Vulnerability Summary for the Week of April 30, 2007

Released
May 07, 2007
Document ID
SB07-127

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 



High Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Adobe -- Photoshop
Adobe -- Photoshop Elements
Buffer overflow in Adobe Photoshop CS2 and CS3, and Photoshop Elements 5.0, allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file.
unknown
2007-04-30
8.0
CVE-2007-2365
MILW0RM
BID
FRSIRT
SECUNIA
XF
AFFLIB -- AFFLIB
Multiple stack-based buffer overflows in AFFLIB before 2.2.6 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) a long LastModified value in an S3 XML response in lib/s3.cpp; (2) a long (a) path or (b) bucket in an S3 URL in lib/vnode_s3.cpp; or (3) a long (c) EFW, (d) AFD, or (c) aimage file path. NOTE: the aimage vector (3c) has since been recalled from the researcher's original advisory, since the code is not called in any version of AFFLIB.
unknown
2007-04-30
10.0
CVE-2007-2053
BUGTRAQ
OTHER-REF
BID
XF
AFFLIB -- AFFLIB
Multiple format string vulnerabilities in AFFLIB before 2.2.6 allow remote attackers to execute arbitrary code via certain command line parameters, which are used in (1) warn and (2) err calls in (a) lib/s3.cpp, (b) tools/afconvert.cpp, (c) tools/afcopy.cpp, (d) tools/afinfo.cpp, (e) aimage/aimage.cpp, (f) aimage/imager.cpp, and (g) tools/afxml.cpp. NOTE: the aimage.cpp vector (e) has since been recalled from the researcher's original advisory, since the code is not called in any version of AFFLIB.
unknown
2007-04-30
7.0
CVE-2007-2054
BUGTRAQ
OTHER-REF
XF
AFFLIB -- AFFLIB
AFFLIB 2.2.8 and earlier allows attackers to execute arbitrary commands via shell metacharacters involving (1) certain command line parameters in tools/afconvert.cpp and (2) arguments to the get_parameter function in aimage/ident.cpp. NOTE: it is unknown if the get_parameter vector (2) is ever called.
unknown
2007-04-30
7.0
CVE-2007-2055
BUGTRAQ
OTHER-REF
XF
AFFLIB -- AFFLIB
Multiple format string vulnerabilities in AFFLIB 2.2.6 allow remote attackers to execute arbitrary code via certain command line parameters, which are used in (1) warn and (2) err calls, possibly involving (a) lib/s3.cpp, (b) tools/afconvert.cpp, (c) tools/afcopy.cpp, (d) tools/afinfo.cpp, (e) aimage/imager.cpp, and (f) tools/afxml.cpp. NOTE: this identifier is intended to address the vectors that were not fixed in CVE-2007-2054, but the unfixed vectors were not explicitly listed.
unknown
2007-04-30
10.0
CVE-2007-2352
BUGTRAQ
OTHER-REF
Ahhp-Portal -- Ahhp-Portal
Multiple PHP remote file inclusion vulnerabilities in page.php in Ahhp-Portal allow remote attackers to execute arbitrary PHP code via a URL in the (1) fp or (2) sc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-05-01
7.0
CVE-2007-2428
BID
Ariadne -- Ariadne CMS
Cross-site scripting (XSS) vulnerability in index.php in Ariadne 2.4.1 allows remote attackers to inject arbitrary web script or HTML via the ARLogin parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-05-02
7.0
CVE-2007-2433
SECUNIA
Aventail -- Aventail Connect
Buffer overflow in asnsp.dll in Aventail Connect 4.1.2.13 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a malformed DNS query.
unknown
2007-05-02
10.0
CVE-2007-2434
FULLDISC
BID
XF
b2evolution -- b2evolution
** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in b2evolution allow remote attackers to execute arbitrary PHP code via a URL in the (1) inc_path parameter to (a) a_noskin.php, (b) a_stub.php, (c) admin.php, (d) contact.php, (e) default.php, (f) index.php, and (g) multiblogs.php in blogs/; the (2) view_path and (3) control_path parameters to blogs/admin.php; and the (4) skins_path parameter to (h) blogs/contact.php and (i) blogs/multiblogs.php. NOTE: this issue is disputed by CVE, since the inc_path, view_path, control_path, and skins_path variables are all initialized in conf/_advanced.php before they are used.
unknown
2007-04-30
7.0
CVE-2007-2358
BUGTRAQ
VIM
XF
Burak Yilmaz -- Burak Yilmaz Blog
SQL injection vulnerability in bry.asp in Burak Yilmaz Blog 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2007-05-01
7.0
CVE-2007-2420
BUGTRAQ
BID
XF
Burnstone -- BurnCMS
Multiple PHP remote file inclusion vulnerabilities in burnCMS 0.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the root parameter to (1) mysql.class.php or (2) postgres.class.php in lib/db/; or (3) authuser.php, (4) misc.php, or (5) connect.php in lib/.
