Weekly Vulnerabilities Reports > May 14 to 20, 2007

Overview

135 new vulnerabilities reported during this period, including 21 critical vulnerabilities and 55 high severity vulnerabilities. This weekly summary report vulnerabilities in 161 products from 111 vendors including BEA, Linux, Apple, Microsoft, and HP. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Use of Externally-Controlled Format String", "Resource Exhaustion", and "Information Exposure".

  • 128 reported vulnerabilities are remotely exploitables.
  • 41 reported vulnerabilities have public exploit available.
  • 3 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 120 reported vulnerabilities are exploitable by an anonymous user.
  • BEA has the most reported vulnerabilities, with 10 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

21 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-05-18 CVE-2007-2763 Sienzo Stack Buffer Overflow vulnerability in Sienzo Digital Music Mentor 2.6.0.4

Buffer overflow in the UnlockSupport function in the LockModules subsystem in a certain ActiveX control in ltmm15.dll in Sienzo Digital Music Mentor (DMM) 2.6.0.4 allows remote attackers to execute arbitrary code via a long string in the second argument, a different issue than CVE-2007-2564.

10.0
2007-05-17 CVE-2007-2755 Precisionid Barcode Unspecified vulnerability in Precisionid Barcode Precisionid Barcode 1.9

The PrecisionID Barcode 1.9 ActiveX control in PrecisionID_Barcode.dll, when Internet Explorer 6 is used, allows remote attackers to overwrite arbitrary files via a full pathname to the SaveToFile function, a different vulnerability than CVE-2007-2744.

10.0
2007-05-17 CVE-2007-2736 Apple
HP
IBM
Linux
Microsoft
Santa Cruz Operation
SUN
Windriver
Achievo
Remote File Include vulnerability in Achievo 1.1.0

PHP remote file inclusion vulnerability in index.php in Achievo 1.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the config_atkroot parameter.

10.0
2007-05-16 CVE-2007-1173 Centennial
Numara
Symantec
Remote Buffer Overflow vulnerability in Multiple Vendor XFERWAN.EXE

Multiple buffer overflows in the CentennialIPTransferServer service (XFERWAN.EXE), as used by (1) Centennial Discovery 2006 Feature Pack 1, (2) Numara Asset Manager 8.0, and (3) Symantec Discovery 6.5, allow remote attackers to execute arbitrary code via long strings in a crafted TCP packet.

10.0
2007-05-16 CVE-2007-1689 Symantec Buffer Overflow vulnerability in Symantec Norton Personal Firewall 2004 ActiveX Control

Buffer overflow in the ISAlertDataCOM ActiveX control in ISLALERT.DLL for Norton Personal Firewall 2004 and Internet Security 2004 allows remote attackers to execute arbitrary code via long arguments to the (1) Get and (2) Set functions.

10.0
2007-05-16 CVE-2007-2719 HP Improper Authentication vulnerability in HP Systems Insight Manager 4.2/5.0

Session fixation vulnerability in HP Systems Insight Manager (SIM) 4.2 and 5.0 SP4 and SP5 allows remote attackers to hijack web sessions by setting the JSESSIONID cookie.

10.0
2007-05-16 CVE-2007-2715 Snaps Gallery Remote Password Change vulnerability in Snaps Gallery Snaps Gallery 1.4.4

Admin/users.php in Snaps! Gallery 1.4.4 allows remote attackers to change arbitrary usernames and passwords via the (1) username, or the (2) password and password2 parameters in an edit action.

10.0
2007-05-16 CVE-2007-2714 Matt Mullenweg Unspecified vulnerability in WordPress Akismet Plugin

Unspecified vulnerability in akismet.php in Matt Mullenweg Akismet before 2.0.2, a WordPress plugin, has unknown impact and attack vectors.

10.0
2007-05-16 CVE-2007-2713 Ifusionservices Authentication Bypass vulnerability in IFDate Administrative

ifdate 2.x sends a redirect to the web browser but does not exit when administrative credentials are missing, which allows remote attackers to obtain administrative access via a direct request for the admin/ URI.

10.0
2007-05-16 CVE-2007-2712 MH Software Unspecified vulnerability in MHSoftware Connect Daily

Unspecified vulnerability in MH Software Connect Daily before 3.3.3 has unknown impact and attack vectors.

10.0
2007-05-16 CVE-2007-2711 Tinyirc Remote Buffer Overflow vulnerability in TinyIdentD

Stack-based buffer overflow in TinyIdentD 2.2 and earlier allows remote attackers to execute arbitrary code via a long string to TCP port 113.

10.0
2007-05-14 CVE-2007-2446 Samba Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Samba

Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names).

10.0
2007-05-16 CVE-2007-2439 Caucho Technology Denial-Of-Service vulnerability in Resin

Caucho Resin Professional 3.1.0 and Caucho Resin 3.1.0 and earlier for Windows allows remote attackers to cause a denial of service (device hang) and read data from a COM or LPT device via a DOS device name with an arbitrary extension.

9.4
2007-05-18 CVE-2007-2758 Winimage Buffer Overflow vulnerability in Winimage 8.0.8000

Multiple buffer overflows in WinImage 8.0.8000 allow user-assisted remote attackers to execute arbitrary code via a FAT image that contains long directory names in a deeply nested directory structure, which triggers (1) a stack-based buffer overflow during extraction, or (2) a heap-based buffer overflow during traversal.

9.3
2007-05-17 CVE-2007-2741 Littlecms Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Littlecms Lcms

Stack-based buffer overflow in Little CMS (lcms) before 1.15 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted ICC profile in a JPG file.

