Weekly Vulnerabilities Reports > January 2 to 8, 2012

Overview

51 new vulnerabilities reported during this period, including 4 critical vulnerabilities and 4 high severity vulnerabilities. This weekly summary report vulnerabilities in 37 products from 29 vendors including Siemens, Openssl, Apache, Mozilla, and Splunk. Vulnerabilities are notably categorized as "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Resource Management Errors", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Improper Input Validation".

  • 47 reported vulnerabilities are remotely exploitables.
  • 8 reported vulnerabilities have public exploit available.
  • 18 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 48 reported vulnerabilities are exploitable by an anonymous user.
  • Siemens has the most reported vulnerabilities, with 6 reported vulnerabilities.
  • Apache has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

4 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-01-08 CVE-2012-0391 Apache Improper Input Validation vulnerability in Apache Struts

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

9.3
2012-01-08 CVE-2011-4055 Siemens Buffer Errors vulnerability in Siemens Tecnomatix Factorylink 6.6.1/7.5.217/8.0.2.54

Buffer overflow in the WebClient ActiveX control in Siemens Tecnomatix FactoryLink 6.6.1 (aka 6.6 SP1), 7.5.217 (aka 7.5 SP2), and 8.0.2.54 allows remote attackers to execute arbitrary code via a long string in a parameter associated with the location URL.

9.3
2012-01-06 CVE-2011-4109 Openssl Resource Management Errors vulnerability in Openssl

Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.

9.3
2012-01-03 CVE-2011-4644 Splunk Improper Authentication vulnerability in Splunk

Splunk 4.2.5 and earlier, when a Free license is selected, enables potentially undesirable functionality within an environment that intentionally does not support authentication, which allows remote attackers to (1) read arbitrary files via a management-console session that leverages the ability to create crafted data sources, or (2) execute management commands via an HTTP request.

9.3

4 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-01-08 CVE-2012-0024 Maradns Resource Exhaustion vulnerability in Maradns

MaraDNS before 1.3.07.12 and 1.4.x before 1.4.08 computes hash values for DNS data without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted queries with the Recursion Desired (RD) bit set.

7.8
2012-01-08 CVE-2011-4529 Siemens Buffer Errors vulnerability in Siemens Automation License Manager 5.1

Multiple buffer overflows in Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 allow remote attackers to execute arbitrary code via a long serialid field in an _licensekey command, as demonstrated by the (1) check_licensekey or (2) read_licensekey command.

7.5
2012-01-04 CVE-2011-5051 Wpsymposium
Wordpress
Unspecified vulnerability in Wpsymposium WP Symposium

Multiple unrestricted file upload vulnerabilities in the WP Symposium plugin before 11.12.24 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension using (1) uploadify/upload_admin_avatar.php or (2) uploadify/upload_profile_avatar.php, then accessing it via a direct request to the file in an unspecified directory inside the webroot.

7.5
2012-01-03 CVE-2011-4197 Pfsense Permissions, Privileges, and Access Controls vulnerability in Pfsense

etc/inc/certs.inc in the PKI implementation in pfSense before 2.0.1 creates each X.509 certificate with a true value for the CA basic constraint, which allows remote attackers to create sub-certificates for arbitrary subjects by leveraging the private key.

7.5

41 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-01-06 CVE-2011-5054 KDE Improper Authentication vulnerability in KDE Kcheckpass

kcheckpass passes a user-supplied argument to the pam_start function, often within a setuid environment, which allows local users to invoke any configured PAM stack, and possibly trigger unintended side effects, via an arbitrary valid PAM service name, a different vulnerability than CVE-2011-4122.

6.9
2012-01-04 CVE-2011-3337 Eeye
HP
SGI
SUN
Permissions, Privileges, and Access Controls vulnerability in Eeye products

eEye Audit ID 2499 in eEye Digital Security Audits 2406 through 2423 for eEye Retina Network Security Scanner on HP-UX, IRIX, and Solaris allows local users to gain privileges via a Trojan horse gauntlet program in an arbitrary directory under /usr/local/.

6.9
2012-01-08 CVE-2012-0392 Apache Unspecified vulnerability in Apache Struts

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

6.8
2012-01-08 CVE-2011-4870 Invensys Buffer Errors vulnerability in Invensys Wonderware Inbatch 8.1/9.0/9.5

Multiple buffer overflows in the (1) GUIControls, (2) BatchObjSrv, and (3) BatchSecCtrl ActiveX controls in Invensys Wonderware InBatch 9.0 and 9.0 SP1, and InBatch 8.1 SP1, 9.0 SP2, and 9.5 Server and Runtime Clients, allow remote attackers to execute arbitrary code via a long string in a property value, a different issue than CVE-2011-3141.

6.8
2012-01-04 CVE-2011-5052 Cocsoft Buffer Errors vulnerability in Cocsoft Stream Down 6.8

Stack-based buffer overflow in CoCSoft Stream Down 6.8.0 allows remote web servers to execute arbitrary code via a long response to a download request.

6.8
2012-01-02 CVE-2011-3669 Mozilla Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Bugzilla

Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that upload attachments.

6.8
2012-01-02 CVE-2011-3668 Mozilla Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Bugzilla

Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that create bug reports.

6.8
2012-01-02 CVE-2011-3667 Mozilla Improper Authentication vulnerability in Mozilla Bugzilla

The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message.

6.8
2012-01-08 CVE-2012-0393 Apache Permissions, Privileges, and Access Controls vulnerability in Apache Struts

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

6.4
2012-01-04 CVE-2011-5050 Elitecore SQL Injection vulnerability in Elitecore Cyberoam Unified Threat Management

SQL injection vulnerability in corporate/Controller in Elitecore Technologies Cyberoam UTM before 10.01.2 build 059 allows remote authenticated administrators to execute arbitrary SQL commands via the tableid parameter.

6.0
2012-01-08 CVE-2011-4056 Siemens Unspecified vulnerability in Siemens Tecnomatix Factorylink 6.6.1/7.5.217/8.0.2.54

An unspecified ActiveX control in ActBar.ocx in Siemens Tecnomatix FactoryLink 6.6.1 (aka 6.6 SP1), 7.5.217 (aka 7.5 SP2), and 8.0.2.54 allows remote attackers to create or overwrite arbitrary files via the save method.

5.8
2012-01-06 CVE-2011-5053 WI FI Improper Authentication vulnerability in Wi-Fi Wifi Protected Setup Protocol

The Wi-Fi Protected Setup (WPS) protocol, when the "external registrar" authentication method is used, does not properly inform clients about failed PIN authentication, which makes it easier for remote attackers to discover the PIN value, and consequently discover the Wi-Fi network password or reconfigure an access point, by reading EAP-NACK messages.

5.8
2012-01-04 CVE-2011-4921 E107 SQL Injection vulnerability in E107 0.7.26

SQL injection vulnerability in usersettings.php in e107 0.7.26, and possibly other versions before 1.0.0, allows remote attackers to execute arbitrary SQL commands via the username parameter.

5.1
2012-01-08 CVE-2011-4532 Siemens Path Traversal vulnerability in Siemens Automation License Manager 5.1

Absolute path traversal vulnerability in the ALMListView.ALMListCtrl ActiveX control in almaxcx.dll in the graphical user interface in Siemens Automation License Manager (ALM) 2.0 through 5.1+SP1+Upd2 allows remote attackers to overwrite arbitrary files via the Save method.

5.0
2012-01-08 CVE-2011-4531 Siemens Improper Input Validation vulnerability in Siemens Automation License Manager 5.1

Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted content in a (1) get_target_ocx_param or (2) send_target_ocx_param command.

5.0
2012-01-08 CVE-2011-4530 Siemens Improper Input Validation vulnerability in Siemens Automation License Manager 5.1

Siemens Automation License Manager (ALM) 4.0 through 5.1+SP1+Upd1 does not properly copy fields obtained from clients, which allows remote attackers to cause a denial of service (exception and daemon crash) via long fields, as demonstrated by fields to the (1) open_session->workstation->NAME or (2) grant->VERSION function.

5.0
2012-01-08 CVE-2011-5057 Apache Permissions, Privileges, and Access Controls vulnerability in Apache Struts

Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces.

5.0
2012-01-08 CVE-2011-4361 Mediawiki Permissions, Privileges, and Access Controls vulnerability in Mediawiki and Mediawiki Botquery EXT

MediaWiki before 1.17.1 does not check for read permission before handling action=ajax requests, which allows remote attackers to obtain sensitive information by (1) leveraging the SpecialUpload::ajaxGetExistsWarning function, or by (2) leveraging an extension, as demonstrated by the CategoryTree, ExtTab, and InlineEditor extensions.

5.0
2012-01-08 CVE-2011-4360 Mediawiki Permissions, Privileges, and Access Controls vulnerability in Mediawiki and Mediawiki Botquery EXT

MediaWiki before 1.17.1 allows remote attackers to obtain the page titles of all restricted pages via a series of requests involving the (1) curid or (2) oldid parameter.

5.0
2012-01-08 CVE-2011-5055 Maradns Improper Input Validation vulnerability in Maradns 1.3.07.012/1.4.08

MaraDNS 1.3.07.12 and 1.4.08 computes hash values for DNS data without properly restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted queries with the Recursion Desired (RD) bit set.

5.0
2012-01-06 CVE-2012-0027 Openssl Resource Management Errors vulnerability in Openssl

The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client.

5.0
2012-01-06 CVE-2011-4619 Openssl Resource Management Errors vulnerability in Openssl

The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.

5.0
2012-01-06 CVE-2011-4576 Openssl Cryptographic Issues vulnerability in Openssl

The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.

5.0
2012-01-05 CVE-2011-4905 Apache Resource Management Errors vulnerability in Apache Activemq

Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or hang) by sending many openwire failover:tcp:// connection requests.

5.0
2012-01-03 CVE-2011-4642 Splunk Cross-Site Request Forgery (CSRF) vulnerability in Splunk

mappy.py in Splunk Web in Splunk 4.2.x before 4.2.5 does not properly restrict use of the mappy command to access Python classes, which allows remote authenticated administrators to execute arbitrary code by leveraging the sys module in a request to the search application, as demonstrated by a cross-site request forgery (CSRF) attack, aka SPL-45172.

4.6
2012-01-08 CVE-2011-3206 Redhat
RHQ Project
Cross-Site Scripting vulnerability in multiple products

Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in RHQ 4.2.0, as used in JBoss Operations Network (aka JON or JBoss ON) before 3.0, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-01-06 CVE-2011-4616 Igor Vlasenko Cross-Site Scripting vulnerability in Igor Vlasenko Html-Template-Pro

Cross-site scripting (XSS) vulnerability in the HTML-Template-Pro module before 0.9507 for Perl allows remote attackers to inject arbitrary web script or HTML via template parameters, related to improper handling of > (greater than) and < (less than) characters.

4.3
2012-01-06 CVE-2012-0390 GNU Cryptographic Issues vulnerability in GNU Gnutls

The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108.

4.3
2012-01-06 CVE-2011-4577 Openssl Resource Management Errors vulnerability in Openssl

OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.

4.3
2012-01-06 CVE-2011-4108 Openssl Cryptographic Issues vulnerability in Openssl

The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.

4.3
2012-01-05 CVE-2011-5019 Textpattern Cross-Site Scripting vulnerability in Textpattern 4.4.1

Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the ddb parameter.

4.3
2012-01-04 CVE-2011-5049 Microsoft Denial-Of-Service vulnerability in MySQL

MySQL 5.5.8, when running on Windows, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted packet to TCP port 3306.

4.3
2012-01-04 CVE-2011-4920 E107 Cross-Site Scripting vulnerability in E107 0.7.26

Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.26, and other versions before 1.0.0, allow remote attackers to inject arbitrary web script or HTML via the URL to (1) e107_images/thumb.php or (2) rate.php, (3) resend_name parameter to e107_admin/users.php, and (4) link BBCode in user signatures.

4.3
2012-01-04 CVE-2007-6751 H FJ
Sixapart
Cross-Site Scripting vulnerability in H-Fj Mailform Plugin 1.00/1.10

Cross-site scripting (XSS) vulnerability in the MailForm plugin before 1.20 for Movable Type allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-01-04 CVE-2011-1386 IBM Permissions, Privileges, and Access Controls vulnerability in IBM products

IBM Tivoli Federated Identity Manager (TFIM) and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1, 6.2.0, and 6.2.1 do not properly handle signature validations based on SAML 1.0, 1.1, and 2.0, which allows remote attackers to bypass intended authentication or authorization requirements via a non-conforming SAML signature.

4.3
2012-01-03 CVE-2011-5048 IBM Cross-Site Scripting vulnerability in IBM web Experience Factory 7.0/7.0.1

Multiple cross-site scripting (XSS) vulnerabilities in IBM Web Experience Factory (aka WEF, formerly WebSphere Portlet Factory) 7.0 and 7.0.1 allow remote attackers to inject arbitrary web script or HTML via a (1) text INPUT element or (2) TEXTAREA element, related to an interaction between Smart Refresh and Dojo.

4.3
2012-01-03 CVE-2011-5047 Pfsense Cross-Site Scripting vulnerability in Pfsense

Cross-site scripting (XSS) vulnerability in status_rrd_graph.php in pfSense before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the style parameter.

4.3
2012-01-03 CVE-2011-4778 Splunk Cross-Site Scripting vulnerability in Splunk

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 4.2.x before 4.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka SPL-44614.

4.3
2012-01-02 CVE-2011-3657 Mozilla Cross-Site Scripting vulnerability in Mozilla Bugzilla

Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.x and 3.x before 3.4.13, 3.5.x and 3.6.x before 3.6.7, 3.7.x and 4.0.x before 4.0.3, and 4.1.x through 4.1.3, when debug mode is used, allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) tabular report, (2) graphical report, or (3) new chart.

4.3
2012-01-04 CVE-2011-1384 IBM Link Following vulnerability in IBM Invscout.Rte

The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd programs in invscout.rte before 2.2.0.19 on IBM AIX 7.1, 6.1, 5.3, and earlier allow local users to delete arbitrary files, or trigger inventory scout operations on arbitrary files, via a symlink attack on an unspecified file.

4.0
2012-01-03 CVE-2011-4643 Splunk Path Traversal vulnerability in Splunk

Multiple directory traversal vulnerabilities in Splunk 4.x before 4.2.5 allow remote authenticated users to read arbitrary files via a ..

4.0

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-01-06 CVE-2012-0287 Wordpress Cross-Site Scripting vulnerability in Wordpress 3.3

Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature.

2.6
2012-01-08 CVE-2011-5056 Maradns Resource Exhaustion vulnerability in Maradns

The authoritative server in MaraDNS through 2.0.04 computes hash values for DNS data without restricting the ability to trigger hash collisions predictably, which might allow local users to cause a denial of service (CPU consumption) via crafted records in zone files, a different vulnerability than CVE-2012-0024.

2.1