Weekly Vulnerabilities Reports > January 12 to 18, 2009
Overview
104 new vulnerabilities reported during this period, including 13 critical vulnerabilities and 25 high severity vulnerabilities. This weekly summary report vulnerabilities in 76 products from 32 vendors including Oracle, SUN, Cisco, Microsoft, and Codeavalanche. Vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Improper Input Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "SQL Injection", and "Information Exposure".
- 93 reported vulnerabilities are remotely exploitables.
- 21 reported vulnerabilities have public exploit available.
- 16 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 80 reported vulnerabilities are exploitable by an anonymous user.
- Oracle has the most reported vulnerabilities, with 41 reported vulnerabilities.
- Oracle has the most reported critical vulnerabilities, with 5 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
13 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-01-16 | CVE-2009-0171 | SUN | Permissions, Privileges, and Access Controls vulnerability in SUN Sparc Enterprise Server M4000/M5000 The Sun SPARC Enterprise M4000 and M5000 Server, within a certain range of serial numbers, allows remote attackers to use the manufacturing root password, perform a root login to the eXtended System Control Facility Unit (aka XSCFU or Service Processor), and have unspecified other impact. | 10.0 |
2009-01-16 | CVE-2008-4770 | Realvnc | Improper Input Validation vulnerability in Realvnc The CMsgReader::readRect function in the VNC Viewer component in RealVNC VNC Free Edition 4.0 through 4.1.2, Enterprise Edition E4.0 through E4.4.2, and Personal Edition P4.0 through P4.4.2 allows remote VNC servers to execute arbitrary code via crafted RFB protocol data, related to "encoding type." | 10.0 |
2009-01-15 | CVE-2009-0133 | Microsoft | Buffer Errors vulnerability in Microsoft Html Help Workshop 4.74 Buffer overflow in Microsoft HTML Help Workshop 4.74 and earlier allows context-dependent attackers to execute arbitrary code via a .hhp file with a long "Index file" field, possibly a related issue to CVE-2006-0564. | 10.0 |
2009-01-14 | CVE-2009-0119 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Windows XP Buffer overflow in Microsoft Windows XP SP3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .chm file. | 10.0 |
2009-01-14 | CVE-2008-5457 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the Oracle BEA WebLogic Server Plugins for Apache, Sun and IIS web servers component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 10.0 |
2009-01-14 | CVE-2008-5449 | Oracle | Multiple vulnerability in Oracle Secure Backup 10.2.0.2 Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2008-5444 and CVE-2008-5448. | 10.0 |
2009-01-14 | CVE-2008-5448 | Oracle | Multiple vulnerability in Oracle Secure Backup 10.2.0.2 Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2008-5444 and CVE-2008-5449. | 10.0 |
2009-01-14 | CVE-2008-5444 | Oracle | Multiple vulnerability in Oracle Secure Backup 10.2.0.2 Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2008-5448 and CVE-2008-5449. | 10.0 |
2009-01-14 | CVE-2008-4006 | Oracle | Multiple vulnerability in Oracle Secure Backup 10.1.0.3 Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.1.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 10.0 |
2009-01-16 | CVE-2009-0136 | Amarok | Numeric Errors vulnerability in Amarok 1.4.10/2.0/2.0.1 Multiple array index errors in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via an Audible Audio (.aa) file with a crafted (1) nlen or (2) vlen Tag value, each of which can lead to an invalid pointer dereference, or the writing of a 0x00 byte to an arbitrary memory location, after an allocation failure. | 9.3 |
2009-01-16 | CVE-2009-0135 | Amarok | Buffer Errors vulnerability in Amarok 1.4.10/2.0/2.0.1 Multiple integer overflows in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to execute arbitrary code via an Audible Audio (.aa) file with a large (1) nlen or (2) vlen Tag value, each of which triggers a heap-based buffer overflow. | 9.3 |
2009-01-16 | CVE-2009-0134 | Share2 | Arbitrary File Overwrite vulnerability in Share2 Easy Grid Control 3.51 Insecure method vulnerability in the EasyGrid.SGCtrl.32 ActiveX control in EasyGrid.ocx 1.0.0.1 in AAA EasyGrid ActiveX 3.51 allows remote attackers to create and overwrite arbitrary files via the (1) DoSaveFile or (2) DoSaveHtmlFile method. | 9.3 |
2009-01-16 | CVE-2009-0169 | SUN | Permissions, Privileges, and Access Controls vulnerability in SUN Java System Access Manager 7.1 Sun Java System Access Manager 7.1 allows remote authenticated sub-realm administrators to gain privileges, as demonstrated by creating the amadmin account in the sub-realm, and then logging in as amadmin in the root realm. | 9.0 |
25 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-01-16 | CVE-2008-3818 | Cisco | Improper Input Validation vulnerability in Cisco ONS and ONS 15600 Cisco ONS 15310-CL, 15310-MA, 15327, 15454, 15454 SDH, and 15600 with software 7.0.2 through 7.0.6, 7.2.2, 8.0.x, 8.5.1, and 8.5.2 allows remote attackers to cause a denial of service (control-card reset) via a crafted TCP session. | 7.8 |
2009-01-15 | CVE-2009-0120 | IBM | Improper Input Validation vulnerability in IBM Websphere Datapower XML Security Gateway Xs40 3.6.1.5 The IBM WebSphere DataPower XML Security Gateway XS40 with firmware 3.6.1.5 allows remote attackers to cause a denial of service (device reboot) by sending data over an established SSL connection, as demonstrated by the abc\r\n\r\n string data. | 7.8 |
2009-01-12 | CVE-2008-5883 | Mini PUB | Path Traversal vulnerability in Mini-Pub 0.1/0.1.1/0.1.2 Absolute path traversal vulnerability in front-end/dir.php in mini-pub 0.3 and earlier allows remote attackers to list arbitrary directories via a full pathname in the sDir parameter. | 7.8 |
2009-01-15 | CVE-1999-1593 | Microsoft | Link Following vulnerability in Microsoft Windows 2000, Windows 95 and Windows 98 Windows Internet Naming Service (WINS) allows remote attackers to cause a denial of service (connectivity loss) or steal credentials via a 1Ch registration that causes WINS to change the domain controller to point to a malicious server. | 7.6 |
2009-01-15 | CVE-2008-5904 | Xrdp | Improper Input Validation vulnerability in Xrdp The rdp_rdp_process_color_pointer_pdu function in rdp/rdp_rdp.c in xrdp 0.4.1 and earlier allows remote RDP servers to have an unknown impact via input data that sets crafted values for certain length variables, leading to a buffer overflow. | 7.5 |
2009-01-15 | CVE-2008-5903 | Xrdp | Numeric Errors vulnerability in Xrdp Array index error in the xrdp_bitmap_def_proc function in xrdp/funcs.c in xrdp 0.4.1 and earlier allows remote attackers to execute arbitrary code via vectors that manipulate the value of the edit_pos structure member. | 7.5 |
2009-01-15 | CVE-2008-5902 | Xrdp | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Xrdp Buffer overflow in the xrdp_bitmap_invalidate function in xrdp/xrdp_bitmap.c in xrdp 0.4.1 and earlier allows remote attackers to execute arbitrary code via a crafted request. | 7.5 |
2009-01-15 | CVE-2009-0121 | Goople CMS | SQL Injection vulnerability in Goople CMS Goople CMS 1.8.2 SQL injection vulnerability in frontpage.php in Goople CMS 1.8.2 allows remote attackers to execute arbitrary SQL commands via the password parameter. | 7.5 |
2009-01-14 | CVE-2008-5440 | Oracle | Multiple vulnerability in Oracle Timesten In-Memory Database 7.0.5.0.0 Unspecified vulnerability in the TimesTen Data Server component in Oracle Database 7.0.5.0.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 7.5 |
