Cach�Ã�© Database 5.x installs /cachesys/bin/cache with world-writable permissions, which allows local users to gain privileges by modifying cache and executing it via cuxs. Cach�Ã�© Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges. Multiple SQL injection vulnerabilities in Simple Document Management System (SDMS) 2.0-CVS and earlier allow remote attackers to execute arbitrary SQL commands via the (1) folder_id parameter in list.php and (2) mid parameter in a view action to messages.php. ADV-2005-2614 15596 21375 21374 17746 http://pridels0.blogspot.com/2005/11/sdms-20-sql-inj-vuln.html The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information. 28483 http://tomcat.apache.org/security-4.html SQL injection vulnerability in login.php in Simple Document Management System (SDMS) 1.1.5 and 1.1.4, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the pass parameter. sdms-login-sql-injection(46342) 32114 6987 32502 SQL injection vulnerability in login.php in Simple Document Management System (SDMS) 1.1.5 and 1.1.4, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the login parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. sdms-login-sql-injection(48944) sdms-login-sql-injection(46342) 32114 32502 The kernel in Sun Solaris 10 and 11 snv_101b, and OpenSolaris before snv_108, allows remote attackers to cause a denial of service (system crash) via a crafted IPv6 packet, related to an "insufficient validation security vulnerability," as demonstrated by SunOSipv6.c. sun-solaris-ipv6packets-dos(48208) ADV-2009-0232 33435 7865 251006 1021635 33605 20090126 Solaris Devs Are Smoking Pot SQL injection vulnerability in notes.php in My Kazaam Notes Management System allows remote attackers to execute arbitrary SQL commands via vectors involving the "Enter Reference Number Below" text box. notes-notes-sql-injection(60254) 41542 14325 http://packetstormsecurity.org/1007-exploits/mykazaamnms-sqlxss.txt Cross-site scripting (XSS) vulnerability in notes.php in My Kazaam Notes Management System allows remote attackers to inject arbitrary web script or HTML via vectors involving the "Enter Reference Number Below" text box. notes-notes-xss(60253) 41542 14325 http://packetstormsecurity.org/1007-exploits/mykazaamnms-sqlxss.txt SQL injection vulnerability in detail.php in Simple Document Management System (SDMS) allows remote attackers to execute arbitrary SQL commands via the doc_id parameter. 41431 14262 SQL injection vulnerability in default.asp in KMSoft Guestbook (aka GBook) allows remote attackers to execute arbitrary SQL commands via the p parameter. kmsoft-guestbook-default-sql-injection(60198) ADV-2010-1768 41491 14281 PHP remote file inclusion vulnerability in mod_chatting/themes/default/header.php in Family Connections Who is Chatting 2.2.3 allows remote attackers to execute arbitrary PHP code via a URL in the TMPL[path] parameter. whoischatting-header-file-include(60057) ADV-2010-1687 41346 14186 Untrusted search path vulnerability in colorcpl.exe 6.0.6000.16386 in the Color Control Panel in Microsoft Windows Server 2008 SP2 allows local users to gain privileges via a Trojan horse sti.dll file in the current working directory, as demonstrated by a directory that contains a .camp, .cdmp, .gmmp, .icc, or .icm file. http://shinnai.altervista.org/exploits/SH-006-20100914.html The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. http://svn.apache.org/viewvc?view=rev&rev=1159309 http://svn.apache.org/viewvc?view=rev&rev=1158180 http://svn.apache.org/viewvc?view=rev&rev=1087655 RHSA-2011:1845 MDVSA-2011:156 http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html SUSE-SU-2012:0155 Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 and 7.0 before 7.0.0.19 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1308. was-incomplete-ivt-xss(69731) http://www-01.ibm.com/support/docview.wss?uid=swg27007951 PM65992 PM40733 Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket. http://svn.php.net/viewvc?view=revision&revision=311369 http://svn.php.net/viewvc/php/php-src/trunk/ext/sockets/sockets.c?r1=311369&r2=311368&pathrev=311369 [oss-security] 20110524 Re: CVE request: PHP socket_connect() - stack buffer overflow [oss-security] 20110523 CVE request: PHP socket_connect() - stack buffer overflow php-socketconnect-bo(67606) 49241 RHSA-2011:1423 http://www.php.net/ChangeLog-5.php#5.3.7 http://www.php.net/archive/2011.php#id2011-08-18-1 MDVSA-2011:165 17318 DSA-2399 http://support.apple.com/kb/HT5130 8294 8262 72644 APPLE-SA-2012-02-01-1 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.3.x before 3.3.10.1 and 3.4.x before 3.4.1 allow remote attackers to inject arbitrary web script or HTML via a crafted table name that triggers improper HTML rendering on a Tracking page, related to (1) libraries/tbl_links.inc.php and (2) tbl_tracking.php. http://www.phpmyadmin.net/home_page/security/PMASA-2011-3.php http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=d3ccf798fdbd4f8a89d4088130637d8dee918492 http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=7e10c132a3887c8ebfd7a8eee356b28375f1e287 Open redirect vulnerability in the redirector feature in phpMyAdmin 3.4.x before 3.4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=ecfc8ba4f7b4ea612c58ab5726054ed0f28e200d http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=b7a8179eb6bf0f1643970ac57a70b5b513a1cd4f http://www.phpmyadmin.net/home_page/security/PMASA-2011-4.php Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote attackers to affect availability via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 8.98 allows remote authenticated users to affect confidentiality, related to Enterprise Infrastructure SEC (JDNET). http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 8.98 allows remote authenticated users to affect confidentiality, related to Enterprise Infrastructure SEC (JDENET), a different vulnerability than CVE-2011-2326, CVE-2011-3509, and CVE-2011-3524. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash. http://www.openwall.com/crypt/ php-cryptblowfish-info-disclosure(69319) USN-1229-1 49241 RHSA-2011:1423 RHSA-2011:1378 RHSA-2011:1377 http://www.postgresql.org/docs/8.4/static/release-8-4-9.html http://www.php.net/ChangeLog-5.php#5.3.7 http://www.php.net/archive/2011.php#id2011-08-18-1 MDVSA-2011:180 MDVSA-2011:179 MDVSA-2011:178 MDVSA-2011:165 DSA-2399 DSA-2340 http://support.apple.com/kb/HT5130 http://php.net/security/crypt_blowfish SUSE-SA:2011:035 APPLE-SA-2012-02-01-1 http://freshmeat.net/projects/crypt_blowfish Buffer overflow in the Error function in super.c in Super 3.30.0 might allow local users to execute arbitrary code via vectors related to syslog logging. NOTE: some of these details are obtained from third party information. super-error-bo(72243) 51319 DSA-2383 47514 47430 78213 Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow. https://bugzilla.redhat.com/show_bug.cgi?id=731246 [oss-security] 20110819 Re: CVE request: heap overflow in perl while decoding Unicode string http://perl5.git.perl.org/perl.git/commitdiff/e46d973584785af1f445c4dedbee4243419cb860#patch5 RHSA-2011:1424 [oss-security] 20110818 CVE request: heap overflow in perl while decoding Unicode string http://search.cpan.org/~flora/perl-5.14.2/pod/perldelta.pod#Encode_decode_xs_n-byte_heap-overflow_(CVE-2011-2939) Address Book in Apple Mac OS X before 10.7.3 automatically switches to unencrypted sessions upon failure of encrypted connections, which allows remote attackers to read CardDAV data by terminating an encrypted connection and then sniffing the network. http://support.apple.com/kb/HT5130 APPLE-SA-2012-02-01-1 The host-services component in Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and authentication data, which allows remote attackers to execute arbitrary code via a crafted session on TCP port 5631. http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00 51592 Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), uses world-writable permissions for product-installation files, which allows local users to gain privileges by modifying a file. http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00 51593 Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 8.98 allows remote authenticated users to affect integrity, related to Enterprise Infrastructure SEC (JDENET). http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 8.98 allows remote authenticated users to affect confidentiality, related to Enterprise Infrastructure SEC (JDENET), a different vulnerability than CVE-2011-2325, CVE-2011-2326, and CVE-2011-3509. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.3, 11.1.1.4, and 11.1.1.5 allows remote attackers to affect availability via unknown vectors related to Web Services Security. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in Oracle Communications Unified 7.0 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Calendar Server. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 11.1.1.3, 11.1.1.4, and 11.1.1.5 allows remote attackers to affect confidentiality via unknown vectors related to Web Services Security. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in Oracle Communications Unified 7.0 allows local users to affect confidentiality via unknown vectors related to Calendar Server. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in Oracle Communications Unified 7.0 allows remote authenticated users to affect availability via unknown vectors related to Calendar Server. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in Oracle Communications Unified 7.0 allows local users to affect confidentiality and integrity via unknown vectors related to Calendar Server. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Mozilla Firefox before 3.6.26 and 4.x through 6.0, Thunderbird before 3.1.18 and 5.0 through 6.0, and SeaMonkey before 2.4 do not properly enforce the IPv6 literal address syntax, which allows remote attackers to obtain sensitive information by making XMLHttpRequest calls through a proxy and reading the error messages. https://bugzilla.mozilla.org/show_bug.cgi?id=504014 http://www.mozilla.org/security/announce/2012/mfsa2012-02.html DSA-2400 Stack-based buffer overflow in libsysutils in Android 2.2.x through 2.2.2 and 2.3.x through 2.3.6 allows user-assisted remote attackers to execute arbitrary code via an application that calls the FrameworkListener::dispatchCommand method with the wrong number of arguments, as demonstrated by zergRush to trigger a use-after-free error. http://code.google.com/p/android/issues/detail?id=21681 https://github.com/revolutionary/zergRush/blob/master/zergRush.c [oss-security] 20111109 Re: Re: CVE request: Android: vold stack buffer overflow [oss-security] 20111108 Re: CVE request: Android: vold stack buffer overflow [oss-security] 20111108 CVE request: Android: vold stack buffer overflow Google Chrome before 17.0.963.46 does not prevent monitoring of the clipboard after a paste event, which has unspecified impact and remote attack vectors. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=73478 Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service (application crash) via vectors that trigger a large amount of database usage. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=92550 Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors that trigger the aborting of an IndexedDB transaction. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=93106 The extension implementation in Google Chrome before 17.0.963.46 does not properly handle sandboxed origins, which might allow remote attackers to bypass the Same Origin Policy via a crafted extension. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=103630 Use-after-free vulnerability in the garbage-collection functionality in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving PDF documents. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=104056 Google Chrome before 17.0.963.46 does not properly perform casts of variables during handling of a column span, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document. Per: http://cwe.mitre.org/data/definitions/704.html 'CWE-704: Incorrect Type Conversion or Cast' http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=105459 Buffer overflow in the locale implementation in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=106441 Google Chrome before 17.0.963.46 does not properly decode audio data, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=108416 Race condition in Google Chrome before 17.0.963.46 allows remote attackers to execute arbitrary code via vectors that trigger a crash of a utility process. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=108871 Google Chrome before 17.0.963.46 does not properly perform path clipping, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=108901 Google Chrome before 17.0.963.46 does not properly handle PDF FAX images, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=109094 Google Chrome before 17.0.963.46 does not properly implement the drag-and-drop feature, which makes it easier for remote attackers to spoof the URL bar via unspecified vectors. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=109245 Google Chrome before 17.0.963.46 does not properly check signatures, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=109664 Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to error handling for Cascading Style Sheets (CSS) token-sequence data. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=109716 Unspecified vulnerability in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service (application crash) via a crafted certificate. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=109717 Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving Cascading Style Sheets (CSS) token sequences. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=109743 Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to layout of SVG documents. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=110112 libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=110277 Use-after-free vulnerability in Google Chrome before 17.0.963.46 allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to mousemove events. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=110374 The shader translator implementation in Google Chrome before 17.0.963.46 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. http://googlechromereleases.blogspot.com/2012/02/stable-channel-update.html http://code.google.com/p/chromium/issues/detail?id=110559 Cross-site scripting (XSS) vulnerability in Invensys Wonderware HMI Reports 3.42.835.0304 and earlier, as used in Ocean Data Systems Dream Report before 4.0 and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. http://www.us-cert.gov/control_systems/pdf/ICSA-12-039-01.pdf http://www.us-cert.gov/control_systems/pdf/ICSA-12-024-01.pdf 47933 47742 Invensys Wonderware HMI Reports 3.42.835.0304 and earlier, as used in Ocean Data Systems Dream Report before 4.0 and other products, allows user-assisted remote attackers to execute arbitrary code via a malformed file that triggers a "write access violation." http://www.us-cert.gov/control_systems/pdf/ICSA-12-039-01.pdf http://www.us-cert.gov/control_systems/pdf/ICSA-12-024-01.pdf 47933 47742 webvrpcs.exe in Advantech/BroadWin WebAccess allows remote attackers to execute arbitrary code or obtain a security-code value via a long string in an RPC request to TCP port 4592. http://www.us-cert.gov/control_systems/pdf/ICSA-11-094-02A.pdf 47008 20110322 SCADA Trojans: Attacking the Grid + Advantech vulnerabilities http://www.reversemode.com/downloads/Scada_Trojans_Ruben_Rootedcon.pdf http://www.reversemode.com/downloads/exploit_advantech.zip http://reversemode.com/index.php?option=com_content&task=view&id=72&Itemid=1 Buffer overflow in the xfs_readlink function in fs/xfs/xfs_vnodeops.c in XFS in the Linux kernel 2.6, when CONFIG_XFS_DEBUG is disabled, allows local users to cause a denial of service (memory corruption and crash) and possibly execute arbitrary code via an XFS image containing a symbolic link with a long pathname. https://bugzilla.redhat.com/show_bug.cgi?id=749156 [oss-security] 20111026 Re: CVE Request -- kernel: xfs: potential buffer overflow in xfs_readlink() [oss-security] 20111026 CVE Request -- kernel: xfs: potential buffer overflow in xfs_readlink() [xfs] 20111018 [PATCH] Fix possible memory corruption in xfs_readlink http://xorl.wordpress.com/2011/12/07/cve-2011-4077-linux-kernel-xfs-readlink-memory-corruption/ The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program. NOTE: a similar vulnerability was reported for PAR, but this has been assigned a different CVE identifier. https://bugzilla.redhat.com/show_bug.cgi?id=753955 FEDORA-2011-16856 https://rt.cpan.org/Public/Bug/Display.html?id=69560 [oss-security] 20111104 Re: CVE request: unsafe use of /tmp in multiple CPAN modules [oss-security] 20111104 CVE request: unsafe use of /tmp in multiple CPAN modules FEDORA-2011-16859 EMC RSA enVision 4.0 before SP4 P5 and 4.1 before P3 allows remote attackers to obtain sensitive information about environment variables in the web system via unspecified vectors. 20120126 ESA-2012-007: RSA, The Security Division of EMC, announces security fixes for RSA enVision message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. http://openid.net/2011/05/05/attribute-exchange-security-alert/ https://issues.jboss.org/browse/SOA-3597 https://issues.jboss.org/browse/JBEPP-1368 RHSA-2011:1804 [oss-security] 20111116 Re: CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information [oss-security] 20111116 CVE Request: openid4java not properly verifying the signature of Attribute Exchange (AX) information 1026400 44496 Multiple cross-site scripting (XSS) vulnerabilities in Symphony CMS 2.2.3 and possibly other versions before 2.2.4 allow remote authenticated users with Author privileges to inject arbitrary web script or HTML via (1) the profile parameter to extensions/profiledevkit/content/content.profile.php, as demonstrated via requests to (a) the default URI, (b) about/, or (c) drafts/; or (2) the filter parameter in symphony/lib/core/class.symphony.php, as demonstrated via requests to (d) symphony/publish/comments or (e) symphony/publish/images. NOTE: some of these details are obtained from third party information. http://symphony-cms.com/download/releases/version/2.2.4/ symphony-multiple-xss(71106) 76883 76882 [oss-security] 20111122 Re: CVE-request: Symphony CMS Multiple Cross-Site Scripting and SQL Injection Vulnerabilities (NS-11-008) http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/ 46663 20111101 XSS and SQL Injection Vulnerabilities on Symphony CMS 2.2.3 http://packetstormsecurity.org/files/view/106493/symphonycms-sqlxss.txt Multiple SQL injection vulnerabilities in symphony/content/content.publish.php in Symphony CMS 2.2.3 and possibly other versions before 2.2.4 allow remote authenticated users with Author permissions to execute arbitrary SQL commands via the filter parameter to (1) symphony/publish/comments or (2) symphony/publish/images. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks via error messages. NOTE: some of these details are obtained from third party information. [oss-security] 20111122 Re: CVE-request: Symphony CMS Multiple Cross-Site Scripting and SQL Injection Vulnerabilities (NS-11-008) https://github.com/symphonycms/symphony-2/commit/476e4926e2773588eab10dd3036f27e1411521b5 symphony-filter-sql-injection(71105) 76884 http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/ http://symphony-cms.com/download/releases/version/2.2.4/ 46663 20111101 XSS and SQL Injection Vulnerabilities on Symphony CMS 2.2.3 http://packetstormsecurity.org/files/view/106493/symphonycms-sqlxss.txt crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts. https://bugzilla.redhat.com/show_bug.cgi?id=757909 http://rt.openssl.org/Ticket/Display.html?id=1593&user=guest&pass=guest [oss-security] 20111201 CVE-2011-4354 OpenSSL 0.9.8g (32-bit builds) bug leaks ECC private keys http://marc.info/?t=119271238800004 http://eprint.iacr.org/2011/633 http://cvs.openssl.org/filediff?f=openssl/crypto/bn/bn_nist.c&v1=1.14&v2=1.21 http://crypto.di.uminho.pt/CACE/CT-RSA2012-openssl-src.zip The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime generates predictable authentication tokens for cookies, which makes it easier for remote attackers to bypass authentication via a crafted cookie. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime has an improperly selected default password for the administrator account, which makes it easier for remote attackers to obtain access via a brute-force approach involving many HTTP requests. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf Cross-site scripting (XSS) vulnerability in the HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-4511. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf Cross-site scripting (XSS) vulnerability in the HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-4510. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf CRLF injection vulnerability in the HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime allow user-assisted remote attackers to execute arbitrary code via a crafted project file, related to the HMI web server and runtime loader. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf The TELNET daemon in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime does not perform authentication, which makes it easier for remote attackers to obtain access via a TCP session. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf zenAdminSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted packet to TCP port 50777, aka Reference Number 25240. http://www.us-cert.gov/control_systems/pdf/ICSA-12-013-01.pdf 47892 ZenSysSrv.exe in Ing. Punzenberger COPA-DATA zenon 6.51 SP0 allows remote attackers to cause a denial of service (service crash) or possibly execute arbitrary code via a series of connections and disconnections on TCP port 1101, aka Reference Number 25212. http://www.us-cert.gov/control_systems/pdf/ICSA-12-013-01.pdf 47892 Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP 5.4.0beta2 on 32-bit platforms allows remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708. Per: https://bugs.php.net/bug.php?id=60150 'The bug is only present in 32 bits version.' https://bugs.php.net/bug.php?id=60150 php-exifprocessifdtag-dos(71612) 50907 RHSA-2012:0019 DSA-2399 Cisco TelePresence Software before TE 4.1.1 on the Cisco IP Video Phone E20 has a default password for the root account after an upgrade to TE 4.1.0, which makes it easier for remote attackers to modify the configuration via an SSH session, aka Bug ID CSCtw69889, a different vulnerability than CVE-2011-2555. 20120118 Cisco IP Video Phone E20 Default Root Account The UberMedia UberSocial (com.twidroid) application 7.x before 7.2.4 for Android does not properly protect data, which allows remote attackers to read or modify Twitter information via a crafted application. http://www4.comp.polyu.edu.hk/~appsec/bugs/CVE-2011-4700-vulnerability-in-UberSocial.html The 360 MobileSafe (com.qihoo360.mobilesafe) application 2.x before 2.3.0 for Android does not properly protect data, which allows remote attackers to read or modify SMS messages and a contact list via a crafted application. http://www4.comp.polyu.edu.hk/~appsec/bugs/CVE-2011-4769-vulnerability-in-360MobileSafe.html A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-2404 and CVE-2011-4787. http://www.zerodayinitiative.com/advisories/ZDI-12-013/ "The specific flaw exists within the XMLCacheMgr class ActiveX control (CLSID 6F255F99-6961-48DC-B17E-6E1BCCBC0EE3). The CacheDocumentXMLWithId() method is vulnerable to directory traversal and arbitrary write, which allows an attacker to write malicious content to the filesystem. A remote attacker could leverage this vulnerability to gain code execution under the context of the web browser." HPSBPI02698 SSRT100404 A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-2404 and CVE-2011-4786. SSRT100404 HPSBPI02698 Absolute path traversal vulnerability in the web interface on HP StorageWorks P2000 G3 MSA array systems allows remote attackers to read arbitrary files via a pathname in the URI. http://zerodayinitiative.com/advisories/ZDI-12-015/ DBServer.exe in HP Data Protector Media Operations 6.11 and earlier allows remote attackers to execute arbitrary code via a crafted request containing a large value in a length field. http://zerodayinitiative.com/advisories/ZDI-11-112/ SSRT100280 HPSBMU02739 SQL injection vulnerability in wptouch/ajax.php in the WPTouch plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. 18039 Directory traversal vulnerability in the obSuggest (com_obsuggest) component before 1.8 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. 48944 46844 http://foobla.com/news/latest/obsuggest-1.8-security-release.html Cross-site scripting (XSS) vulnerability in pubDBLogon.jsp in SAP Crystal Report Server 2008 allows remote attackers to inject arbitrary web script or HTML via the service parameter. https://service.sap.com/sap/support/notes/1562292 20111117 [DSECRG-11-033] SAP Crystal Report Server pubDBLogon - Linked ÕSS vulnerability http://www.sdn.sap.com/irj/sdn/index?rid=/webcontent/uuid/c05604f6-4eb3-2d10-eea7-ceb666083a6a http://dsecrg.com/pages/vul/show.php?id=333 Multiple cross-site scripting (XSS) vulnerabilities in main.php in phpAlbum 0.4.1.16 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) var1 and (2) keyword parameters. 18045 Directory traversal vulnerability in main.php in phpAlbum 0.4.1.16 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the var1 parameter. 18045 SQL injection vulnerability in the HM Community (com_hmcommunity) component before 1.01 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a fnd_home action to index.php. 76727 18050 46656 http://joomlaextensions.co.in/index.php?option=com_jeshop&view=category_detail&Itemid=118&id=38 Multiple cross-site scripting (XSS) vulnerabilities in the HM Community (com_hmcommunity) component before 1.01 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) language[], (2) university[], (3) persent[], (4) company_name[], (5) designation[], (6) music[], (7) books[], (8) movies[], (9) games[], (10) syp[], (11) ft[], and (12) fa[] parameters in a save task for a profile to index.php. NOTE: some of these details are obtained from third party information. 76726 18050 46656 http://joomlaextensions.co.in/index.php?option=com_jeshop&view=category_detail&Itemid=118&id=38 Multiple directory traversal vulnerabilities in WHMCompleteSolution (WHMCS) 3.x and 4.x allow remote attackers to read arbitrary files via the templatefile parameter to (1) submitticket.php and (2) downloads.php, and (3) the report parameter to admin/reports.php. 18088 SQL injection vulnerability in pokaz_podkat.php in BestShopPro allows remote attackers to execute arbitrary SQL commands via the str parameter. 18063 Cross-site scripting (XSS) vulnerability in nowosci.php in BestShopPro allows remote attackers to inject arbitrary web script or HTML via the str parameter. 76880 18063 46662 Directory traversal vulnerability in clientarea.php in WHMCompleteSolution (WHMCS) 3.x.x allows remote attackers to read arbitrary files via an invalid action and a ../ (dot dot slash) in the templatefile parameter. 18081 Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 RC and probably earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) admin/boxes.php, (3) comm/clients.php, (4) commande/index.php; and the optioncss parameter to (5) admin/ihm.php and (6) user/home.php. https://github.com/Dolibarr/dolibarr/commit/d08d28c0cda1f762a47cc205d4363de03df16675 https://github.com/Dolibarr/dolibarr/commit/c539155d6ac2f5b6ea75b87a16f298c0090e535a https://github.com/Dolibarr/dolibarr/commit/762f98ab4137749d0993612b4e3544a4207e78a1 https://github.com/Dolibarr/dolibarr/commit/63820ab37537fdff842539425b2bf2881f0d8e91 https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_dolibarr.html 50777 20111123 Multiple vulnerabilities in Dolibarr 77339 Multiple SQL injection vulnerabilities in Vik Real Estate (com_vikrealestate) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) contract parameter in a results action and (2) imm parameter in a show action to index.php. 18048 http://docs.joomla.org/Vulnerable_Extensions_List#Vik_Real_Estate_1.0 SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h allows remote attackers to execute arbitrary SQL commands via the login_username parameter. cacti-unspecified-sql-injection(71326) 50671 http://www.cacti.net/release_notes_0_8_7h.php http://svn.cacti.net/viewvc?view=rev&revision=6807 46876 44133 FEDORA-2011-15071 FEDORA-2011-15110 FEDORA-2011-15032 SQL injection vulnerability in session.php in AutoSec Tools V-CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to process.php. NOTE: some of these details are obtained from third party information. 50706 http://www.autosectools.com/Advisory/V-CMS-1.0-SQL-Injection-235 46861 Multiple cross-site scripting (XSS) vulnerabilities in AutoSec Tools V-CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) p parameter to redirect.php and (2) box parameter to includes/TrueColorPicker/index.php, which is not properly handled in includes/TrueColorPicker/class.TrueColorPicker.php. 50706 http://www.autosectools.com/Advisory/V-CMS-1.0-Reflected-Cross-site-Scripting-234 46861 Directory traversal vulnerability in webFileBrowser.php in Web File Browser 0.4b14 allows remote authenticated users to read arbitrary files via a ..%2f (encoded dot dot) in the file parameter in a download action. 18070 Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php. https://www.htbridge.ch/advisory/sql_injection_in_sugarcrm.html sugarcrm-index-sql-injection(71586) http://www.sugarcrm.com/crm/support/bugs.html#issue_47839 http://www.sugarcrm.com/crm/support/bugs.html#issue_47806 http://www.sugarcrm.com/crm/support/bugs.html#issue_47805 http://www.sugarcrm.com/crm/support/bugs.html#issue_47800 20111130 Sql injection in SugarCRM 77459 1026369 47011 The Tencent QQPhoto (com.tencent.qqphoto) application 0.97 for Android does not properly protect data, which allows remote attackers to read or modify contact information and a password hash via a crafted application. http://www4.comp.polyu.edu.hk/~appsec/bugs/CVE-2011-4867-vulnerability-in-QQPhoto.html Multiple HTC Android devices including Desire HD FRG83D and GRI40, Glacier FRG83, Droid Incredible FRF91, Thunderbolt 4G FRG83D, Sensation Z710e GRI40, Sensation 4G GRI40, Desire S GRI40, EVO 3D GRI40, and EVO 4G GRI40 allow remote attackers to obtain 802.1X Wi-Fi credentials and SSID via a crafted application that uses the android.permission.ACCESS_WIFI_STATE permission to call the toString method on the WifiConfiguration class. VU#763355 51790 47837 http://blog.mywarwithentropy.com/2012/02/8021x-password-exploit-on-many-htc.html 20120201 802.1X password exploit on many HTC Android devices Stack-based buffer overflow in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to execute arbitrary code via vectors related to Unicode strings. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf http://aluigi.altervista.org/adv/winccflex_1-adv.txt Directory traversal vulnerability in HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to execute, read, create, modify, or delete arbitrary files via a .. (dot dot) in a string. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf http://aluigi.altervista.org/adv/winccflex_1-adv.txt HmiLoad in the runtime loader in Siemens WinCC flexible 2004, 2005, 2007, and 2008; WinCC V11 (aka TIA portal); the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime, when Transfer Mode is enabled, allows remote attackers to cause a denial of service (application crash) by sending crafted data over TCP. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf http://aluigi.altervista.org/adv/winccflex_1-adv.txt Directory traversal vulnerability in miniweb.exe in the HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime allows remote attackers to read arbitrary files via a ..%5c (dot dot backslash) in a URI. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf http://aluigi.altervista.org/adv/winccflex_1-adv.txt miniweb.exe in the HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 (aka TIA portal) before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime does not properly handle URIs beginning with a 0xfa character, which allows remote attackers to read data from arbitrary memory locations or cause a denial of service (application crash) via a crafted POST request. http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-345442.pdf http://aluigi.altervista.org/adv/winccflex_1-adv.txt PHP before 5.3.9 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. VU#903934 https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py 51193 RHSA-2012:0019 http://www.ocert.org/advisories/ocert-2011-003.html http://www.nruns.com/_downloads/advisory28122011.pdf 18305 18296 DSA-2399 http://svn.php.net/viewvc?view=revision&revision=321040 http://svn.php.net/viewvc?view=revision&revision=321003 MySQL 5.5.8, when running on Windows, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted packet to TCP port 3306. mysql-port-dos(71965) 18269 functions.php in WHMCompleteSolution (WHMCS) 4.0.x through 5.0.x allows remote attackers to trigger arbitrary code execution in the Smarty templating system by submitting a crafted ticket, related to improper handling of characters in the subject field. http://forum.whmcs.com/showthread.php?t=43462 http://www.webhostingtalk.com/showpost.php?p=7848685&postcount=35 The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184. http://svn.apache.org/viewvc?view=rev&rev=1159309 http://svn.apache.org/viewvc?view=rev&rev=1158180 http://svn.apache.org/viewvc?view=rev&rev=1087655 RHSA-2011:1845 http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html SUSE-SU-2012:0155 The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184. http://svn.apache.org/viewvc?view=rev&rev=1159309 http://svn.apache.org/viewvc?view=rev&rev=1158180 http://svn.apache.org/viewvc?view=rev&rev=1087655 RHSA-2011:1845 http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html SUSE-SU-2012:0155 DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184. http://svn.apache.org/viewvc?view=rev&rev=1159309 http://svn.apache.org/viewvc?view=rev&rev=1158180 http://svn.apache.org/viewvc?view=rev&rev=1087655 RHSA-2011:1845 http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html SUSE-SU-2012:0155 The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log file. http://www-01.ibm.com/support/docview.wss?uid=swg27007951 PM36685 SQL injection vulnerability in model/comment.class.php in HDWiki 5.0, 5.1, and possibly other versions allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php. NOTE: some of these details are obtained from third party information. 51871 47907 http://bbs.wolvez.org/viewtopic.php?id=208 Unrestricted file upload vulnerability in attachement.php in HDWiki 5.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in image directory. http://bbs.wolvez.org/viewtopic.php?id=208 The web administration interface in the server in Sybase M-Business Anywhere 6.7 before ESD# 3 and 7.0 before ESD# 7 does not require admin authentication for unspecified scripts, which allows remote authenticated users to list or delete user accounts, modify passwords, or read log files via HTTP requests, aka Bug IDs 678497 and 678499. 20111014 Sybase M-Business Anywhere Insecure Permissions Vulnerability http://www.sybase.com/detail?id=1095200 ** DISPUTED ** GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application. https://bugzilla.redhat.com/show_bug.cgi?id=772720 [oss-security] 20120110 glib2 hash dos oCert-2011-003 [gtk-devel-list] 20030529 Algorimic Complexity Attack on GLIB 2.2.1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655044 PHP before 5.3.9 has improper libxslt security settings, which allows remote attackers to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension. https://bugs.php.net/bug.php?id=54446 DSA-2399 http://php.net/ChangeLog-5.php#5.3.9 [oss-security] 20120117 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120114 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120115 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120115 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120114 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120114 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120113 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120113 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120113 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120113 Re: CVE affected for PHP 5.3.9 ? [oss-security] 20120113 CVE affected for PHP 5.3.9 ? [oss-security] 20120113 Re: CVE affected for PHP 5.3.9 ? Unspecified vulnerability in Oracle OpenSSO 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Administration. sun-opensso-cve20120079(72501) 1026536 51492 http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html 46646 78412 Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization 4.1 allows local users to affect confidentiality and integrity via unknown vectors related to Shared Folders. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, CVE-2012-0485, and CVE-2012-0492. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect confidentiality and availability via unknown vectors, a different vulnerability than CVE-2012-0118. http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html The TCP implementation in IBM AIX 5.3, 6.1, and 7.1, when the Large Send Offload option is enabled, allows remote attackers to cause a denial of service (assertion failure and panic) via an unspecified series of packets. http://aix.software.ibm.com/aix/efixes/security/large_send_advisory.asc aix-tcpstack-dos(72562) 51864 IV14211 IV14210 IV14209 IV13827 IV13820 IV13751 1026640 47865 Symantec pcAnywhere through 12.5.3, Altiris IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), Altiris Client Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), and Altiris Deployment Solution Remote pcAnywhere Solution 7.1 (aka 12.5.x and 12.6.x) do not properly handle the client state after abnormal termination of a remote session, which allows remote attackers to obtain access to the client by leveraging an "open client session." http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00 51862 Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://sourceforge.jp/forum/forum.php?forum_id=28119 JVNDB-2012-000004 JVN#36559450 Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9, and osCommerce Online Merchant before 2.3.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://sourceforge.jp/forum/forum.php?forum_id=28119 JVNDB-2012-000005 JVN#64386898 Multiple cross-site request forgery (CSRF) vulnerabilities on the eAccess Pocket WiFi (aka GP02) router before 2.00 with firmware 11.203.11.05.168 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) initialize settings or (2) reboot the device. 51782 47795 JVNDB-2012-000010 JVN#33021167 http://emobile.jp/topics/info20120201_01.html Buffer overflow in the server in EMC NetWorker 7.5.x and 7.6.x before 7.6.3 SP1 Cumulative Release build 851 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via unspecified vectors. 20120126 ESA-2012-005: EMC NetWorker buffer overflow vulnerability EMC Documentum xPlore 1.0, 1.1 before P07, and 1.2 does not properly enforce the requirement for BROWSE permission, which allows remote authenticated users to determine the existence of an object, or read object metadata, via a search. emc-documentum-info-disc(72994) 51863 1026639 47920 20120203 ESA-2012-010: EMC Documentum xPlore information disclosure vulnerability Cross-site request forgery (CSRF) vulnerability in jsonrpc.cgi in Bugzilla 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 allows remote attackers to hijack the authentication of arbitrary users for requests that use the JSON-RPC API. https://bugzilla.mozilla.org/show_bug.cgi?id=718319 bugzilla-jsonrpc-csrf(72882) 1026623 http://www.bugzilla.org/security/3.4.13/ 47814 Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. https://bugzilla.mozilla.org/show_bug.cgi?id=705347 https://bugzilla.mozilla.org/show_bug.cgi?id=693399 http://www.mozilla.org/security/announce/2012/mfsa2012-01.html DSA-2400 Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize nsChildView data structures, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Ogg Vorbis file. https://bugzilla.mozilla.org/show_bug.cgi?id=719612 http://www.mozilla.org/security/announce/2012/mfsa2012-07.html DSA-2400 Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address. https://bugzilla.mozilla.org/show_bug.cgi?id=714472 1026623 http://www.bugzilla.org/security/3.4.13/ 47814 Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a malformed XSLT stylesheet that is embedded in a document. https://bugzilla.mozilla.org/show_bug.cgi?id=702466 https://bugzilla.mozilla.org/show_bug.cgi?id=701806 http://www.mozilla.org/security/announce/2012/mfsa2012-08.html DSA-2400 Use-after-free vulnerability in Mozilla Firefox 10.x before 10.0.1, Thunderbird 10.x before 10.0.1, and SeaMonkey 2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger failure of an nsXBLDocumentInfo::ReadPrototypeBindings function call, related to the cycle collector's access to a hash table containing a stale XBL binding. https://bugzilla.mozilla.org/show_bug.cgi?id=724284 http://www.mozilla.org/security/announce/2012/mfsa2012-10.html Multiple unspecified vulnerabilities in Google Chrome before 17.0.963.27 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors. oval:org.mitre.oval:def:14268 http://googlechromereleases.blogspot.com/2012/01/beta-channel-update-for-chromebooks.html Multiple cross-site scripting (XSS) vulnerabilities in the Executive Viewer (EV) in IBM Cognos TM1 before 9.5 FP1 allow remote attackers to inject arbitrary web script or HTML via unspecified requests to (1) aspnet_client or (2) evserver/createcontrol.js. cevtm1-aspnetclient-createcontrol-xss(72198) 51326 78217 78216 PM26682 1026491 47487 Buffer overflow in Bip 0.8.8 and earlier might allow remote authenticated users to execute arbitrary code via vectors involving a series of TCP connections that triggers use of many open file descriptors. https://projects.duckcorp.org/projects/bip/repository/revisions/222a33cb84a2e52ad55a88900b7895bf9dd0262c https://projects.duckcorp.org/issues/269 [oss-security] 20120124 Re: CVE request: bip buffer overflow http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657217 47679 [oss-security] 20120124 CVE request: bip buffer overflow Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header. https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa https://bugzilla.redhat.com/show_bug.cgi?id=783350 20120119 Advisory 01/2012: Suhosin PHP Extension Transparent Cookie Encryption Stack Buffer Overflow The php_register_variable_ex function in php_variables.c in PHP 5.3.9 allows remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885. https://gist.github.com/1725489 php-phpregistervariableex-code-exec(72911) 51830 http://www.php.net/ChangeLog-5.php#5.3.10 78819 http://www.h-online.com/security/news/item/Critical-PHP-vulnerability-being-fixed-1427316.html http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/ http://svn.php.net/viewvc?view=revision&revision=323007 1026631 47806 [oss-security] 20120203 Re: PHP remote code execution introduced via HashDoS fix [oss-security] 20120202 PHP remote code execution introduced via HashDoS fix PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c. USN-1358-1 51954 https://launchpadlibrarian.net/92454212/php5_5.3.2-1ubuntu4.13.diff.gz http://svn.php.net/viewvc?view=revision&revision=323016 Cross-site scripting (XSS) vulnerability in lib/QueryRender.php in phpLDAPadmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the base parameter in a query_engine action to cmd.php. https://sourceforge.net/tracker/index.php?func=detail&aid=3477910&group_id=61828&atid=498546 47852 http://phpldapadmin.git.sourceforge.net/git/gitweb.cgi?p=phpldapadmin/phpldapadmin;a=commit;h=7dc8d57d6952fe681cb9e8818df7f103220457bd [oss-security] 20120203 Re: CVE request: phpldapadmin [oss-security] 20120202 CVE request: phpldapadmin OCaml 3.12.1 and earlier computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. http://www.ocert.org/advisories/ocert-2011-003.html http://www.nruns.com/_downloads/advisory28122011.pdf [caml-list] 20111230 Re: Hashtbl and security [caml-list] 20111230 Hashtbl and security [oss-security] 20120206 Re: CVE request: Hash DoS vulnerability (ocert-2011-003) [oss-security] 20120206 CVE request: Hash DoS vulnerability (ocert-2011-003) tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. http://svn.apache.org/viewvc?rev=1231605&view=rev apacheapr-hash-dos(73096) [dev] 20120114 Re: Hash collision vectors in APR? [dev] 20120113 Re: Hash collision vectors in APR? [dev] 20120105 Hash collision vectors in APR? 47862 [oss-security] 20120208 Re: CVE request: apr - Hash DoS vulnerability [oss-security] 20120208 CVE request: apr - Hash DoS vulnerability [apr-commits] 20120115 svn commit: r1231605 - /apr/apr/trunk/tables/apr_hash.c rvrender.dll in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, allows remote attackers to execute arbitrary code via crafted flags in an RMFF file. http://service.real.com/realplayer/security/02062012_player/en/ The RV20 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, does not properly handle the frame size array, which allows remote attackers to execute arbitrary code via a crafted RV20 RealVideo video stream. http://service.real.com/realplayer/security/02062012_player/en/ RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, allows remote attackers to execute arbitrary code via vectors involving a VIDOBJ_START_CODE code in a header within a video stream. http://service.real.com/realplayer/security/02062012_player/en/ Unspecified vulnerability in the RV40 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, allows remote attackers to execute arbitrary code via a crafted RV40 RealVideo video stream. http://service.real.com/realplayer/security/02062012_player/en/ The RV10 codec in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, does not properly handle height and width values, which allows remote attackers to execute arbitrary code via a crafted RV10 RealVideo video stream. http://service.real.com/realplayer/security/02062012_player/en/ Unspecified vulnerability in RealNetworks RealPlayer 11.x, 14.x, and 15.x before 15.02.71, and RealPlayer SP 1.0 through 1.1.5, allows remote attackers to execute arbitrary code via vectors involving the coded_frame_size value in a RealAudio audio stream. http://service.real.com/realplayer/security/02062012_player/en/ The ATRAC codec in RealNetworks RealPlayer 11.x and 14.x through 14.0.7, RealPlayer SP 1.0 through 1.1.5, and Mac RealPlayer 12.x before 12.0.0.1703 does not properly decode samples, which allows remote attackers to execute arbitrary code via a crafted ATRAC audio file. http://service.real.com/realplayer/security/02062012_player/en/ Stack-based buffer overflow in jp2_x.dll in LuraWave JP2 ActiveX Control 2.1.5.5 and other versions before 2.1.5.11 allows remote attackers to execute arbitrary code via a JPEG2000 (JP2) file with a crafted Quantization Default (QCD) marker segment. lurawave-jp2-qcd-bo(72807) 51744 47350 78661 Cross-site scripting (XSS) vulnerability in TWiki allows remote attackers to inject arbitrary web script or HTML via the organization field in a profile, involving (1) registration or (2) editing of the user. Per: http://secunia.com/advisories/47784 'The vulnerability is confirmed in version 5.1.1. Other versions may also be affected.' twiki-organization-xss(72821) 1026604 51731 http://st2tea.blogspot.com/2012/01/cross-site-scripting-twiki.html 47784 http://packetstormsecurity.org/files/109246/twiki-xss.txt 78664 SQL injection vulnerability in download.php in phux Download Manager allows remote attackers to execute arbitrary SQL commands via the file parameter. phux-download-sql-injection(72826) 51725 18432 SQL injection vulnerability in search.php in Vastal I-Tech Agent Zone (aka The Real Estate Script) allows remote attackers to execute arbitrary SQL commands via the price_from parameter. 51773 18441 SQL injection vulnerability in Scriptsez.net Ez Album allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php. ezalbum-index-sql-injection(72809) 18438 Cross-site request forgery (CSRF) vulnerability in admin/settings/update in DClassifieds 0.1 final allows remote attackers to hijack the authentication of administrators for requests that modify account settings such as the administrator password or email via certain Settings[] parameters. http://sourceforge.net/projects/dclassifieds/files/csrf_fix_120105.rar/download https://www.htbridge.ch/advisory/HTB23067 dclassifieds-settings-csrf(72733) 51671 78557 47691 20120125 CSRF (Cross-Site Request Forgery) in DClassifieds Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in interface/patient_file/encounter. https://www.htbridge.ch/advisory/HTB23069 http://www.open-emr.org/wiki/index.php/OpenEMR_Patches 20120201 Multiple vulnerabilities in OpenEMR openemr-formname-file-include(72914) 51788 47781 78730 78729 78728 78727 interface/fax/fax_dispatch.php in OpenEMR 4.1.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the file parameter. http://www.open-emr.org/wiki/index.php/OpenEMR_Patches 20120201 Multiple vulnerabilities in OpenEMR https://www.htbridge.ch/advisory/HTB23069 openemr-faxdispatch-command-execution(72915) 51788 47781 78731 Unspecified vulnerability in OpenConf 4.x before 4.12 has unknown impact and attack vectors. http://www.openconf.com/news/#20120202 Multiple integer overflows in Opera 11.60 and earlier allow remote attackers to cause a denial of service (application crash) via a large integer argument to the (1) Int32Array, (2) Float32Array, (3) Float64Array, (4) Uint32Array, (5) Int16Array, or (6) ArrayBuffer function. NOTE: the vendor reportedly characterizes this as "a stability issue, not a security issue." http://blog.vulnhunt.com/index.php/2012/02/02/cal-2012-0004-opera-array-integer-overflow/ Multiple cross-site scripting (XSS) vulnerabilities in UI/Register.pm in Foswiki before 1.1.5 allow remote authenticated users with CHANGE privileges to inject arbitrary web script or HTML via the (1) text, (2) FirstName, (3) LastName, (4) OrganisationName, (5) OrganisationUrl, (6) Profession, (7) Country, (8) State, (9) Address, (10) Location, (11) Telephone, (12) VoIP, (13) InstantMessagingIM, (14) Email, (15) HomePage, or (16) Comment parameter. NOTE: some of these details are obtained from third party information. Per: http://foswiki.org/Support/SecurityAlert-CVE-2012-1004 'Vulnerable Software Versions - All versions 1.0.0 - 1.1.4 inclusive for sites that use the user registration process' http://st2tea.blogspot.com/2012/02/foswiki-cross-site-scripting.html 47849 http://foswiki.org/Tasks/Item11501 http://foswiki.org/Tasks/Item11498 http://foswiki.org/Support/SecurityAlert-CVE-2012-1004 Multiple cross-site scripting (XSS) vulnerabilities in Sphinx Software Mobile Web Server 3.1.2.47 allow remote attackers to inject arbitrary web script or HTML via the comment parameter to a blog, as demonstrated using (1) Blog/MyFirstBlog.txt or (2) Blog/AboutSomething.txt. sphinixsoftware-comment-xss(72913) 51820 47876 http://secpod.org/blog/?p=453 Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders. http://secpod.org/blog/?p=450 http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do. http://secpod.org/blog/?p=450 http://secpod.org/advisories/SecPod_Apache_Struts_Multiple_Parsistant_XSS_Vulns.txt OfficeSIP Server 3.1 allows remote attackers to cause a denial of service (daemon crash) via a crafted To header in a SIP INVITE message. http://secpod.org/exploits/SecPod_Exploit_OfficeSIP_Server_DOS.py http://secpod.org/blog/?p=461 http://secpod.org/advisories/SecPod_Exploit_OfficeSIP_Server_DOS_Vuln.txt Unrestricted file upload vulnerability in actions.php in the AllWebMenus plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a ZIP file containing a PHP file, then