unknown
2007-04-30
7.0
CVE-2007-2364
MILW0RM
BID
FRSIRT
XF
Cerulean Studios -- Trillian Pro
Heap-based buffer overflow in the Rendezvous / Extensible Messaging and Presence Protocol (XMPP) component (plugins\rendezvous.dll) for Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers to execute arbitrary code via a message that triggers the overflow from expansion that occurs during encoding.
unknown
2007-05-02
7.0
CVE-2007-2418
OTHER-REF
Cerulean Studios -- Trillian Pro
Multiple heap-based buffer overflows in the IRC component in Cerulean Studios Trillian Pro before 3.1.5.1 allow remote attackers to corrupt memory and possibly execute arbitrary code via (1) a URL with a long UTF-8 string, which triggers the overflow when the user highlights it, or (2) a font HTML tag with a face attribute containing a long UTF-8 string.
unknown
2007-05-02
7.0
CVE-2007-2478
IDEFENSE
OTHER-REF
BID
FRSIRT
SECTRACK
SECUNIA
XF
XF
Cisco -- PIX
Cisco -- Adaptive Security Appliance
Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) and PIX 7.2 before 7.2(2)8, when using Layer 2 Tunneling Protocol (L2TP) or Remote Management Access, allows remote attackers to bypass LDAP authentication and gain privileges via unknown vectors.
unknown
2007-05-02
10.0
CVE-2007-2462
CISCO
CERT-VN
BID
CMS Made Simple -- CMS Made Simple
SQL injection vulnerability in stylesheet.php in CMS Made Simple 1.0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the templateid parameter.
unknown
2007-05-02
7.0
CVE-2007-2473
OTHER-REF
OTHER-REF
BID
SECUNIA
Comdev -- Modules Builder
** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Modules Builder (modbuild) 4.1 for Comdev One Admin allow remote attackers to execute arbitrary PHP code via a URL in the path[docroot] parameter to (1) config-bak.php or (2) config.php. NOTE: CVE disputes this vulnerability because the unmodified scripts set the applicable variable to the empty string; reasonable modified copies would use a fixed pathname string.
unknown
2007-05-01
7.0
CVE-2007-2422
BUGTRAQ
XF
E-Annu -- E-Annu
SQL injection vulnerability in home.php in E-Annu allows remote attackers to execute arbitrary SQL commands via the a parameter.
unknown
2007-05-01
7.0
CVE-2007-2416
BUGTRAQ
BID
XF
EMC -- RSA Security SiteKey
EMC RSA Security SiteKey does not set the secure qualifier on the SiteKey Flash token (aka the PassMark Flash shared object), which might allow remote attackers to obtain the token via HTTP.
unknown
2007-04-30
10.0
CVE-2006-7201
OTHER-REF
OTHER-REF
Fabrice Bellard -- QEMU
Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2 might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.
unknown
2007-05-02
7.0
CVE-2007-1320
OTHER-REF
DEBIAN
BID
FRSIRT
SECUNIA
SECUNIA
FileRun -- FileRun
SQL injection vulnerability in index.php in FileRun 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the fid parameter.
unknown
2007-05-02
7.0
CVE-2007-2469
OTHER-REF
BID
SECUNIA
FireFly -- FireFly
Multiple PHP remote file inclusion vulnerabilities in FireFly 1.1.01 allow remote attackers to execute arbitrary PHP code via a URL in the doc_root parameter to (1) localize.php or (2) config.php in modules/admin/include/.
unknown
2007-05-02
7.0
CVE-2007-2456
MILW0RM
VIM
BID
FRSIRT
FireFly -- FireFly
PHP remote file inclusion vulnerability in modules/admin/include/config.php in FireFly 1.1.01 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the DOCUMENT_ROOT parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-05-02
7.0
CVE-2007-2460
VIM
FRSIRT
Gregory Kokanosky -- phpMyNewsLetter
admin/index.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier provides access to configuration modification before login, which allows remote attackers to cause a denial of service (loss of configuration data), and possibly perform direct static code injection, via a saveGlobalconfig action.
unknown
2007-04-30
10.0
CVE-2007-2371
MILW0RM
BID
Gregory Kokanosky -- phpMyNewsLetter
admin/send_mod.php in Gregory Kokanosky phpMyNewsletter 0.8 beta5 and earlier prints a Location header but does not exit when administrative credentials are missing, which allows remote attackers to compose an e-mail message via a post with the subject, message, format, and list_id fields; and send the message via a direct request for the MsgId value under admin/.
unknown
2007-04-30
10.0
CVE-2007-2372
MILW0RM
BID
Hitachi -- Groupmax Mobile Option
Buffer overflow in Hitachi Groupmax Mobile Option for Mobile-Phone 07-00 through 07-30, 5 for i-mode 05-11 through 05-23, and 6 for EZweb 06-00 through 06-04 allows remote attackers to execute arbitrary code via unspecified vectors.
