Weekly Vulnerabilities Reports > March 12 to 18, 2012

Overview

86 new vulnerabilities were reported during this period, including 27 critical vulnerabilities and 17 high severity vulnerabilities. This weekly summary reports vulnerabilities in 82 products from 35 vendors, including Google, Mozilla, Microsoft, IBM, and VMware. Notable vulnerability categories include "Cross-site Scripting", "Improper Input Validation", "Resource Management Errors", "Information Exposure", and "Permissions, Privileges, and Access Controls".

  • 81 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 15 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 83 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 15 reported vulnerabilities.
  • Google has the most reported critical vulnerabilities, with 14 reported vulnerabilities.

Vulnerability Details

The following tables list the vulnerabilities reported during the period covered by this report:

27 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-03-18 CVE-2012-1774 Gomlab Remote Security vulnerability in Gom Media Player

Unspecified vulnerability in the Open URL feature in Gretech GOM Media Player before 2.1.39.5101 has unknown impact and attack vectors, a different vulnerability than CVE-2007-5779 and CVE-2012-1264.

10.0
2012-03-15 CVE-2012-0231 GE Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in GE Intelligent Platforms Proficy Plant Applications

PRLicenseMgr.exe in the Proficy Server License Manager in GE Intelligent Platforms Proficy Plant Applications 5.0 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TCP session on port 12401.

10.0
2012-03-15 CVE-2012-0230 GE Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in GE Intelligent Platforms Proficy Plant Applications

PRRDS.exe in the Proficy Remote Data Service in GE Intelligent Platforms Proficy Plant Applications 5.0 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TCP session on port 12299.

10.0
2012-03-15 CVE-2012-0229 GE Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in GE Intelligent Platforms Proficy Historian

The Data Archiver service in GE Intelligent Platforms Proficy Historian 4.5 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted session on TCP port 14000 to (1) ihDataArchiver.exe or (2) ihDataArchiver_x64.exe.

10.0
2012-03-15 CVE-2012-1485 Netfrontlife
Google
Security vulnerability in NetFront Life Browser for Android

Unspecified vulnerability in the NetFront Life Browser (com.access_company.android.nflifebrowser.lite) application 2.2.0 and 2.3.0 for Android has unknown impact and attack vectors.

10.0
2012-03-15 CVE-2012-1484 Wali
Google
Security vulnerability in WaliSMS CN for Android

Unspecified vulnerability in the WaliSMS CN (cn.com.wali.walisms) application 2.9.2 and 3.7.0 for Android has unknown impact and attack vectors.

10.0
2012-03-15 CVE-2012-1483 Zhou BO
Google
Security vulnerability in Zhou BO Message Forwarder 1.12.20110409.1

Unspecified vulnerability in the Message Forwarder (com.gmail.zbnetium) application 1.12.20110409.1 for Android has unknown impact and attack vectors.

10.0
2012-03-15 CVE-2012-1482 Touchpal
Google
Security vulnerability in TouchPal Contacts for Android

Unspecified vulnerability in the TouchPal Contacts (com.cootek.smartdialer) application 3.3.1 and 4.0.1 for Android has unknown impact and attack vectors.

10.0
2012-03-15 CVE-2012-1481 Kashif Masud
Google
Security vulnerability in Kashif Masud Textdroid 2.5.2

Unspecified vulnerability in the Textdroid (com.app.android.textdroid) application 2.5.2 for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-1480 Pansi
Google
Unspecified vulnerability in Pansi SMS 1.97/2.01/2.07

Unspecified vulnerability in the Pansi SMS (com.pansi.msg) application 1.97, 2.01, and 2.07 for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-1479 Movesti
Google
Unspecified vulnerability in Movesti Acontact 1.8.2

Unspecified vulnerability in the AContact (com.movester.quickcontact) application 1.8.2 for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-1478 Ucweb
Google
Unspecified vulnerability in Ucweb Ucmobile Blovestorm 2.2.0/3.2.1

Unspecified vulnerability in the UCMobile BloveStorm (com.blovestorm) application 2.2.0 and 3.2.1 for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-1477 Cnectd
Google
Unspecified vulnerability in Cnectd 3.1.0

Unspecified vulnerability in the Cnectd (mci.cnectd) application 3.1.0 for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-1476 Kktalk
Google
Unspecified vulnerability in Kktalk 4.0.0/4.1.5

Unspecified vulnerability in the KKtalk (com.kkliaotian.android) application 4.0.0 and 4.1.5 for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-1475 Qualcomm
Google
Unspecified vulnerability in Qualcomm Yagattatalk Messenger 1.00.01.08

Unspecified vulnerability in the YagattaTalk Messenger (com.iskoot.yagatta.yagattatalk) application 1.00.01.08 for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-1474 SDO
Google
Unspecified vulnerability in SDO Youni SMS 2.1.0

Unspecified vulnerability in the Youni SMS (com.snda.youni) application 2.1.0c and 2.1.0d for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-1409 Tinycouch
Google
Unspecified vulnerability in Tinycouch Tiny Password 1.64

Unspecified vulnerability in the Tiny Password (com.tinycouch.android.freepassword) application 1.64 for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-1408 Creative Core
Google
Unspecified vulnerability in Creative Core APP Lock 1.7.5/1.7.6

Unspecified vulnerability in the App Lock (com.cc.applock) application 1.7.5 and 1.7.6 for Android has unknown impact and attack vectors.

10.0
2012-03-14 CVE-2012-0124 HP Unspecified vulnerability in HP Data Protector Express 5.0/6.0

Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors.

10.0
2012-03-14 CVE-2012-0123 HP Unspecified vulnerability in HP Data Protector Express 5.0/6.0

Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1498.

10.0
2012-03-14 CVE-2012-0122 HP Unspecified vulnerability in HP Data Protector Express 5.0/6.0

Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1393.

10.0
2012-03-14 CVE-2012-0121 HP Unspecified vulnerability in HP Data Protector Express 5.0/6.0

Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1392.

10.0
2012-03-18 CVE-2012-1264 Gomlab Remote Security vulnerability in Gom Media Player

Unspecified vulnerability in Gretech GOM Media Player before 2.1.37.5091 allows remote attackers to execute arbitrary code via a crafted AVI file.

9.3
2012-03-15 CVE-2012-0358 Cisco Buffer Errors vulnerability in Cisco products

Buffer overflow in the Cisco Port Forwarder ActiveX control in cscopf.ocx, as distributed through the Clientless VPN feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.0 through 7.2 before 7.2(5.6), 8.0 before 8.0(5.26), 8.1 before 8.1(2.53), 8.2 before 8.2(5.18), 8.3 before 8.3(2.28), 8.2 before 8.4(2.16), and 8.6 before 8.6(1.1), allows remote attackers to execute arbitrary code via unspecified vectors, aka Bug ID CSCtr00165.

9.3
2012-03-14 CVE-2012-0457 Mozilla Resource Management Errors vulnerability in Mozilla products

Use-after-free vulnerability in the nsSMILTimeValueSpec::ConvertBetweenTimeContainer function in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to execute arbitrary code via an SVG animation.

9.3
2012-03-13 CVE-2012-0016 Microsoft Unspecified vulnerability in Microsoft Expression Design 2/3/4

Untrusted search path vulnerability in Microsoft Expression Design; Expression Design SP1; and Expression Design 2, 3, and 4 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .xpr or .DESIGN file, aka "Expression Design Insecure Library Loading Vulnerability." Per: http://technet.microsoft.com/en-us/security/bulletin/ms12-022 'This is a remote code execution vulnerability.' Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path'

9.3
2012-03-13 CVE-2012-0002 Microsoft Code Injection vulnerability in Microsoft products

The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly process packets in memory, which allows remote attackers to execute arbitrary code by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, aka "Remote Desktop Protocol Vulnerability." Per: http://technet.microsoft.com/en-us/security/bulletin/ms12-020 "By default, the Remote Desktop Protocol is not enabled on any Windows operating system.

9.3

17 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-03-15 CVE-2012-0356 Cisco Improper Input Validation vulnerability in Cisco products

Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 7.0 through 7.2 before 7.2(5.7), 8.0 before 8.0(5.27), 8.1 before 8.1(2.53), 8.2 before 8.2(5.8), 8.3 before 8.3(2.25), 8.4 before 8.4(2.5), and 8.5 before 8.5(1.2) and the Firewall Services Module (FWSM) 3.1 and 3.2 before 3.2(23) and 4.0 and 4.1 before 4.1(8) in Cisco Catalyst 6500 series devices, when multicast routing is enabled, allow remote attackers to cause a denial of service (device reload) via a crafted IPv4 PIM message, aka Bug IDs CSCtr47517 and CSCtu97367.

7.8
2012-03-15 CVE-2012-0355 Cisco Improper Input Validation vulnerability in Cisco products

Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 8.4 before 8.4(2.11) and 8.5 before 8.5(1.4) allow remote attackers to cause a denial of service (device reload) via (1) IPv4 or (2) IPv6 packets that trigger syslog message 305006, aka Bug ID CSCts39634.

7.8
2012-03-15 CVE-2012-0398 EMC Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Eroom

EMC Documentum eRoom before 7.4.4 does not properly validate session cookies, which allows remote attackers to hijack or replay sessions via unspecified vectors.

7.5
2012-03-14 CVE-2012-0464 Mozilla Resource Management Errors vulnerability in Mozilla products

Use-after-free vulnerability in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote attackers to execute arbitrary code via vectors involving an empty argument to the array.join function in conjunction with the triggering of garbage collection.

7.5
2012-03-14 CVE-2012-0463 Mozilla Improper Input Validation vulnerability in Mozilla products

The nsWindow implementation in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 does not check the validity of an instance after event dispatching, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, as demonstrated by Mobile Firefox on Android.

7.5
2012-03-14 CVE-2012-0462 Mozilla Memory Corruption vulnerability in Mozilla Firefox/Thunderbird/SeaMonkey

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

7.5
2012-03-14 CVE-2012-0461 Mozilla Memory Corruption vulnerability in Mozilla Firefox/Thunderbird/Seamonkey

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

7.5
2012-03-14 CVE-2012-0459 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla products

The Cascading Style Sheets (CSS) implementation in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via dynamic modification of a keyframe followed by access to the cssText of the keyframe.

7.5
2012-03-14 CVE-2012-0454 Mozilla
Microsoft
Resource Management Errors vulnerability in Mozilla products

Use-after-free vulnerability in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 on 32-bit Windows 7 platforms allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving use of the file-open dialog in a child window, related to the IUnknown_QueryService function in the Windows shlwapi.dll library.

7.5
2012-03-13 CVE-2012-1663 GNU Resource Management Errors vulnerability in GNU Gnutls

Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list.

7.5
2012-03-12 CVE-2012-1557 Parallels SQL Injection vulnerability in Parallels Plesk Panel

SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in March 2012.

7.5
2012-03-16 CVE-2012-1510 Vmware Buffer Errors vulnerability in VMWare Esx, Esxi and View

Buffer overflow in the WDDM display driver in VMware ESXi 4.0, 4.1, and 5.0; VMware ESX 4.0 and 4.1; and VMware View before 4.6.1 allows guest OS users to gain guest OS privileges via unspecified vectors.

7.2
2012-03-16 CVE-2012-1509 Vmware Buffer Errors vulnerability in VMWare View 4.0.0/4.5/4.6.0

Buffer overflow in the XPDM display driver in VMware View before 4.6.1 allows guest OS users to gain guest OS privileges via unspecified vectors.

7.2
2012-03-16 CVE-2012-1508 Vmware Permissions, Privileges, and Access Controls vulnerability in VMWare Esx, Esxi and View

The XPDM display driver in VMware ESXi 4.0, 4.1, and 5.0; VMware ESX 4.0 and 4.1; and VMware View before 4.6.1 allows guest OS users to gain guest OS privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors.

7.2
2012-03-13 CVE-2012-0157 Microsoft Improper Input Validation vulnerability in Microsoft products

win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle window messaging, which allows local users to gain privileges via a crafted application that calls the PostMessage function, aka "PostMessage Function Vulnerability."

7.2
2012-03-15 CVE-2012-0354 Cisco Improper Input Validation vulnerability in Cisco products

The Threat Detection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 8.0 through 8.2 before 8.2(5.20), 8.3 before 8.3(2.29), 8.4 before 8.4(3), 8.5 before 8.5(1.6), and 8.6 before 8.6(1.1) allows remote attackers to cause a denial of service (device reload) via (1) IPv4 or (2) IPv6 packets that trigger a shun event, aka Bug ID CSCtw35765.

7.1
2012-03-15 CVE-2012-0353 Cisco Improper Input Validation vulnerability in Cisco products

The UDP inspection engine on Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 8.0 before 8.0(5.25), 8.1 before 8.1(2.50), 8.2 before 8.2(5.5), 8.3 before 8.3(2.22), 8.4 before 8.4(2.1), and 8.5 before 8.5(1.2) does not properly handle flows, which allows remote attackers to cause a denial of service (device reload) via a crafted series of (1) IPv4 or (2) IPv6 UDP packets, aka Bug ID CSCtq10441.

7.1

42 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-03-13 CVE-2012-0008 Microsoft Local Privilege Escalation vulnerability in Microsoft Visual Studio 2008/2010

Untrusted search path vulnerability in Microsoft Visual Studio 2008 SP1, 2010, and 2010 SP1 allows local users to gain privileges via a Trojan horse add-in in an unspecified directory, aka "Visual Studio Add-In Vulnerability." Per: http://technet.microsoft.com/en-us/security/bulletin/ms12-021 'An attacker could then place a specially crafted add-in in the path used by Visual Studio.

6.9
2012-03-17 CVE-2012-0293 Symantec SQL Injection vulnerability in Symantec Altiris Wise Package Studio 7/7.0

Multiple SQL injection vulnerabilities in Symantec Altiris WISE Package Studio before 8.0MR1 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

6.8
2012-03-16 CVE-2012-1514 Vmware Cross-Site Request Forgery (CSRF) vulnerability in VMWare Vshield Manager

Cross-site request forgery (CSRF) vulnerability in VMware vShield Manager (vSM) 1.0.1 before Update 2 and 4.1.0 before Update 2 allows remote attackers to hijack the authentication of arbitrary users.

6.8
2012-03-14 CVE-2012-0458 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla products

Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict setting the home page through the dragging of a URL to the home button, which allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a javascript: URL that is later interpreted in the about:sessionrestore context.

6.8
2012-03-13 CVE-2011-1397 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM products

Cross-site request forgery (CSRF) vulnerability in the Labor Reporting page in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 allows remote attackers to hijack the authentication of arbitrary users.

6.8
2012-03-13 CVE-2011-4816 IBM SQL Injection vulnerability in IBM products

SQL injection vulnerability in the KPI component in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5
2012-03-15 CVE-2012-0232 GE Path Traversal vulnerability in GE Intelligent Platforms Proficy Real-Time Information Portal 2.6/3.0/3.5

Directory traversal vulnerability in rifsrvd.exe in the Remote Interface Service in GE Intelligent Platforms Proficy Real-Time Information Portal 2.6, 3.0, 3.0 SP1, and 3.5 allows remote attackers to modify the configuration via crafted strings.

6.4
2012-03-15 CVE-2011-4939 Pidgin Permissions, Privileges, and Access Controls vulnerability in Pidgin

The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname while in an XMPP chat room.

6.4
2012-03-14 CVE-2012-0460 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla products

Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict write access to the window.fullScreen object, which allows remote attackers to spoof the user interface via a crafted web page.

6.4
2012-03-13 CVE-2012-1472 Vmware Improper Input Validation vulnerability in VMWare Vcenter Chargeback Manager

VMware vCenter Chargeback Manager (aka CBM) before 2.0.1 does not properly handle XML API requests, which allows remote attackers to read arbitrary files or cause a denial of service via unspecified vectors.

6.4
2012-03-12 CVE-2012-0584 Apple
Microsoft
Improper Input Validation vulnerability in Apple Safari

The Internationalized Domain Name (IDN) feature in Apple Safari before 5.1.4 on Windows does not properly restrict the characters in URLs, which allows remote attackers to spoof a domain name via unspecified homoglyphs.

6.4
2012-03-17 CVE-2012-0326 Tetsuya Aoyama
Google
Permissions, Privileges, and Access Controls vulnerability in Tetsuya Aoyama Twicca

The twicca application 0.7.0 through 0.9.30 for Android does not properly restrict the use of network privileges, which allows remote attackers to read media files on an SD card via a crafted application.

5.0
2012-03-15 CVE-2012-1165 Openssl Resource Management Errors vulnerability in Openssl

The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250.

5.0
2012-03-15 CVE-2012-1178 Pidgin Resource Management Errors vulnerability in Pidgin

The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding.

5.0
2012-03-14 CVE-2012-0456 Mozilla Information Exposure vulnerability in Mozilla products

The SVG Filters implementation in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to obtain sensitive information from process memory via vectors that trigger an out-of-bounds read.

5.0
2012-03-13 CVE-2012-0770 Adobe Unspecified vulnerability in Adobe Coldfusion

Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

5.0
2012-03-13 CVE-2012-0006 Microsoft Resource Management Errors vulnerability in Microsoft Windows Server 2003 and Windows Server 2008

The DNS server in Microsoft Windows Server 2003 SP2 and Server 2008 SP2, R2, and R2 SP1 does not properly handle objects in memory during record lookup, which allows remote attackers to cause a denial of service (daemon restart) via a crafted query, aka "DNS Denial of Service Vulnerability."

5.0
2012-03-13 CVE-2012-0690 Tibco Information Exposure vulnerability in Tibco products

TIBCO Spotfire Web Application, Web Player Application, Automation Services Application, and Analytics Client Application in Spotfire Analytics Server before 10.1.2; Server before 3.3.3; and Web Player, Automation Services, and Professional before 4.0.2 allow remote attackers to obtain sensitive information via a crafted URL.

5.0
2012-03-13 CVE-2012-0689 Tibco Information Exposure vulnerability in Tibco products

The server in TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0 allows remote attackers to discover credentials via unspecified vectors.

5.0
2012-03-13 CVE-2012-0687 Tibco Information Exposure vulnerability in Tibco products

TIBCO ActiveMatrix Runtime Platform in Service Grid and Service Bus 2.x before 2.3.2 and BusinessWorks Service Engine before 5.8.2; TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0; TIBCO BusinessEvents Runtime in Enterprise and Inference Editions 3.x before 3.0.3, Standard Edition 4.x before 4.0.2, and Standard Edition and Express 5.0.0; and TIBCO BusinessWorks Engine in TIBCO Silver Fabric ActiveMatrix BusinessWorks Distribution 5.9.2 and ActiveMatrix BusinessWorks before 5.9.3 allow remote attackers to obtain sensitive information via a crafted URL.

5.0
2012-03-13 CVE-2012-0884 Openssl Cryptographic Issues vulnerability in Openssl

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.

5.0
2012-03-13 CVE-2011-1394 IBM Resource Management Errors vulnerability in IBM products

IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 allow remote attackers to cause a denial of service (memory consumption) by establishing many UI sessions within one HTTP session.

5.0
2012-03-12 CVE-2012-0647 Apple Information Exposure vulnerability in Apple Safari

WebKit in Apple Safari before 5.1.4 does not properly handle redirects in conjunction with HTTP authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header.

5.0
2012-03-12 CVE-2012-0640 Apple Information Exposure vulnerability in Apple Safari

WebKit in Apple Safari before 5.1.4 does not properly implement "From third parties and advertisers" cookie blocking, which makes it easier for remote web servers to track users via a cookie.

5.0
2012-03-12 CVE-2012-1558 Yassl Resource Management Errors vulnerability in Yassl Cyassl

yaSSL CyaSSL before 2.0.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted X.509 certificate.

5.0
2012-03-16 CVE-2012-1512 Vmware Cross-Site Scripting vulnerability in VMWare Vsphere 5.0

Cross-site scripting (XSS) vulnerability in the internal browser in vSphere Client in VMware vSphere 4.1 before Update 2 and 5.0 before Update 1 allows remote attackers to inject arbitrary web script or HTML via a crafted log-file entry.

4.3
2012-03-16 CVE-2012-1511 Vmware Cross-Site Scripting vulnerability in VMWare View 4.0.0/4.5/4.6.0

Cross-site scripting (XSS) vulnerability in View Manager Portal in VMware View before 4.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2012-03-15 CVE-2012-0404 EMC Cross-Site Scripting vulnerability in EMC Documentum Eroom

Cross-site scripting (XSS) vulnerability in EMC Documentum eRoom before 7.4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-03-14 CVE-2012-0455 Mozilla Cross-Site Scripting vulnerability in Mozilla products

Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict drag-and-drop operations on javascript: URLs, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web page, related to a "DragAndDropJacking" issue.

4.3
2012-03-14 CVE-2012-0451 Mozilla Code Injection vulnerability in Mozilla products

CRLF injection vulnerability in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote web servers to bypass intended Content Security Policy (CSP) restrictions and possibly conduct cross-site scripting (XSS) attacks via crafted HTTP headers.

4.3
2012-03-13 CVE-2012-0156 Microsoft Improper Input Validation vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Vista

DirectWrite in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly render Unicode characters, which allows remote attackers to cause a denial of service (application hang) via a (1) instant message or (2) web site, aka "DirectWrite Application Denial of Service Vulnerability."

4.3
2012-03-13 CVE-2012-0152 Microsoft Improper Input Validation vulnerability in Microsoft Windows 7 and Windows Server 2008

The Remote Desktop Protocol (RDP) service in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service (application hang) via a series of crafted packets, aka "Terminal Server Denial of Service Vulnerability."

4.3
2012-03-13 CVE-2012-1099 Rubyonrails Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.

4.3
2012-03-13 CVE-2012-1098 Rubyonrails Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails

Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.

4.3
2012-03-13 CVE-2012-0688 Tibco Cross-Site Scripting vulnerability in Tibco products

Cross-site scripting (XSS) vulnerability in TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-03-13 CVE-2012-0195 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in the Start Center Layout and Configuration component in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 allows remote attackers to inject arbitrary web script or HTML via the display name.

4.3
2012-03-13 CVE-2011-4819 IBM Cross-Site Scripting vulnerability in IBM products

Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allow remote attackers to inject arbitrary web script or HTML via the uisesionid parameter to (1) maximo.jsp or (2) the default URI under ui/.

4.3
2012-03-13 CVE-2011-4818 IBM Improper Input Validation vulnerability in IBM products

Open redirect vulnerability in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the uisessionid parameter to an unspecified component.

4.3
2012-03-13 CVE-2011-1396 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the reportType parameter to an unspecified component.

4.3
2012-03-13 CVE-2011-1395 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in imicon.jsp in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the controlid parameter.

4.3
2012-03-16 CVE-2012-1513 Vmware Information Exposure vulnerability in VMWare Vcenter Orchestrator 4.0/4.1

The Web Configuration tool in VMware vCenter Orchestrator (vCO) 4.0 before Update 4, 4.1 before Update 2, and 4.2 before Update 1 places the vCenter Server password in an HTML document, which allows remote authenticated administrators to obtain sensitive information by reading this document.

4.0
2012-03-13 CVE-2011-4817 IBM Information Exposure vulnerability in IBM products

The About option on the Help menu in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 shows the username, which might allow remote authenticated users to have an unspecified impact via a targeted attack against the corresponding user account.

4.0

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS