Vulnerability Summary for the Week of January 8, 2007
Released
Jan 15, 2007
Document ID
SB07-015
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
">
| High Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
|---|---|---|---|---|---|---|
| @lexPHPTeam -- @lex Guestbook | SQL injection vulnerability in index.php in @lex Guestbook 4.0.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the lang parameter. |
| 7.0 | CVE-2007-0202 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA | ||
| @lexPHPTeam -- @lex Guestbook | Multiple directory traversal vulnerabilities in @lex Guestbook 4.0.2 and earlier allow remote attackers to (1) include and execute arbitrary local files via a relative pathname in the lang parameter to index.php, which is handled in livre_include.php, and (2) possibly access arbitrary directories via the aj_skin and skin_edit parameters to admin/skins.php. |
| 7.0 | CVE-2007-0205 BUGTRAQ OTHER-REF OTHER-REF BID | ||
| Adam Jarret -- AJLogin | AJLogin 3.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for ajlogin.mdb. |
| 7.0 | CVE-2007-0153 BUGTRAQ XF | ||
| Adobe -- Acrobat Reader | The Adobe PDF specification 1.3, as implemented by Adobe Acrobat before 8.0.0, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. |
| 7.0 | CVE-2007-0103 BID OTHER-REF XF | ||
| AllMyPHP -- AllMyVisitors | PHP remote file inclusion vulnerability in index.php in AllMyVisitors 0.4.0 allows remote attackers to execute arbitrary PHP code via a URL in the AMV_serverpath parameter. |
| 7.0 | CVE-2007-0170 OTHER-REF BID XF | ||
| Apple -- Mac OS X Preview.app | The Adobe PDF specification 1.3, as implemented by Apple Mac OS X Preview, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. |
| 7.0 | CVE-2007-0102 OTHER-REF BID XF | ||
| Apple -- Mac OS X Server Apple -- Mac OS X | DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 10.4.8 does not properly validate Bill of Materials (BOM) files, which allows attackers to gain privileges via a BOM file under /Library/Receipts/, which triggers arbitrary file permission changes upon execution of a diskutil permission repair operation. |
| 10.0 | CVE-2007-0117 OTHER-REF BID FRSIRT SECUNIA | ||
| b2evolution -- b2evolution | Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 7.0 | CVE-2007-0175 SECUNIA | ||
| BinGo News -- BinGo News | PHP remote file inclusion vulnerability in bn_smrep1.php in BinGoPHP News (BP News) 3.01 allows remote attackers to execute arbitrary PHP code via a URL in the bnrep parameter, a different vector than CVE-2006-4648 and CVE-2006-4649. |
| 7.0 | CVE-2007-0145 SECTRACK XF | ||
| Cisco -- Secure Access Control Server | Stack-based buffer overflow in the CSAdmin service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted HTTP GET request. |
| 10.0 | CVE-2007-0105 CISCO BID FRSIRT SECTRACK SECUNIA XF | ||
| Computer Associates -- Server/Business Protection Suite Computer Associates -- BrightStor ARCserve Backup Computer Associates -- Enterprise Backup | The Tape Engine service in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allows remote attackers to execute arbitrary code via certain data in opnum 0xBF in an RPC request, which is directly executed. |
| 7.0 | CVE-2007-0168 OTHER-REF OTHER-REF | ||
| Computer Associates -- Server/Business Protection Suite Computer Associates -- BrightStor ARCserve Backup Computer Associates -- Enterprise Backup | Multiple buffer overflows in Computer Associates (CA) BrightStor ARCserve Backup 9.01 through 11.5, Enterprise Backup 10.5, and CA Server/Business Protection Suite r2 allow remote attackers to execute arbitrary code via RPC requests with crafted data for opnums (1) 0x2F and (2) 0x75 in the (a) Message Engine RPC service , or opnum (3) 0xCF in the Tape Engine service. |
| 7.0 | CVE-2007-0169 OTHER-REF OTHER-REF OTHER-REF | ||
| CreateAuction -- CreateAuction | SQL injection vulnerability in cats.asp in createauction allows remote attackers to execute arbitrary SQL commands via the catid parameter. |
| 7.0 | CVE-2007-0112 BUGTRAQ BID XF | ||
| Dayfox Designs -- Dayfox Blog | Multiple PHP remote file inclusion vulnerabilities in index.php in Dayfox Blog allow remote attackers to execute arbitrary PHP code via a URL in the (1) page, (2) subject, and (3) q parameters. |
| 7.0 | CVE-2007-0150 BUGTRAQ FRSIRT SECUNIA XF | ||
| Digger Solutions -- Intranet Open Source | Digger Solutions Intranet Open Source (IOS) stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for data/intranet.mdb. |
| 7.0 | CVE-2007-0116 BUGTRAQ XF | ||
