Weekly Vulnerabilities Reports > November 19 to 25, 2012

Overview

119 new vulnerabilities were reported during this period, including 23 critical and 13 high severity vulnerabilities. This weekly summary reports vulnerabilities in 82 products from 51 vendors, including Mozilla, Redhat, Canonical, Opensuse, and Suse. Notable categories are "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "Improper Input Validation", "Use After Free", and "Information Exposure".

  • 91 reported vulnerabilities are remotely exploitable.
  • 6 reported vulnerabilities have a public exploit available.
  • 26 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 106 reported vulnerabilities are exploitable by an anonymous user.
  • Mozilla has the most reported vulnerabilities, with 29.
  • Mozilla has the most reported critical vulnerabilities, with 18.

Summary counters (reconstructed from the values given elsewhere on this page; the locally-exploitable and web-application counts were not preserved): total 119, critical 23, high 13, medium 74, low 9 (the remainder), remotely exploitable 91, exploit available 6, exploitable anonymously 106.

Vulnerability Details

The following table lists the vulnerabilities reported during the period covered by this report:


23 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-11-23 CVE-2012-5864 Sinapsitech Permissions, Privileges, and Access Controls vulnerability in Sinapsitech products

The management web pages on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 do not require authentication, which allows remote attackers to obtain administrative access via a direct request, as demonstrated by a request to ping.php.

10.0
2012-11-23 CVE-2012-5863 Sinapsitech Permissions, Privileges, and Access Controls vulnerability in Sinapsitech products

ping.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allows remote attackers to execute arbitrary commands via shell metacharacters in the ip_dominio parameter.

10.0
2012-11-23 CVE-2012-5862 Sinapsitech Cryptographic Issues vulnerability in Sinapsitech products

login.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 establishes multiple hardcoded accounts, which makes it easier for remote attackers to obtain administrative access by leveraging a (1) cleartext password or (2) password hash contained in this script, as demonstrated by a password of astridservice or 36e44c9b64.

10.0
2012-11-21 CVE-2012-5835 Mozilla/Opensuse/Suse/Canonical/Redhat Integer Overflow or Wraparound vulnerability in multiple products

Integer overflow in the WebGL subsystem in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (invalid write operation) via crafted data.

10.0
2012-11-21 CVE-2012-4218 Mozilla/Canonical/Opensuse/Suse Use After Free vulnerability in multiple products

Use-after-free vulnerability in the BuildTextRunsScanner::BreakSink::SetBreaks function in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

10.0
2012-11-21 CVE-2012-4212 Mozilla/Canonical/Opensuse/Suse Use After Free vulnerability in multiple products

Use-after-free vulnerability in the XPCWrappedNative::Mark function in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

10.0
2012-11-21 CVE-2012-3513 Munin Monitoring Permissions, Privileges, and Access Controls vulnerability in Munin-Monitoring Munin

munin-cgi-graph in Munin before 2.0.6, when running as a CGI module under Apache, allows remote attackers to load new configurations and create files in arbitrary directories via the logdir command.

9.3
2012-11-21 CVE-2012-5843 Mozilla/Opensuse/Suse/Canonical Multiple unspecified vulnerabilities in multiple products

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

9.3
2012-11-21 CVE-2012-5842 Mozilla/Opensuse/Suse/Canonical/Redhat/Debian Multiple unspecified vulnerabilities in multiple products

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

9.3
2012-11-21 CVE-2012-5840 Mozilla/Opensuse/Suse/Canonical/Redhat Use After Free vulnerability in multiple products

Use-after-free vulnerability in the nsTextEditorState::PrepareEditor function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-4214.

9.3
2012-11-21 CVE-2012-5839 Mozilla/Opensuse/Suse/Canonical/Redhat Out-of-Bounds Write vulnerability in multiple products

Heap-based buffer overflow in the gfxShapedWord::CompressedGlyph::IsClusterStart function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code via unspecified vectors.

9.3
2012-11-21 CVE-2012-5838 Mozilla/Opensuse/Suse/Canonical Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in multiple products

The copyTexImage2D implementation in the WebGL subsystem in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via large image dimensions.

9.3
2012-11-21 CVE-2012-5833 Mozilla/Opensuse/Suse/Canonical/Redhat Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in multiple products

The texImage2D implementation in the WebGL subsystem in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 does not properly interact with Mesa drivers, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via function calls involving certain values of the level parameter.

9.3
2012-11-21 CVE-2012-5829 Mozilla/Opensuse/Suse/Redhat/Canonical/Debian Out-of-Bounds Write vulnerability in multiple products

Heap-based buffer overflow in the nsWindow::OnExposeEvent function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code via unspecified vectors.

9.3
2012-11-21 CVE-2012-4217 Mozilla/Opensuse/Suse/Canonical Use After Free vulnerability in multiple products

Use-after-free vulnerability in the nsViewManager::ProcessPendingUpdates function in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

9.3
2012-11-21 CVE-2012-4216 Mozilla/Opensuse/Suse/Redhat/Debian/Canonical Use After Free vulnerability in multiple products

Use-after-free vulnerability in the gfxFont::GetFontEntry function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

9.3
2012-11-21 CVE-2012-4215 Mozilla/Opensuse/Suse/Canonical/Redhat Use After Free vulnerability in multiple products

Use-after-free vulnerability in the nsPlaintextEditor::FireClipboardEvent function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

9.3
2012-11-21 CVE-2012-4214 Mozilla/Opensuse/Suse/Redhat/Canonical Use After Free vulnerability in multiple products

Use-after-free vulnerability in the nsTextEditorState::PrepareEditor function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-5840.

9.3
2012-11-21 CVE-2012-4213 Mozilla/Opensuse/Suse/Canonical Use After Free vulnerability in multiple products

Use-after-free vulnerability in the nsEditor::FindNextLeafNode function in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

9.3
2012-11-21 CVE-2012-4210 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox and Firefox ESR

The Style Inspector in Mozilla Firefox before 17.0 and Firefox ESR 10.x before 10.0.11 does not properly restrict the context of HTML markup and Cascading Style Sheets (CSS) token sequences, which allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted stylesheet.

9.3
2012-11-21 CVE-2012-4204 Mozilla/Opensuse/Suse/Canonical Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in multiple products

The str_unescape function in the JavaScript engine in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

9.3
2012-11-21 CVE-2012-4202 Mozilla/Opensuse/Suse/Canonical/Redhat Out-of-Bounds Write vulnerability in multiple products

Heap-based buffer overflow in the image::RasterImage::DrawFrameTo function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code via a crafted GIF image.

9.3
2012-11-23 CVE-2012-5759 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Datapower Xc10 Appliance

The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2 allows remote authenticated users to bypass intended administrative-role requirements and perform arbitrary JMX operations via unspecified vectors.

9.0
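The Sinapsi eSolar entries above (CVE-2012-5863 and CVE-2012-5864) describe a management page that needs no login and hands the ip_dominio parameter of ping.php to a shell. The Python below is an added example written for this report, not code from the Sinapsi firmware or from the advisory: it contrasts the concatenation pattern the CVE describes with an allow-list check plus an argv-based call, and runs that same check over constructed Apache-style log lines to surface requests carrying shell metacharacters. The log format and the sample requests are made up for the example; only the endpoint and parameter names come from the CVE text.

```python
"""Added example for this report, not Sinapsi code: validate a user-supplied
ping target instead of handing it to a shell, and flag log entries whose
ip_dominio value would not pass that validation.

ping.php and ip_dominio are the endpoint and parameter named in the CVE text;
the log lines below are constructed in Apache combined format."""
import ipaddress
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# One DNS label: 1-63 letters, digits or hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(target: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or a syntactically valid hostname."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in target.rstrip(".").split("."))


def vulnerable_command_line(target: str) -> str:
    """The pattern the advisory describes: concatenation that a shell will parse."""
    return "ping -c 3 " + target


def count_shell_commands(cmdline: str) -> int:
    """Count the simple commands a POSIX shell would run for this line."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in (";", "|", "&", "||", "&&"))


def build_ping_argv(target: str, count: int = 3) -> list:
    """Hardened form: validate, then pass an argv list (no shell) to subprocess."""
    if not is_valid_target(target):
        raise ValueError("refusing to ping %r" % (target,))
    return ["ping", "-c", str(int(count)), target]


_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_ping_requests(log_lines):
    """Return (client, value) for ping.php requests whose ip_dominio fails validation."""
    hits = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/ping.php"):
            continue
        client = line.split(" ", 1)[0]
        for value in parse_qs(url.query, keep_blank_values=True).get("ip_dominio", []):
            if not is_valid_target(value):
                hits.append((client, value))
    return hits


# Constructed sample log; the second line carries a shell-metacharacter payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2012:10:01:02 +0000] "GET /ping.php?ip_dominio=8.8.8.8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Nov/2012:10:01:09 +0000] "GET /ping.php?ip_dominio=8.8.8.8%3Bcat%20%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "curl/7.27"',
    '198.51.100.4 - - [21/Nov/2012:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(build_ping_argv("8.8.8.8"))
    print(count_shell_commands(vulnerable_command_line("8.8.8.8; cat /etc/passwd")))
    print(suspicious_ping_requests(SAMPLE_LOG))
```

Because the vulnerable page requires no authentication, a hit in such a log is a remote, unauthenticated command execution attempt rather than a misuse by a logged-in operator. The validation function accepts only an IP literal or a hostname, so it needs no blocklist of metacharacters, and passing an argv list keeps a shell out of the path entirely.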

13 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-11-23 CVE-2012-5758 IBM Improper Authentication vulnerability in IBM Websphere Datapower Xc10 Appliance

The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2 does not require authentication for an unspecified interface, which allows remote attackers to cause a denial of service (process exit) via unknown vectors.

7.8
2012-11-24 CVE-2012-0960 PS Project Management Team Improper Input Validation vulnerability in PS Project Management Team Unity-Firefox-Extension

Unity integration extension (unity-firefox-extension) before 2.4.1 for Firefox does not properly handle callbacks, which allows remote attackers to cause a denial of service (Firefox crash) and possibly execute arbitrary code via a crafted request.

7.5
2012-11-23 CVE-2012-2086 Gajim SQL Injection vulnerability in Gajim

SQL injection vulnerability in the get_last_conversation_lines function in common/logger.py in Gajim before 0.15 allows remote attackers to execute arbitrary SQL commands via the jid parameter.

7.5
2012-11-23 CVE-2011-4605 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat products

The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors.

7.5
2012-11-23 CVE-2012-5861 Sinapsitech SQL Injection vulnerability in Sinapsitech products

Multiple SQL injection vulnerabilities on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allow remote attackers to execute arbitrary SQL commands via (1) the inverterselect parameter in a primo action to dettagliinverter.php or (2) the lingua parameter to changelanguagesession.php.

7.5
2012-11-21 CVE-2012-5836 Mozilla/Opensuse/Suse/Canonical Code Injection vulnerability in multiple products

Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving the setting of Cascading Style Sheets (CSS) properties in conjunction with SVG text.

7.5
2012-11-19 CVE-2012-5854 Flashtux Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Flashtux Weechat

Heap-based buffer overflow in WeeChat 0.3.6 through 0.3.9 allows remote attackers to cause a denial of service (crash or hang) and possibly execute arbitrary code via crafted IRC colors that are not properly decoded.

7.5
2012-11-23 CVE-2012-6030 XEN Improper Input Validation vulnerability in XEN 4.0.0/4.1.0/4.2.0

The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allows local guest OS users to cause a denial of service (host crash) and possibly have other unspecified impacts via unspecified vectors related to "broken locking checks" in an "error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

7.2
2012-11-23 CVE-2012-3515 Qemu/XEN/Opensuse/Suse/Redhat/Debian/Canonical Improper Input Validation vulnerability in multiple products

Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local guest OS users to gain privileges via a crafted VT100 escape sequence that triggers the overwrite of a "device model's address space."

7.2
2012-11-21 CVE-2012-3512 Munin Monitoring Permissions, Privileges, and Access Controls vulnerability in Munin-Monitoring Munin

Munin before 2.0.6 stores plugin state files that run as root in the same group-writable directory as non-root plugins, which allows local users to execute arbitrary code by replacing a state file, as demonstrated using the smart_ plugin.

7.2
2012-11-20 CVE-2012-5519 Apple/Debian Permissions, Privileges, and Access Controls vulnerability in Apple Cups 1.4.4

CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.

7.2
2012-11-19 CVE-2012-4225 Nvidia Permissions, Privileges, and Access Controls vulnerability in Nvidia Unix Graphic Driver

NVIDIA UNIX graphics driver before 295.71 and 304.x before 304.32 allows local users to write to arbitrary physical memory locations and gain privileges by modifying the VGA window using /dev/nvidia0.

7.2
2012-11-20 CVE-2012-5674 Adobe Unspecified vulnerability in Adobe Coldfusion 10.0

Unspecified vulnerability in Adobe ColdFusion 10 before Update 5, when Internet Information Services (IIS) is used, allows attackers to cause a denial of service via unknown vectors.

7.1

74 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-11-23 CVE-2012-6035 XEN Improper Input Validation vulnerability in XEN 4.0.0/4.1.0/4.2.0

The do_tmem_destroy_pool function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly validate pool ids, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors.

6.9
2012-11-23 CVE-2012-3516 Citrix/XEN Permissions, Privileges, and Access Controls vulnerability in multiple products

The GNTTABOP_swap_grant_ref sub-operation in the grant table hypercall in Xen 4.2 and Citrix XenServer 6.0.2 allows local guest kernels or administrators to cause a denial of service (host crash) and possibly gain privileges via a crafted grant reference that triggers a write to an arbitrary hypervisor memory location.

6.9
2012-11-23 CVE-2012-3497 XEN Improper Input Validation vulnerability in XEN 4.0.0/4.1.0/4.2.0

(1) TMEMC_SAVE_GET_CLIENT_WEIGHT, (2) TMEMC_SAVE_GET_CLIENT_CAP, (3) TMEMC_SAVE_GET_CLIENT_FLAGS and (4) TMEMC_SAVE_END in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (NULL pointer dereference or memory corruption and host crash) or possibly have other unspecified impacts via a NULL client id.

6.9
2012-11-21 CVE-2012-4206 Mozilla/Microsoft Arbitrary Code Execution vulnerability in Mozilla Firefox and Firefox ESR

Untrusted search path vulnerability in the installer in Mozilla Firefox before 17.0 and Firefox ESR 10.x before 10.0.11 on Windows allows local users to gain privileges via a Trojan horse DLL in the default downloads directory.

6.9
2012-11-24 CVE-2012-2246 Mahara Improper Input Validation vulnerability in Mahara

Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to conduct clickjacking attacks to delete arbitrary users and bypass CSRF protection via account/delete.php.

6.8
2012-11-23 CVE-2011-4085 Redhat Improper Authentication vulnerability in Redhat products

The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method.

6.8
2012-11-23 CVE-2012-5173 Bigace Unspecified vulnerability in Bigace

Session fixation vulnerability in BIGACE before 2.7.8 allows remote attackers to hijack web sessions via unspecified vectors.

6.8
2012-11-21 CVE-2012-4527 Mcrypt Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Mcrypt

Stack-based buffer overflow in mcrypt 2.6.8 and earlier allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long file name.

6.8
2012-11-21 CVE-2012-4426 Mcrypt Use of Externally-Controlled Format String vulnerability in Mcrypt

Multiple format string vulnerabilities in mcrypt 2.6.8 and earlier might allow user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via vectors involving (1) errors.c or (2) mcrypt.c.

6.8
2012-11-21 CVE-2012-4409 Mcrypt Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Mcrypt

Stack-based buffer overflow in the check_file_head function in extra.c in mcrypt 2.6.8 and earlier allows user-assisted remote attackers to execute arbitrary code via an encrypted file with a crafted header containing long salt data that is not properly handled during decryption.

6.8
2012-11-21 CVE-2012-5837 Mozilla Code Injection vulnerability in Mozilla Firefox

The Web Developer Toolbar in Mozilla Firefox before 17.0 executes script with chrome privileges, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

6.8
2012-11-21 CVE-2012-5830 Mozilla/Apple/Redhat/Suse/Canonical/Opensuse Use After Free vulnerability in multiple products

Use-after-free vulnerability in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 on Mac OS X allows remote attackers to execute arbitrary code via an HTML document.

6.8
2012-11-21 CVE-2012-4205 Mozilla/Canonical/Opensuse/Suse Cross-Site Request Forgery (CSRF) vulnerability in multiple products

Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 assign the system principal, rather than the sandbox principal, to XMLHttpRequest objects created in sandboxes, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks or obtain sensitive information by leveraging a sandboxed add-on.

6.8
2012-11-21 CVE-2012-4203 Mozilla Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox

The New Tab page in Mozilla Firefox before 17.0 uses a privileged context for execution of JavaScript code by bookmarklets, which allows user-assisted remote attackers to run arbitrary programs by leveraging a javascript: URL in a bookmark.

6.8
2012-11-19 CVE-2011-5244 Gnome/T1Lib/Tetex Numeric Errors vulnerability in multiple products

Multiple off-by-one errors in the (1) token and (2) linetoken functions in backend/dvi/mdvi-lib/afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, different vulnerabilities than CVE-2010-2642 and CVE-2011-0433.

6.8
2012-11-19 CVE-2011-0433 Gnome/T1Lib/Tetex Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in multiple products

Heap-based buffer overflow in the linetoken function in afmparse.c in t1lib, as used in teTeX 3.0.x, GNOME evince, and possibly other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a DVI file containing a crafted Adobe Font Metrics (AFM) file, a different vulnerability than CVE-2010-2642.

6.8
2012-11-21 CVE-2012-5479 Moodle Permissions, Privileges, and Access Controls vulnerability in Moodle

The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to upload and execute files via a modified Portfolio API callback.

6.5
2012-11-21 CVE-2012-5471 Moodle Permissions, Privileges, and Access Controls vulnerability in Moodle

The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to access the Dropbox of a different user by leveraging an unattended workstation after a logout.

6.5
2012-11-24 CVE-2012-2239 Mahara Code Injection vulnerability in Mahara

Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php.

6.4
2012-11-21 CVE-2012-5480 Moodle Permissions, Privileges, and Access Controls vulnerability in Moodle

The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended restrictions on reading other participants' entries via an advanced search.

6.4
2012-11-20 CVE-2012-4566 Uninett Permissions, Privileges, and Access Controls vulnerability in Uninett Radsecproxy

The DTLS support in radsecproxy before 1.6.2 does not properly verify certificates when there are configuration blocks with CA settings that are unrelated to the block being used for verifying the certificate chain, which might allow remote attackers to bypass intended access restrictions and spoof clients, a different vulnerability than CVE-2012-4523.

6.4
2012-11-20 CVE-2012-4523 Uninett Permissions, Privileges, and Access Controls vulnerability in Uninett Radsecproxy

radsecproxy before 1.6.1 does not properly verify certificates when there are configuration blocks with CA settings that are unrelated to the block being used for verifying the certificate chain, which might allow remote attackers to bypass intended access restrictions and spoof clients.

6.4
2012-11-23 CVE-2012-3495 Citrix/XEN Improper Input Validation vulnerability in multiple products

The physdev_get_free_pirq hypercall in arch/x86/physdev.c in Xen 4.1.x and Citrix XenServer 6.0.2 and earlier uses the return value of the get_free_pirq function as an array index without checking that the return value indicates an error, which allows guest OS users to cause a denial of service (invalid memory write and host crash) and possibly gain privileges via unspecified vectors.

6.1
2012-11-24 CVE-2012-2244 Mahara Permissions, Privileges, and Access Controls vulnerability in Mahara

Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote authenticated administrators to execute arbitrary programs by modifying the path to clamav.

6.0
2012-11-23 CVE-2012-4601 Tecnick SQL Injection vulnerability in Tecnick Tcexam

Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the (1) user_groups[] parameter to admin/code/tce_edit_test.php or (2) subject_id parameter to admin/code/tce_show_all_questions.php.

6.0
2012-11-23 CVE-2011-2908 Redhat Cross-Site Request Forgery (CSRF) vulnerability in Redhat products

Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors.

6.0
2012-11-20 CVE-2012-4510 Cups PK Helper Project Permissions, Privileges, and Access Controls vulnerability in Cups-Pk-Helper Project Cups-Pk-Helper

cups-pk-helper before 0.2.3 does not properly wrap the (1) cupsGetFile and (2) cupsPutFile function calls, which allows user-assisted remote attackers to read or overwrite sensitive files using CUPS resources.

5.8
2012-11-23 CVE-2012-3498 Citrix/XEN Improper Input Validation vulnerability in multiple products

PHYSDEVOP_map_pirq in Xen 4.1 and 4.2 and Citrix XenServer 6.0.2 and earlier allows local HVM guest OS kernels to cause a denial of service (host crash) and possibly read hypervisor or guest memory via vectors related to a missing range check of map->index.

5.6
2012-11-24 CVE-2012-5533 Lighttpd Resource Management Errors vulnerability in Lighttpd 1.4.31/1.4.32

The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.

5.0
2012-11-24 CVE-2012-4522 Ruby Lang Permissions, Privileges, and Access Controls vulnerability in Ruby-Lang Ruby 1.9.3/2.0.0

The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.

5.0
2012-11-23 CVE-2012-0818 Redhat Information Exposure vulnerability in Redhat Resteasy

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.

5.0
2012-11-23 CVE-2011-5245 Redhat Information Exposure vulnerability in Redhat Resteasy

The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.

5.0
2012-11-23 CVE-2011-1096 Redhat Cryptographic Issues vulnerability in Redhat Jboss Enterprise Portal Platform

The W3C XML Encryption Standard, as used in the JBoss Web Services (JBossWS) component in JBoss Enterprise Portal Platform before 5.2.2 and other products, when using block ciphers in cipher-block chaining (CBC) mode, allows remote attackers to obtain plaintext data via a chosen-ciphertext attack on SOAP responses, aka "character encoding pattern attack."

5.0
2012-11-21 CVE-2012-5526 Andy Armstrong Configuration vulnerability in Andy Armstrong Cgi.Pm

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.

5.0
2012-11-20 CVE-2012-5703 Vmware Improper Input Validation vulnerability in VMWare ESX and Esxi

The vSphere API in VMware ESXi 4.1 and ESX 4.1 allows remote attackers to cause a denial of service (host daemon crash) via an invalid value in a (1) RetrieveProp or (2) RetrievePropEx SOAP request.

5.0
2012-11-20 CVE-2011-4612 Icecast Improper Input Validation vulnerability in Icecast

icecast before 2.3.3 allows remote attackers to inject control characters such as newlines into the error log (error.log) via a crafted URL.

5.0
2012-11-19 CVE-2012-4423 Redhat Remote Denial Of Service vulnerability in libvirt 'virNetServerProgramDispatchCall()' Function

The virNetServerProgramDispatchCall function in libvirt before 0.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and segmentation fault) via an RPC call with (1) an event as the RPC number or (2) an RPC number whose value is in a "gap" in the RPC dispatch table.

5.0
2012-11-19 CVE-2011-2486 Nspluginwrapper Permissions, Privileges, and Access Controls vulnerability in Nspluginwrapper 1.4.2

nspluginwrapper before 1.4.4 does not properly provide access to NPNVprivateModeBool variable settings, which could prevent Firefox plugins from determining if they should run in Private Browsing mode and allow remote attackers to bypass intended access restrictions, as demonstrated using Flash.

5.0
2012-11-24 CVE-2012-4538 XEN Improper Input Validation vulnerability in XEN 4.0.0/4.1.0/4.2.0

The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not properly check the pagetable state when running on shadow pagetables, which allows a local HVM guest OS to cause a denial of service (hypervisor crash) via unspecified vectors.

4.9
2012-11-24 CVE-2012-3433 XEN Resource Management Errors vulnerability in XEN 4.0.0/4.1.0

Xen 4.0 and 4.1 allows local HVM guest OS kernels to cause a denial of service (domain 0 VCPU hang and kernel panic) by modifying the physical address space in a way that triggers excessive shared page search time during the p2m teardown.

4.9
2012-11-23 CVE-2012-6032 XEN Numeric Errors vulnerability in XEN 4.0.0/4.1.0/4.2.0

Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh_copy_to_client functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (memory corruption and host crash) via unspecified vectors.

4.9
2012-11-23 CVE-2012-6031 XEN Improper Input Validation vulnerability in XEN 4.0.0/4.1.0/4.2.0

The do_tmem_get function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allows local guest OS users to cause a denial of service (CPU hang and host crash) via unspecified vectors related to a spinlock being held in the "bad_copy error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others.

4.7
2012-11-23 CVE-2012-3496 Citrix, XEN Configuration vulnerability in multiple products

XENMEM_populate_physmap in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when translating paging mode is not used, allows local PV OS guest kernels to cause a denial of service (BUG triggered and host crash) via invalid flags such as MEMF_populate_on_demand.

4.7
2012-11-23 CVE-2012-4411 XEN Information Exposure vulnerability in XEN 4.0.0/4.1.0/4.2.0

The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information via the qemu monitor.

4.6
2012-11-23 CVE-2012-1167 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat products

The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.

4.6
2012-11-23 CVE-2012-6036 XEN Permissions, Privileges, and Access Controls vulnerability in XEN 4.0.0/4.1.0/4.2.0

The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3) tmemc_restore_flush_page functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 do not check for negative id pools, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or possibly execute arbitrary code via unspecified vectors.

4.4
2012-11-23 CVE-2012-6034 XEN Improper Input Validation vulnerability in XEN 4.0.0/4.1.0/4.2.0

The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv functions and the (3) TMEMC_SAVE_GET_POOL_UUID sub-operation in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 "do not check incoming guest output buffer pointers," which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors.

4.4
2012-11-23 CVE-2012-6033 XEN Permissions, Privileges, and Access Controls vulnerability in XEN 4.0.0/4.1.0/4.2.0

The do_tmem_control function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly check privileges, which allows local guest OS users to access control stack operations via unspecified vectors.

4.4
2012-11-24 CVE-2012-6037 Mahara Cross-Site Scripting vulnerability in Mahara

Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4, and other versions including 1.2, allow remote attackers to inject arbitrary web script or HTML via a CSV header with "unknown fields," which are not properly handled in error messages in the (1) bulk user, (2) group, and (3) group member upload capabilities.

4.3
2012-11-24 CVE-2012-2253 Mahara Cross-Site Scripting vulnerability in Mahara

Cross-site scripting (XSS) vulnerability in group/members.php in Mahara 1.5.x before 1.5.7 and 1.6.x before 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter.

4.3
2012-11-24 CVE-2012-2247 Mahara Cross-Site Scripting vulnerability in Mahara

Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to artefact/file/ and a crafted SVG file.

4.3
2012-11-24 CVE-2012-2243 Mahara Cross-Site Scripting vulnerability in Mahara

Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML by uploading an XML file with the xhtml extension, which is rendered inline as script.

4.3
2012-11-23 CVE-2012-4602 Tecnick Cross-Site Scripting vulnerability in Tecnick Tcexam

Multiple cross-site scripting (XSS) vulnerabilities in admin/code/tce_select_users_popup.php in Nicola Asuni TCExam before 11.3.009 allow remote attackers to inject arbitrary web script or HTML via the (1) cid or (2) uids parameter.

4.3
2012-11-23 CVE-2012-3431 Redhat Cryptographic Issues vulnerability in Redhat Jboss Enterprise Data Services Platform 5.1.0/5.2.0

The Teiid Java Database Connectivity (JDBC) socket, as used in JBoss Enterprise Data Services Platform before 5.3.0, does not encrypt login messages by default contrary to documentation and specification, which allows remote attackers to obtain login credentials via a man-in-the-middle (MITM) attack.

4.3
2012-11-23 CVE-2010-1330 Jruby Cross-Site Scripting vulnerability in Jruby

The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

4.3
2012-11-23 CVE-2012-5756 IBM Cryptographic Issues vulnerability in IBM Websphere Datapower Xc10 Appliance

The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2, when a collective configuration is enabled, has a single secret key that is shared across different customers' installations, which allows remote attackers to spoof a container server by (1) sniffing the network to locate a cleartext transmission of this key or (2) leveraging knowledge of this key from another installation.

4.3
2012-11-22 CVE-2012-2211 Egroupware Cross-Site Scripting vulnerability in Egroupware 1.8.001.20110421/1.8.001.20110805

Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php.

4.3
2012-11-22 CVE-2012-2084 Joao Ventura, Drupal Cross-Site Scripting vulnerability in Joao Ventura Print

Cross-site scripting (XSS) vulnerability in the Printer, email and PDF versions module 6.x-1.x before 6.x-1.15 and 7.x-1.x before 7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably the PATH_INFO.

4.3
2012-11-21 CVE-2012-5841 Mozilla, Opensuse, Suse, Canonical, Redhat Cross-Site Scripting vulnerability in multiple products

Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 implement cross-origin wrappers with a filtering behavior that does not properly restrict write actions, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site.

4.3
2012-11-21 CVE-2012-4209 Mozilla, Opensuse, Suse, Redhat, Canonical Cross-Site Scripting vulnerability in multiple products

Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 do not prevent use of a "top" frame name-attribute value to access the location property, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving a binary plugin.

4.3
2012-11-21 CVE-2012-4208 Mozilla, Opensuse, Suse, Canonical Information Exposure vulnerability in multiple products

The XrayWrapper implementation in Mozilla Firefox before 17.0, Thunderbird before 17.0, and SeaMonkey before 2.14 does not consider the compartment during property filtering, which allows remote attackers to bypass intended chrome-only restrictions on reading DOM object properties via a crafted web site.

4.3
2012-11-21 CVE-2012-4207 Mozilla, Opensuse, Suse, Redhat, Debian, Canonical Cross-Site Scripting vulnerability in multiple products

The HZ-GB-2312 character-set implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 does not properly handle a ~ (tilde) character in proximity to a chunk delimiter, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document.

4.3
2012-11-21 CVE-2012-4201 Mozilla, Opensuse, Suse, Redhat, Canonical, Debian Cross-Site Scripting vulnerability in multiple products

The evalInSandbox implementation in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 uses an incorrect context during the handling of JavaScript code that sets the location.href property, which allows remote attackers to conduct cross-site scripting (XSS) attacks or read arbitrary files by leveraging a sandboxed add-on.

4.3
2012-11-20 CVE-2012-5920 Google Cross-Site Scripting vulnerability in Google web Toolkit 2.4/2.4.0/2.5.0

Cross-site scripting (XSS) vulnerability in Google Web Toolkit (GWT) 2.4 through 2.5 Final, as used in JBoss Operations Network (ON) 3.1.1 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-11-20 CVE-2012-4563 Google Cross-Site Scripting vulnerability in Google web Toolkit 2.4

Cross-site scripting (XSS) vulnerability in Google Web Toolkit (GWT) 2.4 Beta and release candidates before 2.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-11-20 CVE-2012-3354 Dokuwiki, Fedoraproject Information Exposure vulnerability in multiple products

doku.php in DokuWiki, as used in Fedora 16, 17, and 18, when certain PHP error levels are set, allows remote attackers to obtain sensitive information via the prefix parameter, which reveals the installation path in an error message.

4.3
2012-11-19 CVE-2012-5919 Havalite Cross-Site Scripting vulnerability in Havalite CMS

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) find or (2) replace fields to havalite/findReplace.php; (3) username parameter to havalite/hava_login.php, (4) the Edit Article module, or (5) hava_post.php in the postAuthor module; (6) postId parameter to hava_post.php; (7) userId parameter to hava_user.php; or (8) linkId parameter to hava_link.php.

4.3
2012-11-19 CVE-2012-4541 Matomo Cross-Site Scripting vulnerability in Matomo

Cross-site scripting (XSS) vulnerability in Piwik before 1.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-11-19 CVE-2012-4233 Libreoffice, SUN NULL Pointer Dereference Denial of Service vulnerability in LibreOffice and OpenOffice

LibreOffice 3.5.x before 3.5.7.2 and 3.6.x before 3.6.1, and OpenOffice.org (OOo), allow remote attackers to cause a denial of service (NULL pointer dereference) via a crafted (1) odt file to vcllo.dll, (2) ODG (Drawing document) file to svxcorelo.dll, (3) PolyPolygon record in a .wmf (Window Meta File) file embedded in a ppt (PowerPoint) file to tllo.dll, or (4) xls (Excel) file to scfiltlo.dll.

4.3
2012-11-19 CVE-2012-4533 Viewvc, Debian Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in the "extra" details in the DiffSource._get_row function in lib/viewvc.py in ViewVC 1.0.x before 1.0.13 and 1.1.x before 1.1.16 allows remote authenticated users with repository commit access to inject arbitrary web script or HTML via the "function name" line.

4.3
2012-11-21 CVE-2012-5481 Moodle Permissions, Privileges, and Access Controls vulnerability in Moodle 2.3.0/2.3.1/2.3.2

Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all capability data by visiting the Check Permissions page.

4.0
2012-11-21 CVE-2012-5473 Moodle Information Exposure vulnerability in Moodle

The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search.

4.0
2012-11-21 CVE-2012-5472 Moodle Permissions, Privileges, and Access Controls vulnerability in Moodle

lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows remote authenticated users to bypass intended access restrictions via a modified value of a frozen form field.

4.0
2012-11-19 CVE-2012-5918 Razorcms Permissions, Privileges, and Access Controls vulnerability in Razorcms 1.2

razorCMS 1.2 allows remote authenticated users to access administrator directories and files by creating and deleting a directory.

4.0

9 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-11-20 CVE-2012-5529 Firebirdsql Resource Management Errors vulnerability in Firebirdsql Firebird 2.5.0/2.5.1

TraceManager in Firebird 2.5.0 and 2.5.1, when trace is enabled, allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by preparing an empty dynamic SQL query.

3.5
2012-11-23 CVE-2012-2377 Redhat Improper Authentication vulnerability in Redhat products

JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast.

3.3
2012-11-20 CVE-2012-4366 Belkin Cryptographic Issues vulnerability in Belkin products

Belkin wireless routers Surf N150 Model F7D1301v1, N900 Model F9K1104v1, N450 Model F9K1105V2, and N300 Model F7D2301v1 generate a predictable default WPA2-PSK passphrase based on eight digits of the WAN MAC address, which allows remote attackers to access the network by sniffing the beacon frames.

3.3
2012-11-24 CVE-2012-0959 Remote Login Service Hackers Information Exposure vulnerability in Remote Login Service Hackers Remote Login Service 1.0.0

Remote Login Service (RLS) 1.0.0 does not properly clear account information when switching users, which might allow physically proximate users to obtain login credentials.

2.1
2012-11-23 CVE-2012-3494 Citrix, XEN Permissions, Privileges, and Access Controls vulnerability in multiple products

The set_debugreg hypercall in include/asm-x86/debugreg.h in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when running on x86-64 systems, allows local OS guest users to cause a denial of service (host crash) by writing to the reserved bits of the DR7 debug control register.

2.1
2012-11-21 CVE-2012-4539 XEN Resource Management Errors vulnerability in XEN

Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hypervisors, allows local guest OS administrators to cause a denial of service (infinite loop and hang or crash) via invalid arguments to GNTTABOP_get_status_frames, aka "Grant table hypercall infinite loop DoS vulnerability."

2.1
2012-11-21 CVE-2012-4537 XEN Configuration vulnerability in XEN

Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka "Memory mapping failure DoS vulnerability."

2.1
2012-11-21 CVE-2012-4536 XEN Denial of Service vulnerability in XEN 2.2.0

The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in Xen 2.2 allow local guest OS administrators to cause a denial of service (Xen crash) via a crafted pirq value that triggers an out-of-bounds read.

2.1
2012-11-21 CVE-2012-4535 XEN Resource Management Errors vulnerability in XEN

Xen 3.4 through 4.2, and possibly earlier versions, allows local guest OS administrators to cause a denial of service (Xen infinite loop and physical CPU consumption) by setting a VCPU with an "inappropriate deadline."

1.9