Weekly Vulnerabilities Reports > January 24 to 30, 2011
Overview
51 new vulnerabilities were reported during this period, including 9 critical and 12 high severity vulnerabilities. This weekly summary reports vulnerabilities in 42 products from 34 vendors, including Mozilla, Apache, Canonical, Debian, and Novell. The most common categories are "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-Site Request Forgery (CSRF)", "Permissions, Privileges, and Access Controls", and "SQL Injection".
- 39 reported vulnerabilities are remotely exploitable.
- 7 reported vulnerabilities have a public exploit available.
- 16 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 48 reported vulnerabilities are exploitable by an anonymous user.
- Mozilla has the most reported vulnerabilities, with 7.
- Apache has the most reported critical vulnerabilities, with 4.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:
9 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | DESCRIPTION | CVSS |
---|---|---|---|---|---|
2011-01-28 | CVE-2010-4326 | Novell | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Groupwise | Multiple buffer overflows in gwwww1.dll in GroupWise Internet Agent (GWIA) in Novell GroupWise before 8.02HP allow remote attackers to execute arbitrary code via variables in a VCALENDAR message, as demonstrated by a long (1) REQUEST-STATUS, (2) TZNAME, (3) COMMENT, or (4) RRULE variable in this message. | 10.0 |
2011-01-28 | CVE-2010-4325 | Novell | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Groupwise | Buffer overflow in gwwww1.dll in GroupWise Internet Agent (GWIA) in Novell GroupWise before 8.02HP2 allows remote attackers to execute arbitrary code via a crafted TZID variable in a VCALENDAR message. | 10.0 |
2011-01-28 | CVE-2010-3454 | Apache Canonical Debian | Off-by-one Error vulnerability in multiple products | Multiple off-by-one errors in the WW8DopTypography::ReadFromMem function in oowriter in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted typography information in a Microsoft Word .DOC file that triggers an out-of-bounds write. | 9.3 |
2011-01-28 | CVE-2010-3452 | Apache Canonical Debian | Use After Free vulnerability in multiple products | Use-after-free vulnerability in oowriter in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted tags in an RTF document. | 9.3 |
2011-01-28 | CVE-2010-3451 | Apache Canonical Debian | Use After Free vulnerability in multiple products | Use-after-free vulnerability in oowriter in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via malformed tables in an RTF document. | 9.3 |
2011-01-28 | CVE-2010-3450 | Apache Canonical Debian | Path Traversal vulnerability in multiple products | Multiple directory traversal vulnerabilities in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allow remote attackers to overwrite arbitrary files via a .. | 9.3 |
2011-01-25 | CVE-2011-0273 | HP | Buffer Errors vulnerability in HP Openview Storage Data Protector Cell Manager 6.11 | Buffer overflow in crs.exe in HP OpenView Storage Data Protector Cell Manager 6.11 allows remote attackers to execute arbitrary code via unspecified message types. | 9.3 |
2011-01-28 | CVE-2010-2777 | Novell | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Groupwise 7.0/8.0 | Stack-based buffer overflow in the IMAP server component in GroupWise Internet Agent (GWIA) in Novell GroupWise 7.x before 7.0 post-SP4 FTF and 8.x before 8.0 SP2 allows remote attackers to execute arbitrary code via a long mailbox name in a CREATE command. | 9.0 |
2011-01-28 | CVE-2011-0018 | Openvas | Improper Input Validation vulnerability in Openvas Manager | The email function in manage_sql.c in OpenVAS Manager 1.0.x through 1.0.3 and 2.0.x through 2.0rc2 allows remote authenticated users to execute arbitrary commands via the (1) To or (2) From e-mail address in an OMP request to the Greenbone Security Assistant (GSA). | 9.0 |
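The OpenVAS Manager entry above (CVE-2011-0018) is an OS command injection: an e-mail address taken from an OMP request reaches a mail command. The block below is an added example written for this report, not OpenVAS code; the `mail` command line, the address pattern and the sample recipient are assumptions chosen to illustrate the bug class. The vulnerable builder returns the command string rather than running it, and the tokenizer is a simplified model of how a POSIX shell would split it.

```python
"""Added example for this report (not OpenVAS code): shell command injection
through an e-mail address, and the argv-list form that removes the shell."""
import re
import shlex

# Illustrative recipient allowlist (an assumption, not a full RFC 5322 parser):
# no whitespace, quotes or shell metacharacters, and no leading '-' so the
# value can never be parsed as a command-line option by the mail program.
ADDR_RE = re.compile(
    r"[A-Za-z0-9._%+][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)


def mail_command_vulnerable(to_addr: str, subject: str) -> str:
    """Build the command line the way the vulnerable pattern does.

    The subject is quoted but the address is pasted in raw, so any shell
    metacharacter in it becomes shell syntax. The string is returned here,
    never executed.
    """
    return "mail -s " + shlex.quote(subject) + " " + to_addr


def shell_tokens(command_line: str) -> list:
    """Split a command line roughly as /bin/sh would (a simplified model)."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def is_safe_address(addr: str) -> bool:
    return ADDR_RE.fullmatch(addr) is not None


def build_mail_argv(to_addr: str, subject: str) -> list:
    """Hardened form: validate first, then hand an argv list to subprocess.run.

    With no shell involved, every element arrives at the program as exactly
    one argument regardless of the characters it contains.
    """
    if not is_safe_address(to_addr):
        raise ValueError("rejected recipient address: %r" % to_addr)
    return ["mail", "-s", subject, to_addr]


# Constructed attacker-controlled 'To' value for the demonstration.
INJECTED = "admin@example.test; touch /tmp/pwned"

if __name__ == "__main__":
    print(shell_tokens(mail_command_vulnerable(INJECTED, "Scan report")))
    print(is_safe_address(INJECTED), is_safe_address("admin@example.test"))
    print(build_mail_argv("admin@example.test", "Scan report"))
```

Tokenizing the vulnerable command line shows the shell would see `;` followed by a second command, `touch /tmp/pwned`. The argv form is only safe because it is passed to `subprocess.run(argv)` without `shell=True`; the allowlist is defence in depth, and the leading-hyphen rule matters because many mail programs would otherwise read an address such as `-oQ...` as an option.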
12 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | DESCRIPTION | CVSS |
---|---|---|---|---|---|
2011-01-28 | CVE-2011-0350 | Cisco | Denial of Service vulnerability in Cisco Content Services Gateway Malformed TCP Packet (CVE-2011-0350) | Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to cause a denial of service (device hang or reload) via crafted TCP packets, aka Bug ID CSCth41891, a different vulnerability than CVE-2011-0349. | 7.8 |
2011-01-28 | CVE-2011-0349 | Cisco | Denial of Service vulnerability in Cisco Content Services Gateway Malformed TCP Packet (CVE-2011-0349) | Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to cause a denial of service (device hang or reload) via crafted TCP packets, aka Bug ID CSCth17178, a different vulnerability than CVE-2011-0350. | 7.8 |
2011-01-24 | CVE-2011-0352 | Cisco | Buffer Errors vulnerability in Cisco products | Buffer overflow in the web-based management interface on the Cisco Linksys WRT54GC router with firmware before 1.06.1 allows remote attackers to cause a denial of service (device crash) via a long string in a POST request. | 7.8 |
2011-01-28 | CVE-2010-4709 | Automatedsolutions | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Automatedsolutions Modbus/Tcp Master OPC Server | Heap-based buffer overflow in Automated Solutions Modbus/TCP Master OPC Server before 3.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a MODBUS response packet with a crafted length field. | 7.6 |
2011-01-28 | CVE-2011-0651 | Icon Labs | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Icon-Labs Iconfidant SSL Server | Buffer overflow in the key exchange functionality in Icon Labs Iconfidant SSL Server before 1.3.0 allows remote attackers to execute arbitrary code via a client master key packet in which the sum of unspecified length fields is greater than a certain value. | 7.5 |
2011-01-28 | CVE-2011-0520 | Maradns | Buffer Errors vulnerability in Maradns 1.4.03/1.4.05 | The compress_add_dlabel_points function in dns/Compress.c in MaraDNS 1.4.03, 1.4.05, and probably other versions allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long DNS hostname with a large number of labels, which triggers a heap-based buffer overflow. | 7.5 |
2011-01-28 | CVE-2010-4568 | Mozilla | Permissions, Privileges, and Access Controls vulnerability in Mozilla Bugzilla | Bugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10; 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2 does not properly generate random values for cookies and tokens, which allows remote attackers to obtain access to arbitrary accounts via unspecified vectors, related to an insufficient number of calls to the srand function. | 7.5 |
2011-01-25 | CVE-2011-0646 | Anserv | SQL Injection vulnerability in Anserv PHP LOW Bids | SQL injection vulnerability in viewfaqs.php in PHP LOW BIDS allows remote attackers to execute arbitrary SQL commands via the cat parameter. | 7.5 |
2011-01-25 | CVE-2011-0645 | Phpcms | SQL Injection vulnerability in PHPcms 2008 2 | SQL injection vulnerability in data.php in PHPCMS 2008 V2 allows remote attackers to execute arbitrary SQL commands via the where_time parameter in a get action. | 7.5 |
2011-01-25 | CVE-2011-0644 | Phpcms | SQL Injection vulnerability in PHPcms 2008 2 | SQL injection vulnerability in include/admin/model_field.class.php in PHPCMS 2008 V2 allows remote attackers to execute arbitrary SQL commands via the modelid parameter to flash_upload.php. | 7.5 |
2011-01-24 | CVE-2010-4708 | Linux PAM | Unspecified vulnerability in Linux-Pam | The pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the .pam_environment file in a user's home directory, which might allow local users to run programs with an unintended environment by executing a program that relies on the pam_env PAM check. | 7.2 |
2011-01-28 | CVE-2011-0275 | HP | Denial of Service vulnerability in HP OpenView Storage Data Protector 6.0/6.10/6.11 | Unspecified vulnerability in HP OpenView Storage Data Protector 6.0, 6.10, and 6.11 allows remote attackers to cause a denial of service via unknown vectors. | 7.1 |
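The three SQL injection entries above (viewfaqs.php `cat`, data.php `where_time`, flash_upload.php `modelid`) share one root cause: a request parameter spliced into SQL text. The following added example, which is not code from any of those applications, reproduces the pattern against a constructed SQLite database (the `faqs` and `users` tables, their columns and rows are all invented for the demonstration) and shows the bound-parameter version beside it, together with a boundary check for a parameter that is only ever meant to be a short identifier.

```python
"""Added example for this report (not code from PHP LOW BIDS or PHPCMS): SQL
injection through a request parameter, shown against a constructed SQLite
database, with the parameterised query beside it."""
import re
import sqlite3

# Constructed sample data: the tables, columns and rows are invented here.
FAQ_ROWS = [
    (1, "billing", "How do I pay?"),
    (2, "billing", "Can I get a refund?"),
    (3, "shipping", "Where is my order?"),
]
USER_ROWS = [
    (1, "alice", "hash-of-alice"),
    (2, "bob", "hash-of-bob"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE faqs (id INTEGER PRIMARY KEY, cat TEXT NOT NULL, "
                 "question TEXT NOT NULL)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
                 "password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO faqs VALUES (?, ?, ?)", FAQ_ROWS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USER_ROWS)
    return conn


def viewfaqs_vulnerable(conn: sqlite3.Connection, cat: str) -> list:
    """The vulnerable pattern: the request parameter is spliced into SQL text."""
    sql = "SELECT id, question FROM faqs WHERE cat = '" + cat + "'"
    return conn.execute(sql).fetchall()


def viewfaqs_safe(conn: sqlite3.Connection, cat: str) -> list:
    """Bound parameter: the value travels separately from the statement text,
    so a quote in `cat` can never close the string literal."""
    return conn.execute(
        "SELECT id, question FROM faqs WHERE cat = ?", (cat,)
    ).fetchall()


# Defence in depth: categories are short identifiers, so reject anything else
# at the boundary before it reaches the database at all.
CAT_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def viewfaqs_hardened(conn: sqlite3.Connection, cat: str) -> list:
    if CAT_RE.fullmatch(cat) is None:
        raise ValueError("invalid category: %r" % cat)
    return viewfaqs_safe(conn, cat)


# Two classic payloads for the `cat` parameter (constructed).
TAUTOLOGY = "billing' OR '1'='1"
UNION = "x' UNION SELECT id, password_hash FROM users --"


def run_demo() -> dict:
    """Run both handlers against normal input and both payloads."""
    conn = make_db()
    return {
        "vuln_normal": len(viewfaqs_vulnerable(conn, "billing")),
        "vuln_tautology": len(viewfaqs_vulnerable(conn, TAUTOLOGY)),
        "vuln_union": sorted(q for _, q in viewfaqs_vulnerable(conn, UNION)),
        "safe_normal": len(viewfaqs_safe(conn, "billing")),
        "safe_tautology": len(viewfaqs_safe(conn, TAUTOLOGY)),
        "safe_union": len(viewfaqs_safe(conn, UNION)),
        "hardened_rejects_payloads": all(
            CAT_RE.fullmatch(p) is None for p in (TAUTOLOGY, UNION)
        ),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Against the vulnerable handler the tautology returns every FAQ row and the UNION payload returns the password hashes from an unrelated table; the bound-parameter handler returns nothing for either, because the whole payload is compared as a literal category name.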
28 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | DESCRIPTION | CVSS |
---|---|---|---|---|---|
2011-01-28 | CVE-2010-3689 | Apache Canonical Debian | Path Traversal vulnerability in multiple products | soffice in OpenOffice.org (OOo) 3.x before 3.3 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. | 6.9 |
2011-01-28 | CVE-2011-0343 | Oneidentity Freebsd HP | Permissions, Privileges, and Access Controls vulnerability in Oneidentity Syslog-Ng | Balabit syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE, when running on FreeBSD or HP-UX, does not properly perform cast operations, which causes syslog-ng to use a default value of -1 to create log files with insecure permissions (07777), which allows local users to read and write to these log files. | 6.9 |
2011-01-25 | CVE-2011-0640 | Udev Project | Unspecified vulnerability in Udev Project Udev | The default configuration of udev on Linux does not warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. | 6.9 |
2011-01-25 | CVE-2011-0639 | Apple | Configuration vulnerability in Apple mac OS X | Apple Mac OS X does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. | 6.9 |
2011-01-25 | CVE-2011-0638 | Microsoft | Configuration vulnerability in Microsoft Windows | Microsoft Windows does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. | 6.9 |
2011-01-24 | CVE-2010-3927 | Lunascape | DLL Loading Arbitrary Code Execution vulnerability in Lunascape | Untrusted search path vulnerability in Lunascape before 6.4.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory. | 6.9 |
2011-01-24 | CVE-2010-3853 | Linux PAM | Unspecified vulnerability in Linux-Pam | pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of the invoking application or service during execution of the namespace.init script, which might allow local users to gain privileges by running a setuid program that relies on the pam_namespace PAM check, as demonstrated by the sudo program. | 6.9 |
2011-01-28 | CVE-2011-0678 | Lomtec | Unspecified vulnerability in Lomtec Activeweb 3.0 | Unrestricted file upload vulnerability in the EasyEdit module in Lomtec ActiveWeb Professional 3.0 allows remote attackers to execute arbitrary code by uploading an executable file via the UploadDirectory and Accepted Extensions fields in the getImagefile component of EasyEdit.cfm. | 6.8 |
2011-01-28 | CVE-2011-0650 | Greenbone | Cross-Site Request Forgery (CSRF) vulnerability in Greenbone Security Assistant 2.0 | Cross-site request forgery (CSRF) vulnerability in Greenbone Security Assistant (GSA) before 2.0+rc3 allows remote attackers to hijack the authentication of users for requests that send email via an OMP request to OpenVAS Manager. | 6.8 |
2011-01-28 | CVE-2011-0046 | Mozilla | Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Bugzilla | Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allow remote attackers to hijack the authentication of arbitrary users for requests related to (1) adding a saved search in buglist.cgi, (2) voting in votes.cgi, (3) sanity checking in sanitycheck.cgi, (4) creating or editing a chart in chart.cgi, (5) column changing in colchange.cgi, and (6) adding, deleting, or approving a quip in quips.cgi. | 6.8 |
2011-01-25 | CVE-2011-0643 | Phplinkdirectory | Cross-Site Request Forgery (CSRF) vulnerability in PHPlinkdirectory PHP Link Directory 4.1.0 | Cross-site request forgery (CSRF) vulnerability in admin/conf_users_edit.php in PHP Link Directory (phpLD) 4.1.0 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via the N action. | 6.8 |
2011-01-28 | CVE-2011-0348 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco IOS | Cisco IOS 12.4(11)MD, 12.4(15)MD, 12.4(22)MD, 12.4(24)MD before 12.4(24)MD3, 12.4(22)MDA before 12.4(22)MDA5, and 12.4(24)MDA before 12.4(24)MDA3 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to bypass intended access restrictions and intended billing restrictions by sending HTTP traffic to a restricted destination after sending HTTP traffic to an unrestricted destination, aka Bug ID CSCtk35917. | 6.4 |
2011-01-25 | CVE-2010-4255 | Citrix | Unspecified vulnerability in Citrix XEN | The fixup_page_fault function in arch/x86/traps.c in Xen 4.0.1 and earlier on 64-bit platforms, when paravirtualization is enabled, does not verify that kernel mode is used to call the handle_gdt_ldt_mapping_fault function, which allows guest OS users to cause a denial of service (host OS BUG_ON) via a crafted memory access. | 6.1 |
2011-01-25 | CVE-2010-4353 | Menalto | Unspecified vulnerability in Menalto Gallery | Unrestricted file upload vulnerability in modules/gallery/models/item.php in Menalto Gallery before 3.0 and beta allows remote authenticated users with upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | 6.0 |
2011-01-28 | CVE-2011-0679 | IBM | Information Exposure vulnerability in IBM Websphere Portal | IBM WebSphere Portal 6.0.1.1 through 7.0.0.0, as used in IBM Lotus Web Content Management (WCM) and IBM Lotus Quickr for WebSphere Portal, allows remote attackers to obtain sensitive information via a "modified message." | 5.0 |
2011-01-24 | CVE-2011-0410 | Collabnet | Cryptographic Issues vulnerability in Collabnet Scrumworks 1.8.4 | CollabNet ScrumWorks Basic 1.8.4 uses cleartext credentials for network communication and the internal database, which makes it easier for context-dependent attackers to obtain sensitive information by (1) sniffing the network for transmissions of Java objects or (2) reading the database. | 5.0 |
2011-01-25 | CVE-2011-0637 | IBM | Denial of Service vulnerability in IBM AIX 6.1 | The FC SCSI protocol driver in IBM AIX 6.1 does not verify that a timer is unused before deallocating this timer, which might allow attackers to cause a denial of service (system crash) via unspecified vectors. | 4.9 |
2011-01-28 | CVE-2010-2779 | Novell | Cross-Site Scripting vulnerability in Novell Groupwise 8.0 | Cross-site scripting (XSS) vulnerability in WebAccess in Novell GroupWise 8.x before 8.0 SP2 allows remote attackers to inject arbitrary web script or HTML via a crafted message, related to "replies." | 4.3 |
2011-01-28 | CVE-2010-2778 | Novell | Cross-Site Scripting vulnerability in Novell Groupwise 7.0/8.0 | Cross-site scripting (XSS) vulnerability in WebAccess in Novell GroupWise 7.x before 7.0 post-SP4 FTF and 8.x before 8.0 SP2 allows remote attackers to inject arbitrary web script or HTML via a crafted message, related to a "Javascript XSS exploit." | 4.3 |
2011-01-28 | CVE-2010-4710 | Yahoo | Cross-Site Scripting vulnerability in Yahoo YUI | Cross-site scripting (XSS) vulnerability in the addItem method in the Menu widget in YUI before 2.9.0 allows remote attackers to inject arbitrary web script or HTML via a field that is added to a menu, related to documentation that specifies this field as a text field rather than an HTML field, a similar issue to CVE-2010-4569 and CVE-2010-4570. | 4.3 |
2011-01-28 | CVE-2011-0048 | Mozilla | Cross-Site Scripting vulnerability in Mozilla Bugzilla | Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data: URI in the URL (aka bug_file_loc) field, which allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI. | 4.3 |
2011-01-28 | CVE-2010-4572 | Mozilla | Code Injection vulnerability in Mozilla Bugzilla | CRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the query string, a different vulnerability than CVE-2010-2761 and CVE-2010-4411. | 4.3 |
2011-01-28 | CVE-2010-4570 | Mozilla | Cross-Site Scripting vulnerability in Mozilla Bugzilla | Cross-site scripting (XSS) vulnerability in the duplicate-detection functionality in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the summary field, related to the DataTable widget in YUI. | 4.3 |
2011-01-28 | CVE-2010-4569 | Mozilla | Cross-Site Scripting vulnerability in Mozilla Bugzilla | Cross-site scripting (XSS) vulnerability in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the real name field of a user account, related to the AutoComplete widget in YUI. | 4.3 |
2011-01-28 | CVE-2010-4567 | Mozilla | Cross-Site Scripting vulnerability in Mozilla Bugzilla | Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 does not properly handle whitespace preceding a (1) javascript: or (2) data: URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the URL (aka bug_file_loc) field. | 4.3 |
2011-01-25 | CVE-2011-0642 | Network 13 | Cross-Site Request Forgery (CSRF) vulnerability in Network-13 N-13 News 3.4/3.7/4.0 | Cross-site request forgery (CSRF) vulnerability in news/admin.php in N-13 News 3.4, 3.7, and 4.0 allows remote attackers to hijack the authentication of administrators for requests that create new users via the options action. | 4.3 |
2011-01-25 | CVE-2011-0641 | Heart5 Wordpress | Cross-Site Scripting vulnerability in Heart5 Statpresscn 1.9.0 | Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin.php in the StatPressCN plugin 1.9.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) what1, (2) what2, (3) what3, (4) what4, and (5) what5 parameters. | 4.3 |
2011-01-24 | CVE-2011-0274 | HP | Cross-Site Scripting vulnerability in HP products | Cross-site scripting (XSS) vulnerability in HP Business Availability Center (BAC) 7.x through 7.55 and 8.x through 8.05, and Business Service Management (BSM) through 9.01, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
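Two of the Bugzilla entries above (CVE-2010-4567 and CVE-2011-0048) concern the URL field: a `javascript:` or `data:` URI, possibly preceded by whitespace, was turned into a clickable link. The added example below is not Bugzilla's code; it shows why a blocklist on the raw string misses those inputs and how an allowlist applied after browser-style normalisation handles them, including the tab and newline variants that go beyond the leading-space case named in the entry. The scheme allowlist and the normalisation rules are assumptions made for this illustration.

```python
"""Added example for this report (not Bugzilla code): deciding whether a
user-supplied URL may be rendered as a clickable link."""
import html
import re

# Only these schemes are ever auto-linked (an allowlist chosen for this example).
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
DANGEROUS_PREFIXES = ("javascript:", "data:")


def naive_is_unsafe(url: str) -> bool:
    """A case-sensitive blocklist on the raw value: the pattern that fails."""
    return url.startswith(DANGEROUS_PREFIXES)


def browser_normalize(url: str) -> str:
    """Apply the lenient steps a browser's URL parser performs before it reads
    the scheme: trim leading/trailing C0 controls and space, and drop tab, CR
    and LF anywhere in the string. The check must see what the browser sees."""
    trimmed = url.strip("".join(map(chr, range(0x21))))
    return re.sub(r"[\t\n\r]", "", trimmed)


def linkable_url(url: str):
    """Return the normalised URL if it may be linked, else None."""
    candidate = browser_normalize(url)
    match = SCHEME_RE.match(candidate)
    if match is None:
        return None  # relative or schemeless: show as text, do not link
    if match.group(1).lower() not in ALLOWED_SCHEMES:
        return None
    return candidate


def render_url_field(url: str) -> str:
    """Emit an <a> only for allowlisted URLs; everything else is escaped text."""
    safe = linkable_url(url)
    if safe is None:
        return html.escape(url)
    href = html.escape(safe, quote=True)
    return '<a href="%s">%s</a>' % (href, href)


# Constructed inputs that slip past the naive check but execute in a browser.
BYPASSES = [
    " javascript:alert(1)",           # leading space (the CVE-2010-4567 case)
    "\tjavascript:alert(1)",          # leading tab
    "java\nscript:alert(1)",          # newline inside the scheme
    "JavaScript:alert(1)",            # mixed case
    "DATA:text/html,<script>",        # data: URI, uppercase
]

if __name__ == "__main__":
    for u in BYPASSES:
        print(repr(u), naive_is_unsafe(u), linkable_url(u))
    print(render_url_field("https://e.test/?a=1&b=2"))
```

The allowlist is the important half: new or unusual schemes fall through to plain text by default instead of having to be added to a blocklist one bypass at a time, and escaping the rendered value separately closes the attribute-injection path even when the scheme is acceptable.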
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | DESCRIPTION | CVSS |
---|---|---|---|---|---|
2011-01-28 | CVE-2011-0652 | Looknstop | Improper Input Validation vulnerability in Looknstop Look 'N' Stop Firewall 2.06/2.07 | lnsfw1.sys 6.0.2900.5512 in Look 'n' Stop Firewall 2.06p4 and 2.07 allows local users to cause a denial of service (crash) via a crafted 0x80000064 IOCTL request that triggers an assertion failure. | 2.1 |
2011-01-25 | CVE-2010-4341 | Fedorahosted Fedoraproject | Resource Management Errors vulnerability in multiple products | The pam_parse_in_data_v2 function in src/responder/pam/pamsrv_cmd.c in the PAM responder in SSSD 1.5.0, 1.4.x, and 1.3 allows local users to cause a denial of service (infinite loop, crash, and login prevention) via a crafted packet. | 2.1 |