| DigiAppz -- DigiRez | SQL injection vulnerability in info_book.asp in Digirez 3.4 and earlier allows remote attackers to execute arbitrary SQL commands via the book_id parameter. |
| 7.0 | CVE-2007-0128 OTHER-REF FRSIRT SECUNIA | ||
| Digitizing Quote And Ordering System -- Digitizing Quote And Ordering System | Cross-site scripting (XSS) vulnerability in search.asp in Digitizing Quote And Ordering System 1.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the ordernum parameter. |
| 7.0 | CVE-2007-0144 OTHER-REF SECUNIA XF | ||
| Edit-X -- eCommerce | PHP remote file inclusion vulnerability in edit_address.php in edit-x ecommerce allows remote attackers to execute arbitrary PHP code via a URL in the include_dir parameter. |
| 7.0 | CVE-2007-0190 BUGTRAQ | ||
| EditTag -- EditTag | Multiple cross-site scripting (XSS) vulnerabilities in EditTag 1.2 allow remote attackers to inject arbitrary web script or HTML via the plain parameter to (1) mkpw_mp.cgi, (2) mkpw.pl, or (3) mkpw.cgi. |
| 7.0 | CVE-2007-0119 BUGTRAQ BID | ||
| EF Software -- EF Commander | Stack-based buffer overflow in EF Commander 5.75 allows user-assisted attackers to execute arbitrary code via a crafted ISO file containing a file within several nested directories, which produces a large filename that triggers the overflow. |
| 8.0 | CVE-2007-0180 OTHER-REF SECUNIA | ||
| EMembersPro -- EMembersPro | EMembersPro 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for users.mdb. |
| 7.0 | CVE-2007-0149 BUGTRAQ XF | ||
| F5 -- FirePass SSL VPN | Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN allow remote attackers to inject arbitrary web script or HTML via (1) the xcho parameter to my.logon.php3; the (2) topblue, (3) midblue, (4) wtopblue, and certain other Custom color parameters in a per action to vdesk/admincon/index.php; the (5) h321, (6) h311, (7) h312, and certain other Front Door custom text color parameters in a per action to vdesk/admincon/index.php; the (8) ua parameter in a bro action to vdesk/admincon/index.php; the (9) app_param and (10) app_name parameters to webyfiers.php; (11) double eval functions; (12) JavaScript contained in an <FP_DO_NOT_TOUCH> element; and (13) the vhost parameter to my.activation.php. NOTE: it is possible that this candidate overlaps CVE-2006-3550. |
| 7.0 | CVE-2007-0186 OTHER-REF OTHER-REF OTHER-REF BID | ||
| F5 -- Firepass | F5 FirePass 5.4 through 5.5.2 and 6.0 allows remote attackers to access restricted URLs via (1) a trailing null byte, (2) multiple leading slashes, (3) Unicode encoding, (4) URL-encoded directory traversal or same-directory characters, or (5) upper case letters in the domain name. |
| 7.0 | CVE-2007-0187 OTHER-REF OTHER-REF BID | ||
| FON -- La Fonera | FON La Fonera routers do not properly limit DNS service access by unauthenticated clients, which allows remote attackers to tunnel traffic via DNS requests for hosts that should not be accessible before authentication. |
| 7.0 | CVE-2007-0193 BUGTRAQ BUGTRAQ | ||
| GeoBB -- GeoBB | Unspecified vulnerability in the Admin login for Georgian discussion board (GeoBB) before 1.0 has unknown impact and attack vectors. |
| 7.0 | CVE-2006-6918 OTHER-REF | ||
| GeoBB -- Georgian Bulletin Board | ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in GeoBB Georgian Bulletin Board allows remote attackers to execute arbitrary PHP code via a URL in the action parameter. NOTE: CVE disputes this issue, since GeoBB 1.0 sets $action to a whitelisted value. |
| 7.0 | CVE-2007-0189 BUGTRAQ VIM XF | ||
| Geoffrey Golliher -- Axiom Photo/News Gallery | PHP remote file inclusion vulnerability in template.php in Geoffrey Golliher Axiom Photo/News Gallery (axiompng) 0.8.6 allows remote attackers to execute arbitrary PHP code via a URL in the baseAxiomPath parameter. |
| 7.0 | CVE-2007-0200 OTHER-REF VIM FRSIRT | ||
| Getahead -- Direct Web Remoting | Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to obtain unauthorized access to public methods via a crafted request that bypasses the include/exclude checks. |
| 7.0 | CVE-2007-0184 OTHER-REF BID FRSIRT SECUNIA | ||
| GForge -- GForge | Cross-site scripting (XSS) vulnerability in search/advanced_search.php in GForge 4.5.11 allows remote attackers to inject arbitrary web script or HTML via the words parameter. |
| 7.0 | CVE-2007-0176 BUGTRAQ OTHER-REF BID SECTRACK SECUNIA | ||
| HarikaOnline -- HarikaOnline | HarikaOnline 2.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for harikaonline.mdb. |
| 7.0 | CVE-2007-0155 BUGTRAQ XF | ||
