Weekly Vulnerabilities Reports > January 3 to 9, 2005
Overview
12 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 3 high severity vulnerabilities. This weekly summary report vulnerabilities in 13 products from 11 vendors including Photopost, Microsoft, Mozilla, Libtiff, and GFI. Vulnerabilities are notably categorized as .
- 11 reported vulnerabilities are remotely exploitables.
- 12 reported vulnerabilities are exploitable by an anonymous user.
- Photopost has the most reported vulnerabilities, with 2 reported vulnerabilities.
- GFI has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
1 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2005-01-03 | CVE-2004-1312 | GFI | Remote Denial of Service vulnerability in GFI MailEssentials and MailSecurity HTML Email A bug in the HTML parser in a certain Microsoft HTML library, as used in various third party products, may allow remote attackers to cause a denial of service via certain strings, as reported in GFI MailEssentials for Exchange 9 and 10, and GFI MailSecurity for Exchange 8, which causes emails to remain in IIS or Exchange mail queues. | 10.0 |
3 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2005-01-04 | CVE-2005-0280 | Jowood Productions | Remote vulnerability in Jowood Productions Soldner Secret Wars 30830 Format string vulnerability in Soldner Secret Wars 30830 and earlier allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in a message. | 7.5 |
| 2005-01-03 | CVE-2005-0271 | Photopost | SQL-Injection vulnerability in Photopost Reviewpost PHP PRO 1.0.2/2.5 Multiple SQL injection vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to showcat.php or (2) product parameter to addfav.php. | 7.5 |
| 2005-01-03 | CVE-2005-0268 | Flatnuke | Unspecified vulnerability in Flatnuke 2.5.1 Direct code injection vulnerability in FlatNuke 2.5.1 allows remote attackers to execute arbitrary PHP code by placing the code into the url_avatar field. | 7.5 |
8 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2005-01-06 | CVE-2004-1183 | Libtiff | Integer Overflow vulnerability in LibTIFF TIFFDUMP Heap Corruption Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file. | 5.1 |
| 2005-01-06 | CVE-2005-0182 | MOD Dosevasive | Local Insecure Temporary File Creation vulnerability in MOD Dosevasive MOD Dosevasive 1.8/1.9 The mod_dosevasive module 1.9 and earlier for Apache creates temporary files with predictable filenames, which could allow remote attackers to overwrite arbitrary files via a symlink attack. | 5.0 |
| 2005-01-05 | CVE-1999-1373 | Fore | Unspecified vulnerability in Fore Powerhub Software FORE PowerHub before 5.0.1 allows remote attackers to cause a denial of service (hang) via a TCP SYN scan with TCP/IP OS fingerprinting, e.g. | 5.0 |
| 2005-01-04 | CVE-2005-0283 | David Barrett | Remote Directory Traversal vulnerability in David Barrett Qwikiwiki 1.4.1 Directory traversal vulnerability in index.php in QwikiWiki allows remote attackers to read arbitrary files via a .. | 5.0 |
| 2005-01-07 | CVE-1999-1431 | Microsoft | Unspecified vulnerability in Microsoft Zero Administration KIT 1.0 ZAK in Appstation mode allows users to bypass the "Run only allowed apps" policy by starting Explorer from Office 97 applications (such as Word), installing software into the TEMP directory, and changing the name to that for an allowed application, such as Winword.exe. | 4.6 |
| 2005-01-06 | CVE-2004-1318 | Namazu | Remote vulnerability in Namazu 2.0.13/2.0.7/2.0.8 Cross-site scripting (XSS) vulnerability in namazu.cgi for Namazu 2.0.13 and earlier allows remote attackers to inject arbitrary HTML and web script via a query that starts with a tab ("%09") character, which prevents the rest of the query from being properly sanitized. | 4.3 |
| 2005-01-04 | CVE-2004-1061 | Mozilla | Cross-Site Scripting vulnerability in Bugzilla Internal Error Cross-site scripting (XSS) vulnerability in Bugzilla before 2.18, including 2.16.x before 2.16.11, allows remote attackers to inject arbitrary HTML and web script via forced error messages, as demonstrated using the action parameter. | 4.3 |
| 2005-01-03 | CVE-2005-0274 | Photopost | Input Validation vulnerability in All Enthusiast PhotoPost Classifieds Multiple cross-site scripting (XSS) vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) si, (3) page, or (4) ppuser parameters. | 4.3 |
0 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|