Vulnerability Summary for the Week of November 21, 2011
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
alcatel -- speedtouch_5x6_router_firmware | The UPnP IGD implementation on SpeedTouch 5x6 devices with firmware before 6.2.29 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. | 2011-11-22 | 7.5 | CVE-2011-4505 |
alephsystem -- cms_ariadna | SQL injection vulnerability in detResolucion.php in CMS Ariadna 1.1 allows remote attackers to execute arbitrary SQL commands via the tipodoc_id parameter. | 2011-11-22 | 7.5 | CVE-2010-5057 |
alephsystem -- cms_ariadna | SQL injection vulnerability in detResolucion.php in CMS Ariadna 1.1 allows remote attackers to execute arbitrary SQL commands via the res_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2011-11-22 | 7.5 | CVE-2010-5058 |
almnzm -- almnzm | SQL injection vulnerability in index.php in Almnzm 2.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 2011-11-22 | 7.5 | CVE-2010-5055 |
aviosoft -- dtv_player | Buffer overflow in Aviosoft DTV Player 1.0.1.2 allows remote attackers to execute arbitrary code via a crafted .plf (aka playlist) file. | 2011-11-21 | 9.3 | CVE-2011-4496 |
canyon-tech -- cn-wf512_router_firmware | The UPnP IGD implementation in Edimax EdiLinux on the Edimax BR-6104K with firmware before 3.25, Edimax 6114Wg, Canyon-Tech CN-WF512 with firmware 1.83, Canyon-Tech CN-WF514 with firmware 2.08, Sitecom WL-153 with firmware before 1.39, and Sweex LB000021 with firmware 3.15 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. | 2011-11-22 | 7.5 | CVE-2011-4501 |
canyon-tech -- cn-wf512_router_firmware | The UPnP IGD implementation in Edimax EdiLinux on the Edimax BR-6104K with firmware before 3.25, Edimax 6114Wg, Canyon-Tech CN-WF512 with firmware 1.83, Canyon-Tech CN-WF514 with firmware 2.08, Sitecom WL-153 with firmware before 1.39, and Sweex LB000021 with firmware 3.15 allows remote attackers to execute arbitrary commands via shell metacharacters. | 2011-11-22 | 7.5 | CVE-2011-4502 |
cisco -- linksys_wrt54g_router_firmware | The UPnP IGD implementation in the Broadcom UPnP stack on the Cisco Linksys WRT54G with firmware before 4.30.5, WRT54GS v1 through v3 with firmware before 4.71.1, and WRT54GS v4 with firmware before 1.06.1 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. | 2011-11-22 | 7.5 | CVE-2011-4499 |
cisco -- linksys_wrt54gx_router_firmware | The UPnP IGD implementation on the Cisco Linksys WRT54GX with firmware 2.00.05, when UPnP is enabled, configures the SOAP server to listen on the WAN port, which allows remote attackers to administer the firewall via SOAP requests. | 2011-11-22 | 7.5 | CVE-2011-4500 |
cmscout -- cmscout | SQL injection vulnerability in index.php in CMScout 2.0.8 allows remote attackers to execute arbitrary SQL commands via the album parameter in a photos action. | 2011-11-22 | 7.5 | CVE-2010-5059 |
dlink -- dir-685 | The D-Link DIR-685 router, when certain WPA and WPA2 configurations are used, does not maintain an encrypted wireless network during transfer of a large amount of network traffic, which allows remote attackers to obtain sensitive information or bypass authentication via a Wi-Fi device. | 2011-11-22 | 7.5 | CVE-2011-4507 |
gbu_grafici -- com_gbufacebook | SQL injection vulnerability in the GBU Facebook (com_gbufacebook) component 1.0.5 for Joomla! allows remote attackers to execute arbitrary SQL commands via the face_id parameter in a show_face action to index.php. | 2011-11-22 | 7.5 | CVE-2010-5056 |
genmei_mori -- pseudoics | The UPnP IGD implementation in the Pseudo ICS UPnP software on the ZyXEL P-330W allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. | 2011-11-22 | 7.5 | CVE-2011-4504 |
google -- chrome | Multiple unspecified vulnerabilities in Google Chrome before 16.0.912.44 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors. | 2011-11-23 | 10.0 | CVE-2011-4548 |
joomla -- com_xobbix | SQL injection vulnerability in the XOBBIX (com_xobbix) component 1.0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the prodid parameter in a prod_desc action to index.php. | 2011-11-22 | 7.5 | CVE-2010-5053 |
mh_products -- kleinanzeigenmarkt | SQL injection vulnerability in search.php in MH Products kleinanzeigenmarkt allows remote attackers to execute arbitrary SQL commands via the c parameter. | 2011-11-22 | 7.5 | CVE-2010-5062 |
njstar -- njstar_communicator | Buffer overflow in MiniSmtp 3.0.11818 in NJStar Communicator allows remote attackers to execute arbitrary code via a crafted packet. | 2011-11-21 | 10.0 | CVE-2011-4040 |
