Weekly Vulnerabilities Reports > August 29 to September 4, 2011

Overview

39 new vulnerabilities were reported during this period, including 6 critical vulnerabilities and 10 high severity vulnerabilities. This weekly summary reports vulnerabilities in 44 products from 22 vendors including Cisco, Rubyonrails, Tibco, Pidgin, and IBM. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Resource Management Errors", and "Improper Authentication".

  • 38 reported vulnerabilities are remotely exploitable.
  • 2 reported vulnerabilities have a public exploit available.
  • 12 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 36 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 8 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 2 reported vulnerabilities.

[Summary tiles: Total vulnerabilities: 39; Critical risk: 6; High risk: 10; Medium risk: 20; Low risk: 3; Remotely exploitable: 38; Locally exploitable: value not captured; Exploit available: 2; Exploitable anonymously: 36; Affecting web application: value not captured]

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:

6 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-09-02 | CVE-2011-0342 | Indusoft | Buffer Errors vulnerability in Indusoft web Studio 7.0B2 | 10.0
    Multiple buffer overflows in the InduSoft ISSymbol ActiveX control in ISSymbol.ocx 301.1104.601.0 in InduSoft Web Studio 7.0B2 hotfix 7.0.01.04 allow remote attackers to execute arbitrary code via a long parameter to the (1) Open, (2) Close, or (3) SetCurrentLanguage method.

2011-08-29 | CVE-2011-2555 | Cisco | Credentials Management vulnerability in Cisco Telepresence Recording Server Software 1.7.2 | 10.0
    Cisco TelePresence Recording Server 1.7.2.x before 1.7.2.1 has a default password for the root administrator account, which makes it easier for remote attackers to modify the configuration via an SSH session, aka Bug ID CSCtr76182.

2011-08-29 | CVE-2011-1643 | Cisco | Information Exposure vulnerability in Cisco products | 10.0
    Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x, 7.x before 7.1(5b)su4, 8.0, and 8.5 before 8.5(1)su2 and Cisco Unified Presence Server 6.x, 7.x, 8.0, and 8.5 before 8.5xnr allow remote attackers to read database data by connecting to a query interface through an SSL session, aka Bug IDs CSCti81574, CSCto63060, CSCto72183, and CSCto73833.

2011-09-02 | CVE-2011-2594 | Kmplayer | Buffer Errors vulnerability in Kmplayer 3.0.0.1441 | 9.3
    Heap-based buffer overflow in KMPlayer 3.0.0.1441, and possibly other versions, allows remote attackers to execute arbitrary code via a playlist (.KPL) file with a long Title field.

2011-09-02 | CVE-2011-1944 | Xmlsoft | Numeric Errors vulnerability in Xmlsoft Libxml and Libxml2 | 9.3
    Integer overflow in xpath.c in libxml2 2.6.x through 2.6.32 and 2.7.x through 2.7.8, and libxml 1.8.16 and earlier, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.

2011-08-29 | CVE-2011-3185 | Microsoft, Pidgin | Improper Input Validation vulnerability in Pidgin | 9.3
    gtkutils.c in Pidgin before 2.10.0 on Windows allows user-assisted remote attackers to execute arbitrary programs via a file: URL in a message.

10 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-08-31 | CVE-2011-2577 | Cisco | Remote Denial of Service vulnerability in Cisco TelePresence Codecs SIP Packet | 7.8
    Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs, when using software versions before TC 4.0.0 or F9.1, allows remote attackers to cause a denial of service (crash) via a crafted SIP packet to port 5060 or 5061, aka Bug ID CSCtq46500.

2011-08-29 | CVE-2011-2564 | Cisco | Unspecified vulnerability in Cisco products | 7.8
    Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth19417.

2011-08-29 | CVE-2011-2563 | Cisco | Unspecified vulnerability in Cisco products | 7.8
    Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth26669.

2011-08-29 | CVE-2011-2562 | Cisco | Unspecified vulnerability in Cisco Unified Communications Manager | 7.8
    Unspecified vulnerability in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5)su2, 7.x before 7.1(5b)su3, 8.x before 8.0(3a)su1, and 8.5 before 8.5(1) allows remote attackers to cause a denial of service (service outage) via a SIP INVITE message, aka Bug ID CSCth43256.

2011-08-29 | CVE-2011-2560 | Cisco | Resource Management Errors vulnerability in Cisco Unified Communications Manager | 7.8
    The Packet Capture Service in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x does not properly handle idle TCP connections, which allows remote attackers to cause a denial of service (memory consumption and restart) by making many connections, aka Bug ID CSCtf97162.

2011-09-02 | CVE-2011-3134 | Tibco | Unspecified vulnerability in Tibco Spotfire Analytics Server and Spotfire Server | 7.5
    Unspecified vulnerability in TIBCO Spotfire Server 3.0.x before 3.0.2, 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.1, and Spotfire Analytics Server before 10.1.1, allows remote attackers to modify data or obtain sensitive information via a crafted URL.

2011-09-02 | CVE-2011-2763 | Lifesize | Improper Input Validation vulnerability in Lifesize Room Appliance Software 4.7.18/Lsrm13.5.3 | 7.5
    The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php.

2011-08-29 | CVE-2011-0228 | Apple | Improper Input Validation vulnerability in Apple Iphone OS | 7.5
    The Data Security component in Apple iOS before 4.2.10 and 4.3.x before 4.3.5 does not check the basicConstraints parameter during validation of X.509 certificate chains, which allows man-in-the-middle attackers to spoof an SSL server by using a non-CA certificate to sign a certificate for an arbitrary domain.

2011-08-29 | CVE-2011-2930 | Rubyonrails | SQL Injection vulnerability in Rubyonrails Rails and Ruby ON Rails | 7.5
    Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.

2011-08-29 | CVE-2011-2561 | Cisco | Resource Management Errors vulnerability in Cisco Unified Communications Manager | 7.1
    The SIP process in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 7.x before 7.1(5b)su4 and 8.x before 8.0(1) does not properly handle SDP data within a SIP call in certain situations related to use of the g729ar8 codec for a Media Termination Point (MTP), which allows remote attackers to cause a denial of service (service outage) via a crafted call, aka Bug ID CSCtc61990.

20 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-09-02 | CVE-2011-2903 | Rhythm | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Rhythm Tcptrack | 6.8
    Heap-based buffer overflow in tcptrack before 1.4.2 might allow attackers to execute arbitrary code via a long command line argument.

2011-09-02 | CVE-2011-1411 | Shibboleth | Improper Authentication vulnerability in Shibboleth Opensaml and Shibboleth-Identity-Provider | 5.8
    Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."

2011-08-31 | CVE-2011-2899 | Redhat | Improper Input Validation vulnerability in Redhat System-Config-Printer | 5.1
    pysmb.py in system-config-printer 0.6.x and 0.7.x, as used in foomatic-gui and possibly other products, allows remote SMB servers to execute arbitrary commands via shell metacharacters in the (1) NetBIOS or (2) workgroup name, which are not properly handled when searching for network printers.

2011-09-02 | CVE-2011-2762 | Lifesize | Improper Authentication vulnerability in Lifesize Room Appliance Software Lsrm13.5.3 | 5.0
    The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) allows remote attackers to bypass authentication via unspecified data associated with a "true" authentication status, related to AMF data and the LSRoom_Remoting.authenticate function in gateway.php.

2011-08-31 | CVE-2011-2524 | Gnome | Path Traversal vulnerability in Gnome Libsoup | 5.0
    Directory traversal vulnerability in soup-uri.c in SoupServer in libsoup before 2.35.4 allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in a URI.

2011-08-29 | CVE-2011-2929 | Rubyonrails | Improper Input Validation vulnerability in Rubyonrails Rails and Ruby ON Rails | 5.0
    The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."

2011-09-02 | CVE-2011-3385 | Lepton CMS, Websitebaker2 | Cross-Site Scripting vulnerability in multiple products | 4.3
    Cross-site scripting (XSS) vulnerability in WebsiteBaker before 2.8, as used in LEPTON and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unknown vectors, a different vulnerability than CVE-2006-2307.

2011-09-02 | CVE-2009-5086 | Juniper | Cross-Site Scripting vulnerability in Juniper IDP | 4.3
    Cross-site scripting (XSS) vulnerability in Appliance Configuration Manager (ACM) in Juniper IDP 4.1 before 4.1r3 and 4.2 before 4.2r1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011-09-02 | CVE-2011-3133 | Tibco | Unspecified vulnerability in Tibco Spotfire Analytics Server and Spotfire Server | 4.3
    Session fixation vulnerability in TIBCO Spotfire Server 3.0.x before 3.0.2, 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.1, and Spotfire Analytics Server before 10.1.1, allows remote attackers to hijack web sessions via unspecified vectors.

2011-09-02 | CVE-2011-3132 | Tibco | Cross-Site Scripting vulnerability in Tibco Spotfire Analytics Server and Spotfire Server | 4.3
    Cross-site scripting (XSS) vulnerability in TIBCO Spotfire Server 3.0.x before 3.0.2, 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.1, and Spotfire Analytics Server before 10.1.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011-08-29 | CVE-2011-3187 | Rubyonrails | Improper Input Validation vulnerability in Rubyonrails Rails 3.0.5 | 4.3
    The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.

2011-08-29 | CVE-2011-3186 | Rubyonrails | Code Injection vulnerability in Rubyonrails Rails | 4.3
    CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.

2011-08-29 | CVE-2011-2932 | Rubyonrails | Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails | 4.3
    Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."

2011-08-29 | CVE-2011-2931 | Rubyonrails | Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails | 4.3
    Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.

2011-08-29 | CVE-2011-3184 | Pidgin | Resource Management Errors vulnerability in Pidgin | 4.3
    The msn_httpconn_parse_data function in httpconn.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.0 does not properly handle HTTP 100 responses, which allows remote attackers to cause a denial of service (incorrect memory access and application crash) via vectors involving a crafted server message.

2011-08-29 | CVE-2011-3181 | Phpmyadmin | Cross-Site Scripting vulnerability in PHPmyadmin | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in the Tracking feature in phpMyAdmin 3.3.x before 3.3.10.4 and 3.4.x before 3.4.4 allow remote attackers to inject arbitrary web script or HTML via a (1) table name, (2) column name, or (3) index name.

2011-08-29 | CVE-2011-2943 | Pidgin | Denial of Service and Security Bypass vulnerability in Pidgin Libpurple and Pidgin | 4.3
    The irc_msg_who function in msgs.c in the IRC protocol plugin in libpurple 2.8.0 through 2.9.0 in Pidgin before 2.10.0 does not properly validate characters in nicknames, which allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted nickname that is not properly handled in a WHO response.

2011-09-02 | CVE-2011-3387 | IBM | Improper Input Validation vulnerability in IBM Java 1.4.2.13.9 | 4.0
    The class file parser in IBM Java 1.4.2 SR13 FP9 allows remote authenticated users to cause a denial of service (memory consumption or an infinite loop) via a crafted attribute length field in a class file, related to validation of a length field at the wrong time, a different vulnerability than CVE-2011-0311.

2011-09-02 | CVE-2011-3386 | Medtronic | Unspecified vulnerability in Medtronic Paradigm Wireless Insulin Pump | 4.0
    Unspecified vulnerability in Medtronic Paradigm wireless insulin pump 512, 522, 712, and 722 allows remote attackers to modify the delivery of an insulin bolus dose and cause a denial of service (adverse human health effects) via unspecified vectors involving wireless communications and knowledge of the device's serial number, as demonstrated by Jerome Radcliffe at the Black Hat USA conference in August 2011.

2011-08-29 | CVE-2011-2746 | Otrs | Local File Disclosure vulnerability in OTRS 'AdminPackageManager.pm' | 4.0
    Unspecified vulnerability in Kernel/Modules/AdminPackageManager.pm in OTRS-Core in Open Ticket Request System (OTRS) 2.x before 2.4.11 and 3.x before 3.0.10 allows remote authenticated administrators to read arbitrary files via unknown vectors.

3 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-09-02 | CVE-2011-0311 | IBM | Buffer Errors vulnerability in IBM Java and Runtimes for Java Technology | 3.5
    The class file parser in IBM Java before 1.4.2 SR13 FP9, as used in IBM Runtimes for Java Technology 5.0.0 before SR13 and 6.0.0 before SR10, allows remote authenticated users to cause a denial of service (JVM segmentation fault, and possibly memory consumption or an infinite loop) via a crafted attribute length field in a class file, which triggers a buffer over-read.

2011-08-29 | CVE-2011-2712 | Apache | Cross-Site Scripting vulnerability in Apache Wicket | 2.6
    Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.18, when setAutomaticMultiWindowSupport is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

2011-09-02 | CVE-2011-2176 | Gnome | Improper Authentication vulnerability in Gnome Networkmanager | 2.1
    GNOME NetworkManager before 0.8.6 does not properly enforce the auth_admin element in PolicyKit, which allows local users to bypass intended wireless network sharing restrictions via unspecified vectors.