Weekly Vulnerabilities Reports > February 8 to 14, 2010

Overview

84 new vulnerabilities reported during this period, including 27 critical vulnerabilities and 25 high severity vulnerabilities. This weekly summary report vulnerabilities in 54 products from 40 vendors including Microsoft, Ffmpeg, Gnome, Myshell, and Cisco. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "SQL Injection", "Numeric Errors", "Code Injection", and "Cross-site Scripting".

  • 71 reported vulnerabilities are remotely exploitables.
  • 7 reported vulnerabilities have public exploit available.
  • 19 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 77 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 24 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 17 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

27 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-02-12 CVE-2001-1586 Analogx Path Traversal vulnerability in Analogx Simpleserver WWW

Directory traversal vulnerability in SimpleServer:WWW 1.13 and earlier allows remote attackers to execute arbitrary programs via encoded ../ ("%2E%2E%2F%") sequences in a request to the cgi-bin/ directory, a different vulnerability than CVE-2000-0664.

10.0
2010-02-11 CVE-2010-0445 HP Unspecified vulnerability in HP Network Node Manager

Unspecified vulnerability in HP Network Node Manager (NNM) 8.10, 8.11, 8.12, and 8.13 allows remote attackers to execute arbitrary commands via unknown vectors.

10.0
2010-02-11 CVE-2010-0145 Cisco Unspecified vulnerability in Cisco Ironport Encryption Appliance and Ironport Postx

Unspecified vulnerability in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to execute arbitrary code via unknown vectors, aka IronPort Bug 65923.

10.0
2010-02-10 CVE-2010-0241 Microsoft Code Injection vulnerability in Microsoft Windows Server 2008 and Windows Vista

The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Route Information packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Route Information Vulnerability."

10.0
2010-02-10 CVE-2010-0240 Microsoft Code Injection vulnerability in Microsoft Windows Server 2008 and Windows Vista

The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when a custom network driver is used, does not properly handle local fragmentation of Encapsulating Security Payload (ESP) over UDP packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "Header MDL Fragmentation Vulnerability."

10.0
2010-02-10 CVE-2010-0239 Microsoft Code Injection vulnerability in Microsoft Windows Server 2008 and Windows Vista

The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2, when IPv6 is enabled, does not properly perform bounds checking on ICMPv6 Router Advertisement packets, which allows remote attackers to execute arbitrary code via crafted packets, aka "ICMPv6 Router Advertisement Vulnerability."

10.0
2010-02-10 CVE-2010-0231 Microsoft Permissions, Privileges, and Access Controls vulnerability in Microsoft products

The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not use a sufficient source of entropy, which allows remote attackers to obtain access to files and other SMB resources via a large number of authentication requests, related to server-generated challenges, certain "duplicate values," and spoofing of an authentication token, aka "SMB NTLM Authentication Lack of Entropy Vulnerability."

10.0
2010-02-10 CVE-2009-4637 Ffmpeg Buffer Errors vulnerability in Ffmpeg 0.5

FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a stack-based buffer overflow.

10.0
2010-02-10 CVE-2009-4634 Ffmpeg Numeric Errors vulnerability in Ffmpeg 0.5

Multiple integer underflows in FFmpeg 0.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that (1) bypasses a validation check in vorbis_dec.c and triggers a wraparound of the stack pointer, or (2) access a pointer from out-of-bounds memory in mov.c, related to an elst tag that appears before a tag that creates a stream.

10.0
2010-02-10 CVE-2009-4633 Ffmpeg Numeric Errors vulnerability in Ffmpeg 0.5

vorbis_dec.c in FFmpeg 0.5 uses an assignment operator when a comparison operator was intended, which might allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted file that modifies a loop counter and triggers a heap-based buffer overflow.

10.0
2010-02-09 CVE-2010-0444 HP
SUN
Credentials Management vulnerability in HP Operations Agent 8.51/8.52/8.53

HP Operations Agent 8.51, 8.52, 8.53, and 8.60 on Solaris 10 uses a blank password for the opc_op account, which allows remote attackers to execute arbitrary code via unspecified vectors.

10.0
2010-02-11 CVE-2009-3735 Panda Code Injection vulnerability in Panda Activescan 2.0

The ActiveScan Installer ActiveX control in as2stubie.dll before 1.3.3.0 in PandaActiveScan Installer 2.0 in Panda ActiveScan downloads software in an as2guiie.cab archive located at an arbitrary URL, and does not verify the archive's digital signature before installation, which allows remote attackers to execute arbitrary code via a URL argument to an unspecified method.

9.3
2010-02-10 CVE-2010-0252 Microsoft Code Injection vulnerability in Microsoft products

The Microsoft Data Analyzer ActiveX control (aka the Office Excel ActiveX control for Data Analysis) in max3activex.dll in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote attackers to execute arbitrary code via a crafted web page that corrupts the "system state," aka "Microsoft Data Analyzer ActiveX Control Vulnerability."

9.3
2010-02-10 CVE-2010-0250 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

Heap-based buffer overflow in DirectShow in Microsoft DirectX, as used in the AVI Filter on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2, and in Quartz on Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, allows remote attackers to execute arbitrary code via an AVI file with a crafted length field in an unspecified video stream, which is not properly handled by the RLE video decompressor, aka "DirectShow Heap Overflow Vulnerability."

9.3
2010-02-10 CVE-2010-0243 Microsoft
Apple
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Office 2004/Xp

Buffer overflow in MSO.DLL in Microsoft Office XP SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Office document, aka "MSO.DLL Buffer Overflow."

9.3
2010-02-10 CVE-2010-0034 Microsoft Buffer Errors vulnerability in Microsoft Powerpoint 2003

Stack-based buffer overflow in Microsoft Office PowerPoint 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "Office PowerPoint Viewer TextCharsAtom Record Stack Overflow Vulnerability."

9.3
2010-02-10 CVE-2010-0033 Microsoft Buffer Errors vulnerability in Microsoft Powerpoint 2003

Stack-based buffer overflow in Microsoft Office PowerPoint 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint Viewer TextBytesAtom Record Stack Overflow Vulnerability."

9.3
2010-02-10 CVE-2010-0032 Microsoft Code Injection vulnerability in Microsoft Powerpoint 2002/2003

Use-after-free vulnerability in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "OEPlaceholderAtom Use After Free Vulnerability."

9.3
2010-02-10 CVE-2010-0031 Microsoft Code Injection vulnerability in Microsoft Office and Powerpoint

Array index error in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3, and PowerPoint in Office 2004 for Mac, allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint OEPlaceholderAtom 'placementId' Invalid Array Indexing Vulnerability."

9.3
2010-02-10 CVE-2010-0030 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Powerpoint 2002/2003

Heap-based buffer overflow in Microsoft Office PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint LinkedSlideAtom Heap Overflow Vulnerability."

9.3
2010-02-10 CVE-2010-0029 Microsoft Buffer Errors vulnerability in Microsoft Powerpoint 2002

Buffer overflow in Microsoft Office PowerPoint 2002 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint File Path Handling Buffer Overflow Vulnerability."

9.3
2010-02-10 CVE-2010-0028 Microsoft Numeric Errors vulnerability in Microsoft Windows 2000, Windows Server 2003 and Windows XP

Integer overflow in Microsoft Paint in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted JPEG (.JPG) file, aka "MS Paint Integer Overflow Vulnerability."

9.3
2010-02-10 CVE-2010-0017 Microsoft Race Condition vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Vista

Race condition in the SMB client implementation in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code, and in the SMB client implementation in Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges, via a crafted SMB Negotiate response, aka "SMB Client Race Condition Vulnerability."

9.3
2010-02-10 CVE-2010-0016 Microsoft Improper Input Validation vulnerability in Microsoft Windows 2000, Windows Server 2003 and Windows XP

The SMB client implementation in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly validate response fields, which allows remote SMB servers and man-in-the-middle attackers to execute arbitrary code via a crafted response, aka "SMB Client Pool Corruption Vulnerability."

9.3
2010-02-10 CVE-2009-4635 Ffmpeg Code Injection vulnerability in Ffmpeg 0.5

FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted MOV container with improperly ordered tags that cause (1) mov.c and (2) utils.c to use inconsistent codec types and identifiers, leading to processing of a video-structure pointer by the mp3 decoder, and a stack-based buffer overflow.

9.3
2010-02-10 CVE-2009-4631 Ffmpeg Numeric Errors vulnerability in Ffmpeg 0.5

Off-by-one error in the VP3 decoder (vp3.c) in FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted VP3 file that triggers an out-of-bounds read and possibly memory corruption.

9.3
2010-02-10 CVE-2010-0020 Microsoft Improper Input Validation vulnerability in Microsoft products

The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate request fields, which allows remote authenticated users to execute arbitrary code via a malformed request, aka "SMB Pathname Overflow Vulnerability."

