Weekly Vulnerabilities Reports > July 11 to 17, 2011

Overview

32 new vulnerabilities were reported during this period, including 2 critical and 8 high severity vulnerabilities. This weekly summary reports vulnerabilities in 38 products from 21 vendors, including IBM, Microsoft, Fedoraproject, Debian, and Squirrelmail. The most common weakness categories are "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Resource Management Errors", "SQL Injection", and "Path Traversal".

  • 25 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 10 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 30 reported vulnerabilities are exploitable by an anonymous user.
  • IBM and Squirrelmail have the most reported vulnerabilities, with 5 each.
  • HP and Novell each have 1 reported critical vulnerability.

Summary dashboard: 32 total vulnerabilities (2 critical, 8 high, 21 medium, 1 low risk); 25 remotely exploitable; 1 with an exploit available; 30 exploitable anonymously. The "locally exploitable" and "affecting web application" counts of the dashboard are not preserved in this text extract.

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


2 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-07-14 CVE-2011-2220 Novell Buffer Errors vulnerability in Novell File Reporter and File Reporter Engine

Stack-based buffer overflow in NFREngine.exe in Novell File Reporter Engine before 1.0.2.53, as used in Novell File Reporter and other products, allows remote attackers to execute arbitrary code via a crafted RECORD element.

10.0
2011-07-11 CVE-2011-1867 HP Buffer Errors vulnerability in HP products

Stack-based buffer overflow in iNodeMngChecker.exe in the User Access Manager (UAM) 5.0 before SP1 E0101P03 and Endpoint Admission Defense (EAD) 5.0 before SP1 E0101P03 components in HP Intelligent Management Center (aka iNode Management Center) allows remote attackers to execute arbitrary code via a 0x0A0BF007 packet.

10.0

8 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-07-17 CVE-2011-2692 Libpng / Fedoraproject / Debian / Canonical Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

The png_handle_sCAL function in pngrutil.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 does not properly handle invalid sCAL chunks, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted PNG image that triggers the reading of uninitialized memory.

8.8
2011-07-13 CVE-2011-1265 Bluetooth / Microsoft Code Injection vulnerability in multiple products

The Bluetooth Stack 2.1 in Microsoft Windows Vista SP1 and SP2 and Windows 7 Gold and SP1 does not prevent access to objects in memory that (1) were not properly initialized or (2) have been deleted, which allows remote attackers to execute arbitrary code via crafted Bluetooth packets, aka "Bluetooth Stack Vulnerability."

8.3
2011-07-11 CVE-2011-2064 Cisco Resource Management Errors vulnerability in Cisco Content Services Gateway Second Generation and IOS

Cisco IOS 12.4MDA before 12.4(24)MDA5 on the Cisco Content Services Gateway - Second Generation (CSG2) allows remote attackers to cause a denial of service (device reload) via crafted ICMP packets, aka Bug ID CSCtl79577.

7.8
2011-07-17 CVE-2011-2751 Parodia SQL Injection vulnerability in Parodia 6.2/6.4

SQL injection vulnerability in Parodia before 6.809 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2011-07-11 CVE-2011-0549 Symantec SQL Injection vulnerability in Symantec web Gateway

SQL injection vulnerability in forget.php in the management GUI in Symantec Web Gateway 4.5.x allows remote attackers to execute arbitrary SQL commands via the username parameter.

7.5
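Both SQL injection entries above (Parodia, and the username parameter of forget.php in Symantec Web Gateway) come from a request parameter being spliced into query text. The following Python/sqlite3 snippet is an added example, not code from either product: it runs a password-reminder style lookup first with the username concatenated into the SQL and then with the value bound as a parameter, and shows what a tautology payload leaks in each case. The table schema, the function names and the payload are assumptions made for this illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory account table standing in for a management
    GUI's user store; the schema is an assumption for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin@example.test"), ("alice", "alice@example.test")],
    )
    conn.commit()
    return conn


def forgot_password_vulnerable(conn, username):
    """Password-reminder lookup that splices the username straight into
    the SQL text: the pattern behind a 'username parameter' injection."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def forgot_password_parameterized(conn, username):
    """Hardened form: the driver binds the value, so quotes and OR clauses
    inside it are data, never SQL."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed attacker input: closes the string literal and appends a
# tautology, so the WHERE clause matches every row in the table.
PAYLOAD = "' OR '1'='1"


def compare(username):
    """Runs both lookups on the same input and returns the e-mail addresses
    each one discloses, sorted so the comparison is stable."""
    conn = make_db()
    return {
        "vulnerable": sorted(forgot_password_vulnerable(conn, username)),
        "parameterized": sorted(forgot_password_parameterized(conn, username)),
    }
```

With a normal username both lookups return the same single row; with the payload the concatenated query discloses every address in the table while the parameterized one matches nothing, because the bound value is compared literally.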
2011-07-17 CVE-2011-1223 IBM / Microsoft Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Tivoli Storage Manager

Buffer overflow in the Alternate Data Stream (aka ADS or named stream) functionality in the backup-archive client in IBM Tivoli Storage Manager (TSM) before 5.4.3.4, 5.5.x before 5.5.3, 6.x before 6.1.4, and 6.2.x before 6.2.2 on Windows allows local users to gain privileges via unspecified vectors.

7.2
2011-07-17 CVE-2011-1222 IBM / Microsoft Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Tivoli Storage Manager

Buffer overflow in the Journal Based Backup (JBB) feature in the backup-archive client in IBM Tivoli Storage Manager (TSM) before 5.4.3.4, 5.5.x before 5.5.3, 6.x before 6.1.4, and 6.2.x before 6.2.2 on Windows and AIX allows local users to gain privileges via unspecified vectors.

7.2
2011-07-13 CVE-2011-1870 Microsoft Numeric Errors vulnerability in Microsoft products

Integer overflow in the Client/Server Run-time Subsystem (aka CSRSS) in the Win32 subsystem in Microsoft Windows XP SP2 and SP3, and Windows Server 2003 SP2, allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted application that triggers an incorrect memory assignment for a user transaction, aka "CSRSS Local EOP SrvWriteConsoleOutputString Vulnerability."

7.2

21 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-07-11 CVE-2011-1338 Xnview DLL Loading Arbitrary Code Execution vulnerability in XnView

Untrusted search path vulnerability in XnView before 1.98.1 allows local users to gain privileges via a Trojan horse .exe file in a folder selected by the "Open containing folder" menu item.

6.9
2011-07-17 CVE-2011-2753 Squirrelmail Cross-Site Request Forgery (CSRF) vulnerability in Squirrelmail

Multiple cross-site request forgery (CSRF) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the empty trash implementation and (2) the Index Order (aka options_order) page, a different issue than CVE-2010-4555.

6.8
2011-07-17 CVE-2011-2690 Libpng / Fedoraproject / Debian / Canonical Classic Buffer Overflow vulnerability in multiple products

Buffer overflow in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4, when used by an application that calls the png_rgb_to_gray function but not the png_set_expand function, allows remote attackers to overwrite memory with an arbitrary amount of data, and possibly have unspecified other impact, via a crafted PNG image.

6.8
2011-07-11 CVE-2011-2398 HP Local Privilege Escalation vulnerability in HP HP-UX B.11.11/B.11.23/B.11.31

Unspecified vulnerability in the dynamic loader in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to gain privileges or cause a denial of service via unknown vectors.

6.8
2011-07-17 CVE-2011-2691 Libpng / Fedoraproject / Debian NULL Pointer Dereference vulnerability in multiple products

The png_err function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.

6.5
2011-07-17 CVE-2011-2501 Libpng / Fedoraproject / Debian / Canonical Out-of-bounds Read vulnerability in multiple products

The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data.

6.5
2011-07-11 CVE-2011-1526 MIT / Debian / Fedoraproject / Opensuse / Suse Improper Privilege Management vulnerability in multiple products

ftpd.c in the GSS-API FTP daemon in MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.1 and earlier does not check the krb5_setegid return value, which allows remote authenticated users to bypass intended group access restrictions, and create, overwrite, delete, or read files, via standard FTP commands, related to missing autoconf tests in a configure script.

6.5
2011-07-14 CVE-2011-0287 RIM Information Disclosure vulnerability in RIM products

Unspecified vulnerability in the BlackBerry Administration API in Research In Motion (RIM) BlackBerry Enterprise Server (BES) software 5.0.1 through 5.0.3, and BlackBerry Enterprise Server Express software 5.0.1 through 5.0.3, allows remote attackers to read text files or cause a denial of service via unknown vectors.

6.4
2011-07-17 CVE-2011-2752 Squirrelmail Code Injection vulnerability in Squirrelmail

CRLF injection vulnerability in SquirrelMail 1.4.21 and earlier allows remote attackers to modify or add preference values via a \n (newline) character, a different vulnerability than CVE-2010-4555.

5.8
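The CRLF injection entry above works because a preference value containing a newline is written out unchanged, and the next read of the line-oriented store treats the text after the newline as a separate record. The snippet below is an added example, not SquirrelMail's code: it models a "key=value" per-line preference file, shows an injected value becoming a second preference, and contrasts a writer that refuses CR or LF in keys and values. The preference names and the file layout are assumptions for this illustration.

```python
import re


def serialize_unchecked(prefs):
    """Writes each preference as one 'key=value' line without inspecting
    the value (constructed stand-in for a file-backed preference store)."""
    return "".join(f"{key}={value}\n" for key, value in prefs.items())


def parse_prefs(text):
    """Reads the store back: every line is one preference record."""
    prefs = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            prefs[key] = value
    return prefs


_CRLF = re.compile(r"[\r\n]")


def serialize_checked(prefs):
    """Hardened writer: refuses any key or value carrying CR or LF, so a
    single user-controlled value can never turn into a second record."""
    for key, value in prefs.items():
        if _CRLF.search(key) or _CRLF.search(value):
            raise ValueError(f"line break in preference {key!r}")
    return serialize_unchecked(prefs)


# Constructed attacker value: a plausible language setting followed by a
# newline that smuggles in a preference the user was never offered. The
# name 'allow_remote_images' is hypothetical.
INJECTED_VALUE = "en_US\nallow_remote_images=1"


def stored_after_unchecked_write():
    """What the store contains after the unchecked writer saves the value."""
    return parse_prefs(serialize_unchecked({"language": INJECTED_VALUE}))


def stored_after_checked_write():
    """None when the hardened writer rejects the value, else the parsed store."""
    try:
        text = serialize_checked({"language": INJECTED_VALUE})
    except ValueError:
        return None
    return parse_prefs(text)
```

The unchecked path yields two preferences from one submitted value; the checked path rejects the submission before anything is written. Rejecting rather than stripping the line breaks is deliberate: silently removing them would still let "en_US" and the attacker's tail merge into one unexpected value.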
2011-07-17 CVE-2011-2760 Brocade Permissions, Privileges, and Access Controls vulnerability in Brocade Bigiron RX Switch

Brocade BigIron RX switches allow remote attackers to bypass ACL rules by using 179 as the source port of a packet.

5.0
2011-07-17 CVE-2011-2759 IBM Information Exposure vulnerability in IBM Tivoli Directory Server

The login page of IDSWebApp in the Web Administration Tool in IBM Tivoli Directory Server (TDS) 6.2 before 6.2.0.3-TIV-ITDS-IF0004 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

5.0
2011-07-17 CVE-2011-2758 IBM Improper Authentication vulnerability in IBM Tivoli Directory Server

IDSWebApp in the Web Administration Tool in IBM Tivoli Directory Server (TDS) 6.2 before 6.2.0.3-TIV-ITDS-IF0004 does not require authentication for access to LDAP Server log files, which allows remote attackers to obtain sensitive information via a crafted URL.

5.0
2011-07-17 CVE-2011-2757 Manageengine Path Traversal vulnerability in Manageengine Servicedesk Plus 7.0.0/7.6/8.0

Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) sequence.

5.0
2011-07-17 CVE-2011-2756 Manageengine Improper Authentication vulnerability in Manageengine Servicedesk Plus 8.0

FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 does not require authentication, which allows remote attackers to read files from a specific directory via unspecified vectors.

5.0
2011-07-17 CVE-2011-2755 Manageengine Path Traversal vulnerability in Manageengine Servicedesk Plus 8.0

Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 allows remote attackers to read arbitrary files via unspecified vectors.

5.0
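The three ManageEngine ServiceDesk Plus entries above describe two separate defects in the same download endpoint: it answers without authentication, and it does not confine the requested name to the intended directory. The following Python snippet is an added example, not ManageEngine's code: a download resolver that canonicalizes the requested path and checks that it stays inside the base directory, wrapped in a handler that demands an authenticated user first. The base directory, the parameter name and the status strings are assumptions for this illustration; the function assumes the caller has already URL-decoded the parameter exactly once, as a servlet container would.

```python
import os


def resolve_download(base_dir, fname):
    """Returns the absolute path inside base_dir that fname refers to, or
    raises ValueError when the request escapes the directory."""
    if not os.path.isabs(base_dir):
        raise ValueError("base_dir must be absolute")
    if "\x00" in fname:
        raise ValueError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when fname is absolute, and realpath
    # collapses '..' and resolves any symlinks that exist on disk, so the
    # containment test below sees the path the OS would actually open.
    target = os.path.realpath(os.path.join(base, fname))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {fname!r}")
    return target


def handle_download(user, base_dir, fname):
    """Minimal request handler applying both missing controls in order:
    authentication first, then the containment check. Returns a status
    line; the '200' form carries the resolved path."""
    if user is None:
        return "401 Unauthorized"
    try:
        path = resolve_download(base_dir, fname)
    except ValueError:
        return "403 Forbidden"
    return "200 " + path


# Constructed base directory for the examples; it need not exist for the
# lexical checks to work.
BASE = "/srv/sdp/attachments"
```

Checking the canonical path rather than scanning the input for ".." matters: "reports/../june.csv" is a legitimate name that never leaves the directory, while an absolute name or one that climbs past the base is rejected regardless of how it was spelled. The pre-decoding assumption is the usual trap; if the endpoint decodes the parameter a second time itself, "%2e%2e" must be tested as well.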
2011-07-17 CVE-2011-2750 Novell Resource Management Errors vulnerability in Novell File Reporter 1.0.1/1.0.1.1/1.0.2

NFRAgent.exe in Novell File Reporter 1.0.4.2 and earlier allows remote attackers to delete arbitrary files via a full pathname in an SRS OPERATION 4 CMD 5 request to /FSF/CMD.

5.0
2011-07-17 CVE-2011-2754 IBM Cross-Site Scripting vulnerability in IBM web Content Manager and Websphere Portal

Cross-site scripting (XSS) vulnerability in the PageBuilder2 (aka Page Builder) theme in IBM WebSphere Portal 7.x before 7.0.0.1 CF006, as used in IBM Web Content Manager (WCM) and other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2011-07-14 CVE-2011-2510 Dokuwiki Cross-Site Scripting vulnerability in Dokuwiki

Cross-site scripting (XSS) vulnerability in the RSS embedding feature in DokuWiki before 2011-05-25a Rincewind allows remote attackers to inject arbitrary web script or HTML via a link.

4.3
2011-07-14 CVE-2011-2023 Squirrelmail Cross-Site Scripting vulnerability in Squirrelmail

Cross-site scripting (XSS) vulnerability in functions/mime.php in SquirrelMail before 1.4.22 allows remote attackers to inject arbitrary web script or HTML via a crafted STYLE element in an e-mail message.

4.3
2011-07-14 CVE-2010-4555 Squirrelmail Cross-Site Scripting vulnerability in Squirrelmail

Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.21 and earlier allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) drop-down selection lists, (2) the > (greater than) character in the SquirrelSpell spellchecking plugin, and (3) errors associated with the Index Order (aka options_order) page.

4.3
2011-07-14 CVE-2010-4554 Squirrelmail Improper Input Validation vulnerability in Squirrelmail

functions/page_header.php in SquirrelMail 1.4.21 and earlier does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.

4.3
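Two of the SquirrelMail entries above concern the browser being steered by a third-party page: the CSRF issue (empty trash and the options_order page accept a forged request carrying only the victim's cookie) and the clickjacking issue (page_header.php lets the application render inside a foreign frame). The snippet below is an added example, not SquirrelMail's code: a state-changing "empty trash" handler that requires a per-session token submitted in the POST body and sends anti-framing headers on every response. The session object, the header set and the form field name are assumptions for this illustration.

```python
import hmac
import secrets


class Session:
    """Constructed server-side session: a random per-session CSRF token
    and a stand-in for the user's Trash folder."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)
        self.trash = ["msg-1", "msg-2"]


# Sent with every response. X-Frame-Options: DENY refuses rendering inside
# any frame, which is the fix for the clickjacking entry; the CSP
# frame-ancestors directive is the modern equivalent and both are emitted.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def empty_trash(session, method, form):
    """State-changing handler. Returns (status, headers, trash_after).
    A cross-site page can make the browser attach the session cookie, but
    it cannot read the token the site embedded in its own form, so the
    forged request fails the comparison."""
    headers = dict(ANTI_FRAMING_HEADERS)
    if method != "POST":
        return 405, headers, list(session.trash)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403, headers, list(session.trash)
    session.trash.clear()
    return 200, headers, list(session.trash)


def forged_request(session):
    """What a CSRF page can submit: the right action, no token."""
    return empty_trash(session, "POST", {"action": "empty_trash"})


def legitimate_request(session):
    """The site's own form, which carried the session's token."""
    return empty_trash(session, "POST", {"csrf_token": session.csrf_token})
```

Rejecting non-POST methods closes the simplest forgery (an image tag or link pointing at the action), and the constant-time comparison keeps the token check from leaking through timing. The anti-framing headers are independent of the CSRF check and belong on every page, not only on handlers that change state.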

1 Low Vulnerability

DATE CVE VENDOR VULNERABILITY CVSS
2011-07-13 CVE-2011-1886 Microsoft Local Information Disclosure vulnerability in Microsoft Windows Kernel 'Win32k.sys'

win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3 does not properly validate the arguments to functions, which allows local users to read arbitrary data from kernel memory via a crafted application that triggers a NULL pointer dereference, aka "Win32k Incorrect Parameter Validation Allows Information Disclosure Vulnerability." (CWE-476: NULL Pointer Dereference, http://cwe.mitre.org/data/definitions/476.html)

2.1