Weekly Vulnerabilities Reports > August 27 to September 2, 2007

Overview

107 new vulnerabilities reported during this period, including 13 critical vulnerabilities and 29 high severity vulnerabilities. This weekly summary report vulnerabilities in 102 products from 79 vendors including BEA, Cisco, Redhat, Mozilla, and Hitachi. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "SQL Injection", and "Code Injection".

  • 95 reported vulnerabilities are remotely exploitables.
  • 24 reported vulnerabilities have public exploit available.
  • 30 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 104 reported vulnerabilities are exploitable by an anonymous user.
  • BEA has the most reported vulnerabilities, with 6 reported vulnerabilities.
  • Apache has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

13 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-08-31 CVE-2007-4646 Hexamail Code Injection vulnerability in Hexamail Server 3.0.0.001Lite

Buffer overflow in the pop3 service in Hexamail Server 3.0.0.001 Lite allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long USER command.

10.0
2007-08-31 CVE-2007-4642 Doomsday Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Doomsday

Multiple buffer overflows in Doomsday (aka deng) 1.9.0-beta5.1 and earlier allow remote attackers to execute arbitrary code via a long chat (PKT_CHAT) message that is not properly handled by the (1) D_NetPlayerEvent function in d_net.c or the (2) Msg_Write function in net_msg.c, or (3) many commands that are not properly handled by the NetSv_ReadCommands function in d_netsv.c; or (4) cause a denial of service (daemon crash) via a chat (PKT_CHAT) message without a final '\0' character.

10.0
2007-08-31 CVE-2007-2954 Novell Buffer Errors vulnerability in Novell Client 4.91

Multiple stack-based buffer overflows in the Spooler service (nwspool.dll) in Novell Client 4.91 SP2 through SP4 for Windows allow remote attackers to execute arbitrary code via certain long arguments to the (1) RpcAddPrinterDriver, (2) RpcGetPrinterDriverDirectory, and other unspecified RPC requests, aka Novell bug 300870, a different vulnerability than CVE-2006-5854.

10.0
2007-08-29 CVE-2007-4584 Bitchx Buffer Errors vulnerability in Bitchx 1.1Final

Stack-based buffer overflow in BitchX 1.1 Final allows remote IRC servers to execute arbitrary code via a long string in a MODE command, related to the p_mode variable.

10.0
2007-08-29 CVE-2007-4221 Motorola Improper Input Validation vulnerability in Motorola Timbuktu 8.6.3.1367

Multiple buffer overflows in Motorola Timbuktu Pro before 8.6.5 for Windows allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via (1) a long user name and (2) certain malformed requests; and (3) allow remote Timbuktu servers to have an unknown impact via a malformed HELLO response, related to the Scanner component and possibly related to a malformed computer name.

10.0
2007-08-28 CVE-2007-4566 Alpha Centauri Software Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Alpha Centauri Software Sidvault Ldap Server

Multiple buffer overflows in the login mechanism in sidvault in Alpha Centauri Software SIDVault LDAP Server before 2.0f allow remote attackers to execute arbitrary code via crafted LDAP packets, as demonstrated by a long dc entry in an LDAP bind.

10.0
2007-08-28 CVE-2007-4561 Realnetworks Improper Input Validation vulnerability in Realnetworks Helix DNA Server

Heap-based buffer overflow in the RTSP service in Helix DNA Server before 11.1.4 allows remote attackers to execute arbitrary code via an RSTP command containing multiple Require headers.

10.0
2007-08-27 CVE-2007-4548 Apache Improper Authentication vulnerability in Apache Geronimo 2.0

The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module.

10.0
2007-08-31 CVE-2007-4634 Cisco SQL Injection vulnerability in Cisco Call Manager and Unified Communications Manager

Multiple SQL injection vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3.3(5)sr2b, 4.1 before 4.1(3)sr5, 4.2 before 4.2(3)sr2, and 4.3 before 4.3(1)sr1 allow remote attackers to execute arbitrary SQL commands via the lang variable to the (1) user or (2) admin logon page, aka CSCsi64265.

9.3
2007-08-31 CVE-2007-4515 Yahoo Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Yahoo Messenger

Buffer overflow in a certain ActiveX control in YVerInfo.dll before 2007.8.27.1 in the Yahoo! services suite for Yahoo! Messenger before 8.1.0.419 allows remote attackers to execute arbitrary code via unspecified vectors involving arguments to the (1) fvCom and (2) info methods.

9.3
2007-08-31 CVE-2007-2931 Microsoft Improper Input Validation vulnerability in Microsoft MSN Messenger and Windows Live Messenger

Heap-based buffer overflow in Microsoft MSN Messenger 6.2, 7.0, and 7.5, and Live Messenger 8.0 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors involving video conversation handling in Web Cam and video chat sessions.

9.3
2007-08-31 CVE-2007-4607 Gate Comm Software
Quicksoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6.0.1 in the Quiksoft EasyMail SMTP Object, as used in Postcast Server Pro 3.0.61 and other products, allows remote attackers to execute arbitrary code via a long argument to the SubmitToExpress method, a different vulnerability than CVE-2007-1029.

9.3
2007-08-31 CVE-2007-4467 Oracle Improper Input Validation vulnerability in Oracle Jinitiator

Multiple stack-based buffer overflows in the Oracle JInitiator ActiveX control (beans.ocx) 1.1.8.16 and earlier, as used by Oracle Forms applications from Oracle and third parties, allow remote attackers to execute arbitrary code via unspecified "initialization parameters." NOTE: it was later reported that 1.1.8.3 through 1.1.8.25, and probably 1.1.5.x and 1.1.7.x, are affected.

9.3

29 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-08-31 CVE-2007-4618 BEA Resource Management Errors vulnerability in BEA Weblogic Server 6.0/6.1/7.0

Unspecified vulnerability in BEA WebLogic Server 6.1 Gold through SP7 and 7.0 Gold through SP7 allows remote attackers to cause a denial of service (disk consumption) via certain malformed HTTP headers.

7.8
2007-08-31 CVE-2007-4617 BEA Resource Management Errors vulnerability in BEA Weblogic Server

Unspecified vulnerability in BEA WebLogic Server 6.1 Gold through SP7, 7.0 Gold through SP7, and 8.1 Gold through SP4 allows remote attackers to cause a denial of service (server thread hang) via unspecified vectors.

7.8
2007-08-29 CVE-2007-4220 Motorola Path Traversal vulnerability in Motorola Timbuktu 8.6.3.1367

Directory traversal vulnerability in Motorola Timbuktu Pro before 8.6.5 for Windows allows remote attackers to create or delete arbitrary files via a ..

7.8
2007-08-28 CVE-2007-4577 Sophos Resource Management Errors vulnerability in Sophos Anti-Virus, Scanning Engine and Small Business Suite

Sophos Anti-Virus for Unix/Linux before 2.48.0 allows remote attackers to cause a denial of service (infinite loop) via a malformed BZip file that results in the creation of multiple Engine temporary files (aka a "BZip bomb").

7.8
2007-08-28 CVE-2007-4560 Clam Anti Virus OS Command Injection vulnerability in Clam Anti-Virus Clamav

clamav-milter in ClamAV before 0.91.2, when run in black hole mode, allows remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call, involving the "recipient field of sendmail."

7.6
2007-08-31 CVE-2007-4644 Doomsday Code Injection vulnerability in Doomsday

Format string vulnerability in the Cl_GetPackets function in cl_main.c in the client in Doomsday (aka deng) 1.9.0-beta5.1 and earlier allows remote Doomsday servers to execute arbitrary code via format string specifiers in a PSV_CONSOLE_TEXT message.

7.5
2007-08-31 CVE-2007-4636 Phpbg Improper Input Validation vulnerability in PHPbg 0.9.1

Multiple PHP remote file inclusion vulnerabilities in phpBG 0.9.1 allow remote attackers to execute arbitrary PHP code via a URL in the rootdir parameter to (1) intern/admin/other/backup.php, (2) intern/admin/, (3) intern/clan/member_add.php, (4) intern/config/key_2.php, or (5) intern/config/forum.php.

7.5
2007-08-31 CVE-2007-4629 University OF Minnesota Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in University of Minnesota Mapserver

Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.

7.5
2007-08-31 CVE-2007-4628 Phpns SQL Injection vulnerability in PHPns 1.1

SQL injection vulnerability in shownews.php in phpns 1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2007-08-31 CVE-2007-4627 Algera SQL Injection vulnerability in Algera ABC Estore 3.0

SQL injection vulnerability in index.php in ABC eStore 3.0 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

7.5
2007-08-31 CVE-2007-4614 BEA Permissions, Privileges, and Access Controls vulnerability in BEA Weblogic Server 9.1

BEA WebLogic Server 9.1 does not properly handle propagation of an admin server's security policy change log to temporarily unavailable managed servers, which might allow attackers to bypass intended restrictions, a different vulnerability than CVE-2007-0426.

7.5
2007-08-31 CVE-2007-4611 Dale Mooney SQL Injection vulnerability in Dale Mooney Calendar Events

SQL injection vulnerability in viewevent.php in Moonware (aka Dale Mooney Gallery) allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2007-08-31 CVE-2007-4608 Winterburns CO UK Code Injection vulnerability in Winterburns.Co.Uk Epersonnel Rc200402

PHP remote file inclusion vulnerability in protection.php in ePersonnel RC_2004_02 allows remote attackers to execute arbitrary PHP code via a URL in the logout_page parameter.

7.5
2007-08-31 CVE-2007-4606 Phpnuke Clan Code Injection vulnerability in PHPnuke-Clan

PHP remote file inclusion vulnerability in convert/mvcw_conver.php in the Virtual War (VWar) module for PHPNuke-Clan (PNC) 4.2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter, a different vector than CVE-2006-1602.

7.5
2007-08-31 CVE-2007-4605 Vwar Code Injection vulnerability in Vwar Virtual WAR

PHP remote file inclusion vulnerability in convert/mvcw.php in Virtual War (VWar) 1.5.0 R15 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the vwar_root parameter, a different vector than CVE-2006-1503, CVE-2006-1636, and CVE-2006-1747.

7.5
2007-08-31 CVE-2007-4604 Dinkumsoft COM SQL Injection vulnerability in Dinkumsoft.Com DL Paycart 1.01

SQL injection vulnerability in viewitem.php in DL PayCart 1.01 allows remote attackers to execute arbitrary SQL commands via the ItemID parameter.

7.5
2007-08-31 CVE-2007-4603 Altercoder SQL Injection vulnerability in Altercoder ACG News 1.0

Multiple SQL injection vulnerabilities in index.php in ACG News 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the aid parameter in a showarticle action or (2) the catid parameter in a showcat action.

7.5
2007-08-30 CVE-2007-4597 Turnkey WEB Tools SQL Injection vulnerability in Turnkey web Tools Sunshop Shopping Cart 4.0

SQL injection vulnerability in index.php in TurnkeyWebTools SunShop Shopping Cart 4.0 RC 6 allows remote attackers to execute arbitrary SQL commands via the s[cid] parameter in a search_list action, a different vector than CVE-2007-2549.

7.5
2007-08-30 CVE-2007-4596 PHP Code Injection vulnerability in PHP

The perl extension in PHP does not follow safe_mode restrictions, which allows context-dependent attackers to execute arbitrary code via the Perl eval function.

7.5
2007-08-29 CVE-2007-4586 PHP Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in PHP

Multiple buffer overflows in php_iisfunc.dll in the iisfunc extension for PHP 5.2.0 and earlier allow context-dependent attackers to execute arbitrary code, probably during Unicode conversion, as demonstrated by a long string in the first argument to the iis_getservicestate function, related to the ServiceId argument to the (1) fnStartService, (2) fnGetServiceState, (3) fnStopService, and possibly other functions.

7.5
2007-08-29 CVE-2007-4585 2532Gigs Path Traversal vulnerability in 2532Gigs 1.2.1

Directory traversal vulnerability in activateuser.php in 2532|Gigs 1.2.1 allows remote attackers to include and execute arbitrary local files via a ..

7.5
2007-08-29 CVE-2007-4582 Acti Buffer Errors vulnerability in Acti Network Video Recorder Sp22.0

Buffer overflow in the nvUnifiedControl.AUnifiedControl.1 ActiveX control in nvUnifiedControl.dll 1.1.45.0 in ACTi Network Video Recorder (NVR) SP2 2.0 allows remote attackers to execute arbitrary code via a long second argument to the SetText method.

7.5
2007-08-29 CVE-2007-4581 Wbb2 Addon SQL Injection vulnerability in Wbb2-Addon Acrotxt 1

SQL injection vulnerability in acrotxt.php in WBB2-Addon: Acrotxt 1 allows remote attackers to execute arbitrary SQL commands via the show parameter.

7.5
2007-08-28 CVE-2007-4552 Agares Media SQL Injection vulnerability in Agares Media Arcadem 2.0.1

SQL injection vulnerability in index.php in Agares Media Arcadem 2.01 allows remote attackers to execute arbitrary SQL commands via the blockpage parameter.

7.5
2007-08-28 CVE-2007-4551 Agares Media Code Injection vulnerability in Agares Media Arcadem 2.0.1

PHP remote file inclusion vulnerability in index.php in Agares Media Arcadem 2.01 allows remote attackers to execute arbitrary PHP code via a URL in the loadpage parameter.

7.5
2007-08-27 CVE-2007-4540 Olate SQL Injection vulnerability in Olate Olatedownload 3.4.2

Multiple SQL injection vulnerabilities in download.php in Olate Download (od) 3.4.2 allow remote attackers to execute arbitrary SQL commands via the (1) HTTP_REFERER or (2) HTTP_USER_AGENT HTTP header.

7.5
2007-08-31 CVE-2007-4649 Microworld Technologies Permissions, Privileges, and Access Controls vulnerability in Microworld Technologies products

MicroWorld eScan Virus Control 9.0.722.1, Anti-Virus 9.0.722.1, and Internet Security 9.0.722.1 use weak permissions (Everyone:Full Control) for their installation directory trees, which allows local users to gain privileges by replacing application files, as demonstrated by traysser.exe.

