Vulnerability Summary for the Week of April 30, 2007
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info
---|---|---|---
Adobe -- Photoshop; Adobe -- Photoshop Elements | Buffer overflow in Adobe Photoshop CS2 and CS3, and Photoshop Elements 5.0, allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file. | 8.0 | CVE-2007-2365 MILW0RM BID FRSIRT SECUNIA XF
AFFLIB -- AFFLIB | Multiple stack-based buffer overflows in AFFLIB before 2.2.6 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) a long LastModified value in an S3 XML response in lib/s3.cpp; (2) a long (a) path or (b) bucket in an S3 URL in lib/vnode_s3.cpp; or (3) a long (c) EFW, (d) AFD, or (c) aimage file path. NOTE: the aimage vector (3c) has since been recalled from the researcher's original advisory, since the code is not called in any version of AFFLIB. | 10.0 | CVE-2007-2053 BUGTRAQ OTHER-REF BID XF
AFFLIB -- AFFLIB | Multiple format string vulnerabilities in AFFLIB before 2.2.6 allow remote attackers to execute arbitrary code via certain command line parameters, which are used in (1) warn and (2) err calls in (a) lib/s3.cpp, (b) tools/afconvert.cpp, (c) tools/afcopy.cpp, (d) tools/afinfo.cpp, (e) aimage/aimage.cpp, (f) aimage/imager.cpp, and (g) tools/afxml.cpp. NOTE: the aimage.cpp vector (e) has since been recalled from the researcher's original advisory, since the code is not called in any version of AFFLIB. | 7.0 | CVE-2007-2054 BUGTRAQ OTHER-REF XF
AFFLIB -- AFFLIB | AFFLIB 2.2.8 and earlier allows attackers to execute arbitrary commands via shell metacharacters involving (1) certain command line parameters in tools/afconvert.cpp and (2) arguments to the get_parameter function in aimage/ident.cpp. NOTE: it is unknown if the get_parameter vector (2) is ever called. | 7.0 | CVE-2007-2055 BUGTRAQ OTHER-REF XF
AFFLIB -- AFFLIB | Multiple format string vulnerabilities in AFFLIB 2.2.6 allow remote attackers to execute arbitrary code via certain command line parameters, which are used in (1) warn and (2) err calls, possibly involving (a) lib/s3.cpp, (b) tools/afconvert.cpp, (c) tools/afcopy.cpp, (d) tools/afinfo.cpp, (e) aimage/imager.cpp, and (f) tools/afxml.cpp. NOTE: this identifier is intended to address the vectors that were not fixed in CVE-2007-2054, but the unfixed vectors were not explicitly listed. | 10.0 | CVE-2007-2352 BUGTRAQ OTHER-REF
Ahhp-Portal -- Ahhp-Portal | Multiple PHP remote file inclusion vulnerabilities in page.php in Ahhp-Portal allow remote attackers to execute arbitrary PHP code via a URL in the (1) fp or (2) sc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 7.0 | CVE-2007-2428 BID
Ariadne -- Ariadne CMS | Cross-site scripting (XSS) vulnerability in index.php in Ariadne 2.4.1 allows remote attackers to inject arbitrary web script or HTML via the ARLogin parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 7.0 | CVE-2007-2433 SECUNIA
Aventail -- Aventail Connect | Buffer overflow in asnsp.dll in Aventail Connect 4.1.2.13 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a malformed DNS query. | 10.0 | CVE-2007-2434 FULLDISC BID XF
b2evolution -- b2evolution | ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in b2evolution allow remote attackers to execute arbitrary PHP code via a URL in the (1) inc_path parameter to (a) a_noskin.php, (b) a_stub.php, (c) admin.php, (d) contact.php, (e) default.php, (f) index.php, and (g) multiblogs.php in blogs/; the (2) view_path and (3) control_path parameters to blogs/admin.php; and the (4) skins_path parameter to (h) blogs/contact.php and (i) blogs/multiblogs.php. NOTE: this issue is disputed by CVE, since the inc_path, view_path, control_path, and skins_path variables are all initialized in conf/_advanced.php before they are used. | 7.0 | CVE-2007-2358 BUGTRAQ VIM XF
Burak Yilmaz -- Burak Yilmaz Blog | SQL injection vulnerability in bry.asp in Burak Yilmaz Blog 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.0 | CVE-2007-2420 BUGTRAQ BID XF
Burnstone -- BurnCMS | Multiple PHP remote file inclusion vulnerabilities in burnCMS 0.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the root parameter to (1) mysql.class.php or (2) postgres.class.php in lib/db/; or (3) authuser.php, (4) misc.php, or (5) connect.php in lib/. | 7.0 | CVE-2007-2364 MILW0RM BID FRSIRT XF
Cerulean Studios -- Trillian Pro | Heap-based buffer overflow in the Rendezvous / Extensible Messaging and Presence Protocol (XMPP) component (plugins\rendezvous.dll) for Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers to execute arbitrary code via a message that triggers the overflow from expansion that occurs during encoding. | 7.0 | CVE-2007-2418 OTHER-REF
Cerulean Studios -- Trillian Pro | Multiple heap-based buffer overflows in the IRC component in Cerulean Studios Trillian Pro before 3.1.5.1 allow remote attackers to corrupt memory and possibly execute arbitrary code via (1) a URL with a long UTF-8 string, which triggers the overflow when the user highlights it, or (2) a font HTML tag with a face attribute containing a long UTF-8 string. | 7.0 | CVE-2007-2478 IDEFENSE OTHER-REF BID FRSIRT SECTRACK SECUNIA XF XF
Cisco -- PIX; Cisco -- Adaptive Security Appliance | Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) and PIX 7.2 before 7.2(2)8, when using Layer 2 Tunneling Protocol (L2TP) or Remote Management Access, allows remote attackers to bypass LDAP authentication and gain privileges via unknown vectors. | 10.0 | CVE-2007-2462 CISCO CERT-VN BID
CMS Made Simple -- CMS Made Simple | SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter. | 7.0 | CVE-2007-2473 OTHER-REF OTHER-REF BID SECUNIA
Comdev -- Modules Builder | ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Modules Builder (modbuild) 4.1 for Comdev One Admin allow remote attackers to execute arbitrary PHP code via a URL in the path[docroot] parameter to (1) config-bak.php or (2) config.php. NOTE: CVE disputes this vulnerability because the unmodified scripts set the applicable variable to the empty string; reasonable modified copies would use a fixed pathname string. | 7.0 | CVE-2007-2422 BUGTRAQ XF
E-Annu -- E-Annu | SQL injection vulnerability in home.php in E-Annu allows remote attackers to execute arbitrary SQL commands via the a parameter. | 7.0 | CVE-2007-2416 BUGTRAQ BID XF
EMC -- RSA Security SiteKey | EMC RSA Security SiteKey does not set the secure qualifier on the SiteKey Flash token (aka the PassMark Flash shared object), which might allow remote attackers to obtain the token via HTTP. | 10.0 | CVE-2006-7201 OTHER-REF OTHER-REF
Fabrice Bellard -- QEMU | Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2 might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow. | 7.0 | CVE-2007-1320 OTHER-REF DEBIAN BID FRSIRT SECUNIA SECUNIA
FileRun -- FileRun | SQL injection vulnerability in index.php in FileRun 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the fid parameter. | 7.0 | CVE-2007-2469 OTHER-REF BID SECUNIA
FireFly -- FireFly | Multiple PHP remote file inclusion vulnerabilities in FireFly 1.1.01 allow remote attackers to execute arbitrary PHP code via a URL in the doc_root parameter to (1) localize.php or (2) config.php in modules/admin/include/. | 7.0 | CVE-2007-2456 MILW0RM VIM BID FRSIRT
FireFly -- FireFly | PHP remote file inclusion vulnerability in modules/admin/include/config.php in FireFly 1.1.01 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 7.0 | CVE-2007-2460 VIM FRSIRT
Gregory Kokanosky -- phpMyNewsLetter | admin/index.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier provides access to configuration modification before login, which allows remote attackers to cause a denial of service (loss of configuration data), and possibly perform direct static code injection, via a saveGlobalconfig action. | 10.0 | CVE-2007-2371 MILW0RM BID
Gregory Kokanosky -- phpMyNewsLetter | admin/send_mod.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier prints a Location header but does not exit when administrative credentials are missing, which allows remote attackers to compose an e-mail message via a post with the subject, message, format, and list_id fields; and send the message via a direct request for the MsgId value under admin/. | 10.0 | CVE-2007-2372 MILW0RM BID
Hitachi -- Groupmax Mobile Option | Buffer overflow in Hitachi Groupmax Mobile Option for Mobile-Phone 07-00 through 07-30, 5 for i-mode 05-11 through 05-23, and 6 for EZweb 06-00 through 06-04 allows remote attackers to execute arbitrary code via unspecified vectors. | 7.0 | CVE-2007-2421 OTHER-REF BID FRSIRT SECUNIA XF