2009-01-13 | CVE-2008-5262 | Devil | Buffer Errors vulnerability in Devil Developers Image Library 1.7.4 Multiple stack-based buffer overflows in the iGetHdrHeader function in src-IL/src/il_hdr.c in DevIL 1.7.4 allow context-dependent attackers to execute arbitrary code via a crafted Radiance RGBE file. | 7.5 |
2009-01-12 | CVE-2008-5901 | Iyziforum | Permissions, Privileges, and Access Controls vulnerability in Iyziforum Iyzi Forum 1.0 iyzi Forum 1.0 beta 3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing a password via a direct request for db/iyziforum.mdb. | 7.5 |
2009-01-12 | CVE-2008-5900 | Codeavalanche | Permissions, Privileges, and Access Controls vulnerability in Codeavalanche Articles NIL CodeAvalanche Articles stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing the administrator password via a direct request for _private/CAArticles.mdb. | 7.5 |
2009-01-12 | CVE-2008-5899 | Codeavalanche | Permissions, Privileges, and Access Controls vulnerability in Codeavalanche Freeforall NIL CodeAvalanche FreeForAll stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing the administrator password via a direct request for _private/CAFFAPage.mdb. | 7.5 |
2009-01-12 | CVE-2008-5898 | Codeavalanche | Permissions, Privileges, and Access Controls vulnerability in Codeavalanche Directory NIL CodeAvalanche Directory stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing the administrator password via a direct request for _private/CADirectory.mdb. | 7.5 |
2009-01-12 | CVE-2008-5897 | Codeavalanche | Permissions, Privileges, and Access Controls vulnerability in Codeavalanche Freewallpaper NIL CodeAvalanche FreeWallpaper stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing the administrator password via a direct request for _private/CAFreeWallpaper.mdb. | 7.5 |
2009-01-12 | CVE-2008-5896 | Codeavalanche | Permissions, Privileges, and Access Controls vulnerability in Codeavalanche Ratemysite NIL CodeAvalanche RateMySite stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing the administrator password via a direct request for _private/CARateMySite.mdb. | 7.5 |
2009-01-12 | CVE-2008-5895 | Mediatheka | SQL Injection vulnerability in Mediatheka 4.2 SQL injection vulnerability in connection.php in Mediatheka 4.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter. | 7.5 |
2009-01-12 | CVE-2008-5892 | Icash | SQL Injection vulnerability in Icash Click&Email NIL Multiple SQL injection vulnerabilities in ClickAndEmail allow remote attackers to execute arbitrary SQL commands via (1) the ID parameter to admin_dblayers.asp in an update action, (2) the adminid parameter to admin_loginCheck.asp (aka the USERNAME field in admin_main.asp), and (3) the PassWord parameter to admin_loginCheck.asp (aka the PASSWORD field in admin_main.asp). | 7.5 |
2009-01-12 | CVE-2008-5890 | Injader | SQL Injection vulnerability in Injader SQL injection vulnerability in feeds.php in Injader before 2.1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2009-01-12 | CVE-2008-5888 | Icash | SQL Injection vulnerability in Icash Click&Rank NIL Multiple SQL injection vulnerabilities in Click&Rank allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) hitcounter.asp, (2) user_delete.asp, and (3) user_update.asp; (4) the userid parameter to admin_login.asp (aka the USERNAME field in admin.asp); and (5) the PassWord parameter to admin_login.asp (aka the PASSWORD field in admin.asp). | 7.5 |
2009-01-16 | CVE-2008-5910 | SUN | Unspecified vulnerability in SUN Opensolaris Unspecified vulnerability in txzonemgr in Sun OpenSolaris has unknown impact and local attack vectors, related to a "Temporary file vulnerability," aka Bug ID 6653462. | 7.2 |
2009-01-16 | CVE-2008-5909 | SUN | Unspecified vulnerability in SUN Opensolaris Unspecified vulnerability in conv_lpd in Sun OpenSolaris has unknown impact and local attack vectors, related to improper handling of temporary files, aka Bug ID 6655641. | 7.2 |
