Weekly Vulnerabilities Reports > March 1 to 7, 2010

Overview

83 new vulnerabilities reported during this period, including 13 critical vulnerabilities and 32 high severity vulnerabilities. This weekly summary report vulnerabilities in 83 products from 56 vendors including Cisco, IBM, Perforce, Apple, and Joomla. Vulnerabilities are notably categorized as "SQL Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Link Following", and "Improper Input Validation".

  • 73 reported vulnerabilities are remotely exploitables.
  • 32 reported vulnerabilities have public exploit available.
  • 29 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 75 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 9 reported vulnerabilities.
  • IBM has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

13 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-03-05 CVE-2010-0570 Cisco Credentials Management vulnerability in Cisco Digital Media Manager

Cisco Digital Media Manager (DMM) 5.0.x and 5.1.x has a default password for the Tomcat administration account, which makes it easier for remote attackers to execute arbitrary code via a crafted web application, aka Bug ID CSCta03378.

10.0
2010-03-05 CVE-2010-0425 Apache Unspecified vulnerability in Apache Http Server

modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers."

10.0
2010-03-05 CVE-2009-3245 Openssl Improper Input Validation vulnerability in Openssl

OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

10.0
2010-03-05 CVE-2009-3032 IBM
Symantec
Numeric Errors vulnerability in multiple products

Integer overflow in kvolefio.dll 8.5.0.8339 and 10.5.0.0 in the Autonomy KeyView Filter SDK, as used in IBM Lotus Notes 8.5, Symantec Mail Security for Microsoft Exchange 5.0.10 through 5.0.13, and other products, allows context-dependent attackers to execute arbitrary code via a crafted OLE document that triggers a heap-based buffer overflow.

10.0
2010-03-05 CVE-2009-2754 IBM
EMC
Numeric Errors vulnerability in multiple products

Integer signedness error in the authentication functionality in librpc.dll in the Informix Storage Manager (ISM) Portmapper service (aka portmap.exe), as used in IBM Informix Dynamic Server (IDS) 10.x before 10.00.TC9 and 11.x before 11.10.TC3 and EMC Legato NetWorker, allows remote attackers to execute arbitrary code via a crafted parameter size that triggers a stack-based buffer overflow.

10.0
2010-03-05 CVE-2009-2753 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Informix Dynamic Server

Multiple buffer overflows in the authentication functionality in librpc.dll in the Informix Storage Manager (ISM) Portmapper service (aka portmap.exe), as used in IBM Informix Dynamic Server (IDS) 10.x before 10.00.TC9 and 11.x before 11.10.TC3, allow remote attackers to execute arbitrary code via a crafted parameter size.

10.0
2010-03-03 CVE-2009-4660 Bigantsoft Buffer Errors vulnerability in Bigantsoft Bigant Messenger 2.50

Stack-based buffer overflow in the AntServer Module (AntServer.exe) in BigAnt IM Server 2.50 allows remote attackers to execute arbitrary code via a long GET request to TCP port 6660.

10.0
2010-03-03 CVE-2010-0918 IBM Security vulnerability in IBM Domino Web Access Prior to 229.281

Multiple unspecified vulnerabilities in the UltraLite functionality in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.281 for Domino 8.0.2 FP4 have unknown impact and attack vectors.

10.0
2010-03-05 CVE-2009-4676 Cowon America Buffer Errors vulnerability in Cowon America Jetaudio 7.5.2/7.5.3.15

Stack-based buffer overflow in JetCast.exe 2.0.4.1109 in jetAudio 7.5.2 and 7.5.3.15 allows remote attackers to execute arbitrary code via a long title in a FLAC file.

9.3
2010-03-05 CVE-2009-4668 Cowon America Buffer Errors vulnerability in Cowon America Jetaudio 7.5.2/7.5.3.15

Stack-based buffer overflow in JetCast.exe 2.0.4.1109 in jetAudio 7.5.2 and 7.5.3.15 allows remote attackers to execute arbitrary code via a long ID3 tag in an MP3 file.

