Weekly Vulnerabilities Reports > December 22 to 28, 2008
Overview
52 new vulnerabilities were reported during this period, including 11 critical and 16 high severity vulnerabilities. This weekly summary reports vulnerabilities in 46 products from 40 vendors, including Netcat, Mozilla, Avaya, Qemu, and KDE. The vulnerabilities are notably categorized as "SQL Injection", "Permissions, Privileges, and Access Controls", "Improper Input Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Cross-site Scripting".
- 42 reported vulnerabilities are remotely exploitable.
- 26 reported vulnerabilities have a public exploit available.
- 20 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 50 reported vulnerabilities are exploitable by an anonymous user.
- Netcat has the most reported vulnerabilities, with 5 reported vulnerabilities.
- Trend Micro has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report, grouped by severity:
11 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-12-26 | CVE-2008-5722 | Sawstudio | Buffer Errors vulnerability in Sawstudio 3.9I: Buffer overflow in SAWStudio 3.9i allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long SAWSTUDIO PREFERENCES STRUCT value in a .prf (preferences) file. | 10.0 |
2008-12-23 | CVE-2008-5557 | PHP | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in PHP: Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions. | 10.0 |
2008-12-23 | CVE-2008-4304 | Phpcollab | OS Command Injection vulnerability in PHPcollab: general/login.php in phpCollab 2.5 rc3 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified input related to the SSL_CLIENT_CERT environment variable. | 10.0 |
2008-12-26 | CVE-2008-5735 | Coolplayer | Buffer Errors vulnerability in Coolplayer 2.17/2.18/2.19: Stack-based buffer overflow in skin.c in CoolPlayer 2.17 through 2.19 allows remote attackers to execute arbitrary code via a large PlaylistSkin value in a skin file. | 9.3 |
2008-12-26 | CVE-2008-5718 | Netatalk | OS Command Injection vulnerability in Netatalk: The papd daemon in Netatalk before 2.0.4-beta2, when using certain variables in a pipe command for the print file, allows remote attackers to execute arbitrary commands via shell metacharacters in a print request, as demonstrated using a crafted Title. | 9.3 |
2008-12-24 | CVE-2008-5711 | Facebook | Buffer Errors vulnerability in Facebook Photouploader 4.5.57.0: Heap-based buffer overflow in the Facebook PhotoUploader ActiveX control 5.0.14.0 and earlier allows remote attackers to execute arbitrary code via a long FileMask property value. | 9.3 |
2008-12-23 | CVE-2008-2435 | Trend Micro | Resource Management Errors vulnerability in Trend Micro Housecall 6.51.0.1028/6.6.0.1278: Use-after-free vulnerability in the Trend Micro HouseCall ActiveX control 6.51.0.1028 and 6.6.0.1278 in Housecall_ActiveX.dll allows remote attackers to execute arbitrary code via a crafted notifyOnLoadNative callback function. | 9.3 |
2008-12-23 | CVE-2008-2434 | Trend Micro | Code Injection vulnerability in Trend Micro Housecall 6.51.0.1028/6.6/6.6.0.1278: The Trend Micro HouseCall ActiveX control 6.51.0.1028 and 6.6.0.1278 in Housecall_ActiveX.dll allows remote attackers to download an arbitrary library file onto a client system via a "custom update server" argument. | 9.3 |
2008-12-22 | CVE-2008-5705 | Verlihub Project | Improper Input Validation vulnerability in Verlihub-Project Verlihub 0.9.8D: The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier, when user triggers are enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in an argument. | 9.3 |
2008-12-24 | CVE-2008-5709 | Avaya | Improper Input Validation vulnerability in Avaya Communication Manager: Multiple unspecified vulnerabilities in the web management interface in Avaya Communication Manager (CM) 3.1 before 3.1.4 SP2, 4.0 before 4.0.3 SP1, and 5.0 before 5.0 SP3 allow remote authenticated users to execute arbitrary code via unknown attack vectors in the (1) Set Static Routes and (2) Backup History components. | 9.0 |
2008-12-23 | CVE-2008-4305 | PHP Collab | Code Injection vulnerability in PHP-Collab 2.2/2.3/2.4: Static code injection vulnerability in installation/setup.php in phpCollab 2.5 rc3 and earlier allows remote authenticated administrators to inject arbitrary PHP code into include/settings.php via the URI. | 9.0 |
