Weekly Vulnerabilities Reports > June 22 to 28, 2009

Overview

3 new vulnerabilities were reported during this period, including 1 critical and 1 high-severity vulnerability. This weekly summary reports vulnerabilities in 4 products from 3 vendors: Citrix, Egyplus, and Torrenttrader Project. The vulnerabilities are categorized as "Use of Insufficiently Random Values", "Incorrect Authorization", and "Improper Authentication".

  • 3 reported vulnerabilities are remotely exploitable.
  • 4 reported vulnerabilities have a public exploit available.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 2 reported vulnerabilities are exploitable by an anonymous user.
  • Citrix has the most reported vulnerabilities, with 1 reported vulnerability.
  • Egyplus has the most reported critical vulnerabilities, with 1 reported vulnerability.


Vulnerability Details

The following table lists the vulnerabilities reported during the period covered by this report:


1 Critical Vulnerabilities

DATE         CVE            VENDOR    VULNERABILITY                                                    CVSS
2009-06-22   CVE-2009-2168  Egyplus   Improper Authentication vulnerability in Egyplus 7Ammel 1.0.1    9.8

cpanel/login.php in EgyPlus 7ammel (aka 7ml) 1.0.1 and earlier sends a redirect to the web browser but does not exit when the supplied credentials are incorrect, which allows remote attackers to bypass authentication by providing arbitrary username and password parameters.
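The fall-through the description refers to is the Execution After Redirect pattern (CWE-698): in PHP, header('Location: ...') only queues a response header, and every statement after it still runs unless the script exits. The following is an added example, not EgyPlus code; the user name, password hash, session array, paths and panel text are hypothetical stand-ins for whatever cpanel/login.php actually did. It shows the vulnerable handler beside the fixed one.

```php
<?php
// Added example, not EgyPlus code: a login handler written in the pattern
// CVE-2009-2168 describes (header() redirect with no exit), next to the fixed
// form. User name, password, paths, session array and panel text are hypothetical.
declare(strict_types=1);

// Hypothetical stored credential. A real application would load the hash from
// its user table; it is generated here so the script is self-contained.
const DEMO_USER = 'admin';
$DEMO_HASH = password_hash('correct horse battery staple', PASSWORD_DEFAULT);

function credentials_valid(string $user, string $pass, string $hash): bool
{
    return $user === DEMO_USER && password_verify($pass, $hash);
}

function render_panel(): string
{
    return "<h1>cpanel</h1><p>Welcome, admin. [privileged content]</p>\n";
}

// Vulnerable form: on bad credentials a Location header is queued, but the
// script keeps running, so the privileged session flag is still set and the
// panel is still rendered into the body of the 302 response.
function login_vulnerable(string $user, string $pass, string $hash, array &$session): string
{
    if (!credentials_valid($user, $pass, $hash)) {
        header('Location: login.php?error=1');
        // BUG: no exit after header(). Execution falls through.
    }
    $session['logged_in'] = true;   // reached even when the check failed
    return render_panel();
}

// Fixed form: terminate the request right after the redirect so nothing below
// the check can run.
function login_fixed(string $user, string $pass, string $hash, array &$session): string
{
    if (!credentials_valid($user, $pass, $hash)) {
        header('Location: login.php?error=1');
        exit;   // stop here: no session flag, no panel
    }
    $session['logged_in'] = true;
    return render_panel();
}

// Demonstration with attacker-supplied (arbitrary) credentials.
$session = [];
$body = login_vulnerable('anything', 'anything', $DEMO_HASH, $session);
printf("vulnerable: logged_in=%s, body length=%d (panel served despite bad credentials)\n",
    var_export($session['logged_in'] ?? false, true), strlen($body));

$session = [];
login_fixed('anything', 'anything', $DEMO_HASH, $session);
echo "not reached: the fixed handler exited after the redirect\n";
```

Run it from the CLI, where header() is a no-op. The check a tester makes against the real endpoint is the same idea: post bogus credentials with a client that does not follow redirects (curl without -L, or an intercepting proxy) and read the 302 response. A full page in the body, or a Set-Cookie whose session is accepted on the next request, confirms the fall-through. A browser hides the bug because it follows the redirect, but the side effects (a session flag PHP writes at script end, any database writes) persist regardless of where the browser goes next.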

1 High Vulnerabilities

DATE         CVE            VENDOR                 VULNERABILITY                                                                                   CVSS
2009-06-22   CVE-2009-2158  Torrenttrader Project  Use of Insufficiently Random Values vulnerability in Torrenttrader Project Torrenttrader 1.09   7.5

account-recover.php in TorrentTrader Classic 1.09 chooses random passwords from an insufficiently large set, which makes it easier for remote attackers to obtain a password via a brute-force attack.
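A password "chosen from an insufficiently large set" is brute-forceable however it is chosen, and PHP's rand()/mt_rand() are additionally not cryptographic generators. The following is an added example, not TorrentTrader code; the 6-digit weak generator is a hypothetical stand-in (the advisory says only that the set was too small), shown beside a generator that draws from a large set with random_int(), with the search-space arithmetic that makes the difference concrete.

```php
<?php
// Added example, not TorrentTrader code: a temporary-password generator of the
// weak kind CVE-2009-2158 describes (small candidate set) next to one drawing
// from a large set via the CSPRNG. The weak generator's exact shape (6 decimal
// digits) is a hypothetical stand-in for whatever account-recover.php did.
declare(strict_types=1);

// Weak: exactly 10^6 candidates, and rand() (an alias of mt_rand() since
// PHP 7.1) is a non-cryptographic generator on top of that.
function weak_recovery_password(): string
{
    return sprintf('%06d', rand(0, 999999));
}

// Strong: 20 characters from a 62-character alphabet, each chosen with
// random_int(), which is backed by the OS CSPRNG (PHP >= 7.0) and uniform over
// the range, so there is no modulo bias from the alphabet size.
function strong_recovery_password(int $length = 20): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Size of the search space in bits: log2(alphabet_size ^ length).
function search_space_bits(int $alphabet_size, int $length): float
{
    return $length * log($alphabet_size, 2);
}

// Seconds to try every candidate at a given guess rate (the expected time to
// hit the right one is half of this).
function seconds_to_exhaust(float $bits, float $guesses_per_second): float
{
    return pow(2, $bits) / $guesses_per_second;
}

$weak_bits   = search_space_bits(10, 6);
$strong_bits = search_space_bits(62, 20);

printf("weak:   %s  (%.1f bits; %.0f s to exhaust at 1000 guesses/s)\n",
    weak_recovery_password(), $weak_bits, seconds_to_exhaust($weak_bits, 1000));
printf("strong: %s  (%.1f bits; %.2e years to exhaust at 1e9 guesses/s)\n",
    strong_recovery_password(), $strong_bits,
    seconds_to_exhaust($strong_bits, 1e9) / (365 * 86400));
```

The strong generator yields about 119 bits against about 20 for the weak one; at 1,000 guesses a second the weak space is exhausted in under twenty minutes. Entropy is only part of a recovery flow: the value sent out should be a one-time token with a short expiry, and the recovery endpoint should be rate-limited, or the attacker simply keeps guessing at whatever rate the server allows.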

1 Medium Vulnerabilities

DATE         CVE            VENDOR   VULNERABILITY                                          CVSS
2009-06-25   CVE-2009-2213  Citrix   Incorrect Authorization vulnerability in Citrix products   6.5

The default configuration of the Security global settings on the Citrix NetScaler Access Gateway appliance with Enterprise Edition firmware 9.0, 8.1, and earlier specifies Allow for the Default Authorization Action option, which might allow remote authenticated users to bypass intended access restrictions. With the default at Allow, any resource not matched by an explicit authorization policy is reachable to every authenticated user, so the configuration fails open; the check is to verify that Default Authorization Action is set to Deny and that access is granted only through explicit Allow policies.

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS