Weekly Vulnerabilities Reports > December 31, 2012 to January 6, 2013

Overview

64 new vulnerabilities were reported during this period, including 3 critical vulnerabilities and 7 high severity vulnerabilities. This weekly summary reports vulnerabilities in 57 products from 37 vendors including Opera, Redhat, Drupal, Moinmo, and Samsung. Vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Information Exposure", "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Improper Input Validation".

  • 51 reported vulnerabilities are remotely exploitable.
  • 3 reported vulnerabilities have a public exploit available.
  • 13 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 57 reported vulnerabilities are exploitable by an anonymous user.
  • Opera has the most reported vulnerabilities, with 13 reported vulnerabilities.
  • Opera has the most reported critical vulnerabilities, with 3 reported vulnerabilities.


Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:


3 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-01-02 CVE-2012-6470 Opera Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Opera Browser

Opera before 12.12 does not properly allocate memory for GIF images, which allows remote attackers to execute arbitrary code or cause a denial of service (memory overwrite) via a malformed image.

9.3
2013-01-02 CVE-2012-6468 Opera Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Opera Browser

Heap-based buffer overflow in Opera before 12.11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a long HTTP response.

9.3
2013-01-02 CVE-2012-6465 Opera Code Injection vulnerability in Opera Browser

Opera before 12.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed SVG image.

9.3

7 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-01-04 CVE-2012-6329 Perl Code Injection vulnerability in Perl

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.

7.5
2013-01-04 CVE-2012-6090 SWI Prolog Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Swi-Prolog

Multiple stack-based buffer overflows in the expand function in os/pl-glob.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename.

7.5
2013-01-04 CVE-2012-6089 SWI Prolog Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Swi-Prolog

Multiple stack-based buffer overflows in the canoniseFileName function in os/pl-os.c in SWI-Prolog before 6.2.5 and 6.3.x before 6.3.7 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted filename.

7.5
2013-01-04 CVE-2012-6496 Rubyonrails SQL Injection vulnerability in Rubyonrails Rails and Ruby ON Rails

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

7.5
2013-01-01 CVE-2012-6426 Lemonldap NG Permissions, Privileges, and Access Controls vulnerability in Lemonldap-Ng Lemonldap::

LemonLDAP::NG before 1.2.3 does not use the signature-verification capability of the Lasso library, which allows remote attackers to bypass intended access-control restrictions via crafted SAML data.

7.5
2012-12-31 CVE-2012-5642 Fail2Ban Arbitrary Log Content Injection vulnerability in Fail2ban

server/action.py in Fail2ban before 0.8.8 does not properly handle the content of the matches tag, which might allow remote attackers to trigger unsafe behavior in a custom action file via unspecified symbols in this content.

7.5
2012-12-31 CVE-2012-4688 I GEN Improper Authentication vulnerability in I-Gen Oplynx 2.01.8

The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support.

7.5

42 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-01-03 CVE-2012-6434 E107 Cross-Site Request Forgery (CSRF) vulnerability in E107 1.0.2

Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3) download_author_email, (4) download_author_website, (5) download_image, (6) download_thumb, (7) download_visible, or (8) download_class parameter.

6.8
2013-01-03 CVE-2012-6433 E107 Cross-Site Request Forgery (CSRF) vulnerability in E107 1.0.1

Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action.

6.8
2013-01-05 CVE-2012-4550 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform 6.0.0

JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB.

6.4
2013-01-03 CVE-2012-6080 Moinmo Path Traversal vulnerability in Moinmo Moinmoin 1.9.3/1.9.4/1.9.5

Directory traversal vulnerability in the _do_attachment_move function in the AttachFile action (action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5 allows remote attackers to overwrite arbitrary files via a ..

6.4
2013-01-03 CVE-2012-6495 Moinmo Path Traversal vulnerability in Moinmo Moinmoin

Multiple directory traversal vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to overwrite arbitrary files via unspecified vectors.

6.0
2013-01-03 CVE-2012-6081 Moinmo Arbitrary Code Execution vulnerability in MoinMoin

Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory, as exploited in the wild in July 2012.

6.0
2013-01-03 CVE-2012-5653 Drupal, Debian Improper Input Validation vulnerability in multiple products

The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.

6.0
2013-01-05 CVE-2012-4549 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform

The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods.

5.8
2013-01-01 CVE-2012-5769 IBM XML Parsing Unspecified Security vulnerability in IBM SPSS Modeler

IBM SPSS Modeler 14.0, 14.1, 14.2 through FP3, and 15.0 before FP2 allows remote attackers to read arbitrary files, and possibly send HTTP requests to intranet servers or cause a denial of service (CPU and memory consumption), via an XML external entity declaration in conjunction with an entity reference.

