Weekly Vulnerabilities Reports > July 7 to 13, 2008

Unspecified vulnerability in the JAX-WS client and service in Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote attackers to access URLs or cause a denial of service via unknown vectors involving "processing of XML data" by a trusted application.

The SNMP daemon in the F5 FirePass 1200 6.0.2 hotfix 3 allows remote attackers to cause a denial of service (daemon crash) by walking the hrSWInstalled OID branch in HOST-RESOURCES-MIB.

Soldner Secret Wars 33724 and earlier allows remote attackers to cause a denial of service (CPU consumption) via a packet with a large numeric value in a 0x80 data block.

The do_change_type function in fs/namespace.c in the Linux kernel before 2.6.22 does not verify that the caller has the CAP_SYS_ADMIN capability, which allows local users to gain privileges or cause a denial of service by modifying the properties of a mountpoint.

Opera before 9.51 does not properly manage memory within functions supporting the CANVAS element, which allows remote attackers to read uninitialized memory contents by using JavaScript to read a canvas image.

The Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/.

SQL injection vulnerability in index.php in WebBlizzard CMS allows remote attackers to execute arbitrary SQL commands via the page parameter.

SQL injection vulnerability in Triton CMS Pro allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For HTTP header.

SQL injection vulnerability in directory.php in SmartPPC and SmartPPC Pro allows remote attackers to execute arbitrary SQL commands via the idDirectory parameter.

SQL injection vulnerability in the 4ndvddb 0.91 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in a show_dvd action.

SQL injection vulnerability in catalogue.php in AShop Deluxe 4.x allows remote attackers to execute arbitrary SQL commands via the cat parameter.

SQL injection vulnerability in the beamospetition (com_beamospetition) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the pet parameter to index.php.

Multiple SQL injection vulnerabilities in index.php in Catviz 0.4 beta 1 allow remote attackers to execute arbitrary SQL commands via the (1) foreign_key_value parameter in the news page and (2) webpage parameter in the webpage_multi_edit form.

SQL injection vulnerability in index.php in Mole Group Lastminute Script 4.0 allows remote attackers to execute arbitrary SQL commands via the cid parameter.

SQL injection vulnerability in index.php in Mole Group Hotel Script 1.0 allows remote attackers to execute arbitrary SQL commands via the file parameter.

SQL injection vulnerability in index.php in Mole Group Real Estate Script 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the listing_id parameter in a listings action.

SQL injection vulnerability in index.php in DreamPics Builder allows remote attackers to execute arbitrary SQL commands via the page parameter.

SQL injection vulnerability in play.php in PHPmotion 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the vid parameter.

Secure Static Versioning in Sun Java JDK and JRE 6 Update 6 and earlier, and 5.0 Update 6 through 15, does not properly prevent execution of applets on older JRE releases, which might allow remote attackers to exploit vulnerabilities in these older releases.

Unspecified vulnerability in scripting language support in Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.

Multiple SQL injection vulnerabilities in index.php in BlognPlus (BURO GUN +) 2.5.5 MySQL and PostgreSQL editions allow remote attackers to execute arbitrary SQL commands via the (1) p, (2) e, (3) d, and (4) m parameters, a different vulnerability than CVE-2008-2819.

SQL injection vulnerability in user.html in Xpoze Pro 3.06 (aka Xpoze Pro CMS 2008) allows remote attackers to execute arbitrary SQL commands via the uid parameter.

SQL injection vulnerability in Brightcode Weblinks (com_brightweblinks) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter.

Unspecified vulnerability in Simple Machines Forum (SMF) 1.1.x before 1.1.5 and 1.0.x before 1.0.13 has unknown impact and attack vectors, probably cross-site scripting (XSS), related to "use of the html-tag."

Simple Machines Forum (SMF) 1.1.x before 1.1.5 and 1.0.x before 1.0.13, when running in PHP before 4.2.0, does not properly seed the random number generator, which has unknown impact and attack vectors.

Directory traversal vulnerability in inc/class_language.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $language variable.

Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user['language'] variable, probably related to SQL injection.

Microsoft Crypto API 5.131.2600.2180 through 6.0, as used in Outlook, Windows Live Mail, and Office 2007, performs Certificate Revocation List (CRL) checks by using an arbitrary URL from a certificate embedded in a (1) S/MIME e-mail message or (2) signed document, which allows remote attackers to obtain reading times and IP addresses of recipients, and port-scan results, via a crafted certificate with an Authority Information Access (AIA) extension.

The Page destructor in Page.cc in libpoppler in Poppler 0.8.4 and earlier deletes a pageWidgets object even if it is not initialized by a Page constructor, which allows remote attackers to execute arbitrary code via a crafted PDF document.

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 on Mac OS X allow remote attackers to bypass the Same Origin Policy and create arbitrary socket connections via a crafted Java applet, related to the Java Embedding Plugin (JEP) and Java LiveConnect.

Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to execute arbitrary code via an XUL document that includes a script from a chrome: URI that points to a fastload file, related to this file's "privilege level."

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via (1) injection of JavaScript into documents within a JAR archive or (2) a JAR archive that uses relative URLs to JavaScript files.

Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a regular expression that begins with an option and contains multiple branches.

SQL injection vulnerability in the Codeon Petition (cd_petition) extension 0.0.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in the Support view (ext_tbl) extension 0.0.102 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in the Branchenbuch (aka Yellow Pages o (mh_branchenbuch) extension 0.8.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in the SQL Frontend (mh_omsqlio) extension 1.0.11 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Unspecified vulnerability in the SQL Frontend (mh_omsqlio) extension 1.0.11 and earlier for TYPO3 allows remote attackers to cause a denial of service via unknown vectors.

SQL injection vulnerability in the Pinboard extension 0.0.6 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Unspecified vulnerability in the PDF Generator 2 (pdf_generator2) extension 0.5.0 and earlier for TYPO3 has unknown impact and attack vectors related to "Unprotected test functionality."

Incomplete blacklist vulnerability in the KB Unpack (kb_unpack) extension 0.1.0 and earlier for TYPO3 has unknown impact and attack vectors.

Incomplete blacklist vulnerability in the Packman (kb_packman) extension 0.2.1 and earlier for TYPO3 has unknown impact and attack vectors.

Unspecified vulnerability in the Industry Database (aka Branchendatenbank pro_industrydb) extension 1.0.0 and earlier for TYPO3 has unknown impact and attack vectors related to "Insufficient Verification of Data Authenticity."

SQL injection vulnerability in the News Calendar (newscalendar) extension 1.0.7 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Unspecified vulnerability in the WEC Discussion Forum (wec_discussion) extension 1.6.2 and earlier for TYPO3 allows attackers to execute arbitrary code via vectors related to "certain file types."

Unspecified vulnerability in the DAM Frontend (dam_frontend) extension 0.1.0 and earlier for TYPO3 has unknown impact and attack vectors related to "broken access control."

SQL injection vulnerability in the DAM Frontend (dam_frontend) extension 0.1.0 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in the Address Directory (sp_directory) extension 0.2.10 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Directory traversal vulnerability in index.php in CMS little 0.0.1 allows remote attackers to include and execute arbitrary local files, and probably remote files, via a ..

Multiple SQL injection vulnerabilities in RSS-aggregator 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) IdFlux parameter to admin/fonctions/supprimer_flux.php and the (2) IdTag parameter to admin/fonctions/supprimer_tag.php.

Directory traversal vulnerability in index.php in Simple PHP Agenda 2.2.4 and earlier allows remote attackers to include and execute arbitrary local files via a ..

SQL injection vulnerability in default.asp in EfesTECH Shop 2.0 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in an urunler action.

SQL injection vulnerability in get_article.php in VanGogh Web CMS 0.9 allows remote attackers to execute arbitrary SQL commands via the article_ID parameter to index.php.

SQL injection vulnerability in index.php in OneClick CMS (aka Sisplet CMS) 2008-01-24 allows remote attackers to execute arbitrary SQL commands via the id parameter.

SQL injection vulnerability in ad.php in plx Ad Trader 3.2 allows remote attackers to execute arbitrary SQL commands via the adid parameter in a redir action.

