Vulnerability Summary for the Week of October 11, 2010
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
blentz -- smbind | The filter function in php/src/include.php in Simple Management for BIND (aka smbind) before 0.4.8 does not anchor a certain regular expression, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via the username parameter to the admin login page. | 2010-10-14 | 7.5 | CVE-2010-3076 MLIST MLIST CONFIRM MISC |
cmsmadesimple -- cms_made_simple | Directory traversal vulnerability in lib/translation.functions.php in CMS Made Simple before 1.8.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the default_cms_lang parameter to an admin script, as demonstrated by admin/addbookmark.php, a different vulnerability than CVE-2008-5642. | 2010-10-08 | 7.5 | CVE-2010-2797 MLIST MLIST CONFIRM SECUNIA MISC |
david_shadoff -- mednafen | The network-play implementation in Mednafen before 0.8.D might allow remote servers to execute arbitrary code via unspecified vectors, related to "stack manipulation" issues. | 2010-10-12 | 10.0 | CVE-2010-3085 MLIST MLIST CONFIRM |
microsoft -- windows_2000 | Stack-based buffer overflow in the UpdateFrameTitleForDocument method in the CFrameWnd class in mfc42.dll (aka the Microsoft MFCDLL shared library) on Windows 2000 SP4 and XP SP2 and SP3 allows context-dependent attackers to execute arbitrary code via a long window title that this library attempts to create at the request of an application, as demonstrated by the Trident PowerZip 7.21 Build 4010 application. | 2010-10-08 | 9.3 | CVE-2010-3885 EXPLOIT-DB MISC |
microsoft -- windows | Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild in July 2010 by the Stuxnet worm, and identified by Kaspersky Lab researchers and other researchers. | 2010-10-08 | 7.2 | CVE-2010-3888 MISC MISC MISC MISC MISC MISC |
microsoft -- windows | Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild in July 2010 by the Stuxnet worm, and identified by Microsoft researchers and other researchers. | 2010-10-08 | 7.2 | CVE-2010-3889 MISC MISC MISC MISC MISC MISC |
microsoft -- windows_2003_server | Integer overflow in the Embedded OpenType (EOT) Font Engine in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote attackers to execute arbitrary code via a crafted table in an embedded font, aka "Embedded OpenType Font Integer Overflow Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-1883 MS |
microsoft -- windows_2003_server | The OpenType Font (OTF) format driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly perform memory allocation during font parsing, which allows local users to gain privileges via a crafted application, aka "OpenType Font Parsing Vulnerability." | 2010-10-13 | 7.2 | CVE-2010-2740 MS |
microsoft -- windows_2003_server | The OpenType Font (OTF) format driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 performs an incorrect integer calculation during font processing, which allows local users to gain privileges via a crafted application, aka "OpenType Font Validation Vulnerability." | 2010-10-13 | 7.2 | CVE-2010-2741 MS |
microsoft -- windows_2003_server | The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 do not properly manage a window class, which allows local users to gain privileges via a crafted application, aka "Win32k Window Class Vulnerability." | 2010-10-13 | 7.2 | CVE-2010-2744 MS |
microsoft -- windows_media_player | Microsoft Windows Media Player (WMP) 9 through 12 does not properly deallocate objects during a browser reload action, which allows user-assisted remote attackers to execute arbitrary code via crafted media content referenced in an HTML document, aka "Windows Media Player Memory Corruption Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-2745 MS |
microsoft -- windows_2003_server | Heap-based buffer overflow in Comctl32.dll (aka the common control library) in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when a third-party SVG viewer is used, allows remote attackers to execute arbitrary code via a crafted HTML document that triggers unspecified messages from this viewer, aka "Comctl32 Heap Overflow Vulnerability." | 2010-10-13 | 7.6 | CVE-2010-2746 MS |
microsoft -- office | Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle an uninitialized pointer during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Uninitialized Pointer Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-2747 MS |
microsoft -- office | Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly check an unspecified boundary during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Boundary Check Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-2748 MS |
microsoft -- office | Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle an invalid index value during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Index Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-2750 MS |
microsoft -- office | Stack-based buffer overflow in Microsoft Word 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; Word Viewer; Office Web Apps; and Word Web App allows remote attackers to execute arbitrary code via a crafted Word document, aka "Word Stack Overflow Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3214 MS |
