Weekly Vulnerabilities Reports > April 18 to 24, 2011

Overview

109 new vulnerabilities reported during this period, including 6 critical vulnerabilities and 5 high severity vulnerabilities. This weekly summary report vulnerabilities in 59 products from 27 vendors including Oracle, IBM, SUN, Bestpractical, and Redhat. Vulnerabilities are notably categorized as "Resource Management Errors", "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Path Traversal", and "Information Exposure".

  • 89 reported vulnerabilities are remotely exploitables.
  • 3 reported vulnerabilities have public exploit available.
  • 15 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 61 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 49 reported vulnerabilities.
  • Oracle has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

6 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-04-21 CVE-2011-1206 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Tivoli Directory Server

Stack-based buffer overflow in the server process in ibmslapd.exe in IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0010, 6.0 before 6.0.0.67 (aka 6.0.0.8-TIV-ITDS-IF0009), 6.1 before 6.1.0.40 (aka 6.1.0.5-TIV-ITDS-IF0003), 6.2 before 6.2.0.16 (aka 6.2.0.3-TIV-ITDS-IF0002), and 6.3 before 6.3.0.3 (aka 6.3.0.0-TIV-ITDS-IF0003) allows remote attackers to execute arbitrary code via a crafted LDAP request.

10.0
2011-04-20 CVE-2011-0807 Oracle
SUN
Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration.
10.0
2011-04-19 CVE-2009-5071 HP Remote Security vulnerability in Palm Pre Webos

Unspecified vulnerability in Palm Pre WebOS before 1.2.1 has unknown impact and attack vectors related to an "included contact template file."

10.0
2011-04-18 CVE-2010-4229 Novell Path Traversal vulnerability in Novell Zenworks Configuration Management 10.3/10.3.1/11

Directory traversal vulnerability in an unspecified servlet in the Inventory component in ZENworks Asset Management (ZAM) in Novell ZENworks Configuration Management 10.3 before 10.3.2, and 11, allows remote attackers to overwrite files, and subsequently execute arbitrary code, via directory traversal sequences in a filename field in an upload request.

10.0
2011-04-18 CVE-2011-1653 CA SQL Injection vulnerability in CA Total Defense R12

Multiple SQL injection vulnerabilities in the Unified Network Control (UNC) Server in CA Total Defense (TD) r12 before SE2 allow remote attackers to execute arbitrary SQL commands via vectors involving the (1) UnAssignFunctionalRoles, (2) UnassignAdminRoles, (3) DeleteFilter, (4) NonAssignedUserList, (5) DeleteReportLayout, (6) DeleteReports, and (7) RegenerateReport stored procedures.

10.0
2011-04-18 CVE-2011-1426 Realnetworks Remote Code Execution vulnerability in Real Networks RealPlayer 'OpenURLInDefaultBrowser()' Function

The OpenURLInDefaultBrowser method in RealNetworks RealPlayer 11.0 through 11.1 and 14.0.0 through 14.0.2, and RealPlayer SP 1.0 through 1.1.5, launches a default handler for the filename specified in the first argument, which allows remote attackers to execute arbitrary code via a .rnx filename corresponding to a crafted RNX file.

9.3

5 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-04-20 CVE-2011-0841 SUN Remote vulnerability in SUN Sunos 5.11

Unspecified vulnerability in Oracle Solaris 11 Express allows remote attackers to affect availability, related to TCP/IP.

7.8
2011-04-19 CVE-2011-1722 Webempoweredchurch
Typo3
SQL Injection vulnerability in Webempoweredchurch WEC Discussion

Multiple SQL injection vulnerabilities in WEC Discussion Forum (wec_discussion) extension 2.1.0 and earlier for TYPO3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in April 2011.

7.5
2011-04-18 CVE-2011-1655 CA Cryptographic Issues vulnerability in CA Total Defense R12

The management.asmx module in the Management Web Service in the Unified Network Control (UNC) Server in CA Total Defense (TD) r12 before SE2 sends a cleartext response to unspecified getDBConfigSettings requests, which makes it easier for remote attackers to obtain database credentials, and subsequently execute arbitrary code, by sniffing the network, related to the UNCWS Web Service.

7.5
2011-04-18 CVE-2011-1654 CA Path Traversal vulnerability in CA Total Defense R12

Directory traversal vulnerability in the Heartbeat Web Service in CA.Itm.Server.ManagementWS.dll in the Management Server in CA Total Defense (TD) r12 before SE2 allows remote attackers to execute arbitrary code via directory traversal sequences in the GUID parameter in an upload request to FileUploadHandler.ashx.

7.5
2011-04-21 CVE-2011-1149 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

Android before 2.3 does not properly restrict access to the system property space, which allows local applications to bypass the application sandbox and gain privileges, as demonstrated by psneuter and KillingInTheNameOf, related to the use of Android shared memory (ashmem) and ASHMEM_SET_PROT_MASK.

7.2

80 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-04-22 CVE-2011-1421 EMC Permissions, Privileges, and Access Controls vulnerability in EMC Networker

EMC NetWorker 7.5.x before 7.5.4.3 and 7.6.x before 7.6.1.5, when the client push feature is enabled, uses weak permissions for an unspecified file, which allows local users to gain privileges via unknown vectors.

6.9
2011-04-21 CVE-2007-6742 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server 5.2.0/5.2.0.4

The get_filter_list function in IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0006 does not properly perform certain sub filter parsing, which allows remote authenticated users to cause a denial of service (infinite loop) via a malformed search filter.

6.8
2011-04-20 CVE-2011-0825 Oracle Remote vulnerability in Oracle JD Edwards EnterpriseOne Tools

Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect confidentiality, integrity, and availability, related to Enterprise Infrastructure SEC.

6.8
2011-04-22 CVE-2011-1686 Bestpractical SQL Injection vulnerability in Bestpractical RT

Multiple SQL injection vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, as demonstrated by reading data.

6.5
2011-04-22 CVE-2011-1534 HP Unspecified vulnerability in HP Network Node Manager I

Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.0x allows remote authenticated users to obtain access to processes via unknown vectors.

6.5
2011-04-20 CVE-2011-0800 SUN Local vulnerability in Oracle Sun Solaris

Unspecified vulnerability in the Solaris component in Oracle Solaris 8, 9, 10, and 11 Express allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Administration Utilities.

6.5
2011-04-20 CVE-2011-0799 Oracle Remote Warehouse Builder vulnerability in Oracle Database Server

Unspecified vulnerability in the Oracle Warehouse Builder component in Oracle Database Server 10.2.0.5 (OWB), 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Oracle Warehouse Builder User Account.

6.5
2011-04-20 CVE-2011-0792 Oracle Remote Oracle Warehouse Builder vulnerability in Oracle Database Server

Unspecified vulnerability in the Oracle Warehouse Builder component in Oracle Database Server 10.2.0.5 (OWB) and 11.1.0.7 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Dimensional Data Modeling.

6.5
2011-04-20 CVE-2011-0824 Oracle Remote Vulnerabilty in Oracle JD Edwards EnterpriseOne Tools

Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect confidentiality and integrity, related to Enterprise Infrastructure SEC.

6.4
2011-04-18 CVE-2009-0788 Redhat Information Exposure vulnerability in Redhat Network Satellite Server 5.3/5.4

Red Hat Network (RHN) Satellite Server 5.3 and 5.4 does not properly rewrite unspecified URLs, which allows remote attackers to (1) obtain unspecified sensitive host information or (2) use the server as an inadvertent proxy to connect to arbitrary services and IP addresses via unspecified vectors.

6.4
2011-04-20 CVE-2011-0803 Oracle Remote vulnerability in Oracle JD Edwards EnterpriseOne Tools

Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 8.9 GA through 8.98.4.1, and OneWorld Tools through 24.1.3, allows remote attackers to affect integrity and availability, related to Enterprise Infrastructure SEC.

5.8
2011-04-20 CVE-2011-0861 Oracle Remote PeopleSoft Enterprise HRMS vulnerability in Oracle PeopleSoft

Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Update 2011-B and 9.1 Update 2011-B allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Global Payroll Core.

5.5
2011-04-20 CVE-2011-0860 Oracle Remote Global Payroll Spain vulnerability in Oracle PeopleSoft Enterprise Hrms 9.0/9.1

Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Update 2011-B and 9.1 Update 2011-B allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Global Payroll - Spain.

5.5
2011-04-20 CVE-2011-0859 Oracle Remote Global Payroll North America vulnerability in Oracle PeopleSoft Enterprise Hrms 9.0/9.1

Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Tax Update 11-B and 9.1 Tax Update 11-B allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Global Payroll - North America.

5.5
2011-04-20 CVE-2011-0858 Oracle Remote Talent Acquisition Manager vulnerability in Oracle PeopleSoft Enterprise Hrms 9.0/9.1

Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Bundle #15 and 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Talent Acquisition Manager.

5.5
2011-04-20 CVE-2011-0857 Oracle Remote PeopleSoft Enterprise HRMS vulnerability in Oracle PeopleSoft Enterprise Hrms 9.0/9.1

Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Bundle #15 and 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Pension Administration.

5.5
2011-04-20 CVE-2011-0855 Oracle Remote vulnerability in Oracle Industry Applications 4.5/4.6/5.0

Unspecified vulnerability in the InForm component in Oracle Industry Applications 4.5, 4.6, and 5.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core.

5.5
2011-04-20 CVE-2011-0854 Oracle Remote PeopleSoft Enterprise HRMS vulnerability in Oracle Peoplesoft Enterprise Hrms 9.1

Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to ePerformance.

5.5
2011-04-20 CVE-2011-0853 Oracle Remote PeopleSoft Enterprise HRMS vulnerability in Oracle PeopleSoft Enterprise Hrms 9.0/9.1

Unspecified vulnerability in Oracle PeopleSoft Enterprise HRMS 9.0 Bundle #15 and 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to ePerformance.

5.5
2011-04-20 CVE-2011-0851 Oracle Remote vulnerability in Oracle PeopleSoft Enterprise ELS 9.0/9.1

Unspecified vulnerability in Oracle PeopleSoft Enterprise ELS 9.0 Bundle #19 and 9.1 Bundle #5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Enterprise Learning Mgmt.

5.5
2011-04-20 CVE-2011-0850 Oracle Remote vulnerability in Oracle Peoplesoft Enterprise Customer Relationship Management 8.9

Unspecified vulnerability in Oracle PeopleSoft Enterprise CRM 8.9 Bundle #41 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Order Capture.

5.5
2011-04-20 CVE-2011-0787 Oracle Unspecified vulnerability in Oracle Database Server and Enterprise Manager Grid Control

Unspecified vulnerability in the Application Service Level Management component in Oracle Database Server 11.1.0.7 and Enterprise Manager Grid Control allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Service Level Agreements.

5.5
2011-04-18 CVE-2010-1171 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Network Satellite 5.3/5.4

Red Hat Network (RHN) Satellite 5.3 and 5.4 exposes a dangerous, obsolete XML-RPC API, which allows remote authenticated users to access arbitrary files and cause a denial of service (failed yum operations) via vectors related to configuration and package group (comps.xml) files for channels.

5.5
2011-04-20 CVE-2011-0820 SUN Remote Kernel vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 10, and 11 Express allows remote attackers to affect availability via unknown vectors related to Kernel.

5.4
2011-04-18 CVE-2011-1179 Redhat
Mozilla
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Redhat Spice-Xpi 2.2/2.3/2.4

The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly other versions allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to (1) plugin/nsScriptablePeer.cpp and (2) plugin/plugin.cpp, which trigger multiple uses of an uninitialized pointer.

5.1
2011-04-21 CVE-2008-7288 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server 5.2.0/5.2.0.4

IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0007 on AIX allows remote attackers to cause a denial of service (server destabilization) via an anonymous DIGEST-MD5 LDAP Bind operation.

5.0
2011-04-20 CVE-2011-0846 Oracle Remote Web Proxy Agent vulnerability in Oracle SUN Java System Access Manager Policy Agent 2.2

Unspecified vulnerability in the Oracle Sun Java System Access Manager Policy Agent 2.2 allows remote attackers to affect availability via unknown vectors related to Web Proxy Agent.

5.0
2011-04-20 CVE-2011-0823 Oracle Remote vulnerability in Oracle JD Edwards OneWorld Tools

Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect integrity, related to Enterprise Infrastructure SEC, a different vulnerability than CVE-2011-0819.

5.0
2011-04-20 CVE-2011-0819 Oracle Remote vulnerability in Oracle JD Edwards EnterpriseOne Tools

Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect integrity, related to Enterprise Infrastructure SEC, a different vulnerability than CVE-2011-0823.

5.0
2011-04-20 CVE-2011-0818 Oracle Remote vulnerability in Oracle JD Edwards OneWorld Tools

Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect availability, related to Enterprise Infrastructure SEC.

5.0
2011-04-20 CVE-2011-0810 Oracle Remote vulnerability in Oracle JD Edwards EnterpriseOne Tools

Unspecified vulnerability Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote attackers to affect availability, related to Enterprise Infrastructure SEC.

5.0
2011-04-20 CVE-2011-0806 Oracle
Microsoft
Remote Denial of Service vulnerability in Oracle Database Network Foundation

Unspecified vulnerability in the Network Foundation component in Oracle Database Server 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2, when running on Windows, allows remote attackers to affect availability via unknown vectors.

5.0
2011-04-18 CVE-2011-1715 Qooxdoo
Eyeos
Path Traversal vulnerability in Qooxdoo 1.3

Directory traversal vulnerability in framework/source/resource/qx/test/part/delay.php in QooxDoo 1.3 and possibly other versions, as used in eyeOS 2.2 and 2.3, and possibly other products allows remote attackers to read arbitrary files via ..%2f (encoded dot dot) sequences in the file parameter.

5.0
2011-04-20 CVE-2011-0829 SUN Local vulnerability in Oracle Sun Solaris

Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows local users to affect availability, related to Kernel/SPARC.

4.9
2011-04-20 CVE-2011-0813 SUN Local Kernel vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express allows local users to affect availability via unknown vectors related to Kernel, a different vulnerability than CVE-2012-0098.

4.9
2011-04-22 CVE-2011-1685 Bestpractical Cross-Site Request Forgery (CSRF) vulnerability in Bestpractical RT

Best Practical Solutions RT 3.8.0 through 3.8.9 and 4.0.0rc through 4.0.0rc7, when the CustomFieldValuesSources (aka external custom field) option is enabled, allows remote authenticated users to execute arbitrary code via unspecified vectors, as demonstrated by a cross-site request forgery (CSRF) attack.

4.6
2011-04-18 CVE-2011-1496 Nicholas Marriott Permissions, Privileges, and Access Controls vulnerability in Nicholas Marriott Tmux 1.3/1.4

tmux 1.3 and 1.4 does not properly drop group privileges, which allows local users to gain utmp group privileges via a filename to the -S command-line option.

4.6
2011-04-20 CVE-2011-0808 Oracle Remote Code Execution vulnerability in Oracle Outside In Technology Lotus 123 File Parsing

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.2.0 and 8.3.5.0 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Outside In Filters.

4.4
2011-04-20 CVE-2011-0794 Oracle Remote Code Execution vulnerability in Oracle Fusion Middleware 8.3.5.0

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5.0 allows local users to affect confidentiality, integrity, and availability, related to File ID SDK.

4.4
2011-04-18 CVE-2011-0988 Pureftpd
Novell
Permissions, Privileges, and Access Controls vulnerability in multiple products

pure-ftpd 1.0.22, as used in SUSE Linux Enterprise Server 10 SP3 and SP4, and Enterprise Desktop 10 SP3 and SP4, when running OES Netware extensions, creates a world-writeable directory, which allows local users to overwrite arbitrary files and gain privileges via unspecified vectors.

4.4
2011-04-22 CVE-2011-1690 Bestpractical Credentials Management vulnerability in Bestpractical RT

Best Practical Solutions RT 3.6.0 through 3.6.10 and 3.8.0 through 3.8.8 allows remote attackers to trick users into sending credentials to an arbitrary server via unspecified vectors.

4.3
2011-04-22 CVE-2011-1689 Bestpractical Cross-Site Scripting vulnerability in Bestpractical RT

Multiple cross-site scripting (XSS) vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2011-04-22 CVE-2011-1688 Bestpractical Path Traversal vulnerability in Bestpractical RT

Directory traversal vulnerability in Best Practical Solutions RT 3.2.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote attackers to read arbitrary files via a crafted HTTP request.

4.3
2011-04-22 CVE-2011-1422 EMC Cross-Site Scripting vulnerability in EMC RSA Adaptive Authentication On-Premise

Cross-site scripting (XSS) vulnerability in an unspecified Shockwave Flash file in EMC RSA Adaptive Authentication On-Premise (AAOP) 2.x, 5.7.x, and 6.x allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

4.3
2011-04-20 CVE-2011-0849 Oracle Remote vulnerability in Oracle Java Dynamic Management KIT 5.1

Unspecified vulnerability in Oracle Java Dynamic Management Kit 5.1 allows remote attackers to affect integrity, related to HTML Adaptor.

4.3
2011-04-20 CVE-2011-0844 Oracle Remote vulnerability in Oracle OpenSSO & Java System Access Manager

Unspecified vulnerability in the OpenSSO Enterprise and Sun Java System Access Manager components in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication.

4.3
2011-04-20 CVE-2011-0843 Oracle Remote Siebel CRM Core vulnerability in Oracle Siebel CRM 7.8.2/8.0.0/8.1.1

Unspecified vulnerability in the Siebel CRM Core component in Oracle Siebel CRM 7.8.2, 8.0.0, and 8.1.1 allows remote attackers to affect integrity via unknown vectors related to Globalization - Automotive.

4.3
2011-04-20 CVE-2011-0837 Oracle Remote Agile Technology Platform vulnerability in Oracle Supply Chain products Suite 9.3.0.2/9.3.1

Unspecified vulnerability in the Agile Technology Platform component in Oracle Supply Chain Products Suite 9.3.0.2 and 9.3.1 allows remote attackers to affect confidentiality via unknown vectors related to Security.

4.3
2011-04-20 CVE-2011-0834 Oracle Remote Siebel CRM Core vulnerability in Oracle Siebel

Unspecified vulnerability in the Siebel CRM Core component in Oracle Siebel CRM 8.0.0 and 8.1.1 allows remote attackers to affect integrity via unknown vectors related to Globalization - Automotive.

4.3
2011-04-20 CVE-2011-0833 Oracle Remote Siebel CRM Core vulnerability in Oracle Siebel CRM 7.8.2/8.0.0/8.1.1

Unspecified vulnerability in the Siebel CRM Core component in Oracle Siebel CRM 7.8.2, 8.0.0, and 8.1.1 allows remote attackers to affect integrity, related to UIF Client.

4.3
2011-04-20 CVE-2011-0828 Oracle Remote PeopleSoft Enterprise vulnerability in Oracle Peoplesoft Enterprise 8.8

Unspecified vulnerability in Oracle PeopleSoft Enterprise 8.8 Bundle #13 allows remote attackers to affect integrity via unknown vectors related to Application Portal.

4.3
2011-04-20 CVE-2011-0809 Oracle Web ADI Remote vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Web ADI component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors.

4.3
2011-04-20 CVE-2011-0805 Oracle Remote UIX vulnerability in Oracle Database Server

Unspecified vulnerability in the UIX component in Oracle Database Server 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote attackers to affect integrity via unknown vectors.

4.3
2011-04-20 CVE-2011-0798 Oracle Remote Security vulnerability in Oracle Portal

Unspecified vulnerability in the Portal component in Oracle Fusion Middleware 10.1.2.3 and 11.1.1.2.0 allows remote attackers to affect integrity via unknown vectors related to Midtier Infrastructure.

4.3
2011-04-20 CVE-2011-0791 Oracle Remote Application Object Library vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality via unknown vectors related to Data Export.

4.3
2011-04-20 CVE-2011-0789 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.1.2.3

Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors.

4.3
2011-04-20 CVE-2011-0785 Oracle Remote Security vulnerability in Oracle10g Enterprise Edition

Unspecified vulnerability in the Oracle Help component in Oracle Database Server 11.1.0.7, 11.2.0.1, 11.2.0.2, 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, and 10.1.0.5; and Oracle Fusion Middleware 11.1.1.2.0, 11.1.1.3.0, and 11.1.1.4.0 allows remote attackers to affect integrity via unknown vectors.

4.3
2011-04-19 CVE-2011-1723 Redmine Cross-Site Scripting vulnerability in Redmine

Cross-site scripting (XSS) vulnerability in app/views/layouts/base.rhtml in Redmine 1.0.1 through 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to projects/hg-helloworld/news/.

4.3
2011-04-19 CVE-2011-1721 Obspm Cross-Site Request Forgery (CSRF) vulnerability in Obspm Webjaxe 1.02

Cross-site request forgery (CSRF) vulnerability in php/partie_administrateur/administration.php in WebJaxe 1.02 allows remote attackers to hijack the authentication of administrators for requests that (1) modify passwords or (2) add new projects.

4.3
2011-04-18 CVE-2011-1716 Xymon Cross-Site Scripting vulnerability in Xymon

Multiple cross-site scripting (XSS) vulnerabilities in the Web UI in Xymon before 4.3.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2011-04-18 CVE-2011-1714 Qooxdoo
Eyeos
Cross-Site Scripting vulnerability in Qooxdoo 1.3

Cross-site scripting (XSS) vulnerability in framework/source/resource/qx/test/jsonp_primitive.php in QooxDoo 1.3 and possibly other versions, as used in eyeOS 2.2 and 2.3, and possibly other products allows remote attackers to inject arbitrary web script or HTML via the callback parameter.

4.3
2011-04-18 CVE-2011-1518 Otrs Cross-Site Scripting vulnerability in Otrs

Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.4.x before 2.4.10 and 3.x before 3.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2011-04-18 CVE-2011-1168 KDE Cross-Site Scripting vulnerability in KDE SC

Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError function in khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows remote attackers to inject arbitrary web script or HTML via the URI in a URL corresponding to an unavailable web site.

4.3
2011-04-18 CVE-2011-0286 RIM Cross-Site Scripting vulnerability in RIM products

Cross-site scripting (XSS) vulnerability in webdesktop/app in the BlackBerry Web Desktop Manager component in Research In Motion (RIM) BlackBerry Enterprise Server (BES) software before 5.0.2 MR5 and 5.0.3 before MR1, and BlackBerry Enterprise Server Express software 5.0.1 and 5.0.2, allows remote attackers to inject arbitrary web script or HTML via the displayErrorMessage parameter in a ManageDevices action.

4.3
2011-04-22 CVE-2011-1687 Bestpractical Information Exposure vulnerability in Bestpractical RT

Best Practical Solutions RT 3.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote authenticated users to obtain sensitive information by using the search interface, as demonstrated by retrieving encrypted passwords.

4.0
2011-04-21 CVE-2011-1821 IBM
Microsoft
Resource Management Errors vulnerability in IBM Tivoli Directory Server 5.2.0/5.2.0.4

IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0010 on Windows allows remote authenticated users to cause a denial of service (daemon hang) via a cn=changelog search.

4.0
2011-04-21 CVE-2010-4789 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server

Use-after-free vulnerability in the proxy-server implementation in IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.65 (aka 6.0.0.8-TIV-ITDS-IF0007) and 6.3 before 6.3.0.1 (aka 6.3.0.0-TIV-ITDS-IF0001) allows remote authenticated users to cause a denial of service (daemon crash) via a paged search that is interrupted by an LDAP Unbind operation.

4.0
2011-04-21 CVE-2010-4788 IBM Improper Input Validation vulnerability in IBM Tivoli Directory Server

IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.62 (aka 6.0.0.8-TIV-ITDS-IF0004) does not perform certain locking of linked-list access, which allows remote authenticated users to cause a denial of service (daemon crash) via a paged search.

4.0
2011-04-21 CVE-2010-4787 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server

IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.63 (aka 6.0.0.8-TIV-ITDS-IF0005) allows remote authenticated users to cause a denial of service (daemon hang) via a paged search that triggers improper mutex processing.

4.0
2011-04-21 CVE-2010-4786 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server

IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.63 (aka 6.0.0.8-TIV-ITDS-IF0005) allows remote authenticated users to cause a denial of service (daemon crash or hang) via a paged search, as demonstrated by a certain idsldapsearch command, related to an improper ibm-slapdIdleTimeOut configuration setting.

4.0
2011-04-21 CVE-2010-4785 IBM
Linux
Microsoft
SUN
Resource Management Errors vulnerability in IBM Tivoli Directory Server

The do_extendedOp function in ibmslapd in IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.62 (aka 6.0.0.8-TIV-ITDS-IF0004) on Linux, Solaris, and Windows allows remote authenticated users to cause a denial of service (ABEND) via a malformed LDAP extended operation that triggers certain comparisons involving the NULL operation OID.

4.0
2011-04-21 CVE-2009-5073 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server

IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.59 (aka 6.0.0.8-TIV-ITDS-IF0001) allows remote authenticated users to cause a denial of service (infinite loop and daemon hang) by adding a nested group that contains the Distinguished Name (DN) of its parent entry.

4.0
2011-04-21 CVE-2009-5072 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server

Memory leak in the ldap_explode_dn function in IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.61 (aka 6.0.0.8-TIV-ITDS-IF0003) allows remote authenticated users to cause a denial of service (memory consumption) via an empty string argument.

4.0
2011-04-21 CVE-2008-7290 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server 5.2.0/5.2.0.4

Memory leak in the ldap_explode_rdn API function in IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0007 allows remote authenticated users to cause a denial of service (memory consumption) by making many function calls.

4.0
2011-04-21 CVE-2008-7289 IBM Improper Input Validation vulnerability in IBM Tivoli Directory Server 5.2.0/5.2.0.4

IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0007 does not properly handle the simultaneous changing of multiple passwords, which makes it easier for remote authenticated users to cause a denial of service (DB2 daemon deadlock) by making password changes that trigger updates to a DB2 password-history table.

4.0
2011-04-21 CVE-2008-7287 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server 5.2.0/5.2.0.4

Multiple memory leaks in the (1) ldap_init and (2) ldap_url_search_direct API functions in IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0007 allow remote authenticated users to cause a denial of service (memory consumption) by making many function calls.

4.0
2011-04-21 CVE-2007-6743 IBM Resource Management Errors vulnerability in IBM Tivoli Directory Server 5.2.0/5.2.0.4

Double free vulnerability in IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-LA0005 allows remote authenticated users to cause a denial of service (ABEND) via search operations that trigger recursive filter_free calls.

4.0
2011-04-20 CVE-2011-0856 Oracle Remote vulnerability in Oracle Peoplesoft Enterprise

Unspecified vulnerability in Oracle PeopleSoft Enterprise 8.49 GA through 8.49.30, 8.50 GA through 8.50.17, and 8.51 GA through 8.51.07 allows remote authenticated users to affect confidentiality via unknown vectors.

4.0
2011-04-20 CVE-2011-0847 Oracle Remote vulnerability in Oracle OpenSSO & Java System Access Manager

Unspecified vulnerability in the OpenSSO Enterprise and Sun Java System Access Manager components in Oracle Sun Products Suite 7.1 and 8.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Authentication.

4.0
2011-04-20 CVE-2011-0840 Oracle Remote PeopleSoft Enterprise PeopleTools vulnerability in Oracle PeopleSoft

Unspecified vulnerability in Oracle PeopleSoft Enterprise PeopleTools 8.49 GA through 8.49.30 allows remote authenticated users to affect confidentiality via unknown vectors related to File Processing.

4.0

18 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-04-20 CVE-2011-0839 SUN Local Solaris vulnerability in SUN Sunos 5.10/5.11/5.9

Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allows local users to affect availability, related to LOFS.

3.7
2011-04-20 CVE-2011-0812 SUN Local Solaris vulnerability in Oracle Solaris

Unspecified vulnerability in the Solaris component in Oracle Solaris 8, 9, 10, and 11 Express allows local users to affect availability via unknown vectors related to Kernel.

3.7
2011-04-20 CVE-2011-0804 Oracle Remote Database Vault vulnerability in Oracle Database Server

Unspecified vulnerability in the Database Vault component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, and 11.2.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.

3.6
2011-04-20 CVE-2011-0801 SUN Local vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows local users to affect confidentiality and integrity via unknown vectors related to cp.

3.6
2011-04-20 CVE-2011-0793 Oracle Remote Database Vault vulnerability in Oracle Database Server

Unspecified vulnerability in the Database Vault component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect integrity and availability, related to SYSDBA.

3.6
2011-04-20 CVE-2011-0836 Oracle Unspecified vulnerability in Oracle products

Unspecified vulnerability in Oracle JD Edwards EnterpriseOne Tools 8.9 GA through 8.98.4.1 and OneWorld Tools through 24.1.3 allows remote authenticated users to affect integrity, related to Web Runtime SEC.

3.5
2011-04-20 CVE-2011-0827 Oracle Remote vulnerability in Oracle products

Unspecified vulnerability in the PeopleSoft Enterprise component in Oracle PeopleSoft Products 8.50 GA through 8.50.17 and 8.51 GA through 8.51.07 allows remote authenticated users to affect integrity via unknown vectors related to PeopleTools.

3.5
2011-04-20 CVE-2011-0826 Oracle Remote vulnerability in Oracle Peoplesoft Enterprise

Unspecified vulnerability in Oracle PeopleSoft Enterprise 8.8 Bundle #13, 8.9 Bundle #7, 9.0 Bundle #7, and 9.1 Bundle #4 allows remote authenticated users to affect integrity via unknown vectors related to Application Portal.

3.5
2011-04-20 CVE-2011-0795 Oracle Remote Security vulnerability in Oracle Fusion Middleware 10.1.2.3

Unspecified vulnerability in the Single Sign On component in Oracle Fusion Middleware 10.1.2.3 allows remote authenticated users to affect integrity via unknown vectors related to Administration and Monitoring.

3.5
2011-04-18 CVE-2011-0012 Redhat
Mozilla
Link Following vulnerability in Redhat Spice-Xpi 2.2/2.3/2.4

The SPICE Firefox plug-in (spice-xpi) 2.4, 2.3, 2.2, and possibly other versions allows local users to overwrite arbitrary files via a symlink attack on the usbrdrctl log file, which has a predictable name.

3.3
2011-04-20 CVE-2011-0821 SUN Local vulnerability in SUN Sunos 5.10/5.8/5.9

Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local users to affect confidentiality and integrity via unknown vectors related to uucp.

3.0
2011-04-21 CVE-2011-1822 IBM Credentials Management vulnerability in IBM Tivoli Directory Server 5.2.0/5.2.0.4

The LDAP_ADD implementation in IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0009 stores a cleartext SHA password in the change log, which might allow local users to obtain sensitive information by reading this log.

2.1
2011-04-20 CVE-2011-0797 Oracle Applications Install Remote vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Applications Install component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote authenticated users to affect confidentiality via unknown vectors.

2.1
2011-04-19 CVE-2011-0412 SUN Credentials Management vulnerability in SUN Sunos 5.10/5.8/5.9

Oracle Solaris 8, 9, and 10 stores back-out patch files (undo.Z) unencrypted with world-readable permissions under /var/sadm/pkg/, which allows local users to obtain password hashes and conduct brute force password guessing attacks.

2.1
2011-04-18 CVE-2011-1717 Skype Permissions, Privileges, and Access Controls vulnerability in Skype for Android

Skype for Android stores sensitive user data without encryption in sqlite3 databases that have weak permissions, which allows local applications to read user IDs, contacts, phone numbers, date of birth, instant message logs, and other private information.

2.1
2011-04-21 CVE-2011-1820 IBM Information Exposure vulnerability in IBM Tivoli Directory Server

IBM Tivoli Directory Server (TDS) 5.2 before 5.2.0.5-TIV-ITDS-IF0010, 6.0 before 6.0.0.67 (aka 6.0.0.8-TIV-ITDS-IF0009), 6.1 before 6.1.0.40 (aka 6.1.0.5-TIV-ITDS-IF0003), 6.2 before 6.2.0.16 (aka 6.2.0.3-TIV-ITDS-IF0002), and 6.3 before 6.3.0.3 (aka 6.3.0.0-TIV-ITDS-IF0003) does not properly handle the ibm-auditAttributesOnGroupEvalOp setting for auditing of extended operations, which might allow attackers to obtain sensitive information by reading the audit log.

1.7
2011-04-20 CVE-2011-0796 Oracle Applications Install Local vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Applications Install component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows local users to affect confidentiality via unknown vectors.

1.7
2011-04-20 CVE-2011-0790 SUN Local vulnerability in Oracle Solaris

Unspecified vulnerability in Oracle Solaris 9 and 10 allows local users to affect confidentiality via unknown vectors related to wbem.

1.7