Weekly Vulnerabilities Reports > February 9 to 15, 2004

Overview

10 new vulnerabilities reported during this period, including 0 critical vulnerabilities and 2 high severity vulnerabilities. This weekly summary report vulnerabilities in 8 products from 8 vendors including RED M, Microsoft, Broadcom, GNU, and Sophos. Vulnerabilities are notably categorized as .

  • 8 reported vulnerabilities are remotely exploitables.
  • 10 reported vulnerabilities are exploitable by an anonymous user.
  • RED M has the most reported vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

0 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

2 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-02-11 CVE-2003-1214 Visualshapers Security Bypass vulnerability in ezContents

Unknown vulnerability in the server login for VisualShapers ezContents 2.02 and earlier allows remote attackers to bypass access restrictions and gain access to restricted functions.

7.5
2004-02-09 CVE-2004-2079 RED M Remote vulnerability in Red-M Red-Alert 2.7.5V3.1Build24

Red-M Red-Alert 2.7.5 with software 3.1 build 24 binds authentication to IP addresses, which allows remote attackers to bypass authentication by connecting from the same IP address as an active authenticated user.

7.5

7 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-02-13 CVE-2004-2082 Karjasoft Denial Of Service vulnerability in Karjasoft Sami FTP Server 1.1.3

The samiftp.dll library in Sami FTP Server 1.1.3 allows remote authenticated users to cause a denial of service (pmsystem.exe crash) via a GET request wit a large number of leading "/" (slash) characters.

5.0
2004-02-12 CVE-2004-2088 Sophos Unspecified vulnerability in Sophos Anti-Virus 3.4.6/3.78

Sophos Anti-Virus 3.78 allows remote attackers to bypass virus scanning by using a qmail generated Delivery Status Notification (DSN) where the original email is not included in the bounce message.

5.0
2004-02-10 CVE-2004-2091 Microsoft Unspecified vulnerability in Microsoft Baseline Security Analyzer 1.2

Microsoft Baseline Security Analyzer (MBSA) 1.2 does not correctly identify systems that have been patched but remain vulnerable to exploit until the system is rebooted, possibly giving the administrator a false sense of security.

5.0
2004-02-09 CVE-2004-2080 RED M Remote vulnerability in Red-M Red-Alert 2.7.5V3.1Build24

Red-M Red-Alert 2.7.5 with software 3.1 build 24 converts multiple spaces in a Service Set Identifier (SSID) to a single space, which prevents Red-Alert from correctly identifying the SSID.

5.0
2004-02-09 CVE-2004-2078 RED M Remote vulnerability in Red-M Red-Alert 2.7.5V3.1Build24

Red-M Red-Alert 2.7.5 with software 3.1 build 24 allows remote attackers to cause a denial of service (reboot and loss of logged events) via a long request to TCP port 80, possibly triggering a buffer overflow.

5.0
2004-02-09 CVE-2004-2093 GNU Denial-Of-Service vulnerability in rsync

Buffer overflow in the open_socket_out function in socket.c for rsync 2.5.7 and earlier allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long RSYNC_PROXY environment variable.

4.6
2004-02-09 CVE-2004-2092 Broadcom Unspecified vulnerability in Broadcom Inoculateit 6.0

eTrust InoculateIT for Linux 6.0 uses insecure permissions for multiple files and directories, including the application's registry and tmp directories, which allows local users to delete, modify, or examine sensitive information.

4.6

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-02-11 CVE-2004-2083 Opera Unspecified vulnerability in Opera Browser

Opera Web Browser 7.0 through 7.23 allows remote attackers to trick users into executing a malicious file by embedding a CLSID in the file name, which causes the malicious file to appear as a trusted file type, aka "File Download Extension Spoofing."

2.6