Vulnerability Summary for the Week of November 5, 2007
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.

High Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| afcommerce -- AFCommerce | SQL injection vulnerability in Amazing Flash AFCommerce allows remote attackers to execute arbitrary SQL commands via the firstname parameter to an unspecified component, a different issue than CVE-2006-3794. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 7.5 | CVE-2007-5836 BID |
| Apple -- Quicktime | Unspecified vulnerability in Apple QuickTime before 7.3 allows remote attackers to execute arbitrary code via a crafted image description atom in a movie file, related to "memory corruption." | 9.3 | CVE-2007-2395 OTHER-REF APPLE FRSIRT SECTRACK SECUNIA |
| Apple -- Quicktime | Heap-based buffer overflow in Apple QuickTime before 7.3 allows remote attackers to execute arbitrary code via crafted Sample Table Sample Descriptor (STSD) atoms in a movie file. | 9.3 | CVE-2007-3750 OTHER-REF APPLE FRSIRT SECTRACK SECUNIA |
| Apple -- Quicktime | Unspecified vulnerability in QuickTime for Java in Apple QuickTime before 7.3 allows remote attackers to execute arbitrary code via untrusted Java applets that gain privileges via unspecified vectors. | 9.3 | CVE-2007-3751 OTHER-REF APPLE FRSIRT SECTRACK SECUNIA |
| Apple -- Quicktime | Stack-based buffer overflow in Apple QuickTime before 7.3 allows remote attackers to execute arbitrary code via an invalid UncompressedQuickTimeData opcode length in a PICT image. | 7.6 | CVE-2007-4672 BUGTRAQ OTHER-REF OTHER-REF APPLE FRSIRT SECTRACK SECUNIA |
| Apple -- Quicktime | Heap-based buffer overflow in the QuickTime VR extension 7.2.0.240 in Apple QuickTime before 7.3 allows remote attackers to execute arbitrary code via a QTVR (QuickTime Virtual Reality) movie file containing a large size field in the atom header of a panorama sample atom. | 9.3 | CVE-2007-4675 IDEFENSE OTHER-REF APPLE FRSIRT SECTRACK SECUNIA |
| Apple -- Quicktime | Heap-based buffer overflow in Apple QuickTime before 7.3 allows remote attackers to execute arbitrary code via malformed elements when parsing (1) Poly type (0x0070 through 0x0074) and (2) PackBitsRgn field (0x0099) opcodes in a PICT image. | 9.3 | CVE-2007-4676 BUGTRAQ BUGTRAQ OTHER-REF OTHER-REF OTHER-REF APPLE FRSIRT SECTRACK SECUNIA |
| Apple -- Quicktime | Heap-based buffer overflow in Apple QuickTime before 7.3 allows remote attackers to execute arbitrary code via an invalid color table size when parsing the color table atom (CTAB) in a movie file, related to the CTAB RGB values. | 9.3 | CVE-2007-4677 BUGTRAQ OTHER-REF OTHER-REF APPLE BID FRSIRT SECTRACK SECUNIA |
| Avaya -- Message Networking Avaya -- Messaging Storage Server | Unspecified vulnerability in the administrative interface in Avaya Messaging Storage Server (MSS) 3.1 before SP1, and Message Networking (MN) 3.1, allows remote attackers to cause a denial of service via unspecified vectors related to "input validation." | 7.8 | CVE-2007-5830 OTHER-REF SECUNIA |
| Ax Developer CMS -- Ax Developer CMS | Directory traversal vulnerability in index.php in Ax Developer CMS (AxDCMS) 0.1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter. | 9.3 | CVE-2007-5820 MILW0RM XF |
| easyGB -- easyGB | Directory traversal vulnerability in index.php in easyGB 2.1.1 allows remote attackers to include arbitrary files via the DatabaseType parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 10.0 | CVE-2007-5890 BID |
| EDraw -- Flowchart ActiveX | Absolute path traversal vulnerability in the EDraw Flowchart ActiveX control in EDImage.ocx 2.0.2005.1104 allows remote attackers to create or overwrite arbitrary files with arbitrary contents via a full pathname in the second argument to the HttpDownloadFile method, a different product than CVE-2007-4420. | 9.3 | CVE-2007-5826 MILW0RM FRSIRT XF |
| FireFly -- Media Server | webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a stats method action to /xml-rpc with (1) an empty Authorization header line, which triggers a crash in the ws_decodepassword function; or (2) a header line without a ':' character, which triggers a crash in the ws_getheaders function. | 7.1 | CVE-2007-5824 BUGTRAQ BUGTRAQ BUGTRAQ MILW0RM |
| Firewolf Technologies -- Synergiser | Directory traversal vulnerability in index.php in Firewolf Technologies Synergiser 1.2 RC1 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter. NOTE: this can be leveraged to obtain the path by including a local PHP script with a duplicate function declaration. | 7.5 | CVE-2007-5802 BUGTRAQ OTHER-REF BID |
| GuppY -- GuppY | Directory traversal vulnerability in inc/includes.inc in GuppY 4.6.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the selskin parameter to index.php. NOTE: this can be leveraged for remote file inclusion by including inc/boxleft.inc and specifying a URL in the xposbox[L][] array parameter. | 7.5 | CVE-2007-5844 MILW0RM BID |
| GuppY -- GuppY | Directory traversal vulnerability in error.php in GuppY 4.6.3, 4.5.16, and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the id parameter. NOTE: this can be leveraged to bypass authentication and upload arbitrary files by including admin/inc/upload.inc and specifying certain multipart/form-data input for admin/inc/upload.inc. | 7.5 | CVE-2007-5845 MILW0RM MILW0RM OTHER-REF |
| IBM -- AIX | Stack-based buffer overflow in the domacro function in ftp in IBM AIX 5.2 and 5.3 allows local users to gain privileges via a long parameter to a macro, as demonstrated by executing a macro via the '$' command. | 7.2 | CVE-2007-4217 IDEFENSE OTHER-REF OTHER-REF AIXAPAR AIXAPAR BID XF |
| IBM -- AIX | Multiple stack-based buffer overflows in IBM AIX 5.2 and 5.3 allow local users to gain privileges via a long argument to the (1) "-p" option to lqueryvg or (2) the "-V" option to lquerypv. | 7.2 | CVE-2007-4513 IDEFENSE IDEFENSE OTHER-REF OTHER-REF AIXAPAR AIXAPAR AIXAPAR AIXAPAR BID BID |
| IBM -- AIX | Buffer overflow in crontab in IBM AIX 5.2 allows local users to gain privileges via long command line arguments. | 7.2 | CVE-2007-4621 IDEFENSE OTHER-REF AIXAPAR BID |
| IBM -- AIX | Integer underflow in the dns_name_fromtext function in (1) libdns_nonsecure.a and (2) libdns_secure.a in IBM AIX 5.2 allows local users to gain privileges via a crafted "-y" (TSIG key) command line argument to dig. | 7.2 | CVE-2007-4622 IDEFENSE OTHER-REF AIXAPAR BID |
| IBM -- AIX | Stack-based buffer overflow in the sendrmt function in bellmail in IBM AIX 5.2 and 5.3 allows local users to execute arbitrary code via a long parameter to the m command. | 7.2 | CVE-2007-4623 IDEFENSE OTHER-REF OTHER-REF AIXAPAR AIXAPAR BID XF |
| IDMOS -- IDMOS | Multiple PHP remote file inclusion vulnerabilities in IDMOS 1.0 Alpha (aka Phoenix) allow remote attackers to execute arbitrary PHP code via a URL in the site_absolute_path parameter to (1) admin.php, (2) menu_add.php, and (3) menu_operation.php in administrator/, different vectors than CVE-2007-5294. | 10.0 | CVE-2007-5889 BUGTRAQ XF |
| Infuseum -- ASP Message Board | SQL injection vulnerability in boards/printer.asp in ASP Message Board 2.2.1c allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 | CVE-2007-5887 MILW0RM BID XF |
| Link Grammar -- Link Grammar AbiWord -- AbiWord Link Grammar | Stack-based buffer overflow in the separate_word function in tokenize.c in Link Grammar 4.1b and possibly other versions, as used in AbiWord Link Grammar 4.2.4, allows remote attackers to execute arbitrary code via a long word, as reachable through the separate_sentence function. | 10.0 | CVE-2007-5395 OTHER-REF OTHER-REF SECUNIA SECUNIA |
| Microsoft -- Sysinternals DebugView | Dbgv.sys in Microsoft Sysinternals DebugView before 4.72 provides an unspecified mechanism for copying data into kernel memory, which allows local users to gain privileges via unspecified vectors. | 7.2 | CVE-2007-4223 IDEFENSE FRSIRT SECTRACK SECUNIA |
| Mozilla -- Firefox | Mozilla Firefox 2.0.0.9 allows remote attackers to cause a denial of service (CPU consumption and crash) via an iframe with Javascript that sets the document.location to contain a leading NULL byte (\x00) and a (1) res://, (2) about:config, or (3) file:/// URI. | 7.1 | CVE-2007-5896 FULLDISC OTHER-REF XF |
| Net-SNMP -- Net-SNMP | The SNMP agent in net-snmp 5.4.1 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value. | 7.8 | CVE-2007-5846 OTHER-REF |
| Oracle -- E-Business Suite 11i Oracle -- E-Business Suite 12 | SQL injection vulnerability in okxLOV.jsp in Oracle E-Business Suite 11 and 12 allows remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: this is probably the same issue as CVE-2007-5527 or CVE-2007-5528, but there are insufficient details to be sure. | 7.5 | CVE-2007-5766 BUGTRAQ OTHER-REF OTHER-REF |
| Oracle -- Oracle9i Database Server Release 1 Oracle -- Oracle8i Database Server Release 3 Oracle -- Oracle10g Database Server Release 1 Oracle -- Oracle9i Database Server Release 2 | Buffer overflow in MDSYS.SDO_CS in Oracle Database Server 8iR3, 9iR1, 9iR2 up to 9.2.0.6, and 10gR1 up to 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) and execute arbitrary code via the TRANSFORM function. NOTE: this issue might already be covered by CVE-2007-5515, CVE-2007-5509, or CVE-2007-5505, but there are insufficient details to be sure. | 8.5 | CVE-2007-5897 BUGTRAQ OTHER-REF |
| PCRE -- PCRE | Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes. | 7.5 | CVE-2007-1659 OTHER-REF DEBIAN FRSIRT |
| PCRE -- PCRE | Perl-Compatible Regular Expression (PCRE) library before 7.3 does not properly calculate sizes for unspecified "multiple forms of character class", which triggers a buffer overflow that allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code. | 7.5 | CVE-2007-1660 DEBIAN FRSIRT |
| PCRE -- PCRE | Multiple integer overflows in Perl-Compatible Regular Expression (PCRE) library before 7.3 allow context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via unspecified escape (backslash) sequences. | 7.5 | CVE-2007-4766 OTHER-REF DEBIAN FRSIRT |
| PCRE -- PCRE | Heap-based buffer overflow in Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to execute arbitrary code via a singleton Unicode sequence in a character class in a regex pattern, which is incorrectly optimized. | 10.0 | CVE-2007-4768 DEBIAN FRSIRT |
| Plone -- Plone | Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes. | 7.5 | CVE-2007-5741 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA |
| Red Hat -- enterprise_linux_application_stack Larry Wall -- Perl MandrakeSoft -- Multi Network Firewall OpenPKG -- OpenPKG | Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression. | 10.0 | CVE-2007-5116 OTHER-REF MANDRIVA REDHAT REDHAT BID FRSIRT SECUNIA SECUNIA |