7.2
2007-08-31 CVE-2007-4648 Norman Buffer Errors vulnerability in Norman Virus Control 5.82

The nvcoaft51 driver in Norman Virus Control (NVC) 5.82 uses weak permissions (unrestricted write access) for the NvcOa device, which allows local users to gain privileges by (1) triggering a buffer overflow in a kernel pool via a string argument to ioctl 0xBF67201C; or by (2) sending a crafted KEVENT structure through ioctl 0xBF672028 to overwrite arbitrary memory locations.

7.2
2007-08-28 CVE-2007-4580 Trustware Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Trustware Bufferzone

Buffer underflow in redlight.sys in BufferZone 2.1 and 2.5 allows local users to cause a denial of service (crash) and possibly execute arbitrary code by sending a small buffer size value to the FsSetVolumeInformation IOCTL handler code with a FsSetDirectoryInformation subcode containing a large buffer.

7.2

63 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-08-31 CVE-2007-4631 Qgit Link Following vulnerability in Qgit 1.5.62Pre1

The DataLoader::doStart function in dataloader.cpp in QGit 1.5.6 and other versions up to 2pre1 allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack on temporary files with predictable filenames.

6.9
2007-08-29 CVE-2007-4593 Vmware Denial-Of-Service vulnerability in VMWare Workstation 6.0

Unspecified vulnerability in vstor2-ws60.sys in VMWare Workstation 6.0 allows local users to cause a denial of service (host operating system crash) via unspecified vectors, as demonstrated by the DC2 test suite, possibly a related issue to CVE-2007-4591.

6.9
2007-08-29 CVE-2007-4591 Vmware Buffer Overflow vulnerability in VMWare Workstation 6.0

vstor-ws60.sys in VMWare Workstation 6.0 allows local users to cause a denial of service (host operating system crash) and possibly gain privileges by sending a small file buffer size value to the FsSetVolumeInformation IOCTL handler with an FsSetFileInformation subcode.

6.9
2007-08-31 CVE-2007-4613 BEA Cryptographic Issues vulnerability in BEA Weblogic Server

SSL libraries in BEA WebLogic Server 6.1 Gold through SP7, 7.0 Gold through SP7, and 8.1 Gold through SP5 might allow remote attackers to obtain plaintext from an SSL stream via a man-in-the-middle attack that injects crafted data and measures the elapsed time before an error response, a different vulnerability than CVE-2006-2461.

6.8
2007-08-31 CVE-2007-4610 Dale Mooney Permissions, Privileges, and Access Controls vulnerability in Dale Mooney Moon Gallery

Unrestricted file upload vulnerability in config/upload.php in Moonware (aka Dale Mooney Gallery) allows remote attackers to upload and execute arbitrary PHP files in images/, possibly related to config/admin.php.

6.8
2007-08-31 CVE-2007-4602 Implied BY Design SQL Injection vulnerability in Implied BY Design Micro CMS 3.5

SQL injection vulnerability in cms/revert-content.php in Implied by Design Micro CMS (Micro-CMS) 3.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

6.8
2007-08-30 CVE-2007-4134 Redhat Path Traversal vulnerability in Redhat Fedora 7

Directory traversal vulnerability in extract.c in star before 1.5a84 allows user-assisted remote attackers to overwrite arbitrary files via certain //..

6.8
2007-08-28 CVE-2007-4578 Sophos Numeric Errors vulnerability in Sophos Anti-Virus, Scanning Engine and Small Business Suite

Sophos Anti-Virus for Windows and for Unix/Linux before 2.48.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted UPX packed file, resulting from an "integer cast around".

6.8
2007-08-28 CVE-2007-4559 Python Software Foundation Path Traversal vulnerability in Python Software Foundation Python

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a ..

6.8
2007-08-28 CVE-2007-4556 Opensymphony Unspecified vulnerability in Opensymphony Xwork

Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.

6.8
2007-08-28 CVE-2006-7222 Guliverkli Buffer Errors vulnerability in Guliverkli Media Player Classic 6.4.9.0

Buffer overflow in the CFLICStream::_deltachunk function in FLICSource.cpp in Media Player Classic (MPC) 6.4.9.0 allows user-assisted remote attackers to execute arbitrary code via a crafted FLI file.

6.8
2007-08-28 CVE-2007-4549 Altools Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Altools Alpass 2.7/3.02

Multiple buffer overflows in ALPass 2.7 English and 3.02 Korean allow user-assisted remote attackers to execute arbitrary code via an ALPass DB (APW) file containing (1) a long file-key or (2) a "Site Information and Folder entry" with a ciphertext_length value much larger than the plaintext_length value.

6.8
2007-08-27 CVE-2007-4545 X Diesel Path Traversal vulnerability in X-Diesel Unreal Commander 0.92Build565/0.92Build573

Multiple directory traversal vulnerabilities in Unreal Commander 0.92 build 565 and 573 allow user-assisted remote attackers to create or overwrite arbitrary files via a ..

