Vulnerability Summary for the Week of February 19, 2007
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities

Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
---|---|---|---|
| | The administrator HTTP interface in Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier, allows remote attackers to bypass authentication controls via a direct URL request. | 7.0 | CVE-2007-1062 CISCO FRSIRT |
AbleDesign -- MyCalendar | Multiple cross-site scripting (XSS) vulnerabilities in index.php in AbleDesign MyCalendar allow remote attackers to inject arbitrary web script or HTML via (1) the go parameter, (2) the search menu in a go=search action, or (3) the username or (4) the password in a go=Login action. | 7.0 | CVE-2007-1050 BUGTRAQ OTHER-REF |
Aktueldownload -- Aktueldownload Haber Script | SQL injection vulnerability in HaberDetay.asp in Aktueldownload Haber script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 10.0 | CVE-2007-1015 MILW0RM FRSIRT XF |
Aktueldownload -- Aktueldownload Haber Script | SQL injection vulnerability in Aktueldownload Haber script allows remote attackers to execute arbitrary SQL commands via certain vectors related to the HaberDetay.asp and rss.asp components, and the id and kid parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the combination of the HaberDetay.asp component and the id parameter is already covered by another February 2007 CVE candidate. | 7.0 | CVE-2007-1016 FRSIRT |
Apple -- iChat | The Bonjour functionality in iChat in Apple Mac OS X 10.3.9 allows remote attackers to cause a denial of service (persistent application crash) via unspecified vectors, possibly related to CVE-2007-0614. | 7.0 | CVE-2007-0710 OTHER-REF APPLE SECUNIA |
Apple -- Mac OS X Server Apple -- Mac OS X | Integer overflow in the gifGetBandProc function in ImageIO in Apple Mac OS X 10.4.8 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a crafted GIF image that triggers the overflow during decompression. NOTE: this is a different issue than CVE-2006-3502 and CVE-2006-3503. | 10.0 | CVE-2007-1071 OTHER-REF BID |
ASPcode.net -- Pollmentor | SQL injection vulnerability in pollmentorres.asp in PollMentor 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.0 | CVE-2007-0984 milw0rm BID |
CedStat -- CedStat | Cross-site scripting (XSS) vulnerability in index.php in CedStat 1.31 allows remote attackers to inject arbitrary web script or HTML via the hier parameter. | 7.0 | CVE-2007-1020 BUGTRAQ OTHER-REF BID XF |
Cisco -- Unified IP Conference Station 7935 Cisco -- Unified IP Phone 7911G Cisco -- Unified IP Conference Station 7936 Cisco -- Unified IP Phone 7906G Cisco -- Unified IP Phone 7970G Cisco -- Unified IP Phone 7971G Cisco -- Unified IP Phone 7941G Cisco -- Unified IP Phone 7961G | The SSH server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier, uses a hard-coded username and password, which allows remote attackers to access the device. | 10.0 | CVE-2007-1063 CISCO FRSIRT |
Cisco -- Unified IP Phone 7911G Cisco -- Unified IP Phone 7906G Cisco -- Unified IP Phone 7970G Cisco -- Unified IP Phone 7971G Cisco -- Unified IP Phone 7961G Cisco -- Unified IP Phone 7941G | The command line interface (CLI) in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier allows local users to obtain privileges or cause a denial of service via unspecified vectors. NOTE: this issue can be leveraged remotely via CVE-2007-1063. | 7.0 | CVE-2007-1072 CISCO CISCO SECUNIA |
CodeAvalanche -- CodeAvalanche News | SQL injection vulnerability in inc_listnews.asp in CodeAvalanche News 1.x allows remote attackers to execute arbitrary SQL commands via the CAT_ID parameter. | 10.0 | CVE-2007-1021 MILW0RM BID FRSIRT XF |
Design4Online -- UserPages2 | SQL injection vulnerability in page.asp in Design4Online UserPages2 2.0 allows remote attackers to execute arbitrary SQL commands via the art_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 7.0 | CVE-2007-1077 BID |
Distributed Checksum ClearingHouse -- DCC | Unspecified vulnerability in Distributed Checksum Clearinghouse (DCC) before 1.3.51 allows remote attackers to delete or add hosts in /var/dcc/maps. | 7.0 | CVE-2007-1047 OTHER-REF BID FRSIRT SECUNIA |
DJI -- NewsBin Pro | Multiple buffer overflows in NewsBin Pro 5.33 and NewsBin Pro 4.x allow user-assisted remote attackers to execute arbitrary code via a long (1) DataPath or (2) DownloadPath attribute in a (a) NBI file, or (3) a long group field in a (b) NZB file. | 8.0 | CVE-2007-1074 MILW0RM BID SECUNIA XF |
Ekiga -- Ekiga | Multiple format string vulnerabilities in the gm_main_window_flash_message function in Ekiga before 2.0.5 allow attackers to cause a denial of service and possibly execute arbitrary code via unknown vectors. | 10.0 | CVE-2007-1006 SECUNIA |
Ezboo -- Webstats | Ezboo webstats, possibly 3.0.3, allows remote attackers to bypass authentication and gain access via a direct request to (1) update.php and (2) config.php. | 7.0 | CVE-2007-1043 BUGTRAQ OTHER-REF BID XF |
FlashGameScript -- FlashGameScript | PHP remote file inclusion vulnerability in index.php in FlashGameScript 1.5.4 allows remote attackers to execute arbitrary PHP code via a URL in the func parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 10.0 | CVE-2007-1078 BID |
JBoss -- JBoss Application Server | The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests. | 10.0 | CVE-2007-1036 BUGTRAQ BUGTRAQ BUGTRAQ CERT-VN |
Jupiter CMS -- Jupiter CMS | PHP remote file inclusion vulnerability in index.php in Jupiter CMS 1.1.5, when PHP 5.0.0 or later is used, allows remote attackers to execute arbitrary PHP code via an ftp URL in the n parameter. | 8.0 | CVE-2007-0986 BUGTRAQ BUGTRAQ OTHER-REF OTHER-REF Milw0rm BID |
Jupiter CMS -- Jupiter CMS | Directory traversal vulnerability in index.php in Jupiter CMS 1.1.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot), or an absolute pathname, in the n parameter. | 7.0 | CVE-2007-0987 BUGTRAQ BUGTRAQ OTHER-REF OTHER-REF OTHER-REF BID |
mAlbum -- mAlbum | mAlbum 0.3 has default accounts (1) "login"/"pass" for its administrative account and (2) "dqsfg"/"sdfg", which allows remote attackers to gain privileges. | 10.0 | CVE-2007-1045 BUGTRAQ OTHER-REF XF |
Marcello Vitagliano -- Meganoide's News | PHP remote file inclusion vulnerability in include.php in Meganoide's news 1.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the _SERVER[DOCUMENT_ROOT] parameter. | 10.0 | CVE-2007-1024 BUGTRAQ BID XF |
McRefer -- McRefer | Static code injection vulnerability in install.php in mcRefer allows remote attackers to execute arbitrary PHP code via the bgcolor parameter, which is inserted into mcrconf.inc.php. | 10.0 | CVE-2007-1073 BUGTRAQ |
MediaWiki -- MediaWiki | Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.9.x before 1.9.0rc2, and 1.8.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the rs parameter. NOTE: this issue might be a duplicate of CVE-2007-0177. | 7.0 | CVE-2007-1055 BUGTRAQ OTHER-REF OTHER-REF |
Meetinghouse -- AEGIS SecureConnect Client Cisco -- Trust Agent Cisco -- Security Agent Cisco -- Secure Services Client | Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1, and the Meetinghouse AEGIS SecureConnect Client do not properly parse commands, which allows local users to gain privileges via unspecified vectors, aka CSCsh30624. | 7.0 | CVE-2007-1067 CISCO |