| redhat -- rhel_certificate_server | Certificate Server 7.2 in Red Hat Certificate System (RHCS) does not properly handle new revocations that occur while a Certificate Revocation List (CRL) is being generated, which might prevent certain revoked certificates from appearing on the CRL quickly and allow users with revoked certificates to bypass the intended CRL. | 7.5 | CVE-2007-4994 REDHAT FRSIRT |
| sBLOG -- sBlog | Cross-site request forgery (CSRF) vulnerability in blocks_edit_do.php in sBlog 0.7.3 Beta allows remote attackers to change arbitrary blocks as administrators. | 7.6 | CVE-2007-5818 BUGTRAQ OTHER-REF XF |
| Scribe -- Scribe | Direct static code injection vulnerability in forum.php in Ben Ng Scribe 0.2 and earlier allows remote attackers to inject arbitrary PHP code into a certain file in regged/ via the username parameter in a Register action. | 7.5 | CVE-2007-5822 BUGTRAQ MILW0RM OTHER-REF XF |
| Scribe -- Scribe | Directory traversal vulnerability in forum.php in Ben Ng Scribe 0.2 and earlier allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in the username parameter in a Register action. | 7.5 | CVE-2007-5823 BUGTRAQ MILW0RM OTHER-REF |
| SonicWall -- SSL VPN | Stack-based buffer overflow in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allows remote attackers to execute arbitrary code via a long string in the second argument to the AddRouteEntry method. | 9.3 | CVE-2007-5603 BUGTRAQ MILW0RM OTHER-REF OTHER-REF OTHER-REF CERT-VN BID SECUNIA |
| SonicWall -- SSL VPN | Multiple buffer overflows in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allow remote attackers to execute arbitrary code via a long (1) serverAddress, (2) sessionId, (3) clientIPLower, (4) clientIPHigher, (5) userName, (6) domainName, or (7) dnsSuffix Unicode property value. NOTE: the AddRouteEntry vector is covered by CVE-2007-5603. | 9.3 | CVE-2007-5814 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA |
| SonicWall -- SSL VPN | Absolute path traversal vulnerability in the WebCacheCleaner ActiveX control 1.3.0.3 in SonicWall SSL-VPN 200 before 2.1, and SSL-VPN 2000/4000 before 2.5, allows remote attackers to delete arbitrary files via a full pathname in the argument to the FileDelete method. | 10.0 | CVE-2007-5815 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA |
| SSL-Explorer -- SSL-Explorer | Directory traversal vulnerability in fileSystem.do in SSL-Explorer before 0.2.14 allows remote attackers to access arbitrary files via directory traversal sequences in the path parameter. NOTE: some of these details are obtained from third party information. | 7.5 | CVE-2007-5831 OTHER-REF SECUNIA |
| SSL-Explorer -- SSL-Explorer | Unspecified vulnerability in selectLanguage.do in SSL-Explorer before 0.2.15 allows remote attackers to inject (1) headers or (2) body data in an HTTP transaction, a different vulnerability than CVE-2007-2907. NOTE: some of these details are obtained from third party information. | 7.5 | CVE-2007-5832 OTHER-REF OTHER-REF SECUNIA |
| ssreader -- Ultra Star Reader | Stack-based buffer overflow in the pdg2.dll ActiveX control in SSReader 4.0 and earlier allows remote attackers to execute arbitrary code via a long argument to the Register method. NOTE: some details were obtained from third party sources. | 10.0 | CVE-2007-5892 OTHER-REF FRSIRT SECUNIA |
| Symantec -- Altiris Deployment Solution | Aclient in Symantec Altiris Deployment Solution 6.x before 6.8.380.0 allows local users to gain local System privileges via the "Enable key-based authentication to Deployment server" browser option, a different issue than CVE-2007-4380. | 7.2 | CVE-2007-5838 OTHER-REF OTHER-REF OTHER-REF BID SECTRACK SECUNIA XF |
