Weekly Vulnerabilities Reports > January 28 to February 3, 2013

Overview

133 new vulnerabilities reported during this period, including 40 critical vulnerabilities and 18 high severity vulnerabilities. This weekly summary report vulnerabilities in 722 products from 32 vendors including Oracle, SUN, Wireshark, Apple, and IBM. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Cross-site Scripting", "SQL Injection", and "Numeric Errors".

  • 108 reported vulnerabilities are remotely exploitables.
  • 10 reported vulnerabilities have public exploit available.
  • 20 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 127 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 51 reported vulnerabilities.
  • Oracle has the most reported critical vulnerabilities, with 29 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

40 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-02-02 CVE-2013-1483 Oracle JavaFX Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2013-1482 Oracle JavaFX Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2013-1481 Oracle
SUN
Remote Code Execution vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound.

10.0
2013-02-02 CVE-2013-1480 Oracle
SUN
Remote Code Execution vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT.

10.0
2013-02-02 CVE-2013-1479 Oracle
SUN
Remote Code Execution vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

10.0
2013-02-02 CVE-2013-1478 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

10.0
2013-02-02 CVE-2013-1477 Oracle JavaFX Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2013-1476 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2013-0441 and CVE-2013-1475.

10.0
2013-02-02 CVE-2013-1475 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA.

10.0
2013-02-02 CVE-2013-1472 Oracle JavaFX Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2013-0450 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.

10.0
2013-02-02 CVE-2013-0447 Oracle JavaFX Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2013-0446 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2013-0445 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT.

10.0
2013-02-02 CVE-2013-0442 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT.

10.0
2013-02-02 CVE-2013-0441 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2013-1476 and CVE-2013-1475.

10.0
2013-02-02 CVE-2013-0439 Oracle Remote JavaFX vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2013-0437 Oracle Remote Java Runtime Environment vulnerability in Oracle Javafx, JDK and JRE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

10.0
2013-02-02 CVE-2013-0436 Oracle Remote JavaFX vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2013-0428 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0426.

10.0
2013-02-02 CVE-2013-0426 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0428.

10.0
2013-02-02 CVE-2013-0425 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0428 and CVE-2013-0426.

10.0
2013-02-02 CVE-2012-4301 Oracle JavaFX Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2012-3342 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-02-02 CVE-2012-3213 Oracle
SUN
Remote Code Execution vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

10.0
2013-02-02 CVE-2012-1541 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU.

10.0
2013-01-31 CVE-2013-1591 Redhat
Palemoon
Numeric Errors vulnerability in multiple products

Stack-based buffer overflow in libpixman, as used in Pale Moon before 15.4 and possibly other products, has unspecified impact and context-dependent attack vectors.

10.0
2013-01-31 CVE-2013-0230 Miniupnp Project Buffer Errors vulnerability in Miniupnp Project Miniupnpd 1.0

Stack-based buffer overflow in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to execute arbitrary code via a long quoted method.

10.0
2013-01-31 CVE-2012-5965 Portable SDK FOR Upnp Project Buffer Errors vulnerability in Portable SDK for Upnp Project Portable SDK for Upnp 1.3.1

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long DeviceType (aka urn device) field in a UDP packet.

10.0
2013-01-31 CVE-2012-5964 Portable SDK FOR Upnp Project Buffer Errors vulnerability in Portable SDK for Upnp Project Portable SDK for Upnp 1.3.1

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long ServiceType (aka urn service) field in a UDP packet.

10.0
2013-01-31 CVE-2012-5963 Portable SDK FOR Upnp Project Buffer Errors vulnerability in Portable SDK for Upnp Project Portable SDK for Upnp 1.3.1

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that lacks a :: (colon colon) in a UDP packet.

10.0
2013-01-31 CVE-2012-5962 Portable SDK FOR Upnp Project Buffer Errors vulnerability in Portable SDK FOR Upnp Project Portable SDK for Upnp 1.3.1

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long DeviceType (aka urn) field in a UDP packet.

10.0
2013-01-31 CVE-2012-5961 Libupnp Project Buffer Errors vulnerability in Libupnp Project Libupnp 1.3.1

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) 1.3.1 allows remote attackers to execute arbitrary code via a long UDN (aka device) field in a UDP packet.

10.0
2013-01-31 CVE-2012-5960 Portable SDK FOR Upnp Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Portable SDK FOR Upnp Project Portable SDK FOR Upnp

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka upnp:rootdevice) field in a UDP packet.

10.0
2013-01-31 CVE-2012-5959 Portable SDK FOR Upnp Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Portable SDK FOR Upnp Project Portable SDK FOR Upnp

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a long UDN (aka uuid) field within a string that contains a :: (colon colon) in a UDP packet.

10.0
2013-01-31 CVE-2012-5958 Libupnp Project Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Libupnp Project Libupnp

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable SDK for UPnP Devices (aka libupnp, formerly the Intel SDK for UPnP devices) before 1.6.18 allows remote attackers to execute arbitrary code via a UDP packet with a crafted string that is not properly handled after a certain pointer subtraction.

10.0
2013-01-31 CVE-2013-1489 Oracle
Google
Microsoft
Mozilla
Opera
Unsigned Java Code Security Bypass vulnerability in Oracle JDK and JRE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 10 and Update 11, when running on Windows using Internet Explorer, Firefox, Opera, and Google Chrome, allows remote attackers to bypass the "Very High" security level of the Java Control Panel and execute unsigned Java code without prompting the user via unknown vectors, aka "Issue 53" and the "Java Security Slider" vulnerability.

10.0
2013-02-02 CVE-2013-1474 Oracle JavaFX Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

9.3
2013-02-02 CVE-2012-4305 Oracle JavaFX Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

9.3
2013-01-31 CVE-2012-0204 IBM Unspecified vulnerability in IBM products

Untrusted search path vulnerability in InfoSphere Import Export Manager 8.1 through 9.1 in InfoSphere Information Server MetaBrokers & Bridges (MBB) in IBM InfoSphere Information Server 8.1, 8.5 before FP3, 8.7, and 9.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory.

9.3

18 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-01-31 CVE-2013-1462 Miniupnp Project Numeric Errors vulnerability in Miniupnp Project Miniupnpd 1.0

Integer signedness error in the ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to cause a denial of service (incorrect memory copy) via a SOAPAction header that lacks a " (double quote) character, a different vulnerability than CVE-2013-0230.

7.8
2013-01-31 CVE-2013-1461 Miniupnp Project Denial-Of-Service vulnerability in Miniupnp Project Miniupnpd 1.0

The ExecuteSoapAction function in the SOAPAction handler in the HTTP service in MiniUPnP MiniUPnPd 1.0 allows remote attackers to cause a denial of service (NULL pointer dereference and service crash) via a SOAPAction header that lacks a # (pound sign) character, a different vulnerability than CVE-2013-0230.

7.8
2013-01-31 CVE-2013-0229 Miniupnp Project Denial of Service vulnerability in MiniUPnP

The ProcessSSDPRequest function in minissdp.c in the SSDP handler in MiniUPnP MiniUPnPd before 1.4 allows remote attackers to cause a denial of service (service crash) via a crafted request that triggers a buffer over-read.

7.8
2013-02-02 CVE-2013-0444 Oracle Java Runtime Environment Remote Security vulnerability in Oracle JDK and JRE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans.

7.6
2013-02-02 CVE-2013-0429 Oracle
SUN
Remote Java Runtime Environment Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA.

7.6
2013-02-02 CVE-2013-0423 Oracle
SUN
Java Runtime Environment Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU.

7.6
2013-02-02 CVE-2013-0419 Oracle
SUN
Java Runtime Environment Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU.

7.6
2013-02-02 CVE-2012-1543 Oracle Remote Code Execution vulnerability in Oracle Java SE

Unspecified vulnerability in the JavaFX component in Oracle Java SE JavaFX 2.2.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than other CVEs listed in the February 2013 CPU.

7.6
2013-01-31 CVE-2013-0930 EMC Buffer Errors vulnerability in EMC Alphastor 4.0

Buffer overflow in Drive Control Program (DCP) in EMC AlphaStor 4.0 before build 814 allows remote attackers to execute arbitrary code via vectors involving a new device name.

7.6
2013-02-02 CVE-2013-0351 Oracle
SUN
Java Runtime Environment Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than other CVEs listed in the February 2013 CPU.

7.5
2013-01-31 CVE-2012-6529 Marinet SQL Injection vulnerability in Marinet CMS

Multiple SQL injection vulnerabilities in Marinet CMS allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) galleryphoto.php or (2) gallery.php; or the roomid parameter to (3) room.php or (4) room2.php.

7.5
2013-01-31 CVE-2012-6526 Vastal SQL Injection vulnerability in Vastal Freelance Zone

SQL injection vulnerability in show_code.php in Vastal I-Tech Freelance Zone allows remote attackers to execute arbitrary SQL commands via the code_id parameter.

7.5
2013-01-31 CVE-2012-6525 Phpbridges DEV Team SQL Injection vulnerability in PHPbridges DEV Team PHPbridges

SQL injection vulnerability in members.php in PHPBridges allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2013-01-31 CVE-2012-6524 Powie SQL Injection vulnerability in Powie PGB 2.12/2.14

SQL injection vulnerability in kommentar.php in pGB 2.12 allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2013-01-31 CVE-2010-5287 Cstech SQL Injection vulnerability in Cstech Webconductor

SQL injection vulnerability in default.php in Cornerstone Technologies webConductor allows remote attackers to execute arbitrary SQL commands via the id parameter.

7.5
2013-01-30 CVE-2013-0333 Rubyonrails Unspecified vulnerability in Rubyonrails Rails and Ruby ON Rails

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

7.5
2013-01-31 CVE-2012-0705 IBM Improper Input Validation vulnerability in IBM products

InfoSphere Import Export Manager in InfoSphere Information Server MetaBrokers & Bridges (MBB) in IBM InfoSphere Information Server 8.1, 8.5 before FP3, 8.7, and 9.1 does not validate unspecified input data, which allows remote authenticated users to execute arbitrary commands via unknown vectors.

7.1
2013-01-31 CVE-2012-6530 Sysax Buffer Errors vulnerability in Sysax Multi Server 4.3/4.5/5.50

Stack-based buffer overflow in Sysax Multi Server before 5.52, when HTTP is enabled, allows remote authenticated users with the create folder permission to execute arbitrary code via a crafted request.

7.1

49 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-02-02 CVE-2013-0430 Oracle
SUN
Java Runtime Environment Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process of the client.

6.9
2013-01-28 CVE-2012-4696 Beijerelectronics Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Beijerelectronics Beijer ADP and H-Designer

Buffer overflow in Beijer ADP 6.5.0-180_R1967 and 6.5.1-186_R2942, and H-Designer 6.5.0 B180_R1967, allows local users to gain privileges by inserting a long string into a DLL file.

6.9
2013-01-29 CVE-2013-0968 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0959 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0958 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0956 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0955 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0954 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0953 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0952 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0951 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0950 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0949 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-29 CVE-2013-0948 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Iphone OS

WebKit, as used in Apple iOS before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-01-28-1.

6.8
2013-01-31 CVE-2012-0701 IBM Permissions, Privileges, and Access Controls vulnerability in IBM products

The client applications in the DataStage Administrator client in InfoSphere DataStage in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 rely on client-side access control, which allows remote authenticated users to gain privileges via unspecified vectors.

6.5
2013-01-31 CVE-2012-0205 IBM Permissions, Privileges, and Access Controls vulnerability in IBM products

InfoSphere Metadata Workbench (MWB) 8.1 through 8.7 in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 does not properly restrict use of the troubleshooting feature, which allows remote authenticated users to bypass intended access restrictions or cause a denial of service (workbench outage) via unspecified vectors.

6.5
2013-02-02 CVE-2013-0432 Oracle
SUN
Java Runtime Environment Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality and integrity via vectors related to AWT.

6.4
2013-01-31 CVE-2012-0703 IBM Improper Input Validation vulnerability in IBM products

Open redirect vulnerability in Information Services Framework (ISF) in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2013-02-02 CVE-2013-0214 Samba Cross-Site Request Forgery (CSRF) vulnerability in Samba

Cross-site request forgery (CSRF) vulnerability in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to hijack the authentication of arbitrary users by leveraging knowledge of a password and composing requests that perform SWAT actions.

5.1
2013-02-02 CVE-2013-0213 Samba Improper Input Validation vulnerability in Samba

The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct clickjacking attacks via a (1) FRAME or (2) IFRAME element.

5.1
2013-01-29 CVE-2013-0974 Apple Security Bypass vulnerability in Apple iPhone/iPad/iPod touch

StoreKit in Apple iOS before 6.1 does not properly handle the disabling of JavaScript within the preferences configuration of Mobile Safari, which allows remote attackers to bypass intended access restrictions and execute JavaScript code via a web site with a Smart App Banner.

5.1
2013-02-02 CVE-2012-6352 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Sterling Connect

The Session Manager in IBM Sterling Connect:Direct through 4.1.0.3 on UNIX allows remote attackers to cause a denial of service (daemon crash and disk consumption) via crafted data.

5.0
2013-02-02 CVE-2013-1473 Oracle
SUN
Java Runtime Environment Remote Security vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect integrity via unknown vectors related to Deployment.

5.0
2013-02-02 CVE-2013-0449 Oracle Java Runtime Environment Remote Security vulnerability in Oracle JDK and JRE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 allows remote attackers to affect confidentiality via unknown vectors related to Deployment.

5.0
2013-02-02 CVE-2013-0448 Oracle Remote Java Runtime Environment vulnerability in Oracle JDK and JRE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 allows remote attackers to affect integrity via unknown vectors related to Libraries.

5.0
2013-02-02 CVE-2013-0440 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 7, allows remote attackers to affect availability via vectors related to JSSE.

5.0
2013-02-02 CVE-2013-0435 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality via vectors related to JAX-WS.

5.0
2013-02-02 CVE-2013-0434 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality via vectors related to JAXP.

5.0
2013-02-02 CVE-2013-0433 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect integrity via unknown vectors related to Networking.

5.0
2013-02-02 CVE-2013-0427 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect integrity via unknown vectors related to Libraries.

5.0
2013-02-02 CVE-2013-0424 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via vectors related to RMI.

5.0
2013-02-02 CVE-2013-0409 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38 allows remote attackers to affect confidentiality via vectors related to JMX.

5.0
2013-01-31 CVE-2013-0431 Oracle Remote Java Runtime Environment vulnerability in Oracle JDK and JRE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.

5.0
2013-01-31 CVE-2013-1112 Cisco Improper Input Validation vulnerability in Cisco Carrier Routing System

Cisco Carrier Routing System (CRS) allows remote attackers to cause a denial of service (packet loss) via short malformed packets that trigger inefficient processing, aka Bug ID CSCud79136.

5.0
2013-01-31 CVE-2012-6522 W CMS Path Traversal vulnerability in W-Cms 2.01

Directory traversal vulnerability in the getContent function in codes/wcms.php in w-CMS 2.01 allows remote attackers to read arbitrary files via a ..

5.0
2013-02-02 CVE-2013-0438 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38 allows remote attackers to affect confidentiality via unknown vectors related to Deployment.

4.3
2013-01-31 CVE-2013-1490 Oracle Security Bypass vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 7 Update 11 (JRE 1.7.0_11-b21) allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors, aka "Issue 51," a different vulnerability than CVE-2013-0431.

4.3
2013-01-31 CVE-2013-1113 Cisco Cross-Site Scripting vulnerability in Cisco Unified Communications Domain Manager

Cross-site scripting (XSS) vulnerability in Cisco Unified Communications Domain Manager allows remote attackers to inject arbitrary web script or HTML via a crafted parameter value, aka Bug ID CSCue21042.

4.3
2013-01-31 CVE-2012-6350 IBM Cross-Site Scripting vulnerability in IBM Cognos TM1

Cross-site scripting (XSS) vulnerability in the Web component in IBM Cognos TM1 before 9.5.2 FP3 and 10.1 before 10.1 FP1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2013-01-31 CVE-2012-6029 Cisco Cross-Site Scripting vulnerability in Cisco NAC Appliance

Multiple cross-site scripting (XSS) vulnerabilities in the web-authentication function on the Cisco NAC Appliance 4.9.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) cm or (2) uri parameters to (a) perfigo_weblogin.jsp, or the (3) cm, (4) provider, (5) session, (6) uri, (7) userip, or (8) username parameters to (b) perfigo_cm_validate.jsp, aka Bug ID CSCud15109.

4.3
2013-01-31 CVE-2012-4819 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in InfoSphere Business Glossary 8.1.1 and 8.1.2, InfoSphere DataStage Operation Console, InfoSphere Administration, and Reporting and Repository Management Web Console in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2013-01-31 CVE-2012-0203 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in InfoSphere Metadata Workbench (MWB) 8.1 through 8.7 in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2013-01-31 CVE-2012-6528 Atutor Cross-Site Scripting vulnerability in Atutor

Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) themes/default/tile_search/index.tmpl.php, (2) login.php, (3) search.php, (4) password_reminder.php, (5) login.php/jscripts/infusion, (6) login.php/mods/_standard/flowplayer, (7) browse.php/jscripts/infusion/framework/fss, (8) registration.php/themes/default/ie_styles.css, (9) about.php, or (10) themes/default/social/basic_profile.tmpl.php.

4.3
2013-01-31 CVE-2012-6523 W CMS Cross-Site Scripting vulnerability in W-Cms 2.01

Multiple cross-site scripting (XSS) vulnerabilities in w-CMS 2.01 allow remote attackers to inject arbitrary web script or HTML via (1) the p parameter in the getMenus function in codes/wcms.php; or the COMMENT parameter in (2) blog.php, (3) guestbook.php, or (4) forum.php in codes/.

4.3
2013-01-31 CVE-2011-5255 X3Cms Cross-Site Scripting vulnerability in X3Cms X3 CMS

Multiple cross-site scripting (XSS) vulnerabilities in admin/login in X3 CMS 0.4.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) username, or (3) password parameter.

4.3
2013-02-02 CVE-2013-0443 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

4.0
2013-01-31 CVE-2012-0702 IBM Improper Authentication vulnerability in IBM products

Information Services Framework (ISF) in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 does not properly determine authorization, which allows remote authenticated users to gain privileges via unspecified vectors.

4.0
2013-01-29 CVE-2013-1451 Microsoft Configuration vulnerability in Microsoft Internet Explorer 8/9

Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not ensure that the SSL lock icon is consistent with the Address bar, which makes it easier for remote attackers to spoof web sites via a crafted HTML document that triggers many HTTPS requests to an arbitrary host, followed by an HTTPS request to a trusted host and then an HTTP request to an untrusted host, a related issue to CVE-2013-1450.

4.0
2013-01-29 CVE-2013-1450 Microsoft Configuration vulnerability in Microsoft Internet Explorer 8/9

Microsoft Internet Explorer 8 and 9, when the Proxy Settings configuration has the same Proxy address and Port values in the HTTP and Secure rows, does not properly reuse TCP sessions to the proxy server, which allows remote attackers to obtain sensitive information intended for a specific host via a crafted HTML document that triggers many HTTPS requests and then triggers an HTTP request to that host, as demonstrated by reading a Cookie header, aka MSRC 12096gd.

4.0

26 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-01-29 CVE-2013-0964 Apple Improper Input Validation vulnerability in Apple Iphone OS and Tvos

The kernel in Apple iOS before 6.1 and Apple TV before 5.2 does not properly validate copyin and copyout arguments, which allows local users to bypass intended pointer restrictions and access locations in the first kernel-memory page by specifying a length of less than one page.

3.6
2013-02-01 CVE-2012-3268 HP
Huawei
Insufficiently Protected Credentials vulnerability in multiple products

Certain HP Access Controller, Fabric Module, Firewall, Router, Switch, and UTM Appliance products; certain HP 3Com Access Controller, Router, and Switch products; certain HP H3C Access Controller, Firewall, Router, Switch, and Switch and Route Processing Unit products; and certain Huawei Firewall/Gateway, Router, Switch, and Wireless products do not properly implement access control as defined in h3c-user.mib 2.0 and hh3c-user.mib 2.0, which allows remote authenticated users to discover credentials in UserInfoEntry values via an SNMP request with the read-only community.

3.5
2013-02-03 CVE-2013-1590 Wireshark Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark

Buffer overflow in the NTLMSSP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet.

2.9
2013-02-03 CVE-2013-1589 Wireshark Resource Management Errors vulnerability in Wireshark

Double free vulnerability in epan/proto.c in the dissection engine in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allows remote attackers to cause a denial of service (application crash) via a malformed packet.

2.9
2013-02-03 CVE-2013-1588 Wireshark Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark

Multiple buffer overflows in the dissect_pft_fec_detailed function in the DCP-ETSI dissector in epan/dissectors/packet-dcp-etsi.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 allow remote attackers to cause a denial of service (application crash) via a malformed packet.

2.9
2013-02-03 CVE-2013-1587 Wireshark Unspecified vulnerability in Wireshark

The dissect_rohc_ir_packet function in epan/dissectors/packet-rohc.c in the ROHC dissector in Wireshark 1.8.x before 1.8.5 does not properly handle unknown profiles, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.

2.9
2013-02-03 CVE-2013-1586 Wireshark Unspecified vulnerability in Wireshark

The fragment_set_tot_len function in epan/reassemble.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly determine the length of a reassembled packet for the DTLS dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.

2.9
2013-02-03 CVE-2013-1585 Wireshark Improper Input Validation vulnerability in Wireshark

epan/tvbuff.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly validate certain length values for the MS-MMC dissector, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.

2.9
2013-02-03 CVE-2013-1584 Wireshark Improper Input Validation vulnerability in Wireshark

The dissect_version_5_and_6_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.

2.9
2013-02-03 CVE-2013-1583 Wireshark Improper Input Validation vulnerability in Wireshark

The dissect_version_4_primary_header function in epan/dissectors/packet-dtn.c in the DTN dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 accesses an inappropriate pointer, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.

2.9
2013-02-03 CVE-2013-1582 Wireshark Numeric Errors vulnerability in Wireshark

The dissect_clnp function in epan/dissectors/packet-clnp.c in the CLNP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly manage an offset variable, which allows remote attackers to cause a denial of service (infinite loop or application crash) via a malformed packet.

2.9
2013-02-03 CVE-2013-1581 Wireshark Improper Input Validation vulnerability in Wireshark

The dissect_pft_fec_detailed function in epan/dissectors/packet-dcp-etsi.c in the DCP-ETSI dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle fragment gaps, which allows remote attackers to cause a denial of service (loop) via a malformed packet.

2.9
2013-02-03 CVE-2013-1580 Wireshark Improper Input Validation vulnerability in Wireshark

The dissect_cmstatus_tlv function in plugins/docsis/packet-cmstatus.c in the DOCSIS CM-STATUS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 uses an incorrect data type for a position variable, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.

2.9
2013-02-03 CVE-2013-1579 Wireshark Resource Management Errors vulnerability in Wireshark

The rtps_util_add_bitmap function in epan/dissectors/packet-rtps.c in the RTPS dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly implement certain nested loops for processing bitmap data, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.

2.9
2013-02-03 CVE-2013-1578 Wireshark Improper Input Validation vulnerability in Wireshark

The dissect_pw_eth_heuristic function in epan/dissectors/packet-pw-eth.c in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle apparent Ethernet address values at the beginning of MPLS data, which allows remote attackers to cause a denial of service (loop) via a malformed packet.

2.9
2013-02-03 CVE-2013-1577 Wireshark Improper Input Validation vulnerability in Wireshark

The dissect_sip_p_charging_func_addresses function in epan/dissectors/packet-sip.c in the SIP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle offset data associated with a quoted string, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.

2.9
2013-02-03 CVE-2013-1576 Wireshark Cryptographic Issues vulnerability in Wireshark

The dissect_sdp_media_attribute function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly process crypto-suite parameters, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.

2.9
2013-02-03 CVE-2013-1575 Wireshark Improper Input Validation vulnerability in Wireshark

The dissect_r3_cmd_alarmconfigure function in epan/dissectors/packet-assa_r3.c in the R3 dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle a certain alarm length, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.

2.9
2013-02-03 CVE-2013-1574 Wireshark Improper Input Validation vulnerability in Wireshark

The dissect_bthci_eir_ad_data function in epan/dissectors/packet-bthci_cmd.c in the Bluetooth HCI dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 uses an incorrect data type for a counter variable, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.

2.9
2013-02-03 CVE-2013-1573 Wireshark Improper Input Validation vulnerability in Wireshark

The csnStreamDissector function in epan/dissectors/packet-csn1.c in the CSN.1 dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle a large number of padding bits, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.

2.9
2013-02-03 CVE-2013-1572 Wireshark Improper Input Validation vulnerability in Wireshark

The dissect_oampdu_event_notification function in epan/dissectors/packet-slowprotocols.c in the IEEE 802.3 Slow Protocols dissector in Wireshark 1.6.x before 1.6.13 and 1.8.x before 1.8.5 does not properly handle certain short lengths, which allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.

2.9
2013-01-31 CVE-2012-6527 Joedolson
Wordpress
Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

2.6
2013-01-29 CVE-2013-0962 Apple Cross-Site Scripting vulnerability in Apple Iphone OS

Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS before 6.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted content that is not properly handled during a copy-and-paste operation.

2.6
2013-01-29 CVE-2013-0963 Apple Improper Input Validation vulnerability in Apple Iphone OS

Identity Services in Apple iOS before 6.1 does not properly handle validation failures of AppleID certificates, which might allow physically proximate attackers to bypass authentication by leveraging an incorrect assignment of an empty string value to an AppleID.

2.1
2013-01-31 CVE-2012-4832 IBM Information Exposure vulnerability in IBM products

Information Services Framework (ISF) in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 and InfoSphere Business Glossary 8.1.1 and 8.1.2 does not have an off autocomplete attribute for the password field on the login page, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

1.9
2013-01-31 CVE-2012-0700 IBM Credentials Management vulnerability in IBM products

The client in InfoSphere FastTrack 8.1 through 8.7 in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 does not properly store credentials, which allows local users to bypass intended access restrictions via unspecified vectors.

1.9