Vulnerability Summary for the Week of January 24, 2011
Released: Jan 31, 2011
Document ID: SB11-031
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
anserv -- php_low_bids | SQL injection vulnerability in viewfaqs.php in PHP LOW BIDS allows remote attackers to execute arbitrary SQL commands via the cat parameter. | 2011-01-25 | 7.5 | CVE-2011-0646 XF BID EXPLOIT-DB SECUNIA OSVDB |
apple -- mac_os_x | Apple Mac OS X does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. | 2011-01-24 | 9.3 | CVE-2011-0639 MISC MISC MISC |
automatedsolutions -- modbus/tcp_master_opc_server | Heap-based buffer overflow in Automated Solutions Modbus/TCP Master OPC Server before 3.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a MODBUS response packet with a crafted length field. | 2011-01-28 | 7.6 | CVE-2010-4709 VUPEN BID EXPLOIT-DB SECUNIA CONFIRM |
cisco -- linksys_wrt54gc_router_firmware | Buffer overflow in the web-based management interface on the Cisco Linksys WRT54GC router with firmware before 1.06.1 allows remote attackers to cause a denial of service (device crash) via a long string in a POST request. | 2011-01-24 | 7.8 | CVE-2011-0352 CONFIRM SECUNIA JVNDB JVN |
ffmpeg -- ffmpeg | Integer overflow in the vorbis_residue_decode_internal function in libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg, possibly 0.6, has unspecified impact and remote attack vectors, related to the sizes of certain integer data types. NOTE: this might overlap CVE-2011-0480. | 2011-01-22 | 9.3 | CVE-2010-4705 CONFIRM |
hp -- openview_storage_data_protector | Buffer overflow in crs.exe in HP OpenView Storage Data Protector Cell Manager 6.11 allows remote attackers to execute arbitrary code via unspecified message types. | 2011-01-24 | 9.3 | CVE-2011-0273 HP HP SECTRACK SECUNIA |
kernel -- linux-pam | The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the .pam_environment file in a user's home directory, which might allow local users to run programs with an unintended environment by executing a program that relies on the pam_env PAM check. | 2011-01-24 | 7.2 | CVE-2010-4708 MISC CONFIRM MLIST CONFIRM |
linux -- linux_kernel | The default configuration of udev on Linux does not warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. | 2011-01-24 | 9.3 | CVE-2011-0640 MISC MISC MISC |
microsoft -- windows | Microsoft Windows does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. | 2011-01-24 | 9.3 | CVE-2011-0638 MISC MISC MISC |
mozilla -- bugzilla | Bugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10; 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2 does not properly generate random values for cookies and tokens, which allows remote attackers to obtain access to arbitrary accounts via unspecified vectors, related to an insufficient number of calls to the srand function. | 2011-01-28 | 7.5 | CVE-2010-4568 CONFIRM CONFIRM CONFIRM VUPEN BID CONFIRM SECUNIA |
openvas -- openvas_manager | The email function in manage_sql.c in OpenVAS Manager 1.0.x through 1.0.3 and 2.0.x through 2.0rc2 allows remote authenticated users to execute arbitrary commands via the (1) To or (2) From e-mail address in an OMP request to the Greenbone Security Assistant (GSA). | 2011-01-28 | 9.0 | CVE-2011-0018 CONFIRM VUPEN BID BUGTRAQ |
pango -- pango | Heap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object. | 2011-01-24 | 7.6 | CVE-2011-0020 CONFIRM CONFIRM VUPEN MLIST MLIST |
phpcms -- phpcms_2008 | SQL injection vulnerability in include/admin/model_field.class.php in PHPCMS 2008 V2 allows remote attackers to execute arbitrary SQL commands via the modelid parameter to flash_upload.php. | 2011-01-25 | 7.5 | CVE-2011-0644 XF BID EXPLOIT-DB SECUNIA OSVDB |
phpcms -- phpcms_2008 | SQL injection vulnerability in data.php in PHPCMS 2008 V2 allows remote attackers to execute arbitrary SQL commands via the where_time parameter in a get action. | 2011-01-25 | 7.5 | CVE-2011-0645 XF BID MISC |
videolan -- vlc_media_player | Multiple heap-based buffer overflows in cdg.c in the CDG decoder in VideoLAN VLC Media Player before 1.1.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted CDG video. | 2011-01-25 | 9.3 | CVE-2011-0021 MLIST CONFIRM CONFIRM VUPEN MLIST |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
citrix -- xen | The vbd_create function in Xen 3.1.2, when the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 is used, allows guest OS users to cause a denial of service (host OS panic) via an attempted access to a virtual CD-ROM device through the blkback driver. NOTE: some of these details are obtained from third party information. | 2011-01-22 | 5.5 | CVE-2010-4238 CONFIRM XF BID MISC |