9.3
2007-05-16 CVE-2007-2568 Vcdgear Buffer Overflow vulnerability in Vcdgear 3.55

Multiple stack-based buffer overflows in VCDGear 3.55 allow user-assisted remote attackers to execute arbitrary code via a long (1) tag or (2) track type in a CUE file.

9.3
2007-05-14 CVE-2007-2667 DB Soft LAB Buffer Overflow vulnerability in DB Soft LAB Vimp X 4.7.3

Buffer overflow in the DB Software Laboratory VImpX ActiveX control in VImpX.ocx 4.7.3 allows remote attackers to execute arbitrary code via a long LogFile parameter.

9.3
2007-05-14 CVE-2007-2648 Clever Components Buffer Overflow vulnerability in Clever Components Clever Database Comparer 2.2

Stack-based buffer overflow in the Clever Database Comparer 2.2 ActiveX control (comparerax.ocx) allows remote attackers to execute arbitrary code via a long argument to the ConnectToDatabase function.

9.3
2007-05-14 CVE-2007-2645 Libexif Remote Integer Overflow vulnerability in LibEXIF Exif_Data_Load_Data_Entry

Integer overflow in the exif_data_load_data_entry function in exif-data.c in libexif before 0.6.14 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted EXIF data, involving the (1) doff or (2) s variable.

9.3
2007-05-14 CVE-2007-0754 Apple Buffer Overflow vulnerability in Apple QuickTime MOV File STSD Heap

Heap-based buffer overflow in Apple QuickTime before 7.1.3 allows user-assisted remote attackers to execute arbitrary code via a crafted Sample Table Sample Descriptor (STSD) atom size in a QuickTime movie.

9.3
2007-05-18 CVE-2007-2760 Adempiere Remote Security vulnerability in Adempiere

The canUpdate function in model/MRole.java in Adempiere before 3.1.6 does not properly validate user roles, which allows remote authenticated read-only users to gain read-write privileges.

9.0

55 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-05-18 CVE-2007-2764 Linux
Brocade
Improper Input Validation vulnerability in Linux Kernel

The embedded Linux kernel in certain Sun-Brocade SilkWorm switches before 20070516 does not properly handle a situation in which a non-root user creates a kernel process, which allows attackers to cause a denial of service (oops and device reboot) via unspecified vectors.

7.8
2007-05-17 CVE-2007-1693 Yate Improper Input Validation vulnerability in Yate YET Another Telephony Engine 1.1.0

The SIP channel module in Yet Another Telephony Engine (Yate) before 1.2.0 sets the caller_info_uri parameter using an incorrect variable that can be NULL, which allows remote attackers to cause a denial of service (NULL dereference and application crash) via a Call-Info header without a purpose parameter.

7.8
2007-05-16 CVE-2007-2726 Bitscast Remote Denial Of Service vulnerability in Bitscast 0.13.0

BitsCast 0.13.0 allows remote attackers to cause a denial of service (application crash) via an RSS 2.0 feed item with certain invalid strings in a pubDate element, as demonstrated by repeated "../A" or "A/../" patterns.

7.8
2007-05-16 CVE-2007-2722 Newzcrawler Remote Denial of Service vulnerability in Newzcrawler 1.8

Unspecified vulnerability in NewzCrawler 1.8 allows remote attackers to cause a denial of service (application instability) via certain invalid strings in the URL attribute of an ENCLOSURE element, as demonstrated by a "%s" sequence, a "%Y" sequence, a "%%" sequence, and an "n," sequence.

7.8
2007-05-16 CVE-2007-2705 BEA Directory Traversal vulnerability in BEA Weblogic Integration and Weblogic Workshop

Directory traversal vulnerability in the Test View Console in BEA WebLogic Integration 9.2 before SP1 and WebLogic Workshop 8.1 SP2 through SP6, when "deployed in an exploded format," allows remote attackers to list a WebLogic Workshop Directory (wlwdir) parent directory via unspecified vectors.

7.8
2007-05-16 CVE-2007-2690 ISS Remote Security vulnerability in ISS products

Multiple IBM ISS Proventia Series products, including the A, G, and M series, do not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic.

7.8
2007-05-16 CVE-2007-2689 Checkpoint Remote Security vulnerability in Checkpoint web Intelligence Gold

Check Point Web Intelligence does not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic.

7.8
2007-05-16 CVE-2007-2688 Cisco Unspecified vulnerability in Cisco IOS and IPS Sensor Software

The Cisco Intrusion Prevention System (IPS) and IOS with Firewall/IPS Feature Set do not properly handle certain full-width and half-width Unicode character encodings, which might allow remote attackers to evade detection of HTTP traffic.

7.8
2007-05-14 CVE-2007-2658 ID Automation Denial of Service vulnerability in ID Automation Linear Barcode 1.6.0.5

Unspecified vulnerability in the ID Automation Linear Barcode 1.6.0.5 ActiveX control in IDAutomationLinear6.dll allows remote attackers to cause a denial of service via a long argument to the SaveEnhWMF method.

7.8
2007-05-14 CVE-2007-2657 Precisionid Barcode Denial of Service vulnerability in Precisionid Barcode Precisionid Barcode 1.3

Unspecified vulnerability in the PrecisionID Barcode 1.3 ActiveX control in PrecisionID_DataMatrix.DLL allows remote attackers to cause a denial of service via a long argument to the SaveBarCode method.

7.8
2007-05-14 CVE-2007-2656 HP Buffer Overflow vulnerability in HP Hpqvwocx.Dll 1.0.0.309

Stack-based buffer overflow in the Hewlett-Packard (HP) Magview ActiveX control in hpqvwocx.dll 1.0.0.309 allows remote attackers to cause a denial of service (application crash) and possibly have other impact via a long argument to the DeleteProfile method.

7.8
2007-05-14 CVE-2007-2649 T COM Unspecified vulnerability in T-Com Speedport W 700V

Deutsche Telekom (T-com) Speedport W 700v uses JavaScript delays for invalid authentication attempts to the CGI script, which allows remote attackers to bypass the delays and conduct brute-force attacks via direct calls to the authentication CGI script.

7.8
2007-05-14 CVE-2007-2666 Notepad
Scintilla
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Stack-based buffer overflow in LexRuby.cxx (SciLexer.dll) in Scintilla 1.73, as used by notepad++ 4.1.1 and earlier, allows user-assisted remote attackers to execute arbitrary code via certain Ruby (.rb) files with long lines.

7.6
2007-05-18 CVE-2007-2762 Build IT Fast Remote File Include vulnerability in Build IT Fast Build IT Fast 0.4.1

Multiple PHP remote file inclusion vulnerabilities in Build it Fast (bif3) 0.4.1 allow remote attackers to execute arbitrary PHP code via a URL in (1) the pear_dir parameter to Base/Application.php, or the (2) sys_dir parameter to (a) Footer.php, (b) widget.BifContainer.php, (c) widget.BifRoot.php, (d) widget.BifRoot2.php, (e) widget.BifRoot3.php, or (f) widget.BifWarning.php in Widgets/Base/.

7.5
2007-05-18 CVE-2007-2761 Magiciso Stack Buffer Overflow vulnerability in Magic ISO Maker Cue File

Stack-based buffer overflow in MagicISO 5.4 build 239 and earlier allows remote attackers to execute arbitrary code via a long filename in a .cue file.

7.5
2007-05-18 CVE-2007-2759 Adempiere SQL-Injection vulnerability in Adempiere

Multiple SQL injection vulnerabilities in the insert function in the ValuePreference class (grid/ed/ValuePreference.java) in Adempiere before 3.1.6 allow remote attackers to execute arbitrary SQL commands via the (1) m_Attribute or (2) m_Value parameter.

7.5
2007-05-18 CVE-2007-2682 Apple
Adobe
Unspecified vulnerability in Adobe Creative Suite 3.0

The installer for Adobe Version Cue CS3 Server on Apple Mac OS X, as used in Adobe Creative Suite 3 (CS3), does not re-enable the personal firewall after completing the product installation, which allows remote attackers to bypass intended firewall rules.

7.5
2007-05-17 CVE-2007-2751 Phpglossar Remote File Include vulnerability in PHPglossar 0.8

Multiple PHP remote file inclusion vulnerabilities in PHPGlossar 0.8 allow remote attackers to execute arbitrary PHP code via a URL in the format_menue parameter to (1) admin/inc/change_action.php or (2) admin/inc/add.php.

7.5
2007-05-17 CVE-2007-2750 Simpnews SQL Injection vulnerability in SimpNews

SQL injection vulnerability in print.php in SimpNews 2.40.01 and earlier allows remote attackers to execute arbitrary SQL commands via the newsnr parameter.

7.5
2007-05-17 CVE-2007-2744 Precisionid Barcode Buffer Overflow vulnerability in Precisionid Barcode Precisionid Barcode 1.9

Stack-based buffer overflow in the PrecisionID Barcode 1.9 ActiveX control in PrecisionID_Barcode.dll allows remote attackers to cause a denial of service (Internet Explorer 6 crash), and possibly execute arbitrary code, via a long argument to the SaveBarCode method.

7.5
2007-05-17 CVE-2007-2743 Glossword Remote File Include vulnerability in Glossword 1.8.1

PHP remote file inclusion vulnerability in custom_vars.php in GlossWord 1.8.1 allows remote attackers to execute arbitrary PHP code via a URL in the sys[path_addon] parameter.

7.5
2007-05-17 CVE-2007-2742 Labs Beffa ORG Unspecified vulnerability in Labs.Beffa.Org W2Box 4.0.0Beta4

Unrestricted file upload vulnerability in labs.beffa.org w2box 4.0.0 Beta4 allows remote attackers to upload arbitrary PHP code via a filename with a double extension such as .php.jpg.

7.5
2007-05-17 CVE-2007-2738 Xoops SQL Injection vulnerability in XOOPS Module Glossarie Glossaire-P-F.PHP

SQL injection vulnerability in glossaire-p-f.php in the Glossaire 1.7 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the sid parameter in an ImprDef action.

7.5
2007-05-17 CVE-2007-2737 Xoops SQL-Injection vulnerability in Xoops Myconference Module 1.0

SQL injection vulnerability in index.php in the MyConference 1.0 module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.

7.5
2007-05-17 CVE-2007-2735 Touteresa SQL Injection vulnerability in XOOPS ResManager Module Edit_day.PHP

SQL injection vulnerability in edit_day.php in the ResManager 1.2.1 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id_reserv parameter.

7.5
2007-05-16 CVE-2007-2734 3Com Remote Security vulnerability in 3Crx506-96

The 3Com TippingPoint IPS do not properly handle certain full-width and half-width Unicode character encodings in an HTTP POST request, which might allow remote attackers to evade detection of HTTP traffic.

7.5
2007-05-16 CVE-2007-2725 DB Soft LAB Unspecified vulnerability in DB Soft LAB Dewizardx

The DB Software Laboratory DeWizardX (DEWizardAX.ocx) ActiveX control allows remote attackers to overwrite arbitrary files via the SaveToFile function.

7.5
2007-05-16 CVE-2007-2717 Igeneric SQL Injection vulnerability in Igeneric IG Shop 1.4

SQL injection vulnerability in shop/page.php in iGeneric (iG) Shop 1.4 allows remote attackers to execute arbitrary SQL commands via the type_id[] parameter, a different vector than CVE-2005-0537.

