Vulnerability Summary for the Week of September 3, 2007
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.

High Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| 212cafe -- 212cafeboard | SQL injection vulnerability in read.php in 212cafeBoard 6.30 Beta allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 | CVE-2007-4719 BUGTRAQ |
| CartKeeper -- CKGold Shopping Cart | SQL injection vulnerability in category.php in CartKeeper CKGold Shopping Cart 2.0 allows remote attackers to execute arbitrary SQL commands via the category_id parameter. | 7.5 | CVE-2007-4736 MILW0RM |
| Cisco -- Call Manager; Cisco -- Unified Communications Manager | Multiple SQL injection vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3.3(5)sr2b, 4.1 before 4.1(3)sr5, 4.2 before 4.2(3)sr2, and 4.3 before 4.3(1)sr1 allow remote attackers to execute arbitrary SQL commands via the lang variable to the (1) user or (2) admin logon page, aka CSCsi64265. | 9.3 | CVE-2007-4634 CISCO BID SECTRACK SECUNIA |
| Cisco -- Video Surveillance SP_ISP Decoder Software; Cisco -- Video Surveillance IP Gateway Encoder_Decoder; Cisco -- Video Surveillance SP_ISP | The Cisco Video Surveillance IP Gateway Encoder/Decoder (Standalone and Module) firmware 1.8.1 and earlier, Video Surveillance SP/ISP Decoder Software firmware 1.11.0 and earlier, and the Video Surveillance SP/ISP firmware 1.23.7 and earlier have default passwords for the sypixx and root user accounts, which allows remote attackers to perform administrative actions, aka CSCsj34681. | 9.0 | CVE-2007-4746 CISCO BID FRSIRT SECTRACK SECUNIA XF |
| Cisco -- Video Surveillance SP_ISP Decoder Software; Cisco -- Video Surveillance IP Gateway Encoder_Decoder; Cisco -- Video Surveillance SP_ISP | The telnet service in Cisco Video Surveillance IP Gateway Encoder/Decoder (Standalone and Module) firmware 1.8.1 and earlier, Video Surveillance SP/ISP Decoder Software firmware 1.11.0 and earlier, and the Video Surveillance SP/ISP firmware 1.23.7 and earlier does not require authentication, which allows remote attackers to perform administrative actions, aka CSCsj31729. | 10.0 | CVE-2007-4747 CISCO BID FRSIRT SECTRACK SECUNIA XF |
| Claroline -- Claroline | Directory traversal vulnerability in inc/lib/language.lib.php in Claroline before 1.8.6 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter. | 7.5 | CVE-2007-4718 OTHER-REF OTHER-REF BID FRSIRT SECUNIA |
| Doomsday -- Doomsday | Multiple buffer overflows in Doomsday (aka deng) 1.9.0-beta5.1 and earlier allow remote attackers to execute arbitrary code via a long chat (PKT_CHAT) message that is not properly handled by the (1) D_NetPlayerEvent function in d_net.c or the (2) Msg_Write function in net_msg.c, or (3) many commands that are not properly handled by the NetSv_ReadCommands function in d_netsv.c; or (4) cause a denial of service (daemon crash) via a chat (PKT_CHAT) message without a final '\0' character. | 10.0 | CVE-2007-4642 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA |
| Doomsday -- Doomsday | Format string vulnerability in the Cl_GetPackets function in cl_main.c in the client in Doomsday (aka deng) 1.9.0-beta5.1 and earlier allows remote Doomsday servers to execute arbitrary code via format string specifiers in a PSV_CONSOLE_TEXT message. | 7.5 | CVE-2007-4644 BUGTRAQ OTHER-REF BID SECUNIA |
| eNetman -- eNetman | PHP remote file inclusion vulnerability in index.php in eNetman 1 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. | 7.5 | CVE-2007-4712 MILW0RM SECUNIA |
| Firebird Project -- Firebird | Unspecified vulnerability in the (1) attach database and (2) create database functionality in Firebird before 2.0.2, when a filename exceeds MAX_PATH_LEN, has unknown impact and attack vectors, aka CORE-1405. | 7.5 | CVE-2007-4664 OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF |
| GForge -- GForge | SQL injection vulnerability in Gforge before 3.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 | CVE-2007-3913 |
