Weekly Vulnerabilities Reports > July 13 to 19, 2009
Overview
102 new vulnerabilities were reported during this period, including 19 critical vulnerabilities and 33 high severity vulnerabilities. This weekly summary reports vulnerabilities in 85 products from 36 vendors, including Oracle, Xigla, SUN, Microsoft, and Forkosh. The reported vulnerabilities most notably fall under the categories "Cross-site Scripting", "Improper Authentication", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", and "SQL Injection".
- 91 reported vulnerabilities are remotely exploitable.
- 19 reported vulnerabilities have a public exploit available.
- 34 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 83 reported vulnerabilities are exploitable by an anonymous user.
- Oracle has the most reported vulnerabilities, with 28 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
19 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | DESCRIPTION | CVSS |
---|---|---|---|---|---|
2009-07-14 | CVE-2009-1977 | Oracle | Remote Authentication Bypass vulnerability in Oracle Secure Backup 10.2.0.3 | Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 10.0 |
2009-07-14 | CVE-2009-2460 | Forkosh | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Forkosh Mathtex | Multiple stack-based buffer overflows in mathtex.cgi in mathTeX, when downloaded before 20090713, have unspecified impact and remote attack vectors. | 10.0 |
2009-07-14 | CVE-2009-2459 | Forkosh | Unspecified vulnerability in Forkosh Mimetex | Multiple unspecified vulnerabilities in mimeTeX, when downloaded before 20090713, have unknown impact and attack vectors related to the (1) \environ, (2) \input, and (3) \counter TeX directives. | 10.0 |
2009-07-14 | CVE-2009-1422 | HP | Unspecified vulnerability in HP Procurve Threat Management Services ZL Module | Unspecified vulnerability in HP ProCurve Threat Management Services zl Module (J9155A) ST.1.0.090213 and earlier allows remote attackers to gain privileges via unknown vectors, aka PR_41209. | 10.0 |
2009-07-14 | CVE-2009-1382 | Forkosh | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Forkosh Mimetex | Multiple stack-based buffer overflows in mimetex.cgi in mimeTeX, when downloaded before 20090713, allow remote attackers to execute arbitrary code via a TeX file with long (1) picture, (2) circle, or (3) input tags. | 10.0 |
2009-07-14 | CVE-2009-0692 | ISC | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in ISC Dhcp | Stack-based buffer overflow in the script_write_params method in client/dhclient.c in ISC DHCP dhclient 4.1 before 4.1.0p1, 4.0 before 4.0.1p1, 3.1 before 3.1.2p1, 3.0, and 2.0 allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option. | 10.0 |
2009-07-14 | CVE-2009-2452 | Citrix | Security vulnerability in Citrix Licensing 11.5 | Multiple unspecified vulnerabilities in Citrix Licensing 11.5 have unknown impact and attack vectors, related to "underlying components of the License Management Console." | 10.0 |
2009-07-16 | CVE-2009-2485 | Tingan | Buffer Errors vulnerability in Tingan Ht-Mp3Player 1.0 | Stack-based buffer overflow in HT-MP3Player 1.0 allows remote attackers to execute arbitrary code via a long string in a .ht3 file. | 9.3 |
2009-07-15 | CVE-2009-2477 | Mozilla | Code Injection vulnerability in Mozilla Firefox 3.5 | js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements. | 9.3 |
2009-07-15 | CVE-2009-1539 | Microsoft | Code Injection vulnerability in Microsoft products | The QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 does not properly validate unspecified size fields in QuickTime media files, which allows remote attackers to execute arbitrary code via a crafted file, aka "DirectX Size Validation Vulnerability." | 9.3 |
2009-07-15 | CVE-2009-1538 | Microsoft | Improper Input Validation vulnerability in Microsoft products | The QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 performs updates to pointers without properly validating unspecified data values, which allows remote attackers to execute arbitrary code via a crafted QuickTime media file, aka "DirectX Pointer Validation Vulnerability." | 9.3 |
2009-07-15 | CVE-2009-1136 | Microsoft | Code Injection vulnerability in Microsoft products | The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 Gold and SP1, and Office Small Business Accounting 2006, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the msDataSourceObject method, as exploited in the wild in July and August 2009, aka "Office Web Components HTML Script Vulnerability." | 9.3 |
2009-07-15 | CVE-2009-0566 | Microsoft | Code Injection vulnerability in Microsoft Office Publisher 2007 | Microsoft Office Publisher 2007 SP1 does not properly calculate object handler data for Publisher files, which allows remote attackers to execute arbitrary code via a crafted file in a legacy format that triggers memory corruption, aka "Pointer Dereference Vulnerability." | 9.3 |
2009-07-14 | CVE-2009-2347 | Libtiff | Numeric Errors vulnerability in Libtiff | Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr. | 9.3 |
2009-07-16 | CVE-2009-2047 | Cisco | Path Traversal vulnerability in Cisco products | Directory traversal vulnerability in the Administration interface in Cisco Customer Response Solutions (CRS) before 7.0(1) SR2 in Cisco Unified Contact Center Express (aka CCX) server allows remote authenticated users to read, modify, or delete arbitrary files via unspecified vectors. | 9.0 |
2009-07-15 | CVE-2009-1542 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Virtual PC and Virtual Server | The Virtual Machine Monitor (VMM) in Microsoft Virtual PC 2004 SP1, 2007, and 2007 SP1, and Microsoft Virtual Server 2005 R2 SP1, does not enforce CPU privilege-level requirements for all machine instructions, which allows guest OS users to execute arbitrary kernel-mode code and gain privileges within the guest OS via a crafted application, aka "Virtual PC and Virtual Server Privileged Instruction Decoding Vulnerability." | 9.0 |
2009-07-15 | CVE-2009-1135 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft ISA Server 2006 | Microsoft Internet Security and Acceleration (ISA) Server 2006 Gold and SP1, when Radius OTP is enabled, uses the HTTP-Basic authentication method, which allows remote attackers to gain the privileges of an arbitrary account, and access published web pages, via vectors involving attempted access to a network resource behind the ISA Server, aka "Radius OTP Bypass Vulnerability." | 9.0 |
2009-07-14 | CVE-2009-1978 | Oracle | Arbitrary Command Execution vulnerability in Oracle Secure Backup 10.2.0.3 | Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 9.0 |
2009-07-14 | CVE-2009-1020 | Oracle | Network Foundation Remote vulnerability in Oracle Database | Unspecified vulnerability in the Network Foundation component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 9.0 |
33 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | DESCRIPTION | CVSS |
---|---|---|---|---|---|
2009-07-13 | CVE-2009-2446 | Mysql Oracle | Use of Externally-Controlled Format String vulnerability in multiple products | Multiple format string vulnerabilities in the dispatch_command function in libmysqld/sql_parse.cc in mysqld in MySQL 4.0.0 through 5.0.83 allow remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in a database name in a (1) COM_CREATE_DB or (2) COM_DROP_DB request. | 8.5 |
2009-07-16 | CVE-2009-2487 | SUN | Resource Management Errors vulnerability in SUN Opensolaris and Solaris | Use-after-free vulnerability in the frpr_icmp function in the ipfilter (aka IP Filter) subsystem in Sun Solaris 10, and OpenSolaris snv_45 through snv_110, allows remote attackers to cause a denial of service (panic) via unspecified vectors. | 7.8 |
2009-07-16 | CVE-2009-2486 | SUN | Unspecified vulnerability in SUN Opensolaris and Solaris | Unspecified vulnerability in the SCTP implementation in Sun Solaris 10, and OpenSolaris before snv_120, allows remote attackers to cause a denial of service (panic) via unspecified packets. | 7.8 |
2009-07-16 | CVE-2009-2479 | Mozilla | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox | Mozilla Firefox 3.0.x, 3.5, and 3.5.1 on Windows allows remote attackers to cause a denial of service (uncaught exception and application crash) via a long Unicode string argument to the write method. | 7.8 |
2009-07-14 | CVE-2009-1425 | HP | Denial of Service vulnerability in HP ProCurve Threat Management Services zl Module 'httpd' | Unspecified vulnerability in HP ProCurve Threat Management Services zl Module (J9155A) ST.1.0.090213 and earlier allows remote attackers to cause a denial of service by triggering a stop or crash in httpd, aka PR_18770, a different vulnerability than CVE-2009-1423 and CVE-2009-1424. | 7.8 |
2009-07-14 | CVE-2009-1424 | HP | Unspecified vulnerability in HP Procurve Threat Management Services ZL Module | Unspecified vulnerability in HP ProCurve Threat Management Services zl Module (J9155A) ST.1.0.090213 and earlier allows remote attackers to cause a denial of service via unknown vectors, aka PR_39412, a different vulnerability than CVE-2009-1423 and CVE-2009-1425. | 7.8 |
2009-07-14 | CVE-2009-1423 | HP | Unspecified vulnerability in HP Procurve Threat Management Services ZL Module | Unspecified vulnerability in HP ProCurve Threat Management Services zl Module (J9155A) ST.1.0.090213 and earlier allows remote attackers to cause a denial of service via unknown vectors, aka PR_39898, a different vulnerability than CVE-2009-1424 and CVE-2009-1425. | 7.8 |
2009-07-14 | CVE-2009-1963 | Oracle | Unspecified vulnerability in Oracle Database Server 11.1.0.6 | Unspecified vulnerability in the Network Foundation component in Oracle Database 11.1.0.6 allows remote authenticated users to affect integrity and availability via unknown vectors. | 7.5 |
2009-07-14 | CVE-2009-1019 | Oracle | Remote Network Authentication vulnerability in Oracle Database | Unspecified vulnerability in the Network Authentication component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 7.5 |
2009-07-14 | CVE-2009-1383 | Forkosh | Code Injection vulnerability in Forkosh Mathtex | The getdirective function in mathtex.cgi in mathTeX, when downloaded before 20090713, allows remote attackers to execute arbitrary commands via shell metacharacters in the dpi tag. | 7.5 |
2009-07-14 | CVE-2009-2453 | Citrix | Permissions, Privileges, and Access Controls vulnerability in Citrix Presentation Server and Xenapp | Citrix XenApp (formerly Presentation Server) 4.5 Hotfix Rollup Pack 3 does not apply an access policy when it is defined with the Access Gateway Advanced Edition filters, which allows attackers to bypass intended access restrictions via unknown vectors. | 7.5 |
2009-07-14 | CVE-2009-2451 | MIM Infinix | SQL Injection vulnerability in Mim.Infinix Infinix | Multiple SQL injection vulnerabilities in index.php in MIM:InfiniX 1.2.003 and possibly earlier versions allow remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters in a calendar action, or (3) a search term in the search form. | 7.5 |
2009-07-14 | CVE-2008-6867 | Scripts FOR Sites | SQL Injection vulnerability in Scripts FOR Sites EZ Career | SQL injection vulnerability in content.php in Scripts For Sites (SFS) EZ Career allows remote attackers to execute arbitrary SQL commands via the topic parameter. | 7.5 |
2009-07-14 | CVE-2008-6866 | PHP Nuke | SQL Injection vulnerability in PHP-Nuke Current Issue Module | SQL injection vulnerability in modules.php in the Current_Issue module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in a summary action. | 7.5 |
2009-07-14 | CVE-2008-6865 | PHP Nuke Phpnuke | SQL Injection vulnerability in PHP-Nuke Sections Module | SQL injection vulnerability in modules.php in the Sectionsnew module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the artid parameter in a printpage action. | 7.5 |
2009-07-14 | CVE-2008-6864 | Xigla | Improper Authentication vulnerability in Xigla Absolute Live Support .Net 5.1 | Xigla Software Absolute Live Support .NET 5.1 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-14 | CVE-2008-6863 | Xigla | Improper Authentication vulnerability in Xigla Absolute Form Processor.Net 4.0 | Xigla Software Absolute Form Processor .NET 4.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-14 | CVE-2008-6862 | Xigla | Improper Authentication vulnerability in Xigla Absolute Content Rotator 6.0 | Absolute Content Rotator 6.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-14 | CVE-2008-6861 | Xigla | Improper Authentication vulnerability in Xigla Absolute Newsletter 6.0/6.1 | Xigla Software Absolute Newsletter 6.0 and 6.1 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-14 | CVE-2008-6860 | Xigla | Improper Authentication vulnerability in Xigla Absolute Poll Manager XE 4.1 | Xigla Software Absolute Poll Manager XE 4.1 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-14 | CVE-2008-6859 | Xigla | Improper Authentication vulnerability in Xigla Absolute Control Panel XE 1.5 | Xigla Software Absolute Control Panel XE 1.5 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-14 | CVE-2008-6858 | Xigla | Improper Authentication vulnerability in Xigla Absolute Banner Manager.Net 4.0 | Absolute Banner Manager .NET 4.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-14 | CVE-2008-6857 | Xigla | Improper Authentication vulnerability in Xigla Absolute Podcast.Net 1.0 | Absolute Podcast .NET 1.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-14 | CVE-2008-6856 | Xigla | Improper Authentication vulnerability in Xigla Absolute News Manager.Net 5.1 | Xigla Software Absolute News Manager.NET 5.1 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-14 | CVE-2008-6855 | Xigla | Improper Authentication vulnerability in Xigla Absolute News Feed 1.0/1.5 | Xigla Software Absolute News Feed 1.0 and possibly 1.5 allows remote attackers to bypass authentication and gain administrative access by setting a certain cookie. | 7.5 |
2009-07-14 | CVE-2008-6854 | Xigla | Improper Authentication vulnerability in Xigla Absolute FAQ Manager .Net 6.0 | Xigla Software Absolute FAQ Manager.NET 6.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value. | 7.5 |
2009-07-13 | CVE-2009-2449 | Adbnewssender | Path Traversal vulnerability in Adbnewssender | Directory traversal vulnerability in maillinglist/admin/change_config.php in ADbNewsSender before 1.5.6 allows remote attackers to include and execute arbitrary local files via a .. | 7.5 |
2009-07-13 | CVE-2009-2444 | Adbnewssender | Path Traversal vulnerability in Adbnewssender | Directory traversal vulnerability in maillinglist/setup/step1.php.inc in ADbNewsSender before 1.5.6, and 2.0 before RC2, allows remote attackers to include and execute arbitrary local files via a .. | 7.5 |
2009-07-13 | CVE-2009-2439 | WEB Development House | SQL Injection vulnerability in Web Development House Alibaba Clone | Multiple SQL injection vulnerabilities in Web Development House Alibaba Clone allow remote attackers to execute arbitrary SQL commands via the (1) IndustryID parameter to category.php and the (2) SellerID parameter to supplier/view_contact_details.php. | 7.5 |
2009-07-13 | CVE-2009-2436 | Phponlinedatingsoftware | SQL Injection vulnerability in PHPonlinedatingsoftware Myphpdating 1.0 | SQL injection vulnerability in page.php in Online Dating Software MyPHPDating 1.0 allows remote attackers to execute arbitrary SQL commands via the page_id parameter. | 7.5 |
2009-07-14 | CVE-2009-2461 | Forkosh | Permissions, Privileges, and Access Controls vulnerability in Forkosh Mathtex 1.00/1.01 | mathtex.cgi in mathTeX, when downloaded before 20090713, does not securely create temporary files, which has unspecified impact and local attack vectors. | 7.2 |
2009-07-13 | CVE-2009-2450 | Tallemu | Buffer Errors vulnerability in Tallemu products | The OAmon.sys kernel driver 3.1.0.0 and earlier in Tall Emu Online Armor Personal Firewall AV+ before 3.5.0.12, and Personal Firewall 3.5 before 3.5.0.14, allows local users to gain privileges via crafted METHOD_NEITHER IOCTL requests to \Device\OAmon containing arbitrary kernel addresses, as demonstrated using the 0x830020C3 IOCTL. | 7.2 |
2009-07-13 | CVE-2009-2434 | IBM | Buffer Errors vulnerability in IBM AIX 5.3 | Buffer overflow in the syscall implementation in IBM AIX 5.3 allows local users to gain privileges via unspecified vectors. | 7.2 |
43 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | DESCRIPTION | CVSS |
---|---|---|---|---|---|
2009-07-16 | CVE-2009-2482 | Netbsd | Permissions, Privileges, and Access Controls vulnerability in Netbsd | The pam_unix module in OpenPAM in NetBSD 4.0 before 4.0.2 and 5.0 before 5.0.1 allows local users to change the current root password if it is already known, even when they are not in the wheel group. | 6.9 |
2009-07-14 | CVE-2009-1975 | Oracle | Cross-Site Scripting vulnerability in Oracle BEA Product Suite 10.3 | Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3 allows remote attackers to affect confidentiality, integrity, and availability, related to the WLS Console Package. | 6.8 |
2009-07-14 | CVE-2009-1974 | Oracle | Remote vulnerability in Oracle WebLogic Server | Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to the Servlet Container Package. | 6.8 |
2009-07-14 | CVE-2009-1980 | Oracle | Remote vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1 | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 6.0 |
2009-07-16 | CVE-2009-2481 | SIX Apart Sixapart | Improper Authentication vulnerability in multiple products | mt-wizard.cgi in Six Apart Movable Type before 4.261, when global templates are not initialized, allows remote attackers to bypass access restrictions and (1) send e-mail to arbitrary addresses or (2) obtain sensitive information via unspecified vectors. | 5.8 |
2009-07-14 | CVE-2009-1989 | Oracle | Remote PeopleSoft Enterprise FMS vulnerability in Oracle PeopleSoft | Unspecified vulnerability in the PeopleSoft Enterprise FMS component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.8 SP1, 8.9 Bundle 33, and 9.0 Bundle 24 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-07-14 | CVE-2009-1973 | Oracle | Remote Virtual Private Database vulnerability in Oracle Database Server 10.1.0.5/10.2.0.4/11.1.0.7 | Unspecified vulnerability in the Virtual Private Database component in Oracle Database 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect confidentiality and integrity, related to VPD policies. | 5.5 |
2009-07-14 | CVE-2009-1967 | Oracle | SQL-injection vulnerability in Oracle Config Management | Unspecified vulnerability in the Config Management component in (1) Oracle Database 11.1.0.7 and (2) Oracle Enterprise Manager 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2009-1966. | 5.5 |
2009-07-14 | CVE-2009-1966 | Oracle | SQL-injection vulnerability in Oracle Config Management | Unspecified vulnerability in the Config Management component in (1) Oracle Database 11.1.0.7 and (2) Oracle Enterprise Manager 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2009-1967. | 5.5 |
2009-07-14 | CVE-2009-1021 | Oracle | Privilege Escalation vulnerability in Oracle Advanced Replication 'REPCAT_RPC.VALIDATE_REMOTE_RC()' | Unspecified vulnerability in the Advanced Replication component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-07-14 | CVE-2009-0987 | Oracle | Remote Upgrade vulnerability in Oracle Database | Unspecified vulnerability in the Upgrade component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-07-14 | CVE-2009-2458 | SUN | Remote Denial Of Service vulnerability in SUN Fire Server V215 | Unspecified vulnerability in Sun Fire V215 Server, when using XVR-100 graphic cards on system boards with part number 375-3463 and a hardware dash level -04 or later, allows remote attackers to cause a denial of service (panic) via unknown vectors. | 5.4 |
2009-07-17 | CVE-2009-1892 | ISC | Configuration vulnerability in ISC Dhcp | dhcpd in ISC DHCP 3.0.4 and 3.1.1, when the dhcp-client-identifier and hardware ethernet configuration settings are both used, allows remote attackers to cause a denial of service (daemon crash) via unspecified requests. | 5.0 |
2009-07-16 | CVE-2009-2478 | Mozilla | Numeric Errors vulnerability in Mozilla Firefox 3.5 | Mozilla Firefox 3.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors, related to a "flash bug." | 5.0 |
2009-07-14 | CVE-2009-1987 | Oracle | Remote vulnerability in Oracle PeopleSoft Enterprise PeopleTools | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools - Enterprise Portal component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.21 allows remote attackers to affect integrity via unknown vectors. | 5.0 |
2009-07-14 | CVE-2009-1970 | Oracle | Remote Denial of Service vulnerability in Oracle Database TNS Command | Unspecified vulnerability in the Listener component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect availability via unknown vectors, a different vulnerability than CVE-2009-0991. | 5.0 |
2009-07-14 | CVE-2009-0217 | IBM Mono Project Oracle | Authentication Bypass vulnerability in IETF and W3C XML Digital Signature Specification HMAC Truncation | The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits. | 5.0 |
2009-07-14 | CVE-2009-2457 | Novell | Code Injection vulnerability in Novell Edirectory 8.8 | The DS\NDSD component in Novell eDirectory 8.8 before SP5 allows remote attackers to cause a denial of service (crash) via a malformed bind LDAP packet. | 5.0 |
2009-07-14 | CVE-2009-2456 | Novell | Denial-Of-Service vulnerability in Novell Edirectory 8.8 | The DS\NDSD component in Novell eDirectory 8.8 before SP5 allows remote attackers to cause a denial of service (ndsd core dump) via an LDAP request containing multiple . | 5.0 |
2009-07-14 | CVE-2009-0192 | Novell | Numeric Errors vulnerability in Novell Edirectory 8.8 | Off-by-one error in the iMonitor component in Novell eDirectory 8.8 SP3, 8.8 SP3 FTF3, and possibly other versions allows remote attackers to execute arbitrary code via an HTTP request with a crafted Accept-Language header, which triggers a stack-based buffer overflow. | 5.0 |
2009-07-13 | CVE-2009-2445 | SUN | Information Exposure vulnerability in SUN Java System Web Server 6.1/7.0 | Oracle iPlanet Web Server (formerly Sun Java System Web Server or Sun ONE Web Server) 6.1 before SP12, and 7.0 through Update 6, when running on Windows, allows remote attackers to read arbitrary JSP files via an alternate data stream syntax, as demonstrated by a .jsp::$DATA URI. | 5.0 |
2009-07-13 | CVE-2009-2443 | Siteframe | Permissions, Privileges, and Access Controls vulnerability in Siteframe CMS 3.2.1/3.2.2/3.2.3 | Siteframe 3.2.3, and other 3.2.x versions, allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function. | 5.0 |
2009-07-13 | CVE-2009-2435 | IBM | Credentials Management vulnerability in IBM Lotus Instant Messaging and Web Conferencing 6.5.1 | The Sametime server in IBM Lotus Instant Messaging and Web Conferencing 6.5.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. | 5.0 |
2009-07-16 | CVE-2009-2488 | SUN | Unspecified vulnerability in SUN Opensolaris and Solaris | Unspecified vulnerability in the NFSv4 module in the kernel in Sun Solaris 10, and OpenSolaris snv_102 through snv_119, allows local users to cause a denial of service (client panic) via vectors involving "file operations." | 4.9 |
2009-07-16 | CVE-2009-2483 | Netbsd | Numeric Errors vulnerability in Netbsd 4.0/4.0.1 | libprop/prop_object.c in proplib in NetBSD 4.0 and 4.0.1 allows local users to cause a denial of service (NULL pointer dereference and kernel panic) via a malformed externalized plist (XML form) containing an undefined element. | 4.9 |
2009-07-16 | CVE-2009-2491 | SUN | Unspecified vulnerability in SUN RAY Server Software 4.0 | The utaudiod daemon in Sun Ray Server Software (SRSS) 4.0, when Solaris Trusted Extensions is enabled, allows local users to access the sessions of arbitrary users via unknown vectors related to "resource leaks." | 4.4 |
2009-07-14 | CVE-2009-1984 | Oracle | Application Install Local vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1 | Unspecified vulnerability in the Application Install component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the Patch Administrator. | 4.4 |
2009-07-16 | CVE-2009-2480 | Movabletype | Cross-Site Scripting vulnerability in Movabletype SIX Apart Movable Type 4.24/4.25 | Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart Movable Type 4.24, and 4.25 when global templates are not initialized, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-07-14 | CVE-2009-1983 | Oracle | Remote Oracle iStore vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1 | Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1 allows remote attackers to affect integrity via unknown vectors. | 4.3 |
2009-07-14 | CVE-2009-1982 | Oracle | Remote Oracle Applications Framework vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6 | Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2 and 12.0.6 allows remote attackers to affect integrity via unknown vectors. | 4.3 |
2009-07-14 | CVE-2009-1976 | Oracle | Remote HTTP Server vulnerability in Oracle Application Server 10.1.2.3 | Unspecified vulnerability in the HTTP Server component in Oracle Application Server 10.1.2.3 allows remote attackers to affect integrity via unknown vectors. | 4.3 |
2009-07-14 | CVE-2009-1968 | Oracle | Cross-Site Scripting vulnerability in Oracle Database Server 10.1.8.3 | Unspecified vulnerability in the Secure Enterprise Search component in Oracle Database 10.1.8.3 allows remote attackers to affect integrity via unknown vectors. | 4.3 |
2009-07-14 | CVE-2009-2455 | Atmail | Cross-Site Scripting vulnerability in Atmail @Tmail 5.6.1 | Multiple cross-site scripting (XSS) vulnerabilities in webadmin/admin.php in @mail 5.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) type and (2) func parameters. | 4.3 |
2009-07-14 | CVE-2009-2454 | Citrix | Cross-Site Scripting vulnerability in Citrix Web Interface 4.6/5.0/5.0.1 | Cross-site scripting (XSS) vulnerability in Citrix Web Interface 4.6, 5.0, and 5.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2009-07-13 | CVE-2009-2448 | Esoftpro | Cross-Site Scripting vulnerability in Esoftpro Online Guestbook PRO 5.1 | Cross-site scripting (XSS) vulnerability in ogp_show.php in Online Guestbook Pro 5.1 allows remote attackers to inject arbitrary web script or HTML via the search_choice parameter. | 4.3 |
2009-07-13 | CVE-2009-2447 | Esoftpro | Cross-Site Scripting vulnerability in Esoftpro Online Guestbook PRO 5.1 | Multiple cross-site scripting (XSS) vulnerabilities in ogp_show.php in Online Guestbook Pro 5.1 allow remote attackers to inject arbitrary web script or HTML via the (1) search or (2) display parameter. | 4.3 |
2009-07-13 | CVE-2009-2442 | Linea21 | Cross-Site Scripting vulnerability in Linea21 1.2.1 | Cross-site scripting (XSS) vulnerability in public/index.php in Linea21 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the search parameter in a resultats-recherche action. | 4.3 |
