Weekly Vulnerabilities Reports > October 24 to 30, 2011

Overview

60 new vulnerabilities were reported during this period, including 10 critical vulnerabilities and 17 high severity vulnerabilities. This weekly summary reports vulnerabilities in 39 products from 11 vendors including Google, IBM, Apple, Microsoft, and Cisco. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Permissions, Privileges, and Access Controls", "Use After Free", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 51 reported vulnerabilities are remotely exploitable.
  • 14 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 55 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 24 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 5 reported vulnerabilities.

[Summary dashboard: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application. Values not preserved in the text.]

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:

10 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-10-30 CVE-2011-1367 IBM Remote Command Execution vulnerability in IBM Rational AppScan '.scan' file

Unspecified vulnerability in the File Load feature in IBM Rational AppScan Standard and Express 7.8.x, 7.9.x, and 8.0.x before 8.0.0.3 allows remote attackers to execute arbitrary commands via a crafted .scan file.

9.3
2011-10-28 CVE-2011-3251 Apple, Microsoft Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime

Apple QuickTime before 7.7.1 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted TKHD atoms in a QuickTime movie file.

9.3
2011-10-28 CVE-2011-3250 Apple, Microsoft Numeric Errors vulnerability in Apple QuickTime

Integer overflow in Apple QuickTime before 7.7.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with JPEG2000 encoding.

9.3
2011-10-28 CVE-2011-3249 Apple, Microsoft Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Apple QuickTime

Buffer overflow in Apple QuickTime before 7.7.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with FLC encoding.

9.3
2011-10-28 CVE-2011-3248 Apple, Microsoft Numeric Errors vulnerability in Apple QuickTime

Integer signedness error in Apple QuickTime before 7.7.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted font table in a QuickTime movie file.

9.3
2011-10-28 CVE-2011-3247 Apple, Microsoft Numeric Errors vulnerability in Apple QuickTime

Integer overflow in Apple QuickTime before 7.7.1 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT file.

9.3
2011-10-27 CVE-2011-4004 Cisco Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Cisco WebEx Recording Format Player

Buffer overflow in the ATAS32 processing functionality in the Cisco WebEx Recording Format (WRF) player T26 before SP49 EP40 and T27 before SP28 allows remote attackers to execute arbitrary code via a crafted WRF file.

9.3
2011-10-27 CVE-2011-3319 Cisco Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Cisco WebEx Recording Format Player

Buffer overflow in the WRF parsing functionality in the Cisco WebEx Recording Format (WRF) player T26 before SP49 EP40 and T27 before SP28 allows remote attackers to execute arbitrary code via a crafted WRF file.

9.3
2011-10-24 CVE-2011-2656 Novell Remote Code Execution vulnerability in Novell ZENworks Handheld Management 7/7.0.2.61213

Unspecified vulnerability in ZfHSrvr.exe in Novell ZENworks Handheld Management (ZHM) 7 allows remote attackers to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-2655.

9.3
2011-10-24 CVE-2011-2655 Novell Remote Code Execution vulnerability in Novell Zenworks Handheld Management 7

Unspecified vulnerability in ZfHSrvr.exe in Novell ZENworks Handheld Management (ZHM) 7 allows remote attackers to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-2656.

9.3

17 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-10-30 CVE-2011-1366 IBM Remote Security vulnerability in IBM Rational AppScan

Unspecified vulnerability in the Import feature in IBM Rational AppScan Enterprise and AppScan Reporting Console 5.2 through 7.9.x and 8.x before 8.0.1.1 allows remote attackers to execute arbitrary commands on an agent server via a crafted ZIP archive.

8.8
2011-10-27 CVE-2011-3318 Cisco Resource Management Errors vulnerability in Cisco products

Cisco Video Surveillance 2421 and 2500 series cameras with software 1.1.x and 2.x before 2.4.0 and Video Surveillance 2600 series cameras with software before 4.2.0-13 allow remote attackers to cause a denial of service (device reload) by sending crafted RTSP packets over TCP, aka Bug IDs CSCtj96312, CSCtj39462, and CSCtl80175.

7.8
2011-10-27 CVE-2011-3315 Cisco Path Traversal vulnerability in Cisco products

Directory traversal vulnerability in Cisco Unified Communications Manager (CUCM) 5.x and 6.x before 6.1(5)SU2, 7.x before 7.1(5b)SU2, and 8.x before 8.0(3), and Cisco Unified Contact Center Express (aka Unified CCX or UCCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) before 6.0(1)SR1ES8, 7.0(x) before 7.0(2)ES1, 8.0(x) through 8.0(2)SU3, and 8.5(x) before 8.5(1)SU2, allows remote attackers to read arbitrary files via a crafted URL, aka Bug IDs CSCth09343 and CSCts44049.

7.8
2011-10-28 CVE-2011-2830 Google Unspecified vulnerability in Google Chrome

Google V8, as used in Google Chrome before 14.0.835.163, does not properly implement script object wrappers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via unknown vectors.

7.5
2011-10-25 CVE-2011-3891 Google Unspecified vulnerability in Google Chrome

Google Chrome before 15.0.874.102 does not properly restrict access to internal Google V8 functions, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

7.5
2011-10-25 CVE-2011-3890 Google Use After Free vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to video source handling.

7.5
2011-10-25 CVE-2011-3889 Google Out-Of-Bounds Write vulnerability in Google Chrome

Heap-based buffer overflow in the Web Audio implementation in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

7.5
2011-10-25 CVE-2011-3885 Google, Apple Use After Free vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to stale Cascading Style Sheets (CSS) token-sequence data.

7.5
2011-10-25 CVE-2011-3883 Google Use After Free vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to counters.

7.5
2011-10-25 CVE-2011-3882 Google Use After Free vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to media buffers.

7.5
2011-10-25 CVE-2011-3880 Google Improper Input Validation vulnerability in Google Chrome

Google Chrome before 15.0.874.102 does not prevent use of an unspecified special character as a delimiter in HTTP headers, which has unknown impact and remote attack vectors.

7.5
2011-10-25 CVE-2011-3879 Google Unspecified vulnerability in Google Chrome

Google Chrome before 15.0.874.102 does not prevent redirects to chrome: URLs, which has unspecified impact and remote attack vectors.

7.5
2011-10-24 CVE-2011-3615 Simplemachines SQL Injection vulnerability in Simplemachines SMF

Multiple SQL injection vulnerabilities in Simple Machines Forum (SMF) before 1.1.15 and 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via vectors involving a (1) HTML entity or (2) display name.

7.5
2011-10-30 CVE-2011-4213 Google Permissions, Privileges, and Access Controls vulnerability in Google App Engine Python SDK

The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent use of the os module, which allows local users to bypass intended access restrictions and execute arbitrary commands via a file_blob_storage.os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.

7.2
2011-10-30 CVE-2011-4212 Google Permissions, Privileges, and Access Controls vulnerability in Google App Engine Python SDK

The sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly prevent os.popen calls, which allows local users to bypass intended access restrictions and execute arbitrary commands via a dev_appserver.RestrictedPathFunction._original_os reference within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.

7.2
2011-10-30 CVE-2011-4211 Google Permissions, Privileges, and Access Controls vulnerability in Google App Engine Python SDK

The FakeFile implementation in the sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly control the opening of files, which allows local users to bypass intended access restrictions and create arbitrary files via ALLOWED_MODES and ALLOWED_DIRS changes within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.

7.2
2011-10-28 CVE-2011-3640 Google, Apple, Microsoft Untrusted Search Path vulnerability in Google Chrome

** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory.

7.1

31 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-10-30 CVE-2011-1364 Google Cross-Site Request Forgery (CSRF) vulnerability in Google App Engine Python SDK

Cross-site request forgery (CSRF) vulnerability in _ah/admin/interactive/execute (aka the Interactive Console) in the SDK Console (aka Admin Console) in the Google App Engine Python SDK before 1.5.4 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary Python code via the code parameter.

6.8
2011-10-27 CVE-2011-2569 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco products

Cisco Nexus OS (aka NX-OS) 4.2 and 5.0 and Cisco Unified Computing System with software 1.4 and 2.0 do not properly restrict command-line options, which allows local users to gain privileges via unspecified vectors, aka Bug IDs CSCtf40008, CSCtg18363, CSCtr44645, CSCts10195, and CSCts10188.

6.8
2011-10-25 CVE-2011-3888 Google, Apple Use After Free vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 15.0.874.102 allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to editing operations in conjunction with an unknown plug-in.

6.8
2011-10-25 CVE-2011-3886 Google Improper Input Validation vulnerability in Google V8

Google V8, as used in Google Chrome before 15.0.874.102, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers out-of-bounds write operations.

6.8
2011-10-25 CVE-2011-3884 Google Improper Input Validation vulnerability in Google Chrome

Google Chrome before 15.0.874.102 does not properly address timing issues during DOM traversal, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document.

6.8
2011-10-25 CVE-2011-3878 Google Race Condition vulnerability in Google Chrome

Race condition in Google Chrome before 15.0.874.102 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to worker process initialization.

6.8
2011-10-25 CVE-2011-3876 Google Unspecified vulnerability in Google Chrome

Google Chrome before 15.0.874.102 does not properly handle downloading files that have whitespace characters at the end of a filename, which has unspecified impact and user-assisted remote attack vectors.

6.8
2011-10-24 CVE-2011-4173 Simplemachines Cross-Site Request Forgery (CSRF) vulnerability in Simplemachines SMF 2.0

Cross-site request forgery (CSRF) vulnerability in Simple Machines Forum (SMF) 2.x before 2.0.1 allows remote attackers to hijack the authentication of administrators or moderators via vectors involving image files, a different vulnerability than CVE-2011-3615.

6.8
2011-10-27 CVE-2011-3870 Puppet, Puppetlabs Link Following vulnerability in multiple products

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to modify the permissions of arbitrary files via a symlink attack on the SSH authorized_keys file.

6.3
2011-10-27 CVE-2011-3869 Puppet, Puppetlabs Link Following vulnerability in multiple products

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x allows local users to overwrite arbitrary files via a symlink attack on the .k5login file.

6.3
2011-10-27 CVE-2011-3871 Puppet, Puppetlabs Permissions, Privileges, and Access Controls vulnerability in multiple products

Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x, when running in --edit mode, uses a predictable file name, which allows local users to run arbitrary Puppet code or trick a user into editing arbitrary files.

6.2
2011-10-30 CVE-2009-2747 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Application Server

The Java Naming and Directory Interface (JNDI) implementation in IBM WebSphere Application Server (WAS) 6.0 before 6.0.2.39, 6.1 before 6.1.0.29, and 7.0 before 7.0.0.7 does not properly restrict access to UserRegistry object methods, which allows remote attackers to obtain sensitive information via a crafted method call.

5.0
2011-10-29 CVE-2011-1370 IBM Configuration vulnerability in IBM Lotus Sametime

The default configuration of the Sametime configuration servlet (SCS) in the server in IBM Lotus Sametime 7.0 through 8.5.2 does not enable an authentication requirement, which allows remote attackers to read the configuration settings by examining a response message.

5.0
2011-10-29 CVE-2011-1368 IBM Information Exposure vulnerability in IBM Websphere Application Server 8.0.0.0

The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server 8.x before 8.0.0.1 does not properly handle requests, which allows remote attackers to read unspecified files via unknown vectors.

5.0
2011-10-27 CVE-2011-3848 Puppet, Puppetlabs Path Traversal vulnerability in multiple products

Directory traversal vulnerability in Puppet 2.6.x before 2.6.10 and 2.7.x before 2.7.4 allows remote attackers to write X.509 Certificate Signing Request (CSR) to arbitrary locations via (1) a double-encoded key parameter in the URI in 2.7.x, (2) the CN in the Subject of a CSR in 2.6 and 0.25.

5.0
2011-10-25 CVE-2011-3887 Google, Apple Reliance on Cookies Without Validation and Integrity Checking vulnerability in Google Chrome

Google Chrome before 15.0.874.102 does not properly handle javascript: URLs, which allows remote attackers to bypass intended access restrictions and read cookies via unspecified vectors.

5.0
2011-10-30 CVE-2009-2748 IBM Cross-Site Scripting vulnerability in IBM Websphere Application Server

Cross-site scripting (XSS) vulnerability in the Administration Console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.29 and 7.1 before 7.0.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2011-10-29 CVE-2010-0780 IBM Resource Management Errors vulnerability in IBM Websphere MQ

IBM WebSphere MQ 7.x before 7.0.1.4 allows remote attackers to cause a denial of service (disk consumption) via multiple connection attempts to a stopped queue manager.

4.3
2011-10-28 CVE-2011-1371 IBM Cross-Site Scripting vulnerability in IBM Websphere Ilog Rule Team Server 7.1.1

Cross-site scripting (XSS) vulnerability in content/error.jsp in IBM WebSphere ILOG Rule Team Server 7.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors that trigger an Unknown Error document, a different vulnerability than CVE-2011-4171.

4.3
2011-10-28 CVE-2011-1360 IBM Cross-Site Scripting vulnerability in IBM Http Server

Multiple cross-site scripting (XSS) vulnerabilities in IBM HTTP Server 2.0.47 and earlier, as used in WebSphere Application Server and other products, allow remote attackers to inject arbitrary web script or HTML via vectors involving unspecified documentation files in (1) manual/ibm/ and (2) htdocs/*/manual/ibm/.

4.3
2011-10-25 CVE-2011-3881 Google, Apple Cross-Site Scripting vulnerability in Google Chrome

WebKit, as used in Google Chrome before 15.0.874.102 and Android before 4.4, allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors related to (1) the DOMWindow::clear function and use of a selection object, (2) the Object::GetRealNamedPropertyInPrototypeChain function and use of an __proto__ property, (3) the HTMLPlugInImageElement::allowedToLoadFrameURL function and use of a javascript: URL, (4) incorrect origins for XSLT-generated documents in the XSLTProcessor::createDocumentFromSource function, and (5) improper handling of synchronous frame loads in the ScriptController::executeIfJavaScriptURL function.

4.3
2011-10-25 CVE-2011-3877 Google Cross-Site Scripting vulnerability in Google Chrome

Cross-site scripting (XSS) vulnerability in the appcache internals page in Google Chrome before 15.0.874.102 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2011-10-25 CVE-2011-3875 Google Improper Input Validation vulnerability in Google Chrome

Google Chrome before 15.0.874.102 does not properly handle drag and drop operations on URL strings, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors.

4.3
2011-10-25 CVE-2011-2845 Google, Apple Improper Input Validation vulnerability in Google Chrome

Google Chrome before 15.0.874.102 does not properly handle history data, which allows user-assisted remote attackers to spoof the URL bar via unspecified vectors.

4.3
2011-10-24 CVE-2011-4172 Kent WEB Cross-Site Scripting vulnerability in Kent-Web web Forum

Multiple cross-site scripting (XSS) vulnerabilities in KENT-WEB WEB FORUM before 5.1 allow remote attackers to inject arbitrary web script or HTML via (1) an e-mail address field or (2) a cookie, a related issue to CVE-2011-3383, CVE-2011-3983, and CVE-2011-3984.

4.3
2011-10-24 CVE-2011-4171 IBM Cross-Site Scripting vulnerability in IBM Websphere Ilog Rule Team Server 7.1.1

Cross-site scripting (XSS) vulnerability in content/error.jsp in IBM WebSphere ILOG Rule Team Server 7.1.1 allows remote attackers to inject arbitrary web script or HTML via the project parameter to teamserver/faces/home.jsp.

4.3
2011-10-24 CVE-2011-3984 Kent WEB Cross-Site Scripting vulnerability in Kent-Web web Forum

Cross-site scripting (XSS) vulnerability in KENT-WEB WEB FORUM 5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to "web form entries."

4.3
2011-10-24 CVE-2011-3983 Kent WEB Cross-Site Scripting vulnerability in Kent-Web web Forum 5.1

Cross-site scripting (XSS) vulnerability in KENT-WEB WEB FORUM 5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to cookies.

4.3
2011-10-24 CVE-2011-3383 Kent WEB Cross-Site Scripting vulnerability in Kent-Web web Forum

Cross-site scripting (XSS) vulnerability in KENT-WEB WEB FORUM 5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to "the web page to be output."

4.3
2011-10-30 CVE-2009-0900 IBM Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in IBM WebSphere MQ

Heap-based buffer overflow in the client in IBM WebSphere MQ 6.0 before 6.0.2.7 and 7.0 before 7.0.1.0 allows local users to gain privileges via crafted SSL information in a Client Channel Definition Table (CCDT) file.

4.1
2011-10-27 CVE-2011-4079 OpenLDAP Numeric Errors vulnerability in OpenLDAP

Off-by-one error in the UTF8StringNormalize function in OpenLDAP 2.4.26 and earlier allows remote attackers to cause a denial of service (slapd crash) via a zero-length string that triggers a heap-based buffer overflow, as demonstrated using an empty postalAddressAttribute value in an LDIF entry.

4.0

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-10-27 CVE-2011-3872 Puppet, Puppetlabs Improper Input Validation vulnerability in multiple products

Puppet 2.6.x before 2.6.12 and 2.7.x before 2.7.6, and Puppet Enterprise (PE) Users 1.0, 1.1, and 1.2 before 1.2.4, when signing an agent certificate, adds the Puppet master's certdnsnames values to the X.509 Subject Alternative Name field of the certificate, which allows remote attackers to spoof a Puppet master via a man-in-the-middle (MITM) attack against an agent that uses an alternate DNS name for the master, aka "AltNames Vulnerability."

2.6
2011-10-30 CVE-2009-0905 IBM Improper Input Validation vulnerability in IBM Websphere MQ

IBM WebSphere MQ 6.0 before 6.0.2.8 and 7.0 before 7.0.1.0 does not properly handle long group names, which might allow local users to gain privileges by leveraging combinations of group names with the same initial substring.

1.7