Weekly Vulnerabilities Reports > October 19 to 25, 2009
Overview
98 new vulnerabilities were reported during this period, including 27 critical vulnerabilities and 13 high severity vulnerabilities. This weekly summary reports vulnerabilities in 60 products from 41 vendors including Oracle, Adobe, Citrix, Openssl, and EMC. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Resource Management Errors", and "Numeric Errors".
- 87 reported vulnerabilities are remotely exploitable.
- 11 reported vulnerabilities have a public exploit available.
- 14 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 76 reported vulnerabilities are exploitable by an anonymous user.
- Oracle has the most reported vulnerabilities, with 36 reported vulnerabilities.
- Adobe has the most reported critical vulnerabilities, with 18 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
27 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-10-23 | CVE-2009-2281 | Osgeo UMN | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Multiple heap-based buffer underflows in the readPostBody function in cgiutil.c in mapserv in MapServer 4.x through 4.10.4 and 5.x before 5.4.2 allow remote attackers to execute arbitrary code via (1) a crafted Content-Length HTTP header or (2) a large HTTP request, related to an integer overflow that triggers a heap-based buffer overflow. | 10.0 |
2009-10-22 | CVE-2009-3403 | Oracle | Unspecified vulnerability in Oracle BEA Product Suite R27.6.4 Unspecified vulnerability in the JRockit component in BEA Product Suite R27.6.4: JRE/JDK, 1.4.2, 5, and, and 6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 10.0 |
2009-10-22 | CVE-2009-1992 | Oracle Microsoft | Remote Core RDBMS vulnerability in Oracle Database Server 10.1.0.5/10.2.0.4/9.2.0.8 Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 10.0 |
2009-10-22 | CVE-2009-1985 | Oracle | Remote Network Authentication vulnerability in Oracle Database Unspecified vulnerability in the Network Authentication component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 10.0 |
2009-10-22 | CVE-2009-1979 | Oracle | Remote Buffer Overflow vulnerability in Oracle Database Server 10.1.0.5/10.2.0.4 Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 10.0 |
2009-10-22 | CVE-2008-3685 | EMC | Path Traversal vulnerability in EMC Documentum Applicationxtender Workflow Manager Directory traversal vulnerability in aws_tmxn.exe in the Admin Agent service in the server in EMC Documentum ApplicationXtender Workflow, possibly 5.40 SP1 and earlier, allows remote attackers to upload arbitrary files, and execute arbitrary code, via directory traversal sequences in requests to TCP port 2606. | 10.0 |
2009-10-22 | CVE-2008-3684 | EMC | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in EMC Documentum Applicationxtender Heap-based buffer overflow in aws_tmxn.exe in the Admin Agent service in the server in EMC Documentum ApplicationXtender Workflow, possibly 5.40 SP1 and earlier, allows remote attackers to execute arbitrary code via crafted packet data to TCP port 2606. | 10.0 |
2009-10-23 | CVE-2009-3616 | Qemu Redhat | Use After Free vulnerability in multiple products Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities. | 9.9 |
2009-10-19 | CVE-2009-3461 | Adobe | Permissions, Privileges, and Access Controls vulnerability in Adobe Acrobat Unspecified vulnerability in Adobe Acrobat 9.x before 9.2 allows attackers to bypass intended file-extension restrictions via unknown vectors. | 9.3 |
2009-10-19 | CVE-2009-3460 | Adobe | Resource Management Errors vulnerability in Adobe Acrobat Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. | 9.3 |
2009-10-19 | CVE-2009-3458 | Adobe | Improper Input Validation vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2998. | 9.3 |
2009-10-19 | CVE-2009-2998 | Adobe | Improper Input Validation vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-3458. | 9.3 |
2009-10-19 | CVE-2009-2997 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors. | 9.3 |
2009-10-19 | CVE-2009-2996 | Adobe | Resource Management Errors vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2985. | 9.3 |
2009-10-19 | CVE-2009-2994 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors. | 9.3 |
2009-10-19 | CVE-2009-2993 | Adobe | Improper Input Validation vulnerability in Adobe Acrobat and Acrobat Reader The JavaScript for Acrobat API in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 does not properly implement the (1) Privileged Context and (2) Safe Path restrictions for unspecified JavaScript methods, which allows remote attackers to create arbitrary files, and possibly execute arbitrary code, via the cPath parameter in a crafted PDF file. | 9.3 |
2009-10-19 | CVE-2009-2991 | Adobe | Remote vulnerability in RETIRED: Adobe Reader and Acrobat October 2009 Unspecified vulnerability in the Mozilla plug-in in Adobe Reader and Acrobat 8.x before 8.1.7, and possibly 7.x before 7.1.4 and 9.x before 9.2, might allow remote attackers to execute arbitrary code via unknown vectors. | 9.3 |
2009-10-19 | CVE-2009-2990 | Adobe | Numeric Errors vulnerability in Adobe Acrobat and Acrobat Reader Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors. | 9.3 |
2009-10-19 | CVE-2009-2989 | Adobe | Numeric Errors vulnerability in Adobe Acrobat Integer overflow in Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors. | 9.3 |
2009-10-19 | CVE-2009-2986 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader Multiple heap-based buffer overflows in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors. | 9.3 |
2009-10-19 | CVE-2009-2985 | Adobe | Resource Management Errors vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2996. | 9.3 |
2009-10-19 | CVE-2009-2984 | Adobe | Remote vulnerability in RETIRED: Adobe Reader and Acrobat October 2009 Unspecified vulnerability in the image decoder in Adobe Acrobat 9.x before 9.2, and possibly 7.x through 7.1.4 and 8.x through 8.1.7, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors. | 9.3 |
2009-10-19 | CVE-2009-2983 | Adobe | Resource Management Errors vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. | 9.3 |
2009-10-19 | CVE-2009-2982 | Adobe | Cryptographic Issues vulnerability in Adobe Acrobat and Acrobat Reader An unspecified certificate in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow remote attackers to conduct a "social engineering attack" via unknown vectors. | 9.3 |
2009-10-19 | CVE-2009-2981 | Adobe | Improper Input Validation vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to bypass intended Trust Manager restrictions via unspecified vectors. | 9.3 |
2009-10-19 | CVE-2009-2980 | Adobe | Numeric Errors vulnerability in Adobe Acrobat and Acrobat Reader Integer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors. | 9.3 |
2009-10-19 | CVE-2009-2970 | Uitv Baidu | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Stack-based buffer overflow in the GetUiDllVersion function in an ActiveX control in UiCheck.dll before 1.0.0.7 in UiTV UiPlayer, as used in BaiduX and other products, allows remote attackers to execute arbitrary code via the filename parameter. | 9.3 |
13 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-10-22 | CVE-2009-3759 | Citrix | Cross-Site Request Forgery (CSRF) vulnerability in Citrix Xencenterweb Multiple cross-site request forgery (CSRF) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to hijack the authentication of administrators for (1) requests that change the password via the username parameter to config/changepw.php or (2) stop a virtual machine via the stop_vmname parameter to hardstopvm.php. | 8.8 |
2009-10-22 | CVE-2009-3620 | Linux Fedoraproject Canonical Redhat Opensuse Suse | Use of Uninitialized Resource vulnerability in multiple products The ATI Rage 128 (aka r128) driver in the Linux kernel before 2.6.31-git11 does not properly verify Concurrent Command Engine (CCE) state initialization, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly gain privileges via unspecified ioctl calls. | 7.8 |
2009-10-22 | CVE-2009-3760 | Citrix | Code Injection vulnerability in Citrix Xencenterweb Static code injection vulnerability in config/writeconfig.php in the sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to inject arbitrary PHP code into include/config.ini.php via the pool1 parameter. | 7.5 |
2009-10-22 | CVE-2009-3758 | Citrix | SQL Injection vulnerability in Citrix Xencenterweb SQL injection vulnerability in login.php in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to execute arbitrary SQL commands via the username parameter. | 7.5 |
2009-10-22 | CVE-2009-3754 | Kreotek | SQL Injection vulnerability in Kreotek PHPbms 0.96 Multiple SQL injection vulnerabilities in phpBMS 0.96 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to modules/bms/invoices_discount_ajax.php, (2) f parameter to dbgraphic.php, and (3) tid parameter in a show action to advancedsearch.php. | 7.5 |
2009-10-22 | CVE-2009-3753 | Opial | Improper Input Validation vulnerability in Opial 1.0 Unrestricted file upload vulnerability in Opial 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension as a User Image, then accessing it via a request to the file in userimages, related to register.php. | 7.5 |
2009-10-22 | CVE-2009-3752 | Opial | SQL Injection vulnerability in Opial 1.0 SQL injection vulnerability in home.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the genres_parent parameter. | 7.5 |
2009-10-22 | CVE-2009-3750 | Santostefano Giovanni | SQL Injection vulnerability in Santostefano Giovanni Toylog 0.1 SQL injection vulnerability in read.php in ToyLog 0.1 allows remote attackers to execute arbitrary SQL commands via the idm parameter. | 7.5 |
2009-10-22 | CVE-2009-2943 | Ocaml Postgresql | Remote Security vulnerability in Ocaml Postgresql-Ocaml 1.12.1/1.5.4/1.7.0 The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL libpq do not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings. | 7.5 |
2009-10-22 | CVE-2009-2942 | Mysql Ocaml Mysql | Remote Security vulnerability in Mysql-Ocaml 1.0.4 The mysql-ocaml bindings 1.0.4 for MySQL do not properly support the mysql_real_escape_string function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings. | 7.5 |
2009-10-22 | CVE-2009-2940 | Pygresql Python | Remote Security vulnerability in Pygresql 3.8.1/4.0 The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings. | 7.5 |
2009-10-22 | CVE-2009-1479 | Boxalino | Path Traversal vulnerability in Boxalino Directory traversal vulnerability in client/desktop/default.htm in Boxalino before 09.05.25-0421 allows remote attackers to read arbitrary files via a .. | 7.5 |
2009-10-20 | CVE-2009-3296 | Gallium Inria | Numeric Errors vulnerability in Gallium.Inria Camimages 2.2 Multiple integer overflows in tiffread.c in CamlImages 2.2 might allow remote attackers to execute arbitrary code via TIFF images containing large width and height values that trigger heap-based buffer overflows. | 7.5 |
48 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-10-23 | CVE-2009-3767 | Openldap Openssl | Cryptographic Issues vulnerability in Openldap libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | 6.8 |
2009-10-23 | CVE-2009-3766 | Mutt Openssl | Cryptographic Issues vulnerability in Mutt 1.5.16/1.5.17/1.5.18 mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 6.8 |
2009-10-23 | CVE-2009-3765 | Mutt Openssl | Cryptographic Issues vulnerability in Mutt 1.5.19/1.5.20 mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. | 6.8 |
2009-10-22 | CVE-2009-2001 | Oracle | Remote PL/SQL vulnerability in Oracle Database Unspecified vulnerability in the PL/SQL component in Oracle Database 10.2.0.4 and 11.1.0.7 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 6.5 |
2009-10-22 | CVE-2009-1994 | Oracle | Remote Oracle Spatial vulnerability in Oracle Database Server 10.1.0.5 Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 allows remote authenticated users to affect confidentiality, integrity, and availability, related to MDSYS.PRVT_CMT_CBK. | 6.5 |
2009-10-22 | CVE-2009-1007 | Oracle | Remote Data Mining vulnerability in Oracle Database Server 10.2.0.4 Unspecified vulnerability in the Data Mining component in Oracle Database 10.2.0.4 allows remote authenticated users to affect confidentiality, integrity, and availability, related to SYS.DMP_SYS. | 6.5 |
2009-10-22 | CVE-2009-3400 | Oracle | Oracle Advanced Benefits Unspecified vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.1 Unspecified vulnerability in the Oracle Advanced Benefits component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-10-22 | CVE-2009-1993 | Oracle | Application Express Unspecified vulnerability in Oracle Database Server 3.0.1 Unspecified vulnerability in the Application Express component in Oracle Database 3.0.1 allows remote authenticated users to affect confidentiality and integrity, related to FLOWS_030000.WWV_EXECUTE_IMMEDIATE. | 5.5 |
2009-10-22 | CVE-2009-1964 | Oracle | Remote Workspace Manager vulnerability in Oracle Database Server 10.2.0.4 Unspecified vulnerability in the Workspace Manager component in Oracle Database 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 5.5 |
2009-10-22 | CVE-2009-1018 | Oracle | Workspace Manager Unspecified vulnerability in Oracle Database Server 10.2.0.4 Unspecified vulnerability in the Workspace Manager component in Oracle Database 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity, related to SYS.LTRIC (WMSYS.LTRIC). | 5.5 |
2009-10-22 | CVE-2009-3621 | Linux Canonical Fedoraproject Opensuse Suse Vmware | Resource Exhaustion vulnerability in multiple products net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. | 5.5 |
2009-10-22 | CVE-2009-3392 | Oracle | Remote vulnerability in Oracle E-Business Suite 6.1.0.0 Unspecified vulnerability in the Agile Engineering Data Management (EDM) component in Oracle E-Business Suite 6.1.0.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 5.4 |
2009-10-22 | CVE-2009-1965 | Oracle Microsoft | Remote Net Foundation Layer vulnerability in Oracle Database Unspecified vulnerability in the Net Foundation Layer component in Oracle Database 9.2.0.8 and 10.1.0.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 5.4 |
2009-10-22 | CVE-2009-3408 | Oracle | Remote Oracle Application Object Library vulnerability in Oracle E-Business Suite 11.5.10 Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 5.1 |
2009-10-19 | CVE-2009-3462 | Adobe | Remote vulnerability in RETIRED: Adobe Reader and Acrobat October 2009 Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 on Unix, when Debug mode is enabled, allow attackers to execute arbitrary code via unspecified vectors, related to a "format bug." Per: http://www.adobe.com/support/security/bulletins/apsb09-15.html This update resolves a Unix-only format bug when running in Debug mode that could lead to arbitrary code execution Per: http://www.adobe.com/support/security/bulletins/apsb09-15.html Adobe Reader Adobe Reader users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows. Adobe Reader users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh. Adobe Reader users on UNIX can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix. Acrobat Acrobat Standard and Pro users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows. Acrobat Pro Extended users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows Acrobat 3D users on Windows can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows. Acrobat Pro users on Macintosh can find the appropriate update here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh. | 5.1 |
2009-10-22 | CVE-2009-3395 | Oracle | Remote AutoVue vulnerability in Oracle E-Business Suite 19.3.2 Unspecified vulnerability in the AutoVue component in Oracle E-Business Suite 19.3.2 allows remote attackers to affect availability via unknown vectors. | 5.0 |
2009-10-22 | CVE-2009-2000 | Oracle | Remote Authentication vulnerability in Oracle Database Server 11.1.0.7 Unspecified vulnerability in the Authentication component in Oracle Database 11.1.0.7 allows remote attackers to affect confidentiality via unknown vectors. | 5.0 |
2009-10-22 | CVE-2009-1997 | Oracle | Remote Authentication vulnerability in Oracle Database Unspecified vulnerability in the Authentication component in Oracle Database 10.2.0.3 and 11.1.0.7 allows remote attackers to affect confidentiality via unknown vectors. | 5.0 |
2009-10-22 | CVE-2009-3756 | Kreotek | Information Exposure vulnerability in Kreotek PHPbms 0.96 phpBMS 0.96 allows remote attackers to obtain sensitive information via a direct request to (1) footer.php, (2) header.php, (3) the show action in advancedsearch.php, and (4) choicelist.php, which reveals the installation path in an error message. | 5.0 |
2009-10-22 | CVE-2009-3749 | Websense | Remote Denial of Service vulnerability in Websense Email Security and Personal Email Manager The Web Administrator service (STEMWADM.EXE) in Websense Personal Email Manager 7.1 before Hotfix 4 and Email Security 7.1 before Hotfix 4 allows remote attackers to cause a denial of service (crash) by sending a HTTP GET request to TCP port 8181 and closing the socket before the service can send a response. | 5.0 |
2009-10-22 | CVE-2009-3744 | EMC | Remote Denial of Service vulnerability in EMC Replistor 6.3.1.3 rep_serv.exe 6.3.1.3 in the server in EMC RepliStor allows remote attackers to cause a denial of service via a crafted packet to TCP port 7144. | 5.0 |
2009-10-20 | CVE-2009-3615 | Adium Pidgin | Resource Management Errors vulnerability in multiple products The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client. | 5.0 |
2009-10-19 | CVE-2006-6404 | Innovationdp | Denial-Of-Service vulnerability in Innovationdp Fdr/Upstream 3 INNOVATION Data Processing FDR/UPSTREAM 3.3.0 (GA Oct 2003) allows remote attackers to cause a denial of service (service outage) via a sequence of TCP SYN packets to many ports, as demonstrated using nmap. | 5.0 |
2009-10-22 | CVE-2009-1998 | Oracle | Remote vulnerability in Oracle Communications Order and Service Management Unspecified vulnerability in the Oracle Communications Order and Service Management component in Oracle Industry Applications 2.8.0, 6.2.0, 6.3.0, and 6.3.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 4.9 |
2009-10-22 | CVE-2009-1995 | Oracle | Remote Advanced Queuing vulnerability in Oracle Database Unspecified vulnerability in the Advanced Queuing component in Oracle Database 10.2.0.4 and 11.1.0.7 allows remote authenticated users to affect confidentiality and integrity, related to SYS.DBMS_AQ_INV. | 4.9 |
2009-10-23 | CVE-2009-1297 | Novell Opensuse | Link Following vulnerability in multiple products iscsi_discovery in open-iscsi in SUSE openSUSE 10.3 through 11.1 and SUSE Linux Enterprise (SLE) 10 SP2 and 11, and other operating systems, allows local users to overwrite arbitrary files via a symlink attack on an unspecified temporary file that has a predictable name. | 4.4 |
2009-10-23 | CVE-2009-3622 | Wordpress | Cryptographic Issues vulnerability in Wordpress Algorithmic complexity vulnerability in wp-trackback.php in WordPress before 2.8.5 allows remote attackers to cause a denial of service (CPU consumption and server hang) via a long title parameter in conjunction with a charset parameter composed of many comma-separated "UTF-8" substrings, related to the mb_convert_encoding function in PHP. | 4.3 |
2009-10-22 | CVE-2009-3407 | Oracle | Remote Portal vulnerability in Oracle Application Server 10.1.2.3/10.1.4.2 Unspecified vulnerability in the Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors, a different vulnerability than CVE-2009-0974 and CVE-2009-0983. | 4.3 |
2009-10-22 | CVE-2009-3399 | Oracle | Remote WebLogic Server vulnerability in Oracle BEA Product Suite 7.0.6 Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 7.0.6 and 8.1.5 allows remote attackers to affect integrity, related to WLS Console. | 4.3 |
2009-10-22 | CVE-2009-3397 | Oracle | Remote Oracle Application Object Library vulnerability in Oracle E-Business Suite 12.0.6/12.1.1 Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.1 allows remote attackers to affect confidentiality via unknown vectors. | 4.3 |
2009-10-22 | CVE-2009-3396 | Oracle | HTML Injection vulnerability in Oracle WebLogic Server Administration Console Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 9.0, 9.1, 9.2.3, 10.0.1, and 10.3 allows remote attackers to affect integrity, related to WLS Console. | 4.3 |
2009-10-22 | CVE-2009-3393 | Oracle | Remote Oracle Application Object Library vulnerability in Oracle E-Business Suite 11.5.10.2 Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2 allows remote attackers to affect integrity via unknown vectors. | 4.3 |
2009-10-22 | CVE-2009-2002 | Oracle | Remote Unspecified vulnerability in Oracle WebLogic Portal Unspecified vulnerability in the WebLogic Portal component in BEA Product Suite 8.1.6, 9.2.3, 10.0.1, 10.2.1, and 10.3.1.0.0 allows remote attackers to affect integrity via unknown vectors. | 4.3 |
2009-10-22 | CVE-2009-1999 | Oracle | Remote vulnerability in Oracle Business Intelligence Enterprise Edition Unspecified vulnerability in the Business Intelligence Enterprise Edition component in unspecified Oracle Application Server versions allows remote attackers to affect integrity via unknown vectors. | 4.3 |
2009-10-22 | CVE-2009-3757 | Citrix | Cross-Site Scripting vulnerability in Citrix Xencenterweb Multiple cross-site scripting (XSS) vulnerabilities in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to config/edituser.php; (2) location, (3) sessionid, and (4) vmname parameters to console.php; (5) vmrefid and (6) vmname parameters to forcerestart.php; and (7) vmname and (8) vmrefid parameters to forcesd.php. | 4.3 |
2009-10-22 | CVE-2009-3755 | Kreotek | Cross-Site Scripting vulnerability in Kreotek PHPbms 0.96 Multiple cross-site scripting (XSS) vulnerabilities in phpBMS 0.96 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php and (2) modules\base\myaccount.php; and the PATH_INFO to (3) modules_view.php, (4) tabledefs_options.php, and (5) adminsettings.php in phpbms\modules\base\. | 4.3 |
2009-10-22 | CVE-2009-3751 | Opial | Cross-Site Scripting vulnerability in Opial 1.0 Cross-site scripting (XSS) vulnerability in home.php in Opial 1.0 allows remote attackers to inject arbitrary web script or HTML via the genres_parent parameter. | 4.3 |
2009-10-22 | CVE-2009-3748 | Websense | Cross-Site Scripting vulnerability in Websense Personal Email Manager and Websense Email Security Multiple cross-site scripting (XSS) vulnerabilities in the Web Administrator in Websense Personal Email Manager 7.1 before Hotfix 4 and Email Security 7.1 before Hotfix 4 allow remote attackers to inject arbitrary web script or HTML via the (1) FileName, (2) IsolatedMessageID, (3) ServerName, (4) Dictionary, (5) Scoring, and (6) MessagePart parameters to web/msgList/viewmsg/actions/msgAnalyse.asp; the (7) Queue, (8) FileName, (9) IsolatedMessageID, and (10) ServerName parameters to actions/msgForwardToRiskFilter.asp and viewHeaders.asp in web/msgList/viewmsg/; and (11) the subject in an e-mail message that is held in a Queue. | 4.3 |
2009-10-22 | CVE-2009-3747 | Tbmnet | Cross-Site Scripting vulnerability in Tbmnet Tbmnetcms 1.0 Cross-site scripting (XSS) vulnerability in index.php in TBmnetCMS 1.0 allows remote attackers to inject arbitrary web script or HTML via the content parameter. | 4.3 |
2009-10-22 | CVE-2009-3745 | IBM | Cross-Site Scripting vulnerability in IBM Rational Appscan 5.5.0.2 Cross-site scripting (XSS) vulnerability in the help pages in IBM Rational AppScan Enterprise Edition 5.5.0.2 allows remote attackers to inject arbitrary web script or HTML via the query string. | 4.3 |
2009-10-20 | CVE-2009-3730 | IBM | Cross-Site Scripting vulnerability in IBM Rational Requisitepro 7.1.0 Multiple cross-site scripting (XSS) vulnerabilities in the ReqWeb Help feature (aka the Web Client Help system) in IBM Rational RequisitePro 7.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the operation parameter to ReqWebHelp/advanced/workingSet.jsp, or the (2) searchWord, (3) maxHits, (4) scopedSearch, or (5) scope parameter to ReqWebHelp/basic/searchView.jsp. | 4.3 |
2009-10-19 | CVE-2009-2995 | Adobe | Numeric Errors vulnerability in Adobe Acrobat Integer overflow in Adobe Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows attackers to cause a denial of service via unspecified vectors. | 4.3 |
2009-10-19 | CVE-2009-2992 | Adobe | Improper Input Validation vulnerability in Adobe Acrobat and Acrobat Reader An unspecified ActiveX control in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 does not properly validate input, which allows attackers to cause a denial of service via unknown vectors. | 4.3 |
2009-10-19 | CVE-2009-2988 | Adobe | Improper Input Validation vulnerability in Adobe Acrobat and Acrobat Reader Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which allows attackers to cause a denial of service via unspecified vectors. | 4.3 |
2009-10-19 | CVE-2009-2987 | Adobe | Remote vulnerability in RETIRED: Adobe Reader and Acrobat October 2009 Unspecified vulnerability in an ActiveX control in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 on Windows allows remote attackers to cause a denial of service via unknown vectors. | 4.3 |
2009-10-19 | CVE-2009-2979 | Adobe | Remote vulnerability in RETIRED: Adobe Reader and Acrobat October 2009 Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 do not properly perform XMP-XML entity expansion, which allows remote attackers to cause a denial of service via a crafted document. | 4.3 |
2009-10-22 | CVE-2009-3405 | Oracle | Remote JD Edwards Tools vulnerability in Oracle JD Edwards Tools Unspecified vulnerability in the JD Edwards Tools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.98.1.4 allows remote authenticated users to affect integrity and availability via unknown vectors. | 4.1 |
2009-10-22 | CVE-2009-3404 | Oracle | Remote vulnerability in Oracle PeopleSoft PeopleTools & Enterprise Portal Unspecified vulnerability in the PeopleSoft PeopleTools & Enterprise Portal component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.23 allows remote authenticated users to affect integrity via unknown vectors. | 4.0 |
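The three reflected XSS entries above (CVE-2009-3748, CVE-2009-3745, CVE-2009-3730) share one root cause: a request parameter, or in the Websense case the subject of an e-mail sitting in the quarantine queue, is written into an administrator page without output encoding. The block below is an added illustration of that bug class, not code from Websense, IBM or any other product on this page. It puts a toy message-list renderer in its vulnerable form beside a hardened one and adds a check that reports whether a tainted marker survives into the response. The page path, the parameter names and the queued message are constructed to mirror the Websense advisory; `first_values` and `reflects_unescaped` are hypothetical helpers written for this example.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed sample input, modelled on the advisory's attack surface: the subject of a
# queued e-mail (attacker-controlled, it arrives over SMTP) and the query string a browser
# sends to a message-view page (attacker-controlled via a crafted link).
QUEUED_MESSAGE = {
    "IsolatedMessageID": "1042",
    "Subject": 'Invoice <img src=x onerror="alert(document.cookie)">',
}
QUERY_STRING = "FileName=report.doc%22%3E%3Cscript%3Ealert(1)%3C/script%3E&ServerName=mx1"


def first_values(query):
    """Flatten a parsed query string to one value per parameter (hypothetical helper)."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def render_vulnerable(msg, query):
    """Writes tainted values straight into HTML: the bug class behind the entries above."""
    params = first_values(query)
    return (
        f'<tr><td><a href="viewmsg.asp?FileName={params.get("FileName", "")}'
        f'&IsolatedMessageID={msg["IsolatedMessageID"]}">{msg["Subject"]}</a></td></tr>'
    )


def render_hardened(msg, query):
    """Encodes each value for the context it lands in: URL-encode query values before
    they go into the href, HTML-encode attribute values (quote=True), HTML-encode element text."""
    params = first_values(query)
    file_name = html.escape(quote(params.get("FileName", ""), safe=""), quote=True)
    msg_id = html.escape(quote(msg["IsolatedMessageID"], safe=""), quote=True)
    subject = html.escape(msg["Subject"], quote=True)
    return (
        f'<tr><td><a href="viewmsg.asp?FileName={file_name}'
        f'&amp;IsolatedMessageID={msg_id}">{subject}</a></td></tr>'
    )


def reflects_unescaped(page, marker):
    """Detection check: does a tainted marker reach the response byte-for-byte?"""
    return marker in page


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(QUEUED_MESSAGE, QUERY_STRING)
        print(name, "reflects <script>:", reflects_unescaped(page, "<script"))
        print(name, "reflects <img>:", reflects_unescaped(page, "<img"))
```

The check is the same one a scanner performs against a live instance: send a marker in each listed parameter (and, for item (11), in an e-mail subject), then look for it verbatim in the rendered message list. A marker that comes back unchanged means the page is encoding for no context at all; a marker that comes back HTML-encoded in element text but raw inside an attribute means the encoding is context-blind, which is why the hardened renderer treats the href and the element text separately.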
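CVE-2009-2979 above is a denial of service through XMP-XML entity expansion: XMP metadata embedded in a PDF is XML, and a handful of nested internal entity declarations (the "billion laughs" pattern) expand to gigabytes when the parser materialises them. The block below is an added example, not Adobe's code and not taken from the advisory. It computes how large a document's entity references would become without ever expanding them, so a pre-parse check can reject a packet before the real XML parser does the work; it also refuses recursive entities, which the XML specification forbids. The XMP packets, the thresholds and all function names are constructed for this illustration.

```python
import re

# Internal general entity declarations from the DTD internal subset, e.g. <!ENTITY lol1 "&lol;&lol;">.
# External (SYSTEM/PUBLIC) entities do not match this pattern and are deliberately ignored here.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([\w.-]+);')
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>', re.S)
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}  # each expands to one character


def parse_internal_entities(doc):
    """Map entity name -> replacement text for every internal entity declared in the document."""
    return {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(doc)}


def expanded_length(entities, name, memo, active):
    """Length of an entity's fully expanded replacement text, computed without building it."""
    if name in PREDEFINED:
        return PREDEFINED[name]
    if name not in entities:
        return len(name) + 2  # undeclared: a lenient parser would leave "&name;" in place
    if name in memo:
        return memo[name]
    if name in active:
        raise ValueError(f"recursive entity reference: {name}")  # forbidden by the XML spec
    active.add(name)
    value, total, last = entities[name], 0, 0
    for ref in ENTITY_REF.finditer(value):
        total += ref.start() - last                     # literal text before the reference
        total += expanded_length(entities, ref.group(1), memo, active)
        last = ref.end()
    total += len(value) - last                          # literal text after the last reference
    active.discard(name)
    memo[name] = total
    return total


def entity_expansion_size(doc):
    """Total characters the parser would materialise for every entity reference in the body."""
    entities = parse_internal_entities(doc)
    body = DOCTYPE.sub("", doc, count=1)                # references inside the DTD are counted via memo
    memo = {}
    return sum(expanded_length(entities, ref.group(1), memo, set())
               for ref in ENTITY_REF.finditer(body))


def is_entity_bomb(doc, max_expanded=1_000_000, max_amplification=100):
    """Reject before parsing when expansion is huge in absolute terms or relative to the input size."""
    size = entity_expansion_size(doc)
    return size > max_expanded or size > max_amplification * len(doc)


def build_entity_bomb(depth=9, fanout=10):
    """Constructed billion-laughs XMP packet: depth 9, fan-out 10 gives 3 * 10**9 characters from ~1 KB."""
    decls = ['<!ENTITY lol "lol">']
    prev = "lol"
    for i in range(1, depth + 1):
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
        prev = f"lol{i}"
    return (
        '<?xml version="1.0"?>\n<!DOCTYPE x:xmpmeta [\n  ' + "\n  ".join(decls) + "\n]>\n"
        f'<x:xmpmeta xmlns:x="adobe:ns:meta/"><dc:title>&{prev};</dc:title></x:xmpmeta>'
    )


# Constructed benign packet: one predefined entity, nothing to amplify.
BENIGN_XMP = ('<?xml version="1.0"?>\n'
              '<x:xmpmeta xmlns:x="adobe:ns:meta/"><dc:title>Q&amp;A report</dc:title></x:xmpmeta>')


if __name__ == "__main__":
    bomb = build_entity_bomb()
    print("bomb input bytes:", len(bomb), "expands to:", entity_expansion_size(bomb),
          "reject:", is_entity_bomb(bomb))
    print("benign expands to:", entity_expansion_size(BENIGN_XMP), "reject:", is_entity_bomb(BENIGN_XMP))
```

The amplification threshold is the more useful of the two limits: a legitimate XMP packet never needs its entities to expand to more than a small multiple of its own size, so a ratio in the hundreds or beyond is a decision, not a heuristic. A static pre-check like this complements, rather than replaces, the entity limits that current XML libraries enforce inside the parser.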
10 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2009-10-22 | CVE-2009-3409 | Oracle | Remote vulnerability in Oracle PeopleSoft Enterprise Human Capital Management Unspecified vulnerability in the PeopleSoft Enterprise HCM (TAM) component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 9.0 Bundle 10 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 3.6 |
2009-10-22 | CVE-2009-1991 | Oracle | Remote SQL Injection vulnerability in Oracle Database Text Component 'ctxsys.drvxtabc.create_tables' Unspecified vulnerability in the Oracle Text component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity, related to CTXSYS.DRVXTABC. | 3.6 |
2009-10-22 | CVE-2009-1971 | Oracle | Remote Data Pump vulnerability in Oracle Database Server 10.1.0.5/10.2.0.3/11.1.0.7 Unspecified vulnerability in the Data Pump component in Oracle Database 10.1.0.5, 10.2.0.3, and 11.1.0.7 allows remote authenticated users to affect integrity via unknown vectors. | 3.5 |
2009-10-22 | CVE-2009-3406 | Oracle | JD Edwards Tools Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Unspecified vulnerability in the JD Edwards Tools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.98.2.1 allows remote authenticated users to affect confidentiality via unknown vectors. | 2.7 |
2009-10-22 | CVE-2009-3402 | Oracle | Remote Oracle Applications Framework vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.1 Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 allows remote authenticated users to affect confidentiality via unknown vectors. | 2.1 |
2009-10-22 | CVE-2009-1972 | Oracle | Remote Auditing vulnerability in Oracle Database Unspecified vulnerability in the Auditing component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect integrity, related to DBMS_SYS_SQL and DBMS_SQL. | 2.1 |
2009-10-22 | CVE-2009-3746 | SUN | Configuration vulnerability in SUN Solaris 10 XScreenSaver in Sun Solaris 10, when the accessibility feature is enabled, allows physically proximate attackers to obtain sensitive information by reading popup windows, which are displayed even when the screen is locked, a different vulnerability than CVE-2009-1276 and CVE-2009-2711. | 1.9 |
2009-10-22 | CVE-2009-2911 | Systemtap | Permissions, Privileges, and Access Controls vulnerability in Systemtap 1.0 SystemTap 1.0, when the --unprivileged option is used, does not properly restrict certain data sizes, which allows local users to (1) cause a denial of service or gain privileges via a print operation with a large number of arguments that trigger a kernel stack overflow, (2) cause a denial of service via crafted DWARF expressions that trigger a kernel stack frame overflow, or (3) cause a denial of service (infinite loop) via vectors that trigger creation of large unwind tables, related to Common Information Entry (CIE) and Call Frame Instruction (CFI) records. | 1.9 |
2009-10-22 | CVE-2009-3401 | Oracle | Local Oracle Applications Technology Stack vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.1 Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 allows local users to affect confidentiality via unknown vectors. | 1.7 |
2009-10-22 | CVE-2009-1990 | Oracle | Unspecified vulnerability in Oracle Application Server 10.1.3.4.1 Unspecified vulnerability in the Business Intelligence Enterprise Edition component in Oracle Application Server 10.1.3.4.1 allows local users to affect confidentiality via unknown vectors. | 1.7 |