2009-07-13 | CVE-2009-2441 | Esoftpro | Cross-Site Scripting vulnerability in Esoftpro Online Guestbook PRO 5.1 | Cross-site scripting (XSS) vulnerability in ogp_show.php in Online Guestbook Pro 5.1 allows remote attackers to inject arbitrary web script or HTML via the entry parameter. | 4.3 |
2009-07-13 | CVE-2009-2440 | Jnmsolutions | Cross-Site Scripting vulnerability in Jnmsolutions Guestbook 3.0 | Cross-site scripting (XSS) vulnerability in index.php in JNM Guestbook 3.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter. | 4.3 |
2009-07-13 | CVE-2009-2438 | Clansphere | Cross-Site Scripting vulnerability in Clansphere 2009.0/2009.0.2 | Cross-site scripting (XSS) vulnerability in index.php in the search module in ClanSphere 2009.0 and 2009.0.2 allows remote attackers to inject arbitrary web script or HTML via the text parameter in a list action. | 4.3 |
2009-07-13 | CVE-2009-2437 | Rentventory | Cross-Site Scripting vulnerability in Rentventory 1.0.1 | Multiple cross-site scripting (XSS) vulnerabilities in index.php in Rentventory 1.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) username (aka Login) and (2) password parameters in a login action. | 4.3 |
2009-07-14 | CVE-2009-1988 | Oracle | Remote vulnerability in Oracle PeopleSoft Enterprise HRMS eProfile Manager | Unspecified vulnerability in the PeopleSoft Enterprise HRMS eProfile Manager component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.8 SP1, 8.9 Bundle 19, and 9.0 Bundle 9 allows remote authenticated users to affect confidentiality via unknown vectors. | 4.0 |
2009-07-14 | CVE-2009-1015 | Oracle | Remote Core RDBMS vulnerability in Oracle Database Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.05, and 10.2.04 allows remote authenticated users to affect integrity via unknown vectors. | 4.0 |
7 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-07-16 | CVE-2009-2048 | Cisco | Cross-Site Scripting vulnerability in Cisco products Cross-site scripting (XSS) vulnerability in the Administration interface in Cisco Customer Response Solutions (CRS) before 7.0(1) SR2 in Cisco Unified Contact Center Express (aka CCX) server allows remote authenticated users to inject arbitrary web script or HTML into the CCX database via unspecified vectors. | 3.5 |
2009-07-14 | CVE-2009-1981 | Oracle | Local vulnerability in Oracle Highly Interactive Client Unspecified vulnerability in the Highly Interactive Client component in Siebel Product Suite 7.5.3, 7.7.2, 7.8.2, 8.0.0.5, and 8.1.0 allows local users to affect confidentiality and integrity via unknown vectors. | 3.0 |
2009-07-17 | CVE-2009-2492 | Six Apart | Cross-Site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in mt-wizard.cgi in Six Apart Movable Type before 4.261 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2009-2480. | 2.6 |
2009-07-14 | CVE-2009-1986 | Oracle | Remote Oracle Applications Manager vulnerability in Oracle E-Business Suite 11.5.10.2 Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2 allows remote attackers to affect confidentiality via unknown vectors. | 2.6 |
2009-07-16 | CVE-2009-2489 | SUN | Unspecified vulnerability in SUN RAY Server Software 4.0 Unspecified vulnerability in the utdmsession program in Sun Ray Server Software (SRSS) 4.0 allows local users to access the sessions of arbitrary users via unknown vectors. | 2.1 |
2009-07-14 | CVE-2009-1969 | Oracle | Remote Auditing vulnerability in Oracle Database Unspecified vulnerability in the Auditing component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect confidentiality via unknown vectors. | 2.1 |
2009-07-16 | CVE-2009-2490 | SUN | Unspecified vulnerability in SUN RAY Server Software 4.0 Unspecified vulnerability in the utaudiod daemon in Sun Ray Server Software (SRSS) 4.0, when Solaris Trusted Extensions is enabled, allows local users to cause a denial of service (audio outage) or possibly gain privileges via unknown vectors related to "resource leaks." | 1.9 |