6.8
2007-08-27 CVE-2007-4537 Skulltag Team Remote Heap Based Buffer Overflow vulnerability in Skulltag Huffman Packet Decompression

Heap-based buffer overflow in the Huffman decompression algorithm implemented in Skulltag 0.97d-beta4.1 and earlier allows remote attackers to execute arbitrary code via a crafted UDP packet.

6.8
2007-08-27 CVE-2007-2958 Sylpheed
Sylpheed Claws
Format string vulnerability in the inc_put_error function in src/inc.c in Sylpheed 2.4.4, and Sylpheed-Claws (Claws Mail) 1.9.100 and 2.10.0, allows remote POP3 servers to execute arbitrary code via format string specifiers in crafted replies.
6.8
2007-08-31 CVE-2007-4639 Enterprisedb Code Injection vulnerability in Enterprisedb Advanced Server 8.2

EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer.

6.5
2007-08-30 CVE-2007-4132 Redhat Remote Code Execution vulnerability in Redhat Network Satelite Server 5.0.0

Unspecified vulnerability in Red Hat Network Satellite Server 5.0.0 allows remote authenticated users to execute arbitrary code via unknown vectors in a "back-end XMLRPC handler."

6.5
2007-08-31 CVE-2007-4645 Nmdeluxe Code Injection vulnerability in Nmdeluxe 2.0.0

SQL injection vulnerability in index.php in NMDeluxe 2.0.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a newspost do action, a different vulnerability than CVE-2006-1108.

6.4
2007-08-31 CVE-2007-4641 Pakupaku Path Traversal vulnerability in Pakupaku CMS

Directory traversal vulnerability in index.php in Pakupaku CMS 0.4 and earlier allows remote attackers to include and execute arbitrary local files via a ..

6.4
2007-08-31 CVE-2007-4640 Pakupaku Permissions, Privileges, and Access Controls vulnerability in Pakupaku CMS

Unrestricted file upload vulnerability in index.php in Pakupaku CMS 0.4 and earlier allows remote attackers to upload and execute arbitrary PHP files in uploads/ via an Uploads action.

6.4
2007-08-31 CVE-2007-4637 XGB Denial-Of-Service vulnerability in XGB 2.0

xGB.php in xGB 2.0 does not require authentication for an admin edit action, which allows remote attackers to make unspecified changes via an unknown series of steps.

6.4
2007-08-31 CVE-2007-4616 BEA Information Disclosure vulnerability in BEA WebLogic Server Null Cipher Suite

The SSL server implementation in BEA WebLogic Server 7.0 Gold through SP7, 8.1 Gold through SP6, 9.0, 9.1, 9.2 Gold through MP1, and 10.0 sometimes selects the null cipher when no other cipher is compatible between the server and client, which might allow remote attackers to intercept communications.

6.4
2007-08-31 CVE-2007-4615 BEA Information Disclosure vulnerability in BEA WebLogic Server Null Cipher Suite

The SSL client implementation in BEA WebLogic Server 7.0 SP7, 8.1 SP2 through SP6, 9.0, 9.1, 9.2 Gold through MP2, and 10.0 sometimes selects the null cipher when others are available, which might allow remote attackers to intercept communications.

6.4
2007-08-31 CVE-2007-4609 Eyeos Project Permissions, Privileges, and Access Controls vulnerability in Eyeos Project Eyeos

eyeOS uses predictable checksum values in the checknum parameter for access control, which allows remote attackers to register many accounts via doCreateUser actions, add many eyeBoard messages via addMsg actions, and cause a denial of service or conduct certain unauthorized activities, by guessing valid parameter values.

6.4
2007-08-29 CVE-2007-4594 Entrust Credentials Management vulnerability in Entrust Entelligence Security Provider 8

Entrust Entelligence Security Provider (ESP) 8 does not properly validate certificates in certain circumstances involving (1) a chain that omits the root Certification Authority (CA) certificate, or an application that specifies disregarding (2) unknown revocation statuses during path validation or (3) certain errors in the certification path, which might allow context-dependent attackers to spoof certificate authentication.

6.4
2007-08-28 CVE-2007-3846 Subversion
Tortoisesvn
Path Traversal vulnerability in multiple products

Directory traversal vulnerability in Subversion before 1.4.5, as used by TortoiseSVN before 1.4.5 and possibly other products, when run on Windows-based systems, allows remote authenticated users to overwrite and create arbitrary files via a ..\ (dot dot backslash) sequence in the filename, as stored in the file repository.

6.0
2007-08-27 CVE-2007-4546 X Diesel Remote vulnerability in Unreal Commander Malformed Archives

Unreal Commander 0.92 build 565 and 573 lists the filenames from the Central Directory of a ZIP archive, but extracts to local filenames corresponding to names in Local File Header fields in this archive, which might allow remote attackers to trick a user into performing a dangerous file overwrite or creation.

5.8
2007-08-28 CVE-2007-4550 Altools USE of Externally-Controlled Format String vulnerability in Altools Alpass 2.7/3.02

Format string vulnerability in ALPass 2.7 English and 3.02 Korean might allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an fnm field in a folder-name record in an ALPASS DB (APW) file.

5.1
2007-08-31 CVE-2007-4647 2Coolcode Permissions, Privileges, and Access Controls vulnerability in 2Coolcode OUR Space 2.0.9

newswire/uploadmedia.cgi in 2coolcode Our Space (Ourspace) 2.0.9 allows remote attackers to upload certain files via unspecified vectors, probably involving unrestricted functionality in uploadmedia.cgi.

5.0
2007-08-31 CVE-2007-4643 Doomsday Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Doomsday

Integer underflow in Doomsday (aka deng) 1.9.0-beta5.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via a PKT_CHAT packet with a data length less than 3, which triggers an erroneous malloc, possibly related to the Sv_HandlePacket function in sv_main.c.

5.0
2007-08-31 CVE-2007-4635 Yahoo Improper Input Validation vulnerability in Yahoo Messenger 8.1.0.209/8.1.0.402

Yahoo! Messenger 8.1.0.209 and 8.1.0.402 allows remote attackers to cause a denial of service (application crash) via certain file-transfer packets, possibly involving a buffer overflow, as demonstrated by ym8bug.exe.

5.0
2007-08-31 CVE-2007-4626 Polipo Denial-Of-Service vulnerability in Polipo

Unspecified vulnerability in Polipo before 1.0.2 allows remote attackers to cause a denial of service (daemon crash) via certain network traffic associated with entities larger than 2 Gb.

5.0
2007-08-30 CVE-2007-4601 Ubuntu Permissions, Privileges, and Access Controls vulnerability in Ubuntu Linux 7.04

A regression error in tcp-wrappers 7.6.dbs-10 and 7.6.dbs-11 might allow remote attackers to bypass intended access restrictions when a service uses libwrap but does not specify server connection information.

5.0
2007-08-29 CVE-2007-4583 Acti Path Traversal vulnerability in Acti Network Video Recorder Sp22.0

Multiple absolute path traversal vulnerabilities in the nvUtility.Utility.1 ActiveX control in nvUtility.dll 1.0.14.0 in ACTi Network Video Recorder (NVR) SP2 2.0 allow remote attackers to (1) create or overwrite arbitrary files via a full pathname in the first argument to the SaveXMLFile method or (2) delete arbitrary files via a full pathname in the argument to the DeleteXMLFile method.

5.0
2007-08-28 CVE-2007-4565 Fetchmail Remote Denial of Service vulnerability in Fetchmail Failed Warning Message

sink.c in fetchmail before 6.3.9 allows context-dependent attackers to cause a denial of service (NULL dereference and application crash) by refusing certain warning messages that are sent over SMTP.

5.0
2007-08-28 CVE-2007-4521 Asterisk Remote Denial of Service vulnerability in Asterisk Malformed MIME Body

Asterisk Open Source 1.4.5 through 1.4.11, when configured to use an IMAP voicemail storage backend, allows remote attackers to cause a denial of service via an e-mail with an "invalid/corrupted" MIME body, which triggers a crash when the recipient listens to voicemail.

5.0
2007-08-28 CVE-2007-4553 Thomson Remote Denial of Service vulnerability in Thomson ST 2030 SIP Phone 1

The Thomson ST 2030 SIP phone with software 1.52.1 allows remote attackers to cause a denial of service (device hang) via an INVITE message with a Via header that contains a '/' (slash) instead of the required space following the SIP version number.

5.0
2007-08-27 CVE-2007-4539 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla Bugzilla

The WebService (XML-RPC) interface in Bugzilla 2.23.3 through 3.0.0 does not enforce permissions for the time-tracking fields of bugs, which allows remote attackers to obtain sensitive information via certain XML-RPC requests, as demonstrated by the (1) Deadline and (2) Estimated Time fields.

5.0
2007-08-27 CVE-2007-4538 Mozilla Remote vulnerability in Bugzilla

email_in.pl in Bugzilla 2.23.4 through 3.0.0 allows remote attackers to execute arbitrary commands via the -f (From address) option to the Email::Send::Sendmail function, probably involving shell metacharacters.

5.0
2007-08-30 CVE-2007-4598 IBM Credentials Management vulnerability in IBM Surepos 500

IBM SurePOS 500 has (1) a default password of "12345" for the manager and (2) blank default passwords for operator accounts.

4.6
2007-08-28 CVE-2007-4564 Hitachi Permissions, Privileges, and Access Controls vulnerability in Hitachi products

Cosminexus Manager in Cosminexus Application Server 07-00 and later might assign the wrong user's group permissions to logical user server processes, which allows local users to gain privileges.

4.6
2007-08-28 CVE-2007-4563 Hitachi Permissions, Privileges, and Access Controls vulnerability in Hitachi products

Cosminexus Manager in Cosminexus Application Server 06-50 and later might assign the wrong user's group permissions to logical J2EE server processes, which allows local users to gain privileges.

4.4
2007-08-31 CVE-2007-4638 Blizzard Entertainment Remote Denial of Service vulnerability in Blizzard Entertainment StarCraft Brood War Minimap Preview

Blizzard Entertainment StarCraft Brood War 1.15.1 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed map, which triggers an out-of-bounds read during a minimap preview.

4.3
2007-08-31 CVE-2007-4633 Cisco Cross-Site Scripting vulnerability in Cisco Call Manager and Unified Communications Manager

Multiple cross-site scripting (XSS) vulnerabilities in Cisco CallManager and Unified Communications Manager (CUCM) before 3.3(5)sr2b, 4.1 before 4.1(3)sr5, 4.2 before 4.2(3)sr2, and 4.3 before 4.3(1)sr1 allow remote attackers to inject arbitrary web script or HTML via the lang variable to the (1) user or (2) admin logon page, aka CSCsi10728.

4.3
2007-08-31 CVE-2007-4632 Cisco Improper Authentication vulnerability in Cisco IOS 12.2E/12.2F/12.2S

Cisco IOS 12.2E, 12.2F, and 12.2S places a "no login" line into the VTY configuration when an administrator makes certain changes to a (1) VTY/AUX or (2) CONSOLE setting on a device without AAA enabled, which allows remote attackers to bypass authentication and obtain a terminal session, a different vulnerability than CVE-1999-0293 and CVE-2005-2105.

4.3
2007-08-31 CVE-2007-4630 Xigla Cross-Site Scripting vulnerability in Xigla Absolute Poll Manager XE 4.1

Cross-site scripting (XSS) vulnerability in xlaapmview.asp in Absolute Poll Manager XE 4.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

4.3
2007-08-31 CVE-2007-4625 Polipo Denial-Of-Service vulnerability in Polipo

Polipo before 1.0.2 allows remote HTTP servers to cause a denial of service (daemon crash) by aborting the response to a POST request.

4.3
2007-08-31 CVE-2007-4624 Abledesign HTML Injection vulnerability in Abledesign Dynamic Picture Frame 1.0

Cross-site scripting (XSS) vulnerability in pframe.php in AbleDesign Dynamic Picture Frame 1.00 allows remote attackers to inject arbitrary web script or HTML via the img_url parameter.

4.3
2007-08-31 CVE-2007-4612 Dale Mooney Improper Input Validation vulnerability in Dale Mooney Contact Form

CRLF injection vulnerability in contact.php in Moonware (aka Dale Mooney Gallery) allows remote attackers to add arbitrary mail headers via CRLF sequences in the subject parameter.

4.3
2007-08-29 CVE-2007-4595 THE Seasar Foundation Cross-Site Scripting vulnerability in the Seasar Foundation Mayaa

Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.12 allows remote attackers to inject arbitrary web script or HTML in certain circumstances involving (1) lack of charset specification within a META element or (2) a META element that specifies an unrecognized charset, which trigger automatic character set recognition by the web browser, as demonstrated by improper handling of UTF-7 data.

4.3
2007-08-29 CVE-2007-4589 Interworx Cross-Site Scripting vulnerability in Interworx web Control Panel 3.0.2

Multiple cross-site scripting (XSS) vulnerabilities in InterWorx Hosting Control Panel (InterWorx-CP) Webmaster Level (SiteWorx) 3.0.2 (1) allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php; and allow remote authenticated users to inject arbitrary web script or HTML via the PATH_INFO to (2) siteworx.php, (3) users.php, (4) ftp.php, (5) mysql.php, (6) domains.php, (7) htaccess.php, (8) scriptworx.php, (9) stats.php, (10) backup.php, (11) restore.php, and (12) httpd.php; and unspecified vectors to (13) cron.php and (14) prefs.php.

4.3
2007-08-29 CVE-2007-4588 Interworx Cross-Site Scripting vulnerability in Interworx web Control Panel 3.0.2

Multiple cross-site scripting (XSS) vulnerabilities in InterWorx Hosting Control Panel (InterWorx-CP) Server Admin Level (NodeWorx) 3.0.2 (1) allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php; and allow remote authenticated users to inject arbitrary web script or HTML via the PATH_INFO to (2) nodeworx.php, (3) users.php, (4) lang.php, (5) themes.php, (6) setup.php, (7) siteworx.php, (8) packages.php, (9) backup.php, (10) import.php, (11) scriptworx.php, (12) resellers.php, (13) reseller-packages.php, (14) http.php, (15) mail.php, (16) ftp.php, (17) mysql.php, (18) sshd.php, (19) nfs.php, (20) cron.php, (21) ip.php, (22) firewall.php, (23) updates.php, (24) rrd.php, or (25) cluster.php.

4.3
2007-08-29 CVE-2007-4587 THE Seasar Foundation Cross-Site Scripting vulnerability in the Seasar Foundation Escafeweb

Cross-site scripting (XSS) vulnerability in Easy Software Cafeteria escafeWeb (aka Tuigwaa) 1.0 through 1.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the setting of option.nopage.create in tuigwaa.properties.

4.3
2007-08-28 CVE-2007-4562 Hitachi Denial Of Service vulnerability in Hitachi Cosminexus Dabroker and Dabroker

Unspecified vulnerability in Hitachi DABroker before 03-02-/D and Cosminexus DABroker before 02-04-/C and 03-05-/E allows remote attackers to cause a denial of service (connection prevention) by sending "data unexpectedly through a port."

4.3
2007-08-28 CVE-2007-4557 Novell Cross-Site Scripting vulnerability in Novell Groupwise Webaccess 6.5

Cross-site scripting (XSS) vulnerability in the webacc servlet in Novell GroupWise 6.5 WebAccess allows remote attackers to inject arbitrary web script or HTML via the User.Id parameter, as demonstrated by a URL within a url field in a STYLE element, possibly due to an incomplete fix for CVE-2004-2103.2.

4.3
2007-08-28 CVE-2007-4555 Ipswitch Cross-Site Scripting vulnerability in Ipswitch WS FTP

Cross-site scripting (XSS) vulnerability in Ipswitch WS_FTP allows remote attackers to inject arbitrary web script or HTML via arguments to a valid command, which is not properly handled when it is displayed by the view log option in the administration interface.

4.3
2007-08-28 CVE-2007-4554 Tiki Cross-Site Scripting vulnerability in Tiki Tikiwiki Cms/Groupware 1.9.7

Cross-site scripting (XSS) vulnerability in tiki-remind_password.php in Tikiwiki (aka Tiki CMS/Groupware) 1.9.7 allows remote attackers to inject arbitrary web script or HTML via the username parameter.

4.3
2007-08-27 CVE-2007-4547 X Diesel Remote vulnerability in Unreal Commander Malformed Archives

Unreal Commander 0.92 build 565 and 573 writes portions of heap memory into local files when extracting from an archive with malformed size information in a file header, which might allow user-assisted attackers to obtain sensitive information (memory contents) by reading the extracted files.

4.3
2007-08-27 CVE-2007-4544 Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Wordpress MU

Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPress multi-user (MU) 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the weblog_id parameter (Username field).

4.3
2007-08-27 CVE-2007-4543 Mozilla Cross-Site Scripting vulnerability in Mozilla Bugzilla

Cross-site scripting (XSS) vulnerability in enter_bug.cgi in Bugzilla 2.17.1 through 2.20.4, 2.22.x before 2.22.3, and 3.x before 3.0.1 allows remote attackers to inject arbitrary web script or HTML via the buildid field in the "guided form."

4.3
2007-08-27 CVE-2007-4542 University OF Minnesota Cross-Site Scripting vulnerability in University of Minnesota Mapserver

Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError function in mapserv.c in the mapserv CGI program.

4.3
2007-08-27 CVE-2007-4541 Olate Cross-Site Request Forgery (CSRF) vulnerability in Olate Olatedownload 3.4.2

Multiple cross-site scripting (XSS) vulnerabilities in Olate Download (od) 3.4.2 allow remote attackers to inject arbitrary web script or HTML via (1) the PHP_SELF variable in modules/core/uim.php and (2) [url] tags in a comment in modules/core/fldm.php.

4.3
2007-08-27 CVE-2007-3741 Mandriva
GNU
File Plugins Multiple Remote Denial of Service vulnerability in GIMP

The (1) psp (aka .tub), (2) bmp, (3) pcx, and (4) psd plugins in gimp allow user-assisted remote attackers to cause a denial of service (crash or memory consumption) via crafted image files, as discovered using the fusil fuzzing tool.

4.3

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2007-08-29 CVE-2007-4590 HP Local Security vulnerability in HP Dynrootdisk, Hp-Ux and Ignite-Ux

The get_system_info command in Ignite-UX C.7.0 through C.7.3, and DynRootDisk (DRD) A.1.0.16.417 through A.2.0.0.592, on HP-UX B.11.11, B.11.23, and B.11.31 does not inform local users of networking changes made by the command, which has unknown impact and attack vectors.

3.3
2007-08-27 CVE-2007-2797 Redhat
Xterm
Debian
Unspecified vulnerability in Xterm 1927.El4/2083.1

xterm, including 192-7.el4 in Red Hat Enterprise Linux and 208-3.1 in Debian GNU/Linux, sets the wrong group ownership of tty devices, which allows local users to write data to other users' terminals.

2.1