 61804 http://dev.zenoss.org/trac/changeset/15257 Multiple cross-site request forgery (CSRF) vulnerabilities in Zenoss 2.3.3, and other versions before 2.5, allow remote attackers to hijack the authentication of an administrator for (1) requests that reset user passwords via zport/dmd/ZenUsers/admin, and (2) requests that change user commands, which allows for remote execution of system commands via zport/dmd/userCommands/. http://www.zenoss.com/news/SQL-Injection-and-Cross-Site-Forgery-in-Zenoss-Core-Corrected.html 37843 20100116 Zenoss Multiple Admin CSRF http://www.ngenuity.org/wordpress/2010/01/14/ngenuity-2010-002-zenoss-multiple-admin-csrf/ 38195 61805 Cross-site scripting (XSS) vulnerability in login.jsp in IBM WebSphere Portal, IBM Lotus Web Content Management (WCM), and IBM Lotus Workplace Web Content Management 5.1.0.0 through 5.1.0.5, 6.0.0.0 through 6.0.0.4, 6.0.1.0 through 6.0.1.7, 6.1.0.0 through 6.1.0.3, and 6.1.5.0; and IBM Lotus Quickr services 8.0, 8.0.0.2, 8.1, 8.1.1, and 8.1.1.1 for WebSphere Portal; allows remote attackers to inject arbitrary web script or HTML via the query string. http://www-01.ibm.com/support/docview.wss?uid=swg21421469 ibm-login-xss(56508) 1023660 38412 20100225 Hacktics Advisory Feb10: XSS in IBM WebSphere Portal & Lotus WCM http://www.hacktics.com/content/advisories/AdvIBM20100224.html Open redirect vulnerability in login.jsp in IBM WebSphere Portal, IBM Lotus Web Content Management (WCM), and IBM Lotus Workplace Web Content Management 5.1.0.0 through 5.1.0.5, 6.0.0.0 through 6.0.0.4, 6.0.1.0 through 6.0.1.7, 6.1.0.0 through 6.1.0.3, and 6.1.5.0; and IBM Lotus Quickr services 8.0, 8.0.0.2, 8.1, 8.1.1, and 8.1.1.1 for WebSphere Portal; allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the query string. http://www-01.ibm.com/support/docview.wss?uid=swg21421469 ibm-login-phishing(56602) 20100225 Hacktics Advisory Feb10: XSS in IBM WebSphere Portal & Lotus WCM http://www.hacktics.com/content/advisories/AdvIBM20100224.html _layouts/Upload.aspx in the Documents module in Microsoft SharePoint before 2010 uses URLs with the same hostname and port number for a web site's primary files and individual users' uploaded files (aka attachments), which allows remote authenticated users to leverage same-origin relationships and conduct cross-site scripting (XSS) attacks by uploading TXT files, a related issue to CVE-2008-5026. NOTE: the vendor disputes the significance of this issue, because cross-domain isolation can be implemented when needed. sharepoint-aspx-xss(56597) 20100222 Hacktics Advisory Feb10: Persistent XSS in Microsoft SharePoint Portal http://www.hacktics.com/content/advisories/AdvMS20100222.html The default configuration of cfg.packagepages_actions_excluded in MoinMoin before 1.8.7 does not prevent unsafe package actions, which has unspecified impact and attack vectors. moinmoin-cfgpackagepages-unspecified(56595) ADV-2010-0600 [oss-security] 20100215 CVE Request -- MoinMoin -- 1.8.7 DSA-2014 38903 http://moinmo.in/MoinMoinRelease1.8 http://hg.moinmo.in/moin/1.8/raw-file/1.8.7/docs/CHANGES Buffer overflow in Microsoft Windows Media Player 9 and 11.0.5721.5145 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted .mpg file. win-mediaplayer-mpg-bo(56435) 11531 An unspecified API in Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7 does not validate arguments, which allows local users to cause a denial of service (system crash) via a crafted application. ms-win-api-dos(56591) http://www.scmagazineus.com/malta-researchers-find-windows-bug-that-crashes-pcs/article/164439/ 1023656 62660 SQL injection vulnerability in news.php in Erotik Auktionshaus allows remote attackers to execute arbitrary SQL commands via the id parameter. erotikauktionshaus-news-sql-injection(56330) 62369 11489 38614 http://packetstormsecurity.org/1002-exploits/erotik-sql.txt http://4004securityproject.wordpress.com/2009/10/21/erotik-auktionshaus-sql-injection-news-php/ SQL injection vulnerability in news.php in Auktionshaus Gelb 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. auktionshausgelb-news-sql-injection(56332) 11488 http://packetstormsecurity.org/1002-exploits/auktionshausgelb-sql.txt SQL injection vulnerability in news.php in Php Auktion Pro allows remote attackers to execute arbitrary SQL commands via the id parameter. phpauktionpro-news-sql-injection(56478) 38371 11547 38679 http://4004securityproject.wordpress.com/2010/02/22/php-auktion-pro-sql-injection-news-php/ SQL injection vulnerability in news.php in Ero Auktion 2.0 and 2010 allows remote attackers to execute arbitrary SQL commands via the id parameter. eroauktion-news-sql-injection(56446) 11522 11521 38666 http://packetstormsecurity.org/1002-exploits/eroauktion2010-sql.txt http://packetstormsecurity.org/1002-exploits/eroauktion20-sql.txt http://4004securityproject.wordpress.com/2010/02/21/ero-auktion-v-2-0-sql-injection-news-php/ http://4004securityproject.wordpress.com/2010/02/21/ero-auktion-2010-sql-injection-news-php/ SQL injection vulnerability in showimg.php in Arab Cart 1.0.2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2010-0443 38426 11524 http://packetstormsecurity.org/1002-exploits/arabcart-sqlxss.txt Cross-site scripting (XSS) vulnerability in showimg.php in Arab Cart 1.0.2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. ADV-2010-0443 38426 11524 http://packetstormsecurity.org/1002-exploits/arabcart-sqlxss.txt Cross-site scripting (XSS) vulnerability in the tb-send.rb (TrackBack transmission) plugin in tDiary 2.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unknown vectors, possibly related to the (1) plugin_tb_url and (2) plugin_tb_excerpt parameters. http://www.tdiary.org/20100225.html 38413 http://tdiary.svn.sourceforge.net/viewvc/tdiary/branches/Stable-2_2/plugin/tb-send.rb?r1=3238&r2=3573 38742 62562 JVNDB-2010-000005 JVN#73331060 The gfs2_lock function in the Linux kernel before 2.6.34-rc1-next-20100312, and the gfs_lock function in the Linux kernel on Red Hat Enterprise Linux (RHEL) 5 and 6, does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on a (1) GFS or (2) GFS2 filesystem, and then changing this file's permissions. https://bugzilla.redhat.com/show_bug.cgi?id=570863 [linux-kernel] 20100311 [PATCH 3/3] GFS2: Skip check for mandatory locks when unlocking RHSA-2010:0521 RHSA-2010:0380 RHSA-2010:0330 [oss-security] 20100312 CVE-2010-0727 kernel: gfs/gfs2 locking code DoS flaw MDVSA-2010:066 http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.34-rc1-next-20100312.bz2 DSA-2053 1023809 39830 oval:org.mitre.oval:def:11392 smbd in Samba 3.3.11, 3.4.6, and 3.5.0, when libcap support is enabled, runs with the CAP_DAC_OVERRIDE capability, which allows remote authenticated users to bypass intended file permissions via standard filesystem operations with any client. https://bugzilla.samba.org/show_bug.cgi?id=7222 http://www.samba.org/samba/security/CVE-2010-0728 http://www.samba.org/samba/history/samba-3.5.1.html http://www.samba.org/samba/history/samba-3.4.7.html http://www.samba.org/samba/history/samba-3.3.12.html [samba-announce] 20100308 Security problem with Samba on Linux - affects 3.5.0, 3.4.6 and 3.3.11 A certain Red Hat patch for the Linux kernel in Red Hat Enterprise Linux (RHEL) 4 on the ia64 platform allows local users to use ptrace on an arbitrary process, and consequently gain privileges, via vectors related to a missing ptrace_check_attach call. https://bugzilla.redhat.com/show_bug.cgi?id=572007 38702 RHSA-2010:0394 [oss-security] 20100312 CVE-2010-0729 kernel: ia64: ptrace: peek_or_poke requests miss ptrace_check_attach() http://support.avaya.com/css/P8/documents/100090459 oval:org.mitre.oval:def:8687 The MMIO instruction decoder in the Xen hypervisor in the Linux kernel 2.6.18 in Red Hat Enterprise Linux (RHEL) 5 allows guest OS users to cause a denial of service (32-bit guest OS crash) via vectors that trigger an unspecified instruction emulation. Per: http://secunia.com/advisories/39649 'Successful exploitation requires a 32bit system and access to an MMIO region.' RHSA-2010:0398 https://bugzilla.redhat.com/show_bug.cgi?id=572971 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39979 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX [oss-security] 20100507 CVE-2010-0730 xen: emulator instruction decoding inconsistency http://support.avaya.com/css/P8/documents/100088287 43315 39649 oval:org.mitre.oval:def:11430 The gnutls_x509_crt_get_serial function in the GnuTLS library before 1.2.1, when running on big-endian, 64-bit platforms, calls the asn1_read_value with a pointer to the wrong data type and the wrong length value, which allows remote attackers to bypass the certificate revocation list (CRL) check and cause a stack-based buffer overflow via a crafted X.509 certificate, related to extraction of a serial number. Per: http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4230 "Please note that the problem was solved for GnuTLS 1.2.1, released on 2005-04-04. Also, 32-bit platforms are not affected. I have added information about this on http://www.gnu.org/software/gnutls/security.html so that it contains the complete list of known security flaws. I'm using the keyword GNUTLS-SA-2010-1 for this." ADV-2010-0713 https://bugzilla.redhat.com/show_bug.cgi?id=573028 ADV-2010-1054 38959 RHSA-2010:0167 MDVSA-2010:089 http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4230 39127 oval:org.mitre.oval:def:9759 SUSE-SR:2010:014 gdk/gdkwindow.c in GTK+ before 2.18.5, as used in gnome-screensaver before 2.28.1, performs implicit paints on windows of type GDK_WINDOW_FOREIGN, which triggers an X error in certain circumstances and consequently allows physically proximate attackers to bypass screen locking and access an unattended workstation by pressing the Enter key many times. https://bugzilla.redhat.com/show_bug.cgi?id=565527 https://bugzilla.gnome.org/show_bug.cgi?id=598476 [oss-security] 20100305 Re: CVE Request: gnome-screensaver termination by pressing "Enter" http://git.gnome.org/browse/gnome-screensaver/commit/?id=ab08cc93f2dc6223c8c00bfa1ca4f2d89069dbe0 https://bugs.edge.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/446395 38211 [oss-security] 20100316 Re: Re: CVE Request: gnome-screensaver termination by pressing "Enter" [oss-security] 20100212 CVE Request: gnome-screensaver termination by pressing "Enter" MDVSA-2010:109 http://www.heise.de/newsticker/meldung/Gnome-Bildschirmsperre-in-OpenSuse-Linux-wirkungslos-2-Update-928580.html 39317 SUSE-SR:2010:008 http://git.gnome.org/browse/gtk+/commit/?id=0748cf563d0d0d03001a62589f13be16a8ec06c1 http://git.gnome.org/browse/gnome-screensaver/commit/?h=gnome-2-28&id=98f8a22412cf388217fd5b88915eadd274d68520 http://ftp.gnome.org/pub/gnome/sources/gtk+/2.18/gtk+-2.18.5.news Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations. https://bugzilla.redhat.com/show_bug.cgi?id=546621 http://git.postgresql.org/gitweb?p=postgresql.git;a=commit;h=64b057e6823655fb6c5d1f24a28f236b94dd6c54 ADV-2010-1197 38619 RHSA-2010:0429 RHSA-2010:0428 RHSA-2010:0427 [oss-security] 20100316 Re: CVE Request: postgresql integer overflow in hash table size calculation [oss-security] 20100309 CVE Request: postgresql integer overflow in hash table size calculation 39820 oval:org.mitre.oval:def:10691 SUSE-SR:2010:014 [pgsql-bugs] 20091030 Re: BUG #5145: Complex query with lots of LEFT JOIN causes segfault [pgsql-bugs] 20091029 Re: BUG #5145: Complex query with lots of LEFT JOIN causes segfault [pgsql-bugs] 20091029 Re: BUG #5145: Complex query with lots of LEFT JOIN causes segfault [pgsql-bugs] 20091028 BUG #5145: Complex query with lots of LEFT JOIN causes segfault content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit. [oss-security] 20100316 Re: CVE Request -- cURL/libCURL 7.20.0 [oss-security] 20100309 Re: CVE Request -- cURL/libCURL 7.20.0 [oss-security] 20100209 CVE Request -- cURL/libCURL 7.20.0 http://curl.haxx.se/libcurl-contentencoding.patch https://bugzilla.redhat.com/show_bug.cgi?id=563220 ADV-2010-1481 ADV-2010-0725 ADV-2010-0660 ADV-2010-0602 ADV-2010-0571 http://www.vmware.com/security/advisories/VMSA-2011-0003.html USN-1158-1 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20101027 rPSA-2010-0072-1 curl RHSA-2010:0329 MDVSA-2010:062 DSA-2023 http://wiki.rpath.com/Advisories:rPSA-2010-0072 http://support.avaya.com/css/P8/documents/100081819 http://support.apple.com/kb/HT4188 45047 40220 39734 39087 38981 38843 oval:org.mitre.oval:def:6756 oval:org.mitre.oval:def:10760 FEDORA-2010-2720 FEDORA-2010-2762 APPLE-SA-2010-06-15-1 http://curl.haxx.se/docs/security.html#20100209 http://curl.haxx.se/docs/adv_20100209.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-0969. Reason: This candidate is a duplicate of CVE-2010-0969. Notes: All CVE users should reference CVE-2010-0969 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cross-site scripting (XSS) vulnerability in the view_queryform function in lib/viewvc.py in ViewVC before 1.0.10, and 1.1.x before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via "user-provided input." [oss-security] 20100316 Re: CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input [oss-security] 20100310 CVE Request: ViewVC 1.1.4 / 1.0.10 -- XSS via user-provided query form input http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2326 http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2313&r2=2342&pathrev=HEAD The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method. RHSA-2010:0379 RHSA-2010:0378 RHSA-2010:0377 RHSA-2010:0376 https://bugzilla.redhat.com/show_bug.cgi?id=574105 jboss-jmxconsole-security-bypass(58147) ADV-2010-0992 39710 1023918 8408 39563 Integer overflow in the predospecial function in dospecial.c in dvips in (1) TeX Live and (2) teTeX might allow user-assisted remote attackers to execute arbitrary code via a crafted DVI file that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. https://bugzilla.redhat.com/show_bug.cgi?id=572941 USN-937-1 39500 39390 oval:org.mitre.oval:def:11468 SUSE-SR:2010:013 SUSE-SR:2010:012 FEDORA-2010-8273 http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-stable.git;a=blob;f=source/xapps-extra/tetex/texlive-CVE-2010-0739-int-overflow.patch The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of these details are obtained from third party information. Per: http://www.openssl.org/news/secadv_20100324.txt 'Affected versions depend on the C compiler used with OpenSSL: - If 'short' is a 16-bit integer, this issue applies only to OpenSSL 0.9.8m. - Otherwise, this issue applies to OpenSSL 0.9.8f through 0.9.8m.' ADV-2010-0710 http://www.openssl.org/news/secadv_20100324.txt [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released https://kb.bluecoat.com/index?page=content&id=SA50 ADV-2010-1216 ADV-2010-0933 ADV-2010-0839 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 1023748 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX MDVSA-2010:076 http://support.apple.com/kb/HT4723 43311 42733 42724 39932 oval:org.mitre.oval:def:11731 FEDORA-2010-5744 APPLE-SA-2011-06-23-1 http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc The virtio_net_bad_features function in hw/virtio-net.c in the virtio-net driver in the Linux kernel before 2.6.26, when used on a guest OS in conjunction with qemu-kvm 0.11.0 or KVM 83, allows remote attackers to cause a denial of service (guest OS crash, and an associated qemu-kvm process exit) by sending a large amount of network traffic to a TCP port on the guest OS, related to a virtio-net whitelist that includes an improper implementation of TCP Segment Offloading (TSO). RHSA-2010:0476 https://patchwork.kernel.org/patch/56479/ https://bugzilla.redhat.com/show_bug.cgi?id=577218 https://bugs.edge.launchpad.net/ubuntu/+source/qemu-kvm/+bug/458521 ADV-2010-0760 RHSA-2010:0271 1023798 oval:org.mitre.oval:def:11143 [oss-security] 20100329 CVE-2010-0741 qemu: Improper handling of erroneous data provided by Linux virtio-net driver [qemu-devel] 20091029 [PATCH] whitelist host virtio networking features [was Re: qemu-kvm-0.11 regression, crashes on older ...] [qemu-devel] 20091029 Re: qemu-kvm-0.11 regression, crashes on older guests with virtio network http://git.kernel.org/?p=virt/kvm/qemu-kvm.git;a=commit;h=184bd0484533b725194fa517ddc271ffd74da7c9 The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors. ADV-2010-1313 [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released https://kb.bluecoat.com/index?page=content&id=SA50 https://bugzilla.redhat.com/show_bug.cgi?id=598738 ADV-2010-3105 40502 http://www.openssl.org/news/secadv_20100601.txt 42733 42724 42457 40024 40000 http://rt.openssl.org/Ticket/Display.html?id=2211&user=guest&pass=guest oval:org.mitre.oval:def:12395 HPSBUX02610 HPSBUX02610 http://cvs.openssl.org/filediff?f=openssl/crypto/cms/cms_asn1.c&v1=1.8&v2=1.8.6.1 http://cvs.openssl.org/chngview?cn=19693 Multiple format string vulnerabilities in isns.c in (1) Linux SCSI target framework (aka tgt or scsi-target-utils) 1.0.3, 0.9.5, and earlier and (2) iSCSI Enterprise Target (aka iscsitarget) 0.4.16 allow remote attackers to cause a denial of service (tgtd daemon crash) or possibly have unspecified other impact via vectors that involve the isns_attr_query and qry_rsp_handle functions, and are related to (a) client appearance and (b) client disappearance messages. http://git.kernel.org/?p=linux/kernel/git/tomo/tgt.git;a=commit;h=107d922706cd36f3bb79bcca9bc4678c32f22e59 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574935 https://bugzilla.redhat.com/show_bug.cgi?id=576359 lstf-isns-format-string(57496) ADV-2010-1786 39127 MDVSA-2010:131 DSA-2042 39726 39142 oval:org.mitre.oval:def:11248 [oss-security] 20100331 iscsitarget/scsi-target-tuils format string CVE assignment SUSE-SR:2010:017 aMSN (aka Alvaro's Messenger) 0.98.3 and earlier, when SSL is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field or a Subject Alternative Name field of the X.509 certificate, which allows man-in-the-middle attackers to spoof an MSN server via an arbitrary certificate. ADV-2010-1109 35507 [oss-security] 20100401 Re: CVE Request -- aMSN -- improper SSL certificate validation (MITM) [oss-security] 20100310 CVE Request -- aMSN -- improper SSL certificate validation (MITM) http://www.opensource-archive.org/showthread.php?p=183821 39796 35621 20090626 aMSN SSL Certificate Vulnerability FEDORA-2010-7378 FEDORA-2010-7373 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572818 http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/amsn/soap.tcl?r1=11891&r2=11991&pathrev=11991 http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/amsn/sip.tcl?r1=11953&r2=11991&pathrev=11991 http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/amsn/proxy.tcl?r1=11886&r2=11991&pathrev=11991 http://amsn.svn.sourceforge.net/viewvc/amsn/trunk/?view=log&pathrev=11991 Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message. [dovecot-news] 20100308 v1.2.11 released https://bugzilla.redhat.com/show_bug.cgi?id=572268 ADV-2010-1226 ADV-2010-1107 [oss-security] 20100310 CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header MDVSA-2010:104 http://security-tracker.debian.org/tracker/CVE-2010-0745 [oss-security] 20100401 Re: CVE Request -- Dovecot v1.2.11 -- DoS (excessive CPU use) by processing email with huge header SUSE-SR:2010:011 [dovecot] 20100227 Possible CPU Denial-Of-Service attack to dovecot IMAP. pkexec.c in pkexec in libpolkit in PolicyKit 0.96 allows local users to determine the existence of arbitrary files via the argument. http://cgit.freedesktop.org/PolicyKit/commit/?id=14bdfd816512a82b1ad258fa143ae5faa945df8a http://bugs.freedesktop.org/show_bug.cgi?id=26982 https://launchpad.net/bugs/532852 policykit-pkexec-info-disc(57543) 39149 [oss-security] 20100401 Re: CVE Request: policykit (minor) [oss-security] 20100401 CVE Request: policykit (minor) The ip_evictor function in ip_fragment.c in libnids 1.24, as used in dsniff and possibly other products, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via crafted fragmented packets. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' ADV-2010-0791 ADV-2010-0777 http://xorl.wordpress.com/2010/04/04/libnids-ip-fragmentation-remote-null-pointer-dereference/ libnids-ipfragment-dos(57428) 39142 39249 39225 FEDORA-2010-5562 FEDORA-2010-5545 FEDORA-2010-5535 http://freefr.dl.sourceforge.net/project/libnids/libnids/1.24/libnids-1.24.releasenotes.txt The week_post_page function in the Weekly Archive by Node Type module 6.x before 6.x-2.7 for Drupal does not properly implement node access restrictions when constructing SQL queries, which allows remote attackers to read restricted node listings via unspecified vectors. http://drupal.org/node/724286 http://drupal.org/node/723776 weeklyarchive-nodetype-info-disclosure(56504) 38397 38717 62565 SQL injection vulnerability in the SQL Reports (com_sqlreport) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter to ajax/print.php. NOTE: some of these details are obtained from third party information. sql-reports-print-sql-injection(56541) sqlreport-userid-sql-injection(56476) 38361 http://www.packetstormsecurity.com/1002-exploits/joomlasqlreport-sql.txt 11549 38678 62534 Cross-site scripting (XSS) vulnerability in index.php/Special/Main/Templates in WikyBlog 1.7.2 and 1.7.3 rc2 allows remote attackers to inject arbitrary web script or HTML via the which parameter in a copy action. wikyblog-which-xss(56518) ADV-2010-0468 38386 11560 38699 http://packetstormsecurity.org/1002-exploits/wikyblog-rfishellxss.txt 62558 PHP remote file inclusion vulnerability in include/WBmap.php in WikyBlog 1.7.3 rc2 allows remote attackers to execute arbitrary PHP code via a URL in the langFile parameter. wikyblog-langfile-file-include(56519) 38386 11560 http://packetstormsecurity.org/1002-exploits/wikyblog-rfishellxss.txt 62647 Session fixation vulnerability in WikyBlog 1.7.3 rc2 allows remote attackers to hijack web sessions by setting the jsessionid parameter to (1) index.php/Comment/Main, (2) index.php/Comment/Main/Home_Wiky, or (3) index.php/Edit/Main. wikyblog-multiple-session-hijacking(56594) 38386 11560 http://packetstormsecurity.org/1002-exploits/wikyblog-rfishellxss.txt Unrestricted file upload vulnerability in index.php/Attach in WikyBlog 1.7.3rc2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension using the uploadform action, then accessing it via a direct request to the file in userfiles/[username]/uploaded/. Per: http://cwe.mitre.org/data/definitions/434.html CWE-434: Unrestricted Upload of File with Dangerous Type wikyblog-index-file-upload(56517) 38386 11560 http://packetstormsecurity.org/1002-exploits/wikyblog-rfishellxss.txt 62648 SQL injection vulnerability in news_desc.php in Softbiz Jobs allows remote attackers to execute arbitrary SQL commands via the id parameter. jobboard-newsdesc-sql-injection(56453) 38344 11518 http://packetstormsecurity.org/1002-exploits/softbizjobs-sql.txt Directory traversal vulnerability in plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allows remote attackers to read, and possibly include and execute, arbitrary files via directory traversal sequences in the files[] parameter, a different vector than CVE-2010-0760. scriptegrator-jsloader-file-include(56380) 38296 62486 11498 38637 http://packetstormsecurity.org/1002-exploits/joomlascriptegrator-lfi.txt Multiple directory traversal vulnerabilities in the Core Design Scriptegrator plugin 1.4.1 for Joomla! allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) file parameter to libraries/jquery/js/ui/jsloader.php and the (2) files[] parameter to libraries/jquery/js/jsloader.php, a different vector than CVE-2010-0759. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 62485 62484 38637 SQL injection vulnerability in index.php in CommodityRentals Books/eBooks Rentals Script allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a gamecatalog action. booksebooks-index-sql-injection(56210) 38189 http://www.indonesiancoder.org/booksebooks-rental-software-sql-injection-vulnerability 11402 38520 http://packetstormsecurity.org/1002-exploits/ebooksrental-sql.txt 62277 SQL injection vulnerability in index.php in CommodityRentals CD Rental Software allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a catalog action. cdrentals-index-sql-injection(56209) 38184 62278 http://www.indonesiancoder.org/cd-rentals-script-sql-injection-vulnerability 11401 38519 http://packetstormsecurity.org/1002-exploits/cdrentals-sql.txt SQL injection vulnerability in index.php in CommodityRentals Vacation Rental Software allows remote attackers to execute arbitrary SQL commands via the rental_id parameter in a CalendarView action. 38208 11410 38552 SQL injection vulnerability in index.php in KuwaitPHP eSmile allows remote attackers to execute arbitrary SQL commands via the cid parameter in a show action. esmile-index-sql-injection(56206) 11382 38548 http://packetstormsecurity.org/1002-exploits/esmile-sql.txt 62272 fipsForum 2.6 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for _database/forumFips.mdb. fipsforum-forumfips-information-disclosure(56183) 11361 http://packetstormsecurity.org/1001-exploits/fipsforum-disclose.txt Integer overflow in the Swap4 function in valet4.dll in Luxology Modo 401 allows user-assisted remote attackers to execute arbitrary code via a .LXO file containing a CHNL subchunk associated with an invalid length. 38460 20100303 CORRECTION: CORE-2009-0913 - Luxology Modo 401 .LXO Integer Overflow 20100302 Luxology Modo 401 .LXO Integer Overflow http://www.coresecurity.com/content/luxology-modo-lxo-vulnerability 38784 62669 Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote attackers to inject arbitrary web script or HTML via the URI. was-admin-console-xss(57164) 39051 39140 IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 does not properly define wsadmin scripting J2CConnectionFactory objects, which allows local users to discover a KeyRingPassword password by reading a cleartext field in the resources.xml file. was-wsadmin-info-disclosure(57185) 39140 IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.9 allows remote authenticated users to cause a denial of service (ORB ListenerThread hang) by aborting an SSL handshake. PK93653 was-orb-client-dos(57182) 39056 39140 Unspecified vulnerability in the channel process in IBM WebSphere MQ 7.0 before 7.0.1.2 allows remote authenticated users to cause a denial of service (daemon crash) via "incorrect channel control data." websphere-mq-ccd-dos(58039) ADV-2010-1083 1023961 The (1) JAX-RPC WS-Security 1.0 and (2) JAX-WS runtime implementations in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 do not properly handle WebServices PKCS#7 and PKIPath tokens, which allows remote attackers to bypass intended access restrictions via unspecified vectors. was-pkipath-security-bypass(58554) PK96427 Unspecified vulnerability in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.41, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 allows remote attackers to cause a denial of service (memory consumption and daemon crash) via a crafted request, related to the nodeagent and Deployment Manager components. was-dmgr-nodeagent-dos(58555) The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle chunked transfer encoding during a call to response.sendRedirect, which allows remote attackers to cause a denial of service via a GET request. was-webcontainer-dos(58556) The Web Container in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.31, and 7.0 before 7.0.0.11 does not properly handle long filenames and consequently sends an incorrect file in some responses, which allows remote attackers to obtain sensitive information by reading the retrieved file. was-webcontainer-info-disclosure(58557) ADV-2010-1200 40277 http://www-01.ibm.com/support/docview.wss?uid=swg27007951 39838 Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. was-admincons-xss(59646) Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.43, 6.1 before 6.1.0.33, and 7.0 before 7.0.0.11 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. was-admin-xss(59647) IBM WebSphere MQ 7.x before 7.0.1.4 allows remote attackers to cause a denial of service (disk consumption) via multiple connection attempts to a stopped queue manager. wmq-diskspace-dos(60638) IZ75124 http://www-01.ibm.com/support/docview.wss?uid=swg27014224 Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted URL. was-adminconsole-dos(61890) http://www-01.ibm.com/support/docview.wss?uid=swg27007951 41722 IBM WebSphere MQ 6.x before 6.0.2.10 and 7.x before 7.0.1.3 allows remote attackers to spoof X.509 certificate authentication, and send or receive channel messages, via a crafted Subject Distinguished Name (DN) value in a certificate. websphere-mq-subjectdn-spoofing(60018) http://www-01.ibm.com/support/docview.wss?uid=swg27014224 IZ68707 Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. was-admin-cons-xss(62947) 69007 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-01.ibm.com/support/docview.wss?uid=swg27004980 1024686 42136 41722 Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. was-admins-console-xss(62948) ADV-2010-2595 43874 http://www-01.ibm.com/support/docview.wss?uid=swg27014463 http://www-01.ibm.com/support/docview.wss?uid=swg27004980 PM23872 41722 Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. was-admin-console-csrf(62949) ADV-2010-2595 43875 http://www-01.ibm.com/support/docview.wss?uid=swg27004980 PM23874 PM18909 41722 The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 does not properly implement the Java API for XML Web Services (aka JAX-WS), which allows remote attackers to cause a denial of service (data corruption) via a crafted JAX-WS request that leads to incorrectly encoded data. was-jaxws-dos(62950) http://www-01.ibm.com/support/docview.wss?uid=swg27014463 client/mount.cifs.c in mount.cifs in smbfs in Samba 3.0.22, 3.0.28a, 3.2.3, 3.3.2, 3.4.0, and 3.4.5 allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file. https://bugzilla.samba.org/show_bug.cgi?id=6853 37992 https://bugzilla.redhat.com/show_bug.cgi?id=558833 https://bugzilla.redhat.com/show_bug.cgi?id=532940 sambaclient-mountcifs-symlink(55944) ADV-2010-1062 USN-893-1 39898 MDVSA-2010:090 38357 38308 38286 SUSE-SR:2010:014 FEDORA-2010-1218 FEDORA-2010-1190 http://git.samba.org/?p=samba.git;a=commit;h=a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5 http://git.samba.org/?p=samba.git;a=commit;h=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80 ncpfs 2.2.6 allows local users to cause a denial of service, obtain sensitive information, or possibly gain privileges via symlink attacks involving the (1) ncpmount and (2) ncpumount programs. https://bugzilla.redhat.com/show_bug.cgi?id=558833 https://bugzilla.redhat.com/show_bug.cgi?id=532940 38563 20100305 Re: ncpfs, Multiple Vulnerabilities 20100305 ncpfs, Multiple Vulnerabilities 38371 38327 20100305 ncpfs, Multiple Vulnerabilities SUSE-SR:2010:013 SUSE-SR:2010:012 FEDORA-2010-1168 FEDORA-2010-1145 fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local users to unmount an arbitrary FUSE filesystem share via a symlink attack on a mountpoint. https://bugzilla.redhat.com/show_bug.cgi?id=532940 37983 DSA-1989 http://sourceforge.net/projects/fuse/files/fuse-2.X/2.7.5/fuse-2.7.5.tar.gz/download https://bugzilla.redhat.com/show_bug.cgi?id=558833 fuse-fusermount-dos(55945) ADV-2010-1107 USN-892-1 http://sourceforge.net/projects/fuse/files/ReleaseNotes/fuse-2.8.3.html/view 38437 38359 38287 38261 SUSE-SR:2010:013 SUSE-SR:2010:011 SUSE-SR:2010:003 FEDORA-2010-1159 FEDORA-2010-1140 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567633 sutil/ncpumount.c in ncpumount in ncpfs 2.2.6 produces certain detailed error messages about the results of privileged file-access attempts, which allows local users to determine the existence of arbitrary files via the mountpoint name. 20100305 ncpfs, Multiple Vulnerabilities 38563 20100305 Re: ncpfs, Multiple Vulnerabilities 20100305 ncpfs, Multiple Vulnerabilities SUSE-SR:2010:013 SUSE-SR:2010:012 The (1) ncpmount, (2) ncpumount, and (3) ncplogin programs in ncpfs 2.2.6 do not properly create lock files, which allows local users to cause a denial of service (application failure) via unspecified vectors that trigger the creation of a /etc/mtab~ file that persists after the program exits. 20100305 ncpfs, Multiple Vulnerabilities 38563 20100305 Re: ncpfs, Multiple Vulnerabilities 20100305 ncpfs, Multiple Vulnerabilities SUSE-SR:2010:013 SUSE-SR:2010:012 fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via a symlink attack on an unspecified file. 38531 http://fcron.free.fr/ fcron-fcrontab-symlink(56680) ADV-2010-0730 20100304 fcrontab Information Disclosure Vulnerability 62718 1023677 39195 38796 20100303 fcrontab Information Disclosure Vulnerability FEDORA-2010-4063 Buffer overflow in BarnOwl before 1.5.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted CC: header. http://barnowl.mit.edu/wiki/barnowl-1.5.1-announce ADV-2010-1218 DSA-2049 39908 SQL injection vulnerability in the JE Event Calendars (com_jeeventcalendar) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the event_id parameter in an event action to index.php. jeeventcalendars-index-sql-injection(56008) 38012 11292 38408 62038 SQL injection vulnerability in the JE Quiz (com_jequizmanagement) component 1.b01 for Joomla! allows remote attackers to execute arbitrary SQL commands via the eid parameter in a question action to index.php. jequiz-index-sql-injection(56009) 38032 11287 38412 http://packetstormsecurity.org/1001-exploits/joomlajequiz-sql.txt 62039 Cross-site scripting (XSS) vulnerability in the T3BLOG extension 0.6.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-002/ http://typo3.org/extensions/repository/view/t3blog/0.8.0/ 38030 38388 SQL injection vulnerability in the T3BLOG extension 0.6.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-002/ http://typo3.org/extensions/repository/view/t3blog/0.8.0/ 38030 38388 Directory traversal vulnerability in misc/tell_a_friend/tell.php in phpunity.newsmanager allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter. 11290 38409 http://packetstormsecurity.org/1001-exploits/phpunity-lfi.txt 62036 SQL injection vulnerability in the Ossolution Team Documents Seller (aka DMS) (com_dms) component 2.5.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a view_category action to index.php. documentseller-categoryid-sql-injection(56006) 38024 38017 11289 38410 62040 Directory traversal vulnerability in the AutartiTarot (com_autartitarot) component 1.0.3 for Joomla! allows remote authenticated users, with "Public Back-end" group permissions, to read arbitrary files via directory traversal sequences in the controller parameter in an edit task to administrator/index.php. NOTE: some of these details are obtained from third party information. 38034 38434 http://packetstormsecurity.org/1001-exploits/joomlaautartitarot-traversal.txt 62041 SQL injection vulnerability in index.php in (nv2) Awards 1.1.0, a modification for Invision Power Board, allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action. 11297 38407 http://packetstormsecurity.org/1001-exploits/ipbawards-sql.txt SQL injection vulnerability in the jVideoDirect (com_jvideodirect) component 1.1 RC3b for Joomla! allows remote attackers to execute arbitrary SQL commands via the v parameter to index.php. jvideo-v-sql-injection(55957) 37990 11280 38436 http://packetstormsecurity.org/1001-exploits/joomlajvideodirect-sql.txt 62042 Cross-site scripting (XSS) vulnerability in index.php in iBoutique 4.0 allows remote attackers to inject arbitrary web script or HTML via the key parameter in a products action. 20100122 iBoutique v4.0 31871 http://packetstormsecurity.org/1001-exploits/iboutique-xss.txt The Tabular Data Control (TDC) ActiveX control in Microsoft Internet Explorer 5.01 SP4, 6 on Windows XP SP2 and SP3, and 6 SP1 allows remote attackers to execute arbitrary code via a long URL (DataURL parameter) that triggers memory corruption in the CTDCCtl::SecurityCHeckDataURL function, aka "Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 7 and Internet Explorer 8 are not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39025 MS10-018 http://www.zerodayinitiative.com/advisories/ZDI-10-034 20100402 ZDI-10-034: Microsoft Internet Explorer Tabular Data Control ActiveX Remote Code Execution Vulnerability 1023773 oval:org.mitre.oval:def:8080 Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer 6, 6 SP1, and 7 allows remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object, as exploited in the wild in March 2010, aka "Uninitialized Memory Corruption Vulnerability." Further information on this vulnerability can be found at the following link from Microsoft: http://support.microsoft.com/kb/981374 VU#744549 TA10-089A TA10-068A MS10-018 http://www.microsoft.com/technet/security/advisory/981374.mspx ms-ie-useafterfree-code-execution(56772) ADV-2010-0744 ADV-2010-0567 38615 38860 oval:org.mitre.oval:def:8446 62810 http://blogs.technet.com/msrc/archive/2010/03/09/security-advisory-981374-released.aspx Microsoft Internet Explorer 7 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, leading to memory corruption, aka "HTML Rendering Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx 'Internet Explorer 5.01 Service Pack 4, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 8 are not affected by this vulnerability.' TA10-089A TA10-068A ADV-2010-0744 39024 MS10-018 1023773 oval:org.mitre.oval:def:8532 Microsoft Internet Explorer 6 and 7 on Windows XP and Vista does not prevent script from simulating user interaction with the AutoComplete feature, which allows remote attackers to obtain sensitive form information via a crafted web site, aka "AutoComplete Information Disclosure Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-071.mspx 'An attacker who successfully exploited this vulnerability could potentially capture data previously entered into forms in the browser. The AutoComplete feature is disabled by default.' MS10-071 http://support.avaya.com/css/P8/documents/100113324 oval:org.mitre.oval:def:6889 The kernel in Microsoft Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, does not properly handle unspecified exceptions, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Exception Handler Vulnerability." TA10-103A MS10-021 1023850 39373 oval:org.mitre.oval:def:7012 Multiple unspecified vulnerabilities in the Microsoft Internet Explorer 8 Developer Tools ActiveX control in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allow remote attackers to execute arbitrary code via unknown vectors that "corrupt the system state," aka "Microsoft Internet Explorer 8 Developer Tools Vulnerability." TA10-159B MS10-034 MS11-027 oval:org.mitre.oval:def:7492 oval:org.mitre.oval:def:12534 Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allow remote attackers to bypass intended IPv4 source-address restrictions via a mismatched IPv6 source address in a tunneled ISATAP packet, aka "ISATAP IPv6 Source Address Spoofing Vulnerability." TA10-103A MS10-029 39382 oval:org.mitre.oval:def:7574 The Microsoft Access Wizard Controls in ACCWIZ.dll in Microsoft Office Access 2003 SP3 and 2007 SP1 and SP2 do not properly interact with the memory-allocation approach used by Internet Explorer during instantiation, which allows remote attackers to execute arbitrary code via a web site that references multiple ActiveX controls, as demonstrated by the ImexGrid and FieldList controls, aka "Access ActiveX Control Vulnerability." TA10-194A MS10-044 oval:org.mitre.oval:def:11907 VBE6.DLL in Microsoft Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Visual Basic for Applications (VBA), and VBA SDK 6.3 through 6.5 does not properly search for ActiveX controls that are embedded in documents, which allows remote attackers to execute arbitrary code via a crafted document, aka "VBE6.DLL Stack Memory Corruption Vulnerability." TA10-131A MS10-031 oval:org.mitre.oval:def:7074 Integer overflow in inetcomm.dll in Microsoft Outlook Express 5.5 SP2, 6, and 6 SP1; Windows Live Mail on Windows XP SP2 and SP3, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7; and Windows Mail on Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote e-mail servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) POP3 or (2) IMAP response, as demonstrated by a certain +OK response on TCP port 110, aka "Outlook Express and Windows Mail Integer Overflow Vulnerability." TA10-131A MS10-030 40052 http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=13&Itemid=13 oval:org.mitre.oval:def:6734 20100511 {PRL} Microsoft Windows Outlook Express and Windows Mail Integer Overflow Cross-site scripting (XSS) vulnerability in _layouts/help.aspx in Microsoft SharePoint Server 2007 12.0.0.6421 and possibly earlier, and SharePoint Services 3.0 SP1 and SP2, versions, allows remote attackers to inject arbitrary web script or HTML via the cid0 parameter. TA10-159B 20100428 XSS in Microsoft SharePoint Server 2007 MS10-039 http://www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html oval:org.mitre.oval:def:7468 The MPEG-4 codec in the Windows Media codecs in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2 does not properly handle crafted media content with MPEG-4 video encoding, which allows remote attackers to execute arbitrary code via a file in an unspecified "supported format," aka "MPEG-4 Codec Vulnerability." MS10-062 oval:org.mitre.oval:def:7318 Unspecified vulnerability in the Windows OpenType Compact Font Format (CFF) driver in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users to execute arbitrary code via unknown vectors related to improper validation when copying data from user mode to kernel mode, aka "OpenType CFF Font Driver Memory Corruption Vulnerability." TA10-159B MS10-037 win-opentype-cff-priv-escalation(58884) 40572 oval:org.mitre.oval:def:7072 Heap-based buffer overflow in the Local Security Authority Subsystem Service (LSASS), as used in Active Directory in Microsoft Windows Server 2003 SP2 and Windows Server 2008 Gold, SP2, and R2; Active Directory Application Mode (ADAM) in Windows XP SP2 and SP3 and Windows Server 2003 SP2; and Active Directory Lightweight Directory Service (AD LDS) in Windows Vista SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, allows remote authenticated users to execute arbitrary code via malformed LDAP messages, aka "LSASS Heap Overflow Vulnerability." MS10-068 oval:org.mitre.oval:def:7120 Unspecified vulnerability in Microsoft Office Excel 2002 SP3, 2003 SP3, 2007 SP1 and SP2; Office 2004 for mac; Office 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2; allows remote attackers to execute arbitrary code via an Excel file with a crafted SxView record, related to improper validation of unspecified structures, aka "Excel Record Parsing Memory Corruption Vulnerability," a different vulnerability than CVE-2010-0824 and CVE-2010-1245. TA10-159B MS10-038 http://www.zerodayinitiative.com/advisories/ZDI-10-104 20100608 ZDI-10-104: Microsoft Office Excel SxView Record Parsing Remote Code Execution Vulnerability oval:org.mitre.oval:def:6771 Stack-based buffer overflow in Microsoft Office Excel 2002 SP3, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via an Excel file with a crafted OBJ (0x5D) record, aka "Excel Object Stack Overflow Vulnerability." TA10-159B MS10-038 40520 20100608 VUPEN Security Research - Microsoft Office Excel OBJ Stack Overflow Vulnerability (CVE-2010-0822) oval:org.mitre.oval:def:7265 65236 Unspecified vulnerability in Microsoft Office Excel 2002 SP3, 2003 SP3, 2007 SP1 and SP2; Office 2004 for mac; Office 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2; allows remote attackers to execute arbitrary code via a crafted Excel file, aka "Excel Memory Corruption Vulnerability," a different vulnerability than CVE-2010-1247 and CVE-2010-1249. TA10-159B MS10-038 oval:org.mitre.oval:def:7240 65233 Unspecified vulnerability in Microsoft Office Excel 2002 SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via an Excel file with a malformed WOPT (0x80B) record, aka "Excel Record Memory Corruption Vulnerability," a different vulnerability than CVE-2010-0821 and CVE-2010-1245. TA10-159B MS10-038 40522 20100608 VUPEN Security Research - Microsoft Office Excel WOPT Heap Corruption Vulnerability (CVE-2010-0824) oval:org.mitre.oval:def:6768 lib-src/movemail.c in movemail in emacs 22 and 23 allows local users to read, modify, or delete arbitrary mailbox files via a symlink attack, related to improper file-permission checks. https://bugs.launchpad.net/ubuntu/+bug/531569 emacs-emailhelper-symlink(57457) ADV-2010-0952 ADV-2010-0734 USN-919-1 MDVSA-2010:083 39155 The Free Software Foundation (FSF) Berkeley DB NSS module (aka libnss-db) 2.2.3pre1 reads the DB_CONFIG file in the current working directory, which allows local users to obtain sensitive information via a symlink attack involving a setgid or setuid application that uses this module. https://bugs.launchpad.net/ubuntu/+source/libnss-db/+bug/531976 ADV-2010-0903 ADV-2010-0841 ADV-2010-0776 USN-922-1 39132 MDVSA-2010:077 39165 oval:org.mitre.oval:def:6681 oval:org.mitre.oval:def:10727 FEDORA-2010-6203 Integer overflow in dvips in TeX Live 2009 and earlier, and teTeX, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted virtual font (VF) file associated with a DVI file. https://bugzilla.redhat.com/show_bug.cgi?id=572914 USN-937-1 http://www.tug.org/svn/texlive/trunk/Build/source/texk/dvipsk/ChangeLog?view=log http://www.tug.org/svn/texlive/trunk/Build/source/texk/dvipsk/ChangeLog?r1=18009&r2=18095 39971 http://security-tracker.debian.org/tracker/CVE-2010-0827 oval:org.mitre.oval:def:10052 SUSE-SR:2010:013 SUSE-SR:2010:012 Cross-site scripting (XSS) vulnerability in action/Despam.py in the Despam action module in MoinMoin 1.8.7 and 1.9.2 allows remote authenticated users to inject arbitrary web script or HTML by creating a page with a crafted URI. http://hg.moinmo.in/moin/1.9/rev/6e603e5411ca https://bugzilla.redhat.com/show_bug.cgi?id=578801 https://bugs.launchpad.net/ubuntu/+source/moin/+bug/538022 moinmoin-despam-xss(57435) ADV-2010-0834 ADV-2010-0831 ADV-2010-0767 USN-925-1 39110 DSA-2024 39284 39267 39190 39188 FEDORA-2010-6180 FEDORA-2010-6134 FEDORA-2010-6012 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575995 Multiple array index errors in set.c in dvipng 1.11 and 1.12, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed DVI file. https://bugzilla.redhat.com/show_bug.cgi?id=573999 ADV-2010-1219 USN-936-1 DSA-2048 39914 oval:org.mitre.oval:def:9718 SUSE-SR:2010:013 SUSE-SR:2010:012 FEDORA-2010-8279 Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header. 40063 glibc-elf-code-execution(58915) ADV-2010-1246 USN-944-1 MDVSA-2010:112 MDVSA-2010:111 DSA-2058 http://sourceware.org/git/?p=glibc.git;a=commit;h=db07e962b6ea963dbb345439f6ab9b0cf74d87c5 1024044 GLSA-201011-01 39900 http://frugalware.org/security/662 http://drosenbe.blogspot.com/2010/05/integer-overflow-in-ldso-cve-2010-0830.html Directory traversal vulnerability in the extract_jar function in jartool.c in FastJar 0.98 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in a non-initial pathname component in a filename within a .jar archive, a related issue to CVE-2005-1080. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-3619. https://launchpad.net/bugs/540575 https://bugzilla.redhat.com/show_bug.cgi?id=601823 https://bugzilla.redhat.com/show_bug.cgi?id=594497 ADV-2011-0121 ADV-2010-1553 41006 RHSA-2011:0025 65467 MDVSA-2010:122 42892 http://packages.debian.org/changelogs/pool/main/f/fastjar/fastjar_0.98-3/changelog [oss-security] 20100608 Re: jar, fastjar directory traversal vulnerabilities [oss-security] 20100608 Re: jar, fastjar directory traversal vulnerabilities [oss-security] 20100608 jar, fastjar directory traversal vulnerabilities pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1.1 in PAM on Ubuntu 9.10 and libpam-modules before 1.1.1-2ubuntu5 in PAM on Ubuntu 10.04 LTS allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a user's home directory, related to "user file stamps" and the motd.legal-notice file. 41465 pammotd-motdlegalnotice-priv-escalation(60194) ADV-2010-1747 USN-959-1 66116 http://www.h-online.com/security/news/item/Ubuntu-closes-root-hole-1034618.html 14273 http://twitter.com/jonoberheide/statuses/18009527979 40512 The pam_lsass library in Likewise Open 5.4 and CIFS 5.4 before build 8046, and 6.0 before build 8234, as used in HP StorageWorks X9000 Network Storage Systems and possibly other products, uses "SetPassword logic" when running as part of a root service, which allows remote attackers to bypass authentication for a Likewise Security Authority (lsassd) account whose password is marked as expired. http://www.likewise.com/community/index.php/forums/viewthread/772/ ADV-2011-0312 ADV-2010-1913 USN-964-1 1025031 20100726 [LWSA-2010-001] Likewise Open 5.4 & 6.0 43244 40736 40725 HPSBST02630 HPSBST02630 The base-files package before 5.0.0ubuntu7.1 on Ubuntu 9.10 and before 5.0.0ubuntu20.10.04.2 on Ubuntu 10.04 LTS, as shipped on Dell Latitude 2110 netbooks, does not require authentication for package installation, which allows remote archive servers and man-in-the-middle attackers to execute arbitrary code via a crafted package. 42280 ADV-2010-2015 USN-968-1 40889 Unspecified vulnerability in the Wireless component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Oracle Knowledge Management component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Pack200 component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:14276 oval:org.mitre.oval:def:10680 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a stack-based buffer overflow using an untrusted size value in the readMabCurveData function in the CMM module in the JVM. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html javase-javab-java2d-unspecifed(57346) http://www.zerodayinitiative.com/advisories/ZDI-10-061 ADV-2010-1793 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39069 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100405 ZDI-10-061: Sun Java Runtime CMM readMabCurveData Remote Code Execution Vulnerability RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 39819 39659 39317 39292 oval:org.mitre.oval:def:13923 oval:org.mitre.oval:def:10482 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1454 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html 43308 40545 39659 39317 oval:org.mitre.oval:def:13357 SUSE-SR:2010:017 SUSE-SR:2010:008 SSRT100179 SSRT100179 Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to improper checks when executing privileged methods in the Java Runtime Environment (JRE), which allows attackers to execute arbitrary code via (1) an untrusted object that extends the trusted class but has not modified a certain method, or (2) "a similar trust issue with interfaces," aka "Trusted Methods Chaining Remote Code Execution Vulnerability." Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html http://www.zerodayinitiative.com/advisories/ZDI-10-056 ADV-2010-1793 ADV-2010-1523 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39065 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100405 ZDI-10-056: Sun Java Runtime Environment Trusted Methods Chaining Remote Code Execution Vulnerability RHSA-2010:0489 RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 40211 39819 39659 39317 39292 oval:org.mitre.oval:def:9974 oval:org.mitre.oval:def:13971 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the ImageIO component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow in the Java Runtime Environment that allows remote attackers to execute arbitrary code via a JPEG image that contains subsample dimensions with large values, related to JPEGImageReader and "stepX". Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html http://www.zerodayinitiative.com/advisories/ZDI-10-054/ ADV-2010-1793 ADV-2010-1523 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39067 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100405 ZDI-10-054: Sun Java Runtime Environment JPEGImageReader stepX Remote Code Execution Vulnerability RHSA-2010:0489 RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 40211 39819 39659 39317 oval:org.mitre.oval:def:14144 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an uncontrolled array index that allows remote attackers to execute arbitrary code via a MIDI file with a crafted MixerSequencer object, related to the GM_Song structure. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html http://www.zerodayinitiative.com/advisories/ZDI-10-060 ADV-2010-1793 ADV-2010-1523 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39077 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100405 ZDI-10-060: Sun Java Runtime Environment MixerSequencer Invalid Array Index Remote Code Execution Vulnerability RHSA-2010:0489 RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 40211 39819 39659 39317 oval:org.mitre.oval:def:14101 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is related to XNewPtr and improper handling of an integer parameter when allocating heap memory in the com.sun.media.sound libraries, which allows remote attackers to execute arbitrary code. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html http://www.zerodayinitiative.com/advisories/ZDI-10-052/ ADV-2010-1793 ADV-2010-1523 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39083 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0489 RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 40211 39819 39659 39317 20100405 ZDI-10-052: Sun Java Runtime Environment XNewPtr Remote Code Execution Vulnerability oval:org.mitre.oval:def:14092 63492 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is for improper parsing of a crafted MIDI stream when creating a MixerSequencer object, which causes a pointer to be corrupted and allows a NULL byte to be written to arbitrary memory. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html http://www.zerodayinitiative.com/advisories/ZDI-10-053 ADV-2010-1793 ADV-2010-1523 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100405 ZDI-10-053: Sun Java Runtime Environment MIDI File metaEvent Remote Code Execution Vulnerability RHSA-2010:0489 RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 40211 39819 39659 39317 oval:org.mitre.oval:def:14282 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the HotSpot Server component in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update, and 23 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 MDVSA-2010:084 USN-923-1 43308 40545 39317 39292 oval:org.mitre.oval:def:9896 oval:org.mitre.oval:def:14521 SUSE-SR:2010:011 SUSE-SR:2010:008 SSRT100179 SSRT100179 Unspecified vulnerability in the ImageIO component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a heap-based buffer overflow that allows remote attackers to execute arbitrary code, related to an "invalid assignment" and inconsistent length values in a JPEG image encoder (JPEGImageEncoderImpl). Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html http://www.zerodayinitiative.com/advisories/ZDI-10-059 ADV-2010-1793 ADV-2010-1523 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39062 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100405 ZDI-10-059: Sun Java Runtime Environment JPEGImageEncoderImpl Remote Code Execution Vulnerability RHSA-2010:0489 RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 40211 39819 39659 39317 oval:org.mitre.oval:def:14503 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a heap-based buffer overflow that allows arbitrary code execution via a crafted image. http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1523 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39071 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0489 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 40211 39819 39317 39292 oval:org.mitre.oval:def:14453 oval:org.mitre.oval:def:10392 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 20100330 Oracle Java Runtime Environment Image FIle Buffer Overflow Vulnerability HPSBMA02547 HPSBMA02547 Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html 'Affected product releases and versions: • Java SE: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux • JDK 5.0 Update 23 and earlier for Solaris • SDK 1.4.2_25 and earlier for Solaris • Java for Business: • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux' http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 ADV-2010-1523 ADV-2010-1454 ADV-2010-1191 ADV-2010-1107 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39078 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0489 RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0339 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html MDVSA-2010:084 USN-923-1 http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 40211 39819 39659 39317 39292 oval:org.mitre.oval:def:9899 oval:org.mitre.oval:def:14350 SUSE-SR:2010:017 SUSE-SR:2010:011 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a heap-based buffer overflow in a decoding routine used by the JPEGImageDecoderImpl interface, which allows code execution via a crafted JPEG image. http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html http://www.zerodayinitiative.com/advisories/ZDI-10-057/ ADV-2010-1793 ADV-2010-1523 ADV-2010-1454 ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39073 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100405 ZDI-10-057: Sun Java Runtime Environment JPEGImageDecoderImpl Remote Code Execution Vulnerability RHSA-2010:0489 RHSA-2010:0471 RHSA-2010:0383 RHSA-2010:0338 RHSA-2010:0337 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 43308 40545 40211 39819 39659 39317 oval:org.mitre.oval:def:13795 SUSE-SR:2010:017 SUSE-SR:2010:008 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 SSRT100179 SSRT100179 Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html ADV-2010-1793 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 43308 40545 39317 SUSE-SR:2010:008 SSRT100179 SSRT100179 Unspecified vulnerability in the XML DB component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to affect confidentiality via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 39438 Unspecified vulnerability in the XML DB component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 39438 Unspecified vulnerability in the Oracle Internet Directory component in Oracle Database 9.2.0.8, 9.2.0.8, and DV; and Oracle Fusion Middleware 10.1.2.3 and 10.1.4.0.1; allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 39439 39438 Unspecified vulnerability in the Audit component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect integrity, related to "SELECT, INSERT or DELETE on tables subject to auditing." TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 39438 Unspecified vulnerability in the Portal component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023869 39439 Unspecified vulnerability in the Portal component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.2 allows remote attackers to affect availability via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023869 39442 39439 Unspecified vulnerability in the Oracle Workflow Cartridge component in Oracle E-Business Suite 11.5.10.2 allows remote authenticated users to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023859 39441 Unspecified vulnerability in the E-Business Intelligence component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023859 39441 Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2 ATG RUP6 allows remote attackers to affect confidentiality and integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023859 39441 Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to the Create User privilege. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 39438 Unspecified vulnerability in the Oracle HRMS (Self Service) component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect confidentiality via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023859 39441 Unspecified vulnerability in the Retail - Oracle Retail Markdown Optimization component in Oracle Industry Product Suite 13.1 allows remote attackers to affect integrity via unknown vectors related to Online Help. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html '1. For Oracle Retail Markdown Optimization, Plan, and Place In-Season, this vulnerability affects the Online Help and not the actual applications.' TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html oipsr-rmo-unspecifed(57742) 1023872 39444 Unspecified vulnerability in the Retail - Oracle Retail Plan In-Season component in Oracle Industry Product Suite 12.2 allows remote attackers to affect integrity via unknown vectors related to Online Help. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html oipsr-rplanis-unspecified(57744) 1023872 Unspecified vulnerability in the Retail - Oracle Retail Place In-Season component in Oracle Industry Product Suite 12.2 allows remote attackers to affect integrity via unknown vectors related to Online Help. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html#AppendixBU '1. For Oracle Retail Markdown Optimization, Plan, and Place In-Season, this vulnerability affects the Online Help and not the actual applications.' TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html oipsr-rplaceis-unspecified(57743) 1023872 Unspecified vulnerability in the Oracle Agile Engineering Data Management component in Oracle E-Business Suite 6.1.1.0 allows remote attackers to affect confidentiality via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023859 39441 Unspecified vulnerability in the JavaVM component in Oracle Database 11.1.0.7 and 11.2.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html Unspecified vulnerability in the JavaVM component in Oracle Database 10.2.0.4, 11.1.0.7, and 11.2.0.1.0 allows remote authenticated users to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect confidentiality and integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023859 39441 Unspecified vulnerability in the Oracle Transportation Management component in Oracle E-Business Suite 5.5.05.07, 5.5.06.00, and 6.0.03 allows remote attackers to affect confidentiality via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023859 39441 Unspecified vulnerability in the Change Data Capture component in Oracle Database 9.2.0.8 and 9.2.0.8DV allows remote authenticated users to affect confidentiality and integrity, related to SYS.DBMS_CDC_PUBLISH. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 39438 Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023859 39441 Unspecified vulnerability in the Oracle Internet Directory component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.3 allows remote attackers to affect availability via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 39439 Unspecified vulnerability in the Data Server component in Oracle TimesTen In-Memory Database 7.0.6.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Communications - Oracle Communications Unified Inventory Management component in Oracle Industry Product Suite 7.1 allows remote attackers to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023872 Unspecified vulnerability in the Life Sciences - Oracle Thesaurus Management System component in Oracle Industry Product Suite 4.5.2, 4.6, and 4.6.1 allows remote attackers to affect integrity, related to TMS Browser. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023872 Unspecified vulnerability in the Life Sciences - Oracle Clinical Remote Data Capture Option component in Oracle Industry Product Suite 4.5.3 and 4.6 allows remote attackers to affect integrity, related to RDC Onsite. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023872 Unspecified vulnerability in the PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.26 and 8.50.07 allows remote attackers to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html opejee-peopletools-unspecified-var1(57736) Unspecified vulnerability in the PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.26 and 8.50.07 allows remote authenticated users to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html opejee-peopletools-unspecified-var2(57737) Unspecified vulnerability in the PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.26 and 8.50.07 allows remote authenticated users to affect confidentiality via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html opejee-peopletools-unspecified-var3(57738) Unspecified vulnerability in the PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.26 and 8.50.07 allows remote attackers to affect confidentiality and integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html opejee-peopletools-unspecified(57735) Unspecified vulnerability in the User Interface Components in Oracle Collaboration Suite 10.1.2.4 allows remote attackers to affect integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1023871 39447 39440 Unspecified vulnerability in the Solaris component in Oracle Sun Product Suite 10 and OpenSolaris snv_134 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Trusted Extensions. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-solaris-unspecified(57747) 1020726 oval:org.mitre.oval:def:7023 Unspecified vulnerability in the Sun Cluster component in Oracle Sun Product Suite 3.1 and 3.2 allows local users to affect confidentiality via unknown vectors related to Data Service for Oracle E-Business Suite. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-cluster-unspecified(57759) 39460 1021808 Unspecified vulnerability in the Sun Cluster component in Oracle Sun Product Suite 3.1 and 3.2 allows local users to affect confidentiality via unknown vectors related to Data Service for Oracle E-Business Suite. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-cluster-unspecified-var1(57760) 39464 1021808 Unspecified vulnerability in the Sun Java System Communications Express component in Oracle Sun Product Suite 6 2005Q4 (6.2) and and 6.3 allows remote authenticated users to affect confidentiality via unknown vectors related to Address Book. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html 1022024 Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE and Java for Business JDK and JRE 6 Update 10 through 19 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html 'Notes: 1. Affects the Windows platform only. CVSS 10.0 score assumes running with Administrator privileges. Otherwise, CVSS score of 7.5 with Confidentiality, Integrity and Availability impacts of Partial+, Partial+ and Partial+.' http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html ADV-2010-1191 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 1022294 279590 39819 oval:org.mitre.oval:def:14216 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 Unspecified vulnerability in the New Java Plug-in component in Oracle Java SE and Java for Business JDK and JRE 6 Update 18 and 19 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. ADV-2010-1191 http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html http://support.apple.com/kb/HT4171 http://support.apple.com/kb/HT4170 39819 APPLE-SA-2010-05-18-2 APPLE-SA-2010-05-18-1 Unspecified vulnerability in the Sun Ray Server Software component in Oracle Sun Product Suite 4.0, 4.1, and 4.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Device Services. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-srss-unspecified(57745) 1021732 274590 Unspecified vulnerability in the Solaris component in Oracle Sun Product Suite OpenSolaris snv_68 through snv_128 allows local users to affect confidentiality via unknown vectors related to the Kernel. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-solars-unspecified-var1(57754) 1021697 273850 Unspecified vulnerability in the Solaris component in Oracle Sun Product Suite 10 and OpenSolaris snv_01 through snv_98 allows local users to affect availability via unknown vectors related to the Kernel. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-solaris-unspecified-var3(57758) 1023874 39459 1019619 242386 39435 oval:org.mitre.oval:def:7594 Unspecified vulnerability in the Sun Management Center component in Oracle Sun Product Suite 3.6.1 and 4.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Solaris Container Manager. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-smc-unspecified(57751) 1019908 248666 oval:org.mitre.oval:def:7233 Unspecified vulnerability in the Application Express component in Oracle Database Server 3.2.0.00.27 allows remote attackers to affect integrity via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html 'For patching information please see Critical Patch Update July 2010 Patch Availability Document for Oracle Products, My Oracle Support Note 1089044.1.' http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Sun Convergence component in Oracle Sun Product Suite 1.0 allows remote attackers to affect confidentiality via unknown vectors related to Mail. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-converge-unspecified(57756) 39446 1021807 276090 Unspecified vulnerability in the Sun Java System Access Manager component in Oracle Sun Product Suite 7.1, 7 2005Q4, and OpenSSO Enterprise 8.0 allows remote attackers to affect confidentiality and integrity via unknown vectors. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-sjsa-unspecified(57750) 39457 1020934 267568 39431 Unspecified vulnerability in the Solaris component in Oracle Sun Product Suite OpenSolaris snv_119 allows local users to affect integrity and availability via unknown vectors related to IP Filter. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-solaris-unspecified-var2(57757) 39455 Unspecified vulnerability in the Sun Convergence component in Oracle Sun Product Suite 1.0 allows remote attackers to affect confidentiality via unknown vectors related to Address Book and Mail Filter. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-convergence-unspecified(57748) Unspecified vulnerability in the Sun Java System Directory Server component in Oracle Sun Product Suite 5.2, 6.0, 6.1, 6.2, 6.3, and 6.3.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Directory Service Markup Language. TA10-103B http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html osps-sjsds-unspecified(57746) 39453 276210 Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2010-0898, CVE-2010-0907, and CVE-2010-0906. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html 'This bug is applicable to Windows only.' http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Network Layer component in Oracle Database Server 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1, when running on Windows, allows remote attackers to affect availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html 'Oracle Database Server Client-Only Installations The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2010-0900' Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html 'For patching information please see Critical Patch Update July 2010 Patch Availability Document for Oracle Products, My Oracle Support Note 1089044.1.' http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Export component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Select Any Dictionary. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Net Foundation Layer component in Oracle Database Server 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1, when running on Windows, allows remote attackers to affect availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html 'For patching information please see Critical Patch Update July 2010 Patch Availability Document for Oracle Products, My Oracle Support Note 1089044.1.' http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html 8356 8354 Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2 and 12.0.4 allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html 'CVSS Score is 9.0 for Windows based installation. For Linux, Unix and other platforms, the CVSS Base Score is 6.5, and the impacts for Confidentiality, Integrity and Availability are Partial.' http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2010-0898, CVE-2010-0899, CVE-2010-0904, and CVE-2010-0906. Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html 'CVSS Score is 10.0 for Windows based installation. For Linux, Unix and other platforms, the CVSS Base Score is 7.5, and the impacts for Confidentiality, Integrity and Availability are Partial.' http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect confidentiality via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Data Server component in Oracle TimesTen In-Memory Database 7.0.6.0 and 11.2.1.4.1 allows remote attackers to affect availability via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Listener component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote attackers to affect availability via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in Oracle Sun Convergence 1.0 allows remote attackers to affect confidentiality via unknown vectors related to Mail, Calendar, Address Book, and Instant Messaging. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in the Oracle Advanced Product Catalog component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Unspecified vulnerability in Oracle OpenSolaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to rdist. http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html Stack-based buffer overflow in VBScript in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, might allow user-assisted remote attackers to execute arbitrary code via a long string in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution when the F1 key is pressed, a different vulnerability than CVE-2010-0483. ms-win-winhlp32-bo(56560) http://www.theregister.co.uk/2010/03/01/ie_code_execution_bug/ 38473 http://www.microsoft.com/technet/security/advisory/981169.mspx http://isec.pl/vulnerabilities10.html http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt http://blogs.technet.com/msrc/archive/2010/03/01/security-advisory-981169-released.aspx Multiple unspecified vulnerabilities in the UltraLite functionality in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.281 for Domino 8.0.2 FP4 have unknown impact and attack vectors. inotes-ultralite-unspecified(56557) ADV-2010-0496 38459 http://www-01.ibm.com/support/docview.wss?uid=swg27018109 Stack-based buffer overflow in the Lotus Domino Web Access ActiveX control in IBM Lotus iNotes (aka Domino Web Access or DWA) 6.5, 7.0 before 7.0.4, 8.0, 8.0.2, and before 229.281 for Domino 8.0.2 FP4 allows remote attackers to execute arbitrary code via a long URL argument to an unspecified method, aka PRAD7JTNHJ. ADV-2010-0496 inotes-activex-bo(56555) ADV-2010-0495 38459 38457 62612 http://www-01.ibm.com/support/docview.wss?uid=swg27018109 http://www-01.ibm.com/support/docview.wss?uid=swg21421808 1023662 38755 38744 38681 20100301 IBM Lotus Domino Web Access ActiveX Stack Buffer Overflow Vulnerability Cross-site scripting (XSS) vulnerability in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.281 for Domino 8.0.2 FP4 allows remote attackers to inject arbitrary web script or HTML via vectors related to lack of "XSS/CSRF Get Filter and Referer Check fixes." ADV-2010-0496 38459 http://www-01.ibm.com/support/docview.wss?uid=swg27018109 Cross-site request forgery (CSRF) vulnerability in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.281 for Domino 8.0.2 FP4 allows remote attackers to hijack the authentication of unspecified victims via vectors related to lack of "XSS/CSRF Get Filter and Referer Check fixes." inotes-getfilter-csrf(56556) ADV-2010-0496 38459 http://www-01.ibm.com/support/docview.wss?uid=swg27018109 Unspecified vulnerability in secldapclntd in IBM AIX 5.3 with SP 5300-11-02 allows attackers to cause a denial of service (LDAP login failure) via unknown vectors. NOTE: some of these details are obtained from third party information. NOTE: there may be no attacker role, and the issue may be triggered entirely by an administrator's installation of an official service pack. Per: ftp://public.dhe.ibm.com/aix/efixes/iz69977/ IZ69977.epkg.Z http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4956 38444 IZ69977 ftp://public.dhe.ibm.com/aix/efixes/iz69977/README.txt Race condition in workspace/krunner/lock/lockdlg.cc in the KRunner lock module in kdebase in KDE SC 4.4.0 allows physically proximate attackers to bypass KScreenSaver screen locking and access an unattended workstation by pressing the Enter key at a certain time, related to multiple forked processes. ADV-2010-0409 http://websvn.kde.org/?view=revision&revision=1089241 http://websvn.kde.org/?revision=1089213&view=revision https://bugzilla.novell.com/show_bug.cgi?id=579280 https://bugs.kde.org/show_bug.cgi?id=217882 [oss-security] 20100217 Re: Re: CVE Request: KDE screensaver unlock issue similar to GNOME one http://www.kde.org/info/security/advisory-20100217-1.txt http://websvn.kde.org/trunk/KDE/kdebase/workspace/krunner/lock/lockdlg.cc?r1=1089213&r2=1089212&pathrev=1089213 1023641 38600 [oss-security] 20100212 Re: Re: CVE Request: KDE screensaver unlock issue similar to GNOME one [oss-security] 20100212 Re: CVE Request: KDE screensaver unlock issue similar to GNOME one [oss-security] 20100212 CVE Request: KDE screensaver unlock issue similar to GNOME one http://bugs.kde.org/show_bug.cgi?id=226449 cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 in Apple Safari 4.0.3 and 4.0.4 on Windows, allows remote attackers to cause a denial of service (application crash) via a long string in the BACKGROUND attribute of a BODY element. 38447 http://nobytes.com/exploits/Safari_4.0.4_background_DoS_pl.txt cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 in Apple Safari 4.0.4 on Windows, allows remote attackers to cause a denial of service (application crash) via a long string in the SRC attribute of a (1) IMG or (2) IFRAME element. http://nobytes.com/exploits/Safari_4.0.4_background_DoS_pl.txt The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options. https://bugzilla.samba.org/show_bug.cgi?id=7104 https://bugzilla.redhat.com/show_bug.cgi?id=562568 http://www.samba.org/samba/news/symlink_attack.html [oss-security] 20100305 Re: Samba symlink 0day flaw [oss-security] 20100206 Re: Samba symlink 0day flaw 39317 [samba-technical] 20100207 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100206 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100206 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100206 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 re: Claimed Zero Day exploit in Samba. [samba-technical] 20100205 Claimed Zero Day exploit in Samba. [oss-security] 20100305 Re: Samba symlink 0day flaw [oss-security] 20100206 Re: Samba symlink 0day flaw [oss-security] 20100205 Re: Samba symlink 0day flaw [oss-security] 20100205 Re: Samba symlink 0day flaw [oss-security] 20100205 Samba symlink 0day flaw 20100205 Re: Samba Remote Zero-Day Exploit SUSE-SR:2010:014 SUSE-SR:2010:008 http://gitweb.samba.org/?p=samba.git;a=commit;h=bd269443e311d96ef495a9db47d1b95eb83bb8f4 http://blog.metasploit.com/2010/02/exploiting-samba-symlink-traversal.html 20100204 Re: Samba Remote Zero-Day Exploit 20100204 Re: Samba Remote Zero-Day Exploit 20100204 Samba Remote Zero-Day Exploit Cross-site scripting (XSS) vulnerability in help/readme.nsf/Header in the Help component in IBM Lotus Domino 7.x before 7.0.4 and 8.x before 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the BaseTarget parameter in an OpenPage action. NOTE: this may overlap CVE-2010-0920. 38481 http://www.cybsec.com/vuln/CYBSEC_Advisory_2010_0301_IBM_%20Lotus_Dominio_Readme_nsf_Reflected_XSS.pdf OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." openssl-fwe-weak-security(56750) http://www.theregister.co.uk/2010/03/04/severe_openssl_vulnerability/ 62808 http://www.networkworld.com/news/2010/030410-rsa-security-attack.html http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf http://rdist.root.org/2010/03/08/attacking-rsa-exponentiation-with-fault-injection/ The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (daemon crash) via crafted data beginning with a byte sequence of 0x4c, 0xb3, 0xff, 0xff, and 0xff. 36261 [dailydave] 20100304 Perforce The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (infinite loop) via crafted data that includes a byte sequence of 0xdc, 0xff, 0xff, and 0xff immediately before the client protocol version number. 36261 [dailydave] 20100304 Perforce The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (daemon crash) via crafted data, possibly involving a large sndbuf value. 36261 [dailydave] 20100304 Perforce The FTP server in Perforce Server 2008.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a certain MKD command. 36261 [dailydave] 20100304 Perforce Directory traversal vulnerability in Perforce Server 2008.1 allows remote authenticated users to create arbitrary files via a .. (dot dot) in the argument to the "p4 add" command. 36261 [dailydave] 20100304 Perforce The triggers functionality in Perforce Server 2008.1 allows remote authenticated users with super privileges to execute arbitrary operating-system commands by using a "p4 client" command in conjunction with the form-in trigger script. 36261 [dailydave] 20100304 Perforce Perforce Server 2009.2 and earlier, when the protection table is empty, allows remote authenticated users to obtain super privileges via a "p4 protect" command. 36261 http://www.perforce.com/perforce/doc.current/manuals/cmdref/protect.html [dailydave] 20100304 Perforce Cross-site scripting (XSS) vulnerability in auth.asp on the D-LINK DKVM-IP8 with firmware 2282_dlinkA4_p8_20071213 allows remote attackers to inject arbitrary web script or HTML via the nickname parameter. dkvmip8-auth-xss(55429) ADV-2010-0083 37646 11030 38051 61615 Multiple unspecified vulnerabilities in Visualization Library before 2009.08.812 have unknown impact and attack vectors. visualizationlibrary-multiple-unspecified(55478) ADV-2010-0050 37644 http://visualizationlibrary.com/documentation/pagchangelog.html Cross-site scripting (XSS) vulnerability in todooforum.php in Todoo Forum 2.0 allows remote attackers to inject arbitrary web script or HTML via the id_forum parameter in a post action. todooforum-todooforum-xss(55502) 11099 38060 http://packetstormsecurity.org/1001-exploits/todooforum-xss.txt Visialis ABB Forum 1.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for fpdb/abb.mdb. abb-abb-info-disclosure(55505) 11096 http://packetstormsecurity.org/1001-exploits/abbforums-dislclose.txt Cross-site scripting (XSS) vulnerability in guestbook.php in Simple PHP Guestbook 1.0 allows remote attackers to inject arbitrary web script or HTML via the action parameter. simplephpguestbook-guestbook-xss(55522) 11077 38053 http://packetstormsecurity.org/1001-exploits/simplephpgb-xss.txt 61614 Multiple cross-site scripting (XSS) vulnerabilities in eTek Systems Hit Counter 2.0 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) inc/login.php, (3) admin/index.php, and (4) admin/forgot.php. hitcounter-index-xss(55285) 61444 61443 61442 10887 38052 http://packetstormsecurity.org/1001-exploits/hitcounter-xss.txt Directory traversal vulnerability in the jVideoDirect (com_jvideodirect) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. jvideodirect-index-directory-traversal(55513) 37694 11089 http://packetstormsecurity.org/1001-exploits/joomlajvideodirect-traversal.txt Directory traversal vulnerability in the JA Showcase (com_jashowcase) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a jashowcase action to index.php. jashowcase-index-directory-traversal(55512) 37692 11090 33486 http://packetstormsecurity.org/1001-exploits/joomlajashowcase-traversal.txt Directory traversal vulnerability in the JCollection (com_jcollection) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. jcollection-index-directory-traversal(55514) 37691 11088 http://packetstormsecurity.org/1001-exploits/joomlajcollection-traversal.txt SQL injection vulnerability in the HotBrackets Tournament Brackets (com_hotbrackets) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. hotbrackets-id-sql-injection(54986) ADV-2010-0021 37439 http://www.packetstormsecurity.org/0912-exploits/joomlahotbrackets-sql.txt 10953 SQL injection vulnerability in the Keep It Simple Stupid (KISS) Software Advertiser (com_ksadvertiser) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter in a showcats action to index.php. kisssoftware-index-sql-injection(55526) 37682 http://explo.it/exploits/11068 Cross-site scripting (XSS) vulnerability in post.aspx in Max Network Technology BBSMAX 3.0, 4.1, and 4.2 allows remote attackers to inject arbitrary web script or HTML via the action parameter. 38592 20100306 [xss] a xss on "action" parameter in BBSMAX http://packetstormsecurity.org/1003-exploits/bbsmax-xss.txt SQL injection vulnerability in profil.php in Bigforum 4.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. bigforum-profil-sql-injection(56723) 38597 11646 38872 http://packetstormsecurity.org/1003-exploits/bigforum-sql.txt 62778 Multiple cross-site scripting (XSS) vulnerabilities in Natychmiast CMS allow remote attackers to inject arbitrary web script or HTML via the id_str parameter to (1) index.php and (2) a_index.php. natychmiast-index-xss(56724) 38561 20100305 SQL injection vulnerability in Natychmiast CMS http://www.packetstormsecurity.com/1003-exploits/natychmiast-sqlxss.txt Multiple SQL injection vulnerabilities in Natychmiast CMS allow remote attackers to execute arbitrary SQL commands via the id_str parameter to (1) index.php and (2) a_index.php. natychmiast-index-sql-injection(56725) 38561 20100305 SQL injection vulnerability in Natychmiast CMS http://www.packetstormsecurity.com/1003-exploits/natychmiast-sqlxss.txt SQL injection vulnerability in go_target.php in dev4u CMS allows remote attackers to execute arbitrary SQL commands via the kontent_id parameter. dev4ucms-gotarget-sql-injection(56722) 38577 11643 http://packetstormsecurity.org/1003-exploits/dev4u-sql.txt SQL injection vulnerability in index.php in OneCMS 2.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the user parameter in an elite action. onecms-index-sql-injection(56700) 38557 11635 30378 http://packetstormsecurity.org/1003-exploits/onecmsv25-sql.txt Directory traversal vulnerability in mod.php in phpCOIN 1.2.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the mod parameter. phpcoin-mod-file-include(56721) 38576 11641 SQL injection vulnerability in search_result.asp in Pre Projects Pre E-Learning Portal allows remote attackers to execute arbitrary SQL commands via the course_ID parameter. preelearning-searchresult-sql-injection(56729) 38582 http://www.packetstormsecurity.com/1003-exploits/preelearningportal-sql.txt 38891 62774 http://evilc0de.blogspot.com/2010/03/pre-e-learning-portal-sql-injection.html SQL injection vulnerability in index.php in Bild Flirt Community 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. bildflirt-index-sql-injection(56727) 38585 11648 38870 http://packetstormsecurity.org/1003-exploits/bildflirt-sql.txt 62780 http://4004securityproject.wordpress.com/2010/03/07/bild-flirt-system-v2-0-index-php-id-sql-injection/ SQL injection vulnerability in index.php in OpenCart 1.3.2 allows remote attackers to execute arbitrary SQL commands via the page parameter. 38605 http://packetstormsecurity.org/1003-exploits/opencart-sql.txt Directory traversal vulnerability in content.php in Saskia's Shopsystem beta1 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the id parameter. shopsystem-content-file-include(56358) 38574 11433 http://packetstormsecurity.org/1002-exploits/saskiashopsystem-lfi.txt Directory traversal vulnerability in modules/hayoo/index.php in Tribisur 2.1, 2.0, and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary files via directory traversal sequences in the theme parameter. NOTE: some of these details are obtained from third party information. 38596 11655 28362 http://packetstormsecurity.org/1003-exploits/tribisur-lfi.txt Cross-site scripting (XSS) vulnerability in WebEditor/Authentication/LoginPage.aspx in IBM ENOVIA SmarTeam 5 allows remote attackers to inject arbitrary web script or HTML via the errMsg parameter. 38612 20100309 IBM ENOVIA SmarTeam v5 Cross Site Scripting Vulnerability 62901 Buffer overflow in qosmod in bos.net.tcp.server in IBM AIX 6.1 and VIOS 2.1 allows local users to gain privileges via unspecified vectors. ADV-2010-0557 IZ71870 IZ71627 IZ71555 IZ68231 1023695 oval:org.mitre.oval:def:6822 http://aix.software.ibm.com/aix/efixes/security/qosmod_advisory.asc Buffer overflow in qoslist in bos.net.tcp.server in IBM AIX 6.1 and VIOS 2.1 allows local users to gain privileges via unspecified vectors. ADV-2010-0556 IZ71869 IZ71590 IZ71554 IZ68194 1023694 oval:org.mitre.oval:def:12051 http://aix.software.ibm.com/aix/efixes/security/qoslist_advisory.asc The FTP proxy server in Apple AirPort Express, AirPort Extreme, and Time Capsule with firmware 7.5 does not restrict the IP address and port specified in a PORT command from a client, which allows remote attackers to leverage intranet FTP servers for arbitrary TCP forwarding via a crafted PORT command. apple-ftpproxy-security-bypass(56701) 38543 20100309 Re: Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass 20100304 Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass 20100304 Apple Airport Wireless Products: Promiscuous FTP PORT Allowed in FTP Proxy Provides Security Bypass Cross-site scripting (XSS) vulnerability in index.php in dl Download Ticket Service before 0.7 allows remote attackers to inject arbitrary web script or HTML via the t parameter, related to an invalid ticket ID. NOTE: some of these details are obtained from third party information. 38700 http://freshmeat.net/projects/dl-ticket-service [dl-ticket-service] 20100311 dl 0.7 released 38898 62884 SQL injection vulnerability in start.php in Eros Webkatalog allows remote attackers to execute arbitrary SQL commands via the id parameter in a rubrik action. eroswebkatalog-start-sql-injection(56851) 11689 38900 http://packetstormsecurity.org/1003-exploits/eroserotikwebkat-sql.txt 62902 http://4004securityproject.wordpress.com/2010/03/11/eros-erotik-webkatalog-start-php-rubrikidsql-injection/ Jevci Siparis Formu Scripti stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for siparis.mdb. jevci-siparis-information-disclosure(56794) 38893 http://packetstormsecurity.org/1003-exploits/jevci-disclose.txt 62843 PHP remote file inclusion vulnerability in inc/config.php in deV!L`z Clanportal (DZCP) 1.5.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the basePath parameter. ADV-2010-0615 11735 38902 Multiple directory traversal vulnerabilities in Geekhelps ADMP 1.01, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the style parameter to (1) colorvoid/footer.php, (2) default-green/footer.php, (3) default-orange/footer.php, and (4) default/footer.php in themes/. NOTE: some of these details are obtained from third party information. geekhelpsadmp-style-file-include(56857) ADV-2010-0612 11721 38949 62918 62917 62916 62915 SQL injection vulnerability in bannershow.php in Geekhelps ADMP 1.01 allows remote attackers to execute arbitrary SQL commands via the click parameter. ADV-2010-0612 11721 Unbound before 1.4.3 does not properly align structures on 64-bit platforms, which allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors. [unbound-users] 20100311 Unbound 1.4.3 release 38701 [oss-security] 20100312 CVE Request -- Unbound v1.4.3 -- 64 bit platforms specific remote DoS 38888 62903 [oss-security] 20100316 Re: CVE Request -- Unbound v1.4.3 -- 64 bit platforms specific remote DoS http://bugs.gentoo.org/show_bug.cgi?id=309117 SQL injection vulnerability in phpmylogon.php in PhpMyLogon 2 allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information. phpmylogon-phpmylogon-sql-injection(56868) ADV-2010-0614 11737 Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information. atutor-add-xss(56852) 38656 11685 38906 http://packetstormsecurity.org/1003-exploits/atutor-xss.txt 62906 62905 62904 Directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. gcalendar-index-file-include(56863) 11738 38925 SQL injection vulnerability in index.php in phppool media Domain Verkaus and Auktions Portal allows remote attackers to execute arbitrary SQL commands via the id parameter. verkaus-index-sql-injection(56872) ADV-2010-0616 11733 38939 http://4004securityproject.wordpress.com/2010/03/14/phppool-media-domain-verkaufs-und-auktions-portal-index-php-sql-injection/ Multiple SQL injection vulnerabilities in PHPCityPortal allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) video_show.php, (2) spotlight_detail.php, (3) real_estate_details.php, and (4) auto_details.php. phpcityportal-id-sql-injection(56811) 38649 http://www.packetstormsecurity.com/1003-exploits/phpcityportal-sqlrfi.txt 11678 PHP remote file inclusion vulnerability in external.php in PHPCityPortal allows remote attackers to execute arbitrary PHP code via a URL in the url parameter. phpcityportal-external-file-include(56812) 11678 http://packetstormsecurity.org/1003-exploits/phpcityportal-sqlrfi.txt Acidcat CMS 3.5.x does not prevent access to install.asp after installation finishes, which might allow remote attackers to restart the installation process and have unspecified other impact via requests to install.asp and other install_*.asp scripts. NOTE: the final installation screen states "Important: you must now delete all files beginning with 'install' from the root directory." acidcat-install-info-disclosure(55331) 10972 http://packetstormsecurity.org/1001-exploits/acidcatcms-disclose.txt PD PORTAL 4.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/db.mdb. 10995 38109 http://packetstormsecurity.org/1001-exploits/pdportal-disclose.txt 61468 KMSoft Guestbook (aka GBook) 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/db.mdb. kmsoft-guestbok-db-info-disclosure(55376) 11005 38076 http://packetstormsecurity.org/1001-exploits/kmsoftgb-disclose.txt 61487 Cross-site scripting (XSS) vulnerability in display.php in Obsession-Design Image-Gallery (ODIG) 1.1 allows remote attackers to inject arbitrary web script or HTML via the folder parameter. ADV-2010-0048 38107 http://packetstormsecurity.org/1001-exploits/odig-xss.txt SQL injection vulnerability in player.php in Left 4 Dead (L4D) Stats 1.1 allows remote attackers to execute arbitrary SQL commands via the steamid parameter. left4deadstats-player-sql-injection(55299) 10930 38008 http://packetstormsecurity.org/1001-exploits/left4deadstats-sql.txt 61472 http://greyhathackers.wordpress.com/2010/01/02/left-4-dead-stats-1-1-sql-injection-vulnerability/ SQL injection vulnerability in the TPJobs (com_tpjobs) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id_c[] parameter in a resadvsearch action to index.php. tpjobs-idc-sql-injection(55350) ADV-2010-0023 37591 10950 38001 http://packetstormsecurity.org/0912-exploits/joomlatpjobs-sql.txt 61477 Directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. 37581 37917 http://packetstormsecurity.org/1001-exploits/joomlacartweberp-lfi.txt 61447 PHP remote file inclusion vulnerability in include/mail.inc.php in Rezervi 3.0.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the root parameter, a different vector than CVE-2007-2156. rezervi-mailinc-file-include(55341) ADV-2010-0016 37589 10967 38118 http://packetstormsecurity.org/1001-exploits/rezervi-rfi.txt 61450 Acidcat CMS 3.5.3 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing credentials via a direct request for databases/acidcat_3.mdb. acidcat-acidcat3-info-disclosure(55329) 10972 38084 http://packetstormsecurity.org/1001-exploits/acidcatcms-disclose.txt 61436 Directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. abbreviations-index-file-include(55348) 37560 10948 37834 61458 Adobe Shockwave Player before 11.5.7.609 does not properly process asset entries, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted Shockwave file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 40086 20100512 Secunia Research: Adobe Shockwave Player Asset Entry Parsing Vulnerability http://secunia.com/secunia_research/2010-34/ 38751 oval:org.mitre.oval:def:6967 Heap-based buffer overflow in Adobe Shockwave Player before 11.5.7.609 might allow remote attackers to execute arbitrary code via crafted embedded fonts in a Shockwave file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 40093 20100512 Secunia Research: Adobe Shockwave Player Font Processing Buffer Overflow http://secunia.com/secunia_research/2010-50/ 38751 oval:org.mitre.oval:def:7052 Multiple unspecified vulnerabilities in Pulse CMS before 1.2.3 allow (1) remote attackers to write to arbitrary files and execute arbitrary PHP code via vectors related to improper handling of login failures by includes/login.php; and allow remote authenticated users to write to arbitrary files and execute arbitrary PHP code via vectors involving the (2) filename and (3) block parameters to view.php. 38956 20100324 Secunia Research: Pulse CMS login.php Arbitrary File Writing Vulnerability 20100324 Secunia Research: Pulse CMS Arbitrary File Writing Vulnerability 63168 63166 http://secunia.com/secunia_research/2010-51/ http://secunia.com/secunia_research/2010-45/ 39011 Directory traversal vulnerability in delete.php in Pulse CMS before 1.2.3 allows remote authenticated users to delete arbitrary files via directory traversal sequences in the f parameter. 38947 20100324 Secunia Research: Pulse CMS Arbitrary File Deletion Vulnerability 63167 http://secunia.com/secunia_research/2010-48/ 39011 Stack-based buffer overflow in Creative Software AutoUpdate Engine ActiveX Control 2.0.12.0, as used in Creative Software AutoUpdate 1.40.01, allows remote attackers to execute arbitrary code via vectors related to the BrowseFolder method. 40768 20100611 Secunia Research: Creative Software AutoUpdate Engine 2 ActiveX Control Buffer Overflow http://secunia.com/secunia_research/2010-52/ 38970 Multiple heap-based buffer overflows in imlib2 1.4.3 allow context-dependent attackers to execute arbitrary code via a crafted (1) ARGB, (2) XPM, or (3) BMP file, related to the IMAGE_DIMENSIONS_OK macro in lib/image.h. ADV-2010-0959 20100421 Secunia Research: imlib2 "IMAGE_DIMENSIONS_OK()" Logic Error http://secunia.com/secunia_research/2010-54/ 39354 Multiple cross-site request forgery (CSRF) vulnerabilities in Pulse CMS Basic 1.2.2 and 1.2.3, and possibly Pulse Pro before 1.3.2, allow remote attackers to hijack the authentication of users for requests that (1) upload image files, (2) delete image files, or (3) create blocks. http://pulsecms.com/blog.php 20100409 Secunia Research: Pulse CMS Cross-Site Request Forgery http://secunia.com/secunia_research/2010-46/ 39046 Unrestricted file upload vulnerability in Pulse CMS Basic 1.2.2 and 1.2.3, and possibly Pulse Pro before 1.3.2, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. Per: http://cwe.mitre.org/data/definitions/434.html 'Unrestricted Upload of File with Dangerous Type' http://pulsecms.com/blog.php 20100409 Secunia Research: Pulse CMS Arbitrary File Upload Vulnerability http://secunia.com/secunia_research/2010-47/ 39046 Multiple buffer overflows in src/vl/vlDAT.cpp in Visualization Library 2009.08.812 allow user-assisted remote attackers to execute arbitrary code via a crafted DAT file, related to the (1) vl::loadDAT and (2) vl::isDAT functions. 39471 20100414 Secunia Research: Visualization Library DAT File Parsing Vulnerabilities http://secunia.com/secunia_research/2010-02/ 38162 Stack-based buffer overflow in Internet Download Manager (IDM) before 5.19 allows remote attackers to execute arbitrary code via a crafted FTP URI that causes unspecified "test sequences" to be sent from client to server. 39822 20100430 Secunia Research: Internet Download Manager FTP Buffer Overflow Vulnerability http://www.internetdownloadmanager.com/news.html http://secunia.com/secunia_research/2010-62/ 39446 Unrestricted file upload vulnerability in e107 before 0.7.20 allows remote authenticated users to execute arbitrary code by uploading a .php.filetypesphp file. NOTE: the vendor disputes the significance of this issue, noting that "an odd set of preferences and a missing file" are required. Per: http://cwe.mitre.org/data/definitions/434.html 'CWE-434: Unrestricted Upload of File with Dangerous Type' http://e107.org/comment.php?comment.news.864 e107-phpfiletypesphp-file-upload(57932) ADV-2010-0919 39540 20100419 Secunia Research: e107 Avatar/Photograph Image File Upload Vulnerability http://secunia.com/secunia_research/2010-44/ 39013 http://e107.org/svn_changelog.php?version=0.7.20 Cross-site scripting (XSS) vulnerability in 107_plugins/content/content_manager.php in the Content Management plugin in e107 before 0.7.20, when the personal content manager is enabled, allows user-assisted remote authenticated users to inject arbitrary web script or HTML via the content_heading parameter. http://e107.org/comment.php?comment.news.864 e107-contentmanager-xss(57933) ADV-2010-0919 39539 20100419 Secunia Research: e107 Content Management Plugin Script Insertion Vulnerability http://secunia.com/secunia_research/2010-43/ 39013 http://e107.org/svn_changelog.php?version=0.7.20 Multiple stack-based buffer overflows in Free Download Manager (FDM) before 3.0.852 allow remote attackers to execute arbitrary code via vectors involving (1) the folders feature in Site Explorer, (2) the websites feature in Site Explorer, (3) an FTP URI, or (4) a redirect. fdm-siteexplorer-bo(58626) 40146 20100513 Secunia Research: Free Download Manager Four Buffer Overflow Vulnerabilities http://secunia.com/secunia_research/2010-68/ 39447 oval:org.mitre.oval:def:7006 64674 64673 64672 64671 Directory traversal vulnerability in Free Download Manager (FDM) before 3.0.852 allows remote attackers to create arbitrary files via directory traversal sequences in the name attribute of a file element in a metalink file. fdm-name-directory-traversal(58627) 40152 20100513 Secunia Research: Free Download Manager metalink "name" Directory Traversal http://secunia.com/secunia_research/2010-67/ oval:org.mitre.oval:def:7284 64670 Directory traversal vulnerability in KGet in KDE SC 4.0.0 through 4.4.3 allows remote attackers to create arbitrary files via directory traversal sequences in the name attribute of a file element in a metalink file. Per: http://www.kde.org/info/security/advisory-20100513-1.txt 'Patches have been committed to the KDE Subversion repository in the following revision numbers: 4.3 branch: r1126227 4.4 branch: r1124974 Trunk: r1124976' kde-name-directory-traversal(58628) ADV-2011-1101 ADV-2010-3096 ADV-2010-1144 ADV-2010-1142 USN-938-1 40141 20100514 Re: Secunia Research: KDE KGet Insecure File Operation Vulnerability 20100513 Secunia Research: KDE KGet metalink MDVSA-2010:098 http://www.kde.org/info/security/advisory-20100513-1.txt 1023984 http://secunia.com/secunia_research/2010-69/ 42423 39787 39528 64690 [oss-security] 20100513 KDENetwork vulnerabilities SUSE-SR:2010:024 FEDORA-2011-5211 FEDORA-2010-18029 Directory traversal vulnerability in www/editor/tiny_mce/langs/language.php in eFront 3.5.x through 3.5.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the langname parameter. 38787 http://www.efrontlearning.net/product/efront-news/265-important-security-fix.html http://www.coresecurity.com/content/efront-php-file-inclusion http://forum.efrontlearning.net/viewtopic.php?f=15&t=1945 20100316 CORE-2010-0311 - eFront-learning PHP file inclusion vulnerability 63028 SQL injection vulnerability in the Yet another TYPO3 search engine (YATSE) extension before 0.3.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38808 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/yatse/0.3.2/ Cross-site scripting (XSS) vulnerability in the Yet another TYPO3 search engine (YATSE) extension before 0.3.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 38808 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/yatse/0.3.2/ SQL injection vulnerability in the Brainstorming extension 0.1.8 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38798 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ Unspecified vulnerability in the Power Extension Manager (ch_lightem) extension 1.0.34 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors. 38811 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ Cross-site scripting (XSS) vulnerability in the Sellector.com Widget Integration (chsellector) extension before 0.1.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 38816 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/chsellector/0.1.2/ SQL injection vulnerability in the Educator extension 0.1.5 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38789 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ SQL injection vulnerability in the MK Wastebasket (mk_wastebasket) extension 2.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38792 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ Cross-site scripting (XSS) vulnerability in the myDashboard (mydashboard) extension 0.1.13 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 38795 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ SQL injection vulnerability in the CleanDB (nf_cleandb) extension 1.0.7 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38810 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ SQL injection vulnerability in the Diocese of Portsmouth Database (pd_diocesedatabase) extension before 0.7.13 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38812 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/pd_diocesedatabase/0.7.13/ 63034 38996 Cross-site scripting (XSS) vulnerability in the Reports Logfile View (reports_logview) extension 1.2.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 38823 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ SQL injection vulnerability in the SAV Filter Alphabetic (sav_filter_abc) extension before 1.0.9 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38801 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/sav_filter_abc/1.0.9/ 63033 38995 SQL injection vulnerability in the SAV Filter Selectors (sav_filter_selectors) extension before 1.0.5 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38804 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/sav_filter_selectors/1.0.5/ SQL injection vulnerability in the SAV Filter Months (sav_filter_months) extension before 1.0.5 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38806 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/sav_filter_months/1.0.5/ 63035 38994 SQL injection vulnerability in the Book Reviews (sk_bookreview) extension 0.0.12 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38803 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ SQL injection vulnerability in the Simple Gallery (sk_simplegallery) extension 0.0.9 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38796 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ Cross-site scripting (XSS) vulnerability in the Simple Gallery (sk_simplegallery) extension 0.0.9 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 38796 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ Cross-site scripting (XSS) vulnerability in the Typo3 Quixplorer (t3quixplorer) extension before 1.7.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/t3quixplorer/1.7.1/ 38818 38993 63036 The TYPO3 Security - Salted user password hashes (t3sec_saltedpw) extension before 0.2.13 for TYPO3 allows remote attackers to bypass authentication via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/t3sec_saltedpw/0.2.13/ 38799 38992 Cross-site scripting (XSS) vulnerability in the UserTask Center, Recent (taskcenter_recent) extension 0.1.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/taskcenter_recent/0.2.0/ 63037 38797 38985 SQL injection vulnerability in the TGM-Newsletter (tgm_newsletter) extension 0.0.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 38805 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/tgm_newsletter/0.0.3/ tgmnewsletter-unspecified-sql-injection(56978) Cross-site scripting (XSS) vulnerability in the TGM-Newsletter (tgm_newsletter) extension 0.0.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ http://typo3.org/extensions/repository/view/tgm_newsletter/0.0.3/ tgmnewsletter-unspecified-xss(56977) 38805 SQL injection vulnerability in the CleanDB - DBAL (tmsw_cleandb) extension 2.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. cleandbdbal-unspecified-sql-injection(56979) 38800 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ SQL injection vulnerability in the Meet Travelmates (travelmate) extension 0.1.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. travelmates-unspecified-sql-injection(56980) 38802 http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-006/ Integer overflow in the decompression functionality in the Web Open Fonts Format (WOFF) decoder in Mozilla Firefox 3.6 before 3.6.2 and 3.7 before 3.7 alpha 3 allows remote attackers to execute arbitrary code via a crafted WOFF file that triggers a buffer overflow, as demonstrated by the vd_ff module in VulnDisco 9.0. VU#964549 https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/ https://bugzilla.mozilla.org/show_bug.cgi?id=552216 http://www.mozilla.org/security/announce/2010/mfsa2010-08.html http://www.h-online.com/security/news/item/Zero-day-exploit-for-Firefox-3-6-936124.html http://secunia.com/community/forum/thread/show/3592 38608 oval:org.mitre.oval:def:7969 http://blog.psi2.de/en/2010/02/20/going-commercial-with-firefox-vulnerabilities/ http://blog.mozilla.com/security/2010/03/18/update-on-secunia-advisory-sa38608/ http://blog.mozilla.com/security/2010/02/22/secunia-advisory-sa38608/ Stack consumption vulnerability in the WebCore::CSSSelector function in WebKit, as used in Apple Safari 4.0.4, Apple Safari on iPhone OS and iPhone OS for iPod touch, and Google Chrome 4.0.249, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a STYLE element composed of a large number of *> sequences. webkit-cssselector-dos(56527) safari-chrome-css-bo(56524) ADV-2011-0212 38398 11574 11567 43068 oval:org.mitre.oval:def:14301 SUSE-SR:2011:002 Unspecified vulnerability in HP-UX B.11.31, with AudFilter rules enabled, allows local users to cause a denial of service via unknown vectors. SSRT100010 SSRT100010 1023772 39046 oval:org.mitre.oval:def:11779 Unspecified vulnerability in HP Insight Control for Linux (aka IC-Linux or ICE-LX) 2.11 and earlier allows local users to gain privileges via unknown vectors. HPSBMA02513 HPSBMA02513 ADV-2010-0750 39052 1023771 39227 Unspecified vulnerability in HP HP-UX B.11.11 allows local users to cause a denial of service via unknown vectors. ADV-2010-0948 39537 oval:org.mitre.oval:def:12146 SSRT100051 SSRT100051 Multiple stack-based buffer overflows in a certain Tetradyne ActiveX control in HP Operations Manager 7.5, 8.10, and 8.16 might allow remote attackers to execute arbitrary code via a long string argument to the (1) LoadFile or (2) SaveFile method, related to srcvw32.dll and srcvw4.dll. operations-manager-sourceview-bo(57938) ADV-2010-0946 39578 http://www.corelan.be:8800/wp-content/forum-file-uploads/mr_me/hpoperationsmngr.html.txt http://www.corelan.be:8800/advisories.php?id=CORELAN-10-027 1023894 39538 http://net-ninja.net/blog/media/blogs/b/exploits/hpoperationsmngr.html.txt SSRT100060 SSRT100060 Unspecified vulnerability in HP System Management Homepage (SMH) 6.0 before 6.0.0-95 on Linux, and 6.0 before 6.0.0.96 on Windows, allows remote authenticated users to obtain sensitive information, modify data, and cause a denial of service via unknown vectors. HPSBMA02492 64089 1023909 Multiple unspecified vulnerabilities in HP Virtual Machine Manager (VMM) before 6.0 allow remote authenticated users to execute arbitrary code via unknown vectors. 1023913 39637 HPSBMA02494 HPSBMA02494 39583 Cross-site scripting (XSS) vulnerability in HP System Insight Manager before 6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 39735 1023927 39645 SSRT100083 SSRT100083 Cross-site request forgery (CSRF) vulnerability in HP System Insight Manager before 6.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. 39736 1023927 39645 HPSBMA02525 HPSBMA02525 Unspecified vulnerability in HP System Insight Manager before 6.0 allows remote authenticated users to gain privileges via unknown vectors. 39734 1023927 39645 SSRT100083 SSRT100083 Format string vulnerability in the _msgout function in rpc.pcnfsd in IBM AIX 6.1, 5.3, and earlier; IBM VIOS 2.1, 1.5, and earlier; NFS/ONCplus B.11.31_09 and earlier on HP HP-UX B.11.11, B.11.23, and B.11.31; and SGI IRIX 6.5 allows remote attackers to execute arbitrary code via an RPC request containing format string specifiers in an invalid directory name. 40248 hpux-nfsoncplus-privilege-escalation(58718) http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=5088 ADV-2010-1213 ADV-2010-1212 ADV-2010-1211 ADV-2010-1199 1023994 20100520 HP-UX, IBM AIX, SGI IRIX Remote Vulnerability - CVE-2010-1039 IZ75465 IZ75440 IZ75369 IZ73874 IZ73757 IZ73681 IZ73599 IZ73590 http://www.checkpoint.com/defense/advisories/public/2010/cpai-13-May.html 1024016 39911 39835 oval:org.mitre.oval:def:12103 oval:org.mitre.oval:def:11986 64729 HPSBUX02523 HPSBUX02523 http://aix.software.ibm.com/aix/efixes/security/pcnfsd_advisory.asc The "IP address range limitation" function in OpenPNE 1.6 through 1.8, 2.0 through 2.8, 2.10 through 2.14, and 3.0 through 3.4, when mobile device support is enabled, allows remote attackers to bypass the "simple login" functionality via unknown vectors related to spoofing. http://www.openpne.jp/archives/4612/ http://www.ipa.go.jp/security/vuln/alert/201003_openpne.html 38857 JVNDB-2010-000006 JVN#06874657 Unspecified vulnerability in the single sign-on functionality in the Web Services implementation in IBM DB2 Content Manager (CM) Toolkit 8.3 before FP13 on z/OS and DB2 Information Integrator for Content 8.3 before FP13 has unknown impact and remote attack vectors. PM03804 ADV-2010-0656 38833 63079 http://www-01.ibm.com/support/docview.wss?uid=swg27018205&aid=1 1023726 39025 Microsoft Windows Media Player 11 does not properly perform colorspace conversion, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted .AVI file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. win-mediaplayer-avi-code-execution(57205) 38790 Directory traversal vulnerability in index.php in jaxCMS 1.0 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the p parameter. 11359 38524 62161 SQL injection vulnerability in Login.do in ManageEngine OpUtils 5.0 allows remote attackers to execute arbitrary SQL commands via the isHttpPort parameter. oputils-login-sql-injection(56102) 38082 11330 http://packetstormsecurity.org/1002-exploits/oputils_5-sql.txt SQL injection vulnerability in the Productbook (com_productbook) component 1.0.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. NOTE: some of these details are obtained from third party information. ADV-2010-0322 11352 38466 Multiple SQL injection vulnerabilities in index.php in Rostermain 1.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) userid (username) and (2) password parameters. ADV-2010-0318 11356 38440 62162 SQL injection vulnerability in index.php in MASA2EL Music City 1.0 and 1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter in a singer action. musiccity-index-sql-injection(56110) 11329 38469 http://packetstormsecurity.org/1002-exploits/masa2elmc-sql.txt 62133 Cross-site scripting (XSS) vulnerability in blog/index.php in Uiga Business Portal allows remote attackers to inject arbitrary web script or HTML via the textcomment parameter (aka the Comment Box) in a noentryid action. NOTE: some of these details are obtained from third party information. ADV-2010-0317 11357 38430 Multiple SQL injection vulnerabilities in Uiga Business Portal allow remote attackers to execute arbitrary SQL commands via the (1) noentryid parameter to blog/index.php and the (2) p parameter to index2.php. ADV-2010-0317 11357 38430 SQL injection vulnerability in index.php in AudiStat 1.3 allows remote attackers to execute arbitrary SQL commands via the mday parameter. 11334 38494 http://packetstormsecurity.org/1002-exploits/audistats-sql.txt Multiple SQL injection vulnerabilities in index.php in AudiStat 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) year and (2) month parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38494 Multiple cross-site scripting (XSS) vulnerabilities in index.php in AudiStat 1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) year and (2) mday parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38494 Multiple SQL injection vulnerabilities in Zen Time Tracking 2.2 and earlier, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters to (a) userlogin.php and (b) managerlogin.php. NOTE: some of these details are obtained from third party information. zentracking-userlogin-sql-injection(56146) 11345 38471 Multiple SQL injection vulnerabilities in ParsCMS allow remote attackers to execute arbitrary SQL commands via the RP parameter to (1) fa_default.asp and (2) en_default.asp. 38734 20100315 Pars CMS SQL Injection Vulnerability 39007 http://packetstormsecurity.org/1003-exploits/parscms-sql.txt 63000 62999 Multiple PHP remote file inclusion vulnerabilities in osDate 2.1.9 and 2.5.4, when magic_quotes_gpc is disabled and register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the config[forum_installed] parameter to (1) forum/adminLogin.php and (2) forum/userLogin.php. NOTE: some of these details are obtained from third party information. osdate-adminlogin-file-include(56909) 38738 11755 38943 63006 63005 http://evilc0de.blogspot.com/2010/03/osdate-rfi-vuln.html Directory traversal vulnerability in the RokDownloads (com_rokdownloads) component before 1.0.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. 38741 http://www.rockettheme.com/extensions-updates/638-rokdownloads-10-released rokdownloads-index-file-include(56898) 11760 38982 http://packetstormsecurity.org/1003-exploits/joomlarokdownloads-lfi.txt 62972 Multiple directory traversal vulnerabilities in Phpkobo AdFreely (aka Ad Board Script) 1.01, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a ..// (dot dot slash slash) in the LANG_CODE parameter to common.inc.php in (1) codelib/cfg/, (2) codelib/sys/, (3) staff/, and (4) staff/app/; and (5) staff/file.php. NOTE: some of these details are obtained from third party information. adboardscript-common-file-include(56865) adfreely-commoninc-file-include(56858) ADV-2010-0611 38731 11722 38947 62926 Directory traversal vulnerability in codelib/cfg/common.inc.php in Phpkobo Address Book Script 1.09, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the LANG_CODE parameter. addressbook-langcode-file-include(56910) 38731 11754 38938 http://packetstormsecurity.org/1003-exploits/addressbookscript-lfi.txt 63003 Directory traversal vulnerability in staff/app/common.inc.php in Phpkobo Address Book Script 1.09, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the LANG_CODE parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38731 38938 63004 Directory traversal vulnerability in staff/app/common.inc.php in Phpkobo Short URL 1.01, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the LANG_CODE parameter. 38731 11775 38968 http://packetstormsecurity.org/1003-exploits/shorturl-lfi.txt Multiple directory traversal vulnerabilities in Phpkobo Short URL 1.01, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the LANG_CODE parameter to (1) url/app/common.inc.php and (2) codelib/cfg/common.inc.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38731 38968 Directory traversal vulnerability in codelib/sys/common.inc.php in Phpkobo Free Real Estate Contact Form 1.09, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the LANG_CODE parameter. NOTE: some of these details are obtained from third party information. 38731 11773 38967 http://packetstormsecurity.org/1003-exploits/frecf-lfi.txt Multiple directory traversal vulnerabilities in Phpkobo Free Real Estate Contact Form 1.09, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the LANG_CODE parameter to (1) codelib/cfg/common.inc.php, (2) form/app/common.inc.php, and (3) staff/app/common.inc.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38731 38967 Erolife AjxGaleri VT stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/ajxgaleri.mdb. ajxgalerie-ajxgalerie-info-disclosure(55446) 11023 38033 http://packetstormsecurity.org/1001-exploits/erolife-disclose.txt Lebisoft Ziyaretci Defteri 7.4 and 7.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/lebisoft.mdb. lebisoftzdefter-lebisoft-info-disclosure(55452) 11015 38039 AR Web Content Manager (AWCM) 2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for control/db_backup.php. awcm-dbbackup-info-disclosure(55445) 11025 38065 http://packetstormsecurity.org/1001-exploits/awcm-backup.txt E-membres 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/bdEMembres.mdb. emembres-bdemembres-info-disclosure(55503) 11098 38062 Multiple cross-site scripting (XSS) vulnerabilities in surgeftpmgr.cgi in NetWin SurgeFTP 2.3a6 allow remote attackers to inject arbitrary web script or HTML via the (1) domainid or (2) classid parameter in a class action. surgeftp-surgeftpmgr-xss(55509) 11092 38097 http://packetstormsecurity.org/1001-exploits/surgeftp-xss.txt SQL injection vulnerability in games/game.php in ProArcadeScript allows remote attackers to execute arbitrary SQL commands via the id parameter. 37703 11080 38040 http://packetstormsecurity.org/1001-exploits/proarcadescripttogame-sql.txt SQL injection vulnerability in index.php in ImagoScripts Deviant Art Clone allows remote attackers to execute arbitrary SQL commands via the seid parameter in a forums viewcat action. deviantart-index-sql-injection(55379) ADV-2010-0031 11002 38096 http://packetstormsecurity.org/1001-exploits/imagoscriptsdac-sql.txt 61482 SQL injection vulnerability in profil.php in phpMDJ 1.0.3 allows remote attackers to execute arbitrary SQL commands via the id parameter. phpmdj-profile-sql-injection(55516) 37698 11083 33480 http://packetstormsecurity.org/1001-exploits/phpmdj103-sql.txt Cross-site scripting (XSS) vulnerability in search.php in Sniggabo CMS 2.21 allows remote attackers to inject arbitrary web script or HTML via the q parameter. sniggabocms-search-xss(55472) 11049 38029 http://packetstormsecurity.org/1001-exploits/sniggabocms-xss.txt http://greyhathackers.wordpress.com/2010/01/07/sniggabo-cms-v2-21-xss-vulnerability/ SQL injection vulnerability in the jEmbed-Embed Anything (com_jembed) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a summary action to index.php. jembed-index-sql-injection(55443) ADV-2010-0047 11026 38112 61510 Cross-site scripting (XSS) vulnerability in the Currency Exchange module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to watchdog logging. http://drupal.org/node/676216 http://drupal.org/node/676214 currency-exchange-watchdog-xss(55453) ADV-2010-0063 37649 38121 61587 SQL injection vulnerability in index.php in Entry Level CMS (EL CMS) allows remote attackers to execute arbitrary SQL commands via the subj parameter. 38688 http://packetstormsecurity.org/1002-exploits/elcms-sql.txt 62513 Cross-site scripting (XSS) vulnerability in index.php in Entry Level CMS (EL CMS) allows remote attackers to inject arbitrary web script or HTML via the subj parameter, which is not properly handled in a forced SQL error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38688 Directory traversal vulnerability in vbseo.php in Crawlability vBSEO plugin 3.1.0 for vBulletin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the vbseourl parameter. vbseo-vbseourl-file-include(56439) ADV-2010-0442 11526 http://packetstormsecurity.org/1002-exploits/vbseo-lfi.txt SQL injection vulnerability in archive.php in XlentProjects SphereCMS 1.1 alpha allows remote attackers to execute arbitrary SQL commands via encoded null bytes ("%00") in the view parameter, which bypasses a protection mechanism. spherecms-archive-sql-injection(56423) 38309 20100217 SphereCMS Blind SQL Injection Vulnerability http://www.packetstormsecurity.org/1002-exploits/spherecms-sql.txt http://www.bugreport.ir/index_68.htm Cross-site scripting (XSS) vulnerability in Sawmill before 7.2.18 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 38387 http://www.sawmill.net/version_history7.html 38730 Cross-site scripting (XSS) vulnerability in view.php in Pulse CMS 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the f parameter. pulsecms-view-xss(56430) 38356 38650 http://packetstormsecurity.org/1002-exploits/pulsecms-xss.txt 62475 Directory traversal vulnerability in the Community Polls (com_communitypolls) component 1.5.2, and possibly earlier, for Core Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. 38330 http://www.corejoomla.com/component/content/article/1-corejoomla-updates/40-community-polls-v153-security-release.html 38692 http://packetstormsecurity.org/1002-exploits/joomlacp-lfi.txt 62506 Multiple directory traversal vulnerabilities in OI.Blogs 1.0.0, when magic_quotes_gpc is disabled, allow remote attackers to read arbitrary files via directory traversal sequences in the (1) theme parameter to loadStyles.php and the (2) scripts parameter to javascript/loadScripts.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38726 The processcompl_compat function in drivers/usb/core/devio.c in Linux kernel 2.6.x through 2.6.32, and possibly other versions, does not clear the transfer buffer before returning to userspace when a USB command fails, which might make it easier for physically proximate attackers to obtain sensitive information (kernel memory). [oss-security] 20100217 additional memory leak in USB userspace handling [linux-kernel] 20100221 [80/93] USB: usbfs: properly clean up the as structure on error paths http://www.vmware.com/security/advisories/VMSA-2011-0012.html 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console RHSA-2010:0723 RHSA-2010:0394 [oss-security] 20100219 Re: CVE request: kernel information leak via userspace USB interface [oss-security] 20100218 Re: CVE request: kernel information leak via userspace USB interface [oss-security] 20100219 Re: additional memory leak in USB userspace handling [oss-security] 20100217 CVE request: kernel information leak via userspace USB interface SUSE-SA:2010:023 DSA-2053 http://support.avaya.com/css/P8/documents/100113326 http://support.avaya.com/css/P8/documents/100090459 46397 39830 39742 oval:org.mitre.oval:def:10831 [linux-kernel] 20100330 [48/89] USB: usbfs: properly clean up the as structure on error paths SUSE-SA:2010:019 Linux kernel 2.6.18 through 2.6.33, and possibly other versions, allows remote attackers to cause a denial of service (memory corruption) via a large number of Bluetooth sockets, related to the size of sysfs files in (1) net/bluetooth/l2cap.c, (2) net/bluetooth/rfcomm/core.c, (3) net/bluetooth/rfcomm/sock.c, and (4) net/bluetooth/sco.c. https://bugzilla.redhat.com/show_bug.cgi?id=576018 [oss-security] 20100323 CVE request: kernel: bluetooth: potential bad memory access with sysfs files http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=101545f6fef4a0a3ea8daf0b5b880df2c6a92a69 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 38898 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0610 DSA-2053 http://security-tracker.debian.org/tracker/CVE-2010-1084 43315 39830 The azx_position_ok function in hda_intel.c in Linux kernel 2.6.33-rc4 and earlier, when running on the AMD780V chip set, allows context-dependent attackers to cause a denial of service (crash) via unknown manipulations that trigger a divide-by-zero error. https://bugzilla.redhat.com/show_bug.cgi?id=567168 [oss-security] 20100222 CVE request: kernel: ALSA: hda-intel: Avoid divide by zero crash http://nctritech.net/bugreport.txt http://www.vmware.com/security/advisories/VMSA-2011-0003.html 38348 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0398 RHSA-2010:0394 http://support.avaya.com/css/P8/documents/100090459 http://support.avaya.com/css/P8/documents/100088287 43315 39649 oval:org.mitre.oval:def:10027 [linux-kernel] 20100205 PROBLEM: hda-intel divide by zero kernel crash in azx_position_ok() The ULE decapsulation functionality in drivers/media/dvb/dvb-core/dvb_net.c in dvb-core in Linux kernel 2.6.33 and earlier allows attackers to cause a denial of service (infinite loop) via a crafted MPEG2-TS frame, related to an invalid Payload Pointer ULE. https://bugzilla.redhat.com/show_bug.cgi?id=569237 [oss-security] 20100301 CVE request: kernel: dvb-core: ULE decapsulation DoS http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=29e1fa3565a7951cc415c634eb2b78dbdbee151d http://www.vmware.com/security/advisories/VMSA-2011-0003.html 38479 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0398 RHSA-2010:0394 SUSE-SA:2010:023 DSA-2053 http://support.avaya.com/css/P8/documents/100090459 http://support.avaya.com/css/P8/documents/100088287 43315 39830 39742 39649 oval:org.mitre.oval:def:10569 SUSE-SA:2010:019 The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x through 2.6.33-rc5 allows attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible. https://bugzilla.redhat.com/show_bug.cgi?id=567184 [oss-security] 20100303 CVE request: kernel: NFS: Fix an Oops when truncating a file http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9f557cd8073104b39528794d44e129331ded649f ADV-2010-1857 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39569 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX DSA-2053 43315 40645 39830 oval:org.mitre.oval:def:10442 SUSE-SA:2010:031 fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount "symlinks," which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW. https://bugzilla.redhat.com/show_bug.cgi?id=567813 [oss-security] 20100224 CVE request: kernel: NFS DoS related to "automount" symlinks http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ac278a9c505092dd82077a2446af8f9fc0d9c095 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39044 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX SUSE-SA:2010:023 MDVSA-2010:198 MDVSA-2010:088 DSA-2053 43315 39830 39742 oval:org.mitre.oval:def:10093 SUSE-SA:2010:019 SQL injection vulnerability in vedi_faq.php in PHP Trouble Ticket 2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. 38763 http://packetstormsecurity.org/1003-exploits/phptroubleticket-sql.txt SQL injection vulnerability in index.php in phpMySite allows remote attackers to execute arbitrary SQL commands via the action parameter. phpmysite-index-sql-injection(56573) ADV-2010-0492 11588 http://packetstormsecurity.org/1002-exploits/phpmysite-sqlxss.txt Multiple cross-site scripting (XSS) vulnerabilities in contact.php in phpMySite allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) city, (3) email, (4) state, and (5) message parameters. phpmysite-contact-xss(56574) ADV-2010-0492 11588 http://packetstormsecurity.org/1002-exploits/phpmysite-sqlxss.txt Multiple SQL injection vulnerabilities in login.php in ScriptsFeed Business Directory Software allow remote attackers to execute arbitrary SQL commands via the (1) us and (2) ps parameters. scriptsfeed-login-sql-injection(56570) ADV-2010-0494 38470 11592 38771 62626 SQL injection vulnerability in rss.php in 1024 CMS 2.1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a vp action. 38476 http://www.bugreport.ir/index_69.htm 38775 SQL injection vulnerability in news.php in DZ EROTIK Auktionshaus V4rgo allows remote attackers to execute arbitrary SQL commands via the id parameter. v4rgo-news-sql-injection(56581) 11582 38792 62623 http://4004securityproject.wordpress.com/2010/02/26/dz-erotik-auktionshaus-v-4-rgo-news-php-sql-injection/ Cross-site scripting (XSS) vulnerability in login_reset_password_page.php in Tracking Requirements & Use Cases (TRUC) 0.11.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the error parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2010-0491 Multiple SQL injection vulnerabilities in searchmatch.php in ScriptsFeed Dating Software allow remote attackers to execute arbitrary SQL commands via the (1) txtgender and (2) txtlookgender parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ADV-2010-0493 38767 62627 include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_start is enabled, allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter, as demonstrated by a request to uploads/include/dialog/select_soft_post.php. 38469 38790 62622 http://bbs.wolvez.org/topic/125/ The ANI parser in Microsoft Windows before 7 on the x86 platform, as used in Internet Explorer and other applications, allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted biClrUsed value in the BITMAPINFO header of a .ANI file. microsoft-windows-ani-dos(56756) 38579 http://skypher.com/index.php/2010/03/08/ani-file-bitmapinfoheader-biclrused-bounds-check-missing/ http://code.google.com/p/skylined/issues/detail?id=3 Integer overflow in Apple Safari allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25. safari-tcp-security-bypass(57233) 20100323 Safari browser port blocking bypassed by integer overflow Integer overflow in Arora allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25. arora-tcp-security-bypass(57234) 20100323 Safari browser port blocking bypassed by integer overflow Integer overflow in Alexander Clauss iCab allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25. icab-tcp-security-bypass(57235) 20100323 Safari browser port blocking bypassed by integer overflow Integer overflow in OmniWeb allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25. omniweb-tcp-security-bypass(57236) 20100323 Safari browser port blocking bypassed by integer overflow Integer overflow in Stainless allows remote attackers to bypass intended port restrictions on outbound TCP connections via a port number outside the range of the unsigned short data type, as demonstrated by a value of 65561 for TCP port 25. stainless-tcp-security-bypass(57237) 20100323 Safari browser port blocking bypassed by integer overflow Cross-site scripting (XSS) vulnerability in Zope 2.8.x before 2.8.12, 2.9.x before 2.9.12, 2.10.x before 2.10.11, 2.11.x before 2.11.6, and 2.12.x before 2.12.3 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages. [zope-announce] 20100112 New Zope2 releases available ADV-2010-0104 zope-standarderrormessage-xss(55599) 37765 61655 38007 Cross-site scripting (XSS) vulnerability in cgi/index.php in AdvertisementManager 3.1.0 and 3.6 allows remote attackers to inject arbitrary web script or HTML via the usr parameter. advertisementmanager-index-xss(55754) 40151 http://www.packetstormsecurity.com/1001-exploits/advertisemanager-xssrfitraversal.txt 38243 61846 PHP remote file inclusion vulnerability in cgi/index.php in AdvertisementManager 3.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the req parameter. NOTE: this can also be leveraged to include and execute arbitrary local files via .. (dot dot) sequences. advertisementmanager-index-file-include(55756) http://www.packetstormsecurity.com/1001-exploits/advertisemanager-xssrfitraversal.txt Cross-site scripting (XSS) vulnerability in the Recent Comments module 5.x through 5.x-1.2 and 6.x through 6.x-1.0 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a "custom block title interface." 37898 http://drupal.org/node/690734 http://drupal.org/node/688636 http://drupal.org/node/688632 recentcomments-title-xss(55770) 38281 Cross-site scripting (XSS) vulnerability in the Control Panel module 5.x through 5.x-1.5 and 6.x through 6.x-1.2 for Drupal allows remote authenticated users, with "administer blocks" privileges, to inject arbitrary web script or HTML via unspecified vectors. http://drupal.org/node/690718 http://drupal.org/node/686428 controlpanel-unspecified-xss(55769) 37890 38280 Multiple SQL injection vulnerabilities in index.php in phpMySport 1.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) v2 parameter in a member view action, (2) v1 parameter in a news action, (3) v1 parameter in an information action, (4) v2 parameter in a team view action, (5) v2 parameter in a club view action, or (6) v2 parameter in a matches view action. phpmysport-unspecified-sql-injection(55762) 37856 34279 http://phpmysport.sourceforge.net/en/forum/bugs/sujet_2851.html http://packetstormsecurity.org/1001-exploits/phpmysport-sqlaccess.txt Directory traversal vulnerability in index.php in phpMySport 1.4 allows remote attackers to list arbitrary directories via a .. (dot dot) in the current_folder parameter. phpmysport-filemanager-dir-traversal(55763) 37856 http://phpmysport.sourceforge.net/en/forum/bugs/sujet_2851.html http://packetstormsecurity.org/1001-exploits/phpmysport-sqlaccess.txt Multiple cross-site scripting (XSS) vulnerabilities in Jokes Complete Website allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to joke.php and the (2) searchingred parameter to results.php. jokescompletewebsite-multiple-xss(55761) 37852 http://www.packetstormsecurity.com/1001-exploits/jokescomplete-xss.txt Cross-site scripting (XSS) vulnerability in cat.php in KloNews 2.0 allows remote attackers to inject arbitrary web script or HTML via the cat parameter. 38268 http://packetstormsecurity.org/1001-exploits/klonews-xss.txt Cross-site scripting (XSS) vulnerability in the forum page in Web Server Creator - Web Portal 0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to index.php. webservercreator-index-xss(55726) 37841 http://www.packetstormsecurity.com/1001-exploits/webservercreator-traversalxssrfi.txt Multiple PHP remote file inclusion vulnerabilities in Web Server Creator - Web Portal 0.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) pg parameter to index.php and the (2) path parameter to news/form.php. webservercreator-index-file-include(55727) 37841 http://www.packetstormsecurity.com/1001-exploits/webservercreator-traversalxssrfi.txt Directory traversal vulnerability in news/include/customize.php in Web Server Creator - Web Portal 0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the l parameter. webservercreator-customize-dir-traversal(55725) 37841 http://www.packetstormsecurity.com/1001-exploits/webservercreator-traversalxssrfi.txt LookMer Music Portal stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for dbmdb/LookMerSarkiMDB.mdb. lookmermusicportal-mdb-info-disclosure(55751) http://www.packetstormsecurity.com/1001-exploits/lookmer-disclose.txt 38247 61845 Heap-based buffer overflow in Internet Explorer 8 on Microsoft Windows 7 allows remote attackers to discover the base address of a Windows .dll file, and possibly have unspecified other impact, via unknown vectors, as demonstrated by Peter Vreugdenhil during a Pwn2Own competition at CanSecWest 2010. ie-base-address-bo(57196) http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf http://twitter.com/thezdi/statuses/11003801960 http://news.cnet.com/8301-27080_3-20001126-245.html http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010 Unspecified vulnerability in Internet Explorer 8 on Microsoft Windows 7 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to a use-after-free issue, as demonstrated by Peter Vreugdenhil during a Pwn2Own competition at CanSecWest 2010. ie-unspecified-code-exec(57197) http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf http://twitter.com/thezdi/statuses/11003801960 http://news.cnet.com/8301-27080_3-20001126-245.html http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, Safari before 4.1 on Mac OS X 10.4, and Safari on Apple iPhone OS allows remote attackers to execute arbitrary code or cause a denial of service (application crash), or read the SMS database or other data, via vectors related to "attribute manipulation," as demonstrated by Vincenzo Iozzo and Ralf Philipp Weinmann during a Pwn2Own competition at CanSecWest 2010. APPLE-SA-2010-06-07-1 ADV-2010-1512 ADV-2010-1373 40620 http://twitter.com/thezdi/statuses/11001080021 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 8128 40196 40105 oval:org.mitre.oval:def:7037 http://news.cnet.com/8301-27080_3-20001126-245.html APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010 Unspecified vulnerability in Safari 4 on Apple Mac OS X 10.6 allows remote attackers to execute arbitrary code via unknown vectors, as demonstrated by Charlie Miller during a Pwn2Own competition at CanSecWest 2010. http://twitter.com/thezdi/statuses/11002504493 http://news.cnet.com/8301-27080_3-20001126-245.html http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010 Mozilla Firefox 3.6.x before 3.6.3 does not properly manage the scopes of DOM nodes that are moved from one document to another, which allows remote attackers to conduct use-after-free attacks and execute arbitrary code via unspecified vectors involving improper interaction with garbage collection, as demonstrated by Nils during a Pwn2Own competition at CanSecWest 2010. https://bugzilla.mozilla.org/show_bug.cgi?id=555109 ADV-2010-1773 ADV-2010-1640 ADV-2010-1557 USN-930-2 1023817 RHSA-2010:0501 RHSA-2010:0500 http://www.mozilla.org/security/announce/2010/mfsa2010-25.html USN-930-1 http://twitter.com/thezdi/statuses/11005277222 http://support.avaya.com/css/P8/documents/100091069 40481 40401 40326 40323 oval:org.mitre.oval:def:6844 oval:org.mitre.oval:def:10924 http://news.cnet.com/8301-27080_3-20001126-245.html SUSE-SA:2010:030 http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010 Unspecified vulnerability in Mozilla Firefox 3.5.x through 3.5.8 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly have unknown other impact via vectors that might involve compressed data, a different vulnerability than CVE-2010-1028. https://bugzilla.mozilla.org/show_bug.cgi?id=552216 MDVSA-2010:070 oval:org.mitre.oval:def:12448 Chip Salzenberg Deliver does not properly associate a lockfile with the user who created the file, which allows local users to cause a denial of service (blockage of incoming e-mail) by creating lockfiles for arbitrary mailboxes. deliver-lockfile-dos(57558) 38924 20100324 Multiple vulnerabilities in Deliver bos.rte.libc 5.3.9.4 on IBM AIX 5.3 does not properly support reading a certain address field after a successful getaddrinfo function call, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors, as demonstrated by IBM DB2 crashes on "systems with databases cataloged with alternate servers using IP addresses." 38964 IZ66710 The JavaScript implementation in Mozilla Firefox 3.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to send selected keystrokes to a form field in a hidden frame, instead of the intended form field in a visible frame, via certain calls to the focus method. https://bugzilla.mozilla.org/show_bug.cgi?id=552255 ADV-2010-1773 ADV-2010-1640 ADV-2010-1557 ADV-2010-1551 USN-930-2 1024138 20100313 ...because you can't get enough of clickjacking RHSA-2010:0501 RHSA-2010:0500 http://www.mozilla.org/security/announce/2010/mfsa2010-31.html MDVSA-2010:125 USN-930-1 http://support.avaya.com/css/P8/documents/100091069 40481 40401 40326 oval:org.mitre.oval:def:13962 oval:org.mitre.oval:def:10386 SUSE-SA:2010:030 The JavaScript implementation in WebKit allows remote attackers to send selected keystrokes to a form field in a hidden frame, instead of the intended form field in a visible frame, via certain calls to the focus method. https://bugzilla.mozilla.org/show_bug.cgi?id=552255 ADV-2011-0212 20100313 ...because you can't get enough of clickjacking 43068 SUSE-SR:2011:002 Microsoft Internet Explorer 6 and 7 does not initialize certain data structures during execution of the createElement method, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted JavaScript code, as demonstrated by setting the (1) outerHTML or (2) value property of an object returned by createElement. Per: http://cwe.mitre.org/data/definitions/476.html CWE-476: NULL Pointer Dereference http://securityreason.com/exploitalert/7731 20100128 Re: Microsoft IE 6&7 Crash Exploit 20100126 Microsoft IE 6&7 Crash Exploit The Linear Congruential Generator (LCG) in PHP before 5.2.13 does not provide the expected entropy, which makes it easier for context-dependent attackers to guess values that were intended to be unpredictable, as demonstrated by session cookies generated by using the uniqid function. ADV-2010-0479 ADV-2010-3081 38430 RHSA-2010:0919 http://www.php.net/releases/5_2_13.php http://www.php.net/ChangeLog-5.php 42410 38708 The safe_mode implementation in PHP before 5.2.13 does not properly handle directory pathnames that lack a trailing / (slash) character, which allows context-dependent attackers to bypass intended access restrictions via vectors related to use of the tempnam function. http://www.php.net/releases/5_2_13.php ADV-2010-1796 ADV-2010-0479 38431 http://www.php.net/ChangeLog-5.php http://support.apple.com/kb/HT4312 1023661 40551 38708 APPLE-SA-2010-08-24-1 SSRT100018 SSRT100018 session.c in the session extension in PHP before 5.2.13, and 5.3.1, does not properly interpret ; (semicolon) characters in the argument to the session_save_path function, which allows context-dependent attackers to bypass open_basedir and safe_mode restrictions via an argument that contains multiple ; characters in conjunction with a .. (dot dot). http://www.php.net/releases/5_2_13.php ADV-2010-0479 http://www.php.net/ChangeLog-5.php http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?view=log http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/ext/session/session.c?r1=293036&r2=294272 http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?view=log http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/ext/session/session.c?r1=293036&r2=294272 1023661 7008 20100211 PHP 5.2.12/5.3.1 session.save_path safe_mode and open_basedir bypass 38708 JavaScriptCore.dll, as used in Apple Safari 4.0.5 on Windows XP SP3, allows remote attackers to cause a denial of service (application crash) via an HTML document composed of many successive occurrences of the <object> substring. http://www.securityfocus.com/data/vulnerabilities/exploits/38884.php 38884 The mlfi_envrcpt function in spamass-milter.cpp in SpamAssassin Milter Plugin 0.3.1, when using the expand option, allows remote attackers to execute arbitrary system commands via shell metacharacters in the RCPT TO field of an email message. https://savannah.nongnu.org/bugs/?29136 https://bugzilla.redhat.com/show_bug.cgi?id=572117 spamassassin-expand-command-execution(56732) ADV-2010-0837 ADV-2010-0683 ADV-2010-0559 1023691 38578 11662 DSA-2021 39265 38956 38840 62809 FEDORA-2010-5112 FEDORA-2010-5176 FEDORA-2010-5096 http://bugs.debian.org/573228 20100307 Spamassassin Milter Plugin Remote Root Multiple SQL injection vulnerabilities in TikiWiki CMS/Groupware 4.x before 4.2 allow remote attackers to execute arbitrary SQL commands via unspecified vectors, probably related to (1) tiki-searchindex.php and (2) tiki-searchresults.php. http://info.tikiwiki.org/article86-Tiki-Announces-3-5-and-4-2-Releases tikiwiki-unknown-input-sql-injection(56769) 38608 http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=25435 http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=25424 38896 62800 SQL injection vulnerability in the _find function in searchlib.php in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to execute arbitrary SQL commands via the $searchDate variable. 38608 http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=25429 tikiwiki-unknown-input-sql-injection(56769) 38882 62800 http://info.tikiwiki.org/article86-Tiki-Announces-3-5-and-4-2-Releases The user_logout function in TikiWiki CMS/Groupware 4.x before 4.2 does not properly delete user login cookies, which allows remote attackers to gain access via cookie reuse. http://info.tikiwiki.org/article86-Tiki-Announces-3-5-and-4-2-Releases tikiwiki-userlogout-unspecified(56770) 38608 http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=25046 38896 The Standard Remember method in TikiWiki CMS/Groupware 3.x before 3.5 allows remote attackers to bypass access restrictions related to "persistent login," probably due to the generation of predictable cookies based on the IP address and User agent in userslib.php. tikiwiki-standardmethod-unspecified(56771) 38608 http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki?view=rev&revision=25196 http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki/branches/proposals/3.x/lib/userslib.php?r1=25196&r2=25195&pathrev=25196 38882 62801 http://info.tikiwiki.org/article86-Tiki-Announces-3-5-and-4-2-Releases Cross-site scripting (XSS) vulnerability in WebAccess in VMware VirtualCenter 2.0.2 and 2.5 and VMware ESX 3.0.3 and 3.5, and the Server Console in VMware Server 1.0, allows remote attackers to inject arbitrary web script or HTML via the name of a virtual machine. http://www.vmware.com/security/advisories/VMSA-2010-0005.html [security-announce] 20100329 VMSA-2010-0005 VMware products address vulnerabilities in WebAccess 1023769 39037 oval:org.mitre.oval:def:6863 The virtual networking stack in VMware Workstation 7.0 before 7.0.1 build 227600, VMware Workstation 6.5.x before 6.5.4 build 246459 on Windows, VMware Player 3.0 before 3.0.1 build 227600, VMware Player 2.5.x before 2.5.4 build 246459 on Windows, VMware ACE 2.6 before 2.6.1 build 227600 and 2.5.x before 2.5.4 build 246459, VMware Server 2.x, and VMware Fusion 3.0 before 3.0.1 build 232708 and 2.x before 2.0.7 build 246742 allows remote attackers to obtain sensitive information from memory on the host OS by examining received network packets, related to interaction between the guest OS and the host vmware-vmx process. http://www.vmware.com/security/advisories/VMSA-2010-0007.html [security-announce] 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 1023836 39395 39215 39206 39203 63607 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues Format string vulnerability in vmrun in VMware VIX API 1.6.x, VMware Workstation 6.5.x before 6.5.4 build 246459, VMware Player 2.5.x before 2.5.4 build 246459, and VMware Server 2.x on Linux, and VMware Fusion 2.x before 2.0.7 build 246742, allows local users to gain privileges via format string specifiers in process metadata. http://www.vmware.com/security/advisories/VMSA-2010-0007.html [security-announce] 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 1023835 39407 39215 39206 39201 63606 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues The USB service in VMware Workstation 7.0 before 7.0.1 build 227600 and VMware Player 3.0 before 3.0.1 build 227600 on Windows might allow host OS users to gain privileges by placing a Trojan horse program at an unspecified location on the host OS disk. http://www.vmware.com/security/advisories/VMSA-2010-0007.html [security-announce] 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 39397 1023834 39206 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VMware Player 2.5.x before 2.5.4 build 246459; VMware ACE 2.5.x before 2.5.4 build 246459; VMware Server 2.x before 2.0.2 build 203138; VMware Fusion 2.x before 2.0.6 build 246742; VMware ESXi 3.5 and 4.0; and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0 does not properly access libraries, which allows user-assisted remote attackers to execute arbitrary code by tricking a Windows guest OS user into clicking on a file that is stored on a network share. http://www.vmware.com/security/advisories/VMSA-2010-0007.html [security-announce] 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 1023833 1023832 39206 39198 oval:org.mitre.oval:def:7020 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VMware Player 2.5.x before 2.5.4 build 246459; VMware ACE 2.5.x before 2.5.4 build 246459; VMware Server 2.x before 2.0.2 build 203138; VMware Fusion 2.x before 2.0.6 build 246742; VMware ESXi 3.5 and 4.0; and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0 does not properly load VMware programs, which might allow Windows guest OS users to gain privileges by placing a Trojan horse program at an unspecified location on the guest OS disk. http://www.vmware.com/security/advisories/VMSA-2010-0007.html [security-announce] 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 1023833 1023832 39394 http://www.acrossecurity.com/aspr/ASPR-2010-04-12-2-PUB.txt 39206 39198 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues 20100409 VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues Cross-site scripting (XSS) vulnerability in VMware View (formerly Virtual Desktop Manager or VDM) 3.1.x before 3.1.3 build 252693 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.vmware.com/security/advisories/VMSA-2010-0008.html [security-announce] 20100505 VMSA-2010-0008 VMware View 3.1.3 addresses an important cross-site scripting vulnerability 39949 1023945 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-0751, CVE-2010-1277. Reason: this candidate was intended for one issue, but it was accidentally assigned to two different issues, one for libnids and another for Zabbix. Notes: All CVE users should consult CVE-2010-0751 (libnids) and CVE-2010-1277 (Zabbix) to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-4498. Reason: This candidate is a duplicate of CVE-2009-4498. Notes: All CVE users should reference CVE-2009-4498 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The Linux kernel 2.6.33.2 and earlier, when a ReiserFS filesystem exists, does not restrict read or write access to the .reiserfs_priv directory, which allows local users to gain privileges by modifying (1) extended attributes or (2) ACLs, as demonstrated by deleting a file under .reiserfs_priv/xattrs/. [linux-kernel] 20100408 [PATCH #3] reiserfs: Fix permissions on .reiserfs_priv https://bugzilla.redhat.com/show_bug.cgi?id=568041 kernel-reiserfs-privilege-escalation(57782) 39344 12130 39316 63601 Stack-based buffer overflow in Open Direct Connect Hub (aka Open DC Hub or OpenDCHub) 0.8.1 allows remote authenticated users to execute arbitrary code via a long MyINFO message. https://bugzilla.redhat.com/show_bug.cgi?id=579206 ADV-2010-1044 ADV-2010-1023 39129 20100331 OpenDcHub 0.8.1 Remote Code Execution Exploit http://www.indahax.com/exploits/opendchub-0-8-1-remote-code-execution-exploit#more-600 39664 [oss-security] 20100403 CVE Request -- OpenDCHub v0.8.1 -- Stack overflow by handling a specially-crafted MyINFO message [oss-security] 20100406 Re: CVE Request -- OpenDCHub v0.8.1 -- Stack overflow by handling a specially-crafted MyINFO message FEDORA-2010-6426 FEDORA-2010-6415 FEDORA-2010-6478 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576308 The cifs_create function in fs/cifs/dir.c in the Linux kernel 2.6.33.2 and earlier allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a NULL nameidata (aka nd) field in a POSIX file-creation request to a server that supports UNIX extensions. https://bugzilla.redhat.com/show_bug.cgi?id=579445 http://xorl.wordpress.com/2010/04/05/linux-kernel-unix-extensions-cifs-null-pointer-dereference/ linux-kernel-cifscreate-dos(57561) 39186 39344 [oss-security] 20100405 Re: CVE request: kernel: cifs: cifs_create() NULL pointer dereference [oss-security] 20100405 Re: CVE request: kernel: cifs: cifs_create() NULL pointer dereference [oss-security] 20100405 CVE request: kernel: cifs: cifs_create() NULL pointer dereference [linux-cifs-client] 20100404 [patch] skip posix open if nameidata is null [linux-cifs-client] 20100402 [patch] skip posix open if nameidata is null [linux-cifs-client] 20100402 [patch] skip posix open if nameidata is null [linux-cifs-client] 20100402 [patch] skip posix open if nameidata is null probers/udisks-dm-export.c in udisks before 1.0.1 exports UDISKS_DM_TARGETS_PARAMS information to udev even for a crypt UDISKS_DM_TARGETS_TYPE, which allows local users to discover encryption keys by (1) running a certain udevadm command or (2) reading a certain file under /dev/.udev/db/. https://launchpad.net/bugs/556651 https://bugzilla.redhat.com/show_bug.cgi?id=580005 https://bugzilla.novell.com/show_bug.cgi?id=594261 https://bugs.freedesktop.org/show_bug.cgi?id=27494 39265 39332 FEDORA-2010-6296 http://cgit.freedesktop.org/udisks/commit/?id=0fcc7cb3b66f23fac53ae08647aa0007a2bd56c4 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576687 MediaWiki before 1.15.3, and 1.6.x before 1.16.0beta2, does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to conduct phishing attacks by arranging for a victim to login to the attacker's account and then execute a crafted user script, related to a "login CSRF" issue. [mediawiki-announce] 20100407 MediaWiki security update: 1.15.3 and 1.16.0beta2 http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.0beta2.patch.gz http://download.wikimedia.org/mediawiki/1.15/mediawiki-1.15.3.patch.gz https://bugzilla.wikimedia.org/show_bug.cgi?id=23076 https://bugzilla.redhat.com/show_bug.cgi?id=580418 ADV-2010-1055 [oss-security] 20100407 Re: CVE Request: MediaWiki 1.15.3 -- Login CSRF [oss-security] 20100406 CVE Request: MediaWiki 1.15.3 -- Login CSRF DSA-2041 http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_16_0beta2/phase3/RELEASE-NOTES http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_3/phase3/RELEASE-NOTES Race condition in the mod_auth_shadow module for the Apache HTTP Server allows remote attackers to bypass authentication, and read and possibly modify data, via vectors related to improper interaction with an external helper application for validation of credentials. https://bugzilla.redhat.com/show_bug.cgi?id=578168 ADV-2010-1148 ADV-2010-0908 39538 MDVSA-2010:081 39823 FEDORA-2010-6359 FEDORA-2010-6323 memcached.c in memcached before 1.4.3 allows remote attackers to cause a denial of service (daemon hang or crash) via a long line that triggers excessive memory allocation. NOTE: some of these details are obtained from third party information. [oss-security] 20100408 Re: CVE request -- memcached [oss-security] 20100408 Re: CVE request -- memcached [oss-security] 20100408 CVE request -- memcached http://github.com/memcached/memcached/commit/d9cd01ede97f4145af9781d448c62a3318952719 http://github.com/memcached/memcached/commit/75cc83685e103bc8ba380a57468c8f04413033f9 ADV-2011-0442 1023839 39306 SUSE-SR:2010:013 SUSE-SR:2010:012 http://code.google.com/p/memcached/issues/detail?id=102 http://blogs.sun.com/security/entry/input_validation_vulnerability_in_memcached PHP remote file inclusion vulnerability in the autoloader in TYPO3 4.3.x before 4.3.3 allows remote attackers to execute arbitrary PHP code via a URL in an input field associated with the className variable. [oss-security] 20100412 Re: CVE request: typo3 remote command execution http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-008/ [oss-security] 20100410 CVE request: typo3 remote command execution Irssi before 0.8.15, when SSL is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field or a Subject Alternative Name field of the X.509 certificate, which allows man-in-the-middle attackers to spoof IRC servers via an arbitrary certificate. ADV-2010-0856 irssi-hostname-mitm(57790) ADV-2010-1110 ADV-2010-1107 ADV-2010-0987 USN-929-1 SSA:2010-116-01 39797 39620 39365 [oss-security] 20100413 Re: CVE request: irssi 0.8.15 [oss-security] 20100413 Re: CVE request: irssi 0.8.15 [oss-security] 20100412 Re: CVE request: irssi 0.8.15 [oss-security] 20100411 CVE request: irssi 0.8.15 SUSE-SR:2010:011 FEDORA-2010-6629 http://irssi.org/news/ChangeLog http://irssi.org/news http://github.com/ensc/irssi-proxy/commit/85bbc05b21678e80423815d2ef1dfe26208491ab core/nicklist.c in Irssi before 0.8.15 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an attempted fuzzy nick match at the instant that a victim leaves a channel. Per: http://cwe.mitre.org/data/definitions/476.html 'NULL Pointer Dereference' ADV-2010-0856 irssi-unspecified-dos(57791) ADV-2010-1110 ADV-2010-1107 ADV-2010-0987 USN-929-1 http://svn.irssi.org/cgi-bin/viewvc.cgi/irssi/trunk/src/core/nicklist.c?root=irssi&r1=4922&r2=5126 SSA:2010-116-01 1023845 39797 39620 39365 [oss-security] 20100413 Re: CVE request: irssi 0.8.15 [oss-security] 20100413 Re: CVE request: irssi 0.8.15 [oss-security] 20100412 Re: CVE request: irssi 0.8.15 [oss-security] 20100412 Re: CVE request: irssi 0.8.15 [oss-security] 20100411 CVE request: irssi 0.8.15 SUSE-SR:2010:011 FEDORA-2010-6629 http://irssi.org/news/ChangeLog http://irssi.org/news Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply. http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://svn.apache.org/viewvc?view=revision&revision=936541 http://svn.apache.org/viewvc?view=revision&revision=936540 ADV-2010-3056 ADV-2010-0980 http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39635 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 20100421 [SECURITY] CVE-2010-1157: Apache Tomcat information disclosure vulnerability RHSA-2011:0897 RHSA-2011:0896 MDVSA-2010:177 MDVSA-2010:176 DSA-2207 http://support.apple.com/kb/HT5002 43310 42368 39574 HPSBUX02579 HPSBUX02579 SUSE-SR:2010:017 APPLE-SA-2011-10-12-3 Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular expression against a long string. https://bugzilla.redhat.com/show_bug.cgi?id=580605 [oss-security] 20100414 Re: CVE Request -- perl v5.8.* -- stack overflow by processing certain regex (Gentoo BTS#313565 / RH BZ#580605) [oss-security] 20100408 CVE Request -- perl v5.8.* -- stack overflow by processing certain regex (Gentoo BTS#313565 / RH BZ#580605) http://perldoc.perl.org/perl5100delta.html http://bugs.gentoo.org/show_bug.cgi?id=313565 GNU nano before 2.2.4 does not verify whether a file has been changed before it is overwritten in a file-save operation, which allows local user-assisted attackers to overwrite arbitrary files via a symlink attack on an attacker-owned file that is being edited by the victim. 1023891 [oss-security] 20100414 CVE request: GNU nano (minor) http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&root=nano&view=markup 39444 [Nano-devel] 20100407 New prerelease for security tweaks http://drosenbe.blogspot.com/2010/03/nano-as-root.html Race condition in GNU nano before 2.2.4, when run by root to edit a file that is not owned by root, allows local user-assisted attackers to change the ownership of arbitrary files via vectors related to the creation of backup files. 1023891 [oss-security] 20100414 CVE request: GNU nano (minor) http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&root=nano&view=markup 39444 [Nano-devel] 20100407 New prerelease for security tweaks http://drosenbe.blogspot.com/2010/03/nano-as-root.html The release_one_tty function in drivers/char/tty_io.c in the Linux kernel before 2.6.34-rc4 omits certain required calls to the put_pid function, which has unspecified impact and local attack vectors. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6da8d866d0d39e9509ff826660f6a86a6757c966 https://bugzilla.redhat.com/show_bug.cgi?id=582076 ADV-2010-1857 [oss-security] 20100415 Re: CVE request: kernel: tty: release_one_tty() forgets to put pids [oss-security] 20100415 CVE request: kernel: tty: release_one_tty() forgets to put pids [oss-security] 20100414 Re: Couple of kernel issues [oss-security] 20100414 Couple of kernel issues MDVSA-2010:198 http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.34-rc4 DSA-2053 40645 39830 SUSE-SA:2010:031 The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the PATH contains an entry for ".", which allows local users to execute arbitrary commands via a Trojan horse executable, as demonstrated using sudoedit, a different vulnerability than CVE-2010-0426. sudo-sudoefit-privilege-escalation(57836) ADV-2011-0212 ADV-2010-1019 ADV-2010-0956 ADV-2010-0949 ADV-2010-0904 ADV-2010-0895 ADV-2010-0881 USN-928-1 http://www.sudo.ws/sudo/alerts/sudoedit_escalate2.html 39468 20101027 rPSA-2010-0075-1 sudo 20100422 Re: sudoedit local privilege escalation through PATH manipulation 20100420 Re: sudoedit local privilege escalation through PATH manipulation 20100419 sudoedit local privilege escalation through PATH manipulation RHSA-2010:0361 63878 MDVSA-2010:078 http://wiki.rpath.com/Advisories:rPSA-2010-0075 SSA:2010-110-01 43068 39543 39474 39399 39384 oval:org.mitre.oval:def:9382 SUSE-SR:2011:002 FEDORA-2010-6756 Multiple cross-site scripting (XSS) vulnerabilities in Atlassian JIRA 3.12 through 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) element or (2) defaultColor parameter to the Colour Picker page; the (3) formName parameter, (4) element parameter, or (5) full name field to the User Picker page; the (6) formName parameter, (7) element parameter, or (8) group name field to the Group Picker page; the (9) announcement_preview_banner_st parameter to unspecified components, related to the Announcement Banner Preview page; unspecified vectors involving the (10) groupnames.jsp, (11) indexbrowser.jsp, (12) classpath-debug.jsp, (13) viewdocument.jsp, or (14) cleancommentspam.jsp page; the (15) portletKey parameter to runportleterror.jsp; the (16) URI to issuelinksmall.jsp; the (17) afterURL parameter to screenshot-redirecter.jsp; or the (18) HTTP Referrer header to 500page.jsp, as exploited in the wild in April 2010. http://jira.atlassian.com/browse/JRA-21004 http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16 jira-element-xss(57827) jira-groupnames-xss(57826) 39485 [oss-security] 20100416 Re: CVE Request: JIRA Issues [oss-security] 20100416 CVE Request: JIRA Issues 39353 http://jira.atlassian.com/browse/JRA-20994 Atlassian JIRA 3.12 through 4.1 allows remote authenticated administrators to execute arbitrary code by modifying the (1) attachment (aka attachments), (2) index (aka indexing), or (3) backup path and then uploading a file, as exploited in the wild in April 2010. http://jira.atlassian.com/browse/JRA-21004 http://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2010-04-16 jira-pathsettings-priv-escalation(57828) 39485 [oss-security] 20100416 Re: CVE Request: JIRA Issues [oss-security] 20100416 CVE Request: JIRA Issues 39353 http://jira.atlassian.com/browse/JRA-20995 The fbComposite function in fbpict.c in the Render extension in the X server in X.Org X11R7.1 allows remote authenticated users to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted request, related to an incorrect macro definition. http://cgit.freedesktop.org/xorg/xserver/commit/?id=d2f813f7db RHSA-2010:0382 https://bugzilla.redhat.com/show_bug.cgi?id=582601 https://bugzilla.redhat.com/show_bug.cgi?id=495733 ADV-2010-1185 USN-939-1 1023929 39834 39650 oval:org.mitre.oval:def:10112 SUSE-SR:2010:014 fetchmail 4.6.3 through 6.3.16, when debug mode is enabled, does not properly handle invalid characters in a multi-character locale, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted (1) message header or (2) POP3 UIDL list. 20100506 fetchmail security announcement fetchmail-SA-2010-02 (CVE-2010-1167) http://www.fetchmail.info/fetchmail-SA-2010-02.txt 39556 MDVSA-2011:107 http://developer.berlios.de/project/shownotes.php?group_id=1824&release_id=17512 The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving implicitly called methods and implicitly blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD methods, related to "automagic methods." https://bugzilla.redhat.com/show_bug.cgi?id=576508 ADV-2010-3075 RHSA-2010:0458 RHSA-2010:0457 [oss-security] 20100520 CVE-2010-1974 reject request (dupe of CVE-2010-1168) and CVE-2010-1447 description modification request MDVSA-2010:116 MDVSA-2010:115 1024062 42402 40052 40049 oval:org.mitre.oval:def:9807 oval:org.mitre.oval:def:7424 http://cpansearch.perl.org/src/RGARCIA/Safe-2.27/Changes http://blogs.sun.com/security/entry/cve_2010_1168_vulnerability_in http://blogs.perl.org/users/rafael_garcia-suarez/2010/03/new-safepm-fixes-security-hole.html PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447. http://www.postgresql.org/about/news.1203 https://bugzilla.redhat.com/show_bug.cgi?id=588269 https://bugzilla.redhat.com/show_bug.cgi?id=582615 postgresql-safe-code-execution(58693) ADV-2010-1221 ADV-2010-1207 ADV-2010-1198 ADV-2010-1197 ADV-2010-1182 ADV-2010-1167 1023988 40215 RHSA-2010:0430 RHSA-2010:0429 RHSA-2010:0428 RHSA-2010:0427 http://www.postgresql.org/support/security http://www.postgresql.org/docs/current/static/release-8-4-4.html http://www.postgresql.org/docs/current/static/release-8-3-11.html http://www.postgresql.org/docs/current/static/release-8-2-17.html http://www.postgresql.org/docs/current/static/release-8-1-21.html http://www.postgresql.org/docs/current/static/release-8-0-25.html http://www.postgresql.org/docs/current/static/release-7-4-29.html [oss-security] 20100520 CVE-2010-1974 reject request (dupe of CVE-2010-1168) and CVE-2010-1447 description modification request MDVSA-2010:103 DSA-2051 39939 39898 39845 39820 39815 oval:org.mitre.oval:def:10645 64755 SUSE-SR:2010:014 FEDORA-2010-8723 FEDORA-2010-8715 FEDORA-2010-8696 The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script. ADV-2010-1167 https://bugzilla.redhat.com/show_bug.cgi?id=583072 ADV-2010-1221 ADV-2010-1207 ADV-2010-1198 ADV-2010-1197 ADV-2010-1182 1023987 40215 RHSA-2010:0430 RHSA-2010:0429 RHSA-2010:0428 RHSA-2010:0427 http://www.postgresql.org/support/security http://www.postgresql.org/docs/current/static/release-8-4-4.html http://www.postgresql.org/docs/current/static/release-8-3-11.html http://www.postgresql.org/docs/current/static/release-8-2-17.html http://www.postgresql.org/docs/current/static/release-8-1-21.html http://www.postgresql.org/docs/current/static/release-8-0-25.html http://www.postgresql.org/docs/current/static/release-7-4-29.html http://www.postgresql.org/about/news.1203 [oss-security] 20100520 CVE-2010-1974 reject request (dupe of CVE-2010-1168) and CVE-2010-1447 description modification request MDVSA-2010:103 DSA-2051 39939 39898 39845 39820 39815 oval:org.mitre.oval:def:10510 64757 SUSE-SR:2010:014 FEDORA-2010-8723 FEDORA-2010-8715 FEDORA-2010-8696 Red Hat Network (RHN) Satellite 5.3 and 5.4 exposes a dangerous, obsolete XML-RPC API, which allows remote authenticated users to access arbitrary files and cause a denial of service (failed yum operations) via vectors related to configuration and package group (comps.xml) files for channels. RHSA-2011:0434 https://bugzilla.redhat.com/show_bug.cgi?id=584118 rhnss-xmlrpcapi-info-disclosure(66690) ADV-2011-0967 1025316 47316 44150 DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services. https://bugzilla.redhat.com/show_bug.cgi?id=585394 glib-property-security-bypass(61041) ADV-2010-3097 ADV-2010-2063 42347 RHSA-2010:0616 http://support.avaya.com/css/P8/documents/100113103 42397 40925 40908 SUSE-SR:2010:022 SUSE-SR:2010:020 SUSE-SR:2010:019 http://cgit.freedesktop.org/dbus/dbus-glib/commit/?h=rhel5&id=9a6bce9b615abca6068348c1606ba8eaf13d9ae0 The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data. http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commit;h=5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 [netdev] 20100428 Re: [PATCH]: sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4) https://bugzilla.redhat.com/show_bug.cgi?id=584645 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0474 [oss-security] 20100429 Re: CVE-2010-1173 kernel: skb_over_panic resulting from multiple invalid parameter errors [oss-security] 20100429 CVE-2010-1173 kernel: skb_over_panic resulting from multiple invalid parameter errors MDVSA-2010:198 DSA-2053 43315 40218 39830 oval:org.mitre.oval:def:11416 [oss-security] 20100429 Re: CVE-2010-1173 kernel: skb_over_panic resulting from multiple invalid parameter errors http://kbase.redhat.com/faq/docs/DOC-31052 Cisco TFTP Server 1.1 allows remote attackers to cause a denial of service (daemon crash) via a crafted (1) read (aka RRQ) or (2) write (aka WRQ) request, or other TFTP packet. NOTE: some of these details are obtained from third party information. cisco-tftp-dos(57165) 38968 11878 39116 Microsoft Internet Explorer 7.0 on Windows XP and Windows Server 2003 allows remote attackers to have an unspecified impact via a certain XML document that references a crafted web site in the SRC attribute of an image element, related to a "0day Vulnerability." 20100320 Internet Explorer 7.0 0day Vulnerability Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors related to an array of long strings, an array of IMG elements with crafted strings in their SRC attributes, a TBODY element with no associated TABLE element, and certain calls to the delete operator and the cloneNode, clearAttributes, and CollectGarbage methods, possibly a related issue to CVE-2009-0075. 38989 11891 http://nishantdaspatnaik.yolasite.com/ipodpoc1.php Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving document.write calls with long crafted strings. 38994 http://nishantdaspatnaik.yolasite.com/ipodpoc2.php Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) via a JavaScript loop that attempts to construct an infinitely long string. safari-iphone-javascript-dos(57993) http://nishantdaspatnaik.yolasite.com/ipodpoc3.php Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a large integer in the numcolors attribute of a recolorinfo element in a VML file, possibly a related issue to CVE-2007-0024. 38990 11890 http://nishantdaspatnaik.yolasite.com/ipodpoc4.php Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long exception string in a throw statement, possibly a related issue to CVE-2009-1514. safari-iphone-throw-code-execution(57992) 38992 http://nishantdaspatnaik.yolasite.com/ipodpoc5.php Safari on Apple iPhone OS 3.1.3 for iPod touch allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a MARQUEE element. http://nishantdaspatnaik.yolasite.com/ipodpoc6.php Multiple unspecified vulnerabilities in the administrative console in IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.9 on z/OS have unknown impact and attack vectors. ADV-2010-0609 Certain patch-installation scripts in Oracle Solaris allow local users to append data to arbitrary files via a symlink attack on the /tmp/CLEANUP temporary file, related to use of Update Manager. solaris-update-manager-multiple-symlink(57149) 38928 20100324 Symlink attack with Solaris Update manager and Sun Patch Cluster 20100324 Symlink attack with Solaris Update manager The Microsoft wireless keyboard uses XOR encryption with a key derived from the MAC address, which makes it easier for remote attackers to obtain keystroke information and inject arbitrary commands via a nearby wireless device, as demonstrated by Keykeriki 2. ms-keyboard-xor-command-execution(57978) http://www.theregister.co.uk/2010/03/26/open_source_wireless_sniffer/ http://www.remote-exploit.org/?p=437 Stack-based buffer overflow in serv.exe in SAP MaxDB 7.4.3.32, and 7.6.0.37 through 7.6.06 allows remote attackers to execute arbitrary code via an invalid length parameter in a handshake packet to TCP port 7210. NOTE: some of these details are obtained from third party information. maxdb-serv-bo(56950) http://www.zerodayinitiative.com/advisories/ZDI-10-032/ ADV-2010-0643 1023719 38769 20100316 ZDI-10-032: SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability 38955 63047 Cross-site scripting (XSS) vulnerability in xml/media-rss.php in the NextGEN Gallery plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the mode parameter. http://wordpress.org/extend/plugins/nextgen-gallery/changelog/ nextgen-mode-xss(57562) ADV-2010-0821 39250 12098 http://www.coresecurity.com/content/nextgen-gallery-xss-vulnerability 39341 The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' https://bugzilla.redhat.com/show_bug.cgi?id=578057 [oss-security] 20100331 Re: CVE request: kernel: tipc: Fix oops on send prior to entering networked mode [oss-security] 20100330 CVE request: kernel: tipc: Fix oops on send prior to entering networked mode http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=d0021b252eaf65ca07ed14f0d66425dd9ccab9a6;hp=6d55cb91a0020ac0d78edcad61efd6c8cf5785a3 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39120 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX MDVSA-2010:198 DSA-2053 43315 39830 oval:org.mitre.oval:def:9832 Use-after-free vulnerability in net/ipv4/tcp_input.c in the Linux kernel 2.6 before 2.6.20, when IPV6_RECVPKTINFO is set on a listening socket, allows remote attackers to cause a denial of service (kernel panic) via a SYN packet while the socket is in a listening (TCP_LISTEN) state, which is not properly handled and causes the skb structure to be freed. http://git.kernel.org/linus/fb7e2399ec17f1004c0e0ccfd17439f8759ede01 http://www.vmware.com/security/advisories/VMSA-2011-0009.html 1023992 39016 RHSA-2010:0882 RHSA-2010:0439 RHSA-2010:0424 RHSA-2010:0394 RHSA-2010:0380 [oss-security] 20100329 CVE request: kernel: ipv6: skb is unexpectedly freed (remote DoS) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20 http://support.avaya.com/css/P8/documents/100090459 39652 oval:org.mitre.oval:def:9878 MediaWiki before 1.15.2 does not prevent wiki editors from linking to images from other web sites in wiki pages, which allows editors to obtain IP addresses and other information of wiki users by adding a link to an image on an attacker-controlled web site, aka "CSS validation issue." [MediaWiki-announce] 20100303 MediaWiki security update: 1.15.2 ADV-2010-1001 ADV-2010-0685 DSA-2022 39656 39022 SUSE-SR:2010:010 thumb.php in MediaWiki before 1.15.2, when used with access-restriction mechanisms such as img_auth.php, does not check user permissions before providing scaled images, which allows remote attackers to bypass intended access restrictions and read private images via unspecified manipulations. [MediaWiki-announce] 20100303 MediaWiki security update: 1.15.2 ADV-2010-1001 ADV-2010-0685 DSA-2022 http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_15_2/phase3/RELEASE-NOTES 39656 39022 SUSE-SR:2010:010 Sahana disaster management system 0.6.2.2, and possibly other versions, allows remote attackers to bypass intended access restrictions and disable administrator authentication via a direct request to stream.php in an acl_enable_acl action to the admin module. 20100317 Sahana 0.6.2.2 Authentication Bypass http://sourceforge.net/tracker/?func=detail&aid=2970786&group_id=127855&atid=709778 39020 libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. ADV-2010-1107 [oss-security] 20100309 Re: CVE Request: libesmtp does not check NULL bytes in commonName [oss-security] 20100303 CVE Request: libesmtp does not check NULL bytes in commonName SUSE-SR:2010:011 Cross-site scripting (XSS) vulnerability in WebAccess in VMware Server 2.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON error messages. http://www.vmware.com/security/advisories/VMSA-2010-0005.html [security-announce] 20100329 VMSA-2010-0005 VMware products address vulnerabilities in WebAccess 1023769 39037 The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=311191 ADV-2010-1107 [oss-security] 20100309 Re: CVE Request: libesmtp does not check NULL bytes in commonName [oss-security] 20100303 CVE Request: libesmtp does not check NULL bytes in commonName SUSE-SR:2010:011 Cross-site scripting (XSS) vulnerability in the htmlscrubber component in ikiwiki 2.x before 2.53.5 and 3.x before 3.20100312 allows remote attackers to inject arbitrary web script or HTML via a crafted data:image/svg+xml URI. ADV-2010-0662 DSA-2020 39048 38983 http://ikiwiki.info/security/#index36h2 Integer overflow in the nsGenericDOMDataNode::SetTextInternal function in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a DOM node with a long text value that triggers a heap-based buffer overflow. https://bugzilla.mozilla.org/show_bug.cgi?id=534666 firefox-nsgenericdomdatanode-bo(59665) ADV-2010-1773 ADV-2010-1640 ADV-2010-1557 ADV-2010-1551 USN-930-2 1024139 1024138 41087 41050 RHSA-2010:0501 RHSA-2010:0500 http://www.mozilla.org/security/announce/2010/mfsa2010-29.html MDVSA-2010:125 USN-930-1 http://support.avaya.com/css/P8/documents/100091069 40481 40401 40326 40323 oval:org.mitre.oval:def:14017 oval:org.mitre.oval:def:11424 SUSE-SA:2010:030 Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, does not properly handle situations in which both "Content-Disposition: attachment" and "Content-Type: multipart" are present in HTTP headers, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an uploaded HTML document. https://bugzilla.mozilla.org/show_bug.cgi?id=537120 firefox-contentdisposition-security-bypass(59667) ADV-2010-1773 ADV-2010-1640 ADV-2010-1557 ADV-2010-1556 ADV-2010-1551 USN-930-2 1024138 41103 41050 RHSA-2010:0501 RHSA-2010:0500 RHSA-2010:0499 http://www.mozilla.org/security/announce/2010/mfsa2010-32.html MDVSA-2010:125 USN-930-1 http://support.avaya.com/css/P8/documents/100091069 40481 40401 40326 oval:org.mitre.oval:def:14186 oval:org.mitre.oval:def:10168 SUSE-SA:2010:030 Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, allows remote attackers to execute arbitrary code via vectors involving multiple plugin instances. https://bugzilla.mozilla.org/show_bug.cgi?id=532246 firefox-plugin-instances-code-exec(59664) ADV-2010-1773 ADV-2010-1640 ADV-2010-1557 ADV-2010-1556 ADV-2010-1551 USN-930-2 1024138 41102 41050 RHSA-2010:0501 RHSA-2010:0500 RHSA-2010:0499 http://www.mozilla.org/security/announce/2010/mfsa2010-28.html MDVSA-2010:125 USN-930-1 http://support.avaya.com/css/P8/documents/100091069 40481 40401 40326 oval:org.mitre.oval:def:14176 oval:org.mitre.oval:def:10990 SUSE-SA:2010:030 Integer overflow in the XSLT node sorting implementation in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to execute arbitrary code via a large text value for a node. https://bugzilla.mozilla.org/show_bug.cgi?id=554255 firefox-xslt-node-code-execution(59666) ADV-2010-1773 ADV-2010-1640 ADV-2010-1557 ADV-2010-1556 ADV-2010-1551 USN-930-2 1024139 1024138 41082 41050 RHSA-2010:0501 RHSA-2010:0500 RHSA-2010:0499 http://www.mozilla.org/security/announce/2010/mfsa2010-30.html MDVSA-2010:125 14949 USN-930-1 http://support.avaya.com/css/P8/documents/100091069 40481 40401 40326 40323 oval:org.mitre.oval:def:13287 oval:org.mitre.oval:def:10885 SUSE-SA:2010:030 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=553938 https://bugzilla.mozilla.org/show_bug.cgi?id=551661 https://bugzilla.mozilla.org/show_bug.cgi?id=551233 https://bugzilla.mozilla.org/show_bug.cgi?id=534768 https://bugzilla.mozilla.org/show_bug.cgi?id=531176 https://bugzilla.mozilla.org/show_bug.cgi?id=509839 https://bugzilla.mozilla.org/show_bug.cgi?id=484890 firefox-seamonkey-browser-code-exec(59659) ADV-2010-1773 ADV-2010-1640 ADV-2010-1557 ADV-2010-1556 ADV-2010-1551 USN-930-2 1024139 1024138 41090 41050 RHSA-2010:0501 RHSA-2010:0500 RHSA-2010:0499 http://www.mozilla.org/security/announce/2010/mfsa2010-26.html MDVSA-2010:125 USN-930-1 http://support.avaya.com/css/P8/documents/100091069 40481 40401 40326 40323 oval:org.mitre.oval:def:14326 oval:org.mitre.oval:def:10816 SUSE-SA:2010:030 Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x before 3.5.10, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=524921 ADV-2010-1773 ADV-2010-1640 ADV-2010-1551 USN-930-2 1024139 1024138 41050 http://www.mozilla.org/security/announce/2010/mfsa2010-26.html USN-930-1 40481 40401 40326 40323 oval:org.mitre.oval:def:12671 SUSE-SA:2010:030 Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, Thunderbird before 3.0.5, and SeaMonkey before 2.0.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=561592 https://bugzilla.mozilla.org/show_bug.cgi?id=561031 https://bugzilla.mozilla.org/show_bug.cgi?id=526449 https://bugzilla.mozilla.org/show_bug.cgi?id=424558 firefox-javascript-ce(59661) ADV-2010-1773 ADV-2010-1640 ADV-2010-1557 ADV-2010-1551 USN-930-2 1024139 1024138 41094 41050 RHSA-2010:0501 RHSA-2010:0500 http://www.mozilla.org/security/announce/2010/mfsa2010-26.html MDVSA-2010:125 USN-930-1 http://support.avaya.com/css/P8/documents/100091069 40481 40401 40326 40323 oval:org.mitre.oval:def:14308 oval:org.mitre.oval:def:10889 SUSE-SA:2010:030 The JavaScript engine in Mozilla Firefox 3.6.x before 3.6.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors that trigger an assertion failure in jstracer.cpp. https://bugzilla.mozilla.org/show_bug.cgi?id=557946 https://bugzilla.mozilla.org/show_bug.cgi?id=546611 mozilla-firefox-javascript-ce(59662) ADV-2010-1773 ADV-2010-1640 ADV-2010-1557 ADV-2010-1551 USN-930-2 1024139 1024138 41099 41050 RHSA-2010:0501 RHSA-2010:0500 http://www.mozilla.org/security/announce/2010/mfsa2010-26.html MDVSA-2010:125 USN-930-1 http://support.avaya.com/css/P8/documents/100091069 40481 40401 40326 40323 oval:org.mitre.oval:def:8317 oval:org.mitre.oval:def:10401 SUSE-SA:2010:030 Search.pm in Bugzilla 2.17.1 through 3.2.6, 3.3.1 through 3.4.6, 3.5.1 through 3.6, and 3.7 allows remote attackers to obtain potentially sensitive time-tracking information via a crafted search URL, related to a "boolean chart search." https://bugzilla.mozilla.org/show_bug.cgi?id=309952 ADV-2010-1595 41141 http://www.bugzilla.org/security/3.2.6/ 40300 Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before 1.4.3, as used in progressive applications, might allow remote attackers to execute arbitrary code via a PNG image that triggers an additional data row. https://bugzilla.redhat.com/show_bug.cgi?id=608238 41174 https://bugzilla.mozilla.org/show_bug.cgi?id=570451 https://bugs.webkit.org/show_bug.cgi?id=40798 libpng-rowdata-bo(59815) ADV-2010-3046 ADV-2010-3045 ADV-2010-2491 ADV-2010-1877 ADV-2010-1846 ADV-2010-1837 ADV-2010-1755 ADV-2010-1612 http://www.vmware.com/security/advisories/VMSA-2010-0014.html USN-960-1 http://www.mozilla.org/security/announce/2010/mfsa2010-41.html MDVSA-2010:133 http://www.libpng.org/pub/png/libpng.html DSA-2072 http://trac.webkit.org/changeset/61816 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4554 http://support.apple.com/kb/HT4457 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4435 http://support.apple.com/kb/HT4312 42317 42314 41574 40547 40472 40302 oval:org.mitre.oval:def:11851 [security-announce] 20100923 VMSA-2010-0014 VMware Workstation, Player, and ACE address several security issues SUSE-SR:2010:017 FEDORA-2010-10833 FEDORA-2010-10823 APPLE-SA-2011-03-02-1 APPLE-SA-2011-03-09-2 APPLE-SA-2010-11-22-1 APPLE-SA-2010-11-10-1 APPLE-SA-2010-08-24-1 http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=188eb6b42602bf7d7ae708a21897923b6a83fe7c#patch18 http://googlechromereleases.blogspot.com/2010/07/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=45983 http://blackberry.com/btsc/KB27244 The startDocumentLoad function in browser/base/content/browser.js in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, does not properly implement the Same Origin Policy in certain circumstances related to the about:blank document and a document that is currently loading, which allows (1) remote web servers to conduct spoofing attacks via vectors involving a 204 (aka No Content) status code, and allows (2) remote attackers to conduct spoofing attacks via vectors involving a window.stop call. https://bugzilla.mozilla.org/show_bug.cgi?id=556957 http://hg.mozilla.org/mozilla-central/rev/cadddabb1178 http://www.mozilla.org/security/announce/2010/mfsa2010-45.html 40283 oval:org.mitre.oval:def:8248 http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 do not properly implement read restrictions for CANVAS elements, which allows remote attackers to obtain sensitive cross-origin information via vectors involving reference retention and node deletion. https://bugzilla.mozilla.org/show_bug.cgi?id=571287 http://www.mozilla.org/security/announce/2010/mfsa2010-43.html oval:org.mitre.oval:def:11887 Use-after-free vulnerability in the attribute-cloning functionality in the DOM implementation in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to execute arbitrary code via vectors related to deletion of an event attribute node with a nonzero reference count. https://bugzilla.mozilla.org/show_bug.cgi?id=572986 http://www.zerodayinitiative.com/advisories/ZDI-10-134/ 41849 20100721 ZDI-10-134: Mozilla Firefox DOM Attribute Cloning Remote Code Execution Vulnerability http://www.mozilla.org/security/announce/2010/mfsa2010-35.html oval:org.mitre.oval:def:11740 Use-after-free vulnerability in the NodeIterator implementation in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to execute arbitrary code via a crafted NodeFilter that detaches DOM nodes, related to the NodeIterator interface and a javascript callback. https://bugzilla.mozilla.org/show_bug.cgi?id=552110 http://www.zerodayinitiative.com/advisories/ZDI-10-130/ 41845 20100721 ZDI-10-130: Mozilla Firefox NodeIterator Remote Code Execution Vulnerability http://www.mozilla.org/security/announce/2010/mfsa2010-36.html oval:org.mitre.oval:def:11055 intl/uconv/util/nsUnicodeDecodeHelper.cpp in Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 inserts a U+FFFD sequence into text in certain circumstances involving undefined positions, which might make it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted 8-bit text. https://bugzilla.mozilla.org/show_bug.cgi?id=564679 http://www.mozilla.org/security/announce/2010/mfsa2010-44.html oval:org.mitre.oval:def:11863 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=574750 https://bugzilla.mozilla.org/show_bug.cgi?id=570657 https://bugzilla.mozilla.org/show_bug.cgi?id=567059 https://bugzilla.mozilla.org/show_bug.cgi?id=566136 https://bugzilla.mozilla.org/show_bug.cgi?id=564705 https://bugzilla.mozilla.org/show_bug.cgi?id=561539 https://bugzilla.mozilla.org/show_bug.cgi?id=559241 https://bugzilla.mozilla.org/show_bug.cgi?id=535926 https://bugzilla.mozilla.org/show_bug.cgi?id=529087 https://bugzilla.mozilla.org/show_bug.cgi?id=528644 https://bugzilla.mozilla.org/show_bug.cgi?id=507775 http://www.mozilla.org/security/announce/2010/mfsa2010-34.html oval:org.mitre.oval:def:11552 js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) propagation of deep aborts in the TraceRecorder::record_JSOP_BINDNAME function, (2) depth handling in the TraceRecorder::record_JSOP_GETELEM function, and (3) tracing of out-of-range arguments in the TraceRecorder::record_JSOP_ARGSUB function. https://bugzilla.mozilla.org/show_bug.cgi?id=568855 https://bugzilla.mozilla.org/show_bug.cgi?id=558618 https://bugzilla.mozilla.org/show_bug.cgi?id=530955 http://www.mozilla.org/security/announce/2010/mfsa2010-34.html oval:org.mitre.oval:def:11771 The importScripts Web Worker method in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 does not verify that content is valid JavaScript code, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted HTML document. https://bugzilla.mozilla.org/show_bug.cgi?id=568148 http://www.mozilla.org/security/announce/2010/mfsa2010-42.html oval:org.mitre.oval:def:11835 Integer overflow in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to execute arbitrary code via plugin content with many parameter elements. https://bugzilla.mozilla.org/show_bug.cgi?id=572985 http://www.mozilla.org/security/announce/2010/mfsa2010-37.html oval:org.mitre.oval:def:11685 Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 do not properly implement access to a content object through a SafeJSObjectWrapper (aka SJOW) wrapper, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging "access to an object from the chrome scope." https://bugzilla.mozilla.org/show_bug.cgi?id=567069 http://www.mozilla.org/security/announce/2010/mfsa2010-38.html oval:org.mitre.oval:def:11527 PHP remote file inclusion vulnerability in templates/template.php in notsoPureEdit 1.4.1 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the content parameter. NOTE: some of these details are obtained from third party information. ADV-2010-0673 11832 39070 http://inj3ct0r.com/exploits/11393 Directory traversal vulnerability in the JE Form Creator (com_jeformcr) component for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE: the original researcher states that the affected product is JE Tooltip, not Form Creator; however, the exploit URL suggests that Form Creator is affected. 38866 http://www.packetstormsecurity.org/1003-exploits/joomlajetooltip-lfi.txt 11814 39063 63120 Cross-site scripting (XSS) vulnerability in the mm_forum extension 1.8.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-sa-2010-007/ http://typo3.org/extensions/repository/view/mm_forum/1.8.3/ mmforum-unspecified-xss(57037) 38825 Directory traversal vulnerability in the JA News (com_janews) component 1.0 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. janews-index-file-include(56901) 38746 11757 38952 CA XOsoft r12.0 and r12.5 does not properly perform authentication, which allows remote attackers to enumerate usernames via a SOAP request. Per: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869 'The first vulnerability, CVE-2010-1221, occurs due to a lack of authentication. An attacker can make a SOAP request to enumerate user names. This vulnerability has a low risk rating and affects r12.0 and r12.5 XOsoft products.' https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869 39244 20100406 CA20100406-01: Security Notice for CA XOsoft CA XOsoft r12.5 does not properly perform authentication, which allows remote attackers to obtain potentially sensitive information via a SOAP request. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869 39249 20100406 CA20100406-01: Security Notice for CA XOsoft Multiple buffer overflows in CA XOsoft r12.0 and r12.5 allow remote attackers to execute arbitrary code via (1) a malformed request to the ws_man/xosoapapi.asmx SOAP endpoint or (2) a long string to the entry_point.aspx service. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=232869 39238 http://www.zerodayinitiative.com/advisories/ZDI-10-066/ http://www.zerodayinitiative.com/advisories/ZDI-10-065/ 20100406 ZDI-10-066: CA XOsoft Control Service entry_point.aspx Remote Code Execution Vulnerability 20100406 ZDI-10-065: CA XOsoft xosoapapi.asmx Multiple Remote Code Execution Vulnerabilities 20100406 CA20100406-01: Security Notice for CA XOsoft main/acl.c in Asterisk Open Source 1.6.0.x before 1.6.0.25, 1.6.1.x before 1.6.1.17, and 1.6.2.x before 1.6.2.5 does not properly enforce remote host access controls when CIDR notation "/0" is used in permit= and deny= configuration rules, which causes an improper arithmetic shift and might allow remote attackers to bypass ACL rules and access services from unauthorized hosts. http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.2.diff asterisk-cidr-security-bypass(56552) ADV-2010-0475 38424 20100225 AST-2010-003: Invalid parsing of ACL rules can compromise security 39096 38752 62588 FEDORA-2010-3724 http://downloads.asterisk.org/pub/security/AST-2010-003.html http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.1.diff http://downloads.asterisk.org/pub/security/AST-2010-003-1.6.0.diff The memory-management implementation in the Virtual Machine Monitor (aka VMM or hypervisor) in Microsoft Virtual PC 2007 Gold and SP1, Virtual Server 2005 Gold and R2 SP1, and Windows Virtual PC does not properly restrict access from the guest OS to memory locations in the VMM work area, which allows context-dependent attackers to bypass certain anti-exploitation protection mechanisms on the guest OS via crafted input to a vulnerable application. NOTE: the vendor reportedly found that only systems with an otherwise vulnerable application are affected, because "the memory areas accessible from the guest cannot be leveraged to achieve either remote code execution or elevation of privilege and ... no data from the host is exposed to the guest OS." 38764 20100316 CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability http://www.coresecurity.com/content/virtual-pc-2007-hypervisor-memory-protection-bug 1023720 The HTTP client functionality in Apple iPhone OS 3.1 on the iPhone 2G and 3.1.3 on the iPhone 3GS allows remote attackers to cause a denial of service (Safari, Mail, or Springboard crash) via a crafted innerHTML property of a DIV element, related to a "malformed character" issue. 38758 11769 Cross-site scripting (XSS) vulnerability in Sun Java System Communications Express 6.2 and 6.3 allows remote attackers to inject arbitrary web script or HTML via the subject field of a message, as demonstrated by a subject containing an IMG element with a SRC attribute that performs a cross-site request forgery (CSRF) attack involving the cmd and argv parameters to cmd.msc. ADV-2011-0157 20100313 Sun Java System Communication Express CSRF via HPP http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html 42990 Multiple race conditions in the sandbox infrastructure in Google Chrome before 4.1.249.1036 have unspecified impact and attack vectors. oval:org.mitre.oval:def:13829 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=31880 http://code.google.com/p/chromium/issues/detail?id=28804 The sandbox infrastructure in Google Chrome before 4.1.249.1036 does not properly use pointers, which has unspecified impact and attack vectors. oval:org.mitre.oval:def:14220 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=31880 http://code.google.com/p/chromium/issues/detail?id=28804 Google Chrome before 4.1.249.1036 does not have the expected behavior for attempts to delete Web SQL Databases and clear the Strict Transport Security (STS) state, which has unspecified impact and attack vectors. oval:org.mitre.oval:def:14292 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=33445 http://code.google.com/p/chromium/issues/detail?id=30801 Google Chrome before 4.1.249.1036 processes HTTP headers before invoking the SafeBrowsing feature, which allows remote attackers to have an unspecified impact via crafted headers. oval:org.mitre.oval:def:14332 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=33572 Google Chrome before 4.1.249.1036 allows remote attackers to cause a denial of service (memory error) or possibly have unspecified other impact via a malformed SVG document. oval:org.mitre.oval:def:14000 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=34978 Multiple integer overflows in Google Chrome before 4.1.249.1036 allow remote attackers to have an unspecified impact via vectors involving WebKit JavaScript objects. ADV-2011-0212 43068 oval:org.mitre.oval:def:14023 SUSE-SR:2011:002 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=35724 Unspecified vulnerability in Google Chrome before 4.1.249.1036 allows remote attackers to truncate the URL shown in the HTTP Basic Authentication dialog via unknown vectors. oval:org.mitre.oval:def:14275 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=36772 Unspecified vulnerability in Google Chrome before 4.1.249.1036 allows remote attackers to trigger the omission of a download warning dialog via unknown vectors. oval:org.mitre.oval:def:14297 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=37007 The protocolIs function in platform/KURLGoogle.cpp in WebCore in WebKit before r55822, as used in Google Chrome before 4.1.249.1036 and Flock Browser 3.x before 3.0.0.4112, does not properly handle whitespace at the beginning of a URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted javascript: URL, as demonstrated by a \x00javascript:alert sequence. https://bugs.webkit.org/show_bug.cgi?id=35948 ADV-2011-0212 http://src.chromium.org/viewvc/chrome?view=rev&revision=41244 43068 oval:org.mitre.oval:def:14067 SUSE-SR:2011:002 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://flock.com/security/ http://codereview.chromium.org/858001 http://code.google.com/p/chromium/issues/detail?id=37383 Google Chrome 4.1 BETA before 4.1.249.1036 allows remote attackers to cause a denial of service (memory error) or possibly have unspecified other impact via an empty SVG element. oval:org.mitre.oval:def:14374 http://googlechromereleases.blogspot.com/2010/03/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=37061 MoinMoin 1.7.1 allows remote attackers to bypass the textcha protection mechanism by modifying the textcha-question and textcha-answer fields to have empty values. ADV-2010-0831 USN-925-1 DSA-2024 39284 Foxit Reader before 3.2.1.0401 allows remote attackers to (1) execute arbitrary local programs via a certain "/Type /Action /S /Launch" sequence, and (2) execute arbitrary programs embedded in a PDF document via an unspecified "/Launch /Action" sequence, a related issue to CVE-2009-0836. VU#570177 http://www.foxitsoftware.com/pdf/reader/security.htm#0401 http://www.foxitsoftware.com/announcements/2010420408.html http://www.f-secure.com/weblog/archives/00001923.html http://blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message. TA10-231A http://www.adobe.com/support/security/bulletins/apsb10-15.html oval:org.mitre.oval:def:7466 [dailydave] 20100401 0day, it may not be http://blog.didierstevens.com/2010/06/29/quickpost-no-escape-from-pdf/ http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ Heap-based buffer overflow in the custom heap management system in Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, aka FG-VD-10-005. TA10-103C reader-customheap-code-execution(57589) http://www.youtube.com/watch?v=9EVHtY1-0q8 ADV-2010-0873 39329 39227 http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Li http://www.adobe.com/support/security/bulletins/apsb10-09.html oval:org.mitre.oval:def:6940 [dailydave] 20100401 0day, it may not be http://blog.fortinet.com/the-upcoming-blackhat-europe-2010-presentation/ Multiple cross-site scripting (XSS) vulnerabilities in the IBM Web Interface for Content Management (aka WEBi) before 1.0.4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www-01.ibm.com/support/docview.wss?uid=swg24025662 ADV-2011-0834 ADV-2010-0733 39186 The IBM Web Interface for Content Management (aka WEBi) before 1.0.4 creates persistent cookies on client workstations, which has unspecified impact and attack vectors. http://www-01.ibm.com/support/docview.wss?uid=swg24025662 ADV-2011-0834 ADV-2010-0733 39186 Cross-site request forgery (CSRF) vulnerability in createDestination.action in Apache ActiveMQ before 5.3.1 allows remote attackers to hijack the authentication of unspecified victims for requests that create queues via the JMSDestination parameter in a queue action. http://activemq.apache.org/activemq-531-release.html https://issues.apache.org/activemq/browse/AMQ-2625 https://issues.apache.org/activemq/browse/AMQ-2613 activemq-web-console-csrf(57398) 39223 Unspecified vulnerability in Microsoft Office Excel 2002 SP3, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via an Excel file with a malformed SxView (0xB0) record, aka "Excel Record Memory Corruption Vulnerability," a different vulnerability than CVE-2010-0824 and CVE-2010-0821. TA10-159B MS10-038 20100608 VUPEN Security Research - Microsoft Office Excel SxView Memory Corruption Vulnerability (CVE-2010-1245) oval:org.mitre.oval:def:6877 Stack-based buffer overflow in Microsoft Office Excel 2002 SP3 allows remote attackers to execute arbitrary code via an Excel file with a malformed RTD (0x813) record, aka "Excel RTD Memory Corruption Vulnerability." TA10-159B MS10-038 20100608 VUPEN Security Research - Microsoft Office Excel RTD Stack Overflow Vulnerability (CVE-2010-1246) oval:org.mitre.oval:def:6839 Unspecified vulnerability in Microsoft Office Excel 2002 SP3 allows remote attackers to execute arbitrary code via an Excel file with a malformed RTD (0x813) record that triggers heap corruption, aka "Excel Memory Corruption Vulnerability," a different vulnerability than CVE-2010-0823 and CVE-2010-1249. TA10-159B MS10-038 20100608 VUPEN Security Research - Microsoft Office Excel RTD Heap Corruption Vulnerability (CVE-2010-1247) oval:org.mitre.oval:def:6630 65237 Buffer overflow in Microsoft Office Excel 2002 SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via an Excel file with a malformed HFPicture (0x866) record, aka "Excel HFPicture Memory Corruption Vulnerability." TA10-159B MS10-038 40526 20100608 VUPEN Security Research - Microsoft Office Excel HFPicture Buffer Overflow Vulnerability (CVE-2010-1248) oval:org.mitre.oval:def:7223 65235 Buffer overflow in Microsoft Office Excel 2002 SP3, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via an Excel file with a malformed ExternName (0x23) record, aka "Excel Memory Corruption Vulnerability," a different vulnerability than CVE-2010-0823 and CVE-2010-1247. TA10-159B MS10-038 40527 20100608 VUPEN Security Research - Microsoft Office Excel ExternName Buffer Overflow Vulnerability (CVE-2010-1249) oval:org.mitre.oval:def:6634 65232 Heap-based buffer overflow in Microsoft Office Excel 2002 SP3, Office 2004 for Mac, Office 2008 for Mac, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via an Excel file with malformed (1) EDG (0x88) and (2) Publisher (0x89) records, aka "Excel EDG Memory Corruption Vulnerability." TA10-159B MS10-038 40528 20100608 VUPEN Security Research - Microsoft Office Excel EDG Heap Overflow Vulnerability (CVE-2010-1250) oval:org.mitre.oval:def:7593 Unspecified vulnerability in Microsoft Office Excel 2002 SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Excel file, aka "Excel Record Stack Corruption Vulnerability." TA10-159B MS10-038 40529 oval:org.mitre.oval:def:6761 Unspecified vulnerability in Microsoft Office Excel 2002 SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Excel file, aka "Excel String Variable Vulnerability." TA10-159B MS10-038 40530 oval:org.mitre.oval:def:7369 Microsoft Office Excel 2002 SP3, 2007 SP1, and SP2; Office 2004 for mac; Office 2008 for Mac; Open XML File Format Converter for Mac; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2; allows remote attackers to execute arbitrary code via an Excel file with crafted DBQueryExt records that allow a function call to a "user-controlled pointer," aka "Excel ADO Object Vulnerability." TA10-159B MS10-038 http://www.zerodayinitiative.com/advisories/ZDI-10-103 20100608 ZDI-10-103: Microsoft Office Excel DBQueryExt Record Unspecified ADO Object Remote Code Execution Vulnerability oval:org.mitre.oval:def:6842 65228 The installation for Microsoft Open XML File Format Converter for Mac sets insecure ACLs for the /Applications folder, which allows local users to execute arbitrary code by replacing the executable with a Trojan Horse, aka "Mac Office Open XML Permissions Vulnerability." TA10-159B MS10-038 40533 The Windows kernel-mode drivers in win32k.sys in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 Gold and SP2, Windows 7, and Server 2008 R2 allows local users to execute arbitrary code via vectors related to "glyph outline information" and TrueType fonts, aka "Win32k TrueType Font Parsing Vulnerability." TA10-159B MS10-032 http://www.opera.com/support/kb/view/954/ oval:org.mitre.oval:def:7283 Unspecified vulnerability in Microsoft IIS 6.0, 7.0, and 7.5, when Extended Protection for Authentication is enabled, allows remote authenticated users to execute arbitrary code via unknown vectors related to "token checking" that trigger memory corruption, aka "IIS Authentication Memory Corruption Vulnerability." Per: http://www.microsoft.com/technet/security/bulletin/ms10-040.mspx 'Mitigating Factors for IIS Authentication Memory Corruption Vulnerability - CVE-2010-1256 Without the installation of KB973917 on Windows Server 2003, Windows Vista, and Windows Server 2008, systems will not have the Extended Protection for Authentication feature and will not be vulnerable. Extended Protection for Authentication is not enabled by default on any affected platform, even when a system has installed KB973917. Systems are only affected when this feature is enabled.' TA10-159B MS10-040 ms-iis-authentication-code-execution(58864) 40573 oval:org.mitre.oval:def:7149 Cross-site scripting (XSS) vulnerability in the toStaticHTML API, as used in Microsoft Office InfoPath 2003 SP3, 2007 SP1, and 2007 SP2; Office SharePoint Server 2007 SP1 and SP2; SharePoint Services 3.0 SP1 and SP2; and Internet Explorer 8 allows remote attackers to inject arbitrary web script or HTML via vectors related to sanitization. TA10-159B MS10-039 MS10-035 ie-tostatichtml-information-disclosure(58866) 40409 http://support.avaya.com/css/P8/documents/100089747 oval:org.mitre.oval:def:6677 Microsoft Internet Explorer 6, 7, and 8 does not properly determine the origin of script code, which allows remote attackers to execute script in an unintended domain or security zone, and obtain sensitive information, via unspecified vectors, aka "Event Handler Cross-Domain Vulnerability." TA10-222A MS10-053 oval:org.mitre.oval:def:11954 Microsoft Internet Explorer 6 SP1 and SP2, 7, and 8 allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." TA10-159B MS10-035 http://support.avaya.com/css/P8/documents/100089747 oval:org.mitre.oval:def:7324 65215 The IE8 Developer Toolbar in Microsoft Internet Explorer 8 SP1, SP2, and SP3 allows user-assisted remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Element Memory Corruption Vulnerability." TA10-159B MS10-035 http://support.avaya.com/css/P8/documents/100089747 oval:org.mitre.oval:def:6686 65213 The IE8 Developer Toolbar in Microsoft Internet Explorer 8 SP1, SP2, and SP3 allows user-assisted remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." TA10-159B MS10-035 http://support.avaya.com/css/P8/documents/100089747 oval:org.mitre.oval:def:7124 65214 Microsoft Internet Explorer 6 SP1 and SP2, 7, and 8 allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, related to the CStyleSheet object and a free of the root container, aka "Memory Corruption Vulnerability." TA10-159B MS10-035 http://www.zerodayinitiative.com/advisories/ZDI-10-102/ 40417 20100608 ZDI-10-102: Microsoft Internet Explorer Stylesheet Array Removal Remote Code Execution Vulnerability http://support.avaya.com/css/P8/documents/100089747 oval:org.mitre.oval:def:7406 Windows Shell and WordPad in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7; Microsoft Office XP SP3; Office 2003 SP3; and Office System 2007 SP1 and SP2 do not properly validate COM objects during instantiation, which allows remote attackers to execute arbitrary code via a crafted file, aka "COM Validation Vulnerability." TA10-285A TA10-159B MS10-036 1024555 40574 MS10-083 oval:org.mitre.oval:def:7286 Unspecified vulnerability in Microsoft Windows SharePoint Services 3.0 SP1 and SP2 allows remote attackers to cause a denial of service (hang) via crafted requests to the Help page that cause repeated restarts of the application pool, aka "Sharepoint Help Page Denial of Service Vulnerability." TA10-159B MS10-039 40559 oval:org.mitre.oval:def:7241 SQL injection vulnerability in Adam Corley dcsFlashGames (com_dcs_flashgames) allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php. 38981 11884 39161 http://packetstormsecurity.org/1003-exploits/joomladcsflashgames-sql.txt Multiple PHP remote file inclusion vulnerabilities in WebMaid CMS 0.2-6 Beta and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) template, (2) menu, (3) events, and (4) SITEROOT parameters to template/babyweb/index.php; the (5) modules and (6) copyright parameters to template/calm/footer.php; the (7) menu parameter to template/calm/top.php; and the (8) modules, (9) copyright, and (10) menu parameters to template/wm025/footer.php. webmaidcms-index-file-include(57059) ADV-2010-0674 38993 11831 http://packetstormsecurity.org/1003-exploits/webmaid-rfilfi.txt http://inj3ct0r.com/exploits/11394 Multiple directory traversal vulnerabilities in WebMaid CMS 0.2-6 Beta and earlier allow remote attackers to read arbitrary files via directory traversal sequences in the com parameter to (1) cContactus.php, (2) cGuestbook.php, and (3) cArticle.php. ADV-2010-0674 38993 11831 http://packetstormsecurity.org/1003-exploits/webmaid-rfilfi.txt http://inj3ct0r.com/exploits/11394 Directory traversal vulnerability in index.php in justVisual CMS 2.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files directory traversal sequences in the p parameter. NOTE: some of these details are obtained from third party information. justvisualcms-index-file-include(57174) 38970 11876 39093 http://packetstormsecurity.org/1003-exploits/justvisual-lfi.txt 63156 SQL injection vulnerability in auktion.php in phpscripte24 Niedrig Gebote Pro Auktions System II allows remote attackers to execute arbitrary SQL commands via the id_auk parameter. niedrig-auktion-sql-injection(57020) 11805 38971 http://packetstormsecurity.org/1003-exploits/phpscripte24-sql.txt http://4004securityproject.wordpress.com/2010/03/18/phpscripte24-niedrig-gebote-pro-auktions-system-ii-blind-sql-injection-auktion-php/ SQL injection vulnerability in auktion.php in Multi Auktions Komplett System 2 allows remote attackers to execute arbitrary SQL commands via the id_auk parameter. auktionhaus-auktion-sql-injection(56935) 38793 63048 11776 38971 http://packetstormsecurity.org/1003-exploits/multiauktions-sql.txt http://4004securityproject.wordpress.com/2010/03/16/phpscripte24-auktionshaus-community-standart-system/ SQL injection vulnerability in showplugs.php in smartplugs 1.3 allows remote attackers to execute arbitrary SQL commands via the domain parameter. smartplugs-showplugs-sql-injection(56676) 38529 11623 38819 http://packetstormsecurity.org/1003-exploits/smartplugs-sql.txt http://4004securityproject.wordpress.com/2010/03/03/smartplugs-1-3-sql-injection-showplugs-php PHP remote file inclusion vulnerability in includes/tgpinc.php in Gnat-TGP 1.2.20 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter. gnattgp-tgpinc-file-include(56675) 38522 11621 http://packetstormsecurity.org/1003-exploits/gnattgp-rfi.txt Emweb Wt before 3.1.1 does not validate the UTF-8 encoding of (1) form values and (2) JSignal arguments, which has unspecified impact and remote attack vectors. http://www.webtoolkit.eu/wt/doc/reference/html/Releasenotes.html 38541 62717 38759 Cross-site scripting (XSS) vulnerability in Emweb Wt before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to "insertions of the URL" that occur during a redirection. wt-unspecified-xss(56681) http://www.webtoolkit.eu/wt/doc/reference/html/Releasenotes.html 38541 62716 38759 Cross-site scripting (XSS) vulnerability in ShowPost.asp in BBSXP 2008 allows remote attackers to inject arbitrary web script or HTML via the ThreadID parameter. 38542 20100304 [xss] a xss on "ThreadID" parameter in BBSXP 2008 from china 38855 Multiple cross-site scripting (XSS) vulnerabilities in BBSXP 2008 SP2 allow remote attackers to inject arbitrary web script or HTML via the URI in a request to (1) AddPost.asp, (2) AddTopic.asp, (3) Admin_Default.asp, (4) Bank.asp, (5) Manage.asp, and (6) ShowPost.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38855 SQL injection vulnerability in the user.authenticate method in the API in Zabbix 1.8 before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the user parameter in JSON data to api_jsonrpc.php. http://www.zabbix.com/rn1.8.2.php ADV-2010-0799 39148 20100401 Zabbix <= 1.8.1 SQL Injection 63456 39119 http://legalhackers.com/poc/zabbix181api.pl-poc http://legalhackers.com/advisories/zabbix181api-sql.txt 20100401 Zabbix <= 1.8.1 SQL Injection Buffer overflow in the Atlcom.get_atlcom ActiveX control in gp.ocx in Adobe Download Manager, as used in Adobe Reader and Acrobat 8.x before 8.2 and 9.x before 9.3, allows remote attackers to execute arbitrary code via unspecified parameters. http://www.adobe.com/support/security/bulletins/apsb10-02.html http://www.zerodayinitiative.com/advisories/ZDI-10-077/ 1023908 20100421 ZDI-10-077: Adobe Download Manager Atlcom.get_atlcom ActiveX Control Remote Code Execution Vulnerability oval:org.mitre.oval:def:7500 Multiple unspecified vulnerabilities in Adobe Photoshop CS4 11.x before 11.0.1 allow user-assisted remote attackers to execute arbitrary code via a crafted TIFF file. ADV-2010-1049 http://www.adobe.com/support/security/bulletins/apsb10-10.html 39849 39711 Adobe Shockwave Player before 11.5.7.609 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file, related to (1) an erroneous dereference and (2) a certain Shock.dir file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4937.php http://www.zeroscience.mk/codes/shockwave_mem.txt 20100512 [CAL-20100204-3]Adobe Shockwave Player Director File Parsing RCSL Pointer Overwrite 38751 oval:org.mitre.oval:def:7184 20100511 [CAL-20100204-3]Adobe Shockwave Player Director File Parsing RCSL Pointer Overwrite iml32.dll in Adobe Shockwave Player before 11.5.7.609 does not validate a certain value from a file before using it in file-pointer calculations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html http://www.zerodayinitiative.com/advisories/ZDI-10-087/ 20100511 ZDI-10-087: Adobe Shockwave Invalid Offset Memory Corruption Remote Code Execution Vulnerability 38751 oval:org.mitre.oval:def:7268 Adobe Shockwave Player before 11.5.7.609 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted ATOM size in a .dir (aka Director) file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 40088 20100512 [CAL-20100204-1]Adobe Shockwave Player Director File Parsing ATOM size infinite loop vulnerability oval:org.mitre.oval:def:7388 http://hi.baidu.com/fs_fx/blog/item/f8de1d18ba8c9b76dbb4bd56.html 20100511 [CAL-20100204-1]Adobe Shockwave Player Director File Parsing ATOM size infinite loop vulnerability Adobe Shockwave Player before 11.5.7.609 does not properly parse 3D objects in .dir (aka Director) files, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a modified field in a 0xFFFFFF49 record. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html http://www.zerodayinitiative.com/advisories/ZDI-10-088/ 20100511 ZDI-10-088: Adobe Shockwave Player 3D Parsing Memory Corruption Vulnerability 38751 oval:org.mitre.oval:def:7262 Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1286, CVE-2010-1287, CVE-2010-1289, CVE-2010-1290, and CVE-2010-1291. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 40091 38751 oval:org.mitre.oval:def:6638 Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via unspecified manipulations involving the newclass (0x58) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-2168 and CVE-2010-2201. http://www.adobe.com/support/security/bulletins/apsb10-15.html 41232 20100630 VUPEN Security Research - Adobe Acrobat and Reader "newclass" Memory Corruption Vulnerability (CVE-2010-1285) oval:org.mitre.oval:def:6725 Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1287, CVE-2010-1289, CVE-2010-1290, and CVE-2010-1291. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 38751 oval:org.mitre.oval:def:7269 Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1289, CVE-2010-1290, and CVE-2010-1291. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 38751 oval:org.mitre.oval:def:6803 Buffer overflow in Adobe Shockwave Player before 11.5.7.609 might allow attackers to execute arbitrary code via unspecified vectors. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 38751 oval:org.mitre.oval:def:7543 Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1290, and CVE-2010-1291. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 40087 38751 oval:org.mitre.oval:def:6652 Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1289, and CVE-2010-1291. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 38751 oval:org.mitre.oval:def:7154 Adobe Shockwave Player before 11.5.7.609 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2010-1284, CVE-2010-1286, CVE-2010-1287, CVE-2010-1289, and CVE-2010-1290. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html 38751 oval:org.mitre.oval:def:7183 The implementation of pami RIFF chunk parsing in Adobe Shockwave Player before 11.5.7.609 does not validate a certain value from a file before using it in file-pointer calculations, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dir (aka Director) file. Per: http://www.adobe.com/support/security/bulletins/apsb10-12.html 'Adobe recommends users of Adobe Shockwave Player 11.5.6.606 and earlier versions update to Adobe Shockwave Player 11.5.7.609' ADV-2010-1128 http://www.adobe.com/support/security/bulletins/apsb10-12.html http://www.zerodayinitiative.com/advisories/ZDI-10-089/ 20100511 ZDI-10-089: Adobe Shockwave Director PAMI Chunk Remote Code Execution Vulnerability 38751 oval:org.mitre.oval:def:7416 Cross-site scripting (XSS) vulnerability in the Administrator page in Adobe ColdFusion 8.0, 8.0.1, and 9.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Per: http://www.adobe.com/support/security/bulletins/apsb10-11.html 'Affected software versions ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX' ADV-2010-1127 http://www.adobe.com/support/security/bulletins/apsb10-11.html 39790 Unspecified vulnerability in Adobe ColdFusion 8.0, 8.0.1, and 9.0 allows local users to obtain sensitive information via unknown vectors. Per: http://www.adobe.com/support/security/bulletins/apsb10-11.html 'Affected software versions ColdFusion 8.0, 8.0.1, 9.0 and earlier versions for Windows, Macintosh and UNIX' ADV-2010-1127 http://www.adobe.com/support/security/bulletins/apsb10-11.html 39790 Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2202, CVE-2010-2207, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211, and CVE-2010-2212. Per: http://www.adobe.com/support/security/bulletins/apsb10-15.html 'This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1295).' http://www.adobe.com/support/security/bulletins/apsb10-15.html oval:org.mitre.oval:def:7504 Multiple buffer overflows in Adobe Photoshop CS4 before 11.0.2 allow user-assisted remote attackers to execute arbitrary code via a crafted (1) .ASL, (2) .ABR, or (3) .GRD file. http://www.adobe.com/support/security/bulletins/apsb10-13.html photoshopcs4-multiple-code-execution(58888) http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4940.php http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4939.php http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4938.php http://www.zeroscience.mk/codes/psstyle_bof.txt http://www.zeroscience.mk/codes/psgradient_bof.txt http://www.zeroscience.mk/codes/psbrush_bof.txt 1024042 40389 12753 12752 12751 Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64; Adobe AIR before 2.0.2.12610; and Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, related to authplay.dll and the ActionScript Virtual Machine 2 (AVM2) newfunction instruction, as exploited in the wild in June 2010. TA10-162A TA10-159A VU#486225 adobe-authplay-code-execution(59137) ADV-2011-0192 ADV-2010-1793 ADV-2010-1522 ADV-2010-1482 ADV-2010-1453 ADV-2010-1434 ADV-2010-1432 ADV-2010-1421 ADV-2010-1349 ADV-2010-1348 TLSA-2010-19 40759 40586 RHSA-2010:0470 RHSA-2010:0464 65141 13787 http://www.adobe.com/support/security/bulletins/apsb10-15.html http://www.adobe.com/support/security/bulletins/apsb10-14.html http://www.adobe.com/support/security/advisories/apsa10-01.html http://support.apple.com/kb/HT4435 1024086 1024085 1024058 1024057 GLSA-201101-09 43026 40545 40144 40034 40026 oval:org.mitre.oval:def:7116 SUSE-SR:2010:013 SUSE-SA:2010:024 APPLE-SA-2010-11-10-1 SSRT100179 SSRT100179 http://community.websense.com/blogs/securitylabs/archive/2010/06/09/having-fun-with-adobe-0-day-exploits.aspx http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/ Directory traversal vulnerability in view.php in Pulse CMS 1.2.2 allows remote attackers to read arbitrary files via directory traversal sequences in the f parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. per: http://secunia.com/advisories/38650 '2) Input passed via the "f" parameter to view.php is not properly sanitised before being used to read files. This can be exploited to disclose the content of local files via directory traversal sequences. Successful exploitation of this vulnerability requires authentication.' 38650 Multiple PHP remote file inclusion vulnerabilities in DynPG CMS 4.1.0, and possibly earlier, when magic_quotes_gpc is disabled and register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) DefineRootToTool parameter to counter.php, (2) PathToRoot parameter to plugins/DPGguestbook/guestbookaction.php and (3) get_popUpResource parameter to backendpopup/popup.php. NOTE: some of these details are obtained from third party information. dynphcms-popup-file-include(57491) dynphcms-guestbookaction-file-include(57490) 39168 20100401 DynPG CMS v4.1.0 Multiple Remote File Inclusion Vulnerability 11994 http://www.dynpg.org/cms-freeware.php?t=DynPG-Update+4.1.1+noch+einfacher+und+sicherer!&read_article=169 39185 http://packetstormsecurity.org/1004-exploits/dynpgcms-rfi.txt 63415 SQL injection vulnerability in index.php in Yamamah (aka Dove Photo Album) 1.00 allows remote attackers to execute arbitrary SQL commands via the calbums parameter. yamamah-calbums-sql-injection(59404) yamamah-index-sql-injection(57415) 39690 13857 13849 11947 39205 http://packetstormsecurity.org/1003-exploits/yamamah-sql.txt 63344 SQL injection vulnerability in main.php in Centreon 2.1.5 allows remote attackers to execute arbitrary SQL commands via the host_id parameter. centreon-hostid-sql-injection(57464) 39118 11979 39236 http://packetstormsecurity.org/1004-exploits/centreon-sql.txt 63347 Directory traversal vulnerability in dwgraphs.php in the DecryptWeb DW Graphs (com_dwgraphs) component 1.0 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. 39108 11978 39200 http://packetstormsecurity.org/1003-exploits/joomladwgraph-lfi.txt 63345 Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy Filter module 6.x before 6.x-1.1 for Drupal allow remote authenticated users, with administer taxonomy permissions or create node permissions when free tagging is enabled, to inject arbitrary web script or HTML via vocabulary (1) names, (2) terms, and (3) filter menus. http://drupal.org/node/758756 http://drupal.org/node/622096 taxonomy-names-xss(57445) 63425 39220 Directory traversal vulnerability in userstatus.php in the User Status (com_userstatus) component 1.21.16 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. userstatus-controller-file-include(57483) 39174 11998 Directory traversal vulnerability in jinventory.php in the JInventory (com_jinventory) component 1.23.02 and possibly other versions before 1.26.03, a module for Joomla!, allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. http://extensions.joomla.org/extensions/e-commerce/shopping-cart/7951 jinventory-controller-file-include(57538) ADV-2010-0811 39203 12065 39351 http://packetstormsecurity.org/1004-exploits/jinventory-lfi.txt Directory traversal vulnerability in the Picasa (com_joomlapicasa2) component 2.0 and 2.0.5 for Joomla! allows remote attackers to read arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. picasa-controller-file-include(57508) 39200 12058 39338 http://packetstormsecurity.org/1004-exploits/joomlapicasa-lfi.txt Directory traversal vulnerability in the Magic Updater (com_joomlaupdater) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. magicupdater-controller-file-include(57531) ADV-2010-0806 39207 12070 39348 http://packetstormsecurity.org/1004-exploits/joomlaupdater-lfi.txt Directory traversal vulnerability in the SVMap (com_svmap) component 1.1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0809 12066 39350 http://packetstormsecurity.org/1004-exploits/joomlasvmap-lfi.txt Directory traversal vulnerability in Irmin CMS (formerly Pepsi CMS) 0.6 BETA2 allows remote attackers to read arbitrary files via a .. (dot dot) in the w parameter to index.php. 11938 Opera 10.50 allows remote attackers to obtain sensitive information via crafted XSLT constructs, which cause Opera to return cached contents of other pages. http://www.opera.com/support/kb/view/949/ http://www.opera.com/docs/changelogs/windows/1051/ 38820 The qtm_decompress function in libclamav/mspack.c in ClamAV before 0.96 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted CAB archive that uses the Quantum (aka .Q) compression format. NOTE: some of these details are obtained from third party information. 39262 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1771 ADV-2010-1206 ADV-2010-1001 ADV-2010-0909 ADV-2010-0832 ADV-2010-0827 USN-926-1 MDVSA-2010:082 http://support.apple.com/kb/HT4312 39656 39329 39293 SUSE-SR:2010:010 APPLE-SA-2010-08-24-1 http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.96 Directory traversal vulnerability in the iJoomla News Portal (com_news_portal) component 1.5.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. 39222 12077 39289 http://packetstormsecurity.org/1004-exploits/joomlanewportal-lfi.txt 63572 Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. NOTE: some of these details are obtained from third party information. 39237 12082 39355 Directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. 39239 12086 39359 http://packetstormsecurity.org/1004-exploits/joomlahsconfig-lfi.txt Directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. weberpcutomer-controller-file-include(57482) 11999 39209 http://packetstormsecurity.org/1004-exploits/joomlaweberpcustomer-lfi.txt Multiple stack-based buffer overflows in Tembria Server Monitor before 5.6.1 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted (1) GET, (2) PUT, or (3) HEAD request, as demonstrated by a malformed GET request containing a long PATH_INFO to index.asp. http://www.corelan.be:8800/wp-content/forum-file-uploads/admin1/exploits/corelan_lincoln_tembria.py_.txt http://www.corelan.be:8800/advisories.php?id=CORELAN-10-022 39270 Heap-based buffer overflow in the NTLM authentication functionality in RealNetworks Helix Server and Helix Mobile Server 11.x, 12.x, and 13.x allows remote attackers to have an unspecified impact via invalid base64-encoded data. ADV-2010-0889 39490 http://www.realnetworks.com/uploadedFiles/Support/helix-support/SecurityUpdate041410HS.pdf 39279 Stack-based buffer overflow in the AgentX::receive_agentx function in AgentX++ 1.4.16, as used in RealNetworks Helix Server and Helix Mobile Server 11.x through 13.x and other products, allows remote attackers to execute arbitrary code via unspecified vectors. ADV-2010-0889 39490 http://www.realnetworks.com/uploadedFiles/Support/helix-support/SecurityUpdate041410HS.pdf 39279 Integer overflow in the AgentX::receive_agentx function in AgentX++ 1.4.16, as used in RealNetworks Helix Server and Helix Mobile Server 11.x through 13.x and other products, allows remote attackers to execute arbitrary code via a request with a crafted payload length. ADV-2010-0889 39490 http://www.realnetworks.com/uploadedFiles/Support/helix-support/SecurityUpdate041410HS.pdf 39279 Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation. ADV-2010-1481 ADV-2010-1192 ADV-2010-1001 USN-940-1 39599 20100420 MITKRB5-SA-2010-004 [CVE-2010-1320] double free in KDC http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt http://support.apple.com/kb/HT4188 1023904 40220 39784 39656 SUSE-SR:2010:010 APPLE-SA-2010-06-15-1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490 The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' Per: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt 'AFFECTED SOFTWARE ================= * kadmind and other GSS-API server applications in all known releases of MIT krb5, up to and including krb5-1.8.1 * third-party GSS-API server applications that link link against the GSS-API library in all known releases of MIT krb5, up to and including krb5-1.8.1 * Independent implementations of the krb5 GSS-API mechanism may be vulnerable, as the underlying bug is based on plausible (but invalid) assumptions about the Kerberos protocol.' TA11-201A TA10-287A 20100518 MITKRB5-SA-2010-005 [CVE-2010-1321] GSS-API lib null pointer deref http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt ADV-2011-0134 ADV-2010-3112 ADV-2010-1882 ADV-2010-1574 ADV-2010-1222 ADV-2010-1196 ADV-2010-1193 ADV-2010-1192 ADV-2010-1177 http://www.vmware.com/security/advisories/VMSA-2011-0003.html USN-940-2 USN-940-1 40235 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2011:0880 RHSA-2011:0152 RHSA-2010:0987 RHSA-2010:0935 RHSA-2010:0873 RHSA-2010:0807 RHSA-2010:0770 RHSA-2010:0423 http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html MDVSA-2010:100 DSA-2052 http://support.avaya.com/css/P8/documents/100114315 44954 43335 42974 42432 41967 40685 40346 39849 39818 39799 39784 39762 oval:org.mitre.oval:def:7450 oval:org.mitre.oval:def:7198 oval:org.mitre.oval:def:11604 64744 SUSE-SU-2012:0042 SUSE-SU-2012:0010 SUSE-SR:2010:019 SUSE-SR:2010:014 SUSE-SR:2010:013 FEDORA-2010-8805 FEDORA-2010-8796 FEDORA-2010-8749 HPSBUX02544 HPSBUX02544 The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request that triggers an uninitialized pointer dereference, as demonstrated by a request from a Windows Active Directory client. 43756 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt ADV-2010-2865 USN-999-1 20101005 MITKRB5-SA-2010-006 [CVE-2010-1322] KDC uninitialized pointer crash in authorization data handling RHSA-2010:0863 MDVSA-2010:202 SUSE-SR:2010:019 MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys. ADV-2011-0187 ADV-2010-3118 ADV-2010-3101 ADV-2010-3095 ADV-2010-3094 http://www.vmware.com/security/advisories/VMSA-2011-0012.html http://www.vmware.com/security/advisories/VMSA-2011-0007.html USN-1030-1 1024803 45118 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console 20110428 VMSA-2011-0007 VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console 20101130 MITKRB5-SA-2010-007 Multiple checksum handling vulnerabilities [CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021] RHSA-2010:0926 RHSA-2010:0925 MDVSA-2010:246 MDVSA-2010:245 DSA-2129 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt http://support.apple.com/kb/HT4581 46397 43015 42436 42420 42399 oval:org.mitre.oval:def:12121 69610 HPSBOV02682 SSRT100495 SSRT100355 SSRT100355 [security-announce] 20110428 VMSA-2011-0007 VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console SUSE-SU-2012:0042 SUSE-SU-2012:0010 SUSE-SR:2010:024 SUSE-SR:2010:023 FEDORA-2010-18425 FEDORA-2010-18409 APPLE-SA-2011-03-21-1 http://kb.vmware.com/kb/1035108 MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key. ADV-2011-0187 ADV-2010-3118 ADV-2010-3095 ADV-2010-3094 http://www.vmware.com/security/advisories/VMSA-2011-0007.html USN-1030-1 1024803 45116 20110428 VMSA-2011-0007 VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console 20101130 MITKRB5-SA-2010-007 Multiple checksum handling vulnerabilities [CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021] RHSA-2010:0925 MDVSA-2010:246 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt http://support.apple.com/kb/HT4581 43015 42399 oval:org.mitre.oval:def:11936 69609 HPSBUX02623 HPSBUX02623 [security-announce] 20110428 VMSA-2011-0007 VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console SUSE-SR:2010:024 SUSE-SR:2010:023 FEDORA-2010-18425 FEDORA-2010-18409 APPLE-SA-2011-03-21-1 http://kb.vmware.com/kb/1035108 Cross-site request forgery (CSRF) vulnerability in the apache2-slms package in SUSE Lifecycle Management Server (SLMS) 1.0 on SUSE Linux Enterprise (SLE) 11 allows remote attackers to hijack the authentication of unspecified victims via vectors related to improper parameter quoting. NOTE: some sources report that this is a vulnerability in a product named "Apache SLMS," but that is incorrect. https://bugzilla.novell.com/show_bug.cgi?id=588284 apacheslms-quoting-csrf(61006) 42121 http://support.novell.com/security/cve/CVE-2010-1325.html SUSE-SR:2010:014 perms.cpp in March Hare Software CVSNT 2.0.58, 2.5.01, 2.5.02, 2.5.03 before build 3736, 2.5.04 before build 2862; CVS Suite 2.5.03, 2008 before build 3736, and 2009 before 3729 allows remote attackers to bypass the permissions check, modify arbitrary modules and directories within CVSROOT, and execute arbitrary code via a crafted branch name ACL, possibly related to incorrect inheritance. ADV-2010-2350 DSA-2108 41358 41345 http://march-hare.com/cvspro/vuln.htm http://customer.march-hare.com/webtools/bugzilla/attachment.cgi?tt=1&id=1790&action=view http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593884 Multiple SQL injection vulnerabilities in TornadoStore 1.4.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the marca parameter to precios.php3 or (2) the where parameter in a delivery_courier action to control/abm_list.php3. tornadostore-precios-sql-injection(59950) 41233 http://www.bonsai-sec.com/en/research/vulnerabilities/tornadostore-multiple-sql-injection-0106.php Multiple cross-site scripting (XSS) vulnerabilities in TornadoStore 1.4.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) tipo or (2) destino parameter to login_registrese.php3 in the Services section, (3) the rubro parameter to precios.php3 in the Products section, (4) the arti parameter to recomenda_articulo.php3 in the Products section, (5) the descrip parameter in a profile action to control/abm_det.php3 in the e-Commerce section, (6) the tit parameter in a delivery_courier action to control/abm_list.php3 in the e-Commerce section, or (7) the tit parameter in an usuario action to control/abm_det.php3 in the e-Commerce section. tornadostore-multiple-xss(59951) 41233 http://www.bonsai-sec.com/en/research/vulnerabilities/tornadostore-multiple-xss-0107.php Imperva SecureSphere Web Application Firewall and Database Firewall 5.0.0.5082 through 7.0.0.7078 allow remote attackers to bypass intrusion-prevention functionality via a request that has an appended long string containing an unspecified manipulation. http://www.imperva.com/resources/adc/adc_advisories_response_clearskies.html 39472 20100413 Imperva SecureSphere Web Application Firewall and Database Firewall Bypass Vulnerability http://www.clearskies.net/documents/css-advisory-css1001-imperva.php SQL injection vulnerability in Heartlogic HL-SiteManager allows remote attackers to execute arbitrary SQL commands via unknown vectors. Per: http://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-000010.html '[Do not use HL-SiteManager] As patches will not be provided, users are recommended to discontinue use of HL-SiteManager and switch to a different product that provides equivalent functionality. ' hlsitemanger-unspecified-sql-injection(57495) http://www.heartlogic.jp/docs/free_cgi/hl-sitemanager.html JVNDB-2010-000010 JVN#60969543 Cross-site scripting (XSS) vulnerability in PrettyBook PrettyFormMail allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Per: http://jvndb.jvn.jp/en/contents/2010/JVNDB-2010-000007.html 'Solution [Do not use PrettyFormMail] As patches will not be provided, users are recommended to discontinue use of PrettyFormMail and switch to a different product that provides equivalent functionality. ' prettyformmail-unspecified-xss(57492) JVNDB-2010-000007 JVN#41842181 Multiple cross-site scripting (XSS) vulnerabilities in Almas Inc. Compiere J300_A02 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.compiere-japan.com/products/release/patch.html compiere-unspec-xss(57494) compiere-unspecified-xss(57493) 39177 63419 JVNDB-2010-000009 JVNDB-2010-000008 JVN#57963254 JVN#38687002 Unrestricted file upload vulnerability in Pulse CMS Basic 1.2.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the file in an unspecified directory, a different vulnerability than CVE-2010-0993. Per: http://cwe.mitre.org/data/definitions/434.html 'CWE-434: Unrestricted Upload of File with Dangerous Type' 39046 Multiple PHP remote file inclusion vulnerabilities in Insky CMS 006-0111, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the ROOT parameter to (1) city.get/city.get.php, (2) city.get/index.php, (3) message2.send/message.send.php, (4) message.send/message.send.php, and (5) pages.add/pages.add.php in insky/modules/. NOTE: some of these details are obtained from third party information. inksky-root-file-include(57112) 11848 39112 http://packetstormsecurity.org/1003-exploits/inskycms-rfi.txt 63153 63152 63151 63150 63149 Multiple SQL injection vulnerabilities in INVOhost 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) newlanguage parameters to site.php, (3) search parameter to manuals.php, and (4) unspecified vectors to faq.php. NOTE: some of these details are obtained from third party information. invohost-manuals-sql-injection(57162) invohost-site-sql-injection(57161) 38962 11874 39095 63158 63157 Multiple PHP remote file inclusion vulnerabilities in definitions.php in Lussumo Vanilla 1.1.10, and possibly 0.9.2 and other versions, allow remote attackers to execute arbitrary PHP code via a URL in the (1) include and (2) Configuration['LANGUAGE'] parameters. vanilla-definitions-file-include(57147) 38889 http://www.packetstormsecurity.com/1003-exploits/vanilla-rfi.txt SQL injection vulnerability in ts_other.php in the Teamsite Hack plugin 3.0 and earlier for WoltLab Burning Board allows remote attackers to execute arbitrary SQL commands via the userid parameter in a modboard action. wbb-teamsitehack-userid-sql-injection(57066) 38870 11824 39009 http://packetstormsecurity.org/1003-exploits/woltlabb-sql.txt 63126 http://445544.44.ohost.de/worldlabburningboardadon2python-1.txt http://4004securityproject.wordpress.com/2010/03/22/woltlab-burning-board-teamsite-hack-v3-0-ts_other-php-sql-injection-exploit-2/ Cross-site scripting (XSS) vulnerability in ts_other.php in the Teamsite Hack plugin 3.0 and earlier for WoltLab Burning Board allows remote attackers to inject arbitrary web script or HTML via the userid parameter in a modboard action, which is not properly handled in a forced SQL error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 39009 Directory traversal vulnerability in jresearch.php in the J!Research (com_jresearch) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. jresearch-controller-file-include(57123) 38917 39079 http://packetstormsecurity.org/1003-exploits/joomlajresearch-lfi.txt 63147 SQL injection vulnerability in index.php in Systemsoftware Community Black Forum allows remote attackers to execute arbitrary SQL commands via the s_flaeche parameter. blackforum-index-sql-injection(56861) 62920 11715 38960 Multiple PHP remote file inclusion vulnerabilities in Direct News 4.10.2, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the rootpath parameter to (1) admin/menu.php and (2) library/lib.menu.php; and the adminroot parameter to (3) admin/media/update_content.php and (4) library/class.backup.php. NOTE: some of these details are obtained from third party information. 38975 11882 39106 SQL injection vulnerability in photo.php in SiteX 0.7.4 beta allows remote attackers to execute arbitrary SQL commands via the albumid parameter. sitexcms-photo-sql-injection(57173) 38976 11881 SQL injection vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the fid parameter in a detail action to index.php. 38785 ckforms-index-sql-injection(56988) 63032 11785 38976 http://packetstormsecurity.org/1003-exploits/joomlackforms-lfisql.txt Directory traversal vulnerability in the Cookex Agency CKForms (com_ckforms) component 1.3.3 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. 63031 11785 38976 http://packetstormsecurity.org/1003-exploits/joomlackforms-lfisql.txt SQL injection vulnerability in admin/login.php in Mini CMS RibaFS 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the login parameter. NOTE: some of these details are obtained from third party information. minicmsribafs-login-sqli-injection(57092) 38881 11835 39018 http://packetstormsecurity.org/1003-exploits/minicmsribafs-sql.txt 63121 Director Agent 6.1 before 6.1.2.3 in IBM Systems Director on AIX and Linux uses incorrect permissions for the (1) diruninstall and (2) opt/ibm/director/bin/wcitinst scripts, which allows local users to gain privileges by executing these scripts. systems-director-agent-sec-bypass(57611) ADV-2010-0830 1023831 39305 PM08236 39194 63595 Unspecified vulnerability in the login process in IBM WebSphere Portal 6.0.1.1, and 6.1.0.x before 6.1.0.3 Cumulative Fix 03, has unknown impact and remote attack vectors. ADV-2010-0829 PM08667 websphere-login-unspecified(57613) 1023830 39306 39305 63594 Integer overflow in Opera 10.10 through 10.50 allows remote attackers to execute arbitrary code via a large Content-Length value, which triggers a heap overflow. Per: http://my.opera.com/securitygroup/blog/2010/03/09/the-malformed-content-length-header-security-issue 'We also determined that the problem only existed in our Windows version. ' ADV-2010-0529 38519 opera-contentlength-bo(56673) 1023690 http://www.opera.com/support/kb/view/948/ 11622 38820 62714 http://my.opera.com/securitygroup/blog/2010/03/09/the-malformed-content-length-header-security-issue SQL injection vulnerability in the JP Jobs (com_jp_jobs) component 1.4.1 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. 39191 http://www.joomlanetprojects.com/index.php/en/joomla-projects-downloads/joomla-1/joomla-1/38-comjpjobs.html jpjobs-index-sql-injection(57500) http://www.xenuser.org/documents/security/joomla_com_jp_jobs_sql.txt 12037 39325 http://packetstormsecurity.org/1004-exploits/joomlajpjobs-sql.txt Multiple PHP remote file inclusion vulnerabilities in Nodesforum 1.033 and 1.045, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) _nodesforum_path_from_here_to_nodesforum_folder parameter to erase_user_data.php and the (2) _nodesforum_code_path parameter to pre_output.php. NOTE: some of these details are obtained from third party information. nodesforum-preoutput-file-include(57517) 12047 39311 Directory traversal vulnerability in the JOOFORGE Jutebox (com_jukebox) component 1.0 and 1.7 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. 39248 12084 39357 http://packetstormsecurity.org/1004-exploits/joomlajukebox-lfi.txt Directory traversal vulnerability in the LoginBox Pro (com_loginbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. comloginbox-view-file-include(57533) ADV-2010-0808 39212 12068 39349 http://packetstormsecurity.org/1004-exploits/joomlaloginbox-lfi.txt Directory traversal vulnerability in the VJDEO (com_vjdeo) component 1.0 and 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. 39266 12102 39296 http://packetstormsecurity.org/1004-exploits/joomlavjdeo-lfi.txt Cross-site scripting (XSS) vulnerability on the TANDBERG Video Communication Server (VCS) before X5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Reference ID 66316. http://ftp.tandberg.com/pub/software/vcs/TANDBERG%20Video%20Communication%20Server%20Software%20Release%20Notes%20(X5).pdf Unspecified vulnerability on the TANDBERG Video Communication Server (VCS) before X5.0 allows remote attackers to execute arbitrary code via unknown vectors, aka Reference ID 69773. http://ftp.tandberg.com/pub/software/vcs/TANDBERG%20Video%20Communication%20Server%20Software%20Release%20Notes%20(X5).pdf Cross-site scripting (XSS) vulnerability in editors/logindialogue.php in SBD Directory Software 4.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. sbddirectory-logindialogue-xss(55564) 61659 11118 38148 http://packetstormsecurity.org/1001-exploits/sbddirectory-xss.txt Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) module 5.x through 5.x-1.17 and 6.x through 6.x-1.9 for Drupal allows remote authenticated users, with "administer biblio" privileges, to inject arbitrary web script or HTML via unspecified vectors. 37804 http://drupal.org/node/683786 38207 SQL injection vulnerability in bluegate_seo.inc.php in the Direct URL module for xt:Commerce, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the coID parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 37808 38197 Multiple PHP remote file inclusion vulnerabilities in FAQEngine 4.24.00 allow remote attackers to execute arbitrary PHP code via a URL in the path_faqe parameter to (1) attachs.php, (2) backup.php, (3) badwords.php, (4) categories.php, (5) changepw.php, (6) colorchooser.php, (7) colorwheel.php, (8) dbfiles.php, (9) diraccess.php, (10) faq.php, (11) index.php, (12) kb.php, and (13) stats.php. faqengine-pathfaqe-file-include(55532) 37719 11111 http://packetstormsecurity.org/1001-exploits/faqengine-rfi.txt Cross-site scripting (XSS) vulnerability in shop/USER_ARTIKEL_HANDLING_AUFRUF.php in PHPepperShop 2.5 allows remote attackers to inject arbitrary web script or HTML via the darstellen parameter. 37707 phpeppershop-darstellen-xss(55561) http://packetstormsecurity.org/1001-exploits/phpeppershopws-xss.txt Cross-site scripting (XSS) vulnerability in the Own Term module 6.x-1.0 for Drupal allows remote authenticated users, with "create additional terms" privileges, to inject arbitrary web script or HTML via the term description field in a term listing page. http://drupal.org/node/683576 http://drupal.org/node/683544 37788 38208 SQL injection vulnerability in the JProjects (com_j-projects) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the project parameter in a projects action to index.php. jprojects-index-sql-injection(55361) ADV-2010-0049 37608 10988 http://packetstormsecurity.org/1001-exploits/joomlajprojects-sql.txt SQL injection vulnerability in index.php in Uiga Personal Portal, as downloaded on 20100301, allows remote attackers to execute arbitrary SQL commands via the id parameter in a photos action. NOTE: some of these details are obtained from third party information. ADV-2010-0488 11599 38757 http://packetstormsecurity.org/1002-exploits/uigapersonalportal-sql.txt SQL injection vulnerability in index.php in Uiga Fan Club, as downloaded on 20100310, allows remote attackers to execute arbitrary SQL commands via the id parameter in a photos action. ADV-2010-0487 11600 38756 http://packetstormsecurity.org/1002-exploits/uigafc-sql.txt http://4004securityproject.wordpress.com/2010/02/28/uigafanclub-index-php-sql-injection/ Multiple SQL injection vulnerabilities in admin/admin_login.php in Uiga Fan Club 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) admin_name and (2) admin_password parameters. 11593 http://packetstormsecurity.org/1002-exploits/uigafanclub-sql.txt Multiple cross-site scripting (XSS) vulnerabilities in admin/admin_login.php in Uiga Fan Club, as downloaded on 20100310, allow remote attackers to inject arbitrary web script or HTML via the (1) admin_name and (2) admin_password parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 38756 SQL injection vulnerability in index.php in GameScript (GS) 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a category action. gamescript-index-sql-injection(56537) 38414 11577 http://packetstormsecurity.org/1002-exploits/gamescript-sql.txt SQL injection vulnerability in signup.asp in Pre Classified Listings ASP allows remote attackers to execute arbitrary SQL commands via the email parameter. 38446 11589 38768 http://packetstormsecurity.org/0812-exploits/preclass-sqlxss.txt SQL injection vulnerability in detailad.asp in Pre Classified Listings ASP allows remote attackers to execute arbitrary SQL commands via the siteid parameter. 38768 http://packetstormsecurity.org/0812-exploits/preclass-sqlxss.txt Cross-site scripting (XSS) vulnerability in signup.asp in Pre Classified Listings ASP allows remote attackers to inject arbitrary web script or HTML via the address parameter. 38768 http://packetstormsecurity.org/0812-exploits/preclass-sqlxss.txt SQL injection vulnerability in the HD FLV Player (com_hdflvplayer) component 1.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. hdflvplayer-index-sql-injection(56516) 38401 38691 http://packetstormsecurity.org/1002-exploits/joomlahdflvplayer-sql.txt 62570 Cross-site scripting (XSS) vulnerability in Help Viewer in Apple Mac OS X 10.6 before 10.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted help: URL, related to "URL parameters in HTML content." ADV-2010-1481 40871 http://support.apple.com/kb/HT4188 1024103 40220 APPLE-SA-2010-06-15-1 Directory traversal vulnerability in iChat in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, when AIM is used, allows remote attackers to create arbitrary files via directory traversal sequences in an inline image-transfer operation. 40871 http://support.apple.com/kb/HT4188 ADV-2010-1481 1024103 40220 APPLE-SA-2010-06-15-1 NetAuthSysAgent in Network Authorization in Apple Mac OS X 10.5.8 does not have the expected authorization requirements, which allows local users to gain privileges via unspecified vectors. 40871 http://support.apple.com/kb/HT4188 ADV-2010-1481 1024103 40220 APPLE-SA-2010-06-15-1 Multiple format string vulnerabilities in Network Authorization in Apple Mac OS X 10.6 before 10.6.4 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a (1) afp, (2) cifs, or (3) smb URL. 40871 http://support.apple.com/kb/HT4188 ADV-2010-1481 1024103 40220 APPLE-SA-2010-06-15-1 Open Directory in Apple Mac OS X 10.6 before 10.6.4 creates an unencrypted connection upon certain SSL failures, which allows man-in-the-middle attackers to spoof arbitrary network account servers, and possibly execute arbitrary code, via unspecified vectors. 40871 http://support.apple.com/kb/HT4188 ADV-2010-1481 1024103 40220 APPLE-SA-2010-06-15-1 OpenSSL in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform arithmetic, which allows remote attackers to bypass X.509 certificate authentication via an arbitrary certificate issued by a legitimate Certification Authority. http://support.apple.com/kb/HT4435 APPLE-SA-2010-11-10-1 Printer Setup in Apple Mac OS X 10.6 before 10.6.4 does not properly interpret character encoding, which allows remote attackers to cause a denial of service (printing failure) by deploying a printing device that has a Unicode character in its printing-service name. 40871 http://support.apple.com/kb/HT4188 ADV-2010-1481 1024103 40220 APPLE-SA-2010-06-15-1 Integer overflow in the cgtexttops CUPS filter in Printing in Apple Mac OS X 10.6 before 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to page sizes. 40871 http://support.apple.com/kb/HT4188 ADV-2010-1481 1024103 40220 APPLE-SA-2010-06-15-1 The default configuration of SMB File Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, enables support for wide links, which allows remote authenticated users to access arbitrary files via vectors involving symbolic links. NOTE: this might overlap CVE-2010-0926. 40871 http://support.apple.com/kb/HT4188 ADV-2010-1481 1024103 40220 APPLE-SA-2010-06-15-1 Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote authenticated users to inject arbitrary web script or HTML via crafted Wiki content, related to lack of a charset field. 40871 http://support.apple.com/kb/HT4188 ADV-2010-1481 1024103 40220 APPLE-SA-2010-06-15-1 CFNetwork in Apple Safari before 5.0.6 on Windows allows remote web servers to execute arbitrary code by replaying the NTLM credentials of a client user, related to a "credential reflection" issue. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not provide a warning about a (1) http or (2) https URL that contains a username and password, which makes it easier for remote attackers to conduct phishing attacks via a crafted URL. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4196 1024067 42314 40105 oval:org.mitre.oval:def:6812 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 JVNDB-2010-001538 JVN#46026251 Use-after-free vulnerability in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://support.apple.com/kb/HT4196 1024067 40105 oval:org.mitre.oval:def:7199 page/Geolocation.cpp in WebCore in WebKit before r56188 and before 1.2.5 does not properly restrict access to the lastPosition function, which has unspecified impact and remote attack vectors, aka rdar problem 7746357. https://bugs.webkit.org/show_bug.cgi?id=36255 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 42500 MDVSA-2011:039 http://trac.webkit.org/changeset/56188 http://security-tracker.debian.org/tracker/CVE-2010-1386 43068 41856 SUSE-SR:2011:002 Use-after-free vulnerability in JavaScriptCore in WebKit in Apple iTunes before 9.2 on Windows, and Apple iOS before 4 on the iPhone and iPod touch, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to page transitions, a different vulnerability than CVE-2010-1763 and CVE-2010-1769. itunes-webkit-unspecified-var1(59506) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 41016 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 1024108 43068 42314 41856 40196 oval:org.mitre.oval:def:7061 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6, and before 4.1 on Mac OS X 10.4, does not properly handle clipboard (1) drag and (2) paste operations for URLs, which allows user-assisted remote attackers to read arbitrary files via a crafted HTML document. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0212 40752 http://support.apple.com/kb/HT4196 1024067 43068 40105 SUSE-SR:2011:002 Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving a (1) paste or (2) drag-and-drop operation for a selection. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4196 1024067 43068 41856 40105 oval:org.mitre.oval:def:6649 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors related to improper UTF-7 canonicalization, and lack of termination of a quoted string in an HTML document. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:6888 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 Multiple directory traversal vulnerabilities in the (a) Local Storage and (b) Web SQL database implementations in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allow remote attackers to create arbitrary database files via vectors involving a (1) %2f and .. (dot dot) or (2) %5c and .. (dot dot) in a URL. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 40753 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4196 1024067 43068 41856 40105 oval:org.mitre.oval:def:7082 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to HTML buttons and the first-letter CSS style. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 20100608 VUPEN Security Research - Apple Safari WebKit HTML Button Use-after-free Vulnerability (CVE-2010-1392) MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7024 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to discover sensitive URLs via an HREF attribute associated with a redirecting URL. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7346 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors involving HTML document fragments. ADV-2010-1373 1024067 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 40620 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4196 43068 42314 41856 40105 oval:org.mitre.oval:def:7552 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors involving DOM constructor objects, related to a "scope management issue." ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7464 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the contentEditable attribute and removing container elements. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://www.zerodayinitiative.com/advisories/ZDI-10-092 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 40647 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7288 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to a layout change during selection rendering and the DOCUMENT_POSITION_DISCONNECTED attribute in a container of an unspecified type. ADV-2010-1512 ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://www.zerodayinitiative.com/advisories/ZDI-10-095 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 20100608 ZDI-10-095: Apple Webkit DOCUMENT_POSITION_DISCONNECTED Attribute Remote Code Execution Vulnerability MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:6912 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly perform ordered list insertions, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document, related to the insertion of an unspecified element into an editable container and the access of an uninitialized element. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://www.zerodayinitiative.com/advisories/ZDI-10-097 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 20100608 ZDI-10-097: Apple Webkit ContentEditable moveParagraphs Uninitialized Element Remote Code Execution Vulnerability MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7556 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, accesses uninitialized memory during a selection change on a form input element, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0212 ADV-2010-1512 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 40196 40105 oval:org.mitre.oval:def:6709 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving caption elements. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7031 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 20100607 Multiple Vendor WebKit HTML Caption Use After Free Vulnerability Use-after-free vulnerability in the Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving the :first-letter pseudo-element. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://www.zerodayinitiative.com/advisories/ZDI-10-098 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 20100608 ZDI-10-098: Apple Webkit First-Letter Pseudo-Element Style Remote Code Execution Vulnerability MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:6981 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 Double free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to an event listener in an SVG document, related to duplicate event listeners, a timer, and an AnimateTransform object. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://www.zerodayinitiative.com/advisories/ZDI-10-100 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 20100608 ZDI-10-100: Apple Webkit ConditionEventListener Remote Code Execution Vulnerability MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7071 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, accesses uninitialized memory during the handling of a use element in an SVG document, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted document containing XML that triggers a parsing error, related to ProcessInstruction. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://www.zerodayinitiative.com/advisories/ZDI-10-099/ ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 20100608 ZDI-10-099: Apple Webkit ProcessInstruction Target Error Message Insertion Remote Code Execution Vulnerability MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7519 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an SVG document that contains recursive Use elements, which are not properly handled during page deconstruction. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://www.zerodayinitiative.com/advisories/ZDI-10-096 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 20100608 ZDI-10-096: Apple Webkit Recursive Use Element Remote Code Execution Vulnerability MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7497 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an HTML element that has custom vertical positioning. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 40659 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7252 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, sends an https URL in the Referer header of an http request in certain circumstances involving https to http redirection, which allows remote HTTP servers to obtain potentially sensitive information via standard HTTP logging, a related issue to CVE-2010-0660. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4196 1024067 43068 41856 40105 oval:org.mitre.oval:def:7197 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 WebKit in Apple iOS before 4 on the iPhone and iPod touch does not properly implement the history.replaceState method in certain situations involving IFRAME elements, which allows remote attackers to obtain sensitive information via a crafted HTML document. appleios-historyreplace-info-disclosure(59629) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 41016 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 43068 42314 41856 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to bypass intended restrictions on outbound connections to "non-default TCP ports" via a crafted port number, related to an "integer truncation issue." NOTE: this may overlap CVE-2010-1099. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 40697 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7295 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 Incomplete blacklist vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to trigger disclosure of data over IRC via vectors involving an IRC service port. Per: http://cwe.mitre.org/data/definitions/184.html 'Incomplete Blacklist' ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:6836 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via an SVG document with nested use elements. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 40657 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7150 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 Multiple integer overflows in the Fax3SetupState function in tif_fax3.c in the FAX3 decoder in LibTIFF before 3.9.3, as used in ImageIO in Apple Mac OS X 10.5.8 and Mac OS X 10.6 before 10.6.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TIFF file that triggers a heap-based buffer overflow. http://support.apple.com/kb/HT4188 https://bugzilla.redhat.com/show_bug.cgi?id=592361 ADV-2010-1761 ADV-2010-1731 ADV-2010-1512 ADV-2010-1481 ADV-2010-1435 USN-954-1 40823 http://www.remotesensing.org/libtiff/v3.9.3.html RHSA-2010:0520 RHSA-2010:0519 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024103 40536 40527 40478 40220 40196 40181 [oss-security] 20100623 CVE requests: LibTIFF SUSE-SR:2010:014 FEDORA-2010-10469 FEDORA-2010-10460 APPLE-SA-2010-06-16-1 APPLE-SA-2010-06-15-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to hover events. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7606 SUSE-SR:2011:002 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, sends NTLM credentials in cleartext in unspecified circumstances, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0212 40733 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4196 1024067 43068 40105 oval:org.mitre.oval:def:7255 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the removeChild DOM method. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7041 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly handle libxml contexts, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document, related to an "API abuse issue." ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7374 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly restrict the reading of a canvas that contains an SVG image pattern from a different web site, which allows remote attackers to read images from other sites via a crafted canvas, related to a "cross-site image capture issue." ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7401 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 The Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via HTML content that contains multiple :after pseudo-selectors. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 40672 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:6876 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via a FRAME element with a SRC attribute composed of a javascript: sequence preceded by spaces. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:6871 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows user-assisted remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving a certain window close action that occurs during a drag-and-drop operation. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7314 SUSE-SR:2011:002 APPLE-SA-2010-06-16-1 Cross-site scripting (XSS) vulnerability in CFNetwork in Apple Safari before 5.0.6 allows remote attackers to inject arbitrary web script or HTML via a crafted text/plain file. APPLE-SA-2011-07-20-1 http://support.apple.com/kb/HT4808 The execCommand JavaScript function in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly restrict remote execution of clipboard commands, which allows remote attackers to modify the clipboard via a crafted HTML document. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:6739 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, does not properly handle changes to keyboard focus that occur during processing of key press events, which allows remote attackers to force arbitrary key presses via a crafted HTML document. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 https://bugzilla.mozilla.org/show_bug.cgi?id=552255 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7591 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information. VU#886582 ADV-2010-0853 jre-toolkit-command-execution(57615) 1023840 http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1 39260 63648 20100409 Java Deployment Toolkit Performs Insufficient Validation of Parameters Unspecified vulnerability in JustSystems Ichitaro and Ichitaro Government 2006 through 2010 allows user-assisted remote attackers to execute arbitrary code via a crafted font file. ADV-2010-0854 http://www.justsystems.com/jp/info/js10001.html 1023844 39256 63651 JVNDB-2010-000015 JVN#98467259 F-Secure Internet Security 2010 and earlier; Anti-Virus for Microsoft Exchange 9 and earlier, and for MIMEsweeper 5.61 and earlier; Internet Gatekeeper for Windows 6.61 and earlier, and for Linux 4.02 and earlier; Anti-Virus 2010 and earlier; Home Server Security 2009; Protection Service for Consumers 9 and earlier, for Business - Workstation security 9 and earlier, for Business - Server Security 8 and earlier, and for E-mail and Server security 9 and earlier; Mac Protection build 8060 and earlier; Client Security 9 and earlier; and various Anti-Virus products for Windows, Linux, and Citrix; does not properly detect malware in crafted (1) 7Z, (2) GZIP, (3) CAB, or (4) RAR archives, which makes it easier for remote attackers to avoid detection. ADV-2010-0855 http://www.f-secure.com/en_EMEA/support/security-advisory/fsc-2010-1.html 1023843 1023842 1023841 39396 SQL injection vulnerability in MODx Evolution before 1.0.3 allows remote attackers to execute arbitrary SQL commands via unknown vectors related to WebLogin. http://modxcms.com/forums/index.php/topic,47759.msg280304.html#msg280304 JVNDB-2010-000012 JVN#19774883 modx-unspecified-sql-injection(57636) 39298 Cross-site scripting (XSS) vulnerability in the SearchHighlight plugin in MODx Evolution before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to AjaxSearch. http://modxcms.com/forums/index.php/topic,47759.msg280304.html#msg280304 JVNDB-2010-000013 JVN#46669729 modx-unspecified-xss(57635) 39298 The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method. RHSA-2010:0379 RHSA-2010:0378 RHSA-2010:0377 RHSA-2010:0376 https://bugzilla.redhat.com/show_bug.cgi?id=585899 jboss-webconsole-information-disclosure(58148) ADV-2010-0992 39710 1023917 39563 Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression. RHSA-2010:0379 RHSA-2010:0378 RHSA-2010:0377 RHSA-2010:0376 https://bugzilla.redhat.com/show_bug.cgi?id=585900 jboss-status-servlet-information-disclosure(58149) ADV-2010-0992 39710 1023918 39563 SQL injection vulnerability in templates_export.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via the export_item_id parameter. http://www.cacti.net/downloads/patches/0.8.7e/sql_injection_template_export.patch http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578909 RHSA-2010:0635 ADV-2010-1107 ADV-2010-0986 39653 MDVSA-2010:092 http://www.exploit-db.com/sploits/Bonsai-SQL_Injection_in_Cacti.pdf DSA-2039 41041 39572 39568 20100421 Bonsai Information Security - SQL Injection in Cacti <= 0.8.7e SUSE-SR:2010:011 gfs2 in the Linux kernel 2.6.18, and possibly other versions, does not properly handle when the gfs2_quota struct occupies two separate pages, which allows local users to cause a denial of service (kernel panic) via certain manipulations that cause an out-of-bounds write, as demonstrated by writing from an ext3 file system to a gfs2 file system. https://bugzilla.redhat.com/show_bug.cgi?id=586006 kernel-gfs2quota-dos(58839) http://www.vmware.com/security/advisories/VMSA-2011-0003.html 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX [oss-security] 20100427 Re: CVE request - gfs2 kernel issue [oss-security] 20100427 CVE request - gfs2 kernel issue 43315 oval:org.mitre.oval:def:10652 Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function. https://patchwork.kernel.org/patch/94664/ https://patchwork.kernel.org/patch/94038/ https://bugzilla.redhat.com/show_bug.cgi?id=585094 kernel-findkeyringbyname-dos(58254) ADV-2010-1857 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 39719 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0474 [oss-security] 20100427 Re: CVE request - kernel: find_keyring_by_name() can gain the freed keyring [oss-security] 20100427 CVE request - kernel: find_keyring_by_name() can gain the freed keyring DSA-2053 43315 40645 40218 39830 oval:org.mitre.oval:def:9715 [linux-kernel] 20100503 Re: [PATCH 2/7] KEYS: find_keyring_by_name() can gain access to a freed keyring [linux-kernel] 20100430 [PATCH 2/7] KEYS: find_keyring_by_name() can gain access to a freed keyring [linux-kernel] 20100422 [PATCH 0/1][BUG][IMPORTANT] KEYRINGS: find_keyring_by_name() can gain the freed keyring SUSE-SA:2010:031 Web Application Finger Printer (WAFP) 0.01-26c3 uses fixed pathnames under /tmp for temporary files and directories, which (1) allows local users to cause a denial of service (application outage) by creating a file with a pathname that the product expects is available for its own internal use, (2) allows local users to overwrite arbitrary files via symlink attacks on certain files in /tmp, (3) might allow local users to delete arbitrary files and directories via a symlink attack on a directory under /tmp, and (4) might make it easier for local users to obtain sensitive information by reading files in a directory under /tmp, related to (a) lib/wafp_pidify.rb, (b) utils/generate_wafp_fingerprint.sh, (c) utils/online_update.sh, and (d) utils/extract_from_db.sh. 39760 [oss-security] 20100427 Re: wafp insecure temporary directory [oss-security] 20100427 wafp insecure temporary directory http://code.google.com/p/webapplicationfingerprinter/issues/detail?id=8 yum-rhn-plugin in Red Hat Network Client Tools (aka rhn-client-tools) on Red Hat Enterprise Linux (RHEL) 5 and Fedora uses world-readable permissions for the /var/spool/up2date/loginAuth.pkl file, which allows local users to access the Red Hat Network profile, and possibly prevent future security updates, by leveraging authentication data from this file. https://bugzilla.redhat.com/show_bug.cgi?id=585386 redhat-clienttools-loginauth-security-bypass(59114) ADV-2010-1311 40492 RHSA-2010:0449 65063 1024049 39996 oval:org.mitre.oval:def:9232 Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739. https://bugzilla.redhat.com/show_bug.cgi?id=586819 USN-937-1 oval:org.mitre.oval:def:10068 SUSE-SR:2010:013 SUSE-SR:2010:012 FEDORA-2010-8273 arch/powerpc/mm/fsl_booke_mmu.c in KGDB in the Linux kernel 2.6.30 and other versions before 2.6.33, when running on PowerPC, does not properly perform a security check for access to a kernel page, which allows local users to overwrite arbitrary kernel memory, related to Fsl booke. [linux-kernel] 20100510 [071/117] kgdb: dont needlessly skip PAGE_USER test for Fsl booke kernel-kgdb-memory-overwrite(58840) ADV-2010-1857 [oss-security] 20100430 Re: CVE request - Linux Kernel KGDB/ppc issue [oss-security] 20100429 Re: CVE request - Linux Kernel KGDB/ppc issue [oss-security] 20100429 CVE request - Linux Kernel KGDB/ppc issue DSA-2053 40645 39830 SUSE-SA:2010:031 The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution. ADV-2010-1167 https://bugzilla.redhat.com/show_bug.cgi?id=588269 https://bugs.launchpad.net/bugs/cve/2010-1447 1023988 40305 RHSA-2010:0458 RHSA-2010:0457 http://www.postgresql.org/about/news.1203 [oss-security] 20100520 CVE-2010-1974 reject request (dupe of CVE-2010-1168) and CVE-2010-1447 description modification request MDVSA-2010:116 MDVSA-2010:115 DSA-2267 http://security-tracker.debian.org/tracker/CVE-2010-1447 40052 40049 39845 oval:org.mitre.oval:def:7320 oval:org.mitre.oval:def:11530 64756 Cross-site scripting (XSS) vulnerability in lib/LXR/Common.pm in LXR Cross Referencer before 0.9.8 allows remote attackers to inject arbitrary web script or HTML via vectors related to a string in the search page's TITLE element, a different vulnerability than CVE-2009-4497 and CVE-2010-1625. http://sourceforge.net/projects/lxr/files/stable/lxr-0.9.8/lxr-0.9.8.tgz/download http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?r1=1.63&r2=1.64 lxr-title-xss(58294) 39865 64216 [oss-security] 20100514 Re: CVE request: lxr [oss-security] 20100506 Re: CVE request: lxr [oss-security] 20100503 Re: CVE request: lxr [oss-security] 20100503 CVE request: lxr 39686 [oss-security] 20100506 Re: CVE request: lxr [oss-security] 20100503 Re: CVE request: lxr [oss-security] 20100503 Re: CVE request: lxr http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?view=log#rev1.64 Integer overflow in rgbimgmodule.c in the rgbimg module in Python 2.5 allows remote attackers to have an unspecified impact via a large image that triggers a buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-3143.12. https://bugzilla.redhat.com/show_bug.cgi?id=541698 ADV-2011-0413 ADV-2011-0212 ADV-2011-0122 40363 RHSA-2011:0260 RHSA-2011:0027 MDVSA-2010:215 http://support.apple.com/kb/HT4435 43364 43068 42888 SUSE-SR:2011:002 APPLE-SA-2010-11-10-1 http://bugs.python.org/issue8678 Multiple buffer overflows in the RLE decoder in the rgbimg module in Python 2.5 allow remote attackers to have an unspecified impact via an image file containing crafted data that triggers improper processing within the (1) longimagedata or (2) expandrow function. https://bugzilla.redhat.com/show_bug.cgi?id=541698 http://bugs.python.org/issue8678 ADV-2011-0413 ADV-2011-0212 ADV-2011-0122 40365 RHSA-2011:0260 RHSA-2011:0027 MDVSA-2010:215 http://support.apple.com/kb/HT4435 43364 43068 42888 SUSE-SR:2011:002 APPLE-SA-2010-11-10-1 The TSB I-TLB load implementation in arch/sparc/kernel/tsb.S in the Linux kernel before 2.6.33 on the SPARC platform does not properly obtain the value of a certain _PAGE_EXEC_4U bit and consequently does not properly implement a non-executable stack, which makes it easier for context-dependent attackers to exploit stack-based buffer overflows via a crafted application. [linux-sparc] 20100219 Re: Execution possible in non-executable mappings in recent 2.6 kernels [oss-security] 20100505 Re: CVE Request [was Re: kernel: execution possible in non-executable mappings in recent 2.6 kernels (SPARC only)] [oss-security] 20100224 kernel: execution possible in non-executable mappings in recent 2.6 kernels (SPARC only) http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.33 DSA-2053 39830 [linux-sparc] 20100219 Execution possible in non-executable mappings in recent 2.6 kernels The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path. Per: http://httpd.apache.org/security/vulnerabilities_22.html 'A flaw was found in the handling of requests by mod_cache and mod_dav. A malicious remote attacker could send a carefully crafted request and cause a httpd child process to crash. This crash would only be a denial of service if using the worker MPM. This issue is further mitigated as mod_dav is only affected by requests that are most likely to be authenticated, and mod_cache is only affected if the uncommon "CacheIgnoreURLSessionIdentifiers" directive, introduced in version 2.2.14, is used.' [apache-announce] 20100725 [ANNOUNCEMENT] Apache HTTP Server 2.2.16 Released https://issues.apache.org/bugzilla/show_bug.cgi?id=49246 ADV-2011-0291 ADV-2010-3064 ADV-2010-2218 RHSA-2011:0897 RHSA-2011:0896 RHSA-2010:0659 USN-1021-1 http://support.apple.com/kb/HT4581 SSA:2010-240-02 42367 oval:org.mitre.oval:def:12341 oval:org.mitre.oval:def:11683 HPSBUX02612 HPSBUX02612 SUSE-SU-2011:1216 SUSE-SU-2011:1000 APPLE-SA-2011-03-21-1 http://httpd.apache.org/security/vulnerabilities_22.html http://blogs.sun.com/security/entry/cve_2010_1452_mod_dav Cross-site scripting (XSS) vulnerability in the Login form in Piwik 0.1.6 through 0.5.5 allows remote attackers to inject arbitrary web script or HTML via the form_url parameter. ADV-2010-1079 [oss-security] 20100505 Re: CVE Request - Piwik 0.5.5 - XSS vulnerability [oss-security] 20100505 CVE Request - Piwik 0.5.5 - XSS vulnerability 39666 http://piwik.org/blog/2010/04/piwik-0-6-security-advisory/ com.springsource.tcserver.serviceability.rmi.JmxSocketListener in VMware SpringSource tc Server Runtime 6.0.19 and 6.0.20 before 6.0.20.D, and 6.0.25.A before 6.0.25.A-SR01, does not properly enforce the requirement for an encrypted (aka s2enc) password, which allows remote attackers to obtain JMX interface access via a blank password. tcserver-listener-security-bypass(58684) http://www.springsource.com/security/cve-2010-1454 40205 20100517 CVE-2010-1454: SpringSource tc Server unauthenticated remote access to JMX interface 39778 The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0 through 1.2.7 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed packet trace file. ADV-2010-1081 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4646 https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4644 wireshark-docsis-dos(58362) http://www.wireshark.org/security/wnpa-sec-2010-04.html http://www.wireshark.org/security/wnpa-sec-2010-03.html ADV-2011-0212 ADV-2011-0076 39950 64363 [oss-security] 20100507 Re: CVE Assignment (wireshark) MDVSA-2010:099 43068 42877 39661 oval:org.mitre.oval:def:7331 SUSE-SR:2011:002 SUSE-SR:2011:001 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-1455. Reason: This candidate is a duplicate of CVE-2010-1455. Notes: All CVE users should reference CVE-2010-1455 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 allows local users to read arbitrary files via a (1) -c or (2) -a option, which prints file contents in an error message. http://ftpmain.gnustep.org/pub/gnustep/core/gnustep-base-1.20.0.tar.gz https://bugs.launchpad.net/ubuntu/+source/gnustep-base/+bug/573108 40005 [oss-security] 20100507 CVE Assignment (gnustep) http://thread.gmane.org/gmane.comp.lib.gnustep.bugs/12336 39746 http://savannah.gnu.org/bugs/?29755 Stack-based buffer overflow in Create and Extract Zips TweakFS Zip Utility 1.0 for Flight Simulator X (FSX) allows remote attackers to execute arbitrary code via a long filename in a ZIP archive. tzu-zip-bo(57912) 39565 63899 http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-026-tweakfs-zip-utility-version-1-0-stack-bof/ http://www.corelan.be:8800/advisories.php?id=CORELAN-10-026 39519 20100419 [CORELAN-10-026] TweakFS Zip Stack BOF The default configuration of ASP.NET in Mono before 2.6.4 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by the __VIEWSTATE parameter to 2.0/menu/menu1.aspx in the XSP sample project. 40351 http://www.mono-project.com/Vulnerabilities#ASP.NET_View_State_Cross-Site_Scripting http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/04/29/asp-net-cross-site-scripting-followup-mono.aspx SUSE-SR:2010:014 SUSE-SR:2010:013 SUSE-SR:2010:012 The IBM BladeCenter with Advanced Management Module (AMM) firmware before bpet50g does not properly perform interrupt sharing for USB and iSCSI, which allows remote attackers to cause a denial of service (management module reboot) via TCP packets with malformed application data. http://www-947.ibm.com/systems/support/supportsite.wss/docdisplay?lndocid=MIGR-5083945&brandind=5000020 39499 20100415 [DSECRG-09-049] IBM BladeCenter Management Module - DoS vulnerability http://dsecrg.com/pages/vul/show.php?id=149 Directory traversal vulnerability in the Photo Battle (com_photobattle) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via the view parameter to index.php. 39504 12232 39469 63800 Directory traversal vulnerability in WebAsyst Shop-Script FREE has unknown impact and attack vectors via the sub parameter. http://www.vupen.com/english/research-web.php ADV-2010-0882 20100414 VUPEN Web Security Research - WebAsyst Shop-Script Multiple Input Validation Vulnerabilities Multiple SQL injection vulnerabilities in WebAsyst Shop-Script FREE allow attackers to execute arbitrary SQL commands via the (1) add2cart, (2) c_id, (3) categoryID, (4) list_price, (5) name, (6) new_offer, (7) price, (8) product_code, (9) productID, (10) rating, and (11) save_product parameters. http://www.vupen.com/english/research-web.php ADV-2010-0882 20100414 VUPEN Web Security Research - WebAsyst Shop-Script Multiple Input Validation Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in WebAsyst Shop-Script FREE allow remote attackers to inject arbitrary web script or HTML via the (1) currency_id_left, (2) currency_id_right, (3) darkcolor, (4) lightcolor, (5) middlecolor, and (6) w parameters. http://www.vupen.com/english/research-web.php ADV-2010-0882 20100414 VUPEN Web Security Research - WebAsyst Shop-Script Multiple Input Validation Vulnerabilities Stack-based buffer overflow in Trellian FTP client 3.01, including 3.1.3.1789, allows remote attackers to execute arbitrary code via a long PASV response. trellian-pasv-bo(57778) 12152 39370 Directory traversal vulnerability in scr/soustab.php in openUrgence Vaccin 1.03 allows remote attackers to read arbitrary files via the dsn[phptype] parameter. vaccin-soustab-file-include(57816) 39412 12193 39400 Multiple PHP remote file inclusion vulnerabilities in openUrgence Vaccin 1.03 allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) collectivite.class.php, (2) injection.class.php, (3) utilisateur.class.php, (4) droit.class.php, (5) laboratoire.class.php, (6) vaccin.class.php, (7) effetsecondaire.class.php, (8) medecin.class.php, (9) individu.class.php, and (10) profil.class.php in gen/obj/. vaccin-pathom-file-include(57815) 39412 12193 39400 SQL injection vulnerability in the Multi-Venue Restaurant Menu Manager (aka MVRMM or com_mv_restaurantmenumanager) component 1.5.2 Stable Update 3 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the mid parameter in a menu_display action to index.php. http://www.xenuser.org/documents/security/joomla_com_MVRMM_sql.txt 39382 12159 39217 http://packetstormsecurity.org/1004-exploits/joomlamvrmm-sql.txt Directory traversal vulnerability in the Ternaria Informatica JProject Manager (com_jprojectmanager) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 39383 12146 39282 http://packetstormsecurity.org/1004-exploits/joomlajprojectmanager-lfi.txt Directory traversal vulnerability in the Web TV (com_webtv) component 1.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0858 12166 39405 http://packetstormsecurity.org/1004-exploits/joomlawebtv-lfi.txt Directory traversal vulnerability in the AddressBook (com_addressbook) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0862 12170 39412 http://packetstormsecurity.org/1004-exploits/joomlaaddressbook-lfi.txt Directory traversal vulnerability in the Daily Horoscope (com_horoscope) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0859 12167 39406 http://packetstormsecurity.org/1004-exploits/joomlahoroscope-lfi.txt Directory traversal vulnerability in the Advertising (com_advertising) component 0.25 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 12171 39410 http://packetstormsecurity.org/1004-exploits/joomlaeasyadbanner-lfi.txt Directory traversal vulnerability in the Sweety Keeper (com_sweetykeeper) component 1.5.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. comsweetykeeper-controller-file-include(57662) 39399 12182 39388 http://packetstormsecurity.org/1004-exploits/joomlasweetykeeper-lfi.txt Directory traversal vulnerability in the Preventive & Reservation (com_preventive) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. compreventive-controller-file-include(57652) 39387 12147 39285 http://packetstormsecurity.org/1004-exploits/joomlapr-lfi.txt Directory traversal vulnerability in the AlphaUserPoints (com_alphauserpoints) component 1.5.5 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the view parameter to index.php. 39393 12150 http://www.alphaplug.com/ 39250 http://packetstormsecurity.org/1004-exploits/joomlaalphauserpoints-lfi.txt SQL injection vulnerability in the SermonSpeaker (com_sermonspeaker) component before 3.2.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a latest_sermons action to index.php. http://joomlacode.org/gf/project/sermon_speaker/news/?action=NewsThreadView&id=2549 http://joomlacode.org/gf/project/sermon_speaker/forum/?action=ForumBrowse&forum_id=7897&_forum_action=ForumMessageBrowse&thread_id=15219 39410 12184 39385 http://packetstormsecurity.org/1004-exploits/joomlasermonspeaker-sql.txt Directory traversal vulnerability in the Ternaria Informatica Jfeedback! (com_jfeedback) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 39390 12145 39262 http://packetstormsecurity.org/1004-exploits/joomlajfeedback-lfi.txt SQL injection vulnerability in the RokModule (com_rokmodule) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the moduleid parameter in a raw action to index.php. http://www.rockettheme.com/extensions-updates/673-rokmodule-security-update-released 39378 http://www.rockettheme.com/extensions-downloads/free/rokmodule/1040-rokmodule-component/download 12148 39255 http://packetstormsecurity.org/1004-exploits/joomlarokmodule-bsql.txt SQL injection vulnerability in the RokModule (com_rokmodule) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the module parameter to index.php. NOTE: some of these details are obtained from third party information. http://www.rockettheme.com/extensions-updates/673-rokmodule-security-update-released http://www.rockettheme.com/extensions-downloads/free/rokmodule/1040-rokmodule-component/download 39255 Cross-site scripting (XSS) vulnerability in the table feature in PmWiki 2.2.15 allows remote authenticated users to inject arbitrary web script or HTML via the width attribute. 39994 20100507 pmwiki: persistent cross site scripting (XSS), CVE-2010-1481 39698 http://int21.de/cve/CVE-2010-1481-pmwiki-xss.html Cross-site scripting (XSS) vulnerability in admin/editprefs.php in the backend in CMS Made Simple (CMSMS) before 1.7.1 might allow remote attackers to inject arbitrary web script or HTML via the date_format_string parameter. 39997 20100507 CMS Made Simple: backend cross site scripting (XSS), CVE-2010-1482 http://int21.de/cve/CVE-2010-1482-cmsmadesimple-xss-backend.html http://blog.cmsmadesimple.org/2010/05/01/announcing-cms-made-simple-1-7-1-escade/ Multiple cross-site scripting (XSS) vulnerabilities in _invoice.asp in CactuShop before 6.155 allow remote attackers to inject arbitrary web script or HTML via the (1) billing address or (2) shipping address. 39587 http://www.coresecurity.com/content/cactushop-xss-persistent-vulnerability IBM Lotus Notes 7.0, 8.0, and 8.5 stores administrative credentials in cleartext in SURunAs.exe, which allows local users to obtain sensitive information by examining this file, aka SPR JSTN837SEG. 39525 http://www-01.ibm.com/support/docview.wss?uid=swg21427073 39507 oval:org.mitre.oval:def:14725 The proc_oom_score function in fs/proc/base.c in the Linux kernel before 2.6.34-rc4 uses inappropriate data structures during selection of a candidate for the OOM killer, which might allow local users to cause a denial of service via unspecified patterns of task creation. https://bugzilla.redhat.com/show_bug.cgi?id=582068 [oss-security] 20100414 Couple of kernel issues http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.34-rc4 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b95c35e76b29ba812e5dabdd91592e25ec640e93 The XSS Filter in Microsoft Internet Explorer 8 does not properly perform neutering for the SCRIPT tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks against web sites that have no inherent XSS vulnerabilities, a different issue than CVE-2009-4074. http://p42.us/ie8xss/Abusing_IE8s_XSS_Filters.pdf http://p42.us/ie8xss/ oval:org.mitre.oval:def:12638 http://blogs.technet.com/msrc/archive/2010/04/19/guidance-on-internet-explorer-xss-filter.aspx Unspecified vulnerability in IBM Cognos 8 Business Intelligence before 8.4.1 FP1 has unknown impact and attack vectors. ibm-cognos-unspecified(57937) ADV-2010-0947 39580 39451 Directory traversal vulnerability in the MMS Blog (com_mmsblog) component 2.3.0 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 39607 12318 39533 http://packetstormsecurity.org/1004-exploits/joomlammsblog-lfi.txt Directory traversal vulnerability in help/frameRight.php in Elastix 1.6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the id_nodo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 39610 39164 63936 SQL injection vulnerability in the AWDwall (com_awdwall) component before 1.5.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cbuser parameter in an awdwall action to index.php. comawdwall-itemid-sql-injection(57694) 38194 63942 12113 http://www.awdwall.com/index.php/awdwall-updates-logs- 39553 http://packetstormsecurity.org/1004-exploits/joomlaawdwall-lfisql.txt Directory traversal vulnerability in the AWDwall (com_awdwall) component 1.5.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. comawdwall-controller-file-include(57693) 39331 63943 12113 http://www.awdwall.com/index.php/awdwall-updates-logs- 39553 http://packetstormsecurity.org/1004-exploits/joomlaawdwall-lfisql.txt Directory traversal vulnerability in the Matamko (com_matamko) component 1.01 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0929 39550 12286 39523 http://packetstormsecurity.org/1004-exploits/joomlamatamko-lfi.txt 63918 SQL injection vulnerability in the JoltCard (com_joltcard) component 1.2.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cardID parameter in a view action to index.php. joltcard-index-sql-injection(57910) http://www.xenuser.org/documents/security/joomla_com_joltcard_sqli.txt 39541 63913 12269 39520 http://packetstormsecurity.org/1004-exploits/joomlajoltcard-sql.txt Cross-site scripting (XSS) vulnerability in download_proc.php in dl_stats before 2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. dlstats-id-xss(57918) http://www.xenuser.org/documents/security/dl_stats_multiple_vulnerabilities.txt http://www.xenuser.org/2010/04/18/dl_stats-multiple-vulnerabilities-sqli-xss-unprotected-admin-panel/ ADV-2010-0939 39592 63909 12280 39496 http://packetstormsecurity.org/1004-exploits/dlstats-sqlxssadmin.txt Multiple SQL injection vulnerabilities in dl_stats before 2.0 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) download.php and (2) view_file.php. dlstats-id-sql-injection(57917) http://www.xenuser.org/documents/security/dl_stats_multiple_vulnerabilities.txt http://www.xenuser.org/2010/04/18/dl_stats-multiple-vulnerabilities-sqli-xss-unprotected-admin-panel/ ADV-2010-0939 39592 63908 63907 12280 39496 http://packetstormsecurity.org/1004-exploits/dlstats-sqlxssadmin.txt SQL injection vulnerability in genre_artists.php in MusicBox 3.3 allows remote attackers to execute arbitrary SQL commands via the id parameter. musicbox-id-sql-injection(57979) 39581 12303 39476 http://packetstormsecurity.org/1004-exploits/musicbox33-sql.txt 63927 Google Chrome before 4.1.249.1059 does not properly support forms, which has unknown impact and attack vectors, related to a "type confusion error." 39603 39544 oval:org.mitre.oval:def:11906 http://googlechromereleases.blogspot.com/2010/04/stable-update-security-fixes.html http://bugs.chromium.org/39443 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-1767. Reason: This candidate is a duplicate of CVE-2010-1767. Notes: All CVE users should reference CVE-2010-1767 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Unspecified vulnerability in Google Chrome before 4.1.249.1059 allows remote attackers to access local files via vectors related to "developer tools." 39603 39544 oval:org.mitre.oval:def:12041 http://googlechromereleases.blogspot.com/2010/04/stable-update-security-fixes.html http://bugs.chromium.org/40136 Cross-site scripting (XSS) vulnerability in Google Chrome before 4.1.249.1059 allows remote attackers to inject arbitrary web script or HTML via vectors related to a chrome://net-internals URI. 39667 39603 39544 oval:org.mitre.oval:def:11244 63999 http://googlechromereleases.blogspot.com/2010/04/stable-update-security-fixes.html http://bugs.chromium.org/40137 Cross-site scripting (XSS) vulnerability in Google Chrome before 4.1.249.1059 allows remote attackers to inject arbitrary web script or HTML via vectors related to a chrome://downloads URI. 39669 39603 39544 oval:org.mitre.oval:def:11418 63998 http://googlechromereleases.blogspot.com/2010/04/stable-update-security-fixes.html http://bugs.chromium.org/40138 Google Chrome before 4.1.249.1059 does not prevent pages from loading with the New Tab page's privileges, which has unknown impact and attack vectors. 39603 39544 oval:org.mitre.oval:def:11866 63997 http://googlechromereleases.blogspot.com/2010/04/stable-update-security-fixes.html http://bugs.chromium.org/40575 The Google V8 bindings in Google Chrome before 4.1.249.1059 allow attackers to cause a denial of service (memory corruption) via unknown vectors. 39603 39544 oval:org.mitre.oval:def:11925 63996 http://googlechromereleases.blogspot.com/2010/04/stable-update-security-fixes.html http://bugs.chromium.org/40635 WebYaST in yast2-webclient in SUSE Linux Enterprise (SLE) 11 on the WebYaST appliance uses a fixed secret key that is embedded in the appliance's image, which allows remote attackers to spoof session cookies by leveraging knowledge of this key. https://bugzilla.novell.com/show_bug.cgi?id=598834 https://bugzilla.novell.com/show_bug.cgi?id=591345 42128 http://support.novell.com/security/cve/CVE-2010-1507.html SUSE-SR:2010:014 Heap-based buffer overflow in Apple QuickTime before 7.6.9 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Track Header (aka tkhd) atoms. APPLE-SA-2010-12-07-1 http://zerodayinitiative.com/advisories/ZDI-10-258/ 1024830 http://support.apple.com/kb/HT4447 http://secunia.com/secunia_research/2010-72/ IrfanView before 4.27 does not properly handle an unspecified integer variable during processing of PSD images, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow, related to a "sign-extension error." irfanview-psd-bo(58548) 40104 20100512 Secunia Research: IrfanView PSD Image Parsing Sign-Extension Vulnerability http://secunia.com/secunia_research/2010-41 39036 oval:org.mitre.oval:def:6705 64627 http://irfanview.com/main_history.htm Heap-based buffer overflow in IrfanView before 4.27 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PSD image with RLE compression. irfanview-rle-psd-bo(58549) 40105 20100512 Secunia Research: IrfanView PSD RLE Decompression Buffer Overflow http://secunia.com/secunia_research/2010-42 39036 oval:org.mitre.oval:def:7397 64628 http://irfanview.com/main_history.htm KGet 2.4.2 in KDE SC 4.0.0 through 4.4.3 does not properly request download confirmation from the user, which makes it easier for remote attackers to overwrite arbitrary files via a crafted metalink file. kde-metalink-file-overwrite(58629) ADV-2010-3096 ADV-2010-1144 ADV-2010-1142 USN-938-1 40141 20100514 Re: Secunia Research: KDE KGet Insecure File Operation Vulnerability 20100513 Secunia Research: KDE KGet Insecure File Operation Vulnerability http://www.kde.org/info/security/advisory-20100513-1.txt 1023984 http://secunia.com/secunia_research/2010-70/ 39787 39528 64689 [oss-security] 20100513 KDENetwork vulnerabilities FEDORA-2010-18029 Directory traversal vulnerability in aria2 before 1.9.3 allows remote attackers to create arbitrary files via directory traversal sequences in the name attribute of a file element in a metalink file. 40142 ADV-2011-0116 ADV-2010-1229 ADV-2010-1228 20100513 Secunia Research: aria2 metalink "name" Directory Traversal Vulnerability 64592 MDVSA-2010:106 DSA-2047 GLSA-201101-04 http://secunia.com/secunia_research/2010-71/ 42906 39872 39529 SUSE-SR:2010:017 SUSE-SR:2010:014 FEDORA-2010-8915 FEDORA-2010-8908 FEDORA-2010-8905 http://downloads.sourceforge.net/project/aria2/stable/aria2-1.9.3/NEWS Multiple integer overflows in src/image.c in Ziproxy before 3.0.1 allow remote attackers to execute arbitrary code via (1) a large JPG image, related to the jpg2bitmap function or (2) a large PNG image, related to the png2bitmap function, leading to heap-based buffer overflows. http://ziproxy.sourceforge.net/#news 20100524 Secunia Research: Ziproxy Two Integer Overflow Vulnerabilities http://secunia.com/secunia_research/2010-75/ 39941 Unrestricted file upload vulnerability in TomatoCMS 2.0.6 and earlier allows remote authenticated users, with certain privileges, to execute arbitrary PHP code by uploading an image file, and then accessing it via a direct request to the file in an unspecified directory. 40544 http://secunia.com/secunia_research/2010-57/ 39680 http://holisticinfosec.org/content/view/148/45/ Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS 2.0.6 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) keyword or (2) article-id parameter in conjunction with a /admin/news/article/list PATH_INFO; the (3) keyword parameter in conjunction with a /admin/multimedia/set/list PATH_INFO; the (4) keyword or (5) fileId parameter in conjunction with a /admin/multimedia/file/list PATH_INFO; or the (6) name, (7) email, or (8) address parameter in conjunction with a /admin/ad/client/list PATH_INFO. 40544 http://secunia.com/secunia_research/2010-58/ 39680 http://holisticinfosec.org/content/view/148/45/ Multiple integer overflows in SWFTools 0.9.1 allow remote attackers to execute arbitrary code via (1) a crafted PNG file, related to the getPNG function in lib/png.c; or (2) a crafted JPEG file, related to the jpeg_load function in lib/jpeg.c. 20100813 Secunia Research: SWFTools Two Integer Overflow Vulnerabilities http://secunia.com/secunia_research/2010-80/ 39970 The GIGABYTE Dldrv2 ActiveX control 1.4.206.11 allows remote attackers to (1) download arbitrary programs onto a client system, and execute these programs, via vectors involving the dl method; and (2) download arbitrary programs onto a client system via vectors involving the SetDLInfo method in conjunction with the Bdl method. http://secunia.com/secunia_research/2010-85/ 40161 Array index error in the SetDLInfo method in the GIGABYTE Dldrv2 ActiveX control 1.4.206.11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via the item argument. http://secunia.com/secunia_research/2010-86/ 40161 Multiple integer overflows in glpng.c in glpng 1.45 allow context-dependent attackers to execute arbitrary code via a crafted PNG image, related to (1) the pngLoadRawF function and (2) the pngLoadF function, leading to heap-based buffer overflows. 20100811 Secunia Research: glpng PNG Processing Two Integer Overflow Vulnerabilities MDVSA-2010:179 http://secunia.com/secunia_research/2010-87/ 40354 Cross-site scripting (XSS) vulnerability in logout.php in TaskFreak! Original multi user before 0.6.4 allows remote attackers to inject arbitrary web script or HTML via the tznMessage parameter. http://www.taskfreak.com/original/versions 41221 20100629 Secunia Research: TaskFreak "tznMessage" Cross-Site Scripting Vulnerability http://secunia.com/secunia_research/2010-78/ 40025 SQL injection vulnerability in include/classes/tzn_user.php in TaskFreak! Original multi user before 0.6.4 allows remote attackers to execute arbitrary SQL commands via the password parameter to login.php. http://www.taskfreak.com/original/versions 41218 20100629 Secunia Research: TaskFreak "password" SQL Injection Vulnerability http://secunia.com/secunia_research/2010-79/ 40025 Multiple SQL injection vulnerabilities in the BookLibrary Basic (com_booklibrary) component 1.5.3 before 1.5.3_2010_06_20 for Joomla! allow remote attackers to execute arbitrary SQL commands via the bid[] parameter in a (1) lend_request or (2) save_lend_request action to index.php, the id parameter in a (3) mdownload or (4) downitsf action to index.php, or (5) the searchtext parameter in a search action to index.php. http://ordasoft.com/Download/View-document-details/3-BookLibrary-1.5.3-Basic-for-Joomla-1.5.html http://ordasoft.com/Download/Download-document/3-BookLibrary-1.5.3-Basic-for-Joomla-1.5.html booklibrary-index-sql-injection(59966) 41264 20100630 Secunia Research: Joomla BookLibrary Component Four SQL Injection Vulnerabilities http://secunia.com/secunia_research/2010-84/ 40131 65879 Multiple heap-based buffer overflows in vp6.w5s (aka the VP6 codec) in Winamp before 5.59 Beta build 3033 might allow remote attackers to execute arbitrary code via a crafted VP6 (1) video file or (2) video stream. 44466 20101027 Secunia Research: Winamp VP6 Content Parsing Buffer Overflow Vulnerability http://secunia.com/secunia_research/2010-95/ oval:org.mitre.oval:def:12056 http://forums.winamp.com/showthread.php?t=322995 The SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via unspecified vectors related to allocation of an array of pointers and "string indexing," which triggers memory corruption. http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-35/ Integer underflow in the SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted size for an unspecified record type, which triggers a heap-based buffer overflow. http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100727_01 41928 http://www-01.ibm.com/support/docview.wss?uid=swg21440812 http://secunia.com/secunia_research/2010-49/ Multiple integer overflows in libgdiplus 2.6.7, as used in Mono, allow attackers to execute arbitrary code via (1) a crafted TIFF file, related to the gdip_load_tiff_image function in tiffcodec.c; (2) a crafted JPEG file, related to the gdip_load_jpeg_image_internal function in jpegcodec.c; or (3) a crafted BMP file, related to the gdip_read_bmp_image function in bmpcodec.c, leading to heap-based buffer overflows. http://secunia.com/secunia_research/2010-102/ 40792 SUSE-SR:2010:018 Stack-based buffer overflow in Novell iPrint Client before 5.44 allows remote attackers to execute arbitrary code via a long call-back-url parameter in an op-client-interface-version action. Fix is included in "iPrint Client for Windows XP/Vista/Win7 5.44" novell-iprint-callbackurl-bo(61220) 42576 http://www.novell.com/support/viewContent.do?externalId=7006679 http://secunia.com/secunia_research/2010-104/ 40805 oval:org.mitre.oval:def:11973 PHP remote file inclusion vulnerability in include/template.php in Uiga Proxy, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the content parameter. uigaproxy-template-file-include(57515) 39365 63528 12049 39313 SQL injection vulnerability in the Freestyle FAQs Lite (com_fsf) component, possibly 1.3, for Joomla! allows remote attackers to execute arbitrary SQL commands via the faqid parameter in an faq action to index.php. freestylefaqlite-faqid-sql-injection(57588) 39220 12078 39288 http://packetstormsecurity.org/1004-exploits/joomlafreestyle-sql.txt Multiple cross-site scripting (XSS) vulnerabilities in the Internationalization module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with translate interface or administer blocks privileges, to inject arbitrary web script or HTML via (1) strings used in block translation or (2) the untranslated input. 39304 http://drupal.org/node/764998 http://drupal.org/node/764906 39361 63589 Directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. redshop-view-file-include(57512) 39206 63535 12054 39343 http://redcomponent.com/redshop/redshop-changelog http://packetstormsecurity.org/1004-exploits/joomlaredshop-lfi.txt Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail) component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 39348 12118 39226 http://packetstormsecurity.org/1004-exploits/joomlapowermail-lfi.txt Directory traversal vulnerability in the TweetLA (com_tweetla) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. 12142 39258 Directory traversal vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. shoutbox-controller-file-include(57534) 39213 12067 39352 63562 Directory traversal vulnerability in the TRAVELbook (com_travelbook) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 12151 39254 Cross-site scripting (XSS) vulnerability in the AddThis Button module 5.x before 5.x-2.2 and 6.x before 6.x-2.9 for Drupal allows remote authenticated users, with administer addthis privileges, to inject arbitrary web script or HTML via unspecified vectors. 38513 http://drupal.org/node/731578 http://drupal.org/node/731576 http://drupal.org/node/731568 38818 Multiple directory traversal vulnerabilities in phpCDB 1.0 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang_global parameter to (1) firstvisit.php, (2) newfolder.php, (3) showfolders.php, (4) newlang.php, (5) showinnerfolder.php, (6) writecode.php, and (7) showcode.php. phpcdb-langglobal-file-include(56579) 38507 11585 http://packetstormsecurity.org/1002-exploits/phpcdb-lfi.txt SQL injection vulnerability in print_raincheck.php in phpRAINCHECK 1.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. phpraincheck-printraincheck-sql-injection(56578) 38521 11586 http://packetstormsecurity.org/1002-exploits/phpraincheck-sql.txt Cross-site scripting (XSS) vulnerability in the Workflow module 5.x-2.x before 5.x-2.6 and 6.x-1.x before 6.x-1.4 for Drupal, when used with the Token module, might allow remote authenticated users to inject arbitrary web script or HTML via a certain Comment field. 38520 http://drupal.org/node/731648 http://drupal.org/node/731644 http://drupal.org/node/731624 workflow-comment-xss(56638) 38825 Directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter. NOTE: some of these details are obtained from third party information. 38530 11625 38777 Multiple cross-site scripting (XSS) vulnerabilities in DFD Cart 1.198, 1.197, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) category and (2) list_quantity parameters to index.php, and the (3) category parameter to your.order.php. 38505 38635 62672 62671 http://holisticinfosec.org/content/view/135/45/ Multiple cross-site request forgery (CSRF) vulnerabilities in admin/configure.php in DFD Cart 1.198, 1.197, and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks or (2) change unspecified settings. 38635 62673 http://holisticinfosec.org/content/view/135/45/ Cross-site scripting (XSS) vulnerability in the eTracker module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML by appending a crafted string to an arbitrary URL associated with the Drupal site. http://drupal.org/node/731682 http://drupal.org/node/731018 etracker-url-xss(56635) 38514 38826 micro_httpd on the RCA DCM425 cable modem allows remote attackers to cause a denial of service (device reboot) via a long string to TCP port 80. 38488 38778 http://packetstormsecurity.org/1002-exploits/rcadcm425-dos.txt Multiple eval injection vulnerabilities in the import functionality in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with "administer page manager" privileges, to execute arbitrary PHP code via input to a text area, related to (1) the page_manager_page_import_subtask_validate function in page_manager/plugins/tasks/page.admin.inc and (2) the page_manager_handler_import_validate function in page_manager/page_manager.admin.inc. 40285 http://drupal.org/node/803944 chaos-tool-import-code-execution(58723) http://www.madirish.net/?article=458 39884 20100520 Drupal Chaos Tools Suite (Ctools) Module Multiple Vulns http://drupalcode.org/viewvc/drupal/contributions/modules/ctools/page_manager/plugins/tasks/page.admin.inc?view=log http://drupalcode.org/viewvc/drupal/contributions/modules/ctools/page_manager/plugins/tasks/page.admin.inc?r1=1.18.2.6&r2=1.18.2.7 http://drupalcode.org/viewvc/drupal/contributions/modules/ctools/page_manager/page_manager.admin.inc?view=log http://drupalcode.org/viewvc/drupal/contributions/modules/ctools/page_manager/page_manager.admin.inc?r1=1.27.2.9&r2=1.27.2.10 Multiple cross-site request forgery (CSRF) vulnerabilities in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a page via a q=admin/build/pages/nojs/enable/ value or (2) disable a page via a q=admin/build/pages/nojs/disable/ value. 40285 http://drupal.org/node/803944 chaos-tool-unspecified-csrf(58722) http://www.madirish.net/?article=458 39884 20100520 Drupal Chaos Tools Suite (Ctools) Module Multiple Vulns The auto-complete functionality in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal does not follow access restrictions, which allows remote authenticated users, with "access content" privileges, to read the title of an unpublished node via a q=ctools/autocomplete/node/ value accompanied by the first character of the node's title. 40285 http://drupal.org/node/803944 chaos-tool-permissions-sec-bypass(58724) http://www.madirish.net/?article=458 39884 20100520 Drupal Chaos Tools Suite (Ctools) Module Multiple Vulns Unspecified vulnerability in the Agent in HP LoadRunner before 9.50 and HP Performance Center before 9.50 allows remote attackers to execute arbitrary code via unknown vectors. SSRT071328 SSRT071328 HPSBMA02528 HPSBMA02528 Format string vulnerability in ovet_demandpoll.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via format string specifiers in the sel parameter. SSRT010098 http://zerodayinitiative.com/advisories/ZDI-10-081/ 20100511 ZDI-10-081: HP OpenView NNM ovet_demandpoll sel CGI Variable Format String Remote Code Execution Vulnerability Stack-based buffer overflow in the _OVParseLLA function in ov.dll in netmon.exe in Network Monitor in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via the sel parameter. http://zerodayinitiative.com/advisories/ZDI-10-082/ 40067 20100511 ZDI-10-082: HP OpenView NNM netmon sel CGI Variable Remote Code Execution Vulnerability SSRT090226 Stack-based buffer overflow in the doLoad function in snmpviewer.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via the act and app parameters. SSRT090227 http://zerodayinitiative.com/advisories/ZDI-10-083/ 20100511 ZDI-10-083: HP OpenView NNM snmpviewer.exe CGI Multiple Variable Remote Code Execution Vulnerability 8157 Stack-based buffer overflow in getnnmdata.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via an invalid MaxAge parameter. SSRT010098 http://zerodayinitiative.com/advisories/ZDI-10-084/ 20100511 ZDI-10-084: HP OpenView NNM getnnmdata.exe CGI Invalid MaxAge Remote Code Execution Vulnerability 8153 Stack-based buffer overflow in getnnmdata.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via an invalid iCount parameter. SSRT010098 http://zerodayinitiative.com/advisories/ZDI-10-085/ 20100511 ZDI-10-085: HP OpenView NNM getnnmdata.exe CGI Invalid ICount Remote Code Execution Vulnerability 14181 8154 Stack-based buffer overflow in getnnmdata.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via an invalid Hostname parameter. SSRT090230 http://zerodayinitiative.com/advisories/ZDI-10-086/ 40072 20100511 ZDI-10-086: HP OpenView NNM getnnmdata.exe CGI Invalid Hostname Remote Code Execution Vulnerability Unspecified vulnerability in HP Systems Insight Manager (SIM) 5.3, 5.3 Update 1, and 6.0 allows remote attackers to obtain sensitive information and modify data via unknown vectors. 40111 HPSBMA02520 HPSBMA02520 Multiple cross-site scripting (XSS) vulnerabilities in HP Insight Control Server Migration before 6.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 64615 SSRT100086 SSRT100086 Unspecified vulnerability in HP Multifunction Peripheral (MFP) Digital Sending Software before 4.18.3 allows local users to bypass intended restrictions on the MFP "Send to e-mail" feature, and obtain sensitive information, via unknown vectors. hp-mfp-sendtoemail-unauth-access(58618) 40147 64661 HPSBPI02532 HPSBPI02532 SQL injection vulnerability in the SermonSpeaker (com_sermonspeaker) component before 3.2.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a speakerpopup action to index.php. NOTE: some of these details are obtained from third party information. 39385 http://joomlacode.org/gf/project/sermon_speaker/news/?action=NewsThreadView&id=2549 http://joomlacode.org/gf/project/sermon_speaker/forum/?action=ForumBrowse&forum_id=7897&_forum_action=ForumMessageBrowse&thread_id=15219 Buffer overflow in the REPEAT function in IBM DB2 9.1 before FP9 allows remote authenticated users to cause a denial of service (trap) via unspecified vectors. NOTE: this might overlap CVE-2010-0462. http://www-01.ibm.com/support/docview.wss?uid=swg21426108 db2-repeat-dos(58070) ADV-2010-0982 IC65922 39500 oval:org.mitre.oval:def:14613 64041 20100423 IBM 'REPEAT' BoF advisory - APAR IC65922 The SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S11 and 9.7(3)P before 9.7(3)P11 allows remote attackers to cause a denial of service (device crash) via a long message, aka Bug ID CSCsk44115. 20100512 Multiple Vulnerabilities in Cisco PGW Softswitch 40123 64685 The SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S9 and 9.7(3)P before 9.7(3)P9 allows remote attackers to cause a denial of service (device crash) via a malformed Contact header, aka Bug ID CSCsj98521. 20100512 Multiple Vulnerabilities in Cisco PGW Softswitch 64684 The SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S9 and 9.7(3)P before 9.7(3)P9 allows remote attackers to cause a denial of service (device crash) via a malformed header, aka Bug ID CSCsk04588. 20100512 Multiple Vulnerabilities in Cisco PGW Softswitch 40125 64683 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-1564. Reason: This candidate is a duplicate of CVE-2009-1564. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2009-1564 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Unspecified vulnerability in the SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S9 and 9.7(3)P before 9.7(3)P9 allows remote attackers to cause a denial of service (TCP socket exhaustion) via unknown vectors, aka Bug ID CSCsk13561. 20100512 Multiple Vulnerabilities in Cisco PGW Softswitch 40128 64682 The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.8(1)S5 allows remote attackers to cause a denial of service (device crash) via a malformed header, aka Bug ID CSCsz13590. 20100512 Multiple Vulnerabilities in Cisco PGW Softswitch 40126 64681 The Send Secure functionality in the Cisco IronPort Desktop Flag Plug-in for Outlook before 6.5.0-006 does not properly handle simultaneously composed messages, which might allow remote attackers to obtain cleartext contents of e-mail messages that were intended to be encrypted, aka bug 65623. 20100511 Cisco IronPort Desktop Flag Plug-in for Outlook Information Disclosure The computer telephony integration (CTI) server component in Cisco Unified Contact Center Express (UCCX) 7.0 before 7.0(1)SR4 and 7.0(2), 6.0 before 6.0(1)SR1, and 5.0 before 5.0(2)SR3 allows remote attackers to cause a denial of service (CTI server and Node Manager failure) via a malformed CTI message. 20100609 Vulnerabilities in Cisco Unified Contact Center Express cisco-unified-ccx-cti-dos(59276) 1024081 40684 Directory traversal vulnerability in the bootstrap service in Cisco Unified Contact Center Express (UCCX) 7.0 before 7.0(1)SR4 and 7.0(2), unspecified 6.0 versions, and 5.0 before 5.0(2)SR3 allows remote attackers to read arbitrary files via a crafted bootstrap message to TCP port 6295. 20100609 Vulnerabilities in Cisco Unified Contact Center Express cisco-unified-bootstrap-dir-traversal(59277) 1024082 40680 Unspecified vulnerability in the tech support diagnostic shell in Cisco Application Extension Platform (AXP) 1.1 and 1.1.5 allows local users to obtain sensitive configuration information and gain administrator privileges via unspecified API calls. 20100609 Cisco Application Extension Platform Privilege Escalation Vulnerability cisco-aep-shell-privilege-escalation(59271) 40682 Linksys WAP54Gv3 firmware 3.04.03 and earlier uses a hard-coded username (Gemtek) and password (gemtekswd) for a debug interface for certain web pages, which allows remote attackers to execute arbitrary commands via the (1) data1, (2) data2, or (3) data3 parameters to (a) Debug_command_page.asp and (b) debug.cgi. wap54g-debug-command-execution(59286) ADV-2010-1419 40648 20100608 IS-2010-002 - Linksys WAP54Gv3 Remote Debug Root Shell http://www.icysilence.org/?p=268 http://tools.cisco.com/security/center/viewAlert.x?alertId=20682 40103 IOS 12.2(52)SE and 12.2(52)SE1 on Cisco Industrial Ethernet (IE) 3000 series switches has (1) a community name of public for RO access and (2) a community name of private for RW access, which makes it easier for remote attackers to modify the configuration or obtain potentially sensitive information via SNMP requests, aka Bug ID CSCtf25589. VU#732671 cisco-industrial-snmp-unauth-access(60145) ADV-2010-1754 41436 20100707 Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches Vulnerability 1024173 40407 66120 The Cisco Content Services Switch (CSS) 11500 with software 08.20.1.01 conveys authentication data through ClientCert-* headers but does not delete client-supplied ClientCert-* headers, which might allow remote attackers to bypass authentication via crafted header data, as demonstrated by a ClientCert-Subject-CN header, aka Bug ID CSCsz04690. http://www.vsecurity.com/resources/advisory/20100702-1/ 41315 20100702 VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities 1024167 66091 The Cisco Content Services Switch (CSS) 11500 with software before 8.20.4.02 and the Application Control Engine (ACE) 4710 with software before A2(3.0) do not properly handle use of LF, CR, and LFCR as alternatives to the standard CRLF sequence between HTTP headers, which allows remote attackers to bypass intended header insertions or conduct HTTP request smuggling attacks via crafted header data, as demonstrated by LF characters preceding ClientCert-Subject and ClientCert-Subject-CN headers, aka Bug ID CSCta04885. http://www.vsecurity.com/resources/advisory/20100702-1/ 41315 20100702 VSR Advisory: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities 1024168 1024167 66092 Directory traversal vulnerability in Cisco Internet Streamer, as used in Cisco Content Delivery System (CDS) 2.2.x, 2.3.x, 2.4.x, and 2.5.x before 2.5.7 allows remote attackers to read arbitrary files via a crafted URL. 20100721 CDS Internet Streamer: Web Server Directory Traversal Vulnerability cisco-cds-streamer-directory-traversal(60567) ADV-2010-1881 1024234 40701 66508 Unspecified vulnerability in the SunRPC inspection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.19), 8.1 before 8.1(2.47), and 8.2 before 8.2(2) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via crafted SunRPC UDP packets, aka Bug ID CSCtc77567. 20100804 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 40842 Unspecified vulnerability in the SunRPC inspection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.19), 8.1 before 8.1(2.47), and 8.2 before 8.2(2) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via crafted SunRPC UDP packets, aka Bug ID CSCtc79922. 20100804 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 40842 Unspecified vulnerability in the SunRPC inspection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.19), 8.1 before 8.1(2.47), and 8.2 before 8.2(2) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via crafted SunRPC UDP packets, aka Bug ID CSCtc85753. 20100804 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 40842 Unspecified vulnerability in the Transport Layer Security (TLS) implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.15), 8.1 before 8.1(2.44), 8.2 before 8.2(2.17), and 8.3 before 8.3(1.6) and Cisco PIX Security Appliances 500 series devices allows remote attackers to cause a denial of service (device reload) via a sequence of crafted TLS packets, aka Bug ID CSCtd32627. 20100804 Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances 42187 40842 SQL injection vulnerability in the loadByKey function in the TznDbConnection class in tzn_mysql.php in Tirzen (aka TZN) Framework 1.5, as used in TaskFreak! before 0.6.3, allows remote attackers to execute arbitrary SQL commands via the username field in a login action. taskfreak-loadbykey-sql-injection(58241) http://www.taskfreak.com/versions.html 39793 http://www.madirish.net/?article=456 12452 Cross-site scripting (XSS) vulnerability in the Context module before 6.x-2.0-rc4 for Drupal allows remote authenticated users, with Administer Blocks privileges, to inject arbitrary web script or HTML via a block description. http://drupal.org/node/795118 context-adminblocks-xss(58521) http://www.theregister.co.uk/2010/05/10/drupal_security_bug/ 40056 http://www.packetstormsecurity.com/1005-exploits/drupalab-xss.txt http://www.madirish.net/?article=457 http://drupal.org/node/794718 http://drupal.org/cvs?commit=365210 http://crackingdrupal.com/blog/greggles/mitigation-against-cve-2010-1584-drupal-context-module-xss The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element. https://bugzilla.mozilla.org/show_bug.cgi?id=562547 20100421 Security-Assessment.com WhitePaper/Addendum: Cross Context Scripting with Firefox & Exploiting Cross Context Scripting vulnerabilities in Firefox http://www.security-assessment.com/files/whitepapers/Cross_Context_Scripting_with_Firefox.pdf http://www.mozilla.org/security/announce/2011/mfsa2011-08.html MDVSA-2011:042 MDVSA-2011:041 http://wizzrss.blat.co.za/2009/11/17/so-much-for-nsiscriptableunescapehtmlparsefragment/ oval:org.mitre.oval:def:12532 Open redirect vulnerability in red2301.html in HP System Management Homepage (SMH) 2.x.x.x allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the RedirectUrl parameter. http://yehg.net/lab/pr0js/advisories/hp_system_management_homepage_url_redirection_abuse hp-smh-redirecturl-phishing(58107) 39676 The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source code via a // (slash slash) initial substring in a URI for (1) admin/index.jsp, (2) admin/queues.jsp, or (3) admin/topics.jsp. https://issues.apache.org/activemq/browse/AMQ-2700 ADV-2010-0979 39636 20100422 Apache ActiveMQ is prone to source code disclosure vulnerability. 64020 39567 20100422 Apache ActiveMQ is prone to source code disclosure vulnerability. SQL injection vulnerability in the Getwebsess function in shopsessionsubs.asp in Rocksalt International VP-ASP Shopping Cart 6.50 and earlier allows remote attackers to execute arbitrary SQL commands via the websess parameter. shoppingcart-websess-sql-injection(55821) 38283 61890 20100120 Insufficient User Input Validation in VP-ASP 6.50 Demo Code Directory traversal vulnerability in shopsessionsubs.asp in Rocksalt International VP-ASP Shopping Cart 6.50 and earlier might allow remote attackers to determine the existence of arbitrary files via directory traversal sequences in the client's DNS hostname (aka the REMOTE_HOST variable), related to the CookielessGenerateFilename and CookielessReadFile functions. shoppingcart-remotehost-dir-traversal(55824) 38283 61891 20100120 Insufficient User Input Validation in VP-ASP 6.50 Demo Code Cross-site scripting (XSS) vulnerability in shopsessionsubs.asp in Rocksalt International VP-ASP Shopping Cart 6.50 and earlier might allow remote attackers to inject arbitrary web script or HTML via the client's DNS hostname (aka the REMOTE_HOST variable), related to the CookielessGenerateFilename and CookielessReadFile functions. 20100120 Insufficient User Input Validation in VP-ASP 6.50 Demo Code Beijing Rising International Rising Antivirus 2008 through 2010 does not properly validate input to certain IOCTLs, including 0x83003C07, which allows local users to gain privileges via crafted IOCTL requests to the (1) HookCont.sys, (2) HookNtos.sys, (3) HOOKREG.sys, or (4) HookSys.sys device driver; or the (5) RsNTGdi.sys kernel module, reachable through \Device\RSNTGDI. rising-antivirus-drivers-priv-escalation(55869) ADV-2010-0218 37951 http://www.ntinternals.org/ntiadv0902/ntiadv0902.html http://www.ntinternals.org/ntiadv0805/ntiadv0805.html 38335 61946 sandra.sys 15.18.1.1 and earlier in the Sandra Device Driver in SiSoftware Sandra 16.10.2010.1 and earlier allows local users to gain privileges or cause a denial of service (system crash) via unspecified vectors involving "Model-Specific Registers." ADV-2010-0223 http://www.ntinternals.org/ntiadv0808/ntiadv0808.html 38212 61947 Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (1) the CommenterURL parameter to PostCommentForm, and in the Forum module before 0.2.5 in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (2) the Search parameter to forums/search (aka the search script). http://www.silverstripe.org/security-releases/ 37923 http://open.silverstripe.org/changeset/97074 http://groups.google.com/group/silverstripe-announce/browse_thread/thread/f51749342eee9456 silverstripe-search-xss(55839) silverstripe-comment-xss(55838) 20100122 Silverstripe <= v2.3.4: two XSS vulnerabilities 38347 38290 61923 61921 http://open.silverstripe.org/wiki/ChangeLog/2.3.5 20100122 Silverstripe <= v2.3.4: two XSS vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to inject arbitrary web script or HTML via (1) the query string, (2) the BASE parameter, or (3) the ega_1 parameter. NOTE: some of these details are obtained from third party information. ocsinventoryng-index-xss(55874) MDVSA-2010:178 38311 http://packetstormsecurity.org/1001-exploits/ocsinventoryng-sqlxss.txt 61943 Multiple SQL injection vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to execute arbitrary SQL commands via the (1) c, (2) val_1, or (3) onglet_bis parameter. ocsinventoryng-index-sql-injection(55872) MDVSA-2010:178 38311 http://packetstormsecurity.org/1001-exploits/ocsinventoryng-sqlxss.txt 61942 Support Incident Tracker before 3.51, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password. http://sitracker.org/wiki/ReleaseNotes351 supportincident-ldap-security-bypass(55871) 37949 http://sitracker.org/forum/viewtopic.php?f=4&t=1416979&p=2292 38329 61945 http://bugs.sitracker.org/view.php?id=1047 Stack-based buffer overflow in zgtips.dll in ZipGenius 6.3.1.2552 allows user-assisted remote attackers to execute arbitrary code via a ZIP file containing an entry with a long filename. zipgenius-zgtips-bo(58022) ADV-2010-0966 39622 12326 http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-029-zipgenius-v6-3-1-2552-zgtips-dll-stack-buffer-overflow/ http://www.corelan.be:8800/advisories.php?id=CORELAN-10-029 39497 63971 http://feeds.feedburner.com/zipgeniusnews phpThumb.php in phpThumb() 1.7.9 and possibly other versions, when ImageMagick is installed, allows remote attackers to execute arbitrary commands via the fltr[] parameter, as discovered in the wild in April 2010. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. phpthumb-phpthumb-command-execution(58040) 39605 39556 63939 SQL injection vulnerability in loadorder.php in NKInFoWeb 2.5 and 5.2.2.0 allows remote attackers to execute arbitrary SQL commands via the id_sp parameter. nkinfoweb-loadorder-sql-injection(58082) 12354 39609 http://packetstormsecurity.org/1004-exploits/nkinfoweb-sql.txt SQL injection vulnerability in the Media Mall Factory (com_mediamall) component 1.0.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter to index.php. mediamall-category-sql-injection(57906) http://www.thefactory.ro/shop/joomla-components/media-mall.html 39488 http://www.packetstormsecurity.com/1004-exploits/joomlamediamallfactory-bsql.txt 63940 12234 39546 Directory traversal vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. comjacomment-index-file-inlclude(57848) 39516 63802 12236 39472 http://packetstormsecurity.org/1004-exploits/joomlajacomment-lfi.txt Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0932 39548 12283 http://packetstormsecurity.org/1004-exploits/joomlazimbcomment-lfi.txt Directory traversal vulnerability in the ZiMB Core (aka ZiMBCore or com_zimbcore) component 0.1 in the ZiMB Manager collection for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0931 39546 12284 http://packetstormsecurity.org/1004-exploits/joomlazimbmanager-lfi.txt Multiple SQL injection vulnerabilities in admin_login.php in NCT Jobs Portal Script allow remote attackers to execute arbitrary SQL commands via the (1) user parameter (aka login field) and (2) passwd parameter (aka password field). NOTE: some of these details are obtained from third party information. portalscript-adminlogin-sql-injection(58080) 12370 39601 http://packetstormsecurity.org/1004-exploits/nctjobsportal-sqlxss.txt Multiple SQL injection vulnerabilities in isearch.php in NCT Jobs Portal Script allow remote attackers to execute arbitrary SQL commands via the (1) anyword and (2) cityname parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. portalscript-isearch-sql-injection(58079) 39601 Multiple cross-site scripting (XSS) vulnerabilities in NCT Jobs Portal Script allow remote attackers to inject arbitrary web script or HTML via the (1) search, (2) Keywords, (3) Tags, or (4) Desired City field. portalscript-search-xss(58081) 12370 http://packetstormsecurity.org/1004-exploits/nctjobsportal-sqlxss.txt Directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. webmoney-index-file-inlcude(58032) 39608 12316 39539 63979 Stack-based buffer overflow in IBM Lotus Notes 8.5 and 8.5fp1, and possibly other versions, allows remote attackers to execute arbitrary code via unknown attack vectors, as demonstrated by the vd_ln module in VulnDisco 9.0. NOTE: as of 20100222, this disclosure has no actionable information. However, because the VulnDisco author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. https://forum.immunityinc.com/board/thread/1161/vulndisco-9-0/ lotusnotes-unspec-bo(58322) 38300 38622 oval:org.mitre.oval:def:14489 Cross-site scripting (XSS) vulnerability in SAP NetWeaver 2004 before SP21 and 2004s before SP13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. ADV-2010-0397 20100211 [Onapsis Security Advisory 2010-003] SAP WebDynpro Runtime XSS/CSS Injection 38629 20100211 [Onapsis Security Advisory 2010-003] SAP WebDynpro Runtime XSS/CSS Injection Cross-site request forgery (CSRF) vulnerability in index.php in OpenCart 1.4 allows remote attackers to hijack the authentication of an application administrator for requests that create an administrative account via a POST request with the route parameter set to "user/user/insert." NOTE: some of these details are obtained from third party information. opencart-admin-csrf(56061) 20100202 OpenCart CSRF Vulnerability 38419 http://forum.opencart.com/viewtopic.php?f=16&t=10203&p=49654&hilit=csrf#p49654 http://blog.visionsource.org/2010/01/28/opencart-csrf-vulnerability/ Cross-site request forgery (CSRF) vulnerability in AlegroCart 1.1 allows remote attackers to hijack the authentication of the administrator for requests that reset the administrator password via a POST to admin/ with an update action. http://forum.alegrocart.com/viewtopic.php?f=8&t=54 alegrocart-admin-csrf(56037) 38386 http://packetstormsecurity.org/1002-exploits/alegrocart-xsrf.txt 62073 The IBM WebSphere DataPower XML Accelerator XA35, Low Latency Appliance XM70, Integration Appliance XI50, B2B Appliance XB60, and XML Security Gateway XS40 SOA Appliances before 3.8.0.0, when a QLOGIC Ethernet interface is used, allow remote attackers to cause a denial of service (interface outage) via malformed ICMP packets to the 0.0.0.0 destination IP address. http://www-01.ibm.com/support/docview.wss?uid=swg24024774 http://www-01.ibm.com/support/docview.wss?uid=swg24024773 http://www-01.ibm.com/support/docview.wss?uid=swg24024772 http://www-01.ibm.com/support/docview.wss?uid=swg24024771 http://www-01.ibm.com/support/docview.wss?uid=swg24024770 IC61364 37952 20100126 [IBM Datapower XS40] Denial of Service Moodle 1.8.x and 1.9.x before 1.9.8 does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks. ADV-2010-1107 http://moodle.org/security/ SUSE-SR:2010:011 Multiple cross-site scripting (XSS) vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the Login-As feature or (2) when the global search feature is enabled, unspecified global search forms in the Global Search Engine. NOTE: vector 1 might be resultant from a cross-site request forgery (CSRF) vulnerability. ADV-2010-1107 http://moodle.org/security/ SUSE-SR:2010:011 Multiple SQL injection vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the add_to_log function in mod/wiki/view.php in the wiki module, or (2) "data validation in some forms elements" related to lib/form/selectgroups.php. ADV-2010-1107 http://moodle.org/security/ SUSE-SR:2010:011 http://cvs.moodle.org/moodle/mod/wiki/view.php?r1=1.76.2.6&r2=1.76.2.7 http://cvs.moodle.org/moodle/lib/form/selectgroups.php?r1=1.2.4.2&r2=1.2.4.3 Moodle 1.8.x and 1.9.x before 1.9.8 can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability. ADV-2010-1107 http://tracker.moodle.org/browse/MDL-16658 http://moodle.org/security/ SUSE-SR:2010:011 user/view.php in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page. ADV-2010-1107 http://moodle.org/security/ SUSE-SR:2010:011 http://cvs.moodle.org/moodle/user/view.php?r1=1.168.2.28&r2=1.168.2.29 Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message. ADV-2010-1107 http://www.ja-sig.org/wiki/display/CASC/phpCAS+ChangeLog http://www.ja-sig.org/issues/browse/PHPCAS-52 http://moodle.org/security/ SUSE-SR:2010:011 Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities. ADV-2010-1107 http://moodle.org/security/ SUSE-SR:2010:011 Integer overflow in the load_iface function in Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 might allow context-dependent attackers to execute arbitrary code via a (1) file or (2) socket that provides configuration data with many entries, leading to a heap-based buffer overflow. http://ftpmain.gnustep.org/pub/gnustep/core/gnustep-base-1.20.0.tar.gz https://bugs.launchpad.net/ubuntu/+source/gnustep-base/+bug/573108 http://thread.gmane.org/gmane.comp.lib.gnustep.bugs/12336 39746 http://savannah.gnu.org/bugs/?29755 [oss-security] 20100507 Re: CVE Assignment (gnustep) [oss-security] 20100507 Re: CVE Assignment (gnustep) The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL 5.1 before 5.1.46 does not check privileges before uninstalling a plugin, which allows remote attackers to uninstall arbitrary plugins via the UNINSTALL PLUGIN command. 39543 MDVSA-2010:093 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-46.html http://bugs.mysql.com/bug.php?id=51770 SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file. ADV-2011-0237 http://www.springsource.com/security/cve-2010-1622 40954 20100618 CVE-2010-1622: Spring Framework execution of arbitrary code RHSA-2011:0175 13918 43087 41025 41016 http://geronimo.apache.org/22x-security-report.html http://geronimo.apache.org/21x-security-report.html http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket. ADV-2010-2556 http://svn.apache.org/viewvc?view=revision&revision=1003626 http://svn.apache.org/viewvc?view=revision&revision=1003495 http://svn.apache.org/viewvc?view=revision&revision=1003494 http://svn.apache.org/viewvc?view=revision&revision=1003493 http://svn.apache.org/viewvc?view=revision&revision=1003492 ADV-2011-0358 ADV-2010-3074 ADV-2010-3065 ADV-2010-3064 ADV-2010-2806 ADV-2010-2557 USN-1022-1 43673 RHSA-2011:0897 RHSA-2011:0896 RHSA-2010:0950 MDVSA-2010:192 http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3 PM31601 PM31601 USN-1021-1 SSA:2011-041-01 http://security-tracker.debian.org/tracker/CVE-2010-1623 43285 43211 42537 42403 42367 42361 42015 41701 oval:org.mitre.oval:def:12800 SUSE-SU-2011:1229 FEDORA-2010-15916 FEDORA-2010-15953 http://blogs.sun.com/security/entry/cve_2010_1623_memory_leak The msn_emoticon_msg function in slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.7.0 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a custom emoticon in a malformed SLP message. https://bugzilla.redhat.com/show_bug.cgi?id=589973 pidgin-slp-packets-dos(58559) ADV-2010-2755 ADV-2010-1141 USN-1014-1 40138 RHSA-2010:0788 http://www.pidgin.im/news/security/index.php?id=46 MDVSA-2010:097 41899 39801 http://developer.pidgin.im/viewmtn/revision/info/894460d22c434e73d60b71ec031611988e687c8b http://developer.pidgin.im/viewmtn/revision/diff/884d44222e8c81ecec51c25e07d005e002a5479b/with/894460d22c434e73d60b71ec031611988e687c8b/libpurple/protocols/msn/slp.c Cross-site scripting (XSS) vulnerability in LXR Cross Referencer before 0.9.7 allows remote attackers to inject arbitrary web script or HTML via vectors related to the search body and the results page for a search, a different vulnerability than CVE-2009-4497 and CVE-2010-1448. [oss-security] 20100514 Re: CVE request: lxr [oss-security] 20100506 Re: CVE request: lxr [oss-security] 20100503 Re: CVE request: lxr http://sourceforge.net/projects/lxr/files/stable/lxr-0.9.7/ChangeLog/download [oss-security] 20100506 Re: CVE request: lxr [oss-security] 20100503 Re: CVE request: lxr MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247. http://bugs.mysql.com/bug.php?id=40980 ADV-2010-1194 40257 RHSA-2010:0442 [oss-security] 20100518 Re: A mysql flaw. [oss-security] 20100510 Re: A mysql flaw. MDVSA-2010:101 1024004 oval:org.mitre.oval:def:9490 SUSE-SR:2010:021 SUSE-SR:2010:019 feed.php in phpBB 3.0.7 before 3.0.7-PL1 does not properly check permissions for feeds, which allows remote attackers to bypass intended access restrictions via unspecified attack vectors related to permission settings on a private forum. http://www.phpbb.com/community/viewtopic.php?f=14&t=2014195 [oss-security] 20100518 Re: CVE request: phpbb 3.0.7 and before 3.0.5 [oss-security] 20100517 CVE request: phpbb 3.0.7 and before 3.0.5 Ghostscript 8.64, 8.70, and possibly other versions allows context-dependent attackers to execute arbitrary code via a PostScript file containing unlimited recursive procedure invocations, which trigger memory corruption in the stack of the interpreter. https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/546009 ADV-2010-1138 USN-961-1 40107 20100512 Multiple memory corruption vulnerabilities in Ghostscript [oss-security] 20100518 Re: CVE assignment: ghostscript stack-based overflow [oss-security] 20100511 Re: CVE assignment: ghostscript stack-based overflow MDVSA-2010:134 40580 39753 20100511 Multiple memory corruption vulnerabilities in Ghostscript SUSE-SR:2010:014 http://bugs.ghostscript.com/show_bug.cgi?id=691295 Cross-site scripting (XSS) vulnerability in Phorum before 5.2.15 allows remote attackers to inject arbitrary web script or HTML via an invalid email address. http://www.facebook.com/note.php?note_id=371190874581 [oss-security] 20100518 Re: CVE request: phorum < 5.2.15 backend XSS [oss-security] 20100517 CVE request: phorum < 5.2.15 backend XSS 64759 Unspecified vulnerability in posting.php in phpBB before 3.0.5 has unknown impact and attack vectors related to the use of a "forum id" in circumstances related to a "global announcement." http://www.phpbb.com/community/viewtopic.php?f=14&p=9764445 [oss-security] 20100519 Re: CVE request: phpbb 3.0.7 and before 3.0.5 [oss-security] 20100518 Re: CVE request: phpbb 3.0.7 and before 3.0.5 [oss-security] 20100517 CVE request: phpbb 3.0.7 and before 3.0.5 http://github.com/phpbb/phpbb3/commit/4ea3402f9363c9259881bc8ea6ce7fc6cb212657 Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService. https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf https://issues.apache.org/jira/browse/GERONIMO-5383 https://issues.apache.org/jira/browse/AXIS2-4450 ADV-2010-1531 ADV-2010-1528 http://www-01.ibm.com/support/docview.wss?uid=swg21433581 41025 41016 40279 40252 http://markmail.org/message/e4yiij7lfexastvl http://geronimo.apache.org/22x-security-report.html http://geronimo.apache.org/21x-security-report.html http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors. NOTE: some of these details are obtained from third party information. ADV-2010-1313 https://bugzilla.redhat.com/show_bug.cgi?id=598732 40503 http://www.openssl.org/news/secadv_20100601.txt 40024 http://cvs.openssl.org/filediff?f=openssl/crypto/rsa/rsa_pmeth.c&v1=1.34&v2=1.34.2.1 http://cvs.openssl.org/chngview?cn=19693 Multiple integer overflows in audioop.c in the audioop module in Python 2.6, 2.7, 3.1, and 3.2 allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-3143.5. https://bugzilla.redhat.com/show_bug.cgi?id=590690 http://svn.python.org/view?rev=81079&view=rev http://svn.python.org/view?rev=81045&view=rev http://bugs.python.org/issue8674 ADV-2011-0212 ADV-2011-0122 ADV-2010-1448 40370 RHSA-2011:0027 http://support.apple.com/kb/HT5002 43068 42888 40194 39937 SUSE-SR:2011:002 SUSE-SR:2010:024 FEDORA-2010-9652 APPLE-SA-2011-10-12-3 The chain_reply function in process.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) via a Negotiate Protocol request with a certain 0x0003 field value followed by a Session Setup AndX request with a certain 0x8003 field value. Per: http://cwe.mitre.org/data/definitions/476.html 'NULL Pointer Dereference' http://git.samba.org/?p=samba.git;a=commit;h=25452a2268ac7013da28125f3df22085139af12d https://bugzilla.samba.org/show_bug.cgi?id=7229 https://bugzilla.redhat.com/show_bug.cgi?id=594921 ADV-2010-1933 http://www.stratsec.net/Research/Advisories/Samba-Multiple-DoS-Vulnerabilities-(SS-2010-005) 40097 MDVSA-2010:141 http://security-tracker.debian.org/tracker/CVE-2010-1635 http://samba.org/samba/history/samba-3.5.2.html http://samba.org/samba/history/samba-3.4.8.html The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the btrfs functionality in the Linux kernel 2.6.29 through 2.6.32, and possibly other versions, does not ensure that a cloned file descriptor has been opened for reading, which allows local users to read sensitive information from a write-only file descriptor. https://bugs.launchpad.net/ubuntu/+source/linux/+bug/579585 [oss-security] 20100518 kernel: btrfs: check for read permission on src file in the clone ioctl http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395 https://bugzilla.redhat.com/show_bug.cgi?id=593226 [oss-security] 20100525 Re: kernel: btrfs: check for read permission on src file in the clone ioctl [oss-security] 20100518 Re: kernel: btrfs: check for read permission on src file in the clone ioctl The Mail Fetch plugin in SquirrelMail 1.4.20 and earlier allows remote authenticated users to bypass firewall restrictions and use SquirrelMail as a proxy to scan internal networks via a modified POP3 port number. [oss-security] 20100621 Re: [SquirrelMail-Security] CVE Request for Horde and Squirrelmail http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/options.php?r1=13951&r2=13950&pathrev=13951 http://squirrelmail.org/security/issue/2010-06-21 ADV-2010-1554 ADV-2010-1536 ADV-2010-1535 40307 40291 [oss-security] 20100525 Re: CVE Request for Horde and Squirrelmail [oss-security] 20100525 Re: CVE Request for Horde and Squirrelmail MDVSA-2010:120 http://support.apple.com/kb/HT5130 http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/plugins/mail_fetch/functions.php?r1=13951&r2=13950&pathrev=13951 40307 RHSA-2012:0103 FEDORA-2010-10264 FEDORA-2010-10259 FEDORA-2010-10244 APPLE-SA-2012-02-01-1 The IMP plugin in Horde allows remote attackers to bypass firewall restrictions and use Horde as a proxy to scan internal networks via a crafted request to an unspecified test script. NOTE: this is only a vulnerability when the administrator does not follow recommendations in the product's installation documentation. [oss-security] 20100524 Re: [core] CVE Request for Horde and Squirrelmail [oss-security] 20100521 Re: [core] CVE Request for Horde and Squirrelmail The cli_pdf function in libclamav/pdf.c in ClamAV before 0.96.1 allows remote attackers to cause a denial of service (crash) via a malformed PDF file, related to an inconsistency in the calculated stream length and the real stream length. https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2016 http://git.clamav.net/gitweb?p=clamav-devel.git;a=commitdiff;h=f0eb394501ec21b9fe67f36cbf5db788711d4236#patch2 clamav-clipdf-dos(58824) ADV-2010-1214 1024017 40317 MDVSA-2010:110 43752 39895 SUSE-SR:2010:014 FEDORA-2011-2743 FEDORA-2011-2741 Off-by-one error in the parseicon function in libclamav/pe_icons.c in ClamAV 0.96 allows remote attackers to cause a denial of service (crash) via a crafted PE icon that triggers an out-of-bounds read, related to improper rounding during scaling. http://git.clamav.net/gitweb?p=clamav-devel.git;a=blobdiff;f=libclamav/pe_icons.c;h=3f1bc5be69d0f9d84e576814d1a3cc6f40c4ff2c;hp=39a714f05968f9e929576bf171dd0eb58bf06bef;hb=7f0e3bbf77382d9782e0189bf80f5f59a95779b3;hpb=f0eb394501ec21b9fe67f36cbf5db788711d4236 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2031 clamav-parseicon-dos(58825) ADV-2010-1214 40318 [oss-security] 20100521 CVE Request: off by one DoS in pe_icons.c MDVSA-2010:110 39895 SUSE-SR:2010:014 http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.96.1 The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request. http://www.kernel.org/pub/linux/kernel/v2.6/snapshots/incr/patch-2.6.34-git9-git10.bz2 [cluster-devel] 20100525 [PATCH 3/3] GFS2: Fix permissions checking for setflags ioctl() https://bugzilla.redhat.com/show_bug.cgi?id=595579 kernel-gfs2-security-bypass(58926) ADV-2010-1857 http://www.vmware.com/security/advisories/VMSA-2011-0003.html 40356 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX [oss-security] 20100526 Re: CVE request - kernel: GFS2: The setflags ioctl() doesn't check file ownership [oss-security] 20100525 Re: CVE request - kernel: GFS2: The setflags ioctl() doesn't check file ownership [oss-security] 20100525 CVE request - kernel: GFS2: The setflags ioctl() doesn't check file ownership 43315 40645 oval:org.mitre.oval:def:9916 SUSE-SA:2010:033 SUSE-SA:2010:031 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7df0e0397b9a18358573274db9fdab991941062f The reply_sesssetup_and_X_spnego function in sesssetup.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to trigger an out-of-bounds read, and cause a denial of service (process crash), via a \xff\xff security blob length in a Session Setup AndX request. http://git.samba.org/?p=samba.git;a=commit;h=9280051bfba337458722fb157f3082f93cbd9f2b https://bugzilla.samba.org/show_bug.cgi?id=7254 https://bugzilla.redhat.com/show_bug.cgi?id=594921 ADV-2010-1933 http://www.stratsec.net/Research/Advisories/Samba-Multiple-DoS-Vulnerabilities-(SS-2010-005) 40097 MDVSA-2010:141 http://security-tracker.debian.org/tracker/CVE-2010-1642 http://samba.org/samba/history/samba-3.5.2.html http://samba.org/samba/history/samba-3.4.8.html mm/shmem.c in the Linux kernel before 2.6.28-rc3, when strict overcommit is enabled, does not properly handle the export of shmemfs objects by knfsd, which allows attackers to cause a denial of service (NULL pointer dereference and knfsd crash) or possibly have unspecified other impact via unknown vectors. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' https://bugzilla.redhat.com/show_bug.cgi?id=595970 linux-kernel-knfsd-dos(58957) ADV-2010-1857 40377 [oss-security] 20100526 Re: CVE request - kernel: nfsd: fix vm overcommit crash [oss-security] 20100526 CVE request - kernel: nfsd: fix vm overcommit crash MDVSA-2010:198 http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.28/ChangeLog-2.6.28-rc3 http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-via-knfsd-9666 40645 SUSE-SA:2010:031 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=731572d39fcd3498702eda4600db4c43d51e0b26 Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) hostname or (2) description parameter to host.php, or (3) the host_id parameter to data_sources.php. ADV-2010-1203 RHSA-2010:0635 https://bugzilla.redhat.com/show_bug.cgi?id=609093 40332 20100521 Cacti Multiple Parameter Cross Site Scripting Vulnerabilities http://www.cacti.net/release_notes_0_8_7f.php http://svn.cacti.net/viewvc?view=rev&revision=5901 41041 Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in (1) the FQDN field of a Device or (2) the Vertical Label field of a Graph Template. RHSA-2010:0635 https://bugzilla.redhat.com/show_bug.cgi?id=609115 http://www.cacti.net/release_notes_0_8_7f.php http://www.bonsai-sec.com/en/research/vulnerabilities/cacti-os-command-injection-0105.php http://svn.cacti.net/viewvc?view=rev&revision=5784 http://svn.cacti.net/viewvc?view=rev&revision=5782 http://svn.cacti.net/viewvc?view=rev&revision=5778 41041 The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and 1.7.0 through 1.7.2p6 does not properly handle an environment that contains multiple PATH variables, which might allow local users to gain privileges via a crafted value of the last PATH variable. http://www.sudo.ws/repos/sudo/rev/a09c6812eaec http://www.sudo.ws/repos/sudo/rev/3057fde43cf0 https://bugzilla.redhat.com/show_bug.cgi?id=598154 ADV-2011-0212 ADV-2010-1519 ADV-2010-1518 ADV-2010-1478 ADV-2010-1452 http://www.sudo.ws/sudo/alerts/secure_path.html 1024101 40538 20101027 rPSA-2010-0075-1 sudo RHSA-2010:0475 65083 MDVSA-2010:118 DSA-2062 http://wiki.rpath.com/Advisories:rPSA-2010-0075 GLSA-201009-03 43068 40508 40215 40188 40002 oval:org.mitre.oval:def:7338 oval:org.mitre.oval:def:10580 SUSE-SR:2011:002 FEDORA-2010-9415 FEDORA-2010-9417 FEDORA-2010-9402 Cross-site scripting (XSS) vulnerability in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to inject arbitrary web script or HTML via crafted Cascading Style Sheets (CSS) strings that are processed as script by Internet Explorer. https://bugzilla.wikimedia.org/show_bug.cgi?id=23687 [MediaWiki-announce] 20100528 MediaWiki security update: 1.15.4 and 1.16.0beta3 FEDORA-2010-10848 FEDORA-2010-10779 Cross-site request forgery (CSRF) vulnerability in the login interface in MediaWiki 1.15 before 1.15.4 and 1.16 before 1.16 beta 3 allows remote attackers to hijack the authentication of users for requests that (1) create accounts or (2) reset passwords, related to the Special:Userlogin form. [MediaWiki-announce] 20100528 MediaWiki security update: 1.15.4 and 1.16.0beta3 https://bugzilla.wikimedia.org/show_bug.cgi?id=23371 FEDORA-2010-10848 FEDORA-2010-10779 Multiple cross-site scripting (XSS) vulnerabilities in the back end in Joomla! 1.5 through 1.5.17 allow remote attackers to inject arbitrary web script or HTML via unknown vectors related to "various administrator screens," possibly the search parameter in administrator/index.php. 40444 65011 39964 http://developer.joomla.org/security/news/314-20100501-core-xss-vulnerabilities-in-back-end.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+JoomlaSecurityNews+%28Joomla!+Security+News%29 IBM WebSphere Application Server (WAS) 6.0.x before 6.0.2.41, 6.1.x before 6.1.0.31, and 7.0.x before 7.0.0.11, when the -trace option (aka debugging mode) is enabled, executes debugging statements that print string representations of unspecified objects, which allows attackers to obtain sensitive information by reading the trace output. PM12247 ibm-was-debugging-information-disclosure(58323) ADV-2010-0994 PM06839 39628 IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.31 and 7.0.x before 7.0.0.11, when Basic authentication and SIP tracing (aka full trace logging for SIP) are enabled, logs the entirety of all inbound and outbound SIP messages, which allows local users to obtain sensitive information by reading the trace log. PM12247 ibm-was-trace-information-disclosure(58324) ADV-2010-1411 65437 PM15829 PM08892 40096 39628 Directory traversal vulnerability in the HelpCenter module in Help Center Live (HCL) 2.0.6 and 2.1.7 allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the file parameter to module.php. NOTE: some of these details are obtained from third party information. ADV-2010-1009 39732 12421 39615 http://packetstormsecurity.org/1004-exploits/helpcenterlive-lfi.txt Directory traversal vulnerability in graphics.php in the Graphics (com_graphics) component 1.0.6 and 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. ADV-2010-1004 39743 12430 39585 http://packetstormsecurity.org/1004-exploits/joomlagraphics-lfi.txt Multiple SQL injection vulnerabilities in system_member_login.php in Infocus Real Estate Enterprise Edition allow remote attackers to execute arbitrary SQL commands via the (1) username (aka login) and (2) password parameters. NOTE: some of these details are obtained from third party information. ADV-2010-1014 39731 12415 39625 http://packetstormsecurity.org/1004-exploits/ireee-sql.txt Cross-site scripting (XSS) vulnerability in User/User_ChkLogin.asp in PowerEasy 2006 and PowerEasy SiteWeaver 6.8 allows remote attackers to inject arbitrary web script or HTML via the ComeUrl parameter. 39696 20100424 A XSS in User_ChkLogin.asp of PowerEasy 2006 39627 64094 SQL injection vulnerability in the Airiny ABC (com_abc) component 1.1.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the sectionid parameter in an abc action to index.php. abc-index-sql-injection(58178) ADV-2010-1005 39741 12429 39588 Directory traversal vulnerability in the SmartSite (com_smartsite) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. comsmartsite-controller-file-include(58175) ADV-2010-1006 39740 12428 39592 http://packetstormsecurity.org/1004-exploits/joomlasmartsite-lfi.txt Directory traversal vulnerability in the Code-Garage NoticeBoard (com_noticeboard) component 1.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. comnoticeboard-controller-file-include(58176) ADV-2010-1007 39742 12427 39600 http://packetstormsecurity.org/1004-exploits/joomlnoticeboard-lfi.txt Directory traversal vulnerability in the Ultimate Portfolio (com_ultimateportfolio) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. ultimateportfolio-controller-file-include(58177) ADV-2010-1008 39739 12426 http://packetstormsecurity.org/1004-exploits/joomlaultimateportfolio-lfi.txt SQL injection vulnerability in help-details.php in CLScript Classifieds Script allows remote attackers to execute arbitrary SQL commands via the hpId parameter. classifiedsscript-helpdetails-sql-injection(58181) ADV-2010-1010 39737 12423 39612 http://packetstormsecurity.org/1004-exploits/clscriptclassfieds-sql.txt Multiple SQL injection vulnerabilities in PHP-Quick-Arcade (PHPQA) 3.0.21 allow remote attackers to execute arbitrary SQL commands via the (1) phpqa_user_c parameter to Arcade.php and the (2) id parameter to acpmoderate.php. phpquickarcade-arcade-sql-injection(58184) ADV-2010-1013 39733 12416 http://packetstormsecurity.org/1004-exploits/phpquickarcade-sqlxss.txt Cross-site scripting (XSS) vulnerability in acpmoderate.php in PHP-Quick-Arcade (PHPQA) 3.0.21 allows remote attackers to inject arbitrary web script or HTML via the serv parameter. phpquickarcade-acpmoderate-xss(58185) ADV-2010-1013 39733 12416 http://packetstormsecurity.org/1004-exploits/phpquickarcade-sqlxss.txt The Google URL Parsing Library (aka google-url or GURL) in Google Chrome before 4.1.249.1064 allows remote attackers to bypass the Same Origin Policy via unspecified vectors. ADV-2010-1016 39651 oval:org.mitre.oval:def:6813 http://googlechromereleases.blogspot.com/2010/04/stable-update-bug-and-security-fixes.html http://bugs.chromium.org/40445 Google Chrome before 4.1.249.1064 does not properly handle HTML5 media, which allows remote attackers to cause a denial of service (memory corruption) and possibly have unspecified other impact via unknown vectors. ADV-2010-1016 ADV-2011-0552 ADV-2010-2722 USN-1006-1 MDVSA-2011:039 41856 39651 oval:org.mitre.oval:def:6878 http://googlechromereleases.blogspot.com/2010/04/stable-update-bug-and-security-fixes.html http://bugs.chromium.org/40487 Google Chrome before 4.1.249.1064 does not properly handle fonts, which allows remote attackers to cause a denial of service (memory corruption) and possibly have unspecified other impact via unknown vectors. ADV-2011-0552 ADV-2010-2722 ADV-2010-1016 USN-1006-1 MDVSA-2011:039 41856 39651 oval:org.mitre.oval:def:7034 http://googlechromereleases.blogspot.com/2010/04/stable-update-bug-and-security-fixes.html http://code.google.com/p/chromium/issues/detail?id=42294 Buffer overflow in Dan Pascu python-cjson 1.0.5, when UCS-4 encoding is enabled, allows context-dependent attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors involving crafted Unicode input to the cjson.encode function. https://bugs.launchpad.net/ubuntu/+source/python-cjson/+bug/585274 ADV-2010-1774 DSA-2068 40500 40335 Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 41319 mahara-multiple-unspecified-xss(59993) http://wiki.mahara.org/Release_Notes/1.2.5 http://wiki.mahara.org/Release_Notes/1.1.9 http://wiki.mahara.org/Release_Notes/1.0.15 40431 Multiple cross-site request forgery (CSRF) vulnerabilities in Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. mahara-multiple-unspecified-csrf(59994) 41319 http://wiki.mahara.org/Release_Notes/1.2.5 http://wiki.mahara.org/Release_Notes/1.1.9 http://wiki.mahara.org/Release_Notes/1.0.15 40431 SQL injection vulnerability in Mahara 1.1.x before 1.1.9 and 1.2.x before 1.2.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 41319 mahara-unspecified-sql-injection(59995) http://wiki.mahara.org/Release_Notes/1.2.5 http://wiki.mahara.org/Release_Notes/1.1.9 40431 Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins associated with logins that use the single sign-on (SSO) functionality, which allows remote attackers to bypass authentication via an empty password. NOTE: some of these details are obtained from third party information. 41319 http://wiki.mahara.org/Release_Notes/1.2.5 http://wiki.mahara.org/Release_Notes/1.1.9 http://wiki.mahara.org/Release_Notes/1.0.15 40431 hsolinkcontrol in hsolink 1.0.118 allows local users to gain privileges via shell metacharacters in command-line arguments, as demonstrated by the second argument in a down action. 66649 40713 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590670 The extended-community parser in bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed Extended Communities attribute. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' https://bugzilla.redhat.com/show_bug.cgi?id=654603 quagga-community-dos(66211) ADV-2011-0711 46942 http://www.quagga.net/news2.php?y=2011&m=3&d=21#id1300723200 71259 MDVSA-2011:058 DSA-2197 43770 43499 SUSE-SU-2011:1316 bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (session reset) via a malformed AS_PATHLIMIT path attribute. https://bugzilla.redhat.com/show_bug.cgi?id=654614 quagga-aspath-dos(66212) ADV-2011-0711 46943 http://www.quagga.net/news2.php?y=2011&m=3&d=21#id1300723200 71258 MDVSA-2011:058 DSA-2197 43770 43499 SUSE-SU-2011:1316 Heap-based buffer overflow in Tor before 0.2.1.28 and 0.2.2.x before 0.2.2.20-alpha allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via unspecified vectors. http://blog.torproject.org/blog/tor-02220-alpha-out-security-patches http://blog.torproject.org/blog/tor-02128-released-security-patches [or-announce] 20101220 Tor 0.2.1.28 is released (security patches) https://gitweb.torproject.org/tor.git/blob/release-0.2.1:/ChangeLog ADV-2011-0114 ADV-2010-3290 45500 DSA-2136 1024910 GLSA-201101-02 42916 42783 42667 42536 FEDORA-2010-19147 FEDORA-2010-19159 MHonArc 2.6.16 allows remote attackers to cause a denial of service (CPU consumption) via start tags that are placed within other start tags, as demonstrated by a <bo<bo<bo<bo<body>dy>dy>dy>dy> sequence, a different vulnerability than CVE-2010-4524. mhonarc-start-tags-dos(64656) ADV-2011-0067 ADV-2010-3344 [mhonarc-dev] 20101230 [bug #32014] CVE-2010-1677: DoS when processing html messages with deep tag nesting 42694 http://savannah.nongnu.org/bugs/?32014 MDVSA-2011:003 Directory traversal vulnerability in dpkg-source in dpkg before 1.14.31 and 1.15.x allows user-assisted remote attackers to modify arbitrary files via directory traversal sequences in a patch for a source-format 3.0 package. dpkg-dpkgsource-directory-traversal(64615) ADV-2011-0196 ADV-2011-0044 ADV-2011-0040 USN-1038-1 45703 DSA-2142 43054 42831 42826 70368 FEDORA-2011-0345 FEDORA-2011-0362 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2010. Notes: none. Buffer overflow in VISIODWG.DLL before 10.0.6880.4 in Microsoft Office Visio allows user-assisted remote attackers to execute arbitrary code via a crafted DXF file, a different vulnerability than CVE-2010-0254 and CVE-2010-0256. 39836 1023938 20100504 [CORE-2010-0428] Microsoft Office Visio DXF File Insertion Buffer Overflow 14944 http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow Stack-based buffer overflow in CursorArts ZipWrangler 1.20 allows user-assisted remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename. http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-031-zip-wrangler-1-20-buffer-overflow/ 39575 64079 Stack-based buffer overflow in (1) Urgent Backup 3.20, and (2) ABC Backup Pro 5.20 and ABC Backup 5.50, allows user-assisted remote attackers to execute arbitrary code via a crafted ZIP archive. ADV-2010-1047 ADV-2010-1046 http://www.corelan.be:8800/advisories.php?id=CORELAN-10-034 39701 39699 Stack-based buffer overflow in lpd.exe in Mocha W32 LPD 1.9 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted "recieve jobs" request. NOTE: some of these details are obtained from third party information. 63902 http://www.corelan.be:8800/wp-content/forum-file-uploads/mr_me/mochalpd.py_.txt http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-023-mocha-lpd-remote-buffer-overflow/ 39394 Stack-based buffer overflow in 2BrightSparks SyncBack Freeware 3.2.20.0, and possibly other versions before 3.2.21, allows user-assisted remote attackers to execute arbitrary code via a long filename in a (1) .sps or (2) zip profile. http://www.2brightsparks.com/freeware/changes.html syncback-sps-bo(58727) 40311 http://www.corelan.be:8800/wp-content/forum-file-uploads/lincoln/syncbackup.rb_.txt http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-041-syncback-freeware-v3-2-20-0/ 39865 64752 The DNS implementation in smtpsvc.dll before 6.0.2600.5949 in Microsoft Windows 2000 SP4 and earlier, Windows XP SP3 and earlier, Windows Server 2003 SP2 and earlier, Windows Server 2008 SP2 and earlier, Windows Server 2008 R2, Exchange Server 2003 SP3 and earlier, Exchange Server 2007 SP2 and earlier, and Exchange Server 2010 uses predictable transaction IDs that are formed by incrementing a previous ID by 1, which makes it easier for man-in-the-middle attackers to spoof DNS responses, a different vulnerability than CVE-2010-0024 and CVE-2010-0025. 39908 http://www.coresecurity.com/content/CORE-2010-0424-windows-smtp-dns-query-id-bugs 1023939 20100504 [CORE-2010-0427] Windows SMTP Service DNS query Id vulnerabilities The DNS implementation in smtpsvc.dll before 6.0.2600.5949 in Microsoft Windows 2000 SP4 and earlier, Windows XP SP3 and earlier, Windows Server 2003 SP2 and earlier, Windows Server 2008 SP2 and earlier, Windows Server 2008 R2, Exchange Server 2003 SP3 and earlier, Exchange Server 2007 SP2 and earlier, and Exchange Server 2010 does not verify that transaction IDs of responses match transaction IDs of queries, which makes it easier for man-in-the-middle attackers to spoof DNS responses, a different vulnerability than CVE-2010-0024 and CVE-2010-0025. 39910 http://www.coresecurity.com/content/CORE-2010-0424-windows-smtp-dns-query-id-bugs 1023939 20100504 [CORE-2010-0427] Windows SMTP Service DNS query Id vulnerabilities openibd in OpenFabrics Enterprise Distribution (OFED) 1.5.2 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/ib_set_node_desc.sh temporary file. ofed-openibd-symlink(62753) 44332 68856 [oss-security] 20101022 CVE-2010-1693: OFED openibd startup script uses predictable tmpfile 41937 [ewg] 20101021 [PATCH] security fix in openibd script SQL injection vulnerability in browse.html in PHP Video Battle Script allows remote attackers to execute arbitrary SQL commands via the cat parameter. ADV-2010-1027 12444 39647 SQL injection vulnerability in submitticket.php in WHMCompleteSolution (WHMCS) 4.2 allows remote attackers to execute arbitrary SQL commands via the deptid parameter. whmcs-submitticket-sql-injection(58108) 39681 12371 http://packetstormsecurity.org/1004-exploits/whmcs-sql.txt Multiple cross-site scripting (XSS) vulnerabilities in index_search.php in 2daybiz Polls (aka Advanced Poll) Script allow remote attackers to inject arbitrary web script or HTML via the (1) category parameter or (2) search field. polls-indexsearch-xss(58190) aps-category-xss(58128) 39745 12395 39622 http://packetstormsecurity.org/1004-exploits/aps-sqlxss.txt Multiple SQL injection vulnerabilities in 2daybiz Polls (aka Advanced Poll) Script allow remote attackers to execute arbitrary SQL commands via (1) the password field to login.php, (2) the login field (aka email parameter) to login.php, (3) the password field (aka pass parameter) to the default URI under admin/, and possibly (4) the login field to the default URI under admin/. NOTE: some of these details are obtained from third party information. polls-login-sql-injection(58189) aps-login-sql-injection(58127) 39745 12395 39622 http://packetstormsecurity.org/1004-exploits/aps-sqlxss.txt SQL injection vulnerability in casting_view.php in Modelbook allows remote attackers to execute arbitrary SQL commands via the adnum parameter. ADV-2010-1028 12443 39646 Multiple SQL injection vulnerabilities in login.php in 2daybiz Auction Script allow remote attackers to execute arbitrary SQL commands via (1) the login field (aka the username parameter), and possibly (2) the password field, to index.php. NOTE: some of these details are obtained from third party information. 2daybiz-login-sql-injection(58188) ADV-2010-1015 39728 12414 39621 http://packetstormsecurity.org/1004-exploits/2daybizauctionscript-sql.txt 64097 Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters. ADV-2010-1034 http://piwigo.org/code/wsvn/Piwigo?op=revision&rev=5936 Multiple SQL injection vulnerabilities in agentadmin.php in Free Realty allow remote attackers to execute arbitrary SQL commands via the (1) login field (aka agentname parameter) or (2) password field (aka agentpassword parameter). freerealty-agentadmin-sql-injection(58193) 39712 12411 http://packetstormsecurity.org/1004-exploits/freerealty-sql.txt Multiple cross-site scripting (XSS) vulnerabilities in upload.cgi in G5-Scripts Auto-Img-Gallery 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) user and (2) pass parameters. aig-upload-xss(58139) http://www.xenuser.org/documents/security/auto-img-gallery_xss.txt 39714 39599 Directory traversal vulnerability in login.php in Siestta 2.0, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the idioma parameter. siestta-login-file-include(57900) 39526 63837 12260 39453 http://packetstormsecurity.org/1004-exploits/siestta-lfixss.txt Cross-site scripting (XSS) vulnerability in carga_foto_al.php in Siestta 2.0, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the usuario parameter. siestta-usuario-xss(57899) 39526 63836 12260 39453 http://packetstormsecurity.org/1004-exploits/siestta-lfixss.txt Multiple cross-site scripting (XSS) vulnerabilities in base/Comments.php in Webmobo WB News 2.3.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name and possibly (2) message parameters. NOTE: some of these details are obtained from third party information. wbnews-comments-xss(58025) 39626 63973 http://www.itsecteam.com/en/vulnerabilities/vulnerability44.htm http://www.hack0wn.com/view.php?xroot=1310.0&cat=exploits 12323 39516 http://inj3ct0r.com/exploits/11914 SQL injection vulnerability in modules.php in PostNuke 0.764 allows remote attackers to execute arbitrary SQL commands via the sid parameter in a News article modload action. modload-index-sql-injection(58204) 39713 12410 http://packetstormsecurity.org/1004-exploits/postnukemodload-sql.txt Directory traversal vulnerability in the Arcade Games (com_arcadegames) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. comarcadegames-controller-file-include(57683) ADV-2010-0860 63660 12168 39413 http://packetstormsecurity.org/1004-exploits/joomlaarcadegames-lfi.txt Directory traversal vulnerability in the Online Examination (aka Online Exam or com_onlineexam) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. comonlineexam-controller-file-include(57677) 63659 12174 39414 http://packetstormsecurity.org/1004-exploits/joomlaonlineexam-lfi.txt SQL injection vulnerability in the Agenda Address Book (com_agenda) component 1.0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. agenda-index-sql-injection(57770) 39380 63723 http://www.joomlanetprojects.com/index.php/en/joomla-projects-downloads/joomla-1/joomla-1/42-comagenda.html 12132 39238 Directory traversal vulnerability in the iF surfALERT (com_if_surfalert) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0924 12291 39526 Directory traversal vulnerability in archeryscores.php in the Archery Scores (com_archeryscores) component 1.0.6 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. 39545 12282 39521 Directory traversal vulnerability in the MT Fire Eagle (com_mtfireeagle) component 1.2 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. commtfireeagle-index-file-inlclude(57850) 39509 12233 39470 http://packetstormsecurity.org/1004-exploits/joomlamtfireeagle-lfi.txt 63806 SQL injection vulnerability in the Q-Personel (com_qpersonel) component 1.0.2 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the katid parameter in a qpListele action to index.php. qpersonel-index-sql-injection(57775) http://www.xenuser.org/documents/security/qpersonel_sql.txt 39466 12200 39445 63894 SQL injection vulnerability in the Intellectual Property (aka IProperty or com_iproperty) component 1.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an agentproperties action to index.php. intellectual-index-sql-injection(57875) 39495 12246 39427 63750 http://extensions.thethinkery.net/ Directory traversal vulnerability in the Online Market (com_market) component 2.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. commarket-controller-file-include(57674) 63671 12177 39409 http://packetstormsecurity.org/1004-exploits/joomlaonlinemarket-lfi.txt Directory traversal vulnerability in the iNetLanka Contact Us Draw Root Map (com_drawroot) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0926 12289 39524 Multiple cross-site scripting (XSS) vulnerabilities in Zikula Application Framework 1.2.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) func parameter to index.php, or the (2) lang parameter to index.php, which is not properly handled by ZLanguage.php. zikula-index-xss(58224) 39717 20100427 XSS vulnerability in Zikula Application Framework 64095 http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework_1.html http://www.htbridge.ch/advisory/xss_vulnerability_in_zikula_application_framework.html 39614 64096 http://community.zikula.org/index.php?module=News&func=display&sid=3012&title=zikula-1.2.3-release-announcement SQL injection vulnerability in offers_buy.php in Alibaba Clone Platinum allows remote attackers to execute arbitrary SQL commands via the id parameter. alibabacloneplatinum-id-sql-injection(58262) 39846 12468 http://packetstormsecurity.org/1004-exploits/alibabacloneplatinum-sql.txt SQL injection vulnerability in offers_buy.php in EC21 Clone 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. ec21-offersbuyout-sql-injection(58266) 39832 12459 http://packetstormsecurity.org/1004-exploits/ec21clone-sql.txt SQL injection vulnerability in type.asp in JobPost 1.0 allows remote attackers to execute arbitrary SQL commands via the iType parameter. NOTE: some of these details are obtained from third party information. jobpost-type-sql-injection(58264) 39831 12461 39708 http://packetstormsecurity.org/1004-exploits/jobpost-sql.txt Opera before 10.53 on Windows and Mac OS X does not properly handle a series of document modifications that occur asynchronously, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via JavaScript that writes <marquee> sequences in an infinite loop, leading to attempted use of uninitialized memory. NOTE: this might overlap CVE-2006-6955. opera-documentwrite-code-execution(58231) ADV-2010-0999 http://www.opera.com/support/kb/view/953/ http://www.opera.com/docs/changelogs/windows/1053/ http://www.opera.com/docs/changelogs/mac/1053/ 39590 oval:org.mitre.oval:def:11927 http://my.opera.com/desktopteam/blog/2010/04/28/opera-10-53-rc1-for-windows-and-mac http://h.ackack.net/?p=258 WebKit.dll in WebKit, as used in Safari.exe 4.531.9.1 in Apple Safari, allows remote attackers to cause a denial of service (application crash) via JavaScript that writes <marquee> sequences in an infinite loop. ADV-2011-0212 43068 SUSE-SR:2011:002 http://h.ackack.net/?p=258 Dolphin Browser 2.5.0 on the HTC Hero allows remote attackers to cause a denial of service (application crash) via JavaScript that writes <marquee> sequences in an infinite loop. http://h.ackack.net/?p=258 Google Chrome on the HTC Hero allows remote attackers to cause a denial of service (application crash) via JavaScript that writes <marquee> sequences in an infinite loop. http://h.ackack.net/?p=258 Cross-site request forgery (CSRF) vulnerability in the users module in Zikula Application Framework before 1.2.3 allows remote attackers to hijack the authentication of administrators for requests that change the administrator email address (updateemail action). http://www.htbridge.ch/advisory/xsrf_csrf_in_zikula_application_framework.html http://community.zikula.org/index.php?module=News&func=display&sid=3012&title=zikula-1.2.3-release-announcement Multiple SQL injection vulnerabilities in OCS Inventory NG before 1.02.3 allow remote attackers to execute arbitrary SQL commands via (1) multiple inventory fields to the search form, reachable through index.php; or (2) the "Software name" field to the "All softwares" search form, reachable through index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ocsinventoryng-searchform-sql-injection(55873) MDVSA-2010:178 38311 61942 The SfnINSTRING function in win32k.sys in the kernel in Microsoft Windows 2000, XP, and Server 2003 allows local users to cause a denial of service (system crash) via a 0x18d value in the second argument (aka the Msg argument) of a PostMessage function call for the DDEMLEvent window. 39631 20100422 Windows 2000/XP/2003 win32k.sys SfnINSTRING local kernel Denial of Service Vulnerability http://vigilance.fr/vulnerability/Windows-denials-of-service-of-win32k-sys-9607 39456 The SfnLOGONNOTIFY function in win32k.sys in the kernel in Microsoft Windows 2000, XP, and Server 2003 allows local users to cause a denial of service (system crash) via a 0x4c value in the second argument (aka the Msg argument) of a PostMessage function call for the DDEMLEvent window. 39630 20100422 Windows 2000/XP/2003 win32k.sys SfnLOGONNOTIFY local kernel Denial of Service Vulnerability http://vigilance.fr/vulnerability/Windows-denials-of-service-of-win32k-sys-9607 39456 KrM Haber 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for d_atabase/Krmdb.mdb. krmhaber-krmdb-information-disclosure(58284) 39700 http://packetstormsecurity.org/1004-exploits/krmhaber-disclose.txt 64217 PHP remote file inclusion vulnerability in core/includes/gfw_smarty.php in Gallo 0.1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the config[gfwroot] parameter. ADV-2010-1060 39890 12488 39706 http://packetstormsecurity.org/1005-exploits/gallo-rfi.txt ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-1448. Reason: This candidate is a duplicate of CVE-2010-1448. Notes: All CVE users should reference CVE-2010-1448 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. SQL injection vulnerability in the Newsfeeds (com_newsfeeds) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the feedid parameter in a categories action to index.php. comnewsfeeds-feedid-sql-injection(58263) 39834 12465 http://packetstormsecurity.org/1004-exploits/joomlanewsfeeds-sql.txt SQL injection vulnerability in newsletter.php in GuppY 4.5.18 allows remote attackers to execute arbitrary SQL commands via the lng parameter. guppy-newsletter-sql-injection(58277) 39860 12484 http://packetstormsecurity.org/1005-exploits/guppy-sql.txt SQL injection vulnerability in request_account.php in Billwerx RC 5.2.2 PL2 allows remote attackers to execute arbitrary SQL commands via the primary_number parameter. billwerx-requestaccount-sql-injection(58278) 39867 http://packetstormsecurity.org/1005-exploits/billwerx-sql.txt Cross-site scripting (XSS) vulnerability in projects.php in Scratcher allows remote attackers to inject arbitrary web script or HTML via the show parameter. scratcher-projects-xss(58235) 39827 12458 39631 http://packetstormsecurity.org/1004-exploits/scratcher-sqlxss.txt 64219 SQL injection vulnerability in projects.php in Scratcher allows remote attackers to execute arbitrary SQL commands via the id parameter. scratcher-projects-sql-injection(58234) 39827 12458 39631 http://packetstormsecurity.org/1004-exploits/scratcher-sqlxss.txt 64220 SQL injection vulnerability in product.html in B2B Gold Script allows remote attackers to execute arbitrary SQL commands via the id parameter. b2bgoldscript-id-sql-injection(58265) 39830 12460 39710 http://packetstormsecurity.org/1004-exploits/b2bgoldscript-sql.txt 64212 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-1867. Reason: This candidate is a duplicate of CVE-2010-1867. Notes: All CVE users should reference CVE-2010-1867 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple cross-site scripting (XSS) vulnerabilities in the Table JX (com_grid) component for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) data_search and (2) rpp parameters to index.php. tablejx-index-xss(58270) ADV-2010-1053 39854 12473 The cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstated by the (1) /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs. 40871 http://support.apple.com/kb/HT4188 ADV-2011-0535 ADV-2010-1481 MDVSA-2010:234 MDVSA-2010:232 DSA-2176 43521 40220 oval:org.mitre.oval:def:9723 SUSE-SR:2010:023 APPLE-SA-2010-06-15-1 http://cups.org/str.php?L3577 http://cups.org/articles.php?L596 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the Cascading Style Sheets (CSS) run-in property and multiple invocations of a destructor for a child element that has been referenced multiple times. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://www.zerodayinitiative.com/advisories/ZDI-10-101 ADV-2011-0212 ADV-2010-1512 20100608 ZDI-10-101: Apple Webkit SVG RadialGradiant Run-in Remote Code Execution Vulnerability http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 40196 40105 oval:org.mitre.oval:def:7180 SUSE-SR:2011:002 APPLE-SA-2010-06-16-1 Use-after-free vulnerability in Apple Safari before 5.0 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to improper window management. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://support.apple.com/kb/HT4196 1024067 40105 oval:org.mitre.oval:def:7143 Application Sandbox in Apple iOS before 4 on the iPhone and iPod touch does not prevent photo-library access, which might allow remote attackers to obtain location information via unspecified vectors. Per: http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html 'Installation note: These updates are only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone or iPod touch. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer. To check that the iPhone or iPod touch has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "4.0 (8A293)" or later. appleios-sandbox-info-disclosure(59630) 41016 http://support.apple.com/kb/HT4225 APPLE-SA-2010-06-21-1 Stack-based buffer overflow in CFNetwork in Apple iOS before 4 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to URL handling. Per: http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html 'Installation note: These updates are only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone or iPod touch. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer. To check that the iPhone or iPod touch has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "4.0 (8A293)" or later.' appleios-cfnetwork-bo(59631) 41016 http://support.apple.com/kb/HT4435 http://support.apple.com/kb/HT4225 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-10-1 ImageIO in Apple iOS before 4 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted JPEG image. Per: http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html 'Installation note: These updates are only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone or iPod touch. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer. To check that the iPhone or iPod touch has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "4.0 (8A293)" or later.' appleios-imageio-code-execution(59632) 41016 http://support.apple.com/kb/HT4225 APPLE-SA-2010-06-21-1 Passcode Lock in Apple iOS before 4 on the iPhone and iPod touch does not properly handle alert-based unlocks in conjunction with subsequent Remote Lock operations through MobileMe, which allows physically proximate attackers to bypass intended passcode requirements via unspecified vectors. Per: http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html 'Installation note: These updates are only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone or iPod touch. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer. To check that the iPhone or iPod touch has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "4.0 (8A293)" or later.' appleios-passcodelock-security-bypass(59633) 41016 http://support.apple.com/kb/HT4225 APPLE-SA-2010-06-21-1 Safari in Apple iOS before 4 on the iPhone and iPod touch does not properly implement the Accept Cookies preference, which makes it easier for remote web servers to track users via a cookie. Per: http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html 'Installation note: These updates are only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone or iPod touch. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer. To check that the iPhone or iPod touch has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "4.0 (8A293)" or later.' appleios-safari-security-bypass(59634) 41016 http://support.apple.com/kb/HT4225 APPLE-SA-2010-06-21-1 The Settings application in Apple iOS before 4 on the iPhone and iPod touch does not properly report the wireless network that is in use, which might make it easier for remote attackers to trick users into communicating over an unintended network. Per: http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html 'Installation note: These updates are only available through iTunes, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from www.apple.com/itunes/ iTunes will automatically check Apple's update server on its weekly schedule. When an update is detected, it will download it. When the iPhone or iPod touch is docked, iTunes will present the user with the option to install the update. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iPhone or iPod touch. The automatic update process may take up to a week depending on the day that iTunes checks for updates. You may manually obtain the update via the Check for Updates button within iTunes. After doing this, the update can be applied when your iPhone or iPod touch is docked to your computer. To check that the iPhone or iPod touch has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "4.0 (8A293)" or later.' 41016 http://support.apple.com/kb/HT4225 APPLE-SA-2010-06-21-1 WebKit in Apple iOS before 4 on the iPhone and iPod touch does not enforce the expected boundary restrictions on content display by an IFRAME element, which allows remote attackers to spoof the user interface via a crafted HTML document. ADV-2011-0212 41068 41016 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 43068 42314 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving DOM Range objects. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:7335 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the Node.normalize method. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7005 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 loader/DocumentThreadableLoader.cpp in the XMLHttpRequest implementation in WebCore in WebKit before r58409 does not properly handle credentials during a cross-origin synchronous request, which has unspecified impact and remote attack vectors, aka rdar problem 7905150. https://bugs.webkit.org/show_bug.cgi?id=37781 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 42494 MDVSA-2011:039 http://trac.webkit.org/changeset/58409 http://security-tracker.debian.org/tracker/CVE-2010-1760 43068 41856 SUSE-SR:2011:002 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving HTML document subtrees. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7157 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via vectors involving HTML in a TEXTAREA element. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4196 1024067 43068 41856 40105 oval:org.mitre.oval:def:7503 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 Unspecified vulnerability in WebKit in Apple iTunes before 9.2 on Windows has unknown impact and attack vectors, a different vulnerability than CVE-2010-1387 and CVE-2010-1769. itunes-webkit-unspecified-var2(59507) ADV-2011-0212 ADV-2010-1512 http://support.apple.com/kb/HT4220 1024108 43068 40196 oval:org.mitre.oval:def:7221 SUSE-SR:2011:002 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, follows multiple redirections during form submission, which allows remote web servers to obtain sensitive information by recording the form data. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40105 oval:org.mitre.oval:def:7347 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 Off-by-one error in the WebSocketHandshake::readServerHandshake function in websockets/WebSocketHandshake.cpp in WebCore in WebKit before r56380, as used in Qt and other products, allows remote websockets servers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an upgrade header that is long and invalid. https://bugzilla.redhat.com/show_bug.cgi?id=596494 https://bugs.webkit.org/show_bug.cgi?id=36339 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1801 USN-1006-1 MDVSA-2011:039 http://trac.webkit.org/changeset/56380 43068 41856 40557 SUSE-SR:2011:002 FEDORA-2010-11020 FEDORA-2010-11011 Cross-site request forgery (CSRF) vulnerability in loader/DocumentThreadableLoader.cpp in WebCore in WebKit before r57041, as used in Google Chrome before 4.1.249.1059, allows remote attackers to hijack the authentication of unspecified victims via a crafted synchronous preflight XMLHttpRequest operation. https://bugs.webkit.org/show_bug.cgi?id=36843 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 39603 MDVSA-2011:039 http://trac.webkit.org/changeset/57041 http://security-tracker.debian.org/tracker/CVE-2010-1767 43068 41856 39544 oval:org.mitre.oval:def:11140 64002 SUSE-SR:2011:002 http://googlechromereleases.blogspot.com/2010/04/stable-update-security-fixes.html http://code.google.com/p/chromium/issues/detail?id=39698 Unspecified vulnerability in Apple iTunes before 9.1 allows local users to gain console privileges via vectors related to log files, "insecure file operation," and syncing an iPhone, iPad, or iPod touch. itunes-operations-privilege-escalation(61222) 42538 http://support.apple.com/kb/HT4105 oval:org.mitre.oval:def:7604 WebKit in Apple iTunes before 9.2 on Windows, and Apple iOS before 4 on the iPhone and iPod touch, accesses out-of-bounds memory during the handling of tables, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document, a different vulnerability than CVE-2010-1387 and CVE-2010-1763. itunes-webkit-unspecified-var3(59508) ADV-2011-0212 ADV-2010-1512 41016 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 1024108 43068 40196 oval:org.mitre.oval:def:7178 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, Apple Safari before 4.1 on Mac OS X 10.4, and Google Chrome before 5.0.375.70 does not properly handle a transformation of a text node that has the IBM1147 character set, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document containing a BR element, related to a "type checking issue." ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 http://zerodayinitiative.com/advisories/ZDI-10-093/ ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 40072 oval:org.mitre.oval:def:7099 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 http://googlechromereleases.blogspot.com/2010/06/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=43487 Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving fonts. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 safari-webkit-fonts-ce(59214) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 42314 41856 40196 40105 oval:org.mitre.oval:def:6862 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-06-16-1 Use-after-free vulnerability in page/Geolocation.cpp in WebCore in WebKit before r59859, as used in Google Chrome before 5.0.375.70, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted web site, related to failure to stop timers associated with geolocation upon deletion of a document. https://bugzilla.redhat.com/show_bug.cgi?id=596498 https://bugs.webkit.org/show_bug.cgi?id=39388 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1801 USN-1006-1 MDVSA-2011:039 http://trac.webkit.org/changeset/59859 43068 41856 40557 40072 oval:org.mitre.oval:def:11661 SUSE-SR:2011:002 FEDORA-2010-11020 FEDORA-2010-11011 http://googlechromereleases.blogspot.com/2010/06/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=44868 Off-by-one error in the toAlphabetic function in rendering/RenderListMarker.cpp in WebCore in WebKit before r59950, as used in Google Chrome before 5.0.375.70, allows remote attackers to obtain sensitive information, cause a denial of service (memory corruption and application crash), or possibly execute arbitrary code via vectors related to list markers for HTML lists, aka rdar problem 8009118. https://bugzilla.redhat.com/show_bug.cgi?id=596500 https://bugs.webkit.org/show_bug.cgi?id=39508 ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1801 USN-1006-1 41575 MDVSA-2011:039 http://trac.webkit.org/changeset/59950 43068 41856 40557 40072 oval:org.mitre.oval:def:11830 SUSE-SR:2011:002 FEDORA-2010-11020 FEDORA-2010-11011 http://googlechromereleases.blogspot.com/2010/06/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=44955 WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, accesses out-of-bounds memory during processing of HTML tables, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document. ADV-2010-1373 40620 APPLE-SA-2010-06-07-1 safari-webkit-htmltables-ce(59218) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 ADV-2010-1512 USN-1006-1 MDVSA-2011:039 http://support.apple.com/kb/HT4225 http://support.apple.com/kb/HT4220 http://support.apple.com/kb/HT4196 1024067 43068 41856 40196 40105 oval:org.mitre.oval:def:7476 SUSE-SR:2011:002 APPLE-SA-2010-06-21-1 APPLE-SA-2010-06-16-1 Race condition in Passcode Lock in Apple iOS before 4 on the iPhone and iPod touch allows physically proximate attackers to bypass intended passcode requirements, and pair a locked device with a computer and access arbitrary data, via vectors involving the initial boot. appleios-passcode-lock-sec-bypass(59637) 41016 http://support.apple.com/kb/HT4225 APPLE-SA-2010-06-21-1 Buffer overflow in Apple iTunes before 9.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted itpc: URL. http://support.apple.com/kb/HT4263 oval:org.mitre.oval:def:6988 APPLE-SA-2010-07-19-1 Cross-site scripting (XSS) vulnerability in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to inject arbitrary web script or HTML via an RSS feed. 42020 APPLE-SA-2010-07-28-1 http://support.apple.com/kb/HT4276 oval:org.mitre.oval:def:11639 Use-after-free vulnerability in WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to element focus. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43086 43068 42314 41856 oval:org.mitre.oval:def:10964 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 Double free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the rendering of an inline element. appleios-inline-elements-code-exec(61698) ADV-2011-0552 ADV-2011-0212 ADV-2010-2722 USN-1006-1 43077 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 43068 42314 41856 SUSE-SR:2011:002 SUSE-SR:2010:018 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors related to the rendering of an inline element. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43086 43068 42314 41856 oval:org.mitre.oval:def:11935 SUSE-SR:2011:002 SUSE-SR:2010:018 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; does not properly handle dynamic modification of a text node, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43086 43068 42314 41856 oval:org.mitre.oval:def:11820 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 The counters functionality in the Cascading Style Sheets (CSS) implementation in WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43086 43068 42314 41856 oval:org.mitre.oval:def:11766 SUSE-SR:2011:002 SUSE-SR:2010:018 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; accesses uninitialized memory during processing of the (1) :first-letter and (2) :first-line pseudo-elements in an SVG text element, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted document. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43086 43068 42314 41856 oval:org.mitre.oval:def:11941 SUSE-SR:2011:002 SUSE-SR:2010:018 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 Use-after-free vulnerability in WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a foreignObject element in an SVG document. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43086 43068 42314 41856 oval:org.mitre.oval:def:11837 SUSE-SR:2011:002 SUSE-SR:2010:018 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a floating element in an SVG document. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43086 43068 42314 41856 oval:org.mitre.oval:def:11877 SUSE-SR:2011:002 SUSE-SR:2010:018 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a use element in an SVG document. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43086 43068 42314 41856 oval:org.mitre.oval:def:11962 SUSE-SR:2011:002 SUSE-SR:2010:018 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 Heap-based buffer overflow in WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a JavaScript string object. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0212 ADV-2010-3046 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4276 43068 42314 oval:org.mitre.oval:def:11524 SUSE-SR:2011:002 APPLE-SA-2010-11-22-1 WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; does not properly handle just-in-time (JIT) compiled JavaScript stubs, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document, related to a "reentrancy issue." 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4276 43086 43068 41856 oval:org.mitre.oval:def:11777 SUSE-SR:2011:002 SUSE-SR:2010:018 Integer signedness error in WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving a JavaScript array index. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0212 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43068 42314 oval:org.mitre.oval:def:11802 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted regular expression. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4564 http://support.apple.com/kb/HT4276 43086 43068 41856 oval:org.mitre.oval:def:11898 SUSE-SR:2011:002 SUSE-SR:2010:018 APPLE-SA-2011-03-09-1 Multiple use-after-free vulnerabilities in WebKit in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4; and webkitgtk before 1.2.6; allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a (1) font-face or (2) use element in an SVG document. 42020 APPLE-SA-2010-07-28-1 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4334 http://support.apple.com/kb/HT4276 43086 43068 42314 41856 oval:org.mitre.oval:def:11923 SUSE-SR:2011:002 SUSE-SR:2010:018 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 The webdav_mount function in webdav_vfsops.c in the WebDAV kernel extension (aka webdav_fs.kext) for Mac OS X 10.6 allows local users to cause a denial of service (panic) via a mount request with a large integer in the pa_socket_namelen field. 20100726 Mac OS X WebDAV kernel extension local denial-of-service 41958 1024250 Untrusted search path vulnerability in Apple iTunes before 9.1, when running on Windows 7, Vista, and XP, allows local users and possibly remote attackers to gain privileges via a Trojan horse DLL in the current working directory. itunes-dll-code-execution(61223) 42541 20100818 ACROS Security: Remote Binary Planting in Apple iTunes for Windows (ASPR #2010-08-18-1) http://www.acrossecurity.com/aspr/ASPR-2010-08-18-1-PUB.txt http://support.apple.com/kb/HT4105 oval:org.mitre.oval:def:7217 The AutoFill feature in Apple Safari before 5.0.1 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.1 on Mac OS X 10.4, allows remote attackers to obtain sensitive Address Book Card information via JavaScript code that forces keystroke events for input fields. 42020 APPLE-SA-2010-07-28-1 http://support.apple.com/kb/HT4276 oval:org.mitre.oval:def:11112 Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType before 2.4.2, as used in Apple iOS before 4.0.2 on the iPhone and iPod touch and before 3.2.2 on the iPad, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted CFF opcodes in embedded fonts in a PDF document, as demonstrated by JailbreakMe. NOTE: some of these details are obtained from third party information. https://bugzilla.redhat.com/show_bug.cgi?id=621144 https://bugs.launchpad.net/ubuntu/maverick/+source/freetype/+bug/617019 appleios-pdf-code-execution(60856) ADV-2010-2106 ADV-2010-2018 USN-972-1 42151 http://www.f-secure.com/weblog/archives/00002002.html 14538 http://support.apple.com/kb/HT4292 http://support.apple.com/kb/HT4291 http://sourceforge.net/projects/freetype/files/freetype2/2.4.2/NEWS/view 40982 40816 40807 66828 APPLE-SA-2010-08-11-2 APPLE-SA-2010-08-11-1 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=11d65e8a1f1f14e56148fd991965424d9bd1cdbc http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=018f5c27813dd7eef4648fe254632ecea0c85a50 http://freetype.sourceforge.net/index2.html#release-freetype-2.4.2 Stack-based buffer overflow in the error-logging functionality in Apple QuickTime before 7.6.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. 41962 http://support.apple.com/kb/HT4290 oval:org.mitre.oval:def:11800 APPLE-SA-2010-08-12-1 CFNetwork in Apple Mac OS X 10.6.3 and 10.6.4 supports anonymous SSL and TLS connections, which allows man-in-the-middle attackers to redirect a connection and obtain sensitive information via crafted responses. http://support.apple.com/kb/HT4312 1024359 APPLE-SA-2010-08-24-1 Heap-based buffer overflow in CoreGraphics in Apple Mac OS X 10.5.8 and 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file. http://support.apple.com/kb/HT4312 1024359 APPLE-SA-2010-08-24-1 libsecurity in Apple Mac OS X 10.5.8 and 10.6.4 does not properly perform comparisons to domain-name strings in X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a certificate associated with a similar domain name, as demonstrated by use of a www.example.con certificate to spoof www.example.com. http://support.apple.com/kb/HT4312 1024359 APPLE-SA-2010-08-24-1 Time Machine in Apple Mac OS X 10.6.x before 10.6.5 does not verify the unique identifier of its remote AFP volume, which allows remote attackers to obtain sensitive information by spoofing this volume. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 Unspecified vulnerability in the network bridge functionality on the Apple Time Capsule, AirPort Extreme Base Station, and AirPort Express Base Station with firmware before 7.5.2 allows remote attackers to cause a denial of service (networking outage) via a crafted DHCP reply. http://support.apple.com/kb/HT4298 APPLE-SA-2010-12-16-1 1024907 Untrusted search path vulnerability in Apple Safari 4.x before 4.1.2 and 5.x before 5.0.2 on Windows allows local users to gain privileges via a Trojan horse explorer.exe (aka Windows Explorer) program in a directory containing a file that had been downloaded by Safari. 43048 http://support.apple.com/kb/HT4333 oval:org.mitre.oval:def:11956 APPLE-SA-2010-09-07-1 Use-after-free vulnerability in Apple Safari 4.x before 4.1.2 and 5.x before 5.0.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via run-in styling in an element, related to object pointers. 43049 ADV-2010-3046 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4333 42314 oval:org.mitre.oval:def:11729 APPLE-SA-2010-09-07-1 APPLE-SA-2010-11-22-1 WebKit in Apple Safari 4.x before 4.1.2 and 5.x before 5.0.2; Android before 2.2; and webkitgtk before 1.2.6; does not properly validate floating-point data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document, related to non-standard NaN representation. 43047 https://bugzilla.redhat.com/show_bug.cgi?id=627703 ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-3046 ADV-2010-2722 USN-1006-1 RHSA-2011:0177 MDVSA-2011:039 http://www.computerworld.com/s/article/9195058/Researcher_to_release_Web_based_Android_attack http://trac.webkit.org/changeset/64706 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4333 43086 43068 42314 41856 oval:org.mitre.oval:def:11964 SUSE-SR:2011:002 APPLE-SA-2010-09-07-1 APPLE-SA-2010-11-22-1 Stack-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.5.8 and 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded font in a document. http://support.apple.com/kb/HT4312 1024359 APPLE-SA-2010-08-24-1 The Accessibility component in Apple iOS before 4.1 on the iPhone and iPod touch does not perform the expected VoiceOver announcement associated with the location services icon, which has unspecified impact and attack vectors. appleios-voiceover-weak-security(61694) http://support.apple.com/kb/HT4334 APPLE-SA-2010-09-08-1 FaceTime in Apple iOS before 4.1 on the iPhone and iPod touch does not properly handle invalid X.509 certificates, which allows man-in-the-middle attackers to redirect calls via a crafted certificate. appleios-facetime-sec-bypass(61695) http://support.apple.com/kb/HT4334 APPLE-SA-2010-09-08-1 ImageIO in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted TIFF file. appleios-tiff-code-exec(61696) http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4435 http://support.apple.com/kb/HT4334 42314 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-11-10-1 Use-after-free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch, and webkitgtk before 1.2.6, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving selections. appleios-selections-code-exec(61699) ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 43079 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4455 http://support.apple.com/kb/HT4334 43086 43068 42314 41856 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-11-18-1 WebKit in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors involving HTML object outlines. appleios-html-object-code-exec(61700) ADV-2011-0212 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4455 http://support.apple.com/kb/HT4334 43068 42314 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-11-18-1 WebKit in Apple iOS before 4.1 on the iPhone and iPod touch, and webkitgtk before 1.2.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors involving form menus. appleios-formmenus-code-exec(61701) ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 43083 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4455 http://support.apple.com/kb/HT4334 43086 43068 42314 41856 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-11-18-1 Use-after-free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch, and webkitgtk before 1.2.6, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving scrollbars. appleios-scrollbars-code-exec(61702) ADV-2011-0552 ADV-2011-0216 ADV-2011-0212 ADV-2010-2722 USN-1006-1 43081 RHSA-2011:0177 MDVSA-2011:039 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4455 http://support.apple.com/kb/HT4334 43086 43068 42314 41856 SUSE-SR:2011:002 APPLE-SA-2010-09-08-1 APPLE-SA-2010-11-22-1 APPLE-SA-2010-11-18-1 Buffer overflow in ImageIO in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file. appleios-gif-bo(61697) http://support.apple.com/kb/HT4334 APPLE-SA-2010-09-08-1 The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshaling of an untrusted pointer. https://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb http://threatpost.com/en_us/blogs/new-remote-flaw-apple-quicktime-bypasses-aslr-and-dep-083010 http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1 oval:org.mitre.oval:def:7523 Apple Filing Protocol (AFP) Server in Apple Mac OS X 10.6.x through 10.6.4 does not properly handle errors, which allows remote attackers to bypass the password requirement for shared-folder access by leveraging knowledge of a valid account name. APPLE-SA-2010-09-20-1 43341 http://support.apple.com/kb/HT4361 oval:org.mitre.oval:def:12109 WebKit, as used in Apple Safari before 4.1.3 and 5.0.x before 5.0.3 and Google Chrome before 6.0.472.62, does not properly perform a cast of an unspecified variable, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an SVG element in a non-SVG document. https://bugs.webkit.org/show_bug.cgi?id=45562 ADV-2011-0212 ADV-2010-3046 http://support.apple.com/kb/HT4456 http://support.apple.com/kb/HT4455 43068 42314 oval:org.mitre.oval:def:6691 SUSE-SR:2011:002 APPLE-SA-2010-11-22-1 APPLE-SA-2010-11-18-1 http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_17.html http://code.google.com/p/chromium/issues/detail?id=55114 Use-after-free vulnerability in WebKit before r65958, as used in Google Chrome before 6.0.472.59, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger use of document APIs such as document.close during parsing, as demonstrated by a Cascading Style Sheets (CSS) file referencing an invalid SVG font, aka rdar problem 8442098. https://bugs.webkit.org/show_bug.cgi?id=44533 https://bugs.webkit.org/show_bug.cgi?id=43055 ADV-2011-0212 http://support.apple.com/kb/HT4981 http://support.apple.com/kb/HT4808 43068 oval:org.mitre.oval:def:7405 SUSE-SR:2011:002 APPLE-SA-2011-10-11-1 APPLE-SA-2011-07-20-1 http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_14.html http://code.google.com/p/chromium/issues/detail?id=50250 Use-after-free vulnerability in WebKit, as used in Apple iTunes before 10.2 on Windows, Apple Safari, and Google Chrome before 6.0.472.59, allows remote attackers to execute arbitrary code or cause a denial of service via vectors related to SVG styles, the DOM tree, and error messages. https://bugs.webkit.org/show_bug.cgi?id=43260 http://www.zerodayinitiative.com/advisories/ZDI-11-095 ADV-2011-0212 http://support.apple.com/kb/HT4566 http://support.apple.com/kb/HT4554 43068 oval:org.mitre.oval:def:7151 SUSE-SR:2011:002 APPLE-SA-2011-03-02-1 http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_14.html http://code.google.com/p/chromium/issues/detail?id=50712 Use-after-free vulnerability in WebKit, as used in Google Chrome before 6.0.472.59, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to nested SVG elements. https://bugs.webkit.org/show_bug.cgi?id=43587 ADV-2011-0212 43068 oval:org.mitre.oval:def:7202 SUSE-SR:2011:002 http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_14.html http://code.google.com/p/chromium/issues/detail?id=51252 AFP Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon restart) via crafted reconnect authentication packets. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 Directory traversal vulnerability in AFP Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote authenticated users to execute arbitrary code by creating files that are outside the bounds of a share. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 AFP Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 generates different error messages depending on whether a share exists, which allows remote attackers to enumerate valid share names via unspecified vectors. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 Buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code via a long name of an embedded font in a document. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 Stack-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code via a crafted embedded font in a document. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 Apple Type Services (ATS) in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted embedded font in a document. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 CFNetwork in Apple Mac OS X 10.6.x before 10.6.5 does not properly validate the domains of cookies, which makes it easier for remote web servers to track users by setting a cookie that is associated with a partial IP address. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 Stack-based buffer overflow in CoreGraphics in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 CoreText in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font in a PDF document. http://support.apple.com/kb/HT4435 1024723 44808 APPLE-SA-2010-11-10-1 Directory Services in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 does not properly handle errors associated with disabled mobile accounts, which allows remote attackers to bypass authentication by providing a valid account name. http://support.apple.com/kb/HT4435 1024723 44817 APPLE-SA-2010-11-10-1 Stack-based buffer overflow in the password-validation functionality in Directory Services in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 Disk Images in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted UDIF image. http://support.apple.com/kb/HT4435 1024723 44815 APPLE-SA-2010-11-10-1 Buffer overflow in AppKit in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a bidirectional text string with ellipsis truncation. http://support.apple.com/kb/HT4435 1024723 44803 APPLE-SA-2010-11-10-1 Networking in Apple Mac OS X 10.6.2 through 10.6.4 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted PIM packet. http://support.apple.com/kb/HT4435 ADV-2010-3046 1024723 http://support.apple.com/kb/HT4456 42314 APPLE-SA-2010-11-22-1 APPLE-SA-2010-11-10-1 Unspecified vulnerability in Image Capture in Apple Mac OS X 10.6.x before 10.6.5 allows remote attackers to cause a denial of service (memory consumption and system crash) via a crafted image. http://support.apple.com/kb/HT4435 1024723 44813 APPLE-SA-2010-11-10-1 ImageIO in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted PSD image. http://support.apple.com/kb/HT4435 1024723 20101122 NGS00015 Patch Notification: ImageIO Memory Corruption APPLE-SA-2010-11-10-1 Heap-based buffer overflow in Image RAW in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted RAW image. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 The kernel in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform memory management associated with terminal devices, which allows local users to cause a denial of service (system crash) via unspecified vectors. http://support.apple.com/kb/HT4435 1024723 APPLE-SA-2010-11-10-1 Directory traversal vulnerability in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to bypass intended table grants to read field definitions of arbitrary tables, and on 5.1 to read or delete content of arbitrary tables, via a .. (dot dot) in a table name. RHSA-2010:0824 RHSA-2010:0442 MDVSA-2010:107 http://support.apple.com/kb/HT4435 1024031 oval:org.mitre.oval:def:7210 oval:org.mitre.oval:def:10258 SUSE-SR:2010:021 SUSE-SR:2010:019 http://lists.mysql.com/commits/107532 APPLE-SA-2010-11-10-1 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html http://bugs.mysql.com/bug.php?id=53371 The my_net_skip_rest function in sql/net_serv.cc in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a large number of packets that exceed the maximum length. Per: http://cwe.mitre.org/data/definitions/371.html 'CWE-371: State Issues' MDVSA-2010:107 http://support.apple.com/kb/HT4435 1024032 oval:org.mitre.oval:def:7328 SUSE-SR:2010:021 SUSE-SR:2010:019 http://lists.mysql.com/commits/106060 APPLE-SA-2010-11-10-1 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html http://bugs.mysql.com/bug.php?id=50974 Buffer overflow in MySQL 5.0 through 5.0.91 and 5.1 before 5.1.47 allows remote authenticated users to execute arbitrary code via a COM_FIELD_LIST command with a long table name. RHSA-2010:0442 MDVSA-2010:107 http://support.apple.com/kb/HT4435 1024033 oval:org.mitre.oval:def:6693 oval:org.mitre.oval:def:10846 SUSE-SR:2010:019 APPLE-SA-2010-11-10-1 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-47.html http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html http://bugs.mysql.com/bug.php?id=53237 Google Chrome, when the Invisible Hand extension is enabled, uses cookies during background HTTP requests in a possibly unexpected manner, which might allow remote web servers to identify specific persons and their product searches via HTTP request logging, related to a "cross-site data leakage" issue. http://www.cnet.com/8301-31361_1-20004265-254.html oval:org.mitre.oval:def:11757 Microsoft Internet Explorer, when the Invisible Hand extension is enabled, uses cookies during background HTTP requests in a possibly unexpected manner, which might allow remote web servers to identify specific persons and their product searches via HTTP request logging, related to a "cross-site data leakage" issue. http://www.cnet.com/8301-31361_1-20004265-254.html Multiple stack-based buffer overflows in the tr_magnetParse function in libtransmission/magnet.c in Transmission 1.91 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted magnet URL with a large number of (1) tr or (2) ws links. 38814 ADV-2010-0655 63066 http://trac.transmissionbt.com/wiki/Changes http://trac.transmissionbt.com/ticket/2965 http://trac.transmissionbt.com/changeset/10279 39031 Cross-site scripting (XSS) vulnerability in auktion.php in Pay Per Watch & Bid Auktions System allows remote attackers to inject arbitrary web script or HTML via the id_auk parameter, which is not properly handled in a forced SQL error message. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: this might be resultant from CVE-2010-1855. 39059 SQL injection vulnerability in auktion.php in Pay Per Watch & Bid Auktions System allows remote attackers to execute arbitrary SQL commands via the id_auk parameter. payperwatch-auktion-sql-injection(57055) ADV-2010-0670 38878 11816 39059 http://packetstormsecurity.org/1003-exploits/ppwb-sql.txt 63131 Cross-site scripting (XSS) vulnerability in index.php in RepairShop2 1.9.023 Trial, when magic_quotes_gpc is disabled, allows remote attackers to inject arbitrary web script or HTML via the prod parameter in a products.details action. 38907 39043 http://packetstormsecurity.org/1003-exploits/repairshop2-xss.txt SQL injection vulnerability in index.php in RepairShop2 1.9.023 Trial, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the prod parameter in a products.details action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. TA10-159B 38907 39043 Directory traversal vulnerability in the SMEStorage (com_smestorage) component before 1.1 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. smestorage-index-file-include(57108) 38911 11853 39071 http://packetstormsecurity.org/1003-exploits/joomlasmestorage-lfi.txt SQL injection vulnerability in newpost.php in DeluxeBB 1.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the membercookie cookie when adding a new thread. 39962 http://php-security.org/2010/05/06/mops-2010-011-deluxebb-newthread-sql-injection-vulnerability/index.html The html_entity_decode function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal call, related to the call time pass by reference feature. http://php-security.org/2010/05/06/mops-2010-010-php-html_entity_decode-interruption-information-leak-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 The sysvshm extension for PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to write to arbitrary memory addresses by using an object's __sleep function to interrupt an internal call to the shm_put_var function, which triggers access of a freed resource. http://php-security.org/2010/05/05/mops-2010-009-php-shm_put_var-already-freed-resource-access-vulnerability/index.html The chunk_split function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. http://php-security.org/2010/05/04/mops-2010-008-php-chunk_split-interruption-information-leak-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 SQL injection vulnerability in the shoutbox module (modules/shoutbox.php) in ClanTiger 1.1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the s_email parameter. http://php-security.org/2010/05/04/mops-2010-007-clantiger-shoutbox-module-s_email-sql-injection-vulnerability/index.html The addcslashes function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. http://php-security.org/2010/05/03/mops-2010-006-php-addcslashes-interruption-information-leak-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 Multiple SQL injection vulnerabilities in ClanSphere 2009.0.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the IP address to the cs_getip function in generate.php in the Captcha module, or (2) the s_email parameter to the cs_sql_select function in the MySQL database driver (mysql.php). http://trac.clansphere.de/csp/changeset/3808/ http://trac.clansphere.de/csp/changeset/3803/ clansphere-captcha-sql-injection(58311) ADV-2010-1066 39896 http://www.csphere.eu/index/news/view/id/487/start/0 39685 http://php-security.org/2010/05/03/mops-2010-005-clansphere-mysql-driver-generic-sql-injection-vulnerability/index.html http://php-security.org/2010/05/03/mops-2010-004-clansphere-captcha-generator-blind-sql-injection-vulnerability/index.html 64321 64320 The dechunk filter in PHP 5.3 through 5.3.2, when decoding an HTTP chunked encoding stream, allows context-dependent attackers to cause a denial of service (crash) and possibly trigger memory corruption via a negative chunk size, which bypasses a signed comparison, related to an integer overflow in the chunk size decoder. http://php-security.org/2010/05/02/mops-2010-003-php-dechunk-filter-signed-comparison-vulnerability/index.html SUSE-SR:2010:017 SQL injection vulnerability in the ArticleAttachment::GetAttachmentsByArticleNumber method in javascript/tinymcs/plugins/campsiteattachment/attachments.php in Campsite 3.3.5 and earlier allows remote attackers to execute arbitrary SQL commands via the article_id parameter. campsite-articleid-sql-injection(58285) 39862 http://www.campware.org/en/camp/campsite_news/832/ 39580 http://php-security.org/2010/05/01/mops-2010-002-campsite-tinymce-article-attachment-sql-injection-vulnerability/index.html 64215 The (1) sqlite_single_query and (2) sqlite_array_query functions in ext/sqlite/sqlite.c in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to execute arbitrary code by calling these functions with an empty SQL query, which triggers access of uninitialized memory. http://php-security.org/2010/05/07/mops-submission-03-sqlite_single_query-sqlite_array_query-uninitialized-memory-usage/index.html http://php-security.org/2010/05/07/mops-2010-013-php-sqlite_array_query-uninitialized-memory-usage-vulnerability/index.html http://php-security.org/2010/05/07/mops-2010-012-php-sqlite_single_query-uninitialized-memory-usage-vulnerability/index.html Stack-based buffer overflow in the parser function in GhostScript 8.70 and 8.64 allows context-dependent attackers to execute arbitrary code via a crafted PostScript file. ADV-2010-1195 ADV-2010-1138 USN-961-1 1024003 40103 20100512 Multiple memory corruption vulnerabilities in Ghostscript MDVSA-2010:102 http://www.checkpoint.com/defense/advisories/public/2010/cpai-10-May.html 40580 39753 SUSE-SR:2010:014 The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. 41592 66280 14360 http://struts.apache.org/2.2.1/docs/s2-005.html 8345 20100713 CVE-2010-1870: Struts2 remote commands execution http://confluence.atlassian.com/display/FISHEYE/FishEye+Security+Advisory+2010-06-16 http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured. https://bugzilla.redhat.com/show_bug.cgi?id=615956 seam-expressions-code-execution(60794) ADV-2010-1929 1024253 41994 RHSA-2010:0564 Cross-site scripting (XSS) vulnerability in cPlayer.php in FlashCard 2.6.5 and 3.0.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: some of these details are obtained from third party information. http://www.xenuser.org/documents/security/flashcard_xss.txt 39648 39484 http://packetstormsecurity.org/1004-exploits/flashcard-xss.txt SQL injection vulnerability in the Jvehicles (com_jvehicles) component 1.0, 2.0, and 2.1111 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php. NOTE: some of these details are obtained from third party information. jvehicles-index-sql-injection(57774) 39409 63669 12190 39401 http://packetstormsecurity.org/1004-exploits/joomlajvehicles-sql.txt http://indonesiancoder.org/joomla-component-jvehicles-aid-sql-injection-vulnerability SQL injection vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php. NOTE: some of these details are obtained from third party information. properties-index-sql-injection(57765) 39374 12136 39074 Directory traversal vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. realestate-index-file-include(57110) 38912 63143 11851 39074 SQL injection vulnerability in index.php in AJ Shopping Cart 1.0 allows remote attackers to execute arbitrary SQL commands via the maincatid parameter in a showmaincatlanding action. ajshopping-index-sql-injection(58049) 12349 39551 http://packetstormsecurity.org/1004-exploits/ajshoppingcart-sql.txt SQL injection vulnerability in the JTM Reseller (com_jtm) component 1.9 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the author parameter in a search action to index.php. jtmreseller-author-sql-injection(57977) 39584 12306 http://packetstormsecurity.org/1004-exploits/joomlajtmreseller-sql.txt Directory traversal vulnerability in the OrgChart (com_orgchart) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. orgchart-index-file-include(58031) 39606 12317 http://packetstormsecurity.org/1004-exploits/joomlaorgchart-lfi.txt Unspecified vulnerability in Quartz.dll for DirectShow; Windows Media Format Runtime 9, 9.5, and 11; Media Encoder 9; and the Asycfilt.dll COM component allows remote attackers to execute arbitrary code via a media file with crafted compression data, aka "Media Decompression Vulnerability." TA10-159B MS10-033 oval:org.mitre.oval:def:7517 Unspecified vulnerability in Quartz.dll for DirectShow on Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista SP1, and Server 2008 allows remote attackers to execute arbitrary code via a media file with crafted compression data, aka "MJPEG Media Decompression Vulnerability." TA10-159B MS10-033 oval:org.mitre.oval:def:6641 65222 The FieldList ActiveX control in the Microsoft Access Wizard Controls in ACCWIZ.dll in Microsoft Office Access 2003 SP3 does not properly interact with the memory-access approach used by Internet Explorer and Office during instantiation, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTML document that references this control along with crafted persistent storage data, aka "ACCWIZ.dll Uninitialized Variable Vulnerability." TA10-194A MS10-044 oval:org.mitre.oval:def:11756 Multiple buffer overflows in the MPEG Layer-3 Audio Codec for Microsoft DirectShow in l3codecx.ax in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allow remote attackers to execute arbitrary code via an MPEG Layer-3 audio stream in (1) a crafted media file or (2) crafted streaming content, aka "MPEG Layer-3 Audio Decoder Buffer Overflow Vulnerability." TA10-222A MS10-052 oval:org.mitre.oval:def:11585 Integer overflow in the Embedded OpenType (EOT) Font Engine in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote attackers to execute arbitrary code via a crafted table in an embedded font, aka "Embedded OpenType Font Integer Overflow Vulnerability." TA10-285A MS10-076 oval:org.mitre.oval:def:6881 The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL, aka "Help Center URL Validation Vulnerability." Per: http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx "customers running Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this issue, or at risk of attack." TA10-194A VU#578319 ms-win-helpctr-command-execution(59267) ADV-2010-1417 1024084 40725 20100610 Re: Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly 20100609 Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly MS10-042 http://www.microsoft.com/technet/security/advisory/2219475.mspx 13808 40076 oval:org.mitre.oval:def:11733 http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx 20100609 Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 SP2 and R2, and Windows 7 allow local users to gain privileges by leveraging access to a process with NetworkService credentials, as demonstrated by TAPI Server, SQL Server, and IIS processes, and related to the Windows Service Isolation feature. NOTE: the vendor states that privilege escalation from NetworkService to LocalSystem does not cross a "security boundary." 982316 2264072 http://www.microsoft.com/technet/security/advisory/2264072.mspx The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 do not properly validate an unspecified system-call argument, which allows local users to cause a denial of service (system hang) via a crafted application, aka "Win32k Bounds Checking Vulnerability." MS10-048 oval:org.mitre.oval:def:11020 Race condition in the kernel in Microsoft Windows XP SP3 allows local users to gain privileges via vectors involving thread creation, aka "Windows Kernel Data Initialization Vulnerability." TA10-222A MS10-047 oval:org.mitre.oval:def:11825 Double free vulnerability in the kernel in Microsoft Windows Vista SP1 and SP2, and Windows Server 2008 Gold and SP2, allows local users to gain privileges via a crafted application, related to object initialization during error handling, aka "Windows Kernel Double Free Vulnerability." TA10-222A MS10-047 oval:org.mitre.oval:def:11044 The kernel in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate ACLs on kernel objects, which allows local users to cause a denial of service (reboot) via a crafted application, aka "Windows Kernel Improper Validation Vulnerability." MS10-047 oval:org.mitre.oval:def:11789 The Client/Server Runtime Subsystem (aka CSRSS) in the Win32 subsystem in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2, when a Chinese, Japanese, or Korean locale is enabled, does not properly allocate memory for transactions, which allows local users to gain privileges via a crafted application, aka "CSRSS Local Elevation of Privilege Vulnerability." MS10-069 oval:org.mitre.oval:def:7536 The TCP/IP stack in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly handle malformed IPv6 packets, which allows remote attackers to cause a denial of service (system hang) via multiple crafted packets, aka "IPv6 Memory Corruption Vulnerability." TA10-222A MS10-058 oval:org.mitre.oval:def:11845 Integer overflow in the TCP/IP stack in Microsoft Windows Vista SP1, Windows Server 2008 Gold and R2, and Windows 7 allows local users to gain privileges via a buffer of user-mode data that is copied to kernel mode, aka "Integer Overflow in Windows Networking Vulnerability." TA10-222A MS10-058 oval:org.mitre.oval:def:12087 The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP SP2 and SP3, and Windows Server 2003 SP2, do not properly handle unspecified exceptions, which allows local users to gain privileges via a crafted application, aka "Win32k Exception Handling Vulnerability." TA10-222A MS10-048 oval:org.mitre.oval:def:11769 The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP SP2 and SP3, and Windows Server 2003 SP2, do not properly perform memory allocation before copying user-mode data to kernel mode, which allows local users to gain privileges via a crafted application, aka "Win32k Pool Overflow Vulnerability." TA10-222A MS10-048 oval:org.mitre.oval:def:11844 The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, and Windows Server 2008 Gold and SP2 do not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Win32k User Input Validation Vulnerability." TA10-222A MS10-048 oval:org.mitre.oval:def:12006 The Windows kernel-mode drivers in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 do not properly validate pseudo-handle values in callback parameters during window creation, which allows local users to gain privileges via a crafted application, aka "Win32k Window Creation Vulnerability." TA10-222A MS10-048 oval:org.mitre.oval:def:11663 The Common Language Runtime (CLR) in Microsoft .NET Framework 2.0 SP1, 2.0 SP2, 3.5, 3.5 SP1, and 3.5.1, and Microsoft Silverlight 2 and 3 before 3.0.50611.0 on Windows and before 3.0.41130.0 on Mac OS X, does not properly handle interfaces and delegations to virtual methods, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka "Microsoft Silverlight and Microsoft .NET Framework CLR Virtual Method Delegate Vulnerability." TA10-222A MS10-060 oval:org.mitre.oval:def:12033 Stack consumption vulnerability in the ASP implementation in Microsoft Internet Information Services (IIS) 5.1, 6.0, 7.0, and 7.5 allows remote attackers to cause a denial of service (daemon outage) via a crafted request, related to asp.dll, aka "IIS Repeated Parameter Request Denial of Service Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-065.mspx 'ASP pages are prohibited by default on IIS 6.0. - The vulnerability is only exploitable when the ASP script writes parameters from the request in the response.' MS10-065 oval:org.mitre.oval:def:7127 Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP2; Microsoft Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Word Viewer; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; and Works 9 do not properly handle malformed records in a Word file, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, aka "Word Record Parsing Vulnerability." TA10-222A MS10-056 oval:org.mitre.oval:def:11490 Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP2; Microsoft Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Word Viewer; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 do not properly handle unspecified properties in rich text data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted RTF document, aka "Word RTF Parsing Engine Memory Corruption Vulnerability." TA10-222A MS10-056 oval:org.mitre.oval:def:11612 Buffer overflow in Microsoft Office Word 2002 SP3, 2003 SP3, and 2007 SP2; Microsoft Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Word Viewer; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code via unspecified properties in the data in a crafted RTF document, aka "Word RTF Parsing Buffer Overflow Vulnerability." TA10-222A MS10-056 oval:org.mitre.oval:def:11472 Microsoft Office Word 2002 SP3 and 2003 SP3, and Office Word Viewer, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed record in a Word file, aka "Word HTML Linked Objects Memory Corruption Vulnerability." TA10-222A MS10-056 oval:org.mitre.oval:def:12039 SQL injection vulnerability in EMC RSA Key Manager (RKM) C Client 1.5.x allows user-assisted remote attackers to execute arbitrary SQL commands via the metadata section of encrypted key data. rsakey-metadata-sql-injection(59133) ADV-2011-0206 1024989 1024059 40553 20100603 RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 ) 43057 20110121 ESA-2011-001: RSA, The Security Division of EMC, addresses RKM 1.5 C Client SQL Injection Vulnerability 20100603 RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 ) Multiple cross-site scripting (XSS) vulnerabilities in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allow remote attackers to inject arbitrary web script or HTML via crafted input to ASP pages, as demonstrated using the backurl parameter to sdccommon/verify/asp/n6plugindestructor.asp. VU#602801 http://www.consona.com/Content/CRM/Support/SecurityBulletin_April2010.pdf http://www.wintercore.com/downloads/rootedcon_0day.pdf 39999 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html 39740 tgsrv.exe in the Repair Service in Consona Dynamic Agent, Repair Manager, Subscriber Activation, and Subscriber Agent relies on a predictable timestamp field to validate input to the \\.\pipe\__RepairService_pipe__company named pipe, which allows remote authenticated users to execute arbitrary code by obtaining the current time from (1) tcpip.sys or (2) an SMB2 service. VU#602801 http://www.consona.com/Content/CRM/Support/SecurityBulletin_April2010.pdf http://www.wintercore.com/downloads/rootedcon_0day.pdf 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html 39752 The SdcUser.TgConCtl ActiveX control in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allows remote attackers to discover the username of the client user, and consequently determine a pathname to a certain user directory, via a call to the GetUserName method. VU#602801 http://www.wintercore.com/downloads/rootedcon_0day.pdf 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html The SdcUser.TgConCtl ActiveX control in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance does not properly restrict access to the HTTPDownloadFile, HTTPGetFile, Install, and RunCmd methods, which allows remote attackers to execute arbitrary programs via a URL in the url argument to (1) HTTPDownloadFile or (2) HTTPGetFile. VU#602801 http://www.wintercore.com/downloads/rootedcon_0day.pdf 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html 39751 Buffer overflow in the RunCmd method in the SdcUser.TgConCtl ActiveX control in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allows remote attackers to execute arbitrary code via vectors involving "CreateProcess params." NOTE: some of these details are obtained from third party information. VU#602801 http://www.wintercore.com/downloads/rootedcon_0day.pdf 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html 39751 The Forgot Password implementation in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allows remote attackers to reset passwords of accounts with blank Hint questions and Hint answers by sending an empty value for each of these two Hint fields. VU#602801 http://www.consona.com/Content/CRM/Support/SecurityBulletin_April2010.pdf 40003 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html 39740 The site-locking implementation in the SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance relies on a list of server domain names to restrict execution of ActiveX controls, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a DNS hijacking attack. VU#602801 http://www.consona.com/Content/CRM/Support/SecurityBulletin_April2010.pdf consona-sdcwebsecurebase-code-exec(58608) http://www.wintercore.com/downloads/rootedcon_0day.pdf 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html The SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allows remote attackers to bypass intended restrictions on ActiveX execution via "instantiation/free attacks." VU#602801 consona-sdcwebsecurebase-sec-bypass(58607) http://www.wintercore.com/downloads/rootedcon_0day.pdf 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html The default configuration of pluginlicense.ini for the SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance, when downloaded from a server operated by Telefonica or possibly other companies, contains an incorrect DNS whitelist that includes the DNS hostnames of home computers of many persons, which allows remote attackers to bypass intended restrictions on ActiveX execution by hosting an ActiveX control on an applicable home web server. VU#602801 http://www.wintercore.com/downloads/rootedcon_0day.pdf 20100507 [Wintercore Research] Consona Products - Multiple vulnerabilities http://wintercore.com/en/component/content/article/7-media/18-wintercore-releases-an-advisory-for-consona-products.html The Zend Engine in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information by interrupting the handler for the (1) ZEND_BW_XOR opcode (shift_left_function), (2) ZEND_SL opcode (bitwise_xor_function), or (3) ZEND_SR opcode (shift_right_function), related to the convert_to_long_base function. php-zendengine-info-disclosure(58587) http://www.php-security.org/2010/05/08/mops-2010-016-php-zend_sr-opcode-interruption-address-information-leak-vulnerability/index.html http://www.php-security.org/2010/05/08/mops-2010-015-php-zend_sl-opcode-interruption-address-information-leak-vulnerability/index.html http://www.php-security.org/2010/05/08/mops-2010-014-php-zend_bw_xor-opcode-interruption-address-information-leak-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 The preg_quote function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature, modification of ZVALs whose values are not updated in the associated local variables, and access of previously-freed memory. php-pregquote-information-disclosure(58586) http://www.php-security.org/2010/05/09/mops-2010-017-php-preg_quote-interruption-information-leak-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin. https://bugzilla.redhat.com/show_bug.cgi?id=591701 ADV-2010-1401 40033 http://www.php-security.org/2010/05/10/mops-2010-020-xinha-wysiwyg-plugin-configuration-injection-vulnerability/index.html http://www.php-security.org/2010/05/10/mops-2010-019-serendipity-wysiwyg-editor-plugin-configuration-injection-vulnerability/index.html http://trac.xinha.org/ticket/1518 40124 39782 FEDORA-2010-9320 Stack consumption vulnerability in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (PHP crash) via a crafted first argument to the fnmatch function, as demonstrated using a long string. php-fnmatchfunction-dos(58585) ADV-2010-3081 RHSA-2010:0919 http://www.php-security.org/2010/05/11/mops-2010-021-php-fnmatch-stack-exhaustion-vulnerability/index.html DSA-2089 42410 40860 SSRT100409 HPSBMA02662 SUSE-SR:2010:018 SUSE-SR:2010:017 SQL injection vulnerability in ask_chat.php in eFront 3.6.2 and earlier allows remote attackers to execute arbitrary SQL commands via the chatrooms_ID parameter. ADV-2010-1101 40032 http://www.php-security.org/2010/05/09/mops-2010-018-efront-ask_chat-chatrooms_id-sql-injection-vulnerability/index.html 39728 http://packetstormsecurity.org/1005-exploits/MOPS-2010-018.pdf 64506 Unspecified vulnerability in EMC Avamar 4.1.x and 5.0 before SP1 allows remote attackers to cause a denial of service (gsan service hang) by sending a crafted message using TCP. ADV-2010-1253 40390 http://www.packetstormsecurity.org/1005-advisories/ESA-2010-007.txt 1024036 39919 20100526 ESA-2010-007: EMC Avamar Denial Of Service Vulnerability Directory traversal vulnerability in scr/soustab.php in OpenMairie openAnnuaire 2.00, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter, a related issue to CVE-2007-2069. ADV-2010-1059 23505 12486 39673 http://packetstormsecurity.org/1005-exploits/openmairie-rfilfi.txt Multiple PHP remote file inclusion vulnerabilities in OpenMairie openAnnuaire 2.00, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) annuaire.class.php, (2) droit.class.php, (3) collectivite.class.php, (4) profil.class.php, (5) direction.class.php, (6) service.class.php, (7) directiongenerale.class.php, and (8) utilisateur.class.php in obj/. ADV-2010-1059 39887 64184 64182 64181 64180 64179 64178 64177 64176 12486 39673 http://packetstormsecurity.org/1005-exploits/openmairie-rfilfi.txt Multiple PHP remote file inclusion vulnerabilities in 29o3 CMS 0.1 allow remote attackers to execute arbitrary PHP code via a URL in the LibDir parameter to (1) lib/page/pageDescriptionObject.php, and (2) layoutHeaderFuncs.php, (3) layoutManager.php, and (4) layoutParser.php in lib/layout/. ADV-2010-1120 40049 20100511 29o3 CMS (LibDir) Multiple Remote File Inclusion Vulnerability 12558 http://packetstormsecurity.org/1005-exploits/29o3cms-rfi.txt SQL injection vulnerability in user.php in Hi Web Wiesbaden Web 2.0 Social Network Freunde Community System allows remote attackers to execute arbitrary SQL commands via the id parameter in a showgallery action. socialnetworking-user-sql-injection(58583) 39761 http://packetstormsecurity.org/1005-exploits/web20snfcs-sql.txt 64513 SQL injection vulnerability in index.php in Hi Web Wiesbaden Live Shopping Multi Portal System allows remote attackers to execute arbitrary SQL commands via the artikel parameter. liveshopping-index-sql-injection(58392) 40040 12545 39718 64512 SQL injection vulnerability in makale.php in tekno.Portal 0.1b allows remote attackers to execute arbitrary SQL commands via the id parameter, a different vector than CVE-2006-2817. ADV-2010-1117 40030 12552 20464 http://packetstormsecurity.org/1005-exploits/teknoportal-sql.txt Directory traversal vulnerability in scr/soustab.php in openMairie openCourrier 2.02 and 2.03 beta, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter, a related issue to CVE-2007-2069. NOTE: some of these details are obtained from third party information. ADV-2010-1003 64201 12398 39624 http://packetstormsecurity.org/1004-exploits/opencourrier-rfilfi.txt Multiple PHP remote file inclusion vulnerabilities in openMairie openCourrier 2.02 and 2.03 beta, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) bible.class.php, (2) dossier.class.php, (3) service.class.php, (4) collectivite.class.php, (5) droit.class.php, (6) tache.class.php, (7) emetteur.class.php, (8) utilisateur.class.php, (9) courrier.recherche.tab.class.php, and (10) profil.class.php in obj/. NOTE: some of these details are obtained from third party information. ADV-2010-1003 64210 64209 64208 64207 64206 64205 64204 64203 64202 12398 39624 http://packetstormsecurity.org/1004-exploits/opencourrier-rfilfi.txt Directory traversal vulnerability in scr/soustab.php in openMairie openPlanning 1.00, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter, a related issue to CVE-2007-2069. openpresse-soustab-file-include(58090) 64185 12365 39606 http://packetstormsecurity.org/1004-exploits/openplanning-rfilfi.txt Multiple stack-based buffer overflows in the jclient._Java_novell_jclient_JClient_defineClass@20 function in jclient.dll in the Tomcat web server in Novell iManager 2.7, 2.7.3, and 2.7.3 FTF2 allow remote authenticated users to execute arbitrary code via the (1) EnteredClassID or (2) NewClassName parameter to nps/servlet/webacc. imanager-class-bo(59694) ADV-2010-1575 40480 20100623 CORE-2010-0316 - Novell iManager Multiple Vulnerabilities 65737 14010 http://www.coresecurity.com/content/novell-imanager-buffer-overflow-off-by-one-vulnerabilities 1024152 40281 Off-by-one error in Novell iManager 2.7, 2.7.3, and 2.7.3 FTF2 allows remote attackers to cause a denial of service (daemon crash) via a long tree parameter in a login request to nps/servlet/webacc. imanager-tree-dos(59695) ADV-2010-1575 40485 20100623 CORE-2010-0316 - Novell iManager Multiple Vulnerabilities 65738 14010 http://www.coresecurity.com/content/novell-imanager-buffer-overflow-off-by-one-vulnerabilities 1024152 40281 SQL injection vulnerability in includes/content/cart.inc.php in CubeCart PHP Shopping cart 4.3.4 through 4.3.9 allows remote attackers to execute arbitrary SQL commands via the shipKey parameter to index.php. http://forums.cubecart.com/index.php?showtopic=41469 cubecart-shipkey-sql-injection(59245) 40641 20100608 [CORE-2010-0415] SQL Injection in CubeCart PHP Free & Commercial Shopping Cart Application http://www.coresecurity.com/content/cubecart-php-shopping-cart-sql-injection 40102 65250 Heap-based buffer overflow in XnView 1.97.4 and possibly earlier allows remote attackers to execute arbitrary code via a MultiBitMap (MBM) file with a Paint Data Section that contains a malformed Encoding field. xnview-mbm-bo(59421) ADV-2010-1468 1024100 40852 http://www.coresecurity.com/content/XnView-MBM-Processing-Heap-Overflow 40141 Multiple PHP remote file inclusion vulnerabilities in openMairie openPlanning 1.00, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) categorie.class.php, (2) profil.class.php, (3) collectivite.class.php, (4) ressource.class.php, (5) droit.class.php, (6) utilisateur.class.php, and (7) planning.class.php in obj/. 64192 64191 64189 64188 64187 64186 12365 39606 http://packetstormsecurity.org/1004-exploits/openplanning-rfilfi.txt Directory traversal vulnerability in scr/soustab.php in openMairie Openpresse 1.01, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter, a related issue to CVE-2007-2069. openpresse-soustab-file-include(58090) 64194 12364 39605 http://packetstormsecurity.org/1004-exploits/openpresse-lfi.txt Directory traversal vulnerability in scr/soustab.php in openMairie openComInterne 1.01, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter, a related issue to CVE-2007-2069. opencominterne-soustab-file-include(58129) 64211 12396 39623 http://packetstormsecurity.org/1004-exploits/opencominterne-lfi.txt Heap-based buffer overflow in httpAdapter.c in httpAdapter in SBLIM SFCB before 1.3.8 might allow remote attackers to execute arbitrary code via a Content-Length HTTP header that specifies a value too small for the amount of POST data, aka bug #3001896. ADV-2010-1312 http://sourceforge.net/tracker/index.php?func=detail&aid=3001896&group_id=128809&atid=712784 40018 http://sblim.cvs.sourceforge.net/viewvc/sblim/sfcb/httpAdapter.c?r1=1.84&r2=1.85 [oss-security] 20100601 SFCB vulnerabilities Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd. 40403 12762 DSA-2281 http://site.pi3.com.pl/adv/libopie-adv.txt 1025709 1024040 7450 20100527 libopie __readrec() off-by one (FreeBSD ftpd remote PoC) FreeBSD-SA-10:05 45136 39966 39963 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584932 http://blog.pi3.com.pl/?p=111 Use-after-free vulnerability in Apple Safari 4.0.5 on Windows allows remote attackers to execute arbitrary code by using window.open to create a popup window for a crafted HTML document, and then calling the parent window's close method, which triggers improper handling of a deleted window object. CWE-416 'Use After Free' http://cwe.mitre.org/data/definitions/416.html VU#943165 ADV-2010-1097 39990 64482 1023958 39670 http://reviews.cnet.com/8301-13727_7-20004709-263.html oval:org.mitre.oval:def:6748 http://h07.w.interia.pl/Safari.rar Apple Safari 4.0.5 on Windows sends the "Authorization: Basic" header appropriate for one web site to a different web site named in a Location header received from the first site, which allows remote web servers to obtain sensitive information by logging HTTP requests. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. safari-http-request-information-disclosure(58620) 39670 Unspecified vulnerability in NEC WebSAM DeploymentManager 5.13 and earlier, as used in SigmaSystemCenter 2.1 Update2 and earlier, BladeSystemCenter, ExpressSystemCenter, and VirtualPCCenter 2.2 and earlier, allows remote attackers to cause a denial of service (OS shutdown or restart) via unknown vectors related to Client Service for DPM and crafted packets to port 56010. 