Microsoft -- Internet Explorer | Stack-based buffer overflow in News File Grabber 4.1.0.1 and earlier allows remote attackers to execute arbitrary code via a .nzb file with a long subject field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 8.0 | CVE-2007-1037 BID FRSIRT |
Online Web Building -- Online Web Building | SQL injection vulnerability in user_pages/page.asp in Online Web Building 2.0 allows remote attackers to execute arbitrary SQL commands via the art_id parameter. | 7.0 | CVE-2007-1058 MILW0RM FRSIRT SECUNIA |
PBLang -- PBLang | ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in PBLang (PBL) 4.60 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the dbpath parameter, a different vector than CVE-2006-5062. NOTE: this issue has been disputed by a reliable third party for 4.65, stating that the dbpath variable is initialized in an included file that is created upon installation. | 10.0 | CVE-2007-1052 BUGTRAQ VIM |
PHP-Nuke -- PHP-Nuke Emporium Module | SQL injection vulnerability in modules.php in the Emporium 2.3.0 and earlier module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the category_id parameter. | 7.0 | CVE-2007-1034 MILW0RM BID |
phpbb_wordsearch -- phpbb_wordsearch | PHP remote file inclusion vulnerability in admin_rebuild_search.php in phpbb_wordsearch allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | 7.0 | CVE-2007-1048 BUGTRAQ XF |
phpCC -- phpCC | SQL injection vulnerability in nickpage.php in phpCC 4.2 beta and earlier allows remote attackers to execute arbitrary SQL commands via the npid parameter in a sign_gb action. | 7.0 | CVE-2007-0985 Milw0rm BID |
phpTrafficA -- phpTrafficA | Multiple directory traversal vulnerabilities in phpTrafficA 1.4.1, and possibly earlier, allow remote attackers to include arbitrary local files via a .. (dot dot) in the (1) file parameter to plotStat.php and the (2) lang parameter to banref.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 7.0 | CVE-2007-1076 BID SECUNIA |
Quicksoft -- EasyMail Objects | Stack-based buffer overflow in the Connect method in the IMAP4 component in Quiksoft EasyMail Objects before 6.5 allows remote attackers to execute arbitrary code via a long host name. | 10.0 | CVE-2007-1029 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA XF |
Red Hat -- Red Hat Enterprise Linux AS Red Hat -- Red Hat Enterprise Linux ES Red Hat -- Red Hat Enterprise Linux WS Ekiga -- Ekiga Red Hat -- Red Hat Desktop | Format string vulnerability in GnomeMeeting 1.0.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in the name, which is not properly handled in a call to the gnomemeeting_log_insert function. | 10.0 | CVE-2007-1007 OTHER-REF REDHAT SECUNIA |
S&H Computer Systems -- News Rover | Multiple stack-based buffer overflows in S&H Computer Systems News Rover 12.1 Rev 1 allow remote attackers to execute arbitrary code via a .nzb file with a long (1) group or (2) subject string. | 8.0 | CVE-2007-1041 MILW0RM BID FRSIRT SECUNIA |
Sangwan Kim -- Bookmark4U | SQL injection vulnerability in admin/config.php in Bookmark4U 2.0 and 2.1 allows remote attackers to inject arbitrary SQL commands via the sqlcmd parameter. | 7.0 | CVE-2006-7025 FULLDISC VIM FRSIRT OSVDB SECUNIA XF |
ScriptDungeon -- XLAtunes | SQL injection vulnerability in view.php in XLAtunes 0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the album parameter in view mode. NOTE: some of these details are obtained from third party information. | 7.0 | CVE-2007-1026 MILW0RM BID FRSIRT |
Snitz Communications -- Snitz Forums 2000 | SQL injection vulnerability in pop_profile.asp in Snitz Forums 2000 3.1 SR4 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.0 | CVE-2007-1023 MILW0RM BID XF |
