Weekly Vulnerabilities Reports > July 12 to 18, 2010

Overview

116 new vulnerabilities reported during this period, including 11 critical vulnerabilities and 31 high severity vulnerabilities. This weekly summary report vulnerabilities in 79 products from 43 vendors including Oracle, Microsoft, HP, Joomla, and Esoftpro. Vulnerabilities are notably categorized as "SQL Injection", "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Code Injection", and "Permissions, Privileges, and Access Controls".

  • 93 reported vulnerabilities are remotely exploitables.
  • 33 reported vulnerabilities have public exploit available.
  • 38 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 85 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 56 reported vulnerabilities.
  • Oracle has the most reported critical vulnerabilities, with 5 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

11 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-07-13 CVE-2010-0907 Oracle Remote vulnerability in Oracle Secure Backup 10.3.0.1

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2010-0898, CVE-2010-0899, CVE-2010-0904, and CVE-2010-0906.

10.0
2010-07-13 CVE-2010-0898 Oracle Unspecified vulnerability in Oracle Secure Backup 10.3.0.1

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

10.0
2010-07-13 CVE-2010-0873 Oracle Remote Data Server vulnerability in Oracle Timesten In-Memory Database 7.0.6.0

Unspecified vulnerability in the Data Server component in Oracle TimesTen In-Memory Database 7.0.6.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

10.0
2010-07-13 CVE-2010-2523 Linux Ipv6 Buffer Errors vulnerability in Linux-Ipv6 Umip 0.4

Multiple buffer overflows in ha.c in the mipv6 daemon in UMIP 0.4 allow remote attackers to have an unspecified impact via a crafted (1) ND_OPT_PREFIX_INFORMATION or (2) ND_OPT_HOME_AGENT_INFO packet.

10.0
2010-07-15 CVE-2010-1881 Microsoft Code Injection vulnerability in Microsoft Access 2003

The FieldList ActiveX control in the Microsoft Access Wizard Controls in ACCWIZ.dll in Microsoft Office Access 2003 SP3 does not properly interact with the memory-access approach used by Internet Explorer and Office during instantiation, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTML document that references this control along with crafted persistent storage data, aka "ACCWIZ.dll Uninitialized Variable Vulnerability."

9.3
2010-07-15 CVE-2010-0814 Microsoft Code Injection vulnerability in Microsoft Access 2003/2007

The Microsoft Access Wizard Controls in ACCWIZ.dll in Microsoft Office Access 2003 SP3 and 2007 SP1 and SP2 do not properly interact with the memory-allocation approach used by Internet Explorer during instantiation, which allows remote attackers to execute arbitrary code via a web site that references multiple ActiveX controls, as demonstrated by the ImexGrid and FieldList controls, aka "Access ActiveX Control Vulnerability."

9.3
2010-07-15 CVE-2010-0266 Microsoft Code Injection vulnerability in Microsoft Outlook 2002/2003/2007

Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability."

9.3
2010-07-12 CVE-2010-2702 Epicgames Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Epicgames products

Buffer overflow in the UGameEngine::UpdateConnectingMessage function in the Unreal engine 1, 2, and 2.5, as used in multiple games including Unreal Tournament 2004, Unreal tournament 2003, Postal 2, Raven Shield, and SWAT4, when downloads are enabled, allows remote attackers to execute arbitrary code via a long LEVEL field in a WELCOME response to a download request.

9.3
2010-07-12 CVE-2010-2701 Fathsoft Buffer Errors vulnerability in Fathsoft Fathftp 1.7

Multiple buffer overflows in the FathFTP ActiveX control 1.7 allow remote attackers to execute arbitrary code via (1) the GetFromURL member or (2) a long argument to the RasIsConnected method.

9.3
2010-07-13 CVE-2010-0906 Oracle Remote vulnerability in Oracle Secure Backup 10.3.0.1

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

9.0
2010-07-13 CVE-2010-0899 Oracle
Microsoft
Remote Secure Backup vulnerability in Oracle Secure Backup 10.3.0.1

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2010-0898, CVE-2010-0907, and CVE-2010-0906.

9.0

31 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-07-13 CVE-2010-0911 Oracle Remote Listener vulnerability in Oracle

Unspecified vulnerability in the Listener component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote attackers to affect availability via unknown vectors.

7.8
2010-07-13 CVE-2010-0903 Oracle
Microsoft
Remote Net Foundation Layer vulnerability in Oracle Database Server

Unspecified vulnerability in the Net Foundation Layer component in Oracle Database Server 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1, when running on Windows, allows remote attackers to affect availability via unknown vectors.

7.8
2010-07-13 CVE-2010-0083 Oracle Unspecified vulnerability in Oracle Opensolaris 10/8/9

Unspecified vulnerability in Oracle OpenSolaris 8, 9, and 10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

7.6
2010-07-15 CVE-2010-1965 HP
Microsoft
Unspecified vulnerability in HP Insight Orchestration

Unspecified vulnerability in HP Insight Orchestration for Windows before 6.1 allows remote attackers to read or modify data via unknown vectors.

7.5
2010-07-13 CVE-2010-0908 Oracle Remote Oracle Applications Framework vulnerability in Oracle E-Business Suite 12.1.2

Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

7.5
2010-07-13 CVE-2010-2721 Rightinpoint SQL Injection vulnerability in Rightinpoint Lyrics Engine 3.0

SQL injection vulnerability in index.php in RightInPoint Lyrics Script 3.0 allows remote attackers to execute arbitrary SQL commands via the artist_id parameter in an addalbum action.

7.5
2010-07-13 CVE-2010-2720 Phpaa SQL Injection vulnerability in PHPaa PHPaacms 0.3.1

SQL injection vulnerability in list.php in phpaaCms 0.3.1 UTF-8, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2010-07-13 CVE-2010-2719 Phpaa SQL Injection vulnerability in PHPaa PHPaacms 0.3.1

SQL injection vulnerability in show.php in phpaaCms 0.3.1 UTF-8, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2010-07-13 CVE-2010-2716 Rich Kavanagh SQL Injection vulnerability in Rich Kavanagh Psnews 1.3

Multiple SQL injection vulnerabilities in PsNews 1.3 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) ndetail.php and (2) print.php.

7.5
2010-07-13 CVE-2010-2714 Tcwonline SQL Injection vulnerability in Tcwonline TCW PHP Album 1.0

SQL injection vulnerability in photos/index.php in TCW PHP Album 1.0 allows remote attackers to execute arbitrary SQL commands via the album parameter.

7.5
2010-07-12 CVE-2010-2699 Edgephp SQL Injection vulnerability in Edgephp Clickbank Affiliate Marketplace Script

SQL injection vulnerability in index.php in Edge PHP Clickbank Affiliate Marketplace Script (CBQuick) allows remote attackers to execute arbitrary SQL commands via the search parameter.

7.5
2010-07-12 CVE-2010-2696 Sijio SQL Injection vulnerability in Sijio Community Software

SQL injection vulnerability in gallery/index.php in Sijio Community Software allows remote attackers to execute arbitrary SQL commands via the parent parameter.

7.5
2010-07-12 CVE-2010-2694 Redcomponent
Joomla
SQL Injection vulnerability in Redcomponent COM Redshop 1.0

SQL injection vulnerability in the redSHOP Component (com_redshop) 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the pid parameter to index.php.

7.5
2010-07-12 CVE-2010-2691 2Daybiz SQL Injection vulnerability in 2Daybiz Custom T-Shirt Design Script

Multiple SQL injection vulnerabilities in 2daybiz Custom T-Shirt Design Script allow remote attackers to execute arbitrary SQL commands via the (1) sbid parameter to products_details.php, (2) pid parameter to products/products.php, and (3) designid parameter to designview.php.

7.5
2010-07-12 CVE-2010-2690 Jooforge
Joomla
SQL Injection vulnerability in Jooforge COM Gamesbox 1.0.2

SQL injection vulnerability in the JOOFORGE Gamesbox (com_gamesbox) component 1.0.2, and possibly earlier, for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a consoles action to index.php.

7.5
2010-07-12 CVE-2010-2689 Internetdm SQL Injection vulnerability in Internetdm Webdm CMS

SQL injection vulnerability in cont_form.php in Internet DM WebDM CMS allows remote attackers to execute arbitrary SQL commands via the cf_id parameter.

