Vulnerability Summary for the Week of October 9, 2006
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.

High Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| 4homepages -- 4images | SQL injection vulnerability in search.php in 4images 1.7.x allows remote authenticated users to execute arbitrary SQL commands via the search_user parameter. | 7.0 | CVE-2006-5236 BUGTRAQ OTHER-REF OTHER-REF BID XF |
| AAIportal -- AAIportal | Multiple SQL injection vulnerabilities in AAIportal before 1.4.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.0 | CVE-2006-5225 OTHER-REF OTHER-REF FRSIRT SECUNIA |
| Adobe -- ColdFusion MX | Unspecified vulnerability in a Verity third party library, as used on Adobe ColdFusion MX 7 through MX 7.0.2 and possibly other products, allows local users to execute arbitrary code via unknown attack vectors. | 7.0 | CVE-2006-3978 OTHER-REF |
| Adobe -- Contribute Publishing Server | Adobe Contribute Publishing Server leaks the administrator password in logs that are created during product installation, which allows local users to gain privileges to the server. | 7.0 | CVE-2006-5199 ADOBE |
| AOL -- YGP Screensaver ActiveX Control | Buffer overflow in AOL You've Got Pictures (YGP) Screensaver ActiveX control allows remote attackers to execute arbitrary code via unspecified vectors. | 7.0 | CVE-2006-3887 OTHER-REF CERT-VN |
| AOL -- YGP Pic Downloader ActiveX Control | Buffer overflow in AOL You've Got Pictures (YGP) Pic Downloader ActiveX control allows remote attackers to execute arbitrary code via unspecified vectors. | 7.0 | CVE-2006-3888 OTHER-REF CERT-VN |
| AOL -- AOL Security Edition | Buffer overflow in the YGPPDownload ActiveX Control (AOL.PicDownloadCtrl.1, YGPPicDownload.dll) in America Online 9.0 Security Edition allows remote attackers to execute arbitrary code via a long argument to the SetAlbumName method. | 7.0 | CVE-2006-4840 IDEFENSE |
| Baumedia -- Newswriter | PHP remote file inclusion vulnerability in include/main.inc.php in Sebastian Baumann and Philipp Wolfer Newswriter SW 1.42 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the NWCONF_SYSTEM[server_path] parameter, a different vector than CVE-2006-5102. | 7.0 | CVE-2006-5180 BUGTRAQ OTHER-REF |
| Blue Smiley Organizer -- Blue Smiley Organizer | SQL injection vulnerability in Blue Smiley Organizer before 4.46 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.0 | CVE-2006-5237 OTHER-REF BID FRSIRT SECUNIA |
| Bulletin Board Ace -- Bulletin Board Ace | PHP remote file inclusion vulnerability in includes/functions.php in Bulletin Board Ace (BBaCE) 3.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | 7.0 | CVE-2006-5187 Milw0rm BID FRSIRT SECUNIA XF |
| Cahier de textes -- Cahier de textes | Multiple SQL injection vulnerabilities in Cahier de textes 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) matiere_ID parameter in lire.php or the (2) classe_ID parameter in lire_a_faire.php. | 7.0 | CVE-2006-5221 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA |
| Computer Associates -- BrightStor ARCServe Backup | Stack-based buffer overflow in CA BrightStor ARCserve Backup R11.5 client and server allows remote attackers to execute arbitrary code via long messages to the CheyenneDS Mailslot. | 7.0 | CVE-2006-5142 OTHER-REF OTHER-REF |
| Computer Associates -- BrightStor ARCServe Backup; Computer Associates -- BrightStor Enterprise Backup; Computer Associates -- Business Protection Suite | Stack-based buffer overflow in the Backup Agent RPC Server (DBASVR.exe) as used in CA BrightStor ARCserve Backup R11.5, Enterprise Backup 10.5, ARCserve Backup v9.01, and Protection Suite r2 allows remote attackers to execute arbitrary code via the RPC routines with opcode (1) 0x01, (2) 0x02, and (3) 0x18. | 7.0 | CVE-2006-5143 OTHER-REF OTHER-REF OTHER-REF |
| Dan Jensen -- Travelsized CMS | PHP remote file inclusion vulnerability in frontpage.php in Dan Jensen Travelsized CMS 0.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the setup_folder parameter. | 7.0 | CVE-2006-5182 OTHER-REF BID FRSIRT SECUNIA XF |
| Dayfox Designs -- Dayfox Blog | Multiple PHP remote file inclusion vulnerabilities in Dayfox Designs Dayfox Blog 2.0 allow remote attackers to execute arbitrary PHP code via a URL in the slogin parameter in the (1) adminlog.php, (2) postblog.php, (3) index.php, or (4) index2.php script in /edit. | 7.0 | CVE-2006-5183 BUGTRAQ XF |
| Deep CMS -- Deep CMS | PHP remote file inclusion vulnerability in index.php in Deep CMS 2.0a allows remote attackers to execute arbitrary PHP code via a URL in the ConfigDir parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | 7.0 | CVE-2006-5251 BID |
