Weekly Vulnerabilities Reports > June 2 to 8, 2008

Overview

122 new vulnerabilities were reported during this period, including 32 critical vulnerabilities and 39 high severity vulnerabilities. This weekly summary reports vulnerabilities in 105 products from 59 vendors including Apple, SUN, HP, Vmware, and Cisco. Notable vulnerability categories include "Improper Restriction of Operations within the Bounds of a Memory Buffer", "SQL Injection", "Cross-site Scripting", "Improper Input Validation", and "Permissions, Privileges, and Access Controls".

  • 104 reported vulnerabilities are remotely exploitable.
  • 33 reported vulnerabilities have a public exploit available.
  • 45 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 117 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 20 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 8 reported vulnerabilities.

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

32 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-06-06 CVE-2008-2388 Opensuse Numeric Errors vulnerability in Opensuse 10.2

Multiple off-by-one errors in opensuse-updater in openSUSE 10.2 have unspecified impact and attack vectors.

10.0
2008-06-04 CVE-2008-2541 CA Buffer Errors vulnerability in CA Etrust Secure Content Manager 8.0

Multiple stack-based buffer overflows in the HTTP Gateway Service (icihttp.exe) in CA eTrust Secure Content Manager 8.0 allow remote attackers to execute arbitrary code or cause a denial of service via long FTP responses, related to (1) the file month field in a LIST command; (2) the PASV command; and (3) directories, files, and links in a LIST command.

10.0
2008-06-04 CVE-2008-2404 SUN Buffer Errors vulnerability in SUN Java ASP Server 4.0

Stack-based buffer overflow in the request handling implementation in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to execute arbitrary code via an unspecified string field.

10.0
2008-06-04 CVE-2008-2403 SUN Path Traversal vulnerability in SUN Java ASP Server 4.0/4.0.1

Multiple directory traversal vulnerabilities in unspecified ASP applications in Sun Java Active Server Pages (ASP) Server before 4.0.3 allow remote attackers to read or delete arbitrary files via a ..

10.0
2008-06-04 CVE-2008-0953 HP Code Execution in RETIRED: HP Instant Support 'HPISDataManager.dll' ActiveX Control

The StartApp function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to execute arbitrary programs via a .exe filename in the argument, a different vulnerability than CVE-2007-5608 and CVE-2008-0953.

10.0
2008-06-04 CVE-2007-5610 HP Code Execution in RETIRED: HP Instant Support 'HPISDataManager.dll' ActiveX Control

The DeleteSingleFile function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to delete an arbitrary file via a full pathname in the argument.

10.0
2008-06-04 CVE-2007-5606 HP Code Execution in RETIRED: HP Instant Support 'HPISDataManager.dll' ActiveX Control

Buffer overflow in the MoveFile function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to execute arbitrary code via a long argument, a different vulnerability than CVE-2007-5604, CVE-2007-5605, and CVE-2007-5607.

10.0
2008-06-04 CVE-2008-1661 HP Buffer Errors vulnerability in HP Storageworks Storage Mirroring 4.5

Stack-based buffer overflow in DoubleTake.exe in HP StorageWorks Storage Mirroring (SWSM) before 4.5 SP2 allows remote attackers to execute arbitrary code via a crafted encoded authentication request.

10.0
2008-06-03 CVE-2008-2528 Citrix Improper Authentication vulnerability in Citrix Access Gateway 4.5.5/4.5.6

Unspecified vulnerability in Citrix Access Gateway Standard Edition 4.5.7 and earlier and Advanced Edition 4.5 HF2 and earlier allows attackers to bypass authentication and gain "access to network resources" via unspecified vectors.

10.0
2008-06-02 CVE-2008-1030 Apple Improper Input Validation vulnerability in Apple mac OS X and mac OS X Server

Integer overflow in the CFDataReplaceBytes function in the CFData API in CoreFoundation in Apple Mac OS X before 10.5.3 allows context-dependent attackers to execute arbitrary code or cause a denial of service (crash) via an invalid length argument, which triggers a heap-based buffer overflow.

10.0
2008-06-06 CVE-2008-2545 Skype Technologies Improper Input Validation vulnerability in Skype Technologies Skype

Skype 3.6.0.248, and other versions before 3.8.0.139, uses a case-sensitive comparison when checking for dangerous extensions, which allows user-assisted remote attackers to bypass warning dialogs and possibly execute arbitrary code via a file: URI with a dangerous extension that uses a different case.

9.3
2008-06-06 CVE-2008-1805 Skype Technologies Improper Input Validation vulnerability in Skype Technologies Skype

Incomplete blacklist vulnerability in Skype 3.6.0.248, and other versions before 3.8.0.139, allows user-assisted remote attackers to bypass warning dialogs and possibly execute arbitrary code via a file: URI that ends in an executable extension that is not covered by the blacklist.

9.3
2008-06-06 CVE-2008-2570 Limesurvey Remote vulnerability in LimeSurvey Prior to 1.71

Multiple unspecified vulnerabilities in LimeSurvey (formerly PHPSurveyor) before 1.71 have unknown impact and attack vectors.

9.3
2008-06-04 CVE-2008-2551 Icona Permissions, Privileges, and Access Controls vulnerability in Icona Instant Messenger 1.0.0.1

The DownloaderActiveX Control (DownloaderActiveX.ocx) in Icona SpA C6 Messenger 1.0.0.1 allows remote attackers to force the download and execution of arbitrary files via a URL in the propDownloadUrl parameter with the propPostDownloadAction parameter set to "run."

9.3
2008-06-04 CVE-2008-1770 Akamai Code Injection vulnerability in Akamai Download Manager 2.0.4.4/2.2.0.0/2.2.1.0

CRLF injection vulnerability in Akamai Download Manager ActiveX control before 2.2.3.6 allows remote attackers to force the download and execution of arbitrary files via a URL parameter containing an encoded LF followed by a malicious target line.

9.3
2008-06-04 CVE-2008-1109 Gnome Buffer Errors vulnerability in Gnome Evolution 2.22.1

Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window).

9.3
2008-06-04 CVE-2008-0952 HP Code Execution in RETIRED: HP Instant Support 'HPISDataManager.dll' ActiveX Control

The AppendStringToFile function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to create files with arbitrary content via a full pathname in the first argument and the content in the second argument, a different vulnerability than CVE-2007-5608 and CVE-2008-0953.

9.3
2008-06-04 CVE-2007-5608 HP Code Execution in RETIRED: HP Instant Support 'HPISDataManager.dll' ActiveX Control

The DownloadFile function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to force a download of an arbitrary file onto a client machine via a URL in the first argument and a destination filename in the second argument, a different vulnerability than CVE-2008-0952 and CVE-2008-0953.

9.3
2008-06-04 CVE-2007-5605 HP Code Execution in RETIRED: HP Instant Support 'HPISDataManager.dll' ActiveX Control

Buffer overflow in the GetFileTime function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to execute arbitrary code via a long argument, a different vulnerability than CVE-2007-5604, CVE-2007-5606, and CVE-2007-5607.

9.3
2008-06-04 CVE-2008-2548 Motorola Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Motorola Razr

Stack-based buffer overflow in the JPEG thumbprint component in the EXIF parser on Motorola cell phones with RAZR firmware allows user-assisted remote attackers to execute arbitrary code via an MMS transmission of a malformed JPEG image, which triggers memory corruption.

9.3
2008-06-04 CVE-2008-2547 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Windows Installer 3.1.4000.1823/4.5.6001.22159

Stack-based buffer overflow in msiexec.exe 3.1.4000.1823 and 4.5.6001.22159 in Microsoft Windows Installer allows context-dependent attackers to execute arbitrary code via a long GUID value for the /x (aka /uninstall) option.

9.3
2008-06-03 CVE-2008-2540 Apple, Microsoft Permissions, Privileges, and Access Controls vulnerability in Apple Safari

Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032.

9.3
2008-06-02 CVE-2008-2511 CA Path Traversal vulnerability in CA Internet Security Suite Plus 2008

Directory traversal vulnerability in the UmxEventCli.CachedAuditDataList.1 (aka UmxEventCliLib) ActiveX control in UmxEventCli.dll in CA Internet Security Suite 2008 allows remote attackers to create and overwrite arbitrary files via a ..

9.3
2008-06-02 CVE-2008-2426 Carsten Haitzler Buffer Errors vulnerability in Carsten Haitzler Imlib2 1.4.0

Multiple stack-based buffer overflows in Imlib 2 (aka imlib2) 1.4.0 allow user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) a PNM image with a crafted header, related to the load function in src/modules/loaders/loader_pnm.c; or (2) a crafted XPM image, related to the load function in src/modules/loader_xpm.c.

9.3
2008-06-02 CVE-2008-2363 PAN Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in PAN

The PartsBatch class in Pan 0.132 and earlier does not properly manage the data structures for Parts batches, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted .nzb file that triggers a heap-based buffer overflow.

9.3
2008-06-02 CVE-2008-1577 Apple Multiple Security vulnerability in RETIRED: Apple Mac OS X 2008-003

Unspecified vulnerability in the Pixlet codec in Apple Pixlet Video in Apple Mac OS X before 10.5.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file, related to "multiple memory corruption issues."

9.3
2008-06-02 CVE-2008-1575 Apple Resource Management Errors vulnerability in Apple mac OS X and mac OS X Server

Unspecified vulnerability in the Apple Type Services (ATS) server in Apple Mac OS X 10.5 before 10.5.3 allows user-assisted remote attackers to execute arbitrary code via a crafted embedded font in a PDF document, related to memory corruption that occurs during printing.

9.3
2008-06-02 CVE-2008-1574 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

Integer overflow in ImageIO in Apple Mac OS X before 10.5.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG2000 image that triggers a heap-based buffer overflow.

9.3
2008-06-02 CVE-2008-1034 Apple Numeric Errors vulnerability in Apple mac OS X

Integer underflow in Help Viewer in Apple Mac OS X before 10.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted help:topic URL that triggers a buffer overflow.

9.3
2008-06-02 CVE-2008-1031 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

CoreGraphics in Apple Mac OS X before 10.5.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document, related to an uninitialized variable.

9.3
2008-06-02 CVE-2008-1028 Apple Improper Input Validation vulnerability in Apple mac OS X and mac OS X Server

Unspecified vulnerability in AppKit in Apple Mac OS X before 10.5 allows user-assisted remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted document file, as demonstrated by opening the document with TextEdit.

9.3
2008-06-05 CVE-2008-2097 Vmware Buffer Errors vulnerability in VMWare ESX and Esxi

Buffer overflow in the openwsman management service in VMware ESXi 3.5 and ESX 3.5 allows remote authenticated users to gain privileges via an "invalid Content-Length."

9.0

39 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-06-06 CVE-2008-2573 Freesshd Buffer Errors vulnerability in Freesshd 1.2.1

Stack-based buffer overflow in SFTP in freeSSHd 1.2.1 allows remote authenticated users to execute arbitrary code via a long directory name in an SSH_FXP_OPENDIR (aka opendir) command.

8.5
2008-06-04 CVE-2008-2059 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco products

Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 8.0.x before 8.0(3)9 allows remote attackers to bypass control-plane ACLs for the device via unknown vectors.

7.8
2008-06-04 CVE-2008-2058 Cisco Resource Management Errors vulnerability in Cisco products

Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 7.2.x before 7.2(3)2 and 8.0.x before 8.0(2)17 allows remote attackers to cause a denial of service (device reload) via a port scan against TCP port 443 on the device.

7.8
2008-06-04 CVE-2008-2056 Cisco Improper Input Validation vulnerability in Cisco products

Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 8.0.x before 8.0(3)9 and 8.1.x before 8.1(1)1 allows remote attackers to cause a denial of service (device reload) via a crafted Transport Layer Security (TLS) packet to the device interface.

7.8
2008-06-04 CVE-2008-2055 Cisco Improper Input Validation vulnerability in Cisco products

Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 7.1.x before 7.1(2)70, 7.2.x before 7.2(4), and 8.0.x before 8.0(3)10 allows remote attackers to cause a denial of service via a crafted TCP ACK packet to the device interface.

7.8
2008-06-04 CVE-2008-1108 Gnome Buffer Errors vulnerability in Gnome Evolution 2.2.1

Buffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is disabled, allows remote attackers to execute arbitrary code via a long timezone string in an iCalendar attachment.

7.6
2008-06-06 CVE-2008-2574 Flashblog Improper Input Validation vulnerability in Flashblog 0.31

Unrestricted file upload vulnerability in admin/Editor/imgupload.php in FlashBlog 0.31 beta allows remote attackers to execute arbitrary code by uploading a .php file, then accessing it via a direct request to the file in tus_imagenes/.

7.5
2008-06-06 CVE-2008-2572 Theflashblog SQL Injection vulnerability in Theflashblog Flashblog

SQL injection vulnerability in php/leer_comentarios.php in FlashBlog allows remote attackers to execute arbitrary SQL commands via the articulo_id parameter.

7.5
2008-06-06 CVE-2008-2569 Joomla SQL Injection vulnerability in Joomla Easybook Component 1.1

SQL injection vulnerability in the EasyBook (com_easybook) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gbid parameter in a deleteentry action to index.php.

7.5
2008-06-06 CVE-2008-2568 Joomla SQL Injection vulnerability in Joomla COM Simpleshop and Joomla

SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component 3.4 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a browse action to index.php.

7.5
2008-06-06 CVE-2008-2565 PHP Address Book SQL Injection vulnerability in PHP-Address Book PHP-Address Book

Multiple SQL injection vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.php and (2) edit.php.

7.5
2008-06-06 CVE-2008-2564 Joomla SQL Injection vulnerability in Joomla COM Jotloader and Joomla

SQL injection vulnerability in the JotLoader (com_jotloader) component 1.2.1.a and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter to index.php.

7.5
2008-06-06 CVE-2008-2560 Fourtwosevenbb SQL Injection vulnerability in Fourtwosevenbb 427Bb 2.3.1

SQL injection vulnerability in showpost.php in 427BB 2.3.1 allows remote attackers to execute arbitrary SQL commands via the post parameter.

7.5
2008-06-05 CVE-2008-2559 Damian Frizza Numeric Errors vulnerability in Damian Frizza Borland Interbase 2007

Integer overflow in Borland Interbase 2007 SP2 (8.1.0.256) allows remote attackers to execute arbitrary code via a malformed packet to TCP port 3050, which triggers a stack-based buffer overflow.

7.5
2008-06-05 CVE-2008-2556 Hessel Brouwer SQL Injection vulnerability in Hessel Brouwer PHP Visit Counter

SQL injection vulnerability in read.php in PHP Visit Counter 0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the datespan parameter in a read action.

7.5
2008-06-05 CVE-2008-2555 Easyway SQL Injection vulnerability in Easyway CMS

SQL injection vulnerability in index.php in EasyWay CMS allows remote attackers to execute arbitrary SQL commands via the mid parameter.

7.5
2008-06-05 CVE-2008-2554 BP Blog SQL Injection vulnerability in BP Blog BP Blog 6.0

Multiple SQL injection vulnerabilities in BP Blog 6.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to template_permalink.asp and (2) cat parameter to template_archives_cat.asp.

7.5
2008-06-05 CVE-2008-2231 Slashcode COM SQL Injection vulnerability in Slashcode.Com Slash

SQL injection vulnerability in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) R_2_5_0_94 and earlier allows remote attackers to execute SQL commands and read table information via the id parameter.

7.5
2008-06-04 CVE-2008-2406 SUN Improper Authentication vulnerability in SUN Java ASP Server 4.0

The administration application server in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to bypass authentication via direct requests on TCP port 5102.

7.5
2008-06-04 CVE-2008-2405 SUN Improper Input Validation vulnerability in SUN Java Active Server Pages 4.0.0/4.0.1

Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in HTTP requests to unspecified ASP applications.

7.5
2008-06-04 CVE-2008-2401 SUN Improper Input Validation vulnerability in SUN Java Active Server 4.0.2

The Admin Server in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to append to arbitrary new or existing files via the first argument to a certain file that is included by multiple unspecified ASP applications.

7.5
2008-06-04 CVE-2007-5607 HP Code Injection vulnerability in HP Instant Support 1.0.0.22

Buffer overflow in the RegistryString function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to execute arbitrary code via a long first argument, a different vulnerability than CVE-2007-5604, CVE-2007-5605, and CVE-2007-5606.

7.5
2008-06-04 CVE-2007-5604 HP Code Injection vulnerability in HP Instant Support 1.0.0.22

Buffer overflow in the ExtractCab function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to execute arbitrary code via a long first argument, a different vulnerability than CVE-2007-5605, CVE-2007-5606, and CVE-2007-5607.

7.5
2008-06-03 CVE-2008-2537 Hispah SQL Injection vulnerability in Hispah Model Search

SQL injection vulnerability in cat.php in HispaH Model Search allows remote attackers to execute arbitrary SQL commands via the cat parameter.

7.5
2008-06-03 CVE-2008-2536 Yabsoft SQL Injection vulnerability in Yabsoft Advanced Image Hosting Script

SQL injection vulnerability in out.php in YABSoft Advanced Image Hosting (AIH) Script 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the t parameter.

7.5
2008-06-03 CVE-2008-2535 Fkrauthan SQL Injection vulnerability in Fkrauthan Phoenix View CMS 2Prealpha

Multiple SQL injection vulnerabilities in Phoenix View CMS Pre Alpha2 and earlier allow remote attackers to execute arbitrary SQL commands via the del parameter to (1) gbuch.admin.php, (2) links.admin.php, (3) menue.admin.php, (4) news.admin.php, and (5) todo.admin.php in admin/module/.

7.5
2008-06-03 CVE-2008-2534 Fkrauthan Path Traversal vulnerability in Fkrauthan Phoenix View CMS 2Prealpha

Directory traversal vulnerability in admin/admin_frame.php in Phoenix View CMS Pre Alpha2 and earlier allows remote attackers to include and execute arbitrary local files via a ..

7.5
2008-06-03 CVE-2008-2532 AJ Square SQL Injection vulnerability in AJ Square AJ Hyip

SQL injection vulnerability in forum/topic_detail.php in AJ Square aj-hyip (aka AJ HYIP Acme) allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2008-06-03 CVE-2008-2530 Quickupcms SQL Injection vulnerability in Quickupcms

Multiple SQL injection vulnerabilities in Concepts & Solutions QuickUpCMS allow remote attackers to execute arbitrary SQL commands via the (1) nr parameter to (a) frontend/news.php, the (2) id parameter to (b) events3.php and (c) videos2.php in frontend/, the (3) y parameter to (d) frontend/events2.php, and the (4) ser parameter to (e) frontend/fotos2.php.

7.5
2008-06-03 CVE-2008-2529 Advanced Links Management SQL Injection vulnerability in Advanced Links Management Advanced Links Management 1.5.2

SQL injection vulnerability in read.php in Advanced Links Management (ALM) 1.5.2 allows remote attackers to execute arbitrary SQL commands via the catId parameter.

7.5
2008-06-03 CVE-2008-2523 Raknet SQL Injection vulnerability in Raknet Autopatcher Server

SQL injection vulnerability in the Autopatcher server plugin in RakNet before 3.23 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2008-06-03 CVE-2008-2520 Bigace Code Injection vulnerability in Bigace 2.4

Multiple PHP remote file inclusion vulnerabilities in BigACE 2.4, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[_BIGACE][DIR][addon] parameter to (a) addon/smarty/plugins/function.captcha.php and (b) system/classes/sql/AdoDBConnection.php; and the (2) GLOBALS[_BIGACE][DIR][admin] parameter to (c) item_information.php and (d) jstree.php in system/application/util/, and (e) system/admin/plugins/menu/menuTree/plugin.php, different vectors than CVE-2006-4423.

