Weekly Vulnerabilities Reports > May 11 to 17, 2009

Overview

106 new vulnerabilities reported during this period, including 36 critical vulnerabilities and 21 high severity vulnerabilities. This weekly summary report vulnerabilities in 82 products from 64 vendors including Apple, Microsoft, Adobe, Squirrelmail, and Mini Stream. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Code Injection", "Permissions, Privileges, and Access Controls", "Cross-site Scripting", and "SQL Injection".

  • 98 reported vulnerabilities are remotely exploitables.
  • 48 reported vulnerabilities have public exploit available.
  • 35 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 102 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 21 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 14 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

36 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-05-16 CVE-2009-1656 Xerox Remote Command Execution vulnerability in Xerox WorkCentre Webserver

Xerox WorkCentre and WorkCentre Pro 232, 238, 245, 255, 265, 275; and WorkCentre 5632, 5638, 5645, 5655, 5665, 5675, 5687, 7655, 7656, and 7675 allows remote attackers to execute arbitrary commands via unknown attack vectors, aka "command injection vulnerability."

10.0
2009-05-11 CVE-2009-1611 Electrasoft Buffer Errors vulnerability in Electrasoft 32Bit FTP 09.04.24

Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows remote FTP servers to execute arbitrary code via a long 257 reply to a CWD command.

10.0
2009-05-15 CVE-2009-1647 Ultrafunk Buffer Errors vulnerability in Ultrafunk Popcorn 1.87

Heap-based buffer overflow in popcorn.exe in Ultrafunk Popcorn 1.87 allows remote POP3 servers to cause a denial of service (application crash) via a long string in a +OK response.

9.3
2009-05-15 CVE-2009-1646 Mini Stream Buffer Errors vulnerability in Mini-Stream RM Downloader 3.0.0.9

Stack-based buffer overflow in Mini-stream RM Downloader 3.0.0.9 allows remote attackers to execute arbitrary code via a long rtsp URL in a .ram file.

9.3
2009-05-15 CVE-2009-1645 Mini Stream Buffer Errors vulnerability in Mini-Stream Easy Rm-Mp3 Converter 3.0.0.7

Multiple stack-based buffer overflows in Mini-stream Easy RM-MP3 Converter 3.0.0.7 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file.

9.3
2009-05-15 CVE-2009-1644 Sorinara Buffer Errors vulnerability in Sorinara Streaming Audio Player 0.9

Stack-based buffer overflow in Sorinara Streaming Audio Player 0.9 allows remote attackers to execute arbitrary code via a crafted .pla file.

9.3
2009-05-15 CVE-2009-1643 Sorinara Buffer Errors vulnerability in Sorinara Soritong MP3 Player 1.0

Stack-based buffer overflow in Sorinara Soritong MP3 Player 1.0 allows remote attackers to execute arbitrary code via a crafted .m3u file.

9.3
2009-05-15 CVE-2009-1642 Mini Stream Buffer Errors vulnerability in Mini-Stream TO MP3 Converter 3.0.0.7

Multiple stack-based buffer overflows in Mini-stream ASX to MP3 Converter 3.0.0.7 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file.

9.3
2009-05-15 CVE-2009-1641 Mini Stream Buffer Errors vulnerability in Mini-Stream Ripper 3.0.1.1

Multiple stack-based buffer overflows in Mini-stream Ripper 3.0.1.1 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file.

9.3
2009-05-15 CVE-2009-1640 Nucleustechnologies Buffer Errors vulnerability in Nucleustechnologies Kernel Recovery 4.04

Stack-based buffer overflow in Nucleus Data Recovery Kernel Recovery for Macintosh 4.04 allows user-assisted attackers to execute arbitrary code via a crafted .AMHH file.

9.3
2009-05-15 CVE-2009-1639 Nucleustechnologies Buffer Errors vulnerability in Nucleustechnologies Kernel Recovery 4.03

Stack-based buffer overflow in Nucleus Data Recovery Kernel Recovery for Novell 4.03 allows user-assisted attackers to execute arbitrary code via a crafted .NKNT file.

9.3
2009-05-13 CVE-2009-0945 Apple
Microsoft
Code Injection vulnerability in Apple Safari

Array index error in the insertItemBefore method in WebKit, as used in Apple Safari before 3.2.3 and 4 Public Beta, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome Stable before 1.0.154.65, and possibly other products allows remote attackers to execute arbitrary code via a document with a SVGPathList data structure containing a negative index in the (1) SVGTransformList, (2) SVGStringList, (3) SVGNumberList, (4) SVGPathSegList, (5) SVGPointList, or (6) SVGLengthList SVGList object, which triggers memory corruption.

9.3
2009-05-13 CVE-2009-0010 Apple Numeric Errors vulnerability in Apple mac OS X

Integer underflow in QuickDraw Manager in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7, and Apple QuickTime before 7.6.2, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PICT image with a crafted 0x77 Poly tag and a crafted length field, which triggers a heap-based buffer overflow.

9.3
2009-05-12 CVE-2009-1137 Microsoft Buffer Errors vulnerability in Microsoft Office Powerpoint 2000/2002/2003

Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 4.0 native file format, leading to memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0222, CVE-2009-0223, CVE-2009-0226, and CVE-2009-0227.

9.3
2009-05-12 CVE-2009-1131 Microsoft Buffer Errors vulnerability in Microsoft Office Powerpoint 2000

Multiple stack-based buffer overflows in Microsoft Office PowerPoint 2000 SP3 allow remote attackers to execute arbitrary code via a large amount of data associated with unspecified atoms in a PowerPoint file that triggers memory corruption, aka "Data Out of Bounds Vulnerability."

9.3
2009-05-12 CVE-2009-1130 Microsoft Buffer Errors vulnerability in Microsoft Office and Office Powerpoint

Heap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a crafted structure in a Notes container in a PowerPoint file that causes PowerPoint to read more data than was allocated when creating a C++ object, leading to an overwrite of a function pointer, aka "Heap Corruption Vulnerability."

9.3
2009-05-12 CVE-2009-1129 Microsoft Buffer Errors vulnerability in Microsoft Office Powerpoint 2000/2002/2003

Multiple stack-based buffer overflows in the PowerPoint 95 importer (PP7X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allow remote attackers to execute arbitrary code via an inconsistent record length in sound data in a file that uses a PowerPoint 95 (PPT95) native file format, aka "PP7 Memory Corruption Vulnerability," a different vulnerability than CVE-2009-1128.

9.3
2009-05-12 CVE-2009-1128 Microsoft Code Injection vulnerability in Microsoft Office Powerpoint 2000/2002/2003

Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 95 native file format, leading to memory corruption, aka "PP7 Memory Corruption Vulnerability," a different vulnerability than CVE-2009-1129.

9.3
2009-05-12 CVE-2009-0227 Microsoft Buffer Errors vulnerability in Microsoft Office Powerpoint 2000/2002/2003

Stack-based buffer overflow in the PowerPoint 4.2 conversion filter (PP4X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via a large number of structures in sound data in a file that uses a PowerPoint 4.0 native file format, leading to memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0222, CVE-2009-0223, CVE-2009-0226, and CVE-2009-1137.

9.3
2009-05-12 CVE-2009-0226 Microsoft Buffer Errors vulnerability in Microsoft Office Powerpoint 2000/2002/2003

Stack-based buffer overflow in the PowerPoint 4.2 conversion filter in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via a long string in sound data in a file that uses a PowerPoint 4.0 native file format, leading to memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0222, CVE-2009-0223, CVE-2009-0227, and CVE-2009-1137.

9.3
2009-05-12 CVE-2009-0225 Microsoft Code Injection vulnerability in Microsoft Office Powerpoint 2002

Microsoft Office PowerPoint 2002 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 95 native file format, leading to improper "array indexing" and memory corruption, aka "PP7 Memory Corruption Vulnerability."

9.3
2009-05-12 CVE-2009-0224 Microsoft Code Injection vulnerability in Microsoft products

Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; PowerPoint Viewer 2003 and 2007 SP1 and SP2; PowerPoint in Microsoft Office 2004 for Mac and 2008 for Mac; Open XML File Format Converter for Mac; Microsoft Works 8.5 and 9.0; and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 do not properly validate PowerPoint files, which allows remote attackers to execute arbitrary code via multiple crafted BuildList records that include ChartBuild containers, which triggers memory corruption, aka "Memory Corruption Vulnerability."

9.3
2009-05-12 CVE-2009-0223 Microsoft Code Injection vulnerability in Microsoft Office Powerpoint 2000/2002/2003

Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 4.0 native file format, leading to memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0222, CVE-2009-0226, CVE-2009-0227, and CVE-2009-1137.