| HP -- DECnet/OSI | Unspecified vulnerability in the DECnet-Plus 7.3-2 feature in DECnet/OSI 7.3-2 for OpenVMS ALPHA, and the DECnet-Plus 7.3 feature in DECnet/OSI 7.3 for OpenVMS VAX, allows attackers to obtain "unintended privileged access to data and system resources" via unspecified vectors, related to (1) [SYSEXE]CTF$UI.EXE, (2) [SYSMSG]CTF$MESSAGES.EXE, (3) [SYSHLP]CTF$HELP.HLB, and (4) [SYSMGR]CTF$STARTUP.COM. |
| 7.0 | CVE-2007-0139 OTHER-REF OTHER-REF SECUNIA FRSIRT | ||
| iGeneric -- iG Calendar | SQL injection vulnerability in user.php in iGeneric iG Calendar 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| 7.0 | CVE-2007-0130 OTHER-REF BID FRSIRT SECUNIA BUGTRAQ XF | ||
| iGeneric -- iG Shop | SQL injection vulnerability in compare_product.php in iGeneric iG Shop 1.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| 7.0 | CVE-2007-0132 OTHER-REF OTHER-REF FRSIRT SECUNIA BUGTRAQ BID XF | ||
| iGeneric -- iG Shop | Multiple SQL injection vulnerabilities in display_review.php in iGeneric iG Shop 1.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id or (2) user_login_cookie parameter. |
| 7.0 | CVE-2007-0133 FRSIRT | ||
| iGeneric -- iG Shop | Multiple eval injection vulnerabilities in iGeneric iG Shop 1.0 allow remote attackers to execute arbitrary code via the action parameter, which is supplied to an eval function call in (1) cart.php and (2) page.php. |
| 7.0 | CVE-2007-0134 OTHER-REF OTHER-REF FRSIRT SECUNIA BUGTRAQ BID XF | ||
| JAMWiki -- JAMWiki | JAMWiki before 0.5.0 does not properly check permissions during moves of "read-only or admin-only topics," which allows remote attackers to make unauthorized changes to the wiki. |
| 7.0 | CVE-2007-0131 OTHER-REF SECUNIA BID XF | ||
| Kolayindir Download -- Kolayindir Download | SQL injection vulnerability in down.asp in Kolayindir Download (Yenionline) allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| 7.0 | CVE-2007-0140 BUGTRAQ BID FRSIRT SECUNIA XF | ||
| LocazoList -- LocazoList Classifieds | SQL injection vulnerability in main.asp in LocazoList 2.01a beta5 and earlier allows remote attackers to execute arbitrary SQL commands via the subcatID parameter. |
| 7.0 | CVE-2007-0129 OTHER-REF XF FRSIRT | ||
| M-Core -- M-Core | M-Core stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to db/uyelik.mdb. |
| 7.0 | CVE-2007-0156 BUGTRAQ XF | ||
| Michael Romedahl -- RI Blog | Cross-site scripting (XSS) vulnerability in search.asp in RI Blog 1.3 allows remote attackers to inject arbitrary web script or HTML via the q parameter. |
| 7.0 | CVE-2007-0121 BUGTRAQ BID FRSIRT SECUNIA XF | ||
| Microsoft -- Internet Explorer | Integer overflow in the Vector Markup Language (VML) implementation (vgx.dll) in Microsoft Internet Explorer 5.01, 6, and 7 on Windows 2000 SP4, XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted web page that contains unspecified integer properties that cause insufficient memory allocation and trigger a buffer overflow, aka the "VML Buffer Overrun Vulnerability." |
| 8.0 | CVE-2007-0024 IDEFENSE MS MSKB CERT-VN BID FRSIRT OSVDB SECTRACK SECUNIA XF | ||
| Microsoft -- Excel | Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via malformed IMDATA records that trigger memory corruption. |
| 10.0 | CVE-2007-0027 MS CERT-VN BID FRSIRT SECTRACK | ||
| Microsoft -- Excel | Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malformed record that triggers an "Improper Memory Access," a different issue than CVE-2007-0027. |
| 10.0 | CVE-2007-0028 MS CERT-VN FRSIRT | ||
| Microsoft -- Excel | Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a malformed string, aka "Excel Malformed String Vulnerability." |
| 8.0 | CVE-2007-0029 MS BID FRSIRT SECTRACK | ||
| Microsoft -- Excel | Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via an Excel file with an out-of-range Column field in certain BIFF8 record types, which references arbitrary memory. |
| 8.0 | CVE-2007-0030 IDEFENSE MS CERT-VN BID FRSIRT SECTRACK | ||
| Microsoft -- Excel | Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries. |
| 8.0 | CVE-2007-0031 IDEFENSE MS CERT-VN BID FRSIRT SECTRACK | ||
| Microsoft -- Outlook | Microsoft Outlook 2002 and 2003 allows user-assisted remote attackers to execute arbitrary code via a malformed VEVENT record in an .iCal meeting request or ICS file. |
| 8.0 | CVE-2007-0033 MS CERT-VN BID FRSIRT SECTRACK SECUNIA | ||
| Microsoft -- Outlook | Microsoft Outlook 2000, 2002, and 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted Outlook Saved Searches (OSS) file that triggers memory corruption, aka "Microsoft Outlook Advanced Find Vulnerability". |
| 8.0 | CVE-2007-0034 MS CERT-VN BID FRSIRT SECTRACK SECUNIA | ||
| MitiSoft -- MitiSoft | MitiSoft stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for access_MS/MitiSoft.mdb. |
| 7.0 | CVE-2007-0151 BUGTRAQ XF | ||
| MKPortal -- MKPortal | Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allows remote attackers to inject arbitrary web script or HTML via two certain fields in a contents_new operation in the ad_contents section. |
| 7.0 | CVE-2007-0191 BUGTRAQ XF | ||
| MKPortal -- MKPortal | Cross-site request forgery (CSRF) vulnerability in the save_main operation in the ad_perms section in admin.php in MKPortal allows remote attackers to modify privilege settings, as demonstrated using a getURL of admin.php within a .swf file contained in an IFRAME element, aka the "All Guests are Admin" attack. |
| 7.0 | CVE-2007-0192 BUGTRAQ | ||
| Motionborg -- Motionborg Web Real Estate | SQL injection vulnerability in admin_check_user.asp in Motionborg Web Real Estate 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the username field (txtUserName parameter) and possibly other parameters. NOTE: some details were obtained from third party information. |
| 7.0 | CVE-2007-0196 OTHER-REF BID XF | ||
| Novell -- Novell Access Manager Identity Server | Cross-site scripting (XSS) vulnerability in nidp/idff/sso in Novell Access Manager Identity Server before 3.0.0-1013 allows remote attackers to inject arbitrary web script or HTML via the IssueInstant parameter, which is not properly handled in the resulting error message. |
| 7.0 | CVE-2007-0110 OTHER-REF BID FRSIRT SECUNIA | ||
| OhhASP -- OhhASP | OhhASP stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/OhhASP.mdb. |
| 7.0 | CVE-2007-0152 BUGTRAQ OTHER-REF XF | ||
| Opera Software -- Opera | The Javascript SVG support in Opera before 9.10 does not properly validate object types in a createSVGTransformFromMatrix request, which allows remote attackers to execute arbitrary code via JavaScript code that uses an invalid object in this request that causes a controlled pointer to be referenced during the virtual function call. |
| 7.0 | CVE-2007-0127 IDEFENSE OTHER-REF FRSIRT SECUNIA SECTRACK | ||
| PHP Web Scripts -- Easy Banner Pro | PHP remote file inclusion vulnerability in info.php in Easy Banner Pro 2.8 allows remote attackers to execute arbitrary PHP code via a URL in the s[phppath] parameter. |
| 7.0 | CVE-2007-0178 BUGTRAQ | ||
| PHPKIT -- PHPKIT | SQL injection vulnerability in comment.php in PHPKIT 1.6.1 R2 allows remote attackers to execute arbitrary SQL commands via the subid parameter. |
| 7.0 | CVE-2007-0179 BUGTRAQ BID | ||
| phpMyAdmin -- phpMyAdmin | Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.2-rc1 have unknown impact and attack vectors. |
| 7.0 | CVE-2007-0203 OTHER-REF SECUNIA | ||
| phpMyAdmin -- phpMyAdmin | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information, |
| 7.0 | CVE-2007-0204 OTHER-REF FRSIRT SECUNIA | ||
| PPC Search Engine -- PPC Search Engine WGS-PPC -- WGS-PPC | Multiple PHP file inclusion vulnerabilities in WGS-PPC (aka PPC Search Engine), as distributed with other aliases, allow remote attackers to execute arbitrary PHP code via a URL in the INC parameter in (1) config_admin.php, (2) config_main.php, (3) config_member.php, and (4) mysql_config.php in config/; (5) admin.php and (6) index.php in admini/; (7) paypalipn/ipnprocess.php; (8) index.php and (9) registration.php in members/; and (10) ppcbannerclick.php and (11) ppcclick.php in main/. |
| 7.0 | CVE-2007-0167 BUGTRAQ VIM BID | ||
| Scriptaty -- Magic Photo Storage Website | PHP remote file inclusion vulnerability in include/common_function.php in magic photo storage website allows remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter. |
| 7.0 | CVE-2007-0181 BUGTRAQ | ||
| Scriptaty -- Magic Photo Storage Website | Multiple PHP remote file inclusion vulnerabilities in magic photo storage website allow remote attackers to execute arbitrary PHP code via a URL in the _config[site_path] parameter to (1) admin_password.php, (2) add_welcome_text.php, (3) admin_email.php, (4) add_templates.php, (5) admin_paypal_email.php, (6) approve_member.php, (7) delete_member.php, (8) index.php, (9) list_members.php, (10) membership_pricing.php, or (11) send_email.php in admin/; (12) config.php or (13) db_config.php in include/; or (14) add_category.php, (15) add_news.php, (16) change_catalog_template.php, (17) couple_milestone.php, (18) couple_profile.php, (19) delete_category.php, (20) index.php, (21) login.php, (22) logout.php, (23) register.php, (24) upload_photo.php, (25) user_catelog_password.php, (26) user_email.php, (27) user_extend.php, or (28) user_membership_password.php in user/. NOTE: the include/common_function.php vector is already covered by another candidate from the same date. |