7.5
2008-06-05 CVE-2008-2100 Vmware Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in VMWare products

Multiple buffer overflows in VIX API 1.1.x before 1.1.4 build 93057 on VMware Workstation 5.x and 6.x, VMware Player 1.x and 2.x, VMware ACE 2.x, VMware Server 1.x, VMware Fusion 1.x, VMware ESXi 3.5, and VMware ESX 3.0.1 through 3.5 allow guest OS users to execute arbitrary code on the host OS via unspecified vectors.

7.2
2008-06-05 CVE-2008-1518 Kaspersky LAB Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Kaspersky LAB Kaspersky Anti-Virus and Kaspersky Internet Security

Stack-based buffer overflow in kl1.sys in Kaspersky Anti-Virus 6.0 and 7.0 and Internet Security 6.0 and 7.0 allows local users to gain privileges via an IOCTL 0x800520e8 call.

7.2
2008-06-03 CVE-2008-2539 SUN Permissions, Privileges, and Access Controls vulnerability in SUN Cluster 3.1

The Sun Cluster Global File System in Sun Cluster 3.1 on Sun Solaris 8 through 10, when an underlying ufs filesystem is used, might allow local users to read data from arbitrary deleted files, or corrupt files in global filesystems, via unspecified vectors.

7.2
2008-06-02 CVE-2008-2515 IBM Permissions, Privileges, and Access Controls vulnerability in IBM AIX 5.2/5.3/6.1

Unspecified vulnerability in iostat in IBM AIX 5.2, 5.3, and 6.1 allows local users to gain privileges via unknown vectors related to an "environment variable handling error."

7.2
2008-06-02 CVE-2008-2513 IBM Buffer Errors vulnerability in IBM AIX 5.2/5.3/6.1

Buffer overflow in the kernel in IBM AIX 5.2, 5.3, and 6.1 allows local users to execute arbitrary code in kernel mode via unknown attack vectors.

7.2
2008-06-02 CVE-2008-2359 Fedora 8, Redhat Configuration vulnerability in multiple products

The default configuration of consolehelper in system-config-network before 1.5.10-1 on Fedora 8 lacks the USER=root directive, which allows local users of the workstation console to gain privileges and change the network configuration.

7.2
2008-06-02 CVE-2008-1573 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

The BMP and GIF image decoding engine in ImageIO in Apple Mac OS X before 10.5.3 allows remote attackers to obtain sensitive information (memory contents) via a crafted (1) BMP or (2) GIF image, which causes an out-of-bounds read.

7.1

48 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-06-05 CVE-2008-0967 Vmware Local Privilege Escalation vulnerability in VMware vmware-authd Daemon

Untrusted search path vulnerability in vmware-authd in VMware Workstation 5.x before 5.5.7 build 91707 and 6.x before 6.0.4 build 93057, VMware Player 1.x before 1.0.7 build 91707 and 2.x before 2.0.4 build 93057, and VMware Server before 1.0.6 build 91891 on Linux, and VMware ESXi 3.5 and VMware ESX 2.5.4 through 3.5, allows local users to gain privileges via a library path option in a configuration file.

6.9
2008-06-03 CVE-2008-2538 SUN Race Condition vulnerability in SUN Solaris 10/8/9

Unspecified vulnerability in crontab on Sun Solaris 8 through 10, and OpenSolaris before snv_93, allows local users to insert cron jobs into the crontab files of arbitrary users via unspecified vectors.

6.9
2008-06-02 CVE-2008-2099 Microsoft, Vmware Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in VMWare products

Unspecified vulnerability in VMCI in VMware Workstation 6 before 6.0.4 build 93057, VMware Player 2 before 2.0.4 build 93057, and VMware ACE 2 before 2.0.2 build 93057 on Windows allows guest OS users to execute arbitrary code on the host OS via unspecified vectors.

6.9
2008-06-02 CVE-2008-2098 Vmware Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in VMWare products

Heap-based buffer overflow in the VMware Host Guest File System (HGFS) in VMware Workstation 6 before 6.0.4 build 93057, VMware Player 2 before 2.0.4 build 93057, VMware ACE 2 before 2.0.2 build 93057, and VMware Fusion before 1.1.2 build 87978, when folder sharing is used, allows guest OS users to execute arbitrary code on the host OS via unspecified vectors.

6.9
2008-06-06 CVE-2008-2575 Jcoppens Code Injection vulnerability in Jcoppens Cbrpager

cbrPager before 0.9.17 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a (1) ZIP (aka .cbz) or (2) RAR (aka .cbr) archive filename.

6.8
2008-06-05 CVE-2008-2542 Nasa Ames Research Center Buffer Errors vulnerability in Nasa Ames Research Center Bigview 1.8

Stack-based buffer overflow in the getline function in Ppm/ppm.C in NASA Ames Research Center BigView 1.8 allows user-assisted remote attackers to execute arbitrary code via a crafted PNM file.

6.8
2008-06-03 CVE-2008-2522 Haudenschilt SQL Injection vulnerability in Haudenschilt Battlenet Clan Script 1.5.1/1.5.2

SQL injection vulnerability in members.php in Battle.net Clan Script for PHP 1.5.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the showmember parameter in a members action.

6.8
2008-06-03 CVE-2008-0169 Ikiwiki Permissions, Privileges, and Access Controls vulnerability in Ikiwiki

Plugin/passwordauth.pm (aka the passwordauth plugin) in ikiwiki 1.34 through 2.47 allows remote attackers to bypass authentication, and login to any account for which an OpenID identity is configured and a password is not configured, by specifying an empty password during the login sequence.

6.8
2008-06-03 CVE-2008-2519 Core FTP Path Traversal vulnerability in Core FTP Core FTP 2.1

Directory traversal vulnerability in Core FTP client 2.1 Build 1565 allows remote FTP servers to create or overwrite arbitrary files via ..

6.8
2008-06-02 CVE-2008-1576 Apple Resource Management Errors vulnerability in Apple mac OS X

Mail in Apple Mac OS X before 10.5, when an IPv6 SMTP server is used, does not properly initialize memory, which might allow remote attackers to execute arbitrary code or cause a denial of service (application crash), or obtain sensitive information (memory contents) in opportunistic circumstances, by sending an e-mail message.

6.8
2008-06-02 CVE-2008-1032 Apple Multiple Security vulnerability in RETIRED: Apple Mac OS X 2008-003

Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X before 10.5.3 allows user-assisted remote attackers to execute arbitrary code via an (1) Automator, (2) Help, (3) Safari, or (4) Terminal content type for a downloadable object, which does not trigger a "potentially unsafe" warning message in (a) the Download Validation feature in Mac OS X 10.4 or (b) the Quarantine feature in Mac OS X 10.5.

6.8
2008-06-06 CVE-2008-2562 Powerphlogger SQL Injection vulnerability in Powerphlogger 2.0.9/2.2.1/2.2.2A

SQL injection vulnerability in edCss.php in PowerPhlogger 2.2.5 and earlier allows remote authenticated users to execute arbitrary SQL commands via the css_str parameter in an edit action.

6.5
2008-06-03 CVE-2008-2521 Yabsoft SQL Injection vulnerability in Yabsoft Mega File Hosting Script 1.2

SQL injection vulnerability in members.php in YABSoft Mega File Hosting Script (aka MFH or MFHS) 1.2 allows remote authenticated users to execute arbitrary SQL commands via the fid parameter.

6.5
2008-06-04 CVE-2008-2057 Cisco Unspecified vulnerability in Cisco products

The Instant Messenger (IM) inspection engine in Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 7.2.x before 7.2(4), 8.0.x before 8.0(3)10, and 8.1.x before 8.1(1)2 allows remote attackers to cause a denial of service via a crafted packet.

5.4
2008-06-05 CVE-2008-2558 CRE Loaded Cryptographic Issues vulnerability in CRE Loaded CRE Loaded

CRE Loaded 6.2.13.1 and earlier does not set the "Secure" attribute for cookies that are sent over HTTPS, which might allow remote attackers to sniff the cookies if they are sent over HTTP.

5.0
2008-06-05 CVE-2008-2543 Asterisk Resource Management Errors vulnerability in Asterisk Asterisk-Addons

The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and Asterisk-Addons 1.4.x before 1.4.7 creates a remotely accessible TCP port that is intended solely for localhost communication, and interprets some TCP application-data fields as addresses of memory to free, which allows remote attackers to cause a denial of service (daemon crash) via crafted TCP packets.

5.0
2008-06-04 CVE-2008-2550 IBM Remote Security vulnerability in Websphere Application Server

Unspecified vulnerability in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.17 has unknown impact and attack vectors related to an attribute in the SOAP security header.

5.0
2008-06-04 CVE-2008-2402 SUN Permissions, Privileges, and Access Controls vulnerability in SUN Java ASP Server 4.0

The Admin Server in Sun Java Active Server Pages (ASP) Server before 4.0.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read password hashes and configuration data via direct requests for unspecified documents.

5.0
2008-06-03 CVE-2008-2524 Blogphp Improper Authentication vulnerability in Blogphp 2.0

BlogPHP 2.0 allows remote attackers to bypass authentication, and post (1) messages or (2) comments as an arbitrary user, via a modified blogphp_username field in a cookie.

5.0
2008-06-02 CVE-2008-2512 Symantec Path Traversal vulnerability in Symantec Backupexec System Recovery

Directory traversal vulnerability in Symantec Backup Exec System Recovery Manager 7.x before 7.0.4 and 8.x before 8.0.2 allows remote attackers to read arbitrary files via unspecified vectors.

5.0
2008-06-02 CVE-2008-1579 Apple Information Exposure vulnerability in Apple mac OS X and mac OS X Server

Wiki Server in Apple Mac OS X 10.5 before 10.5.3 allows remote attackers to obtain sensitive information (user names) by reading the error message produced upon access to a nonexistent blog.

5.0
2008-06-02 CVE-2008-1571 Apple Path Traversal vulnerability in Apple mac OS X and mac OS X Server

Directory traversal vulnerability in the embedded web server in Image Capture in Apple Mac OS X before 10.5 allows remote attackers to read arbitrary files via directory traversal sequences in the URI.

5.0
2008-06-06 CVE-2008-2389 Opensuse Link Following vulnerability in Opensuse 10.2

opensuse-updater in openSUSE 10.2 allows local users to access arbitrary files via a symlink attack.

4.9
2008-06-05 CVE-2008-2552 SUN Resource Management Errors vulnerability in SUN Service TAG

Unspecified vulnerability in the Service Tag Registry on Sun Solaris 10, and Sun Service Tag before 1.1.3, allows local users to cause a denial of service (disk consumption) via unspecified vectors.

4.9
2008-06-03 CVE-2008-2516 Libpam Pgsql Improper Authentication vulnerability in Libpam-Pgsql 0.6.3

pam_sm_authenticate in pam_pgsql.c in libpam-pgsql 0.6.3 does not properly consider operator precedence when evaluating the success of a pam_get_pass function call, which allows local users to gain privileges via a SIGINT signal when this function is executing, as demonstrated by a CTRL-C sequence at a sudo password prompt in an "auth sufficient pam_pgsql.so" configuration.

4.6
2008-06-02 CVE-2008-2514 IBM Buffer Errors vulnerability in IBM AIX 5.2/5.3/6.1

Buffer overflow in errpt in IBM AIX 5.2, 5.3, and 6.1 allows local users to gain privileges via unknown attack vectors.

4.6
2008-06-02 CVE-2008-1572 Apple Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X and mac OS X Server

Image Capture in Apple Mac OS X before 10.5 does not properly use temporary files, which allows local users to overwrite arbitrary files, and display images that are being resized by this application.

4.6
2008-06-05 CVE-2007-5671 Vmware Improper Input Validation vulnerability in VMWare products

HGFS.sys in the VMware Tools package in VMware Workstation 5.x before 5.5.6 build 80404, VMware Player before 1.0.6 build 80404, VMware ACE before 1.0.5 build 79846, VMware Server before 1.0.5 build 80187, and VMware ESX 2.5.4 through 3.0.2 does not properly validate arguments in user-mode METHOD_NEITHER IOCTLs to the \\.\hgfs device, which allows guest OS users to modify arbitrary memory locations in guest kernel memory and gain privileges.

4.4
2008-06-06 CVE-2008-2571 Limesurvey Cross-Site Scripting vulnerability in Limesurvey

Cross-site request forgery (CSRF) vulnerability in LimeSurvey (formerly PHPSurveyor) before 1.71 allows remote attackers to change arbitrary quotas as administrators via a "modify quota" action.

4.3
2008-06-06 CVE-2008-2567 Fenrir Cross-Site Scripting vulnerability in Fenrir Grani

Cross-site scripting (XSS) vulnerability in Fenriru Sleipnir 2.7.1 Release2 and earlier, Portable Sleipnir 2.7.1 Release2 and earlier, and Grani 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to a history mechanism and favorites search, a different vulnerability than CVE-2007-6002.

4.3
2008-06-06 CVE-2008-2566 PHP Address Book Cross-Site Scripting vulnerability in PHP-Address Book PHP-Address Book

Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the group parameter to (1) index.php or (2) the default URI.

4.3
2008-06-06 CVE-2008-2563 Samtodo Cross-Site Scripting vulnerability in Samtodo 1.1

Multiple cross-site scripting (XSS) vulnerabilities in (1) dsp_main.php and (2) dsp_task_editor.php in SamTodo 1.1 allow remote attackers to inject arbitrary web script or HTML via the (a) tid parameter in a main.taskeditor edit action, and the (b) completed parameter in a main.default action, to index.php.

4.3
2008-06-06 CVE-2008-2561 Fourtwosevenbb Cross-Site Scripting vulnerability in Fourtwosevenbb 427Bb 2.3.1

Multiple cross-site scripting (XSS) vulnerabilities in 427BB 2.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to (a) register.php, (b) reminder.php, and (c) search.php; the (2) uname, (3) email, and (4) email2 parameters to register.php; the (5) email parameter to reminder.php; and the (6) keywords parameter to search.php.

4.3
2008-06-05 CVE-2008-2557 CRE Loaded Cross-Site Scripting vulnerability in CRE Loaded CRE Loaded

Cross-site scripting (XSS) vulnerability in CRE Loaded 6.2.13.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) Links and (2) Links Submit pages.

4.3
2008-06-05 CVE-2008-2553 Slashcode COM Cross-Site Scripting vulnerability in Slashcode.Com Slash

Cross-site scripting (XSS) vulnerability in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) R_2_5_0_94 and earlier allows remote attackers to inject arbitrary web script or HTML via the userfield parameter.

4.3
2008-06-04 CVE-2008-2549 Adobe Remote Denial Of Service vulnerability in Adobe Reader

Adobe Acrobat Reader 8.1.2 and earlier, and before 7.1.1, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a malformed PDF document, as demonstrated by 2008-HI2.pdf.

4.3
2008-06-04 CVE-2008-2119 Asterisk Improper Input Validation vulnerability in Asterisk Business Edition and Open Source

Asterisk Open Source 1.0.x and 1.2.x before 1.2.29 and Business Edition A.x.x and B.x.x before B.2.5.3, when pedantic parsing (aka pedanticsipchecking) is enabled, allows remote attackers to cause a denial of service (daemon crash) via a SIP INVITE message that lacks a From header, related to invocations of the ast_uri_decode function, and improper handling of (1) an empty const string and (2) a NULL pointer.

4.3
2008-06-04 CVE-2008-1947 Apache Cross-Site Scripting vulnerability in Apache Tomcat

Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add.

4.3
2008-06-03 CVE-2008-1035 Apple Code Injection vulnerability in Apple Ical 3.0.1

Use-after-free vulnerability in Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and user-assisted remote attackers, to trigger memory corruption or possibly execute arbitrary code via an "ATTACH;VALUE=URI:S=osumi" line in a .ics file, which triggers a "resource liberation" bug.

4.3
2008-06-03 CVE-2008-2533 Fkrauthan Cross-Site Scripting vulnerability in Fkrauthan Phoenix View CMS 2Prealpha

Multiple cross-site scripting (XSS) vulnerabilities in Phoenix View CMS Pre Alpha2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ltarget parameter to (a) admin/admin_frame.php and the (2) conf parameter to (b) gbuch.admin.php, (c) links.admin.php, (d) menue.admin.php, (e) news.admin.php, and (f) todo.admin.php in admin/module/.

4.3
2008-06-03 CVE-2008-2531 Buildanichestore3 Cross-Site Request Forgery (CSRF) vulnerability in Buildanichestore3 Bans 3.0

Cross-site scripting (XSS) vulnerability in the search script in Build A Niche Store (BANS) 3.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter.

4.3
2008-06-03 CVE-2008-2527 Actualscripts Cross-Site Scripting vulnerability in Actualscripts products

Cross-site scripting (XSS) vulnerability in view.php in ActualScripts ActualAnalyzer Server 8.37 and earlier, ActualAnalyzer Gold 7.74 and earlier, ActualAnalyzer Pro 6.95 and earlier, and ActualAnalyzer Lite 2.78 and earlier allows remote attackers to inject arbitrary web script or HTML via the language parameter.

4.3
2008-06-03 CVE-2008-2526 Typo3 Cross-Site Scripting vulnerability in Typo3 WT Gallery 2.50

Cross-site scripting (XSS) vulnerability in the WT Gallery (aka wt_gallery) extension 2.6.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2008-06-03 CVE-2008-2525 Typo3 Cross-Site Scripting vulnerability in Typo3 Rlmp Eventdb

Cross-site scripting (XSS) vulnerability in the Event Database (aka rlmp_eventdb) extension before 1.1.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2008-06-03 CVE-2008-2518 SUN Cross-Site Scripting vulnerability in SUN Java System web Server 6.1/7.0

Cross-site scripting (XSS) vulnerability in the advanced search mechanism (webapps/search/advanced.jsp) in Sun Java System Web Server 6.1 before SP9 and 7.0 before Update 3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably related to the next parameter.

4.3
2008-06-02 CVE-2008-1580 Apple Information Exposure vulnerability in Apple Safari

CFNetwork in Safari in Apple Mac OS X before 10.5.3 automatically sends an SSL client certificate in response to a web server's certificate request, which allows remote web sites to obtain sensitive information (Subject data) from personally identifiable certificates, and use arbitrary certificates to track user activities across domains, a related issue to CVE-2007-4879.

4.3
2008-06-02 CVE-2008-1036 Apple, Redhat Cross-Site Scripting vulnerability in multiple products

The International Components for Unicode (ICU) library in Apple Mac OS X before 10.5.3, Red Hat Enterprise Linux 5, and other operating systems omits some invalid character sequences during conversion of some character encodings, which might allow remote attackers to conduct cross-site scripting (XSS) attacks.

4.3
2008-06-02 CVE-2008-1027 Apple Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X and mac OS X Server

Apple Filing Protocol (AFP) Server in Apple Mac OS X before 10.5.3 does not verify that requested files and directories are inside shared folders, which allows remote attackers to read arbitrary files via unspecified AFP traffic.

4.3

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2008-06-03 CVE-2008-2517 Sarab Information Exposure vulnerability in Sarab 0.2.2

The sarab.sh script in SaraB before 0.2.4 places the dar program's encryption key on the command line, which allows local users to obtain sensitive information by listing the process.

2.1
2008-06-02 CVE-2008-1578 Apple Information Exposure vulnerability in Apple mac OS X and mac OS X Server

The sso_util program in Single Sign-On in Apple Mac OS X before 10.5.3 places passwords on the command line, which allows local users to obtain sensitive information by listing the process.

2.1
2008-06-02 CVE-2008-1033 Apple Permissions, Privileges, and Access Controls vulnerability in Apple Cups

The scheduler in CUPS in Apple Mac OS X 10.5 before 10.5.3, when debug logging is enabled and a printer requires a password, allows attackers to obtain sensitive information (credentials) by reading the log data, related to "authentication environment variables."

2.1