| Xpdf -- Xpdf | Array index error in the DCTStream::readProgressiveDataUnit method in xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote attackers to trigger memory corruption and execute arbitrary code via a crafted PDF file. | 7.6 | CVE-2007-4352 OTHER-REF SECUNIA |
| Xpdf -- Xpdf | Integer overflow in the DCTStream::reset method in xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote attackers to execute arbitrary code via a crafted PDF file, resulting in a heap-based buffer overflow. | 9.3 | CVE-2007-5392 OTHER-REF SECUNIA |
| Xpdf -- Xpdf | Heap-based buffer overflow in the CCITTFaxStream::lookChar method in xpdf/Stream.cc in Xpdf 3.02 with xpdf-3.02pl1.patch allows remote attackers to execute arbitrary code via a PDF file that contains a crafted CCITTFaxDecode filter. | 9.3 | CVE-2007-5393 OTHER-REF SECUNIA |

Medium Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| | Cross-site scripting (XSS) vulnerability in Hitachi Web Server 01-00 through 03-10, as used by certain Cosminexus products, allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP requests that trigger creation of a server-status page. | 4.3 | CVE-2007-5809 OTHER-REF FRSIRT SECUNIA |
| alhem -- C++ Sockets Library | HTTPSocket.cpp in the C++ Sockets Library before 2.2.5 allows remote attackers to cause a denial of service (crash) via an HTTP request with a missing protocol version number, which triggers an exception. NOTE: some of these details were obtained from third party sources. | 5.0 | CVE-2007-5893 OTHER-REF SECUNIA |
| Altiris -- Deployment Solution | Directory traversal vulnerability in the tftp/mftp daemon in the PXE server component (pxemtftp.exe) in Symantec Altiris Deployment Solution 6.x before 6.8.380.0 allows remote attackers to read arbitrary files via unspecified vectors. | 6.8 | CVE-2007-3874 IDEFENSE OTHER-REF BID SECTRACK SECUNIA XF |
| BitchX -- BitchX | The e_hostname function in commands.c in BitchX 1.1a allows local users to overwrite arbitrary files via a symlink attack on temporary files when using the (1) HOSTNAME or (2) IRCHOST command. | 4.6 | CVE-2007-5839 OTHER-REF BID FRSIRT SECUNIA |
| BosDev -- BosNews | Cross-site scripting (XSS) vulnerability in BosDev BosNews 4 allows remote attackers to inject arbitrary web script or HTML via a SCRIPT element in a news post. | 4.3 | CVE-2007-5834 BUGTRAQ |
| BosDev -- BosNews | Install.php in BosDev BosNews 4 and 5 does not require authentication for replacing an existing product installation or creating a new admin account, which allows remote attackers to cause a denial of service (overwritten files) and possibly obtain administrative access. | 5.0 | CVE-2007-5835 BUGTRAQ |
| Cisco -- Unified MeetingPlace | Multiple cross-site scripting (XSS) vulnerabilities in mpweb/scripts/mpx.dll in Cisco Unified MeetingPlace 5.4 and earlier and 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) FirstName and (2) LastName parameters. | 4.3 | CVE-2007-5581 CISCO FRSIRT SECUNIA |
| Citrix -- Advanced Access Control Citrix -- Access Gateway | The web portal interface in Citrix Access Gateway (aka Citrix Advanced Access Control) before Advanced Edition 4.5 HF1 places a session ID in the URL, which allows context-dependent attackers to hijack sessions by reading "residual information", including a referer log, browser history, or browser cache. | 5.0 | CVE-2007-0011 BUGTRAQ OTHER-REF OTHER-REF BID FRSIRT SECTRACK SECUNIA XF |
| CONTENTCustomizer -- CONTENTCustomizer | dialog.php in CONTENTCustomizer 3.1mp and earlier allows remote attackers to obtain sensitive author credentials by making a request with an editauthor action, then reading the value of the newlocalpassword password input field in the HTML source of the resulting page. | 5.0 | CVE-2007-5816 OTHER-REF SECUNIA |
| CONTENTCustomizer -- CONTENTCustomizer | dialog.php in CONTENTCustomizer 3.1mp and earlier allows remote attackers to perform certain privileged actions via a (1) del, (2) delbackup, (3) res, or (4) ren action. NOTE: this issue can be leveraged to conduct cross-site scripting (XSS) and possibly other attacks. | 4.3 | CVE-2007-5817 OTHER-REF |
| Coppermine -- Coppermine Photo Gallery | Cross-site scripting (XSS) vulnerability in displayecard.php in Coppermine Photo Gallery (CPG) before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the data parameter. | 4.3 | CVE-2007-5888 OTHER-REF SECUNIA |
| Django Project -- Django | Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. | 6.8 | CVE-2007-5828 BUGTRAQ |
| DM Guestbook -- DM Guestbook | Multiple directory traversal vulnerabilities in DM Guestbook 0.4.1 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lng parameter to (a) guestbook.php, (b) admin/admin.guestbook.php, or (c) auto/glob_new.php; or (2) the lngdefault parameter to auto/ch_lng.php. | 6.8 | CVE-2007-5821 MILW0RM XF |
| FireFly -- Media Server | Format string vulnerability in the ws_addarg function in webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allows remote attackers to execute arbitrary code via a stats method action to /xml-rpc with format string specifiers in the (1) username or (2) password portion of base64-encoded data on the "Authorization: Basic" HTTP header line. | 6.8 | CVE-2007-5825 BUGTRAQ BUGTRAQ |
| Hitachi -- Groupmax Collaboration Web Client Hitachi -- Groupmax Collaboration Portal Hitachi -- uCosminexus Collaboration Portal | Unspecified vulnerability in the Groupmax Collaboration - Schedule component in Hitachi Groupmax Collaboration Portal 07-30 through 07-30-/F and 07-32 through 07-32-/C, uCosminexus Collaboration Portal 06-30 through 06-30-/F and 06-32 through 06-32-/C, and Groupmax Collaboration Web Client - Mail/Schedule 07-30 through 07-30-/F and 07-32 through 07-32-/B might allow remote attackers to obtain sensitive information via unspecified vectors related to schedule portlets. | 5.0 | CVE-2007-5808 OTHER-REF FRSIRT SECUNIA |
| Hitachi -- uCosminexus Application Server Enterprise | Hitachi Web Server 01-00 through 03-00-01, as used by certain Cosminexus products, does not properly validate SSL client certificates, which might allow remote attackers to spoof authentication via a client certificate with a forged signature. | 5.0 | CVE-2007-5810 OTHER-REF FRSIRT SECUNIA |
| IBM -- AIX | cfgcon in IBM AIX 5.2 and 5.3 does not properly validate the argument to the "-p" option to swcons, which allows local users in the system group to create or overwrite an arbitrary file, and enable world writability of this file, by using the file's name as the argument. | 6.9 | CVE-2007-5804 IDEFENSE OTHER-REF OTHER-REF AIXAPAR AIXAPAR BID XF |
| IBM -- AIX | cfgcon in IBM AIX 5.2 and 5.3 does not properly validate the argument to the "-p" option to swcons, which allows local users in the system group to create an arbitrary file, and enable world writability of this file, via a symlink attack involving use of the file's name as the argument. NOTE: this issue is due to an incomplete fix for CVE-2007-5804. | 6.9 | CVE-2007-5805 IDEFENSE OTHER-REF OTHER-REF AIXAPAR AIXAPAR BID XF |