HP -- Power Manager Remote Agent | Unspecified vulnerability in the HP Power Manager Remote Agent (RA) 4.0Build10 and earlier in HP-UX B.11.11 and B.11.23 allows local users to execute arbitrary code via unspecified vectors. | 7.0 | CVE-2007-2351 HP BID FRSIRT SECUNIA SECTRACK
IBM -- WebSphere Application Server | Unspecified vulnerability in IBM WebSphere Application Server (WAS) before 5.1.1.14, and WAS for z/OS 601 before 6.0.2.13, has unknown impact and attack vectors, related to a "Potential security exposure," aka PK26123. | 7.0 | CVE-2006-7198 OTHER-REF AIXAPAR AIXAPAR FRSIRT SECTRACK SECUNIA XF
ManageEngine -- PasswordManager Pro | ManageEngine PasswordManager Pro (PMP) allows remote attackers to obtain administrative access to a database by injecting a certain command line for the mysql program, as demonstrated by the "-port 2345" and "-u root" arguments. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 10.0 | CVE-2007-2429 BID
Microsoft -- Windows 2000; Microsoft -- Windows Server 2003; Microsoft -- Windows XP | Unspecified vulnerability in Microsoft Windows 2000, XP, and Server 2003 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors. NOTE: this information is based upon a vague pre-advisory with no actionable information. However, the advisory is from a reliable source. | 8.0 | CVE-2007-2374 OTHER-REF BID
MicroWorld Technologies -- eScan | The MicroWorld Agent service (MWAGENT.EXE) in MicroWorld Technologies eScan 8.0.671.1, and possibly other versions, allows remote or local attackers to gain privileges and execute arbitrary commands by connecting directly to TCP port 2222. | 10.0 | CVE-2007-0655 OTHER-REF FRSIRT SECUNIA
Novell -- Novell SecureLogin | Unspecified vulnerability in the ADSCHEMA utility in Novell SecureLogin (NSL) 6 SP1 before 6.0.106 has unknown impact and remote attack vectors, related to granting "users excess permissions to their own attributes." | 7.0 | CVE-2007-2475 NOVELL FRSIRT
Novell -- Novell SecureLogin | Unspecified vulnerability in Novell SecureLogin (NSL) 6 SP1 before 6.0.106 has unknown impact and remote attack vectors, related to Active Directory (AD) password changes. | 7.0 | CVE-2007-2476 OTHER-REF FRSIRT
Nukedit -- Nukedit | Cross-site scripting (XSS) vulnerability in utilities/search.asp in nukedit 4.9.7b allows remote attackers to inject arbitrary web script or HTML via the terms parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 7.0 | CVE-2007-2432 BID SECUNIA
OPeNDAP -- Server3 | The get_url function in DODS_Dispatch.pm for the CGI_server in OPeNDAP 3 allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. | 10.0 | CVE-2007-2355 OTHER-REF OTHER-REF CERT-VN BID FRSIRT SECTRACK SECUNIA
phpMyChat -- phpMyChat | ** DISPUTED ** PHP remote file inclusion vulnerability in phpMyChat.php3 in phpMyChat 0.14.5 allows remote attackers to execute arbitrary PHP code via a URL in the {ChatPath} parameter. NOTE: this has been disputed by multiple third parties and CVE because $ChatPath is set to a constant value. | 7.0 | CVE-2007-2477 BUGTRAQ BUGTRAQ VIM VIM
Pixaria -- Pixaria Gallery | PHP remote file inclusion vulnerability in resources/includes/class.Smarty.php in Pixaria Gallery before 1.4.3 allows remote attackers to execute arbitrary PHP code via a URL in the cfg[sys][base_path] parameter. | 7.0 | CVE-2007-2457 MILW0RM OTHER-REF OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF
Pixaria -- Pixaria Gallery | Multiple PHP remote file inclusion vulnerabilities in Pixaria Gallery before 1.4.3 allow remote attackers to execute arbitrary PHP code via a URL in the cfg[sys][base_path] parameter to psg.smarty.lib.php and certain include and library scripts. | 7.0 | CVE-2007-2458 OTHER-REF OTHER-REF OTHER-REF FRSIRT
pnFlashGames -- pnFlashGames | SQL injection vulnerability in index.php in the pnFlashGames 1.5 module for PostNuke allows remote attackers to execute arbitrary SQL commands via the cid parameter. | 7.0 | CVE-2007-2427 MILW0RM BID
Ruben Boelinger -- myflash | PHP remote file inclusion vulnerability in myflash-button.php in the myflash 1.00 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter. | 7.0 | CVE-2007-2485 MILW0RM OTHER-REF BID FRSIRT XF
Sphider -- Sphider | ** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Sphider 1.2.x allows remote attackers to execute arbitrary PHP code via a URL in the include_dir parameter. NOTE: a third party disputes this vulnerability, stating that "the application is not vulnerable to this issue." | 7.0 | CVE-2007-2411 BUGTRAQ BID BUGTRAQ XF
Sun -- JRE; Sun -- SDK; Sun -- Java Enterprise System | Sun Java Web Start in JDK and JRE 5.0 Update 10 and earlier, and Java Web Start in SDK and JRE 1.4.2_13 and earlier, allows remote attackers to perform unauthorized actions via an application that grants privileges to itself, related to "Incorrect Use of System Classes" and probably related to support for JNLP files. | 7.0 | CVE-2007-2435 SUNALERT BID FRSIRT SECUNIA SECTRACK XF
Symantec -- LiveState Recovery; Symantec -- Ghost; Symantec -- BackupExec System Recovery; Symantec -- Norton Save & Recovery | Buffer overflow in Ghost Service Manager, as used in Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, allows local users to gain privileges via a long string. | 7.0 | CVE-2007-2359 IDEFENSE OTHER-REF SECTRACK XF
Symantec -- Enterprise Security Manager | The agent remote upgrade interface in Symantec Enterprise Security Manager (ESM) before 20070405 does not verify the authenticity of upgrades, which allows remote attackers to execute arbitrary code via software that implements the agent upgrade protocol. | 10.0 | CVE-2007-2375 OTHER-REF BID SECUNIA
Tecnick.com -- TCExam | Dynamic variable evaluation vulnerability in shared/config/tce_config.php in TCExam 4.0.011 and earlier allows remote attackers to conduct cross-site scripting (XSS) and possibly other attacks by modifying critical variables such as $_SERVER, as demonstrated by injecting web script via the _SERVER[SCRIPT_NAME] parameter. | 7.0 | CVE-2007-2431 MILW0RM OTHER-REF VIM
The GIMP Team -- GIMP | Stack-based buffer overflow in the set_color_table function in sunras.c in the SUNRAS plugin in Gimp 2.2.14 allows user-assisted remote attackers to execute arbitrary code via a crafted RAS file. | 8.0 | CVE-2007-2356 MILW0RM BID SECUNIA XF OTHER-REF FRSIRT
The Merchant Project -- The Merchant | PHP remote file inclusion vulnerability in help/index.php in The Merchant (themerchant) 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the show parameter. | 7.0 | CVE-2007-2424 MILW0RM
Tony Cook -- Imager | Heap-based buffer overflow in Imager before 0.57 allows remote attackers to cause a denial of service (application abort) and possibly execute arbitrary code via compressed 8-bit BMP files. | 10.0 | CVE-2007-2413 OTHER-REF OTHER-REF SECUNIA BID FRSIRT
Turnkey Web Tools -- SunShop Shopping Cart | Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tools SunShop Shopping Cart 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the abs_path parameter to (1) include/payment/payflow_pro.php, (2) global.php, or (3) libsecure.php, different vectors than CVE-2007-2070. | 7.0 | CVE-2007-2474 BUGTRAQ BID
VIM Development Group -- VIM | The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines. | 8.0 | CVE-2007-2438 MLIST MLIST OTHER-REF OTHER-REF OTHER-REF OTHER-REF BUGTRAQ BID FRSIRT SECUNIA
WF-Links -- WF-Links | SQL injection vulnerability in viewcat.php in the WF-Links (wflinks) 1.03 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter. | 7.0 | CVE-2007-2373 MILW0RM
Wildbits -- myGallery | PHP remote file inclusion vulnerability in myfunctions/mygallerybrowser.php in the myGallery 1.4b4 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the myPath parameter. | 7.0 | CVE-2007-2426 MILW0RM BID FRSIRT SECUNIA XF
Xoops -- John Mordo Jobs Module | SQL injection vulnerability in index.php in the John Mordo Jobs 2.4 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a jobsview action. NOTE: the module name was originally reported as Job Listings. | 7.0 | CVE-2007-2370 MILW0RM VIM
Medium Vulnerabilities
Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info
---|---|---|---
Apple -- Mac OS X Server | The Apple Security Update 2007-004 uses an incorrect configuration file for FTPServer in Apple Mac OS X Server 10.4.9, which might allow remote authenticated users to access additional directories. | 4.0 | CVE-2007-0745 APPLE
Corel -- Paint Shop Pro Photo | Buffer overflow in Corel Paint Shop Pro 11.20 allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file. | 4.8 | CVE-2007-2366 MILW0RM BID FRSIRT SECUNIA XF