Multiple PHP remote file inclusion vulnerabilities in sablonlar/gunaysoft/gunaysoft.php in PHPortal 1.2 Beta allow remote attackers to execute arbitrary PHP code via a URL in (1) icerikyolu, (2) sayfaid, and (3) uzanti parameters.

Unspecified vulnerability in NWFS.SYS in Novell Client for Windows 4.91 SP4 has unknown impact and attack vectors, possibly related to IOCTL requests that overwrite arbitrary memory.

Stack-based buffer overflow in (1) OllyDBG 1.10 and (2) ImpREC 1.7f allows user-assisted attackers to execute arbitrary code via a crafted DLL file that contains a long string.

SQL injection vulnerability in admin/index.php in BareNuked CMS 1.1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the password parameter.

SQL injection vulnerability in chatbox.php in pSys 0.7.0 Alpha, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the showid parameter.

PHP remote file inclusion vulnerability in hioxBannerRotate.php in HIOX Banner Rotator (HBR) 1.3, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the hm parameter.

Multiple unspecified vulnerabilities in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allow remote attackers to violate the security model for an applet's outbound connections by connecting to localhost services running on the machine that loaded the applet.

SQL injection vulnerability in class/page.php in Farsi Script (aka FaScript) FaName 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly identify the context of Windows shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy via a crafted web site for which the user has previously saved a shortcut.

The mozIJSSubScriptLoader.LoadScript function in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 does not apply XPCNativeWrappers to scripts loaded from (1) file: URIs, (2) data: URIs, or (3) certain non-canonical chrome: URIs, which allows remote attackers to execute arbitrary code via vectors involving third-party add-ons.

The Microsoft Office Snapshot Viewer ActiveX control in snapview.ocx 10.0.5529.0, as distributed in the standalone Snapshot Viewer and Microsoft Office Access 2000 through 2003, allows remote attackers to download arbitrary files to a client machine via a crafted HTML document or e-mail message, probably involving use of the SnapshotPath and CompressedPath properties and the PrintSnapshot method.

Multiple stack-based buffer overflows in the ServerView web interface (SnmpGetMibValues.exe) in Fujitsu Siemens Computers ServerView 04.60.07 and earlier allow remote authenticated users to execute arbitrary code via a crafted URL.

Multiple SQL injection vulnerabilities in Xerox CentreWare Web (CWW) before 4.6.46 allow remote authenticated users to execute arbitrary SQL commands via the unspecified vectors.

Unrestricted file upload vulnerability in update_profile.php in PHPmotion 2.0 and earlier allows remote authenticated users to execute arbitrary code by uploading a .php file with a content type of (1) image/gif, (2) image/jpeg, or (3) image/pjpeg, then accessing it via a direct request to the file under pictures/.

The Outline Designer module 5.x before 5.x-1.4 for Drupal changes each content reader's authentication level to match that of the content author, which might allow remote attackers to gain privileges.

Unrestricted file upload vulnerability in ImperialBB 2.3.5 and earlier allows remote authenticated users to upload and execute arbitrary PHP code by placing a .php filename in the Upload_Avatar parameter and sending the image/gif content type.

SQL injection vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to execute arbitrary SQL commands via unspecified vectors.

Multiple unspecified "input validation" vulnerabilities in the Web management interface (aka Messaging Administration interface) in Avaya Message Storage Server (MSS) 3.x and 4.0, and possibly Communication Manager 3.1.x, allow remote authenticated administrators to execute arbitrary commands as user vexvm via vectors related to (1) SFTP Remote Store configuration; (2) remote FTP storage settings; (3) name server lookup; (4) pinging another host; (5) TCP/IP Networking parameter configuration; (6) the external hosts configuration main page; (7) adding and changing external hosts; (8) Windows domain parameter configuration; (9) date, time, and NTP server configuration; (10) alarm settings; (11) the command line history form; (12) the maintenance form; and (13) the server events form.

SQL injection vulnerability in newThread.php in XchangeBoard 1.70 Final and earlier allows remote authenticated users to execute arbitrary SQL commands via the boardID parameter.

Cross-site request forgery (CSRF) vulnerability in admin.php in myWebland myBloggie 2.1.6 allows remote attackers to perform edit actions as administrators.

Multiple SQL injection vulnerabilities in myWebland myBloggie 2.1.6 allow remote attackers to execute arbitrary SQL commands via (1) the user_id parameter in a viewuser action to index.php, and allow remote authenticated administrators to execute arbitrary SQL commands via (2) the post_id parameter in an edit action to admin.php.

Nortel SIP Multimedia PC Client 4.x MCS5100 and MCS5200 does not limit the number of concurrent sessions, which allows attackers to cause a denial of service (resource consumption) via a large number of sessions.

The syslog dissector in Wireshark (formerly Ethereal) 1.0.0 allows remote attackers to cause a denial of service (application crash) via unknown vectors, possibly related to an "incomplete SS7 MSU syslog encapsulated packet."

The RTMPT dissector in Wireshark (formerly Ethereal) 0.99.8 through 1.0.0 allows remote attackers to cause a denial of service (crash) via unknown vectors.

The (1) PANA and (2) KISMET dissectors in Wireshark (formerly Ethereal) 0.99.3 through 1.0.0 allow remote attackers to cause a denial of service (application stop) via unknown vectors.

Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4 allow remote attackers to cause a denial of service (crash, infinite loop, or memory consumption) via (a) unspecified vectors in the (1) AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA, and (9) TGA decoder readers; and (b) the GetImageCharacteristics function in magick/image.c, as reachable from a crafted (10) PNG, (11) JPEG, (12) BMP, or (13) TIFF file.

Directory traversal vulnerability in search.php in Pivot 1.40.5 allows remote attackers to read arbitrary files via a ..

Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows context-dependent attackers to obtain sensitive information (the cache location) via an untrusted application, aka CR 6704074.

Directory traversal vulnerability in Kasseler CMS 1.3.0 allows remote attackers to read arbitrary files via a ..

myWebland myBloggie 2.1.6 allow remote attackers to obtain sensitive information via (1) an invalid year parameter to calendar.php, reached through index.php; (2) a direct request to common.php; and (3) a mode array parameter in the query string to login.php, which reveal the installation path in various error messages.

The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug."

SQL Server 7.0 SP4, 2000 SP4, 2005 SP1 and SP2, 2000 Desktop Engine (MSDE 2000) SP4, 2005 Express Edition SP1 and SP2, and 2000 Desktop Engine (WMSDE); Microsoft Data Engine (MSDE) 1.0 SP4; and Internal Database (WYukon) SP2 does not initialize memory pages when reallocating memory, which allows database operators to obtain sensitive information (database contents) via unknown vectors related to memory page reuse.

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly handle an invalid .properties file for an add-on, which allows remote attackers to read uninitialized memory, as demonstrated by use of ISO 8859 encoding instead of UTF-8 encoding in a French .properties file.

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to force the upload of arbitrary local files from a client computer via vectors involving originalTarget and DOM Range.

Unspecified vulnerability in the PDF Generator 2 (pdf_generator2) extension 0.5.0 and earlier for TYPO3 allows attackers to cause a denial of service via unspecified vectors.

The PDF Generator 2 (pdf_generator2) extension 0.5.0 and earlier for TYPO3 allows attackers to obtain sensitive information via unspecified vectors.

Unspecified vulnerability in the DAM Frontend (dam_frontend) extension 0.1.0 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors.

Unspecified vulnerability in the RMI dissector in Wireshark (formerly Ethereal) 0.9.5 through 1.0.0 allows remote attackers to read system memory via unspecified vectors.

WeFi 3.2.1.4.1, when diagnostic mode is enabled, stores (1) WEP, (2) WPA, and (3) WPA2 access-point keys in (a) ClientWeFiLog.dat, (b) ClientWeFiLog.bak, and possibly (c) a certain .inf file under %PROGRAMFILES%\WeFi\Users\, and uses cleartext for the ClientWeFiLog files, which allows local users to obtain sensitive information by reading these files.

The GSM SMS dissector in Wireshark (formerly Ethereal) 0.99.2 through 1.0.0 allows remote attackers to cause a denial of service (application crash) via unknown vectors.

Multiple cross-site scripting (XSS) vulnerabilities in index.php in OpenCart 0.7.7 allow remote attackers to inject arbitrary web script or HTML via the (1) firstname and (2) search parameters.

Multiple cross-site scripting (XSS) vulnerabilities in Xerox CentreWare Web (CWW) before 4.6.46 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Unspecified vulnerability in scripting language support in Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote attackers to obtain sensitive information by using an applet to read information from another applet.

Unspecified vulnerability in Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier and JDK and JRE 5.0 Update 15 and earlier allows remote attackers to access URLs via unknown vectors involving processing of XML data by an untrusted (1) application or (2) applet, a different vulnerability than CVE-2008-3105.

The Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1, a module for Drupal, allows remote attackers to obtain sensitive information (private group names) via unspecified vectors.

Cross-site scripting (XSS) vulnerability in the Files module in Kasseler CMS 1.3.0 and 1.3.1 Lite allows remote attackers to inject arbitrary web script or HTML via the cid parameter in a Category action to index.php.

Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 and 7 allows remote attackers to inject arbitrary web script or HTML via vectors related to the Help Errors log.

Cross-site scripting (XSS) vulnerability in UPM/English/login/login.asp in Commtouch Enterprise Anti-Spam Gateway 4 and 5 allows remote attackers to inject arbitrary web script or HTML via the PARAMS parameter.

Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) 2.1.10 and 2.1.11 on Linux and Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Multiple cross-site scripting (XSS) vulnerabilities in Farsi Script (aka FaScript) FaName 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) key or (2) desc parameter to index.php, or (3) the name parameter to page.php.

class/page.php in Farsi Script (aka FaScript) FaName 1.0 allows remote attackers to obtain sensitive information via a '; (quote semicolon) sequence in the id parameter, which reveals the installation path in an error message.

Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) for Exchange Server 2003 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified HTML, a different vulnerability than CVE-2008-2247.

Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) for Exchange Server 2003 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified e-mail fields, a different vulnerability than CVE-2008-2248.

Multiple cross-site scripting (XSS) vulnerabilities in MyBB before 1.2.13 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) portal.php and (2) inc/functions_post.php.

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly escape HTML in file:// URLs in directory listings, which allows remote attackers to conduct cross-site scripting (XSS) attacks or have unspecified other impact via a crafted filename.

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors involving (1) an event handler attached to an outer window, (2) a SCRIPT element in an unloaded document, or (3) the onreadystatechange handler in conjunction with an XMLHttpRequest.

Cross-site scripting (XSS) vulnerability in the Address Directory (sp_directory) extension 0.2.10 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site scripting (XSS) vulnerability in the phpMyAdmin (phpmyadmin) extension 3.0.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Cross-site scripting (XSS) vulnerability in the WEC Discussion Forum (wec_discussion) extension 1.6.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Multiple cross-site scripting (XSS) vulnerabilities in the Send-A-Card (sr_sendcard) extension 2.2.2 and earlier for TYPO3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also accepted for all domain names in subjectAltName:dNSName fields, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site.

Cross-site scripting (XSS) vulnerability in the Tinytax module (aka Tinytax taxonomy block) 5.x before 5.x-1.10-1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML, probably by creating a crafted taxonomy term.

Cross-site scripting (XSS) vulnerability in the Organic Groups (OG) module 5.x before 5.x-7.3 and 6.x before 6.x-1.0-RC1, a module for Drupal, allows remote authenticated users, with group owner permissions, to inject arbitrary web script or HTML via unspecified vectors.

Cross-site scripting (XSS) vulnerability in the Taxonomy Autotagger module 5.x before 5.x-1.8 for Drupal allows remote authenticated users, with create or edit post permissions, to inject arbitrary web script or HTML via unspecified vectors.

sudo in SUSE openSUSE 10.3 does not clear the stdin buffer when password entry times out, which might allow local users to obtain a password by reading stdin from the parent process after a sudo child process exits.