7.5
2007-05-16 CVE-2007-2710 Nagiosql Remote Security vulnerability in NagiosQL

PHP remote file inclusion vulnerability in functions/prepend_adm.php in NagiosQL 2.00-P00 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the SETS[path][IT] parameter.

7.5
2007-05-16 CVE-2007-2709 Nagiosql Remote File Include vulnerability in Nagiosql 2005 2.00

PHP remote file inclusion vulnerability in functions/prepend_adm.php in NagiosQL 2005 2.00 allows remote attackers to execute arbitrary PHP code via a URL in the SETS[path][physical] parameter.

7.5
2007-05-16 CVE-2007-2708 Feindt Computerservice Remote File Include vulnerability in Feindt Computerservice News-Script 2.0

PHP remote file inclusion vulnerability in newsadmin.php in Feindt Computerservice News (News-Script) 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the action parameter.

7.5
2007-05-16 CVE-2007-2706 Geeklog Remote File Include vulnerability in Geeklog Media Gallery Ftpmedia.PHP

PHP remote file inclusion vulnerability in maint/ftpmedia.php in Media Gallery 1.4.8a and earlier for Geeklog allows remote attackers to execute arbitrary PHP code via a URL in the _MG_CONF[path_html] parameter.

7.5
2007-05-15 CVE-2007-2681 B2Evolution File-Upload vulnerability in B2Evolution 1.6

Directory traversal vulnerability in blogs/index.php in b2evolution 1.6 allows remote attackers to include and execute arbitrary local files via a ..

7.5
2007-05-15 CVE-2007-2678 Netsprint Remote Security vulnerability in Netsprint Toolbar 1.1

Buffer overflow in the isChecked function in toolbar.dll in Netsprint Toolbar 1.1 might allow remote attackers to execute arbitrary code via unspecified vectors.

7.5
2007-05-14 CVE-2007-2677 Phpchess Remote File Include vulnerability in PHPchess 2.0

Multiple PHP remote file inclusion vulnerabilities in phpChess Community Edition 2.0 allow remote attackers to execute arbitrary PHP code via a URL in (1) the config parameter to includes/language.php, or the Root_Path parameter to (2) layout_admin_cfg.php, (3) layout_cfg.php, or (4) layout_t_top.php in skins/phpchess/.

7.5
2007-05-14 CVE-2007-2676 Open Translation Engine Remote File Include vulnerability in Open Translation Engine Open Translation Engine 0.7.8

PHP remote file inclusion vulnerability in skins/header.php in Open Translation Engine (OTE) 0.7.8 allows remote attackers to execute arbitrary PHP code via a URL in the ote_home parameter.

7.5
2007-05-14 CVE-2007-2675 PRE Projects SQL Injection vulnerability in PRE Projects PRE Classifieds Listings 1.0

SQL injection vulnerability in search.php in Pre Classifieds Listings 1.0 allows remote attackers to execute arbitrary SQL commands via the category parameter.

7.5
2007-05-14 CVE-2007-2674 PRE Projects SQL Injection vulnerability in PRE Projects PRE Shopping Mall 1.0

SQL injection vulnerability in detail.php in Pre Shopping Mall 1.0 allows remote attackers to execute arbitrary SQL commands via the prodid parameter.

7.5
2007-05-14 CVE-2007-2673 Censura SQL Injection vulnerability in Censura 1.15.04

SQL injection vulnerability in includes/funcs_vendors.php in Censura 1.15.04, and other versions before 1.16.04, allows remote attackers to execute arbitrary SQL commands via the vendorid parameter in a vendor_info cmd action to censura.php.

7.5
2007-05-14 CVE-2007-2672 Thinc4Orce Marketing Group SQL Injection vulnerability in Thinc4Orce Marketing Group PHP Coupon Script 3.0

SQL injection vulnerability in index.php in PHP Coupon Script 3.0 allows remote attackers to execute arbitrary SQL commands via the bus parameter in a viewbus page.

7.5
2007-05-14 CVE-2007-2665 PHP Firstpost Remote File Include vulnerability in PHP Firstpost PHP Firstpost 0.1

PHP remote file inclusion vulnerability in block.php in PhpFirstPost 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the Include parameter.

7.5
2007-05-14 CVE-2007-2664 Tomasz Rekawek Remote Security vulnerability in Yet Another Asterisk Panel

PHP remote file inclusion vulnerability in includes/common.php in Yaap 1.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter, possibly related to the __autoload function.

7.5
2007-05-14 CVE-2007-2663 Beacon Remote File Include vulnerability in Beacon 0.2.0

PHP remote file inclusion vulnerability in language/1/splash.lang.php in Beacon 0.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the languagePath parameter.

7.5
2007-05-14 CVE-2007-2662 Efestech Haber SQL Injection vulnerability in Efestech Haber Efestech Haber 5.0

SQL injection vulnerability in EfesTECH Haber 5.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to the top-level URI.

7.5
2007-05-14 CVE-2007-2661 Drumster SQL Injection vulnerability in Drumster Blogme 3.0

SQL injection vulnerability in archshow.asp in BlogMe 3.0 allows remote attackers to execute arbitrary SQL commands via the var parameter, a different vector than CVE-2006-5976.

7.5
2007-05-14 CVE-2007-2655 Netwin USE of Externally-Controlled Format String vulnerability in Netwin Surgemail and Webmail

Unspecified vulnerability in NetWin Webmail 3.1s-1 in SurgeMail before 3.8i2 has unknown impact and remote attack vectors, possibly a format string vulnerability that allows remote code execution.

