Weekly Vulnerabilities Reports > May 14 to 20, 2012

Overview

68 new vulnerabilities were reported during this period, including 22 critical vulnerabilities and 12 high severity vulnerabilities. This weekly summary reports vulnerabilities in 38 products from 25 vendors, including Google, Linux, Apple, Microsoft, and Redhat. Notable vulnerability categories include "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Permissions, Privileges, and Access Controls", "Resource Management Errors", and "Numeric Errors".

  • 48 reported vulnerabilities are remotely exploitable.
  • 2 reported vulnerabilities have a public exploit available.
  • 3 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 57 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 19 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 10 reported vulnerabilities.

Vulnerability Details

The following tables list the vulnerabilities reported during the period covered by this report:

22 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-05-18 CVE-2012-2118 X ORG Improper Input Validation vulnerability in X.Org X11 1.11

Format string vulnerability in the LogVHdrMessageVerb function in os/log.c in X.Org X11 1.11 allows attackers to cause a denial of service or possibly execute arbitrary code via format string specifiers in an input device name.

10.0
2012-05-16 CVE-2011-3099 Google Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in the PDF functionality in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a malformed name for the font encoding.

10.0
2012-05-16 CVE-2011-3097 Google Improper Input Validation vulnerability in Google Chrome

The PDF functionality in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging an out-of-bounds write error in the implementation of sampled functions.

10.0
2012-05-16 CVE-2011-3095 Google Improper Input Validation vulnerability in Google Chrome

The OGG container in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that trigger an out-of-bounds write.

10.0
2012-05-16 CVE-2011-3092 Google Improper Input Validation vulnerability in Google Chrome

The regex implementation in Google V8, as used in Google Chrome before 19.0.1084.46, allows remote attackers to cause a denial of service (invalid write operation) or possibly have unspecified other impact via unknown vectors.

10.0
2012-05-16 CVE-2011-3091 Google Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

10.0
2012-05-16 CVE-2011-3089 Google Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving tables.

10.0
2012-05-16 CVE-2011-3087 Google Multiple Security vulnerability in Google Chrome 19.0.1084.45

Google Chrome before 19.0.1084.46 does not properly perform window navigation, which has unspecified impact and remote attack vectors.

10.0
2012-05-16 CVE-2011-3086 Google Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a STYLE element.

10.0
2012-05-18 CVE-2012-2411 Realnetworks Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks Realplayer and Realplayer SP

Buffer overflow in RealNetworks RealPlayer before 15.0.4.53, and RealPlayer SP 1.0 through 1.1.5, allows remote attackers to execute arbitrary code via a crafted RealJukebox Media file.

9.3
2012-05-18 CVE-2012-2406 Realnetworks Unspecified vulnerability in Realnetworks Realplayer and Realplayer SP

RealNetworks RealPlayer before 15.0.4.53, and RealPlayer SP 1.0 through 1.1.5, does not properly parse ASMRuleBook data in RealMedia files, which allows remote attackers to execute arbitrary code via a crafted file.

9.3
2012-05-16 CVE-2012-0671 Apple Code Injection vulnerability in Apple Quicktime

Apple QuickTime before 7.7.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .pict file.

9.3
2012-05-16 CVE-2012-0670 Apple Numeric Errors vulnerability in Apple Quicktime

Integer overflow in Apple QuickTime before 7.7.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted sean atom in a movie file.

9.3
2012-05-16 CVE-2012-0669 Apple, Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Buffer overflow in Apple QuickTime before 7.7.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with Sorenson encoding.

9.3
2012-05-16 CVE-2012-0668 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Buffer overflow in Apple QuickTime before 7.7.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with RLE encoding.

9.3
2012-05-16 CVE-2012-0667 Apple, Microsoft Numeric Errors vulnerability in Apple Quicktime

Integer signedness error in Apple QuickTime before 7.7.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted QTVR movie file.

9.3
2012-05-16 CVE-2012-0666 Apple, Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Stack-based buffer overflow in the plugin in Apple QuickTime before 7.7.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted QTMovie object.

9.3
2012-05-16 CVE-2012-0665 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Heap-based buffer overflow in Apple QuickTime before 7.7.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with H.264 encoding.

9.3
2012-05-16 CVE-2012-0664 Apple, Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Heap-based buffer overflow in Apple QuickTime before 7.7.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted text track in a movie file.

9.3
2012-05-16 CVE-2012-0663 Apple, Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Multiple stack-based buffer overflows in Apple QuickTime before 7.7.2 on Windows allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TeXML file.

9.3
2012-05-16 CVE-2012-0265 Apple, Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime

Stack-based buffer overflow in Apple QuickTime before 7.7.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted pathname for a file.

9.3
2012-05-15 CVE-2012-2611 SAP Improper Input Validation vulnerability in SAP Netweaver 7.0

The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2, when a certain Developer Trace configuration is enabled, allows remote attackers to execute arbitrary code via a crafted SAP Diag packet.

9.3

12 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-05-17 CVE-2012-1097 Linux, Redhat, Suse NULL Pointer Dereference vulnerability in multiple products

The regset (aka register set) feature in the Linux kernel before 3.2.10 does not properly handle the absence of .get and .set methods, which allows local users to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via a (1) PTRACE_GETREGSET or (2) PTRACE_SETREGSET ptrace call.

7.8
2012-05-17 CVE-2012-0044 Linux, Canonical Integer Overflow or Wraparound vulnerability in multiple products

Integer overflow in the drm_mode_dirtyfb_ioctl function in drivers/gpu/drm/drm_crtc.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.1.5 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted ioctl call.

7.8
2012-05-14 CVE-2012-2277 EMC Buffer Errors vulnerability in EMC Documentum Information Rights Management 4/5

The IRM Server in EMC Documentum Information Rights Management 4.x before 4.7.0100 and 5.x before 5.0.1030 allows remote attackers to cause a denial of service (pvcontrol.exe process hang) via \n (line feed) characters in the Id fields of many "batch begin untethered" commands.

7.8
2012-05-14 CVE-2012-2276 EMC Buffer Errors vulnerability in EMC Documentum Information Rights Management 4/5

The IRM Server in EMC Documentum Information Rights Management 4.x before 4.7.0100 and 5.x before 5.0.1030 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via input data that (1) lacks FIPS fields or (2) has an invalid version number.

7.8
2012-05-14 CVE-2012-1804 Progea Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Progea Movicon

The OPC server in Progea Movicon before 11.3 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted HTTP request.

7.8
2012-05-16 CVE-2011-3090 Google Race Condition vulnerability in Google Chrome

Race condition in Google Chrome before 19.0.1084.46 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to worker processes.

7.6
2012-05-17 CVE-2012-0207 Linux, Redhat Divide By Zero vulnerability in multiple products

The igmp_heard_query function in net/ipv4/igmp.c in the Linux kernel before 3.2.1 allows remote attackers to cause a denial of service (divide-by-zero error and panic) via IGMP packets.

7.5
2012-05-16 CVE-2011-3096 Google, Linux Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 19.0.1084.46 on Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging an error in the GTK implementation of the omnibox.

7.5
2012-05-16 CVE-2011-3084 Google Permissions, Privileges, and Access Controls vulnerability in Google Chrome

Google Chrome before 19.0.1084.46 does not use a dedicated process for the loading of links found on an internal page, which might allow attackers to bypass intended sandbox restrictions via a crafted page.

7.5
2012-05-14 CVE-2011-1390 IBM SQL Injection vulnerability in IBM Rational Clearquest

SQL injection vulnerability in the Maintenance tool in IBM Rational ClearQuest 7.1.1.x before 7.1.1.9, 7.1.2.x before 7.1.2.6, and 8.x before 8.0.0.2 allows remote attackers to execute arbitrary SQL commands by leveraging an error in the user-database upgrade feature.

7.5
2012-05-18 CVE-2012-2337 Todd Miller Permissions, Privileges, and Access Controls vulnerability in Todd Miller Sudo

sudo 1.6.x and 1.7.x before 1.7.9p1, and 1.8.x before 1.8.4p5, does not properly support configurations that use a netmask syntax, which allows local users to bypass intended command restrictions in opportunistic circumstances by executing a command on a host that has an IPv4 address.

7.2
2012-05-16 CVE-2011-3098 Opensuse, Google, Microsoft Permissions, Privileges, and Access Controls vulnerability in multiple products

Google Chrome before 19.0.1084.46 on Windows uses an incorrect search path for the Windows Media Player plug-in, which might allow local users to gain privileges via a Trojan horse plug-in in an unspecified directory.

7.2

31 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-05-18 CVE-2012-2010 HP Permissions, Privileges, and Access Controls vulnerability in HP Openvms 8.3/8.31H1/8.4

The ACMELOGIN implementation in HP OpenVMS 8.3 and 8.4 on the Alpha platform, and 8.3, 8.3-1H1, and 8.4 on the Itanium platform, when the SYS$ACM system service is enabled, allows local users to gain privileges via unspecified vectors.

6.9
2012-05-18 CVE-2012-2341 Rahul Singla, Drupal Cross-Site Request Forgery (CSRF) vulnerability in Rahul Singla Take Control 6.X1.X/6.X2.0/6.X2.X

Cross-site request forgery (CSRF) vulnerability in the Take Control module 6.x-2.x before 6.x-2.2 for Drupal allows remote attackers to hijack the authentication of unspecified users for Ajax requests that manipulate files.

6.8
2012-05-16 CVE-2011-3102 Google, Apple Numeric Errors vulnerability in Google Chrome

Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.

6.8
2012-05-14 CVE-2012-2333 Openssl, Redhat Numeric Errors vulnerability in multiple products

Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.

6.8
2012-05-18 CVE-2012-1589 Drupal Improper Input Validation vulnerability in Drupal

Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL.

5.8
2012-05-17 CVE-2012-1146 Linux, Fedoraproject, Suse NULL Pointer Dereference vulnerability in multiple products

The mem_cgroup_usage_unregister_event function in mm/memcontrol.c in the Linux kernel before 3.2.10 does not properly handle multiple events that are attached to the same eventfd, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by registering memory threshold events.

5.5
2012-05-17 CVE-2012-0879 Linux, Canonical, Debian, Suse Resource Exhaustion vulnerability in multiple products

The I/O implementation for block devices in the Linux kernel before 2.6.33 does not properly handle the CLONE_IO feature, which allows local users to cause a denial of service (I/O instability) by starting multiple processes that share an I/O context.

5.5
2012-05-17 CVE-2012-0038 Linux Integer Overflow or Wraparound vulnerability in Linux Kernel

Integer overflow in the xfs_acl_from_disk function in fs/xfs/xfs_acl.c in the Linux kernel before 3.1.9 allows local users to cause a denial of service (panic) via a filesystem with a malformed ACL, leading to a heap-based buffer overflow.

5.5
2012-05-17 CVE-2011-4621 Linux Infinite Loop vulnerability in Linux Kernel

The Linux kernel before 2.6.37 does not properly implement a certain clock-update optimization, which allows local users to cause a denial of service (system hang) via an application that executes code in a loop.

5.5
2012-05-17 CVE-2011-4594 Linux NULL Pointer Dereference vulnerability in Linux Kernel

The __sys_sendmsg function in net/socket.c in the Linux kernel before 3.1 allows local users to cause a denial of service (system crash) via crafted use of the sendmmsg system call, leading to an incorrect pointer dereference.

5.5
2012-05-17 CVE-2011-4112 Linux, Avaya

The net subsystem in the Linux kernel before 3.1 does not properly restrict use of the IFF_TX_SKB_SHARING flag, which allows local users to cause a denial of service (panic) by leveraging the CAP_NET_ADMIN capability to access /proc/net/pktgen/pgctrl, and then using the pktgen package in conjunction with a bridge device for a VLAN interface.

5.5
2012-05-17 CVE-2011-4097 Linux, Redhat Integer Overflow or Wraparound vulnerability in multiple products

Integer overflow in the oom_badness function in mm/oom_kill.c in the Linux kernel before 3.1.8 on 64-bit platforms allows local users to cause a denial of service (memory consumption or process termination) by using a certain large amount of memory.

5.5
2012-05-17 CVE-2011-3637 Linux, Redhat NULL Pointer Dereference vulnerability in multiple products

The m_stop function in fs/proc/task_mmu.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (OOPS) via vectors that trigger an m_start error.

5.5
2012-05-17 CVE-2012-1179 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel

The Linux kernel before 3.3.1, when KVM is used, allows guest OS users to cause a denial of service (host OS crash) by leveraging administrative access to the guest OS, related to the pmd_none_or_clear_bad function and page faults for huge pages.

5.2
2012-05-15 CVE-2012-1248 Basercms Permissions, Privileges, and Access Controls vulnerability in Basercms

app/config/core.php in baserCMS 1.6.15 and earlier does not properly handle installations in shared-hosting environments, which allows remote attackers to hijack sessions by leveraging administrative access to a different domain.

5.1
2012-05-16 CVE-2011-3100 Google Multiple Security vulnerability in Google Chrome Prior to 19

Google Chrome before 19.0.1084.46 does not properly draw dash paths, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

5.0
2012-05-16 CVE-2011-3094 Google Improper Input Validation vulnerability in Google Chrome

Google Chrome before 19.0.1084.46 does not properly handle Tibetan text, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

5.0
2012-05-16 CVE-2011-3093 Google Improper Input Validation vulnerability in Google Chrome

Google Chrome before 19.0.1084.46 does not properly handle glyphs, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

5.0
2012-05-16 CVE-2011-3088 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

Google Chrome before 19.0.1084.46 does not properly draw hairlines, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

5.0
2012-05-16 CVE-2011-3085 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

The Autofill feature in Google Chrome before 19.0.1084.46 does not properly restrict field values, which allows remote attackers to cause a denial of service (UI corruption) and possibly conduct spoofing attacks via vectors involving long values.

5.0
2012-05-16 CVE-2011-3083 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

browser/profiles/profile_impl_io_data.cc in Google Chrome before 19.0.1084.46 does not properly handle a malformed ftp URL in the SRC attribute of a VIDEO element, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted web page.

5.0
2012-05-15 CVE-2012-2612 SAP Buffer Errors vulnerability in SAP Netweaver 7.0

The DiagTraceHex function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet.

5.0
2012-05-15 CVE-2012-2514 SAP Buffer Errors vulnerability in SAP Netweaver 7.0

The DiagiEventSource function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet.

5.0
2012-05-15 CVE-2012-2513 SAP Buffer Errors vulnerability in SAP Netweaver 7.0

The Diaginput function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet.

5.0
2012-05-15 CVE-2012-2512 SAP Buffer Errors vulnerability in SAP Netweaver 7.0

The DiagTraceStreamI function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet.

5.0
2012-05-15 CVE-2012-2511 SAP Buffer Errors vulnerability in SAP Netweaver 7.0

The DiagTraceAtoms function in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2 allows remote attackers to cause a denial of service (daemon crash) via a crafted SAP Diag packet.

5.0
2012-05-17 CVE-2012-2121 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel

The KVM implementation in the Linux kernel before 3.3.4 does not properly manage the relationships between memory slots and the iommu, which allows guest OS users to cause a denial of service (memory leak and host OS crash) by leveraging administrative access to the guest OS to conduct hotunplug and hotplug operations on devices.

4.9
2012-05-17 CVE-2012-1601 Linux Resource Management Errors vulnerability in Linux Kernel

The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists.

4.9
2012-05-17 CVE-2012-1090 Linux, Redhat, Suse Improper Input Validation vulnerability in multiple products

The cifs_lookup function in fs/cifs/dir.c in the Linux kernel before 3.2.10 allows local users to cause a denial of service (OOPS) via attempted access to a special file, as demonstrated by a FIFO.

4.9
2012-05-17 CVE-2012-0058 Linux Resource Exhaustion vulnerability in Linux Kernel

The kiocb_batch_free function in fs/aio.c in the Linux kernel before 3.2.2 allows local users to cause a denial of service (OOPS) via vectors that trigger incorrect iocb management.

4.9
2012-05-15 CVE-2012-1246 Webcreate Cross-Site Scripting vulnerability in Webcreate web Mart 1.7

Cross-site scripting (XSS) vulnerability in KENT-WEB WEB MART 1.7 and earlier might allow remote attackers to inject arbitrary web script or HTML via a crafted cookie.

4.3

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-05-18 CVE-2012-2120 Debian Permissions, Privileges, and Access Controls vulnerability in Debian Texlive-Extra-Utils 2011.20120322

latex2man in texlive-extra-utils 2011.20120322, and possibly other versions or packages, when used with the H or T option, allows local users to overwrite arbitrary files via a symlink attack on a temporary file.

3.3
2012-05-18 CVE-2012-2093 Gajim Link Following vulnerability in Gajim 0.15

src/common/latex.py in Gajim 0.15 allows local users to overwrite arbitrary files via a symlink attack on a temporary latex file, related to the get_tmpfile_name function.

3.3
2012-05-15 CVE-2012-1247 Webcreate Cross-Site Scripting vulnerability in Webcreate web Mart 1.7

Cross-site scripting (XSS) vulnerability in KENT-WEB WEB MART 1.7 and earlier, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML by leveraging support for Cascading Style Sheets (CSS) expressions.

2.6