9.3
2010-03-03 CVE-2009-4663 Quiksoft Buffer Errors vulnerability in Quiksoft Easymail Objects 6.0

Heap-based buffer overflow in the Quiksoft EasyMail Objects 6 ActiveX control allows remote attackers to execute arbitrary code via a long argument to the AddAttachment method.

9.3
2010-03-03 CVE-2009-4656 E Soft CO Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in E-Soft.Co DJ Studio PRO

Stack-based buffer overflow in E-Soft DJ Studio Pro 4.2 including 4.2.2.7.5, and 5.x including 5.1.4.3.1, allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a playlist file (.pls) containing a long string.

9.3
2010-03-03 CVE-2010-0766 Luxology Numeric Errors vulnerability in Luxology Modo 401

Integer overflow in the Swap4 function in valet4.dll in Luxology Modo 401 allows user-assisted remote attackers to execute arbitrary code via a .LXO file containing a CHNL subchunk associated with an invalid length.

9.3

32 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-03-05 CVE-2010-0573 Cisco Unspecified vulnerability in Cisco products

Unspecified vulnerability on the Cisco Digital Media Player before 5.2 allows remote attackers to hijack the source of (1) video or (2) data for a display via unknown vectors, related to a "content injection" issue, aka Bug ID CSCtc46024.

8.5
2010-03-05 CVE-2010-0571 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Digital Media Manager

Unspecified vulnerability in Cisco Digital Media Manager (DMM) 5.0.x and 5.1.x allows remote authenticated users to gain privileges via unknown vectors, and consequently execute arbitrary code via a crafted web application, aka Bug ID CSCtc46008.

8.5
2010-03-05 CVE-2010-0592 Cisco Denial of Service vulnerability in Cisco Unified Communications Manager CTI Manager Service

The CTI Manager service in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x before 4.3(2)sr1a, 6.x before 6.1(3), 7.0x before 7.0(2), 7.1x before 7.1(2), and 8.x before 8.0(1) allows remote attackers to cause a denial of service (service failure) via a malformed message, aka Bug ID CSCsu31800.

7.8
2010-03-05 CVE-2010-0591 Cisco Denial of Service vulnerability in Cisco Unified Communications Manager SIP Message (CVE-2010-0591)

Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5), 7.x before 7.1(3b)SU2, and 8.x before 8.0(1) allows remote attackers to cause a denial of service (process failure) via a malformed SIP REG message, related to an overflow of the Telephone-URL field, aka Bug ID CSCtc62362.

7.8
2010-03-05 CVE-2010-0590 Cisco Denial of Service vulnerability in Cisco Unified Communications Manager SIP Message (CVE-2010-0590)

The CMSIPUtility component in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 7.x before 7.1(3a)su1 and 8.x before 8.0(1) allows remote attackers to cause a denial of service (process failure) via a malformed SIP Register message, aka Bug ID CSCtc37188.

7.8
2010-03-05 CVE-2010-0588 Cisco Denial of Service vulnerability in Cisco Unified Communications Manager SCCP (CVE-2010-0588)

Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5), 7.x before 7.1(3a)su1, and 8.x before 8.0(1) allows remote attackers to cause a denial of service (process failure) via a malformed SCCP (1) RegAvailableLines or (2) FwdStatReq message with an invalid Line number, aka Bug ID CSCtc47823.

7.8
2010-03-05 CVE-2010-0587 Cisco Denial of Service vulnerability in Cisco Unified Communications Manager SCCP (CVE-2010-0587)

Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x before 4.3(2)SR2, 6.x before 6.1(5), 7.x before 7.1(3a)su1, and 8.x before 8.0(1) allows remote attackers to cause a denial of service (process failure) via a malformed SCCP StationCapabilitiesRes message with an invalid MaxCap field, aka Bug ID CSCtc38985.