Snort -- Snort | Stack-based buffer overflow in the DCE/RPC preprocessor in Snort before 2.6.1.3, and 2.7 before beta 2; and Sourcefire Intrusion Sensor; allows remote attackers to execute arbitrary code via crafted SMB traffic. | 10.0 | CVE-2006-5276 ISS OTHER-REF CERT XF |
Symantec -- Automated Support Assistant Symantec -- Norton Internet Security SupportSoft -- SmartIssue Symantec -- Norton System Works Symantec -- Norton Antivirus SupportSoft -- ScriptRunner | Multiple buffer overflows in the SupportSoft (1) SmartIssue (tgctlsi.dll) and (2) ScriptRunner (tgctlsr.dll) ActiveX controls, as used by Symantec Automated Support Assistant and Norton AntiVirus, Internet Security, and System Works 2006, allow remote attackers to execute arbitrary code via a crafted HTML message. | 10.0 | CVE-2006-6490 IDEFENSE OTHER-REF CERT-VN |
Trend Micro -- Client/Server/Messaging Security Trend Micro -- OfficeScan Corporate Edition | Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment SetupINICtrl ActiveX control in OfficeScanSetupINI.dll, as used in OfficeScan 7.0 before Build 1344, OfficeScan 7.3 before Build 1241, and Client / Server / Messaging Security 3.0 before Build 1197, allow remote attackers to execute arbitrary code via a crafted HTML document. | 8.0 | CVE-2007-0325 OTHER-REF OTHER-REF CERT-VN BID FRSIRT SECTRACK SECUNIA |
Trend Micro -- ServerProtect | Multiple stack-based buffer overflows in Trend Micro ServerProtect for Windows and EMC 5.58, and for Network Appliance Filer 5.61 and 5.62, allow remote attackers to execute arbitrary code via crafted RPC requests to TmRpcSrv.dll that trigger overflows when calling the (1) CMON_NetTestConnection, (2) CMON_ActiveUpdate, and (3) CMON_ActiveRollback functions in (a) StCommon.dll, and (4) ENG_SetRealTimeScanConfigInfo and (5) ENG_SendEMail functions in (b) eng50.dll. | 10.0 | CVE-2007-1070 OTHER-REF OTHER-REF OTHER-REF OTHER-REF |
Turuncu Portal -- Turuncu Portal | SQL injection vulnerability in h_goster.asp in Turuncu Portal 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 7.0 | CVE-2007-1022 BID SECUNIA |
TYPO3 -- TYPO3 | The start function in class.t3lib_formmail.php in TYPO3 before 4.0.5, 4.1beta, and 4.1RC1 allows attackers to inject arbitrary email headers via unknown vectors. NOTE: some details were obtained from third party information. | 7.0 | CVE-2007-1081 OTHER-REF FRSIRT |
VicFTPS -- VicFTPS | Stack-based buffer overflow in VicFTPS before 5.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long CWD command. | 10.0 | CVE-2007-1014 MILW0RM OTHER-REF BID FRSIRT SECUNIA |
VirtualSystem -- Htaccess Passwort Generator | PHP remote file inclusion vulnerability in generate.php in VirtualSystem Htaccess Passwort Generator 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the ht_pfad parameter. | 10.0 | CVE-2007-1013 MILW0RM BID FRSIRT |
VirtualSystem -- VS-News-System | PHP remote file inclusion vulnerability in show_news_inc.php in VirtualSystem VS-News-System 1.2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the newsordner parameter. | 8.0 | CVE-2007-1017 MILW0RM BID SECUNIA XF |
VirtualSystem -- VS-News-System | PHP remote file inclusion vulnerability in tpl/header.php in VirtualSystem VS-News-System 1.2.1 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the newsordner parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 8.0 | CVE-2007-1018 SECUNIA |
VirtualSystem -- VS-Link-Partner | PHP remote file inclusion vulnerability in inc/functions_inc.php in VS-Link-Partner 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gb_pfad, or possibly script_pfad, parameter. | 7.0 | CVE-2007-1025 MILW0RM BID FRSIRT XF |
VMWare -- VMWare Workstation | VMware Workstation 5.5.3 build 34685 does not provide per-user restrictions on certain privileged actions, which allows local users to perform restricted operations such as changing system time, accessing hardware components, and stopping the "VMware tools service" service. NOTE: exploitation is simplified via (1) weak file permissions (Users = Read & Execute) for %PROGRAMFILES%\VMware; and weak registry key permissions (access by Users) for (2) vmmouse, (3) vmscsi, (4) VMTools, (5) vmx_svga, and (6) vmxnet in HKLM\SYSTEM\CurrentControlSet\Services\; which allows local users to perform various privileged actions outside of the guest OS by executing certain files under %PROGRAMFILES%\VMware\VMware Tools, as demonstrated by (a) VMControlPanel.cpl and (b) vmwareservice.exe. | 7.0 | CVE-2007-1056 BUGTRAQ |
VS-Gastebuch -- VS-Gastebuch | PHP remote file inclusion vulnerability in functions_inc.php in VS-Gastebuch 1.5.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the gb_pfad parameter. | 7.0 | CVE-2007-1011 OTHER-REF BID FRSIRT SECUNIA |
Warped Systems -- phpXmms | ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in phpXmms 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the tcmdp parameter to (1) phpxmmsb.php or (2) phpxmmst.php. NOTE: this issue has been disputed by a reliable third party, stating that the tcmdp variable is initialized by config.php. | 10.0 | CVE-2007-1053 BUGTRAQ VIM |
Xpression News -- Xpression News | Directory traversal vulnerability in archives.php in Xpression News (X-News) 1.0.1 allows remote attackers to include arbitrary files or obtain sensitive information via a .. (dot dot) in the xnews-template parameter. | 7.0 | CVE-2007-1040 MILW0RM BID FRSIRT SECUNIA XF |
Xpression News -- Xpression News | Directory traversal vulnerability in news.php in Xpression News (X-News) 1.0.1, when magic_quotes_gpc is disabled, allows remote attackers to include arbitrary files or obtain sensitive information via a .. (dot dot) in the xnews-template parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 8.0 | CVE-2007-1042 SECUNIA XF |

Medium Vulnerabilities

Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
---|---|---|---|
| | Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .mp3 files via unknown vectors. | 4.9 | CVE-2007-1035 OTHER-REF OTHER-REF BID FRSIRT XF |
Ansatheus -- AT Contenator | PHP remote file inclusion vulnerability in _admin/nav.php in AT Contenator 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the Root_To_Script parameter. | 4.8 | CVE-2007-0983 milw0rm XF |
Barry Jaspan -- Image Pager | Cross-site scripting (XSS) vulnerability in the Barry Jaspan Image Pager 4.7.x-1.x-dev and 5.x-1.x-dev before 2007-02-08 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to HTML entities and the IMG element. | 5.6 | CVE-2007-1028 OTHER-REF BID FRSIRT XF |
Clam Anti-Virus -- ClamAV | Directory traversal vulnerability in clamd in Clam AntiVirus ClamAV before 0.90 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the id MIME header parameter in a multi-part message. | 4.7 | CVE-2007-0898 IDEFENSE BID FRSIRT SECUNIA |
Comodo -- Comodo Firewall Pro | Comodo Firewall Pro (formerly Comodo Personal Firewall) 2.4.17.183 and earlier uses a weak cryptographic hashing function (CRC32) to identify trusted modules, which allows local users to bypass security protections by substituting modified modules that have the same CRC32 value. | 4.9 | CVE-2007-1051 BUGTRAQ FULLDISC OTHER-REF XF |
DeskPro -- DeskPro | Cross-site scripting (XSS) vulnerability in faq.php in DeskPRO 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the article parameter. | 5.6 | CVE-2007-1012 BUGTRAQ XF |
Drupal -- Secure Site module | Unspecified vulnerability in the Secure site 4.7.x-1.x-dev and 5.x-1.x-dev module for Drupal allows remote attackers to bypass access restrictions via a crafted URL. | 5.6 | CVE-2007-1033 OTHER-REF FRSIRT XF |
