Weekly Vulnerabilities Reports > September 2 to 8, 2013

Overview

46 new vulnerabilities reported during this period, including 9 critical vulnerabilities and 3 high severity vulnerabilities. This weekly summary report vulnerabilities in 149 products from 12 vendors including Open Xchange, Cisco, Trivantis, Supermicro, and IBM. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Input Validation", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", and "Cross-Site Request Forgery (CSRF)".

  • 44 reported vulnerabilities are remotely exploitables.
  • 12 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 36 reported vulnerabilities are exploitable by an anonymous user.
  • Open Xchange has the most reported vulnerabilities, with 13 reported vulnerabilities.
  • Cisco has the most reported critical vulnerabilities, with 5 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

9 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-09-08 CVE-2013-3609 Supermicro Improper Input Validation vulnerability in Supermicro products

The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices relies on JavaScript code on the client for authorization checks, which allows remote authenticated users to bypass intended access restrictions via a crafted request, related to the PrivilegeCallBack function.

10.0
2013-09-08 CVE-2013-3608 Supermicro Improper Input Validation vulnerability in Supermicro products

The web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices allows remote authenticated users to execute arbitrary commands via shell metacharacters, as demonstrated by the IP address field in config_date_time.cgi.

10.0
2013-09-08 CVE-2013-3607 Supermicro Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Supermicro products

Multiple stack-based buffer overflows in the web interface in the Intelligent Platform Management Interface (IPMI) implementation on Supermicro H8DC*, H8DG*, H8SCM-F, H8SGL-F, H8SM*, X7SP*, X8DT*, X8SI*, X9DAX-*, X9DB*, X9DR*, X9QR*, X9SBAA-F, X9SC*, X9SPU-F, and X9SR* devices allow remote attackers to execute arbitrary code on the Baseboard Management Controller (BMC), as demonstrated by the (1) username or (2) password field in login.cgi.

10.0
2013-09-06 CVE-2013-3599 Trivantis Improper Input Validation vulnerability in Trivantis Coursemill Learning Management System 6.6/6.8

userlogin.jsp in Coursemill Learning Management System (LMS) 6.6 and 6.8 allows remote attackers to gain privileges via a modified user-role value to home.html.

9.3
2013-09-06 CVE-2013-1119 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Recording Format Player

Buffer overflow in Cisco WebEx Recording Format (WRF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted DHT index value in JPEG data within a WRF file, aka Bug ID CSCuc24503.

9.3
2013-09-06 CVE-2013-1118 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Recording Format Player

Stack-based buffer overflow in Cisco WebEx Recording Format (WRF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code via a crafted WRF file, aka Bug ID CSCuc27645.

9.3
2013-09-06 CVE-2013-1117 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Recording Format Player

Buffer overflow in the exception handler in Cisco WebEx Recording Format (WRF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted WRF file, aka Bug ID CSCuc27639.

9.3
2013-09-06 CVE-2013-1116 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Advanced Recording Format Player

Buffer overflow in Cisco WebEx Advanced Recording Format (ARF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a crafted ARF file, aka Bug IDs CSCue74147 and CSCub28383.

9.3
2013-09-06 CVE-2013-1115 Cisco Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Advanced Recording Format Player

Buffer overflow in Cisco WebEx Advanced Recording Format (ARF) player T27 LD before SP32 EP16, T27 L10N before SP32_ORION111, and T28 before T28.8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted ARF file, aka Bug IDs CSCue74118, CSCub28371, CSCud23401, and CSCud31109.

9.3

3 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-09-06 CVE-2013-3600 Trivantis Improper Input Validation vulnerability in Trivantis Coursemill Learning Management System 6.6

Coursemill Learning Management System (LMS) 6.6 allows remote authenticated users to gain privileges via a modified userid value to unspecified functions.

8.5
2013-09-06 CVE-2013-3602 Trivantis SQL Injection vulnerability in Trivantis Coursemill Learning Management System 6.6

SQL injection vulnerability in admindocumentworker.jsp in Coursemill Learning Management System (LMS) 6.6 allows remote authenticated users to execute arbitrary SQL commands via the docID parameter.

7.5
2013-09-08 CVE-2013-3458 Cisco Buffer Errors vulnerability in Cisco products

Cisco Adaptive Security Appliances (ASA) devices, when SMP is used, do not properly process X.509 certificates, which allows remote attackers to cause a denial of service (device crash) via a large volume of (1) SSL or (2) TLS traffic, aka Bug ID CSCuh19462.

