Weekly Vulnerabilities Reports > July 14 to 20, 2008
Overview
128 new vulnerabilities were reported during this period, including 17 critical vulnerabilities and 24 high severity vulnerabilities. This weekly summary reports vulnerabilities in 111 products from 61 vendors, including Oracle, Apple, Drupal, Fedoraproject, and Joomla. Vulnerabilities are notably categorized as "Improper Input Validation", "SQL Injection", "Cross-site Scripting", "Path Traversal", and "Permissions, Privileges, and Access Controls".
- 121 reported vulnerabilities are remotely exploitable.
- 31 reported vulnerabilities have a public exploit available.
- 32 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 95 reported vulnerabilities are exploitable by an anonymous user.
- Oracle has the most reported vulnerabilities, with 44 reported vulnerabilities.
- Apple has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:
17 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-07-18 | CVE-2008-3225 | Joomla | Permissions, Privileges, and Access Controls vulnerability in Joomla Joomla! before 1.5.4 allows attackers to access administration functionality, which has unknown impact and attack vectors related to a missing "LDAP security fix." | 10.0 |
2008-07-18 | CVE-2008-3224 | Phpbb | Remote Security vulnerability in PHPbb 3.0/3.0.0/3.0.1 Unspecified vulnerability in phpBB before 3.0.1 has unknown impact and attack vectors related to "urls gone through redirect() being used within login_box()." | 10.0 |
2008-07-17 | CVE-2008-1666 | HP | Remote Security vulnerability in Oracle for OpenView Unspecified vulnerability in HP Oracle for OpenView (OfO) 8.1.7, 9.1.01, 9.2, 9.2.0, 10g, and 10gR2 has unknown impact and attack vectors, possibly related to the July 2008 Oracle Critical Patch Update. | 10.0 |
2008-07-14 | CVE-2008-3169 | Empire Server | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Empire Server Empire Server Multiple heap-based buffer overflows in Empire Server before 4.3.15 allow remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to a "coordinate normalization bug." NOTE: some of these details are obtained from third party information. | 10.0 |
2008-07-14 | CVE-2008-3160 | IBM | Multiple Unspecified vulnerability in IBM Data ONTAP Multiple unspecified vulnerabilities in IBM Data ONTAP 7.1 before 7.1.3, as used by IBM System Storage N series Filer and IBM System Storage N series Gateway, have unknown impact and attack vectors. | 10.0 |
2008-07-14 | CVE-2008-3159 | Novell | Numeric Errors vulnerability in Novell Edirectory 8.7.3/8.8 Integer overflow in ds.dlm, as used by dhost.exe, in Novell eDirectory 8.7.3.10 before 8.7.3 SP10b and 8.8 before 8.8.2 ftf2 allows remote attackers to execute arbitrary code via unspecified vectors that trigger a stack-based buffer overflow, related to "flawed arithmetic." | 10.0 |
2008-07-14 | CVE-2008-2303 | Apple | Numeric Errors vulnerability in Apple Safari Integer signedness error in Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving JavaScript array indices that trigger an out-of-bounds access, a different vulnerability than CVE-2008-2307. | 10.0 |
2008-07-14 | CVE-2008-1809 | Novell | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Edirectory 8.7.3/8.8 Heap-based buffer overflow in Novell eDirectory 8.7.3 before 8.7.3.10b, and 8.8 before 8.8.2 FTF2, allows remote attackers to execute arbitrary code via an LDAP search request containing "NULL search parameters." | 10.0 |
2008-07-18 | CVE-2008-3232 | Dotclear | Code Injection vulnerability in Dotclear Unrestricted file upload vulnerability in ecrire/images.php in Dotclear 1.2.7.1 and earlier allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images. | 9.3 |
2008-07-18 | CVE-2008-3209 | Blackice | Buffer Errors vulnerability in Blackice Black ICE Document Imaging SDK 10.95 Heap-based buffer overflow in the OpenGifFile function in BiGif.dll in Black Ice Document Imaging SDK 10.95 allows remote attackers to execute arbitrary code via a long string argument to the GetNumberOfImagesInGifFile method in the BIImgFrm Control ActiveX control in biimgfrm.ocx. | 9.3 |
2008-07-18 | CVE-2008-3207 | Pragyan | Code Injection vulnerability in Pragyan CMS 2.6.2 PHP remote file inclusion vulnerability in cms/modules/form.lib.php in Pragyan CMS 2.6.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the (1) sourceFolder or (2) moduleFolder parameter. | 9.3 |
2008-07-15 | CVE-2008-3182 | Speedbit | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Speedbit Download Accelerator Plus 7.0.1.3/8/8.6.6.3 Stack-based buffer overflow in DAP.exe in Download Accelerator Plus (DAP) 7.0.1.3, 8.6.6.3, and other 8.x versions allows user-assisted remote attackers to execute arbitrary code via an M3U (.m3u) file containing a long MP3 URL. | 9.3 |
2008-07-14 | CVE-2008-3167 | Boonex | Code Injection vulnerability in Boonex Dolphin 6.1.2 Multiple PHP remote file inclusion vulnerabilities in BoonEx Dolphin 6.1.2, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) dir[plugins] parameter to (a) HTMLSax3.php and (b) safehtml.php in plugins/safehtml/ and the (2) sIncPath parameter to (c) ray/modules/global/inc/content.inc.php. | 9.3 |
2008-07-14 | CVE-2008-3166 | Boonex | Code Injection vulnerability in Boonex RAY 3.5 PHP remote file inclusion vulnerability in modules/global/inc/content.inc.php in BoonEx Ray 3.5, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the sIncPath parameter. | 9.3 |
2008-07-14 | CVE-2008-3162 | Ffmpeg | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ffmpeg Stack-based buffer overflow in the str_read_packet function in libavformat/psxstr.c in FFmpeg before r13993 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted STR file that interleaves audio and video sectors. | 9.3 |
2008-07-14 | CVE-2008-2317 | Apple | Resource Management Errors vulnerability in Apple Safari WebCore in Apple Safari does not properly perform garbage collection of JavaScript document elements, which allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption and application crash) via a reference to the ownerNode property of a copied CSSStyleSheet object of a STYLE element, as originally demonstrated on Apple iPhone before 2.0 and iPod touch before 2.0, a different vulnerability than CVE-2008-1590. | 9.3 |
2008-07-17 | CVE-2008-1665 | HP | Remote Unauthorized Access vulnerability in HP Select Identity Bidirectional LDAP Connector Multiple unspecified vulnerabilities in HP Select Identity (HPSI) Active Directory Bidirectional LDAP Connector 2.20, 2.20.001, 2.20.002, and 2.30 allow remote attackers to execute arbitrary code via unspecified vectors. | 9.0 |
24 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-07-18 | CVE-2008-2934 | Apple Canonical | Use of Uninitialized Resource vulnerability in multiple products Mozilla Firefox 3 before 3.0.1 on Mac OS X allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted GIF file that triggers a free of an uninitialized pointer. | 8.8 |
2008-07-18 | CVE-2008-3214 | Thekelleys | Improper Input Validation vulnerability in Thekelleys Dnsmasq 2.25 dnsmasq 2.25 allows remote attackers to cause a denial of service (daemon crash) by (1) renewing a nonexistent lease or (2) sending a DHCPREQUEST for an IP address that is not in the same network, related to the DHCP NAK response from the daemon. | 7.8 |
2008-07-17 | CVE-2008-3199 | Resiprocate | Improper Input Validation vulnerability in Resiprocate Multiple unspecified vulnerabilities in ReSIProcate before 1.3.4 allow remote attackers to cause a denial of service (stack consumption) via unknown network traffic with a large "bytes-in-memory/bytes-on-wire ratio." | 7.8 |
2008-07-16 | CVE-2008-3196 | Yacc | Resource Management Errors vulnerability in Yacc skeleton.c in yacc does not properly handle reduction of a rule with an empty right hand side, which allows context-dependent attackers to cause an out-of-bounds stack access when the yacc stack pointer points to the end of the stack. | 7.8 |
2008-07-14 | CVE-2008-3164 | Fuzzylime | Path Traversal vulnerability in Fuzzylime CMS 3.01 Directory traversal vulnerability in blog.php in fuzzylime (cms) 3.01, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. | 7.6 |
2008-07-18 | CVE-2008-3228 | Joomla | Configuration vulnerability in Joomla Joomla! before 1.5.4 does not configure .htaccess to apply certain security checks that "block common exploits" to SEF URLs, which has unknown impact and remote attack vectors. | 7.5 |
2008-07-18 | CVE-2008-3227 | Joomla | Link Following vulnerability in Joomla Unspecified vulnerability in Joomla! before 1.5.4 has unknown impact and attack vectors related to a "User Redirect Spam fix," possibly an open redirect vulnerability. | 7.5 |
2008-07-18 | CVE-2008-3223 | Drupal Fedoraproject | SQL Injection vulnerability in multiple products SQL injection vulnerability in the Schema API in Drupal 6.x before 6.3 allows remote attackers to execute arbitrary SQL commands via vectors related to "an inappropriate placeholder for 'numeric' fields." | 7.5 |
2008-07-18 | CVE-2008-3213 | Webcms | SQL Injection vulnerability in Webcms Portal Edition SQL injection vulnerability in secciones/tablon/tablon.php in WebCMS Portal Edition allows remote attackers to execute arbitrary SQL commands via the id parameter to portal/index.php in a tablon action. | 7.5 |
2008-07-18 | CVE-2008-3212 | Scripteen | SQL Injection vulnerability in Scripteen Free Image Hosting Script 1.2.1 Multiple SQL injection vulnerabilities in Scripteen Free Image Hosting Script 1.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to admin/login.php, or the (3) uname or (4) pass parameter to login.php. | 7.5 |
2008-07-18 | CVE-2008-3211 | Scripteen | Improper Authentication vulnerability in Scripteen Free Image Hosting Script 1.2/1.2.1 Scripteen Free Image Hosting Script 1.2 and 1.2.1 allows remote attackers to bypass authentication and gain administrative access by setting the cookid cookie value to 1. | 7.5 |
2008-07-18 | CVE-2008-3206 | Iamilkay | SQL Injection vulnerability in Iamilkay Yuhhu Pubs Black CAT SQL injection vulnerability in browse.groups.php in Yuhhu Pubs Black Cat allows remote attackers to execute arbitrary SQL commands via the category parameter. | 7.5 |
2008-07-17 | CVE-2008-3204 | E Topbiz | SQL Injection vulnerability in E-Topbiz Million Pixels 3 SQL injection vulnerability in tops_top.php in E-topbiz Million Pixels 3 allows remote attackers to execute arbitrary SQL commands via the id_cat parameter. | 7.5 |
2008-07-17 | CVE-2008-3203 | Auracms | Improper Authentication vulnerability in Auracms 2.2/2.2.1/2.2.2 js/pages/pages_data.php in AuraCMS 2.2 through 2.2.2 does not perform authentication, which allows remote attackers to add, edit, and delete web content via a modified id parameter. | 7.5 |
2008-07-17 | CVE-2008-3200 | Easy Script | SQL Injection vulnerability in Easy-Script Avlc Forum SQL injection vulnerability in vlc_forum.php in Avlc Forum as of 20080715 allows remote attackers to execute arbitrary SQL commands via the id parameter in an affich_message action. | 7.5 |
2008-07-17 | CVE-2008-3198 | Mozilla | Code Injection vulnerability in Mozilla Firefox 3.0 Mozilla Firefox 3.x before 3.0.1 allows remote attackers to inject arbitrary web script into a chrome document via unspecified vectors, as demonstrated by injection into a XUL error page. | 7.5 |
2008-07-16 | CVE-2008-3193 | Sclek | SQL Injection vulnerability in Sclek Jsite 1.0 SQL injection vulnerability in jSite 1.0 OE allows remote attackers to execute arbitrary SQL commands via the page parameter to the default URI. | 7.5 |
2008-07-16 | CVE-2008-3189 | Dreamlevels | SQL Injection vulnerability in Dreamlevels Dreamnews Manager SQL injection vulnerability in dreamnews-rss.php in DreamNews Manager allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2008-07-15 | CVE-2008-2599 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the TimesTen Client/Server component in Oracle Times Ten In-Memory Database 7.0.3.0.0 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2597 and CVE-2008-2598. | 7.5 |
2008-07-15 | CVE-2008-2598 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the TimesTen Client/Server component in Oracle Times Ten In-Memory Database 7.0.3.0.0 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2597 and CVE-2008-2599. | 7.5 |
2008-07-15 | CVE-2008-2597 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the TimesTen Client/Server component in Oracle Times Ten In-Memory Database 7.0.3.0.0 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2598 and CVE-2008-2599. | 7.5 |
2008-07-15 | CVE-2008-3183 | Gapi CMS | Code Injection vulnerability in Gapi CMS Gapicms 9.0.2 PHP remote file inclusion vulnerability in ktmlpro/includes/ktedit/toolbar.php in gapicms 9.0.2 allows remote attackers to execute arbitrary PHP code via a URL in the dirDepth parameter. | 7.5 |
2008-07-15 | CVE-2008-3179 | W2B | Path Traversal vulnerability in W2B PHPdatingclub 3.7 Directory traversal vulnerability in website.php in Web 2 Business (W2B) phpDatingClub (aka Dating Club) 3.7 allows remote attackers to include and execute arbitrary local files via a .. | 7.5 |
2008-07-15 | CVE-2008-3178 | Webxell | Improper Input Validation vulnerability in Webxell Editor 0.1.3 Unrestricted file upload vulnerability in upload_pictures.php in WebXell Editor 0.1.3 allows remote attackers to execute arbitrary code by uploading a .php file with a jpeg content type, then accessing it via a direct request to the file in upload/. | 7.5 |
81 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-07-18 | CVE-2008-3229 | Swapoff | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Swapoff OP Stack-based buffer overflow in op before Changeset 563, when xauth support is enabled, allows local users to gain privileges via a long XAUTHORITY environment variable. | 6.9 |
2008-07-18 | CVE-2008-3217 | Powerdns | Numeric Errors vulnerability in Powerdns Recursor PowerDNS Recursor before 3.1.6 does not always use the strongest random number generator for source port selection, which makes it easier for remote attack vectors to conduct DNS cache poisoning. | 6.8 |
2008-07-16 | CVE-2008-3194 | Pluck | Path Traversal vulnerability in Pluck 4.5.1 Multiple directory traversal vulnerabilities in data/inc/themes/predefined_variables.php in pluck 4.5.1 allow remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2008-07-16 | CVE-2008-3192 | Sclek | Path Traversal vulnerability in Sclek Jsite 1.0 Directory traversal vulnerability in index.php in jSite 1.0 OE allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2008-07-16 | CVE-2008-3191 | Marcioforum | SQL Injection vulnerability in Marcioforum Mforum 0.1A Multiple SQL injection vulnerabilities in usercp.php in mForum 0.1a, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) City, (2) Interest, (3) Email, (4) Icq, (5) msn, or (6) Yahoo Messenger field in an edit_profile action. | 6.8 |
2008-07-16 | CVE-2008-3190 | 1Scripts | Path Traversal vulnerability in 1Scripts Codedb 1.1.1 Directory traversal vulnerability in list.php in 1Scripts CodeDB 1.1.1 allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2008-07-15 | CVE-2008-2579 | Apache Oracle SUN Microsoft | Unspecified vulnerability in the WebLogic Server Plugins for Apache, Sun and IIS web servers component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, and 6.1 SP7 has unknown impact and remote attack vectors. | 6.8 |
2008-07-15 | CVE-2008-3185 | Vclcomponents | SQL Injection vulnerability in Vclcomponents Relative Real Estate Systems SQL injection vulnerability in index.php in Relative Real Estate Systems 3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the listing_id parameter in a listings action. | 6.8 |
2008-07-14 | CVE-2008-3173 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer allows web sites to set cookies for domains that have a public suffix with more than one dot character, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking." NOTE: this issue may exist because of an insufficient fix for CVE-2004-0866. | 6.8 |
2008-07-14 | CVE-2008-3172 | Opera | Permissions, Privileges, and Access Controls vulnerability in Opera Opera allows web sites to set cookies for country-specific top-level domains that have DNS A records, such as co.tv, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking." | 6.8 |
2008-07-14 | CVE-2008-3170 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Safari Apple Safari allows web sites to set cookies for country-specific top-level domains, such as co.uk and com.au, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session, aka "Cross-Site Cooking," a related issue to CVE-2004-0746, CVE-2004-0866, and CVE-2004-0867. | 6.8 |
2008-07-14 | CVE-2008-3165 | Fuzzylime | Path Traversal vulnerability in Fuzzylime CMS Directory traversal vulnerability in rss.php in fuzzylime (cms) 3.01a and earlier, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2008-07-14 | CVE-2008-3163 | Regretless | Path Traversal vulnerability in Regretless Dodos Mail 2.5 Directory traversal vulnerability in dodosmail.php in DodosMail 2.5 allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2008-07-14 | CVE-2008-2304 | Apple | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Core Image FUN House Buffer overflow in Apple Core Image Fun House 2.0 and earlier in CoreImage Examples in Xcode tools before 3.1 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a .funhouse file with a string XML element that contains many characters. | 6.8 |
2008-07-14 | CVE-2008-1590 | Webkit | Resource Management Errors vulnerability in Webkit Javascriptcore JavaScriptCore in WebKit on Apple iPhone before 2.0 and iPod touch before 2.0 does not properly perform runtime garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger memory corruption, a different vulnerability than CVE-2008-2317. | 6.8 |
2008-07-18 | CVE-2008-3234 | Openbsd Debian | Permissions, Privileges, and Access Controls vulnerability in Openbsd Openssh 4.0 sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username. | 6.5 |
2008-07-15 | CVE-2008-2622 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2617, CVE-2008-2618, CVE-2008-2620, and CVE-2008-2621. | 6.5 |
2008-07-15 | CVE-2008-2620 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2617, CVE-2008-2618, CVE-2008-2621, and CVE-2008-2622. | 6.5 |
2008-07-15 | CVE-2008-2618 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2617, CVE-2008-2620, CVE-2008-2621, and CVE-2008-2622. | 6.5 |
2008-07-15 | CVE-2008-2617 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2618, CVE-2008-2620, CVE-2008-2621, and CVE-2008-2622. | 6.5 |
2008-07-15 | CVE-2008-2616 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2617, CVE-2008-2618, CVE-2008-2620, CVE-2008-2621, and CVE-2008-2622. | 6.5 |
2008-07-15 | CVE-2008-2615 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2616, CVE-2008-2617, CVE-2008-2618, CVE-2008-2620, CVE-2008-2621, and CVE-2008-2622. | 6.5 |
2008-07-15 | CVE-2008-2613 | Oracle | Unspecified vulnerability in Oracle Database Scheduler and Database Server Unspecified vulnerability in the Database Scheduler component in Oracle Database 10.2.0.4 and 11.1.0.6 has unknown impact and local attack vectors. | 6.5 |
2008-07-15 | CVE-2008-2610 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors. | 6.5 |
2008-07-15 | CVE-2008-2607 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the Advanced Queuing component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to SYS.DBMS_AQELM. | 6.5 |
2008-07-15 | CVE-2008-2606 | Oracle | Unspecified vulnerability in Oracle Application Object Library and E-Business Suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2586. | 6.5 |
2008-07-15 | CVE-2008-2604 | Oracle | Unspecified vulnerability in Oracle Authentication Component and Database Server Unspecified vulnerability in the Authentication component in Oracle Database 11.1.0.6 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2605. | 6.5 |
2008-07-15 | CVE-2008-2600 | Oracle | Unspecified vulnerability in Oracle Database Server, Oracle Database and Spatial Component Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5, 10.2.0.3, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to MDSYS.SDO_TOPO_MAP. | 6.5 |
2008-07-15 | CVE-2008-2596 | Oracle | Unspecified vulnerability in Oracle E-Business Suite and Mobile Application Server Unspecified vulnerability in the Mobile Application Server component in Oracle E-Business Suite 12.0.3 has unknown impact and remote authenticated attack vectors. | 6.5 |
2008-07-15 | CVE-2008-2591 | Oracle | Unspecified vulnerability in Oracle Database 9I and Database Server Unspecified vulnerability in the Oracle Database Vault component in Oracle Database 9.2.0.8DV, 10.2.0.3, and 11.1.0.6 has unknown impact and remote authenticated attack vectors. | 6.5 |
2008-07-15 | CVE-2008-2585 | Oracle | Remote Security vulnerability in E-Business Suite 12 Unspecified vulnerability in the Oracle Report Manager component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors. | 6.5 |
2008-07-15 | CVE-2008-3181 | Content NOW | Improper Input Validation vulnerability in Content NOW Content NOW 1.4.1 Unrestricted file upload vulnerability in upload.php in ContentNow CMS 1.4.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/. | 6.5 |
2008-07-15 | CVE-2008-2609 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 9.0.4.3, 10.1.2.3, and 10.1.4.2 has unknown impact and remote attack vectors. | 6.4 |
2008-07-15 | CVE-2008-2594 | Oracle | Unspecified vulnerability in Oracle Application Server 10.1.2.3/10.1.4.2 Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2593. | 6.4 |
2008-07-15 | CVE-2008-2589 | Oracle | Unspecified vulnerability in Oracle Application Server and Oracle Portal Component Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 9.0.4.3, 10.1.2.2, and 10.1.4.1 has unknown impact and remote attack vectors. | 6.4 |
2008-07-18 | CVE-2008-3222 | Drupal Fedoraproject | Session Fixation vulnerability in multiple products Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors. | 5.8 |
2008-07-15 | CVE-2008-2601 | Oracle | Unspecified vulnerability in Oracle E-Business Suite 12.0.4 Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors. | 5.5 |
2008-07-15 | CVE-2008-2592 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the Advanced Replication component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to SYS.DBMS_DEFER_SYS. | 5.5 |
2008-07-15 | CVE-2008-2581 | Oracle | Unspecified vulnerability in Oracle BEA Product Suite and Weblogic Server Component Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 has unknown impact and remote attack vectors related to UDDI Explorer. | 5.1 |
2008-07-18 | CVE-2008-3226 | Joomla | Permissions, Privileges, and Access Controls vulnerability in Joomla The file caching implementation in Joomla! before 1.5.4 allows attackers to access cached pages via unknown attack vectors. | 5.0 |
2008-07-18 | CVE-2008-3215 | Clam Anti Virus | Resource Management Errors vulnerability in Clam Anti-Virus Clamav libclamav/petite.c in ClamAV before 0.93.3 allows remote attackers to cause a denial of service via a malformed Petite file that triggers an out-of-bounds memory access. | 5.0 |
2008-07-18 | CVE-2008-3210 | Resiprocate | Improper Input Validation vulnerability in Resiprocate 1.3.2 rutil/dns/DnsStub.cxx in ReSIProcate 1.3.2, as used by repro, allows remote attackers to cause a denial of service (daemon crash) via a SIP (1) INVITE or (2) OPTIONS message with a long domain name in a request URI, which triggers an assert error. | 5.0 |
2008-07-18 | CVE-2008-3208 | Simpledns | Improper Input Validation vulnerability in Simpledns Simple DNS Plus 4.1/5.0 Simple DNS Plus 4.1, 5.0, and possibly other versions before 5.1.101 allows remote attackers to cause a denial of service via multiple DNS reply packets. | 5.0 |
2008-07-17 | CVE-2008-3205 | Easy Script | Path Traversal vulnerability in Easy-Script Wysi Wiki WYG 1.0 Directory traversal vulnerability in index.php in Easy-Script Wysi Wiki Wyg 1.0 allows remote attackers to read arbitrary files via a .. | 5.0 |
2008-07-16 | CVE-2008-3145 | Wireshark | Improper Input Validation vulnerability in Wireshark The fragment_add_work function in epan/reassemble.c in Wireshark 0.8.19 through 1.0.1 allows remote attackers to cause a denial of service (crash) via a series of fragmented packets with non-sequential fragmentation offset values, which lead to a buffer over-read. | 5.0 |
2008-07-15 | CVE-2008-2595 | Oracle | Unspecified vulnerability in Oracle Database 10G and Database 9I Unspecified vulnerability in the Oracle Internet Directory component in Oracle Application Server 9.0.4.3, 10.1.2.3, and 10.1.4.2 has unknown impact and remote attack vectors. | 5.0 |
2008-07-15 | CVE-2008-2582 | Oracle | Unspecified vulnerability in Oracle BEA Product Suite and Weblogic Server Component Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 has unknown impact and remote attack vectors. | 5.0 |
2008-07-15 | CVE-2008-2580 | Oracle | Unspecified vulnerability in Oracle BEA Product Suite and Weblogic Server Component Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, and 9.0 has unknown impact and remote attack vectors. | 5.0 |
2008-07-15 | CVE-2008-3177 | Sophos | Configuration vulnerability in Sophos products Sophos virus detection engine 2.75 on Linux and Unix, as used in Sophos Email Appliance, Pure Message for Unix, and Sophos Anti-Virus Interface (SAVI), allows remote attackers to cause a denial of service (engine crash) via zero-length MIME attachments. | 5.0 |
2008-07-14 | CVE-2008-3171 | Apple | Information Exposure vulnerability in Apple Safari Apple Safari sends Referer headers containing https URLs to different https web sites, which allows remote attackers to obtain potentially sensitive information by reading Referer log data. | 5.0 |
2008-07-14 | CVE-2008-3168 | Empire Server | Information Exposure vulnerability in Empire Server Empire Server The files utility in Empire Server before 4.3.15 discloses the world creation time, which makes it easier for attackers to determine the PRNG seed. | 5.0 |
2008-07-14 | CVE-2008-2318 | Apple | Information Exposure vulnerability in Apple Xcode and Xcode Tools The WOHyperlink implementation in WebObjects in Apple Xcode tools before 3.1 appends local session IDs to generated non-local URLs, which allows remote attackers to obtain potentially sensitive information by reading the requests for these URLs. | 5.0 |
2008-07-18 | CVE-2008-3216 | Debian | Link Following vulnerability in Debian Projectl 1.001 The save function in br/prefmanager.d in projectl 1.001 creates a projectL.prf file in the current working directory, which allows local users to overwrite arbitrary files via a symlink attack. | 4.6 |
2008-07-17 | CVE-2008-2232 | Afuse | Permissions, Privileges, and Access Controls vulnerability in Afuse 0.2 The expand_template function in afuse.c in afuse 0.2 allows local users to gain privileges via shell metacharacters in a pathname. | 4.6 |
2008-07-15 | CVE-2008-2602 | Oracle | Unspecified vulnerability in Oracle Data Pump Component and Database Server Unspecified vulnerability in the Data Pump component in Oracle Database 10.1.0.5, 10.2.0.4, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to the IMP_FULL_DATABASE role. | 4.6 |
2008-07-15 | CVE-2008-2577 | Oracle | Unspecified vulnerability in Oracle Weblogic Server 9.2 Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 9.2 MP1 has unknown impact and remote authenticated attack vectors. | 4.6 |
2008-07-18 | CVE-2008-3233 | Wordpress | Cross-Site Scripting vulnerability in Wordpress Cross-site scripting (XSS) vulnerability in WordPress before 2.6, SVN development versions only, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2008-07-18 | CVE-2008-3231 | Xine | Improper Input Validation vulnerability in Xine Xine-Lib xine-lib before 1.1.15 allows remote attackers to cause a denial of service (crash) via a crafted OGG file, as demonstrated by playing lol-ffplay.ogg with xine. | 4.3 |
2008-07-18 | CVE-2008-3221 | Drupal Fedoraproject | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Cross-site request forgery (CSRF) vulnerability in Drupal 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of OpenID identities. | 4.3 |
2008-07-18 | CVE-2008-3220 | Drupal Fedoraproject | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Cross-site request forgery (CSRF) vulnerability in Drupal 5.x before 5.8 and 6.x before 6.3 allows remote attackers to perform administrative actions via vectors involving deletion of "translated strings." | 4.3 |
2008-07-18 | CVE-2008-3219 | Drupal Fedoraproject | Cross-Site Scripting vulnerability in multiple products The Drupal filter_xss_admin function in 5.x before 5.8 and 6.x before 6.3 does not "prevent use of the object HTML tag in administrator input," which has unknown impact and attack vectors, probably related to an insufficient cross-site scripting (XSS) protection mechanism. | 4.3 |
2008-07-18 | CVE-2008-3218 | Drupal Fedoraproject | Cross-Site Scripting vulnerability in multiple products Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) free tagging taxonomy terms, which are not properly handled on node preview pages, and (2) unspecified OpenID values. | 4.3 |
2008-07-17 | CVE-2008-3202 | Xomol | Cross-Site Scripting vulnerability in Xomol CMS 1.2 Cross-site scripting (XSS) vulnerability in index.php in Xomol CMS 1.2 allows remote attackers to inject arbitrary web script or HTML via the current_url parameter in a tellafriend action. | 4.3 |
2008-07-17 | CVE-2008-3201 | Pagefusion | Cross-Site Scripting vulnerability in Pagefusion 1.5 Multiple cross-site scripting (XSS) vulnerabilities in index.php in Pagefusion 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) acct_fname and (2) acct_lname parameters in an edit action, and the (3) PID, (4) PGID, and (5) rez parameters. | 4.3 |
2008-07-15 | CVE-2008-2614 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the Oracle HTTP Server component in Oracle Application Server 9.0.4.3, 10.1.2.3, and 10.1.3.3 has unknown impact and remote attack vectors. | 4.3 |
2008-07-15 | CVE-2008-2612 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the Hyperion BI Plus component in Oracle Application Server 8.3.2.4, 8.5.0.3, 9.2.0.3, 9.2.1.0, and 9.3.1.0 has unknown impact and remote attack vectors. | 4.3 |
2008-07-15 | CVE-2008-2593 | Oracle | Unspecified vulnerability in Oracle Application Server 10.1.2.3.0/10.1.4.2.0 Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2594. | 4.3 |
2008-07-15 | CVE-2008-2583 | Oracle | Unspecified vulnerability in Oracle Application Server and Oracle Portal Component Unspecified vulnerability in the sample Discussion Forum Portlet for the Oracle Portal component in Oracle Application Server, as available from OTN before 20080715, has unknown impact and remote attack vectors. | 4.3 |
2008-07-15 | CVE-2008-2578 | Oracle | Unspecified vulnerability in Oracle Weblogic Server 10.0/9.2 Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 and 9.2 MP1 has unknown impact and local attack vectors. | 4.3 |
2008-07-15 | CVE-2008-2576 | Oracle | Unspecified vulnerability in Oracle BEA Product Suite and Weblogic Server Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 9.2, 9.1, 9.0, and 8.1 SP6 has unknown impact and local attack vectors. | 4.3 |
2008-07-15 | CVE-2008-3186 | Chipmunk Scripts | Cross-Site Scripting vulnerability in Chipmunk Scripts Chipmunk Blogger Multiple cross-site scripting (XSS) vulnerabilities in Chipmunk Blog (Blogger) allow remote attackers to inject arbitrary web script or HTML via the membername parameter to (1) members.php, (2) comments.php, (3) photos.php, (4) archive.php, or (5) cat.php. | 4.3 |
2008-07-15 | CVE-2008-3184 | Vbulletin | Cross-Site Scripting vulnerability in Vbulletin Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.6.10 PL2 and earlier, and 3.7.2 and earlier 3.7.x versions, allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO (PHP_SELF) or (2) the do parameter, as demonstrated by requests to upload/admincp/faq.php. | 4.3 |
2008-07-15 | CVE-2008-3180 | CWH Underground | Cross-Site Scripting vulnerability in CWH Underground Contentnow CMS 1.4.1 Multiple cross-site scripting (XSS) vulnerabilities in upload/file/language_menu.php in ContentNow CMS 1.4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) pageid parameter or (2) PATH_INFO. | 4.3 |
2008-07-14 | CVE-2008-3161 | IBM | Cross-Site Scripting vulnerability in IBM Maximo 4.1/5.2 Multiple cross-site scripting (XSS) vulnerabilities in jsp/common/system/debug.jsp in IBM Maximo 4.1 and 5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Accept, (2) Accept-Language, (3) UA-CPU, (4) Accept-Encoding, (5) User-Agent, or (6) Cookie HTTP header. | 4.3 |
2008-07-14 | CVE-2008-1589 | Apple | Improper Input Validation vulnerability in Apple Safari Safari on Apple iPhone before 2.0 and iPod touch before 2.0 misinterprets a menu button press as user confirmation for visiting a web site with a (1) self-signed or (2) invalid certificate, which makes it easier for remote attackers to spoof web sites. | 4.3 |
2008-07-14 | CVE-2008-1588 | Apple | Improper Input Validation vulnerability in Apple Safari Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows remote attackers to spoof the address bar via Unicode ideographic spaces in the URL. | 4.3 |
2008-07-15 | CVE-2008-2621 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2617, CVE-2008-2618, CVE-2008-2620, and CVE-2008-2622. | 4.0 |
2008-07-15 | CVE-2008-2611 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.6 has unknown impact and remote authenticated attack vectors. | 4.0 |
2008-07-15 | CVE-2008-2608 | Oracle | Unspecified vulnerability in Oracle Data Pump Component and Database Server Unspecified vulnerability in the Data Pump component in Oracle Database 10.1.0.5 and 10.2.0.3 has unknown impact and remote authenticated attack vectors related to SYS.KUPF$FILE_INT. | 4.0 |
2008-07-15 | CVE-2008-2605 | Oracle | Unspecified vulnerability in Oracle Authentication Component and Database Server Unspecified vulnerability in the Authentication component in Oracle Database 11.1.0.6 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2604. | 4.0 |
2008-07-15 | CVE-2008-2586 | Oracle | Unspecified vulnerability in Oracle Application Object Library and E-Business Suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2606. | 4.0 |
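Two of the local-vector entries above (CVE-2008-3216 in projectl, which writes projectL.prf into the current working directory) describe the classic symlink attack: a program creates a file by name in a directory another local user can write to, a link planted under that name redirects the write to a file the victim owns. The following is an added illustration, not code from projectl, Debian or any other vendor in this report. It stages the attack in a scratch directory (the victim file, its contents and the name projectL.prf are constructed for the demo) and contrasts the vulnerable open-for-write with creation under O_CREAT|O_EXCL|O_NOFOLLOW, which refuses to go through a pre-existing link.

```python
"""Symlink attack on a file created by name, and the O_EXCL|O_NOFOLLOW
pattern that defeats it. Added example; not projectl's code. The file
name projectL.prf comes from the CVE-2008-3216 entry, everything else
(scratch directory, victim file, contents) is constructed for the demo.
"""
import errno
import os
import tempfile


def naive_save(path: str, data: bytes) -> None:
    """Vulnerable pattern: open(path, 'w') follows an existing symlink,
    so a link planted at `path` redirects the write to its target."""
    with open(path, "wb") as f:
        f.write(data)


def safe_save(path: str, data: bytes) -> None:
    """Create the file only if nothing is there yet. O_EXCL makes open()
    fail with EEXIST when `path` already exists, even as a symlink, and
    O_NOFOLLOW additionally refuses to traverse a link in the final
    path component (ELOOP on platforms that define it)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def run_demo() -> dict:
    """Stage the attack in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as work:
        # File the attacker wants clobbered; stands in for e.g. ~victim/.bashrc
        victim = os.path.join(work, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original\n")

        # Attacker plants a link under the name the program will create.
        planted = os.path.join(work, "projectL.prf")
        os.symlink(victim, planted)

        # Hardened save: refuses to create through the planted link.
        try:
            safe_save(planted, b"attacker-controlled\n")
            safe_error = None
        except OSError as e:
            safe_error = errno.errorcode.get(e.errno, str(e.errno))
        with open(victim, "rb") as f:
            after_safe = f.read()

        # Vulnerable save: silently overwrites the victim's file.
        naive_save(planted, b"attacker-controlled\n")
        with open(victim, "rb") as f:
            after_naive = f.read()

    return {"safe_error": safe_error, "after_safe": after_safe, "after_naive": after_naive}


if __name__ == "__main__":
    print(run_demo())
```

The same O_EXCL check is only a complete fix when the program also writes into a directory it controls (a private, mode-0700 directory rather than the caller's CWD or a shared /tmp); otherwise the attacker can simply pre-create a regular file and win the race another way.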
6 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-07-16 | CVE-2008-3197 | Phpmyadmin | Cross-Site Request Forgery (CSRF) vulnerability in PHPmyadmin Cross-site request forgery (CSRF) vulnerability in phpMyAdmin before 2.11.7.1 allows remote attackers to perform unauthorized actions via a link or IMG tag to (1) the db parameter in the "Creating a Database" functionality (db_create.php), and (2) the convcharset and collation_connection parameters related to an unspecified program that modifies the connection character set. | 3.5 |
2008-07-15 | CVE-2008-2603 | Oracle | Unspecified vulnerability in Oracle Enterprise Manager 10.1.0.5/10.2.0.4/11.1.0.6 Unspecified vulnerability in the Resource Manager component in Oracle Database 10.1.0.5, 10.2.0.4, and 11.1.0.6, and Database Control in Enterprise Manager, has unknown impact and remote authenticated attack vectors. | 3.5 |
2008-07-15 | CVE-2008-2590 | Oracle | Unspecified vulnerability in Oracle products Unspecified vulnerability in the Instance Management component in Oracle Database 10.1.0.5 and Enterprise Manager 10.1.0.6 has unknown impact and remote authenticated attack vectors. | 3.5 |
2008-07-17 | CVE-2008-2933 | Mozilla | Improper Input Validation vulnerability in Mozilla Firefox Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' (pipe) characters in a command-line URI as requests to open multiple tabs, which allows remote attackers to access chrome: URIs, or read arbitrary local files via manipulations involving a series of URIs that is not entirely handled by a vector application, as exploited in conjunction with CVE-2008-2540. | 2.6 |
2008-07-18 | CVE-2008-3230 | Ffmpeg | Improper Input Validation vulnerability in Ffmpeg Lavf Demuxer The ffmpeg lavf demuxer allows user-assisted attackers to cause a denial of service (application crash) via a crafted GIF file, possibly related to gstreamer, as demonstrated by lol-giftopnm.gif. | 1.9 |
2008-07-15 | CVE-2008-2587 | Oracle | Unspecified vulnerability in Oracle Advanced Replication, Database 9I and Database Server Unspecified vulnerability in the Advanced Replication component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 has unknown impact and local attack vectors. | 1.5 |
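The phpMyAdmin entry (CVE-2008-3197) and the Drupal entries in the previous table share one root cause: a request that changes server state is accepted on the strength of the session cookie alone, and a browser attaches that cookie to any request a hostile page triggers, including a plain link or an IMG tag pointing at db_create.php. The guard below is an added example, not phpMyAdmin's or Drupal's code. It models a minimal request handler (the Request class, SERVER_KEY, the /db_create path and the parameter names are assumptions for the demo) and shows the two checks that close the hole: no state change on GET, and a session-bound token that a cross-site page cannot read or forge.

```python
"""CSRF guard for a state-changing request. Added example, not code from
phpMyAdmin or Drupal; Request, SERVER_KEY and the /db_create endpoint are
assumptions constructed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Per-deployment secret; never sent to clients.
SERVER_KEY = secrets.token_bytes(32)

# Endpoints that mutate server state and therefore need CSRF protection.
STATE_CHANGING = {"/db_create"}


def csrf_token(session_id: str) -> str:
    """Token derived from the session so it is useless for another victim
    and cannot be computed without SERVER_KEY. Rendered into the real
    form; an attacker's page has no way to read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # sent automatically by the browser
    params: dict = field(default_factory=dict)    # query string or form body


def handle(req: Request) -> tuple:
    """Return (status, message) for a request; 2xx only for legitimate ones."""
    session_id = req.cookies.get("session")
    if session_id is None:
        return 401, "no session"
    if req.path not in STATE_CHANGING:
        return 200, "ok"
    # 1. Never mutate state on GET: a link or <img src> can only issue GETs.
    if req.method != "POST":
        return 405, "state change requires POST"
    # 2. Require the session-bound token; constant-time compare.
    supplied = req.params.get("token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, "created database %s" % req.params.get("db", "")


def forged_img_request(session_id: str) -> Request:
    """What the victim's browser sends when a hostile page embeds
    <img src="https://victim-host/db_create?db=evil">: cookie present, no token."""
    return Request("GET", "/db_create", {"session": session_id}, {"db": "evil"})


def legitimate_request(session_id: str, db: str) -> Request:
    """A POST from the real form, which carries the token the server rendered."""
    return Request("POST", "/db_create", {"session": session_id},
                   {"db": db, "token": csrf_token(session_id)})
```

Binding the token to the session rather than storing a random value per form is a design choice for the demo: it needs no server-side state and cannot be replayed against a different session, but any token that the attacker's origin cannot read and that the browser does not attach automatically would serve the same purpose.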