7.5
2007-05-14 CVE-2007-2652 Free SA Buffer Overflow vulnerability in Free-SA

Multiple unspecified vulnerabilities in Free-SA before 1.2.2 allow remote attackers to execute arbitrary code via unspecified vectors involving certain (1) sprintf and (2) vsprintf calls in (a) r_index.c, (b) r_reports.c, (c) r_topsites.c, (d) r_topuser.c, (e) r_typical.c, (f) r_userdatetime.c, and (g) r_users.c in reports/; and (h) w_fs.c, (i) w_internal.c, and (j) w_log_operations.c in work/, probably related to buffer overflows.

7.5
2007-05-14 CVE-2007-2651 Voodoo Circle Remote vulnerability in VooDoo CIrcle Server

Multiple off-by-one errors in VooDoo cIRCle before 1.1.beta27 allow remote attackers to cause a denial of service (connection loss) or possibly execute arbitrary code via a (1) DNS name response of the exact length as a buffer; or a long (2) channel name, (3) partyline channel name, or unspecified vectors in crafted BOTNET packets.

7.5
2007-05-18 CVE-2007-2766 Backup Manager Credentials Management vulnerability in Backup Manager Backup Manager

lib/backup-methods.sh in Backup Manager before 0.7.6 provides the MySQL password as a plaintext command line argument, which allows local users to obtain this password by listing the process and its arguments, related to lib/backup-methods.sh.

7.2
2007-05-16 CVE-2007-2730 Microsoft
Checkpoint
Comodo
Local Security vulnerability in Comodo Firewall Pro

Check Point ZoneAlarm Pro before 6.5.737.000 does not properly test for equivalence of process identifiers for certain Microsoft Windows API functions in the NT kernel 5.0 and greater, which allows local users to call these functions, and bypass firewall rules or gain privileges, via a modified identifier that is one, two, or three greater than the canonical identifier.

7.2
2007-05-16 CVE-2007-2729 Comodo Local Security vulnerability in Comodo Firewall PRO and Comodo Personal Firewall

Comodo Firewall Pro 2.4.18.184 and Comodo Personal Firewall 2.3.6.81, and probably older Comodo Firewall versions, do not properly test for equivalence of process identifiers for certain Microsoft Windows API functions in the NT kernel 5.0 and greater, which allows local users to call these functions, and bypass firewall rules or gain privileges, via a modified identifier that is one, two, or three greater than the canonical identifier.

7.2
2007-05-14 CVE-2007-2444 Samba Local Privilege Escalation vulnerability in Samba SID Names

Logic error in the SID/Name translation functionality in smbd in Samba 3.0.23d through 3.0.25pre2 allows local users to gain temporary privileges and execute SMB/CIFS protocol operations via unspecified vectors that cause the daemon to transition to the root user.

7.2
2007-05-16 CVE-2007-2723 Media Player Classic Denial of Service vulnerability in Media Player Classic Media Player Classic 6.4.9.0

Media Player Classic 6.4.9.0 allows user-assisted remote attackers to cause a denial of service (web browser crash) via an "empty" .MPA file, which triggers a divide-by-zero error.

7.1
2007-05-16 CVE-2007-2699 BEA File-Upload vulnerability in Weblogic Server 9.0/9.1

The Administration Console in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not properly enforce certain Domain Security Policies, which allows remote administrative users in the Deployer role to upload arbitrary files.

7.1
2007-05-14 CVE-2007-2671 Mozilla Denial of Service vulnerability in Mozilla Firefox 2.0.0.3

Mozilla Firefox 2.0.0.3 allows remote attackers to cause a denial of service (application crash) via a long hostname in an HREF attribute in an A element, which triggers an out-of-bounds memory access.

7.1

52 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-05-18 CVE-2007-2765 AC Zoom Remote Denial of Service vulnerability in BlockHosts

blockhosts.py in BlockHosts before 2.0.3 does not properly parse daemon log files, which allows remote attackers to add arbitrary deny entries to the /etc/hosts.allow file and cause a denial of service by adding arbitrary IP addresses to a daemon log file, as demonstrated by logging in through ssh using a login name containing certain strings with an IP address, which is not properly handled by a regular expression, a related issue to CVE-2006-6301.

6.8
2007-05-18 CVE-2007-2757 Dean J Robinson Cross-Site Scripting vulnerability in Dean J Robinson Redoable 1.2

Multiple cross-site scripting (XSS) vulnerabilities in Redoable 1.2 allow remote attackers to inject arbitrary web script or HTML via the s parameter to (1) wp-content/themes/redoable/searchloop.php or (2) wp-content/themes/redoable/header.php.

6.8
2007-05-17 CVE-2007-2754 Freetype Integer Overflow vulnerability in FreeType TT_Load_Simple_Glyph() TTF File

Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.

6.8
2007-05-17 CVE-2007-2740 Xajax Cross-Site Scripting vulnerability in Xajax

Unspecified vulnerability in xajax before 0.2.5 has unknown impact and attack vectors, not related to XSS.

6.8
2007-05-16 CVE-2007-2732 Jetbox Cross-Site Scripting vulnerability in Jetbox CMS 2.1

Multiple cross-site scripting (XSS) vulnerabilities in Jetbox CMS allow remote attackers to inject arbitrary web script or HTML via the (1) path parameter to view/search/; or the (2) companyname, (3) country, (4) email, (5) firstname, (6) middlename, (7) required, (8) surname, or (9) title parameter to view/supplynews/.

6.8
2007-05-16 CVE-2007-2716 Eqdkp Cross-Site Scripting vulnerability in EQDKP Show Variable

Multiple cross-site scripting (XSS) vulnerabilities in EQdkp 1.3.2c and earlier allow remote attackers to inject arbitrary web script or HTML via the show parameter to (1) listmembers.php and (2) stats.php.

6.8
2007-05-16 CVE-2007-2707 Linksnet Remote File Include vulnerability in Linksnet Newsfeed 1.0

PHP remote file inclusion vulnerability in linksnet_linkslog_rss.php in Linksnet Newsfeed 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the dirpath_linksnet_newsfeed parameter.

6.8
2007-05-16 CVE-2007-2696 BEA Remote Security vulnerability in BEA Weblogic Server 6.1/7.0/8.1

The JMS Server in BEA WebLogic Server 6.1 through SP7, 7.0 through SP6, and 8.1 through SP5 enforces security access policies on the front end, which allows remote attackers to access protected queues via direct requests to the JMS back-end server.

6.8
2007-05-15 CVE-2007-2679 Simple PHP Scripts Gallery Remote File Include vulnerability in Simple PHP Scripts Gallery Simple PHP Scripts Gallery 0.3

PHP file inclusion vulnerability in index.php in Ivan Peevski gallery 0.3 in Simple PHP Scripts (sphp) allows remote attackers to execute arbitrary PHP code via a UNC share pathname or a local file pathname in the gallery parameter, which is accessed by the file_exists function.

6.8
2007-05-14 CVE-2007-2668 Webdesproxy Buffer Errors vulnerability in Webdesproxy 0.0.1

Buffer overflow in webdesproxy 0.0.1 allows remote attackers to execute arbitrary code via a long URL, possibly involving the process_connection_request function in webdesproxy.c.

6.8
2007-05-14 CVE-2007-2660 CJG Explorer PRO
Vincent Blavet
** DISPUTED ** PHP remote file inclusion vulnerability in pcltrace.lib.php in the PclTar module in Vincent Blavet PhpConcept Library, as used in CJG EXPLORER PRO 3.3 and earlier and probably other products, allows remote attackers to execute arbitrary PHP code via a URL in the g_pcltar_lib_dir parameter.
6.8
2007-05-14 CVE-2007-2646 Yenc32 Buffer Overflow vulnerability in Yenc32 1.0.7.207

Heap-based buffer overflow in yEnc32 1.0.7.207 allows user-assisted remote attackers to execute arbitrary code via a long filename in an NTX file.

6.8
2007-05-14 CVE-2007-1902 Sonicbb SQL Injection vulnerability in Sonicbb 1.0

Multiple SQL injection vulnerabilities in SonicBB 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) part and (2) by parameters to (a) search.php, or the (2) id parameter to (b) viewforum.php.

6.8
2007-05-14 CVE-2007-2647 Monalbum Unspecified vulnerability in Monalbum 0.8.7

Static code injection vulnerability in admin/admin_configuration.php in Monalbum 0.8.7 allows remote authenticated users to inject arbitrary PHP code into the conf/config.inc.php file via the (1) gadm_pass, (2) gadm_user, (3) gcfgHote, (4) gcfgPass, (5) gcfgUser, (6) gclassement_rep, (7) gcontour, (8) gfond, (9) ggd_version, (10) ghome, (11) ghor, (12) gimg_copyright, (13) glangage, (14) gmenu_visible, (15) gmini_hasard, (16) gordre_rep, (17) gpage, (18) gracine, (19) grech_inactive, (20) grep_mini, (21) grepertoire, (22) gsite, (23) gslide, (24) gtitre, (25) guse_copyright, (26) gversion, (27) gvert, or (28) gcfgBase parameter.

6.5
2007-05-17 CVE-2007-2752 Runawaysoft SQL Injection vulnerability in Runawaysoft Haber Portal 1.0

SQL injection vulnerability in devami.asp in RunawaySoft Haber portal 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

6.4
2007-05-16 CVE-2007-2733 Jetbox Unspecified vulnerability in Jetbox CMS 2.1

Unrestricted file upload vulnerability in Jetbox CMS allows remote authenticated users with author privileges to upload arbitrary scripts via unspecified vectors, which can be accessed in webfiles/.

6.0
2007-05-16 CVE-2007-2692 Mysql
Oracle
Privilege Escalation vulnerability in MySQL Security Invoker

The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before 5.1.18 does not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allows remote authenticated users to gain privileges.

6.0
2007-05-14 CVE-2007-2447 Samba Remote Shell Command Execution vulnerability in Samba MS-RPC

The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.

6.0
2007-05-16 CVE-2007-1898 Apple
HP
Linux
Microsoft
Santa Cruz Operation
SUN
Windriver
Jetbox
Unspecified vulnerability in Jetbox CMS 2.1

formmail.php in Jetbox CMS 2.1 allows remote attackers to send arbitrary e-mails (spam) via modified recipient, _SETTINGS[allowed_email_hosts][], and subject parameters.

5.8
2007-05-16 CVE-2007-2704 BEA Denial-Of-Service vulnerability in BEA Weblogic Server 9.0/9.1/9.2

BEA WebLogic Server 9.0 through 9.2 allows remote attackers to cause a denial of service (SSL port unavailability) by accessing a half-closed SSL socket.

5.4
2007-05-16 CVE-2007-2697 BEA Denial-Of-Service vulnerability in Weblogic Server

The embedded LDAP server in BEA WebLogic Express and WebLogic Server 7.0 through SP6, 8.1 through SP5, 9.0, and 9.1, when in certain configurations, does not limit or audit failed authentication attempts, which allows remote attackers to more easily conduct brute-force attacks against the administrator password, or flood the server with login attempts and cause a denial of service.

5.1
2007-05-16 CVE-2007-2695 BEA Remote Security vulnerability in Weblogic Server

The HttpClusterServlet and HttpProxyServlet in BEA WebLogic Express and WebLogic Server 6.1 through SP7, 7.0 through SP7, 8.1 through SP5, 9.0, and 9.1, when SecureProxy is enabled, may process "external requests on behalf of a system identity," which allows remote attackers to access administrative data or functionality.