accessing it via a direct request to the file in an unspecified directory. allwebmenus-actions-file-upload(72640) 51615 18407 http://wordpress.org/extend/plugins/allwebmenus-wordpress-menu-plugin/changelog/ 47659 20120122 AllWebMenus < 1.1.9 WordPress Menu Plugin Arbitrary file upload actions.php in the AllWebMenus plugin 1.1.8 for WordPress allows remote attackers to bypass intended access restrictions to upload and execute arbitrary PHP code by setting the HTTP_REFERER to a certain value, then uploading a ZIP file containing a PHP file, then accessing it via a direct request to the file in an unspecified directory. http://wordpress.org/extend/plugins/allwebmenus-wordpress-menu-plugin/changelog/ allwebmenus-actions-file-upload(72640) 51615 18407 47659 20120122 AllWebMenus < 1.1.9 WordPress Menu Plugin Arbitrary file upload Multiple SQL injection vulnerabilities in base_qry_main.php in Basic Analysis and Security Engine (BASE) 1.4.5 allow remote attackers to execute arbitrary SQL commands via the (1) ip_addr[0][1], (2) ip_addr[0][2], or (3) ip_addr[0][9] parameters. base-ipaddr-sql-injection(72998) 51874 18465 Cross-site scripting (XSS) vulnerability in includes/convert.php in D-Mack Media Currency Converter (mod_currencyconverter) module 1.0.0 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the from parameter. currencyconverter-convert-xss(72917) 51804 http://dl.packetstormsecurity.net/1202-exploits/joomlacurrencyconverter-xss.txt Multiple cross-site scripting (XSS) vulnerabilities in XWiki Enterprise 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) XWiki.XWikiComments_comment parameter to xwiki/bin/commentadd/Main/WebHome, (2) XWiki.XWikiUsers_0_company parameter when editing a user profile, or (3) projectVersion parameter to xwiki/bin/view/DownloadCode/DownloadFeedback. NOTE: some of these details are obtained from third party information. 51867 http://st2tea.blogspot.com/2012/02/xwiki-cross-site-scripting.html 47885 http://packetstormsecurity.org/files/109447/XWiki-Enterprise-3.4-Cross-Site-Scripting.html Multiple cross-site scripting (XSS) vulnerabilities in login.php in NexorONE Online Banking allow remote attackers to inject arbitrary web script or HTML via the (1) visitor_language parameter to register.php or (2) message parameter. http://www.vulnerability-lab.com/get_content.php?id=304 51876 47897 20120205 NexorONE Online Banking - Multiple Cross Site Vulnerabilities Cross-site scripting (XSS) vulnerability in admin/categories.php in 4images 1.7.10 allows remote attackers to inject arbitrary web script or HTML via the cat_parent_id parameter in an addcat action. 4images-categories-xss(72924) 51774 47811 http://packetstormsecurity.org/files/109290/4images-xss.txt 78711 SQL injection vulnerability in admin/categories.php in 4images 1.7.10 remote attackers to execute arbitrary SQL commands via the cat_parent_id parameter in an addcat action. 4images-catparentid-sql-injection(72932) 51774 http://packetstormsecurity.org/files/109290/4images-xss.txt Open redirect vulnerability in admin/index.php in 4images 1.7.10 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter. 51774 http://packetstormsecurity.org/files/109290/4images-xss.txt 78779 Directory traversal vulnerability in file in Enigma2 Webinterface 1.5rc1 and 1.5beta4 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. 18343 Absolute path traversal vulnerability in file in Enigma2 Webinterface 1.6.0 through 1.6.8, 1.6rc3, and 1.7.0 allows remote attackers to read arbitrary files via a full pathname in the file parameter. 18343 Multiple SQL injection vulnerabilities in login2.php in XRay CMS 1.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters. xraycms-login2-sql-injection(73000) 51870 18467 Cross-site scripting (XSS) vulnerability in account-closed.tcl in ]project-open[ (aka ]po[) 3.4.x, 3.5.0.1-2, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the message parameter to register/account-closed. VU#732115 projectopen-accountclosed-xss(72952) 51842 47854 78823 http://dl.packetstormsecurity.net/1202-exploits/projectopen-xss.txt Cross-site scripting (XSS) vulnerability in bin/index.php in SimpleGroupware 0.742 and other versions before 0.743 allows remote attackers to inject arbitrary web script or HTML via the export parameter. http://voxel.dl.sourceforge.net/project/simplgroup/README.md 20120206 SimpleGroupware 0.742 Cross-Site-Scripting vulnerability SQL injection vulnerability in mobile/search/index.php in Tube Ace (Adult PHP Tube Script) 1.6 allows remote attackers to execute arbitrary SQL commands via the q parameter. NOTE: some of these details are obtained from third party information. tubeace-q-sql-injection(72999) 51873 18466 47874 Unspecified vulnerability in EPiServer CMS 5 and 6 through 6R2, in certain configurations using Forms Authentication, allows remote authenticated users to obtain WebAdmins access by leveraging Edit Mode privileges, a different vulnerability than CVE-2011-3416 and CVE-2011-3417. http://world.episerver.com/Blogs/Shahid-Nawaz/Dates/2012/1/General-Hotfix-CMS-6-R2/ http://world.episerver.com/Blogs/Jens-N/Dates/2012/1/Security-vulnerability---Elevation-of-privilege/ 47910 The resolver in ISC BIND 9 through 9.8.1-P1 does not properly implement a cache update policy, which allows remote attackers to trigger continued resolvability of domain names that are no longer registered via an unspecified "Ghost Names exploit." Per: https://www.isc.org/software/bind/advisories/cve-2012-1033 'Solution: On further review, ISC has determined that this is not an issue which needs an immediate patch. The issue is being reviewed at the protocol level and will be addressed there. Implementing DNSSEC is the safest mitigation measure.' https://www.isc.org/software/bind/advisories/cve-2012-1033 Multiple cross-site scripting (XSS) vulnerabilities in the admin interface in EPiServer CMS through 6R2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://world.episerver.com/PageFiles/110367/BugList.txt http://world.episerver.com/Blogs/Shahid-Nawaz/Dates/2012/1/General-Hotfix-CMS-6-R2/ 47910 AdaCore Ada Web Services (AWS) before 2.10.2 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. http://www.ocert.org/advisories/ocert-2011-003.html http://www.nruns.com/_downloads/advisory28122011.pdf http://www.adacore.com/2012/01/27/security-advisory-sa-2012-l119-003-hash-collisions-in-aws/ 20120127 AdaCore Security Advisory SA-2012-L119-003 Hash collisions in AWS Cross-site scripting (XSS) vulnerability in TM1 Web in IBM Cognos TM1 9.5.2 FP1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-0696. 51905 78917 PM49009 http://www-01.ibm.com/support/docview.wss?uid=swg27023584 http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1PM49009 1026648 47889 Directory traversal vulnerability in the WWWHELP Service (js/html/wwhelp.htm) in Cyberoam Central Console (CCC) 2.00.2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter in an Online_help action. http://www.vulnerability-lab.com/get_content.php?id=405 51901 20120207 Cyberoam Central Console v2.00.2 - File Include Vulnerability Cross-site scripting (XSS) vulnerability in communityplusplus/www/administrator.php in eFront Community++ edition 3.6.10, and possibly other editions, allows remote attackers to inject arbitrary web script or HTML via the filter parameter. efrontcommunity-administrator-xss(73043) http://www.vulnerability-lab.com/get_content.php?id=423 51894 20120207 eFronts Community++ v3.6.10 - Cross Site Vulnerability