Weekly Vulnerabilities Reports > February 18 to 24, 2013

Overview

124 new vulnerabilities reported during this period, including 23 critical vulnerabilities and 22 high severity vulnerabilities. This weekly summary report vulnerabilities in 85 products from 36 vendors including Linux, Opensuse, IBM, Microsoft, and Google. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Improper Input Validation", "Permissions, Privileges, and Access Controls", and "Resource Management Errors".

  • 101 reported vulnerabilities are remotely exploitables.
  • 28 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 103 reported vulnerabilities are exploitable by an anonymous user.
  • Linux has the most reported vulnerabilities, with 36 reported vulnerabilities.
  • Mozilla has the most reported critical vulnerabilities, with 11 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

23 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-02-24 CVE-2012-6275 Bigantsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Bigantsoft Bigant IM Message Server

Multiple stack-based buffer overflows in AntDS.exe in BigAntSoft BigAnt IM Message Server allow remote attackers to have an unspecified impact via (1) the filename header in an SCH request or (2) the userid component in a DUPF request.

10.0
2013-02-24 CVE-2012-4708 3S Software Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in 3S-Software Codesys Gateway-Server

Stack-based buffer overflow in 3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to execute arbitrary code via a crafted packet.

10.0
2013-02-24 CVE-2012-4707 3S Software Code Injection vulnerability in 3S-Software Codesys Gateway-Server

3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to execute arbitrary code via vectors that trigger an out-of-bounds memory access.

10.0
2013-02-24 CVE-2012-4705 3S Software Path Traversal vulnerability in 3S-Software Codesys Gateway-Server

Directory traversal vulnerability in 3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to execute arbitrary code via vectors involving a crafted pathname.

10.0
2013-02-24 CVE-2012-4704 3S Software Improper Input Validation vulnerability in 3S-Software Codesys Gateway-Server

Array index error in 3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to execute arbitrary code via a crafted packet.

10.0
2013-02-24 CVE-2013-0804 Novell OS Command Injection vulnerability in Novell Groupwise

The client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference) via unspecified vectors.

10.0
2013-02-20 CVE-2013-1487 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE 7 Update 13 and earlier and 6 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

10.0
2013-02-20 CVE-2013-1486 Oracle
SUN
Remote Java Runtime Environment vulnerability in Oracle Java SE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier, 6 Update 39 and earlier, and 5.0 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.

10.0
2013-02-20 CVE-2013-1484 Oracle Remote Java Runtime Environment vulnerability in Oracle JDK and JRE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

10.0
2013-02-24 CVE-2013-0113 Nuance Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Nuance PDF Reader and PDF Reader Plus

Nuance PDF Reader 7.0 and PDF Viewer Plus 7.1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document.

9.3
2013-02-24 CVE-2012-0439 Novell Code Injection vulnerability in Novell Groupwise

An ActiveX control in gwcls1.dll in the client in Novell GroupWise 8.0 before 8.0.3 HP2 and 2012 before SP1 HP1 allows remote attackers to execute arbitrary code via (1) a pointer argument to the SetEngine method or (2) an XPItem pointer argument to an unspecified method.

9.3
2013-02-19 CVE-2013-0784 Mozilla
Opensuse
Canonical
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
9.3
2013-02-19 CVE-2013-0783 Mozilla
Opensuse
Redhat
Debian
Canonical
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
9.3
2013-02-19 CVE-2013-0782 Mozilla
Opensuse
Redhat
Debian
Canonical
Out-Of-Bounds Write vulnerability in multiple products

Heap-based buffer overflow in the nsSaveAsCharset::DoCharsetConversion function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via unspecified vectors.

9.3
2013-02-19 CVE-2013-0781 Mozilla
Opensuse
Canonical
USE After Free vulnerability in multiple products

Use-after-free vulnerability in the nsPrintEngine::CommonPrint function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

9.3
2013-02-19 CVE-2013-0780 Mozilla
Opensuse
Redhat
Debian
Canonical
USE After Free vulnerability in multiple products

Use-after-free vulnerability in the nsOverflowContinuationTracker::Finish function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted document that uses Cascading Style Sheets (CSS) -moz-column-* properties.

9.3
2013-02-19 CVE-2013-0779 Mozilla
Opensuse
Canonical
Out-Of-Bounds Read vulnerability in multiple products

The nsCodingStateMachine::NextState function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

9.3
2013-02-19 CVE-2013-0778 Mozilla
Opensuse
Canonical
Out-Of-Bounds Read vulnerability in multiple products

The ClusterIterator::NextCluster function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.

9.3
2013-02-19 CVE-2013-0777 Mozilla
Opensuse
Canonical
USE After Free vulnerability in multiple products

Use-after-free vulnerability in the nsDisplayBoxShadowOuter::Paint function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

9.3
2013-02-19 CVE-2013-0775 Mozilla
Opensuse
Redhat
Debian
Canonical
USE After Free vulnerability in multiple products

Use-after-free vulnerability in the nsImageLoadingContent::OnStopContainer function in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to execute arbitrary code via crafted web script.

9.3
2013-02-19 CVE-2013-0773 Mozilla
Opensuse
Debian
Canonical
The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site.
9.3
2013-02-19 CVE-2013-0765 Mozilla
Opensuse
Canonical
Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 do not prevent multiple wrapping of WebIDL objects, which allows remote attackers to bypass intended access restrictions via unspecified vectors.
9.3
2013-02-22 CVE-2013-0706 NEC Permissions, Privileges, and Access Controls vulnerability in NEC Universal Raid Utility 1.40/2.31/2.5

NEC Universal RAID Utility 1.40 Rev 680 and earlier, 2.31 Rev 1492 and earlier, and 2.5 Rev 2244 and earlier does not provide access control, which allows remote attackers to perform arbitrary RAID disk operations via unspecified vectors.

9.0

22 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-02-24 CVE-2013-0120 Dell Improper Input Validation vulnerability in Dell Powerconnect 6248P

The web interface on Dell PowerConnect 6248P switches allows remote attackers to cause a denial of service (device crash) via a malformed request.

7.8
2013-02-24 CVE-2012-4706 3S Software Numeric Errors vulnerability in 3S-Software Codesys Gateway-Server

Integer signedness error in 3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to cause a denial of service via a crafted packet that triggers a heap-based buffer overflow.

7.8
2013-02-22 CVE-2012-6326 Vmware Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in VMWare Vcenter Server and Vcenter Server Appliance

VMware vCenter Server 4.1 before Update 3 and 5.0 before Update 2, and vCSA 5.0 before Update 2, allows remote attackers to cause a denial of service (disk consumption) via vectors that trigger large log entries.

7.8
2013-02-22 CVE-2013-1659 Vmware Memory Corruption vulnerability in VMWare Esxi, Vcenter Server and Vcenter Server Appliance

VMware vCenter Server 4.0 before Update 4b, 5.0 before Update 2, and 5.1 before 5.1.0b; VMware ESXi 3.5 through 5.1; and VMware ESX 3.5 through 4.1 do not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption) by modifying the client-server data stream.

7.6
2013-02-24 CVE-2012-5646 Redhat Improper Input Validation vulnerability in Redhat Openshift and Openshift Origin

node-util/www/html/restorer.php in the Red Hat OpenShift Origin before 1.0.5-3 allows remote attackers to execute arbitrary commands via a crafted uuid in the PATH_INFO.

7.5
2013-02-24 CVE-2012-6273 Bigantsoft SQL Injection vulnerability in Bigantsoft Bigant IM Message Server

SQL injection vulnerability in BigAntSoft BigAnt IM Message Server allows remote attackers to execute arbitrary SQL commands via an SHU (aka search user) request.

7.5
2013-02-23 CVE-2013-2268 Google
Linux
Microsoft
Apple
Security vulnerability in WebKit MathML Library

Unspecified vulnerability in the MathML implementation in WebKit in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, has unknown impact and remote attack vectors, related to a "high severity security issue."

7.5
2013-02-23 CVE-2013-0898 Opensuse
Google
Linux
Microsoft
Apple
Resource Management Errors vulnerability in multiple products

Use-after-free vulnerability in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving a URL.

7.5
2013-02-23 CVE-2013-0896 Google
Linux
Microsoft
Opensuse
Apple
Buffer Errors vulnerability in Google Chrome

Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, does not properly manage memory during message handling for plug-ins, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

7.5
2013-02-23 CVE-2013-0895 Google
Apple
Linux
Microsoft
Path Traversal vulnerability in Google Chrome

Google Chrome before 25.0.1364.97 on Linux, and before 25.0.1364.99 on Mac OS X, does not properly handle pathnames during copy operations, which might make it easier for remote attackers to execute arbitrary programs via unspecified vectors.

7.5
2013-02-23 CVE-2013-0894 Google
Linux
Microsoft
Apple
Buffer Errors vulnerability in Google Chrome

Buffer overflow in the vorbis_parse_setup_hdr_floors function in the Vorbis decoder in vorbisdec.c in libavcodec in FFmpeg through 1.1.3, as used in Google Chrome before 25.0.1364.97 on Windows and Linux and before 25.0.1364.99 on Mac OS X and other products, allows remote attackers to cause a denial of service (divide-by-zero error or out-of-bounds array access) or possibly have unspecified other impact via vectors involving a zero value for a bark map size.