microsoft -- office | Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle unspecified return values during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Return Value Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3215 MS |
microsoft -- office | Microsoft Word 2002 SP3 and Office 2004 for Mac do not properly handle bookmarks during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Bookmarks Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3216 MS |
microsoft -- word | Microsoft Word 2002 SP3 does not properly handle pointers during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Pointer Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3217 MS |
microsoft -- word | Heap-based buffer overflow in Microsoft Word 2002 SP3 allows remote attackers to execute arbitrary code via malformed records in a Word document, aka "Word Heap Overflow Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3218 MS |
microsoft -- word | Microsoft Word 2002 SP3 does not properly handle indexes during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Index Parsing Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3219 MS |
microsoft -- office | Unspecified vulnerability in Microsoft Word 2002 SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Word document that triggers memory corruption, aka "Word Parsing Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3220 MS |
microsoft -- office | Microsoft Word 2002 SP3 and 2003 SP3, Office 2004 for Mac, and Word Viewer do not properly handle a malformed record during parsing of a Word document, which allows remote attackers to execute arbitrary code via a crafted document that triggers memory corruption, aka "Word Parsing Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3221 MS |
microsoft -- windows_server_2003 | Stack-based buffer overflow in the Remote Procedure Call Subsystem (RPCSS) in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted LPC message that requests an LRPC connection from an LPC server to a client, aka "LPC Message Buffer Overrun Vulnerability." | 2010-10-13 | 7.2 | CVE-2010-3222 MS |
microsoft -- windows_server_2008 | The user interface in Microsoft Cluster Service (MSCS) in Microsoft Windows Server 2008 R2 does not properly set administrative-share permissions for new cluster disks that are shared as part of a failover cluster, which allows remote attackers to read or modify data on these disks via requests to the associated share, aka "Permissions on New Cluster Disks Vulnerability." | 2010-10-13 | 7.5 | CVE-2010-3223 MS |
microsoft -- windows_7 | Use-after-free vulnerability in the Media Player Network Sharing Service in Microsoft Windows Vista SP1 and SP2 and Windows 7 allows remote attackers to execute arbitrary code via a crafted Real Time Streaming Protocol (RTSP) packet, aka "RTSP Use After Free Vulnerability." | 2010-10-13 | 7.6 | CVE-2010-3225 MS |
microsoft -- .net_framework | The JIT compiler in Microsoft .NET Framework 4.0 on 64-bit platforms does not properly perform optimizations, which allows remote attackers to execute arbitrary code via a crafted .NET application that triggers memory corruption, aka ".NET Framework x64 JIT Compiler Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3228 MS |
microsoft -- windows_7 | The Secure Channel (aka SChannel) security package in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when IIS 7.x is used, does not properly process client certificates during SSL and TLS handshakes, which allows remote attackers to cause a denial of service (LSASS outage and reboot) via a crafted packet, aka "TLSv1 Denial of Service Vulnerability." | 2010-10-13 | 7.1 | CVE-2010-3229 MS |
microsoft -- excel | Integer overflow in Microsoft Excel 2002 SP3 allows remote attackers to execute arbitrary code via an Excel document with crafted record information, aka "Excel Record Parsing Integer Overflow Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3230 MS |
microsoft -- excel | Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac do not properly validate record information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Excel Record Parsing Memory Corruption Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3231 MS |
microsoft -- excel | Microsoft Excel 2003 SP3 and 2007 SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 do not properly validate record information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Excel File Format Parsing Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3232 MS |
microsoft -- excel | Microsoft Excel 2002 SP3 and 2003 SP3 does not properly validate record information, which allows remote attackers to execute arbitrary code via a crafted .wk3 (aka Lotus 1-2-3 workbook) file, aka "Lotus 1-2-3 Workbook Parsing Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3233 MS |