5.1
2007-05-17 CVE-2007-2753 Runawaysoft Information Disclosure vulnerability in Runawaysoft Haber Portal 1.0

RunawaySoft Haber portal 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for data/xice.mdb.

5.0
2007-05-17 CVE-2007-2749 Faqengine SQL Injection vulnerability in FAQEngine Question.PHP

SQL injection vulnerability in question.php in FAQEngine 4.16.03 and earlier allows remote attackers to execute arbitrary SQL commands via the questionref parameter in a display action.

5.0
2007-05-17 CVE-2007-2747 Rdiffweb Directory Traversal vulnerability in rdiffWeb

Directory traversal vulnerability in rdw_helpers.py in rdiffWeb before 0.3.5.1 allows remote attackers to read arbitrary files via a ..

5.0
2007-05-16 CVE-2007-2728 PHP
Canonical
The soap extension in PHP calls php_rand_r with an uninitialized seed variable, which has unknown impact and attack vectors, a related issue to the mcrypt_create_iv issue covered by CVE-2007-2727.
5.0
2007-05-16 CVE-2007-2445 Linux
PNG Reference Library
Remote Denial of Service vulnerability in Libpng Library

The png_handle_tRNS function in pngrutil.c in libpng before 1.0.25 and 1.2.x before 1.2.17 allows remote attackers to cause a denial of service (application crash) via a grayscale PNG image with a bad tRNS chunk CRC value.

5.0
2007-05-16 CVE-2007-2441 Caucho Technology Information Disclosure vulnerability in Caucho Resin

Caucho Resin Professional 3.1.0 and Caucho Resin 3.1.0 and earlier for Windows allows remote attackers to obtain the system path via certain URLs associated with (1) deploying web applications or (2) displaying .xtp files.

5.0
2007-05-16 CVE-2007-2440 Caucho Technology Information Disclosure vulnerability in Caucho Resin

Directory traversal vulnerability in Caucho Resin Professional 3.1.0 and Caucho Resin 3.1.0 and earlier for Windows allows remote attackers to read certain files via a ..

5.0
2007-05-16 CVE-2007-2698 BEA Remote Security vulnerability in BEA Weblogic Server 9.0

The Administration Console in BEA WebLogic Server 9.0 may show plaintext Web Service attributes during configuration creation, which allows remote attackers to obtain sensitive credential information.

5.0
2007-05-14 CVE-2007-2659 Bugada Andrea Directory Traversal vulnerability in Bugada Andrea PHP Advanced Transfer Manager 1.30

Directory traversal vulnerability in index.php in PHP Advanced Transfer Manager (phpATM) 1.30 allows remote attackers to read arbitrary files and obtain script source code via a ..

5.0
2007-05-14 CVE-2007-0689 Mybb Information Disclosure vulnerability in MyBB

MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message.

5.0
2007-05-16 CVE-2007-2691 Mysql
Debian
Canonical
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.
4.9
2007-05-16 CVE-2007-2701 BEA Security Bypass vulnerability in BEA Weblogic Server 7.0/8.1

The JMS Message Bridge in BEA WebLogic Server 7.0 through SP7 and 8.1 through Service Pack 6, when configured without a username and password, or when the connection URL is not defined, allows remote attackers to bypass the security access policy and "send unauthorized messages to a protected queue." The vendor has released a product update to address this issue: ftp://anonymous:dev2dev%[email protected]/pub/releases/security/CR281022_81sp6_rarfiles.jar

4.6
2007-05-14 CVE-2007-2654 Suse
Xfsdump
Race Condition vulnerability in multiple products

xfs_fsr in xfsdump creates a .fsr temporary directory with insecure permissions, which allows local users to read or overwrite arbitrary files on xfs filesystems.

4.4
2007-05-18 CVE-2007-2756 Libgd Denial of Service vulnerability in Libgd 2.0.34

The gdPngReadData function in libgd 2.0.34 allows user-assisted attackers to cause a denial of service (CPU consumption) via a crafted PNG image with truncated data, which causes an infinite loop in the png_read_info function in libpng.

4.3
2007-05-17 CVE-2007-2748 PHP Information Exposure vulnerability in PHP

The substr_count function in PHP 5.2.1 and earlier allows context-dependent attackers to obtain sensitive information via unspecified vectors, a different affected function than CVE-2007-1375.

4.3
2007-05-17 CVE-2007-2745 Vdesk Cross-Site Scripting vulnerability in Vdesk Webmail 4.03

Cross-site scripting (XSS) vulnerability in printcal.pl in vDesk Webmail 4.03 allows remote attackers to inject arbitrary web script or HTML via the type parameter.

4.3
2007-05-17 CVE-2007-2739 Xajax Unspecified vulnerability in Xajax

Cross-site scripting (XSS) vulnerability in xajax before 0.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2007-05-16 CVE-2007-2724 Fotolog Cross-Site Scripting vulnerability in Fotolog

Cross-site scripting (XSS) vulnerability in all_photos.html in fotolog allows remote attackers to inject arbitrary web script or HTML via the user parameter.

4.3
2007-05-16 CVE-2007-2721 Jasper Jpeg 2000 Remote Denial of Service vulnerability in JasPer JPC_QCX_GetCompParm Function JP2 File Handling

The jpc_qcx_getcompparms function in jpc/jpc_cs.c for the JasPer JPEG-2000 library (libjasper) before 1.900 allows remote user-assisted attackers to cause a denial of service (crash) and possibly corrupt the heap via malformed image files, as originally demonstrated using imagemagick convert.

4.3
2007-05-16 CVE-2007-2720 Group Office Security Bypass vulnerability in Group-Office Groupware 2.16.12

Group-Office before 2.16-13 does not properly validate user IDs, which allows remote attackers to obtain sensitive information via certain requests for (1) message.php and (2) messages.php in modules/email/.

4.3
2007-05-16 CVE-2007-2718 Microsoft
Stalker
Cross-site scripting (XSS) vulnerability in the WebMail system in Stalker CommuniGate Pro 5.1.8 and earlier, when using Microsoft Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via crafted STYLE tags.
4.3
2007-05-16 CVE-2007-2694 BEA Cross-Site Scripting vulnerability in Weblogic Server

Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Express and WebLogic Server 6.1 through SP7, 7.0 through SP7, 8.1 through SP5, 9.0 GA, and 9.1 GA allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2007-05-15 CVE-2007-2680 Canon Cross Site Scripting vulnerability in Canon products

Cross-site scripting (XSS) vulnerability in the management interface in Canon Network Camera Server VB100 and VB101 with firmware 3.0 R69 and earlier, and VB150 with firmware 1.1 R39 and earlier, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2007-05-14 CVE-2007-2670 Globalmegacorp Cross-Site Scripting vulnerability in PHPChain

PHPChain 1.0 and earlier allows remote attackers to obtain the installation path via invalid values of the catid parameter to (1) settings.php or (2) cat.php, as demonstrated by XSS manipulations.

4.3
2007-05-14 CVE-2007-2669 Globalmegacorp Cross-Site Scripting vulnerability in PHPChain

Multiple cross-site scripting (XSS) vulnerabilities in PHPChain 1.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the catid parameter to (1) settings.php or (2) cat.php.

4.3
2007-05-14 CVE-2007-2650 Clamav
Debian
Resource Exhaustion vulnerability in multiple products

The OLE2 parser in Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service (resource consumption) via an OLE2 file with (1) a large property size or (2) a loop in the FAT file block chain that triggers an infinite loop, as demonstrated via a crafted DOC file.

4.3
2007-05-14 CVE-2007-1901 Sonicbb Information Disclosure vulnerability in Sonicbb 1.0

SonicBB 1.0 allows remote attackers to obtain sensitive information via the (1) by[] parameter to search.php, (2) p[] parameter to viewforum.php, and the (3) id parameter to (a) viewforum.php or (b) members.php, which reveal the installation path in the resulting error message.

4.3
2007-05-16 CVE-2007-2731 Jetbox Unspecified vulnerability in Jetbox CMS 2.1

CRLF injection vulnerability in formmail.php in Jetbox CMS 2.1 might allow remote attackers to inject arbitrary e-mail headers via LF (%0A) sequences in the subject parameter, a related issue to CVE-2007-1898.

4.0
2007-05-16 CVE-2007-2700 BEA Information Disclosure vulnerability in Weblogic Server 9.0/9.1

The WLST script generated by the configToScript command in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not encrypt certain attributes in configuration files when creating a new domain, which allows remote authenticated users to obtain sensitive information.

4.0
2007-05-14 CVE-2006-7203 Linux Denial-Of-Service vulnerability in kernel

The compat_sys_mount function in fs/compat.c in Linux kernel 2.6.20 and earlier allows local users to cause a denial of service (NULL pointer dereference and oops) by mounting a smbfs file system in compatibility mode ("mount -t smbfs").

4.0

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-05-16 CVE-2007-2703 Oracle Remote Security vulnerability in Oracle Weblogic Portal 9.2

BEA WebLogic Portal 9.2 GA can corrupt a visitor entitlements role if an administrator provides a long role description, which might allow remote authenticated users to access privileged resources.

3.6
2007-05-17 CVE-2007-2746 Plain Black Information Disclosure vulnerability in Webgui

The viewList function in lib/WebGUI/Asset/Wobject/DataForm.pm in Plain Black WebGUI before 7.3.14 does not properly use data structures containing privilege information, which allows remote authenticated users to obtain sensitive information or possibly have other unspecified impact.

3.5
2007-05-16 CVE-2007-2702 Oracle Cross-Site Scripting vulnerability in Oracle Weblogic Portal 9.2

Cross-site scripting (XSS) vulnerability in the GroupSpace application in BEA WebLogic Portal 9.2 GA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to the rich text editor.

3.5
2007-05-16 CVE-2007-2693 Mysql
Oracle
Information Disclosure vulnerability in MySQL Alter Table Function

MySQL before 5.1.18 allows remote authenticated users without SELECT privileges to obtain sensitive information from partitioned tables via an ALTER TABLE statement.

3.5
2007-05-15 CVE-2007-2683 Mutt Local Buffer Overflow vulnerability in Mutt 1.4.2

Buffer overflow in Mutt 1.4.2 might allow local users to execute arbitrary code via "&" characters in the GECOS field, which triggers the overflow during alias expansion.

3.5
2007-05-16 CVE-2007-2727 PHP Unspecified vulnerability in PHP

The mcrypt_create_iv function in ext/mcrypt/mcrypt.c in PHP before 4.4.7, 5.2.1, and possibly 5.0.x and other PHP 5 versions, calls php_rand_r with an uninitialized seed variable and therefore always generates the same initialization vector (IV), which might allow context-dependent attackers to decrypt certain data more easily because of the guessable encryption keys.

2.6
2007-05-14 CVE-2007-1903 Sonicbb Cross-Site Scripting vulnerability in Sonicbb 1.0

Cross-site scripting (XSS) vulnerability in search.php in SonicBB 1.0 allows remote attackers to inject arbitrary web script or HTML via the part parameter.

2.6