| DeltaScripts -- PHP Classifieds | Multiple SQL injection vulnerabilities in PHP Classifieds 7.1 allow remote attackers to execute arbitrary SQL commands via (1) the catid_search parameter in search.php and (2) the catid parameter in index.php. | 7.0 | CVE-2006-5208 OTHER-REF Milw0rm BID FRSIRT XF |
| Dimension of phpBB -- Dimension of phpBB | Multiple PHP remote file inclusion vulnerabilities in Dimension of phpBB 0.2.6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter in (1) includes/themen_portal_mitte.php or (2) includes/logger_engine.php. | 7.0 | CVE-2006-5222 OTHER-REF BID FRSIRT SECUNIA XF |
| Dimension of phpBB -- Dimension of phpBB | PHP remote file inclusion vulnerability in includes/functions_kb.php in Dimension of phpBB 0.2.6 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | 7.0 | CVE-2006-5235 FRSIRT |
| Dimitri Seitz -- Security Suite IP Logger | PHP remote file inclusion vulnerability in includes/logger_engine.php in Dimitri Seitz Security Suite IP Logger 1.0.0 in dwingmods for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | 7.0 | CVE-2006-5224 OTHER-REF BID FRSIRT SECUNIA XF |
| Eazy Cart -- Eazy Cart | Eazy Cart allows remote attackers to bypass authentication and gain administrative access via a direct request for admin/home/index.php, and possibly other PHP scripts under admin/. | 10.0 | CVE-2006-5245 BUGTRAQ OTHER-REF OTHER-REF SECUNIA |
| Eazy Cart -- Eazy Cart | Multiple cross-site scripting (XSS) vulnerabilities in Eazy Cart allow remote attackers to inject arbitrary web script or HTML via easycart.php, possibly related to the (1) des and (2) qty parameters in an add action, and via other unspecified vectors. NOTE: some details are obtained from third party information. | 7.0 | CVE-2006-5247 BUGTRAQ OTHER-REF OTHER-REF SECUNIA |
| Emek Portal -- Emek Portal | SQL injection vulnerability in giris_yap.asp in Emek Portal 2.1 allows remote attackers to execute arbitrary SQL commands by simultaneously injecting into the user name and pass fields in uyegiris.asp, also known as the Kullanici Adi (k_a) and Sifre (sifre) parameters. | 7.0 | CVE-2006-5217 BUGTRAQ BID |
| FreeForum -- FreeForum | PHP remote file inclusion vulnerability in forum.php in FreeForum 0.9.7 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the fpath parameter. | 7.0 | CVE-2006-5230 BUGTRAQ OTHER-REF BID |
| Freenews -- Freenews | PHP remote file inclusion vulnerability in moteur/moteur.php in Prologin.fr Freenews 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter. | 7.0 | CVE-2006-5226 BUGTRAQ OTHER-REF BID |
| HAMweather -- HAMweather | Eval injection vulnerability in Template.php in HAMweather 3.9.8.4 and earlier allows remote attackers to execute arbitrary code via a modified query string, which is supplied to an eval function call within the do_parse_code function. | 7.0 | CVE-2006-5185 OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF |
| Invision Power Services -- Invision Gallery | SQL injection vulnerability in Invision Gallery 2.0.7 allows remote attackers to execute arbitrary SQL commands via the album parameter in (1) index.php and (2) forum/index.php, when the rate command in the gallery automodule is used. | 7.0 | CVE-2006-5206 Milw0rm BID XF |
| iSearch -- iSearch | ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in iSearch 2.16 allow remote attackers to execute arbitrary PHP code via a URL in the isearch_path parameter in (1) index.php, (2) viewcache.php, (3) sitemap.php, (4) isearch.inc.php, (5) google_sitemap.php, (6) stats.php, or (7) auto_spider_img.php. NOTE: this issue has been disputed by a third party who shows that $isearch_path is set to a constant value. CVE analysis as of 20061010 is inconclusive, although the original researcher is known to make mistakes. | 7.0 | CVE-2006-5232 BUGTRAQ BUGTRAQ BID |
| Joshua Muheim -- phpMyWebmin | Multiple PHP remote file inclusion vulnerabilities in Joshua Muheim phpMyWebmin 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the target parameter in (1) change_preferences2.php, (2) create_file.php, (3) upload_local.php, and (4) upload_multi.php, different vectors than CVE-2006-5124. | 7.0 | CVE-2006-5181 BUGTRAQ OTHER-REF SECUNIA XF |
| Klinza -- Klinza Professional CMS | PHP remote file inclusion vulnerability in funzioni/lib/show_hlp.php in klinza professional cms 5.0.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the appl[APPL] parameter. | 7.0 | CVE-2006-5189 Milw0rm BID XF |
| MailEnable -- MailEnable Enterprise; MailEnable -- MailEnable Professional | Buffer overflow in NTLM authentication in MailEnable Professional 2.0 and Enterprise 2.0 allows remote attackers to execute arbitrary code via "the signature field of NTLM Type 1 messages". | 7.0 | CVE-2006-5176 OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF |
| MailEnable -- MailEnable Enterprise; MailEnable -- MailEnable Professional | The NTLM authentication in MailEnable Professional 2.0 and Enterprise 2.0 allows remote attackers to (1) execute arbitrary code via unspecified vectors involving crafted base64 encoded NTLM Type 3 messages, or (2) cause a denial of service via crafted base64 encoded NTLM Type 1 messages, which trigger a buffer over-read. | 7.0 | CVE-2006-5177 OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF XF |
| Microsoft -- .NET Framework | Cross-site scripting (XSS) vulnerability in Microsoft .NET Framework 2.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving "ASP.NET controls that set the AutoPostBack property to true". | 7.0 | CVE-2006-3436 MS |
| Microsoft -- XML Core Services; Microsoft -- XML Parser | Buffer overflow in the Extensible Stylesheet Language Transformations (XSLT) processing in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 allows remote attackers to execute arbitrary code via a crafted Web page. | 7.0 | CVE-2006-4686 MS |
| Microsoft -- Windows 2000; Microsoft -- Windows Server 2003; Microsoft -- Windows XP | Unspecified vulnerability in the Server service in Microsoft Windows 2000 SP4, Server 2003 SP1 and earlier, and XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted packet, aka "SMB Rename Vulnerability." | 7.0 | CVE-2006-4696 MS |
| Minichat -- Minichat | PHP remote file inclusion vulnerability in ftag.php in Minichat 6.0 allows remote attackers to execute arbitrary PHP code via a URL in the mostrar parameter. | 7.0 | CVE-2006-5283 Milw0rm FRSIRT SECUNIA |
| navyism -- n@board | PHP remote file inclusion vulnerability in naboard_pnr.php in n@board 3.1.9e and earlier allows remote attackers to execute arbitrary PHP code via a URL in the skin parameter. | 7.0 | CVE-2006-5281 Milw0rm FRSIRT SECUNIA XF |
| Nivisec -- User Viewed Posts Tracker | PHP remote file inclusion vulnerability in includes/functions_user_viewed_posts.php in the Nivisec User Viewed Posts Tracker module 1.0 and earlier for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | 7.0 | CVE-2006-5223 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA |
| Objective Development -- WebYep | Multiple PHP remote file inclusion vulnerabilities in WebYep 1.1.9, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via the webyep_sIncludePath in (1) files in the programm/lib/ directory including (a) WYApplication.php, (b) WYDocument.php, (c) WYEditor.php, (d) WYElement.php, (e) WYFile.php, (f) WYHTMLTag.php, (g) WYImage.php, (h) WYLanguage.php, (i) WYLink.php, (j) WYPath.php, (k) WYPopupWindowLink.php, (l) WYSelectMenu.php, and (m) WYTextArea.php; (2) files in the programm/elements/ directory including (n) WYGalleryElement.php, (o) WYGuestbookElement.php, (p) WYImageElement.php, (q) WYLogonButtonElement.php, (r) WYLongTextElement.php, (s) WYLoopElement.php, (t) WYMenuElement.php, and (u) WYShortTextElement.php; and (3) programm/webyeb.php. | 7.0 | CVE-2006-5220 BUGTRAQ BID |
| OpenDock -- Easy Doc | Multiple PHP remote file inclusion vulnerabilities in OpenDock Easy Doc 1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the doc_directory parameter in (1) down_stat.php, (2) file.php, (3) find_file.php, (4) lib_file.php, and (5) lib_form_file.php in sw/lib_up_file/; (6) find_comment.php, (7) comment.php, and (8) lib_comment.php in sw/lib_comment/; (9) sw/lib_find/find.php; and other unspecified PHP scripts. | 7.0 | CVE-2006-5243 BUGTRAQ ECHO BID FRSIRT SECTRACK SECUNIA XF |
| PHP -- PHP | Integer overflow in PHP 5 up to 5.1.6 and 4 before 4.3.0 allows remote attackers to execute arbitrary code via an argument to the unserialize PHP function with a large value for the number of array elements, which triggers the overflow in the Zend Engine ecalloc function (Zend/zend_alloc.c). | 7.0 | CVE-2006-4812 BUGTRAQ OTHER-REF OTHER-REF OTHER-REF REDHAT BID FRSIRT SECTRACK SECUNIA XF |
| phpBB Group -- phpBB | PHP remote file inclusion vulnerability in admin/admin_topic_action_logging.php in Admin Topic Action Logging Mod 0.95 and earlier, as used in phpBB 2.0 up to 2.0.21, allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | 7.0 | CVE-2006-5209 Milw0rm XF |
| phpGreetz -- phpGreetz | PHP remote file inclusion vulnerability in includes/footer.php in phpGreetz 0.99 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the PHPGREETZ_INCLUDE_DIR parameter. | 7.0 | CVE-2006-5192 OTHER-REF BID FRSIRT XF |
| phpWebSite -- phpWebSite | ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in phpWebSite 0.10.2 allow remote attackers to execute arbitrary PHP code via a URL in the PHPWS_SOURCE_DIR parameter in (1) init.php, (2) users.php, (3) Cookie.php, (4) forms.php, (5) Groups.php, (6) ModSetting.php, (7) Calendar.php, (8) DateTime.php, (9) core.php, (10) ImgLibrary.php, (11) Manager.php, (12) Template.php, and (13) EZform.php. NOTE: CVE disputes this report, since "PHPWS_SOURCE_DIR" is defined as a constant, not accessed as a variable. | 7.0 | CVE-2006-5234 BUGTRAQ MLIST BID |