citrix -- xen | The fixup_page_fault function in arch/x86/traps.c in Xen 4.0.1 and earlier on 64-bit platforms, when paravirtualization is enabled, does not verify that kernel mode is used to call the handle_gdt_ldt_mapping_fault function, which allows guest OS users to cause a denial of service (host OS BUG_ON) via a crafted memory access. | 2011-01-24 | 6.1 | CVE-2010-4255 CONFIRM MLIST MLIST MLIST |
collabnet -- scrumworks | CollabNet ScrumWorks Basic 1.8.4 uses cleartext credentials for network communication and the internal database, which makes it easier for context-dependent attackers to obtain sensitive information by (1) sniffing the network for transmissions of Java objects or (2) reading the database. | 2011-01-24 | 5.0 | CVE-2011-0410 CERT-VN SECUNIA |
ffmpeg -- ffmpeg | libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted .ogg file, related to the vorbis_floor0_decode function. NOTE: this might overlap CVE-2011-0480. | 2011-01-22 | 4.3 | CVE-2010-4704 CONFIRM CONFIRM |
fuse -- fuse | FUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789. | 2011-01-22 | 5.8 | CVE-2010-3879 CONFIRM MISC CONFIRM CONFIRM CONFIRM XF VUPEN UBUNTU UBUNTU BID SECUNIA OSVDB MLIST MLIST FULLDISC |
heart5 -- statpresscn | Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin.php in the StatPressCN plugin 1.9.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) what1, (2) what2, (3) what3, (4) what4, and (5) what5 parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2011-01-25 | 4.3 | CVE-2011-0641 BID SECUNIA OSVDB |
hp -- business_availability_center | Cross-site scripting (XSS) vulnerability in HP Business Availability Center (BAC) 7.x through 7.55 and 8.x through 8.05, and Business Service Management (BSM) through 9.01, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-01-24 | 4.3 | CVE-2011-0274 VUPEN BID SECTRACK SECUNIA SECUNIA HP HP |
ibm -- aix | The FC SCSI protocol driver in IBM AIX 6.1 does not verify that a timer is unused before deallocating this timer, which might allow attackers to cause a denial of service (system crash) via unspecified vectors. | 2011-01-24 | 4.9 | CVE-2011-0637 VUPEN AIXAPAR SECUNIA |
kernel -- linux-pam | The privilege-dropping implementation in the (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) 1.1.2 does not perform the required setfsgid and setgroups system calls, which might allow local users to obtain sensitive information by leveraging unintended group permissions, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-3435. | 2011-01-24 | 4.7 | CVE-2010-3430 CONFIRM MLIST MLIST MLIST MLIST MLIST MLIST MLIST CONFIRM MLIST MLIST MLIST MLIST MLIST |
kernel -- linux-pam | The privilege-dropping implementation in the (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) 1.1.2 does not check the return value of the setfsuid system call, which might allow local users to obtain sensitive information by leveraging an unintended uid, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-3435. | 2011-01-24 | 4.7 | CVE-2010-3431 CONFIRM MLIST MLIST MLIST MLIST MLIST MLIST MLIST CONFIRM MLIST MLIST MLIST MLIST MLIST |
kernel -- linux-pam | The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before 1.1.2 use root privileges during read access to files and directories that belong to arbitrary user accounts, which might allow local users to obtain sensitive information by leveraging this filesystem activity, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory. | 2011-01-24 | 4.7 | CVE-2010-3435 CONFIRM MLIST MLIST MLIST MLIST MLIST CONFIRM REDHAT REDHAT MLIST MLIST MLIST |
kernel -- linux-pam | pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of the invoking application or service during execution of the namespace.init script, which might allow local users to gain privileges by running a setuid program that relies on the pam_namespace PAM check, as demonstrated by the sudo program. | 2011-01-24 | 6.9 | CVE-2010-3853 CONFIRM CONFIRM REDHAT REDHAT |
kernel -- linux-pam | The pam_sm_close_session function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not properly handle a failure to determine a certain target uid, which might allow local users to delete unintended files by executing a program that relies on the pam_xauth PAM check. | 2011-01-24 | 4.9 | CVE-2010-4706 MLIST CONFIRM |
kernel -- linux-pam | The check_acl function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not verify that a certain ACL file is a regular file, which might allow local users to cause a denial of service (resource consumption) via a special file. | 2011-01-24 | 4.9 | CVE-2010-4707 MLIST CONFIRM |
