Weekly Vulnerabilities Reports > March 25 to 31, 2013

Overview

100 new vulnerabilities were reported during this period, including 6 critical and 21 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 84 products from 47 vendors, including Drupal, IBM, Google, Devsaran, and Cisco. The most common weakness categories are "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Resource Management Errors", and "Information Exposure".

  • 95 reported vulnerabilities are remotely exploitable.
  • 3 reported vulnerabilities have a public exploit available.
  • 37 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 70 reported vulnerabilities are exploitable by an anonymous user.
  • Drupal has the most reported vulnerabilities, with 29.
  • Novell has the most reported critical vulnerabilities, with 3.

Summary counts: 100 total vulnerabilities (6 critical risk, 21 high risk, 54 medium risk, 19 low risk); 95 remotely exploitable; 3 with a public exploit available; 70 exploitable anonymously.

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


6 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-03-29 CVE-2013-1083 Novell Unspecified vulnerability in Novell Identity Manager Roles Based Provisioning Module 4.0.2

Unspecified vulnerability in the login functionality in the Reporting Module in Novell Identity Manager (aka IDM) Roles Based Provisioning Module 4.0.2 before Field Patch C has unknown impact and attack vectors.

10.0
2013-03-29 CVE-2013-1080 Novell Improper Authentication vulnerability in Novell ZENworks Configuration Management 10.3/11.2

The web server in Novell ZENworks Configuration Management (ZCM) 10.3 and 11.2 before 11.2.4 does not properly perform authentication for zenworks/jsp/index.jsp, which allows remote attackers to conduct directory traversal attacks, and consequently upload and execute arbitrary programs, via a request to TCP port 443.

10.0
2013-03-27 CVE-2013-0318 Banckle Chat Project / Drupal Permissions, Privileges, and Access Controls vulnerability in Banckle Chat Project Banckle Chat

The admin page in the Banckle Chat module for Drupal does not properly restrict access, which allows remote attackers to bypass intended restrictions via unspecified vectors.

10.0
2013-03-29 CVE-2013-1085 Novell Buffer Errors vulnerability in Novell GroupWise Messenger and Novell Messenger

Stack-based buffer overflow in the nim: protocol handler in Novell GroupWise Messenger 2.04 and earlier, and Novell Messenger 2.1.x and 2.2.x before 2.2.2, allows remote attackers to execute arbitrary code via an import command containing a long string in the filename parameter.

9.3
2013-03-28 CVE-2013-2717 EMC Security vulnerability in EMC Smarts Network Configuration Manager 9.1/9.2

Multiple unspecified vulnerabilities in the System Management (aka SysAdmin) Console in EMC Smarts Network Configuration Manager (NCM) through 9.2 have unknown impact and attack vectors, a different issue than CVE-2013-0935.

9.3
2013-03-28 CVE-2013-0935 EMC Improper Authentication vulnerability in EMC Smarts Network Configuration Manager 9.1

EMC Smarts Network Configuration Manager (NCM) before 9.2 does not require authentication for all Java RMI method calls, which allows remote attackers to execute arbitrary code via unspecified vectors.

9.3

21 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-03-27 CVE-2013-0487 IBM Improper Authentication vulnerability in IBM Lotus Domino

The Java Console in IBM Domino 8.5.x allows remote authenticated users to hijack temporary credentials by leveraging knowledge of configuration details, aka SPR KLYH8TNNDN.

8.5
2013-03-28 CVE-2012-5879 McAfee Permissions, Privileges, and Access Controls vulnerability in McAfee products

An ActiveX control in McHealthCheck.dll in McAfee Virtual Technician (MVT) and ePO-MVT 6.5.0.2101 and earlier allows remote attackers to modify or create arbitrary files via a full pathname argument to the Save method.

8.2
2013-03-28 CVE-2013-1148 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco IOS and IOS XE

The General Responder implementation in the IP Service Level Agreement (SLA) feature in Cisco IOS 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S allows remote attackers to cause a denial of service (device reload) via crafted (1) IPv4 or (2) IPv6 IP SLA packets on UDP port 1167, aka Bug ID CSCuc72594.

7.8
2013-03-28 CVE-2013-1147 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco IOS

The Protocol Translation (PT) functionality in Cisco IOS 12.3 through 12.4 and 15.0 through 15.3, when one-step port-23 translation or a Telnet-to-PAD ruleset is configured, does not properly validate TCP connection information, which allows remote attackers to cause a denial of service (device reload) via an attempted connection to a PT resource, aka Bug ID CSCtz35999.

7.8
2013-03-28 CVE-2013-1146 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco IOS

The Smart Install client functionality in Cisco IOS 12.2 and 15.0 through 15.3 on Catalyst switches allows remote attackers to cause a denial of service (device reload) via crafted image list parameters in Smart Install packets, aka Bug ID CSCub55790.

7.8
2013-03-28 CVE-2013-1145 Cisco Resource Management Errors vulnerability in Cisco IOS

Memory leak in Cisco IOS 12.2, 12.4, 15.0, and 15.1, when Zone-Based Policy Firewall SIP application layer gateway inspection is enabled, allows remote attackers to cause a denial of service (memory consumption or device reload) via malformed SIP messages, aka Bug ID CSCtl99174.

7.8
2013-03-28 CVE-2013-1144 Cisco Resource Management Errors vulnerability in Cisco IOS 15.1

Memory leak in the IKEv1 implementation in Cisco IOS 15.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified (1) IPv4 or (2) IPv6 IKE packets, aka Bug ID CSCth81055.

7.8
2013-03-28 CVE-2013-1142 Cisco Race Condition vulnerability in Cisco IOS

Race condition in the VRF-aware NAT feature in Cisco IOS 12.2 through 12.4 and 15.0 through 15.2 allows remote attackers to cause a denial of service (memory consumption) via IPv4 packets, aka Bug IDs CSCtg47129 and CSCtz96745.

7.8
2013-03-28 CVE-2013-2266 ISC Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in ISC BIND

libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2, 9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows remote attackers to cause a denial of service (memory consumption) via a crafted regular expression, as demonstrated by a memory-exhaustion attack against a machine running a named process.

7.8
2013-03-29 CVE-2013-1082 Novell Path Traversal vulnerability in Novell ZENworks Mobile Management 2.6.1

Directory traversal vulnerability in DUSAP.php in Novell ZENworks Mobile Management before 2.7.1 allows remote attackers to include and execute arbitrary local files via the language parameter.

7.5
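The ZENworks Mobile Management entry above is the classic shape of a local file inclusion bug: a request parameter (here language) is concatenated into a path that the script then includes. The following is an added example, not code from the page or from Novell, showing the two checks a hardened resolver needs: an allow-list on the raw value and a containment check on the resolved path. The ".php" suffix, the directory layout and the sample inputs are assumptions constructed for the example.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Allow-list for the language value: "en" or "de_DE" style codes only.
# Anything containing "/", "\\", ".", NUL or other characters is rejected
# before it ever touches the filesystem.
LANG_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def resolve_language_file(base_dir: str, language: str) -> Optional[str]:
    """Map a user-controlled language code to a file inside base_dir.

    Returns the absolute path of an existing file, or None if the value
    is rejected. Two independent checks:
      1. the allow-list above, which is the real fix for this bug class;
      2. a containment check on the resolved path, which still holds if
         the allow-list is later loosened or base_dir contains symlinks.
    The ".php" suffix is an assumption for the example; the advisory
    does not say how the affected script built its include path.
    """
    if not LANG_RE.match(language):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, language + ".php"))
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    return target


def vulnerable_resolve(base_dir: str, language: str) -> str:
    """The pattern behind the bug class: the request value is pasted into
    the path and the result is handed to include(). Shown for contrast;
    "../" sequences walk out of base_dir."""
    return os.path.join(base_dir, language + ".php")


def demo() -> Dict[str, Optional[str]]:
    """Run the hardened resolver over constructed inputs in a temporary
    directory containing en.php and de.php, and return what each input
    resolved to (None means rejected)."""
    base = tempfile.mkdtemp(prefix="lang_")
    for code in ("en", "de"):
        with open(os.path.join(base, code + ".php"), "w") as fh:
            fh.write("<?php // constructed %s strings file\n" % code)
    inputs = ["en", "de", "de_DE", "../../etc/passwd", "/etc/passwd",
              "en\x00", "../en", "en/../../de"]
    return {value: resolve_language_file(base, value) for value in inputs}


if __name__ == "__main__":
    for value, result in demo().items():
        print(repr(value), "->", result)
    print("unsafe:", os.path.normpath(
        vulnerable_resolve("/var/www/lang", "../../../etc/passwd")))
```

The allow-list does the real work; the realpath containment check is defence in depth, and the isfile check means a code that passes the pattern but has no file (de_DE in the demo) is treated the same as a rejected value rather than producing an include of a missing path.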
2013-03-28 CVE-2013-2690 Synchroweb SQL Injection vulnerability in Synchroweb SynConnect 2.0

SQL injection vulnerability in index.php in Synchroweb Technology SynConnect 2.0 allows remote attackers to execute arbitrary SQL commands via the loginid parameter in a logoff action.

7.5
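The SynConnect entry is a textbook injection through a parameter used in a logoff action. The following added example (not code from the page or from Synchroweb) models that logoff as a session-row delete against an in-memory SQLite table and contrasts the concatenated query with a parameterized one, so the effect of a crafted loginid value can be observed directly. The sessions table and the payload are constructed for the example; the real application's schema is not known.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sessions table (not from the page): one row per logged-in user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (loginid TEXT PRIMARY KEY, token TEXT)")
    conn.executemany(
        "INSERT INTO sessions VALUES (?, ?)",
        [("alice", "t1"), ("bob", "t2"), ("carol", "t3")],
    )
    conn.commit()
    return conn


def logoff_vulnerable(conn: sqlite3.Connection, loginid: str) -> int:
    """Logoff built by string concatenation: a quote inside loginid closes
    the literal and the remainder of the value becomes SQL.
    Returns the number of session rows deleted."""
    sql = "DELETE FROM sessions WHERE loginid = '" + loginid + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def logoff_safe(conn: sqlite3.Connection, loginid: str) -> int:
    """Same operation with a bound parameter: the driver sends the value
    separately from the statement, so it can only ever match a loginid."""
    cur = conn.execute("DELETE FROM sessions WHERE loginid = ?", (loginid,))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> List[str]:
    """Login IDs that still have a session, for inspecting the result."""
    return [row[0] for row in conn.execute(
        "SELECT loginid FROM sessions ORDER BY loginid")]


if __name__ == "__main__":
    # A tautology payload: the WHERE clause becomes
    #   loginid = 'x' OR '1'='1'
    # and every session is removed, not just the caller's.
    payload = "x' OR '1'='1"
    db = make_db()
    print("vulnerable deleted:", logoff_vulnerable(db, payload), "left:", remaining(db))
    db = make_db()
    print("safe deleted:", logoff_safe(db, payload), "left:", remaining(db))
```

The demonstration uses a tautology rather than a stacked statement because sqlite3's execute() refuses more than one statement per call; the lesson is the same for any engine, and the fix is binding, not escaping.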
2013-03-28 CVE-2013-1492 MySQL / Oracle Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.30, has unspecified impact and attack vectors, a different vulnerability than CVE-2012-0553.

7.5
2013-03-28 CVE-2012-0553 MySQL / Oracle Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Buffer overflow in yaSSL, as used in MySQL 5.1.x before 5.1.68 and 5.5.x before 5.5.28, has unspecified impact and attack vectors, a different vulnerability than CVE-2013-1492.

7.5
2013-03-28 CVE-2013-0925 Google Permissions, Privileges, and Access Controls vulnerability in Google Chrome

Google Chrome before 26.0.1410.43 does not ensure that an extension has the tabs (aka APIPermission::kTab) permission before providing a URL to this extension, which has unspecified impact and remote attack vectors.

7.5
2013-03-28 CVE-2013-0924 Google Permissions, Privileges, and Access Controls vulnerability in Google Chrome

The extension functionality in Google Chrome before 26.0.1410.43 does not verify that use of the permissions API is consistent with file permissions, which has unspecified impact and attack vectors.

7.5
2013-03-28 CVE-2013-0922 Google Permissions, Privileges, and Access Controls vulnerability in Google Chrome

Google Chrome before 26.0.1410.43 does not properly restrict brute-force access attempts against web sites that require HTTP Basic Authentication, which has unspecified impact and attack vectors.

7.5
2013-03-28 CVE-2013-0920 Google Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in the extension bookmarks API in Google Chrome before 26.0.1410.43 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

7.5
2013-03-28 CVE-2013-0919 Google / Linux Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 26.0.1410.43 on Linux allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging the presence of an extension that creates a pop-up window.

7.5
2013-03-28 CVE-2013-0916 Google Resource Management Errors vulnerability in Google Chrome

Use-after-free vulnerability in the Web Audio implementation in Google Chrome before 26.0.1410.43 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

7.5
2013-03-29 CVE-2013-0513 IBM Local Privilege Escalation vulnerability in Multiple IBM Products

IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 create a service that lacks " (double quote) characters in the service path, which allows local users to gain privileges via a Trojan horse program, related to an "Unquoted Service Path Enumeration" vulnerability.

7.2
2013-03-28 CVE-2013-1143 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco IOS and IOS XE

The RSVP protocol implementation in Cisco IOS 12.2 and 15.0 through 15.2 and IOS XE 3.1.xS through 3.4.xS before 3.4.5S and 3.5.xS through 3.7.xS before 3.7.2S, when MPLS-TE is enabled, allows remote attackers to cause a denial of service (incorrect memory access and device reload) via a traffic engineering PATH message in an RSVP packet, aka Bug ID CSCtg39957.

7.1

54 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-03-29 CVE-2013-1079 Novell Path Traversal vulnerability in Novell ZENworks Configuration Management

Directory traversal vulnerability in the ISCreateObject method in an ActiveX control in InstallShield\ISProxy.dll in AdminStudio in Novell ZENworks Configuration Management (ZCM) 10.3 through 11.2 allows remote attackers to execute arbitrary local DLL files via a crafted web page that also calls the Initialize method.

6.8
2013-03-29 CVE-2013-0532 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Rational Policy Tester and Security AppScan

Cross-site request forgery (CSRF) vulnerability in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to hijack the authentication of arbitrary users for requests that cause a denial of service via malformed HTTP data.

6.8
2013-03-29 CVE-2013-0452 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Software Use Analysis and Tivoli Endpoint Manager

Cross-site request forgery (CSRF) vulnerability in the Software Use Analysis (SUA) application before 1.3.3 in IBM Tivoli Endpoint Manager 8.2 allows remote attackers to hijack the authentication of arbitrary users via a web site that contains crafted Flash Action Message Format (AMF) messages.

6.8
2013-03-28 CVE-2012-5216 HP Cross-Site Request Forgery (CSRF) vulnerability in HP products

Cross-site request forgery (CSRF) vulnerability on HP ProCurve 1700-8 (aka J9079A) switches with software before VA.02.09 and 1700-24 (aka J9080A) switches with software before VB.02.09 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.8
2013-03-28 CVE-2013-0926 Google Improper Input Validation vulnerability in Google Chrome

Google Chrome before 26.0.1410.43 does not properly handle active content in an EMBED element during a copy-and-paste operation, which allows user-assisted remote attackers to have an unspecified impact via a crafted web site.

6.8
2013-03-28 CVE-2013-0921 Google Permissions, Privileges, and Access Controls vulnerability in Google Chrome

The Isolated Sites feature in Google Chrome before 26.0.1410.43 does not properly enforce the use of separate processes, which makes it easier for remote attackers to bypass intended access restrictions via a crafted web site.

6.8
2013-03-28 CVE-2013-0918 Google Permissions, Privileges, and Access Controls vulnerability in Google Chrome

Google Chrome before 26.0.1410.43 does not prevent navigation to developer tools in response to a drag-and-drop operation, which allows user-assisted remote attackers to have an unspecified impact via a crafted web site.

6.8
2013-03-27 CVE-2013-0258 Google Authenticator Login Project / Drupal Improper Authentication vulnerability in Google Authenticator Login Project GA Login 7.x-1.0/7.x-1.1/7.x-1.2

The Google Authenticator login (ga_login) module 7.x before 7.x-1.3 for Drupal, when multi-factor authentication is enabled, allows remote attackers to bypass authentication for accounts without an associated Google Authenticator token by logging in with the username.

6.8
2013-03-26 CVE-2013-1609 Symantec Local Privilege Escalation vulnerability in Symantec Enterprise Vault for File System Archiving 10.0.0

Multiple unquoted Windows search path vulnerabilities in the (1) File Collector and (2) File PlaceHolder services in Symantec Enterprise Vault (EV) for File System Archiving before 9.0.4 and 10.x before 10.0.1 allow local users to gain privileges via a Trojan horse program.

6.8
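Both the IBM AppScan/Rational Policy Tester entry (CVE-2013-0513) and the Symantec Enterprise Vault entry above are the same weakness: a Windows service whose ImagePath contains spaces but is not wrapped in double quotes. The following is an added example, not code from the page or from either vendor, that shows exactly which file names the service control manager would try for such a path, which is the list a local user needs write access to for the Trojan horse program the advisories describe. The service names and paths are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of service ImagePath values (not taken from the page or
# from the affected products). "BadSvc" has the shape of the weakness the
# AppScan, Rational Policy Tester and Enterprise Vault entries describe:
# spaces in the path and no surrounding double quotes.
SAMPLE_SERVICES: Dict[str, str] = {
    "GoodSvc":   '"C:\\Program Files\\Vendor Tool\\svc.exe" -run',
    "BadSvc":    "C:\\Program Files\\Vendor Tool\\Sub Dir\\svc.exe -run",
    "SystemSvc": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "NoSpaces":  "C:\\Vendor\\svc.exe",
}

# Locations that unprivileged users cannot normally write to; a service
# under these is not a practical target even if unquoted.
_TRUSTED_PREFIXES = ("c:\\windows\\", "%systemroot%")


def candidate_binaries(image_path: str) -> List[str]:
    """Return, in the order Windows tries them, the executables that an
    unquoted ImagePath with embedded spaces can be hijacked with.

    The service control manager hands the unquoted string to
    CreateProcess, which treats each space as a possible end of the
    program name and appends ".exe": "C:\\Program Files\\A B\\x.exe"
    is tried as C:\\Program.exe, then C:\\Program Files\\A.exe, then the
    real binary. Anyone who can create a file at one of the earlier
    names gets it run under the service account. Quoted paths and paths
    without spaces return an empty list.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Everything up to the first ".exe" is the program; the rest is args.
    match = re.match(r"(?i)(.*?\.exe)", path)
    if not match:
        return []
    exe = match.group(1)
    if exe.lower().startswith(_TRUSTED_PREFIXES):
        return []
    pieces = exe.split(" ")
    # One piece means no spaces in the program path: nothing to hijack.
    return [" ".join(pieces[:i]) + ".exe" for i in range(1, len(pieces))]


def find_unquoted(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Filter a {service name: ImagePath} mapping down to the hijackable ones."""
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        candidates = candidate_binaries(image_path)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, paths in find_unquoted(SAMPLE_SERVICES).items():
        print(name)
        for p in paths:
            print("   would try:", p)
```

On a real host the input mapping comes from the service configuration, for instance the Name and PathName columns of Win32_Service (wmic service get name,pathname or Get-CimInstance Win32_Service); the check is only meaningful when combined with the ACLs on the listed directories, since C:\ and C:\Program Files are not writable by standard users on a default install. The fix in every case is to quote the path in the service's ImagePath registry value.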
2013-03-26 CVE-2013-1608 Symantec Path Traversal vulnerability in Symantec NetBackup Appliance 2.0.0

Directory traversal vulnerability in the Management Console on the Symantec NetBackup (NBU) appliance 2.0.x allows remote attackers to read arbitrary files via unspecified vectors.

6.7
2013-03-29 CVE-2013-0511 IBM SQL Injection vulnerability in IBM Security AppScan

Multiple SQL injection vulnerabilities in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified parameters.

6.5
2013-03-25 CVE-2013-1836 Moodle Permissions, Privileges, and Access Controls vulnerability in Moodle

Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for WebDAV repositories, which allows remote authenticated users to read, modify, or delete arbitrary site-wide repositories by leveraging certain read access.

6.5
2013-03-27 CVE-2013-1859 Chris Desautels / Drupal Permissions, Privileges, and Access Controls vulnerability in Chris Desautels Node Parameter Control 6.x-1.0

The Node Parameter Control module 6.x-1.x for Drupal does not properly restrict access to the configuration options, which allows remote attackers to read and edit configuration options via unspecified vectors.

6.4
2013-03-26 CVE-2013-1161 Cisco Improper Input Validation vulnerability in Cisco Jabber IM

The XML parser in the Cisco Jabber IM application for Android allows remote authenticated users to cause a denial of service (blocked connection) by leveraging an entry on a Buddy list and sending a crafted XMPP presence update message, aka Bug ID CSCue38383.

6.3
2013-03-27 CVE-2013-0489 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Lotus Domino

Cross-site request forgery (CSRF) vulnerability in webadmin.nsf (aka the Web Administrator client) in IBM Domino 8.5.x allows remote authenticated users to hijack the authentication of administrators.

6.0
2013-03-29 CVE-2013-1299 Microsoft Spoofing vulnerability in Microsoft Windows Modern Mail

Microsoft Windows Modern Mail allows remote attackers to spoof link targets via a crafted HTML e-mail message.

5.8
2013-03-29 CVE-2013-0130 Core FTP Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Core FTP

Multiple buffer overflows in Core FTP before 2.2 build 1769 allow remote FTP servers to execute arbitrary code or cause a denial of service (application crash) via a long directory name in a (1) DELE, (2) LIST, or (3) VIEW command.

5.1
2013-03-27 CVE-2013-0320 Mattias Hutterer / Drupal Cross-Site Request Forgery (CSRF) vulnerability in Mattias Hutterer Taxonomy Manager

Cross-site request forgery (CSRF) vulnerability in the Taxonomy Manager (taxonomy_manager) module 6.x-2.x before 6.x-2.2 and 7.x-1.x before 7.x-1.0-rc1 for Drupal allows remote attackers to hijack the authentication of users with 'administer taxonomy' permissions via unspecified vectors.

5.1
2013-03-28 CVE-2013-1861 MariaDB / Red Hat Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

MariaDB 5.5.x before 5.5.30, 5.3.x before 5.3.13, 5.2.x before 5.2.15, and 5.1.x before 5.1.68, and Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote attackers to cause a denial of service (crash) via a crafted geometry feature that specifies a large number of points, which is not properly handled when processing the binary representation of this feature, related to a numeric calculation error.

5.0
2013-03-28 CVE-2013-1747 ngIRCd Remote Denial of Service vulnerability in ngIRCd 20/20.1

channel.c in ngIRCd 20 and 20.1 allows remote attackers to cause a denial of service (assertion failure and crash) via a KICK command for a user who is not on the associated channel.

5.0
2013-03-28 CVE-2013-0923 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

The USB Apps API in Google Chrome before 26.0.1410.43 allows remote attackers to cause a denial of service (memory corruption) via unspecified vectors.

5.0
2013-03-28 CVE-2013-0917 Google Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome

The URL loader in Google Chrome before 26.0.1410.43 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

5.0
2013-03-27 CVE-2013-0316 Drupal Resource Management Errors vulnerability in Drupal

The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests.

5.0
2013-03-27 CVE-2013-0257 David Alkire / Drupal Permissions, Privileges, and Access Controls vulnerability in David Alkire Email2Image 6.x-1.x/6.x-2.x

The email2image module 6.x-1.x and 6.x-2.x for Drupal does not properly restrict access to nodes, which allows remote attackers to read images of user email addresses and email fields.

5.0
2013-03-27 CVE-2013-0182 Bart Feenstra / Drupal Permissions, Privileges, and Access Controls vulnerability in Bart Feenstra Payment

The Payment module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to payments, which allows remote attackers to read arbitrary payments.

5.0
2013-03-27 CVE-2013-2300 PM9 Permissions, Privileges, and Access Controls vulnerability in PM9 FlickWnn

The FlickWnn (aka OpenWnn/Flick support) application 2.02 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem.

5.0
2013-03-27 CVE-2013-0720 Cob's Products Permissions, Privileges, and Access Controls vulnerability in Cob's Products COBIME 0.9.2/0.9.3

The COBIME application before 0.9.4 for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem.

5.0
2013-03-27 CVE-2013-0719 Codedesign Permissions, Privileges, and Access Controls vulnerability in Codedesign ArtIME Japanese Input 1.1.2

The ArtIME Japanese Input application 1.1.2 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem.

5.0
2013-03-27 CVE-2013-0718 Simeji Permissions, Privileges, and Access Controls vulnerability in Simeji 4.8

The Simeji application 4.8.1 and earlier for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem.

5.0
2013-03-26 CVE-2013-1162 Cisco Improper Input Validation vulnerability in Cisco IOS XR

The traffic engineering (TE) processing subsystem in Cisco IOS XR allows remote attackers to cause a denial of service (process restart) via crafted TE packets, aka Bug ID CSCue04000.

5.0
2013-03-25 CVE-2013-1831 Moodle Information Exposure vulnerability in Moodle

lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message.

5.0
2013-03-25 CVE-2013-1830 Fedora Project / Moodle Permissions, Privileges, and Access Controls vulnerability in multiple products

user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search.

5.0
2013-03-28 CVE-2013-2494 ISC Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in ISC DHCP

libdns in ISC DHCP 4.2.x before 4.2.5-P1 allows remote name servers to cause a denial of service (memory consumption) via vectors involving a regular expression, as demonstrated by a memory-exhaustion attack against a machine running a dhcpd process, a related issue to CVE-2013-2266.

4.9
2013-03-29 CVE-2013-2301 OMRON Permissions, Privileges, and Access Controls vulnerability in OMRON OpenWnn

The OMRON OpenWnn application before 1.3.6 for Android uses weak permissions for unspecified files, which allows attackers to obtain sensitive information via an application that accesses the local filesystem.

4.3
2013-03-29 CVE-2013-0512 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Rational Policy Tester and Security AppScan

Stack-based buffer overflow in the Manual Explore browser plug-in for Firefox in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to cause a denial of service (plug-in crash) via a crafted web page.

4.3
2013-03-29 CVE-2013-0510 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Security AppScan

IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 includes a security test that sends session cookies to a specific external server, which allows man-in-the-middle attackers to hijack the test account by capturing these cookies.

4.3
2013-03-29 CVE-2013-0474 IBM Information Exposure vulnerability in IBM Rational Policy Tester and Security AppScan

The Manual Explore browser plug-in in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allows remote attackers to discover test Platform Authentication credentials via a crafted web site.

4.3
2013-03-29 CVE-2013-0473 IBM Cross-Site Scripting vulnerability in IBM Rational Policy Tester and Security AppScan

Multiple cross-site scripting (XSS) vulnerabilities in IBM Security AppScan Enterprise 5.6 and 8.x before 8.7 and IBM Rational Policy Tester 5.6 and 8.x before 8.5.0.4 allow remote attackers to inject arbitrary web script or HTML via a crafted report.

4.3
2013-03-29 CVE-2012-6534 Novell Permissions, Privileges, and Access Controls vulnerability in Novell Sentinel Log Manager

Novell Sentinel Log Manager before 1.2.0.3 allows remote attackers to create data retention policies via a crafted text/x-gwt-rpc request to novelllogmanager/datastorageservice.rpc, and allows remote authenticated Report Administrators to create data retention policies via a search-results "Save Query As" "Save As Retention Policy" action.

4.3
2013-03-28 CVE-2013-2290 Aruba Networks Cross-Site Scripting vulnerability in Aruba Networks ArubaOS

Cross-site scripting (XSS) vulnerability in the dashboard of the ArubaOS Administration WebUI in Aruba Networks ArubaOS 6.2.x before 6.2.0.3, 6.1.3.x before 6.1.3.7, 6.1.x-FIPS before 6.1.4.3-FIPS, and 6.1.x-AirGroup before 6.1.3.6-AirGroup, as used by Mobility Controller, allows remote wireless access points to inject arbitrary web script or HTML via a crafted SSID.

4.3
2013-03-28 CVE-2013-0936 EMC Cross-Site Scripting vulnerability in EMC products

Cross-site scripting (XSS) vulnerability in EMC Smarts IP Manager, Smarts Service Assurance Manager, Smarts Server Manager, Smarts VoIP Availability Manager, Smarts Network Protocol Manager, and Smarts MPLS Manager before 9.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2013-03-27 CVE-2013-0325 Varnish Http Accelerator Integration Project / Drupal Cross-Site Scripting vulnerability in Varnish Http Accelerator Integration Project Varnish

Multiple cross-site scripting (XSS) vulnerabilities in the Varnish module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta2 for Drupal allow remote attackers to inject arbitrary web script or HTML via a crafted (1) Watchdog message or (2) admin setting.

4.3
2013-03-27 CVE-2013-0323 Display Suite Project / Drupal Cross-Site Scripting vulnerability in Display Suite Project DS

Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-1.x before 7.x-1.7 and 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via the author field.

4.3
2013-03-27 CVE-2013-0322 Ubercart / Drupal Cross-Site Scripting vulnerability in Ubercart

Cross-site scripting (XSS) vulnerability in Views in the Ubercart module 7.x-3.x before 7.x-3.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.

4.3
2013-03-27 CVE-2013-0321 Ubercart Views Project / Drupal Cross-Site Scripting vulnerability in Ubercart Views Project UC Views

Cross-site scripting (XSS) vulnerability in Views in the Ubercart Views (uc_views) module 6.x before 6.x-3.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the full name field.

4.3
2013-03-27 CVE-2013-0319 Yandex.Metrics Project / Drupal Cross-Site Scripting vulnerability in Yandex.Metrics Project Yandex.Metrics

Cross-site scripting (XSS) vulnerability in the Yandex.Metrics module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to the Yandex.Metrica service data.

4.3
2013-03-27 CVE-2013-0317 Joe Haskins / Drupal Cross-Site Scripting vulnerability in Joe Haskins OG Manager Change 7.x-2.0/7.x-2.x

Cross-site scripting (XSS) vulnerability in the Manager Change for Organic Groups (og_manager_change) module 7.x-2.x before 7.x-2.1 for Drupal might allow remote attackers to inject arbitrary web script or HTML via the username in the new manager autocomplete field.

4.3
2013-03-27 CVE-2013-0488 IBM Cross-Site Scripting vulnerability in IBM Lotus Domino

Cross-site scripting (XSS) vulnerability in webadmin.nsf (aka the Web Administrator client) in IBM Domino 8.5.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2013-03-27 CVE-2013-0486 IBM Resource Management Errors vulnerability in IBM Lotus Domino

Memory leak in the HTTP server in IBM Domino 8.5.x allows remote attackers to cause a denial of service (memory consumption and daemon crash) via GET requests, aka SPR KLYH92NKZY.

4.3
2013-03-26 CVE-2012-5943 IBM Cross-Site Scripting vulnerability in IBM Lotus iNotes

Cross-site scripting (XSS) vulnerability in IBM iNotes 8.5.x before 8.5.3 FP4 allows user-assisted remote attackers to inject arbitrary web script or HTML via vectors involving mail, aka SPR JDOE8ZZS9.

4.3
2013-03-26 CVE-2013-0454 Canonical / Samba / IBM Permissions, Privileges, and Access Controls vulnerability in multiple products

The SMB2 implementation in Samba 3.6.x before 3.6.6, as used on the IBM Storwize V7000 Unified 1.3 before 1.3.2.3 and 1.4 before 1.4.0.1 and possibly other products, does not properly enforce CIFS share attributes, which allows remote authenticated users to (1) write to a read-only share; (2) trigger data-integrity problems related to the oplock, locking, coherency, or leases attribute; or (3) have an unspecified impact by leveraging incorrect handling of the browseable or "hide unreadable" parameter.

4.0
2013-03-25 CVE-2013-1834 Moodle Permissions, Privileges, and Access Controls vulnerability in Moodle

notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field.

4.0
2013-03-25 CVE-2013-1832 Moodle Information Exposure vulnerability in Moodle

repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance.

4.0
2013-03-25 CVE-2013-1829 Moodle Information Exposure vulnerability in Moodle 2.4.0/2.4.1

calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not consider capability requirements before displaying calendar subscriptions, which allows remote authenticated users to obtain potentially sensitive information by leveraging the student role.

4.0

19 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-03-25 CVE-2013-1835 Moodle Information Exposure vulnerability in Moodle

Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature.

3.5
2013-03-25 CVE-2013-1833 Moodle Cross-Site Scripting vulnerability in Moodle

Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename.

3.5
2013-03-27 CVE-2013-0181 Thomas Seidl / Drupal Cross-Site Scripting vulnerability in Thomas Seidl Search API

Cross-site scripting (XSS) vulnerability in Views in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal, when using certain backends and facets, allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message.

2.6
2013-03-27 CVE-2013-1887 Views Project / Drupal Cross-Site Scripting vulnerability in Views Project Views

Multiple cross-site scripting (XSS) vulnerabilities in the Views module 7.x-3.x before 7.x-3.6 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via certain view configuration fields.

2.1
2013-03-27 CVE-2013-2715 Thomas Seidl / Drupal Cross-Site Scripting vulnerability in Thomas Seidl Search API

Cross-site scripting (XSS) vulnerability in the admin view in the Search API (search_api) module 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a crafted field name.

2.1
2013-03-27 CVE-2013-1787 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Corporate

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Simple Corporate theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2013-03-27 CVE-2013-1786 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Company

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Company theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2013-03-27 CVE-2013-1785 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Responsive

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Premium Responsive theme before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2013-03-27 CVE-2013-1784 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Clean Theme 7.X1.0/7.X1.1/7.X1.2

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Clean Theme before 7.x-1.3 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2013-03-27 CVE-2013-1783 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Business

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in page--front.tpl.php in the Business theme before 7.x-1.8 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2013-03-27 CVE-2013-1782 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Responsive Blog

Cross-site scripting (XSS) vulnerability in the Responsive Blog Theme 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.

2.1
2013-03-27 CVE-2013-1781 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Professional Theme

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Professional theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2013-03-27 CVE-2013-1780 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Best Responsive 7.X1.0

Cross-site scripting (XSS) vulnerability in the Best Responsive Theme 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.

2.1
2013-03-27 CVE-2013-1779 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Fresh

Cross-site scripting (XSS) vulnerability in the 3 slide gallery in the Fresh theme before 7.x-1.4 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2013-03-27 CVE-2013-1778 Devsaran / Drupal Cross-Site Scripting vulnerability in Devsaran Creative 7.X1.0/7.X1.1

Cross-site scripting (XSS) vulnerability in the Creative Theme 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the administer themes permission to inject arbitrary web script or HTML via vectors related to social icons.

2.1
2013-03-27 CVE-2013-0324 Tomasbarej / Drupal Cross-Site Scripting vulnerability in Tomasbarej Menu Reference 7.X1.X

Cross-site scripting (XSS) vulnerability in the Rendered links formatter in the Menu Reference module 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with the "Administer menus and menu items" permission to inject arbitrary web script or HTML via the menu link title.

2.1
2013-03-27 CVE-2013-0260 Elliot Pahl / Drupal Unspecified vulnerability in Elliot Pahl Drush Debian Packaging

Unspecified vulnerability in the Drush Debian Packaging module for Drupal allows local users to obtain database credentials via unknown vectors.

2.1
2013-03-27 CVE-2013-0259 Boxes Project / Drupal Cross-Site Scripting vulnerability in Boxes Project Boxes 7.X1.0/7.X1.X

Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter.

2.1
2013-03-26 CVE-2013-0525 IBM Cross-Site Scripting vulnerability in IBM Lotus Inotes

Multiple cross-site scripting (XSS) vulnerabilities in IBM iNotes 8.5.x allow local users to inject arbitrary web script or HTML via a shared mail file, aka SPR DKEN8PDNTX.

1.5