Weekly Vulnerabilities Reports > April 11 to 17, 2011
Overview
46 new vulnerabilities reported during this period, including 16 critical vulnerabilities and 4 high severity vulnerabilities. This weekly summary report vulnerabilities in 80 products from 21 vendors including Microsoft, HP, Google, Mono, and Novell. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", "Information Exposure", and "Improper Input Validation".
- 42 reported vulnerabilities are remotely exploitables.
- 2 reported vulnerabilities have public exploit available.
- 6 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 43 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 16 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 12 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
16 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2011-04-15 | CVE-2011-1300 | Mozilla Microsoft | Numeric Errors vulnerability in multiple products The Program::getActiveUniformMaxLength function in libGLESv2/Program.cpp in libGLESv2.dll in the WebGLES library in Almost Native Graphics Layer Engine (ANGLE), as used in Mozilla Firefox 4.x before 4.0.1 on Windows and in the GPU process in Google Chrome before 10.0.648.205 on Windows, allows remote attackers to execute arbitrary code via unspecified vectors, related to an "off-by-three" error. | 10.0 |
| 2011-04-15 | CVE-2011-0285 | MIT | Improper Input Validation vulnerability in MIT Kerberos 5 The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition. | 10.0 |
| 2011-04-14 | CVE-2011-0935 | Cisco | Cryptographic Issues vulnerability in Cisco IOS 15.0/15.1 The PKI functionality in Cisco IOS 15.0 and 15.1 does not prevent permanent caching of certain public keys, which allows remote attackers to bypass authentication and have unspecified other impact by leveraging an IKE peer relationship in which a key was previously valid but later revoked, aka Bug ID CSCth82164, a different vulnerability than CVE-2010-4685. | 10.0 |
| 2011-04-15 | CVE-2011-1302 | Out-Of-Bounds Write vulnerability in Google Chrome Heap-based buffer overflow in the GPU process in Google Chrome before 10.0.648.205 allows remote attackers to execute arbitrary code via unknown vectors. | 9.3 | |
| 2011-04-15 | CVE-2011-1301 | USE After Free vulnerability in Google Chrome Use-after-free vulnerability in the GPU process in Google Chrome before 10.0.648.205 allows remote attackers to execute arbitrary code via unknown vectors. | 9.3 | |
| 2011-04-13 | CVE-2011-1243 | Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft Windows XP The Windows Messenger ActiveX control in msgsc.dll in Microsoft Windows XP SP2 and SP3 allows remote attackers to execute arbitrary code via unspecified vectors that "corrupt the system state," aka "Microsoft Windows Messenger ActiveX Control Vulnerability." | 9.3 |
| 2011-04-13 | CVE-2011-0656 | Microsoft | Improper Input Validation vulnerability in Microsoft products Microsoft PowerPoint 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate PersistDirectoryEntry records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a Slide with a malformed record, which triggers an exception and later use of an unspecified method, aka "Persist Directory RCE Vulnerability." | 9.3 |
| 2011-04-13 | CVE-2011-0655 | Microsoft | Improper Input Validation vulnerability in Microsoft products Microsoft PowerPoint 2007 SP2 and 2010; Office 2004, 2008, and 2011 for Mac; Open XML File Format Converter for Mac; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2; PowerPoint Viewer; PowerPoint Viewer 2007 SP2; and PowerPoint Web App do not properly validate TimeColorBehaviorContainer Floating Point records in PowerPoint documents, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document containing an invalid record, aka "Floating Point Techno-color Time Bandit RCE Vulnerability." | 9.3 |
| 2011-04-13 | CVE-2011-0107 | Microsoft | DLL Loading Arbitrary Code Execution vulnerability in Microsoft Office 2003/2007/Xp Untrusted search path vulnerability in Microsoft Office XP SP3, Office 2003 SP3, and Office 2007 SP2 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .docx file, aka "Office Component Insecure Library Loading Vulnerability." Per: http://www.microsoft.com/technet/security/Bulletin/MS11-023.mspx Access Vector: Network per "This is a remote code execution vulnerability" Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' | 9.3 |
| 2011-04-13 | CVE-2011-0105 | Microsoft | Buffer Errors vulnerability in Microsoft Excel, Office and Open XML File Format Converter Microsoft Excel 2002 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac obtain a certain length value from an uninitialized memory location, which allows remote attackers to trigger a buffer overflow and execute arbitrary code via a crafted Excel file, aka "Excel Data Initialization Vulnerability." | 9.3 |
| 2011-04-13 | CVE-2011-0104 | Microsoft | Buffer Errors vulnerability in Microsoft Excel, Office and Open XML File Format Converter Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HLink record in an Excel file, aka "Excel Buffer Overwrite Vulnerability." | 9.3 |
| 2011-04-13 | CVE-2011-0103 | Microsoft | Buffer Errors vulnerability in Microsoft Excel, Office and Open XML File Format Converter Microsoft Excel 2002 SP3 and 2003 SP3, Office 2004 and 2008 for Mac, and Open XML File Format Converter for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted record information in an Excel file, aka "Excel Memory Corruption Vulnerability." | 9.3 |
| 2011-04-13 | CVE-2011-0101 | Microsoft | Buffer Errors vulnerability in Microsoft Excel 2002 Microsoft Excel 2002 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted RealTimeData record, related to a stTopic field, double-byte characters, and an incorrect pointer calculation, aka "Excel Record Parsing WriteAV Vulnerability." | 9.3 |
| 2011-04-13 | CVE-2011-0098 | Microsoft | Numeric Errors vulnerability in Microsoft products Integer signedness error in Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code via an XLS file with a large record size, aka "Excel Heap Overflow Vulnerability." | 9.3 |
| 2011-04-13 | CVE-2011-0097 | Microsoft | Numeric Errors vulnerability in Microsoft products Integer underflow in Microsoft Excel 2002 SP3, 2003 SP3, 2007 SP2, and 2010; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Excel Viewer SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP2 allows remote attackers to execute arbitrary code via a crafted 400h substream in an Excel file, which triggers a stack-based buffer overflow, aka "Excel Integer Overrun Vulnerability." | 9.3 |
| 2011-04-13 | CVE-2011-0028 | Microsoft | Code Injection vulnerability in Microsoft Windows Server 2003 and Windows XP WordPad in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly parse fields in Word documents, which allows remote attackers to execute arbitrary code via a crafted .doc file, aka "WordPad Converter Parsing Vulnerability." | 9.3 |
4 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2011-04-13 | CVE-2011-0611 | Adobe Suse Opensuse | Type Confusion vulnerability in multiple products Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011. | 8.8 |
| 2011-04-15 | CVE-2011-1532 | HP | Multiple Security vulnerability in HP Photosmart Printers Unspecified vulnerability in the SNMP component on the HP Photosmart D110 and B110; Photosmart Plus B210; Photosmart Premium C310, Fax All-in-One, and C510; and ENVY 100 D410 printers allows remote attackers to obtain sensitive information or modify data via vectors related to the Embedded Web Server (EWS). | 7.5 |
| 2011-04-13 | CVE-2011-1229 | Microsoft Avaya | Null Pointer Dereference vulnerability in multiple products win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, a different vulnerability than other "Vulnerability Type 2" CVEs listed in MS11-034, aka "Win32k Null Pointer De-reference Vulnerability." | 7.2 |
| 2011-04-13 | CVE-2011-0673 | Microsoft | Local Privilege Escalation vulnerability in Microsoft Windows Kernel 'Win32k.sys' (CVE-2011-1234) win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3 allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, aka "Win32k Null Pointer De-reference Vulnerability." Per: http://cwe.mitre.org/data/definitions/476.html 'CWE-476: NULL Pointer Dereference' | 7.2 |
24 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2011-04-15 | CVE-2011-0896 | HP | Remote Denial Of Service vulnerability in HP Hp-Ux and Nfs/Oncplus Unspecified vulnerability in HP NFS/ONCplus B.11.31.10 and earlier on HP-UX B.11.31 allows remote authenticated users to cause a denial of service via unknown vectors. | 6.8 |
| 2011-04-13 | CVE-2011-0991 | Mono Novell | Resource Management Errors vulnerability in multiple products Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to finalizing and then resurrecting a DynamicMethod instance. | 6.8 |
| 2011-04-13 | CVE-2011-1683 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Application Server IBM WebSphere Application Server (WAS) 6.0.x through 6.0.2.43, 6.1.x before 6.1.0.37, and 7.0.x before 7.0.0.17 on z/OS, when a Local OS user registry or Federated Repository with RACF adapter is used, allows remote attackers to obtain unspecified application access via unknown vectors. | 6.8 |
| 2011-04-13 | CVE-2011-0996 | ROY Marples | Improper Input Validation vulnerability in ROY Marples Dhcpcd dhcpcd before 5.2.12 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message. | 6.8 |
| 2011-04-13 | CVE-2011-0748 | Tincan | Cross-Site Request Forgery (CSRF) vulnerability in Tincan PHPlist Multiple cross-site request forgery (CSRF) vulnerabilities in phpList before 2.10.13 allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) edit administrator accounts. | 6.8 |
| 2011-04-13 | CVE-2011-0992 | Mono Novell | Resource Management Errors vulnerability in multiple products Use-after-free vulnerability in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to cause a denial of service (plugin crash) or obtain sensitive information via vectors related to member data in a resurrected MonoThread instance. | 5.8 |
| 2011-04-13 | CVE-2011-0990 | Mono Novell | Race Condition vulnerability in multiple products Race condition in the FastCopy optimization in the Array.Copy method in metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, allows remote attackers to trigger a buffer overflow and modify internal data structures, and cause a denial of service (plugin crash) or corrupt the internal state of the security manager, via a crafted media file in which a thread makes a change after a type check but before a copy action. | 5.8 |
| 2011-04-13 | CVE-2011-0989 | Mono Novell | Permissions, Privileges, and Access Controls vulnerability in multiple products The RuntimeHelpers.InitializeArray method in metadata/icall.c in Mono, when Moonlight 2.x before 2.4.1 or 3.x before 3.99.3 is used, does not properly restrict data types, which allows remote attackers to modify internal read-only data structures, and cause a denial of service (plugin crash) or corrupt the internal state of the security manager, via a crafted media file, as demonstrated by modifying a C# struct. | 5.8 |
| 2011-04-13 | CVE-2011-1244 | Microsoft | Improper Restriction of Rendered UI Layers or Frames vulnerability in Microsoft Internet Explorer 6/7/8 Microsoft Internet Explorer 6, 7, and 8 does not enforce intended domain restrictions on content access, which allows remote attackers to obtain sensitive information or conduct clickjacking attacks via a crafted web site, aka "Frame Tag Information Disclosure Vulnerability." | 5.8 |
| 2011-04-15 | CVE-2011-1691 | Apple | Null Pointer Dereference vulnerability in Google Chrome The counterToCSSValue function in CSSComputedStyleDeclaration.cpp in the Cascading Style Sheets (CSS) implementation in WebCore in WebKit before r82222, as used in Google Chrome before 11.0.696.43 and other products, does not properly handle access to the (1) counterIncrement and (2) counterReset attributes of CSSStyleDeclaration data provided by a getComputedStyle method call, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted JavaScript code. | 5.0 |
| 2011-04-11 | CVE-2011-1487 | Perl | Permissions, Privileges, and Access Controls vulnerability in Perl The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string. | 5.0 |
| 2011-04-11 | CVE-2011-1156 | Mark Pilgrim | Resource Management Errors vulnerability in Mark Pilgrim Feedparser feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0.1 allows remote attackers to cause a denial of service (application crash) via a malformed DOCTYPE declaration. | 5.0 |
| 2011-04-15 | CVE-2011-0897 | HP | Cross Site Scripting and Unauthorized Access vulnerability in HP Network Node Manager I 9.00 Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.00 allows local users to read arbitrary files via unknown vectors. | 4.6 |
| 2011-04-15 | CVE-2011-1713 | Microsoft | Information Exposure vulnerability in Microsoft Internet Explorer 8 Microsoft msxml.dll, as used in Internet Explorer 8 on Windows 7, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function. | 4.3 |
| 2011-04-15 | CVE-2011-1712 | Mozilla | Information Exposure vulnerability in Mozilla Firefox and Seamonkey The txXPathNodeUtils::getXSLTId function in txMozillaXPathTreeWalker.cpp and txStandaloneXPathTreeWalker.cpp in Mozilla Firefox before 3.5.19, 3.6.x before 3.6.17, and 4.x before 4.0.1, and SeaMonkey before 2.0.14, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function. | 4.3 |
| 2011-04-15 | CVE-2011-0195 | Apple | Information Exposure vulnerability in Apple Iphone OS 4.3.0/4.3.1 The generate-id XPath function in libxslt in Apple iOS 4.3.x before 4.3.2 allows remote attackers to obtain potentially sensitive information about heap memory addresses via a crafted web site. | 4.3 |
| 2011-04-15 | CVE-2011-1533 | HP | Cross-Site Scripting vulnerability in HP products Cross-site scripting (XSS) vulnerability on the HP Photosmart D110 and B110; Photosmart Plus B210; Photosmart Premium C310, Fax All-in-One, and C510; and ENVY 100 D410 printers allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2011-04-15 | CVE-2011-1531 | HP | Information Exposure vulnerability in HP products The webscan component in the Embedded Web Server (EWS) on the HP Photosmart D110 and B110; Photosmart Plus B210; Photosmart Premium C310, Fax All-in-One, and C510; and ENVY 100 D410 printers allows remote attackers to read documents on the scan surface via unspecified vectors. | 4.3 |
| 2011-04-15 | CVE-2011-0898 | HP | Cross-Site Scripting vulnerability in HP Network Node Manager I 9.00 Cross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 9.00 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
| 2011-04-13 | CVE-2011-1682 | Tincan | Cross-Site Request Forgery (CSRF) vulnerability in Tincan PHPlist Multiple cross-site request forgery (CSRF) vulnerabilities in phpList 2.10.13 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) create a list or (2) insert cross-site scripting (XSS) sequences. | 4.3 |
| 2011-04-13 | CVE-2011-0746 | Zyxel | Cross-Site Request Forgery (CSRF) vulnerability in Zyxel O2 DSL Router Classic Cross-site request forgery (CSRF) vulnerability in Forms/PortForwarding_Edit_1 on the ZyXEL O2 DSL Router Classic allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the PortRule_Name parameter. | 4.3 |
| 2011-04-11 | CVE-2011-1158 | Mark Pilgrim | Cross-Site Scripting vulnerability in Mark Pilgrim Feedparser 5.0 Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via an unexpected URI scheme, as demonstrated by a javascript: URI. | 4.3 |
| 2011-04-11 | CVE-2011-1157 | Mark Pilgrim | Cross-Site Scripting vulnerability in Mark Pilgrim Feedparser 5.0 Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) 5.x before 5.0.1 allows remote attackers to inject arbitrary web script or HTML via malformed XML comments. | 4.3 |
| 2011-04-11 | CVE-2009-5065 | Mark Pilgrim | Cross-Site Scripting vulnerability in Mark Pilgrim Feedparser Cross-site scripting (XSS) vulnerability in feedparser.py in Universal Feed Parser (aka feedparser or python-feedparser) before 5.0 allows remote attackers to inject arbitrary web script or HTML via vectors involving nested CDATA stanzas. | 4.3 |
2 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2011-04-11 | CVE-2011-1401 | Ikiwiki | Cross-Site Scripting vulnerability in Ikiwiki ikiwiki before 3.20110328 does not ascertain whether the htmlscrubber plugin is enabled during processing of the "meta stylesheet" directive, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences in (1) the default stylesheet or (2) an alternate stylesheet. | 3.5 |
| 2011-04-13 | CVE-2011-1500 | Kevinmehall | Permissions, Privileges, and Access Controls vulnerability in Kevinmehall Pithos 0.3.7 PreferencesPithosDialog.py in Pithos 0.3.7 does not properly restrict permissions for the .config/pithos.ini file in a user's home directory, which allows local users to obtain Pandora credentials by reading this file. | 2.1 |