7.5
2010-07-12 CVE-2010-2688 Site2Nite SQL Injection vulnerability in Site2Nite Boat Classifieds

SQL injection vulnerability in detail.asp in Site2Nite Boat Classifieds allows remote attackers to execute arbitrary SQL commands via the ID parameter.

7.5
2010-07-12 CVE-2010-2687 Site2Nite SQL Injection vulnerability in Site2Nite Boat Classifieds

SQL injection vulnerability in printdetail.asp in Site2Nite Boat Classifieds allows remote attackers to execute arbitrary SQL commands via the Id parameter.

7.5
2010-07-12 CVE-2010-2686 Topmanage SQL Injection vulnerability in Topmanage OLK Module 1.91.30

Multiple SQL injection vulnerabilities in clientes.asp in the TopManage OLK module 1.91.30 for SAP allow remote attackers to execute arbitrary SQL commands via the (1) PriceFrom, (2) PriceTo, and (3) InvFrom parameters, as reachable from olk/c_p/searchCart.asp, and other unspecified vectors when performing an advanced search.

7.5
2010-07-12 CVE-2010-2685 Customerparadigm Permissions, Privileges, and Access Controls vulnerability in Customerparadigm Pagedirector CMS

siteadmin/adduser.php in Customer Paradigm PageDirector CMS does not properly restrict access, which allows remote attackers to bypass intended restrictions and add administrative users via a direct request.

7.5
2010-07-12 CVE-2010-2684 Customerparadigm SQL Injection vulnerability in Customerparadigm Pagedirector CMS

SQL injection vulnerability in index.php in Customer Paradigm PageDirector CMS allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2010-07-12 CVE-2010-2683 Customerparadigm SQL Injection vulnerability in Customerparadigm Pagedirector CMS

SQL injection vulnerability in result.php in Customer Paradigm PageDirector CMS allows remote attackers to execute arbitrary SQL commands via the sub_catid parameter.

7.5
2010-07-12 CVE-2010-2682 Realtyna
Joomla
Path Traversal vulnerability in Realtyna COM Realtyna 1.0.15

Directory traversal vulnerability in the Realtyna Translator (com_realtyna) component 1.0.15 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a ..

7.5
2010-07-12 CVE-2010-2681 Joomla Code Injection vulnerability in Joomla COM SEF

PHP remote file inclusion vulnerability in the SEF404x (com_sef) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig.absolute.path parameter to index.php.

7.5
2010-07-12 CVE-2009-4935 Esoftpro SQL Injection vulnerability in Esoftpro Online Guestbook PRO

SQL injection vulnerability in ogp_show.php in Online Guestbook Pro allows remote attackers to execute arbitrary SQL commands via the display parameter.

7.5
2010-07-12 CVE-2009-4933 Winterwebs SQL Injection vulnerability in Winterwebs Ezwebitor

Multiple SQL injection vulnerabilities in login.php in EZ Webitor allow remote attackers to execute arbitrary SQL commands via the (1) txtUserId (Username) and (2) txtPassword (Password) parameters.

7.5
2010-07-12 CVE-2009-4929 Sweetphp Improper Authentication vulnerability in Sweetphp Totalcalender 2.4

admin/manage_users.php in TotalCalendar 2.4 does not require administrative authentication, which allows remote attackers to change arbitrary passwords via the newPW1 and newPW2 parameters.

7.5
2010-07-12 CVE-2009-4928 Sweetphp Code Injection vulnerability in Sweetphp Totalcalendar 2.4

PHP remote file inclusion vulnerability in config.php in TotalCalendar 2.4 allows remote attackers to execute arbitrary PHP code via a URL in the inc_dir parameter, a different vector than CVE-2006-1922 and CVE-2006-7055.

7.5
2010-07-12 CVE-2009-4927 Webmobo Improper Authentication vulnerability in Webmobo Wbnews 2.1.2

WB News 2.1.2 allows remote attackers to bypass authentication and gain administrative access via a modified WBNEWS cookie, as demonstrated by setting this cookie to 1.

7.5
2010-07-13 CVE-2010-2693 Freebsd Permissions, Privileges, and Access Controls vulnerability in Freebsd

FreeBSD 7.1 through 8.1-PRERELEASE does not copy the read-only flag when creating a duplicate mbuf buffer reference, which allows local users to cause a denial of service (system file corruption) and gain privileges via the sendfile system call.

7.2
2010-07-12 CVE-2010-2489 Ruby Lang
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ruby-Lang Ruby

Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files.

7.2

51 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-07-12 CVE-2010-0832 Canonical Link Following vulnerability in Canonical Ubuntu Linux 10.04/9.10

pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1.1 in PAM on Ubuntu 9.10 and libpam-modules before 1.1.1-2ubuntu5 in PAM on Ubuntu 10.04 LTS allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a user's home directory, related to "user file stamps" and the motd.legal-notice file.

6.9
2010-07-15 CVE-2010-1971 HP
Microsoft
Cross-Site Request Forgery (CSRF) vulnerability in HP Insight Software Installer 3.00/3.10

Cross-site request forgery (CSRF) vulnerability in HP Insight Software Installer for Windows before 6.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, a different vulnerability than CVE-2010-1968.

6.8
2010-07-15 CVE-2010-1968 HP
Microsoft
Cross-Site Request Forgery (CSRF) vulnerability in HP Insight Software Installer 3.00/3.10

Cross-site request forgery (CSRF) vulnerability in HP Insight Software Installer for Windows before 6.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, a different vulnerability than CVE-2010-1971.

6.8
2010-07-12 CVE-2010-2680 Harmistechnology
Joomla
Path Traversal vulnerability in Harmistechnology COM Jesectionfinder

Directory traversal vulnerability in the JExtensions JE Section/Property Finder (jesectionfinder) component for Joomla! allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the view parameter to index.php.

6.8
2010-07-12 CVE-2009-4932 Mpesch3 DE1 Buffer Errors vulnerability in Mpesch3.De1 1By1 1.67

Stack-based buffer overflow in 1by1 1.67 (aka 1.6.7.0) allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a .m3u playlist file.

6.8
2010-07-12 CVE-2009-4931 Bestwebsharing Buffer Errors vulnerability in Bestwebsharing Groovy Media Player 1.1.0

Stack-based buffer overflow in Groovy Media Player 1.1.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a .m3u playlist file.

6.8
2010-07-12 CVE-2009-4925 Creasito SQL Injection vulnerability in Creasito E-Commerce Content Manager 1.3.16

Multiple SQL injection vulnerabilities in Portale e-commerce Creasito (aka creasito e-commerce content manager) 1.3.16, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the username parameter to (1) admin/checkuser.php and (2) checkuser.php.

6.8
2010-07-12 CVE-2010-2695 Xlightftpd Path Traversal vulnerability in Xlightftpd Xlight FTP Server 3.5/3.5.5

Directory traversal vulnerability in the SFTP/SSH2 virtual server in Xlight FTP Server 3.5.0, 3.5.5, and possibly other versions before 3.6 allows remote authenticated users to read, overwrite, or delete arbitrary files via ..

6.5
2010-07-13 CVE-2010-2375 BEA
BEA Systems
Oracle
Package/Privilege: Plugins for Apache, Sun and IIS web servers Unspecified vulnerability in the WebLogic Server component in Oracle Fusion Middleware 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2, and 10.3.3 allows remote attackers to affect confidentiality and integrity, related to IIS.
6.4
2010-07-13 CVE-2010-2227 Apache Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apache Tomcat

Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

6.4
2010-07-13 CVE-2010-0916 Oracle Unspecified vulnerability in Oracle Opensolaris 10

Unspecified vulnerability in Oracle OpenSolaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to rdist.

6.2
2010-07-13 CVE-2010-0902 Oracle Remote Oracle OLAP vulnerability in Oracle Database Server

Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

6.0
2010-07-13 CVE-2010-2385 Oracle Administration Server Remote vulnerability in Oracle SUN Java System web Proxy Server 4.0.13

Unspecified vulnerability in Oracle Sun Java System Web Proxy Server 4.0.13 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Administration Server.

5.8
2010-07-13 CVE-2010-2392 Oracle Local ZFS vulnerability in Oracle Opensolaris and Solaris

Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect integrity and availability, related to ZFS.

5.6
2010-07-13 CVE-2010-2402 Oracle Remote vulnerability in Oracle Peoplesoft and Jdedwards Product Suite 8.49.27

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft and JDEdwards Suite 8.49.27 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

5.5
2010-07-13 CVE-2010-2401 Oracle Remote eProfile Manager vulnerability in Oracle Peoplesoft and Jdedwards Suite HCM 9.0

Unspecified vulnerability in the PeopleSoft Enterprise HCM - eProfile Mgr component in Oracle PeopleSoft and JDEdwards Suite HCM 9.0 Bundle #9 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

5.5
2010-07-13 CVE-2010-0915 Oracle Remote Oracle Advanced Product Catalog vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.2

Unspecified vulnerability in the Oracle Advanced Product Catalog component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

5.5
2010-07-13 CVE-2010-0914 Oracle Remote vulnerability in Oracle SUN Convergence 1.0

Unspecified vulnerability in Oracle Sun Convergence 1.0 allows remote attackers to affect confidentiality via unknown vectors related to Mail, Calendar, Address Book, and Instant Messaging.

5.0
2010-07-13 CVE-2010-0910 Oracle Remote Data Server vulnerability in Oracle TimesTen In-Memory Database 11.2.1.4.1/7.0.6.0

Unspecified vulnerability in the Data Server component in Oracle TimesTen In-Memory Database 7.0.6.0 and 11.2.1.4.1 allows remote attackers to affect availability via unknown vectors.

5.0
2010-07-13 CVE-2010-0904 Oracle Remote Authentication Bypass vulnerability in Oracle Secure Backup 10.3.0.1

Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect integrity via unknown vectors.

5.0
2010-07-13 CVE-2010-2386 Oracle GigaSwift Ethernet Driver Local vulnerability in Oracle Opensolaris and Solaris

Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSolaris, allows local users to affect availability via unknown vectors related to GigaSwift Ethernet Driver.

4.9
2010-07-13 CVE-2010-2394 Oracle TCP/IP Local vulnerability in Oracle Solaris 10

Unspecified vulnerability in Oracle Solaris 10 allows local users to affect availability, related to TCP/IP.

4.7
2010-07-15 CVE-2010-1970 HP
Microsoft
Unspecified vulnerability in HP Insight Software Installer 3.00/3.10

Unspecified vulnerability in HP Insight Software Installer for Windows before 6.1 allows local users to read or modify data, and consequently gain privileges, via unknown vectors.

4.6
2010-07-15 CVE-2010-1966 HP
Microsoft
Unspecified vulnerability in HP Insight Control 3.00/3.10

Unspecified vulnerability in HP Insight Control power management for Windows before 6.1 allows local users to read or modify data, or cause a denial of service, via unknown vectors.

4.6
2010-07-13 CVE-2010-2400 Oracle Kernel/Filesystem Local vulnerability in Oracle Opensolaris and Solaris

Unspecified vulnerability in Oracle Solaris 9 and 10, and OpenSolaris, allows local users to affect availability via unknown vectors related to Kernel/Filesystem.

4.6
2010-07-13 CVE-2010-2399 Oracle Kernel/VM Local vulnerability in Oracle Opensolaris and Solaris

Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect availability via unknown vectors related to Kernel/VM.

4.6
2010-07-13 CVE-2010-2380 Oracle Local vulnerability in Oracle Peoplesoft and Jdedwards Suite SCM 8.9/9.0/9.1

Unspecified vulnerability in the PeopleSoft Enterprise FSCM component in Oracle PeopleSoft and JDEdwards Suite SCM 8.9 Bundle #37, SCM 9.0 Bundle #30, and SCM 9.1 Bundle #4 allows local users to affect confidentiality, integrity, and availability via unknown vectors.

4.3
2010-07-13 CVE-2010-2373 Oracle Remote Console vulnerability in Oracle Enterprise Manager Grid Control 10g

Unspecified vulnerability in the Console component in Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5 allows remote attackers to affect integrity via unknown vectors.

4.3
2010-07-13 CVE-2010-2372 Oracle Remote vulnerability in Oracle Supply Chain products Suite 6.1.1

Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1.1 allows remote attackers to affect integrity via unknown vectors, a different vulnerability than CVE-2010-2371.

4.3
2010-07-13 CVE-2010-2370 Oracle Cross-Site Scripting vulnerability in Oracle Fusion Middleware 10.3/5.7/6.0

Unspecified vulnerability in the Oracle Business Process Management component in Oracle Fusion Middleware 5.7 MP3, 6.0 MP5, and 10.3 MP2 allows remote attackers to affect integrity, related to BPM.

4.3
2010-07-13 CVE-2010-0913 Oracle Remote Oracle Applications Manager vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.2

Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors.

4.3
2010-07-13 CVE-2010-0912 Oracle Remote Oracle Applications Framework vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.2

Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors.

4.3
2010-07-13 CVE-2010-0905 Oracle Remote Oracle Applications Manager vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.4

Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2 and 12.0.4 allows remote attackers to affect integrity via unknown vectors.

4.3
2010-07-13 CVE-2010-0892 Oracle Remote vulnerability in Oracle Database Server 3.2.0.00.27

Unspecified vulnerability in the Application Express component in Oracle Database Server 3.2.0.00.27 allows remote attackers to affect integrity via unknown vectors.

4.3
2010-07-13 CVE-2010-0835 Oracle Remote Wireless vulnerability in Oracle Fusion Middleware 10.1.2.3

Unspecified vulnerability in the Wireless component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors.

4.3
2010-07-13 CVE-2009-3762 Oracle Remote vulnerability in Oracle Opensso Enterprise 8.0

Unspecified vulnerability in Oracle OpenSSO Enterprise 8.0 allows remote attackers to affect integrity via unknown vectors.

4.3
2010-07-13 CVE-2009-3764 Oracle Remote vulnerability in Oracle Opensso Enterprise 8.0

Unspecified vulnerability in the OpenSSO component in Oracle OpenSSO Enterprise 8.0 allows remote attackers to affect integrity via unknown vectors.

4.3
2010-07-13 CVE-2009-3763 Oracle Authentication Remote vulnerability in Oracle Opensso Enterprise 7.0/7.1/8.0

Unspecified vulnerability in the Access Manager / OpenSSO component in Oracle OpenSSO Enterprise 7.1, 7, 2005Q4, and 8.0 allows remote attackers to affect integrity via unknown vectors.

4.3
2010-07-13 CVE-2010-2723 Lsoft Cross-Site Scripting vulnerability in Lsoft Listserv 15.0/16.0

Cross-site scripting (XSS) vulnerability in LISTSERV 15 and 16 allows remote attackers to inject arbitrary web script or HTML via the T parameter.

4.3
2010-07-13 CVE-2010-2722 Rightinpoint Cross-Site Scripting vulnerability in Rightinpoint Lyrics Engine 3.0

Cross-site scripting (XSS) vulnerability in index.php in RightInPoint Lyrics Script 3.0 allows remote attackers to inject arbitrary web script or HTML via the artist_id parameter, which is not properly handled in a forced SQL error message.

4.3
2010-07-13 CVE-2010-2718 Cruxsoftware Cross-Site Scripting vulnerability in Cruxsoftware Cruxpa 2.00

Multiple cross-site scripting (XSS) vulnerabilities in CruxSoftware CruxPA 2.00, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) txtusername parameter to login.php, (2) todo parameter to newtodo.php, and unspecified vectors to (3) newtelephone.php and (4) newappointment.php.

4.3
2010-07-13 CVE-2010-2717 Cruxsoftware Cross-Site Scripting vulnerability in Cruxsoftware Cruxcms 3.0

Cross-site scripting (XSS) vulnerability in manager/login.php in CruxSoftware CruxCMS 3.0, and possibly earlier, allows remote attackers to inject arbitrary web script or HTML via the txtusername parameter.

4.3
2010-07-13 CVE-2010-2715 Tcwonline Cross-Site Scripting vulnerability in Tcwonline TCW PHP Album 1.0

Cross-site scripting (XSS) vulnerability in photos/index.php in TCW PHP Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the album parameter.

4.3
2010-07-12 CVE-2010-2700 Edgephp Cross-Site Scripting vulnerability in Edgephp Clickbank Affiliate Marketplace Script

Cross-site scripting (XSS) vulnerability in index.php in Edge PHP Clickbank Affiliate Marketplace Script (CBQuick) allows remote attackers to inject arbitrary web script or HTML via the search parameter.

4.3
2010-07-12 CVE-2010-2692 2Daybiz Cross-Site Scripting vulnerability in 2Daybiz Custom T-Shirt Design Script

Cross-site scripting (XSS) vulnerability in 2daybiz Custom T-Shirt Design Script allows remote attackers to inject arbitrary web script or HTML via a review comment.

4.3
2010-07-12 CVE-2009-4934 Esoftpro Cross-Site Scripting vulnerability in Esoftpro Online Photo PRO 2.0

Cross-site scripting (XSS) vulnerability in index.php in Online Photo Pro 2.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter.

4.3
2010-07-12 CVE-2009-4930 Sungard Cross-Site Scripting vulnerability in Sungard Banner Student 7.4

Cross-site scripting (XSS) vulnerability in the twbkwbis.P_SecurityQuestion (aka Change Security Question) page in SunGard Banner Student System 7.4 allows remote attackers to inject arbitrary web script or HTML via the New Question field.

4.3
2010-07-12 CVE-2009-4926 Esoftpro Cross-Site Scripting vulnerability in Esoftpro Online Contact Manager 3.0

Multiple cross-site scripting (XSS) vulnerabilities in Online Contact Manager (formerly EContact PRO) 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) showGroup parameter to (a) index.php and the (2) id parameter to (b) view.php, (c) email.php, (d) edit.php, and (e) delete.php.

4.3
2010-07-13 CVE-2010-2398 Oracle Remote vulnerability in Oracle Peoplesoft and Jdedwards Suite HCM 9.0

Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft and JDEdwards Suite HCM 9.0 Bundle #12 allows remote authenticated users to affect confidentiality via unknown vectors.

4.0
2010-07-13 CVE-2010-2379 Oracle Time & Labor Remote vulnerability in Oracle PeopleSoft Enterprise HCM 9.0/9.1

Unspecified vulnerability in the PeopleSoft Enterprise HCM - Time & Labor component in Oracle PeopleSoft and JDEdwards Suite HCM 9.0 Bundle #13 and HCM 9.1 Bundle #2 allows remote authenticated users to affect confidentiality via unknown vectors.

4.0
2010-07-13 CVE-2010-2377 Oracle Remote vulnerability in Oracle PeopleSoft Enterprise PeopleTools

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft and JDEdwards Suite 8.49.27 and 8.50.10 allows remote authenticated users to affect integrity via unknown vectors.

4.0

23 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-07-13 CVE-2010-2393 Oracle Local vulnerability in Oracle Opensolaris and Solaris

Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect availability, related to RPC.

3.8
2010-07-15 CVE-2010-1967 HP
Microsoft
Unspecified vulnerability in HP Insight Software Installer 3.00/3.10

Unspecified vulnerability in HP Insight Software Installer for Windows before 6.1 allows local users to read or modify data via unknown vectors.

3.6
2010-07-13 CVE-2010-2381 Oracle Remote vulnerability in Oracle Application Server Control

Unspecified vulnerability in the Application Server Control component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.0.1 allows remote authenticated users to affect integrity via unknown vectors, a different vulnerability than CVE-2010-0081.

3.5
2010-07-13 CVE-2010-0909 Oracle Remote Oracle Applications Framework vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.2

Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect confidentiality via unknown vectors.

3.5
2010-07-13 CVE-2010-0081 Oracle Remote Application Server Control vulnerability in Oracle Fusion Middleware 10.1.2.3/10.1.4.0.1

Unspecified vulnerability in the Application Server Control component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.0.1 allows remote authenticated users to affect integrity via unknown vectors, a different vulnerability than CVE-2010-2381.

3.5
2010-07-13 CVE-2010-2008 Oracle
Canonical
Fedoraproject
Command Injection vulnerability in multiple products

MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a .

3.5
2010-07-12 CVE-2010-2698 Sijio Cross-Site Scripting vulnerability in Sijio Community Software

Multiple cross-site scripting (XSS) vulnerabilities in Sijio Community Software allow remote authenticated users to inject arbitrary web script or HTML via the title parameter when (1) editing a new blog, (2) adding an album, or (3) editing an album.

3.5
2010-07-12 CVE-2010-2697 Sijio Cross-Site Scripting vulnerability in Sijio Community Software

Cross-site scripting (XSS) vulnerability in Sijio Community Software allows remote authenticated users to inject arbitrary web script or HTML via the title parameter when adding a new blog, related to edit_blog/index.php.

3.5
2010-07-12 CVE-2010-2448 ZNC Denial Of Service vulnerability in ZNC NULL Pointer Dereference

znc.cpp in ZNC before 0.092 allows remote authenticated users to cause a denial of service (crash) by requesting traffic statistics when there is an active unauthenticated connection, which triggers a NULL pointer dereference, as demonstrated using (1) a traffic link in the web administration pages or (2) the traffic command in the /znc shell.

3.5
2010-07-13 CVE-2010-2384 Oracle Unspecified vulnerability in Oracle Solaris 10/9

Unspecified vulnerability in Oracle Solaris 9 and 10 allows local users to affect confidentiality and integrity via unknown vectors related to Solaris Management Console.

3.2
2010-07-13 CVE-2010-2383 Oracle Unspecified vulnerability in Oracle Opensolaris and Solaris

Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSolaris, allows local users to affect confidentiality and integrity, related to NFS.

3.2
2010-07-13 CVE-2010-2382 Oracle Unspecified vulnerability in Oracle Solaris 10/8/9

Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local users to affect confidentiality and integrity via unknown vectors.

3.2
2010-07-13 CVE-2010-2376 Oracle Local vulnerability in Oracle Solaris 10/8/9

Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local users to affect confidentiality and integrity via unknown vectors related to Solaris Management Console.

3.2
2010-07-13 CVE-2010-2378 Oracle Local vulnerability in Oracle PeopleSoft Enterprise CRM 9.0/9.1

Unspecified vulnerability in the PeopleSoft Enterprise CRM component in Oracle PeopleSoft and JDEdwards Suite CRM 9.0 Bundle #28 and CRM 9.1 Bundle #4 allows local users to affect confidentiality and integrity via unknown vectors.

3.0
2010-07-13 CVE-2010-2374 Oracle Local vulnerability in Oracle Solaris Studio 12

Unspecified vulnerability in Solaris Studio 12 update 1 allows local users to affect confidentiality and integrity via unknown vectors.

3.0
2010-07-13 CVE-2010-0900 Oracle
Microsoft
Remote vulnerability in Oracle Network Layer

Unspecified vulnerability in the Network Layer component in Oracle Database Server 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1, when running on Windows, allows remote attackers to affect availability via unknown vectors.

2.6
2010-07-13 CVE-2010-0836 Oracle Remote Oracle Knowledge Management vulnerability in Oracle E-Business Suite 11.5.10.2/12.0.6/12.1.2

Unspecified vulnerability in the Oracle Knowledge Management component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors.

2.6
2010-07-13 CVE-2010-2397 Oracle Local vulnerability in Oracle Glassfish Server and Java System Application Server

Unspecified vulnerability in Oracle Sun Java System Application Server 8.0, 8.1, and 8.2; and GlassFish Enterprise Server 2.1.1; allows local users to affect confidentiality and integrity, related to the GUI.

2.4
2010-07-13 CVE-2010-2403 Oracle Remote vulnerability in Oracle Peoplesoft and Jdedwards Suite Campus Solutions 9.0

Unspecified vulnerability in the PeopleSoft Enterprise Campus Solutions component in Oracle PeopleSoft and JDEdwards Suite Campus Solutions 9.0 Bundle #17 allows remote authenticated users to affect confidentiality via unknown vectors.

2.1
2010-07-13 CVE-2010-0901 Oracle Remote Export vulnerability in Oracle

Unspecified vulnerability in the Export component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Select Any Dictionary.

2.1
2010-07-13 CVE-2010-2724 Wimleers
Drupal
Cross-Site Scripting vulnerability in Wimleers Hierarchical Select

Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 5.x before 5.x-3.2 and 6.x before 6.x-3.2 for Drupal allows remote authenticated users, with administer taxonomy permissions, to inject arbitrary web script or HTML via unspecified vectors in the hierarchical_select form.

2.1
2010-07-13 CVE-2010-2522 Linux Ipv6 Permissions, Privileges, and Access Controls vulnerability in Linux-Ipv6 Umip 0.4

The mipv6 daemon in UMIP 0.4 does not verify that netlink messages originated in the kernel, which allows local users to spoof netlink socket communication via a crafted unicast message.

2.1
2010-07-13 CVE-2010-2371 Oracle Local vulnerability in Oracle Supply Chain products Suite 6.1.1

Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1.1 allows local users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2010-2372.

1.9