7.5
2013-02-23 CVE-2013-0892 Google
Linux
Microsoft
Opensuse
Apple
Security vulnerability in Google Chrome

Multiple unspecified vulnerabilities in the IPC layer in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allow remote attackers to cause a denial of service or possibly have other impact via unknown vectors.

7.5
2013-02-23 CVE-2013-0891 Google
Apple
Opensuse
Linux
Microsoft
Numeric Errors vulnerability in Google Chrome

Integer overflow in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a blob.

7.5
2013-02-23 CVE-2013-0890 Google
Apple
Opensuse
Linux
Microsoft
Buffer Errors vulnerability in Google Chrome

Multiple unspecified vulnerabilities in the IPC layer in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allow remote attackers to cause a denial of service (memory corruption) or possibly have other impact via unknown vectors.

7.5
2013-02-23 CVE-2013-0887 Google
Linux
Microsoft
Apple
Permissions, Privileges, and Access Controls vulnerability in Google Chrome

The developer-tools process in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, does not properly restrict privileges during interaction with a connected server, which has unspecified impact and attack vectors.

7.5
2013-02-23 CVE-2013-0886 Google
Apple
Security vulnerability in Google Chrome

Google Chrome before 25.0.1364.99 on Mac OS X does not properly implement signal handling for Native Client (aka NaCl) code, which has unspecified impact and attack vectors.

7.5
2013-02-23 CVE-2013-0885 Opensuse
Google
Apple
Linux
Microsoft
Permissions, Privileges, and Access Controls vulnerability in multiple products

Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, does not properly restrict API privileges during interaction with the Chrome Web Store, which has unspecified impact and attack vectors.

7.5
2013-02-23 CVE-2013-0884 Google
Linux
Microsoft
Apple
Opensuse
Security vulnerability in Google Chrome

Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, does not properly load Native Client (aka NaCl) code, which has unspecified impact and attack vectors.

7.5
2013-02-23 CVE-2013-0882 Opensuse
Google
Apple
Linux
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service (incorrect memory access) or possibly have unspecified other impact via a large number of SVG parameters.

7.5
2013-02-23 CVE-2013-0880 Google
Apple
Linux
Microsoft
Opensuse
Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to databases.

7.5
2013-02-23 CVE-2013-0879 Google
Linux
Microsoft
Apple
Buffer Errors vulnerability in Google Chrome

Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, does not properly implement web audio nodes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

7.5
2013-02-19 CVE-2012-6354 IBM Improper Authentication vulnerability in IBM SAN Volume Controller Software and Storwize V7000

The management GUI on the IBM SAN Volume Controller and Storwize V7000 6.x before 6.4.1.3 allows remote attackers to bypass authentication and obtain superuser access via IP packets.

7.5

64 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-02-18 CVE-2012-4351 Symantec Numeric Errors vulnerability in Symantec Encryption Desktop and PGP Desktop

Integer overflow in pgpwded.sys in Symantec PGP Desktop 10.x and Encryption Desktop 10.3.0 before MP1 allows local users to gain privileges via a crafted application.

6.9
2013-02-18 CVE-2013-0871 Linux Race Condition vulnerability in Linux Kernel

Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.

6.9
2013-02-24 CVE-2013-0108 Honeywell Code Injection vulnerability in Honeywell products

An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2; SymmetrE R310, R410.1, and R410.2; ComfortPoint Open Manager (aka CPO-M) Station R100; and HMIWeb Browser client packages allows remote attackers to execute arbitrary code via a crafted HTML document.

6.8
2013-02-23 CVE-2013-0900 Google
Linux
Microsoft
Apple
Race Condition vulnerability in Google Chrome

Race condition in the International Components for Unicode (ICU) functionality in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

6.8
2013-02-23 CVE-2013-0893 Google
Linux
Microsoft
Apple
Opensuse
Race Condition vulnerability in Google Chrome

Race condition in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to media.

6.8
2013-02-23 CVE-2013-0889 Google
Linux
Microsoft
Opensuse
Apple
Permissions, Privileges, and Access Controls vulnerability in Google Chrome

Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, does not properly enforce a user gesture requirement before proceeding with a file download, which might make it easier for remote attackers to execute arbitrary code via a crafted file.

