Weekly Vulnerabilities Reports > December 24 to 30, 2001

Overview

15 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 9 high severity vulnerabilities. This weekly summary report vulnerabilities in 14 products from 12 vendors including Namazu, Cherokee, Matrixs CGI Vault, Cisco, and Delegate. Vulnerabilities are notably categorized as and "Path Traversal".

  • 13 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 15 reported vulnerabilities are exploitable by an anonymous user.
  • Namazu has the most reported vulnerabilities, with 2 reported vulnerabilities.
  • Elsa has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

1 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2001-12-26 CVE-2001-1223 Elsa Unspecified vulnerability in Elsa Lancom 1100 Office 0.0

The web administration server for ELSA Lancom 1100 Office does not require authentication, which allows arbitrary remote attackers to gain administrative privileges by connecting to the server.

10.0

9 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2001-12-29 CVE-2001-1432 Cherokee Path Traversal vulnerability in Cherokee Httpd

Directory traversal vulnerability in Cherokee Web Server allows remote attackers to read arbitrary files via a ..

7.8
2001-12-30 CVE-2001-1466 VAN Dyke Technologies Remote Security vulnerability in SecureCRT

Buffer overflow in VanDyke SecureCRT before 3.4.2, when using the SSH-1 protocol, allows remote attackers to execute arbitrary code via a long (1) username or (2) password.

7.5
2001-12-30 CVE-2001-1207 Daydream Buffer Overflow vulnerability in DayDream BBS Control Code

Buffer overflows in DayDream BBS 2.9 through 2.13 allow remote attackers to possibly execute arbitrary code via the control codes (1) ~#MC, (2) ~#TF, or (3) ~#RA.

7.5
2001-12-30 CVE-2001-1206 Matrixs CGI Vault Remote Command Execution vulnerability in Matrixs CGI Vault Last Lines 2.0

Matrix CGI vault Last Lines 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the $error_log variable.

7.5
2001-12-29 CVE-2001-1433 Cherokee Unspecified vulnerability in Cherokee Httpd

Cherokee web server before 0.2.7 does not properly drop root privileges after binding to port 80, which could allow remote attackers to gain privileges via other vulnerabilities.

7.5
2001-12-28 CVE-2001-1202 Delegate Cross-Site Scripting vulnerability in DeleGate

Cross-site scripting vulnerability in DeleGate 7.7.0 and 7.7.1 does not quote scripting commands within a "403 Forbidden" error page, which allows remote attackers to execute arbitrary Javascript on other clients via a URL that generates an error.

7.5
2001-12-27 CVE-2001-1352 Namazu Unspecified vulnerability in Namazu

Cross-site scripting vulnerability in Namazu 2.0.9 and earlier allows remote attackers to execute arbitrary Javascript as other web users via an error message that is returned when an invalid index file is specified in the idxname parameter.

7.5
2001-12-25 CVE-2001-1351 Namazu Unspecified vulnerability in Namazu

Cross-site scripting vulnerability in Namazu 2.0.8 and earlier allows remote attackers to execute arbitrary Javascript as other web users via the index file name that is displayed when displaying hit numbers.

7.5
2001-12-27 CVE-2001-1203 Alessandro Rubini Unspecified vulnerability in Alessandro Rubini GPM 1.17.18/1.17.8

Format string vulnerability in gpm-root in gpm 1.17.8 through 1.17.18 allows local users to gain root privileges.

7.2

4 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2001-12-30 CVE-2001-1210 Cisco Unspecified vulnerability in Cisco Ubr920, Ubr924 and Ubr925

Cisco ubr900 series routers that conform to the Data-over-Cable Service Interface Specifications (DOCSIS) standard must ship without SNMP access restrictions, which can allow remote attackers to read and write information to the MIB using arbitrary community strings.

6.4
2001-12-30 CVE-2001-1205 Matrixs CGI Vault Path Traversal vulnerability in Matrixs CGI Vault Last Lines 2.0

Directory traversal vulnerability in lastlines.cgi for Last Lines 2.0 allows remote attackers to read arbitrary files via '..' sequences in the $error_log variable.

5.0
2001-12-28 CVE-2001-1204 Total PC Solutions Directory Traversal vulnerability in Total PC Solutions PHP Rocket Add-in for FrontPage

Directory traversal vulnerability in phprocketaddin in Total PC Solutions PHP Rocket Add-in for FrontPage 1.0 allows remote attackers to read arbitrary files via a ..

5.0
2001-12-25 CVE-2001-1226 Adcycle Remote SQL Query Modification vulnerability in AdCycle

AdCycle 1.17 and earlier allow remote attackers to modify SQL queries, which are not properly sanitized before being passed to the MySQL database.

5.0

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2001-12-26 CVE-2001-1225 Hughes Denial of Service vulnerability in Hughes Msql 2.0.10/2.0.11/2.0.12

Hughes Technology Mini SQL 2.0.10 through 2.0.12 allows local users to cause a denial of service by creating a very large array in a table, which causes miniSQL to crash when the table is queried.

2.1