nus -- newssystem | SQL injection vulnerability in Nus.php in NUs Newssystem 1.02 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 2011-11-22 | 7.5 | CVE-2010-5060 |
realnetworks -- realplayer | Heap-based buffer overflow in the RealVideo renderer in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via unspecified vectors. | 2011-11-24 | 10.0 | CVE-2011-4244 |
realnetworks -- realplayer | The RealVideo renderer in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. | 2011-11-24 | 10.0 | CVE-2011-4245 |
realnetworks -- realplayer | The AAC codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. | 2011-11-24 | 10.0 | CVE-2011-4246 |
realnetworks -- realplayer | RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted QCELP stream. | 2011-11-24 | 9.3 | CVE-2011-4247 |
realnetworks -- realplayer | RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a malformed AAC file. | 2011-11-24 | 9.3 | CVE-2011-4248 |
realnetworks -- realplayer | Array index error in the RV30 codec in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via unspecified vectors. | 2011-11-24 | 10.0 | CVE-2011-4249 |
realnetworks -- realplayer | Unspecified vulnerability in the ATRC codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code via unknown vectors. | 2011-11-24 | 10.0 | CVE-2011-4250 |
realnetworks -- realplayer | RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted sample size in a RealAudio file. | 2011-11-24 | 9.3 | CVE-2011-4251 |
realnetworks -- realplayer | The RV10 codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code via a crafted sample height. | 2011-11-24 | 9.3 | CVE-2011-4252 |
realnetworks -- realplayer | Unspecified vulnerability in the RV20 codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code via unknown vectors. | 2011-11-24 | 10.0 | CVE-2011-4253 |
realnetworks -- realplayer | RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted RTSP SETUP request. | 2011-11-24 | 10.0 | CVE-2011-4254 |
realnetworks -- realplayer | Unspecified vulnerability in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code via an invalid codec name. | 2011-11-24 | 10.0 | CVE-2011-4255 |
realnetworks -- realplayer | The RV30 codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 does not initialize an unspecified index value, which allows remote attackers to execute arbitrary code via unknown vectors. | 2011-11-24 | 10.0 | CVE-2011-4256 |
realnetworks -- realplayer | The Cook codec in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via crafted channel data. | 2011-11-24 | 9.3 | CVE-2011-4257 |
realnetworks -- realplayer | RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted length of an MLTI chunk in an IVR file. | 2011-11-24 | 9.3 | CVE-2011-4258 |
realnetworks -- realplayer | Integer underflow in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted width value in an MPG file. | 2011-11-24 | 9.3 | CVE-2011-4259 |
realnetworks -- realplayer | RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a malformed header in an MP4 file. | 2011-11-24 | 9.3 | CVE-2011-4260 |
realnetworks -- realplayer | RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via crafted video dimensions in an MP4 file. | 2011-11-24 | 9.3 | CVE-2011-4261 |
realnetworks -- realplayer | Unspecified vulnerability in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted MP4 file. | 2011-11-24 | 9.3 | CVE-2011-4262 |
rsstatic -- rsstatic | SQL injection vulnerability in index.php in RSStatic allows remote attackers to execute arbitrary SQL commands via the maxarticles parameter. | 2011-11-22 | 7.5 | CVE-2010-5061 |
sitecom -- wl-11 | The UPnP IGD implementation in Broadcom Linux on the Sitecom WL-111 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. | 2011-11-22 | 7.5 | CVE-2011-4503 |
technicolor -- tg585_router_firmware | The UPnP IGD implementation on the Thomson (aka Technicolor) TG585 with firmware 7.x before 7.4.3.2 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability. | 2011-11-22 | 7.5 | CVE-2011-4506 |
v-eva -- press_release_script | SQL injection vulnerability in page.php in V-EVA Press Release Script allows remote attackers to execute arbitrary SQL commands via the id parameter. | 2011-11-22 | 7.5 | CVE-2010-5047 |
zabbix -- zabbix | SQL injection vulnerability in events.php in Zabbix 1.8.1 and earlier allows remote attackers to execute arbitrary SQL commands via the nav_time parameter. | 2011-11-22 | 7.5 | CVE-2010-5049 |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