40196 http://www.nec.co.jp/security-info/secinfo/nv10-004.html 39802 64700 JVNDB-2010-000019 JVN#90872372 Unspecified vulnerability in the Servlet service in Fujitsu Limited Interstage Application Server 3.0 through 7.0, as used in Interstage Application Framework Suite, Interstage Business Application Server, and Interstage List Manager, allows attackers to obtain sensitive information or force invalid requests to be processed via unknown vectors related to unspecified invalid requests and settings on the load balancing device. ADV-2010-1165 http://www.fujitsu.com/global/support/software/security/products-f/interstage-201001e.html interstage-servlet-information-disclosure(58634) 40189 http://software.fujitsu.com/jp/security/vulnerabilities/jvn-90248889.html 39803 64703 JVNDB-2010-000018 JVN#90248889 Unspecified vulnerability in NEC CapsSuite Small Edition PatchMeister 2.0 Update2 and earlier allows remote attackers to cause a denial of service (OS shutdown or restart) via vectors related to Client Service for PTM and crafted packets to port 56015. ADV-2010-1166 40190 http://www.nec.co.jp/security-info/secinfo/nv10-005.html http://www.ipa.go.jp/about/press/20100517_2.html 39800 64701 JVNDB-2010-000020 JVN#82749282 Multiple PHP remote file inclusion vulnerabilities in openMairie openCimetiere 2.01, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) autorisation.class.php, (2) courrierautorisation.class.php, (3) droit.class.php, (4) profil.class.php, (5) temp_defunt_sansemplacement.class.php, (6) utils.class.php, (7) cimetiere.class.php, (8) defunt.class.php, (9) emplacement.class.php, (10) tab_emplacement.class.php, (11) temp_emplacement.class.php, (12) voie.class.php, (13) collectivite.class.php, (14) defunttransfert.class.php, (15) entreprise.class.php, (16) temp_autorisation.class.php, (17) travaux.class.php, (18) zone.class.php, (19) courrier.class.php, (20) dossier.class.php, (21) plans.class.php, (22) temp_defunt.class.php, and (23) utilisateur.class.php in obj/. opencimetiere-pathom-file-include(58267) ADV-2010-1050 39883 64245 64244 64243 64242 64241 64240 64239 64238 64237 64236 64235 64234 64233 64232 64231 64230 64229 64228 64227 64226 64225 64224 64223 12476 39687 http://packetstormsecurity.org/1005-exploits/opencimetiere-rfi.txt Multiple PHP remote file inclusion vulnerabilities in openMairie Openfoncier 2.00, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) action.class.php, (2) architecte.class.php, (3) avis.class.php, (4) bible.class.php, and (5) blocnote.class.php in obj/. 64200 64199 64198 64197 64196 12366 39607 http://packetstormsecurity.org/1004-exploits/openfoncier-rfilfi.txt Multiple PHP remote file inclusion vulnerabilities in openMairie Openregistrecil 1.02, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) autorisation_normale.class.php, (2) collectivite.class.php, (3) dossier.class.php, (4) norme_simplifiee.class.php, (5) registre.class.php, (6) autorisation_unique.class.php, (7) demande_avis.class.php, (8) droit.class.php, (9) organisme.class.php, (10) service.class.php, (11) categorie_donnee.class.php, (12) destinataire.class.php, (13) profil.class.php, (14) tabdyn_visu.class.php, (15) categorie_personne.class.php, (16) dispense.class.php, (17) modificatif.class.php, (18) reference.class.php, and (19) utilisateur.class.php in obj/. 39611 63963 63962 63961 63960 63959 63958 63957 63956 63955 63954 63953 63952 63951 63950 63949 63948 63947 63946 63945 12313 39534 http://packetstormsecurity.org/1004-exploits/openregistrecil-rfilfi.txt Directory traversal vulnerability in scr/soustab.php in openMairie Openregistrecil 1.02, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter. NOTE: this may be related to CVE-2007-2069. 39611 63964 12313 39534 http://packetstormsecurity.org/1004-exploits/openregistrecil-rfilfi.txt Directory traversal vulnerability in scr/soustab.php in openMairie Openfoncier 2.00, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter, a related issue to CVE-2007-2069. 64195 12366 39607 http://packetstormsecurity.org/1004-exploits/openfoncier-rfilfi.txt SQL injection vulnerability in the Online News Paper Manager (com_jnewspaper) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter to index.php. NOTE: some of these details are obtained from third party information. 12305 39536 SQL injection vulnerability in the Online News Paper Manager (com_jnewspaper) component 1.0 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the date_info parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 39536 Multiple directory traversal vulnerabilities in 60cycleCMS allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the DOCUMENT_ROOT parameter to (1) news.php, (2) submitComment.php, and (3) sqlConnect.php. 60cyclecms-documentroot-file-include(57873) 39473 20100414 60cycleCMS (DOCUMENT_ROOT) Multiple Local File Inclusion Vulnerability 12249 Directory traversal vulnerability in the BeeHeard (com_beeheard) and BeeHeard Lite (com_beeheardlite) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. combeeheard-index-file-inlclude(57845) 39506 12239 39475 http://packetstormsecurity.org/1004-exploits/joomlabeeheardlite-lfi.txt Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. ADV-2010-0927 39551 12288 39530 Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot) component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. ADV-2010-0928 39552 12287 39531 Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. comblogfactory-index-file-inlclude(57846) 39508 12238 39473 http://packetstormsecurity.org/1004-exploits/joomladeluxeblog-lfi.txt 63801 Directory traversal vulnerability in the Gadget Factory (com_gadgetfactory) component 1.0.0 and 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information. http://www.thefactory.ro/all-thefactory-products/gadget-factory-for-joomla-1.5.x/detailed-product-flyer.html comgadgetfactory-controller-file-include(57895) ADV-2010-0930 39547 12285 39522 http://packetstormsecurity.org/1004-exploits/joomlagadgetfactory-lfi.txt 63917 Directory traversal vulnerability in the Love Factory (com_lovefactory) component 1.3.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. comlovefactory-index-file-inlclude(57849) 39512 12235 39471 http://packetstormsecurity.org/1004-exploits/joomlalovefactory-lfi.txt 63803 Cross-site scripting (XSS) vulnerability in the FileField module 5.x before 5.x-2.5 and 6.x before 6.x-3.4 for Drupal allows remote authenticated users, with create or edit permissions and 'Path to File' or 'URL to File' display enabled, to inject arbitrary web script or HTML via the file name (filepath parameter). 40923 http://drupal.org/node/829808 filefieldmodule-filepath-xss(59500) http://www.madirish.net/?article=461 40186 65611 Unspecified vulnerability in HP TestDirector for Quality Center 9.2 before Patch8 allows remote attackers to modify data via unknown vectors. 40371 1024025 39943 64917 SSRT071487 SSRT071487 Buffer overflow in the error handling functionality in ovwebsnmpsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long, invalid option to jovgraph.exe. HPSBMA02537 HPSBMA02537 ovnnm-ovwebsnmpsrv-bo(59249) http://www.zerodayinitiative.com/advisories/ZDI-10-105/ 1024071 40637 20100608 ZDI-10-105: Hewlett-Packard OpenView NNM ovwebsnmpsrv.exe Bad Option Remote Code Execution Vulnerability 40101 Buffer overflow in ovutil.dll in ovwebsnmpsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unspecified variables to jovgraph.exe, which are not properly handled in a call to the sprintf function. SSRT010027 SSRT010027 ovnnm-getproxiedstorageaddress-bo(59250) http://www.zerodayinitiative.com/advisories/ZDI-10-106/ 1024071 40638 20100608 ZDI-10-106: Hewlett-Packard OpenView NNM ovutil.dll getProxiedStorageAddress Remote Code Execution Vulnerability 40101 Unspecified vulnerability in HP StorageWorks Storage Mirroring 5 before 5.2.1.870.0 allows remote attackers to execute arbitrary code via unknown vectors. HPSBST02536 hp-storageworks-mirroring-unauth-access(59099) ADV-2010-1319 1024054 40539 40044 65142 Cross-site scripting (XSS) vulnerability in HP ServiceCenter allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. HPSBMA02538 Buffer overflow in ovwebsnmpsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unspecified parameters to jovgraph.exe, aka ZDI-CAN-683. SSRT010027 SSRT010027 http://www.zerodayinitiative.com/advisories/ZDI-10-108 40873 20100616 ZDI-10-108: HP OpenView NNM ovwebsnmpsrv.exe Command Line Argument Remote Code Execution Vulnerability 8155 65552 Unspecified vulnerability in HP Insight Orchestration for Windows before 6.1 allows remote attackers to read or modify data via unknown vectors. ADV-2010-1794 1024183 40549 HPSBMA02548 HPSBMA02548 Unspecified vulnerability in HP Insight Control power management for Windows before 6.1 allows local users to read or modify data, or cause a denial of service, via unknown vectors. ADV-2010-1795 1024184 40550 HPSBMA02549 HPSBMA02549 Unspecified vulnerability in HP Insight Software Installer for Windows before 6.1 allows local users to read or modify data via unknown vectors. ADV-2010-1792 1024185 40544 HPSBMA02550 HPSBMA02550 Cross-site request forgery (CSRF) vulnerability in HP Insight Software Installer for Windows before 6.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, a different vulnerability than CVE-2010-1971. ADV-2010-1792 1024185 40544 HPSBMA02550 HPSBMA02550 Cross-site scripting (XSS) vulnerability in HP Virtual Connect Enterprise Manager for Windows before 6.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. SSRT100165 SSRT100165 ADV-2010-1797 1024181 40552 Unspecified vulnerability in HP Insight Software Installer for Windows before 6.1 allows local users to read or modify data, and consequently gain privileges, via unknown vectors. ADV-2010-1792 1024186 40553 HPSBMA02553 HPSBMA02553 Cross-site request forgery (CSRF) vulnerability in HP Insight Software Installer for Windows before 6.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, a different vulnerability than CVE-2010-1968. ADV-2010-1792 1024186 40553 HPSBMA02553 HPSBMA02553 The default configuration of HP Client Automation (HPCA) Enterprise Infrastructure (aka Radia) allows remote attackers to read log files, and consequently cause a denial of service or have unspecified other impact, via web requests. 1024191 40592 HPSBMA02555 HPSBMA02555 Unspecified vulnerability in the Auditing subsystem in HP OpenVMS 8.3, 8.2, 7.3-2, and earlier on the ALPHA platform, and 8.3-1H1, 8.3, 8.2-1, and earlier on the Itanium platform, allows local users to gain privileges or obtain sensitive information via unknown vectors. Per: http://marc.info/?l=bugtraq&m=127905660900687&w=2 'impacted versions are listed. HP OpenVMS ALPHA v 8.3, v 8.2, v 7.3-2 and earlier HP OpenVMS Itanium v 8.3-1H1, v 8.3, v 8.2-1 and earlier' Per: http://marc.info/?l=bugtraq&m=127905660900687&w=2 'HP has made the following patch kits available to resolve the vulnerability. Patch kit information and installation instructions are provided with each kit as noted below . The patch kits and installation instructions are available from the following location using anonymous ftp: ftp://ftp.itrc.hp.com/openvms_patches HPSBOV02539 HPSBOV02539 1024190 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-1168. Reason: This candidate is a duplicate of CVE-2010-1168. Notes: All CVE users should reference CVE-2010-1168 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement. ADV-2010-1221 ADV-2010-1207 40304 http://www.postgresql.org/docs/current/static/release-8-4-4.html http://www.postgresql.org/docs/current/static/release-8-3-11.html http://www.postgresql.org/docs/current/static/release-8-2-17.html http://www.postgresql.org/docs/current/static/release-8-1-21.html http://www.postgresql.org/docs/current/static/release-8-0-25.html http://www.postgresql.org/docs/current/static/release-7-4-29.html MDVSA-2010:103 DSA-2051 39939 oval:org.mitre.oval:def:11004 SUSE-SR:2010:014 Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb module 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via the node title in a Breadcrumb display. http://drupal.org/node/758456 taxonomy-breadcrumb-name-xss(57446) 39138 63424 http://drupal.org/node/757980 http://drupal.org/node/757974 Directory traversal vulnerability in the J!WHMCS Integrator (com_jwhmcs) component 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. 39243 12083 39356 PHP remote file inclusion vulnerability in default_theme.php in FreePHPBlogSoftware 1.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the phpincdir parameter. NOTE: some of these details are obtained from third party information. fpbs-phpincdir-file-include(57560) 39233 63558 12063 39321 Directory traversal vulnerability in the Affiliate Datafeeds (com_datafeeds) component build 880 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. comdatafeeds-index-file-include(57570) 39246 12088 39360 Directory traversal vulnerability in joomlaflickr.php in the Joomla Flickr (com_joomlaflickr) component 1.0.3 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. 39251 http://bitbucket.org/roberto.aloi/joomla-flickr/changeset/64ebf6b25030 comjoomlaflickr-index-file-include(57573) 12085 39358 http://packetstormsecurity.org/1004-exploits/joomlaflickr-lfi.txt Directory traversal vulnerability in the Fabrik (com_fabrik) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. comfabrik-index-file-include(57571) 12087 http://packetstormsecurity.org/1004-exploits/joomlafabrik-lfi.txt Directory traversal vulnerability in the JA Voice (com_javoice) component 2.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. 39343 12121 39202 http://packetstormsecurity.org/1004-exploits/joomlajavoice-lfi.txt Directory traversal vulnerability in the redTWITTER (com_redtwitter) component 1.0.x including 1.0b11 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php. NOTE: some of these details are obtained from third party information. redtwitter-view-file-include(57511) 39211 12055 39342 http://packetstormsecurity.org/1004-exploits/joomlaredtwitter-lfi.txt 63533 http://evilc0de.blogspot.com/2010/04/joomla-component-redtwitter-lfi-vuln.html Cross-site scripting (XSS) vulnerability in the Taxonomy Breadcrumb module 5.x before 5.x-1.5 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via the taxonomy term name in a Breadcrumb display. http://drupal.org/node/758456 http://drupal.org/node/757980 http://drupal.org/node/757974 taxonomy-breadcrumb-name-xss(57446) 39138 63424 Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in Six Apart Movable Type 5.0 and 5.01 allow remote attackers to inject arbitrary web script or HTML via unknown vectors. ADV-2010-1136 http://www.movabletype.org/documentation/appendices/release-notes/movable-type-502.html http://www.movabletype.com/blog/2010/05/movable-type-502.html 39741 JVNDB-2010-000017 JVN#92854093 Mozilla Firefox 3.6.3 on Windows XP SP3 allows remote attackers to cause a denial of service (memory consumption and application crash) via JavaScript code that creates multiple arrays containing elements with long string values, and then appends long strings to the content of a P element, related to the gfxWindowsFontGroup::MakeTextRun function in xul.dll, a different vulnerability than CVE-2009-1571. firefox-javascriptcode-dos(58761) http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt 20100518 Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities 64791 12678 oval:org.mitre.oval:def:12433 Mozilla Firefox 3.6.3 on Windows XP SP3 allows remote attackers to cause a denial of service (memory consumption, out-of-bounds read, and application crash) via JavaScript code that appends long strings to the content of a P element, and performs certain other string concatenation and substring operations, related to the DoubleWideCharMappedString class in USP10.dll and the gfxWindowsFontGroup::GetUnderlineOffset function in xul.dll, a different vulnerability than CVE-2009-1571. firefox-pelement-dos(58762) http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt 20100518 Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities 12678 oval:org.mitre.oval:def:12013 64790 Mozilla Firefox 3.6.3 on Windows XP SP3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via JavaScript code that performs certain string concatenation and substring operations, a different vulnerability than CVE-2009-1571. Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' firefox-substring-code-execution(58763) http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt 20100518 Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities 12678 oval:org.mitre.oval:def:12050 64789 Opera 9.52 executes a mail application in situations where an IMG element has a SRC attribute that is a redirect to a mailto: URL, which allows remote attackers to cause a denial of service (excessive application launches) via an HTML document with many images, a related issue to CVE-2010-0181. 20100518 DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers http://websecurity.com.ua/4206/ oval:org.mitre.oval:def:11664 Mozilla Firefox 3.6.x, 3.5.x, 3.0.19, and earlier, and SeaMonkey, executes a mail application in situations where an IFRAME element has a mailto: URL in its SRC attribute, which allows remote attackers to cause a denial of service (excessive application launches) via an HTML document with many IFRAME elements. 20100518 DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers http://websecurity.com.ua/4206/ oval:org.mitre.oval:def:12386 Microsoft Internet Explorer 6.0.2900.2180, 7, and 8.0.7600.16385 executes a mail application in situations where an IFRAME element has a mailto: URL in its SRC attribute, which allows remote attackers to cause a denial of service (excessive application launches) via an HTML document with many IFRAME elements. 20100518 DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers http://websecurity.com.ua/4206/ Google Chrome 1.0.154.48 executes a mail application in situations where an IFRAME element has a mailto: URL in its SRC attribute, which allows remote attackers to cause a denial of service (excessive application launches) via an HTML document with many IFRAME elements. 20100518 DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers http://websecurity.com.ua/4206/ oval:org.mitre.oval:def:11363 Opera 9.52 does not properly handle an IFRAME element with a mailto: URL in its SRC attribute, which allows remote attackers to cause a denial of service (resource consumption) via an HTML document with many IFRAME elements. 20100518 DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers http://websecurity.com.ua/4206/ oval:org.mitre.oval:def:11952 SUSE-SR:2010:014 SQL injection vulnerability in index.php in TomatoCMS before 2.0.5 allows remote attackers to execute arbitrary SQL commands via the q parameter in conjunction with a /news/search PATH_INFO. tomatocms-index-sql-injection(58470) 40108 20100512 Secunia Research: TomatoCMS "q" SQL Injection Vulnerability http://secunia.com/secunia_research/2010-56 39320 64551 http://holisticinfosec.org/content/view/141/45/ Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS before 2.0.5 allow remote authenticated users, with "Add new article" privileges, to inject arbitrary web script or HTML via the (1) title, (2) subTitle, and (3) author parameters in conjunction with a /admin/news/article/add PATH_INFO. tomatocms-index-title-xss(58471) 40108 20100512 Secunia Research: TomatoCMS Script Insertion Vulnerabilities http://secunia.com/secunia_research/2010-59/ 39320 64550 http://holisticinfosec.org/content/view/141/45/ Multiple cross-site scripting (XSS) vulnerabilities in index.php in TomatoCMS before 2.0.5 allow remote authenticated users, with certain creation privileges, to inject arbitrary web script or HTML via the (1) content parameter in conjunction with a /admin/poll/add PATH_INFO, the (2) meta parameter in conjunction with a /admin/category/add PATH_INFO, and the (3) keyword parameter in conjunction with a /admin/tag/add PATH_INFO. tomatocms-index-keyword-xss(58492) tomatocms-index-meta-xss(58491) tomatocms-index-content-xss(58475) 40108 39320 64554 64553 64552 http://holisticinfosec.org/content/view/141/45/ Cross-site scripting (XSS) vulnerability in admin/edit.php in Saurus CMS 4.7.0 allows remote authenticated users, with "Article list" edit privileges, to inject arbitrary web script or HTML via the pealkiri parameter. 40059 20100511 XSS in Saurus CMS http://www.htbridge.ch/advisory/xss_in_saurus_cms.html 39773 http://packetstormsecurity.org/1005-exploits/sauruscms-xss.txt 64570 Cross-site scripting (XSS) vulnerability in the CCK TableField module 6.x before 6.x-1.2 for Drupal allows remote authenticated users, with certain node creation or editing privileges, to inject arbitrary web script or HTML via table headers. ADV-2010-1080 http://drupal.org/node/790998 http://drupal.org/node/790364 ccktablefield-tableheaders-xss(58353) 39954 64358 39644 Directory traversal vulnerability in scr/soustab.php in OpenMairie Opencatalogue 1.024, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter, a related issue to CVE-2007-2069. ADV-2010-1051 64183 12475 39688 http://packetstormsecurity.org/1005-exploits/opencatalogue-lfi.txt Cross-site scripting (XSS) vulnerability in the Bibliography (Biblio) module 5.x through 5.x-1.17 and 6.x through 6.x-1.9 for Drupal allows remote authenticated users, with "administer biblio" privileges, to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-1358. 40127 http://drupal.org/node/797192 http://drupal.org/node/796502 http://drupal.org/node/796498 39810 Cross-site scripting (XSS) vulnerability in the CiviRegister module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI. 40130 http://drupal.org/node/797352 http://drupal.org/node/797342 39806 Cross-site scripting (XSS) vulnerability in the Wordfilter module 5.x before 5.x-1.1 and 6.x before 6.x-1.1 for Drupal allows remote authenticated users, with "administer words filtered" privileges, to inject arbitrary web script or HTML via the word list. 40119 http://drupal.org/node/797208 http://drupal.org/node/796620 http://drupal.org/node/796618 39811 Cross-site scripting (XSS) vulnerability in misc/get_admin.php in Advanced Poll 2.08 allows remote attackers to inject arbitrary web script or HTML via the mysql_host parameter. advancedpoll-getadmin-xss(58503) 40045 20100510 XSS vulnerability in Advanced Poll http://www.htbridge.ch/advisory/xss_vulnerability_in_advanced_poll.html 39768 http://packetstormsecurity.org/1005-exploits/advancedpoll208-xss.txt 64524 Stack-based buffer overflow in BS.Global BS.Player 2.51 Build 1022 Free, and possibly other versions, allows user-assisted remote attackers to execute arbitrary code via the Skin parameter in the Options section of a skins file (.bsi), a different vulnerability than CVE-2009-1068. bsplayer-bsi-bo(55708) ADV-2010-0148 37831 http://www.mertsarica.com/codes/bsplayer_seh_overwrite.py http://www.mertsarica.com/?p=511 11154 38221 Multiple PHP remote file inclusion vulnerabilities in DataLife Engine (DLE) 8.3 allow remote attackers to execute arbitrary PHP code via a URL in (1) the selected_language parameter to engine/inc/include/init.php, (2) the config[langs] parameter to engine/inc/help.php, (3) the config[lang] parameter to engine/ajax/pm.php, (4) and the _REQUEST[skin] parameter to engine/ajax/addcomments.php. datalife-multiple-file-include(55757) 37851 http://www.packetstormsecurity.com/1001-exploits/datalifeengine83-rfi.txt Directory traversal vulnerability in op/op.Login.php in LetoDMS (formerly MyDMS) 1.7.2 and earlier allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the lang parameter. https://www.sec-consult.com/files/20100115-0_mydms_file_inclusion.txt letodms-oplogin-file-include(55709) 37828 20100115 SEC Consult SA-20100115-0 :: Local file inclusion/execution and multiple CSRF vulnerabilities in LetoDMS (formerly MyDMS) DSA-2146 42900 38237 61834 Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS (formerly MyDMS) 1.7.2 and earlier allow remote attackers to hijack the authentication of administrators for requests that use (1) op/op.EditUserData.php, (2) op/op.UsrMgr.php, (3) out/out.RemoveVersion.php, (4) op/op.RemoveFolder.php, (5) op/op.DefaultKeywords.php, (6) op/op.GroupMgr.php, (7) op/op.FolderAccess.php, (8) op/op.FolderNotify.php, or (9) op.MoveFolder.php in mydms. https://www.sec-consult.com/files/20100115-0_mydms_file_inclusion.txt letodms-multiple-csrf(55710) 20100115 SEC Consult SA-20100115-0 :: Local file inclusion/execution and multiple CSRF vulnerabilities in LetoDMS (formerly MyDMS) 38237 61835 MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory. ADV-2010-1918 USN-1017-1 1024160 41198 MDVSA-2010:155 40762 40333 oval:org.mitre.oval:def:11869 FEDORA-2010-11135 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-48.html http://bugs.mysql.com/bug.php?id=53804 Stack-based buffer overflow in the media library in BS.Global BS.Player 2.51 build 1022, 2.41 build 1003, and possibly other versions allows user-assisted remote attackers to execute arbitrary code via a long ID3 tag in a .MP3 file. NOTE: some of these details are obtained from third party information. http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4932.php 38568 http://www.packetstormsecurity.org/1003-advisories/bsplayerml-overflow.txt 38221 Multiple cross-site scripting (XSS) vulnerabilities in the Chaos Tool Suite (aka CTools) module 6.x before 6.x-1.4 for Drupal allow remote attackers to inject arbitrary web script or HTML via a node title. 40285 http://drupal.org/node/803944 chaos-tool-titles-xss(58721) 39884 Microsoft Dynamics GP uses a substitution cipher to encrypt the system password field and unspecified other fields, which makes it easier for remote authenticated users to obtain sensitive information by decrypting a field's contents. http://www.christopherkois.com/?p=448 http://slashdot.org/story/10/05/21/1437227 http://blogs.msdn.com/developingfordynamicsgp/archive/2008/10/02/why-does-microsoft-dynamics-gp-encrypt-passwords.aspx SQL injection vulnerability in function.php in MigasCMS 1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the categorie parameter in a catalogo action. NOTE: some of these details are obtained from third party information. 40256 http://www.itsecteam.com/en/vulnerabilities/vulnerability54.htm 39878 http://packetstormsecurity.org/1005-exploits/migascms-sql.txt 64732 Cross-site scripting (XSS) vulnerability in cp/edit_email.php in LiSK CMS 4.4 allows remote attackers to inject arbitrary web script or HTML via the id parameter. 20100520 XSS vulnerability in LiSK CMS http://www.htbridge.ch/advisory/xss_vulnerability_in_product.html 39912 Cross-site scripting (XSS) vulnerability in cp/list_content.php in LiSK CMS 4.4 allows remote attackers to inject arbitrary web script or HTML via the cl or possibly id parameter. http://www.htbridge.ch/advisory/xss_vulnerability_in_lisk_cms.html 39912 Multiple SQL injection vulnerabilities in LiSK CMS 4.4 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in a view_inbox action to cp/cp_messages.php or (2) the id parameter to cp/edit_email.php. http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_lisk_cms_1.html http://www.htbridge.ch/advisory/sql_injection_vulnerability_in_lisk_cms.html 39912 SQL injection vulnerability in details.php in Iceberg CMS allows remote attackers to execute arbitrary SQL commands via the p_id parameter. icebergcms-details-sql-injection(58617) ADV-2010-1161 64694 12620 39833 http://packetstormsecurity.org/1005-exploits/iceberg-sql.txt Cross-site scripting (XSS) vulnerability in hasil-pencarian.html in Lokomedia CMS 1.4.1 and 2.0 allows remote attackers to inject arbitrary web script or HTML via the kata parameter. NOTE: some of these details are obtained from third party information. 39863 http://packetstormsecurity.org/1005-exploits/lokomediacms-xss.txt 64748 Directory traversal vulnerability in downlot.php in Lokomedia CMS 1.4.1 and 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. lokomedia-downlot-directory-traversal(58670) 12651 39863 http://packetstormsecurity.org/1005-exploits/lokomediacms-disclose.txt 64747 SQL injection vulnerability in downlot.php in Lokomedia CMS 1.4.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the file parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 39863 sys/nfsclient/nfs_vfsops.c in the NFS client in the kernel in FreeBSD 7.2 through 8.1-PRERELEASE, when vfs.usermount is enabled, does not validate the length of a certain fhsize parameter, which allows local users to gain privileges via a crafted mount request. 1024039 FreeBSD-SA-10:06 jail.c in jail in FreeBSD 8.0 and 8.1-PRERELEASE, when the "-l -U root" options are omitted, does not properly restrict access to the current working directory, which might allow local users to read, modify, or create arbitrary files via standard filesystem operations. ADV-2010-1247 40399 1024038 FreeBSD-SA-10:04 transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's file. http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.24&r2=1.25 https://bugzilla.redhat.com/show_bug.cgi?id=600093 exim-mail-directory-priv-escalation(59043) ADV-2011-0364 ADV-2010-1402 USN-1060-1 40451 20100603 Multiple vulnerabilities in Exim http://vcs.exim.org/viewvc/exim/exim-doc/doc-txt/ChangeLog?view=markup&pathrev=exim-4_72_RC2 43243 40123 40019 SUSE-SR:2010:014 FEDORA-2010-9524 FEDORA-2010-9506 [exim-dev] 20100524 Security issues in exim4 local delivery http://bugs.exim.org/show_bug.cgi?id=988 20100603 Multiple vulnerabilities in Exim transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/. http://vcs.exim.org/viewvc/exim/exim-src/src/transports/appendfile.c?r1=1.25&r2=1.26 http://bugs.exim.org/show_bug.cgi?id=989 https://bugzilla.redhat.com/show_bug.cgi?id=600097 exim-mbx-symlink(59042) ADV-2011-0364 ADV-2010-1402 USN-1060-1 40454 20100603 Multiple vulnerabilities in Exim http://vcs.exim.org/viewvc/exim/exim-doc/doc-txt/ChangeLog?view=markup&pathrev=exim-4_72_RC2 43243 40123 40019 SUSE-SR:2010:014 FEDORA-2010-9524 FEDORA-2010-9506 [exim-dev] 20100524 Security issues in exim4 local delivery 20100603 Multiple vulnerabilities in Exim Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allow remote attackers to hijack the authentication of administrators for requests that (1) reset the modem, (2) erase the firmware, (3) change the administrative password, (4) install modified firmware, or (5) change the access level, as demonstrated by a request to goform/_aslvl. 40346 20100524 Scientific Atlanta DPC2100 WebSTAR Cable Modem vulnerabilities The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allows remote attackers to bypass authentication, and reset the modem or replace the firmware, via a direct request to an unspecified page. 40346 20100524 Scientific Atlanta DPC2100 WebSTAR Cable Modem vulnerabilities Mathematica 7, when running on Linux, allows local users to overwrite arbitrary files via a symlink attack on (1) files within /tmp/MathLink/ or (2) /tmp/fonts$$.conf. 20100514 Mathematica on Linux /tmp/MathLink vulnerability 39805 20100514 Mathematica on Linux /tmp/MathLink vulnerability Buffer overflow in k23productions TFTPUtil GUI (aka TFTPGUI) 1.4.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long transport mode. tftpgui-mode-bo(58283) 39872 12530 12482 Cybozu Office 7 Ktai and Dotsales do not properly restrict access to the login page, which allows remote attackers to bypass authentication and obtain or modify sensitive information by using the unique ID of the user's cell phone. cybozu-office-dotsales-sec-bypass(57976) 63933 http://www.ipa.go.jp/security/english/vuln/201004_cybozu_en.html 39508 JVNDB-2010-000016 JVN#87730223 http://cybozu.co.jp/products/dl/notice/detail/0034.html Cross-site scripting (XSS) vulnerability in the External Link Page module 5.x before 5.x-1.0 and 6.x before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the administration and redirect pages. http://drupal.org/node/803766 externallinkpage-redirect-xss(58714) 39888 64762 KAVSafe.sys 2010.4.14.609 and earlier, as used in Kingsoft Webshield 3.5.1.2 and earlier, allows local users to overwrite arbitrary kernel memory via a crafted request to IOCTL 0x830020d4 on the KAVSafe device. webshield-kavsafe-privilege-escalation(58780) 40342 12710 39916 Multiple cross-site scripting (XSS) vulnerabilities in resin-admin/digest.php in Caucho Technology Resin Professional 3.1.5, 3.1.10, 4.0.6, and possibly other versions allow remote attackers to inject arbitrary web script or HTML via the (1) digest_realm or (2) digest_username parameters. NOTE: some of these details are obtained from third party information. caucho-resin-digest-xss(58733) ADV-2010-1201 40251 20100518 Caucho Technology Resin digest.php Cross Site Scripting Vulnerability 39839 http://packetstormsecurity.org/1005-exploits/cauchoresin312-xss.txt Directory traversal vulnerability in the Percha Multicategory Article (com_perchacategoriestree) component 0.6 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 40244 39873 http://packetstormsecurity.org/1005-exploits/joomlaperchact-lfi.txt Directory traversal vulnerability in the Percha Image Attach (com_perchaimageattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 40244 http://packetstormsecurity.org/1005-exploits/joomlaperchaia-lfi.txt Directory traversal vulnerability in the Percha Gallery (com_perchagallery) component 1.6 Beta for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 40244 http://packetstormsecurity.org/1005-exploits/joomlaperchagl-lfi.txt Directory traversal vulnerability in the Percha Fields Attach (com_perchafieldsattach) component 1.x for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 40244 http://packetstormsecurity.org/1005-exploits/joomlaperchafa-lfi.txt Directory traversal vulnerability in the Percha Downloads Attach (com_perchadownloadsattach) component 1.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. 40244 http://packetstormsecurity.org/1005-exploits/joomlaperchada-lfi.txt Cross-site scripting (XSS) vulnerability in include/tool/editing_files.php in gpEasy CMS 1.6.2 allows remote authenticated users, with Edit privileges, to inject arbitrary web script or HTML via the gpcontent parameter to index.php. NOTE: some of these details are obtained from third party information. 40330 20100520 XSS vulnerability in gpEasy CMS http://www.htbridge.ch/advisory/xss_vulnerability_in_gpeasy_cms.html 39643 http://packetstormsecurity.org/1005-exploits/gpeasycms-xss.txt Cross-site request forgery (CSRF) vulnerability in gpEasy CMS 1.6.2, 1.6.1, and earlier allows remote attackers to hijack the authentication of administrators for requests that create new administrative users via an Admin_Users action to index.php. NOTE: some of these details are obtained from third party information. gpeasy-admin-interface-csrf(58214) ADV-2010-1030 64130 12441 39643 http://packetstormsecurity.org/1004-exploits/gpeasy-xsrf.txt Cross-site scripting (XSS) vulnerability in search.php in V-EVA Shopzilla Affiliate Script PHP allows remote attackers to inject arbitrary web script or HTML via the s parameter. shopzilla-search-xss(58749) 40246 http://www.packetstormsecurity.org/1005-exploits/shopzillaas-xss.txt 39877 64746 Multiple cross-site scripting (XSS) vulnerabilities in index.php in PHP-Calendar before 2.0 Beta7 allow remote attackers to inject arbitrary web script or HTML via the (1) description and (2) lastaction parameters. 40334 phpcalendar-description-xss(58861) ADV-2010-1202 20100521 PHP-Calendar "description" and "lastaction" Cross Site Scripting Vulnerabilities 33899 http://php-calendar.blogspot.com/2010/05/php-calendar-20-beta7.html http://packetstormsecurity.org/1005-advisories/phpcalendar-xss.txt SQL injection vulnerability in search.php in ECShop 2.7.2 allows remote attackers to execute arbitrary SQL commands via the encode parameter. NOTE: some of these details are obtained from third party information. 40338 12702 39930 http://packetstormsecurity.org/1005-exploits/ecshopsearch-sql.txt Cross-site scripting (XSS) vulnerability in Home.aspx in DataTrack System 3.5 and 3.5.8019.4 allows remote attackers to inject arbitrary web script or HTML via the Work_Order_Summary parameter (aka the request summary). NOTE: some of these details are obtained from third party information. datatrack-workordersummary-xss(58732) 40249 39868 http://packetstormsecurity.org/1005-exploits/datatrackserver35-xss.txt 64727 http://cross-site-scripting.blogspot.com/2010/05/datatrack-system-35-persistent-xss.html SQL injection vulnerability in the Konsultasi (com_konsultasi) component 1.0.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in a detail action to index.php. konsultasi-sid-sql-injection(58584) 40160 12590 39816 http://packetstormsecurity.org/1005-exploits/joomlakonsultasi-sql.txt 64637 Directory traversal vulnerability in the Dione Form Wizard (aka FDione or com_dioneformwizard) component 1.0.2 for Joomla! allows remote attackers to read arbitrary files via directory traversal sequences in the controller parameter to index.php. dioneformwizard-controller-file-include(58574) 40166 12595 39755 http://packetstormsecurity.org/1005-exploits/joomlafdione-lfi.txt 64633 Multiple cross-site scripting (XSS) vulnerabilities in the ActiveHelper LiveHelp (com_activehelper_livehelp) component 2.0.3 for Joomla! allow remote attackers to inject arbitrary web script or HTML via (1) the DOMAINID parameter to server/cookies.php or (2) the SERVER parameter to server/index.php. http://xenuser.org/documents/security/joomla_com_activehelper_livehelp_xss.txt http://www.xenuser.org/2010/05/19/joomla-component-activehelper-livehelp-xss-vulnerabilities/ 40278 39870 http://packetstormsecurity.org/1005-exploits/joomlaactivehelper-xss.txt SQL injection vulnerability in index.php in JE CMS 1.0.0 and 1.1 allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewcategory action. NOTE: some of these details are obtained from third party information. jecms-index-sql-injection(58646) 40231 12641 39851 64716 Multiple cross-site scripting (XSS) vulnerabilities in the Heartbeat module 6.x before 6.x-4.9 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. 40268 http://drupal.org/node/803570 http://drupal.org/node/802508 heartbeat-unspecified-xss(58702) 39893 Cross-site scripting (XSS) vulnerability in jsp/audit/reports/ExportReport.jsp in ManageEngine ADAudit Plus 4.0.0 build 4043 allows remote attackers to inject arbitrary web script or HTML via the reportList parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 40253 39876 64726 Directory traversal vulnerability in the Moron Solutions MS Comment (com_mscomment) component 0.8.0b for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. mscomment-controller-file-include(58619) ADV-2010-1159 40185 12611 http://packetstormsecurity.org/1005-exploits/joomlamscomment-lfi.txt SQL injection vulnerability in article.php in Debliteck DBCart allows remote attackers to execute arbitrary SQL commands via the id parameter. 12661 39867 http://packetstormsecurity.org/1005-exploits/dbcart-sql.txt ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2155. Reason: This candidate is a duplicate of CVE-2010-2155. Notes: All CVE users should reference CVE-2010-2155 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. emesenelib/ProfileManager.py in emesene before 1.6.2 allows local users to overwrite arbitrary files via a symlink attack on the emsnpic temporary file. http://forum.emesene.org/index.php?topic=3441.0 emesene-emsnpic-symlink(59045) ADV-2010-1423 40455 http://www.emesene.org/ 40115 39945 65018 [oss-security] 20100529 Fwd: emesene preditable temporary filename FEDORA-2010-9679 FEDORA-2010-9692 FEDORA-2010-9696 Integer overflow in httpAdapter.c in httpAdapter in SBLIM SFCB 1.3.4 through 1.3.7, when the configuration sets httpMaxContentLength to a zero value, allows remote attackers to cause a denial of service (heap memory corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header, aka bug #3001915. NOTE: some of these details are obtained from third party information. ADV-2010-1312 http://sourceforge.net/tracker/index.php?func=detail&aid=3001915&group_id=128809&atid=712784 40018 http://sblim.cvs.sourceforge.net/viewvc/sblim/sfcb/httpAdapter.c?r1=1.85&r2=1.86 [oss-security] 20100601 SFCB vulnerabilities Ghostscript 8.71 and earlier reads initialization files from the current working directory, which allows local users to execute arbitrary PostScript commands via a Trojan horse file, related to improper support for the -P- option to the gs program. https://bugzilla.redhat.com/show_bug.cgi?id=599564 https://bugzilla.novell.com/show_bug.cgi?id=608071 ADV-2010-1757 20100526 Re: Ghostscript 8.64 executes random code at startup 20100526 Re: Ghostscript 8.64 executes random code at startup 20100526 Re: Ghostscript 8.64 executes random code at startup 20100522 Ghostscript 8.64 executes random code at startup 66247 40532 40475 40452 http://savannah.gnu.org/forum/forum.php?forum_id=6368 SUSE-SR:2010:014 FEDORA-2010-10642 FEDORA-2010-10660 http://bugs.ghostscript.com/show_bug.cgi?id=691350 http://bugs.ghostscript.com/show_bug.cgi?id=691339 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583316 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=583183 GNU gv before 3.7.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file. http://savannah.gnu.org/forum/forum.php?forum_id=6368 https://bugzilla.redhat.com/show_bug.cgi?id=599621 ADV-2010-1757 66249 40532 40475 FEDORA-2010-10642 FEDORA-2010-10660 shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack. http://svn.apache.org/viewvc/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java?r1=943327&r2=951801 https://issues.apache.org/jira/browse/MYFACES-2749 https://bugzilla.redhat.com/show_bug.cgi?id=623799 setup.py in Prewikka 0.9.14 installs prewikka.conf with world-readable permissions, which allows local users to obtain the SQL database password. https://dev.prelude-technologies.com/projects/prewikka/repository/revisions/17e38c310410be1b7811152172cda4438936063d [oss-security] 20100602 prewikka permission bug FEDORA-2009-3789 https://dev.prelude-technologies.com/projects/prewikka/repository/revisions/17e38c310410be1b7811152172cda4438936063d/diff/setup.py https://bugs.gentoo.org/show_bug.cgi?id=270056 prewikka-setup-information-disclosure(59223) GLSA-201101-07 42820 lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file. http://distrib-coffee.ipsl.jussieu.fr/pub/mirrors/rpm/files/rpm/rpm-4.4/rpm-4.4.3.tar.gz https://bugzilla.redhat.com/show_bug.cgi?id=598775 https://bugzilla.redhat.com/show_bug.cgi?id=125517 ADV-2011-0606 http://www.vmware.com/security/advisories/VMSA-2011-0004.html 20110308 VMSA-2011-0004 VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm. RHSA-2010:0679 65143 [oss-security] 20100604 Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775) [oss-security] 20100603 Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775) [oss-security] 20100602 Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775) [oss-security] 20100602 CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775) MDVSA-2010:180 40028 http://rpm.org/gitweb?p=rpm.git;a=commit;h=ca2d6b2b484f1501eafdde02e1688409340d2383 [oss-security] 20100603 Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775) [security-announce] 20110307 VMSA-2011-0004 VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm SUSE-SR:2010:017 SUSE-SR:2010:014 The put command functionality in beanstalkd 1.4.5 and earlier allows remote attackers to execute arbitrary Beanstalk commands via the body in a job that is too big, which is not properly handled by the dispatch_cmd function in prot.c. Per: http://cwe.mitre.org/data/definitions/77.html 'CWE-77: Improper Sanitization of Special Elements used in a Command ('Command Injection')' beanstalkd-put-command-execution(59107) 40516 40032 65113 http://kr.github.com/beanstalkd/2010/05/23/1.4.6-release-notes.html http://github.com/kr/beanstalkd/commit/2e8e8c6387ecdf5923dfc4d7718d18eba1b0873d Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet. http://www.samba.org/samba/ftp/patches/security/samba-3.3.12-CVE-2010-2063.patch http://www.samba.org/samba/ftp/patches/security/samba-3.0.37-CVE-2010-2063.patch [samba-announce] 20100616 Samba 3.3.13 Security Release Available for Download samba-smb1-code-execution(59481) ADV-2010-3063 ADV-2010-1517 ADV-2010-1507 ADV-2010-1505 ADV-2010-1504 ADV-2010-1486 1024107 40884 http://www.samba.org/samba/security/CVE-2010-2063.html http://www.samba.org/samba/ftp/history/samba-3.3.13.html RHSA-2010:0488 MDVSA-2010:119 DSA-2061 USN-951-1 http://support.apple.com/kb/HT4312 SSA:2010-169-01 42319 40293 40221 40210 40145 oval:org.mitre.oval:def:9859 oval:org.mitre.oval:def:7115 oval:org.mitre.oval:def:12427 65518 SSRT100460 HPSBUX02657 HPSBUX02609 HPSBUX02609 SUSE-SR:2010:014 APPLE-SA-2010-08-24-1 20100616 Samba 3.3.12 Memory Corruption Vulnerability Integer overflow in the TIFFroundup macro in LibTIFF before 3.9.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TIFF file that triggers a buffer overflow. https://bugzilla.redhat.com/show_bug.cgi?id=601274 https://bugs.launchpad.net/ubuntu/+source/tiff/+bug/589565 ADV-2011-0621 ADV-2011-0204 USN-954-1 http://www.remotesensing.org/libtiff/v3.9.3.html MDVSA-2011:043 40181 [oss-security] 20100623 CVE requests: LibTIFF http://blogs.sun.com/security/entry/cve_2010_2065_cve_2010 The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor. https://bugzilla.redhat.com/show_bug.cgi?id=601006 http://www.vmware.com/security/advisories/VMSA-2011-0003.html USN-1000-1 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0610 [oss-security] 20100609 Re: CVE request - kernel: ext4: Make sure the MOVE_EXT ioctl can't overwrite append-only files [oss-security] 20100607 CVE request - kernel: ext4: Make sure the MOVE_EXT ioctl can't overwrite append-only files http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.35 43315 SUSE-SA:2010:033 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1f5a81e41f8b1a782c68d3843e9ec1bfaadf7d72 Stack-based buffer overflow in the TIFFFetchSubjectDistance function in tif_dirread.c in LibTIFF before 3.9.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long EXIF SubjectDistance field in a TIFF file. https://bugzilla.redhat.com/show_bug.cgi?id=599576 USN-954-1 http://www.remotesensing.org/libtiff/v3.9.4.html 40241 65676 [oss-security] 20100623 CVE requests: LibTIFF SUSE-SR:2010:014 http://bugzilla.maptools.org/show_bug.cgi?id=2212 mod_proxy_http.c in mod_proxy_http in the Apache HTTP Server 2.2.9 through 2.2.15, 2.3.4-alpha, and 2.3.5-alpha on Windows, NetWare, and OS/2, in certain configurations involving proxy worker pools, does not properly detect timeouts, which allows remote attackers to obtain a potentially sensitive response intended for a different client in opportunistic circumstances via a normal HTTP request. Per: http://httpd.apache.org/security/vulnerabilities_22.html 'Only Windows, Netware and OS2 operating systems are affected.' ADV-2010-1436 http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/CVE-2010-2068-r953418.patch http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/CVE-2010-2068-r953616.patch http://httpd.apache.org/security/vulnerabilities_22.html apache-modproxyhttp-timeout-info-disc(59413) 40827 20100611 [advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068 RHSA-2011:0896 SSRT100219 SSRT100219 PM16366 SI4053 http://support.apple.com/kb/HT4581 1024096 41722 41490 41480 40824 40206 oval:org.mitre.oval:def:6931 oval:org.mitre.oval:def:11491 [apache-announce] 20100725 [ANNOUNCEMENT] Apache HTTP Server 2.2.16 Released [httpd-announce] 20100611 [advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068 APPLE-SA-2011-03-21-1 arch/ia64/xen/faults.c in Xen 3.4 and 4.0 in Linux kernel 2.6.18, and possibly other kernel versions, when running on IA-64 architectures, allows local users to cause a denial of service and "turn on BE by modifying the user mask of the PSR," as demonstrated via exploitation of CVE-2006-0742. https://bugzilla.redhat.com/show_bug.cgi?id=586415 xen-faults-dos(59373) http://xenbits.xensource.com/xen-4.0-testing.hg?rev/42caadb14edb http://www.vmware.com/security/advisories/VMSA-2011-0003.html 40776 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX RHSA-2010:0610 [oss-security] 20100611 CVE-2010-2070 kernel-xen: ia64-xen: unset be from the task psr 43315 65541 The btrfs_xattr_set_acl function in fs/btrfs/acl.c in btrfs in the Linux kernel 2.6.34 and earlier does not check file ownership before setting an ACL, which allows local users to bypass file permissions by setting arbitrary ACLs, as demonstrated using setfacl. [linux-kernel] 20100518 [PATCH] btrfs: should add a permission check for setfacl http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2f26afba [oss-security] 20100614 Re: CVE request - kernel: btrfs: prevent users from setting ACLs on files they do not own [oss-security] 20100611 CVE request - kernel: btrfs: prevent users from setting ACLs on files they do not own Pyftpd 0.8.4 creates log files with predictable names in a temporary directory, which allows local users to cause a denial of service and obtain sensitive information. pyftpd-logfile-symlink(59429) 40842 [oss-security] 20100613 CVE request - pyftpd insecure usage of temporary directory http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585773 auth_db_config.py in Pyftpd 0.8.4 contains hard-coded usernames and passwords for the (1) test, (2) user, and (3) roxon accounts, which allows remote attackers to read arbitrary files from the FTP server. pyftpd-default-account(59431) 40839 [oss-security] 20100613 CVE request - pyftpd default username and password vulnerability http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=585776 istream.c in w3m 0.5.2 and possibly other versions, when ssl_verify_server is enabled, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. ADV-2010-1928 ADV-2010-1879 ADV-2010-1467 1024252 40837 RHSA-2010:0565 [oss-security] 20100614 CVE Request: w3m does not check null bytes CN/subjAltName 40733 40134 65538 SUSE-SR:2010:014 FEDORA-2010-10369 UnrealIRCd 3.2.8.1, as distributed on certain mirror sites from November 2009 through June 2010, contains an externally introduced modification (Trojan Horse) in the DEBUG3_DOLOG_SYSTEM macro, which allows remote attackers to execute arbitrary commands. Per: http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt 'Official precompiled Windows binaries (SSL and non-ssl) are NOT affected. CVS is also not affected. 3.2.8 and any earlier versions are not affected. Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check, see next.' ADV-2010-1437 http://www.unrealircd.com/txt/unrealsecadvisory.20100612.txt 40820 [oss-security] 20100614 Re: CVE request: UnrealIRCd 3.2.8.1 source code contained a backdoor allowing for remote command execution 13853 GLSA-201006-21 40169 20100612 Re: Fw: [irc-security] UnrealIRCd 3.2.8.1 backdoored on official ftp and site 20100612 Fw: [irc-security] UnrealIRCd 3.2.8.1 backdoored on official ftp and site 65445 Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632. https://issues.apache.org/jira/browse/GERONIMO-5383 42492 [cxf-users] 20100616 Important - Apache CXF security advisory CVE-2010-2076 http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf 41025 41016 40969 http://geronimo.apache.org/22x-security-report.html http://geronimo.apache.org/21x-security-report.html http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-1640. Reason: This candidate is a duplicate of CVE-2010-1640. Notes: All CVE users should reference CVE-2010-1640 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. DataTrack System 3.5 allows remote attackers to list the root directory via a (1) /%u0085/ or (2) /%u00A0/ URI. datatrack-unicode-info-disc(58734) http://packetstormsecurity.org/1005-exploits/datatrackserver35-xss.txt http://cross-site-scripting.blogspot.com/2010/05/datatrack-system-35-persistent-xss.html DataTrack System 3.5 allows remote attackers to bypass intended restrictions on file extensions, and read arbitrary files, via a trailing backslash in a URI, as demonstrated by (1) web.config\ and (2) .ascx\ files. datatrack-backslash-info-disc(58735) http://packetstormsecurity.org/1005-exploits/datatrackserver35-xss.txt http://cross-site-scripting.blogspot.com/2010/05/datatrack-system-35-persistent-xss.html Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. otrs-unspecified-xss(61868) 43264 http://security-tracker.debian.org/tracker/CVE-2010-2080 41381 http://otrs.org/advisory/OSA-2010-02-en/ SUSE-SR:2010:024 The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 has a default administrative password (aka SAPassword) of W2402, which makes it easier for remote attackers to obtain privileged access. 20100524 Scientific Atlanta DPC2100 WebSTAR Cable Modem vulnerabilities Microsoft Dynamics GP has a default value of ACCESS for the system password, which might make it easier for remote authenticated users to bypass intended access restrictions via unspecified vectors. http://www.christopherkois.com/?p=448 Microsoft ASP.NET 2.0 does not prevent setting the InnerHtml property on a control that inherits from HtmlContainerControl, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to an attribute. http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/03/30/configuration-is-half-the-battle-asp-net-and-cross-site-scripting.aspx The default configuration of ASP.NET in Microsoft .NET before 1.1 has a value of FALSE for the EnableViewStateMac property, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the __VIEWSTATE parameter. https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application Server and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf Oracle Mojarra 1.2_14 and 2.0.2, as used in IBM WebSphere Application Server, Caucho Resin, and other applications, does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf ASP.NET in Microsoft .NET 3.5 does not properly handle an unencrypted view state, which allows remote attackers to conduct cross-site scripting (XSS) attacks against the form control via the __VIEWSTATE parameter. https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf The audioop module in Python 2.7 and 3.2 does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634. http://bugs.python.org/issue7673 https://bugzilla.redhat.com/show_bug.cgi?id=598197 ADV-2011-0212 ADV-2011-0122 ADV-2010-1448 40863 RHSA-2011:0027 http://support.apple.com/kb/HT5002 43068 42888 40194 SUSE-SR:2011:002 SUSE-SR:2010:024 FEDORA-2010-9652 APPLE-SA-2011-10-12-3 The npb_protocol_error function in sna V5router64 in IBM Communications Server for Windows 6.1.3 and Communications Server for AIX (aka CSAIX or CS/AIX) in sna.rte before 6.3.1.2 allows remote attackers to cause a denial of service (daemon crash) via APPC data containing a GDSID variable with a GDS length that is too small. csa-appc-dos(58874) ADV-2010-1244 40372 http://www-01.ibm.com/support/docview.wss?uid=swg24013012 JR36026 IZ68810 39909 Microsoft Outlook Web Access (OWA) 8.2.254.0, when Internet Explorer 7 on Windows Server 2003 is used, does not properly handle the id parameter in a Folder IPF.Note action to the default URI, which might allow remote attackers to obtain sensitive information or conduct cross-site scripting (XSS) attacks via an invalid value. ms-owa-id-xss(58835) 20100525 Re: Microsoft Outlook Web Access (OWA) v8.2.254.0 "id" parameter Information Disclosure Vulnerability 20100521 Re: Microsoft Outlook Web Access (OWA) v8.2.254.0 "id" parameter Information Disclosure Vulnerability 20100520 Microsoft Outlook Web Access (OWA) v8.2.254.0 "id" parameter Information Disclosure Vulnerability 12728 SQL injection vulnerability in graph.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via a crafted rra_id parameter in a GET request in conjunction with a valid rra_id value in a POST request or a cookie, which causes the POST or cookie value to bypass the validation routine, but inserts the $_GET value into the resulting query. RHSA-2010:0635 DSA-2060 http://www.cacti.net/changelog.php 41041 http://php-security.org/2010/05/13/mops-2010-023-cacti-graph-viewer-sql-injection-vulnerability/index.html Use-after-free vulnerability in the request shutdown functionality in PHP 5.2 before 5.2.13 and 5.3 before 5.3.2 allows context-dependent attackers to cause a denial of service (crash) via a stream context structure that is freed before destruction occurs. http://php-security.org/2010/05/12/mops-2010-022-php-stream-context-use-after-free-on-request-shutdown-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function. ADV-2011-0068 MDVSA-2011:004 http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.html http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.html http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.html http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 SQL injection vulnerability in index.php in CMSQlite 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the c parameter. http://php-security.org/2010/05/15/mops-2010-029-cmsqlite-c-parameter-sql-injection-vulnerability/index.html Directory traversal vulnerability in index.php in CMSQlite 1.2 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the mod parameter. http://php-security.org/2010/05/15/mops-2010-030-cmsqlite-mod-parameter-local-file-inclusion-vulnerability/index.html The (1) iconv_mime_decode, (2) iconv_substr, and (3) iconv_mime_encode functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. http://php-security.org/2010/05/18/mops-2010-034-php-iconv_mime_encode-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/18/mops-2010-033-php-iconv_substr-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/18/mops-2010-032-php-iconv_mime_decode-interruption-information-leak-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 Incomplete blacklist vulnerability in usersettings.php in e107 0.7.20 and earlier allows remote attackers to conduct SQL injection attacks via the loginname parameter. Per: http://cwe.mitre.org/data/definitions/184.html 'CWE-184: Incomplete Blacklist' http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_0.7/usersettings.php?r1=11538&r2=11541 http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_0.7/usersettings.php?r1=11521&r2=11538 bbcode/php.bb in e107 0.7.20 and earlier does not perform access control checks for all inputs that could contain the php bbcode tag, which allows remote attackers to execute arbitrary PHP code, as demonstrated using the toEmail method in contact.php, related to invocations of the toHTML method. 40252 http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html The (1) htmlentities, (2) htmlspecialchars, (3) str_getcsv, (4) http_build_query, (5) strpbrk, and (6) strtr functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. http://php-security.org/2010/05/21/mops-2010-040-php-strtr-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/21/mops-2010-039-php-strpbrk-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/21/mops-2010-038-php-http_build_query-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/21/mops-2010-037-php-str_getcsv-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/21/mops-2010-036-php-htmlentities-and-htmlspecialchars-interruption-information-leak-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 The (1) strip_tags, (2) setcookie, (3) strtok, (4) wordwrap, (5) str_word_count, and (6) str_pad functions in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature. http://php-security.org/2010/05/26/mops-2010-046-php-str_pad-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/26/mops-2010-045-php-str_word_count-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/26/mops-2010-044-php-wordwrap-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/26/mops-2010-043-php-strtok-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/26/mops-2010-042-php-setcookie-interruption-information-leak-vulnerability/index.html http://php-security.org/2010/05/26/mops-2010-041-php-strip_tags-interruption-information-leak-vulnerability/index.html SUSE-SR:2010:018 SUSE-SR:2010:017 Buffer overflow in Webby Webserver 1.01 allows remote attackers to execute arbitrary code via a long HTTP GET request. webby-get-bo(58892) 40353 20100525 Webby Webserver v1.01 - Buffer overflow vulnerability with overwritten structured exception handler (SEH) 12740 Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/engagingglobally in the administration console in Apache Axis2/Java 1.4.1, 1.5.1, and possibly other versions, as used in SAP Business Objects 12, 3com IMC, and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the modules parameter. NOTE: some of these details are obtained from third party information. axis2-modules-xss(58790) ADV-2010-1215 40327 20100521 PR10-03: Authenticated Cross-Site Scripting (XSS) within the Apache Axis2 administration console http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-03 12689 http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf 39906 64844 Directory traversal vulnerability in Orbit Downloader 3.0.0.4 and 3.0.0.5 allows user-assisted remote attackers to write arbitrary files via a metalink file containing directory traversal sequences in the name attribute of a file element. 20100519 Secunia Research: Orbit Downloader metalink "name" Directory Traversal http://secunia.com/secunia_research/2010-73/ 39527 Google Chrome before 5.0.375.55 does not properly follow the Safe Browsing specification's requirements for canonicalization of URLs, which has unspecified impact and remote attack vectors. oval:org.mitre.oval:def:12113 http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=7713 Unspecified vulnerability in Google Chrome before 5.0.375.55 might allow remote attackers to spoof the URL bar via vectors involving unload event handlers. oval:org.mitre.oval:def:11644 http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=16535 Unspecified vulnerability in Google Chrome before 5.0.375.55 allows attackers to cause a denial of service (memory error) or possibly have unspecified other impact via vectors related to the Safe Browsing functionality. oval:org.mitre.oval:def:12128 http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=30079 Unspecified vulnerability in Google Chrome before 5.0.375.55 allows remote attackers to bypass the whitelist-mode plugin blocker via unknown vectors. oval:org.mitre.oval:def:12126 http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=39740 Unspecified vulnerability in Google Chrome before 5.0.375.55 allows user-assisted remote attackers to cause a denial of service (memory error) or possibly have unspecified other impact via vectors related to the "drag + drop" functionality. oval:org.mitre.oval:def:12083 http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=41469 Google Chrome before 5.0.375.55 does not properly execute JavaScript code in the extension context, which has unspecified impact and remote attack vectors. oval:org.mitre.oval:def:12123 http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=42228 Cross-site request forgery (CSRF) vulnerability in user/user-set.do in Pacific Timesheet 6.74 build 363 allows remote attackers to hijack the authentication of administrators for requests that create a new administrator via a new_admin action. pacific-timesheet-unspecified-csrf(58934) 39951 64924 http://cross-site-scripting.blogspot.com/2010/05/pacific-timesheet-674-cross-site.html Directory traversal vulnerability in the FTP service in FileCOPA before 5.03 allows remote attackers to read or overwrite arbitrary files via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 39843 64823 Multiple cross-site request forgery (CSRF) vulnerabilities in The Uniform Server 5.6.5 allow remote attackers to hijack the authentication of administrators for requests that change passwords via (1) apsetup.php, (2) psetup.php, (3) sslpsetup.php, or (4) mqsetup.php. uniform-server-unspecified-csrf(58844) 39913 64858 http://cross-site-scripting.blogspot.com/2010/05/uniform-server-565-xsrf.html Cross-site request forgery (CSRF) vulnerability in pbx/gate in Brekeke PBX 2.4.4.8 allows remote attackers to hijack the authentication of users for requests that change passwords via the pbxadmin.web.PbxUserEdit bean. 39952 64950 http://cross-site-scripting.blogspot.com/2010/05/brekeke-pbx-2448-cross-site-request.html