6.8
2013-02-20 CVE-2012-5763 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Netezza 6.0.5/6.0.8/7.0

Cross-site request forgery (CSRF) vulnerability in the WebAdmin application 6.0.5, 6.0.8, and 7.0 before P2 in IBM Netezza allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.8
2013-02-19 CVE-2013-1125 Cisco Improper Input Validation vulnerability in Cisco products

The command-line interface in Cisco Identity Services Engine Software, Secure Access Control System (ACS), Application Networking Manager (ANM), Prime LAN Management Solution (LMS), Prime Network Control System, Quad, Context Directory Agent, Prime Collaboration, Unified Provisioning Manager, and Network Services Manager does not properly validate input, which allows local users to obtain root privileges via unspecified vectors, aka Bug IDs CSCue46001, CSCud95790, CSCue46021, CSCue46025, CSCue46023, CSCue46058, CSCue46013, CSCue46031, CSCue46035, and CSCue46042.

6.8
2013-02-22 CVE-2013-0310 Linux
Redhat
Buffer Errors vulnerability in Linux Kernel

The cipso_v4_validate function in net/ipv4/cipso_ipv4.c in the Linux kernel before 3.4.8 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an IPOPT_CIPSO IP_OPTIONS setsockopt system call.

6.6
2013-02-22 CVE-2013-0311 Linux
Redhat
Denial Of Service vulnerability in Linux Kernel

The translate_desc function in drivers/vhost/vhost.c in the Linux kernel before 3.7 does not properly handle cross-region descriptors, which allows guest OS users to obtain host OS privileges by leveraging KVM guest OS privileges.

6.5
2013-02-20 CVE-2012-6357 IBM Permissions, Privileges, and Access Controls vulnerability in IBM products

IBM Maximo Asset Management 7.5, Maximo Asset Management Essentials 7.5, and SmartCloud Control Desk 7.5 allow remote authenticated users to gain privileges and bypass intended restrictions on asset-lookup operations via unspecified vectors.

6.5
2013-02-20 CVE-2012-6356 IBM Permissions, Privileges, and Access Controls vulnerability in IBM products

IBM Maximo Asset Management 7.5, Maximo Asset Management Essentials 7.5, and SmartCloud Control Desk 7.5 allow remote authenticated users to gain privileges via vectors related to an import operation.

6.5
2013-02-20 CVE-2012-6355 IBM Permissions, Privileges, and Access Controls vulnerability in IBM products

IBM Maximo Asset Management 6.2 through 7.5, Maximo Asset Management Essentials 6.2 through 7.5, Tivoli Asset Management for IT 6.2 through 7.2, Tivoli Service Request Manager 7.1 and 7.2, Maximo Service Desk 6.2, Change and Configuration Management Database (CCMDB) 7.1 and 7.2, and SmartCloud Control Desk 7.5 allow remote authenticated users to gain privileges via vectors related to a work order.

6.5
2013-02-20 CVE-2012-5760 IBM SQL Injection vulnerability in IBM Netezza 6.0.5/6.0.8/7.0

SQL injection vulnerability in the WebAdmin application 6.0.5, 6.0.8, and 7.0 before P2 in IBM Netezza allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5
2013-02-20 CVE-2012-3321 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Smartcloud Control Desk 7.5

IBM SmartCloud Control Desk 7.5 allows remote authenticated users to bypass intended access restrictions via vectors involving an expired password.

6.5
2013-02-22 CVE-2013-0313 Linux NULL Pointer Dereference Denial of Service vulnerability in Linux Kernel

The evm_update_evmxattr function in security/integrity/evm/evm_crypto.c in the Linux kernel before 3.7.5, when the Extended Verification Module (EVM) is enabled, allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via an attempted removexattr operation on an inode of a sockfs filesystem.

6.2
2013-02-22 CVE-2012-5536 Fedora Project
Redhat
Improper Input Validation vulnerability in multiple products

A certain Red Hat build of the pam_ssh_agent_auth module on Red Hat Enterprise Linux (RHEL) 6 and Fedora Rawhide calls the glibc error function instead of the error function in the OpenSSH codebase, which allows local users to obtain sensitive information from process memory or possibly gain privileges via crafted use of an application that relies on this module, as demonstrated by su and sudo.

6.2
2013-02-18 CVE-2013-0268 Linux Permissions, Privileges, and Access Controls vulnerability in Linux Kernel

The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.

6.2
2013-02-21 CVE-2013-0477 IBM Cross-Site Scripting vulnerability in IBM products

Multiple cross-site scripting (XSS) vulnerabilities in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 and 10.1 before FP1 and InfoSphere Master Data Management Server for Product Information Management 6.0, 9.0, and 9.1 allow remote authenticated users to inject content, and conduct phishing attacks, via unspecified vectors.

6.0
2013-02-24 CVE-2012-6073 Cloudbees
Jenkins
Improper Input Validation vulnerability in multiple products

Open redirect vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2013-02-24 CVE-2012-5647 Redhat Improper Input Validation vulnerability in Redhat Openshift and Openshift Origin

Open redirect vulnerability in node-util/www/html/restorer.php in Red Hat OpenShift Origin before 1.0.5-3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the PATH_INFO.

5.8
2013-02-19 CVE-2013-0772 Mozilla
Opensuse
Redhat
Canonical
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The RasterImage::DrawFrameTo function in Mozilla Firefox before 19.0, Thunderbird before 17.0.3, and SeaMonkey before 2.16 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) via a crafted GIF image.

5.8
2013-02-22 CVE-2013-0465 IBM Security vulnerability in IBM WebSphere Cast Iron Cloud Integration

Unspecified vulnerability in the IBM WebSphere Cast Iron physical and virtual appliance 6.0 and 6.1 before 6.1.0.15 and 6.3 before 6.3.0.1, when LDAP authentication is enabled, allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors.

5.4
2013-02-18 CVE-2013-0217 Linux Resource Management Errors vulnerability in Linux Kernel

Memory leak in drivers/net/xen-netback/netback.c in the Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (memory consumption) by triggering certain error conditions.

5.2
2013-02-18 CVE-2013-0216 Linux Improper Input Validation vulnerability in Linux Kernel

The Xen netback functionality in the Linux kernel before 3.7.8 allows guest OS users to cause a denial of service (loop) by triggering ring pointer corruption.

5.2
2013-02-21 CVE-2013-0472 IBM Unauthorized Access vulnerability in IBM Tivoli Storage Manager Client

The Web GUI in the client in IBM Tivoli Storage Manager (TSM) 6.3 before 6.3.1.0 and 6.4 before 6.4.0.1 allows man-in-the-middle attackers to obtain unspecified client access, and consequently obtain unspecified server access, via unknown vectors.

5.1
2013-02-24 CVE-2013-0247 Openstack
Canonical
Resource Management Errors vulnerability in multiple products

OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries.

5.0
2013-02-24 CVE-2013-0220 Fedoraproject Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Fedoraproject Sssd

The (1) sss_autofs_cmd_getautomntent and (2) sss_autofs_cmd_getautomntbyname function in responder/autofs/autofssrv_cmd.c and the (3) ssh_cmd_parse_request function in responder/ssh/sshsrv_cmd.c in System Security Services Daemon (SSSD) before 1.9.4 allow remote attackers to cause a denial of service (out-of-bounds read, crash, and restart) via a crafted SSSD packet.

5.0
2013-02-24 CVE-2012-6128 Infradead Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Infradead Openconnect

Multiple stack-based buffer overflows in http.c in OpenConnect before 4.08 allow remote VPN gateways to cause a denial of service (application crash) via a long (1) hostname, (2) path, or (3) cookie list in a response.

5.0
2013-02-24 CVE-2013-0786 Mozilla Information Exposure vulnerability in Mozilla Bugzilla

The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on whether a product exists, which allows remote attackers to discover private product names by using debug mode for a query.

5.0
2013-02-24 CVE-2013-0118 CS Cart Configuration vulnerability in Cs-Cart

CS-Cart before 3.0.6, when PayPal Standard Payments is configured, allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self.

5.0
2013-02-24 CVE-2012-6274 Bigantsoft Improper Authentication vulnerability in Bigantsoft Bigant IM Message Server

BigAntSoft BigAnt IM Message Server does not require authentication for file uploading, which allows remote attackers to create arbitrary files under AntServer\DocData\Public via unspecified vectors.

5.0
2013-02-23 CVE-2013-0899 Google
Opus Codec
Linux
Microsoft
Opensuse
Apple
Numeric Errors vulnerability in Google Chrome

Integer overflow in the padding implementation in the opus_packet_parse_impl function in src/opus_decoder.c in Opus before 1.0.2, as used in Google Chrome before 25.0.1364.97 on Windows and Linux and before 25.0.1364.99 on Mac OS X and other products, allows remote attackers to cause a denial of service (out-of-bounds read) via a long packet.

5.0
2013-02-23 CVE-2013-0888 Google
Apple
Linux
Microsoft
Opensuse
Buffer Errors vulnerability in Google Chrome

Skia, as used in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service (out-of-bounds read) via vectors related to a "user gesture check for dangerous file downloads."

5.0
2013-02-23 CVE-2013-0883 Opensuse
Google
Apple
Linux
Microsoft
Improper Input Validation vulnerability in multiple products

Skia, as used in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service (incorrect read operation) via unspecified vectors.

5.0
2013-02-23 CVE-2013-0881 Google
Linux
Microsoft
Opensuse
Apple
Improper Input Validation vulnerability in Google Chrome

Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service (incorrect read operation) via crafted data in the Matroska container format.

5.0
2013-02-20 CVE-2013-1485 Oracle Security Bypass vulnerability in Oracle JDK and JRE

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.

5.0
2013-02-20 CVE-2012-5952 IBM Improper Authentication vulnerability in IBM Websphere Message Broker

IBM WebSphere Message Broker 6.1 before 6.1.0.12, 7.0 before 7.0.0.6, and 8.0 before 8.0.0.2 does not validate Basic Authentication credentials before proceeding to WS-Addressing and WS-Security operations, which allows remote attackers to trigger transmission of unauthenticated messages via unspecified vectors.

5.0
2013-02-19 CVE-2013-1129 Cisco Resource Management Errors vulnerability in Cisco Unity Connection

Memory leak in Cisco Unity Connection 9.x allows remote attackers to cause a denial of service (memory consumption and process crash) by sending many TCP requests, aka Bug ID CSCud59736.

5.0
2013-02-24 CVE-2012-2697 Redhat Improper Input Validation vulnerability in Redhat Enterprise Linux 5

Unspecified vulnerability in autofs, as used in Red Hat Enterprise Linux (RHEL) 5, allows local users to cause a denial of service (autofs crash and delayed mounts) or prevent "mount expiration" via unspecified vectors related to "using an LDAP-based automount map."

4.9
2013-02-19 CVE-2013-0290 Linux Improper Input Validation vulnerability in Linux Kernel

The __skb_recv_datagram function in net/core/datagram.c in the Linux kernel before 3.8 does not properly handle the MSG_PEEK flag with zero-length data, which allows local users to cause a denial of service (infinite loop and system hang) via a crafted application.

4.9
2013-02-18 CVE-2012-4398 Linux Improper Input Validation vulnerability in Linux Kernel

The __request_module function in kernel/kmod.c in the Linux kernel before 3.4 does not set a certain killable attribute, which allows local users to cause a denial of service (memory consumption) via a crafted application.

4.9
2013-02-22 CVE-2013-0309 Linux
Redhat
Buffer Errors vulnerability in Linux Kernel

arch/x86/include/asm/pgtable.h in the Linux kernel before 3.6.2, when transparent huge pages are used, does not properly support PROT_NONE memory regions, which allows local users to cause a denial of service (system crash) via a crafted application.

4.7
2013-02-18 CVE-2012-6533 Symantec
Microsoft
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Symantec Encryption Desktop and PGP Desktop

Buffer overflow in pgpwded.sys in Symantec PGP Desktop 10.x and Encryption Desktop 10.3.0 before MP1 on Windows XP and Server 2003 allows local users to gain privileges via a crafted application.

4.4
2013-02-24 CVE-2012-6072 Cloudbees
Jenkins
Improper Input Validation vulnerability in multiple products

CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

4.3
2013-02-24 CVE-2012-6121 Roundcube Cross-Site Scripting vulnerability in Roundcube Webmail

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.

4.3
2013-02-24 CVE-2012-5337 Jforum Cross-Site Scripting vulnerability in Jforum 2.1.9

Multiple cross-site scripting (XSS) vulnerabilities in jforum.page in JForum 2.1.9 allow remote attackers to inject arbitrary web script or HTML via the (1) action, (2) match_type, (3) sort_by, or (4) start parameters.

4.3
2013-02-24 CVE-2012-6093 QT
Opensuse
Canonical
Cryptographic Issues vulnerability in multiple products

The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.

4.3
2013-02-24 CVE-2012-5624 QT
Digia
Canonical
Information Exposure vulnerability in multiple products

The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.

4.3
2013-02-24 CVE-2013-0785 Mozilla Cross-Site Scripting vulnerability in Mozilla Bugzilla

Cross-site scripting (XSS) vulnerability in show_bug.cgi in Bugzilla before 3.6.13, 3.7.x and 4.0.x before 4.0.10, 4.1.x and 4.2.x before 4.2.5, and 4.3.x and 4.4.x before 4.4rc2 allows remote attackers to inject arbitrary web script or HTML via the id parameter in conjunction with an invalid value of the format parameter.

4.3
2013-02-23 CVE-2013-0897 Google
Apple
Opensuse
Linux
Microsoft
Numeric Errors vulnerability in Google Chrome

Off-by-one error in the PDF functionality in Google Chrome before 25.0.1364.97 on Windows and Linux, and before 25.0.1364.99 on Mac OS X, allows remote attackers to cause a denial of service via a crafted document.

4.3
2013-02-22 CVE-2013-0730 Sourcefabric Cross-Site Scripting vulnerability in Sourcefabric Newscoop

Multiple cross-site scripting (XSS) vulnerabilities in Newscoop 4.x through 4.1.0 allow remote attackers to inject arbitrary web script or HTML via vectors involving the (1) language parameter to application/modules/admin/controllers/LanguagesController.php or (2) user parameter to application/modules/admin/controllers/UserController.php.

4.3
2013-02-21 CVE-2013-0471 IBM Denial of Service vulnerability in IBM Tivoli Storage Manager

The traditional scheduler in the client in IBM Tivoli Storage Manager (TSM) before 6.2.5.0, 6.3 before 6.3.1.0, and 6.4 before 6.4.0.1, when Prompted mode is enabled, allows remote attackers to cause a denial of service (scheduling outage) via unspecified vectors.

4.3
2013-02-20 CVE-2012-5953 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Websphere Message Broker

IBM WebSphere Message Broker 6.1 before 6.1.0.12, 7.0 before 7.0.0.6, and 8.0 before 8.0.0.2, when the Parse Query Strings option is enabled on an HTTPInput node, allows remote attackers to cause a denial of service (infinite loop) via a crafted query string.

4.3
2013-02-20 CVE-2012-5940 IBM Improper Authentication vulnerability in IBM Netezza 6.0.5/6.0.8/7.0

The WebAdmin application 6.0.5, 6.0.8, and 7.0 before P2 in IBM Netezza, when SSL is not enabled, allows remote attackers to discover credentials by sniffing the network during the authentication process.

4.3
2013-02-20 CVE-2012-3328 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.1, Maximo Asset Management Essentials 7.1, Tivoli Asset Management for IT 7.1 and 7.2, Tivoli Service Request Manager 7.1 and 7.2, and Change and Configuration Management Database (CCMDB) 7.1 and 7.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to a hidden frame footer.

4.3
2013-02-20 CVE-2012-3327 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 7.5, Maximo Asset Management Essentials 6.2 through 7.5, Tivoli Asset Management for IT 6.2 through 7.2, Tivoli Service Request Manager 7.1 and 7.2, Maximo Service Desk 6.2, Change and Configuration Management Database (CCMDB) 7.1 and 7.2, and SmartCloud Control Desk 7.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to a login action.

4.3
2013-02-19 CVE-2013-0774 Mozilla
Opensuse
Canonical
Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent JavaScript workers from reading the browser-profile directory name, which has unspecified impact and remote attack vectors.
4.3
2013-02-18 CVE-2012-4352 Stone Ware Cross-Site Scripting vulnerability in Stone-Ware Webnetwork 6.1

Multiple cross-site scripting (XSS) vulnerabilities in Stoneware webNetwork 6.1 before SP1 allow remote attackers to inject arbitrary web script or HTML via the blogName parameter to (1) community/blog.jsp or (2) community/blogSearch.jsp, the (3) calendarType or (4) monthNumber parameter to community/calendar.jsp, or the (5) flag parameter to swDashboard/ajax/setAppFlag.jsp.

4.3
2013-02-24 CVE-2013-0212 Openstack
Canonical
Information Exposure vulnerability in multiple products

store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages.

4.0
2013-02-21 CVE-2013-0467 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Data Studio 3.1.0/3.1.1

IBM Eclipse Help System (IEHS), as used in IBM Data Studio 3.1 and 3.1.1 and other products, allows remote authenticated users to read source code via a crafted URL.

4.0
2013-02-19 CVE-2013-0776 Mozilla
Opensuse
Redhat
Debian
Canonical
Improper Certificate Validation vulnerability in multiple products

Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 allow man-in-the-middle attackers to spoof the address bar by operating a proxy server that provides a 407 HTTP status code accompanied by web script, as demonstrated by a phishing attack on an HTTPS site.

4.0
2013-02-18 CVE-2012-5375 Linux Cryptographic Issues vulnerability in Linux Kernel

The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (prevention of file creation) by leveraging the ability to write to a directory important to the victim, and creating a file with a crafted name that is associated with a specific CRC32C hash value.

4.0
2013-02-18 CVE-2012-5374 Linux Cryptographic Issues vulnerability in Linux Kernel

The CRC32C feature in the Btrfs implementation in the Linux kernel before 3.8-rc1 allows local users to cause a denial of service (extended runtime of kernel code) by creating many different files whose names are associated with the same CRC32C hash value.

4.0

15 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-02-24 CVE-2013-0219 Fedoraproject
Redhat
Permissions, Privileges, and Access Controls vulnerability in multiple products

System Security Services Daemon (SSSD) before 1.9.4, when (1) creating, (2) copying, or (3) removing a user home directory tree, allows local users to create, modify, or delete arbitrary files via a symlink attack on another user's files.

3.7
2013-02-24 CVE-2013-0164 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Openshift and Openshift Origin

The lockwrap function in port-proxy/bin/openshift-port-proxy-cfg in Red Hat OpenShift Origin before 1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.

3.6
2013-02-24 CVE-2012-6074 Cloudbees
Jenkins
Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in Jenkins before 1.491, Jenkins LTS before 1.480.1, and Jenkins Enterprise 1.424.x before 1.424.6.13, 1.447.x before 1.447.4.1, and 1.466.x before 1.466.10.1 allows remote authenticated users with write access to inject arbitrary web script or HTML via unspecified vectors.

3.5
2013-02-21 CVE-2013-0478 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 and 10.1 before FP1 and InfoSphere Master Data Management Server for Product Information Management 6.0, 9.0, and 9.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2013-02-20 CVE-2013-0457 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.5, Maximo Asset Management Essentials 7.5, and SmartCloud Control Desk 7.5 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to a uisessionid.

3.5
2013-02-20 CVE-2012-5941 IBM Cross-Site Scripting vulnerability in IBM Netezza 6.0.5/6.0.8/7.0

Cross-site scripting (XSS) vulnerability in the WebAdmin application 6.0.5, 6.0.8, and 7.0 before P2 in IBM Netezza allows remote authenticated users to inject content, and conduct phishing attacks, via unspecified vectors.

3.5
2013-02-20 CVE-2012-5762 IBM Cross-Site Scripting vulnerability in IBM Netezza 6.0.5/6.0.8/7.0

Cross-site scripting (XSS) vulnerability in the WebAdmin application 6.0.5, 6.0.8, and 7.0 before P2 in IBM Netezza allows remote authenticated users to inject arbitrary web script or HTML via vectors involving the MHTML protocol.

3.5
2013-02-20 CVE-2012-5761 IBM Cross-Site Scripting vulnerability in IBM Netezza 6.0.5/6.0.8/7.0

Cross-site scripting (XSS) vulnerability in the WebAdmin application 6.0.5, 6.0.8, and 7.0 before P2 in IBM Netezza allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2013-02-20 CVE-2012-3322 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 7.5, Maximo Asset Management Essentials 6.2 through 7.5, Tivoli Asset Management for IT 6.2 through 7.2, Tivoli Service Request Manager 7.1 and 7.2, Maximo Service Desk 6.2, Change and Configuration Management Database (CCMDB) 7.1 and 7.2, and SmartCloud Control Desk 7.5 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to a display name.

3.5
2013-02-20 CVE-2012-3316 IBM Cross-Site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in the Tivoli Process Automation Engine (TPAE) in IBM Maximo Asset Management 6.2 through 7.5, Maximo Asset Management Essentials 6.2 through 7.5, Tivoli Asset Management for IT 6.2 through 7.2, Tivoli Service Request Manager 7.1 and 7.2, Maximo Service Desk 6.2, Change and Configuration Management Database (CCMDB) 7.1 and 7.2, and SmartCloud Control Desk 7.5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2013-02-24 CVE-2013-0158 Cloudbees
Jenkins
Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to obtain the master cryptographic key via unknown vectors.
2.6
2013-02-20 CVE-2013-0466 IBM Cross-Site Scripting vulnerability in IBM Websphere Message Broker

Cross-site scripting (XSS) vulnerability in IBM WebSphere Message Broker 7.0 before 7.0.0.6 and 8.0 before 8.0.0.2, when wsdl support is enabled on a SOAPInput node, allows remote attackers to inject arbitrary web script or HTML via a wsdl request that is not properly handled during construction of an error message.

2.6
2013-02-24 CVE-2012-5658 Redhat Cryptographic Issues vulnerability in Redhat Openshift and Openshift Origin

rhc-chk.rb in Red Hat OpenShift Origin before 1.1, when -d (debug mode) is used, outputs the password and other sensitive information in cleartext, which allows context-dependent attackers to obtain sensitive information, as demonstrated by including log files or Bugzilla reports in support channels.

2.1
2013-02-18 CVE-2013-0160 Linux Information Exposure vulnerability in Linux Kernel

The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.

2.1
2013-02-18 CVE-2012-4530 Linux Information Exposure vulnerability in Linux Kernel

The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.

2.1