Weekly Vulnerabilities Reports > April 25 to May 1, 2011

Overview

39 new vulnerabilities were reported during this period, including 5 critical and 7 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 31 products from 25 vendors, including HP, Mediawiki, Microsoft, Wireshark, and Joomla. The vulnerabilities fall notably into the categories "SQL Injection", "Cross-site Scripting", "Path Traversal", "Improper Input Validation", and "Information Exposure".

  • 38 reported vulnerabilities are remotely exploitable.
  • 11 reported vulnerabilities have a public exploit available.
  • 19 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 34 reported vulnerabilities are exploitable by an anonymous user.
  • HP has the most reported vulnerabilities, with 7 reported vulnerabilities.
  • HP has the most reported critical vulnerabilities, with 2 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:

5 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2011-04-29 | CVE-2011-1541 | HP | Remote Unauthorized Access vulnerability in HP System Management Homepage (CVE-2011-1541) | 10.0
  Unspecified vulnerability in HP System Management Homepage (SMH) before 6.3 allows remote attackers to bypass intended access restrictions, and consequently execute arbitrary code, via unknown vectors.

2011-04-29 | CVE-2011-1591 | Wireshark | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark | 9.3
  Stack-based buffer overflow in the DECT dissector in epan/dissectors/packet-dect.c in Wireshark 1.4.x before 1.4.5 allows remote attackers to execute arbitrary code via a crafted .pcap file.

2011-04-27 | CVE-2011-1719 | CA | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in CA Output Management web Viewer 11.0/11.5 | 9.3
  Multiple stack-based buffer overflows in the Web Viewer ActiveX controls in CA Output Management Web Viewer 11.0 and 11.5 allow remote attackers to execute arbitrary code via (1) a long SRC property value to the PPSViewer ActiveX control in PPSView.ocx before 1.0.0.7 or (2) a long Title property value to the UOMWV_Helper ActiveX control in UOMWV_HelperActiveX.ocx before 11.5.0.1.

2011-04-29 | CVE-2011-1540 | HP | Remote Code Execution vulnerability in HP System Management Homepage (CVE-2011-1540) | 9.0
  Unspecified vulnerability in HP System Management Homepage (SMH) before 6.3 allows remote authenticated users to execute arbitrary code via unknown vectors.

2011-04-27 | CVE-2011-1599 | Digium | Improper Input Validation vulnerability in Digium Asterisk | 9.0
  manager.c in the Manager Interface in Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x before 1.6.2.17.3, and 1.8.x before 1.8.3.3 and Asterisk Business Edition C.x.x before C.3.6.4 does not properly check for the system privilege, which allows remote authenticated users to execute arbitrary commands via an Originate action that has an Async header in conjunction with an Application header.

7 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2011-04-27 | CVE-2010-4800 | Baconmap | SQL Injection vulnerability in Baconmap 1.0 | 7.5
  SQL injection vulnerability in doadd.php in BaconMap 1.0 allows remote attackers to execute arbitrary SQL commands via the type parameter.

2011-04-27 | CVE-2010-4797 | Truworthit | SQL Injection vulnerability in Truworthit Flex Timesheet | 7.5
  Multiple SQL injection vulnerabilities in the log-in form in Truworth Flex Timesheet allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields.

2011-04-27 | CVE-2010-4796 | Phpyun | SQL Injection vulnerability in PHPyun 1.1.6 | 7.5
  Multiple SQL injection vulnerabilities in PHPYun 1.1.6 allow remote attackers to execute arbitrary SQL commands via the (1) provinceid parameter to search.php and the (2) e parameter to resumeview.php.

2011-04-27 | CVE-2010-4795 | Joomlaseller / Joomla | SQL Injection vulnerability in Joomlaseller COM Jscalendar 1.5.1/1.5.4 | 7.5
  SQL injection vulnerability in the JS Calendar (com_jscalendar) component 1.5.1 and 1.5.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the ev_id parameter in a details action to index.php.

2011-04-27 | CVE-2010-4793 | Site2Nite | SQL Injection vulnerability in Site2Nite Auto E-Manager | 7.5
  SQL injection vulnerability in detail.asp in Site2Nite Auto e-Manager allows remote attackers to execute arbitrary SQL commands via the ID parameter.

2011-04-27 | CVE-2010-4791 | Marcusg / PHP Fusion | SQL Injection vulnerability in Marcusg MG User Fotoalbum Panel 1.0.1 | 7.5
  SQL injection vulnerability in infusions/mg_user_fotoalbum_panel/mg_user_fotoalbum.php in the MG User-Fotoalbum (mg_user_fotoalbum_panel) module 1.0.1 for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the album_id parameter.

2011-04-29 | CVE-2011-0729 | Ubuntu | Permissions, Privileges, and Access Controls vulnerability in Ubuntu Language-Selector | 7.2
  dbus_backend/ls-dbus-backend in the D-Bus backend in language-selector before 0.6.7 does not restrict access on the basis of a PolicyKit check result, which allows local users to modify the /etc/default/locale and /etc/environment files via a (1) SetSystemDefaultLangEnv or (2) SetSystemDefaultLanguageEnv call.

24 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2011-04-27 | CVE-2010-4799 | Chipmunk Scripts | SQL Injection vulnerability in Chipmunk-Scripts Pwngame 1.0 | 6.8
  Multiple SQL injection vulnerabilities in Chipmunk Pwngame 1.0, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters to authenticate.php and the (3) ID parameter to pwn.php.

2011-04-27 | CVE-2010-4798 | Orangehrm | Path Traversal vulnerability in Orangehrm 2.6.0.1 | 6.8
  Directory traversal vulnerability in index.php in OrangeHRM 2.6.0.1 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the uri parameter.

2011-04-27 | CVE-2010-2789 | Mediawiki | Code Injection vulnerability in Mediawiki 1.16 | 6.8
  PHP remote file inclusion vulnerability in MediaWikiParserTest.php in MediaWiki 1.16 beta, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via unspecified vectors.

2011-04-27 | CVE-2010-3260 | Orbeon | Permissions, Privileges, and Access Controls vulnerability in Orbeon Forms | 6.4
  oxf/xml/xerces/XercesSAXParserFactoryImpl.java in the xforms-server component in the XForms service in Orbeon Forms before 3.9 does not properly restrict DTDs in Ajax requests, which allows remote attackers to read arbitrary files or send HTTP requests to intranet servers via an entity declaration in conjunction with an entity reference, related to an "XML injection" issue.

2011-04-29 | CVE-2011-1535 | HP | Privilege Escalation vulnerability in HP Insight Control for Linux (CVE-2011-1535) | 6.0
  Unspecified vulnerability in HP Insight Control for Linux (aka IC-Linux) before 6.3 allows remote authenticated users to obtain sensitive information, modify data, or cause a denial of service via unknown vectors.

2011-04-27 | CVE-2010-4801 | Baconmap | Path Traversal vulnerability in Baconmap 1.0 | 6.0
  Directory traversal vulnerability in admin/updatelist.php in BaconMap 1.0 allows remote attackers to include and execute arbitrary local files via a ..

2011-04-27 | CVE-2011-1586 | KDE | Path Traversal vulnerability in KDE SC | 5.8
  Directory traversal vulnerability in the KGetMetalink::File::isValidNameAttr function in ui/metalinkcreator/metalinker.cpp in KGet in KDE SC 4.6.2 and earlier allows remote attackers to create arbitrary files via a ..

2011-04-27 | CVE-2011-1579 | Mediawiki | Improper Input Validation vulnerability in Mediawiki | 5.8
  The checkCss function in includes/Sanitizer.php in the wikitext parser in MediaWiki before 1.16.3 does not properly validate Cascading Style Sheets (CSS) token sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information by using the \2f\2a and \2a\2f hex strings to surround CSS comments.

2011-04-27 | CVE-2010-4790 | IN Mediakg | Path Traversal vulnerability in In-Mediakg Filterftp 2.0.3/2.0.5 | 5.8
  Directory traversal vulnerability in FilterFTP 2.0.3, 2.0.5, and probably earlier versions, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename.

2011-04-29 | CVE-2011-1589 | Mojolicious | Path Traversal vulnerability in Mojolicious | 5.0
  Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

2011-04-29 | CVE-2011-1536 | HP | Unspecified vulnerability in HP Performance Insight | 5.0
  Unspecified vulnerability in HP Performance Insight 5.0, 5.1x.

2011-04-28 | CVE-2011-1839 | IBM | Information Exposure vulnerability in IBM Rational Build Forge 7.1.0 | 5.0
  IBM Rational Build Forge 7.1.0 uses the HTTP GET method during redirection from the authentication servlet to a PHP script, which makes it easier for context-dependent attackers to discover session IDs by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.

2011-04-27 | CVE-2011-1725 | HP | Information Exposure vulnerability in HP Network Automation | 5.0
  Unspecified vulnerability in HP Network Automation 7.2x, 7.5x, 7.6x, 9.0, and 9.10 allows remote attackers to obtain sensitive information via unknown vectors.

2011-04-27 | CVE-2011-1507 | Digium | Resource Management Errors vulnerability in Digium Asterisk | 5.0
  Asterisk Open Source 1.4.x before 1.4.40.1, 1.6.1.x before 1.6.1.25, 1.6.2.x before 1.6.2.17.3, and 1.8.x before 1.8.3.3 and Asterisk Business Edition C.x.x before C.3.6.4 do not restrict the number of unauthenticated sessions to certain interfaces, which allows remote attackers to cause a denial of service (file descriptor exhaustion and disk space exhaustion) via a series of TCP connections.

2011-04-29 | CVE-2011-1592 | Wireshark / Microsoft | Numeric Errors vulnerability in Wireshark | 4.3
  The NFS dissector in epan/dissectors/packet-nfs.c in Wireshark 1.4.x before 1.4.5 on Windows uses an incorrect integer data type during decoding of SETCLIENTID calls, which allows remote attackers to cause a denial of service (application crash) via a crafted .pcap file.

2011-04-29 | CVE-2011-1590 | Wireshark | Resource Management Errors vulnerability in Wireshark | 4.3
  The X.509if dissector in Wireshark 1.2.x before 1.2.16 and 1.4.x before 1.4.5 does not properly initialize certain global variables, which allows remote attackers to cause a denial of service (application crash) via a crafted .pcap file.

2011-04-29 | CVE-2011-1543 | HP | Cross-Site Request Forgery (CSRF) vulnerability in HP Systems Insight Manager | 4.3
  Cross-site request forgery (CSRF) vulnerability in HP Systems Insight Manager (SIM) before 6.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

2011-04-29 | CVE-2011-1542 | HP | Cross-Site Scripting vulnerability in HP Systems Insight Manager | 4.3
  Cross-site scripting (XSS) vulnerability in HP Systems Insight Manager (SIM) before 6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011-04-27 | CVE-2011-1718 | CA | Improper Input Validation vulnerability in CA Siteminder 12.0/6 | 4.3
  The Web Agents component in CA SiteMinder R6 before SP6 CR2 and R12 before SP3 CR2 does not properly handle multi-line headers, which allows remote authenticated users to conduct impersonation attacks and gain privileges via crafted data.

2011-04-27 | CVE-2011-1587 | Mediawiki / Microsoft | Cross-Site Scripting vulnerability in Mediawiki | 4.3
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html located before a ? (question mark) in a query string, in conjunction with a modified URI path that has a %2E sequence in place of the .

2011-04-27 | CVE-2011-1578 | Mediawiki / Microsoft | Cross-Site Scripting vulnerability in Mediawiki | 4.3
  Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.3, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .html at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the .

2011-04-27 | CVE-2010-4794 | Joomlaseller / Joomla | Cross-Site Scripting vulnerability in Joomlaseller COM Jscalendar 1.5.1/1.5.4 | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in the JoomlaSeller JS Calendar (com_jscalendar) component 1.5.1 and 1.5.4 for Joomla! allow remote attackers to inject arbitrary web script or HTML via the (1) month and (2) year parameters in a jscalendar action to index.php.

2011-04-27 | CVE-2010-4792 | Openit | Cross-Site Scripting vulnerability in Openit Overlook 5.0 | 4.3
  Cross-site scripting (XSS) vulnerability in title.php in OPEN IT OverLook 5.0 allows remote attackers to inject arbitrary web script or HTML via the frame parameter.

2011-04-27 | CVE-2010-2787 | Mediawiki | Information Exposure vulnerability in Mediawiki | 4.3
  api.php in MediaWiki before 1.15.5 does not prevent use of public caching headers for private data, which allows remote attackers to bypass intended access restrictions and obtain sensitive information by retrieving documents from an HTTP proxy cache that has been used by a victim.

3 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2011-04-27 | CVE-2011-1580 | Mediawiki | Improper Input Validation vulnerability in Mediawiki | 3.5
  The transwiki import functionality in MediaWiki before 1.16.3 does not properly check privileges, which allows remote authenticated users to perform imports from any wgImportSources wiki via a crafted POST request.

2011-04-29 | CVE-2011-1499 | Banu / Debian | Configuration vulnerability in multiple products | 2.6
  acl.c in Tinyproxy before 1.8.3, when an Allow configuration setting specifies a CIDR block, permits TCP connections from all IP addresses, which makes it easier for remote attackers to hide the origin of web traffic by leveraging the open HTTP proxy server.

2011-04-27 | CVE-2010-2788 | Mediawiki | Cross-Site Scripting vulnerability in Mediawiki | 2.6
  Cross-site scripting (XSS) vulnerability in profileinfo.php in MediaWiki before 1.15.5, when wgEnableProfileInfo is enabled, allows remote attackers to inject arbitrary web script or HTML via the filter parameter.