Francisco Burzi -- PHP-Nuke | SQL injection vulnerability in index.php in Francisco Burzi PHP-Nuke 8.0 Final and earlier, when the "HTTP Referers" block is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header (HTTP_REFERER variable). | 5.6 | CVE-2007-1061 MILW0RM FRSIRT SECUNIA |
Interspire -- SendStudio | Multiple PHP remote file inclusion vulnerabilities in Interspire SendStudio 2004.14 and earlier, when register_globals and allow_fopenurl are enabled, allow remote attackers to execute arbitrary PHP code via a URL in the ROOTDIR parameter to (1) createemails.inc.php and (2) send_emails.inc.php in /admin/includes/. | 5.6 | CVE-2007-1060 MILW0RM OTHER-REF FRSIRT SECUNIA |
MediaWiki -- MediaWiki | Cross-site scripting (XSS) vulnerability in the AJAX features in index.php in MediaWiki 1.6.x through 1.9.2, when $wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded value of the rs parameter, which is processed by Internet Explorer. | 5.6 | CVE-2007-1054 BUGTRAQ OTHER-REF OTHER-REF VIM |
Meetinghouse -- AEGIS SecureConnect Client Cisco -- Trust Agent Cisco -- Security Agent Cisco -- Secure Services Client | Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1, and the Meetinghouse AEGIS SecureConnect Client do not drop privileges when the help facility in the supplicant GUI is invoked, which allows local users to gain privileges, aka CSCsf14120. | 4.2 | CVE-2007-1064 CISCO |
Meetinghouse -- AEGIS SecureConnect Client Cisco -- Trust Agent Cisco -- Security Agent Cisco -- Secure Services Client | Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1, and the Meetinghouse AEGIS SecureConnect Client allow local users to gain SYSTEM privileges via unspecified vectors in the supplicant, aka CSCsf15836. | 4.2 | CVE-2007-1065 CISCO |
Meetinghouse -- AEGIS SecureConnect Client Cisco -- Trust Agent Cisco -- Security Agent Cisco -- Secure Services Client | Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1, and the Meetinghouse AEGIS SecureConnect Client use an insecure default Discretionary Access Control Lists (DACL) for the connection client GUI, which allows local users to gain privileges by injecting "a thread under ConnectionClient.exe," aka CSCsg20558. | 4.2 | CVE-2007-1066 CISCO |
Meetinghouse -- AEGIS SecureConnect Client Cisco -- Trust Agent Cisco -- Security Agent Cisco -- Secure Services Client | The (1) TTLS CHAP, (2) TTLS MSCHAP, (3) TTLS MSCHAPv2, (4) TTLS PAP, (5) MD5, (6) GTC, (7) LEAP, (8) PEAP MSCHAPv2, (9) PEAP GTC, and (10) FAST authentication methods in Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1, and the Meetinghouse AEGIS SecureConnect Client store transmitted authentication credentials in plaintext log files, which allows local users to obtain sensitive information by reading these files, aka CSCsg34423. | 4.2 | CVE-2007-1068 CISCO |
Microsoft -- Windows Server 2003 Microsoft -- Windows Vista Microsoft -- Windows XP | The ReadDirectoryChangesW API function on Microsoft Windows 2000, XP, 2003, and Vista does not check permissions for child objects, which allows local users to bypass permissions by opening a directory with LIST (READ) access and using ReadDirectoryChangesW to monitor changes of files that do not have LIST permissions, which can be leveraged to determine filenames, access times, and other sensitive information. | 4.9 | CVE-2007-0843 BUGTRAQ BUGTRAQ OTHER-REF BID |
Mozilla -- Firefox | Firefox does not prompt users before saving bookmarklets, which allows remote attackers to bypass the same-domain policy by tricking a user into saving a bookmarklet with a data: scheme, which is executed in the context of the last visited web page. | 5.6 | CVE-2007-1084 BUGTRAQ BUGTRAQ BUGTRAQ OTHER-REF OTHER-REF BID |
Nortel -- Net Direct client | The Net Direct client for Linux before 6.0.5 in Nortel Application Switch 2424, VPN 3050 and 3070, and SSL VPN Module 1000 extracts and executes files with insecure permissions, which allows local users to exploit a race condition to replace a world-writable file in /tmp/NetClient and cause another user to execute arbitrary code when attempting to execute this client, as demonstrated by replacing /tmp/NetClient/client. | 5.6 | CVE-2007-1057 OTHER-REF OTHER-REF OTHER-REF SECUNIA |
PeanutKB -- Peanut Knowledge Base | Unspecified vulnerability in Peanut Knowledge Base (PeanutKB) 0.0.3 and earlier has unknown impact and attack vectors. | 4.9 | CVE-2007-1039 OTHER-REF FRSIRT |
phpMyFAQ -- phpMyFAQ | Unspecified vulnerability in phpMyFAQ before 1.6.9, when register_globals is enabled, allows remote attackers to "gain the privilege for uploading files on the server." | 5.6 | CVE-2007-1032 OTHER-REF SECUNIA |
Ultimate Fun Book -- Ultimate Fun Book | PHP remote file inclusion vulnerability in function.php in Ultimate Fun Book 1.02 allows remote attackers to execute arbitrary PHP code via a URL in the gbpfad parameter. NOTE: some sources mention "Ultimate Fun Board," but this appears to be an error. | 5.6 | CVE-2007-1059 MILW0RM BID FRSIRT SECUNIA |
Verisign -- MPKI | Buffer overflow in the Verisign Managed PKI Service Configuration Checker (ConfigChk) ActiveX control in VSCnfChk.dll 2.0.0.2 allows remote attackers to execute arbitrary code via long arguments to the VerCompare method. | 5.6 | CVE-2007-1083 IDEFENSE OTHER-REF OTHER-REF OTHER-REF CERT-VN BID |
Vivvo -- Article Manager CMS | Directory traversal vulnerability in include/db_conn.php in SpoonLabs Vivvo Article Management CMS 3.4 allows remote attackers to include and execute arbitrary local files via the root parameter. | 5.6 | CVE-2007-1031 MILW0RM BID XF |
webSPELL -- webSPELL | SQL injection vulnerability in news.php in webSPELL 4.01.02, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands via the showonly parameter to index.php, a different vector than CVE-2006-5388. | 5.6 | CVE-2007-1019 MILW0RM BID SECUNIA XF |
ZebraFeeds -- ZebraFeeds | Multiple PHP remote file inclusion vulnerabilities in ZebraFeeds 1.0, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the zf_path parameter to (1) aggregator.php and (2) controller.php in newsfeeds/includes/. | 5.6 | CVE-2007-1010 MILW0RM OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF |

Low Vulnerabilities

Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
---|---|---|---|
Apache -- SpamAssassin | Unspecified vulnerability in Apache SpamAssassin before 3.1.8 allows remote attackers to cause an unspecified denial of service via long URLs in an email. | 3.3 | CVE-2007-0451 OTHER-REF FEDORA FEDORA FRSIRT BID SECUNIA SECUNIA |
Apple -- iTunes | Apple iTunes 7.0.2 allows user-assisted remote attackers to cause a denial of service (application crash) via a crafted XML list of radio stations, which results in memory corruption. NOTE: iTunes retrieves the XML document from a static URL, which requires an attacker to perform DNS spoofing or man-in-the-middle attacks for exploitation. | 1.9 | CVE-2007-1008 BUGTRAQ BID |
Clam Anti-Virus -- ClamAV | Clam AntiVirus ClamAV before 0.90 does not close open file descriptors under certain conditions, which allows remote attackers to cause a denial of service (file descriptor consumption and failed scans) via CAB archives with a cabinet header record length of zero, which causes a function to return without closing a file descriptor. | 2.3 | CVE-2007-0897 IDEFENSE BID FRSIRT SECUNIA |
