Weekly Vulnerabilities Reports > December 29, 2003 to January 4, 2004
Overview
2 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 0 high severity vulnerabilities. This weekly summary report vulnerabilities in 2 products from 2 vendors including Xmlsoft, and Pedestalsoftware. Vulnerabilities are notably categorized as "XML Entity Expansion", and "Link Following".
- 2 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 2 reported vulnerabilities are exploitable by an anonymous user.
- Xmlsoft has the most reported vulnerabilities, with 1 reported vulnerabilities.
- Pedestalsoftware has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
1 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2003-12-31 | CVE-2003-1233 | Pedestalsoftware | Link Following vulnerability in Pedestalsoftware Integrity Protection Driver 1.3 Pedestal Software Integrity Protection Driver (IPD) 1.3 and earlier allows privileged attackers, such as rootkits, to bypass file access restrictions to the Windows kernel by using the NtCreateSymbolicLinkObject function to create a symbolic link to (1) \Device\PhysicalMemory or (2) to a drive letter using the subst command. | 9.8 |
0 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|
1 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2003-12-31 | CVE-2003-1564 | Xmlsoft | XML Entity Expansion vulnerability in Xmlsoft Libxml2 libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack." | 6.5 |
0 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|