Weekly Vulnerabilities Reports > November 16 to 22, 2009

Overview

53 new vulnerabilities were reported during this period, including 7 critical vulnerabilities and 20 high severity vulnerabilities. This weekly summary reports vulnerabilities in 77 products from 50 vendors, including Joomla, HP, Drupal, Frontaccounting, and Microsoft. The vulnerabilities are notably categorized as "SQL Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Permissions, Privileges, and Access Controls", and "Information Exposure".

  • 50 reported vulnerabilities are remotely exploitable.
  • 15 reported vulnerabilities have a public exploit available.
  • 22 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 46 reported vulnerabilities are exploitable by an anonymous user.
  • Joomla has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • HP has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

[Summary tiles: Total vulnerabilities; Critical risk vulnerabilities; High risk vulnerabilities; Medium risk vulnerabilities; Low risk vulnerabilities; Remotely exploitable; Locally exploitable; Exploit available; Exploitable anonymously; Affecting web application]

Vulnerability Details

The following tables list the vulnerabilities reported during the period covered by this report:


7 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2009-11-20 | CVE-2009-3842 | HP | Denial of Service vulnerability in HP products | 10.0
  Unspecified vulnerability on the HP Color LaserJet M3530 Multifunction Printer with firmware 05.058.4 and the Color LaserJet CP3525 Printer with firmware 53.021.2 allows remote attackers to obtain "access to data" or cause a denial of service via unknown vectors.

2009-11-20 | CVE-2009-4006 | Solarwinds | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Solarwinds Serv-U File Server | 10.0
  Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft Serv-U FTP server 7.0.0.1, 9.0.0.5, and other versions before 9.1.0.0 allows remote attackers to execute arbitrary code via a long hexadecimal string.

2009-11-19 | CVE-2009-3909 | Gimp | Integer Overflow or Wraparound vulnerability in Gimp 2.6.7 | 9.3
  Integer overflow in the read_channel_data function in plug-ins/file-psd/psd-load.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a crafted PSD file that triggers a heap-based buffer overflow.

2009-11-18 | CVE-2009-3976 | Labtam INC | Buffer Errors vulnerability in Labtam-Inc Proftp 2.9 | 9.3
  Buffer overflow in Labtam ProFTP 2.9 allows remote FTP servers to cause a denial of service (application crash) or execute arbitrary code via a long 220 reply (aka connection greeting or welcome message).

2009-11-18 | CVE-2009-3969 | Faslo | Buffer Errors vulnerability in Faslo Player 7.0 | 9.3
  Stack-based buffer overflow in Faslo Player 7.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a .m3u playlist file.

2009-11-16 | CVE-2009-3947 | Tandberg | Buffer Errors vulnerability in Tandberg MXP Endpoints F7.0 | 9.3
  Buffer overflow in the FTP service on the Tandberg MXP F7.0 allows remote attackers to cause a denial of service (process crash or device reboot) or possibly execute arbitrary code via a long USER command, as demonstrated by a command ending with many space characters.

2009-11-17 | CVE-2009-3841 | HP, Microsoft | Remote Code Execution vulnerability in HP Discovery and Dependency Mapping Inventory | 9.0
  Unspecified vulnerability in HP Discovery & Dependency Mapping Inventory (DDMI) 2.5x, 7.5x, and 7.60 on Windows allows remote authenticated users to execute arbitrary code via unknown vectors.

20 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2009-11-20 | CVE-2009-4004 | Linux | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Linux Kernel | 7.8
  Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc7 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a KVM_X86_SETUP_MCE IOCTL request that specifies a large number of Machine Check Exception (MCE) banks.

2009-11-17 | CVE-2009-3962 | 2Wire | Improper Input Validation vulnerability in 2Wire products | 7.8
  The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot) via a %0d%0a sequence in the page parameter to the xslt program on TCP port 50001, a related issue to CVE-2006-4523.

2009-11-20 | CVE-2009-4046 | Frontaccounting | SQL Injection vulnerability in Frontaccounting 2.2 | 7.5
  Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.

2009-11-20 | CVE-2009-4045 | Frontaccounting | SQL Injection vulnerability in Frontaccounting | 7.5
  Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to various .inc and .php files in (1) reporting/, (2) sales/, (3) sales/includes/, (4) sales/includes/db/, (5) sales/inquiry/, (6) sales/manage/, (7) sales/view/, (8) taxes/, and (9) taxes/db/.

2009-11-20 | CVE-2009-4044 | Bruno Massa, Drupal | Permissions, Privileges, and Access Controls vulnerability in Bruno Massa web Services 6.X1.0 | 7.5
  The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors.

2009-11-20 | CVE-2009-4037 | Frontaccounting | SQL Injection vulnerability in Frontaccounting | 7.5
  Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.1.7, and 2.2.x before 2.2 RC, allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) admin/db/users_db.inc, and various other .inc and .php files under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, and (7) purchasing/.

2009-11-20 | CVE-2009-3553 | Apple, Fedoraproject, Canonical, Debian, Redhat | Use After Free vulnerability in multiple products | 7.5
  Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count.

2009-11-18 | CVE-2009-3974 | Invisionpower | SQL Injection vulnerability in Invisioncommunity Invision Power Board 3.0.0/3.0.1/3.0.2 | 7.5
  Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php.

2009-11-18 | CVE-2009-3973 | Turnkeyarcade | SQL Injection vulnerability in Turnkeyarcade Turnkey Arcade Script | 7.5
  SQL injection vulnerability in index.php in Turnkey Arcade Script allows remote attackers to execute arbitrary SQL commands via the id parameter in a browse action, a different vector than CVE-2008-5629.

2009-11-18 | CVE-2009-3972 | Joomla, Qproje | SQL Injection vulnerability in Qproje COM Siirler 1.2 | 7.5
  SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirler) component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php.

2009-11-18 | CVE-2009-3971 | Joomla, Jtips | SQL Injection vulnerability in Jtips COM Jtips 1.0.7/1.0.9 | 7.5
  SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php.

2009-11-18 | CVE-2009-3968 | Itechscripts | SQL Injection vulnerability in Itechscripts Itechbids 8.0 | 7.5
  Multiple SQL injection vulnerabilities in ITechBids 8.0 allow remote attackers to execute arbitrary SQL commands via the (1) user_id parameter to feedback.php, (2) cate_id parameter to category.php, (3) id parameter to news.php, and (4) productid parameter to itechd.php.

2009-11-18 | CVE-2009-3967 | ED Charkow | SQL Injection vulnerability in ED Charkow Supercharged Linking | 7.5
  SQL injection vulnerability in browse.php in Ed Charkow SuperCharged Linking allows remote attackers to execute arbitrary SQL commands via the id parameter.

2009-11-18 | CVE-2009-3966 | Arcadetradescript | Improper Authentication vulnerability in Arcadetradescript Arcade Trade Script 1.0 | 7.5
  Arcade Trade Script 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLoggedIn cookie to true.

2009-11-18 | CVE-2009-3965 | Maniacomputer | SQL Injection vulnerability in Maniacomputer New5Starrating 1.0 | 7.5
  SQL injection vulnerability in rating.php in New 5 star Rating 1.0 allows remote attackers to execute arbitrary SQL commands via the det parameter.

2009-11-18 | CVE-2009-3964 | Joomla, Ninjaforge | SQL Injection vulnerability in Ninjaforge COM Ninjamonials 1.1.0 | 7.5
  SQL injection vulnerability in the NinjaMonials (com_ninjacentral) component 1.1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the testimID parameter in a display action to index.php.

2009-11-17 | CVE-2009-3963 | Xoops | Multiple Unspecified vulnerability in XOOPS Versions Prior to 2.4.0 | 7.5
  Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have unknown impact and attack vectors.

2009-11-17 | CVE-2009-3961 | JOS DE Ruijter | SQL Injection vulnerability in JOS DE Ruijter Superseriousstats | 7.5
  SQL injection vulnerability in user.php in Super Serious Stats (aka superseriousstats) before 1.1.2p1 allows remote attackers to execute arbitrary SQL commands via the uid parameter, related to an "incorrect regexp." NOTE: some of these details are obtained from third party information.

2009-11-16 | CVE-2009-3949 | Vivaprograms | Permissions, Privileges, and Access Controls vulnerability in Vivaprograms Infinity Script 2.0.0 | 7.5
  cp/profile.php in VivaPrograms Infinity 2.0.5 and earlier does not require administrative authentication for the donewauthor action, which allows remote attackers to create administrative accounts via the name, password, and conf_password parameters.

2009-11-16 | CVE-2009-3939 | Linux, Redhat, Canonical, Debian, Avaya, Suse, Opensuse | Incorrect Permission Assignment for Critical Resource vulnerability in multiple products | 7.1
  The poll_mode_io file for the megaraid_sas driver in the Linux kernel 2.6.31.6 and earlier has world-writable permissions, which allows local users to change the I/O mode of the driver by modifying this file.

24 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2009-11-18 | CVE-2009-3975 | Moagallery | SQL Injection vulnerability in Moagallery MOA 1.1.0/1.2.0 | 6.8
  SQL injection vulnerability in index.php in Moa Gallery 1.1.0 and 1.2.0 allows remote attackers to execute arbitrary SQL commands via the gallery_id parameter in a gallery_view action.

2009-11-16 | CVE-2009-2746 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Websphere Application Server | 6.8
  Cross-site request forgery (CSRF) vulnerability in the administrative console in the Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

2009-11-18 | CVE-2009-3970 | Phpdirsubmit | SQL Injection vulnerability in PHPdirsubmit PHP DIR Submit | 6.5
  SQL injection vulnerability in index.php in PHP Dir Submit (aka WebsiteSubmitter or Submitter Script) allows remote authenticated users to execute arbitrary SQL commands via the aid parameter in a showarticle action.

2009-11-16 | CVE-2009-3942 | Martin Lambers | Cryptographic Issues vulnerability in Martin Lambers Msmtp | 6.4
  Martin Lambers msmtp before 1.4.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

2009-11-17 | CVE-2009-3890 | Wordpress | Code Injection vulnerability in Wordpress | 6.0
  Unrestricted file upload vulnerability in the wp_check_filetype function in wp-includes/functions.php in WordPress before 2.8.6, when a certain configuration of the mod_mime module in the Apache HTTP Server is enabled, allows remote authenticated users to execute arbitrary code by posting an attachment with a multiple-extension filename, and then accessing this attachment via a direct request to a wp-content/uploads/ pathname, as demonstrated by a .php.jpg filename.

2009-11-16 | CVE-2009-3945 | Joomla | Remote Security vulnerability in Joomla! | 5.5
  Unspecified vulnerability in the Front-End Editor in the com_content component in Joomla! before 1.5.15 allows remote authenticated users, with Author privileges, to replace the articles of an arbitrary user via unknown vectors.

2009-11-20 | CVE-2009-4041 | Usebb | Remote Denial Of Service vulnerability in Usebb 1.0.9 | 5.0
  UseBB 1.0.9 before 1.0.10 allows remote attackers to cause a denial of service (infinite loop) via crafted BBCode tags.

2009-11-20 | CVE-2005-4882 | Philippe Jounin | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Philippe Jounin Tftpd32 | 5.0
  tftpd in Philippe Jounin Tftpd32 2.74 and earlier, as used in Wyse Simple Imager (WSI) and other products, allows remote attackers to cause a denial of service (daemon crash) via a long filename in a TFTP read (aka RRQ or get) request, a different vulnerability than CVE-2002-2226.

2009-11-20 | CVE-2009-3386 | Mozilla | Information Exposure vulnerability in Mozilla Bugzilla | 5.0
  Template.pm in Bugzilla 3.3.2 through 3.4.3 and 3.5 through 3.5.1 allows remote attackers to discover the alias of a private bug by reading the (1) Depends On or (2) Blocks field of a related bug.

2009-11-19 | CVE-2009-3977 | HP | Buffer Errors vulnerability in HP Openview Network Node Manager 7.53 | 5.0
  Multiple buffer overflows in a certain ActiveX control in ActiveDom.ocx in HP OpenView Network Node Manager (OV NNM) 7.53 might allow remote attackers to cause a denial of service (memory corruption) or have unspecified other impact via a long string argument to the (1) DisplayName, (2) AddGroup, (3) InstallComponent, or (4) Subscribe method.

2009-11-19 | CVE-2009-3840 | HP | Denial of Service vulnerability in HP OpenView Network Node Manager 'ovdbrun.exe' | 5.0
  The embedded database engine service (aka ovdbrun.exe) in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to cause a denial of service (daemon crash) via an invalid Error Code field in a packet.

2009-11-16 | CVE-2009-3946 | Joomla | Information Exposure vulnerability in Joomla Joomla! | 5.0
  Joomla! before 1.5.15 allows remote attackers to read an extension's XML file, and thereby obtain the extension's version number, via a direct request.

2009-11-16 | CVE-2009-3944 | RIM | Denial-Of-Service vulnerability in RIM Blackberry 8800 and Blackberry Browser | 5.0
  Research In Motion (RIM) BlackBerry Browser on the BlackBerry 8800 allows remote attackers to cause a denial of service (application hang) via a JavaScript loop that configures the home page by using the setHomePage method and a DHTML behavior property.

2009-11-16 | CVE-2009-3943 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer | 5.0
  Microsoft Internet Explorer 6 through 6.0.2900.2180 and 7 through 7.0.6000.16711 allows remote attackers to cause a denial of service (application hang) via a JavaScript loop that configures the home page by using the setHomePage method and a DHTML behavior property.

2009-11-16 | CVE-2009-3941 | Martin Lambers | Cryptographic Issues vulnerability in Martin Lambers Mpop | 5.0
  Martin Lambers mpop before 1.0.19, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the (1) subject's Common Name or (2) Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

2009-11-20 | CVE-2009-4043 | Drupal, Patrick Przybilla | Cross-Site Scripting vulnerability in Patrick Przybilla Addtoany | 4.3
  Cross-site scripting (XSS) vulnerability in the AddToAny module 5.x before 5.x-2.4 and 6.x before 6.x-2.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via a node title.

2009-11-20 | CVE-2009-4042 | Drupal, Marek Sotak | Cross-Site Scripting vulnerability in Marek Sotak Rootcandy | 4.3
  Cross-site scripting (XSS) vulnerability in the RootCandy theme 6.x before 6.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via the URI.

2009-11-20 | CVE-2009-4040 | Phpmyfaq | Cross-Site Scripting vulnerability in PHPmyfaq | 4.3
  Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.0.17 and 2.5.x before 2.5.2, when used with Internet Explorer 6 or 7, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to the search page.

2009-11-20 | CVE-2009-4039 | Piwigo | Cross-Site Scripting vulnerability in Piwigo | 4.3
  Cross-site scripting (XSS) vulnerability in Piwigo before 2.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2009-11-20 | CVE-2009-4038 | NCH | Cross-Site Scripting vulnerability in NCH Axon Virtual PBX 2.10/2.11 | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in NCH Software Axon Virtual PBX 2.10 and 2.11 allow remote attackers to inject arbitrary web script or HTML via the (1) onok or (2) oncancel parameter to the logon program.

2009-11-20 | CVE-2005-4883 | Philippe Jounin | Race Condition vulnerability in Philippe Jounin Tftpd32 | 4.3
  Race condition in Philippe Jounin Tftpd32 before 2.80 allows remote attackers to cause a denial of service (daemon crash) via invalid "connect frames."

2009-11-19 | CVE-2009-3978 | Mozilla | Unspecified vulnerability in Mozilla Firefox | 4.3
  The nsGIFDecoder2::GifWrite function in decoders/gif/nsGIFDecoder2.cpp in libpr0n in Mozilla Firefox before 3.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an animated GIF file with a large image size, a different vulnerability than CVE-2009-3373.

2009-11-16 | CVE-2009-3950 | Bract | Cross-Site Scripting vulnerability in Bract Suntrack | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in Bractus SunTrack allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to newprofile.html; the (2) firstname, (3) lastname, and (4) company parameters to signup/signup.html; and the (5) firstname, (6) lastname, and (7) address[0].street1 parameters to contact.html.

2009-11-16 | CVE-2009-3948 | Cowonamerica | Resource Management Errors vulnerability in Cowonamerica Cowon Media Center-Jetaudio 7.5.3 | 4.3
  JetAudio 7.5.3 COWON Media Center allows remote attackers to cause a denial of service (memory consumption and application crash) via a long string at the end of a .wav file.

2 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2009-11-17 | CVE-2009-3891 | Wordpress | Cross-Site Scripting vulnerability in Wordpress | 3.5
  Cross-site scripting (XSS) vulnerability in wp-admin/press-this.php in WordPress before 2.8.6 allows remote authenticated users to inject arbitrary web script or HTML via the s parameter (aka the selection variable).

2009-11-16 | CVE-2009-3940 | SUN | Unspecified vulnerability in SUN Virtualbox and XVM Virtualbox | 2.1
  Unspecified vulnerability in Guest Additions in Sun xVM VirtualBox 1.6.x and 2.0.x before 2.0.12, 2.1.x, and 2.2.x, and Sun VirtualBox before 3.0.10, allows guest OS users to cause a denial of service (memory consumption) on the guest OS via unknown vectors.