Weekly Vulnerabilities Reports > August 16 to 22, 2010

Overview

100 new vulnerabilities were reported during this period, including 28 critical vulnerabilities and 14 high severity vulnerabilities. This weekly summary reports vulnerabilities in 72 products from 51 vendors including Apple, Freetype, Canonical, Debian, and Autonomy. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", "Path Traversal", "Numeric Errors", and "Improper Input Validation".

  • 87 reported vulnerabilities are remotely exploitable.
  • 6 reported vulnerabilities have a public exploit available.
  • 18 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 93 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 16 reported vulnerabilities.
  • Autonomy has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

[Summary counts box: total vulnerabilities, critical risk, high risk, medium risk, low risk, remotely exploitable, locally exploitable, exploit available, exploitable anonymously, affecting web application]

Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

28 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-20 CVE-2010-2710 HP Unspecified vulnerability in HP Openview Network Node Manager 7.51/7.53

Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unknown vectors.

10.0
2010-08-19 CVE-2010-1760 Apple Credentials Management vulnerability in Apple Webkit

loader/DocumentThreadableLoader.cpp in the XMLHttpRequest implementation in WebCore in WebKit before r58409 does not properly handle credentials during a cross-origin synchronous request, which has unspecified impact and remote attack vectors, aka rdar problem 7905150.

10.0
2010-08-19 CVE-2010-1386 Apple Permissions, Privileges, and Access Controls vulnerability in Apple Webkit

page/Geolocation.cpp in WebCore in WebKit before r56188 and before 1.2.5 does not properly restrict access to the lastPosition function, which has unspecified impact and remote attack vectors, aka rdar problem 7746357.

10.0
2010-08-17 CVE-2010-3032 SAP Numeric Errors vulnerability in SAP Crystal Reports 2008

Integer overflow in the OBGIOPServerWorker::extractHeader function in the ebus-3-3-2-6.dll module in SAP Crystal Reports 2008 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a GIOP packet with a crafted size, which triggers a heap-based buffer overflow.

10.0
2010-08-17 CVE-2010-3031 Wyse Buffer Errors vulnerability in Wyse Thinos HF 4.4.079I

Buffer overflow in Wyse ThinOS HF 4.4.079i, and possibly other versions before ThinOS 6.5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string to the LPD service.

10.0
2010-08-21 CVE-2010-3104 Deskshare Path Traversal vulnerability in Deskshare Auto FTP Manager 4.31

Directory traversal vulnerability in DeskShare AutoFTP Manager 4.31, and probably earlier versions, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename.

9.3
2010-08-21 CVE-2010-3103 Ftpgetter Path Traversal vulnerability in Ftpgetter 3.51.0.05

Directory traversal vulnerability in FTPGetter Team FTPGetter 3.51.0.05, and probably earlier versions, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename.

9.3
2010-08-21 CVE-2010-3102 3Dftp Path Traversal vulnerability in 3Dftp 3D-Ftp Client 9.02

Directory traversal vulnerability in SiteDesigner Technologies, Inc.

9.3
2010-08-21 CVE-2010-3101 Ftpx Path Traversal vulnerability in Ftpx FTP Explorer 10.5.19.1

Directory traversal vulnerability in FTPx Corp FTP Explorer 10.5.19.1 for Windows, and probably earlier versions, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename.

9.3
2010-08-20 CVE-2010-3100 Portaplus Path Traversal vulnerability in Portaplus Porta+ FTP Client 4.1

Directory traversal vulnerability in Porta+ FTP Client 4.1, and possibly other versions, allows remote FTP servers to overwrite arbitrary files via directory traversal sequences in a filename.

9.3
2010-08-20 CVE-2010-3099 Smartftp Path Traversal vulnerability in Smartftp

Directory traversal vulnerability in SmartSoft Ltd SmartFTP Client 4.0.1124.0, and possibly other versions before 4.0 Build 1133, allows remote FTP servers to overwrite arbitrary files via a "..\" (dot dot backslash) in a filename.

9.3
2010-08-20 CVE-2010-3098 Ftprush Path Traversal vulnerability in Ftprush 1.1.3

Directory traversal vulnerability in IoRush Software FTP Rush 1.1.3 and possibly earlier allows remote FTP servers to overwrite arbitrary files via a "..\" (dot dot backslash) in a filename.

9.3
2010-08-20 CVE-2010-3097 Winfrigate Path Traversal vulnerability in Winfrigate Frigate 3

Directory traversal vulnerability in WinFrigate Frigate 3 FTP client 3.36 and earlier allows remote FTP servers to overwrite arbitrary files via a "..\" (dot dot backslash) in a filename.

9.3
2010-08-20 CVE-2010-3096 Softx Path Traversal vulnerability in Softx FTP Client 3.3

Directory traversal vulnerability in SoftX FTP Client 3.3 and possibly earlier allows remote FTP servers to write arbitrary files via "..\" (dot dot backslash) sequences in a filename.

9.3
2010-08-20 CVE-2010-1795 Apple DLL Loading Arbitrary Code Execution vulnerability in Apple iTunes

Untrusted search path vulnerability in Apple iTunes before 9.1, when running on Windows 7, Vista, and XP, allows local users and possibly remote attackers to gain privileges via a Trojan horse DLL in the current working directory.

9.3
2010-08-17 CVE-2010-1516 Swftools Numeric Errors vulnerability in Swftools 0.9.1

Multiple integer overflows in SWFTools 0.9.1 allow remote attackers to execute arbitrary code via (1) a crafted PNG file, related to the getPNG function in lib/png.c; or (2) a crafted JPEG file, related to the jpeg_load function in lib/jpeg.c.

9.3
2010-08-17 CVE-2010-1525 Autonomy Numeric Errors vulnerability in Autonomy products

Integer underflow in the SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted size for an unspecified record type, which triggers a heap-based buffer overflow.

9.3
2010-08-17 CVE-2010-1524 Autonomy Buffer Errors vulnerability in Autonomy products

The SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via unspecified vectors related to allocation of an array of pointers and "string indexing," which triggers memory corruption.

9.3
2010-08-17 CVE-2010-0135 Autonomy Buffer Errors vulnerability in Autonomy products

Heap-based buffer overflow in the WordPerfect 5.x reader (wosr.dll), as used in Autonomy KeyView 10.4 and 10.9 and possibly other products, allows remote attackers to execute arbitrary code via unspecified vectors related to "data blocks."

9.3
2010-08-17 CVE-2010-0134 Autonomy Numeric Errors vulnerability in Autonomy products

Integer signedness error in rtfsr.dll in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via a crafted \ls keyword in a list override table entry in an RTF file, which triggers a buffer overflow.

9.3
2010-08-17 CVE-2010-0133 Autonomy Buffer Errors vulnerability in Autonomy products

Multiple stack-based buffer overflows in the SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allow remote attackers to execute arbitrary code via unspecified vectors related to "certain records."

9.3
2010-08-17 CVE-2010-0131 Autonomy, Symantec Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Stack-based buffer overflow in the SpreadSheet Lotus 123 reader (wkssr.dll), as used in Autonomy KeyView 10.4 and 10.9, Symantec Mail Security, and possibly other products, allows remote attackers to execute arbitrary code via unspecified vectors related to floating point conversion in unknown record types.

9.3
2010-08-17 CVE-2010-0126 Autonomy Buffer Errors vulnerability in Autonomy products

Heap-based buffer overflow in an unspecified library in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via a crafted compound file, as demonstrated using a Quattro Pro file, which is not properly handled by the Quattro speed reader (qpssr.dll).

9.3
2010-08-17 CVE-2009-3737 Oracle, Microsoft Code Injection vulnerability in Oracle Siebel Option Pack IE Activex Control

The Oracle Siebel Option Pack for IE ActiveX control does not properly initialize memory that is used by the NewBusObj method, which allows remote attackers to execute arbitrary code via a crafted HTML document.

9.3
2010-08-16 CVE-2010-3019 Opera Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Opera Browser

Heap-based buffer overflow in Opera before 10.61 allows remote attackers to execute arbitrary code or cause a denial of service (application crash or hang) via vectors related to HTML5 canvas painting operations that occur during the application of transformations.

9.3
2010-08-16 CVE-2010-1799 Apple, Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Stack-based buffer overflow in the error-logging functionality in Apple QuickTime before 7.6.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file.

9.3
2010-08-16 CVE-2010-1797 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType before 2.4.2, as used in Apple iOS before 4.0.2 on the iPhone and iPod touch and before 3.2.2 on the iPad, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted CFF opcodes in embedded fonts in a PDF document, as demonstrated by JailbreakMe.

9.3
2010-08-17 CVE-2010-2826 Cisco SQL Injection vulnerability in Cisco Wireless Control System Software

SQL injection vulnerability in Cisco Wireless Control System (WCS) 6.0.x before 6.0.196.0 allows remote authenticated users to execute arbitrary SQL commands via vectors related to the ORDER BY clause of the Client List screens, aka Bug ID CSCtf37019.

9.0

14 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-17 CVE-2010-2825 Cisco Unspecified vulnerability in Cisco ACE 4710 and ACE Module

Unspecified vulnerability in the SIP inspection feature on the Cisco Application Control Engine (ACE) Module with software A2(1.x) before A2(1.6), A2(2.x) before A2(2.3), and A2(3.x) before A2(3.1) for Catalyst 6500 series switches and 7600 series routers, and the Cisco Application Control Engine (ACE) 4710 appliance with software before A3(2.4), allows remote attackers to cause a denial of service (device reload) via crafted SIP packets over (1) TCP or (2) UDP, aka Bug IDs CSCta65603 and CSCta71569.

7.8
2010-08-17 CVE-2010-2824 Cisco Unspecified vulnerability in Cisco ACE Module

Unspecified vulnerability on the Cisco Application Control Engine (ACE) Module with software A2(1.x) before A2(1.6), A2(2.x) before A2(2.3), and A2(3.x) before A2(3.1) for Catalyst 6500 series switches and 7600 series routers allows remote attackers to cause a denial of service (device reload) via a sequence of SSL packets, aka Bug ID CSCta20756.

7.8
2010-08-17 CVE-2010-2823 Cisco Unspecified vulnerability in Cisco ACE 4710

Unspecified vulnerability in the deep packet inspection feature on the Cisco Application Control Engine (ACE) 4710 appliance with software before A3(2.6) allows remote attackers to cause a denial of service (device reload) via crafted HTTP packets, related to HTTP, RTSP, and SIP inspection, aka Bug ID CSCtb54493.

7.8
2010-08-17 CVE-2010-2822 Cisco Unspecified vulnerability in Cisco ACE 4710 and ACE Module

Unspecified vulnerability in the RTSP inspection feature on the Cisco Application Control Engine (ACE) Module with software before A2(3.2) for Catalyst 6500 series switches and 7600 series routers, and the Cisco Application Control Engine (ACE) 4710 appliance with software before A3(2.6), allows remote attackers to cause a denial of service (device reload) via crafted RTSP packets over TCP, aka Bug IDs CSCta85227 and CSCtg14858.

7.8
2010-08-16 CVE-2010-2827 Cisco Improper Input Validation vulnerability in Cisco IOS 15.1(2)T

Cisco IOS 15.1(2)T allows remote attackers to cause a denial of service (resource consumption and TCP outage) via spoofed TCP packets, related to embryonic TCP connections that remain in the SYN_RCVD or SYN_SENT state, aka Bug ID CSCti18193.

7.8
2010-08-20 CVE-2010-2944 Jens Vagelpohl Improper Authentication vulnerability in Jens Vagelpohl Zope-Ldapuserfolder 2.91

The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges.

7.5
2010-08-20 CVE-2010-3059 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Tivoli Storage Manager Fastback

Buffer overflow in the message-protocol implementation in the Server in IBM Tivoli Storage Manager (TSM) FastBack 5.x.x before 5.5.7, and 6.1.0.0, allows remote attackers to read and modify data, and possibly have other impact, via an unspecified command.

7.5
2010-08-20 CVE-2010-3058 IBM Resource Management Errors vulnerability in IBM Tivoli Storage Manager Fastback

The Mount service in IBM Tivoli Storage Manager (TSM) FastBack 5.x.x before 5.5.7, and 6.1.0.0, establishes an open UDP port, which might allow remote attackers to overwrite memory locations and execute arbitrary code, or cause a denial of service (application hang), via unspecified vectors.

7.5
2010-08-20 CVE-2010-2628 Strongswan Code Injection vulnerability in Strongswan

The IKE daemon in strongSwan 4.3.x before 4.3.7 and 4.4.x before 4.4.1 does not properly check the return values of snprintf calls, which allows remote attackers to execute arbitrary code via crafted (1) certificate or (2) identity data that triggers buffer overflows.

