Weekly Vulnerabilities Reports > July 5 to 11, 2010

Overview

52 new vulnerabilities reported during this period, including 9 critical vulnerabilities and 13 high severity vulnerabilities. This weekly summary report vulnerabilities in 35 products from 29 vendors including Opera, Google, Microsoft, Apple, and Mahara. Vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "SQL Injection", "Cross-site Scripting", "Improper Input Validation", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 52 reported vulnerabilities are remotely exploitables.
  • 9 reported vulnerabilities have public exploit available.
  • 21 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 51 reported vulnerabilities are exploitable by an anonymous user.
  • Opera has the most reported vulnerabilities, with 10 reported vulnerabilities.
  • Google has the most reported critical vulnerabilities, with 5 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

9 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-07-08 CVE-2010-1574 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Industrial Ethernet 3000 and IOS

IOS 12.2(52)SE and 12.2(52)SE1 on Cisco Industrial Ethernet (IE) 3000 series switches has (1) a community name of public for RO access and (2) a community name of private for RW access, which makes it easier for remote attackers to modify the configuration or obtain potentially sensitive information via SNMP requests, aka Bug ID CSCtf25589.

10.0
2010-07-08 CVE-2010-2445 Freeciv OS Command Injection vulnerability in Freeciv 2.2.0/2.3.0

freeciv 2.2 before 2.2.1 and 2.3 before 2.3.0 allows attackers to read arbitrary files or execute arbitrary commands via a scenario that contains Lua functionality, related to the (1) os, (2) io, (3) package, (4) dofile, (5) loadfile, (6) loadlib, (7) module, and (8) require modules or functions.

10.0
2010-07-08 CVE-2010-2666 Opera
Microsoft
Apple
Permissions, Privileges, and Access Controls vulnerability in Opera Browser

Opera before 10.54 on Windows and Mac OS X does not properly enforce permission requirements for widget filesystem access and directory selection, which allows user-assisted remote attackers to create or modify arbitrary files, and consequently execute arbitrary code, via widget File I/O operations.

9.3
2010-07-08 CVE-2010-2657 Opera Permissions, Privileges, and Access Controls vulnerability in Opera Browser

Opera before 10.60 on Windows and Mac OS X does not properly prevent certain double-click operations from running a program located on a web site, which allows user-assisted remote attackers to execute arbitrary code via a crafted web page that bypasses a dialog.

9.3
2010-07-06 CVE-2010-2651 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

The Cascading Style Sheets (CSS) implementation in Google Chrome before 5.0.375.99 does not properly perform style rendering, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

9.3
2010-07-06 CVE-2010-2650 Google Unspecified vulnerability in Google Chrome

Unspecified vulnerability in Google Chrome before 5.0.375.99 has unknown impact and attack vectors, related to an "annoyance with print dialogs."

9.3
2010-07-06 CVE-2010-2648 Google
Opensuse
Canonical
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The implementation of the Unicode Bidirectional Algorithm (aka Bidi algorithm or UBA) in Google Chrome before 5.0.375.99 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

9.3
2010-07-06 CVE-2010-2647 Google
Canonical
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Google Chrome before 5.0.375.99 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an invalid SVG document.

9.3
2010-07-06 CVE-2010-2646 Google Unspecified vulnerability in Google Chrome

Google Chrome before 5.0.375.99 does not properly isolate sandboxed IFRAME elements, which has unspecified impact and remote attack vectors.

9.3

13 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-07-08 CVE-2010-2679 Joomla SQL Injection vulnerability in Joomla COM Weblinks and Joomla!

SQL injection vulnerability in the Weblinks (com_weblinks) component in Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php.

7.5
2010-07-08 CVE-2010-2678 Guillermo Vargas
Joomla
SQL Injection vulnerability in Guillermo Vargas COM Xmap

SQL injection vulnerability in xmap (com_xmap) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php.

7.5
2010-07-08 CVE-2010-2674 Alanzard SQL Injection vulnerability in Alanzard Tsoka:Cms 1.1/1.9/2.0

SQL injection vulnerability in index.php in TSOKA:CMS 1.1, 1.9, and 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in an articolo action.

7.5
2010-07-08 CVE-2010-2673 Devana SQL Injection vulnerability in Devana

SQL injection vulnerability in profile_view.php in Devana 1.6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2010-07-08 CVE-2010-2672 EZ SQL Injection vulnerability in EZ Publish

Multiple SQL injection vulnerabilities in eZ Publish 3.7.0 through 4.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) SectionID and (2) SearchTimestamp parameters to the search feature and the (3) SearchContentClassAttributeID parameter to the advancedsearch feature.

7.5
2010-07-08 CVE-2010-2670 Brotherscripts SQL Injection vulnerability in Brotherscripts Recipe Website

SQL injection vulnerability in recipedetail.php in BrotherScripts Recipe Website allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2010-07-06 CVE-2010-2629 Cisco Improper Input Validation vulnerability in Cisco ACE 4710 and Content Services Switch 11500

The Cisco Content Services Switch (CSS) 11500 with software 8.20.4.02 and the Application Control Engine (ACE) 4710 with software A2(3.0) do not properly handle LF header terminators in situations where the GET line is terminated by CRLF, which allows remote attackers to conduct HTTP request smuggling attacks and possibly bypass intended header insertions via crafted header data, as demonstrated by an LF character between the ClientCert-Subject and ClientCert-Subject-CN headers.

7.5
2010-07-06 CVE-2010-2251 Alexander V Lukyanov Improper Input Validation vulnerability in Alexander V. Lukyanov Lftp

The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

7.5
2010-07-06 CVE-2010-1670 Mahara Improper Authentication vulnerability in Mahara

Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 has improper configuration options for authentication plugins associated with logins that use the single sign-on (SSO) functionality, which allows remote attackers to bypass authentication via an empty password.

7.5
2010-07-06 CVE-2010-1669 Mahara SQL Injection vulnerability in Mahara

SQL injection vulnerability in Mahara 1.1.x before 1.1.9 and 1.2.x before 1.2.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2010-07-06 CVE-2010-1576 Cisco Improper Input Validation vulnerability in Cisco ACE 4710 and Content Services Switch 11500

The Cisco Content Services Switch (CSS) 11500 with software before 8.20.4.02 and the Application Control Engine (ACE) 4710 with software before A2(3.0) do not properly handle use of LF, CR, and LFCR as alternatives to the standard CRLF sequence between HTTP headers, which allows remote attackers to bypass intended header insertions or conduct HTTP request smuggling attacks via crafted header data, as demonstrated by LF characters preceding ClientCert-Subject and ClientCert-Subject-CN headers, aka Bug ID CSCta04885.

7.5
2010-07-06 CVE-2010-1575 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Content Services Switch 11500 08.20.1.01

The Cisco Content Services Switch (CSS) 11500 with software 08.20.1.01 conveys authentication data through ClientCert-* headers but does not delete client-supplied ClientCert-* headers, which might allow remote attackers to bypass authentication via crafted header data, as demonstrated by a ClientCert-Subject-CN header, aka Bug ID CSCsz04690.

7.5
2010-07-06 CVE-2010-1327 Tornadostore SQL Injection vulnerability in Tornadostore

Multiple SQL injection vulnerabilities in TornadoStore 1.4.3 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the marca parameter to precios.php3 or (2) the where parameter in a delivery_courier action to control/abm_list.php3.

7.5

30 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-07-06 CVE-2010-2645 Google Unspecified vulnerability in Google Chrome

Unspecified vulnerability in Google Chrome before 5.0.375.99, when WebGL is used, allows remote attackers to cause a denial of service (out-of-bounds read) via unknown vectors.

6.8
2010-07-06 CVE-2010-2253 Gisle AAS
Search Cpan
Improper Input Validation vulnerability in multiple products

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a .

6.8
2010-07-06 CVE-2010-2252 GNU Improper Input Validation vulnerability in GNU Wget

GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.

6.8
2010-07-06 CVE-2010-1668 Mahara Cross-Site Request Forgery (CSRF) vulnerability in Mahara

Multiple cross-site request forgery (CSRF) vulnerabilities in Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.8
2010-07-08 CVE-2010-2668 Adaptivedisplays Improper Authentication vulnerability in Adaptivedisplays products

Unspecified vulnerability in Adaptive Micro Systems ALPHA Ethernet Adapter II Web-Manager 3.40.2 allows remote attackers to bypass authentication and read or write configuration files via unknown vectors.

6.4
2010-07-08 CVE-2010-2677 Openwebanalytics Code Injection vulnerability in Openwebanalytics Open web Analytics 1.2.3

PHP remote file inclusion vulnerability in mw_plugin.php in Open Web Analytics (OWA) 1.2.3, when magic_quotes_gpc is disabled and register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the IP parameter.

5.1
2010-07-08 CVE-2010-2676 Openwebanalytics Path Traversal vulnerability in Openwebanalytics Open web Analytics 1.2.3

Multiple directory traversal vulnerabilities in index.php in Open Web Analytics (OWA) 1.2.3 might allow remote attackers to read arbitrary files via directory traversal sequences in the (1) owa_action and (2) owa_do parameters.

5.0
2010-07-08 CVE-2010-2494 Bogofilter Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Bogofilter

Multiple buffer underflows in the base64 decoder in base64.c in (1) bogofilter and (2) bogolexer in bogofilter before 1.2.2 allow remote attackers to cause a denial of service (heap memory corruption and application crash) via an e-mail message with invalid base64 data that begins with an = (equals) character.

5.0
2010-07-08 CVE-2010-2656 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Advanced Management Module

The IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, stores sensitive information under the web root with insufficient access control, which allows remote attackers to download (1) logs or (2) core files via direct requests, as demonstrated by a request for private/sdc.tgz.

5.0
2010-07-06 CVE-2010-2652 Google Unspecified vulnerability in Google Chrome

Google Chrome before 5.0.375.99 does not properly implement modal dialogs, which allows attackers to cause a denial of service (application crash) via unspecified vectors.

5.0
2010-07-08 CVE-2010-2675 Alanzard Cross-Site Scripting vulnerability in Alanzard Tsoka:Cms 1.1/1.9/2.0

Cross-site scripting (XSS) vulnerability in index.php in TSOKA:CMS 1.1, 1.9, and 2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter in an articolo action.

4.3
2010-07-08 CVE-2010-2671 EZ Cross-Site Scripting vulnerability in EZ Publish

Cross-site scripting (XSS) vulnerability in advancedsearch.php in eZ Publish 3.7.0 through 4.2.0 allows remote attackers to inject arbitrary web script or HTML via the subTreeItem parameter.

4.3
2010-07-08 CVE-2010-2669 Novo WS Cross-Site Scripting vulnerability in Novo-Ws Orbis CMS 1.0.2

Cross-site scripting (XSS) vulnerability in admin/editors/text/editor-body.php in Orbis CMS 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the s parameter.

4.3
2010-07-08 CVE-2010-2665 Opera
Microsoft
Apple
Unix
Cross-Site Scripting vulnerability in Opera Browser

Cross-site scripting (XSS) vulnerability in Opera before 10.54 on Windows and Mac OS X, and before 10.11 on UNIX platforms, allows remote attackers to inject arbitrary web script or HTML via a data: URI, related to incorrect detection of the "opening site."

4.3
2010-07-08 CVE-2010-2664 Opera Unspecified vulnerability in Opera Browser

Opera before 10.60 allows remote attackers to cause a denial of service (application hang) via certain HTML content that has an unclosed SPAN element with absolute positioning.

4.3
2010-07-08 CVE-2010-2663 Opera Unspecified vulnerability in Opera Browser

Opera before 10.60 allows remote attackers to cause a denial of service (application hang) via an ended event handler that changes the SRC attribute of an AUDIO element.

4.3
2010-07-08 CVE-2010-2662 Opera Permissions, Privileges, and Access Controls vulnerability in Opera Browser

Opera before 10.60 allows remote attackers to bypass the popup blocker via a javascript: URL and a "fake click."

4.3
2010-07-08 CVE-2010-2661 Opera
Microsoft
Apple
Unix
Permissions, Privileges, and Access Controls vulnerability in Opera Browser

Opera before 10.54 on Windows and Mac OS X, and before 10.60 on UNIX platforms, does not properly restrict access to the full pathname of a file selected for upload, which allows remote attackers to obtain potentially sensitive information via unspecified DOM manipulations.

4.3
2010-07-08 CVE-2010-2660 Opera
Microsoft
Apple
Unix
Permissions, Privileges, and Access Controls vulnerability in Opera Browser

Opera before 10.54 on Windows and Mac OS X, and before 10.60 on UNIX platforms, does not properly restrict certain uses of homograph characters in domain names, which makes it easier for remote attackers to spoof IDN domains via unspecified choices of characters.

4.3
2010-07-08 CVE-2010-2659 Opera
Microsoft
Apple
Unix
Information Exposure vulnerability in Opera Browser

Opera before 10.50 on Windows, before 10.52 on Mac OS X, and before 10.60 on UNIX platforms makes widget properties accessible to third-party domains, which allows remote attackers to obtain potentially sensitive information via a crafted web site.

4.3
2010-07-08 CVE-2010-2658 Opera Improper Input Validation vulnerability in Opera Browser

Opera before 10.60 does not properly restrict certain interaction between plug-ins, file inputs, and the clipboard, which allows user-assisted remote attackers to trigger the uploading of arbitrary files via a crafted web site.

4.3
2010-07-08 CVE-2010-2654 IBM Cross-Site Scripting vulnerability in IBM Advanced Management Module

Multiple cross-site scripting (XSS) vulnerabilities on the IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, allow remote attackers to inject arbitrary web script or HTML via the (1) INDEX or (2) IPADDR parameter to private/cindefn.php, (3) the domain parameter to private/power_management_policy_options.php, the slot parameter to (4) private/pm_temp.php or (5) private/power_module.php, (6) the WEBINDEX parameter to private/blade_leds.php, or (7) the SLOT parameter to private/ipmi_bladestatus.php.

4.3
2010-07-08 CVE-2010-2244 Avahi Unspecified vulnerability in Avahi 0.6.16/0.6.25

The AvahiDnsPacket function in avahi-core/socket.c in avahi-daemon in Avahi 0.6.16 and 0.6.25 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a DNS packet with an invalid checksum followed by a DNS packet with a valid checksum, a different vulnerability than CVE-2008-5081.

4.3
2010-07-06 CVE-2010-2649 Google Unspecified vulnerability in Google Chrome

Unspecified vulnerability in Google Chrome before 5.0.375.99 allows remote attackers to cause a denial of service (application crash) via an invalid image.

4.3
2010-07-06 CVE-2010-2631 Libtiff Improper Input Validation vulnerability in Libtiff 3.9.0

LibTIFF 3.9.0 ignores tags in certain situations during the first stage of TIFF file processing and does not properly handle this during the second stage, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.

4.3
2010-07-06 CVE-2010-2630 Libtiff Improper Input Validation vulnerability in Libtiff 3.9.0

The TIFFReadDirectory function in LibTIFF 3.9.0 does not properly validate the data types of codec-specific tags that have an out-of-order position in a TIFF file, which allows remote attackers to cause a denial of service (application crash) via a crafted file, a different vulnerability than CVE-2010-2481.

4.3
2010-07-06 CVE-2010-2479 Htmlpurifier
Mahara
Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in HTML Purifier before 4.1.1, as used in Mahara and other products, when the browser is Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-07-06 CVE-2010-1667 Mahara Cross-Site Scripting vulnerability in Mahara

Multiple cross-site scripting (XSS) vulnerabilities in Mahara before 1.0.15, 1.1.x before 1.1.9, and 1.2.x before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-07-06 CVE-2010-1328 Tornadostore Cross-Site Scripting vulnerability in Tornadostore

Multiple cross-site scripting (XSS) vulnerabilities in TornadoStore 1.4.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) tipo or (2) destino parameter to login_registrese.php3 in the Services section, (3) the rubro parameter to precios.php3 in the Products section, (4) the arti parameter to recomenda_articulo.php3 in the Products section, (5) the descrip parameter in a profile action to control/abm_det.php3 in the e-Commerce section, (6) the tit parameter in a delivery_courier action to control/abm_list.php3 in the e-Commerce section, or (7) the tit parameter in an usuario action to control/abm_det.php3 in the e-Commerce section.

4.3
2010-07-08 CVE-2010-2655 IBM Path Traversal vulnerability in IBM Advanced Management Module

Directory traversal vulnerability in private/file_management.php on the IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, allows remote authenticated users to list arbitrary directories and possibly have unspecified other impact via a ..

4.0

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS