Weekly Vulnerabilities Reports > July 2 to 8, 2012

Overview

62 new vulnerabilities were reported during this period, including 11 critical vulnerabilities and 3 high severity vulnerabilities. This weekly summary reports vulnerabilities in 65 products from 43 vendors including Redhat, Wellintech, Joomla, Symantec, and Libexpat Project. The most common weakness categories are "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Resource Management Errors", "Permissions, Privileges, and Access Controls", and "Path Traversal".

  • 53 reported vulnerabilities are remotely exploitable.
  • 8 reported vulnerabilities have a public exploit available.
  • 28 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 57 reported vulnerabilities are exploitable by an anonymous user.
  • Redhat has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • Wellintech has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

[Summary counters: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application]

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


11 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-07-05 | CVE-2012-2559 | Wellintech | Resource Management Errors vulnerability in Wellintech Kinghistorian 3.0 | 10.0
    WellinTech KingHistorian 3.0 allows remote attackers to execute arbitrary code or cause a denial of service (invalid pointer write) via a crafted packet to TCP port 5678.

2012-07-05 | CVE-2012-1832 | Wellintech | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Wellintech Kingview | 10.0
    WellinTech KingView 6.53 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via a crafted packet to (1) TCP or (2) UDP port 2001.

2012-07-05 | CVE-2012-1831 | Wellintech | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Wellintech Kingview | 10.0
    Heap-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.

2012-07-05 | CVE-2012-1830 | Wellintech | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Wellintech Kingview | 10.0
    Stack-based buffer overflow in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 555.

2012-07-03 | CVE-2011-5096 | Avaya | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Avaya Aura Application Server 5300 1.0/2.0 | 10.0
    Stack-based buffer overflow in cstore.exe in the Media Application Server (MAS) in Avaya Aura Application Server 5300 (formerly Nortel Media Application Server) 1.x before 1.0.2 and 2.0 before Patch Bundle 10 allows remote attackers to execute arbitrary code via a crafted cs_anams parameter in a CONTENT_STORE_ADMIN_REQ packet.

2012-07-03 | CVE-2012-3811 | Avaya | Unspecified vulnerability in Avaya IP Office Customer Call Reporter 7.0/8.0 | 10.0
    Unrestricted file upload vulnerability in ImageUpload.ashx in the Wallboard application in Avaya IP Office Customer Call Reporter 7.0 before 7.0.5.8 Q1 2012 Maintenance Release and 8.0 before 8.0.9.13 Q1 2012 Maintenance Release allows remote attackers to execute arbitrary code by uploading an executable file and then accessing it via a direct request.

2012-07-05 | CVE-2012-3585 | Irfanview | Buffer Errors vulnerability in Irfanview Plugins 4.33 | 9.3
    Heap-based buffer overflow in jpeg_ls.dll in the Jpeg_LS (aka JLS) plugin in the formats plugins in IrfanView PlugIns before 4.34 allows remote attackers to execute arbitrary code via a crafted JLS file.

2012-07-05 | CVE-2012-2516 | GE | OS Command Injection vulnerability in GE products | 9.3
    An ActiveX control in KeyHelp.ocx in KeyWorks KeyHelp Module (aka the HTML Help component), as used in GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; Proficy HMI/SCADA iFIX 5.0 and 5.1; Proficy Pulse 1.0; Proficy Batch Execution 5.6; SI7 I/O Driver 7.20 through 7.42; and other products, allows remote attackers to execute arbitrary commands via crafted input, related to a "command injection vulnerability."

2012-07-05 | CVE-2012-2515 | EMC, GE | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products | 9.3
    Multiple stack-based buffer overflows in the KeyHelp.KeyCtrl.1 ActiveX control in KeyHelp.ocx 1.2.312 in KeyWorks KeyHelp Module (aka the HTML Help component), as used in EMC Documentum ApplicationXtender Desktop 5.4; EMC Captiva Quickscan Pro 4.6 SP1; GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; GE Intelligent Platforms Proficy HMI/SCADA iFIX 5.0 and 5.1; GE Intelligent Platforms Proficy Pulse 1.0; GE Intelligent Platforms Proficy Batch Execution 5.6; GE Intelligent Platforms SI7 I/O Driver 7.20 through 7.42; and other products, allow remote attackers to execute arbitrary code via a long string in the second argument to the (1) JumpMappedID or (2) JumpURL method.