16 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-12-24 | CVE-2008-5714 | Qemu | Numeric Errors vulnerability in Qemu 0.9.1: Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended. | 7.8 |
2008-12-22 | CVE-2008-5704 | Gpsdrive | Link Following vulnerability in Gpsdrive 1.32/1.33/2.09: src/unit_test.c in gpsdrive (aka gpsdrive-scripts) 2.10~pre4 might allow local users to overwrite arbitrary files via a symlink attack on the /tmp/gpsdrive-unit-test/proc temporary file, a different vector than CVE-2008-4959 and CVE-2008-5380. | 7.6 |
2008-12-26 | CVE-2008-5739 | Pligg | SQL Injection vulnerability in Pligg CMS 9.9.5: SQL injection vulnerability in evb/check_url.php in Pligg CMS 9.9.5 Beta allows remote attackers to execute arbitrary SQL commands via the url parameter. | 7.5 |
2008-12-26 | CVE-2008-5738 | Nodstrum | Permissions, Privileges, and Access Controls vulnerability in Nodstrum Mysql Calendar 1.1/1.2: Nodstrum MySQL Calendar 1.1 and 1.2 allows remote attackers to bypass authentication and gain administrative access by setting the nodstrumCalendarV2 cookie to 1. | 7.5 |
2008-12-26 | CVE-2008-5737 | Nodstrum | SQL Injection vulnerability in Nodstrum Mysql Calendar 1.1/1.2: SQL injection vulnerability in index.php in Nodstrum MySQL Calendar 1.1 and 1.2 allows remote attackers to execute arbitrary SQL commands via the username parameter. | 7.5 |
2008-12-26 | CVE-2008-5733 | PHP Fusion | SQL Injection vulnerability in PHP-Fusion Team Impact TI Blog System Module: SQL injection vulnerability in blog.php in the Team Impact TI Blog System mod for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2008-12-26 | CVE-2008-5732 | Kafooeyblog | Improper Input Validation vulnerability in Kafooeyblog 1.55B: Unrestricted file upload vulnerability in lib/image_upload.php in KafooeyBlog 1.55b allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file. | 7.5 |
2008-12-26 | CVE-2008-5730 | Netcat | Improper Input Validation vulnerability in Netcat: Multiple CRLF injection vulnerabilities in AIST NetCat 3.12 and earlier allow remote attackers to have an unknown impact via unspecified vectors involving (1) a %0a sequence in a cookie and (2) the add.php file. | 7.5 |
2008-12-26 | CVE-2008-5726 | Stormboards Aaronnemisis | SQL Injection vulnerability in Stormboards Aaronnemisis Stormboards 1.0.1: SQL injection vulnerability in thread.php in stormBoards 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2008-12-24 | CVE-2008-5708 | Slimcms | Improper Authentication vulnerability in Slimcms 1.0.0: redirect.php in SlimCMS 1.0.0 does not require authentication, which allows remote attackers to create administrative users by using the newusername and newpassword parameters and setting the newisadmin parameter to 1. | 7.5 |
2008-12-24 | CVE-2008-5707 | Aspindir | SQL Injection vulnerability in Aspindir Iltaweb Alisveris Sistemi NIL: SQL injection vulnerability in urunler.asp in Iltaweb Alisveris Sistemi allows remote attackers to execute arbitrary SQL commands via the catno parameter. | 7.5 |
2008-12-26 | CVE-2008-5744 | Asterisk | Numeric Errors vulnerability in Asterisk Zaptel 1.2/1.2.27/1.4: Array index error in the dahdi/tor2.c driver in Zaptel (aka DAHDI) 1.4.11 and earlier allows local users in the dialout group to overwrite an integer value in kernel memory by writing to /dev/zap/ctl, related to an incorrect tor2 patch for CVE-2008-5396 that uses the wrong variable in a range check against the value of lc->sync. | 7.2 |
2008-12-26 | CVE-2008-5736 | Freebsd | Permissions, Privileges, and Access Controls vulnerability in Freebsd: Multiple unspecified vulnerabilities in FreeBSD 6 before 6.4-STABLE, 6.3 before 6.3-RELEASE-p7, 6.4 before 6.4-RELEASE-p1, 7.0 before 7.0-RELEASE-p7, 7.1 before 7.1-RC2, and 7 before 7.1-PRERELEASE allow local users to gain privileges via unknown attack vectors related to function pointers that are "not properly initialized" for (1) netgraph sockets and (2) bluetooth sockets. | 7.2 |
2008-12-26 | CVE-2008-5725 | Entechtaiwan | Permissions, Privileges, and Access Controls vulnerability in Entechtaiwan Powerstrip: The NT kernel-mode driver (aka pstrip.sys) 5.0.1.1 and earlier in EnTech Taiwan PowerStrip 3.84 and earlier allows local users to gain privileges via certain IRP parameters in an IOCTL request to \Device\Powerstrip1 that overwrites portions of memory. | 7.2 |
2008-12-26 | CVE-2008-5724 | Eset | Permissions, Privileges, and Access Controls vulnerability in Eset Smart Security: The Personal Firewall driver (aka epfw.sys) 3.0.672.0 and earlier in ESET Smart Security 3.0.672 and earlier allows local users to gain privileges via a crafted IRP in a certain METHOD_NEITHER IOCTL request to \Device\Epfw that overwrites portions of memory. | 7.2 |
2008-12-24 | CVE-2008-5716 | Citrix | Permissions, Privileges, and Access Controls vulnerability in Citrix XEN 3.3.0: xend in Xen 3.3.0 does not properly restrict a guest VM's write access within the /local/domain xenstore directory tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. | 7.2 |
25 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2008-12-26 | CVE-2008-5743 | Pdfjam | Link Following vulnerability in Pdfjam NIL: pdfjam creates the (1) pdf90, (2) pdfjoin, and (3) pdfnup files with a predictable name, which allows local users to overwrite arbitrary files via a symlink attack. | 6.9 |
2008-12-22 | CVE-2008-5706 | Verlihub Project | Link Following vulnerability in Verlihub-Project Verlihub 0.9.8D: The cTrigger::DoIt function in src/ctrigger.cpp in the trigger mechanism in the daemon in Verlihub 0.9.8d-RC2 and earlier allows local users to overwrite arbitrary files via a symlink attack on the /tmp/trigger.tmp temporary file. | 6.9 |
2008-12-26 | CVE-2008-5727 | Netcat | SQL Injection vulnerability in Netcat: SQL injection vulnerability in modules/auth/password_recovery.php in AIST NetCat 3.12 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the query string. | 6.8 |
2008-12-23 | CVE-2008-4303 | PHP Collab | SQL Injection vulnerability in PHP-Collab 2.2/2.3/2.4: Multiple SQL injection vulnerabilities in phpCollab 2.5 rc3, 2.4, and earlier allow remote attackers to execute arbitrary SQL commands via the loginForm parameter to general/login.php, and unspecified other vectors. | 6.8 |
2008-12-22 | CVE-2008-5703 | Gpsdrive | Link Following vulnerability in Gpsdrive 1.32/1.33/2.09: gpsdrive (aka gpsdrive-scripts) 2.10~pre4 allows local users to overwrite arbitrary files via a symlink attack on the (a) /tmp/.smswatch or (b) /tmp/gpsdrivepos temporary file, related to (1) examples/gpssmswatch and (2) src/splash.c, different vectors than CVE-2008-4959 and CVE-2008-5380. | 6.2 |
2008-12-26 | CVE-2008-5728 | Netcat | Path Traversal vulnerability in Netcat: Multiple directory traversal vulnerabilities in AIST NetCat 3.12 and earlier, when magic_quotes_gpc is disabled and register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. | 5.1 |
2008-12-22 | CVE-2008-2380 | Courier MTA | SQL Injection vulnerability in Courier-Mta Courier-Authlib: SQL injection vulnerability in authpgsqllib.c in Courier-Authlib before 0.62.0, when a non-Latin locale Postgres database is used, allows remote attackers to execute arbitrary SQL commands via query parameters containing apostrophes. | 5.1 |
2008-12-26 | CVE-2008-5498 | PHP | Information Exposure vulnerability in PHP: Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image. | 5.0 |
2008-12-26 | CVE-2008-5723 | CGI Rescue | Path Traversal vulnerability in Cgi-Rescue Kannibbs2000 and Kannibbs2000I: Directory traversal vulnerability in CGI RESCUE KanniBBS2000 (aka KanniBBS2000i, MiniBBS2000, and MiniBBS2000i) before 1.03 allows remote attackers to read arbitrary files via unspecified vectors. | 5.0 |
2008-12-26 | CVE-2008-5721 | Sapporoworks | Improper Authentication vulnerability in Sapporoworks Blackjumbodog: SapporoWorks BlackJumboDog (BJD) before 4.2.3 allows remote attackers to bypass authentication and obtain sensitive information via unspecified vectors. | 5.0 |
2008-12-24 | CVE-2008-5715 | Mozilla Microsoft | Improper Input Validation vulnerability in Mozilla Firefox 3.0.5: Mozilla Firefox 3.0.5 on Windows Vista allows remote attackers to cause a denial of service (application crash) via JavaScript code with a long string value for the hash property (aka location.hash). | 5.0 |
2008-12-24 | CVE-2008-5712 | KDE | Improper Input Validation vulnerability in KDE Konqueror 3.5.9: The HTML parser in KDE Konqueror 3.5.9 allows remote attackers to cause a denial of service (application crash) via (1) a long COLOR attribute in an HR element; or a long (a) BGCOLOR or (b) BORDERCOLOR attribute in a (2) TABLE, (3) TD, or (4) TR element. | 5.0 |
2008-12-24 | CVE-2008-5710 | Avaya | Configuration vulnerability in Avaya Communication Manager: Multiple unspecified vulnerabilities in the web management interface in Avaya Communication Manager (CM) 3.1.x, 4.0.3, and 5.x allow remote attackers to read (1) configuration files, (2) log files, (3) binary image files, and (4) help files via unknown vectors. | 5.0 |
2008-12-24 | CVE-2008-2382 | Qemu KVM Qumranet | Resource Management Errors vulnerability in multiple products: The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message. | 5.0 |
2008-12-26 | CVE-2008-5731 | PGP | Resource Management Errors vulnerability in PGP Desktop 9.0.6/9.9.0: The PGPwded device driver (aka PGPwded.sys) in PGP Corporation PGP Desktop 9.0.6 build 6060 and 9.9.0 build 397 allows local users to cause a denial of service (system crash) and possibly gain privileges via a certain METHOD_BUFFERED IOCTL request that overwrites portions of memory, related to a "Driver Collapse." NOTE: some of these details are obtained from third party information. | 4.9 |
2008-12-22 | CVE-2008-5699 | SUN | Permissions, Privileges, and Access Controls vulnerability in SUN Opensolaris and Solaris: The name service cache daemon (nscd) in Sun Solaris 10 and OpenSolaris snv_50 through snv_104 does not properly check permissions, which allows local users to gain privileges and obtain sensitive information via unspecified vectors. | 4.6 |
2008-12-26 | CVE-2008-5734 | Icewarp | Cross-Site Scripting vulnerability in Icewarp Merak Mail Server 9.3.2: Cross-site scripting (XSS) vulnerability in WebMail Pro in IceWarp Software Merak Mail Server 9.3.2 allows remote attackers to inject arbitrary web script or HTML via an IMG element in an HTML e-mail message. | 4.3 |
2008-12-26 | CVE-2008-5729 | Netcat | Cross-Site Scripting vulnerability in Netcat: Multiple cross-site scripting (XSS) vulnerabilities in AIST NetCat 3.12 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) form and (2) control parameters to FCKeditor/neditor.php, and the (3) path parameter to admin/siteinfo/iframe.inc.php. | 4.3 |
2008-12-26 | CVE-2008-5720 | Seasar | Cross-Site Scripting vulnerability in Seasar Mayaa: Cross-site scripting (XSS) vulnerability in Mayaa before 1.1.23 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the default error page for the org.seasar.mayaa.impl.engine.PageNotFoundException exception and possibly other exceptions. | 4.3 |
2008-12-26 | CVE-2008-5719 | Hitachi | Cross-Site Scripting vulnerability in Hitachi products: Cross-site scripting (XSS) vulnerability in Hitachi Groupmax Web Workflow SDK Set for Active Server Pages before 06-52-/C and Hitachi Groupmax Workflow - Development Kit for Active Server Pages before 06-52-/A allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2008-12-26 | CVE-2008-5717 | Hitachi | Cross-Site Scripting vulnerability in Hitachi JP1 Integrated Management Service Support: Cross-site scripting (XSS) vulnerability in Hitachi JP1/Integrated Management - Service Support 08-10 through 08-10-05, 08-11 through 08-11-03, and 08-50 through 08-50-03 on Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2008-12-23 | CVE-2008-5514 | University OF Washington | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in University of Washington Imap: Off-by-one error in the rfc822_output_char function in the RFC822BUFFER routines in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit before imap-2007e and other applications, allows context-dependent attackers to cause a denial of service (crash) via an e-mail message that triggers a buffer overflow. | 4.3 |
2008-12-22 | CVE-2008-5698 | KDE | Resource Management Errors vulnerability in KDE Konqueror: HTMLTokenizer::scriptHandler in Konqueror in KDE 3.5.9 and 3.5.10 allows remote attackers to cause a denial of service (application crash) via an invalid document.load call that triggers use of a deleted object. | 4.3 |
2008-12-22 | CVE-2008-5697 | Skype Mozilla | Unspecified vulnerability in Skype Extension for Firefox 2.2.0.95: The skype_tool.copy_num method in the Skype extension BETA 2.2.0.95 for Firefox allows remote attackers to write arbitrary data to the clipboard via a string argument. | 4.3 |
2008-12-26 | CVE-2008-5742 | Netcat | Link Following vulnerability in Netcat: Multiple open redirect vulnerabilities in AIST NetCat 3.12 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via (1) the redirect parameter in a logoff action to modules/auth/index.php or (2) the url parameter to modules/linkmanager/redirect.php. | 4.0 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|