ca -- directory | Unspecified vulnerability in dxserver before 6279 in CA Directory 8.1 and CA Directory r12 before SP7 CR1 allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP packet. | 2011-11-18 | 5.0 | CVE-2011-3849 |
cagintranetworks -- getsimple_cms | Cross-site scripting (XSS) vulnerability in admin/components.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the val[] parameter. | 2011-11-22 | 4.3 | CVE-2010-5052 |
ecocms -- ecocms | Cross-site scripting (XSS) vulnerability in admin.php in ecoCMS allows remote attackers to inject arbitrary web script or HTML via the p parameter. | 2011-11-22 | 4.3 | CVE-2010-5046 |
hp -- event_monitoring_service | Unspecified vulnerability in System Administration Manager (SAM) in EMS before A.04.20.11.04_01 on HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to gain privileges via unknown vectors. | 2011-11-18 | 6.8 | CVE-2011-4159 |
ibm -- lotus_mobile_connect | Cross-site scripting (XSS) vulnerability in IBM Lotus Mobile Connect (LMC) 6.1.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to a hidden redirect URL. | 2011-11-18 | 4.3 | CVE-2011-4465 |
jamwiki -- jamwiki | Cross-site scripting (XSS) vulnerability in Special:Login in JAMWiki before 0.8.4 allows remote attackers to inject arbitrary web script or HTML via the message parameter. | 2011-11-22 | 4.3 | CVE-2010-5054 |
joomla -- joomla! | The password reset functionality in Joomla! 1.5.x through 1.5.24 uses weak random numbers, which makes it easier for remote attackers to change the passwords of arbitrary users via unspecified vectors. | 2011-11-23 | 5.0 | CVE-2011-4321 |
joomla -- joomla! | Multiple cross-site scripting (XSS) vulnerabilities in Joomla! 1.6.3 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-11-23 | 4.3 | CVE-2011-4332 |
joomlatune -- com_jcomments | Cross-site scripting (XSS) vulnerability in admin.jcomments.php in the JoomlaTune JComments (com_jcomments) component 2.1.0.0 for Joomla! allows remote authenticated users to inject arbitrary web script or HTML via the name parameter to index.php. | 2011-11-22 | 4.3 | CVE-2010-5048 |
montala -- resourcespace | ResourceSpace before 4.2.2833 does not properly validate access keys, which allows remote attackers to bypass intended resource restrictions via unspecified vectors. | 2011-11-18 | 5.0 | CVE-2011-4311 |
razorcms -- razorcms | Cross-site scripting (XSS) vulnerability in admin/core/admin_func.php in razorCMS 1.0 stable allows remote attackers to inject arbitrary web script or HTML via the content parameter in an edit action to admin/index.php. | 2011-11-22 | 4.3 | CVE-2010-5051 |
reviewboard -- review_board | Multiple cross-site scripting (XSS) vulnerabilities in the commenting system in Review Board before 1.5.7 and 1.6.x before 1.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) diff viewer or (2) screenshot component. | 2011-11-23 | 4.3 | CVE-2011-4312 |
vmware -- vcenter_update_manager | The default configuration of the HTTP server in Jetty in vSphere Update Manager in VMware vCenter Update Manager 4.0 before Update 4 and 4.1 before Update 2 allows remote attackers to conduct directory traversal attacks and read arbitrary files via unspecified vectors, a related issue to CVE-2009-1523. | 2011-11-18 | 5.0 | CVE-2011-4404 |
zenprise -- zenprise_device_manager | Cross-site request forgery (CSRF) vulnerability in the web console in Zenprise Device Manager 6.x through 6.1.8 allows remote attackers to hijack the authentication of administrators for requests that wipe mobile devices. | 2011-11-21 | 6.8 | CVE-2011-4498 |
zohocorp -- manageengine_admanager_plus | Cross-site scripting (XSS) vulnerability in jsp/admin/tools/remote_share.jsp in ManageEngine ADManager Plus 4.4.0 allows remote attackers to inject arbitrary web script or HTML via the computerName parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2011-11-22 | 4.3 | CVE-2010-5050 |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
asus -- rt-n56u_firmware | QIS_wizard.htm on the ASUS RT-N56U router with firmware before 1.0.1.4o allows remote attackers to obtain the administrator password via a flag=detect request. | 2011-11-21 | 3.3 | CVE-2011-4497 |
hp -- operations_agent | Unspecified vulnerability in HP Operations Agent 11.00 and Performance Agent 4.73 and 5.0 on AIX, HP-UX, Linux, and Solaris allows local users to bypass intended directory-access restrictions via unknown vectors. | 2011-11-23 | 3.2 | CVE-2011-4160 |