| GNU -- tar | Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack." | 7.5 | CVE-2007-4476 SUSE SECUNIA |
| Hexamail -- Hexamail Server | Buffer overflow in the pop3 service in Hexamail Server 3.0.0.001 Lite allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long USER command. | 10.0 | CVE-2007-4646 MILW0RM |
| Hitachi -- JP1_Cm2_Network Node Manager | Unspecified vulnerability in the Shared Trace Service in Hitachi JP1/Cm2/Network Node Manager (NNM) 07-10 through 07-10-05, and NNM Starter Edition Enterprise and 250 08-00 through 08-10, allows remote attackers to execute arbitrary code via unspecified vectors. | 9.3 | CVE-2007-4720 OTHER-REF BID FRSIRT SECUNIA XF |
| Intuit -- Quickbooks | Multiple stack-based buffer overflows in the Intuit QuickBooks Online Edition ActiveX control before 10 allow remote attackers to execute arbitrary code via unspecified vectors. | 9.3 | CVE-2007-0322 CERT-VN |
| Intuit -- Quickbooks | Multiple unspecified vulnerabilities in the Intuit QuickBooks Online Edition ActiveX control before 10 allow remote attackers to create or overwrite arbitrary files via unspecified arguments to the (1) httpGETToFile, (2) httpPOSTFromFile, and possibly other methods, probably involving path traversal vulnerabilities in exposed dangerous methods. NOTE: this can be leveraged for code execution by writing to a Startup folder. | 9.3 | CVE-2007-4471 CERT-VN |
| Microsoft -- MSN Messenger Service; Microsoft -- Windows Live Messenger | Heap-based buffer overflow in Microsoft MSN Messenger 7.x and Live Messenger before 8.1 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors involving video conversation handling in Web Cam sessions. | 9.3 | CVE-2007-2931 OTHER-REF BID FRSIRT SECUNIA |
| MicroWorld Technologies -- eScan Anti-Virus; MicroWorld Technologies -- eScan Internet Security; MicroWorld Technologies -- eScan Virus Control | MicroWorld eScan Virus Control 9.0.722.1, Anti-Virus 9.0.722.1, and Internet Security 9.0.722.1 use weak permissions (Everyone:Full Control) for their installation directory trees, which allows local users to gain privileges by replacing application files, as demonstrated by traysser.exe. | 7.2 | CVE-2007-4649 FULLDISC BID SECUNIA XF |
| MIT -- Kerberos 5 | Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message. | 10.0 | CVE-2007-3999 OTHER-REF OTHER-REF REDHAT |
| MIT -- Kerberos 5 | The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer. | 8.5 | CVE-2007-4000 OTHER-REF OTHER-REF REDHAT |
| MIT -- Kerberos 5 | The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack. | 10.0 | CVE-2007-4743 OTHER-REF |
| Next Generation Software -- Virtual DJ (VDJ) | Buffer overflow in Next Generation Software Virtual DJ (VDJ) 5.0 allows user-assisted remote attackers to execute arbitrary code via a long file path in an m3u file. | 9.3 | CVE-2007-4735 MILW0RM BID BID FRSIRT SECUNIA |
| Norman -- Norman Virus Control | The nvcoaft51 driver in Norman Virus Control (NVC) 5.82 uses weak permissions (unrestricted write access) for the NvcOa device, which allows local users to gain privileges by (1) triggering a buffer overflow in a kernel pool via a string argument to ioctl 0xBF67201C; or by (2) sending a crafted KEVENT structure through ioctl 0xBF672028 to overwrite arbitrary memory locations. | 7.2 | CVE-2007-4648 BUGTRAQ OTHER-REF |
| Novell -- Novell client | Multiple stack-based buffer overflows in the Spooler service (nwspool.dll) in Novell Client 4.91 SP2 through SP4 for Windows allow remote attackers to execute arbitrary code via certain long arguments to the (1) RpcAddPrinterDriver, (2) RpcGetPrinterDriverDirectory, and other unspecified RPC requests, a different vulnerability than CVE-2006-5854. | 9.3 | CVE-2007-2954 OTHER-REF OTHER-REF BID FRSIRT SECTRACK SECUNIA |
| PHD -- Help Desk | Multiple SQL injection vulnerabilities in PHD Help Desk before 1.31 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 | CVE-2007-4716 OTHER-REF OTHER-REF OTHER-REF BID FRSIRT SECUNIA |
| PHP -- PHP | Multiple integer overflows in libgd in PHP before 5.2.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large (1) srcW or (2) srcH value to the (a) gdImageCopyResized function, or a large (3) sy (height) or (4) sx (width) value to the (b) gdImageCreate or the (c) gdImageCreateTrueColor function. | 7.5 | CVE-2007-3996 OTHER-REF OTHER-REF OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | The (1) MySQL and (2) MySQLi extensions in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to bypass safe_mode and open_basedir restrictions via MySQL LOCAL INFILE operations, as demonstrated by a query with LOAD DATA LOCAL INFILE. | 7.5 | CVE-2007-3997 OTHER-REF OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | PHP before 5.2.4 might allow local users to bypass open_basedir restrictions via a session file that is a symlink. | 7.5 | CVE-2007-4652 OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to obtain sensitive information (memory contents) or cause a denial of service (thread crash) via a large len value to the (1) strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE: this affects different product versions than CVE-2007-3996. | 7.5 | CVE-2007-4657 OTHER-REF OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | The money_format function in PHP before 5.2.4 permits multiple (1) %i and (2) %n tokens, which has unknown impact and attack vectors, possibly related to a format string vulnerability. | 7.5 | CVE-2007-4658 OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | The zend_alter_ini_entry function in PHP before 5.2.4 does not properly handle an interruption to the flow of execution triggered by a memory_limit violation, which has unknown impact and attack vectors. | 7.5 | CVE-2007-4659 OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | Unspecified vulnerability in the chunk_split function in PHP before 5.2.4 has unknown impact and attack vectors, related to an incorrect size calculation. | 7.5 | CVE-2007-4660 OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | The chunk_split function in string.c in PHP 5.2.3 does not properly calculate the needed buffer size due to precision loss when performing integer arithmetic with floating point numbers, which has unknown attack vectors and impact, possibly resulting in a heap-based buffer overflow. NOTE: this is due to an incomplete fix for CVE-2007-2872. | 7.5 | CVE-2007-4661 OTHER-REF OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4 has unknown impact and attack vectors. | 7.5 | CVE-2007-4662 OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | Directory traversal vulnerability in PHP before 5.2.4 allows attackers to bypass open_basedir restrictions via unspecified vectors involving the glob function. | 7.5 | CVE-2007-4663 OTHER-REF OTHER-REF SECUNIA |
| phpBB -- phpBB | SQL injection vulnerability in links.php in the Links MOD 1.2.2 and earlier for phpBB 2.0.22 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter in a search action. | 7.5 | CVE-2007-4653 MILW0RM |
| phpBG -- phpBG | Multiple PHP remote file inclusion vulnerabilities in phpBG 0.9.1 allow remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter to (1) intern/admin/other/backup.php, (2) intern/admin/, (3) intern/clan/member_add.php, (4) intern/config/key_2.php, or (5) intern/config/forum.php. | 7.5 | CVE-2007-4636 MILW0RM |
| SpeedTech -- STPHPLibrary | Multiple PHP remote file inclusion vulnerabilities in SpeedTech PHP Library (STPHPLibrary) 0.8.0 allow remote attackers to execute arbitrary PHP code via a URL in the STPHPLIB_DIR parameter to (1) stphpapplication.php, (2) stphpbtnimage.php, or (3) stphpform.php. | 7.5 | CVE-2007-4737 MILW0RM SECUNIA |
| SpeedTech -- STPHPLibrary | Multiple PHP remote file inclusion vulnerabilities in SpeedTech PHP Library (STPHPLibrary) 0.8.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) db_conf or (2) ADODB_DIR parameter to utils/stphpimage_show.php; or a URL in the STPHPLIB_DIR parameter to (3) stphpbutton.php, (4) stphpcheckbox.php, (5) stphpcheckboxwithcaption.php, (6) stphpcheckgroup.php, (7) stphpcomponent.php, (8) stphpcontrolwithcaption.php, (9) stphpedit.php, (10) stphpeditwithcaption.php, (11) stphphr.php, (12) stphpimage.php, (13) stphpimagewithcaption.php, (14) stphplabel.php, (15) stphplistbox.php, (16) stphplistboxwithcaption.php, (17) stphplocale.php, (18) stphppanel.php, (19) stphpradiobutton.php, (20) stphpradiobuttonwithcaption.php, (21) stphpradiogroup.php, (22) stphprichbutton.php, (23) stphpspacer.php, (24) stphptable.php, (25) stphptablecell.php, (26) stphptablerow.php, (27) stphptabpanel.php, (28) stphptabtitle.php, (29) stphptextarea.php, (30) stphptextareawithcaption.php, (31) stphptoolbar.php, (32) stphpwindow.php, (33) stphpxmldoc.php, or (34) stphpxmlelement.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 7.5 | CVE-2007-4738 SECUNIA |
| SuSE -- SuSE Linux Enterprise Server | Unspecified vulnerability in the NFSv4 ID mapper (nfsidmap) on SUSE Linux Enterprise 10 has unspecified attack vectors and impact, involving the name to uid translation in NFSv4 name lookups. | 7.5 | CVE-2007-4135 SUSE SECUNIA |
| Telecom Italy -- Alice Messenger | The HPRevolutionRegistryManager ActiveX control in Hp.Revolution.RegistryManager.dll 1 in Telecom Italy Alice Messenger allows remote attackers to create registry keys and values via the arguments to the WriteRegistry method. | 9.3 | CVE-2007-4740 BUGTRAQ OTHER-REF SECTRACK |
| Weblogicnet -- Weblogicnet | Multiple PHP remote file inclusion vulnerabilities in Weblogicnet allow remote attackers to execute arbitrary PHP code via a URL in the files_dir parameter in (1) es_desp.php, (2) es_custom_menu.php, and (3) es_offer.php. | 7.5 | CVE-2007-4715 BUGTRAQ MILW0RM OTHER-REF BID |
| Yahoo -- Messenger | Buffer overflow in a certain ActiveX control in YVerInfo.dll before 2007.8.27.1 in the Yahoo! services suite for Yahoo! Messenger before 8.1.0.419 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: some of these details are obtained from third party information. | 9.3 | CVE-2007-4515 IDEFENSE OTHER-REF SECUNIA |
| Yvora -- Yvora | SQL injection vulnerability in error_view.php in Yvora 1.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. | 7.5 | CVE-2007-4714 MILW0RM BID |

Medium Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| 2coolcode -- Our Space | newswire/uploadmedia.cgi in 2coolcode Our Space (Ourspace) 2.0.9 allows remote attackers to upload certain files via unspecified vectors, probably involving unrestricted functionality in uploadmedia.cgi. | 5.0 | CVE-2007-4647 MILW0RM |
| AnyInventory -- AnyInventory | PHP remote file inclusion vulnerability in environment.php in AnyInventory 1.9.1 and 2.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the DIR_PREFIX parameter. | 6.8 | CVE-2007-4744 MILW0RM BID SECUNIA XF |
| Apache Software Foundation -- Apache HTTP Server; Jasio.net -- Ragnarok Online Control Panel | Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a URI that ends with the name of a publicly available page, as demonstrated by a "/...../" sequence and an account_manage.php/login.php final component for reaching the protected account_manage.php page. | 6.8 | CVE-2007-4723 BUGTRAQ |
| Apache Software Foundation -- Tomcat | Cross-site request forgery (CSRF) vulnerability in cal2.jsp in the calendar examples application in Apache Tomcat 4.1.31 allows remote attackers to add events as arbitrary users via the time and description parameters. | 4.3 | CVE-2007-4724 BUGTRAQ |
| Apple -- iTunes | Buffer overflow in Apple iTunes before 7.4 allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via a music file with crafted album cover art. | 6.8 | CVE-2007-3752 OTHER-REF SECUNIA SECUNIA |
| Aztech -- DSL 600EU router | The Aztech DSL600EU router, when WAN access to the web interface is disabled, does not properly block inbound traffic on TCP port 80, which allows remote attackers to connect to the web interface by guessing a TCP sequence number, possibly involving spoofing of an ARP packet, a related issue to CVE-1999-0077. | 4.3 | CVE-2007-4733 BUGTRAQ SECTRACK |
