Weekly Vulnerabilities Reports > August 30 to September 5, 2010

Overview

41 new vulnerabilities were reported during this period, including 14 critical vulnerabilities and 9 high severity vulnerabilities. This weekly summary reports vulnerabilities in 43 products from 27 vendors including Microsoft, IBM, Realnetworks, Apple, and Redhat. Vulnerabilities are notably categorized as "Code Injection", "Permissions, Privileges, and Access Controls", "SQL Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Cross-site Scripting".

  • 37 reported vulnerabilities are remotely exploitable.
  • 11 reported vulnerabilities have a public exploit available.
  • 10 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 39 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 9 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 8 reported vulnerabilities.

Summary counters: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

14 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2010-08-31 | CVE-2010-3193 | IBM | Unspecified vulnerability in IBM DB2 9.1/9.5/9.7 | 10.0
  Unspecified vulnerability in the DB2STST program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 has unknown impact and attack vectors.

2010-08-30 | CVE-2010-3187 | IBM | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM AIX | 10.0
  Buffer overflow in ftpd in IBM AIX 5.3 and earlier allows remote attackers to execute arbitrary code via a long NLST command.

2010-08-30 | CVE-2010-3186 | IBM | Improper Input Validation vulnerability in IBM Websphere Application Server | 10.0
  IBM WebSphere Application Server (WAS) 7.x before 7.0.0.13, and WebSphere Application Server Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, when a JAX-WS application is used, does not properly handle an IncludeTimestamp setting in the WS-Security policy, which has unspecified impact and remote attack vectors.

2010-08-31 | CVE-2010-3191 | Adobe | Unspecified vulnerability in Adobe Captivate 5.0.0.596 | 9.3
  Untrusted search path vulnerability in Adobe Captivate 5.0.0.596, and possibly other versions, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .cptx file.

2010-08-31 | CVE-2010-3190 | Apple, Microsoft | Untrusted Search Path vulnerability in multiple products | 9.3
  Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; Visual C++ 2005 SP1, 2008 SP1, and 2010; and Exchange Server 2010 Service Pack 3, 2013, and 2013 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."
  Notes: Per https://technet.microsoft.com/en-us/security/bulletin/ms11-025, Access Vector: Network ("This is a remote code execution vulnerability"). Per http://cwe.mitre.org/data/definitions/426.html, CWE-426: Untrusted Search Path.

2010-08-31 | CVE-2010-3189 | Trendmicro | Code Injection vulnerability in Trendmicro Internet Security 2010 | 9.3
  The extSetOwner function in the UfProxyBrowserCtrl ActiveX control (UfPBCtrl.dll) in Trend Micro Internet Security Pro 2010 allows remote attackers to execute arbitrary code via an invalid address that is dereferenced as a pointer.

2010-08-31 | CVE-2010-1818 | Apple | Access of Uninitialized Pointer vulnerability in Apple Quicktime | 9.3
  The IPersistPropertyBag2::Read function in QTPlugin.ocx in Apple QuickTime 6.x, 7.x before 7.6.8, and other versions allows remote attackers to execute arbitrary code via the _Marshaled_pUnk attribute, which triggers unmarshalling of an untrusted pointer.

2010-08-30 | CVE-2010-3002 | Realnetworks, Microsoft | Unspecified vulnerability in Realnetworks Realplayer 11.0/11.1 | 9.3
  Unspecified vulnerability in RealNetworks RealPlayer 11.0 through 11.1 allows attackers to bypass intended access restrictions on files via unknown vectors.

2010-08-30 | CVE-2010-3001 | Realnetworks, Microsoft | Unspecified vulnerability in Realnetworks Realplayer and Realplayer SP | 9.3
  Unspecified vulnerability in an ActiveX control in the Internet Explorer (IE) plugin in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows has unknown impact and attack vectors related to "multiple browser windows."

2010-08-30 | CVE-2010-3000 | Realnetworks, Microsoft | Numeric Errors vulnerability in Realnetworks Realplayer and Realplayer SP | 9.3
  Multiple integer overflows in the ParseKnownType function in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allow remote attackers to execute arbitrary code via crafted (1) HX_FLV_META_AMF_TYPE_MIXEDARRAY or (2) HX_FLV_META_AMF_TYPE_ARRAY data in an FLV file.

2010-08-30 | CVE-2010-2996 | Realnetworks, Microsoft | Code Injection vulnerability in Realnetworks Realplayer 11.0/11.1 | 9.3
  Array index error in RealNetworks RealPlayer 11.0 through 11.1 on Windows allows remote attackers to execute arbitrary code via a malformed header in a RealMedia .IVR file.

2010-08-30 | CVE-2010-0120 | Realnetworks, Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks Realplayer and Realplayer SP | 9.3
  Heap-based buffer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows allows remote attackers to execute arbitrary code via large size values in QCP audio content.

2010-08-30 | CVE-2010-0117 | Realnetworks, Microsoft | Unspecified vulnerability in Realnetworks Realplayer and Realplayer SP | 9.3
  RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows do not properly handle dimensions during YUV420 transformations, which might allow remote attackers to execute arbitrary code via crafted MP4 content.

2010-08-30 | CVE-2010-0116 | Realnetworks, Microsoft | Numeric Errors vulnerability in Realnetworks Realplayer and Realplayer SP | 9.3
  Integer overflow in RealNetworks RealPlayer 11.0 through 11.1 and RealPlayer SP 1.0 through 1.1.4 on Windows might allow remote attackers to execute arbitrary code via a crafted QCP file that triggers a heap-based buffer overflow.

9 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2010-09-03 | CVE-2010-3212 | Seagullproject ORG | SQL Injection vulnerability in Seagullproject.Org Seagull | 7.5
  SQL injection vulnerability in index.php in Seagull 0.6.7 and earlier allows remote attackers to execute arbitrary SQL commands via the frmQuestion parameter in a retrieve action, in conjunction with a user/password PATH_INFO.

2010-09-03 | CVE-2010-3211 | Jextn, Joomla | SQL Injection vulnerability in Jextn COM Jefaqpro 1.5.0 | 7.5
  Multiple SQL injection vulnerabilities in the JE FAQ Pro (com_jefaqpro) component 1.5.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via category categorylist operations with (1) the catid parameter or (2) the catid parameter in a lists action.

2010-09-03 | CVE-2010-3210 | Martin LEE | Code Injection vulnerability in Martin LEE Multi-Lingual E-Commerce System 0.2 | 7.5
  Multiple PHP remote file inclusion vulnerabilities in Multi-lingual E-Commerce System 0.2 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) checkout2-CYM.php, (2) checkout2-EN.php, (3) checkout2-FR.php, (4) cat-FR.php, (5) cat-EN.php, (6) cat-CYM.php, (7) checkout1-CYM.php, (8) checkout1-EN.php, (9) checkout1-FR.php, (10) prod-CYM.php, (11) prod-EN.php, and (12) prod-FR.php in inc/.

2010-09-03 | CVE-2010-3209 | Seagullproject ORG | Code Injection vulnerability in Seagullproject.Org Seagull 0.6.7 | 7.5
  Multiple PHP remote file inclusion vulnerabilities in Seagull 0.6.7 allow remote attackers to execute arbitrary PHP code via a URL in the includeFile parameter to (1) Config/Container.php and (2) HTML/QuickForm.php in fog/lib/pear/, the (3) driverpath parameter to fog/lib/pear/DB/NestedSet.php, and the (4) path parameter to fog/lib/pear/DB/NestedSet/Output.php.

2010-09-03 | CVE-2010-3206 | DIY CMS | Code Injection vulnerability in Diy-Cms 1.0 | 7.5
  Multiple PHP remote file inclusion vulnerabilities in DiY-CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) lang parameter to modules/guestbook/blocks/control.block.php, (2) main_module parameter to index.php, and (3) getFile parameter to includes/general.functions.php.

2010-09-03 | CVE-2010-3205 | Textpattern | Code Injection vulnerability in Textpattern 4.2.0 | 7.5
  PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.

2010-09-03 | CVE-2010-3204 | Pecio CMS | Code Injection vulnerability in Pecio-Cms Pecio CMS 2.0.5 | 7.5
  Multiple PHP remote file inclusion vulnerabilities in Pecio CMS 2.0.5 allow remote attackers to execute arbitrary PHP code via a URL in the template parameter to (1) post.php, (2) article.php, (3) blog.php, or (4) home.php in pec_templates/nova-blue/.

2010-08-31 | CVE-2010-3194 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM DB2 9.1/9.5/9.7 | 7.5
  The DB2DART program in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 allows attackers to bypass intended file access restrictions via unspecified vectors related to overwriting files owned by an instance owner.

2010-08-31 | CVE-2010-3188 | Ifdefined | SQL Injection vulnerability in Ifdefined Bugtracker.Net | 7.5
  SQL injection vulnerability in search.aspx in BugTracker.NET 3.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via a custom field to the search page.

15 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2010-08-30 | CVE-2010-2945 | Simone Rota | Configuration vulnerability in Simone Rota Slim Simple Login Manager | 6.9
  The default configuration of SLiM before 1.3.2 places ./ (dot slash) at the beginning of the default_path option, which might allow local users to gain privileges via a Trojan horse program in the current working directory, related to slim.conf and cfg.cpp.

2010-09-03 | CVE-2010-3207 | Galeriashqip | SQL Injection vulnerability in Galeriashqip 1.0 | 6.8
  SQL injection vulnerability in index.php in GaleriaSHQIP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the album_id parameter.

2010-08-30 | CVE-2010-2712 | HP | Unspecified vulnerability in HP Hp-Ux B.11.11/B.11.23/B.11.31 | 6.8
  Unspecified vulnerability in Software Distributor (sd) in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to gain privileges via unknown vectors.

2010-08-30 | CVE-2010-2575 | KDE | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in KDE SC | 6.8
  Heap-based buffer overflow in the RLE decompression functionality in the TranscribePalmImageToJPEG function in generators/plucker/inplug/image.cpp in Okular in KDE SC 4.3.0 through 4.5.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image in a PDB file.

2010-08-30 | CVE-2010-2363 | IIJ | Permissions, Privileges, and Access Controls vulnerability in IIJ products | 5.8
  The IPv6 Unicast Reverse Path Forwarding (RPF) implementation on the SEIL/X1, SEIL/X2, and SEIL/B1 routers with firmware 1.00 through 2.73, when strict mode is used, does not properly drop packets, which might allow remote attackers to bypass intended access restrictions via a spoofed IP address.

2010-08-30 | CVE-2010-2940 | Fedoraproject | Improper Authentication vulnerability in Fedoraproject Sssd 1.3.0 | 5.1
  The auth_send function in providers/ldap/ldap_auth.c in System Security Services Daemon (SSSD) 1.3.0, when LDAP authentication and anonymous bind are enabled, allows remote attackers to bypass the authentication requirements of pam_authenticate via an empty password.

2010-09-03 | CVE-2010-1507 | Novell | Credentials Management vulnerability in Novell Suse Linux 11 | 5.0
  WebYaST in yast2-webclient in SUSE Linux Enterprise (SLE) 11 on the WebYaST appliance uses a fixed secret key that is embedded in the appliance's image, which allows remote attackers to spoof session cookies by leveraging knowledge of this key.

2010-09-03 | CVE-2010-3203 | Xmlswf, Joomla | Path Traversal vulnerability in Xmlswf COM Picsell 1.0 | 5.0
  Directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a ..

2010-08-31 | CVE-2010-3197 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM DB2 9.7 | 5.0
  IBM DB2 9.7 before FP2 does not perform the expected access control on the monitor administrative views in the SYSIBMADM schema, which allows remote attackers to obtain sensitive information via unspecified vectors.

2010-08-31 | CVE-2010-3195 | IBM, Microsoft | Unspecified vulnerability in IBM DB2 9.1/9.5/9.7 | 5.0
  Unspecified vulnerability in IBM DB2 9.1 before FP9, 9.5 before FP6, and 9.7 before FP2 on Windows Server 2008 allows attackers to cause a denial of service (trap) via vectors involving "special group and user enumeration."

2010-08-30 | CVE-2010-3035 | Cisco | Improper Input Validation vulnerability in Cisco IOS XR | 5.0
  Cisco IOS XR 3.4.0 through 3.9.1, when BGP is enabled, does not properly handle unrecognized transitive attributes, which allows remote attackers to cause a denial of service (peering reset) via a crafted prefix announcement, as demonstrated in the wild in August 2010 with attribute type code 99, aka Bug ID CSCti62211.

2010-09-03 | CVE-2010-1325 | Novell | Cross-Site Request Forgery (CSRF) vulnerability in Novell Suse Lifecycle Management Server 1.0 | 4.3
  Cross-site request forgery (CSRF) vulnerability in the apache2-slms package in SUSE Lifecycle Management Server (SLMS) 1.0 on SUSE Linux Enterprise (SLE) 11 allows remote attackers to hijack the authentication of unspecified victims via vectors related to improper parameter quoting.

2010-09-03 | CVE-2010-3208 | Wiccle | Cross-Site Scripting vulnerability in Wiccle web Builder 1.0.1/1.00 | 4.3
  Cross-site scripting (XSS) vulnerability in ajax.php in Wiccle Web Builder (WWB) 1.00 and 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the post_text parameter in a site custom_search action to index.php.

2010-08-31 | CVE-2010-2365 | Common1 | Cross-Site Scripting vulnerability in Common1 Moobbs2 | 4.3
  Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs2 before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2010-08-31 | CVE-2010-2364 | Common1 | Cross-Site Scripting vulnerability in Common1 Moobbs | 4.3
  Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

3 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2010-08-31 | CVE-2010-3196 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM DB2 9.7 | 3.5
  IBM DB2 9.7 before FP2, when AUTO_REVAL is IMMEDIATE, allows remote authenticated users to cause a denial of service (loss of privileges) to a view owner by defining a dependent view.

2010-08-30 | CVE-2010-2794 | Redhat, Mozilla | Link Following vulnerability in Redhat Spice-Xpi 2.2 | 3.3
  The SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to overwrite arbitrary files via a symlink attack on an unspecified log file.

2010-08-30 | CVE-2010-2792 | Redhat, Mozilla | Race Condition vulnerability in Redhat Spice-Xpi 2.2 | 3.3
  Race condition in the SPICE (aka spice-xpi) plug-in 2.2 for Firefox allows local users to obtain sensitive information, and conduct man-in-the-middle attacks, by providing a UNIX socket for communication between this plug-in and the client (aka qspice-client) in qspice 0.3.0, and then accessing this socket.