2009-01-16 | CVE-2008-5908 | SUN | Local Security vulnerability in OpenSolaris Unspecified vulnerability in the root/boot archive tool in Sun OpenSolaris has unknown impact and local attack vectors, related to a "Temporary file vulnerability," aka Bug ID 6653455. | 7.2 |
2009-01-16 | CVE-2008-4444 | Cisco | Improper Input Validation vulnerability in Cisco Unified IP Phone 7940G and Unified IP Phone 7960G Cisco Unified IP Phone (aka SIP phone) 7960G and 7940G with firmware P0S3-08-9-00 and possibly other versions before 8.10 allows remote attackers to cause a denial of service (device reboot) or possibly execute arbitrary code via a Realtime Transport Protocol (RTP) packet with malformed headers. | 7.1 |
2009-01-15 | CVE-2009-0123 | Apple Microsoft | Information Exposure vulnerability in Apple Safari Unspecified vulnerability in Apple Safari on Mac OS X 10.5 and Windows allows remote attackers to read arbitrary files on a client machine via vectors related to the association of Safari with the (1) feed, (2) feeds, and (3) feedsearch URL types for RSS feeds. | 7.1 |
60 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-01-15 | CVE-2009-0122 | HP | Permissions, Privileges, and Access Controls vulnerability in HP Hplip 2.7.7/2.8.2 hplip.postinst in HP Linux Imaging and Printing (HPLIP) 2.7.7 and 2.8.2 on Ubuntu allows local users to change the ownership of arbitrary files via unspecified manipulations in advance of an HPLIP installation or upgrade by an administrator, related to the product's attempt to correct the ownership of its configuration files within home directories. | 6.9 |
2009-01-16 | CVE-2009-0056 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Ironport Encryption Appliance and Ironport Postx Cross-site request forgery (CSRF) vulnerability in the administration interface in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to execute commands and modify appliance preferences as arbitrary users via a logout action. | 6.8 |
2009-01-16 | CVE-2009-0055 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Ironport Encryption Appliance and Ironport Postx Cross-site request forgery (CSRF) vulnerability in the administration interface in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to modify appliance preferences as arbitrary users via unspecified vectors. | 6.8 |
2009-01-15 | CVE-2008-5906 | Ktorrent | Improper Input Validation vulnerability in Ktorrent Eval injection vulnerability in the web interface plugin in KTorrent before 3.1.4 allows remote attackers to execute arbitrary PHP code via unspecified parameters to this interface's PHP scripts. | 6.8 |
2009-01-14 | CVE-2008-5462 | Oracle | Permissions, Privileges, and Access Controls vulnerability in Oracle BEA Product Suite Unspecified vulnerability in the WebLogic Portal component in BEA Product Suite 10.3, 10.2, 10.0 MP1, 9.2 MP3, and 8.1 SP6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 6.8 |
2009-01-14 | CVE-2008-5461 | Oracle | Permissions, Privileges, and Access Controls vulnerability in Oracle BEA Product Suite Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0, and SP7 allows remote attackers to affect confidentiality, integrity, and availability, related to WLS. | 6.8 |
2009-01-12 | CVE-2008-5894 | Mediatheka | Path Traversal vulnerability in Mediatheka 4.2 Directory traversal vulnerability in index.php in Mediatheka 4.2 allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2009-01-14 | CVE-2008-4007 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the PeopleSoft Enterprise Components component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9.18 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 6.5 |
2009-01-16 | CVE-2009-0170 | SUN | Permissions, Privileges, and Access Controls vulnerability in SUN Java System Access Manager 6.3/7.02005Q4/7.1 Sun Java System Access Manager 6.3 2005Q1, 7 2005Q4, and 7.1 allows remote authenticated users with console privileges to discover passwords, and obtain unspecified other "access to resources," by visiting the Configuration Items component in the console. | 6.0 |
2009-01-15 | CVE-2003-1567 | Microsoft | Information Exposure vulnerability in Microsoft Internet Information Services 5.0 The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE. | 5.8 |
2009-01-14 | CVE-2008-5458 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10 and CU2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-01-14 | CVE-2008-5452 | Jdedwards Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9.18 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-01-14 | CVE-2008-5447 | Oracle | Multiple vulnerability in Oracle Enterprise Manager Grid Control 10G 10.2.0.4 Unspecified vulnerability in the Oracle Enterprise Manager component in Oracle Enterprise Manager 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-01-14 | CVE-2008-4014 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the Oracle BPEL Process Manager component in Oracle Application Server allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-01-14 | CVE-2008-5437 | Oracle | Multiple vulnerability in Oracle Database 10G, Database 11I and Database 9I Unspecified vulnerability in the Job Queue component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.6 allows remote authenticated users to affect confidentiality and integrity, related to DBMS_IJOB. | 5.5 |
2009-01-14 | CVE-2008-5436 | Oracle | Multiple vulnerability in Oracle Database 10G and Database 9I Unspecified vulnerability in the Oracle OLAP component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 allows remote authenticated users to affect integrity and availability via unknown vectors. | 5.5 |
2009-01-14 | CVE-2008-4015 | Oracle | Multiple vulnerability in Oracle Database 10G 10.1.0.5 Unspecified vulnerability in the Oracle Streams component in Oracle Database 10.1.0.5 allows remote authenticated users to affect confidentiality and integrity, related to SYS.DBMS_STREAMS_AUTH. | 5.5 |
2009-01-14 | CVE-2008-3979 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-01-14 | CVE-2008-3978 | Oracle | Multiple vulnerability in Oracle Database 10G 10.1.0.5 Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-01-16 | CVE-2009-0173 | IBM | Improper Input Validation vulnerability in IBM DB2 Universal Database 9.1/9.5 Unspecified vulnerability in the server in IBM DB2 8 before FP17a, 9.1 before FP6a, and 9.5 before FP3a allows remote authenticated users to cause a denial of service (trap) via a crafted data stream. | 5.0 |
2009-01-16 | CVE-2009-0172 | IBM | Improper Input Validation vulnerability in IBM DB2 Universal Database 9.1/9.5 Unspecified vulnerability in IBM DB2 8 before FP17a, 9.1 before FP6a, and 9.5 before FP3a allows remote attackers to cause a denial of service (infinite loop) via a crafted CONNECT data stream. | 5.0 |
2009-01-15 | CVE-2009-0129 | Perl Openssl | Improper Authentication vulnerability in Perl-Openssl Libcrypt-Openssl-Dsa-Perl NIL libcrypt-openssl-dsa-perl does not properly check the return value from the OpenSSL DSA_verify and DSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | 5.0 |
2009-01-15 | CVE-2009-0128 | Llnl | Improper Authentication vulnerability in Llnl Slurm NIL plugins/crypto/openssl/crypto_openssl.c in Simple Linux Utility for Resource Management (aka SLURM or slurm-llnl) does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | 5.0 |
2009-01-15 | CVE-2009-0126 | Berkeley | Improper Authentication vulnerability in Berkeley Boinc Client 6.2.14/6.4.5 The decrypt_public function in lib/crypt.cpp in the client in Berkeley Open Infrastructure for Network Computing (BOINC) 6.2.14 and 6.4.5 does not check the return value from the OpenSSL RSA_public_decrypt function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | 5.0 |