9.3
2009-05-12 CVE-2009-0222 Microsoft Code Injection vulnerability in Microsoft Office Powerpoint 2000/2002/2003

Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allows remote attackers to execute arbitrary code via crafted sound data in a file that uses a PowerPoint 4.0 native file format, leading to a "pointer overwrite" and memory corruption, aka "Legacy File Format Vulnerability," a different vulnerability than CVE-2009-0223, CVE-2009-0226, CVE-2009-0227, and CVE-2009-1137.

9.3
2009-05-12 CVE-2009-0221 Microsoft Numeric Errors vulnerability in Microsoft Office Powerpoint 2002/2003

Integer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a PowerPoint file containing a crafted record type for "collaboration information for different slides" that contains a field that specifies a large number of records, which triggers an under-allocated buffer and a heap-based buffer overflow, aka "Integer Overflow Vulnerability."

9.3
2009-05-12 CVE-2009-0220 Microsoft Buffer Errors vulnerability in Microsoft Office Powerpoint 2000/2002/2003

Multiple stack-based buffer overflows in the PowerPoint 4.0 importer (PP4X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allow remote attackers to execute arbitrary code via crafted formatting data for paragraphs in a file that uses a PowerPoint 4.0 native file format, related to (1) an incorrect calculation from a record header, or (2) an interget that is used to specify the number of bytes to copy, aka "Legacy File Format Vulnerability."

9.3
2009-05-12 CVE-2009-1627 SDP Multimedia Buffer Errors vulnerability in SDP Multimedia Streaming Download Project 2.3.0

Stack-based buffer overflow in Streaming Download Project (SDP) Downloader 2.3.0 allows remote attackers to execute arbitrary code via a long .asf URL in the HREF attribute of a REF element in a .asx file.

9.3
2009-05-11 CVE-2009-1612 Baofeng Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Baofeng Storm

Stack-based buffer overflow in the MPS.StormPlayer.1 ActiveX control in mps.dll 3.9.4.27 in Baofeng Storm allows remote attackers to execute arbitrary code via a long argument to the OnBeforeVideoDownload method, as exploited in the wild in April and May 2009.

9.3
2009-05-11 CVE-2009-1608 Microchip Buffer Errors vulnerability in Microchip Mplab IDE 8.30

Multiple buffer overflows in Microchip MPLAB IDE 8.30 and possibly earlier versions allow user-assisted remote attackers to execute arbitrary code via a .MCP project file with long (1) FILE_INFO, (2) CAT_FILTERS, and possibly other fields.

9.3
2009-05-11 CVE-2009-1606 Dafolo Buffer Errors vulnerability in Dafolo Dafolocontrol 1.108.6

Multiple stack-based and heap-based buffer overflows in Dafolo DafoloControl ActiveX control (DafoloFFControl.dll) 1.108.6.195 allow remote attackers to execute arbitrary code via long (1) baseurl, (2) kommune, (3) felter, (4) afdeling, (5) Flags, (6) HelpURL, (7) caburl, or (8) filename properties; or (9) a long argument to the Open method.

9.3
2009-05-11 CVE-2009-1605 Sumatrapdfreader Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Sumatrapdfreader Sumatrapdf

Heap-based buffer overflow in the loadexponentialfunc function in mupdf/pdf_function.c in MuPDF in the mupdf-20090223-win32 package, as used in SumatraPDF 0.9.3 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF file.

9.3
2009-05-11 CVE-2009-1600 Apple
Adobe
Permissions, Privileges, and Access Controls vulnerability in Apple Safari

Apple Safari executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a web site that permits PDF uploads by untrusted users, and therefore has a shared document.domain between the web site and this javascript: URI.

9.3
2009-05-11 CVE-2009-1599 Opera
Adobe
Permissions, Privileges, and Access Controls vulnerability in Opera Browser

Opera executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a web site that permits PDF uploads by untrusted users, and therefore has a shared document.domain between the web site and this javascript: URI.

9.3
2009-05-11 CVE-2009-1598 Google
Adobe
Permissions, Privileges, and Access Controls vulnerability in Google Chrome

Google Chrome executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a web site that permits PDF uploads by untrusted users, and therefore has a shared document.domain between the web site and this javascript: URI.

9.3
2009-05-11 CVE-2009-1597 Mozilla
Adobe
Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox

Mozilla Firefox executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a web site that permits PDF uploads by untrusted users, and therefore has a shared document.domain between the web site and this javascript: URI.

9.3
2009-05-11 CVE-2009-0194 Garmin Permissions, Privileges, and Access Controls vulnerability in Garmin Communicator Plugin 2.6.4.0

The domain-locking implementation in the GARMINAXCONTROL.GarminAxControl_t.1 ActiveX control in npGarmin.dll in the Garmin Communicator Plug-In 2.6.4.0 does not properly enforce the restrictions that (1) download and (2) upload requests come from a web site specified by the user, which allows remote attackers to obtain sensitive information or reconfigure Garmin GPS devices via unspecified vectors related to a "synchronisation error."

9.3

21 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-05-16 CVE-2009-1653 Tinybutstrong Path Traversal vulnerability in Tinybutstrong 3.4.0

Directory traversal vulnerability in examples/tbs_us_examples_0view.php in TinyButStrong 3.4.0 allows remote attackers to read arbitrary files via a ..

7.8
2009-05-16 CVE-2009-1652 2Daybiz Permissions, Privileges, and Access Controls vulnerability in 2Daybiz Business Community Script

admin/adminaddeditdetails.php in Business Community Script does not properly restrict access, which allows remote attackers to gain privileges and add administrators via a direct request.

7.5
2009-05-16 CVE-2009-1651 2Daybiz SQL Injection vulnerability in 2Daybiz Business Community Script

SQL injection vulnerability in admin/member_details.php in 2daybiz Business Community Script allows remote attackers to execute arbitrary SQL commands via the mid parameter.

7.5
2009-05-16 CVE-2009-1650 Tenfourzero SQL Injection vulnerability in Tenfourzero Shutter 0.1.1

Multiple SQL injection vulnerabilities in photos.php in Shutter 0.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) albumID, (2) tagID, and (3) photoID parameters to index.html.

7.5
2009-05-16 CVE-2009-1649 Bicluc Path Traversal vulnerability in Bicluc Belive 0.2.3

Directory traversal vulnerability in arch.php in beLive 0.2.3 allows remote attackers to read arbitrary files via a ..

7.5
2009-05-15 CVE-2009-1638 T Dreams Improper Authentication vulnerability in T-Dreams JOB Career Package 3.0

Techno Dreams Job Career Package 3.0 allows remote attackers to bypass authentication and obtain administrative access by setting the JobCareerAdmin cookie to Login.

7.5
2009-05-15 CVE-2009-0688 Carnegie Mellon University Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Carnegie Mellon University Cyrus-Sasl

Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.

7.5
2009-05-14 CVE-2009-1465 Klinzmann Credentials Management vulnerability in Klinzmann Application Access Server 2.0.48

Application Access Server (A-A-S) 2.0.48 has "wildbat" as its default password for the admin account, which makes it easier for remote attackers to obtain access.

7.5
2009-05-12 CVE-2009-1626 Will Kraft SQL Injection vulnerability in Will Kraft Ez-Blog

SQL injection vulnerability in public/specific.php in EZ-Blog before Beta 2 20090427, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the category parameter.

7.5
2009-05-12 CVE-2009-1622 Ecshop SQL Injection vulnerability in Ecshop 2.5.0

SQL injection vulnerability in user.php in EcShop 2.5.0 allows remote attackers to execute arbitrary SQL commands via the order_sn parameter in an order_query action.

7.5
2009-05-12 CVE-2009-1619 Teraway Improper Authentication vulnerability in Teraway Filestream 1.0

Teraway FileStream 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the twFSadmin cookie to 1.

7.5
2009-05-12 CVE-2009-1618 Teraway Improper Authentication vulnerability in Teraway Livehelp 2.0

Teraway LiveHelp 2.0 allows remote attackers to bypass authentication and gain administrative access via a pwd=&lvl=1&usr=&alias=admin&userid=1 value for the TWLHadmin cookie.

7.5
2009-05-12 CVE-2009-1617 Teraway Improper Authentication vulnerability in Teraway Linktracker 1.0

Teraway LinkTracker 1.0 allows remote attackers to bypass authentication and gain administrative access via a userid=1&lvl=1 value for the twLTadmin cookie.

7.5
2009-05-12 CVE-2008-6808 Scripts FOR Sites SQL Injection vulnerability in Scripts-For-Sites EZ Link Directory

SQL injection vulnerability in links.php in Scripts for Sites (SFS) EZ Link Directory allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action.