7.5
2010-08-19 CVE-2010-2076 Apache Improper Input Validation vulnerability in Apache CXF

Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.

7.5
2010-08-16 CVE-2010-3029 Phpkick SQL Injection vulnerability in PHPkick 0.8

SQL injection vulnerability in statistics.php in PHPKick 0.8 allows remote attackers to execute arbitrary SQL commands via the gameday parameter in an overview action.

7.5
2010-08-16 CVE-2010-3027 Tycoon SQL Injection vulnerability in Tycoon Baseball Script 1.0.9

SQL injection vulnerability in index.php in Tycoon Baseball Script 1.0.9 allows remote attackers to execute arbitrary SQL commands via the game_id parameter in a game_player action.

7.5
2010-08-16 CVE-2010-3013 Pligg SQL Injection vulnerability in Pligg CMS

SQL injection vulnerability in groupadmin.php in Pligg before 1.1.1 allows remote attackers to execute arbitrary SQL commands via the role parameter, a different vulnerability than CVE-2010-2577.

7.5
2010-08-16 CVE-2010-2577 Pligg SQL Injection vulnerability in Pligg CMS

Multiple SQL injection vulnerabilities in Pligg before 1.1.1 allow remote attackers to execute arbitrary SQL commands via the title parameter to (1) storyrss.php or (2) story.php.

7.5

50 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-20 CVE-2010-1768 Apple Local Privilege Escalation vulnerability in Apple iTunes Log File Insecure File Operation

Unspecified vulnerability in Apple iTunes before 9.1 allows local users to gain console privileges via vectors related to log files, "insecure file operation," and syncing an iPhone, iPad, or iPod touch.

6.9
2010-08-20 CVE-2010-3064 PHP Buffer Errors vulnerability in PHP 5.3.0/5.3.1/5.3.2

Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function.

6.8
2010-08-20 CVE-2010-2810 Lynx Buffer Errors vulnerability in Lynx 2.8.8

Heap-based buffer overflow in the convert_to_idna function in WWW/Library/Implementation/HTParse.c in Lynx 2.8.8dev.1 through 2.8.8dev.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed URL containing a % (percent) character in the domain name.

6.8
2010-08-19 CVE-2010-2809 Uzbl Code Injection vulnerability in Uzbl 2009.12.22/2010.01.04

The default configuration of the <Button2> binding in Uzbl before 2010.08.05 does not properly use the @SELECTED_URI feature, which allows user-assisted remote attackers to execute arbitrary commands via a crafted HREF attribute of an A element in an HTML document.

6.8
2010-08-19 CVE-2010-2234 Apache Cross-Site Request Forgery (CSRF) vulnerability in Apache Couchdb

Cross-site request forgery (CSRF) vulnerability in Apache CouchDB 0.8.0 through 0.11.0 allows remote attackers to hijack the authentication of administrators for direct requests to an installation URL.

6.8
2010-08-19 CVE-2010-2808 Freetype, Apple, Canonical Classic Buffer Overflow vulnerability in multiple products

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.

6.8
2010-08-19 CVE-2010-2807 Freetype, Canonical, Apple Incorrect Conversion Between Numeric Types vulnerability in multiple products

FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

6.8
2010-08-19 CVE-2010-2806 Freetype, Canonical, Apple Improper Validation of Array Index vulnerability in multiple products

Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.

6.8
2010-08-19 CVE-2010-2805 Freetype, Canonical, Apple Improper Input Validation vulnerability in multiple products

The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

6.8
2010-08-19 CVE-2010-2541 Freetype, Canonical Classic Buffer Overflow vulnerability in multiple products

Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

6.8
2010-08-19 CVE-2010-2527 Freetype, Debian, Canonical Classic Buffer Overflow vulnerability in multiple products

Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

6.8
2010-08-19 CVE-2010-2519 Freetype, Canonical, Apple, Debian Out-Of-Bounds Write vulnerability in multiple products

Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file.

6.8
2010-08-19 CVE-2010-2500 Freetype, Canonical, Apple, Debian Integer Overflow OR Wraparound vulnerability in multiple products

Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

6.8
2010-08-19 CVE-2010-2499 Freetype, Canonical, Apple, Debian Classic Buffer Overflow vulnerability in multiple products

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment.

6.8
2010-08-19 CVE-2010-2498 Freetype, Canonical, Apple, Debian Out-Of-Bounds Write vulnerability in multiple products

The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.

6.8
2010-08-19 CVE-2010-2497 Freetype, Apple, Debian Integer Underflow (Wrap OR Wraparound) vulnerability in multiple products

Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

6.8
2010-08-17 CVE-2010-3030 Tomaz Muraus Cross-Site Request Forgery (CSRF) vulnerability in Tomaz-Muraus Open Blog 1.2.1

Cross-site request forgery (CSRF) vulnerability in Tomaz Muraus Open Blog 1.2.1, and possibly earlier, allows remote attackers to hijack the authentication of administrators for requests that change the administrative password.

6.8
2010-08-16 CVE-2010-3024 Hulihanapplications Cross-Site Request Forgery (CSRF) vulnerability in Hulihanapplications Diamondlist 0.1.6

Multiple cross-site request forgery (CSRF) vulnerabilities in user/main/update_user in DiamondList 0.1.6, and possibly earlier, allow remote attackers to hijack the authentication of administrators for requests that (1) change the administrative password or (2) change the site's configuration.

6.8
2010-08-16 CVE-2010-2576 Opera Code Injection vulnerability in Opera Browser

Opera before 10.61 does not properly suppress clicks on download dialogs that became visible after a recent tab change, which allows remote attackers to conduct clickjacking attacks, and consequently execute arbitrary code, via vectors involving (1) closing a tab or (2) hiding a tab, a related issue to CVE-2005-2407.

6.8
2010-08-16 CVE-2010-1886 Microsoft Permissions, Privileges, and Access Controls vulnerability in Microsoft products

Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 SP2 and R2, and Windows 7 allow local users to gain privileges by leveraging access to a process with NetworkService credentials, as demonstrated by TAPI Server, SQL Server, and IIS processes, and related to the Windows Service Isolation feature.

6.8
2010-08-16 CVE-2010-1519 Glpng Numeric Errors vulnerability in Glpng 1.45

Multiple integer overflows in glpng.c in glpng 1.45 allow context-dependent attackers to execute arbitrary code via a crafted PNG image, related to (1) the pngLoadRawF function and (2) the pngLoadF function, leading to heap-based buffer overflows.

6.8
2010-08-16 CVE-2010-2757 Mozilla Cryptographic Issues vulnerability in Mozilla Bugzilla

The sudo feature in Bugzilla 2.22rc1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 does not properly send impersonation notifications, which makes it easier for remote authenticated users to impersonate other users without discovery.

6.5
2010-08-19 CVE-2010-2520 Freetype, Canonical, Apple, Debian Out-Of-Bounds Write vulnerability in multiple products

Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

5.1
2010-08-20 CVE-2010-2484 PHP Information Exposure vulnerability in PHP

The strrchr function in PHP 5.2 before 5.2.14 allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal function or handler.

5.0
2010-08-20 CVE-2010-3065 PHP Permissions, Privileges, and Access Controls vulnerability in PHP

The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.

5.0
2010-08-20 CVE-2010-3063 PHP Buffer Errors vulnerability in PHP 5.3.0/5.3.1/5.3.2

The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used.

5.0
2010-08-20 CVE-2010-3062 PHP Information Exposure vulnerability in PHP 5.3.0/5.3.1/5.3.2

mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows remote attackers to (1) read sensitive memory via a modified length value, which is not properly handled by the php_mysqlnd_ok_read function; or (2) trigger a heap-based buffer overflow via a modified length value, which is not properly handled by the php_mysqlnd_rset_header_read function.

5.0
2010-08-20 CVE-2010-3061 IBM Remote Code Execution and Denial of Service vulnerability in IBM Tivoli Storage Manager FastBack

Unspecified vulnerability in the message-protocol implementation in the Mount service in IBM Tivoli Storage Manager (TSM) FastBack 5.x.x before 5.5.7, and 6.1.0.0, allows remote attackers to cause a denial of service (recovery failure), and possibly trigger loss of data, via unknown vectors.

5.0
2010-08-20 CVE-2010-3060 IBM Remote Code Execution and Denial of Service vulnerability in IBM Tivoli Storage Manager FastBack

Unspecified vulnerability in the message-protocol implementation in the Server in IBM Tivoli Storage Manager (TSM) FastBack 5.x.x before 5.5.7, and 6.1.0.0, allows remote attackers to cause a denial of service (daemon outage) via unknown vectors.

5.0
2010-08-20 CVE-2010-2937 Videolan Improper Input Validation vulnerability in Videolan VLC Media Player

The ReadMetaFromId3v2 function in taglib.cpp in the TagLib plugin in VideoLAN VLC media player 0.9.0 through 1.1.2 does not properly process ID3v2 tags, which allows remote attackers to cause a denial of service (application crash) via a crafted media file.

5.0
2010-08-19 CVE-2010-3054 Freetype Remote Denial of Service vulnerability in FreeType 'seac' Calls

Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c.

5.0
2010-08-19 CVE-2010-2813 Squirrelmail Resource Management Errors vulnerability in Squirrelmail

functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files.

5.0
2010-08-17 CVE-2010-2934 ZNC Denial Of Service vulnerability in ZNC 0.092

Multiple unspecified vulnerabilities in ZNC 0.092 allow remote attackers to cause a denial of service (exception and daemon crash) via unknown vectors related to "unsafe substr() calls."

5.0
2010-08-17 CVE-2010-2812 ZNC Improper Input Validation vulnerability in ZNC 0.092

Client.cpp in ZNC 0.092 allows remote attackers to cause a denial of service (exception and daemon crash) via a PING command that lacks an argument.

5.0
2010-08-17 CVE-2010-1870 Apache Unspecified vulnerability in Apache Struts

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

5.0
2010-08-16 CVE-2010-3020 Opera Permissions, Privileges, and Access Controls vulnerability in Opera Browser

The news-feed preview feature in Opera before 10.61 does not properly remove scripts, which allows remote attackers to force subscriptions to arbitrary feeds via crafted content.

5.0
2010-08-16 CVE-2010-2758 Mozilla Information Exposure vulnerability in Mozilla Bugzilla

Bugzilla 2.17.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 generates different error messages depending on whether a product exists, which makes it easier for remote attackers to guess product names via unspecified use of the (1) Reports or (2) Duplicates page.

5.0
2010-08-16 CVE-2010-2756 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla Bugzilla

Search.pm in Bugzilla 2.19.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 allows remote attackers to determine the group memberships of arbitrary users via vectors involving the Search interface, boolean charts, and group-based pronouns.

5.0
2010-08-20 CVE-2010-3015 Linux Numeric Errors vulnerability in Linux Kernel

Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation.

4.7
2010-08-19 CVE-2010-2239 Libvirt Permissions, Privileges, and Access Controls vulnerability in Libvirt

Red Hat libvirt, possibly 0.6.0 through 0.8.2, creates new images without setting the user-defined backing-store format, which allows guest OS users to read arbitrary files on the host OS via unspecified vectors.

4.4
2010-08-19 CVE-2010-2238 Libvirt Permissions, Privileges, and Access Controls vulnerability in Libvirt

Red Hat libvirt, possibly 0.7.2 through 0.8.2, recurses into disk-image backing stores without extracting the defined disk backing-store format, which might allow guest OS users to read arbitrary files on the host OS, and possibly have unspecified other impact, via unknown vectors.

4.4
2010-08-19 CVE-2010-2237 Libvirt Permissions, Privileges, and Access Controls vulnerability in Libvirt

Red Hat libvirt, possibly 0.6.1 through 0.8.2, looks up disk backing stores without referring to the user-defined main disk format, which might allow guest OS users to read arbitrary files on the host OS, and possibly have unspecified other impact, via unknown vectors.

4.4
2010-08-20 CVE-2010-2531 PHP Information Exposure vulnerability in PHP

The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 flushes the output buffer to the user when certain fatal errors occur, even if display_errors is off, which allows remote attackers to obtain sensitive information by causing the application to exceed limits for memory, execution time, or recursion.

4.3
2010-08-19 CVE-2010-3053 Freetype Improper Input Validation vulnerability in Freetype

bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string.

4.3
2010-08-17 CVE-2010-2939 Openssl Resource Management Errors vulnerability in Openssl 0.9.7/0.9.8/1.0.0A

Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime.

4.3
2010-08-16 CVE-2010-3026 Tomaz Muraus Cross-Site Request Forgery (CSRF) vulnerability in Tomaz-Muraus Open Blog 1.2.1

Cross-site request forgery (CSRF) vulnerability in application/modules/admin/controllers/users.php in Tomaz Muraus Open Blog 1.2.1, and possibly earlier, allows remote attackers to hijack the authentication of administrators for requests to admin/users/edit that grant administrative privileges.

4.3
2010-08-16 CVE-2010-3025 Tomaz Muraus Cross-Site Scripting vulnerability in Tomaz-Muraus Open Blog 1.2.1

Multiple cross-site scripting (XSS) vulnerabilities in Tomaz Muraus Open Blog 1.2.1, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) excerpt parameter to application/modules/admin/controllers/posts.php, as reachable by admin/posts/edit; and the (2) content parameter to application/modules/admin/controllers/pages.php, as reachable by admin/posts/edit.

4.3
2010-08-16 CVE-2010-3023 Hulihanapplications Cross-Site Scripting vulnerability in Hulihanapplications Diamondlist 0.1.6

Multiple cross-site scripting (XSS) vulnerabilities in DiamondList 0.1.6, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) category[description] parameter to user/main/update_category, which is not properly handled by _app/views/categories/index.html.erb; and the (2) setting[site_title] parameter to user/main/update_settings, which is not properly handled by _app/views/settings/_list_settings.rhtml.

4.3
2010-08-16 CVE-2010-3021 Opera Resource Management Errors vulnerability in Opera Browser

Unspecified vulnerability in Opera before 10.61 allows remote attackers to cause a denial of service (CPU consumption and application hang) via an animated PNG image.

4.3
2010-08-16 CVE-2010-2759 Mozilla Numeric Errors vulnerability in Mozilla Bugzilla

Bugzilla 2.23.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2, when PostgreSQL is used, does not properly handle large integers in (1) bug and (2) attachment phrases, which allows remote authenticated users to cause a denial of service (bug invisibility) via a crafted comment.

4.0

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-08-20 CVE-2010-1172 Freedesktop Permissions, Privileges, and Access Controls vulnerability in Freedesktop Dbus-Glib 0.73

DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.

3.6
2010-08-16 CVE-2010-3028 Simon Philips / Joomla Permissions, Privileges, and Access Controls vulnerability in Simon Philips Aardvertiser 2.2.1

The Aardvertiser component before 2.2.1 for Joomla! uses insecure permissions (777) in unspecified folders, which allows local users to modify, create, or delete certain files.

3.6
2010-08-16 CVE-2010-3022 Drupal Cross-Site Scripting vulnerability in Drupal Devel Module

Cross-site scripting (XSS) vulnerability in the Performance logging module in the Devel module 5.x before 5.x-1.3 and 6.x before 6.x-1.21 for Drupal allows remote authenticated users, with add url aliases and report access permissions, to inject arbitrary web script or HTML via crafted node paths in a URL.

2.6
2010-08-20 CVE-2008-7258 Anibal Monsalve Salazar Improper Input Validation vulnerability in Anibal Monsalve Salazar Ssmtp 2.61/2.62

** DISPUTED ** The standardise function in Anibal Monsalve Salazar sSMTP 2.61 and 2.62 allows local users to cause a denial of service (application exit) via an e-mail message containing a long line that begins with a "." (period) character.

2.1
2010-08-19 CVE-2010-2242 Libvirt Permissions, Privileges, and Access Controls vulnerability in Libvirt

Red Hat libvirt 0.2.0 through 0.8.2 creates iptables rules with improper mappings of privileged source ports, which allows guest OS users to bypass intended access restrictions by leveraging IP address and source-port values, as demonstrated by copying and deleting an NFS directory tree.

2.1
2010-08-17 CVE-2010-2241 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Directory Server 8.0/8.1

The (1) setup-ds.pl and (2) setup-ds-admin.pl setup scripts for Red Hat Directory Server 8 before 8.2 use world-readable permissions when creating cache files, which allows local users to obtain sensitive information including passwords for Directory and Administration Server administrative accounts.

2.1
2010-08-16 CVE-2009-4269 Apache Cryptographic Issues vulnerability in Apache Derby

The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

2.1
2010-08-20 CVE-2010-3014 Freebsd / Netbsd Information Exposure vulnerability in multiple products

The Coda filesystem kernel module, as used in NetBSD and FreeBSD, when Coda is loaded and Venus is running with /coda mounted, allows local users to read sensitive heap memory via a large out_size value in a ViceIoctl struct to a Coda ioctl, which triggers a buffer over-read.

1.2