2012-07-03 | CVE-2012-3841 | Kmplayer | Unspecified vulnerability in Kmplayer 3.2.0.19 | 9.3
    Untrusted search path vulnerability in KMPlayer 3.2.0.19 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse ehtrace.dll that is located in the current working directory.

2012-07-03 | CVE-2012-3366 | ANL | OS Command Injection vulnerability in ANL Bcfg2 1.2.0 | 9.0
    The Trigger plugin in bcfg2 1.2.x before 1.2.3 allows remote attackers with root access to the client to execute arbitrary commands via shell metacharacters in the UUID field to the server process (bcfg2-server).

3 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-07-07 | CVE-2012-3374 | Pidgin | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Pidgin | 7.5
    Buffer overflow in markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.5 allows remote attackers to execute arbitrary code via a crafted inline image in a message.

2012-07-03 | CVE-2012-3839 | Myclientbase | SQL Injection vulnerability in Myclientbase 0.12 | 7.5
    Multiple SQL injection vulnerabilities in application/core/MY_Model.php in MyClientBase 0.12 allow remote attackers to execute arbitrary SQL commands via the (1) invoice_number or (2) tags parameter to index.php/invoice_search.

2012-07-03 | CVE-2012-2747 | Joomla | Unspecified vulnerability in Joomla Joomla! | 7.5
    Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote attackers to gain privileges via unknown attack vectors related to "Inadequate checking."

39 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-07-05 | CVE-2012-0303 | Symantec | Cross-Site Request Forgery (CSRF) vulnerability in Symantec Message Filter | 6.8
    Multiple cross-site request forgery (CSRF) vulnerabilities in Brightmail Control Center in Symantec Message Filter 6.3 allow remote attackers to hijack the authentication of arbitrary users for requests that (1) execute application commands or (2) create admin accounts.

2012-07-05 | CVE-2012-2281 | RSA | Improper Authentication vulnerability in RSA Access Manager Agent and Access Manager Server | 6.8
    EMC RSA Access Manager Server 6.x before 6.1 SP4 and RSA Access Manager Agent do not properly validate session tokens after a logout, which might allow remote attackers to conduct replay attacks via unspecified vectors.

2012-07-03 | CVE-2011-2716 | T Mobile, Busybox | Improper Input Validation vulnerability in multiple products | 6.8
    The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.

2012-07-03 | CVE-2012-3834 | Alienvault | SQL Injection vulnerability in Alienvault Open Source Security Information Management 3.1 | 6.5
    SQL injection vulnerability in forensics/base_qry_main.php in AlienVault Open Source Security Information Management (OSSIM) 3.1 allows remote authenticated users to execute arbitrary SQL commands via the time[0][0] parameter.

2012-07-05 | CVE-2012-0301 | Symantec | Improper Authentication vulnerability in Symantec Message Filter | 5.4
    Session fixation vulnerability in Brightmail Control Center in Symantec Message Filter 6.3 allows remote attackers to hijack web sessions via unspecified vectors.

2012-07-05 | CVE-2012-2640 | Yomecolle, Google | Permissions, Privileges, and Access Controls vulnerability in Yomecolle NEC Biglobe Yome Collection | 5.0
    The NEC BIGLOBE Yome Collection application 1.8.3 and earlier for Android allows remote attackers to read the IMEI value from an SD card via a crafted application that lacks the READ_PHONE_STATE permission.

2012-07-05 | CVE-2012-0410 | Novell | Path Traversal vulnerability in Novell Groupwise | 5.0
    Directory traversal vulnerability in WebAccess in Novell GroupWise before 8.03 allows remote attackers to read arbitrary files via the User.interface parameter.

2012-07-05 | CVE-2012-3847 | Invensys | Resource Management Errors vulnerability in Invensys Intouch and Wonderware Application Server | 5.0
    slssvc.exe in Invensys Wonderware SuiteLink in Invensys InTouch 2012 and Wonderware Application Server 2012 allows remote attackers to cause a denial of service (resource consumption) via a long Unicode string, a different vulnerability than CVE-2012-3007.

2012-07-05 | CVE-2012-3007 | Invensys | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Invensys products | 5.0
    Stack-based buffer overflow in slssvc.exe before 58.x in Invensys Wonderware SuiteLink in the Invensys System Platform software suite, as used in InTouch/Wonderware Application Server IT before 10.5 and WAS before 3.5, DASABCIP before 4.1 SP2, DASSiDirect before 3.0, DAServer Runtime Components before 3.0 SP2, and other products, allows remote attackers to cause a denial of service (daemon crash or hang) via a long Unicode string.

2012-07-05 | CVE-2012-2560 | Wellintech | Path Traversal vulnerability in Wellintech Kingview | 5.0
    Directory traversal vulnerability in WellinTech KingView 6.53 allows remote attackers to read arbitrary files via a crafted HTTP request to port 8001.

2012-07-03 | CVE-2012-3845 | LAN Messenger | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in LAN Messenger LAN Messenger 1.2.28 | 5.0
    Buffer overflow in LAN Messenger 1.2.28 and earlier allows remote attackers to cause a denial of service (crash) via a long string in an initiation request.

2012-07-03 | CVE-2012-3838 | Babygekko | Information Exposure vulnerability in Babygekko Baby Gekko | 5.0
    Gekko before 1.2.0 allows remote attackers to obtain the installation path via a direct request to (1) admin/templates/babygekko/index.php or (2) templates/html5demo/index.php.

2012-07-03 | CVE-2012-3829 | Joomla | Information Exposure vulnerability in Joomla Joomla! 2.5.3 | 5.0
    Joomla! 2.5.3 allows remote attackers to obtain the installation path via the Host HTTP Header.

2012-07-03 | CVE-2012-2181 | IBM | Path Traversal vulnerability in IBM Websphere Portal 7.0.0.1/7.0.0.2/8.0 | 5.0
    Directory traversal vulnerability in the Dojo module in IBM WebSphere Portal 7.0.0.1 and 7.0.0.2 before CF14, and 8.0, allows remote attackers to read arbitrary files via a crafted URL.

2012-07-03 | CVE-2012-2748 | Joomla | Unspecified vulnerability in Joomla Joomla! | 5.0
    Unspecified vulnerability in Joomla! 2.5.x before 2.5.5 allows remote attackers to obtain sensitive information via vectors related to "Inadequate filtering" and a "SQL error."

2012-07-03 | CVE-2012-2318 | Pidgin | Improper Input Validation vulnerability in Pidgin | 5.0
    msg.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.4 does not properly handle crafted characters, which allows remote servers to cause a denial of service (application crash) by placing these characters in a text/plain message.

2012-07-03 | CVE-2012-1148 | Libexpat Project, Apple | Resource Management Errors vulnerability in multiple products | 5.0
    Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.

2012-07-07 | CVE-2012-2644 | Hazama, SIX Apart | Cross-Site Scripting vulnerability in Hazama Mt4I | 4.3
    Cross-site scripting (XSS) vulnerability in the MT4i plugin 3.1 beta 4 and earlier for Movable Type allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-2642.

2012-07-07 | CVE-2012-2643 | Kent WEB | Cross-Site Scripting vulnerability in Kent-Web Yy-Board | 4.3
    Cross-site scripting (XSS) vulnerability in KENT-WEB YY-BOARD before 6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted form entry.

2012-07-07 | CVE-2012-2642 | Hazama, SIX Apart | Cross-Site Scripting vulnerability in Hazama Mt4I | 4.3
    Cross-site scripting (XSS) vulnerability in the MT4i plugin 3.1 beta 4 and earlier for Movable Type allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2012-2644.

2012-07-05 | CVE-2012-2018 | HP | Cross-Site Scripting vulnerability in HP Network Node Manager I | 4.3
    Cross-site scripting (XSS) vulnerability in HP Network Node Manager i (NNMi) 8.x, 9.0x, and 9.1x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2012-07-05 | CVE-2012-2641 | Zenphoto | Cross-Site Scripting vulnerability in Zenphoto | 4.3
    Cross-site scripting (XSS) vulnerability in Zenphoto before 1.4.3 allows remote attackers to inject arbitrary web script or HTML by triggering improper interaction with an unspecified library.

2012-07-05 | CVE-2012-0302 | Symantec | Cross-Site Scripting vulnerability in Symantec Message Filter 6.3 | 4.3
    Cross-site scripting (XSS) vulnerability in Brightmail Control Center in Symantec Message Filter 6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2012-07-03 | CVE-2012-3846 | Atmoner | Cross-Site Scripting vulnerability in Atmoner PHP-Pastebin 2.1 | 4.3
    Cross-site scripting (XSS) vulnerability in index.php in PHP-pastebin 2.1 allows remote attackers to inject arbitrary web script or HTML via the title parameter.

2012-07-03 | CVE-2012-3844 | Vbulletin | Cross-Site Scripting vulnerability in Vbulletin 4.1.12 | 4.3
    Cross-site scripting (XSS) vulnerability in vBulletin 4.1.12 allows remote attackers to inject arbitrary web script or HTML via a long string in the subject parameter when creating a post.

2012-07-03 | CVE-2012-3843 | E107 | Cross-Site Scripting vulnerability in E107 1.0.1 | 4.3
    Cross-site scripting (XSS) vulnerability in the registration page in e107, probably 1.0.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2012-07-03 | CVE-2012-3842 | Jbmc Software | Cross-Site Scripting vulnerability in Jbmc-Software Directadmin 1.403 | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in CMD_DOMAIN in JBMC Software DirectAdmin 1.403 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) select0 or (2) select8 parameters.

2012-07-03 | CVE-2012-3840 | Myclientbase | Cross-Site Scripting vulnerability in Myclientbase 0.12 | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in index.php/users/form/user_id in MyClientBase 0.12 allow remote attackers to inject arbitrary web script or HTML via the (1) first_name or (2) last_name parameters.

2012-07-03 | CVE-2012-3837 | Babygekko | Cross-Site Scripting vulnerability in Babygekko Baby Gekko | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in apps/users/registration.template.php in Baby Gekko 1.2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) email_address, (3) password, (4) password_verify, (5) firstname, (6) lastname, or (7) verification_code parameter to users/action/register.

2012-07-03 | CVE-2012-3836 | Babygekko | Cross-Site Scripting vulnerability in Babygekko Baby Gekko | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) groupname parameter in a savecategory in the users module; (2) virtual_filename, (3) branch, (4) contact_person, (5) street, (6) city, (7) province, (8) postal, (9) country, (10) tollfree, (11) phone, (12) fax, or (13) mobile parameter in a saveitem action in the contacts module; (14) title parameter in a savecategory action in the menus module; (15) firstname or (16) lastname in a saveitem action in the users module; (17) meta_key or (18) meta_description in a saveitem action in the blog module; or (19) the PATH_INFO to admin/index.php.

2012-07-03 | CVE-2012-3835 | Alienvault | Cross-Site Scripting vulnerability in Alienvault Open Source Security Information Management 3.1 | 4.3
    Multiple cross-site scripting (XSS) vulnerabilities in AlienVault Open Source Security Information Management (OSSIM) 3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) url parameter to top.php or (2) time[0][0] parameter to forensics/base_qry_main.php, which is not properly handled in an error page.

2012-07-03 | CVE-2012-3833 | Opensolution | Cross-Site Scripting vulnerability in Opensolution Quick.Cms 4.0 | 4.3
    Cross-site scripting (XSS) vulnerability in the default index page in admin/ in Quick.CMS 4.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter.

2012-07-03 | CVE-2012-3832 | Milesj | Cross-Site Scripting vulnerability in Milesj Decoda | 4.3
    Cross-site scripting (XSS) vulnerability in decoda/Decoda.php in Decoda before 3.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to (1) b or (2) div tags.

2012-07-03 | CVE-2012-3831 | Milesj | Cross-Site Scripting vulnerability in Milesj Decoda | 4.3
    Cross-site scripting (XSS) vulnerability in decoda/templates/video.php in Decoda before 3.3.1 allows remote attackers to inject arbitrary web script or HTML via multiple URLs in an img tag.

2012-07-03 | CVE-2012-3830 | Milesj | Cross-Site Scripting vulnerability in Milesj Decoda | 4.3
    Cross-site scripting (XSS) vulnerability in decoda/templates/video.php in Decoda before 3.3.3 allows remote attackers to inject arbitrary web script or HTML via the video directive.

2012-07-03 | CVE-2012-3828 | Joomla | Cross-Site Scripting vulnerability in Joomla Joomla! 2.5.3 | 4.3
    Cross-site scripting (XSS) vulnerability in Joomla! 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the Host HTTP Header.

2012-07-03 | CVE-2012-1147 | Apple, Libexpat Project | Improper Input Validation vulnerability in multiple products | 4.3
    readfilemap.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (file descriptor consumption) via a large number of crafted XML files.

2012-07-03 | CVE-2012-0876 | Libexpat Project, Python, Debian, Canonical, Oracle, Redhat | Resource Exhaustion vulnerability in multiple products | 4.3
    The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.

2012-07-03 | CVE-2011-2485 | Gnome | Unspecified vulnerability in Gnome Gdk-Pixbuf 2.22.1/2.23.3 | 4.3
    The gdk_pixbuf__gif_image_load function in gdk-pixbuf/io-gif.c in gdk-pixbuf before 2.23.5 does not properly handle certain return values, which allows remote attackers to cause a denial of service (memory consumption) via a crafted GIF image file.

9 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-07-03 | CVE-2012-2214 | Pidgin | Resource Management Errors vulnerability in Pidgin | 3.5
    proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle canceled SOCKS5 connection attempts, which allows user-assisted remote authenticated users to cause a denial of service (application crash) via a sequence of XMPP file-transfer requests.

2012-07-05 | CVE-2012-0300 | Symantec | Permissions, Privileges, and Access Controls vulnerability in Symantec Message Filter | 3.3
    Brightmail Control Center in Symantec Message Filter 6.3 does not properly restrict establishment of sessions to the listening port, which allows remote attackers to obtain potentially sensitive version information via unspecified vectors.

2012-07-03 | CVE-2012-3368 | Redhat | Numeric Errors vulnerability in Redhat Dtach 0.8 | 2.6
    Integer signedness error in attach.c in dtach 0.8 allows remote attackers to obtain sensitive information from daemon stack memory in opportunistic circumstances by reading application data after an improper connection-close request, as demonstrated by running an IRC client in dtach.

2012-07-03 | CVE-2012-0833 | Fedoraproject | Permissions, Privileges, and Access Controls vulnerability in Fedoraproject 389 Directory Server | 2.3
    The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handle access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.

2012-07-03 | CVE-2012-2746 | Redhat, Fedoraproject | Cryptographic Issues vulnerability in multiple products | 2.1
    389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of a LDAP user has been changed and audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password.

2012-07-03 | CVE-2011-4029 | X ORG | Race Condition vulnerability in X.Org X Server | 1.9
    The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to change the permissions of arbitrary files to 444, read those files, and possibly cause a denial of service (removed execution permission) via a symlink attack on a temporary lock file.

2012-07-03 | CVE-2012-1106 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat Automatic BUG Reporting Tool | 1.9
    The C handler plug-in in Automatic Bug Reporting Tool (ABRT), possibly 2.0.8 and earlier, does not properly set the group (GID) permissions on core dump files for setuid programs when the sysctl fs.suid_dumpable option is set to 2, which allows local users to obtain sensitive information.

2012-07-03 | CVE-2011-4028 | X ORG | Link Following vulnerability in X.Org X Server | 1.2
    The LockServer function in os/utils.c in X.Org xserver before 1.11.2 allows local users to determine the existence of arbitrary files via a symlink attack on a temporary lock file, which is handled differently if the file exists.

2012-07-03 | CVE-2012-2678 | Redhat, Fedoraproject | Cryptographic Issues vulnerability in multiple products | 1.2
    389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhashed#user#password attribute.