| 7.0 | CVE-2007-0182 BUGTRAQ | ||
| Shopstorenow -- E-commerce Shopping Cart | SQL injection vulnerability in orange.asp in ShopStoreNow E-commerce Shopping Cart allows remote attackers to execute arbitrary SQL commands via the CatID parameter. |
| 7.0 | CVE-2007-0142 BUGTRAQ BID FRSIRT SECUNIA XF | ||
| Sina -- Sina | Multiple stack-based multiple buffer overflows in the BRWOSSRE2UC.dll ActiveX Control in Sina UC2006 and earlier allow remote attackers to execute arbitrary code via a long string in the (1) astrVerion parameter to the SendChatRoomOpt function or (2) the astrDownDir parameter to the SendDownLoadFile function. |
| 7.0 | CVE-2007-0174 FULLDISC OTHER-REF FRSIRT SECUNIA | ||
| TIS -- Internet Firewall Toolkit | Buffer overflow in the cmd_usr function in ftp-gw in TIS Internet Firewall Toolkit (FWTK) allows remote attackers to execute arbitrary code via a long destination hostname (dest). |
| 10.0 | CVE-2007-0201 OTHER-REF BID SECTRACK XF | ||
| Voice Of Web -- AllMyLinks | PHP remote file inclusion vulnerability in index.php in AllMyLinks 0.5.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the AML_opensite parameter. |
| 7.0 | CVE-2007-0171 OTHER-REF BID XF | ||
| Voice Of Web -- AllMyGuests | Multiple PHP remote file inclusion vulnerabilities in AllMyGuests 0.3.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the AMG_serverpath parameter to (1) comments.php and (2) signin.php; and possibly via a URL in unspecified parameters to (3) include/submit.inc.php, (4) admin/index.php, (5) include/cm_submit.inc.php, and (6) index.php. |
| 7.0 | CVE-2007-0172 OTHER-REF BID XF | ||
| Webulas -- Webulas | Webulas stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing passwords via a direct request for db/db.mdb. |
| 7.0 | CVE-2007-0154 BUGTRAQ XF | ||
| Xpdf -- Xpdf | The Adobe PDF specification 1.3, as implemented by xpdf 3.0.1 patch 2, allows remote attackers to have an unknown impact, possibly including denial of service (infinite loop), arbitrary code execution, or memory corruption, via a PDF file with a (1) crafted catalog dictionary or (2) a crafted Pages attribute that references an invalid page tree node. |
| 7.0 | CVE-2007-0104 BID OTHER-REF XF |
| Medium Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
|---|---|---|---|---|---|---|
| Apple -- Mac OS X Apple -- Finder | Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long volume name in a DMG disk image, which results in memory corruption. |
| 5.6 | CVE-2007-0197 OTHER-REF | ||
| Aratix -- Aratix | PHP remote file inclusion vulnerability in inc/init.inc.php in Aratix 0.2.2 beta 11 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the current_path parameter. |
| 5.6 | CVE-2007-0135 VIM OTHER-REF OTHER-REF FRSIRT XF | ||
| CenterICQ -- CenterICQ | Stack-based buffer overflow in the LiveJournal support (hooks/ljhook.cc) in CenterICQ 4.9.11 through 4.21.0, when using unofficial LiveJournal servers, allows remote attackers to cause a denial of service (crash) by adding the victim as a friend and using long (1) username and (2) real name strings. |
| 5.6 | CVE-2007-0160 BUGTRAQ BID | ||
| Coppermine -- Coppermine Photo Gallery | Multiple SQL injection vulnerabilities in Coppermine Photo Gallery 1.4.10 and earlier allow remote authenticated administrators to execute arbitrary SQL commands via (1) the cat parameter to albmgr.php, and possibly (2) the gid parameter to usermgr.php; (3) the start parameter to db_ecard.php; and the albumid parameter to unspecified files, related to the (4) filename_to_title and (5) del_titles functions. |
| 4.2 | CVE-2007-0122 BUGTRAQ OTHER-REF BID | ||
| Drupal -- Drupal | Multiple cross-site scripting (XSS) vulnerabilities in Drupal before 4.6.11, and 4.7 before 4.7.5, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in the (1) filter and (2) system modules. NOTE: some of these details are obtained from third party information. |
| 5.6 | CVE-2007-0136 FULLDISC OTHER-REF FRSIRT BUGTRAQ OTHER-REF XF | ||
| F5 -- Firepass | F5 FirePass 5.4 through 5.5.1 does not properly enforce host access restrictions when a client uses a single integer (dword) representation of an IP address ("dotless IP address"), which allows remote authenticated users to connect to the FirePass administrator console and certain other network resources. |
| 4.2 | CVE-2007-0188 OTHER-REF OTHER-REF BID | ||
| GeoIP -- GeoIP | Directory traversal vulnerability in the GeoIP_update_database_general function in libGeoIP/GeoIPUpdate.c in GeoIP 1.4.0 allows remote malicious update servers (possibly only update.maxmind.com) to overwrite arbitrary files via a .. (dot dot) in the database filename, which is returned by a request to app/update_getfilename. |
| 4.7 | CVE-2007-0159 OTHER-REF MANDRIVA BID FRSIRT FRSIRT | ||
| L2J -- Statistik Script | Directory traversal vulnerability in index.php in L2J Statistik Script 0.09 and earlier, when register_globals is enabled and magic_quotes is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by index.php. |
| 5.6 | CVE-2007-0173 OTHER-REF BID XF | ||
| MediaWiki -- MediaWiki | Cross-site scripting (XSS) vulnerability in the AJAX module in MediaWiki before 1.6.9, 1.7 before 1.7.2, 1.8 before 1.8.3, and 1.9 before 1.9.0rc2, when wgUseAjax is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 5.6 | CVE-2007-0177 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID FRSIRT SECUNIA | ||
| Mozilla -- Firefox Sage Extension | Firefox Sage extension 1.3.8 and earlier allows remote attackers to execute arbitrary Javascript in the local context via an RSS feed with an img tag containing the script followed by an extra trailing ">", which Sage modifies to close the img element before the malicious script. |
| 5.6 | CVE-2006-6919 BUGTRAQ OTHER-REF FRSIRT SECUNIA XF | ||
| Nucleus CMS -- Nucleus CMS | Cross-site scripting (XSS) vulnerability in Nucleus before 3.24 allows remote attackers to inject arbitrary web script or HTML via unknown vectors, possibly involving (1) lib/ADMIN.php and (2) lib/SKIN.php. |
| 5.6 | CVE-2006-6920 OTHER-REF OTHER-REF BID FRSIRT SECTRACK SECUNIA XF | ||
| NUNE -- News Script | Multiple PHP remote file inclusion vulnerabilities in NUNE News Script 2.0pre2 allow remote attackers to execute arbitrary PHP code via a URL in the custom_admin_path parameter to (1) index.php or (2) archives.php. |
| 5.6 | CVE-2007-0143 OTHER-REF FRSIRT SECUNIA BUGTRAQ XF | ||
| OmniGroup -- OmniWeb | Format string vulnerability in OmniGroup OmniWeb 5.5.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via format string specifiers in the Javascript alert function. |
| 5.6 | CVE-2007-0148 OTHER-REF OTHER-REF FRSIRT SECUNIA OTHER-REF BID XF | ||
| Opera Software -- Opera | Heap-based buffer overflow in Opera 9.02 allows remote attackers to execute arbitrary code via a JPEG file with an invalid number of index bytes in the Define Huffman Table (DHT) marker. |
| 5.6 | CVE-2007-0126 IDEFENSE OTHER-REF FRSIRT SECUNIA SECTRACK XF | ||
| Resco -- Photo Viewer | Buffer overflow in Resco Photo Viewer for PocketPC 4.11 and 6.01, as used in mobile devices running Windows Mobile 5.0, 2003, and 2003SE, allows remote attackers to execute arbitrary code via a crafted PNG image. |
| 5.6 | CVE-2007-0111 OTHER-REF OTHER-REF BID FRSIRT SECUNIA | ||
| SerendipityNZ -- Serene Bach sb 1.13D SerendipityNZ -- Serene Bach 2.05R SerendipityNZ -- Serene Bach 1.18R SerendipityNZ -- Serene Bach 2.08D | Cross-site scripting (XSS) vulnerability in SimpleBoxes/SerendipityNZ Serene Bach 2.05R and earlier, and 2.08D and earlier in the 2.08 series; and (2) sb 1.13D and earlier, and 1.18R and earlier in the 1.18 series; allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 5.6 | CVE-2007-0137 OTHER-REF OTHER-REF OTHER-REF SECUNIA BID FRSIRT SECTRACK XF | ||
| Sun -- iPlanet Web Server | Cross-site scripting (XSS) vulnerability in /search in iPlanet Web Server 4.x allows remote attackers to inject arbitrary web script or HTML via the NS-max-records parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 5.6 | CVE-2007-0183 BID SECUNIA | ||
| Uber Uploader -- Uber Uploader | Unrestricted file upload vulnerability in Uber Uploader 4.2 allows remote attackers to upload and execute arbitrary PHP scripts by naming them with a .phtml extension, which bypasses the .php extension check but is still executable on some server configurations. |
| 5.6 | CVE-2007-0123 BUGTRAQ XF | ||
| Unsanity -- Application Enhancer | Unsanity Application Enhancer (APE) 2.0.2 installs with insecure permissions for the (1) ApplicationEnhancer binary and the (2) /Library/Frameworks/ApplicationEnhancer.framework directory, which allows local users to gain privileges by modifying or replacing the binary or library files. |
| 4.2 | CVE-2007-0162 OTHER-REF OTHER-REF BID SECUNIA XF | ||
| WordPress -- WordPress | WordPress before 2.0.6, when mbstring is enabled for PHP, decodes alternate character sets after escaping the SQL query, which allows remote attackers to bypass SQL injection protection schemes and execute arbitrary SQL commands via multibyte charsets, as demonstrated using UTF-7. |
| 5.6 | CVE-2007-0107 BUGTRAQ OTHER-REF OTHER-REF BID FRSIRT SECUNIA OPENPKG XF | ||
| Yet Another Link Directory -- Yet Another Link Directory | Cross-site scripting (XSS) vulnerability in yald.php in Yet Another Link Directory 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. |
| 5.6 | CVE-2007-0141 BUGTRAQ BID FRSIRT SECUNIA XF |
| Low Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ||
|---|---|---|---|---|---|---|
| Acunetix -- Web Vulnerability Scanner | Acunetix Web Vulnerability Scanner (WVS) 4.0 Build 20060717 and earlier allows remote attackers to cause a denial of service (application crash) via multiple HTTP requests containing invalid Content-Length values. |
| 2.3 | CVE-2007-0120 OTHER-REF BID XF | ||
| Camouflage -- Camouflage | Camouflage 1.2.1 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing certain bytes of the JPEG image with alternate password information. |
| 3.3 | CVE-2007-0164 OTHER-REF BID SECUNIA | ||
| Cisco -- IP Contact Center Hosted Cisco -- IP Contact Center Enterprise Cisco -- Unified Contact Center Enterprise Cisco -- Unified Contact Center Hosted | The JTapi Gateway process in Cisco Unified Contact Center Enterprise, Unified Contact Center Hosted, IP Contact Center Enterprise, and Cisco IP Contact Center Hosted 5.0 through 7.1 allows remote attackers to cause a denial of service (repeated process restart) via a certain TCP session on the JTapi server port. |
| 2.3 | CVE-2007-0198 CISCO BID | ||
| Cisco -- IOS | The Data-link Switching (DLSw) feature in Cisco IOS 11.0 through 12.4 allows remote attackers to cause a denial of service (device reload) via "an invalid value in a DLSw message... during the capabilities exchange." |
| 2.3 | CVE-2007-0199 CISCO | ||
| Coppermine -- Coppermine Photo Gallery | Static code injection vulnerability in Coppermine Photo Gallery 1.4.10 and earlier allows remote authenticated administrators to execute arbitrary PHP code via the Username to login.php, which is injected into an error message in security.log.php, which can then be accessed using viewlog.php. |
| 3.4 | CVE-2007-0115 BUGTRAQ VIM OTHER-REF | ||
| Cuyahoga -- Cuyahoga | Cuyahoga before 1.0.1 installs the FCKEditor component with an incorrect deny statement in a Web.config file, which allows remote attackers to upload files when these privileges were intended only for the Administrator and Editor roles. |
| 2.3 | CVE-2007-0147 OTHER-REF OTHER-REF SECUNIA BID | ||
| Drupal -- Drupal | Unspecified vulnerability in Drupal before 4.6.11, and 4.7 before 4.7.5, when MySQL is used, allows remote authenticated users to cause a denial of service by poisoning the page cache via unspecified vectors, which triggers erroneous 404 HTTP errors for pages that exist. |
| 1.1 | CVE-2007-0124 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA | ||
| EditTag -- EditTag | Multiple absolute path traversal vulnerabilities in EditTag 1.2 allow remote attackers to read arbitrary files via an absolute pathname in the file parameter to (1) edittag.cgi, (2) edittag.pl, (3) edittag_mp.cgi, or (4) edittag_mp.pl. |
| 1.9 | CVE-2007-0118 BUGTRAQ BID | ||
| F5 -- Firepass | my.activation.php3 in F5 FirePass 5.4 through 5.5.1 and 6.0 displays different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to confirm the validity of an LDAP account. |
| 2.3 | CVE-2007-0195 OTHER-REF OTHER-REF BID | ||
| Fersche -- Formankserver | formbankcgi.exe in Fersch Formbankserver 1.9, when the PATH_INFO begins with (1) AbfrageForm or (2) EingabeForm, allows remote attackers to cause a denial of service (daemon crash) via multiple requests containing many /../ sequences in the Name parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. |
| 2.3 | CVE-2007-0138 SECUNIA XF | ||
| Fix and Chips Computer Services -- Fix and Chips CMS | Multiple cross-site scripting (XSS) vulnerabilities in Fix and Chips CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter in (a) delete-announce.php; the (2) Announcement form field in (b) staff.php; the (3) Client Name, (4) Business Name, (5) Street, (6) Address 2, (7) Town/City, (8) Postcode, (9) Phone Number, (10) Email Address and (11) Website Address form fields in (c) new_customer.php; and unspecified fields in (d) search.php and (e) client-results.php. |
| 3.4 | CVE-2007-0146 BUGTRAQ FRSIRT SECUNIA XF | ||
| FreeBSD -- FreeBSD | The jail rc.d script in FreeBSD 5.3 up to 6.2 does not verify pathnames when writing to /var/log/console.log during a jail start-up, or when file systems are mounted or unmounted, which allows local root users to overwrite arbitrary files, or mount/unmount files, outside of the jail via a symlink attack. |
| 3.4 | CVE-2007-0166 FREEBSD | ||
| Getahead -- Direct Web Remoting | Getahead Direct Web Remoting (DWR) before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch. |
| 2.3 | CVE-2007-0185 OTHER-REF BID FRSIRT SECUNIA | ||
| HP -- Officejet 5100 HP -- Officejet 4100 HP -- Officejet 5500 HP -- Officejet D HP -- Officejet 6100 HP -- Officejet G HP -- PSC 2400 Photosmart All-in-one HP -- PSC 700 HP -- PSC 2200 HP -- PML Driver HPZ12 HP -- PSC 2500 Photosmart All-in-one HP -- PSC 1100 HP -- Color LaserJet 4650 HP -- PSC 1200 HP -- PSC 1300 HP -- Officejet 7100 HP -- PSC 1210 All-in-One HP -- PSC 2100 HP -- PSC 900 HP -- PSC 2510 Photosmart Printer HP -- Officejet K | The PML Driver HPZ12 (HPZipm12.exe) in the HP all-in-one drivers, as used by multiple HP products, uses insecure SERVICE_CHANGE_CONFIG DACL permissions, which allows local users to gain privileges and execute arbitrary programs, as demonstrated by modifying the binpath argument, a related issue to CVE-2006-0023. |
| 2.3 | CVE-2007-0161 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA XF | ||
| HP -- OpenView Network Node Manager | Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 6.20, 6.4x, 7.01, and 7.50 allows remote attackers to read arbitrary files via unknown vectors. |
| 2.3 | CVE-2007-0206 HP BID | ||
| Kaspersky Lab -- Kaspersky Antivirus Engine | Kaspersky Labs Antivirus Engine 6.0 for Windows and 5.5-10 for Linux before 20070102 enter an infinite loop upon encountering an invalid NumberOfRvaAndSizes value in the Optional Windows Header of a portable executable (PE) file, which allows remote attackers to cause a denial of service (CPU consumption) by scanning a crafted PE file. |
| 2.3 | CVE-2007-0125 IDEFENSE SECUNIA BID FRSIRT SECTRACK XF | ||
| MKPortal -- MKPortal | admin.php in MKPortal M1.1 RC1 allows remote attackers to obtain sensitive information via a direct request with an MK_PATH=1 query string, which reveals the path in an error message. |
| 3.3 | CVE-2007-0194 BUGTRAQ | ||
| neon -- neon | Array index error in the uri_lookup function in the URI parser for neon 0.26.0 to 0.26.2, possibly only on 64-bit platforms, allows remote malicious servers to cause a denial of service (crash) via a URI with non-ASCII characters, which triggers a buffer under-read due to a type conversion error that generates a negative index. |
| 3.3 | CVE-2007-0157 MLIST OTHER-REF OTHER-REF | ||
| Novell -- Novell Client | nwgina.dll in Novell Client 4.91 SP3 for Windows 2000/XP/2003 does not delete user profiles during a Terminal Service or Citrix session, which allows remote authenticated users to invoke alternate user profiles. |
| 3.4 | CVE-2007-0108 OTHER-REF BID FRSIRT SECTRACK SECUNIA XF | ||
| Packeteer PacketShaper -- PacketWise | Buffer overflow in Packeteer PacketShaper PacketWise 8.x allows remote authenticated users to cause a denial of service (reset or reboot) via (1) a long traffic class argument to the "class show" command or (2) a long POLICY parameter value in clastree.htm. |
| 2.0 | CVE-2007-0113 BUGTRAQ BID FRSIRT SECUNIA XF | ||
| SecureKit -- SecureKit Steganography | SecureKit Steganography 1.7.1 and 1.8 embeds password information in the carrier file, which allows remote attackers to bypass authentication requirements and decrypt embedded steganography by replacing the last 20 bytes of the JPEG image with alternate password information. |
| 3.3 | CVE-2007-0163 BUGTRAQ OTHER-REF SECUNIA | ||
| Sun -- Java System Content Delivery Server | Sun Java System Content Delivery Server 5.0 and 5.0 PU1 allows remote attackers to obtain sensitive information regarding "content details" via unspecified vectors. |
| 2.3 | CVE-2007-0114 SUNALERT BID FRSIRT SECUNIA XF | ||
| Sun -- Solaris | Unspecified vulnerability in libnsl in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (crash) via malformed RPC requests that trigger a crash in rpcbind. |
| 3.3 | CVE-2007-0165 SUNALERT BID FRSIRT SECUNIA XF | ||
| WordPress -- WordPress | Cross-site scripting (XSS) vulnerability in the CSRF protection scheme in WordPress before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via a CSRF attack with an invalid token and quote characters or HTML tags in URL variable names, which are not properly handled when WordPress generates a new link to verify the request. |
| 2.3 | CVE-2007-0106 BUGTRAQ OTHER-REF OTHER-REF BID FRSIRT SECUNIA | ||
| WordPress -- WordPress | wp-login.php in WordPress 2.0.5 and earlier displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks. |
| 2.3 | CVE-2007-0109 BUGTRAQ FRSIRT SECUNIA XF |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.