7.5
2009-05-12 CVE-2008-6807 Ibiblio Code Injection vulnerability in Ibiblio Osprey 1.0A4.1

PHP remote file inclusion vulnerability in ListRecords.php in osprey 1.0a4.1 allows remote attackers to execute arbitrary PHP code via a URL in the xml_dir parameter.

7.5
2009-05-11 CVE-2008-6804 Tribiq Improper Authentication vulnerability in Tribiq CMS 5.0.9A

** DISPUTED ** Tribiq CMS 5.0.9a beta allows remote attackers to bypass authentication and gain administrative access by setting the COOKIE_LAST_ADMIN_USER and COOKIE_LAST_ADMIN_LANG cookies.

7.5
2009-05-11 CVE-2008-6803 Yigit Aybuga SQL Injection vulnerability in Yigit Aybuga Dizi Portali

SQL injection vulnerability in diziler.asp in Yigit Aybuga Dizi Portali allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2009-05-11 CVE-2009-1610 Jobscript Permissions, Privileges, and Access Controls vulnerability in Jobscript JOB Script JOB Board Software 2.0

admin/changepassword.php in Job Script Job Board Software 2.0 allows remote attackers to change the administrator password and gain administrator privileges via a direct request.

7.5
2009-05-11 CVE-2009-1604 Limesurvey Remote Code Execution vulnerability in LimeSurvey '/admin/remotecontrol'

Unspecified vulnerability in LimeSurvey before 1.82 allows remote attackers to execute commands and obtain sensitive data via unknown attack vectors related to /admin/remotecontrol/.

7.5
2009-05-14 CVE-2009-0714 Microsoft
Novell
Redhat
Suse
HP
Privilege Escalation vulnerability in HP Data Protector Express 3.5/4.0

Unspecified vulnerability in the dpwinsup module (dpwinsup.dll) for dpwingad (dpwingad.exe) in HP Data Protector Express and Express SSE 3.x before build 47065, and Express and Express SSE 4.x before build 46537, allows remote attackers to cause a denial of service (application crash) or read portions of memory via one or more crafted packets.

7.2
2009-05-13 CVE-2008-1517 Apple Improper Input Validation vulnerability in Apple mac OS X and mac OS X Server

Array index error in the xnu (Mach) kernel in Apple Mac OS X 10.5 before 10.5.7 allows local users to gain privileges or cause a denial of service (system shutdown) via unspecified vectors related to workqueues.

7.2

46 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-05-14 CVE-2009-1629 Antony Lesuisse Improper Authentication vulnerability in Antony Lesuisse Ajaxterm

ajaxterm.js in AjaxTerm 0.10 and earlier generates session IDs with predictable random numbers based on certain JavaScript functions, which makes it easier for remote attackers to (1) hijack a session or (2) cause a denial of service (session ID exhaustion) via a brute-force attack.

6.8
2009-05-14 CVE-2009-1579 Squirrelmail Code Injection vulnerability in Squirrelmail

The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.18 and NaSMail before 1.7 allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program.

6.8
2009-05-14 CVE-2009-1464 Klinzmann Cross-Site Request Forgery (CSRF) vulnerability in Klinzmann Application Access Server 2.0.48

Multiple cross-site request forgery (CSRF) vulnerabilities in index.aas in Application Access Server (A-A-S) 2.0.48 allow remote attackers to hijack the authentication of administrators for requests that (1) execute arbitrary programs via a command job, (2) stop services via a setservice job, or (3) terminate processes via a killprocess job.

6.8
2009-05-13 CVE-2009-0944 Apple Code Injection vulnerability in Apple mac OS X and mac OS X Server

The Microsoft Office Spotlight Importer in Spotlight in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 does not properly validate Microsoft Office files, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a file that triggers memory corruption.

6.8
2009-05-13 CVE-2009-0943 Apple Improper Input Validation vulnerability in Apple mac OS X and mac OS X Server

Help Viewer in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 does not verify that HTML pathnames are located in a registered help book, which allows remote attackers to execute arbitrary code via a help: URL that triggers invocation of AppleScript files.

6.8
2009-05-13 CVE-2009-0942 Apple Improper Input Validation vulnerability in Apple mac OS X and mac OS X Server

Help Viewer in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 does not verify that certain Cascading Style Sheets (CSS) are located in a registered help book, which allows remote attackers to execute arbitrary code via a help: URL that triggers invocation of AppleScript files.

6.8
2009-05-13 CVE-2009-0160 Apple Code Injection vulnerability in Apple mac OS X and mac OS X Server

QuickDraw Manager in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image that triggers memory corruption.

6.8
2009-05-13 CVE-2009-0158 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

Stack-based buffer overflow in telnet in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long hostname for a telnet server.

6.8
2009-05-13 CVE-2009-0157 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

Heap-based buffer overflow in CFNetwork in Apple Mac OS X 10.5 before 10.5.7 allows remote web servers to execute arbitrary code or cause a denial of service (application crash) via long HTTP headers.

6.8
2009-05-13 CVE-2009-0155 Apple Numeric Errors vulnerability in Apple mac OS X and mac OS X Server

Integer underflow in CoreGraphics in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file that triggers a heap-based buffer overflow.

6.8
2009-05-13 CVE-2009-0154 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to execute arbitrary code via a crafted Compact Font Format (CFF) font.

6.8
2009-05-13 CVE-2009-0145 Apple Code Injection vulnerability in Apple mac OS X and mac OS X Server

CoreGraphics in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file that triggers memory corruption.

6.8
2009-05-12 CVE-2009-1625 Davlin Path Traversal vulnerability in Davlin Thickbox Gallery 2

Directory traversal vulnerability in index.php in Thickbox Gallery 2 allows remote attackers to include and execute arbitrary local files via a ..

6.8
2009-05-12 CVE-2008-6806 7 Shop Improper Input Validation vulnerability in 7-Shop 7Shop 0.9Beta/1.0

Unrestricted file upload vulnerability in includes/imageupload.php in 7Shop 1.1 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in images/artikel/.

6.8
2009-05-11 CVE-2009-1615 Gowondesigns Unspecified vulnerability in Gowondesigns Leap 0.1.4

Unrestricted file upload vulnerability in Leap CMS 0.1.4 allows remote attackers to execute arbitrary code by uploading a file with an executable extension via an admin.system.files (aka Manage Files) request to the default URI, then accessing the file via a direct request.

6.8
2009-05-11 CVE-2009-1613 Gowondesigns SQL Injection vulnerability in Gowondesigns Leap 0.1.4

Multiple SQL injection vulnerabilities in leap.php in Leap CMS 0.1.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) searchterm or (2) email parameter.

6.8
2009-05-11 CVE-2008-6805 Micgr SQL Injection vulnerability in Micgr MIC Blog 0.0.3

Multiple SQL injection vulnerabilities in Mic_Blog 0.0.3, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to category.php, the (2) user parameter to login.php, and the (3) site parameter to register.php.

6.8
2009-05-11 CVE-2009-1609 Battleblog Improper Input Validation vulnerability in Battleblog Battle Blog 1.25

Unrestricted file upload vulnerability in admin/uploadform.asp in Battle Blog 1.25 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file.

6.8
2009-05-11 CVE-2009-1601 Ubuntu Permissions, Privileges, and Access Controls vulnerability in Ubuntu Linux 9.04

The Ubuntu clamav-milter.init script in clamav-milter before 0.95.1+dfsg-1ubuntu1.2 in Ubuntu 9.04 sets the ownership of the current working directory to the clamav account, which might allow local users to bypass intended access restrictions via read or write operations involving this directory.

6.8
2009-05-11 CVE-2009-1194 Pango Numeric Errors vulnerability in Pango

Integer overflow in the pango_glyph_string_set_size function in pango/glyphstring.c in Pango before 1.24 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long glyph string that triggers a heap-based buffer overflow, as demonstrated by a long document.location value in Firefox.

6.8
2009-05-16 CVE-2009-1655 Easy Scripts SQL Injection vulnerability in Easy-Scripts Answer and Question Script

Multiple SQL injection vulnerabilities in myaccount.php in Easy Scripts Answer and Question Script allow remote authenticated users to execute arbitrary SQL commands via the (1) user name (userid parameter) and (2) password.

6.5
2009-05-15 CVE-2009-1637 Simplecustomer Permissions, Privileges, and Access Controls vulnerability in Simplecustomer Simple Customer 1.3

profile.php in Simple Customer 1.3 does not require administrative authentication, which allows remote attackers to change the admin e-mail address and password via the email and password parameters.

6.4
2009-05-13 CVE-2009-0161 Apple Improper Input Validation vulnerability in Apple mac OS X and mac OS X Server

The OpenSSL::OCSP module for Ruby in Apple Mac OS X 10.5 before 10.5.7 misinterprets an unspecified invalid response as a successful OCSP certificate validation, which might allow remote attackers to spoof certificate authentication via a revoked certificate.

6.4
2009-05-14 CVE-2009-1580 Squirrelmail Improper Authentication vulnerability in Squirrelmail

Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie.

5.8
2009-05-14 CVE-2009-1632 Ipsec Tools Resource Management Errors vulnerability in Ipsec-Tools

Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) signature verification during user authentication with X.509 certificates, related to the eay_check_x509sign function in src/racoon/crypto_openssl.c; and (2) the NAT-Traversal (aka NAT-T) keepalive implementation, related to src/racoon/nattraversal.c.

5.0
2009-05-13 CVE-2009-0152 Apple Configuration vulnerability in Apple mac OS X and mac OS X Server

iChat in Apple Mac OS X 10.5 before 10.5.7 disables SSL for AOL Instant Messenger (AIM) communication in certain circumstances that are inconsistent with the Require SSL setting, which allows remote attackers to obtain sensitive information by sniffing the network.

5.0
2009-05-12 CVE-2009-1624 DEW Code Path Traversal vulnerability in Dew-Code Dew-Newphplinks 2.0

Directory traversal vulnerability in index.php in Dew-NewPHPLinks 2.0 allows remote attackers to read arbitrary files via a ..

5.0
2009-05-12 CVE-2009-1621 Opencart Path Traversal vulnerability in Opencart 1.1.8

Directory traversal vulnerability in index.php in OpenCart 1.1.8 allows remote attackers to read arbitrary files via a ..

5.0
2009-05-11 CVE-2009-1602 Pablosoftwaresolutions Buffer Errors vulnerability in Pablosoftwaresolutions Quick'N Easy Mail Server 3.3

Pablo Software Solutions Quick 'n Easy Mail Server 3.3 allows remote attackers to cause a denial of service (daemon outage or CPU consumption) via multiple long SMTP commands, as demonstrated by HELO commands.

5.0
2009-05-14 CVE-2009-1630 Linux
Opensuse
Debian
Canonical
Vmware
Permissions, Privileges, and Access Controls vulnerability in multiple products

The nfs_permission function in fs/nfs/dir.c in the NFS client implementation in the Linux kernel 2.6.29.3 and earlier, when atomic_open is available, does not check execute (aka EXEC or MAY_EXEC) permission bits, which allows local users to bypass permissions and execute files, as demonstrated by files on an NFSv4 fileserver.

4.4
2009-05-13 CVE-2009-0150 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server

Stack-based buffer overflow in Apple Mac OS X 10.5 before 10.5.7 allows local users to gain privileges or cause a denial of service (application crash) by attempting to mount a crafted sparse disk image.

4.4
2009-05-13 CVE-2009-0149 Apple Code Injection vulnerability in Apple mac OS X and mac OS X Server

Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows local users to gain privileges or cause a denial of service (application crash) by attempting to mount a crafted sparse disk image that triggers memory corruption.

4.4
2009-05-16 CVE-2009-1654 Easy Scripts Cross-Site Scripting vulnerability in Easy-Scripts Answer and Question Script

Cross-site scripting (XSS) vulnerability in questiondetail.php in Easy Scripts Answer and Question Script allows remote attackers to inject arbitrary web script or HTML via the questionid parameter.

4.3
2009-05-14 CVE-2009-1581 Squirrelmail Cross-Site Scripting vulnerability in Squirrelmail

functions/mime.php in SquirrelMail before 1.4.18 does not protect the application's content from Cascading Style Sheets (CSS) positioning in HTML e-mail messages, which allows remote attackers to spoof the user interface, and conduct cross-site scripting (XSS) and phishing attacks, via a crafted message.

4.3
2009-05-14 CVE-2009-1578 Squirrelmail Cross-Site Scripting vulnerability in Squirrelmail

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.4.18 and NaSMail before 1.7 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) certain encrypted strings in e-mail headers, related to contrib/decrypt_headers.php; (2) PHP_SELF; and (3) the query string (aka QUERY_STRING).

4.3
2009-05-13 CVE-2009-0162 Apple
Microsoft
Cross-Site Scripting vulnerability in Apple Safari

Cross-site scripting (XSS) vulnerability in Safari before 3.2.3, and 4 Public Beta, on Apple Mac OS X 10.5 before 10.5.7 and Windows allows remote attackers to inject arbitrary web script or HTML via a crafted feed: URL.

4.3
2009-05-13 CVE-2009-0156 Apple Improper Input Validation vulnerability in Apple mac OS X and mac OS X Server

Launch Services in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to cause a denial of service (persistent Finder crash) via a crafted Mach-O executable that triggers an out-of-bounds memory read.

4.3
2009-05-13 CVE-2009-0153 Apple Cross-Site Scripting vulnerability in Apple mac OS X and mac OS X Server

International Components for Unicode (ICU) 4.0, 3.6, and other 3.x versions, as used in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Fedora 9 and 10, and possibly other operating systems, does not properly handle invalid byte sequences during Unicode conversion, which might allow remote attackers to conduct cross-site scripting (XSS) attacks.

4.3
2009-05-13 CVE-2009-0144 Apple Configuration vulnerability in Apple mac OS X and mac OS X Server

CFNetwork in Apple Mac OS X 10.5 before 10.5.7 does not properly parse noncompliant Set-Cookie headers, which allows remote attackers to obtain sensitive information by sniffing the network for "secure cookies" that are sent over unencrypted HTTP connections.

4.3
2009-05-12 CVE-2009-1623 DEW Code Cross-Site Scripting vulnerability in Dew-Code Dew-Newphplinks 2.0

Cross-site scripting (XSS) vulnerability in index.php in Dew-NewPHPLinks 2.0 allows remote attackers to inject arbitrary web script or HTML via the PID parameter.

4.3
2009-05-12 CVE-2009-1620 Mata Cross-Site Scripting vulnerability in Mata Matachat

Multiple cross-site scripting (XSS) vulnerabilities in input.php in MataChat allow remote attackers to inject arbitrary web script or HTML via the (1) nickname and (2) color parameters.

4.3
2009-05-11 CVE-2009-1616 Coppermine Cross-Site Scripting vulnerability in Coppermine Photo Gallery 1.4.22

Cross-site scripting (XSS) vulnerability in docs/showdoc.php in Coppermine Photo Gallery (CPG) before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via the css parameter, a different vector than CVE-2008-0505.

4.3
2009-05-11 CVE-2009-1607 Linkbase Cross-Site Scripting vulnerability in Linkbase 2.0

Cross-site scripting (XSS) vulnerability in the administrator panel in phpForm.net LinkBase 2.0 allows remote attackers to inject arbitrary web script or HTML via the username in a registration, which is not properly handled when the administrator accesses the Users menu.

4.3
2009-05-11 CVE-2009-1603 Opensc Project Cryptographic Issues vulnerability in Opensc-Project Opensc 0.11.7

src/tools/pkcs11-tool.c in pkcs11-tool in OpenSC 0.11.7, when used with unspecified third-party PKCS#11 modules, generates RSA keys with incorrect public exponents, which allows attackers to read the cleartext form of messages that were intended to be encrypted.

4.3
2009-05-11 CVE-2009-1596 Igniterealtime Configuration vulnerability in Igniterealtime Openfire

Ignite Realtime Openfire before 3.6.5 does not properly implement the register.password (aka canChangePassword) console configuration setting, which allows remote authenticated users to bypass intended policy and change their own passwords via a passwd_change IQ packet.

4.0
2009-05-11 CVE-2009-1595 Igniterealtime Improper Authentication vulnerability in Igniterealtime Openfire

The jabber:iq:auth implementation in IQAuthHandler.java in Ignite Realtime Openfire before 3.6.4 allows remote authenticated users to change the passwords of arbitrary accounts via a modified username element in a passwd_change action.

4.0

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-05-11 CVE-2009-1614 Gowondesigns Cross-Site Scripting vulnerability in Gowondesigns Leap 0.1.4

Multiple cross-site scripting (XSS) vulnerabilities in Leap CMS 0.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the msg parameter (aka the message in an article comment) or (2) the searchterm parameter (aka the search post form).

2.6
2009-05-14 CVE-2009-1631 Gnome Permissions, Privileges, and Access Controls vulnerability in Gnome Evolution

The Mailer component in Evolution 2.26.1 and earlier uses world-readable permissions for the .evolution directory, and certain directories and files under .evolution/ related to local mail, which allows local users to obtain sensitive information by reading these files.

2.1
2009-05-14 CVE-2009-1466 Klinzmann Cryptographic Issues vulnerability in Klinzmann Application Access Server 2.0.48

Application Access Server (A-A-S) 2.0.48 stores (1) passwords and (2) the port keyword in cleartext in aas.ini, which allows local users to obtain sensitive information by reading this file.

2.1