2009-01-15 | CVE-2009-0124 | Arrl | Improper Authentication vulnerability in Arrl Tqsllib 2.0 The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radio Relay League (ARRL) tqsllib 2.0 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. | 5.0 |
2009-01-15 | CVE-2008-5907 | Libpng Debian | Remote Security vulnerability in libpng3 The png_check_keyword function in pngwutil.c in libpng before 1.0.42, and 1.2.x before 1.2.34, might allow context-dependent attackers to set the value of an arbitrary memory location to zero via vectors involving creation of crafted PNG files with keywords, related to an implicit cast of the '\0' character constant to a NULL pointer. | 5.0 |
2009-01-15 | CVE-2003-1566 | Microsoft | Configuration vulnerability in Microsoft Internet Information Services 5.0 Microsoft Internet Information Services (IIS) 5.0 does not log requests that use the TRACK method, which allows remote attackers to obtain sensitive information without detection. | 5.0 |
2009-01-14 | CVE-2009-0041 | Asterisk | Information Exposure vulnerability in Asterisk products IAX2 in Asterisk Open Source 1.2.x before 1.2.31, 1.4.x before 1.4.23-rc4, and 1.6.x before 1.6.0.3-rc2; Business Edition A.x.x, B.x.x before B.2.5.7, C.1.x.x before C.1.10.4, and C.2.x.x before C.2.1.2.1; and s800i 1.2.x before 1.3.0 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. | 5.0 |
2009-01-14 | CVE-2008-5459 | Oracle | Permissions, Privileges, and Access Controls vulnerability in Oracle BEA Product Suite 10.3 Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3 allows remote attackers to affect confidentiality via unknown vectors. | 5.0 |
2009-01-14 | CVE-2008-5445 | Oracle | Multiple vulnerability in Oracle Secure Backup 10.2.0.2 Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect availability via unknown vectors. | 5.0 |
2009-01-14 | CVE-2008-5443 | Oracle | Multiple vulnerability in Oracle Secure Backup 10.2.0.2 Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect availability via unknown vectors, a different vulnerability than CVE-2008-5441 and CVE-2008-5442. | 5.0 |
2009-01-14 | CVE-2008-4017 | Oracle | Multiple vulnerability in Oracle Application Server 10.1.2.3 Unspecified vulnerability in the OC4J component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality via unknown vectors. | 5.0 |
2009-01-14 | CVE-2008-5442 | Oracle | Multiple vulnerability in Oracle Secure Backup 10.2.0.2 Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect availability via unknown vectors, a different vulnerability than CVE-2008-5441 and CVE-2008-5443. | 5.0 |
2009-01-14 | CVE-2008-5441 | Oracle | Multiple vulnerability in Oracle Secure Backup 10.2.0.2 Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect availability via unknown vectors, a different vulnerability than CVE-2008-5442 and CVE-2008-5443. | 5.0 |
2009-01-14 | CVE-2008-3981 | Oracle | Multiple vulnerability in Oracle Secure Backup 10.1.0.1 Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.1.0.1 allows remote attackers to affect confidentiality via unknown vectors. | 5.0 |
2009-01-12 | CVE-2008-5887 | Tincan | Improper Input Validation vulnerability in Tincan PHPlist phplist before 2.10.8 allows remote attackers to include files via unknown vectors, related to a "local file include vulnerability." | 5.0 |
2009-01-12 | CVE-2008-5886 | Takempis | Permissions, Privileges, and Access Controls vulnerability in Takempis Discussion web 4.0 TAKempis Discussion Web 4.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing a password via a direct request for _private/discussion.mdb. | 5.0 |
2009-01-12 | CVE-2008-5885 | Thenetguys | Permissions, Privileges, and Access Controls vulnerability in Thenetguys Aspired2Quote NIL The Net Guys ASPired2Quote stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing usernames and passwords via a direct request for admin/quote.mdb. | 5.0 |
2009-01-16 | CVE-2009-0168 | SUN | Denial-Of-Service vulnerability in SUN Opensolaris and Solaris Unspecified vulnerability in ppdmgr in Sun Solaris 10 and OpenSolaris snv_61 through snv_106 allows local users to cause a denial of service via unspecified vectors, related to a failure to "include all cache files," and improper handling of temporary files. | 4.9 |
2009-01-15 | CVE-2009-0132 | SUN | Numeric Errors vulnerability in SUN Opensolaris and Solaris Integer overflow in the aio_suspend function in Sun Solaris 8 through 10 and OpenSolaris, when 32-bit mode is enabled, allows local users to cause a denial of service (panic) via a large integer value in the second argument (aka nent argument). | 4.9 |
2009-01-15 | CVE-2009-0131 | SUN | Local Denial Of Service vulnerability in Sun OpenSolaris 'posix_fallocate(3C)' System Call The UFS implementation in the kernel in Sun OpenSolaris snv_29 through snv_90 allows local users to cause a denial of service (panic) via the single posix_fallocate test in the SUSv3 POSIX test suite, related to an F_ALLOCSP fcntl call. | 4.9 |
2009-01-14 | CVE-2008-5463 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the PeopleSoft Enterprise Campus Solutions component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9.18 and 9.0.8 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 4.9 |
2009-01-14 | CVE-2008-5456 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9.18 and 9.0.8 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 4.9 |
2009-01-14 | CVE-2008-5455 | Jdedwards Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the PeopleSoft Enterprise HRMS - ePerformance component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9.18 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 4.9 |
2009-01-14 | CVE-2008-5454 | Oracle | Multiple vulnerability in Oracle E-Business Suite 11I and E-Business Suite 12 Unspecified vulnerability in the iProcurement component in Oracle E-Business Suite 11.5.10 CU2 and 12.0.6 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 4.9 |
2009-01-16 | CVE-2009-0167 | SUN | Local Denial Of Service vulnerability in SUN Opensolaris and Solaris Unspecified vulnerability in lpadmin in Sun Solaris 10 and OpenSolaris snv_61 through snv_106 allows local users to cause a denial of service via unspecified vectors, related to enumeration of "wrong printers," aka a "Temporary file vulnerability." | 4.7 |
2009-01-16 | CVE-2009-0054 | Cisco | Credentials Management vulnerability in Cisco Ironport Encryption Appliance and Ironport Postx PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to capture credentials by tricking a user into reading a modified or crafted e-mail message. | 4.3 |
2009-01-16 | CVE-2009-0053 | Cisco | Cryptographic Issues vulnerability in Cisco Ironport Encryption Appliance and Ironport Postx PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to obtain the decryption key via unspecified vectors, related to a "logic error." | 4.3 |
2009-01-16 | CVE-2008-3821 | Cisco | Cross-Site Scripting vulnerability in Cisco IOS Multiple cross-site scripting (XSS) vulnerabilities in the HTTP server in Cisco IOS 11.0 through 12.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the ping program or (2) unspecified other aspects of the URI. | 4.3 |
2009-01-15 | CVE-2008-5905 | Ktorrent | Permissions, Privileges, and Access Controls vulnerability in Ktorrent The web interface plugin in KTorrent before 3.1.4 allows remote attackers to bypass intended access restrictions and upload arbitrary torrent files, and trigger the start of downloads and seeding, via a crafted HTTP POST request. | 4.3 |
2009-01-14 | CVE-2008-5438 | Oracle | Unspecified vulnerability in Oracle Application Server 10.1.2.3.0/10.1.4.2.0 Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors. | 4.3 |
2009-01-12 | CVE-2008-5891 | Injader | Cross-Site Scripting vulnerability in Injader Cross-site scripting (XSS) vulnerability in the profile editing functionality in Injader before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-01-12 | CVE-2008-5889 | Icash | Cross-Site Scripting vulnerability in Icash Click&Rank NIL Cross-site scripting (XSS) vulnerability in user.asp in Click&Rank allows remote attackers to inject arbitrary web script or HTML via the action parameter. | 4.3 |
2009-01-12 | CVE-2008-5884 | Zkesoft | Denial of Service vulnerability in Zkesoft Ayeview 2.20 AyeView 2.20 allows user-assisted attackers to cause a denial of service (application crash) via a GIF file with a malformed header. | 4.3 |
2009-01-14 | CVE-2008-5451 | Jdedwards Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the JD Edwards Tools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.97.2.5 allows remote authenticated users to affect confidentiality via unknown vectors. | 4.0 |
2009-01-14 | CVE-2008-4016 | Oracle | Multiple vulnerability in Oracle Collaboration Suite 10.1.2 Unspecified vulnerability in the Collaborative Workspaces component in Oracle Collaboration Suite 10.1.2 allows remote authenticated users to affect confidentiality via unknown vectors. | 4.0 |
2009-01-14 | CVE-2008-5439 | Oracle | Multiple vulnerability in Oracle Database 10G 10.2.0.4 Unspecified vulnerability in the SQL*Plus Windows GUI component in Oracle Database 10.2.0.4 allows remote authenticated users to affect confidentiality via unknown vectors. | 4.0 |
2009-01-14 | CVE-2008-3999 | Oracle | Multiple vulnerability in Oracle Database 10G and Database 9I Unspecified vulnerability in the Oracle OLAP component in Oracle Database 9.2.0.8, 9.2.0.8DV, and 10.1.0.5 allows remote authenticated users to affect availability, related to SYS.OLAPIMPL_T. | 4.0 |
2009-01-14 | CVE-2008-3997 | Oracle | Multiple vulnerability in Oracle Database 10G 10.1.0.5/10.2.0.3 Unspecified vulnerability in the Oracle OLAP component in Oracle Database 10.1.0.5 and 10.2.0.3 allows remote authenticated users to affect availability, related to SYS.DBMS_XSOQ_ODBO. | 4.0 |
2009-01-14 | CVE-2008-3974 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the Oracle OLAP component in Oracle Database 9.0.2.8 and 9.2.0.8DV allows remote authenticated users to affect availability, related to SYS.OLAPIMPL_T. | 4.0 |
6 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-01-14 | CVE-2008-5446 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10 CU2 and 12.0.6 allows remote authenticated users to affect confidentiality via unknown vectors. | 3.5 |
2009-01-14 | CVE-2008-5460 | Oracle | Information Exposure vulnerability in Oracle BEA Product Suite Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, and 9.0 allows remote attackers to affect confidentiality via unknown vectors. | 2.6 |
2009-01-12 | CVE-2008-5893 | Icash | Cross-Site Scripting vulnerability in Icash Click&Email NIL Cross-site scripting (XSS) vulnerability in admin_dblayers.asp in ClickAndEmail allows remote attackers to inject arbitrary web script or HTML via the tablename parameter in an update action. | 2.6 |
2009-01-14 | CVE-2008-2623 | Oracle | Multiple vulnerability in Oracle Jdeveloper 10.1.2.3 Unspecified vulnerability in the Oracle JDeveloper component in Oracle Application Server 10.1.2.3 allows local users to affect confidentiality via unknown vectors. | 2.1 |
2009-01-14 | CVE-2008-3973 | Oracle | Multiple vulnerability in Oracle Database 10G and Database 11G Unspecified vulnerability in the SQL*Plus Windows GUI component in Oracle Database allows local users to affect confidentiality via unknown vectors. | 1.7 |
2009-01-14 | CVE-2008-5450 | Oracle | Multiple vulnerability in Oracle January 2009 Critical Patch Update Unspecified vulnerability in the Oracle Applications Platform Engineering component in Oracle E-Business Suite 11.5.10 CU2 and 12.0.6 allows local users to affect confidentiality via unknown vectors. | 1.2 |