| PKR Internet -- Taskjitsu | SQL injection vulnerability in PKR Internet Taskjitsu before 2.0.6 allows remote attackers to execute arbitrary SQL commands via the key parameter, when the limit query parameter is set to customerid. | 7.0 | CVE-2006-5184 OTHER-REF BID SECUNIA |
| Python Software Foundation -- Python | Buffer overflow in the repr function in Python 2.3 through 2.6 before 20060822 allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via crafted wide character UTF-32/UCS-4 strings to certain scripts. | 7.0 | CVE-2006-4980 OTHER-REF OTHER-REF OTHER-REF OTHER-REF UBUNTU BID SECUNIA SECUNIA |
| Red Hat -- Red Hat Fedora Core; Red Hat -- Red Hat Enterprise Linux | pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and earlier, and possibly other distributions does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver. | 7.0 | CVE-2006-5170 OTHER-REF |
| Rob Hensley -- AckerTodo | Multiple SQL injection vulnerabilities in the Google Gadget login.php (gadget/login.php) in Rob Hensley ackerTodo 4.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) up_login, (2) up_pass, or (3) up_num_tasks parameters. | 7.0 | CVE-2006-5228 BUGTRAQ OTHER-REF OTHER-REF BID FRSIRT SECTRACK SECUNIA XF |
| Sergey Lyubka -- Simple HTTPD | Stack-based buffer overflow in Sergey Lyubka Simple HTTPD (shttpd) 1.34 allows remote attackers to execute arbitrary code via a long URI. | 7.0 | CVE-2006-5216 OTHER-REF FRSIRT SECUNIA XF |
| SH-News -- SH-News | Multiple PHP remote file inclusion vulnerabilities in SH-News 3.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the scriptpath parameter to (1) report.php, (2) archive.php, (3) comments.php, (4) init.php, or (5) news.php. | 7.0 | CVE-2006-5282 Milw0rm BID FRSIRT SECUNIA |
| TagIt! -- Tagboard | PHP remote file inclusion vulnerability in tagmin/delTagUser.php in TagIt! Tagboard 2.1.B Build 2 (tagit2b) allows remote attackers to execute arbitrary PHP code via a URL in the configpath parameter. | 7.0 | CVE-2006-5249 BUGTRAQ MLIST |
| TorrentFlux -- TorrentFlux | Cross-site scripting (XSS) vulnerability in admin.php in TorrentFlux 2.1 allows remote attackers to inject arbitrary web script or HTML via (1) the $user_agent variable, probably obtained from the User-Agent HTTP header, and possibly (2) the $ip_resolved variable. | 7.0 | CVE-2006-5227 BUGTRAQ OTHER-REF BID SECTRACK SECUNIA XF |
| Wheatblog -- Wheatblog | Multiple cross-site scripting (XSS) vulnerabilities in Wheatblog 1.0 and 1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | 7.0 | CVE-2006-5195 BID |
| WikyBlog -- WikyBlog | PHP remote file inclusion vulnerability in index.php in Josh Schmidt WikyBlog 1.2.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the includeDir parameter. | 7.0 | CVE-2006-5193 BUGTRAQ BUGTRAQ BID XF |

Medium Vulnerabilities

| Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info |
|---|---|---|---|
| Blue Smiley Organizer -- Blue Smiley Organizer | Unspecified vulnerability in the file upload module in Blue Smiley Organizer before 4.45 has unknown impact and attack vectors. | 4.9 | CVE-2006-5238 OTHER-REF FRSIRT |
| BlueShoes -- BlueShoes Framework | PHP remote file inclusion vulnerability in lib/googlesearch/GoogleSearch.php in BlueShoes 4.6_public and earlier allows remote attackers to execute arbitrary PHP code via a URL in the APP[path][lib] parameter, a different vector than CVE-2006-2864. | 5.6 | CVE-2006-5250 BUGTRAQ BLUESHOES |
| Docmint -- Docmint CMS | PHP remote file inclusion vulnerability in engine/require.php in Docmint 2.0 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the MY_ENV[BASE_ENGINE_LOC] parameter. | 5.6 | CVE-2006-5240 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA XF |
| Invision Power Services -- Invision Power Board | Invision Power Board (IPB) 2.1.7 and earlier allows remote restricted administrators to inject arbitrary web script or HTML, or execute arbitrary SQL commands, via a forum description that contains a crafted image with PHP code, which is executed when the user visits the "Manage Forums" link in the Admin control panel. | 5.6 | CVE-2006-5203 BUGTRAQ XF |
| Leicestershire Community Portals -- Leicestershire Community Portals | PHP remote file inclusion vulnerability in includes/import-archive.php in Leicestershire communityPortals 1.0 build 20051018 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cp_root_path parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | 5.6 | CVE-2006-5280 BID FRSIRT SECUNIA |
| Microsoft -- Office | Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, and Excel Viewer 2003 allows user-assisted attackers to execute arbitrary code via a crafted DATETIME record in an XLS file, a different vulnerability than CVE-2006-3867 and CVE-2006-3875. | 5.6 | CVE-2006-2387 MS |