microsoft -- excel | Microsoft Excel 2002 SP3 does not properly validate formula information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Formula Substream Memory Corruption Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3234 MS |
microsoft -- excel | Microsoft Excel 2002 SP3 does not properly validate formula information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Formula Biff Record Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3235 MS |
microsoft -- excel | Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac do not properly validate record information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Out Of Bounds Array Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3236 MS |
microsoft -- excel | Microsoft Excel 2002 SP3 and Office 2004 for Mac do not properly validate record information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Merge Cell Record Pointer Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3237 MS |
microsoft -- excel | Microsoft Excel 2002 SP3 and 2003 SP3, and Office 2004 for Mac, does not properly validate binary file-format information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Negative Future Function Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3238 MS |
microsoft -- excel | Microsoft Excel 2002 SP3 does not properly validate record information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Extra Out of Boundary Record Parsing Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3239 MS |
microsoft -- excel | Microsoft Excel 2002 SP3 and 2007 SP2; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 do not properly validate record information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Real Time Data Array Record Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3240 MS |
microsoft -- excel | Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac do not properly validate binary file-format information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Out-of-Bounds Memory Write in Parsing Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3241 MS |
microsoft -- excel | Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac do not properly validate record information, which allows remote attackers to execute arbitrary code via a crafted Excel document, aka "Ghost Record Type Parsing Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3242 MS |
microsoft -- ie | Microsoft Internet Explorer 6 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3326 MS |
microsoft -- ie | Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3328 MS |
microsoft -- ie | Microsoft Internet Explorer 7 and 8 does not properly handle objects in memory in certain circumstances involving use of Microsoft Word to read HTML files, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3329 MS |
microsoft -- ie | Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory in certain circumstances involving use of Microsoft Word to read Word documents, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "Uninitialized Memory Corruption Vulnerability." | 2010-10-13 | 9.3 | CVE-2010-3331 MS |
novell -- opensuse | Multiple buffer overflows in the Novell Client novfs module for the Linux kernel in SUSE Linux Enterprise 11 SP1 and openSUSE 11.3 allow local users to gain privileges via unspecified vectors. | 2010-10-12 | 7.2 | CVE-2010-3110 SUSE |
oracle -- database_server | Unspecified vulnerability in the Database Control component in EM Console in Oracle Database Server 10.1.0.5 and 10.2.0.3, Oracle Fusion Middleware 10.1.2.3 and 10.1.4.3, and Enterprise Manager Grid Control allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 2010-10-13 | 7.5 | CVE-2010-2390 CONFIRM |
oracle -- solaris | Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Scheduler. | 2010-10-13 | 10.0 | CVE-2010-3509 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle OpenSolaris allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Depot Server. | 2010-10-14 | 9.0 | CVE-2010-3578 CONFIRM |
oracle -- vm | Unspecified vulnerability in the OracleVM component in Oracle VM 2.2.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to ovs-agent. | 2010-10-14 | 9.0 | CVE-2010-3582 CONFIRM |
oracle -- vm | Unspecified vulnerability in the OracleVM component in Oracle VM 2.2.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to ovs-agent. | 2010-10-14 | 9.0 | CVE-2010-3583 CONFIRM |
oracle -- vm | Unspecified vulnerability in the OracleVM component in Oracle VM 2.2.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to ovs-agent. | 2010-10-14 | 9.0 | CVE-2010-3585 CONFIRM |
rim -- blackberry_enterprise_server | Multiple buffer overflows in the PDF distiller in the Attachment Service component in Research In Motion (RIM) BlackBerry Enterprise Server (BES) software 4.1.7 and earlier and 5.0.0 through 5.0.2, and BlackBerry Professional Software 4.1.4 and earlier, allow user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted PDF document. | 2010-10-14 | 7.6 | CVE-2010-2601 CONFIRM |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