linux -- kernel | fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an "OOM dodging issue," a related issue to CVE-2010-3858. | 2011-01-22 | 4.9 | CVE-2010-4243 CONFIRM MLIST MLIST MLIST CONFIRM XF CONFIRM EXPLOIT-DB MLIST MLIST MLIST MLIST MISC |
lunascape -- lunascape | Untrusted search path vulnerability in Lunascape before 6.4.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory. | 2011-01-24 | 6.9 | CVE-2010-3927 SECUNIA CONFIRM JVNDB JVN MISC CONFIRM |
menalto -- gallery | Unrestricted file upload vulnerability in modules/gallery/models/item.php in Menalto Gallery before 3.0 and beta allows remote authenticated users with upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | 2011-01-24 | 6.0 | CVE-2010-4353 BID CONFIRM SECUNIA |
miloslav_trmac -- libuser | libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values. | 2011-01-22 | 6.4 | CVE-2011-0002 CONFIRM CONFIRM XF VUPEN BID REDHAT OSVDB SECTRACK SECUNIA SECUNIA FEDORA |
mozilla -- bugzilla | Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 does not properly handle whitespace preceding a (1) javascript: or (2) data: URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the URL (aka bug_file_loc) field. | 2011-01-28 | 4.3 | CVE-2010-4567 CONFIRM VUPEN BID CONFIRM SECUNIA |
mozilla -- bugzilla | Cross-site scripting (XSS) vulnerability in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the real name field of a user account, related to the AutoComplete widget in YUI. | 2011-01-28 | 4.3 | CVE-2010-4569 CONFIRM MISC MISC VUPEN BID CONFIRM |
mozilla -- bugzilla | Cross-site scripting (XSS) vulnerability in the duplicate-detection functionality in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the summary field, related to the DataTable widget in YUI. | 2011-01-28 | 4.3 | CVE-2010-4570 CONFIRM MISC MISC VUPEN BID CONFIRM |
mozilla -- bugzilla | CRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the query string, a different vulnerability than CVE-2010-2761 and CVE-2010-4411. | 2011-01-28 | 4.3 | CVE-2010-4572 CONFIRM VUPEN BID CONFIRM SECUNIA |
network-13 -- n-13_news | Cross-site request forgery (CSRF) vulnerability in news/admin.php in N-13 News 3.4, 3.7, and 4.0 allows remote attackers to hijack the authentication of administrators for requests that create new users via the options action. NOTE: some of these details are obtained from third party information. | 2011-01-25 | 6.8 | CVE-2011-0642 XF EXPLOIT-DB SECUNIA OSVDB |
phplinkdirectory -- php_link_directory | Cross-site request forgery (CSRF) vulnerability in admin/conf_users_edit.php in PHP Link Directory (phpLD) 4.1.0 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via the N action. | 2011-01-25 | 6.8 | CVE-2011-0643 EXPLOIT-DB SECUNIA |
simploo -- simploo_cms | Static code injection vulnerability in Simploo CMS 1.7.1 and earlier allows remote authenticated users to inject arbitrary PHP code into config/custom/base.ini.php via the ftpserver parameter (FTP-Server field) to the sicore/updates/optionssav operation for index.php. | 2011-01-22 | 6.0 | CVE-2011-0635 BID BUGTRAQ EXPLOIT-DB SECUNIA OSVDB |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
bestpractical -- rt | Best Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database. | 2011-01-25 | 3.3 | CVE-2011-0009 CONFIRM MLIST CONFIRM VUPEN BID DEBIAN |
fedorahosted -- sssd | The pam_parse_in_data_v2 function in src/responder/pam/pamsrv_cmd.c in the PAM responder in SSSD 1.5.0, 1.4.x, and 1.3 allows local users to cause a denial of service (infinite loop, crash, and login prevention) via a crafted packet. | 2011-01-24 | 2.1 | CVE-2010-4341 CONFIRM FEDORA FEDORA VUPEN BID SECUNIA SECUNIA |
kernel -- linux-pam | The run_coprocess function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) before 1.1.2 does not check the return values of the setuid, setgid, and setgroups system calls, which might allow local users to read arbitrary files by executing a program that relies on the pam_xauth PAM check. | 2011-01-24 | 3.3 | CVE-2010-3316 CONFIRM MLIST MLIST MLIST MLIST MLIST MLIST MLIST CONFIRM MISC REDHAT REDHAT MLIST MLIST |
linux -- kernel | The pipe_fcntl function in fs/pipe.c in the Linux kernel before 2.6.37 does not properly determine whether a file is a named pipe, which allows local users to cause a denial of service via an F_SETPIPE_SZ fcntl call. | 2011-01-25 | 2.1 | CVE-2010-4256 MLIST MLIST CONFIRM CONFIRM |
nvidia -- cuda_toolkit | The (1) cudaHostAlloc and (2) cuMemHostAlloc functions in the NVIDIA CUDA Toolkit 3.2 developer drivers for Linux 260.19.26, and possibly other versions, do not initialize pinned memory, which allows local users to read potentially sensitive memory, such as file fragments during read or write operations. | 2011-01-22 | 2.1 | CVE-2011-0636 XF SECTRACK BID BUGTRAQ SECUNIA OSVDB MISC MISC |