| Microsoft -- Office | Unspecified vulnerability in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string that triggers memory corruption. | 5.6 | CVE-2006-3434 MS |
| Microsoft -- Office | Unspecified vulnerability in PowerPoint in Microsoft Office 2003 allows user-complicit attackers to execute arbitrary code via a crafted object pointer in a PPT file. NOTE: this issue is different than other PowerPoint vulnerabilities including CVE-2006-4694. | 5.6 | CVE-2006-3435 MS |
| Microsoft -- Office | Unspecified vulnerability in Microsoft Word 2000, 2002, Office 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string in a Word file, a different vulnerability than CVE-2006-3651 and CVE-2006-4693. | 5.6 | CVE-2006-3647 MS |
| Microsoft -- Office | Unspecified vulnerability in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a malformed chart record, a different vulnerability than CVE-2006-3434, CVE-2006-3864, and CVE-2006-3868. | 5.6 | CVE-2006-3650 MS |
| Microsoft -- Office; Microsoft -- Word | Unspecified vulnerability in Microsoft Word 2000, 2002, and Office 2003 allows remote user-assisted attackers to execute arbitrary code via a crafted mail merge file, a different vulnerability than CVE-2006-3647 and CVE-2006-4693. | 5.6 | CVE-2006-3651 MS |
| Microsoft -- Visio; Microsoft -- Office; Microsoft -- Project; Microsoft -- Office XP | Unspecified vulnerability in Microsoft Office 2000, XP, 2003, 2004 for Mac, and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a malformed record that triggers memory corruption, a different vulnerability than CVE-2006-3434, CVE-2006-3650, and CVE-2006-3868. | 5.6 | CVE-2006-3864 MS |
| Microsoft -- Excel; Microsoft -- Excel Viewer | Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, and Excel Viewer 2003 allows user-assisted attackers to execute arbitrary code via a crafted Lotus 1-2-3 file, a different vulnerability than CVE-2006-2387 and CVE-2006-3875. | 5.6 | CVE-2006-3867 MS |
| Microsoft -- Office | Unspecified vulnerability in Microsoft Office XP and 2003 allows remote user-assisted attackers to execute arbitrary code via a malformed Smart Tag. | 5.6 | CVE-2006-3868 MS |
| Microsoft -- Excel; Microsoft -- Excel Viewer | Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, and Excel Viewer 2003 allows user-assisted attackers to execute arbitrary code via a crafted COLINFO record in an XLS file, a different vulnerability than CVE-2006-2387 and CVE-2006-3867. | 5.6 | CVE-2006-3875 MS |
| Microsoft -- Office | Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-complicit attackers to execute arbitrary code via a crafted Data record in a PPT file, a different vulnerability than CVE-2006-3435 and CVE-2006-4694. | 5.6 | CVE-2006-3876 MS |
| Microsoft -- PowerPoint | Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-complicit attackers to execute arbitrary code via an unspecified "crafted file," a different vulnerability than CVE-2006-3435, CVE-2006-4694, and CVE-2006-3876. | 5.6 | CVE-2006-3877 MS |
| Microsoft -- XML Core Services; Microsoft -- XML Parser | The XMLHTTP ActiveX control in Microsoft XML Parser 2.6 and XML Core Services 3.0 through 6.0 does not properly handle HTTP server-side redirects, which allows remote user-assisted attackers to access content from other domains. | 5.6 | CVE-2006-4685 MS |
| Microsoft -- Windows Server 2003; Microsoft -- Windows XP | The Windows Object Packager in Microsoft Windows XP SP1 and SP2 and Server 2003 SP1 and earlier does not properly handle file extensions, which allows remote user-assisted attackers to execute arbitrary code via a crafted file (aka "Object Packager Dialogue Spoofing Vulnerability"). | 5.6 | CVE-2006-4692 MS |
| Microsoft -- Word; Microsoft -- Office v.X | Unspecified vulnerability in Microsoft Word 2004 for Mac and v.X for Mac allows remote user-assisted attackers to execute arbitrary code via a crafted string in a Word file, a different issue than CVE-2006-3647 and CVE-2006-3651. | 5.6 | CVE-2006-4693 MS |
| Moodle -- Moodle | SQL injection vulnerability in blog/index.php in the blog module in Moodle 1.6.2 allows remote attackers to execute arbitrary SQL commands via a double-encoded tag parameter. | 5.6 | CVE-2006-5219 BUGTRAQ BUGTRAQ FULLDISC OTHER-REF BID SECUNIA XF |
| net2ftp -- net2ftp | Cross-site scripting (XSS) vulnerability in index.php in net2ftp 0.93 allows remote attackers to inject arbitrary web script or HTML via the username parameter. NOTE: some of these details are obtained from third party information. | 5.6 | CVE-2006-5194 BUGTRAQ BID FRSIRT SECUNIA |
| NetBSD -- NetBSD; OpenBSD -- OpenBSD | Integer overflow in the systrace_preprepl function (STRIOCREPLACE) in systrace in OpenBSD 3.9 and NetBSD 3 allows local users to cause a denial of service (crash), gain privileges, or read arbitrary kernel memory via large numeric arguments to the systrace ioctl. | 4.9 | CVE-2006-5218 OTHER-REF OPENBSD BID SECTRACK SECUNIA |
| Novell -- Mono | The System.CodeDom.Compiler classes in Novell Mono create temporary files with insecure permissions, which allows local users to overwrite arbitrary files or execute arbitrary code via a symlink attack. | 5.6 | CVE-2006-5072 UBUNTU BID FRSIRT SECUNIA SECUNIA XF |
| OpenDock -- Easy Gallery | Multiple PHP remote file inclusion vulnerabilities in OpenDock Easy Gallery 1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the doc_directory parameter in (1) file.php; (2) find_user.php, (3) lib_user.php, (4) lib_form_user.php, and (5) user.php in sw/lib_user/; (6) find_session.php and (7) session.php in sw/lib_session/; (8) comment.php and (9) lib_comment.php in sw/lib_comment/; and other unspecified PHP scripts. | 5.6 | CVE-2006-5241 BUGTRAQ ECHO Milw0rm BID FRSIRT SECUNIA |
| OpenDock -- Easy Blog | Multiple PHP remote file inclusion vulnerabilities in OpenDock Easy Blog 1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the doc_directory parameter in (1) down_stat.php, (2) file.php, (3) find_file.php, (4) lib_read_file.php, and (5) lib_form_file.php in sw/lib_up_file; (6) find_comment.php, (7) comment.php, and (8) lib_comment.php in sw/lib_comment/; (9) sw/lib_find/find.php; and other unspecified vectors. | 5.6 | CVE-2006-5244 BUGTRAQ ECHO Milw0rm BID FRSIRT SECUNIA XF |
| PHP News Reader -- PHP News Reader | PHP remote file inclusion vulnerability in auth/phpbb.inc.php in Shen Cheng-Da PHP News Reader (aka pnews) 2.6.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CFG[auth_phpbb_path] parameter. | 5.6 | CVE-2006-5284 Milw0rm BID FRSIRT SECUNIA |
| phpBB -- phpBB | PHP remote file inclusion vulnerability in includes/functions_static_topics.php in the Nivisec Static Topics module for phpBB 1.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter. | 5.6 | CVE-2006-5191 Milw0rm BID FRSIRT SECUNIA XF |
| phpMyProfiler -- phpMyProfiler | PHP remote file inclusion vulnerability in functions.php in phpMyProfiler 0.9.6 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the pmp_rel_path parameter. | 5.6 | CVE-2006-5186 BUGTRAQ Milw0rm OTHER-REF OTHER-REF BID FRSIRT SECTRACK SECUNIA XF |
| phpMyTeam -- phpMyTeam | PHP remote file inclusion vulnerability in images/smileys/smileys_packs.php in phpMyTeam 2.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the smileys_dir parameter. | 5.6 | CVE-2006-5207 Milw0rm FRSIRT SECUNIA XF |
| PowerPortal -- PowerPortal | Cross-site scripting (XSS) vulnerability in John Himmelman (aka DaRk2k1) PowerPortal 1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to registering a user. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | 5.6 | CVE-2006-5169 BID |
| Simon Brown -- Pebble | Cross-site scripting (XSS) vulnerability in the search functionality in Simon Brown Pebble 2.0.0 RC1 and RC2 allows remote attackers to inject arbitrary web script or HTML via the query string. | 5.6 | CVE-2006-5168 BUGTRAQ OTHER-REF BID XF |
| Sun -- StarOffice; Sun -- NSS; Sun -- JDK; Sun -- SDK; Sun -- Secure Global Desktop; Sun -- Solaris; Sun -- JRE; Sun -- JSSE | Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and JRE 5.0 Update 8 and earlier, SDK and JRE 1.4.x up to 1.4.2_12, and SDK and JRE 1.3.x up to 1.3.1_19; (3) JSSE 1.0.3_03 and earlier; (4) IPSec/IKE; (5) Secure Global Desktop; and (6) StarOffice, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents these products from correctly verifying X.509 and other certificates that use PKCS #1. | 5.6 | CVE-2006-5201 SUNALERT CERT-VN FRSIRT FRSIRT SECUNIA SECUNIA |
| Symantec -- NAVEX15 Driver; Symantec -- NAVENG Driver | The (a) NAVENG (NAVENG.SYS) and (b) NAVEX15 (NAVEX15.SYS) device drivers 20061.3.0.12 and later, as used in Symantec AntiVirus and security products, allow local users to gain privileges by overwriting critical system addresses using a crafted Irp to the IOCTL functions (1) 0x222AD3, (2) 0x222AD7, and (3) 0x222ADB. | 4.9 | CVE-2006-4927 IDEFENSE BUGTRAQ SYMANTEC BID FRSIRT SECTRACK SECTRACK SECTRACK SECTRACK SECTRACK SECTRACK SECTRACK SECTRACK SECTRACK SECUNIA XF |
| Trend Micro -- OfficeScan Corporate Edition | Trend Micro OfficeScan 6.0 in Client/Server/Messaging (CSM) Suite for SMB 2.0 before 6.0.0.1385, and OfficeScan Corporate Edition (OSCE) 6.5 before 6.5.0.1418, 7.0 before 7.0.0.1257, and 7.3 before 7.3.0.1053 allow remote attackers to remove OfficeScan clients via a certain HTTP request that invokes the OfficeScan CGI program. | 4.7 | CVE-2006-5211 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID FRSIRT SECUNIA |
| webGENEius -- GOOP Gallery | Directory traversal vulnerability in download.php in webGENEius GOOP Gallery 2.0.2 allows remote attackers to read or list data from certain files or directories via unspecified vectors. | 4.7 | CVE-2006-5188 BUGTRAQ OTHER-REF BID |
| Webmedia Explorer -- Webmedia Explorer | PHP remote file inclusion vulnerability in includes/core.lib.php in Webmedia Explorer 2.8.7 allows remote attackers to execute arbitrary PHP code via a URL in the path_include parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | 5.6 | CVE-2006-5252 BID SECUNIA |
Low Vulnerabilities |
---|
Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
---|---|---|---|---|---|---|
Adobe -- Breeze Licensed Server | Unspecified vulnerability in Adobe Breeze 5 Licensed Server and Breeze 5.1 Licensed Server allows attackers to read arbitrary files via unknown vectors related to "URL parsing." |
| 1.6 | CVE-2006-5200 ADOBE | ||
Buffalo Technology -- TeraStation HD-HTGL firmware | Cross-site request forgery (CSRF) vulnerability in the administrative interface for the TeraStation HD-HTGL firmware 2.05 beta 1 and earlier allows remote attackers to modify configurations or delete arbitrary data via unspecified vectors. |
| 3.7 | CVE-2006-5175 OTHER-REF FRSIRT SECUNIA XF | ||
Eazy Cart -- Eazy Cart | Eazy Cart allows remote attackers to change prices and other critical fields via unspecified vectors to easycart.php, probably including the price parameter. NOTE: some details are obtained from third party information. |
| 2.3 | CVE-2006-5246 BUGTRAQ OTHER-REF OTHER-REF SECUNIA | ||
Eazy Cart -- Eazy Cart | Eazy Cart stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a customer database via a direct request for admin/config/customer.dat. NOTE: the provenance of this information is unknown; the details are obtained from third party information. |
| 3.3 | CVE-2006-5248 SECUNIA | ||
Etomite -- Etomite Content Management System | SQL injection vulnerability in Etomite Content Management System (CMS) before 0.6.1.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 2.3 | CVE-2006-5242 OTHER-REF FRSIRT SECUNIA | ||
eXpBlog -- eXpBlog | Multiple cross-site scripting (XSS) vulnerabilities in eXpBlog 0.3.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the query string (PHP_SELF) or (2) the captcha_session_code parameter in pre_details.php. |
| 2.3 | CVE-2006-5239 FULLDISC OTHER-REF BID SECUNIA | ||
FreeBSD -- FreeBSD | Integer signedness error in FreeBSD 6.0-RELEASE allows local users to cause a denial of service (memory corruption and kernel panic) via a PT_LWPINFO ptrace command with a large negative data value that satisfies a signed maximum value check but is used in an unsigned copyout function call. |
| 2.3 | CVE-2006-4516 IDEFENSE | ||
Grandstream -- GXP-2000 | Grandstream GXP-2000 VoIP Desktop Phone, firmware version 1.1.0.5, allows remote attackers to cause a denial of service (hang or reboot) via a large amount of ASCII data sent to port (1) 5060/UDP, (2) 5062/UDP, (3) 5064/UDP, (4) 5066/UDP, (5) 9876/UDP, or (6) 26789/UDP. |
| 3.3 | CVE-2006-5231 FULLDISC OTHER-REF BID FRSIRT SECUNIA XF | ||
Intoto -- iGateway SSL-VPN Intoto -- iGateway VPN | Intoto iGateway VPN and iGateway SSL-VPN allow context-dependent attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification, a related issue to CVE-2006-2940. |
| 2.7 | CVE-2006-5179 OTHER-REF FRSIRT SECUNIA | ||
Invision Power Services -- Invision Power Board | Cross-site scripting (XSS) vulnerability in action_admin/member.php in Invision Power Board (IPB) 2.1.7 and earlier allows remote authenticated users to inject arbitrary web script or HTML via a reference to a script in the avatar setting, which can be leveraged for a cross-site request forgery (CSRF) attack involving forced SQL execution by an admin. |
| 1.1 | CVE-2006-5204 BUGTRAQ OTHER-REF FRSIRT XF | ||
Invision Power Services -- Invision Gallery | Directory traversal vulnerability in Invision Gallery 2.0.7 allows remote attackers to read arbitrary files via a .. (dot dot) sequence in the dir parameter in (1) index.php and (2) forum/index.php, when the viewimage command in the gallery module is used. |
| 2.3 | CVE-2006-5205 Milw0rm BID XF | ||
Linksys -- WRT54G | Linksys WRT54g firmware 1.00.9 does not require credentials when making configuration changes, which allows remote attackers to modify arbitrary configurations via a direct request to Security.tri, as demonstrated using the SecurityMode and layout parameters, a different issue than CVE-2006-2559. |
| 2.3 | CVE-2006-5202 FULLDISC CERT-VN BID SECTRACK SECUNIA | ||
Linux -- Linux kernel | The perfmonctl system call (sys_perfmonctl) in Linux kernel 2.4.x and 2.6 before 2.6.18, when running on Itanium systems, does not properly track the reference count for file descriptors, which allows local users to cause a denial of service (file descriptor consumption). |
| 2.3 | CVE-2006-3741 REDHAT REDHAT OTHER-REF FRSIRT | ||
Linux -- Linux kernel | The clip_mkip function in net/atm/clip.c of the ATM subsystem in Linux kernel allows remote attackers to cause a denial of service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (freed pointer dereference). |
| 3.3 | CVE-2006-4997 REDHAT OTHER-REF OTHER-REF FRSIRT | ||
Linux -- Linux kernel | The copy_from_user function in the uaccess code in Linux kernel 2.6 before 2.6.19-rc1, when running on s390, does not properly clear a kernel buffer, which allows local user space programs to read portions of kernel memory by "appending to a file from a bad address," which triggers a fault that prevents the unused memory from being cleared in the kernel buffer. |
| 1.6 | CVE-2006-5174 OTHER-REF | ||
Motorola -- SURFboard | The HTTP interface in the Motorola SURFboard SB4200 Cable Modem allows remote attackers to cause a denial of service (device crash) via a request with MfcISAPICommand set to SecretProc and a long string in the Secret parameter. |
| 3.3 | CVE-2006-5196 OTHER-REF BID | ||
MysqlDumper -- MysqlDumper | Cross-site scripting (XSS) vulnerability in sql.php in MysqlDumper 1.21 b6 allows remote attackers to inject arbitrary web script or HTML via the db parameter. |
| 2.3 | CVE-2006-5264 BUGTRAQ | ||
Netscape -- NSPR API Sun -- Solaris | The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files. |
| 3.3 | CVE-2006-4842 IDEFENSE SUNALERT | ||
OpenBSD -- OpenSSH Portable | OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as demonstrated by sshtime. NOTE: as of 20061010, it is not clear whether this issue is dependent on configuration or environment. |
| 1.9 | CVE-2006-5229 BUGTRAQ BUGTRAQ BUGTRAQ | ||
osCommerce -- osCommerce | Multiple cross-site scripting (XSS) vulnerabilities in osCommerce 2.2 Milestone 2 Update 060817 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter in the (a) banner_manager.php, (b) banner_statistics.php, (c) countries.php, (d) currencies.php, (e) languages.php, (f) manufacturers.php, (g) newsletters.php, (h) orders_status.php, (i) products_attributes.php, (j) products_expected.php, (k) reviews.php, (l) specials.php, (m) stats_products_purchased.php, (n) stats_products_viewed.php, (o) tax_classes.php, (p) tax_rates.php, or (q) zones.php scripts in /admin, and the (2) zpage parameter in (r) admin/geo_zones.php. |
| 2.3 | CVE-2006-5190 BLOGSPOT BID FRSIRT SECTRACK SECUNIA XF | ||
PDshopPro -- PDshopPro | PDshopPro stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for (1) /pdshoppro.mdb, (2) /data/pdshoppro.mdb, or (3) /shoppro/data/pdshoppro.mdb. |
| 2.3 | CVE-2006-5197 SECTRACK | ||
PHP -- PHP | Race condition in the symlink function in PHP 5.1.6 and earlier allows local users to bypass the open_basedir restriction by using a combination of symlink, mkdir, and unlink functions to change the file path after the open_basedir check and before the file is opened by the underlying system, as demonstrated by symlinking a symlink into a subdirectory, to point to a parent directory via .. (dot dot) sequences, and then unlinking the resulting symlink. |
| 2.6 | CVE-2006-5178 BUGTRAQ FULLDISC OTHER-REF BID FRSIRT SECTRACK SECUNIA XF | ||
Polycom -- SoundPoint IP 301 | Polycom SoundPoint IP 301 VoIP Desktop Phone, firmware version 1.4.1.0040, allows remote attackers to cause a denial of service (reboot) via (1) a long URL sent to the HTTP daemon and (2) unspecified manipulations as demonstrated by the Nessus http_fingerprinting_hmap.nasl script. |
| 3.3 | CVE-2006-5233 FULLDISC BID SECUNIA XF | ||
Sun -- Solaris | Sun Solaris 10 before 20061006 uses "incorrect and insufficient permission checks" that allow local users to intercept or spoof packets by creating a raw socket on a link aggregation (network device aggregation). |
| 1.6 | CVE-2006-5213 SUNALERT BID | ||
Sun -- Solaris NetBSD -- NetBSD | Race condition in the Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060225, and Solaris 8 through 10 before 20061006, causes a user's Xsession errors file to have weak permissions before a chmod is performed, which allows local users to read Xsession errors files of other users. |
| 1.6 | CVE-2006-5214 OTHER-REF OTHER-REF SUNALERT | ||
Trend Micro -- OfficeScan | Trend Micro OfficeScan 6.0 in Client/Server/Messaging (CSM) Suite for SMB 2.0 before 6.0.0.1385, and OfficeScan Corporate Edition (OSCE) 6.5 before 6.5.0.1418, 7.0 before 7.0.0.1257, and 7.3 before 7.3.0.1053 allow remote attackers to delete files via a modified filename parameter in a certain HTTP request that invokes the OfficeScan CGI program. |
| 2.3 | CVE-2006-5212 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID FRSIRT SECUNIA | ||
X.org -- xdm Sun -- Solaris NetBSD -- NetBSD | The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file. |
| 2.6 | CVE-2006-5215 OTHER-REF OTHER-REF SUNALERT |