| Bharat Mediratta -- Gallery | Multiple unspecified vulnerabilities in Gallery before 2.2.3 allow attackers to (1) rename items, (2) read and modify item properties, or (3) lock and replace items via unknown vectors in (a) the WebDAV module; and (4) edit unspecified data files using "linked items" in WebDAV and (b) Reupload modules. | 6.4 | CVE-2007-4650 OTHER-REF |
| Blizzard Entertainment -- Starcraft Brood War | Blizzard Entertainment StarCraft Brood War 1.15.1 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed map, which triggers an out-of-bounds read during a minimap preview. | 4.3 | CVE-2007-4638 BUGTRAQ BID |
| Broderbund -- Expressit 3DGreetings Player | Multiple buffer overflows in the Broderbund Expressit 3DGreetings Player ActiveX control could allow remote attackers to execute arbitrary code via unspecified vectors. | 6.8 | CVE-2007-4472 CERT-VN SECUNIA |
| CGI-RESCUE -- Shopping Basket Professional | Multiple directory traversal vulnerabilities in CGI RESCUE Shopping Basket Professional 7.51 and earlier allow remote attackers to list arbitrary directories, and possibly read arbitrary files, via directory traversal sequences in unspecified parameters to (1) list.cgi or (2) list2.cgi. | 5.0 | CVE-2007-4655 OTHER-REF SECUNIA |
| Cisco -- Cisco IOS | Cisco IOS 12.2E, 12.2F, and 12.2S places a "no login" line into the VTY configuration when an administrator makes certain changes to a (1) VTY/AUX or (2) CONSOLE setting on a device without AAA enabled, which allows remote attackers to bypass authentication and obtain a terminal session, a different vulnerability than CVE-1999-0293 and CVE-2005-2105. | 4.3 | CVE-2007-4632 CISCO BID |
| Cisco -- Call Manager; Cisco -- Unified Communications Manager | Multiple cross-site scripting (XSS) vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3.3(5)sr2b, 4.1 before 4.1(3)sr5, 4.2 before 4.2(3)sr2, and 4.3 before 4.3(1)sr1 allow remote attackers to inject arbitrary web script or HTML via the lang variable to the (1) user or (2) admin logon page, aka CSCsi10728. | 6.4 | CVE-2007-4633 CISCO BID SECTRACK SECUNIA |
| Cisco -- WebNS; TeamF1 -- SSHield; OpenBSD -- OpenSSH | Unspecified vulnerability in SSHield 1.6.1 with OpenSSH 3.0.2p1 on Cisco WebNS 8.20.0.1 on Cisco Content Services Switch (CSS) series 11000 devices allows remote attackers to cause a denial of service (connection slot exhaustion and device crash) via a series of large packets designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144), possibly a related issue to CVE-2002-1024. | 5.0 | CVE-2007-4654 BUGTRAQ |
| Claroline -- Claroline | Claroline before 1.8.6 allows remote authenticated administrators to obtain sensitive information via an invalid value in the sort parameter to admin/adminusers.php, which reveals the path in an error message in some circumstances, as demonstrated by a parameter value containing an XSS sequence. | 4.3 | CVE-2007-4742 OTHER-REF OTHER-REF |
| Debian -- reprepro | reprepro 1.3.0 through 2.2.3 does not properly verify signatures when updating repositories, which allows remote attackers to construct and distribute an ostensibly valid Release.gpg file by signing it with an unknown key, related to the update command. | 5.0 | CVE-2007-4739 OTHER-REF OTHER-REF OTHER-REF SECUNIA |
| Doomsday -- Doomsday | Integer underflow in Doomsday (aka deng) 1.9.0-beta5.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via a PKT_CHAT packet with a data length less than 3, which triggers an erroneous malloc, possibly related to the Sv_HandlePacket function in sv_main.c. | 5.0 | CVE-2007-4643 BUGTRAQ OTHER-REF BID SECUNIA |
| EnterpriseDB -- EnterpriseDB Advanced Server | EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer. | 6.5 | CVE-2007-4639 BUGTRAQ BID |
| Firebird Project -- Firebird | Unspecified vulnerability in the server in Firebird before 2.0.2 allows remote attackers to cause a denial of service (daemon crash) via an XNET session that makes multiple simultaneous requests to register events, aka CORE-1403. | 5.0 | CVE-2007-4665 OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF |
| Firebird Project -- Firebird | Unspecified vulnerability in the server in Firebird before 2.0.2, when a Superserver/TCP/IP environment is configured, allows remote attackers to cause a denial of service (CPU and memory consumption) via "large network packets with garbage", aka CORE-1397. | 5.0 | CVE-2007-4666 OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF |
| Firebird Project -- Firebird | Unspecified vulnerability in the Services API in Firebird before 2.0.2 allows remote attackers to cause a denial of service, aka CORE-1149. | 5.0 | CVE-2007-4667 OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF |
| Firebird Project -- Firebird | Unspecified vulnerability in the server in Firebird before 2.0.2 allows remote attackers to determine the existence of arbitrary files, and possibly obtain other "file access," via unknown vectors, aka CORE-1312. | 5.0 | CVE-2007-4668 OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID FRSIRT |
| Firebird Project -- Firebird | The Services API in Firebird before 2.0.2 allows remote authenticated users without SYSDBA privileges to read the server log (firebird.log), aka CORE-1148. | 4.0 | CVE-2007-4669 OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID |
| Igor Pavlov -- 7-Zip | Stack consumption vulnerability in AkkyWareHOUSE 7-zip32.dll before 4.42.00.04, as derived from Igor Pavlov 7-Zip before 4.53 beta, allows user-assisted remote attackers to execute arbitrary code via a long filename in an archive, leading to a heap-based buffer overflow. | 6.8 | CVE-2007-4725 OTHER-REF OTHER-REF OTHER-REF SECUNIA |
| Joomla -- AkoBook; Mambo -- Mambo Site Server | Multiple cross-site scripting (XSS) vulnerabilities in the AkoBook 3.42 and earlier component (com_akobook) for Mambo allow remote attackers to inject arbitrary web script or HTML via Javascript events in the (1) gbmail and (2) gbpage parameters in the sign function. | 4.3 | CVE-2007-4745 OTHER-REF SECUNIA |
| Move Networks Inc -- Quantum Streaming Player | Multiple stack-based buffer overflows in the Quantum Streaming Internet Explorer Player ActiveX control in qsp2ie07051001.dll 1.0.0.1 in Move Media Player allow remote attackers to execute arbitrary code via a long string to the (1) Play and (2) Buzzer methods. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 6.8 | CVE-2007-4722 SECUNIA |
| NMDeluxe -- NMDeluxe | SQL injection vulnerability in index.php in NMDeluxe 2.0.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a newspost do action, a different vulnerability than CVE-2006-1108. | 6.4 | CVE-2007-4645 MILW0RM |
| Ots Labs -- OTSTurntables | Buffer overflow in Ots Labs OTSTurntables 1.00 allows user-assisted remote attackers to execute arbitrary code via a long file path in an m3u file. | 4.3 | CVE-2007-4734 MILW0RM BID SECUNIA |
| Pakupaku -- Pakupaku CMS | Unrestricted file upload vulnerability in index.php in Pakupaku CMS 0.4 and earlier allows remote attackers to upload and execute arbitrary PHP files in uploads/ via an Uploads action. | 6.4 | CVE-2007-4640 MILW0RM SECUNIA |
| Pakupaku -- Pakupaku CMS | Directory traversal vulnerability in index.php in Pakupaku CMS 0.4 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter, as demonstrated by injecting code into an Apache log file. | 6.4 | CVE-2007-4641 MILW0RM SECUNIA |
| PHP -- PHP | The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not properly use the breakcharlen variable, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash, or infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""' argument set. | 5.0 | CVE-2007-3998 OTHER-REF OTHER-REF OTHER-REF SECUNIA |
| PHP -- PHP | Unspecified vulnerability in PHP before 5.2.4 has unknown impact and attack vectors, related to an "Improved fix for MOPB-03-2007," probably a variant of CVE-2007-1285. | 5.0 | CVE-2007-4670 OTHER-REF OTHER-REF |
| PPStream -- PPStream | Buffer overflow in the PowerPlayer.dll ActiveX control in PPStream 2.0.1.3829 allows remote attackers to execute arbitrary code via a long Logo parameter. | 6.8 | CVE-2007-4748 MILW0RM BID XF |
| QGit -- QGit | The DataLoader::doStart function in dataloader.cpp in QGit 1.5.6 and other versions up to 2pre1 allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on temporary files with predictable filenames. | 4.6 | CVE-2007-4631 OTHER-REF |
| Red Hat -- Enterprise Linux Desktop; Red Hat -- Enterprise Linux | Red Hat Enterprise Linux (RHEL) 5 creates the Advanced Intrusion Detection Environment (AIDE) before 0.13.1 rpm with a database that lacks checksum information, which allows context-dependent attackers to bypass file integrity checks and modify certain files. | 5.0 | CVE-2007-3849 OTHER-REF REDHAT |
| ROI Revolution -- Urchin | Multiple cross-site scripting (XSS) vulnerabilities in urchin.cgi in Urchin 5.6.00r2 allow remote attackers to inject arbitrary web script or HTML via the (1) dtc, (2) vid, (3) n, (4) dt, (5) ed, and (6) bd parameters. | 4.3 | CVE-2007-4713 OTHER-REF |
| Sun -- Solaris | Unspecified vulnerability in the strfreectty function in the Special File System (SPECFS) in Sun Solaris 8 through 10 allows local users to cause a denial of service (system panic), related to passing a NULL pointer to the pgsignal function. | 4.9 | CVE-2007-4732 SUNALERT FRSIRT SECTRACK SECUNIA |
| WebOddity -- WebOddity | Directory traversal vulnerability in Web Oddity 0.09b allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. | 5.0 | CVE-2007-4726 MILW0RM BID |
| Wireshark -- Wireshark | Integer signedness error in the DNP3 dissector in Wireshark 0.99.5 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain DNP3 packet. | 5.0 | CVE-2007-4721 BUGTRAQ MILW0RM OTHER-REF SECTRACK XF |
| www.toms-seiten.at -- Toms Gaestebuch | Multiple cross-site scripting (XSS) vulnerabilities in Toms Gaestebuch 1.00 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage, (2) mail, and (3) name parameters in a show action to (a) form.php; the (4) language and (5) anzeigebreite parameters to (b) admin/header.php; and the (6) msg parameter to (c) install.php, different vectors than CVE-2006-0706. | 4.3 | CVE-2007-4711 BUGTRAQ BID SECUNIA |
| xGB -- xGB | xGB.php in xGB 2.0 does not require authentication for an admin edit action, which allows remote attackers to make unspecified changes via an unknown series of steps. | 6.4 | CVE-2007-4637 MILW0RM |
| Yahoo -- Messenger | Yahoo! Messenger 8.1.0.209 and 8.1.0.402 allows remote attackers to cause a denial of service (application crash) via certain file-transfer packets, possibly involving a buffer overflow, as demonstrated by ym8bug.exe. NOTE: this might be related to CVE-2007-4515. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 5.0 | CVE-2007-4635 BID |

Low Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| Backup Manager -- Backup Manager | backup-manager-upload in Backup Manager before 0.6.3 provides the FTP server hostname, username, and password as plaintext command line arguments during FTP uploads, which allows local users to obtain sensitive information by listing the process and its arguments, a different vulnerability than CVE-2007-2766. | 2.1 | CVE-2007-4656 OTHER-REF OTHER-REF OTHER-REF SECUNIA |
| Claroline -- Claroline | Multiple cross-site scripting (XSS) vulnerabilities in Claroline before 1.8.6 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) dir parameter in admin/adminusers.php, the (2) action parameter in admin/advancedUserSearch.php, and the (3) view parameter in admin/campusProblem.php. | 3.5 | CVE-2007-4717 OTHER-REF OTHER-REF BID FRSIRT SECUNIA |
| Claroline -- Claroline | Cross-site scripting (XSS) vulnerability in admin/adminusers.php in Claroline before 1.8.6 allows remote authenticated administrators to inject arbitrary web script or HTML via the sort parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 3.5 | CVE-2007-4741 OTHER-REF SECUNIA |