Weekly Vulnerabilities Reports > January 23 to 29, 2012
Overview
75 new vulnerabilities reported during this period, including 6 critical vulnerabilities and 12 high severity vulnerabilities. This weekly summary report vulnerabilities in 63 products from 51 vendors including Android, Sitracker, Google, Tencent, and Schneider Electric. Vulnerabilities are notably categorized as "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Information Exposure", "SQL Injection", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".
- 72 reported vulnerabilities are remotely exploitables.
- 8 reported vulnerabilities have public exploit available.
- 28 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 68 reported vulnerabilities are exploitable by an anonymous user.
- Android has the most reported vulnerabilities, with 16 reported vulnerabilities.
- Renren has the most reported critical vulnerabilities, with 2 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
6 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-01-25 | CVE-2011-3478 | Symantec | Improper Authentication vulnerability in Symantec Pcanywhere The host-services component in Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and authentication data, which allows remote attackers to execute arbitrary code via a crafted session on TCP port 5631. | 10.0 |
2012-01-24 | CVE-2012-0918 | Hitachi | Remote Code Execution vulnerability in Hitachi products Unspecified vulnerability in Hitachi COBOL2002 Net Developer, Net Server Suite, and Net Client Suite 01-00, 01-01 through 01-01-/D, 01-02 through 01-02-/F, 01-03 through 01-03-/F, 02-00 through 02-00-/D, 02-01 through 02-01-/C, and possibly other versions before 02-01-/D allows remote attackers to execute arbitrary code via unknown attack vectors. | 10.0 |
2012-01-27 | CVE-2012-0395 | EMC | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in EMC Networker Buffer overflow in the server in EMC NetWorker 7.5.x and 7.6.x before 7.6.3 SP1 Cumulative Release build 851 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via unspecified vectors. | 9.3 |
2012-01-24 | CVE-2012-0916 | Renren | Buffer Errors vulnerability in Renren Talk 2.9 Heap-based buffer overflow in RenRen Talk 2.9 allows remote attackers to execute arbitrary code via a crafted image in a chat message, as demonstrated using a PNG file. | 9.3 |
2012-01-24 | CVE-2012-0915 | Renren | Numeric Errors vulnerability in Renren Talk 2.9 Integer signedness error in RenRen Talk 2.9 allows remote attackers to execute arbitrary code via crafted dimensions of a skin file, leading to a heap-based buffer overflow, as demonstrated using a BMP image. | 9.3 |
2012-01-23 | CVE-2012-0192 | IBM | Numeric Errors vulnerability in IBM Lotus Symphony Multiple integer overflows in vclmi.dll in the visual class library module in IBM Lotus Symphony before 3.0.1 might allow remote attackers to execute arbitrary code via an embedded (1) JPEG or (2) PNG image object in a Symphony document that triggers a heap-based buffer overflow, as demonstrated by a .doc file. | 9.3 |
12 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-01-28 | CVE-2012-0929 | Schneider Electric | Buffer Errors vulnerability in Schneider-Electric Modicon Quantum PLC Multiple buffer overflows in Schneider Electric Modicon Quantum PLC allow remote attackers to cause a denial of service via malformed requests to the (1) FTP server or (2) HTTP server. | 7.8 |
2012-01-29 | CVE-2011-5072 | Sitracker | SQL Injection vulnerability in Sitracker Support Incident Tracker Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to execute arbitrary SQL commands via the (1) start parameter to portal/kb.php; (2) contractid parameter to contract_add_service.php; (3) id parameter to edit_escalation_path.php; (4) unlock, (5) lock, or (6) selected parameter to holding_queue.php; inc parameter in a report action to (7) report_customers.php or (8) report_incidents_by_site.php; (9) start parameter to search.php; or (10) sites parameter to transactions.php. | 7.5 |
2012-01-29 | CVE-2011-4337 | Sitracker | Code Injection vulnerability in Sitracker Support Incident Tracker Static code injection vulnerability in translate.php in Support Incident Tracker (aka SiT!) 3.45 through 3.65 allows remote attackers to inject arbitrary PHP code into an executable language file in the i18n directory via the lang variable. | 7.5 |
2012-01-29 | CVE-2012-0935 | Aryadad | SQL Injection vulnerability in Aryadad CMS SQL injection vulnerability in Default.aspx in Aryadad CMS allows remote attackers to execute arbitrary SQL commands via the PageID parameter. | 7.5 |
2012-01-29 | CVE-2012-0934 | Zingiri Wordpress | Code Injection vulnerability in Zingiri Theme Tuner Plugin PHP remote file inclusion vulnerability in ajax/savetag.php in the Theme Tuner plugin for WordPress before 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the tt-abspath parameter. | 7.5 |
2012-01-29 | CVE-2011-5071 | Sitracker | SQL Injection vulnerability in Sitracker Support Incident Tracker Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.64 allow remote attackers to execute arbitrary SQL commands via the (1) exc[] parameter to report_marketing.php, (2) selected[] parameter to tasks.php, (3) sites[] parameter to billable_incidents.php, or (4) search_string parameter to search.php. | 7.5 |
2012-01-29 | CVE-2011-3831 | Sitracker | SQL Injection vulnerability in Sitracker Support Incident Tracker 3.65 SQL injection vulnerability in incident_attachments.php in Support Incident Tracker (aka SiT!) 3.65 allows remote attackers to execute arbitrary SQL commands via an uploaded file with a crafted file name. | 7.5 |
2012-01-28 | CVE-2012-0931 | Schneider Electric | Improper Authentication vulnerability in Schneider-Electric Modicon Quantum PLC Schneider Electric Modicon Quantum PLC does not perform authentication between the Unity software and PLC, which allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors. | 7.5 |
2012-01-27 | CVE-2011-3626 | Drusus Kerry Thompson | Resource Management Errors vulnerability in multiple products Double free vulnerability in the prepare_exec function in src/exec.c in Logsurfer 1.5b and earlier, and Logsurfer+ 1.7 and earlier, allows remote attackers to execute arbitrary commands via crafted strings in a log file. | 7.5 |
2012-01-24 | CVE-2012-0913 | Icloudcenter | SQL Injection vulnerability in Icloudcenter Ictimeattendance 1.0 SQL injection vulnerability in checklogin.aspx in ICloudCenter ICTimeAttendance 1.0 allows remote attackers to execute arbitrary SQL commands via the passw parameter. | 7.5 |
2012-01-24 | CVE-2012-0069 | Batavi | SQL Injection vulnerability in Batavi SQL injection vulnerability in ajax.php in Batavi before 1.2.1 allows remote attackers to execute arbitrary SQL commands via the boxToReload parameter. | 7.5 |
2012-01-24 | CVE-2012-0912 | Stone Ware | SQL Injection vulnerability in Stone-Ware Webnetwork 6.0.5.0 SQL injection vulnerability in Stoneware webNetwork before 6.0.8.0 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
55 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-01-29 | CVE-2011-5074 | Sitracker | Cross-Site Request Forgery (CSRF) vulnerability in Sitracker Support Incident Tracker Multiple cross-site request forgery (CSRF) vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to hijack the authentication of administrators for requests that change administrator email, add a new administrator, or insert arbitrary script via (1) user_profile_edit.php or (2) user_add.php. | 6.8 |
2012-01-29 | CVE-2011-5068 | Sitracker | Cross-Site Request Forgery (CSRF) vulnerability in Sitracker Support Incident Tracker 3.65 Multiple cross-site request forgery (CSRF) vulnerabilities in Support Incident Tracker (aka SiT!) 3.65 allow remote attackers to hijack the authentication of user for requests that delete a user via user_delete.php and other unspecified programs. | 6.8 |
2012-01-25 | CVE-2011-3479 | Symantec | Permissions, Privileges, and Access Controls vulnerability in Symantec Pcanywhere Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), uses world-writable permissions for product-installation files, which allows local users to gain privileges by modifying a file. | 6.8 |
2012-01-24 | CVE-2012-0286 | Stone Ware | Cross-Site Request Forgery (CSRF) vulnerability in Stone-Ware Webnetwork 6.0.5.0 Cross-site request forgery (CSRF) vulnerability in Stoneware webNetwork before 6.0.8.0 allows remote attackers to hijack the authentication of unspecified victims for requests that modify user accounts. | 6.8 |
2012-01-29 | CVE-2011-3832 | Sitracker | Code Injection vulnerability in Sitracker Support Incident Tracker 3.65 Eval injection vulnerability in config.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated administrators to execute arbitrary PHP code via the application_name parameter in a save action. | 6.5 |
2012-01-27 | CVE-2012-0806 | Duckcorp | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Duckcorp BIP Buffer overflow in Bip 0.8.8 and earlier might allow remote authenticated users to execute arbitrary code via vectors involving a series of TCP connections that triggers use of many open file descriptors. | 6.5 |
2012-01-25 | CVE-2011-4866 | Kaixin001 Android | Information Exposure vulnerability in Kaixin001 1.3.1/1.3.3 The Kaixin001 (com.kaixin001.activity) application 1.3.1 and 1.3.3 for Android does not properly protect data, which allows remote attackers to read or modify contact information and a cleartext password via a crafted application. | 6.4 |
2012-01-25 | CVE-2011-4699 | Ubermedia Android | Information Exposure vulnerability in Ubermedia Twidroyd Legacy 4.3.11 The Ubermedia Twidroyd Legacy (com.twidroydlegacy) application 4.3.11 for Android does not properly protect data, which allows remote attackers to read or modify Twitter information via a crafted application. | 6.4 |
2012-01-25 | CVE-2011-4698 | Androidapptools Android | Information Exposure vulnerability in Androidapptools Easy Filter 1.1/1.2 The AndroidAppTools Easy Filter (com.phoneblocker.android) application 1.1 and 1.2 for Android does not properly protect data, which allows remote attackers to read or modify SMS messages and call records via a crafted application. | 6.4 |
2012-01-25 | CVE-2011-4697 | Xiaomi Android | Information Exposure vulnerability in Xiaomi Mitalk Messenger 1.0/2.1.280 The Xiaomi MiTalk Messenger (com.xiaomi.channel) application before 2.1.320 for Android does not properly protect data, which allows remote attackers to read or modify messaging information via a crafted application. | 6.4 |
2012-01-29 | CVE-2011-5069 | Sitracker | Input Validation vulnerability in Sitracker Support Incident Tracker 3.65 Unrestricted file upload vulnerability in incident_attachments.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in unspecified directory, a different program than CVE-2011-3833. | 6.0 |
2012-01-29 | CVE-2011-3833 | Sitracker | Input Validation vulnerability in Sitracker Support Incident Tracker 3.65 Unrestricted file upload vulnerability in ftp_upload_file.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated users to execute arbitrary PHP code by uploading a PHP file, then accessing it via a direct request to the file in an unspecified directory. | 6.0 |
2012-01-27 | CVE-2011-4314 | KAY Framework Project Openid Redhat | Improper Input Validation vulnerability in multiple products message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. | 5.8 |
2012-01-27 | CVE-2011-4354 | Openssl | Cryptographic Issues vulnerability in Openssl crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts. | 5.8 |
2012-01-25 | CVE-2011-4867 | Tencent Android | Permissions, Privileges, and Access Controls vulnerability in Tencent Qqpphoto 0.97 The Tencent QQPhoto (com.tencent.qqphoto) application 0.97 for Android does not properly protect data, which allows remote attackers to read or modify contact information and a password hash via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4865 | Tencent | Permissions, Privileges, and Access Controls vulnerability in Tencent Microblogpad and Wblog The Tencent WBlog (com.tencent.WBlog) 3.3.1 and MicroBlogPad 1.4.0 applications for Android do not properly protect data, which allows remote attackers to read or modify message drafts and search keywords via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4864 | Tencent | Permissions, Privileges, and Access Controls vulnerability in Tencent Mobileqq 2.2 The Tencent MobileQQ (com.tencent.mobileqq) application 2.2 for Android does not properly protect data, which allows remote attackers to read or modify messages and a friends list via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4863 | Tencent | Permissions, Privileges, and Access Controls vulnerability in Tencent Qqpimsecure 3.0.2 The Tencent QQPimSecure (com.tencent.qqpimsecure) application 3.0.2 for Android does not properly protect data, which allows remote attackers to read or modify SMS/MMS messages and a contact list via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4773 | Anguanjia Android | Permissions, Privileges, and Access Controls vulnerability in Anguanjia 2.10.343 The AnGuanJia (com.anguanjia.safe) application 2.10.343 for Android does not properly protect data, which allows remote attackers to read or modify SMS messages and a contact list via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4772 | 360 Android | Permissions, Privileges, and Access Controls vulnerability in 360 Kouxin 1.5.3 The 360 KouXin (com.qihoo360.kouxin) application 1.5.3 for Android does not properly protect data, which allows remote attackers to read or modify SMS messages and a contact list via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4771 | Lucion Android | Permissions, Privileges, and Access Controls vulnerability in Lucion Scan TO PDF Free 2.0.4 The Scan to PDF Free (com.scan.to.pdf.trial) application 2.0.4 for Android does not properly protect data, which allows remote attackers to read or modify scanned files and a Google account via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4770 | Qiwi Android | Permissions, Privileges, and Access Controls vulnerability in Qiwi Wallet 1.13 The QIWI Wallet (ru.mw) application before 1.14.2 for Android does not properly protect data, which allows remote attackers to read or modify financial information via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4769 | 360 Android | Permissions, Privileges, and Access Controls vulnerability in 360 Mobilesafe 2.1.0/2.2.0 The 360 MobileSafe (com.qihoo360.mobilesafe) application 2.x before 2.3.0 for Android does not properly protect data, which allows remote attackers to read or modify SMS messages and a contact list via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4705 | Ming Android | Permissions, Privileges, and Access Controls vulnerability in Ming Blacklist Free 1.8.1/1.9.2.1 The Ming Blacklist Free (vc.software.blacklist) application 1.8.1 and 1.9.2.1 for Android does not properly protect data, which allows remote attackers to read or modify blacklists and a contact list via a crafted application that launches a "data-flow attack." | 5.8 |
2012-01-25 | CVE-2011-4704 | Voxofon Android | Permissions, Privileges, and Access Controls vulnerability in Voxofon The Voxofon (com.voxofon) application before 2.5.2 for Android does not properly protect data, which allows remote attackers to read or modify SMS information via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4703 | Nathanielkh Android | Permissions, Privileges, and Access Controls vulnerability in Nathanielkh Limit MY Call 2.11 The Limit My Call (com.limited.call.view) application 2.11 for Android does not properly protect data, which allows remote attackers to read or modify call logs and a contact list via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4702 | Nimbuzz Android | Permissions, Privileges, and Access Controls vulnerability in Nimbuzz 2..0.10/2.0.8 The Nimbuzz (com.nimbuzz) application 2.0.8 and 2.0.10 for Android does not properly protect data, which allows remote attackers to read or modify a contact list via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4701 | Hatena Android | Permissions, Privileges, and Access Controls vulnerability in Hatena Callconfirm 2.0.0 The CallConfirm (jp.gr.java_conf.ofnhwx.callconfirm) application 2.0.0 for Android does not properly protect data, which allows remote attackers to read or modify allow/block lists via a crafted application. | 5.8 |
2012-01-25 | CVE-2011-4700 | Ubermedia Android | Permissions, Privileges, and Access Controls vulnerability in Ubermedia Ubersocial The UberMedia UberSocial (com.twidroid) application 7.x before 7.2.4 for Android does not properly protect data, which allows remote attackers to read or modify Twitter information via a crafted application. | 5.8 |
2012-01-27 | CVE-2012-0807 | Hardened PHP | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Hardened-PHP Suhosin Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header. | 5.1 |
2012-01-29 | CVE-2011-5075 | Sitracker | Unspecified vulnerability in Sitracker Support Incident Tracker translate.php in Support Incident Tracker (aka SiT!) 3.45 through 3.65 allows remote attackers to obtain sensitive information via a direct request using the save action, which reveals the installation path. | 5.0 |
2012-01-27 | CVE-2011-4143 | RSA | Information Exposure vulnerability in RSA Envision 4.0/4.1 EMC RSA enVision 4.0 before SP4 P5 and 4.1 before P3 allows remote attackers to obtain sensitive information about environment variables in the web system via unspecified vectors. | 5.0 |
2012-01-27 | CVE-2011-4622 | Redhat | Local Denial of Service vulnerability in Redhat KVM 83 The create_pit_timer function in arch/x86/kvm/i8254.c in KVM 83, and possibly other versions, does not properly handle when Programmable Interval Timer (PIT) interrupt requests (IRQs) when a virtual interrupt controller (irqchip) is not available, which allows local users to cause a denial of service (NULL pointer dereference) by starting a timer. | 4.9 |
2012-01-29 | CVE-2011-5073 | Sitracker | Cross-Site Scripting vulnerability in Sitracker Support Incident Tracker Multiple cross-site scripting (XSS) vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to inject arbitrary web script or HTML via the (1) mode parameter to contact_support.php; (2) contractid parameter to contract_add_service.php; (3) user parameter to edit_backup_users.php; (4) id parameter to edit_escalation_path.php; the Referer to (5) forgotpwd.php, (6) an approvalpage action to billable_incidents.php, or (7) transactions.php; (8) action parameter to inbox.php; (9) search_string parameter in a findcontact action to incident_add.php; table1 parameter to (10) report_customers.php, (11) report_incidents_by_engineer.php, (12) report_incidents_by_site.php, or (13) report_marketing.php; or the (14) startdate or (15) enddate parameter to report_incidents_by_vendor.php. | 4.3 |
2012-01-29 | CVE-2012-0936 | Opennms ORG | Cross-Site Scripting vulnerability in Opennms.Org Opennms Cross-site scripting (XSS) vulnerability in web/springframework/security/SecurityAuthenticationEventOnmsEventBuilder.java in OpenNMS 1.8.x before 1.8.17, 1.9.93 and earlier, and 1.10.x before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via the Username field, related to login. | 4.3 |
2012-01-29 | CVE-2012-0932 | Leadcapturepagesystem | Cross-Site Scripting vulnerability in Leadcapturepagesystem Lead Capture Page System Cross-site scripting (XSS) vulnerability in admin/login.php in Lead Capture Page System allows remote attackers to inject arbitrary web script or HTML via the message parameter. | 4.3 |
2012-01-29 | CVE-2011-5070 | Sitracker | Cross-Site Scripting vulnerability in Sitracker Support Incident Tracker 3.65 Multiple cross-site scripting (XSS) vulnerabilities in Support Incident Tracker (aka SiT!) 3.65 allow remote attackers to inject arbitrary web script or HTML via (1) the file name to incident_attachments.php; (2) unspecified vectors in link_add.php, possibly involving origref, linkref, linktype parameters, which are not properly handled in the clean_int function in lib/base.inc.php, or the redirect parameter, which is not properly handled in the html_redirect function in lib/html.inc.php; and (3) unspecified vectors in translate.php. | 4.3 |
2012-01-29 | CVE-2011-3830 | Sitracker | Cross-Site Scripting vulnerability in Sitracker Support Incident Tracker 3.65 Cross-site scripting (XSS) vulnerability in search.php in Support Incident Tracker (aka SiT!) 3.65 allows remote attackers to inject arbitrary web script or HTML via the search_string parameter. | 4.3 |
2012-01-28 | CVE-2012-0930 | Schneider Electric | Cross-Site Scripting vulnerability in Schneider-Electric Modicon Quantum PLC Cross-site scripting (XSS) vulnerability in Schneider Electric Modicon Quantum PLC allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-01-26 | CVE-2012-0312 | Oscommerce | Cross-Site Scripting vulnerability in Oscommerce Online Merchant and Oscommerce Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9, and osCommerce Online Merchant before 2.3.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-01-26 | CVE-2012-0311 | Oscommerce | Cross-Site Scripting vulnerability in Oscommerce Cross-site scripting (XSS) vulnerability in osCommerce 2.2MS1J before R9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-01-25 | CVE-2011-4276 | Information Exposure vulnerability in Google Android The Bluetooth service (com/android/phone/BluetoothHeadsetService.java) in Android 2.3 before 2.3.6 allows remote attackers within Bluetooth range to obtain contact data via an AT phonebook transfer. | 4.3 | |
2012-01-25 | CVE-2012-0885 | Asterisk | Unspecified vulnerability in Asterisk Open Source chan_sip.c in Asterisk Open Source 1.8.x before 1.8.8.2 and 10.x before 10.0.1, when the res_srtp module is used and media support is improperly configured, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted SDP message with a crypto attribute and a (1) video or (2) text media type, as demonstrated by CSipSimple. | 4.3 |
2012-01-24 | CVE-2012-0919 | Hitachi | Cross-Site Scripting vulnerability in Hitachi IT Operations Director Cross-site scripting (XSS) vulnerability in Hitachi IT Operations Director 02-50-01 through 02-50-07, 03-00 through 03-00-04, and possibly other versions before 03-00-06, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-01-24 | CVE-2012-0917 | Hitachi | Cross-Site Scripting vulnerability in Hitachi IT Operations Analyzer Cross-site scripting (XSS) vulnerability in Hitachi IT Operations Analyzer 02-01, 02-51 through 02-51-01, and 02-53 through 02-53-02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-01-24 | CVE-2012-0914 | Earl Miles Drupal | Cross-Site Scripting vulnerability in Earl Miles Panels Cross-site scripting (XSS) vulnerability in display_renderers/panels_renderer_editor.class.php in the admin view in the Panels module 6.x-2.x before 6.x-3.10 and 7.x-3.x before 7.x-3.0 for Drupal allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the Region title. | 4.3 |
2012-01-24 | CVE-2012-0909 | Horde | Cross-Site Scripting vulnerability in Horde Groupware Webmail Edition Cross-site scripting (XSS) vulnerability in Horde_Form in Horde Groupware Webmail Edition before 4.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to email verification. | 4.3 |
2012-01-24 | CVE-2012-0908 | Simplesamlphp | Cross-Site Scripting vulnerability in Simplesamlphp Cross-site scripting (XSS) vulnerability in logout.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the link_href parameter. | 4.3 |
2012-01-24 | CVE-2012-0790 | Oetiker | Cross-Site Scripting vulnerability in Oetiker Smokeping Cross-site scripting (XSS) vulnerability in smokeping_cgi in Smokeping 2.4.2, 2.6.6, and other versions before 2.6.7 allows remote attackers to inject arbitrary web script or HTML via the displaymode parameter. | 4.3 |
2012-01-24 | CVE-2012-0389 | Mailenable | Cross-Site Scripting vulnerability in Mailenable Cross-site scripting (XSS) vulnerability in ForgottenPassword.aspx in MailEnable Professional, Enterprise, and Premium 4.26 and earlier, 5.x before 5.53, and 6.x before 6.03 allows remote attackers to inject arbitrary web script or HTML via the Username parameter. | 4.3 |
2012-01-24 | CVE-2012-0040 | Simplesamlphp | Cross-Site Scripting vulnerability in Simplesamlphp Cross-site scripting (XSS) vulnerability in modules/core/www/no_cookie.php in SimpleSAMLphp 1.8.1 and possibly other versions before 1.8.2 allows remote attackers to inject arbitrary web script or HTML via the retryURL parameter. | 4.3 |
2012-01-24 | CVE-2012-0285 | Stone Ware | Cross-Site Scripting vulnerability in Stone-Ware Webnetwork 6.0.5.0 Multiple cross-site scripting (XSS) vulnerabilities in Stoneware webNetwork before 6.0.8.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-01-24 | CVE-2012-0313 | Glucose | Cross-Site Scripting vulnerability in Glucose 2 Betastage5/Betastage5.1/Stage6 Cross-site scripting (XSS) vulnerability in glucose 2 before stage 6.2 allows remote attackers to inject arbitrary web script or HTML via an RSS feed. | 4.3 |
2012-01-29 | CVE-2011-5067 | Sitracker | Information Exposure vulnerability in Sitracker Support Incident Tracker 3.65 move_uploaded_file.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated users to obtain sensitive information via the file name, which reveals the installation path in an error message. | 4.0 |
2012-01-29 | CVE-2011-3829 | Sitracker | Information Exposure vulnerability in Sitracker Support Incident Tracker 3.65 ftp_upload_file.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated users to obtain sensitive information via the file name, which reveals the installation path in an error message. | 4.0 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-01-29 | CVE-2012-0933 | Acidcat | Cross-Site Scripting vulnerability in Acidcat CMS 3.5.1/3.5.2/3.5.6 Multiple cross-site scripting (XSS) vulnerabilities in Acidcat CMS 3.5.1, 3.5.2, 3.5.6, and possibly earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin_colors.asp, (2) admin_config.asp, and (3) admin_cat_add.asp in admin/. | 2.6 |
2012-01-27 | CVE-2011-1162 | Linux | Information Exposure vulnerability in Linux Kernel 2.6 The tpm_read function in the Linux kernel 2.6 does not properly clear memory, which might allow local users to read the results of the previous TPM command. | 2.1 |