7.8
2010-03-03 CVE-2010-0922 IBM Local Denial of Service vulnerability in IBM AIX 5.3

Unspecified vulnerability in secldapclntd in IBM AIX 5.3 with SP 5300-11-02 allows attackers to cause a denial of service (LDAP login failure) via unknown vectors.

7.8
2010-03-03 CVE-2010-0919 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Domino web Access and Lotus Inotes

Stack-based buffer overflow in the Lotus Domino Web Access ActiveX control in IBM Lotus iNotes (aka Domino Web Access or DWA) 6.5, 7.0 before 7.0.4, 8.0, 8.0.2, and before 229.281 for Domino 8.0.2 FP4 allows remote attackers to execute arbitrary code via a long URL argument to an unspecified method, aka PRAD7JTNHJ.

7.6
2010-03-03 CVE-2010-0917 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

Stack-based buffer overflow in VBScript in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, might allow user-assisted remote attackers to execute arbitrary code via a long string in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution when the F1 key is pressed, a different vulnerability than CVE-2010-0483.

7.6
2010-03-03 CVE-2010-0483 Microsoft Code Injection vulnerability in Microsoft products

vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows user-assisted remote attackers to execute arbitrary code by referencing a (1) local pathname, (2) UNC share pathname, or (3) WebDAV server with a crafted .hlp file in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution involving winhlp32.exe when the F1 key is pressed, aka "VBScript Help Keypress Vulnerability."

7.6
2010-03-05 CVE-2009-4675 Mole Group Improper Authentication vulnerability in Mole-Group Gastro Portal (Restaurant Directory) Script

admin/admin_info/index.php in the Mole Group Gastro Portal (Restaurant Directory) Script does not require administrative authentication, which allows remote attackers to change the admin password via an unspecified form submission.

7.5
2010-03-05 CVE-2009-4674 Mole Group Credentials Management vulnerability in Mole-Group products

admin/admin.php in Mole Group Sky Hunter Airline Ticket Sale Script and Bus Ticket Script allows remote attackers to change an arbitrary password via a modified user_id field.

7.5
2010-03-05 CVE-2009-4673 Mole Group SQL Injection vulnerability in Mole-Group Adult Portal Script

SQL injection vulnerability in profile.php in Mole Group Adult Portal Script allows remote attackers to execute arbitrary SQL commands via the user_id parameter.

7.5
2010-03-05 CVE-2009-4672 Grupenet
Wordpress
Path Traversal vulnerability in Grupenet Wp-Lytebox 1.3

Directory traversal vulnerability in main.php in the WP-Lytebox plugin 1.3 for WordPress allows remote attackers to include and execute arbitrary local files via a ..

7.5
2010-03-05 CVE-2009-4671 Beaussier Improper Authentication vulnerability in Beaussier Roomphplanning 1.6

Login.php in RoomPHPlanning 1.6 allows remote attackers to bypass authentication and obtain administrative access by setting the room_phplanning cookie to a value associated with the admin account.

7.5
2010-03-05 CVE-2009-4670 Beaussier Improper Authentication vulnerability in Beaussier Roomphplanning 1.6

admin/delitem.php in RoomPHPlanning 1.6 does not require authentication, which allows remote attackers to (1) delete arbitrary users via the user parameter or (2) delete arbitrary rooms via the room parameter.

7.5
2010-03-05 CVE-2009-4669 Beaussier SQL Injection vulnerability in Beaussier Roomphplanning 1.6

Multiple SQL injection vulnerabilities in RoomPHPlanning 1.6 allow remote attackers to execute arbitrary SQL commands via (1) the loginus parameter to Login.php or (2) the Old Password field to changepwd.php, and allow (3) remote authenticated administrators to execute arbitrary SQL commands via the id parameter to admin/userform.php.

7.5
2010-03-05 CVE-2009-4666 Qualityunit Code Injection vulnerability in Qualityunit Download Protect 1.0

Multiple PHP remote file inclusion vulnerabilities in Webradev Download Protect 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[RootPath] parameter to (1) Framework/EmailTemplates.class.php, (2) Customers/PDPEmailReplaceConstants.class.php, and (3) Admin/ResellersManager.class.php in includes/DProtect/.

7.5
2010-03-03 CVE-2009-4657 Omidrouhani Improper Authentication vulnerability in Omidrouhani Xerver 4.32

The administrator package for Xerver 4.32 does not require authentication, which allows remote attackers to alter application settings by connecting to the application on port 32123, as demonstrated by setting the action option to wizardStep1.

7.5
2010-03-02 CVE-2010-0803 Jvideodirect
Joomla
SQL Injection vulnerability in Jvideodirect COM Jvideodirect 1.1

SQL injection vulnerability in the jVideoDirect (com_jvideodirect) component 1.1 RC3b for Joomla! allows remote attackers to execute arbitrary SQL commands via the v parameter to index.php.

7.5
2010-03-02 CVE-2010-0802 Aleinbeen
Invision Power Services
SQL Injection vulnerability in Aleinbeen (Nv2) Awards 1.1.0

SQL injection vulnerability in index.php in (nv2) Awards 1.1.0, a modification for Invision Power Board, allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action.

7.5
2010-03-02 CVE-2010-0800 Joomservices
Joomla
SQL Injection vulnerability in Joomservices COM DMS 2.5.1

SQL injection vulnerability in the Ossolution Team Documents Seller (aka DMS) (com_dms) component 2.5.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a view_category action to index.php.

7.5
2010-03-02 CVE-2010-0798 Snowflake
Typo3
SQL Injection vulnerability in Snowflake T3Blog 0.5.0/0.6.0/0.6.1

SQL injection vulnerability in the T3BLOG extension 0.6.2 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2010-03-02 CVE-2010-0796 Harmistechnology
Joomla
SQL Injection vulnerability in Harmistechnology COM Jeeventcalendar 1.0

SQL injection vulnerability in the JE Quiz (com_jequizmanagement) component 1.b01 for Joomla! allows remote attackers to execute arbitrary SQL commands via the eid parameter in a question action to index.php.

7.5
2010-03-02 CVE-2010-0795 Harmistechnology
Joomla
SQL Injection vulnerability in Harmistechnology COM Jeeventcalendar 1.0

SQL injection vulnerability in the JE Event Calendars (com_jeeventcalendar) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the event_id parameter in an event action to index.php.

7.5
2010-03-02 CVE-2010-0764 Kuwaitphp SQL Injection vulnerability in Kuwaitphp Esmile

SQL injection vulnerability in index.php in KuwaitPHP eSmile allows remote attackers to execute arbitrary SQL commands via the cid parameter in a show action.

7.5
2010-03-02 CVE-2010-0763 Commodityrentals SQL Injection vulnerability in Commodityrentals Vacation Rental Software

SQL injection vulnerability in index.php in CommodityRentals Vacation Rental Software allows remote attackers to execute arbitrary SQL commands via the rental_id parameter in a CalendarView action.

7.5
2010-03-02 CVE-2010-0762 Commodityrentals SQL Injection vulnerability in Commodityrentals CD Rental Software

SQL injection vulnerability in index.php in CommodityRentals CD Rental Software allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a catalog action.

7.5
2010-03-02 CVE-2010-0761 Commodityrentals SQL Injection vulnerability in Commodityrentals Books/Ebooks Rentals Script

SQL injection vulnerability in index.php in CommodityRentals Books/eBooks Rentals Script allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a gamecatalog action.

7.5
2010-03-05 CVE-2010-0934 Perforce OS Command Injection vulnerability in Perforce Server 2008.1

The triggers functionality in Perforce Server 2008.1 allows remote authenticated users with super privileges to execute arbitrary operating-system commands by using a "p4 client" command in conjunction with the form-in trigger script.

7.1
2010-03-05 CVE-2010-0572 Cisco Information Exposure vulnerability in Cisco Digital Media Manager

Cisco Digital Media Manager (DMM) before 5.2 allows remote authenticated users to discover Cisco Digital Media Player credentials via vectors related to reading a (1) error log or (2) stack trace, aka Bug ID CSCtc46050.

7.1

33 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-03-05 CVE-2010-0393 Apple Permissions, Privileges, and Access Controls vulnerability in Apple Cups

The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to determine the file that provides localized message strings, which allows local users to gain privileges via a file that contains crafted localization data with format string specifiers.

6.9
2010-03-03 CVE-2010-0923 KDE Race Condition vulnerability in KDE SC 4.4.0

Race condition in workspace/krunner/lock/lockdlg.cc in the KRunner lock module in kdebase in KDE SC 4.4.0 allows physically proximate attackers to bypass KScreenSaver screen locking and access an unattended workstation by pressing the Enter key at a certain time, related to multiple forked processes.

6.9
2010-03-05 CVE-2010-0933 Perforce Path Traversal vulnerability in Perforce Server 2008.1

Directory traversal vulnerability in Perforce Server 2008.1 allows remote authenticated users to create arbitrary files via a ..

6.8
2010-03-03 CVE-2010-0921 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Lotus Inotes

Cross-site request forgery (CSRF) vulnerability in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.281 for Domino 8.0.2 FP4 allows remote attackers to hijack the authentication of unspecified victims via vectors related to lack of "XSS/CSRF Get Filter and Referer Check fixes."

6.8
2010-03-05 CVE-2009-4667 Phpmember SQL Injection vulnerability in PHPmember Webmember 1.0

SQL injection vulnerability in form.php in WebMember 1.0 allows remote authenticated users to execute arbitrary SQL commands via the formID parameter.

6.5
2010-03-05 CVE-2010-0932 Perforce Improper Input Validation vulnerability in Perforce Server 2008.1

The FTP server in Perforce Server 2008.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a certain MKD command.

5.0
2010-03-05 CVE-2010-0931 Perforce Improper Input Validation vulnerability in Perforce Server 2008.1

The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (daemon crash) via crafted data, possibly involving a large sndbuf value.

5.0
2010-03-05 CVE-2010-0930 Perforce Resource Management Errors vulnerability in Perforce Server 2008.1

The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (infinite loop) via crafted data that includes a byte sequence of 0xdc, 0xff, 0xff, and 0xff immediately before the client protocol version number.

5.0
2010-03-05 CVE-2010-0929 Perforce Improper Input Validation vulnerability in Perforce Server 2008.1

The Perforce service (p4s.exe) in Perforce Server 2008.1 allows remote attackers to cause a denial of service (daemon crash) via crafted data beginning with a byte sequence of 0x4c, 0xb3, 0xff, 0xff, and 0xff.

5.0
2010-03-05 CVE-2009-4665 Cutesoft Components Path Traversal vulnerability in Cutesoft Components Cute Editor FOR Asp.Net

Directory traversal vulnerability in CuteSoft_Client/CuteEditor/Load.ashx in CuteSoft Components Cute Editor for ASP.NET allows remote attackers to read arbitrary files via a ..

5.0
2010-03-05 CVE-2010-0408 Apache Unspecified vulnerability in Apache Http Server

The ap_proxy_ajp_request function in mod_proxy_ajp.c in mod_proxy_ajp in the Apache HTTP Server 2.2.x before 2.2.15 does not properly handle certain situations in which a client sends no request body, which allows remote attackers to cause a denial of service (backend server outage) via a crafted request, related to use of a 500 error code instead of the appropriate 400 error code.

5.0
2010-03-03 CVE-2010-0925 Apple
Microsoft
Denial-Of-Service vulnerability in Apple Safari 4.0.4

cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 in Apple Safari 4.0.4 on Windows, allows remote attackers to cause a denial of service (application crash) via a long string in the SRC attribute of a (1) IMG or (2) IFRAME element.

5.0
2010-03-03 CVE-2010-0924 Apple
Microsoft
Remote Denial Of Service vulnerability in Apple Safari 'background' attribute

cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 in Apple Safari 4.0.3 and 4.0.4 on Windows, allows remote attackers to cause a denial of service (application crash) via a long string in the BACKGROUND attribute of a BODY element.

5.0
2010-03-02 CVE-2010-0799 Perlunity Path Traversal vulnerability in Perlunity PHPunity.Newsmanager

Directory traversal vulnerability in misc/tell_a_friend/tell.php in phpunity.newsmanager allows remote attackers to read arbitrary files via a ..

5.0
2010-03-02 CVE-2010-0765 Fipsasp Permissions, Privileges, and Access Controls vulnerability in Fipsasp Fipsforum 2.6

fipsForum 2.6 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for _database/forumFips.mdb.

5.0
2010-03-05 CVE-2010-0935 Perforce Permissions, Privileges, and Access Controls vulnerability in Perforce Server

Perforce Server 2009.2 and earlier, when the protection table is empty, allows remote authenticated users to obtain super privileges via a "p4 protect" command.

4.6
2010-03-05 CVE-2010-0419 KVM Qumranet Permissions, Privileges, and Access Controls vulnerability in KVM Qumranet KVM 83

The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not properly restrict writing of segment selectors to segment registers, which might allow guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch.

4.4
2010-03-02 CVE-2010-0788 Ncpfs Link Following vulnerability in Ncpfs 2.2.6

ncpfs 2.2.6 allows local users to cause a denial of service, obtain sensitive information, or possibly gain privileges via symlink attacks involving the (1) ncpmount and (2) ncpumount programs.

4.4
2010-03-02 CVE-2010-0787 Samba Link Following vulnerability in Samba

client/mount.cifs.c in mount.cifs in smbfs in Samba 3.0.22, 3.0.28a, 3.2.3, 3.3.2, 3.4.0, and 3.4.5 allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file.

4.4
2010-03-05 CVE-2010-0434 Apache Information Exposure vulnerability in Apache Http Server

The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request.

4.3
2010-03-05 CVE-2010-0433 Openssl Improper Input Validation vulnerability in Openssl

The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.

4.3
2010-03-05 CVE-2010-0302 Apple Resource Management Errors vulnerability in Apple Cups

Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count.

4.3
2010-03-05 CVE-2010-0927 IBM Cross-Site Scripting vulnerability in IBM Lotus Domino

Cross-site scripting (XSS) vulnerability in help/readme.nsf/Header in the Help component in IBM Lotus Domino 7.x before 7.0.4 and 8.x before 8.0.2 allows remote attackers to inject arbitrary web script or HTML via the BaseTarget parameter in an OpenPage action.

4.3
2010-03-03 CVE-2009-4662 Novell Cross-Site Scripting vulnerability in Novell Groupwise

Cross-site scripting (XSS) vulnerability in the WebAccess component in Novell GroupWise 7.0 before 7.03 HP4 and 8.0 before 8.0 SP1 allows remote attackers to inject arbitrary web script or HTML via the User.Theme.index parameter.

4.3
2010-03-03 CVE-2009-4661 Bigantsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Bigantsoft Bigant Server

Multiple buffer overflows in BigAnt Server 2.50 SP6 and earlier allow user-assisted remote attackers to cause a denial of service (application crash) via a crafted ZIP file that is not properly handled when the victim uses the (1) Update or (2) Plug-In console menu item.

4.3
2010-03-03 CVE-2009-4659 MP3 Cutter Unspecified vulnerability in Mp3-Cutter Ease Audio Cutter 1.20

Unspecified vulnerability in MP3-Cutter Ease Audio Cutter 1.20 allows user-assisted remote attackers to cause a denial of service (application crash) via a long string in a WAV file.

4.3
2010-03-03 CVE-2010-0920 IBM Cross-Site Scripting vulnerability in IBM Lotus Inotes

Cross-site scripting (XSS) vulnerability in IBM Lotus iNotes (aka Domino Web Access or DWA) before 229.281 for Domino 8.0.2 FP4 allows remote attackers to inject arbitrary web script or HTML via vectors related to lack of "XSS/CSRF Get Filter and Referer Check fixes."

4.3
2010-03-03 CVE-2010-0205 Libpng
Apple
Fedoraproject
Opensuse
Suse
Canonical
Debian
Resource Exhaustion vulnerability in multiple products

The png_decompress_chunk function in pngrutil.c in libpng 1.0.x before 1.0.53, 1.2.x before 1.2.43, and 1.4.x before 1.4.1 does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.

4.3
2010-03-02 CVE-2010-0804 Netartmedia Cross-Site Scripting vulnerability in Netartmedia Iboutique 4.0

Cross-site scripting (XSS) vulnerability in index.php in iBoutique 4.0 allows remote attackers to inject arbitrary web script or HTML via the key parameter in a products action.

4.3
2010-03-02 CVE-2010-0797 Snowflake
Typo3
Cross-Site Scripting vulnerability in Snowflake T3Blog 0.5.0/0.6.0/0.6.1

Cross-site scripting (XSS) vulnerability in the T3BLOG extension 0.6.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-03-02 CVE-2010-0726 Tdiary Cross-Site Scripting vulnerability in Tdiary

Cross-site scripting (XSS) vulnerability in the tb-send.rb (TrackBack transmission) plugin in tDiary 2.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unknown vectors, possibly related to the (1) plugin_tb_url and (2) plugin_tb_excerpt parameters.

4.3
2010-03-05 CVE-2010-0928 Openssl
Gaisler
Xilinx
Cryptographic Issues vulnerability in Openssl 0.9.8I

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."

4.0
2010-03-03 CVE-2009-4658 Omidrouhani Improper Input Validation vulnerability in Omidrouhani Xerver 4.32

Xerver 4.32 allows remote authenticated users to cause a denial of service (daemon crash) via a non-numeric web port assignment in the management interface.

4.0

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-03-02 CVE-2010-0801 Autartica
Joomla
Path Traversal vulnerability in Autartica COM Autartitarot 1.0.3

Directory traversal vulnerability in the AutartiTarot (com_autartitarot) component 1.0.3 for Joomla! allows remote authenticated users, with "Public Back-end" group permissions, to read arbitrary files via directory traversal sequences in the controller parameter in an edit task to administrator/index.php.

3.5
2010-03-03 CVE-2009-4664 Fwbuilder
Linux
Link Following vulnerability in Fwbuilder Firewall Builder 3.0.4/3.0.5/3.0.6

Firewall Builder 3.0.4, 3.0.5, and 3.0.6, when running on Linux, allows local users to gain privileges via a symlink attack on an unspecified temporary file that is created by the iptables script.

3.3
2010-03-03 CVE-2010-0156 Puppet Link Following vulnerability in Puppet

Puppet 0.24.x before 0.24.9 and 0.25.x before 0.25.2 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/daemonout, (2) /tmp/puppetdoc.txt, (3) /tmp/puppetdoc.tex, or (4) /tmp/puppetdoc.aux temporary file.

3.3
2010-03-02 CVE-2010-0789 Fuse Link Following vulnerability in Fuse

fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local users to unmount an arbitrary FUSE filesystem share via a symlink attack on a mountpoint.

3.3
2010-03-05 CVE-2010-0792 Thibault Godouet Link Following vulnerability in Thibault Godouet Fcron

fcrontab in fcron before 3.0.5 allows local users to read arbitrary files via a symlink attack on an unspecified file.

1.9