Vulnerability Summary for the Week of January 22, 2007
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities |
---|
Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
---|---|---|---|---|---|---|
Advanced Guestbook -- Advanced Guestbook | ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Advanced Guestbook 2.4.2 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) index.php, (2) addentry.php, or (3) picture.php, a different set of vectors than CVE-2006-5804. NOTE: this issue has been disputed by third party researchers, stating that the include_path variable is instantiated before use. |
| 7.0 | CVE-2007-0530 BUGTRAQ BUGTRAQ | ||
Andrew Morgan -- Linux-PAM | pam_unix.so in Linux-PAM 0.99.7.0 allows context-dependent attackers to log into accounts whose password hash, as stored in /etc/passwd or /etc/shadow, has only two characters. |
| 7.0 | CVE-2007-0003 MLIST MLIST MLIST | ||
Apple -- Mac OS X Apple -- Quicktime | The _GetSrcBits32ARGB function in Apple QuickDraw, as used by Quicktime 7.1.3 and other applications on Mac OS X 10.4.8 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PICT image with a malformed Alpha RGB (ARGB) record, which triggers memory corruption. |
| 10.0 | CVE-2007-0462 OTHER-REF | ||
Apple -- Safari | Apple Safari does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within an HTML comment. |
| 7.0 | CVE-2007-0478 BUGTRAQ OTHER-REF | ||
AWFFull -- AWFFull | Multiple buffer overflows in (1) graphs.c, (2) output.c, and (3) preserve.c in AWFFull 3.7.1 and earlier have unknown impact and attack vectors. NOTE: some of these details are obtained from third party information. NOTE: There may not be any attack vector that crosses privilege boundaries. |
| 7.0 | CVE-2007-0510 MLIST OTHER-REF FRSIRT | ||
BBClone -- BBClone | PHP remote file inclusion vulnerability in lib/selectlang.php in BBClone 0.31 allows remote attackers to execute arbitrary PHP code via a URL in the BBC_LANGUAGE_PATH parameter. |
| 7.0 | CVE-2007-0508 OTHER-REF FRSIRT SECUNIA | ||
BEA System -- Weblogic Server | BEA Weblogic Server 8.1 through 8.1 SP4 does not properly validate client certificates when reusing cached connections, which allows remote attackers to obtain access via an untrusted X.509 certificate. |
| 7.0 | CVE-2007-0408 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | The WSEE runtime (WS-Security runtime) in BEA WebLogic Server 9.0 and 9.1 does not verify credentials when decrypting client messages, which allows remote attackers to bypass application security. |
| 7.0 | CVE-2007-0416 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | BEA WebLogic Server 7.0 through 7.0 SP7, 8.1 through 8.1 SP5, 9.0, and 9.1, when using the WebLogic Server 6.1 compatibility realm, allows attackers to execute certain EJB container persistence operations with an administrative identity. |
| 10.0 | CVE-2007-0417 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | BEA WebLogic Server 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1 does not enforce a security policy that declares permissions for EJB methods that have array parameters, which allows remote attackers to obtain unauthorized access to these methods. |
| 7.0 | CVE-2007-0418 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Platform and Server BEA Systems -- JRockit | Unspecified vulnerability in BEA WebLogic Platform and Server 8.1 through 8.1 SP5, and JRockit 1.4.2 R4.5 and earlier, allows attackers to gain privileges via unspecified vectors, related to an "overflow condition," probably a buffer overflow. |
| 7.0 | CVE-2007-0425 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- AquaLogic Service Bus | BEA AquaLogic Service Bus 2.0, 2.1, and 2.5 does not properly reject malformed request messages to a proxy service, which might allow remote attackers to bypass authorization policies and route requests to back-end services or conduct other unauthorized activities. |
| 7.0 | CVE-2007-0432 BEA SECTRACK SECUNIA | ||
Bradabra -- Bradabra | PHP remote file inclusion vulnerability in include/includes.php in Bradabra 2.0.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter. |
| 7.0 | CVE-2007-0500 OTHER-REF FRSIRT SECUNIA | ||
Check Point Software -- Connectra NGX | sre/params.php in Check Point Connectra NGX R62 and earlier allows remote attackers to bypass security requirements via a crafted Report parameter, which returns a valid ICSCookie authentication token. |
| 7.0 | CVE-2007-0471 BUGTRAQ BUGTRAQ FULLDISC FRSIRT XF | ||
Cisco -- IOS XR Cisco -- IOS Transmission Control Protocol | Cisco IOS 9.x, 10.x, 11.x, and 12.x and IOS XR 2.0.x, 3.0.x, and 3.2.x allows remote attackers to cause a denial of service or execute arbitrary code via a crafted IP option in the IP header in a (1) ICMP, (2) PIMv2, (3) PGM, or (4) URD packet. |
| 10.0 | CVE-2007-0480 CISCO | ||
Citrix -- Citrix MetaFrame XP Citrix -- Citrix Presentation Server | Stack-based buffer overflow in the print provider library (cpprov.dll) Citrix Presentation Server 4.0, MetaFrame Presentation Server 3.0, and MetaFrame XP 1.0 allows local users and remote attackers to execute arbitrary code via long arguments to the (1) EnumPrintersW and (2) OpenPrinter functions. |
| 7.0 | CVE-2007-0444 OTHER-REF OTHER-REF | ||
Computer Associates -- Host Intrusion Prevention System | Computer Associates Host Intrusion Prevention System (HIPS) drivers (1) Core kmxstart.sys 6.5.4.31 and (2) Firewall kmxfw.sys 6.5.4.10 allow local users to gain privileges by using certain privileged IOCTLs to modify callback function pointers. |
| 7.0 | CVE-2006-6952 BUGTRAQ BUGTRAQ OTHER-REF BID SECUNIA | ||
Computer Associates -- Desktop Protection Suite Computer Associates -- BrightStor ARCserve Backup for Laptops & Desktops Computer Associates -- Desktop Management Suite Computer Associates -- Mobile Backup Computer Associates -- Business Protection Suite | Multiple buffer overflows in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via unknown vectors. |
| 10.0 | CVE-2007-0449 OTHER-REF | ||
Enthusiast -- Enthusiast | Multiple cross-site scripting (XSS) vulnerabilities in Enthusiast 3.1 allow remote attackers to inject arbitrary web script or HTML via the URI for (1) show_owned.php or (2) show_joined.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 7.0 | CVE-2007-0483 SECUNIA | ||
Enthusiast -- Enthusiast | Multiple SQL injection vulnerabilities in Enthusiast 3.1 allow remote attackers to execute arbitrary SQL commands via the cat parameter to (1) show_owned.php, (2) show_joined.php, and possibly other files. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 7.0 | CVE-2007-0484 SECUNIA | ||
FreeWebShop -- FreeWebShop | PHP remote file inclusion vulnerability in includes/login.php in FreeWebShop 2.2.3 and 2.2.4 before 20070123 allows remote attackers to execute arbitrary PHP code via a URL in the lang_file parameter. |
| 7.0 | CVE-2007-0531 OTHER-REF OTHER-REF FRSIRT SECUNIA | ||
Grigoriadis -- Mini Web server | Multiple buffer overflows in Nickolas Grigoriadis Mini Web server (MiniWebsvr) before 0.05 have unknown impact and attack vectors. |
| 7.0 | CVE-2007-0525 OTHER-REF FRSIRT | ||
Hitachi -- uCosminexus Service Architect Hitachi -- uCosminexus Application Server Standard Hitachi -- uCosminexus Developer Light Hitachi -- Cosminexus Developer Professional Version 6 Hitachi -- uCosminexus Service Platform Hitachi -- uCosminexus Developer Standard Hitachi -- Cosminexus Application Server Enterprise Version 6 Hitachi -- uCosminexus Application Server Enterprise Hitachi -- Cosminexus Application Server Standard Version 6 Hitachi -- Cosminexus Server - Standard Edition Hitachi -- Hitachi Web Server for VOS3 Hitachi -- Cosminexus Server - Enterprise Edition Hitachi -- Cosminexus Server - Standard Edition Version 4 Hitachi -- Cosminexus Application Server Version 5 Hitachi -- Cosminexus Server - Web Edition Version 4 Hitachi -- Hitachi Web Server Hitachi -- Cosminexus Server - Web Edition Hitachi -- uCosminexus Application Server Smart Edition Hitachi -- Cosminexus Developer Light Version 6 Hitachi -- Cosminexus Developer Standard Version 6 Hitachi -- Cosminexus Developer Version 5 Hitachi -- Hitachi Web Server - Security Enhancement Hitachi -- Hitachi Web Server - Custom Edition | Multiple cross-site scripting (XSS) vulnerabilities in multiple Hitachi Web Server, uCosminexus, and Cosminexus products before 20070124 allow remote attackers to inject arbitrary web script or HTML via (1) HTTP Expect headers or (2) image maps. |
| 7.0 | CVE-2007-0514 OTHER-REF FRSIRT | ||
Mafia Scum Tools -- Mafia Scum Tools | PHP remote file inclusion vulnerability in index.php in Mafia Scum Tools 2.0.0 in Matthew Wardrop Advanced Random Generators (adv-random-gen) allows remote attackers to execute arbitrary PHP code via a URL in the gen parameter. |
| 7.0 | CVE-2007-0501 Milw0rm FRSIRT | ||
MagicVideoSoftare -- Magic Music Editor XWaver.com -- Magic Music Studio Pro Movavi -- ConvertMovie Joshua Mediasoft -- Video Converter Plus NCTsoft Products -- NCTDialogicVoice SoftDiv Softare -- iVideoMAX Movavi -- VideoMessage Quikscribe -- Quikscribe Player Mystik Media Products -- Blaze Media Pro McFunSoft -- iPod Music Converter J Hepple Products -- Fx Video Converter CheetahBurner -- Cheetah DVD Burner J Hepple Products -- Fx Audio Editor Joshua Mediasoft -- Audio Convertor Plus NCTsoft Products -- NCTAudioFile2 Roemer Software -- Easy Hi-Q Recorder MagicVideoSoftare -- Magic Audio Recorder Mystik Media Products -- Blaze MediaConvert iAudioSoft.com -- Absolute MP3 Splitter CheetahBurner -- Cheetah CD Burner RMBSoft -- SoundEdit Pro Code-It Softare -- aBasic Editor Dandans Digital Media Products -- Easy Audio Editor McFunSoft -- Audio Editor Digital Borneo -- Audio Mixer And Editor Mystik Media Products -- AudioEdit Deluxe iMesh.com -- iMesh Smart Media Systems -- Power Audio Editor iAudioSoft.com -- Absolute Sound Recorder Quikscribe -- Quikscribe Recorder J Hepple Products -- Fx Movie Joiner Virtual CD -- Virtual CD File Server Movavi -- ChiliBurner Dandans Digital Media Products -- Visual Video Converter Mediatox -- Aurora Media Workshop Mystik Media Products -- ContextConvert Pro Movavi -- DVD to iPod McFunSoft -- Recording to iPod Solution Altdo -- Convert Mp3 Master Dandans Digital Media Products -- Music Editing Master NCTsoft Products -- NCTAudioStudio Sienzo -- Digital Music Mentor Dandans Digital Media Products -- Full Audio Converter Easy Ringtone Maker -- Easy Ringtone Maker MP3-Soft -- MP3 Normalizer AmericanShareware -- MP3 WAV Converter RecordNRip -- RecordNRip J Hepple Products -- Fx Audio Tools McFunSoft -- Audio Studio McFunSoft -- iPod Audio Studio NextLevel Systems -- Audio Studio Gold J Hepple Products -- Fx New Sound Xrlly Software -- Arial Audio Converter Movavi -- Suite CDBurnerXP -- CDBurnerXP Pro XWaver.com -- Magic Audio Editor Pro 
J Hepple Products -- Fx Movie Splitter MagicVideoSoftare -- Magic Audio Converter Xrlly Software -- Arial Sound Recorder J Hepple Products -- Fx Audio ConCat Movavi -- SplitMovie SoftDiv Softare -- Dexster RMBSoft -- AudioConvert Code-It Softare -- Wave MP3 Editor Roemer Software -- Easy Hi-Q Converter SoftDiv Softare -- VIDEOzilla EXPStudio -- Audio Editor Virtual CD -- Virtual CD iAudioSoft.com -- Absolute Video to Audio Converter Roemer Software -- FREE Hi-Q Recorder Xrlly Software -- Text to Speech Maker J Hepple Products -- Fx Movie Joiner and Splitter J Hepple Products -- Fx Magic Music Altdo -- Mp3 Record&Edit Audio Master SoftDiv Softare -- Snosh Audio Edit Magic -- Audio Edit Magic McFunSoft -- Audio Recorder for Free NextLevel Systems -- Audio Editor Gold NCTsoft Products -- NCTAudioEditor SoftDiv Softare -- MP3 to WAV Converter | Stack-based buffer overflow in the NCTAudioFile2.AudioFile ActiveX control (NCTAudioFile2.dll), as used by multiple products, allows remote attackers to execute arbitrary code via a long argument to the SetFormatLikeSample function. NOTE: the products include (1) NCTsoft NCTAudioStudio, NCTAudioEditor, and NCTDialogicVoice; (2) Magic Audio Recorder, Music Editor, and Audio Converter; (3) Aurora Media Workshop; DB Audio Mixer And Editor; (4) J. Hepple Products including Fx Audio Editor and others; (5) EXPStudio Audio Editor; (6) iMesh; (7) Quikscribe; (8) RMBSoft AudioConvert and SoundEdit Pro 2.1; (9) CDBurnerXP; (10) Code-it Software Wave MP3 Editor and aBasic Editor; (11) Movavi VideoMessage, DVD to iPod, and others; (12) SoftDiv Software Dexster, iVideoMAX, and others; (13) Sienzo Digital Music Mentor (DMM); (14) MP3 Normalizer; (15) Roemer Software FREE and Easy Hi-Q Recorder, and Easy Hi-Q Converter; (16) Audio Edit Magic; (17) Joshua Video and Audio Converter; (1! 
8) Virtual CD; (19) Cheetah CD and DVD Burner; (20) Mystik Media AudioEdit Deluxe, Blaze Media, and others; (21) Power Audio Editor; (22) DanDans Digital Media Full Audio Converter, Music Editing Master, and others; (23) Xrlly Software Text to Speech Makerand Arial Sound Recorder / Audio Converter; (24) Absolute Sound Recorder, Video to Audio Converter, and MP3 Splitter; (25) Easy Ringtone Maker; (26) RecordNRip; (27) McFunSoft iPod Audio Studio, Audio Recorder for Free, and others; and (28) MP3 WAV Converter. |
| 8.0 | CVE-2007-0018 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF FRSIRT SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA SECUNIA | ||
MaklerPlus -- MaklerPlus | Multiple unspecified vulnerabilities in MaklerPlus before 1.2 have unknown impact and attack vectors, possibly relating to cross-site scripting (XSS) in the slogan parameter in main.tpl, or information leaks in error messages. |
| 7.0 | CVE-2007-0509 OTHER-REF FRSIRT SECUNIA | ||
Microsoft -- Help Workshop | Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a help project (.HPJ) file with a long HLP field in the OPTIONS section. |
| 8.0 | CVE-2007-0427 BUGTRAQ OTHER-REF BID | ||
Microsoft -- Office Word Microsoft -- Office Microsoft -- Word | Unspecified vulnerability in Microsoft Word allows user-assisted remote attackers to execute arbitrary code on Word 2000, and cause a denial of service (crash) on Word 2003, via unknown attack vectors, as exploited by Trojan.Mdropper.W. NOTE: a reliable source has claimed that this is a different issue than CVE-2006-6456, CVE-2006-5994, and CVE-2006-6561, but as of 20070125, Microsoft has not confirmed this. |
| 8.0 | CVE-2007-0515 OTHER-REF BID | ||
NEC -- MultiWriter | The web server in the NEC MultiWriter 1700C allows remote attackers to modify the device configuration via unspecified vectors. |
| 7.0 | CVE-2006-6946 OTHER-REF | ||
Neon Labs -- Neon Labs Website | PHP remote file inclusion vulnerability in lib/nl/nl.php in Neon Labs Website (nlws) 3.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the g_strRootDir parameter. |
| 10.0 | CVE-2007-0496 OTHER-REF FRSIRT | ||
Odysseus Blog -- Odysseus Blog | Cross-site scripting (XSS) vulnerability in blog.php in OdysseusBlog allows remote attackers to inject arbitrary web script or HTML via the page parameter. |
| 7.0 | CVE-2006-6951 BUGTRAQ VIM BID XF | ||
Openads -- Openads | Cross-site scripting (XSS) vulnerability in Openads before 2.3.31 (aka Max Media Manager before 0.3.31-alpha) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in (1) admin-search.php and (2) affiliate-search.php. NOTE: this issue may overlap CVE-2007-0363. |
| 7.0 | CVE-2007-0477 OTHER-REF OTHER-REF OTHER-REF FRSIRT | ||
Panic Transmit -- Panic Transmit | Heap-based buffer overflow in the SFTP protocol handler for Panic Transmit (Transmit.app) up to 3.5.5 allows remote attackers to execute arbitrary code via a long ftps:// URL. |
| 8.0 | CVE-2007-0020 OTHER-REF OTHER-REF FRSIRT SECUNIA | ||
phpAdsNew -- phpAdsNew | Multiple PHP remote file inclusion vulnerabilities in Openads (aka phpAdsNew) 2.0.7 allow remote attackers to execute arbitrary PHP code via a URL in the (1) phpAds_geoPlugin parameter to libraries/lib-remotehost.inc, the (2) filename parameter to admin/report-index, or the (3) phpAds_config[my_footer] parameter to admin/lib-gui.inc. |
| 7.0 | CVE-2007-0486 BUGTRAQ | ||
PhpSherpa -- PhpSherpa | PHP remote file inclusion vulnerability in include/config.inc.php in PhpSherpa allows remote attackers to execute arbitrary PHP code via a URL in the racine parameter. |
| 10.0 | CVE-2007-0495 OTHER-REF FRSIRT SECUNIA | ||
rPath -- rPath Linux | The chroot helper in rMake for rPath Linux 1 does not drop supplemental groups, which causes packages to be installed with insecure permissions and might allow local users to gain privileges. |
| 7.0 | CVE-2007-0536 OTHER-REF OTHER-REF | ||
RubyForge -- RubyGems | The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages. |
| 8.0 | CVE-2007-0469 OTHER-REF FRSIRT | ||
Sangwan Kim -- phpIndexPage | PHP remote file inclusion vulnerability in config.php in Sangwan Kim phpIndexPage 1.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the env[inc_path] parameter. |
| 7.0 | CVE-2007-0499 Milw0rm FRSIRT | ||
Scriptsez -- Random PHP Quote | Scriptsez Random PHP Quote 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password information via a direct request for pwd.txt. |
| 7.0 | CVE-2007-0517 BUGTRAQ | ||
Scriptsez -- Smart PHP Subscriber | Scriptsez Smart PHP Subscriber (aka subscribe) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain encoded passwords via a direct request for pwd.txt. |
| 7.0 | CVE-2007-0518 BUGTRAQ SECUNIA | ||
Sky Gunning -- MySpeach | PHP remote file inclusion vulnerability in up.php in MySpeach 2.1 beta and possibly earlier allows remote attackers to execute arbitrary PHP code via a URL in the my[root] parameter. |
| 7.0 | CVE-2007-0498 OTHER-REF | ||
Sun -- Solaris | Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uucp account privileges via unspecified vectors. |
| 7.0 | CVE-2007-0470 SUNALERT | ||
SuSE -- SuSE Linux | Buffer overflow in ulogd for SUSE Linux 9.3 up to 10.1, and possibly other distributions, has unknown impact and attack vectors related to "improper string length calculations." |
| 7.0 | CVE-2007-0460 SUSE SECUNIA | ||
T-Com -- Speedport 500V | T-Com Speedport 500V routers with firmware 1.31 allow remote attackers to bypass authentication and reconfigure the device via a LOGINKEY=TECOM cookie value. |
| 7.0 | CVE-2007-0435 BUGTRAQ | ||
Unique Ads -- Unique Ads | SQL injection vulnerability in banner.php in Unique Ads (UDS) 1.x allows remote attackers to execute arbitrary SQL commands via the bid parameter. |
| 7.0 | CVE-2007-0520 BUGTRAQ XF | ||
Vote! Pro -- Vote! Pro | Eval injection vulnerability in poll_frame.php in Vote! Pro 4.0, and possibly other scripts, allows remote attackers to execute arbitrary code via the poll_id parameter, which is supplied to an eval function call, a different vulnerability type than CVE-2005-4632. |
| 10.0 | CVE-2007-0504 OTHER-REF FRSIRT SECUNIA | ||
Vote! Pro -- Vote! Pro | Multiple eval injection vulnerabilities in Vote! Pro 4.0, and possibly earlier, allow remote attackers to execute arbitrary code via requests to unspecified PHP scripts with the poll_id parameter, which is supplied to eval function calls, a different set of vectors than CVE-2007-0504. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 7.0 | CVE-2007-0535 FRSIRT SECUNIA | ||
WebChat.org -- WebChat | PHP remote file inclusion vulnerability in defines.php in WebChat 0.77 allows remote attackers to execute arbitrary PHP code via a URL in the WEBCHATPATH parameter. |
| 7.0 | CVE-2007-0485 OTHER-REF XF | ||
webSPELL -- webSPELL | Multiple SQL injection vulnerabilities in gallery.php in webSPELL 4.01.02 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) galleryID parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 7.0 | CVE-2007-0492 FRSIRT | ||
webSPELL -- webSPELL | SQL injection vulnerability in gallery.php in webSPELL 4.01.02 allows remote attackers to execute arbitrary SQL commands via the picID parameter, a different vector than CVE-2007-0492. |
| 7.0 | CVE-2007-0502 OTHER-REF FRSIRT | ||
ZoneO-Soft -- freeForum | PHP remote file inclusion vulnerability in index.php in FreeForum 0.9.0 allows remote attackers to execute arbitrary PHP code via a URL in the fpath parameter. |
| 7.0 | CVE-2007-0487 BUGTRAQ |
Medium Vulnerabilities

Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info
---|---|---|---
Apple -- Mac OS X | The CFUserNotificationSendRequest function in UserNotificationCenter.app in Apple Mac OS X 10.4.8, when used in combination with diskutil, allows local users to gain privileges via a malicious InputManager in Library/InputManagers in a user's home directory, which is executed when Cocoa applications attempt to notify the user. | 5.6 | CVE-2007-0023 OTHER-REF
BEA System -- WebLogic | BEA WebLogic Server 8.1 through 8.1 SP5, 9.0, 9.1, and 9.2 Gold, when WS-Security is used, does not properly validate certificates, which allows remote attackers to conduct a man-in-the-middle (MITM) attack. | 5.6 | CVE-2007-0411 BEA FRSIRT SECTRACK SECUNIA
BEA Systems -- WebLogic Server | BEA WebLogic Server 6.1 through 6.1 SP7, and 7.0 through 7.0 SP7 allows remote attackers to cause a denial of service (disk consumption) via requests containing malformed headers, which cause a large amount of data to be written to the server log. | 4.7 | CVE-2007-0421 BEA FRSIRT SECTRACK SECUNIA
BEA Systems -- WebLogic Portal | BEA WebLogic Portal 9.2, when running in a WebLogic Server clustered environment using WebLogic Portal entitlements, does not properly propagate entitlement policy changes if the changes are made on a managed server while the Administrative Server is unavailable, which might allow attackers to bypass intended restrictions. | 5.6 | CVE-2007-0426 BEA FRSIRT SECUNIA
BEA Systems -- AquaLogic Service Bus | Unspecified vulnerability in BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2, when using Active Directory LDAP for authentication, allows remote authenticated users to access the server even after the account has been disabled. | 4.2 | CVE-2007-0433 BEA SECTRACK SECUNIA
BEA Systems -- AquaLogic Enterprise Security | BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2 does not properly set the severity level of audit events when the system load is high, which might make it easier for attackers to avoid detection. | 4.9 | CVE-2007-0434 BEA SECUNIA
Centrality Communications -- PA168 chipset | The admin web console implemented by the Centrality Communications (aka Aredfox) PA168 chipset and firmware 1.54 and earlier, as provided by various IP phones, does not require passwords or authentication tokens when using HTTP, which allows remote attackers to connect to existing superuser sessions and obtain sensitive information (passwords and configuration data). | 6.0 | CVE-2007-0528 BUGTRAQ OTHER-REF
Conti -- FTPServer | Conti FTPServer 1.0 Build 2.8 stores user passwords in cleartext in MyServerSettings.ini, which allows local users to obtain sensitive information by reading this file. | 4.9 | CVE-2006-6949 OTHER-REF BID FRSIRT SECUNIA XF
Drupal -- Project issue tracking Drupal -- Project | Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue. | 4.8 | CVE-2007-0505 OTHER-REF FRSIRT
Gentoo -- Gentoo Linux | The gencert.sh script, when installing OpenLDAP before 2.1.30-r10, 2.2.x before 2.2.28-r7, and 2.3.x before 2.3.30-r2 as an ebuild in Gentoo Linux, does not create temporary directories in /tmp securely during emerge, which allows local users to overwrite arbitrary files via a symlink attack. | 4.9 | CVE-2007-0476 GENTOO SECUNIA
HP -- OpenView Network Node Manager | Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to execute arbitrary commands via unknown vectors. | 5.6 | CVE-2007-0441 HP SECTRACK
Microsoft -- Visual Studio | Stack-based buffer overflow in rcdll.dll in msdev.exe in Visual C++ (MSVC) in Microsoft Visual Studio 6.0 SP6 allows user-assisted remote attackers to execute arbitrary code via a long file path in the "1 TYPELIB MOVEABLE PURE" option in an RC file. | 5.6 | CVE-2007-0468 BUGTRAQ OTHER-REF SECUNIA
phpXMLDOM -- phpXMLDOM | Multiple PHP remote file inclusion vulnerabilities in phpXMLDOM (phpXD) 0.3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) dom.php, (2) dtd.php, or (3) parser.php in include/. | 5.6 | CVE-2007-0511 OTHER-REF SECUNIA
Sky Gunning -- MySpeach | PHP remote file inclusion vulnerability in up.php in Sky GUNNING MySpeach 3.0.6 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the my_ms[root] parameter, a different vector than CVE-2006-4630. NOTE: Some of these details are obtained from third party information. | 5.6 | CVE-2007-0491 FRSIRT SECUNIA
Sun -- Ray Server Software | cgi-bin/main in Sun Ray Server Software 2.0 and 3.0 before 20070123 allows local users to obtain the utadmin password by reading a web server's log file, or by conducting a different, unspecified local attack. | 4.9 | CVE-2007-0482 SUNALERT
Sun -- Solaris | Unspecified vulnerability in kcms_calibrate in Sun Solaris 8 and 9 before 20071122 allows local users to execute arbitrary commands via unknown vectors. | 5.6 | CVE-2007-0503 SUNALERT FRSIRT SECTRACK SECUNIA XF
Upload-Service -- Upload-Service | PHP remote file inclusion vulnerability in upload/top.php in Upload-Service 1.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the maindir parameter. | 5.6 | CVE-2007-0497 OTHER-REF FRSIRT SECUNIA
VisoHotlink -- VisoHotlink | PHP remote file inclusion vulnerability in includes/functions.visohotlink.php in VisoHotlink 1.01 and possibly earlier allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. | 5.6 | CVE-2007-0489 OTHER-REF FRSIRT SECUNIA XF
Website Baker -- Website Baker | SQL injection vulnerability in class.login.php in Website Baker 2.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the REMEMBER_KEY cookie parameter. | 5.6 | CVE-2007-0527 BUGTRAQ SECUNIA

Low Vulnerabilities |
---|
Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
---|---|---|---|---|---|---|
Apple -- Mac OS X | The shared_region_map_file_np function in Apple Mac OS X 10.4.8 and earlier kernel allows local users to cause a denial of service (memory corruption) via a large mappingCount value. |
| 2.3 | CVE-2007-0430 BUGTRAQ | ||
AToZed Software -- IntraWeb Component | The AToZed IntraWeb component 8.0 and earlier for Borland Delphi and Kylix, and IntraWeb 9.0 before build (9.0.12), allows remote attackers to cause a denial of service (thread hang or CPU consumption) via a crafted HTTP request, related to the OnBeforeDispatch function in the TIWServerController object. |
| 2.3 | CVE-2007-0533 BUGTRAQ BUGTRAQ OTHER-REF OTHER-REF XF | ||
AVM -- FRITZ!Box | AVM Fritz!Box 7050, and possibly other product models, allows remote attackers to cause a denial of service (VoIP application crash) via a zero-length UDP packet to the SIP port (port 5060). |
| 3.3 | CVE-2007-0431 BUGTRAQ FULLDISC OTHER-REF BID | ||
BEA System -- WebLogic | BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP4, and 9.0 initial release does not encrypt passwords stored in the JDBCDataSourceFactory MBean Properties, which allows local administrative users to read the cleartext password. |
| 0.8 | CVE-2007-0409 BEA FRSIRT SECTRACK SECUNIA | ||
BEA System -- WebLogic | Unspecified vulnerability in the thread management in BEA WebLogic 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, 9.0, and 9.1, when T3 authentication is used, allows remote attackers to cause a denial of service (thread and system hang) via unspecified "sequences of events." |
| 2.3 | CVE-2007-0410 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP7, and 8.1 through 8.1 SP5 allows remote attackers to read arbitrary files inside the class-path property via .ear or exploded .ear files that use the manifest class-path property to point to utility jar files. |
| 2.3 | CVE-2007-0412 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | BEA WebLogic Server 8.1 through 8.1 SP5 improperly cleartext data in a backup of config.xml after offline editing, which allows local users to obtain sensitive information by reading this backup file. |
| 3.9 | CVE-2007-0413 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | BEA WebLogic Server 6.1 through 6.1 SP7, 7.0 through 7.0 SP6, 8.1 through 8.1 SP5, and 9.0 allows remote attackers to cause a denial of service (server hang) via certain requests that cause muxer threads to block when processing error pages. |
| 2.3 | CVE-2007-0414 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | BEA WebLogic Server 8.1 through 8.1 SP5 does not properly enforce access control after a dynamic update and dynamic redeployment of an application that is implemented through exploded jars, which allows attackers to bypass intended access restrictions. |
| 2.3 | CVE-2007-0415 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | The BEA WebLogic Server proxy plug-in before June 2006 for the Apache HTTP Server does not properly handle protocol errors, which allows remote attackers to cause a denial of service (server outage). |
| 2.3 | CVE-2007-0419 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | BEA WebLogic Server 9.0, 9.1, and 9.2 Gold allows remote attackers to obtain sensitive information via malformed HTTP requests, which reveal data from previous requests. |
| 2.3 | CVE-2007-0420 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Server | BEA WebLogic Server 9.0, 9.1, and 9.2 Gold, when running on Solaris 9, allows remote attackers to cause a denial of service (server inaccessibility) via manipulated socket connections. |
| 2.3 | CVE-2007-0422 BEA FRSIRT SECTRACK SECUNIA | ||
BEA Systems -- WebLogic Portal | BEA WebLogic Portal 9.2 does not properly handle when an administrator deletes entitlements for a role, which causes other role entitlements to be "inadvertently affected," which has an unknown impact. |
| 3.9 | CVE-2007-0423 BEA FRSIRT SECUNIA | ||
BEA Systems -- WebLogic Server | Unspecified vulnerability in the BEA WebLogic Server proxy plug-in for Netscape Enterprise Server before September 2006 allows remote attackers to cause a denial of service via certain requests that trigger errors that lead to a server being marked as unavailable, hosting web server failure, or CPU consumption. |
| 2.3 | CVE-2007-0424 BEA FRSIRT SECTRACK SECUNIA | ||
Bitweaver -- Bitweaver | Multiple cross-site scripting (XSS) vulnerabilities in Bitweaver 1.3.1 allow remote attackers to inject arbitrary web script or HTML via the URL (PATH_INFO) to (1) articles/edit.php, (2) articles/list.php, (3) blogs/list_blogs.php, or (4) blogs/rankings.php. |
| 2.3 | CVE-2007-0526 BUGTRAQ XF | ||
Cisco -- IOS Transmission Control Protocol | Memory leak in the TCP listener in Cisco IOS 9.x, 10.x, 11.x, and 12.x allows remote attackers to cause a denial of service by sending crafted TCP traffic to an IPv4 address on the IOS device. |
| 3.3 | CVE-2007-0479 CISCO | ||
Cisco -- IOS | Cisco IOS allows remote attackers to cause a denial of service (crash) via a crafted IPv6 Type 0 Routing header. |
| 3.3 | CVE-2007-0481 CISCO | ||
Conti -- FTPServer | Directory traversal vulnerability in Conti FTPServer 1.0 Build 2.8 allows remote attackers to read arbitrary files and list arbitrary directories via a .. (dot dot) in a filename argument. |
| 2.3 | CVE-2006-6950 OTHER-REF BID FRSIRT SECUNIA XF | ||
Dazuko -- Dazuko | Multiple memory leaks in the Dazuko anti-virus helper module before 2.3.2 allow attackers to cause a denial of service (memory consumption) via unknown vectors. |
| 2.3 | CVE-2007-0461 SUSE | ||
DivX Inc. -- DivX Player | DivXBrowserPlugin (aka DivX Web Player) npdivx32.dll, as distributed with DivX Player 6.4.1, allows remote attackers to cause a denial of service (Internet Explorer 7 crash) by invoking the GoWindowed method for a certain instance of the ActiveX object. |
| 2.3 | CVE-2007-0429 OTHER-REF BID XF | ||
Drupal -- Project issue tracking Drupal -- Project | The project_issue_access function in the Project issue tracking 4.7.0 through 5.x before 20070123 module for Drupal allows remote authenticated users to bypass other access control modules and obtain attached files by guessing the filename, and obtain issue information via direct requests. |
| 3.4 | CVE-2007-0506 OTHER-REF FRSIRT | ||
Drupal -- Acidfree | SQL injection vulnerability in the Acidfree module for Drupal before 4.6.x-1.0, and before 4.7.x-1.0 in the 4.7 series, allows remote authenticated users with "create acidfree albums" privileges to execute arbitrary SQL commands via node titles. |
| 3.4 | CVE-2007-0507 OTHER-REF FRSIRT SECUNIA | ||
Drupal -- Project module Drupal -- Project Issue Tracking module | Multiple cross-site scripting (XSS) vulnerabilities in the (1) Project issue tracking 4.7.0 through 5.x before 20070123 and (2) Project 4.6.0 through 5.x before 20070123 modules for Drupal allow remote authenticated users to inject arbitrary web script or HTML via (a) certain "fields on project nodes" or (b) "certain project-specific settings regarding issue tracking." |
| 2.3 | CVE-2007-0534 OTHER-REF FRSIRT | ||
Hitachi -- TP1/Link Hitachi -- TP1/Server Base | Hitachi TP1/LiNK 05-00 through 05-03-/F, 03-04 through 03-06-/K, and 03-00 through 03-03-/H; and TP1/Server Base 05-00 through 05-00-/M, 03-01-E through 03-01-FD, 03-01 through 03-01-DB, and 05-03; allow attackers to cause a denial of service (process crash) via invalid data to an OpenTP1 port. |
| 2.3 | CVE-2007-0512 OTHER-REF FRSIRT | ||
Hitachi -- HiRDB/Parallel Server Hitachi -- HiRDB/Workgroup Server Hitachi -- HiRDB/Single Server Workgroup Edition Hitachi -- HiRDB/Single Server Hitachi -- HiRDB Datareplicator | Hitachi HiRDB Datareplicator 7HiRDB, 7(64), 6, 6(64), 5.0, and 5.0(64); and various products that bundle HiRDB Datareplicator; allows attackers to cause a denial of service (CPU consumption) via certain data. |
| 2.3 | CVE-2007-0513 OTHER-REF FRSIRT | ||
Huawei -- Versatile Routing Platform | The Huawei Versatile Routing Platform 1.43 2500E-003 firmware on the Quidway R1600 Router, and possibly other models, allows remote attackers to cause a denial of service (device crash) via a long show arp command. |
| 2.3 | CVE-2007-0488 FULLDISC XF | ||
IBM -- OS/400 | Unspecified vulnerability in IBM OS/400 R530 and R535 has unknown impact and remote attack vectors, related to an "Integrity Problem" involving LIC-TCPIP and TCP reset. NOTE: it is possible that this issue is related to CVE-2004-0230, but this is not certain. |
| 2.3 | CVE-2007-0442 AIXAPAR AIXAPAR SECUNIA | ||
Internet Systems Consortium -- BIND | Use-after-free vulnerability in ISC BIND 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (named daemon crash) via unspecified vectors that cause named to "dereference a freed fetch context." |
| 3.3 | CVE-2007-0493 FULLDISC MLIST OTHER-REF OTHER-REF FRSIRT SECUNIA | ||
ISC -- BIND | ISC BIND 9.0.x, 9.1.x, 9.2.0 up to 9.2.7, 9.3.0 up to 9.3.3, 9.4.0a1 up to 9.4.0a6, 9.4.0b1 up to 9.4.0b4, 9.4.0rc1, and 9.5.0a1 (Bind Forum only) allows remote attackers to cause a denial of service (exit) via a type * (ANY) DNS query response that contains multiple RRsets, which triggers an assertion error. |
| 1.9 | CVE-2007-0494 MLIST OTHER-REF OTHER-REF SECUNIA | ||
LG Electronics -- Chocolate KG800 | The LG Chocolate KG800 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push. |
| 1.9 | CVE-2007-0524 BUGTRAQ BUGTRAQ | ||
Motorola -- MOTORAZR | The Motorola MOTORAZR V3 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push. |
| 1.9 | CVE-2007-0522 BUGTRAQ BUGTRAQ | ||
MyODBC -- MyODBC | MyODBC Japanese conversion edition 3.51.06, 2.50.29, and 2.50.25 allows remote attackers to cause a denial of service via a certain string in a response, which has unspecified impact on the MySQL database. |
| 3.3 | CVE-2006-6948 OTHER-REF | ||
NEC -- MultiWriter | The FTP server in the NEC MultiWriter 1700C allows remote attackers to redirect traffic to other sites (aka FTP bounce) via the PORT command, a variant of CVE-1999-0017. |
| 3.3 | CVE-2006-6947 OTHER-REF | ||
Nokia -- N70 | The Nokia N70 phone allows remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push. |
| 1.9 | CVE-2007-0523 BUGTRAQ BUGTRAQ | ||
Open-Realty -- Open-Realty | index.php in Open-Realty 2.3.4 allows remote attackers to obtain sensitive information (the full path) via an invalid listingID parameter in a listingview action. |
| 2.3 | CVE-2007-0490 BUGTRAQ | ||
PHP Link Directory -- PHP Link Directory | Cross-site scripting (XSS) vulnerability in index.html (aka the administration page) in PHP Link Directory (phpLD) 3.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted link, which is triggered when the administrator uses the "Validate Links" functionality. |
| 2.3 | CVE-2007-0529 BUGTRAQ OTHER-REF XF | ||
Sony Ericsson -- W810i Sony Ericsson -- K700i | The Sony Ericsson K700i and W810i phones allow remote attackers to cause a denial of service (continual modal dialogs and UI unavailability) by repeatedly trying to OBEX push a file over Bluetooth, as demonstrated by ussp-push. |
| 1.9 | CVE-2007-0521 BUGTRAQ BUGTRAQ | ||
The GIMP Team -- GIMP ToolKit | The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file. |
| 1.6 | CVE-2007-0010 OTHER-REF REDHAT | ||
Tuan Do -- Uploader | Tuan Do Uploader (aka php-uploader) 6 beta 1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the administrator password hash via a direct request for userdata/user_1.txt. |
| 2.3 | CVE-2007-0532 BUGTRAQ XF | ||
wzdftpd -- wzdftpd | Unspecified vulnerability in the chtbl_lookup function in hash.c for WzdFTPD 8.0 and earlier allows remote attackers to cause a denial of service via a crafted FTP command, probably due to a NULL pointer dereference. |
| 2.3 | CVE-2007-0428 BUGTRAQ FULLDISC OTHER-REF SECTRACK XF | ||
XMB Software -- U2U Instant Messenger | Cross-site scripting (XSS) vulnerability in memcp.php in XMB U2U Instant Messenger allows remote authenticated users to inject arbitrary web script or HTML via the recipient field. |
| 1.1 | CVE-2007-0519 BUGTRAQ OTHER-REF XF | ||
Yana Framework -- Yana Framework | Yana Framework before 2.8.5a allows remote authenticated users with permissions to modify a guestbook profile to modify or delete arbitrary guestbook profiles via unspecified vectors. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 1.1 | CVE-2007-0516 OTHER-REF OSVDB SECUNIA XF |