Weekly Vulnerabilities Reports > November 8 to 14, 2010

Overview

55 new vulnerabilities reported during this period, including 12 critical vulnerabilities and 4 high severity vulnerabilities. This weekly summary report vulnerabilities in 28 products from 17 vendors including IBM, Microsoft, PHP, Google, and Adobe. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", "Improper Input Validation", and "Resource Management Errors".

  • 50 reported vulnerabilities are remotely exploitables.
  • 6 reported vulnerabilities have public exploit available.
  • 17 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 50 reported vulnerabilities are exploitable by an anonymous user.
  • IBM has the most reported vulnerabilities, with 23 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 7 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

12 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-11-10 CVE-2010-3635 Adobe Code Injection vulnerability in Adobe Flash Media Server

Adobe Flash Media Server (FMS) 3.0.x before 3.0.7, 3.5.x before 3.5.5, and 4.0.x before 4.0.1 allows attackers to execute arbitrary code via unspecified vectors, related to a "segmentation fault vulnerability."

10.0
2010-11-09 CVE-2010-4221 Proftpd Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Proftpd 1.3.2/1.3.3

Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.

10.0
2010-11-09 CVE-2010-4218 IBM Security vulnerability in IBM Enovia 6

Unspecified vulnerability in Web Services in IBM ENOVIA 6 has unknown impact and attack vectors, related to a system that becomes "exposed to the internet."

10.0
2010-11-09 CVE-2010-3040 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Intelligent Contact Manager

Multiple stack-based buffer overflows in agent.exe in Setup Manager in Cisco Intelligent Contact Manager (ICM) before 7.0 allow remote attackers to execute arbitrary code via a long parameter in a (1) HandleUpgradeAll, (2) AgentUpgrade, (3) HandleQueryNodeInfoReq, or (4) HandleUpgradeTrace TCP packet, aka Bug IDs CSCti45698, CSCti45715, CSCti45726, and CSCti46164.

10.0
2010-11-12 CVE-2010-3894 IBM Buffer Errors vulnerability in IBM Omnifind 6.1/8.0/8.4

Stack-based buffer overflow in the Java_com_ibm_es_oss_CryptionNative_ESEncrypt function in /opt/IBM/es/lib/libffq.cryptionjni.so in the login form in the administration interface in IBM OmniFind Enterprise Edition before 8.5 FP6 allows remote attackers to execute arbitrary code via a long password.

9.3
2010-11-10 CVE-2010-3337 Microsoft Unspecified vulnerability in Microsoft Office 2007/2010

Untrusted search path vulnerability in Microsoft Office 2007 SP2 and 2010 allows local users to gain privileges via a Trojan horse DLL in the current working directory, aka "Insecure Library Loading Vulnerability." NOTE: this might overlap CVE-2010-3141 and CVE-2010-3142.

9.3
2010-11-10 CVE-2010-3336 Microsoft Buffer Errors vulnerability in Microsoft Office and Open XML File Format Converter

Microsoft Office XP SP3, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code via a crafted Office document that triggers memory corruption, aka "MSO Large SPID Read AV Vulnerability."

9.3
2010-11-10 CVE-2010-3335 Microsoft Buffer Errors vulnerability in Microsoft Office and Open XML File Format Converter

Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code via a crafted Office document that triggers memory corruption, aka "Drawing Exception Handling Vulnerability."

9.3
2010-11-10 CVE-2010-3334 Microsoft Buffer Errors vulnerability in Microsoft Office and Open XML File Format Converter

Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code via an Office document containing an Office Art Drawing record with crafted msofbtSp records and unspecified flags, which triggers memory corruption, aka "Office Art Drawing Records Vulnerability."

9.3
2010-11-10 CVE-2010-3333 Microsoft Buffer Errors vulnerability in Microsoft Office and Open XML File Format Converter

Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."

9.3
2010-11-10 CVE-2010-2573 Microsoft Numeric Errors vulnerability in Microsoft Office, Powerpoint and Powerpoint Viewer

Integer underflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3, PowerPoint Viewer SP2, and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted PowerPoint document, aka "PowerPoint Integer Underflow Causes Heap Corruption Vulnerability."

9.3
2010-11-10 CVE-2010-2572 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Powerpoint 2002/2003

Buffer overflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint 95 document, aka "PowerPoint Parsing Buffer Overflow Vulnerability."

9.3

4 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-11-12 CVE-2010-3896 IBM Improper Authentication vulnerability in IBM Omnifind

The ESSearchApplication directory tree in IBM OmniFind Enterprise Edition 8.x and 9.x does not require authentication, which allows remote attackers to modify the server configuration via a request to palette.do.

7.5
2010-11-12 CVE-2010-3893 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Omnifind

The administrator interface in IBM OmniFind Enterprise Edition 8.x and 9.x does not restrict use of a session ID (aka SID) value to a single IP address, which allows remote attackers to perform arbitrary administrative actions by leveraging cookie theft, related to a "session impersonation" issue.

7.5
2010-11-12 CVE-2010-3895 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Omnifind 8.0/8.4/8.5

esRunCommand in IBM OmniFind Enterprise Edition before 9.1 allows local users to gain privileges by specifying an arbitrary command name as the first argument.

7.2
2010-11-09 CVE-2010-3867 Proftpd Path Traversal vulnerability in Proftpd

Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command.

7.1

37 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-11-12 CVE-2010-4236 IBM Multiple vulnerability in RETIRED: IBM OmniFind

Untrusted search path vulnerability in estaskwrapper in IBM OmniFind Enterprise Edition before 9.1 allows local users to gain privileges via an ES_LIBRARY_PATH environment variable and a modified PATH environment variable, which is used during execution of the estasklight program, a different vulnerability than CVE-2010-3895.

6.9
2010-11-12 CVE-2010-3892 IBM Multiple vulnerability in RETIRED: IBM OmniFind

Session fixation vulnerability in the login form in the administrator interface in IBM OmniFind Enterprise Edition 8.x and 9.x allows remote attackers to hijack web sessions by replaying a session ID (aka SID) value.

6.8
2010-11-12 CVE-2009-5016 PHP Numeric Errors vulnerability in PHP

Integer overflow in the xml_utf8_decode function in ext/xml/xml.c in PHP before 5.2.11 makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string that uses overlong UTF-8 encoding, a different vulnerability than CVE-2010-3870.

6.8
2010-11-12 CVE-2010-3891 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Omnifind 8.0/8.4/8.5

Cross-site request forgery (CSRF) vulnerability in ESAdmin/security.do in the administrator interface in IBM OmniFind Enterprise Edition before 9.1 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a saveNewUser action.

6.8
2010-11-12 CVE-2010-3870 PHP
Canonical
Improper Input Validation vulnerability in multiple products

The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.

6.8
2010-11-09 CVE-2010-3694 Horde Cross-Site Request Forgery (CSRF) vulnerability in Horde Application Framework

Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form.

6.8
2010-11-09 CVE-2010-3039 Cisco OS Command Injection vulnerability in Cisco Unified Communications Manager

/usr/local/cm/bin/pktCap_protectData in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6, 7, and 8 allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in a request to the administrative interface, aka Bug IDs CSCti52041 and CSCti74930.

6.8
2010-11-09 CVE-2010-2635 IBM SQL Injection vulnerability in IBM Websphere Commerce

SQL injection vulnerability in IBM WebSphere Commerce 6.0 before 6.0.0.10 allows remote authenticated users to execute arbitrary SQL commands via unspecified parameters to "Commerce Organization Admin Console JavaServer pages."

6.5
2010-11-09 CVE-2010-0785 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Websphere Application Server

Cross-site request forgery (CSRF) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.0
2010-11-10 CVE-2010-2732 Microsoft Improper Input Validation vulnerability in Microsoft Forefront Unified Access Gateway 2010

Open redirect vulnerability in the web interface in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka "UAG Redirection Spoofing Vulnerability."

5.8
2010-11-12 CVE-2010-3899 IBM Resource Management Errors vulnerability in IBM Omnifind 8.0/9.0

IBM OmniFind Enterprise Edition 8.x and 9.x performs web crawls with an unlimited recursion depth, which allows remote web servers to cause a denial of service (infinite loop) via a crafted series of documents.

5.0
2010-11-12 CVE-2010-3898 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Omnifind

IBM OmniFind Enterprise Edition 8.x and 9.x does not properly restrict the cookie path of administrator (aka ESAdmin) cookies, which might allow remote attackers to bypass authentication by leveraging access to other pages on the web site.

5.0
2010-11-12 CVE-2010-3897 IBM Credentials Management vulnerability in IBM Omnifind

ESSearchApplication/palette.do in IBM OmniFind Enterprise Edition 8.x and 9.x includes the administrator password in the HTML source code, which might allow remote attackers to obtain sensitive information by leveraging read access to this file.

5.0
2010-11-10 CVE-2010-4156 PHP
Scottmac
Improper Input Validation vulnerability in Scottmac Libmbfl 1.1.0

The mb_strcut function in Libmbfl 1.1.0, as used in PHP 5.3.x through 5.3.3, allows context-dependent attackers to obtain potentially sensitive information via a large value of the third parameter (aka the length parameter).

5.0
2010-11-10 CVE-2010-3634 Adobe Remote Denial of Service vulnerability in Adobe Flash Media Server

Unspecified vulnerability in the edge process in Adobe Flash Media Server (FMS) 3.0.x before 3.0.7, 3.5.x before 3.5.5, and 4.0.x before 4.0.1 allows attackers to cause a denial of service via unknown vectors.

5.0
2010-11-10 CVE-2010-3633 Adobe Resource Management Errors vulnerability in Adobe Flash Media Server

Memory leak in Adobe Flash Media Server (FMS) 3.0.x before 3.0.7, 3.5.x before 3.5.5, and 4.0.x before 4.0.1 allows attackers to cause a denial of service (memory consumption) via unspecified vectors.

5.0
2010-11-09 CVE-2010-4217 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server

Use-after-free vulnerability in the proxy server in IBM Tivoli Directory Server (TDS) 6.0.0.x before 6.0.0.8-TIV-ITDS-IF0007 and 6.1.x before 6.1.0-TIV-ITDS-FP0005 allows remote attackers to cause a denial of service (daemon crash) via an unbind request that occurs during a certain search operation.

5.0
2010-11-09 CVE-2010-4216 IBM Buffer Errors vulnerability in IBM Tivoli Directory Server 6.0/6.0.0.7/6.0.0.8

IBM Tivoli Directory Server (TDS) 6.0.0.x before 6.0.0.8-TIV-ITDS-IF0007 does not properly handle invalid buffer references in LDAP BER requests, which might allow remote attackers to cause a denial of service (daemon crash) via vectors involving a buffer that has a memory address near the maximum possible address.

5.0
2010-11-09 CVE-2010-0786 IBM Improper Input Validation vulnerability in IBM Websphere Application Server

The Web Services Security component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 does not properly implement the Java API for XML Web Services (aka JAX-WS), which allows remote attackers to cause a denial of service (data corruption) via a crafted JAX-WS request that leads to incorrectly encoded data.

5.0
2010-11-09 CVE-2010-3436 PHP Permissions, Privileges, and Access Controls vulnerability in PHP

fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.

5.0
2010-11-12 CVE-2009-5017 Mozilla Cross-Site Scripting vulnerability in Mozilla Firefox 1.5/3.0/3.6

Mozilla Firefox before 3.6 Beta 3 does not properly handle overlong UTF-8 encoding, which makes it easier for remote attackers to bypass cross-site scripting (XSS) protection mechanisms via a crafted string, a different vulnerability than CVE-2010-1210.

4.3
2010-11-12 CVE-2010-3890 IBM Cross-Site Scripting vulnerability in IBM Omnifind 8.0/8.4/8.5

Cross-site scripting (XSS) vulnerability in IBM OmniFind Enterprise Edition before 9.1 allows remote attackers to inject arbitrary web script or HTML via the command parameter to the administration interface, as demonstrated by the command parameter to ESAdmin/collection.do.

4.3
2010-11-12 CVE-2010-2637 IBM Cryptographic Issues vulnerability in IBM Websphere MQ

IBM WebSphere MQ 6.0 before 6.0.2.9 and 7.0 before 7.0.1.1 does not encrypt the username and password in the security parameters field, which allows remote attackers to obtain sensitive information by sniffing the network traffic from a .NET client application.

4.3
2010-11-10 CVE-2010-3936 Microsoft Cross-Site Scripting vulnerability in Microsoft Forefront Unified Access Gateway 2010

Cross-site scripting (XSS) vulnerability in Signurl.asp in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "XSS in Signurl.asp Vulnerability."

4.3
2010-11-10 CVE-2010-2734 Microsoft Cross-Site Scripting vulnerability in Microsoft Forefront Unified Access Gateway 2010

Cross-site scripting (XSS) vulnerability in the mobile portal in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "XSS Issue on UAG Mobile Portal Website in Forefront Unified Access Gateway Vulnerability."

4.3
2010-11-10 CVE-2010-2733 Microsoft Cross-Site Scripting vulnerability in Microsoft Forefront Unified Access Gateway 2010

Cross-site scripting (XSS) vulnerability in the Web Monitor in Microsoft Forefront Unified Access Gateway (UAG) 2010 Gold, 2010 Update 1, and 2010 Update 2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "UAG XSS Allows EOP Vulnerability."

4.3
2010-11-09 CVE-2010-4220 IBM Cross-Site Scripting vulnerability in IBM Websphere Application Server

Cross-site scripting (XSS) vulnerability in the Integrated Solution Console in the Administrative Console component in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."

4.3
2010-11-09 CVE-2010-4219 IBM Cross-Site Scripting vulnerability in IBM Websphere Portal 6.1.0.1

Cross-site scripting (XSS) vulnerability in SemanticTagService.js in IBM WebSphere Portal 6.1.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-11-09 CVE-2010-3871 Mahara Cross-Site Scripting vulnerability in Mahara

Cross-site scripting (XSS) vulnerability in blocktype/groupviews/theme/raw/groupviews.tpl in Mahara before 1.3.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-11-09 CVE-2010-3077 Horde Cross-Site Scripting vulnerability in Horde Application Framework

Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter.

4.3
2010-11-09 CVE-2010-2636 IBM Cross-Site Scripting vulnerability in IBM Websphere Commerce 7.0

Multiple cross-site scripting (XSS) vulnerabilities in sample store pages in IBM WebSphere Commerce 7.0 before 7.0.0.1 allow remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2010-11-09 CVE-2010-0784 IBM Cross-Site Scripting vulnerability in IBM Websphere Application Server

Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-11-09 CVE-2010-0783 IBM Cross-Site Scripting vulnerability in IBM Websphere Application Server

Cross-site scripting (XSS) vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.35 and 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2010-11-09 CVE-2010-4214 Wellsfargo
Google
Cryptographic Issues vulnerability in Wellsfargo Wells Fargo Mobile 1.1

The Wells Fargo Mobile application 1.1 for Android stores a username and password, along with account balances, in cleartext, which might allow physically proximate attackers to obtain sensitive information by reading application data.

4.3
2010-11-09 CVE-2010-4213 Bankofamerica
Google
Cryptographic Issues vulnerability in Bankofamerica Bank of America 2.12

The Bank of America application 2.12 for Android stores a security question's answer in cleartext, which might allow physically proximate attackers to obtain sensitive information by reading application data.

4.3
2010-11-09 CVE-2010-3709 PHP Improper Input Validation vulnerability in PHP

The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.

4.3
2010-11-09 CVE-2008-7265 Proftpd Resource Management Errors vulnerability in Proftpd

The pr_data_xfer function in ProFTPD before 1.3.2rc3 allows remote authenticated users to cause a denial of service (CPU consumption) via an ABOR command during a data transfer.

4.0

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-11-09 CVE-2010-4211 Ebay
Apple
Improper Authentication vulnerability in Ebay Paypal

The PayPal app before 3.0.1 for iOS does not verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof a PayPal web server via an arbitrary certificate.

2.9
2010-11-09 CVE-2010-4212 Usaa
Google
Permissions, Privileges, and Access Controls vulnerability in Usaa 3.0

The USAA application 3.0 for Android stores a mirror image of each visited web page, which might allow physically proximate attackers to obtain sensitive banking information by reading application data.

1.9