apache -- qpid | sys/ssl/SslSocket.cpp in qpidd in Apache Qpid, as used in Red Hat Enterprise MRG before 1.2.2 and other products, when SSL is enabled, allows remote attackers to cause a denial of service (daemon outage) by connecting to the SSL port but not participating in an SSL handshake. | 2010-10-12 | 4.3 | CVE-2010-3083 REDHAT REDHAT CONFIRM CONFIRM MLIST |
apple -- mail | The Limit Mail feature in the Parental Controls functionality in Mail on Apple Mac OS X does not properly enforce the correspondence whitelist, which allows remote attackers to bypass intended access restrictions and conduct e-mail communication by leveraging knowledge of a child's e-mail address and a parent's e-mail address, related to parental notification of unapproved e-mail addresses. | 2010-10-08 | 4.3 | CVE-2010-3887 MISC |
bip.t1r -- bip | bip before 0.8.6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an empty USER command. | 2010-10-14 | 5.0 | CVE-2010-3071 CONFIRM MLIST MLIST CONFIRM CONFIRM |
christian_dywan -- midori | Midori before 0.2.5, when WebKitGTK+ before 1.1.14 or LibSoup before 2.29.91 is used, does not verify X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary https web sites via a crafted server certificate, a related issue to CVE-2010-3312. | 2010-10-14 | 5.8 | CVE-2010-3900 CONFIRM MISC CONFIRM MLIST MISC CONFIRM |
cmsmadesimple -- cms_made_simple | Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple 1.7.1 and earlier allow remote attackers to inject arbitrary web script or HTML via input to the (1) Add Pages, (2) Add Global Content, (3) Edit Global Content, (4) Add Article, (5) Add Category, (6) Add Field Definition, or (7) Add Shortcut module. | 2010-10-08 | 4.3 | CVE-2010-3882 MISC SECUNIA |
cmsmadesimple -- cms_made_simple | Cross-site request forgery (CSRF) vulnerability in the Change Group Permissions module in CMS Made Simple 1.7.1 and earlier allows remote attackers to hijack the authentication of arbitrary users for requests that make permission modifications. | 2010-10-08 | 6.8 | CVE-2010-3883 MISC SECUNIA |
cmsmadesimple -- cms_made_simple | Cross-site request forgery (CSRF) vulnerability in CMS Made Simple 1.8.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that reset the administrative password. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-10-08 | 6.8 | CVE-2010-3884 SECUNIA |
gnome -- epiphany | Epiphany 2.28 and 2.29, when WebKit and LibSoup are used, unconditionally displays a closed-lock icon for any URL beginning with the https: substring, without any warning to the user, which allows man-in-the-middle attackers to spoof arbitrary https web sites via a crafted X.509 server certificate. | 2010-10-14 | 5.8 | CVE-2010-3312 CONFIRM MLIST MLIST MLIST MLIST MLIST MLIST MLIST CONFIRM CONFIRM MISC |
gnu -- glibc | Certain run-time memory protection mechanisms in the GNU C Library (aka glibc or libc6) print argv[0] and backtrace information, which might allow context-dependent attackers to obtain sensitive information from process memory by executing an incorrect program, as demonstrated by a setuid program that contains a stack-based buffer overflow error, related to the __fortify_fail function in debug/fortify_fail.c, and the __stack_chk_fail (aka stack protection) and __chk_fail (aka FORTIFY_SOURCE) implementations. | 2010-10-14 | 5.0 | CVE-2010-3192 MLIST MLIST MLIST MLIST MLIST MLIST MLIST FULLDISC |
infradead -- openconnect | Double free vulnerability in OpenConnect before 1.40 might allow remote AnyConnect SSL VPN servers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted DTLS Cipher option during a reconnect operation. | 2010-10-14 | 5.0 | CVE-2009-5009 CONFIRM |
infradead -- openconnect | OpenConnect before 2.25 does not properly validate X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary AnyConnect SSL VPN servers via a crafted server certificate that (1) does not correspond to the server hostname or (2) is presented in circumstances involving a missing --cafile configuration option. | 2010-10-14 | 6.4 | CVE-2010-3901 MLIST MLIST CONFIRM |
infradead -- openconnect | OpenConnect before 2.26 places the webvpn cookie value in the debugging output, which might allow remote attackers to obtain sensitive information by reading this output, as demonstrated by output posted to the public openconnect-devel mailing list. | 2010-10-14 | 5.0 | CVE-2010-3902 CONFIRM |
infradead -- openconnect | Unspecified vulnerability in OpenConnect before 2.23 allows remote AnyConnect SSL VPN servers to cause a denial of service (application crash) via a 404 HTTP status code. | 2010-10-14 | 5.0 | CVE-2010-3903 CONFIRM |
jianping_yu -- pidgin-knotify | The notify function in pidgin-knotify.c in the pidgin-knotify plugin 0.2.1 and earlier for Pidgin allows remote attackers to execute arbitrary commands via shell metacharacters in a message. | 2010-10-08 | 5.1 | CVE-2010-3088 CONFIRM MLIST MLIST MISC |
linux -- kernel | arch/x86/hvm/vmx/vmcs.c in the virtual-machine control structure (VMCS) implementation in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when an Intel platform without Extended Page Tables (EPT) functionality is used, accesses VMCS fields without verifying hardware support for these fields, which allows local users to cause a denial of service (host OS crash) by requesting a VMCS dump for a fully virtualized Xen guest. | 2010-10-08 | 4.9 | CVE-2010-2938 CONFIRM CONFIRM REDHAT |
microsoft -- ie | The CTimeoutEventList::InsertIntoTimeoutList function in Microsoft mshtml.dll uses a certain pointer value as part of producing Timer ID values for the setTimeout and setInterval methods in VBScript and JScript, which allows remote attackers to obtain sensitive information about the heap memory addresses used by an application, as demonstrated by the Internet Explorer 8 application. | 2010-10-08 | 4.3 | CVE-2010-3886 MISC MISC BUGTRAQ |
microsoft -- ie | Cross-site scripting (XSS) vulnerability in the toStaticHTML function in Microsoft Internet Explorer 8, and the SafeHTML function in Microsoft Windows SharePoint Services 3.0 SP2 and Office SharePoint Server 2007 SP2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "HTML Sanitization Vulnerability." | 2010-10-13 | 4.3 | CVE-2010-3243 MS MS |
microsoft -- ie | Microsoft Internet Explorer 6 through 8 does not properly handle unspecified special characters in Cascading Style Sheets (CSS) documents, which allows remote attackers to obtain sensitive information from a different (1) domain or (2) zone via a crafted web site, aka "CSS Special Character Information Disclosure Vulnerability." | 2010-10-13 | 4.3 | CVE-2010-3325 MS |
microsoft -- ie | The implementation of HTML content creation in Microsoft Internet Explorer 6 through 8 does not remove the Anchor element during pasting and editing, which might allow remote attackers to obtain sensitive deleted information by visiting a web page, aka "Anchor Element Information Disclosure Vulnerability." | 2010-10-13 | 4.3 | CVE-2010-3327 MS |
microsoft -- ie | Microsoft Internet Explorer 6 through 8 does not properly restrict script access to content from a different (1) domain or (2) zone, which allows remote attackers to obtain sensitive information via a crafted web site, aka "Cross-Domain Information Disclosure Vulnerability." | 2010-10-13 | 4.3 | CVE-2010-3330 MS |
oracle -- e-business_suite | Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2 allows remote attackers to affect confidentiality and integrity via unknown vectors. | 2010-10-13 | 5.8 | CVE-2010-2388 CONFIRM |
oracle -- fusion_middleware | Unspecified vulnerability in the Cabo/UIX component in Oracle Fusion Middleware 10.1.2.3 and 10.1.3.5 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-2395 CONFIRM |
oracle -- fusion_middleware | Unspecified vulnerability in the Forms component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-2396 CONFIRM |
oracle -- siebel_suite | Unspecified vulnerability in the Siebel Core - Highly Interactive Client component in Oracle Siebel Suite 7.7.2.12, 7.8.2.14, 8.0.0.10, and 8.1.1.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 2010-10-13 | 6.0 | CVE-2010-2405 CONFIRM |
oracle -- siebel_suite | Unspecified vulnerability in the Siebel Core - Highly Interactive Client component in Oracle Siebel Suite 7.7.2.12, 7.8.2.14, 8.0.0.10, and 8.1.1.3 allows remote authenticated users to affect confidentiality via unknown vectors. | 2010-10-13 | 4.0 | CVE-2010-2406 CONFIRM |
oracle -- database_server | Unspecified vulnerability in the XDK component in Oracle Database Server 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-2407 CONFIRM |
oracle -- e-business_suite | Unspecified vulnerability in the Oracle iRecruitment component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-2408 CONFIRM |
oracle -- fusion_middleware | Unspecified vulnerability in the Cabo/UIX component in Oracle Fusion Middleware 10.1.2.3 and 10.1.3.5 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-2409 CONFIRM |
oracle -- fusion_middleware | Unspecified vulnerability in the Cabo/UIX component in Oracle Fusion Middleware 10.1.2.3 and 10.1.3.5 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-2410 CONFIRM |
oracle -- database_server | Unspecified vulnerability in the Job Queue component in Oracle Database Server 11.2.0.1, 11.1.0.7, 10.2.0.3, 10.2.0.4, and 10.1.0.5 allows remote authenticated users to affect confidentiality, integrity, and availability, related to SYS.DBMS_IJOB. | 2010-10-13 | 4.6 | CVE-2010-2411 CONFIRM |
oracle -- database_server | Unspecified vulnerability in the OLAP component in Oracle Database Server 11.1.0.7 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-13 | 5.5 | CVE-2010-2412 CONFIRM |
oracle -- fusion_middleware | Unspecified vulnerability in the BI Publisher component in Oracle Fusion Middleware 10.1.3.3.2 and 10.1.3.4.1 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-2413 CONFIRM |
oracle -- database_server | Unspecified vulnerability in the Change Data Capture component in Oracle Database Server 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality and integrity, related to DBMS_CDC_PUBLISH. | 2010-10-13 | 4.9 | CVE-2010-2415 CONFIRM |
oracle -- e-business_suite | Unspecified vulnerability in the Oracle E-Business Intelligence component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-2416 CONFIRM |
oracle -- supply_chain_products_suite | Unspecified vulnerability in the Agile PLM component in Oracle Supply Chain Products Suite 9.3.0.0 allows remote authenticated users to affect integrity via unknown vectors. | 2010-10-13 | 4.0 | CVE-2010-2417 CONFIRM |
oracle -- e-business_suite | Unspecified vulnerability in the Oracle Territory Management component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-2418 CONFIRM |
oracle -- database_server | Unspecified vulnerability in the Java Virtual Machine component in Oracle Database Server 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 2010-10-13 | 6.5 | CVE-2010-2419 CONFIRM |
oracle -- siebel_suite | Unspecified vulnerability in the Siebel Core - Highly Interactive Client component in Oracle Siebel Suite 7.7.2.12, 7.8.2.14, 8.0.0.10, and 8.1.1.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 2010-10-13 | 6.0 | CVE-2010-3500 CONFIRM |
oracle -- fusion_middleware | Unspecified vulnerability in the OID component in Oracle Fusion Middleware 10.1.2.3, 10.1.4.3, and 11.1.1.2.0 allows remote attackers to affect availability via unknown vectors. | 2010-10-13 | 5.0 | CVE-2010-3501 CONFIRM |
oracle -- siebel_suite | Unspecified vulnerability in the Siebel Core component in Oracle Siebel Suite 7.7.2.12, 7.8.2.14, 8.0.0.10, and 8.1.1.3 allows remote authenticated users to affect confidentiality via unknown vectors. | 2010-10-13 | 4.0 | CVE-2010-3502 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect confidentiality and integrity via unknown vectors related to su. | 2010-10-13 | 6.3 | CVE-2010-3503 CONFIRM |
oracle -- e-business_suite | Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors. | 2010-10-13 | 4.3 | CVE-2010-3504 CONFIRM |
oracle -- solaris | Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Live Upgrade. | 2010-10-13 | 6.6 | CVE-2010-3507 CONFIRM |
oracle -- sun_products_suite | Unspecified vulnerability in the Oracle iPlanet Web Server (Sun Java System Web Server) component in Oracle Sun Products Suite 6.1 and 7.0 allows remote attackers to affect integrity via unknown vectors related to Web Container. | 2010-10-13 | 4.3 | CVE-2010-3514 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in the Solaris component in Oracle Solaris 9 and 10, and OpenSolaris, allows local users to affect availability via unknown vectors related to Kernel/Disk Driver. | 2010-10-13 | 4.0 | CVE-2010-3515 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect availability via unknown vectors related to InfiniBand. | 2010-10-13 | 4.0 | CVE-2010-3516 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect availability, related to Kernel/X86. | 2010-10-13 | 4.9 | CVE-2010-3517 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise HCM GP - Japan component in Oracle PeopleSoft and JDEdwards Suite 8.81 SP1 Bundle #13, 8.9 GP Update 2010-E, 9.0 GP Update 2010-E, and 9.1 GP Update 2010-E allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-13 | 5.5 | CVE-2010-3518 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft and JDEdwards Suite 8.49.28 and 8.50.12 allows remote authenticated users to affect integrity via unknown vectors. | 2010-10-13 | 4.0 | CVE-2010-3519 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise HCM - GP France component in Oracle PeopleSoft and JDEdwards Suite 8.81 SP1 Bundle #12, 8.9 GP Update 2010-E, 9.0 GP Update 2010-E, and 9.1 GP Update 2010-E allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-13 | 5.5 | CVE-2010-3520 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise HCM ePay component in Oracle PeopleSoft and JDEdwards Suite 9.0 to Payroll Update 10-C and 9.1 to Payroll Update 10-C allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-13 | 5.5 | CVE-2010-3521 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft and JDEdwards Suite 8.49.28 and 8.50.12 allows remote authenticated users to affect confidentiality via unknown vectors. | 2010-10-14 | 4.0 | CVE-2010-3522 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft and JDEdwards Suite 8.49.28 and 8.50.12 allows remote attackers to affect integrity via unknown vectors. | 2010-10-14 | 5.0 | CVE-2010-3523 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise SCM - Strategic Sourcing component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3524 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the (1) PeopleSoft Enterprise FMS, (2) SCM, (3) EPM, (4) CRM, and (5) Campus Solutions components in Oracle PeopleSoft and JDEdwards Suite 8.9, 9.0, and 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3525 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise SCM - PO component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3526 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise FMS - AM component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect integrity and availability via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3527 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise CRM - Common Components component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #41, 9.0 Bundle #28, and 9.1 Bundle #4 allows remote authenticated users to affect confidentiality via unknown vectors. | 2010-10-14 | 4.0 | CVE-2010-3528 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise FMS - Cash Management component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3529 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise HCM - HR component in Oracle PeopleSoft and JDEdwards Suite 9.0 Bundle #13 and 9.1 Bundle #3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3530 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise FMS ESA - RM component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3531 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise CRM - Order Capture component in Oracle PeopleSoft and JDEdwards Suite 9.0 Bundle #28 and 9.1 Bundle #4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3532 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise SCM OM and CRM Order Capture component in Oracle PeopleSoft and JDEdwards Suite 8.9, 9.0, and 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3533 CONFIRM |
oracle -- primavera_product_suite | Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 6.21.3.0 and 7.0.1.0 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the Project Management Module. | 2010-10-14 | 4.6 | CVE-2010-3534 CONFIRM |
oracle -- sun_product_suite | Unspecified vulnerability in the Directory Server Enterprise Edition component in Oracle Sun Products Suite 6.0, 6.1, 6.2, and 6.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Identity Synchronization for Windows. | 2010-10-14 | 4.4 | CVE-2010-3535 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise SCM component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3536 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise FMS - AM component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3537 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise FMS - GL component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3538 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft Enterprise FMS - GL component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3539 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect availability, related to ZFS. | 2010-10-14 | 4.0 | CVE-2010-3540 CONFIRM |
oracle -- sun_product_suite | Unspecified vulnerability in the Oracle iPlanet Web Server (Sun Java System Web Server) component in Oracle Sun Products Suite 7.0 allows remote attackers to affect integrity and availability via unknown vectors related to Administration. | 2010-10-14 | 5.8 | CVE-2010-3544 CONFIRM |
oracle -- sun_product_suite | Unspecified vulnerability in the Oracle iPlanet Web Server (Sun Java System Web Server) component in Oracle Sun Products Suite 7.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Administration. | 2010-10-14 | 5.8 | CVE-2010-3545 CONFIRM |
oracle -- sun_product_suite | Unspecified vulnerability in the Sun Java System Identity Manager component in Oracle Sun Products Suite 8.1 allows remote attackers to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.8 | CVE-2010-3546 CONFIRM |
oracle -- peoplesoft_and_jdedwards_product_suite | Unspecified vulnerability in the PeopleSoft FMS ESA - EX component in Oracle PeopleSoft and JDEdwards Suite 8.9 Bundle #38, 9.0 Bundle #31, and 9.1 Bundle #6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-14 | 5.5 | CVE-2010-3547 CONFIRM |
oracle -- sun_product_suite | Unspecified vulnerability in the Oracle Communications Messaging Server (Sun Java System Messaging Server) component in Oracle Sun Products Suite 7.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Webmail. | 2010-10-14 | 6.4 | CVE-2010-3564 CONFIRM |
oracle -- sun_product_suite | Unspecified vulnerability in the Oracle Communications Messaging Server (Sun Java System Messaging Server) component in Oracle Sun Products Suite 6.0, 6.2, 6.3, and 7.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Mail. | 2010-10-14 | 6.4 | CVE-2010-3575 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle OpenSolaris allows remote attackers to affect confidentiality and integrity, related to Kernel/CIFS. | 2010-10-14 | 6.4 | CVE-2010-3577 CONFIRM |
oracle -- sun_product_suite | Unspecified vulnerability in the (1) Sun Convergence 1 and (2) Sun Java Communications Suite 7 components in Oracle Sun Products Suite 1.0 and 7.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Webmail. | 2010-10-14 | 6.4 | CVE-2010-3579 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle OpenSolaris allows local users to affect availability via unknown vectors related to Kernel/File System. | 2010-10-14 | 4.6 | CVE-2010-3580 CONFIRM |
oracle -- vm | Unspecified vulnerability in the Oracle VM component in Oracle VM 2.2.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to ovs-agent. | 2010-10-14 | 4.3 | CVE-2010-3584 CONFIRM |
redhat -- enterprise_mrg | lib/MessageStoreImpl.cpp in Red Hat Enterprise MRG before 1.2.2 allows remote authenticated users to cause a denial of service (stack memory exhaustion and broker crash) via a large persistent message. | 2010-10-12 | 4.0 | CVE-2010-3701 CONFIRM REDHAT REDHAT CONFIRM |
rene_tegel -- visual_synapse | Directory traversal vulnerability in Visual Synapse HTTP Server 1.0 RC1 through RC3, and 0.60 and earlier, allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. | 2010-10-08 | 5.0 | CVE-2010-3743 MISC BID BUGTRAQ EXPLOIT-DB |
rim -- blackberry_device_software | The browser in Research In Motion (RIM) BlackBerry Device Software 5.0.0.593 Platform 5.1.0.147 on the BlackBerry 9700 does not properly restrict cross-domain execution of JavaScript, which allows remote attackers to bypass the Same Origin Policy via vectors related to a window.open call and an IFRAME element. NOTE: some of these details are obtained from third party information. | 2010-10-14 | 6.8 | CVE-2010-3934 SECTRACK SECUNIA MISC |
squid-cache -- squid | dns_internal.cc in Squid 3.1.6, when IPv6 DNS resolution is not enabled, accesses an invalid socket during an IPv4 TCP DNS query, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via vectors that trigger an IPv4 DNS response with the TC bit set. | 2010-10-12 | 5.0 | CVE-2010-2951 CONFIRM MLIST MLIST CONFIRM CONFIRM MLIST MLIST MLIST CONFIRM CONFIRM CONFIRM |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
cisco -- anyconnect_ssl_vpn | The Cisco trial client on Linux for Cisco AnyConnect SSL VPN allows local users to overwrite arbitrary files via a symlink attack on unspecified temporary files. | 2010-10-14 | 3.3 | CVE-2009-5007 MISC |
cisco -- secure_desktop | Cisco Secure Desktop (CSD), when used in conjunction with an AnyConnect SSL VPN server, does not properly perform verification, which allows local users to bypass intended policy restrictions via a modified executable file. | 2010-10-14 | 2.1 | CVE-2009-5008 MISC |
microsoft -- ie | Microsoft Internet Explorer 6 and 7 on Windows XP and Vista does not prevent script from simulating user interaction with the AutoComplete feature, which allows remote attackers to obtain sensitive form information via a crafted web site, aka "AutoComplete Information Disclosure Vulnerability." | 2010-10-13 | 2.6 | CVE-2010-0808 MS |
oracle -- database_server | Unspecified vulnerability in the Perl component in Oracle Database Server 11.2.0.1, 11.1.0.7, 10.2.0.3, 10.2.0.4, and 10.1.0.5; and Fusion Middleware 11.1.1.1.0 and 11.1.1.2.0; allows local users to affect integrity via unknown vectors related to Local Logon. | 2010-10-13 | 1.0 | CVE-2010-2389 CONFIRM |
oracle -- database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.1.0.5 and 10.2.0.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2010-10-13 | 3.6 | CVE-2010-2391 CONFIRM |
oracle -- e-business_suite | Unspecified vulnerability in the Oracle iRecruitment component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect integrity via unknown vectors related to Account. | 2010-10-13 | 3.5 | CVE-2010-2404 CONFIRM |
oracle -- sun_products_suite | Unspecified vulnerability in the (1) Sun Convergence 1 and (2) Sun Java Communications Suite 7 components in Oracle Sun Products Suite 1.0 and 7.0 allows remote attackers to affect confidentiality via unknown vectors. | 2010-10-13 | 2.6 | CVE-2010-2414 CONFIRM |
oracle -- sun_products_suite | Unspecified vulnerability in the Oracle Explorer (Sun Explorer) component in Oracle Sun Products Suite 6.4 allows local users to affect confidentiality and integrity via unknown vectors. | 2010-10-13 | 3.0 | CVE-2010-3506 CONFIRM |
oracle -- solaris | Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality and integrity via unknown vectors related to Solaris Zones. | 2010-10-13 | 3.2 | CVE-2010-3508 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle OpenSolaris allows local users to affect integrity and availability via unknown vectors related to Tooltalk. | 2010-10-13 | 2.6 | CVE-2010-3511 CONFIRM |
oracle -- sun_products_suite | Unspecified vulnerability in the Oracle iPlanet Web Server (Sun Java System Web Server) component in Oracle Sun Products Suite 7.0u8 allows remote authenticated users to affect confidentiality, related to DAV (WebDAV). | 2010-10-13 | 3.5 | CVE-2010-3512 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle Solaris 9 and 10, and OpenSolaris, allows local users to affect integrity and availability via unknown vectors related to Device Drivers. | 2010-10-13 | 2.4 | CVE-2010-3513 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSolaris, allows local users to affect confidentiality, related to USB. | 2010-10-14 | 1.9 | CVE-2010-3542 CONFIRM |
oracle -- opensolaris | Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSolaris, allows local users to affect integrity and availability, related to the SCSI enclosure services device driver. | 2010-10-14 | 3.6 | CVE-2010-3576 CONFIRM |
oracle -- fusion_middleware | Unspecified vulnerability in the BPEL Console component in Oracle Fusion Middleware 11.1.1.1.0 and 11.1.1.2.0 allows remote authenticated users to affect integrity via unknown vectors. | 2010-10-14 | 3.5 | CVE-2010-3581 CONFIRM |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.