Dem_trac -- Dem_trac | Dem_trac allows remote attackers to read log file contents via a direct request for /anc_sit.txt. | 2.3 | CVE-2007-1046 BUGTRAQ OTHER-REF XF |
FTPx -- FTP Explorer | FTP Explorer 1.0.1 Build 047 allows remote servers to cause a denial of service (CPU consumption) via a long response to a PWD command. | 2.3 | CVE-2007-1082 MILW0RM BID XF |
GNUCash -- GNUCash | gnucash 2.0.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) gnucash.trace, (2) qof.trace, and (3) qof.trace.[PID] temporary files. | 3.3 | CVE-2007-0007 OTHER-REF SECUNIA |
IBM -- DB2 | Certain setuid DB2 binaries in IBM DB2 before 9 Fix Pack 2 for Linux and Unix allow local users to overwrite arbitrary files via a symlink attack on the DB2DIAG.LOG temporary file. | 2.3 | CVE-2007-1027 AIXAPAR FRSIRT SECUNIA |
Linux -- Kernel | The Linux kernel before 2.6.20.1 allows remote attackers to cause a denial of service (oops) via a crafted NFSACL 2 ACCESS request that triggers a free of an incorrect pointer. | 2.3 | CVE-2007-0772 OTHER-REF FRSIRT SECUNIA |
Mozilla -- Firefox | Mozilla Firefox might allow remote attackers to conduct spoofing and phishing attacks by writing to an about:blank tab and overlaying the location bar. | 1.9 | CVE-2007-1004 BUGTRAQ BUGTRAQ BID |
Niels Provos -- libevent | Niels Provos libevent 1.2 and 1.2a allows remote attackers to cause a denial of service (infinite loop) via a DNS response containing a label pointer that references its own offset. | 3.3 | CVE-2007-1030 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA |
Pearson Education -- Powerschool | Pearson Education PowerSchool 4.3.6 allows remote attackers to list the contents of the admin folder via a URI composed of the admin/ directory name and an arbitrary filename ending in ".js." | 2.3 | CVE-2007-1044 BUGTRAQ BID |
Red Hat -- Red Hat Enterprise Linux ES Red Hat -- Red Hat Enterprise Linux AS Red Hat -- Red Hat Enterprise Linux WS | The zend_hash_init function in PHP, when running on a 64-bit platform, allows user-assisted remote attackers to cause a denial of service (resource consumption) by unserializing crafted data, which causes an infinite loop. | 1.9 | CVE-2007-0988 OTHER-REF OTHER-REF REDHAT SECUNIA |
RhinoSoft -- FTP Voyager | Stack-based buffer overflow in Rhino Software, Inc. FTP Voyager 14.0.0.3 and earlier allows remote servers to cause a denial of service (crash) via a long response to a CWD command, which triggers the overflow when the user aborts the command. | 3.3 | CVE-2007-1079 MILW0RM BID XF |
Shemes.com -- Grabit | Shemes.com Grabit 1.5.3, and possibly earlier, allows remote attackers to cause a denial of service (application crash) via a .nzb file with a subject field containing ';' (semicolon) characters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2.3 | CVE-2007-1038 BID FRSIRT |
TaskFreak! -- TaskFreak! | Cross-site scripting (XSS) vulnerability in error.php in TaskFreak! 0.5.5 allows remote attackers to inject arbitrary web script or HTML via the tznMessage parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 1.9 | CVE-2007-0982 BID SECUNIA |
TurboSoft -- TurboFTP | TurboFTP 5.30 Build 572 allows remote servers to cause a denial of service (CPU consumption) via a response with a large number of newline characters. | 3.3 | CVE-2007-1075 MILW0RM BID |
TurboSoft -- TurboFTP | Multiple heap-based buffer overflows in TurboFTP 5.30 Build 572 allow remote servers to cause a denial of service via (1) long filename in a response to a LIST command, and (2) a long response to a CWD command. | 3.3 | CVE-2007-1080 MILW0RM BID |
WordPress -- WordPress | Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable. | 1.9 | CVE-2007-1049 OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID |