Weekly Vulnerabilities Reports > October 17 to 23, 2011
Overview
118 new vulnerabilities were reported during this period, including 16 critical vulnerabilities and 22 high severity vulnerabilities. This weekly summary reports vulnerabilities in 73 products from 23 vendors including Oracle, SUN, Cisco, HP, and Djangoproject. Vulnerabilities are notably categorized as "Improper Input Validation", "Cross-site Scripting", "SQL Injection", "Permissions, Privileges, and Access Controls", and "Information Exposure".
- 101 reported vulnerabilities are remotely exploitable.
- 6 reported vulnerabilities have a public exploit available.
- 11 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 84 reported vulnerabilities are exploitable by an anonymous user.
- Oracle has the most reported vulnerabilities, with 61 reported vulnerabilities.
- HP has the most reported critical vulnerabilities, with 7 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:
16 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS
---|---|---|---|---
2011-10-19 | CVE-2011-3554 | SUN | Remote Java Runtime Environment vulnerability in SUN JDK and JRE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors. | 10.0
2011-10-19 | CVE-2011-3549 | SUN | Remote Java Runtime Environment vulnerability in SUN JDK and JRE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Swing. | 10.0
2011-10-19 | CVE-2011-3548 | SUN | Remote Java Runtime Environment vulnerability in SUN JDK and JRE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT. | 10.0
2011-10-19 | CVE-2011-3545 | Oracle SUN | Remote Java Runtime Environment vulnerability in Oracle Java SE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. | 10.0
2011-10-19 | CVE-2011-3521 | SUN | Remote Java Runtime Environment vulnerability in SUN JDK and JRE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization. | 10.0
2011-10-19 | CVE-2011-3162 | HP | Unspecified vulnerability in HP products: Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 and Data Protector for Personal Computers 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1296. | 10.0
2011-10-19 | CVE-2011-3161 | HP | Unspecified vulnerability in HP products: Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 and Data Protector for Personal Computers 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1229. | 10.0
2011-10-19 | CVE-2011-3160 | HP | Unspecified vulnerability in HP products: Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 and Data Protector for Personal Computers 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1228. | 10.0
2011-10-19 | CVE-2011-3159 | HP | Unspecified vulnerability in HP products: Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 and Data Protector for Personal Computers 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1227. | 10.0
2011-10-19 | CVE-2011-3158 | HP | Unspecified vulnerability in HP products: Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 and Data Protector for Personal Computers 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1226. | 10.0
2011-10-19 | CVE-2011-3157 | HP | Unspecified vulnerability in HP products: Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 and Data Protector for Personal Computers 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1225. | 10.0
2011-10-19 | CVE-2011-3156 | HP | Unspecified vulnerability in HP products: Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 and Data Protector for Personal Computers 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1222. | 10.0
2011-10-19 | CVE-2011-3544 | Oracle Canonical Redhat Suse | Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting. | 9.8
2011-10-19 | CVE-2011-3551 | SUN Oracle | Remote Java Runtime Environment vulnerability in Oracle Java SE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. | 9.3
2011-10-18 | CVE-2011-3508 | SUN | Remote vulnerability in Oracle Sun Solaris: Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express allows remote attackers to affect confidentiality, integrity, and availability, related to LDAP library. | 9.3
2011-10-20 | CVE-2011-3310 | Cisco Microsoft | Code Injection vulnerability in multiple products: The Home Page component in Cisco CiscoWorks Common Services before 4.1 on Windows, as used in CiscoWorks LAN Management Solution, Cisco Security Manager, Cisco Unified Service Monitor, Cisco Unified Operations Manager, CiscoWorks QoS Policy Manager, and CiscoWorks Voice Manager, allows remote authenticated users to execute arbitrary commands via a crafted URL, aka Bug IDs CSCtq48990, CSCtq63992, CSCtq64011, CSCtq64019, CSCtr23090, and CSCtt25535. | 9.0
22 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS
---|---|---|---|---
2011-10-18 | CVE-2011-2301 | Oracle | Unspecified vulnerability in Oracle Database Server: Unspecified vulnerability in the Oracle Text component in Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect confidentiality, integrity, and availability, related to CTXSYS.DRVDISP. | 8.5
2011-10-22 | CVE-2011-2058 | Cisco | Improper Input Validation vulnerability in Cisco IOS: The cat6000-dot1x component in Cisco IOS 12.2 before 12.2(33)SXI7 does not properly handle an external loop between a pair of dot1x enabled ports, which allows remote attackers to cause a denial of service (traffic storm) via unspecified vectors that trigger many unicast EAPoL Protocol Data Units (PDUs), aka Bug ID CSCtq36336. | 7.8
2011-10-22 | CVE-2011-1640 | Cisco | Resource Exhaustion vulnerability in Cisco IOS: The ethernet-lldp component in Cisco IOS 12.2 before 12.2(33)SXJ1 does not properly support a large number of LLDP Management Address (MA) TLVs, which allows remote attackers to cause a denial of service (device crash) via crafted LLDPDUs, aka Bug ID CSCtj22354. | 7.8
2011-10-20 | CVE-2011-4151 | MIT | Improper Input Validation vulnerability in MIT Kerberos 5: The krb5_db2_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4, when the db2 (aka Berkeley DB) back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, a different vulnerability than CVE-2011-1528. | 7.8
2011-10-20 | CVE-2011-1529 | MIT | Improper Input Validation vulnerability in MIT Kerberos 5: The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors. | 7.8
2011-10-20 | CVE-2011-1528 | MIT | Improper Input Validation vulnerability in MIT Kerberos 5: The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function. | 7.8
2011-10-20 | CVE-2011-1527 | MIT | Improper Input Validation vulnerability in MIT Kerberos 5 1.9/1.9.1: The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a kinit operation with incorrect string case for the realm, related to the is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_principal, and process_as_req functions. | 7.8
2011-10-18 | CVE-2011-3559 | Oracle | Remote vulnerability in Oracle products: Unspecified vulnerability in Oracle Communications Server 2.0; GlassFish Enterprise Server 2.1.1, 3.0.1, and 3.1.1; and Sun Java System App Server 8.1 and 8.2 allows remote attackers to affect availability via unknown vectors related to Web Container. | 7.8
2011-10-18 | CVE-2011-3543 | SUN | Remote vulnerability in SUN Sunos 5.11: Unspecified vulnerability in Oracle Solaris 11 Express allows remote attackers to affect availability, related to iSCSI DataMover (IDM). | 7.8
2011-10-18 | CVE-2011-3537 | Oracle | Local vulnerability in Oracle Sun Product Suite: Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express allows local users to affect availability via unknown vectors related to Kernel/Filesystem. | 7.8
2011-10-18 | CVE-2011-3517 | Oracle | Unspecified vulnerability in Oracle SUN products Suite 8.0: Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 8.0 allows remote attackers to affect availability via unknown vectors related to Authentication. | 7.8
2011-10-19 | CVE-2011-3550 | SUN | Remote Java Runtime Environment vulnerability in SUN JDK and JRE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT. | 7.6
2011-10-19 | CVE-2011-3516 | SUN Microsoft | Remote Java Runtime Environment vulnerability in SUN JDK and JRE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 6 Update 27 and earlier, when running on Windows, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. | 7.6
2011-10-21 | CVE-2011-4026 | XIA Zuojie | SQL Injection vulnerability in XIA Zuojie Nexusphp 1.5: SQL injection vulnerability in thanks.php in NexusPHP 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5
2011-10-21 | CVE-2011-3988 | Lockon | SQL Injection vulnerability in Lockon Ec-Cube 2.11.0/2.11.1/2.11.2: SQL injection vulnerability in data/class/SC_Query.php in EC-CUBE 2.11.0 through 2.11.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5
2011-10-21 | CVE-2011-3340 | Atcom | SQL Injection vulnerability in Atcom Netvolution 2.5.6: SQL injection vulnerability in ATCOM Netvolution 2.5.8 ASP allows remote attackers to execute arbitrary SQL commands via the Referer HTTP header. | 7.5
2011-10-21 | CVE-2010-4967 | Atcom | SQL Injection vulnerability in Atcom Netvolution 2.5.6: SQL injection vulnerability in default.asp in ATCOM Netvolution 2.5.6 allows remote attackers to execute arbitrary SQL commands via the artID parameter. | 7.5
2011-10-21 | CVE-2009-5102 | Atcom | SQL Injection vulnerability in Atcom Netvolution 1.0: SQL injection vulnerability in default.asp in ATCOM Netvolution 1.0 ASP allows remote attackers to execute arbitrary SQL commands via the bpe_nid parameter. | 7.5
2011-10-20 | CVE-2011-2584 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco Show and Share 5.2(1)/5(2): Cisco Show and Share 5(2), 5.2(1), and 5.2(2) before 5.2(2.1) allows remote attackers to access the (1) Encoders and Pull Configurations, (2) Push Configurations, (3) Video Encoding Formats, and (4) Transcoding administration pages, and cause a denial of service (live event outage) or obtain potentially sensitive information, via unspecified vectors, aka Bug ID CSCto73758. | 7.5
2011-10-19 | CVE-2011-3556 | SUN Oracle | Remote Java Runtime Environment vulnerability in Oracle Java SE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI, a different vulnerability than CVE-2011-3557. | 7.5
2011-10-18 | CVE-2011-2310 | Oracle | Remote vulnerability in Oracle Waveset: Unspecified vulnerability in the Oracle Waveset component in Oracle Sun Products Suite 8.1.0 and 8.1.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to User Administration. | 7.5
2011-10-18 | CVE-2011-4062 | Freebsd | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Freebsd: Buffer overflow in the kernel in FreeBSD 7.3 through 9.0-RC1 allows local users to cause a denial of service (panic) or possibly gain privileges via a bind system call with a long pathname for a UNIX socket. | 7.2
57 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS
---|---|---|---|---
2011-10-18 | CVE-2011-4061 | IBM | Unspecified vulnerability in IBM DB2 and Tivoli Monitoring FOR Databases: Multiple untrusted search path vulnerabilities in (1) db2rspgn and (2) kbbacf1 in IBM DB2 Express Edition 9.7, as used in the IBM Tivoli Monitoring for Databases: DB2 Agent, allow local users to gain privileges via a Trojan horse libkbb.so in the current working directory, related to the DT_RPATH ELF header. | 6.9
2011-10-21 | CVE-2011-4063 | Asterisk | Improper Input Validation vulnerability in Asterisk Open Source 1.8.7/10.0.0: chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.7.1 and 10.x before 10.0.0-rc1 does not properly initialize variables during request parsing, which allows remote authenticated users to cause a denial of service (daemon crash) via a malformed request. | 6.8
2011-10-19 | CVE-2011-3557 | SUN Oracle | Remote Java Runtime Environment vulnerability in Oracle Java SE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI, a different vulnerability than CVE-2011-3556. | 6.8
2011-10-19 | CVE-2011-4140 | Djangoproject | Cross-Site Request Forgery (CSRF) vulnerability in Djangoproject Django: The CSRF protection mechanism in Django through 1.2.7 and 1.3.x through 1.3.1 does not properly handle web-server configurations supporting arbitrary HTTP Host headers, which allows remote attackers to trigger unauthenticated forged requests via vectors involving a DNS CNAME record and a web page containing JavaScript code. | 6.8
2011-10-18 | CVE-2011-3538 | Oracle | Remote Security vulnerability in Oracle Virtualization 4.0: Unspecified vulnerability in the Sun Ray component in Oracle Virtualization 4.0 allows remote attackers to affect integrity, related to Authentication. | 6.8
2011-10-18 | CVE-2011-2255 | Oracle | Remote Oracle WebLogic Portal vulnerability in Oracle Fusion Middleware: Unspecified vulnerability in the Oracle WebLogic Portal component in Oracle Fusion Middleware 9.2.3.0, 10.0.1.0, 10.2.1.0, and 10.3.2.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 6.8
2011-10-21 | CVE-2011-0290 | RIM Lotus Microsoft | Permissions, Privileges, and Access Controls vulnerability in RIM Blackberry Enterprise Server 5.0.3: The BlackBerry Collaboration Service in Research In Motion (RIM) BlackBerry Enterprise Server (BES) 5.0.3 through MR4 for Microsoft Exchange and Lotus Domino allows remote authenticated users to log into arbitrary user accounts associated with the same organization, and send messages, read messages, read contact lists, or cause a denial of service (login unavailability), via unspecified vectors. | 6.5
2011-10-20 | CVE-2011-2585 | Cisco | Code Injection vulnerability in Cisco Show and Share 5.2(1)/5(2): Cisco Show and Share 5(2), 5.2(1), and 5.2(2) before 5.2(2.1) allows remote authenticated users to upload and execute arbitrary code by leveraging video upload privileges, aka Bug ID CSCto69857. | 6.5
2011-10-18 | CVE-2011-3525 | Oracle | Remote Application Express vulnerability in Oracle Database: Unspecified vulnerability in the Application Express component in Oracle Database Server 3.2 and 4.0 allows remote authenticated users to affect confidentiality, integrity, and availability, related to APEX developer user. | 6.5
2011-10-18 | CVE-2011-3512 | Oracle | SQL Injection vulnerability in Oracle Database: Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, and 11.2.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 6.5
2011-10-19 | CVE-2011-3560 | SUN | Remote Java Runtime Environment vulnerability in SUN JDK and JRE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE. | 6.4
2011-10-19 | CVE-2011-3555 | SUN | Remote Java Runtime Environment vulnerability in SUN JDK and JRE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, and 7 allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity and availability via unknown vectors. | 6.1
2011-10-19 | CVE-2011-3546 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JavaFX 2.0 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity via unknown vectors related to Deployment. | 5.8
2011-10-19 | CVE-2011-4136 | Djangoproject | Improper Input Validation vulnerability in Djangoproject Django: django.contrib.sessions in Django before 1.2.7 and 1.3.x before 1.3.1, when session data is stored in the cache, uses the root namespace for both session identifiers and application-data keys, which allows remote attackers to modify a session by triggering use of a key that is equal to that session's identifier. | 5.8
2011-10-18 | CVE-2011-3515 | SUN | Local vulnerability in Oracle Sun Solaris: Unspecified vulnerability in the Oracle Solaris 10 and 11 Express allows local users to affect integrity and availability via unknown vectors related to Process File System (procfs). | 5.6
2011-10-21 | CVE-2011-2677 | Cybozu | Permissions, Privileges, and Access Controls vulnerability in Cybozu Office 6: Cybozu Office before 8.0.0 allows remote authenticated users to bypass intended access restrictions and access sensitive information (time card and attendance) via unspecified vectors related to manipulation of a URL. | 5.5
2011-10-18 | CVE-2011-3533 | Oracle | Remote PeopleSoft Enterprise HRMS vulnerability in Oracle Peoplesoft Enterprise Hrms and Peoplesoft products: Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 8.9 allows remote authenticated users to affect confidentiality and integrity, related to Job Profile Manager (JPM). | 5.5
2011-10-18 | CVE-2011-3528 | Oracle | Remote PeopleSoft Enterprise HRMS vulnerability in Oracle Peoplesoft products 8.9: Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 8.9 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to eProfile. | 5.5
2011-10-18 | CVE-2011-3527 | Oracle | Remote PeopleSoft Enterprise HRMS vulnerability in Oracle Peoplesoft Enterprise Hrms and Peoplesoft products: Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Candidate Gateway. | 5.5
2011-10-18 | CVE-2011-3518 | Oracle | Remote vulnerability in Oracle Siebel CRM 8.0.0: Unspecified vulnerability in the Siebel Core - UIF Client component in Oracle Siebel CRM 8.0.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to User Interface. | 5.5
2011-10-18 | CVE-2011-2315 | Oracle | Remote PeopleSoft Enterprise PeopleTools vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.49/8.50/8.51: Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.49, 8.50, and 8.51 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Security. | 5.5
2011-10-18 | CVE-2011-2306 | Oracle | Oracle Validation Security vulnerability in Oracle Linux 4/5: Unspecified vulnerability in Oracle Linux 4 and 5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to "Oracle validated." | 5.5
2011-10-22 | CVE-2011-2059 | Cisco | Information Exposure vulnerability in Cisco IOS: The ipv6 component in Cisco IOS before 15.1(4)M1.3 allows remote attackers to conduct fingerprinting attacks and obtain potentially sensitive information about the presence of the IOS operating system via an ICMPv6 Echo Request packet containing a Hop-by-Hop (HBH) extension header (EH) with a 0x0c01050c value in the PadN option data, aka Bug ID CSCtq02219. | 5.0
2011-10-22 | CVE-2011-2057 | Cisco | Improper Input Validation vulnerability in Cisco IOS: The cat6000-dot1x component in Cisco IOS 12.2 before 12.2(33)SXI7 does not properly handle (1) a loop between a dot1x enabled port and an open-authentication dot1x enabled port and (2) a loop between a dot1x enabled port and a non-dot1x port, which allows remote attackers to cause a denial of service (traffic storm) via unspecified vectors that trigger many Spanning Tree Protocol (STP) Bridge Protocol Data Unit (BPDU) frames, aka Bug ID CSCtq36327. | 5.0
2011-10-22 | CVE-2011-2042 | Cisco | Information Exposure vulnerability in Cisco Ciscoworks Common Services: The Sybase SQL Anywhere database component in Cisco CiscoWorks Common Services 3.x and 4.x before 4.1 allows remote attackers to obtain potentially sensitive information about the engine name and database port via an unspecified request to UDP port 2638, aka Bug ID CSCsk35018. | 5.0
2011-10-19 | CVE-2011-3558 | SUN | Remote Java Runtime Environment vulnerability in SUN JDK and JRE: Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot. | 5.0
2011-10-19 | CVE-2011-3547 | SUN Oracle | Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking. | 5.0
2011-10-19 | CVE-2011-4139 | Djangoproject | Improper Input Validation vulnerability in Djangoproject Django: Django before 1.2.7 and 1.3.x before 1.3.1 uses a request's HTTP Host header to construct a full URL in certain circumstances, which allows remote attackers to conduct cache poisoning attacks via a crafted request. | 5.0
2011-10-19 | CVE-2011-4138 | Djangoproject | Improper Input Validation vulnerability in Djangoproject Django: The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 originally tests a URL's validity through a HEAD request, but then uses a GET request for the new target URL in the case of a redirect, which might allow remote attackers to trigger arbitrary GET requests with an unintended source IP address via a crafted Location header. | 5.0
2011-10-19 | CVE-2011-4137 | Djangoproject | Resource Management Errors vulnerability in Djangoproject Django: The verify_exists functionality in the URLField implementation in Django before 1.2.7 and 1.3.x before 1.3.1 relies on Python libraries that attempt access to an arbitrary URL with no timeout, which allows remote attackers to cause a denial of service (resource consumption) via a URL associated with (1) a slow response, (2) a completed TCP connection with no application data sent, or (3) a large amount of application data, a related issue to CVE-2011-1521. | 5.0
2011-10-18 | CVE-2011-3535 | Oracle | Remote vulnerability in Oracle Sun Solaris: Unspecified vulnerability in the Solaris component in Oracle Sun Products Suite 8, 9, 10, and 11 Express allows remote attackers to affect availability via unknown vectors related to Remote Quota Server (rquotad). | 5.0
2011-10-18 | CVE-2011-3534 | Oracle | Remote vulnerability in Oracle Sun Solaris: Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 Express allows remote attackers to affect availability via unknown vectors related to Network Status Monitor (statd). | 5.0
2011-10-18 | CVE-2011-3532 | Oracle | Remote Oracle Agile Product Supplier Collaboration in Oracle Supply Chain Products Suite: Unspecified vulnerability in the Oracle Agile Product Supplier Collaboration for Process component in Oracle Supply Chain Products Suite 5.2.2, 6.0.0.2, 6.0.0.3, and 6.0.0.4 allows remote attackers to affect confidentiality via unknown vectors related to Supplier Portal. | 5.0
2011-10-18 | CVE-2011-2320 | Oracle | Remote WebLogic Server vulnerability in Oracle Fusion Middleware: Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 9.2.4.0, 10.0.2.0, 10.3.3.0, 10.3.4.0, and 10.3.5.0 allows remote attackers to affect confidentiality via unknown vectors related to Web Services. | 5.0
2011-10-18 | CVE-2011-3542 | SUN | Local vulnerability in Oracle Sun Solaris: Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows local users to affect availability via unknown vectors related to Kernel/Performance Counter BackEnd Module (pcbe). | 4.9
2011-10-18 | CVE-2011-3510 | Oracle | Remote Oracle Business Intelligence Enterprise Edition vulnerability in Oracle Fusion Middleware 11.1.1.3.0/11.1.1.5.0: Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.3.0 and 11.1.1.5.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to BI Platform Security. | 4.9
2011-10-23 | CVE-2011-4170 | Gnome | Cross-Site Scripting vulnerability in Gnome Empathy: Cross-site scripting (XSS) vulnerability in the theme_adium_append_message function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in Empathy 3.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted alias (aka nickname) in a /me event, a different vulnerability than CVE-2011-3635. | 4.3
2011-10-23 | CVE-2011-3635 | Gnome | Cross-Site Scripting vulnerability in Gnome Empathy: Cross-site scripting (XSS) vulnerability in the theme_adium_append_message function in empathy-theme-adium.c in the Adium theme in libempathy-gtk in Empathy 3.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted alias (aka nickname). | 4.3
2011-10-21 | CVE-2011-4024 | Ocsinventory NG | Cross-Site Scripting vulnerability in Ocsinventory-Ng OCS Inventory NG: Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3
2011-10-21 | CVE-2011-2713 | Libreoffice SUN | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products: oowriter in OpenOffice.org 3.3.0 and LibreOffice before 3.4.3 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted DOC file that triggers an out-of-bounds read in the DOC sprm parser. | 4.3
2011-10-21 | CVE-2010-4966 | Atcom | Cross-Site Scripting vulnerability in Atcom Netvolution: Cross-site scripting (XSS) vulnerability in default.asp in ATCOM Netvolution allows remote attackers to inject arbitrary web script or HTML via the query parameter in a Search action. | 4.3
2011-10-21 | CVE-2009-5103 | Atcom | Cross-Site Scripting vulnerability in Atcom Netvolution 1.0: Cross-site scripting (XSS) vulnerability in ATCOM Netvolution 1.0 ASP allows remote attackers to inject arbitrary web script or HTML via the email variable. | 4.3
2011-10-19 | CVE-2011-3294 | Cisco | Cross-Site Scripting vulnerability in Cisco products: Cross-site scripting (XSS) vulnerability in the login page in the administrative interface on Cisco TelePresence Video Communication Servers (VCS) with software before X7.0 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header, aka Bug ID CSCts80342. | 4.3
2011-10-18 | CVE-2011-2323 | Oracle | Unspecified vulnerability in Oracle Industry Applications 4.6.1/4.6.2: Unspecified vulnerability in the Health Sciences - Oracle Thesaurus Management System component in Oracle Industry Applications 4.6.1 and 4.6.2 allows remote attackers to affect integrity, related to TMS Help. | 4.3
2011-10-18 | CVE-2011-3513 | Oracle | Oracle Application Object Library Remote vulnerability in Oracle E-Business Suite: Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.2, and 12.1.3 allows remote attackers to affect integrity, related to HTML Pages. | 4.3
2011-10-18 | CVE-2011-3506 | Oracle | Unspecified vulnerability in Oracle SUN products Suite 7.1/8.0: Unspecified vulnerability in the Oracle OpenSSO component in Oracle Sun Products Suite 7.1 and 8.0 allows remote attackers to affect integrity via unknown vectors related to Authentication. | 4.3
2011-10-18 | CVE-2011-2319 | Oracle | Remote Oracle WebLogic Server vulnerability in Oracle Fusion Middleware: Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 9.2.4.0, 10.0.2.0, 10.3.3.0, 10.3.4.0, and 10.3.5.0 allows remote attackers to affect confidentiality, related to JMS. | 4.3
2011-10-18 | CVE-2011-2316 | Oracle | Siebel Apps - Marketing Remote vulnerability in Oracle Siebel CRM 8.0.0: Unspecified vulnerability in the Siebel Apps - Marketing component in Oracle Siebel CRM 8.0.0 allows remote attackers to affect integrity via unknown vectors related to Email Marketing. | 4.3
2011-10-18 | CVE-2011-2314 | Oracle | Oracle Containers for J2EE Remote vulnerability in Oracle Fusion Middleware 10.1.2.3: Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors related to JavaServer Pages. | 4.3
2011-10-18 | CVE-2011-2313 | Oracle SUN | Local Solaris vulnerability in Oracle Solaris: Unspecified vulnerability in Oracle Solaris 10 allows local users to affect availability, related to ZFS, a different vulnerability than CVE-2011-2311. | 4.3
2011-10-18 | CVE-2011-2309 | Oracle | Remote Health Sciences - Oracle Clinical: Unspecified vulnerability in the Health Sciences - Oracle Clinical, Remote Data Capture component in Oracle Industry Applications 4.6 and 4.6.2 allows remote attackers to affect integrity, related to RDC Help. | 4.3
2011-10-18 | CVE-2011-2308 | Oracle | Oracle Application Object Library Remote vulnerability in Oracle E-Business Suite 12.0.6/12.1.2/12.1.3: Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Online Help. | 4.3
2011-10-18 | CVE-2011-2304 | Oracle | Remote vulnerability in Oracle Solaris 10: Unspecified vulnerability in Oracle Solaris 10 allows remote attackers to affect confidentiality, related to Network Services Library (libnsl). | 4.3
2011-10-18 | CVE-2011-2302 | Oracle | Remote Oracle Application Object Library vulnerability in Oracle E-Business Suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Single Sign On. | 4.3 |
2011-10-18 | CVE-2011-3530 | Oracle | PeopleSoft Enterprise HRMS Remote vulnerability in Oracle PeopleSoft products 8.9 Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 8.9 allows remote authenticated users to affect confidentiality via unknown vectors related to eDevelopment. | 4.0 |
2011-10-18 | CVE-2011-3529 | Oracle | Remote PeopleSoft Enterprise HRMS vulnerability in Oracle PeopleSoft Enterprise HRMS and PeopleSoft products Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.0 and 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Talent Acquisition Manager. | 4.0 |
2011-10-18 | CVE-2011-3526 | Oracle | Remote Siebel Core - UIF Server vulnerability in Oracle Siebel CRM 8.0.0/8.1.1 Unspecified vulnerability in the Siebel Core - UIF Server component in Oracle Siebel CRM 8.0.0 and 8.1.1 allows remote authenticated users to affect confidentiality via unknown vectors related to User Interface. | 4.0 |
23 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2011-10-18 | CVE-2011-3511 | Oracle | Unspecified vulnerability in Oracle Database Server Unspecified vulnerability in the Database Vault component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, and 11.2.0.2 allows remote authenticated users to affect integrity and availability via unknown vectors related to Privileged Account. | 3.6 |
2011-10-18 | CVE-2011-2322 | Oracle | Remote Database Vault vulnerability in Oracle Database Server 11.1.0.7 Unspecified vulnerability in the Database Vault component in Oracle Database Server 11.1.0.7 allows remote authenticated users to affect integrity and availability, related to SYSDBA. | 3.6 |
2011-10-19 | CVE-2011-3553 | SUN Oracle | Remote Java Runtime Environment vulnerability in Oracle Java SE Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote authenticated users to affect confidentiality, related to JAXWS. | 3.5 |
2011-10-18 | CVE-2011-3523 | Oracle | Remote Oracle Web Services Manager vulnerability in Oracle Fusion Middleware 10.1.3.5.0/10.1.3.5.1 Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 10.1.3.5.0 and 10.1.3.5.1 allows remote authenticated users to affect integrity, related to WSM Console, a different vulnerability than CVE-2011-2237. | 3.5 |
2011-10-18 | CVE-2011-3519 | Oracle | Remote Oracle Applications Framework vulnerability in Oracle E-Business Suite 12.1.2/12.1.3 Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.2 and 12.1.3 allows remote authenticated users to affect confidentiality, related to REST Services. | 3.5 |
2011-10-18 | CVE-2011-3507 | Oracle | Remote Oracle Communications Unified vulnerability in Oracle SUN products Suite 7.0 Unspecified vulnerability in the Oracle Communications Unified component in Oracle Sun Products Suite 7.0 allows remote authenticated users to affect integrity via unknown vectors related to Messaging Server. | 3.5 |
2011-10-18 | CVE-2011-2303 | Oracle | Remote Oracle Application Object Library vulnerability in Oracle E-Business Suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.2, and 12.1.3 allows remote authenticated users to affect integrity via unknown vectors related to Attachments / File Upload. | 3.5 |
2011-10-18 | CVE-2011-2237 | Oracle | Remote Oracle Web Services Manager vulnerability in Oracle Fusion Middleware 10.1.3.5/10.1.3.5.1 Unspecified vulnerability in the Oracle Web Services Manager component in Oracle Fusion Middleware 10.1.3.5.0 and 10.1.3.5.1 allows remote authenticated users to affect integrity, related to WSM Console, a different vulnerability than CVE-2011-3523. | 3.5 |
2011-10-18 | CVE-2011-4060 | QNX | Link Following vulnerability in QNX Neutrino RTOS 6.5.0 The runtime linker in QNX Neutrino RTOS 6.5.0 before Service Pack 1 does not properly clear the LD_DEBUG_OUTPUT and LD_DEBUG environment variables when a program is spawned from a setuid program, which allows local users to overwrite files via a symlink attack. | 3.3 |
2011-10-18 | CVE-2011-3520 | Oracle | PeopleSoft Enterprise PeopleTools Remote vulnerability in Oracle products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.49, 8.50, and 8.51 allows remote authenticated users to affect integrity via unknown vectors related to Personalization. | 2.8 |
2011-10-19 | CVE-2011-3552 | SUN | Remote Java Runtime Environment vulnerability in SUN JDK and JRE Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote attackers to affect integrity via unknown vectors related to Networking. | 2.6 |
2011-10-18 | CVE-2011-2292 | Oracle | Local Solaris vulnerability in Oracle Solaris 11 Express/9 Unspecified vulnerability in Oracle Solaris 9 and 11 Express allows local users to affect confidentiality and integrity via unknown vectors related to xscreensaver. | 2.4 |
2011-10-18 | CVE-2011-3536 | Oracle | Local vulnerability in Oracle Solaris 10 Unspecified vulnerability in Oracle Solaris 10 allows local users to affect availability, related to DTrace Software Library (libdtrace). | 2.1 |
2011-10-18 | CVE-2011-3522 | Oracle | Local SPARC T3 Unspecified vulnerability in SysFW 8.0 on certain SPARC T3, Netra SPARC T3, Sun Fire, and Sun Blade based servers allows local users to affect confidentiality, related to Integrated Lights Out Manager CLI. | 2.1 |
2011-10-18 | CVE-2011-2327 | Oracle | Local Oracle Communications Unified vulnerability in Oracle SUN products Suite 7.0 Unspecified vulnerability in the Oracle Communications Unified component in Oracle Sun Products Suite 7.0 allows local users to affect confidentiality via unknown vectors related to Delegated Administrator. | 2.1 |
2011-10-18 | CVE-2011-2286 | Oracle | Remote vulnerability in Oracle Sun Products Suite Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows remote authenticated users to affect availability, related to ZFS. | 2.1 |
2011-10-18 | CVE-2011-3541 | Oracle | Oracle Outside In Technology Local vulnerability in Oracle Fusion Middleware 8.3.5/8.3.7 Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows local users to affect availability via unknown vectors related to Outside In Filters. | 1.9 |
2011-10-19 | CVE-2011-3561 | Oracle SUN | Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JavaFX 2.0 allows remote attackers to affect confidentiality via unknown vectors related to Deployment. | 1.8 |
2011-10-18 | CVE-2011-3539 | Oracle | Local Solaris vulnerability in Oracle Solaris Unspecified vulnerability in Oracle Solaris 10 and 11 Express allows local users to affect availability via unknown vectors related to Zones. | 1.7 |
2011-10-18 | CVE-2011-2312 | Oracle | Sub Component Local vulnerability in Oracle Solaris 10 Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, related to ZFS. | 1.7 |
2011-10-18 | CVE-2011-2311 | Oracle | ZFS Component Local vulnerability in Oracle Solaris 10 Unspecified vulnerability in Oracle Solaris 10 allows local users to affect availability, related to ZFS, a different vulnerability than CVE-2011-2313. | 1.7 |
2011-10-18 | CVE-2011-2318 | Oracle | Oracle WebLogic Server Local vulnerability in Oracle Fusion Middleware Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 9.2.4.0, 10.0.2.0, 10.3.3.0, 10.3.4.0, and 10.3.5.0 allows local users to affect confidentiality, related to WLS Security. | 1.5 |
2011-10-23 | CVE-2011-3163 | HP | Information Exposure vulnerability in HP Multifunction Peripheral Digital Sending Software 4.91.20/4.91.21 HP MFP Digital Sending Software 4.9x through 4.91.21 allows local users to obtain sensitive workflow-metadata information via unspecified vectors. | 1.2 |