Weekly Vulnerabilities Reports > August 2 to 8, 2010
Overview
42 new vulnerabilities were reported during this period, including 11 critical vulnerabilities and 11 high severity vulnerabilities. This weekly summary reports vulnerabilities in 51 products from 36 vendors including Windriver, Redhat, Moinmo, Pharscape, and Apple. Vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", and "Path Traversal".
- 35 reported vulnerabilities are remotely exploitable.
- 8 reported vulnerabilities have a public exploit available.
- 14 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 39 reported vulnerabilities are exploitable by an anonymous user.
- Windriver has the most reported vulnerabilities, with 4 reported vulnerabilities.
- Gigabyte has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
11 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2010-08-05 | CVE-2010-2965 | Windriver Rockwellautomation | Incorrect Authorization vulnerability in multiple products The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804. | 10.0 |
2010-08-02 | CVE-2010-2540 | Osgeo UMN | Permissions, Privileges, and Access Controls vulnerability in multiple products mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 does not properly restrict the use of CGI command-line arguments that were intended for debugging, which allows remote attackers to have an unspecified impact via crafted arguments. | 10.0 |
2010-08-02 | CVE-2010-1518 | Gigabyte | Improper Input Validation vulnerability in Gigabyte Dldrv2 Activex Control 1.4.206.11 Array index error in the SetDLInfo method in the GIGABYTE Dldrv2 ActiveX control 1.4.206.11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via the item argument. | 10.0 |
2010-08-02 | CVE-2010-1517 | Gigabyte | Improper Input Validation vulnerability in Gigabyte Dldrv2 Activex Control 1.4.206.11 The GIGABYTE Dldrv2 ActiveX control 1.4.206.11 allows remote attackers to (1) download arbitrary programs onto a client system, and execute these programs, via vectors involving the dl method; and (2) download arbitrary programs onto a client system via vectors involving the SetDLInfo method in conjunction with the Bdl method. | 10.0 |
2010-08-05 | CVE-2010-2974 | Invensys | Buffer Errors vulnerability in Invensys products Stack-based buffer overflow in the IConfigurationAccess interface in the Invensys Wonderware Archestra ConfigurationAccessComponent ActiveX control in Wonderware Application Server (WAS) before 3.1 SP2 P01, as used in the Wonderware Archestra Integrated Development Environment (IDE) and the InFusion Integrated Engineering Environment (IEE), allows remote attackers to execute arbitrary code via the first argument to the UnsubscribeData method. | 9.3 |
2010-08-05 | CVE-2010-2862 | Adobe | Numeric Errors vulnerability in Adobe Acrobat and Acrobat Reader Integer overflow in CoolType.dll in Adobe Reader 8.2.3 and 9.3.3, and Acrobat 9.3.3, allows remote attackers to execute arbitrary code via a TrueType font with a large maxCompositePoints value in a Maximum Profile (maxp) table. | 9.3 |
2010-08-05 | CVE-2010-2709 | HP | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in HP Openview Network Node Manager 7.51/7.53 Stack-based buffer overflow in webappmon.exe in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via a long OvJavaLocale value in a cookie. | 9.3 |
2010-08-05 | CVE-2010-2932 | Barcodewiz | Buffer Errors vulnerability in Barcodewiz Barcode Activex Control 3.29 Buffer overflow in BarCodeWiz BarCode 3.29 ActiveX control (BarcodeWiz.dll) allows remote attackers to execute arbitrary code via a long argument to the LoadProperties method. | 9.3 |
2010-08-05 | CVE-2010-2931 | Topazsystems | Buffer Errors vulnerability in Topazsystems Sigplus PRO Activex Control 3.74 Stack-based buffer overflow in SigPlus Pro 3.74 ActiveX control allows remote attackers to execute arbitrary code via a long eighth argument (HexString) to the LCDWriteString method. | 9.3 |
2010-08-05 | CVE-2010-2971 | Raphael Assenat | Buffer Errors vulnerability in Raphael Assenat Libmikmod 3.1.12 loaders/load_it.c in libmikmod, possibly 3.1.12, does not properly account for the larger size of name##env relative to name##tick and name##node, which allows remote attackers to trigger a buffer over-read and possibly have unspecified other impact via a crafted Impulse Tracker file, a related issue to CVE-2010-2546. | 9.3 |
2010-08-05 | CVE-2010-2860 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Celerra Network Attached Storage The EMC Celerra Network Attached Storage (NAS) appliance accepts external network traffic to IP addresses intended for an intranet network within the appliance, which allows remote attackers to read, create, or modify arbitrary files in the user data directory via NFS requests. | 9.3 |
11 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2010-08-05 | CVE-2010-1871 | Redhat Netapp | Expression Language Injection vulnerability in multiple products JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. | 8.8 |
2010-08-05 | CVE-2010-2547 | Gnupg Fedoraproject Debian | Use After Free vulnerability in multiple products Use-after-free vulnerability in kbx/keybox-blob.c in GPGSM in GnuPG 2.x through 2.0.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a certificate with a large number of Subject Alternate Names, which is not properly handled in a realloc operation when importing the certificate or verifying its signature. | 8.1 |
2010-08-05 | CVE-2010-2968 | Windriver | Permissions, Privileges, and Access Controls vulnerability in Windriver Vxworks The FTP daemon in Wind River VxWorks does not close the TCP connection after a number of failed login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack. | 7.8 |
2010-08-05 | CVE-2010-2967 | Windriver | Cryptographic Issues vulnerability in Windriver Vxworks The loginDefaultEncrypt algorithm in loginLib in Wind River VxWorks before 6.9 does not properly support a large set of distinct possible passwords, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session. | 7.8 |
2010-08-05 | CVE-2010-2966 | Windriver | Credentials Management vulnerability in Windriver Vxworks The INCLUDE_SECURITY functionality in Wind River VxWorks 6.x, 5.x, and earlier uses the LOGIN_USER_NAME and LOGIN_USER_PASSWORD (aka LOGIN_PASSWORD) parameters to create hardcoded credentials, which makes it easier for remote attackers to obtain access via a (1) telnet, (2) rlogin, or (3) FTP session. | 7.8 |
2010-08-02 | CVE-2010-2633 | EMC | Remote Denial of Service vulnerability in EMC Disk Library Communication Module Unspecified vulnerability in EMC Disk Library (EDL) before 3.2.7, 3.3.x before 3.3.2 epatch 8, and 4.0.x before 4.0.1 epatch 4 allows remote attackers to cause a denial of service (communication-module crash) by sending a crafted message through TCP. | 7.8 |
2010-08-05 | CVE-2010-2933 | Avscripts | SQL Injection vulnerability in Avscripts AV Arcade 3 SQL injection vulnerability in AV Scripts AV Arcade 3 allows remote attackers to execute arbitrary SQL commands via the ava_code cookie to the "main page," related to index.php and the login task. | 7.5 |
2010-08-05 | CVE-2010-2725 | Barnowl | Improper Input Validation vulnerability in Barnowl BarnOwl before 1.6.2 does not check the return code of calls to the (1) ZPending and (2) ZReceiveNotice functions in libzephyr, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. | 7.5 |
2010-08-02 | CVE-2010-2930 | Pharscape | Buffer Errors vulnerability in Pharscape Hsolink 1.0.118 Multiple stack-based buffer overflows in hsolinkcontrol in hsolink 1.0.118 allow local users to gain privileges via long command-line arguments, a different vulnerability than CVE-2010-1671. | 7.2 |
2010-08-02 | CVE-2010-2929 | Pharscape | Permissions, Privileges, and Access Controls vulnerability in Pharscape Hsolink 1.0.118 Untrusted search path vulnerability in hsolinkcontrol in hsolink 1.0.118 allows local users to gain privileges via a modified PATH environment variable, which is used during execution of the (1) route, (2) mv, and (3) cp programs, a different vulnerability than CVE-2010-1671. | 7.2 |
2010-08-02 | CVE-2010-1671 | Pharscape | Permissions, Privileges, and Access Controls vulnerability in Pharscape Hsolink 1.0.118 hsolinkcontrol in hsolink 1.0.118 allows local users to gain privileges via shell metacharacters in command-line arguments, as demonstrated by the second argument in a down action. | 7.2 |
18 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2010-08-05 | CVE-2010-2973 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS 4.0/4.0.1 Integer overflow in IOSurface in Apple iOS before 4.0.2 on the iPhone and iPod touch, and before 3.2.2 on the iPad, allows local users to gain privileges via vectors involving IOSurface properties, as demonstrated by JailbreakMe. | 6.9 |
2010-08-05 | CVE-2010-2713 | Nalin Dahyabhai Gnome | Remote Code Execution vulnerability in VTE Window and Icon Title The vte_sequence_handler_window_manipulation function in vteseq.c in libvte (aka libvte9) in VTE 0.25.1 and earlier, as used in gnome-terminal, does not properly handle escape sequences, which allows remote attackers to execute arbitrary commands or obtain potentially sensitive information via a (1) window title or (2) icon title sequence. | 6.8 |
2010-08-02 | CVE-2010-2786 | Matomo | Path Traversal vulnerability in Matomo Directory traversal vulnerability in Piwik 0.6 through 0.6.3 allows remote attackers to include arbitrary local files and possibly have unspecified other impact via directory traversal sequences in a crafted data-renderer request. | 6.8 |
2010-08-02 | CVE-2010-2785 | Kvirc | Unspecified vulnerability in Kvirc The IRC Protocol component in KVIrc 3.x and 4.x before r4693 does not properly handle \ (backslash) characters, which allows remote authenticated users to execute arbitrary CTCP commands via vectors involving \r and \40 sequences, a different vulnerability than CVE-2010-2451 and CVE-2010-2452. | 6.5 |
2010-08-02 | CVE-2009-4896 | Mlmmj | Path Traversal vulnerability in Mlmmj 1.2.15/1.2.16/1.2.17 Multiple directory traversal vulnerabilities in the mlmmj-php-admin web interface for Mailing List Managing Made Joyful (mlmmj) 1.2.15 through 1.2.17 allow remote authenticated users to overwrite, create, or delete arbitrary files, or determine the existence of arbitrary directories, via a .. | 6.5 |
2010-08-02 | CVE-2010-2927 | IBM | Improper Authentication vulnerability in IBM Tivoli Directory Server The slapi_printmessage function in IBM Tivoli Directory Server (ITDS) before 6.0.0.8-TIV-ITDS-IF0006 allows remote attackers to cause a denial of service (daemon crash) via multiple incomplete DIGEST-MD5 connection attempts. | 5.0 |
2010-08-02 | CVE-2010-2320 | Eterna | Permissions, Privileges, and Access Controls vulnerability in Eterna Bozohttpd bozotic HTTP server (aka bozohttpd) before 20100621 allows remote attackers to list the contents of home directories, and determine the existence of user accounts, via multiple requests for URIs beginning with /~ sequences. | 5.0 |
2010-08-02 | CVE-2010-2195 | Eterna | Unspecified vulnerability in Eterna Bozohttpd 20090522/20100509/20100512 bozotic HTTP server (aka bozohttpd) 20090522 through 20100512 allows attackers to cause a denial of service via vectors related to a "wrong code generation interaction with GCC." Per: http://www.eterna.com.au/bozohttpd/ 'please note that a bozohttpd versions 20090522 to 20100512, inclusive, have a serious wrong code generation interaction with GCC that has been fixed in the 20100617 release. | 5.0 |
2010-08-02 | CVE-2010-1794 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X 10.6.0 The webdav_mount function in webdav_vfsops.c in the WebDAV kernel extension (aka webdav_fs.kext) for Mac OS X 10.6 allows local users to cause a denial of service (panic) via a mount request with a large integer in the pa_socket_namelen field. | 4.9 |
2010-08-05 | CVE-2010-2526 | Heinz Mauelshagen Redhat | Improper Authentication vulnerability in Heinz Mauelshagen Lvm2 The cluster logical volume manager daemon (clvmd) in lvm2-cluster in LVM2 before 2.02.72, as used in Red Hat Global File System (GFS) and other products, does not verify client credentials upon a socket connection, which allows local users to cause a denial of service (daemon exit or logical-volume change) or possibly have unspecified other impact via crafted control commands. | 4.6 |
2010-08-05 | CVE-2009-2696 | Apache Redhat | Cross-Site Scripting vulnerability in Apache Tomcat Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781. | 4.3 |
2010-08-05 | CVE-2010-2970 | Moinmo | Cross-Site Scripting vulnerability in Moinmo Moinmoin 1.9.0/1.9.1/1.9.2 Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/SlideShow.py, (2) action/anywikidraw.py, and (3) action/language_setup.py, a similar issue to CVE-2010-2487. | 4.3 |
2010-08-05 | CVE-2010-2969 | Moinmo | Cross-Site Scripting vulnerability in Moinmo Moinmoin Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, and 1.9.x before 1.9.3, allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) action/LikePages.py, (2) action/chart.py, and (3) action/userprofile.py, a similar issue to CVE-2010-2487. | 4.3 |
2010-08-05 | CVE-2010-2487 | Moinmo | Cross-Site Scripting vulnerability in Moinmo Moinmoin Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.7.3 and earlier, 1.8.x before 1.8.8, and 1.9.x before 1.9.3 allow remote attackers to inject arbitrary web script or HTML via crafted content, related to (1) Page.py, (2) PageEditor.py, (3) PageGraphicalEditor.py, (4) action/CopyPage.py, (5) action/Load.py, (6) action/RenamePage.py, (7) action/backup.py, (8) action/login.py, (9) action/newaccount.py, and (10) action/recoverpass.py. | 4.3 |
2010-08-02 | CVE-2010-2536 | Adjam | Cross-Site Scripting vulnerability in Adjam Rekonq Multiple cross-site scripting (XSS) vulnerabilities in rekonq 0.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) a URL associated with a nonexistent domain name, related to webpage.cpp, aka a "universal XSS" issue; (2) unspecified vectors related to webview.cpp; and the about: views for (3) favorites, (4) bookmarks, (5) closed tabs, and (6) history. | 4.3 |
2010-08-02 | CVE-2009-4976 | URS Wolfer KDE | Cross-Site Scripting vulnerability in URS Wolfer Kwebkitpart 0.9.6 Cross-site scripting (XSS) vulnerability in webkitpart.cpp in kwebkitpart allows remote attackers to inject arbitrary web script or HTML via a URL associated with a nonexistent domain name, related to a "universal XSS" issue, a similar vulnerability to CVE-2010-2536. | 4.3 |
2010-08-02 | CVE-2009-4975 | Nokia | Cross-Site Scripting vulnerability in Nokia Qtdemobrowser Cross-site scripting (XSS) vulnerability in webview.cpp in QtDemoBrowser allows remote attackers to inject arbitrary web script or HTML via a URL associated with a nonexistent domain name, related to a "universal XSS" issue, a similar vulnerability to CVE-2010-2536. | 4.3 |
2010-08-05 | CVE-2010-2795 | Joachim Fritschi | Improper Input Validation vulnerability in Joachim Fritschi PHPcas phpCAS before 1.1.2 allows remote authenticated users to hijack sessions via a query string containing a crafted ticket value. | 4.0 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2010-08-05 | CVE-2010-2796 | Joachim Fritschi | Cross-Site Scripting vulnerability in Joachim Fritschi PHPcas Cross-site scripting (XSS) vulnerability in phpCAS before 1.1.2, when proxy mode is enabled, allows remote attackers to inject arbitrary web script or HTML via a callback URL. | 2.6 |
2010-08-02 | CVE-2010-2539 | Osgeo UMN | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Buffer overflow in the msTmpFile function in maputil.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 allows local users to cause a denial of service via vectors involving names of temporary files. | 2.1 |