9.0

25 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-02-11 CVE-2010-0144 Cisco Unspecified vulnerability in Cisco Ironport Encryption Appliance and Ironport Postx

Unspecified vulnerability in the WebSafe DistributorServlet in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65922.

7.8
2010-02-11 CVE-2010-0143 Cisco Unspecified vulnerability in Cisco Ironport Encryption Appliance and Ironport Postx

Unspecified vulnerability in the administrative interface in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65921.

7.8
2010-02-10 CVE-2010-0242 Microsoft Resource Management Errors vulnerability in Microsoft Windows Server 2008 and Windows Vista

The TCP/IP implementation in Microsoft Windows Vista Gold, SP1, and SP2 and Server 2008 Gold and SP2 allows remote attackers to cause a denial of service (system hang) via crafted packets with malformed TCP selective acknowledgement (SACK) values, aka "TCP/IP Selective Acknowledgement Vulnerability."

7.8
2010-02-10 CVE-2010-0022 Microsoft Improper Input Validation vulnerability in Microsoft products

The SMB implementation in the Server service in Microsoft Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly validate the share and servername fields in SMB packets, which allows remote attackers to cause a denial of service (system hang) via a crafted packet, aka "SMB Null Pointer Vulnerability."

7.8
2010-02-12 CVE-2010-0635 Jevents
Joomla
SQL Injection vulnerability in Jevents Search Plugin

SQL injection vulnerability in the plgSearchEventsearch::onSearch method in eventsearch.php in the JEvents Search plugin 1.5 through 1.5.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2010-02-12 CVE-2010-0634 Will Estes Unspecified vulnerability in Will Estes Flex

Unspecified vulnerability in Fast Lexical Analyzer Generator (flex) before 2.5.35 has unknown impact and attack vectors.

7.5
2010-02-12 CVE-2010-0632 Parkviewconsultants
Joomla
SQL Injection vulnerability in Parkviewconsultants COM Simplefaq

SQL injection vulnerability in the Parkview Consultants SimpleFAQ (com_simplefaq) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a display action to index.php.

7.5
2010-02-12 CVE-2010-0631 Eicrasoft SQL Injection vulnerability in Eicrasoft Eicra CAR Rental-Script

Multiple SQL injection vulnerabilities in index.php in Eicra Car Rental-Script, when the plugin_id parameter is 4, allow remote attackers to execute arbitrary SQL commands via the (1) users (username) and (2) passwords parameters.

7.5
2010-02-12 CVE-2010-0630 Evernewscripts SQL Injection vulnerability in Evernewscripts Free Joke Script 1.2

SQL injection vulnerability in viewjokes.php in Evernew Free Joke Script 1.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2010-02-12 CVE-2009-4274 Netpbm Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Netpbm

Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm before 10.47.07 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value.

7.5
2010-02-11 CVE-2010-0616 Myshell Credentials Management vulnerability in Myshell Evalsmsi 2.1.03

evalSMSI 2.1.03 stores passwords in cleartext in the database, which allows attackers with database access to gain privileges.

7.5
2010-02-11 CVE-2010-0614 Myshell SQL Injection vulnerability in Myshell Evalsmsi 2.1.03

SQL injection vulnerability in ajax.php in evalSMSI 2.1.03 allows remote attackers to execute arbitrary SQL commands via the query parameter in the (1) question action, and possibly the (2) sub_par or (3) num_quest actions.

7.5
2010-02-11 CVE-2010-0612 Dmanager Unspecified vulnerability in Dmanager Documentmanager

Unspecified vulnerability in DocumentManager before 4.0 has unknown impact and attack vectors, related to file rights.

7.5
2010-02-11 CVE-2010-0611 Baalsystems SQL Injection vulnerability in Baalsystems Baal Systems 3.6/3.7

Multiple SQL injection vulnerabilities in adminlogin.php in Baal Systems 3.8 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters.

7.5
2010-02-11 CVE-2010-0610 Webguerilla
Joomla
SQL Injection vulnerability in Webguerilla COM Photoblog

Multiple SQL injection vulnerabilities in the Photoblog (com_photoblog) component for Joomla! allow remote attackers to execute arbitrary SQL commands via the blog parameter in an images action to index.php.

7.5
2010-02-11 CVE-2010-0609 Novaboard SQL Injection vulnerability in Novaboard 1.1.2

SQL injection vulnerability in header.php in NovaBoard 1.1.2 allows remote attackers to execute arbitrary SQL commands via the nova_name cookie parameter.

7.5
2010-02-11 CVE-2010-0608 Novaboard SQL Injection vulnerability in Novaboard 1.1.2

SQL injection vulnerability in index.php in NovaBoard 1.1.2 allows remote attackers to execute arbitrary SQL commands via the forums[] parameter in a search action.

7.5
2010-02-11 CVE-2010-0605 Osticket SQL Injection vulnerability in Osticket

SQL injection vulnerability in scp/ajax.php in osTicket before 1.6.0 Stable allows remote authenticated users, with "Staff" permissions, to execute arbitrary SQL commands via the input parameter.

7.5
2010-02-08 CVE-2010-0409 Gnome Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Gnome Gmime

Buffer overflow in the GMIME_UUENCODE_LEN macro in gmime/gmime-encodings.h in GMime before 2.4.15 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via input data for a uuencode operation.

7.5
2010-02-12 CVE-2010-0297 Qemu Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Qemu

Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.

7.2
2010-02-11 CVE-2009-4642 Gnome Local Security vulnerability in Gnome Screensaver 2.26.1

gnome-screensaver 2.26.1 relies on the gnome-session D-Bus interface to determine session idle time, even when an Xfce desktop such as Xubuntu or Mythbuntu is used, which allows physically proximate attackers to access an unattended workstation on which screen locking had been intended.

7.2
2010-02-11 CVE-2009-4641 Gnome Unspecified vulnerability in Gnome Screensaver 2.28.0

gnome-screensaver 2.28.0 does not resume adherence to its activation settings after an inhibiting application becomes unavailable on the session bus, which allows physically proximate attackers to access an unattended workstation on which screen locking had been intended.

7.2
2010-02-11 CVE-2010-0414 Gnome Unspecified vulnerability in Gnome Screensaver

gnome-screensaver before 2.28.2 allows physically proximate attackers to bypass screen locking and access an unattended workstation by moving the mouse position to an external monitor and then disconnecting that monitor.

7.2
2010-02-10 CVE-2010-0233 Microsoft Unspecified vulnerability in Microsoft products

Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows local users to gain privileges via a crafted application, aka "Windows Kernel Double Free Vulnerability." Per: http://cwe.mitre.org/data/slices/2000.html#d "CWE-415 Double Free" vulnerability

7.2
2010-02-10 CVE-2010-0021 Microsoft Race Condition vulnerability in Microsoft products

Multiple race conditions in the SMB implementation in the Server service in Microsoft Windows Vista Gold, SP1, and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allow remote attackers to cause a denial of service (system hang) via a crafted (1) SMBv1 or (2) SMBv2 Negotiate packet, aka "SMB Memory Corruption Vulnerability."

7.1

30 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-02-10 CVE-2010-0023 Microsoft Permissions, Privileges, and Access Controls vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

The Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 does not properly kill processes after a logout, which allows local users to obtain sensitive information or gain privileges via a crafted application that continues to execute throughout the logout of one user and the login session of the next user, aka "CSRSS Local Privilege Elevation Vulnerability."

6.9
2010-02-12 CVE-2010-0637 K5N Cross-Site Request Forgery (CSRF) vulnerability in K5N Webcalendar 1.2.0

Multiple cross-site request forgery (CSRF) vulnerabilities in WebCalendar 1.2.0, and other versions before 1.2.5, allow remote attackers to hijack the authentication of administrators for requests that (1) delete an event or (2) ban an IP address from posting via unknown vectors.

6.8
2010-02-12 CVE-2010-0309 Linux Configuration vulnerability in Linux Kernel

The pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file.

6.8
2010-02-10 CVE-2010-0394 Nanosleep
Edgewall Software
Debian
Improper Input Validation vulnerability in Nanosleep Trac-Git

PyGIT.py in the Trac Git plugin (trac-git) before 0.0.20080710-3+lenny1 and before 0.0.20090320-1 on Debian GNU/Linux, when enabled in Trac, allows remote attackers to execute arbitrary commands via shell metacharacters in a crafted HTTP query that is used to generate a certain git command.

6.8
2010-02-08 CVE-2010-0562 Fetchmail Buffer Errors vulnerability in Fetchmail 6.3.11/6.3.12/6.3.13

The sdump function in sdump.c in fetchmail 6.3.11, 6.3.12, and 6.3.13, when running in verbose mode on platforms for which char is signed, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an SSL X.509 certificate containing non-printable characters with the high bit set, which triggers a heap-based buffer overflow during escaping.

6.8
2010-02-12 CVE-2010-0298 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel

The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306.

6.5
2010-02-09 CVE-2010-0438 Otrs SQL Injection vulnerability in Otrs

Multiple SQL injection vulnerabilities in Kernel/System/Ticket.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.1.x before 2.1.9, 2.2.x before 2.2.9, 2.3.x before 2.3.5, and 2.4.x before 2.4.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5
2010-02-10 CVE-2010-0035 Microsoft Unspecified vulnerability in Microsoft products

The Key Distribution Center (KDC) in Kerberos in Microsoft Windows 2000 SP4, Server 2003 SP2, and Server 2008 Gold and SP2, when a trust relationship with a non-Windows Kerberos realm exists, allows remote authenticated users to cause a denial of service (NULL pointer dereference and domain controller outage) via a crafted Ticket Granting Ticket (TGT) renewal request, aka "Kerberos Null Pointer Dereference Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS10-014.mspx "This vulnerability only affects domain controllers.

6.3
2010-02-10 CVE-2009-4632 Ffmpeg Numeric Errors vulnerability in Ffmpeg 0.5

oggparsevorbis.c in FFmpeg 0.5 does not properly perform certain pointer arithmetic, which might allow remote attackers to obtain sensitive memory contents and cause a denial of service via a crafted file that triggers an out-of-bounds read.

5.8
2010-02-11 CVE-2010-0613 Arwscripts Path Traversal vulnerability in Arwscripts Fonts Script

Directory traversal vulnerability in viewfile.php in ARWScripts Fonts Script allows remote attackers to read arbitrary local files via directory traversal sequences in a base64-encoded f parameter.

5.0
2010-02-10 CVE-2010-0564 Trendmicro Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Trendmicro Officescan

Buffer overflow in Trend Micro URL Filtering Engine (TMUFE) in OfficeScan 8.0 before SP1 Patch 5 - Build 3510, possibly tmufeng.dll before 3.0.0.1029, allows attackers to cause a denial of service (crash or OfficeScan hang) via unspecified vectors.

5.0
2010-02-08 CVE-2010-0563 IBM Information Exposure vulnerability in IBM Websphere Application Server

The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted.

5.0
2010-02-08 CVE-2010-0294 Tuxfamily Resource Management Errors vulnerability in Tuxfamily Chrony

chronyd in Chrony before 1.23.1, and possibly 1.24-pre1, generates a syslog message for each unauthorized cmdmon packet, which allows remote attackers to cause a denial of service (disk consumption) via a large number of invalid packets.

5.0
2010-02-08 CVE-2010-0293 Tuxfamily Resource Management Errors vulnerability in Tuxfamily Chrony

The client logging functionality in chronyd in Chrony before 1.23.1 does not restrict the amount of memory used for storage of client information, which allows remote attackers to cause a denial of service (memory consumption) via spoofed (1) NTP or (2) cmdmon packets.

5.0
2010-02-08 CVE-2010-0292 Tuxfamily Resource Management Errors vulnerability in Tuxfamily Chrony

The read_from_cmd_socket function in cmdmon.c in chronyd in Chrony before 1.23.1, and 1.24-pre1, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by sending a spoofed cmdmon packet that triggers a continuous exchange of NOHOSTACCESS messages between two daemons, a related issue to CVE-2009-3563.

5.0
2010-02-08 CVE-2010-0561 Netbsd Numeric Errors vulnerability in Netbsd 4.0/5.0

Integer signedness error in NetBSD 4.0, 5.0, and NetBSD-current before 2010-01-21 allows local users to cause a denial of service (kernel panic) via a negative mixer index number being passed to (1) the azalia_query_devinfo function in the azalia audio driver (src/sys/dev/pci/azalia.c) or (2) the hdaudio_afg_query_devinfo function in the hdaudio audio driver (src/sys/dev/pci/hdaudio/hdaudio_afg.c).

4.9
2010-02-08 CVE-2010-0411 Systemtap Numeric Errors vulnerability in Systemtap 1.1

Multiple integer signedness errors in the (1) __get_argv and (2) __get_compat_argv functions in tapset/aux_syscalls.stp in SystemTap 1.1 allow local users to cause a denial of service (script crash, or system crash or hang) via a process with a large number of arguments, leading to a buffer overflow.

4.9
2010-02-12 CVE-2010-0633 Citrix Authentication Bypass vulnerability in Citrix Xenserver 5.0/5.5

Unspecified vulnerability in Citrix XenServer 5.0 Update 3 and earlier, and 5.5, allows local users to bypass authentication and execute unspecified Xen API (XAPI) calls via unknown vectors.

4.6
2010-02-08 CVE-2010-0560 Intel Local Privilege Escalation vulnerability in Intel BIOS System Management Mode

Unspecified vulnerability in the BIOS in Intel Desktop Board DB, DG, DH, DP, and DQ Series allows local administrators to execute arbitrary code in System Management Mode (SSM) via unknown attack vectors.

4.6
2010-02-12 CVE-2010-0636 K5N Cross-Site Scripting vulnerability in K5N Webcalendar 1.2.0

Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar 1.2.0, and other versions before 1.2.5, allow remote attackers to inject arbitrary web script or HTML via the (1) tab parameter to users.php and the PATH_INFO to (2) day.php, (3) month.php, and (4) week.php.

4.3
2010-02-12 CVE-2010-0446 HP Information Disclosure vulnerability in HP Dreamscreen 100/130

Unspecified vulnerability on the HP DreamScreen 100 and 130 with firmware before 1.6.0.0, when using a web-connected configuration, allows remote attackers to obtain sensitive information via unknown vectors.

4.3
2010-02-11 CVE-2010-0617 Myshell Cross-Site Scripting vulnerability in Myshell Evalsmsi 2.1.03

Cross-site scripting (XSS) vulnerability in ajax.php in evalSMSI 2.1.03 allows remote attackers to inject arbitrary web script or HTML via the return parameter.

4.3
2010-02-11 CVE-2010-0615 Myshell Cross-Site Scripting vulnerability in Myshell Evalsmsi 2.1.03

Cross-site scripting (XSS) vulnerability in assess.php in evalSMSI 2.1.03 allows remote attackers to inject arbitrary web script or HTML via the reports comment box in a continue_assess action.

4.3
2010-02-11 CVE-2010-0607 Sterlitetechnologies Cross-Site Scripting vulnerability in Sterlitetechnologies Sam300 AX Router

Cross-site scripting (XSS) vulnerability in Forms/status_statistics_1 in the Sterlite SAM300 AX Router allows remote attackers to inject arbitrary web script or HTML via the Stat_Radio parameter.

4.3
2010-02-10 CVE-2009-4640 Ffmpeg Numeric Errors vulnerability in Ffmpeg 0.5

Array index error in vorbis_dec.c in FFmpeg 0.5 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Vorbis file that triggers an out-of-bounds read.

4.3
2010-02-10 CVE-2009-4639 Ffmpeg Numeric Errors vulnerability in Ffmpeg 0.5

The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) via a crafted AVI file that triggers a divide-by-zero error.

4.3
2010-02-10 CVE-2009-4638 Ffmpeg Numeric Errors vulnerability in Ffmpeg 0.5

Integer overflow in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors.

4.3
2010-02-10 CVE-2009-4636 Ffmpeg Code Injection vulnerability in Ffmpeg 0.5

FFmpeg 0.5 allows remote attackers to cause a denial of service (hang) via a crafted file that triggers an infinite loop.

4.3
2010-02-12 CVE-2010-0306 KVM Qumranet Permissions, Privileges, and Access Controls vulnerability in KVM Qumranet KVM 83

The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) to restrict instruction execution, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch, a related issue to CVE-2010-0298.

4.1
2010-02-10 CVE-2010-0026 Microsoft Improper Input Validation vulnerability in Microsoft Windows Server 2008

The Hyper-V server implementation in Microsoft Windows Server 2008 Gold, SP2, and R2 on the x64 platform allows guest OS users to cause a denial of service (host OS hang) via a crafted application that executes a malformed series of machine instructions, aka "Hyper-V Instruction Set Validation Vulnerability."

4.0

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-02-11 CVE-2010-0606 Osticket Cross-Site Scripting vulnerability in Osticket

Cross-site scripting (XSS) vulnerability in scp/ajax.php in osTicket before 1.6.0 Stable allows remote authenticated users to inject arbitrary web script or HTML via the f parameter, possibly related to an error message generated by scp/admin.php.

3.5
2010-02-08 CVE-2003-1588 SUN Credentials Management vulnerability in SUN Cluster 2.2

Sun Cluster 2.2, when HA-Oracle or HA-Sybase DBMS services are used, stores database credentials in cleartext in a cluster configuration file, which allows local users to obtain sensitive information by reading this file.

1.9