unknown
2007-05-01
7.0
CVE-2007-2421
OTHER-REF
BID
FRSIRT
SECUNIA
XF
HP -- Power Manager Remote Agent
Unspecified vulnerability in the HP Power Manager Remote Agent (RA) 4.0Build10 and earlier in HP-UX B.11.11 and B.11.23 allows local users to execute arbitrary code via unspecified vectors.
unknown
2007-04-30
7.0
CVE-2007-2351
HP
BID
FRSIRT
SECUNIA
SECTRACK
IBM -- WebSphere Application Server
Unspecified vulnerability in IBM WebSphere Application Server (WAS) before 5.1.1.14, and WAS for z/OS 601 before 6.0.2.13, has unknown impact and attack vectors, related to a "Potential security exposure," aka PK26123.
unknown
2007-04-30
7.0
CVE-2006-7198
OTHER-REF
AIXAPAR
AIXAPAR
FRSIRT
SECTRACK
SECUNIA
XF
ManageEngine -- PasswordManager Pro
ManageEngine PasswordManager Pro (PMP) allows remote attackers to obtain administrative access to a database by injecting a certain command line for the mysql program, as demonstrated by the "-port 2345" and "-u root" arguments. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-05-01
10.0
CVE-2007-2429
BID
Microsoft -- Windows 2000
Microsoft -- Windows Server 2003
Microsoft -- Windows XP
Unspecified vulnerability in Microsoft Windows 2000, XP, and Server 2003 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors. NOTE: this information is based upon a vague pre-advisory with no actionable information. However, the advisory is from a reliable source.
unknown
2007-04-30
8.0
CVE-2007-2374
OTHER-REF
BID
MicroWorld Technologies -- eScan
The MicroWorld Agent service (MWAGENT.EXE) in MicroWorld Technologies eScan 8.0.671.1, and possibly other versions, allows remote or local attackers to gain privileges and execute arbitrary commands by connecting directly to TCP port 2222.
unknown
2007-05-02
10.0
CVE-2007-0655
OTHER-REF
FRSIRT
SECUNIA
Novell -- Novell SecureLogin
Unspecified vulnerability in the ADSCHEMA utility in Novell SecureLogin (NSL) 6 SP1 before 6.0.106 has unknown impact and remote attack vectors, related to granting "users excess permissions to their own attributes."
unknown
2007-05-02
7.0
CVE-2007-2475
NOVELL
FRSIRT
Novell -- Novell SecureLogin
Unspecified vulnerability in Novell SecureLogin (NSL) 6 SP1 before 6.0.106 has unknown impact and remote attack vectors, related to Active Directory (AD) password changes.
unknown
2007-05-02
7.0
CVE-2007-2476
OTHER-REF
FRSIRT
Nukedit -- Nukedit
Cross-site scripting (XSS) vulnerability in utilities/search.asp in nukedit 4.9.7b allows remote attackers to inject arbitrary web script or HTML via the terms parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-05-02
7.0
CVE-2007-2432
BID
SECUNIA
OPeNDAP -- Server3
The get_url function in DODS_Dispatch.pm for the CGI_server in OPeNDAP 3 allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
unknown
2007-04-30
10.0
CVE-2007-2355
OTHER-REF
OTHER-REF
CERT-VN
BID
FRSIRT
SECTRACK
SECUNIA
phpMyChat -- phpMyChat
** DISPUTED ** PHP remote file inclusion vulnerability in phpMyChat.php3 in phpMyChat 0.14.5 allows remote attackers to execute arbitrary PHP code via a URL in the {ChatPath} parameter. NOTE: this has been disputed by multiple third parties and CVE because $ChatPath is set to a constant value.
unknown
2007-05-02
7.0
CVE-2007-2477
BUGTRAQ
BUGTRAQ
VIM
VIM
Pixaria -- Pixaria Gallery
PHP remote file inclusion vulnerability in resources/includes/class.Smarty.php in Pixaria Gallery before 1.4.3 allows remote attackers to execute arbitrary PHP code via a URL in the cfg[sys][base_path] parameter.
unknown
2007-05-02
7.0
CVE-2007-2457
MILW0RM
OTHER-REF
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Pixaria -- Pixaria Gallery
Multiple PHP remote file inclusion vulnerabilities in Pixaria Gallery before 1.4.3 allow remote attackers to execute arbitrary PHP code via a URL in the cfg[sys][base_path] parameter to psg.smarty.lib.php and certain include and library scripts.
unknown
2007-05-02
7.0
CVE-2007-2458
OTHER-REF
OTHER-REF
OTHER-REF
FRSIRT
pnFlashGames -- pnFlashGames
SQL injection vulnerability in index.php in the pnFlashGames 1.5 module for PostNuke allows remote attackers to execute arbitrary SQL commands via the cid parameter.
unknown
2007-05-01
7.0
CVE-2007-2427
MILW0RM
BID
Ruben Boelinger -- myflash
PHP remote file inclusion vulnerability in myflash-button.php in the myflash 1.00 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter.
unknown
2007-05-03
7.0
CVE-2007-2485
MILW0RM
OTHER-REF
BID
FRSIRT
XF
Sphider -- Sphider
** DISPUTED ** PHP remote file inclusion vulnerability in index.php in Sphider 1.2.x allows remote attackers to execute arbitrary PHP code via a URL in the include_dir parameter. NOTE: a third party disputes this vulnerability, stating that "the application is not vulnerable to this issue."
unknown
2007-05-01
7.0
CVE-2007-2411
BUGTRAQ
BID
BUGTRAQ
XF
Sun -- JRE
Sun -- SDK
Sun -- Java Enterprise System
Sun Java Web Start in JDK and JRE 5.0 Update 10 and earlier, and Java Web Start in SDK and JRE 1.4.2_13 and earlier, allows remote attackers to perform unauthorized actions via an application that grants privileges to itself, related to "Incorrect Use of System Classes" and probably related to support for JNLP files.
unknown
2007-05-02
7.0
CVE-2007-2435
SUNALERT
BID
FRSIRT
SECUNIA
SECTRACK
XF
Symantec -- LiveState Recovery
Symantec -- Ghost
Symantec -- BackupExec System Recovery
Symantec -- Norton Save & Recovery
Buffer overflow in Ghost Service Manager, as used in Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, allows local users to gain privileges via a long string.
unknown
2007-04-30
7.0
CVE-2007-2359
IDEFENSE
OTHER-REF
SECTRACK
XF
Symantec -- Enterprise Security Manager
The agent remote upgrade interface in Symantec Enterprise Security Manager (ESM) before 20070405 does not verify the authenticity of upgrades, which allows remote attackers to execute arbitrary code via software that implements the agent upgrade protocol.
unknown
2007-04-30
10.0
CVE-2007-2375
OTHER-REF
BID
SECUNIA
Tecnick.com -- TCExam
Dynamic variable evaluation vulnerability in shared/config/tce_config.php in TCExam 4.0.011 and earlier allows remote attackers to conduct cross-site scripting (XSS) and possibly other attacks by modifying critical variables such as $_SERVER, as demonstrated by injecting web script via the _SERVER[SCRIPT_NAME] parameter.
unknown
2007-05-01
7.0
CVE-2007-2431
MILW0RM
OTHER-REF
VIM
The GIMP Team -- GIMP
Stack-based buffer overflow in the set_color_table function in sunras.c in the SUNRAS plugin in Gimp 2.2.14 allows user-assisted remote attackers to execute arbitrary code via a crafted RAS file.
unknown
2007-04-30
8.0
CVE-2007-2356
MILW0RM
BID
SECUNIA
XF
OTHER-REF
FRSIRT
The Merchant Project -- The Merchant
PHP remote file inclusion vulnerability in help/index.php in The Merchant (themerchant) 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the show parameter.
unknown
2007-05-01
7.0
CVE-2007-2424
MILW0RM
Tony Cook -- Imager
Heap-based buffer overflow in Imager before 0.57 allows remote attackers to cause a denial of service (application abort) and possibly execute arbitrary code via compressed 8-bit BMP files.
unknown
2007-05-01
10.0
CVE-2007-2413
OTHER-REF
OTHER-REF
SECUNIA
BID
FRSIRT
Turnkey Web Tools -- SunShop Shopping Cart
Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tools SunShop Shopping Cart 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the abs_path parameter to (1) include/payment/payflow_pro.php, (2) global.php, or (3) libsecure.php, different vectors than CVE-2007-2070.
unknown
2007-05-02
7.0
CVE-2007-2474
BUGTRAQ
BID
VIM Development Group -- VIM
The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines.
unknown
2007-05-02
8.0
CVE-2007-2438
MLIST
MLIST
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BUGTRAQ
BID
FRSIRT
SECUNIA
WF-Links -- WF-Links
SQL injection vulnerability in viewcat.php in the WF-Links (wflinks) 1.03 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter.
unknown
2007-04-30
7.0
CVE-2007-2373
MILW0RM
Wildbits -- myGallery
PHP remote file inclusion vulnerability in myfunctions/mygallerybrowser.php in the myGallery 1.4b4 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the myPath parameter.
unknown
2007-05-01
7.0
CVE-2007-2426
MILW0RM
BID
FRSIRT
SECUNIA
XF
Xoops -- John Mordo Jobs Module
SQL injection vulnerability in index.php in the John Mordo Jobs 2.4 and earlier module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a jobsview action. NOTE: the module name was originally reported as Job Listings.
unknown
2007-04-30
7.0
CVE-2007-2370
MILW0RM
VIM


Medium Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Apple -- Mac OS X Server
The Apple Security Update 2007-004 uses an incorrect configuration file for FTPServer in Apple Mac OS X Server 10.4.9, which might allow remote authenticated users to access additional directories.
unknown
2007-05-02
4.0
CVE-2007-0745
APPLE
Corel -- Paint Shop Pro Photo
Buffer overflow in Corel Paint Shop Pro 11.20 allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file.
unknown
2007-04-30
4.8
CVE-2007-2366
MILW0RM
BID
FRSIRT
SECUNIA
XF
Don Moore -- MyDNS
Multiple buffer overflows in MyDNS 1.1.0 allow remote attackers to (1) cause a denial of service (daemon crash) and possibly execute arbitrary code via a certain update, which triggers a heap-based buffer overflow in update.c; and (2) cause a denial of service (daemon crash) via unspecified vectors that trigger an off-by-one stack-based buffer overflow in update.c.
unknown
2007-04-30
6.0
CVE-2007-2362
FULLDISC
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
XF
EMC -- RSA Security SiteKey
EMC RSA Security SiteKey allows remote attackers to display the correct image via a man-in-the-middle (MITM) attack in which an attacker-controlled server proxies authentication data to and from a legitimate SiteKey server. NOTE: the vendor disputes the severity of the issue, stating that it is easier to monitor this attack than "attacks against static web pages."
unknown
2007-04-30
6.0
CVE-2006-7199
OTHER-REF
OTHER-REF
OTHER-REF
EMC -- RSA Security SiteKey
EMC RSA Security SiteKey issues challenge-bypass tokens that persist forever without a cancellation interface for end users, which makes it easier for attackers to bypass one stage of authentication by stealing and replaying a token.
unknown
2007-04-30
6.0
CVE-2006-7200
OTHER-REF
OTHER-REF
freePBX -- freePBX
admin/config.php in the music-on-hold module in freePBX 2.2.x allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the del parameter.
unknown
2007-04-30
4.2
CVE-2007-2350
FULLDISC
FRSIRT
SECUNIA
IrfanView -- IrfanView
Buffer overflow in IrfanView 4.00 and earlier allows user-assisted remote attackers to execute arbitrary code via a crafted .IFF file.
unknown
2007-04-30
4.8
CVE-2007-2363
MILW0RM
BID
XF
FRSIRT
SECUNIA
Linux -- Kernel
The _udp_lib_get_port function in net/ipv4/udp.c in Linux kernel 2.6.21 and earlier does not prevent a bind to a port with a local address when there is already a bind to that port with a wildcard local address, which might allow local users to intercept local traffic for daemons or other applications.
unknown
2007-05-03
4.9
CVE-2007-2480
OTHER-REF
Parallels -- Parallels Desktop
Heap-based buffer overflow in the VGA device in Parallels allows local users, with root access to the guest operating system, to terminate the virtual machine and possibly execute arbitrary code in the host operating system via unspecified vectors related to bitblt operations.
unknown
2007-05-02
4.2
CVE-2007-2454
OTHER-REF
Ruben Boelinger -- wordTube
PHP remote file inclusion vulnerability in wordtube-button.php in the wordTube 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter.
unknown
2007-05-03
5.6
CVE-2007-2481
BUGTRAQ
MILW0RM
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Ruben Boelinger -- wordTube
Directory traversal vulnerability in wordtube-button.php in the wordTube 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the wpPATH parameter.
unknown
2007-05-03
5.6
CVE-2007-2482
BUGTRAQ
MILW0RM
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Ruben Boelinger -- wp-Table
PHP remote file inclusion vulnerability in js/wptable-button.php in the wp-Table 1.43 and earlier plugin for WordPress, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the wpPATH parameter.
unknown
2007-05-03
5.6
CVE-2007-2484
MILW0RM
OTHER-REF
FRSIRT
SECUNIA
XF
SineCMS -- SineCMS
Cross-site scripting (XSS) vulnerability in mods/Core/result.php in SineCms 2.3.4 allows remote attackers to inject arbitrary web script or HTML via the stringa parameter.
unknown
2007-04-30
5.6
CVE-2007-2357
BUGTRAQ
BID
FRSIRT
SECUNIA
XF
Symantec -- LiveState Recovery
Symantec -- Ghost
Symantec -- BackupExec System Recovery
Symantec -- Norton Save & Recovery
Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, when remote backups of restore point images are configured, encrypt network share credentials with a key formed by a hash of the username, which allows local users to obtain the credentials by calculating the key.
unknown
2007-04-30
4.2
CVE-2007-2360
IDEFENSE
OTHER-REF
SECTRACK
VMWare -- VMWare Workstation
VMware Workstation before 5.5.4, when running a 64-bit Windows guest on a 64-bit host, allows local users to "corrupt the virtual machine's register context" by debugging a local program and stepping into a "syscall instruction."
unknown
2007-05-02
4.9
CVE-2007-1876
OTHER-REF
Xscreensaver -- Xscreensaver
XScreenSaver 4.10, when using a remote directory service for credentials, allows local users to bypass authentication by preventing network connectivity, which causes XScreenSaver to crash and unlock the screen.
unknown
2007-05-02
4.9
CVE-2007-1859
REDHAT


Low Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Apache Software Foundation -- Axis
Apache Axis 1.0 allows remote attackers to obtain sensitive information by requesting a non-existent WSDL file, which reveals the installation path in the resulting exception message.
unknown
2007-04-30
3.3
CVE-2007-2353
VIM
BID
OSVDB
Blackdot -- Imageview
Directory traversal vulnerability in fileview.php in Imageview 5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the album parameter.
unknown
2007-05-01
2.3
CVE-2007-2425
MILW0RM
Cerulean Studios -- Trillian Pro
Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers to obtain potentially sensitive information via long CTCP PING messages that contain UTF-8 characters, which generates a malformed response that is not truncated by a newline, which can cause portions of a server message to be sent to the attacker.
unknown
2007-05-02
3.3
CVE-2007-2479
IDEFENSE
OTHER-REF
BID
FRSIRT
SECTRACK
SECUNIA
XF
XF
Cisco -- PIX
Cisco -- Adaptive Security Appliance
The DHCP relay agent in Cisco Adaptive Security Appliance (ASA) and PIX 7.2 allows remote attackers to cause a denial of service (dropped packets) via a DHCPREQUEST or DHCPINFORM message that causes multiple DHCPACK messages to be sent from DHCP servers to the agent, which consumes the memory allocated for a local buffer. NOTE: this issue only occurs when multiple DHCP servers are used.
unknown
2007-05-02
3.3
CVE-2007-2461
CISCO
CERT-VN
BID
Cisco -- PIX
Cisco -- Adaptive Security Appliance
Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) and PIX 7.1 before 7.1(2)49 and 7.2 before 7.2(2)17 allows remote attackers to cause a denial of service (device reload) via unknown vectors related to VPN connection termination and password Expiry.
unknown
2007-05-02
3.3
CVE-2007-2463
CISCO
BID
Cisco -- PIX
Cisco -- Adaptive Security Appliance
Race condition in Cisco Adaptive Security Appliance (ASA) and PIX 7.1 before 7.1(2)49 and 7.2 before 7.2(2)19, when using "clientless SSL VPNs," allows remote attackers to cause a denial of service (device reload) via "non-standard SSL sessions."
unknown
2007-05-02
2.7
CVE-2007-2464
CISCO
BID
Clam Anti-Virus -- ClamAV
The PDF handler in Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service via a crafted PDF file, resulting in a "file descriptor leak".
unknown
2007-04-30
3.3
CVE-2007-2029
DEBIAN
BID
SECUNIA
Dojo Toolkit -- Dojo Toolkit
The Dojo framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2376
OTHER-REF
Fabrice Bellard -- QEMU
QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction.
unknown
2007-05-02
2.3
CVE-2007-1322
OTHER-REF
DEBIAN
BID
FRSIRT
SECUNIA
SECUNIA
Fabrice Bellard -- QEMU
QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by "aam 0x0," which triggers a divide-by-zero error.
unknown
2007-05-02
2.3
CVE-2007-1366
MLIST
MLIST
OTHER-REF
DEBIAN
BID
FRSIRT
SECUNIA
SECUNIA
FileRun -- FileRun
Multiple cross-site scripting (XSS) vulnerabilities in index.php in FileRun 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) module, or (3) section parameter.
unknown
2007-05-02
3.7
CVE-2007-2470
OTHER-REF
BID
SECUNIA
Getahead -- Direct Web Remoting
The Getahead Direct Web Remoting (DWR) framework 1.1.4 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2377
OTHER-REF
Google -- Google Web Toolkit
The Google Web Toolkit (GWT) framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2378
OTHER-REF
HP -- OpenVMS
Unspecified vulnerability in HP OpenVMS for Integrity Servers 8.2-1 and 8.3 allows local users to cause a denial of service (crash) via "Program actions relating to exceptions."
unknown
2007-05-02
2.3
CVE-2007-2468
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Invision Power Services -- Invision Power Board
Cross-site scripting (XSS) vulnerability in Invision Power Board (IP.Board) 2.1.x and 2.2.x allows remote attackers to inject arbitrary web script or HTML by uploading crafted images or PDF files.
unknown
2007-04-30
3.7
CVE-2007-2349
OTHER-REF
FRSIRT
SECUNIA
XF
ISC -- BIND
Unspecified vulnerability in query.c in ISC BIND 9.4.0, and 9.5.0a1 through 9.5.0a3, when recursion is enabled, allows remote attackers to cause a denial of service (daemon exit) via a sequence of queries processed by the query_addsoa function.
unknown
2007-05-02
2.7
CVE-2007-2241
OTHER-REF
FRSIRT
SECTRACK
SECUNIA
jQuery -- jQuery
The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2379
OTHER-REF
Mad4Milk -- Moo.fx
The Moo.fx framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2382
OTHER-REF
Microsoft -- Atlas framework
The Microsoft Atlas framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2380
OTHER-REF
Mochikit -- MochiKit Framework
The MochiKit framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2381
OTHER-REF
MoinMoin -- MoinMoin
Cross-site scripting (XSS) vulnerability in index.php in MoinMoin 1.5.7 allows remote attackers to inject arbitrary web script or HTML via the do parameter in an AttachFile action, a different vulnerability than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-05-01
3.7
CVE-2007-2423
BID
Motobit -- Motobit
Directory traversal vulnerability in download.asp in Motobit 1.3 and 1.5 (aka PStruh-CZ) allows remote attackers to read arbitrary files via a .. (dot dot) in the File parameter.
unknown
2007-05-03
2.3
CVE-2007-2486
MILW0RM
XF
myServer -- myServer
MyServer before 0.8.8 allows remote attackers to cause a denial of service via unspecified vectors.
unknown
2007-05-01
3.3
CVE-2007-2414
OTHER-REF
OTHER-REF
SECUNIA
BID
XF
Novell -- eDirectory
ncp in Novell eDirectory before 8.7.3 SP9, and 8.8.x before 8.8.1 FTF2, does not properly handle NCP fragments with a negative length, which allows remote attackers to cause a denial of service (daemon crash) when the heap is written to a log file.
unknown
2007-04-30
3.3
CVE-2006-4520
IDEFENSE
OTHER-REF
BID
FRSIRT
SECTRACK
XF
Parallels -- Parallels Desktop
Parallels allows local users to cause a denial of service (virtual machine abort) via (1) certain INT instructions, as demonstrated by INT 0xAA; (2) an IRET instruction when an invalid address is at the top of the stack; (3) a malformed MOVNTI instruction, as demonstrated by using a register as a destination; or a write operation to (4) SEGR6 or (5) SEGR7.
unknown
2007-05-02
3.3
CVE-2007-2455
OTHER-REF
PHP -- PHP
webSPELL -- webSPELL
Directory traversal vulnerability in picture.php in WebSPELL 4.01.02 and earlier, when PHP before 4.3.0 is used, allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter.
unknown
2007-04-30
3.3
CVE-2007-2369
MILW0RM
Pi3Web -- Pi3Web Web Server
Pi3Web Web Server 2.0.3 PL1 allows remote attackers to cause a denial of service (application exit) via a long URI. NOTE: as of 20070429, the vendor was unable to reproduce this issue, stating "Couldn't reproduce any crash."
unknown
2007-05-01
3.3
CVE-2007-2415
OTHER-REF
BID
SECUNIA
FRSIRT
XF
Progress -- WebSpeed Messenger
Progress Webspeed Messenger allows remote attackers to obtain sensitive information via a WService parameter containing "wsbroker1/webutil/about.r", which reveals the operating system and product information.
unknown
2007-04-30
3.3
CVE-2007-2354
BUGTRAQ
OTHER-REF
PrototypeJS -- Prototype framework
The Prototype (prototypejs) framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2383
OTHER-REF
Red Hat -- Red Hat Enterprise Linux Desktop
Red Hat -- Red Hat Enterprise Linux Desktop Workstation
Red Hat -- Red Hat Enterprise Linux
Linux -- Kernel
Unspecified vulnerability in the utrace support for Linux kernel 2.6.18, and other versions, allows local users to cause a denial of service
unknown
2007-05-02
2.3
CVE-2007-0771
REDHAT
BID
SECTRACK
SECUNIA
rPath -- rPath
Linux -- Kernel
The nl_fib_lookup function in net/ipv4/fib_frontend.c in Linux Kernel before 2.6.20.8 allows local users to cause a denial of service (kernel panic) via NETLINK_FIB_LOOKUP replies, which trigger infinite recursion and a stack overflow.
unknown
2007-05-02
2.3
CVE-2007-2436
OTHER-REF
BID
FRSIRT
SECUNIA
Script.aculo.us -- Script.aculo.us
The Script.aculo.us framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2384
OTHER-REF
Seir Anphin -- Seir Anphin
** DISPUTED ** Directory traversal vulnerability in modules/file.php in Seir Anphin allows remote attackers to obtain sensitive information via a .. (dot dot) in the a[filepath] parameter. NOTE: a third party has disputed this issue because the a array is populated by a database query before use.
unknown
2007-05-01
3.3
CVE-2007-2412
BUGTRAQ
VIM
XF
Sendcard -- Sendcard
Directory traversal vulnerability in sendcard.php in Sendcard 3.4.1 and earlier allows remote attackers to read arbitrary files via a full pathname in the form parameter.
unknown
2007-05-02
2.3
CVE-2007-2471
MILW0RM
SECUNIA
XF
Sendcard -- Sendcard
Cross-site scripting (XSS) vulnerability in sendcard.php in Sendcard 3.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the form parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-05-02
1.9
CVE-2007-2472
SECUNIA
Sun -- Solaris
Unspecified vulnerability in Sun Solaris 9, when Solaris Auditing (BSM) is enabled for file read, write, attribute modify, create, or delete audit classes, allows local users to cause a denial of service (panic) via unknown vectors, possibly related to the audit_savepath function.
unknown
2007-05-02
1.9
CVE-2007-2465
SUNALERT
BID
FRSIRT
SECTRACK
SECUNIA
XF
Sun -- Java System Directory Server
Sun -- ONE Directory Server
Unspecified vulnerability in the LDAP Software Development Kit (SDK) for C, as used in Sun Java System Directory Server 5.2 up to Patch 4 and Sun ONE Directory Server 5.1, allows remote attackers to cause a denial of service (crash) via certain BER encodings.
unknown
2007-05-02
3.3
CVE-2007-2466
SUNALERT
BID
FRSIRT
SECTRACK
SECUNIA
XF
Symantec -- LiveState Recovery
Symantec -- Ghost
Symantec -- BackupExec System Recovery
Symantec -- Norton Save & Recovery
Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, when remote backups of restore points images are configured, uses weak permissions (world readable) for a configuration file with network share credentials, which allows local users to obtain the credentials by reading the file.
unknown
2007-04-30
2.3
CVE-2007-2361
IDEFENSE
OTHER-REF
SECTRACK
XF
Tecnick.com -- TCExam
shared/code/tce_tmx.php in TCExam 4.0.011 and earlier allows remote attackers to create arbitrary PHP files in cache/ by placing file contents and directory traversal manipulations into a SessionUserLang cookie to public/code/index.php.
unknown
2007-05-01
3.3
CVE-2007-2430
MILW0RM
OTHER-REF
Tony Cook -- Imager
Buffer overflow in the read_4bit_bmp function in bmp.c in Imager 0.56 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via 4-bit/pixel BMP files. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-05-02
3.3
CVE-2007-2459
FRSIRT
VMWare -- VMWare Workstation
The memory management in VMware Workstation before 5.5.4 allows attackers to cause a denial of service (Windows virtual machine crash) by triggering certain general protection faults (GPF).
unknown
2007-05-02
3.3
CVE-2007-1069
OTHER-REF
VMWare -- VMWare Workstation
The virtual machine process (VMX) in VMware Workstation before 5.5.4 does not properly read state information when moving from the ACPI sleep state to the run state, which allows attackers to cause a denial of service (virtual machine reboot) via unknown vectors.
unknown
2007-05-02
3.3
CVE-2007-1337
OTHER-REF
XF
VMWare -- VMWare Workstation
Directory traversal vulnerability in the Shared Folders feature for VMware Workstation before 5.5.4, when a folder is shared, allows users on the guest system to write to arbitrary files on the host system via the "Backdoor I/O Port" interface.
unknown
2007-05-02
3.7
CVE-2007-1744
IDEFENSE
OTHER-REF
BID
SECTRACK
VMWare -- VMWare Workstation
VMware Workstation before 5.5.4 allows attackers to cause a denial of service against the guest OS by causing the virtual machine process (VMX) to store malformed configuration information.
unknown
2007-05-02
3.3
CVE-2007-1877
OTHER-REF
webSPELL -- webSPELL
picture.php in WebSPELL 4.01.02 and earlier allows remote attackers to read arbitrary files via the file parameter.
unknown
2007-04-30
3.3
CVE-2007-2368
MILW0RM
Wserve HTTP Server -- Wserve HTTP Server
Buffer overflow in wserve_console.exe in Wserve HTTP Server (whttp) 4.6 allows remote attackers to cause a denial of service (forced application exit) via a long directory name in the URI.
unknown
2007-04-30
3.3
CVE-2007-2367
BUGTRAQ
BID
X.Org -- Xserver
X.Org -- X Window System
The X render (Xrender) extension in X.org X Window System 7.0, 7.1, and 7.2, with Xserver 1.3.0 and earlier, allows remote authenticated users to cause a denial of service (daemon crash) via crafted values to the (1) XRenderCompositeTrapezoids and (2) XRenderAddTraps functions, which trigger a divide-by-zero error.
unknown
2007-05-02
2.0
CVE-2007-2437
OTHER-REF
SECTRACK
XF
Yahoo! -- Yahoo UI framework
The Yahoo! UI framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
unknown
2007-04-30
3.3
CVE-2007-2385
OTHER-REF
Zone Labs -- ZoneAlarm Pro
ZoneAlarm Pro 6.5.737.000, 6.1.744.001, and possibly earlier versions and other products, allows local users to cause a denial of service (system crash) by sending malformed data to the vsdatant device driver, which causes an invalid memory access.
unknown
2007-05-02
2.3
CVE-2007-2467
BUGTRAQ
OTHER-REF
BID
FRSIRT
SECUNIA
