Vulnerability Summary for the Week of December 30, 2013

Released
Jan 06, 2014
Document ID
SB14-006

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
emc -- replication_managerUnquoted Windows search path vulnerability in EMC Replication Manager before 5.5 allows local users to gain privileges via a crafted application in a parent directory of an intended directory.2013-12-277.2CVE-2013-6182
esri -- arcgisSQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service.2013-12-297.5CVE-2013-7232
hp -- application_information_optimizerUnspecified vulnerability in the Archive Query Server in HP Application Information Optimizer (formerly HP Database Archiving) 6.2, 6.3, 6.4, and 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1666.2013-12-2810.0CVE-2013-6189
ibm -- iThe OSPF implementation in IBM i 6.1 and 7.1, and in z/OS on zSeries servers, does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.2014-01-028.5CVE-2013-5385
irfanview -- irfanviewBuffer overflow in IrfanView before 4.37, when a multibyte-character directory name is used, allows user-assisted remote attackers to execute arbitrary code via a crafted file that is incorrectly handled by the Thumbnail tooltips feature in the Thumbnails window.2013-12-277.6CVE-2013-6932
microsoft -- internet_explorerUse-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted CSpliceTreeEngine::InsertSplice object in an HTML document, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3143 and CVE-2013-3161.2013-12-289.3CVE-2013-3846
op5 -- monitorlicense.php in system-portal before 1.6.2 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the timestamp parameter for an install action.2013-12-3110.0CVE-2012-0261
op5 -- monitorop5config/welcome in system-op5config before 2.0.3 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter.2013-12-3110.0CVE-2012-0262
op5 -- monitorop5 Monitor and op5 Appliance before 5.5.0 do not properly manage session cookies, which allows remote attackers to have an unspecified impact via unspecified vectors.2013-12-3110.0CVE-2012-0264
openx -- openx_sourceSQL injection vulnerability in www/delivery/axmlrpc.php (aka the XML-RPC delivery invocation script) in Revive Adserver before 3.0.2, and OpenX Source 2.8.11 and earlier, allows remote attackers to execute arbitrary SQL commands via the what parameter to an XML-RPC method.2013-12-277.5CVE-2013-7149
realvnc -- realvncRealVNC VNC 5.0.6 on Mac OS X, Linux, and UNIX allows local users to gain privileges via a crafted argument to the (1) vncserver, (2) vncserver-x11, or (3) Xvnc helper.2013-12-277.2CVE-2013-6886
synology -- diskstation_managerMultiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a .. (dot dot) in the (1) path parameter to file_delete.cgi or (2) folder_path parameter to file_share.cgi in webapi/FileStation/; (3) dlink parameter to fbdownload/; or unspecified parameters to (4) html5_upload.cgi, (5) file_download.cgi, (6) file_sharing.cgi, (7) file_MVCP.cgi, or (8) file_rename.cgi in webapi/FileStation/.2013-12-317.5CVE-2013-6987

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
adtran -- netvanta_7060Cross-site scripting (XSS) vulnerability in the GUI login page in ADTRAN AOS before R10.8.1 on the NetVanta 7100 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2013-12-294.3CVE-2013-5210
barebones -- bbeditThe software update mechanism as used in Bare Bones Software Yojimbo before 4.0, TextWrangler before 4.5.3, and BBEdit before 10.5.5 does not properly download and verify updates before installation, which allows attackers to perform "tampering or corruption" of the updates.2013-12-316.4CVE-2013-3667
cisco -- ios_xeCisco IOS XE 3.7S(.1) and earlier allows remote attackers to cause a denial of service (Packet Processor crash) via fragmented MPLS IP packets, aka Bug ID CSCul00709.2013-12-275.4CVE-2013-6981
cisco -- unified_presence_serverSQL injection vulnerability in the web interface in Cisco Unified Presence Server allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCuh35615.2013-12-316.5CVE-2013-6983
cloudbees -- jenkinsCross-site scripting (XSS) vulnerability in the default markup formatter in CloudBees Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.2013-12-314.3CVE-2013-5573
cybozu -- garoonCybozu Garoon 3.5 through 3.7 SP2 allows remote attackers to bypass Keitai authentication via a modified user ID in a request.2013-12-275.8CVE-2013-6006
cybozu -- garoonSQL injection vulnerability in Cybozu Garoon 3.7 SP2 and earlier allows remote authenticated users to execute arbitrary SQL commands via crafted API input.2013-12-276.5CVE-2013-6929
fatfreecrm -- fat_free_crmconfig/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.2014-01-025.0CVE-2013-7222
fatfreecrm -- fat_free_crmMultiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controllers/application_controller.rb.2014-01-026.8CVE-2013-7223
fatfreecrm -- fat_free_crmFat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.2014-01-025.0CVE-2013-7224
fatfreecrm -- fat_free_crmMultiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.2014-01-026.5CVE-2013-7225
fatfreecrm -- fat_free_crmFat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224.2014-01-025.0CVE-2013-7249
hot -- hotbox_routerThe HOT HOTBOX router with software 2.1.11 allows remote attackers to bypass authentication by configuring a source IP address that had previously been used for an authenticated session.2013-12-295.8CVE-2013-5038
hot -- hotbox_routerCross-site request forgery (CSRF) vulnerability in goform/wlanBasicSecurity on the HOT HOTBOX router with software 2.1.11 allows remote attackers to hijack the authentication of administrators for requests that change the WiFi Security field to Deactivated via the WifiSecurity parameter.2013-12-295.4CVE-2013-5039
hot -- hotbox_routergoform/login on the HOT HOTBOX router with software 2.1.11 allows remote attackers to cause a denial of service (device crash) via crafted HTTP POST data.2013-12-296.1CVE-2013-5220
hp -- service_managerUnspecified vulnerability in HP Service Manager WebTier and Windows Client 9.20 and 9.21 before 9.21.661 p8 allows remote authenticated users to execute arbitrary code via unknown vectors.2013-12-285.2CVE-2013-6197
hp -- service_managerCross-site scripting (XSS) vulnerability in HP Service Manager WebTier and Windows Client 9.20 and 9.21 before 9.21.661 p8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2013-12-284.3CVE-2013-6198
jforum -- jforumCross-site request forgery (CSRF) vulnerability in admBase/login.page in the Admin module in JForum allows remote attackers to hijack the authentication of administrators for requests that change the user group permissions of arbitrary users via a groupsSave action.2013-12-306.8CVE-2013-7209
joomla -- joomla!Cross-site scripting (XSS) vulnerability in libraries/idna_convert/example.php in Joomla! 3.1.5 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.2013-12-284.3CVE-2013-5583
matrix42 -- service_storeCross-site scripting (XSS) vulnerability in SPS/Portal/default.aspx in Service Desk in Matrix42 Service Store 5.3 SP3 (aka 5.33.946.0) allows remote attackers to inject arbitrary web script or HTML via the query string.2013-12-284.3CVE-2013-2504
microsoft -- windows_movie_makerMicrosoft Windows Movie Maker 2.1.4026.0 on Windows XP SP3 allows remote attackers to cause a denial of service (application crash) via a crafted .wav file, as demonstrated by movieMaker.wav.2013-12-294.3CVE-2013-4858
mislav_marohnic -- will_paginateCross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.2013-12-314.3CVE-2013-6459
nextdc -- onedcThe ONEDC app before 1.7 for iOS does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2013-12-275.8CVE-2013-6812
novell -- identity_manager_roles_based_provisioning_moduleCross-site scripting (XSS) vulnerability in the Roles Based Provisioning Module 4.0.2 before Field Patch D for Novell Identity Manager (aka IDM) allows remote attackers to inject arbitrary web script or HTML via a taskDetail taskId.2013-12-274.3CVE-2013-1096
ntp -- ntpThe monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.2014-01-025.0CVE-2013-5211
op5 -- monitormonitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows remote authenticated users to obtain sensitive information such as database and user credentials via error messages that are triggered by (1) a malformed hoststatustypes parameter to status/service/all or (2) a crafted request to config.2013-12-314.0CVE-2012-0263
openssl -- opensslThe DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.2014-01-015.8CVE-2013-6450
projectforge -- projectforgeMultiple cross-site request forgery (CSRF) vulnerabilities in ProjectForge before 5.3 allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) web/admin/, (2) web/core/, (3) web/dialog/, (4) web/fibu/, (5) web/mobile/, (6) web/task/, or (7) web/wicket/.2014-01-026.8CVE-2013-7251
ubnt -- unifiCross-site scripting (XSS) vulnerability in the administer interface in the UniFi Controller in Ubiquiti Networks UniFi 2.3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted client hostname.2013-12-314.3CVE-2013-3572
wordpress -- wordpressCross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list.2013-12-296.8CVE-2013-7233
zend -- zendtoCross-site scripting (XSS) vulnerability in lib/NSSDropoff.php in ZendTo before 4.11-13 allows remote attackers to inject arbitrary web script or HTML via a modified emailAddr field to pickup.php.2013-12-274.3CVE-2013-6808
zenphoto -- zenphotoCross-site scripting (XSS) vulnerability in the export function in zp-core/zp-extensions/mergedRSS.php in Zenphoto before 1.4.5.4 allows remote attackers to inject arbitrary web script or HTML via the URI.2013-12-314.3CVE-2013-7241
zenphoto -- zenphotoSQL injection vulnerability in zp-core/zp-extensions/wordpress_import.php in Zenphoto before 1.4.5.4 allows remote authenticated administrators to execute arbitrary SQL commands via the tableprefix parameter.2013-12-316.5CVE-2013-7242

Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
emc -- watch4netEMC Watch4Net before 6.3 stores cleartext polled-device passwords in the installation repository, which allows local users to obtain sensitive information by leveraging repository privileges.2013-12-272.1CVE-2013-6181
esri -- arcgisMultiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.2013-12-293.5CVE-2013-5222
esri -- arcgisCross-site scripting (XSS) vulnerability in the Mobile Content Server in ESRI ArcGIS for Server 10.1 and 10.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-5222.2013-12-293.5CVE-2013-7231
hot -- hotbox_routerThe HOT HOTBOX router with software 2.1.11 has a default WPS PIN of 12345670, which makes it easier for remote attackers to obtain the WPA or WPA2 pre-shared key via EAP messages.2013-12-293.3CVE-2013-5037
hot -- hotbox_routerCross-site scripting (XSS) vulnerability on the HOT HOTBOX router with software 2.1.11 allows remote attackers to inject arbitrary web script or HTML via a crafted DHCP Host Name option, which is not properly handled during rendering of the DHCP table in wlanAccess.asp.2013-12-292.9CVE-2013-5218
hot -- hotbox_routerDirectory traversal vulnerability on the HOT HOTBOX router with software 2.1.11 allows remote attackers to read arbitrary files via a .. (dot dot) in a URI, as demonstrated by a request for /etc/passwd.2013-12-293.3CVE-2013-5219
projectforge -- projectforgeCross-site scripting (XSS) vulnerability in ProjectForge before 3.5.3 allows remote authenticated users to inject arbitrary web script or HTML via a validation message.2014-01-023.5CVE-2011-5269
projectforge -- projectforgeCross-site scripting (XSS) vulnerability in the JsonBuilder implementation in ProjectForge before 5.3 allows remote authenticated users to inject arbitrary web script or HTML via an autocompletion string, related to web/core/JsonBuilder.java and web/wicket/autocompletion/PFAutoCompleteBehavior.java.2014-01-023.5CVE-2013-7250

Back to top

 

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.