| ILIAS -- ILIAS | Cross-site scripting (XSS) vulnerability in Services/Utilities/classes/class.ilUtil.php in ILIAS 3.8.3 and earlier allows remote attackers to inject arbitrary web script or HTML via attributes inside a domain-name string in the (1) mailing or (2) forum component, as demonstrated using the style and onmouseover HTML attributes. | 4.3 | CVE-2007-5806 BUGTRAQ OTHER-REF OTHER-REF BID |
| ISPworker -- ISPworker | Multiple directory traversal vulnerabilities in download.php in ISPworker 1.21 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ticketid and (2) filename parameters. | 5.0 | CVE-2007-5813 MILW0RM |
| Linux -- Kernel | Integer underflow in the ieee80211_rx function in net/ieee80211/ieee80211_rx.c in the Linux kernel 2.6.x before 2.6.23 allows remote attackers to cause a denial of service (crash) via a crafted SKB length value in a runt IEEE 802.11 frame when the IEEE80211_STYPE_QOS_DATA flag is set, aka an "off-by-two error." | 6.8 | CVE-2007-4997 OTHER-REF OTHER-REF OTHER-REF FRSIRT |
| ManageEngine -- OpManager ManageEngine -- OpManager MSP | Multiple cross-site scripting (XSS) vulnerabilities in jsp/Login.do in ManageEngine OpManager MSP Edition and OpManager 7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) requestid, (2) fileid, (3) woMode, and (2) woID parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 4.3 | CVE-2007-5891 BID SECUNIA |
| ModuleBuilder -- ModuleBuilder | Directory traversal vulnerability in modules/Builder/DownloadModule.php in ModuleBuilder 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. | 5.0 | CVE-2007-5812 MILW0RM |
| nuBoard -- nuBoard | PHP remote file inclusion vulnerability in admin/index.php in nuBoard 0.5 allows remote attackers to execute arbitrary PHP code via a URL in the site parameter. | 6.8 | CVE-2007-5841 MILW0RM |
| Oracle -- Oracle10g Database Server | Buffer overflow in the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure in Oracle 10g R2 allows remote authenticated users to execute arbitrary code via a long (1) OWNER or (2) NAME argument. | 6.0 | CVE-2007-4517 IDEFENSE BID FRSIRT SECTRACK SECUNIA |
| PCRE -- PCRE | Multiple integer overflows in Perl-Compatible Regular Expression (PCRE) library before 6.7 allow context-dependent attackers to execute arbitrary code via a regular expression containing (1) a large number of named subpatterns (name_count), (2) long subpattern names (max_name_size), (3) a repeated subpattern with a long name, or (4) an unspecified vector involving the (a) max, (b) min, and (c) duplength variables in the length calculation in pcre_compile. | 6.8 | CVE-2006-7224 OTHER-REF OTHER-REF SECUNIA |
| PCRE -- PCRE | Perl-Compatible Regular Expression (PCRE) library before 7.3 backtracks too far when matching certain input bytes against some regex patterns in non-UTF-8 mode, which allows context-dependent attackers to obtain sensitive information or cause a denial of service (crash), as demonstrated by the "\X?\d" and "\P{L}?\d" patterns. | 6.4 | CVE-2007-1661 OTHER-REF DEBIAN FRSIRT |
| PCRE -- PCRE | Perl-Compatible Regular Expression (PCRE) library before 7.3 reads past the end of the string when searching for unmatched brackets and parentheses, which allows context-dependent attackers to cause a denial of service (crash), possibly involving forward references. | 5.0 | CVE-2007-1662 OTHER-REF DEBIAN FRSIRT |
| PCRE -- PCRE | Perl-Compatible Regular Expression (PCRE) library before 7.3 does not properly compute the length of (1) a \p sequence, (2) a \P sequence, or (3) a \P{x} sequence, which allows context-dependent attackers to cause a denial of service (infinite loop or crash) or execute arbitrary code. | 5.0 | CVE-2007-4767 OTHER-REF DEBIAN FRSIRT |
| phpMyConferences -- phpMyConferences | ** DISPUTED ** Directory traversal vulnerability in PageTraiteDownload.php in phpMyConferences 8.0.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the dir parameter. NOTE: this issue is disputed for 8.0.2 by a reliable third party, who notes that the PHP code is syntactically incorrect and cannot be executed. | 5.0 | CVE-2007-5811 MILW0RM VIM VIM |
| scwiki -- scWiki | PHP remote file inclusion vulnerability in includes/common.php in scWiki 1.0 Beta 2 allows remote attackers to execute arbitrary PHP code via a URL in the pathdot parameter. | 6.8 | CVE-2007-5843 MILW0RM BID |
| ssreader -- Ultra Star Reader | Buffer overflow in the register function in Ultra Star Reader ActiveX control in SSReader allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 6.8 | CVE-2007-5807 BID |
| Symantec -- AntiVirus Symantec -- Norton Antivirus Symantec -- Norton Internet Security | The Disk Mount scanner in Symantec AntiVirus for Macintosh 9.x and 10.x, Norton AntiVirus for Macintosh 10.0 and 10.1, and Norton Internet Security for Macintosh 3.x, uses a directory with weak permissions (group writable), which allows local admin users to gain root privileges by replacing certain files, which are executed when a user with physical access inserts a disk and the "Show Progress During Mount Scans" option is enabled. | 6.0 | CVE-2007-5829 OTHER-REF BID FRSIRT SECTRACK SECTRACK SECUNIA |
| SyndeoCMS -- SyndeoCMS | PHP remote file inclusion vulnerability in starnet/themes/c-sky/main.inc.php in Fred Stuurman SyndeoCMS 2.5.01 allows remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter, a different vector than CVE-2006-4920.2. | 6.8 | CVE-2007-5840 MILW0RM |
| Vortex Portal -- Vortex Portal | Multiple PHP remote file inclusion vulnerabilities in Vortex Portal 1.0.42 allow remote attackers to execute arbitrary PHP code via a URL in the cfgProgDir parameter to (1) admincp/auth/secure.php or (2) admincp/auth/checklogin.php. | 6.8 | CVE-2007-5842 MILW0RM |
| yarssr -- yarssr | GUI.pm in yarssr 0.2.2, when Gnome default URL handling is disabled, allows remote attackers to execute arbitrary commands via shell metacharacters in a link element in a feed. | 6.8 | CVE-2007-5837 OTHER-REF BID SECUNIA |

Low Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| BosDev -- BosMarket Business Directory System | Multiple cross-site scripting (XSS) vulnerabilities in BosDev BosMarket Business Directory System allow remote authenticated users to inject arbitrary web script or HTML via (1) user info (account details) or (2) a post. | 3.5 | CVE-2007-5833 BUGTRAQ |
| fedoraproject -- Coolkey | CoolKey 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on temporary files in the /tmp/.pk11ipc1/ directory. | 3.3 | CVE-2007-4129 OTHER-REF REDHAT BID |
| GForge -- GForge | gforge 3.1 and 4.5.14 allows local users to truncate arbitrary files via a symlink attack on temporary files. | 3.3 | CVE-2007-3921 DEBIAN |
| IBM -- Tivoli Continuous Data Protection for Files | IBM Tivoli Continuous Data Protection for Files (CDP) 3.1.0 uses weak permissions (unrestricted write) for the Central Admin Global download directory, which allows local users to place arbitrary files into a location used for updating CDP clients. | 2.1 | CVE-2007-5819 AIXAPAR FRSIRT SECUNIA XF |
| iscsitarget -- iscsitarget | iSCSI Enterprise Target (iscsitarget) 0.4.15 uses weak permissions for /etc/ietd.conf, which allows local users to obtain passwords. | 2.1 | CVE-2007-5827 OTHER-REF BID SECUNIA |