Don Moore -- MyDNS | Multiple buffer overflows in MyDNS 1.1.0 allow remote attackers to (1) cause a denial of service (daemon crash) and possibly execute arbitrary code via a certain update, which triggers a heap-based buffer overflow in update.c; and (2) cause a denial of service (daemon crash) via unspecified vectors that trigger an off-by-one stack-based buffer overflow in update.c. | 6.0 | CVE-2007-2362 FULLDISC OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF
EMC -- RSA Security SiteKey | EMC RSA Security SiteKey allows remote attackers to display the correct image via a man-in-the-middle (MITM) attack in which an attacker-controlled server proxies authentication data to and from a legitimate SiteKey server. NOTE: the vendor disputes the severity of the issue, stating that it is easier to monitor this attack than "attacks against static web pages." | 6.0 | CVE-2006-7199 OTHER-REF OTHER-REF OTHER-REF
EMC -- RSA Security SiteKey | EMC RSA Security SiteKey issues challenge-bypass tokens that persist forever without a cancellation interface for end users, which makes it easier for attackers to bypass one stage of authentication by stealing and replaying a token. | 6.0 | CVE-2006-7200 OTHER-REF OTHER-REF
freePBX -- freePBX | admin/config.php in the music-on-hold module in freePBX 2.2.x allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the del parameter. | 4.2 | CVE-2007-2350 FULLDISC FRSIRT SECUNIA
IrfanView -- IrfanView | Buffer overflow in IrfanView 4.00 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted .IFF file. | 4.8 | CVE-2007-2363 MILW0RM BID XF FRSIRT SECUNIA
Linux -- Kernel | The _udp_lib_get_port function in net/ipv4/udp.c in Linux kernel 2.6.21 and earlier does not prevent a bind to a port with a local address when there is already a bind to that port with a wildcard local address, which might allow local users to intercept local traffic for daemons or other applications. | 4.9 | CVE-2007-2480 OTHER-REF
Parallels -- Parallels Desktop | Heap-based buffer overflow in the VGA device in Parallels allows local users, with root access to the guest operating system, to terminate the virtual machine and possibly execute arbitrary code in the host operating system via unspecified vectors related to bitblt operations. | 4.2 | CVE-2007-2454 OTHER-REF
Ruben Boelinger -- wordTube | PHP remote file inclusion vulnerability in wordtube-button.php in the wordTube 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter. | 5.6 | CVE-2007-2481 BUGTRAQ MILW0RM OTHER-REF BID FRSIRT SECUNIA XF
Ruben Boelinger -- wordTube | Directory traversal vulnerability in wordtube-button.php in the wordTube 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the wpPATH parameter. | 5.6 | CVE-2007-2482 BUGTRAQ MILW0RM OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF
Ruben Boelinger -- wp-Table | PHP remote file inclusion vulnerability in js/wptable-button.php in the wp-Table 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter. | 5.6 | CVE-2007-2484 MILW0RM OTHER-REF FRSIRT SECUNIA XF
SineCMS -- SineCMS | Cross-site scripting (XSS) vulnerability in mods/Core/result.php in SineCms 2.3.4 allows remote attackers to inject arbitrary web script or HTML via the stringa parameter. | 5.6 | CVE-2007-2357 BUGTRAQ BID FRSIRT SECUNIA XF
Symantec -- LiveState Recovery; Symantec -- Ghost; Symantec -- BackupExec System Recovery; Symantec -- Norton Save & Recovery | Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, when remote backups of restore point images are configured, encrypt network share credentials with a key formed by a hash of the username, which allows local users to obtain the credentials by calculating the key. | 4.2 | CVE-2007-2360 IDEFENSE OTHER-REF SECTRACK
VMWare -- VMWare Workstation | VMware Workstation before 5.5.4, when running a 64-bit Windows guest on a 64-bit host, allows local users to "corrupt the virtual machine's register context" by debugging a local program and stepping into a "syscall instruction." | 4.9 | CVE-2007-1876 OTHER-REF
Xscreensaver -- Xscreensaver | XScreenSaver 4.10, when using a remote directory service for credentials, allows local users to bypass authentication by preventing network connectivity, which causes XScreenSaver to crash and unlock the screen. | 4.9 | CVE-2007-1859 REDHAT
Low Vulnerabilities
Primary Vendor -- Product | Description | CVSS Score | Source & Patch Info
---|---|---|---
Apache Software Foundation -- Axis | Apache Axis 1.0 allows remote attackers to obtain sensitive information by requesting a non-existent WSDL file, which reveals the installation path in the resulting exception message. | 3.3 | CVE-2007-2353 VIM BID OSVDB
Blackdot -- Imageview | Directory traversal vulnerability in fileview.php in Imageview 5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the album parameter. | 2.3 | CVE-2007-2425 MILW0RM
Cerulean Studios -- Trillian Pro | Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers to obtain potentially sensitive information via long CTCP PING messages that contain UTF-8 characters, which generates a malformed response that is not truncated by a newline, which can cause portions of a server message to be sent to the attacker. | 3.3 | CVE-2007-2479 IDEFENSE OTHER-REF BID FRSIRT SECTRACK SECUNIA XF XF
Cisco -- PIX; Cisco -- Adaptive Security Appliance | The DHCP relay agent in Cisco Adaptive Security Appliance (ASA) and PIX 7.2 allows remote attackers to cause a denial of service (dropped packets) via a DHCPREQUEST or DHCPINFORM message that causes multiple DHCPACK messages to be sent from DHCP servers to the agent, which consumes the memory allocated for a local buffer. NOTE: this issue only occurs when multiple DHCP servers are used. | 3.3 | CVE-2007-2461 CISCO CERT-VN BID
Cisco -- PIX; Cisco -- Adaptive Security Appliance | Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) and PIX 7.1 before 7.1(2)49 and 7.2 before 7.2(2)17 allows remote attackers to cause a denial of service (device reload) via unknown vectors related to VPN connection termination and password expiry. | 3.3 | CVE-2007-2463 CISCO BID
Cisco -- PIX; Cisco -- Adaptive Security Appliance | Race condition in Cisco Adaptive Security Appliance (ASA) and PIX 7.1 before 7.1(2)49 and 7.2 before 7.2(2)19, when using "clientless SSL VPNs," allows remote attackers to cause a denial of service (device reload) via "non-standard SSL sessions." | 2.7 | CVE-2007-2464 CISCO BID
Clam Anti-Virus -- ClamAV | The PDF handler in Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service via a crafted PDF file, resulting in a "file descriptor leak". | 3.3 | CVE-2007-2029 DEBIAN BID SECUNIA
Dojo Toolkit -- Dojo Toolkit | The Dojo framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | 3.3 | CVE-2007-2376 OTHER-REF
Fabrice Bellard -- QEMU | QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction. | 2.3 | CVE-2007-1322 OTHER-REF DEBIAN BID FRSIRT SECUNIA SECUNIA
Fabrice Bellard -- QEMU | QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by "aam 0x0," which triggers a divide-by-zero error. | 2.3 | CVE-2007-1366 MLIST MLIST OTHER-REF DEBIAN BID FRSIRT SECUNIA SECUNIA
FileRun -- FileRun | Multiple cross-site scripting (XSS) vulnerabilities in index.php in FileRun 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) module, or (3) section parameter. | 3.7 | CVE-2007-2470 OTHER-REF BID SECUNIA
Getahead -- Direct Web Remoting | The Getahead Direct Web Remoting (DWR) framework 1.1.4 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | 3.3 | CVE-2007-2377 OTHER-REF
Google -- Google Web Toolkit | The Google Web Toolkit (GWT) framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | 3.3 | CVE-2007-2378 OTHER-REF
HP -- OpenVMS | Unspecified vulnerability in HP OpenVMS for Integrity Servers 8.2-1 and 8.3 allows local users to cause a denial of service (crash) via "Program actions relating to exceptions." | 2.3 | CVE-2007-2468 OTHER-REF OTHER-REF BID FRSIRT SECUNIA XF
Invision Power Services -- Invision Power Board | Cross-site scripting (XSS) vulnerability in Invision Power Board (IP.Board) 2.1.x and 2.2.x allows remote attackers to inject arbitrary web script or HTML by uploading crafted images or PDF files. | 3.7 | CVE-2007-2349 OTHER-REF FRSIRT SECUNIA XF
ISC -- BIND | Unspecified vulnerability in query.c in ISC BIND 9.4.0, and 9.5.0a1 through 9.5.0a3, when recursion is enabled, allows remote attackers to cause a denial of service (daemon exit) via a sequence of queries processed by the query_addsoa function. | 2.7 | CVE-2007-2241 OTHER-REF FRSIRT SECTRACK SECUNIA
jQuery -- jQuery | The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | 3.3 | CVE-2007-2379 OTHER-REF
Mad4Milk -- Moo.fx | The Moo.fx framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | 3.3 | CVE-2007-2382 OTHER-REF
Microsoft -- Atlas framework | The Microsoft Atlas framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | 3.3 | CVE-2007-2380 OTHER-REF
Mochikit -- MochiKit Framework | The MochiKit framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | 3.3 | CVE-2007-2381 OTHER-REF
MoinMoin -- MoinMoin | Cross-site scripting (XSS) vulnerability in index.php in MoinMoin 1.5.7 allows remote attackers to inject arbitrary web script or HTML via the do parameter in an AttachFile action, a different vulnerability than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 3.7 | CVE-2007-2423 BID
Motobit -- Motobit | Directory traversal vulnerability in download.asp in Motobit 1.3 and 1.5 (aka PStruh-CZ) allows remote attackers to read arbitrary files via a .. (dot dot) in the File parameter. | 2.3 | CVE-2007-2486 MILW0RM XF
myServer -- myServer | MyServer before 0.8.8 allows remote attackers to cause a denial of service via unspecified vectors. | 3.3 | CVE-2007-2414 OTHER-REF OTHER-REF SECUNIA BID XF
Novell -- eDirectory | ncp in Novell eDirectory before 8.7.3 SP9, and 8.8.x before 8.8.1 FTF2, does not properly handle NCP fragments with a negative length, which allows remote attackers to cause a denial of service (daemon crash) when the heap is written to a log file. | 3.3 | CVE-2006-4520 IDEFENSE OTHER-REF BID FRSIRT SECTRACK XF
Parallels -- Parallels Desktop | Parallels allows local users to cause a denial of service (virtual machine abort) via (1) certain INT instructions, as demonstrated by INT 0xAA; (2) an IRET instruction when an invalid address is at the top of the stack; (3) a malformed MOVNTI instruction, as demonstrated by using a register as a destination; or a write operation to (4) SEGR6 or (5) SEGR7. | 3.3 | CVE-2007-2455 OTHER-REF
PHP -- PHP; webSPELL -- webSPELL | Directory traversal vulnerability in picture.php in WebSPELL 4.01.02 and earlier, when PHP before 4.3.0 is used, allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter. | 3.3 | CVE-2007-2369 MILW0RM
Pi3Web -- Pi3Web Web Server | Pi3Web Web Server 2.0.3 PL1 allows remote attackers to cause a denial of service (application exit) via a long URI. NOTE: as of 20070429, the vendor was unable to reproduce this issue, stating "Couldn't reproduce any crash." |
| 3.3 | CVE-2007-2415 OTHER-REF BID SECUNIA FRSIRT XF | ||
Progress -- WebSpeed Messenger | Progress Webspeed Messenger allows remote attackers to obtain sensitive information via a WService parameter containing "wsbroker1/webutil/about.r", which reveals the operating system and product information. |
| 3.3 | CVE-2007-2354 BUGTRAQ OTHER-REF | ||
PrototypeJS -- Prototype framework | The Prototype (prototypejs) framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." |
| 3.3 | CVE-2007-2383 OTHER-REF | ||
Red Hat -- Red Hat Enterprise Linux Desktop Red Hat -- Red Hat Enterprise Linux Desktop Workstation Red Hat -- Red Hat Enterprise Linux Linux -- Kernel | Unspecified vulnerability in the utrace support for Linux kernel 2.6.18, and other versions, allows local users to cause a denial of service |
| 2.3 | CVE-2007-0771 REDHAT BID SECTRACK SECUNIA | ||
rPath -- rPath Linux -- Kernel | The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel before 2.6.20.8 allows local users to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow. |
| 2.3 | CVE-2007-2436 OTHER-REF BID FRSIRT SECUNIA | ||
Script.aculo.us -- Script.aculo.us | The Script.aculo.us framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." |
| 3.3 | CVE-2007-2384 OTHER-REF | ||
Seir Anphin -- Seir Anphin | ** DISPUTED ** Directory traversal vulnerability in modules/file.php in Seir Anphin allows remote attackers to obtain sensitive information via a .. (dot dot) in the a[filepath] parameter. NOTE: a third party has disputed this issue because the a array is populated by a database query before use. |
| 3.3 | CVE-2007-2412 BUGTRAQ VIM XF | ||
Sendcard -- Sendcard | Directory traversal vulnerability in sendcard.php in Sendcard 3.4.1 and earlier allows remote attackers to read arbitrary files via a full pathname in the form parameter. |
| 2.3 | CVE-2007-2471 MILW0RM SECUNIA XF | ||
Sendcard -- Sendcard | Cross-site scripting (XSS) vulnerability in sendcard.php in Sendcard 3.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the form parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 1.9 | CVE-2007-2472 SECUNIA | ||
Sun -- Solaris | Unspecified vulnerability in Sun Solaris 9, when Solaris Auditing (BSM) is enabled for file read, write, attribute modify, create, or delete audit classes, allows local users to cause a denial of service (panic) via unknown vectors, possibly related to the audit_savepath function. |
| 1.9 | CVE-2007-2465 SUNALERT BID FRSIRT SECTRACK SECUNIA XF | ||
Sun -- Java System Directory Server Sun -- ONE Directory Server | Unspecified vulnerability in the LDAP Software Development Kit (SDK) for C, as used in Sun Java System Directory Server 5.2 up to Patch 4 and Sun ONE Directory Server 5.1, allows remote attackers to cause a denial of service (crash) via certain BER encodings. |
| 3.3 | CVE-2007-2466 SUNALERT BID FRSIRT SECTRACK SECUNIA XF | ||
Symantec -- LiveState Recovery Symantec -- Ghost Symantec -- BackupExec System Recovery Symantec -- Norton Save & Recovery | Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, when remote backups of restore points images are configured, uses weak permissions (world readable) for a configuration file with network share credentials, which allows local users to obtain the credentials by reading the file. |
| 2.3 | CVE-2007-2361 IDEFENSE OTHER-REF SECTRACK XF | ||
Tecnick.com -- TCExam | shared/code/tce_tmx.php in TCExam 4.0.011 and earlier allows remote attackers to create arbitrary PHP files in cache/ by placing file contents and directory traversal manipulations into a SessionUserLang cookie to public/code/index.php. |
| 3.3 | CVE-2007-2430 MILW0RM OTHER-REF | ||
Tony Cook -- Imager | Buffer overflow in the read_4bit_bmp function in bmp.c in Imager 0.56 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via 4-bit/pixel BMP files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 3.3 | CVE-2007-2459 FRSIRT | ||
VMWare -- VMWare Workstation | The memory management in VMware Workstation before 5.5.4 allows attackers to cause a denial of service (Windows virtual machine crash) by triggering certain general protection faults (GPF). |
| 3.3 | CVE-2007-1069 OTHER-REF | ||
VMWare -- VMWare Workstation | The virtual machine process (VMX) in VMware Workstation before 5.5.4 does not properly read state information when moving from the ACPI sleep state to the run state, which allows attackers to cause a denial of service (virtual machine reboot) via unknown vectors. |
| 3.3 | CVE-2007-1337 OTHER-REF XF | ||
VMWare -- VMWare Workstation | Directory traversal vulnerability in the Shared Folders feature for VMware Workstation before 5.5.4, when a folder is shared, allows users on the guest system to write to arbitrary files on the host system via the "Backdoor I/O Port" interface. |
| 3.7 | CVE-2007-1744 IDEFENSE OTHER-REF BID SECTRACK | ||
VMWare -- VMWare Workstation | VMware Workstation before 5.5.4 allows attackers to cause a denial of service against the guest OS by causing the virtual machine process (VMX) to store malformed configuration information. |
| 3.3 | CVE-2007-1877 OTHER-REF | ||
webSPELL -- webSPELL | picture.php in WebSPELL 4.01.02 and earlier allows remote attackers to read arbitrary files via the file parameter. |
| 3.3 | CVE-2007-2368 MILW0RM | ||
Wserve HTTP Server -- Wserve HTTP Server | Buffer overflow in wserve_console.exe in Wserve HTTP Server (whttp) 4.6 allows remote attackers to cause a denial of service (forced application exit) via a long directory name in the URI. |
| 3.3 | CVE-2007-2367 BUGTRAQ BID | ||
X.Org -- Xserver X.Org -- X Window System | The X render (Xrender) extension in X.org X Window System 7.0, 7.1, and 7.2, with Xserver 1.3.0 and earlier, allows remote authenticated users to cause a denial of service (daemon crash) via crafted values to the (1) XRenderCompositeTrapezoids and (2) XRenderAddTraps functions, which trigger a divide-by-zero error. |
| 2.0 | CVE-2007-2437 OTHER-REF SECTRACK XF | ||
Yahoo! -- Yahoo UI framework | The Yahoo! UI framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." |
| 3.3 | CVE-2007-2385 OTHER-REF | ||
Zone Labs -- ZoneAlarm Pro | ZoneAlarm Pro 6.5.737.000, 6.1.744.001, and possibly earlier versions and other products, allows local users to cause a denial of service (system crash) by sending malformed data to the vsdatant device driver, which causes an invalid memory access. |
| 2.3 | CVE-2007-2467 BUGTRAQ OTHER-REF BID FRSIRT SECUNIA |