5.8
2012-12-31 CVE-2011-5251 Vbulletin Improper Input Validation vulnerability in Vbulletin

Open redirect vulnerability in forum/login.php in vBulletin 4.1.3 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter in a lostpw action.

5.8
2013-01-04 CVE-2012-5603 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Cloudforms 1.0

proxies_controller.rb in Katello in Red Hat CloudForms before 1.1 does not properly check permissions, which allows remote authenticated users to read consumer certificates or change arbitrary users' settings via unspecified vectors related to the "consumer UUID" of a system.

5.5
2013-01-03 CVE-2012-4545 Elinks Improper Authentication vulnerability in Elinks 0.12

The http_negotiate_create_context function in protocol/http/http_negotiate.c in ELinks 0.12 before 0.12pre6, when using HTTP Negotiate or GSS-Negotiate authentication, delegates user credentials through GSSAPI, which allows remote servers to authenticate as the client via the delegated credentials.

5.1
2013-01-04 CVE-2012-6330 Twiki, Foswiki Numeric Errors vulnerability in multiple products

The localization functionality in TWiki before 5.1.3, and Foswiki 1.0.x through 1.0.10 and 1.1.x through 1.1.6, allows remote attackers to cause a denial of service (memory consumption) via a large integer in a %MAKETEXT% macro.

5.0
2013-01-04 CVE-2012-5976 Digium Buffer Errors vulnerability in Digium Asterisk

Multiple stack consumption vulnerabilities in Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones allow remote attackers to cause a denial of service (daemon crash) via TCP data using the (1) SIP, (2) HTTP, or (3) XMPP protocol.

5.0
2013-01-03 CVE-2012-5655 Steven Jones, Drupal Permissions, Privileges, and Access Controls vulnerability in Steven Jones Context

The Context module 6.x-3.x before 6.x-3.1 and 7.x-3.x before 7.x-3.0-beta6 for Drupal does not properly restrict access to block content, which allows remote attackers to obtain sensitive information via a crafted request.

5.0
2013-01-03 CVE-2012-5652 Drupal Information Exposure vulnerability in Drupal

Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.

5.0
2013-01-03 CVE-2012-5651 Drupal Permissions, Privileges, and Access Controls vulnerability in Drupal

Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.

5.0
2013-01-02 CVE-2013-0721 WP PHP Widget Project, Wordpress Information Exposure vulnerability in WP PHP Widget Project WP PHP Widget 1.0.2

wp-php-widget.php in the WP PHP widget plugin 1.0.2 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.

5.0
2013-01-02 CVE-2012-6471 Opera Unspecified vulnerability in Opera Browser

Opera before 12.12 allows remote attackers to spoof the address field via a high rate of HTTP requests.

5.0
2013-01-02 CVE-2012-6469 Opera Information Exposure vulnerability in Opera Browser

Opera before 12.11 allows remote attackers to determine the existence of arbitrary local files via vectors involving web script in an error page.

5.0
2013-01-02 CVE-2012-6466 Opera Information Exposure vulnerability in Opera Browser

Opera before 12.10 does not properly handle incorrect size data in a WebP image, which allows remote attackers to obtain potentially sensitive information from process memory by using a crafted image as the fill pattern for a canvas.

5.0
2013-01-02 CVE-2012-6462 Opera Permissions, Privileges, and Access Controls vulnerability in Opera Browser

Opera before 12.10 does not properly implement the Cross-Origin Resource Sharing (CORS) specification, which allows remote attackers to bypass intended page-content restrictions via a crafted request.

5.0
2013-01-02 CVE-2012-6461 Opera Improper Input Validation vulnerability in Opera Browser

The X.509 certificate-validation functionality in the https implementation in Opera before 12.10 allows remote attackers to trigger a false indication of successful revocation-status checking by causing a failure of a single checking service.

5.0
2013-01-02 CVE-2012-6460 Opera Unspecified vulnerability in Opera Browser

Opera before 11.67 and 12.x before 12.02 allows remote attackers to cause truncation of a dialog, and possibly trigger downloading and execution of arbitrary programs, via a crafted web site.

5.0
2013-01-01 CVE-2012-6084 Ircd Ratbox, Ratbox

modules/m_capab.c in (1) ircd-ratbox before 3.0.8 and (2) Charybdis before 3.4.2 does not properly support capability negotiation during server handshakes, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request.

5.0
2013-01-01 CVE-2012-5573 Torproject Resource Management Errors vulnerability in Torproject TOR

The connection_edge_process_relay_cell function in or/relay.c in Tor before 0.2.3.25 maintains circuits even if an unexpected SENDME cell arrives, which might allow remote attackers to cause a denial of service (memory consumption or excessive cell reception rate) or bypass intended flow-control restrictions via a RELAY_COMMAND_SENDME command.

5.0
2013-01-02 CVE-2012-6472 Opera, Unix Permissions, Privileges, and Access Controls vulnerability in Opera Browser

Opera before 12.12 on UNIX uses weak permissions for the profile directory, which allows local users to obtain sensitive information by reading a (1) cache file, (2) password file, or (3) configuration file, or (4) possibly gain privileges by modifying or overwriting a configuration file.

4.6
2013-01-04 CVE-2012-4543 Redhat Cross-Site Scripting vulnerability in Redhat Certificate System

Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Certificate System (RHCS) before 8.1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) pageStart or (2) pageSize to the displayCRL script, or (3) nonce variable to the profileProcess script.

4.3
2013-01-04 CVE-2012-5977 Digium Buffer Errors vulnerability in Digium Asterisk

Asterisk Open Source 1.8.x before 1.8.19.1, 10.x before 10.11.1, and 11.x before 11.1.2; Certified Asterisk 1.8.11 before 1.8.11-cert10; and Asterisk Digiumphones 10.x-digiumphones before 10.11.1-digiumphones, when anonymous calls are enabled, allow remote attackers to cause a denial of service (resource consumption) by making anonymous calls from multiple sources and consequently adding many entries to the device state cache.

4.3
2013-01-03 CVE-2012-6082 Moinmo Cross-Site Scripting vulnerability in Moinmo Moinmoin 1.9.5

Cross-site scripting (XSS) vulnerability in the rsslink function in theme/__init__.py in MoinMoin 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the page name in a rss link.

4.3
2013-01-03 CVE-2012-5666 Owncloud Cross-Site Scripting vulnerability in Owncloud

Cross-site scripting (XSS) vulnerability in bookmarks/js/bookmarks.js in ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to apps/bookmark/index.php.

4.3
2013-01-03 CVE-2012-5665 Owncloud Permissions, Privileges, and Access Controls vulnerability in Owncloud

ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 does not properly restrict access to settings.php, which allows remote attackers to edit app configurations of user_webdavauth and user_ldap by editing this file.

4.3
2013-01-03 CVE-2012-5654 Nodewords Project, Drupal Information Exposure vulnerability in Nodewords Project Nodewords

The Nodewords: D6 Meta Tags module before 6.x-1.14 for Drupal, when configured to automatically generate description meta tags from node text, does not properly filter node content when creating tags, which might allow remote attackers to obtain sensitive information by reading the (1) description, (2) dc.description or (3) og:description meta tags.

4.3
2013-01-02 CVE-2012-6467 Opera Open Redirection vulnerability in Opera Web Browser

Opera before 12.10 follows Internet shortcuts that are referenced by a (1) IMG element or (2) other inline element, which makes it easier for remote attackers to conduct phishing attacks via a crafted web site, as exploited in the wild in November 2012.

4.3
2013-01-02 CVE-2012-6464 Opera Cross-Site Scripting vulnerability in Opera Browser

Cross-site scripting (XSS) vulnerability in Opera before 12.10 allows remote attackers to inject arbitrary web script or HTML via crafted JavaScript code that overrides methods of unspecified native objects in documents that have different origins.

4.3
2013-01-02 CVE-2012-6463 Opera Cross-Site Scripting vulnerability in Opera Browser

Cross-site scripting (XSS) vulnerability in Opera before 12.10 allows remote attackers to inject arbitrary web script or HTML via vectors involving an unspecified sequence of loading of documents and loading of data: URLs.

4.3
2013-01-01 CVE-2012-6459 Intel, Linux Information Exposure vulnerability in Intel Connman 1.3

ConnMan 1.3 on Tizen continues to list the bluetooth service after offline mode has been enabled, which might allow remote attackers to obtain sensitive information via Bluetooth packets.

4.3
2013-01-01 CVE-2012-4970 Polycom Cross-Site Scripting vulnerability in Polycom HDX System Software

Cross-site scripting (XSS) vulnerability in the web management interface on Polycom HDX Video End Points with UC APL software before 2.7.1.1_J, and commercial software before 3.0.5, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-12-31 CVE-2012-6453 Mediawiki Cross-Site Scripting vulnerability in Mediawiki Rssreader

Cross-site scripting (XSS) vulnerability in the RSS Reader extension before 0.2.6 for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a crafted feed.

4.3
2012-12-31 CVE-2012-6339 Cerberusftp Cross-Site Scripting vulnerability in Cerberusftp FTP Server

Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cerberus FTP Server before 5.0.6.0 allow (1) remote attackers to inject arbitrary web script or HTML via a log entry that is not properly handled within the Log Manager component, and might allow (2) remote authenticated administrators to inject arbitrary web script or HTML via a Messages field to the servermanager program.

4.3
2013-01-04 CVE-2012-4556 Redhat Improper Input Validation vulnerability in Redhat Certificate System

The token processing system (pki-tps) in Red Hat Certificate System (RHCS) before 8.1.3 allows remote attackers to cause a denial of service (Apache httpd web server child process restart) via certain unspecified empty search fields in a user certificate search query.

4.0
2013-01-04 CVE-2012-4555 Redhat Cross-Site Scripting and Denial of Service vulnerability in Red Hat Certificate System

The token processing system (pki-tps) in Red Hat Certificate System (RHCS) before 8.1.3 does not properly handle interruptions of token format operations, which allows remote attackers to cause a denial of service (NULL pointer dereference and Apache httpd web server child process crash) via unspecified vectors.

4.0

12 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-01-04 CVE-2011-4316 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Enterprise Virtualization Manager

Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, in certain unspecified conditions, does not lock the desktop screen between SPICE sessions, which allows local users with access to a virtual machine to gain access to other users' desktop sessions via unspecified vectors.

3.7
2013-01-04 CVE-2012-3538 Redhat Credentials Management vulnerability in Redhat Cloudforms 1.0

Pulp in Red Hat CloudForms before 1.1 logs administrative passwords in a world-readable file, which allows local users to read pulp administrative passwords by reading production.log.

3.3
2013-01-04 CVE-2012-6348 Centrify Link Following vulnerability in Centrify Deployment Manager and Centrify Suite

Centrify Deployment Manager 2.1.0.283, as distributed in Centrify Suite before 2012.5, allows local users to (1) overwrite arbitrary files via a symlink attack on the adcheckDMoutput temporary file, or (2) overwrite arbitrary files and consequently gain privileges via a symlink attack on the centrify.cmd.0 temporary file.

3.3
2012-12-31 CVE-2012-6371 Belkin Cryptographic Issues vulnerability in Belkin N900 Wireless Router F9K1104V1

The WPA2 implementation on the Belkin N900 F9K1104v1 router establishes a WPS PIN based on 6 digits of the LAN/WLAN MAC address, which makes it easier for remote attackers to obtain access to a Wi-Fi network by reading broadcast packets, a different vulnerability than CVE-2012-4366.

3.3
2012-12-31 CVE-2012-6337 Samsung Information Exposure vulnerability in Samsung Samsungdive

The Track My Mobile feature in the SamsungDive subsystem for Android on Samsung Galaxy devices shows the activation of remote tracking, which might allow physically proximate attackers to defeat a product-recovery effort by tampering with this feature or its location data.

3.3
2012-12-31 CVE-2012-6336 Lookout Spoofing vulnerability in Lookout for Android

The Missing Device feature in Lookout allows physically proximate attackers to provide arbitrary location data via a "commonly available simple GPS location spoofer."

3.3
2012-12-31 CVE-2012-6335 AVG Spoofing vulnerability in AVG AntiVirus for Android

The Anti-theft service in AVG AntiVirus for Android allows physically proximate attackers to provide arbitrary location data via a "commonly available simple GPS location spoofer."

3.3
2012-12-31 CVE-2012-6334 Samsung Permissions, Privileges, and Access Controls vulnerability in Samsung Samsungdive

The Track My Mobile feature in the SamsungDive subsystem for Android on Samsung Galaxy devices does not properly implement Location APIs, which allows physically proximate attackers to provide arbitrary location data via a "commonly available simple GPS location spoofer."

2.9
2013-01-04 CVE-2012-2696 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Enterprise Virtualization Manager

The backend in Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1 does not properly check privileges, which allows remote authenticated users to query arbitrary information via a (1) SOAP or (2) GWT request.

2.7
2013-01-04 CVE-2012-5605 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Cloudforms 1.0

Grinder in Red Hat CloudForms before 1.1 uses world-writable permissions for /var/lib/pulp/cache/grinder/, which allows local users to modify grinder cache files.

2.1
2013-01-04 CVE-2012-5516 Redhat Information Exposure vulnerability in Redhat Enterprise Virtualization Manager

Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when moving disks between storage domains, does not properly wipe-after-delete, which prevents disks from being securely deleted and might allow local users to obtain sensitive information via unspecified vectors.

2.1
2013-01-04 CVE-2012-4574 Redhat Credentials Management vulnerability in Redhat Cloudforms 1.0

Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions for pulp.conf, which allows local users to read the administrative password by reading this file.

2.1