7.1

29 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-09-06 CVE-2013-5708 Trivantis Cross-Site Request Forgery (CSRF) vulnerability in Trivantis Coursemill Learning Management System 6.8

Coursemill Learning Management System (LMS) 6.8 constructs secret tokens based on time values, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via vectors related to cookies, a different vulnerability than CVE-2013-3605.

6.8
2013-09-06 CVE-2013-3605 Trivantis Cross-Site Request Forgery (CSRF) vulnerability in Trivantis Coursemill Learning Management System 6.6

Cross-site request forgery (CSRF) vulnerability in Coursemill Learning Management System (LMS) 6.6 allows remote attackers to hijack the authentication of arbitrary users via vectors related to cookies.

6.8
2013-09-05 CVE-2013-5471 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Global Site Selector

Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco Global Site Selector (GSS) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuh42164.

6.8
2013-09-05 CVE-2013-3479 Sharethis
Wordpress
Cross-Site Request Forgery (CSRF) vulnerability in Sharethis

Cross-site request forgery (CSRF) vulnerability in the ShareThis plugin before 7.0.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify this plugin's settings.

6.8
2013-09-06 CVE-2013-3601 Trivantis Permissions, Privileges, and Access Controls vulnerability in Trivantis Coursemill Learning Management System 6.6

Coursemill Learning Management System (LMS) 6.6 does not properly restrict JSP function calls, which allows remote authenticated users to perform arbitrary JSP operations by leveraging the Student role and providing an op parameter.

6.0
2013-09-05 CVE-2013-3276 EMC Permissions, Privileges, and Access Controls vulnerability in EMC RSA Archer Egrc

EMC RSA Archer GRC 5.x before 5.4 allows remote authenticated users to bypass intended access restrictions and complete a login by leveraging a deactivated account.

6.0
2013-09-05 CVE-2013-3277 EMC Improper Input Validation vulnerability in EMC RSA Archer Egrc

Open redirect vulnerability in EMC RSA Archer GRC 5.x before 5.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2013-09-05 CVE-2013-1651 Open Xchange Cryptographic Issues vulnerability in Open-Xchange Server 6.20.7/6.22.0/6.22.1

OXUpdater in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof update servers and install arbitrary software via a crafted certificate.

5.8
2013-09-08 CVE-2013-5132 Apple Numeric Errors vulnerability in Apple Airport Base Station Firmware

Apple AirPort Base Station Firmware before 7.6.4 does not properly handle incorrect frame lengths, which allows remote attackers to cause a denial of service (device crash) by associating with the access point and then sending a short frame.

5.4
2013-09-08 CVE-2013-0531 IBM Cryptographic Issues vulnerability in IBM Security Appscan

The SSL implementation in IBM Security AppScan Enterprise before 8.7.0.1 enables cipher suites with weak encryption algorithms, which makes it easier for remote attackers to obtain sensitive information by sniffing the network.

5.0
2013-09-05 CVE-2013-2582 Open Xchange Code Injection vulnerability in Open-Xchange Appsuite and Open-Xchange Server

CRLF injection vulnerability in the redirect servlet in Open-Xchange AppSuite and Server before 6.22.0 rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allows remote attackers to inject arbitrary HTTP headers and conduct open redirect attacks by leveraging improper sanitization of whitespace characters.

5.0
2013-09-05 CVE-2013-1647 Open Xchange Code Injection vulnerability in Open-Xchange Server 6.20.7/6.22.0/6.22.1

Multiple CRLF injection vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter, as demonstrated by (1) the location parameter to ajax/redirect or (2) multiple infostore URIs.

5.0
2013-09-04 CVE-2013-5470 Cisco Improper Input Validation vulnerability in Cisco Secure Access Control System

Cisco Secure Access Control System (ACS) does not properly handle requests to read from the TACACS+ socket, which allows remote attackers to cause a denial of service (process crash) via malformed TCP packets, aka Bug ID CSCuh12488.

5.0
2013-09-04 CVE-2013-3469 Cisco Information Exposure vulnerability in Cisco Mobility Services Engine

Cisco Mobility Services Engine does not properly set up the Oracle SSL service, which allows remote attackers to obtain an unauthenticated session to the database-replication port, and consequently obtain sensitive information, via an SSL connection, aka Bug ID CSCue50794.

5.0
2013-09-05 CVE-2013-5035 Htmlcleaner Project
Open Xchange
Race Condition vulnerability in multiple products

Multiple race conditions in HtmlCleaner before 2.6, as used in Open-Xchange AppSuite 7.2.2 before rev13 and other products, allow remote authenticated users to read the private e-mail of other persons in opportunistic circumstances by leveraging lack of thread safety and performing a rapid series of (1) mail-sending or (2) draft-saving operations.

4.9
2013-09-08 CVE-2013-5483 Cisco Cross-Site Scripting vulnerability in Cisco Socialminer

Cross-site scripting (XSS) vulnerability in bookmarklet.jsp in Cisco SocialMiner allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCuh73868.

4.3
2013-09-06 CVE-2013-5707 Trivantis Cross-Site Scripting vulnerability in Trivantis Coursemill Learning Management System 6.8

Multiple cross-site scripting (XSS) vulnerabilities in Coursemill Learning Management System (LMS) 6.8 allow remote attackers to inject arbitrary web script or HTML via crafted input containing a %22 sequence, a different issue than CVE-2013-3604.

4.3
2013-09-06 CVE-2013-5706 Trivantis Cross-Site Scripting vulnerability in Trivantis Coursemill Learning Management System 6.8

Multiple cross-site scripting (XSS) vulnerabilities in Coursemill Learning Management System (LMS) 6.8 allow remote attackers to inject arbitrary web script or HTML via vectors related to error messages and (1) crafted event attributes or (2) > (greater than) characters that are optional within a browser's HTML implementation, a different issue than CVE-2013-3603.

4.3
2013-09-06 CVE-2013-3604 Trivantis Cross-Site Scripting vulnerability in Trivantis Coursemill Learning Management System 6.6

Multiple cross-site scripting (XSS) vulnerabilities in Coursemill Learning Management System (LMS) 6.6 allow remote attackers to inject arbitrary web script or HTML via crafted input.

4.3
2013-09-06 CVE-2013-3603 Trivantis Cross-Site Scripting vulnerability in Trivantis Coursemill Learning Management System 6.6

Cross-site scripting (XSS) vulnerability in Coursemill Learning Management System (LMS) 6.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.

4.3
2013-09-06 CVE-2013-1228 Cisco Cryptographic Issues vulnerability in Cisco Jabber

Cisco Jabber on Windows does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify the client-server data stream via a crafted certificate, aka Bug ID CSCug30280.

4.3
2013-09-06 CVE-2012-5990 Cisco Cross-Site Scripting vulnerability in Cisco products

Multiple cross-site scripting (XSS) vulnerabilities in Health Monitor Login pages in Cisco Prime Network Control System (NCS) and Wireless Control System (WCS) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCud18375.

4.3
2013-09-05 CVE-2013-3106 Open Xchange Cross-Site Scripting vulnerability in Open-Xchange Appsuite and Open-Xchange Server

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite and Server before 6.20.7 rev18, 6.22.0 before rev16, 6.22.1 before rev19, 7.0.1 before rev7, 7.0.2 before rev11, and 7.2.0 before rev8 allow remote attackers to inject arbitrary web script or HTML via (1) embedded VBScript, (2) object/data Base64 content, (3) a Content-Type header, or (4) UTF-16 encoding, aka Bug IDs 25957, 26237, 26243, and 26244.

4.3
2013-09-05 CVE-2013-2583 Open Xchange Cross-Site Scripting vulnerability in Open-Xchange Appsuite and Open-Xchange Server

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange AppSuite and Server before 6.20.7 rev16, 6.22.0 before rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allow remote attackers to inject arbitrary web script or HTML via (1) a javascript: URL, (2) malformed nested SCRIPT elements, (3) a mail signature, or (4) JavaScript code within an image file.

4.3
2013-09-05 CVE-2013-1649 Open Xchange Credentials Management vulnerability in Open-Xchange Server 6.20.7/6.22.0/6.22.1

Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses the crypt and SHA-1 algorithms for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack.

4.3
2013-09-05 CVE-2013-1646 Open Xchange Cross-Site Scripting vulnerability in Open-Xchange Server 6.20.7/6.22.0/6.22.1

Multiple cross-site scripting (XSS) vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary web script or HTML via (1) invalid JSON data in a mail-sending POST request, (2) an arbitrary parameter to servlet/TestServlet, (3) a javascript: URL in a standalone-mode action to a UWA module, (4) an infostore attachment, (5) JavaScript code in a contact image, (6) an RSS feed, or (7) a signature.

4.3
2013-09-04 CVE-2013-1661 Vmware Improper Input Validation vulnerability in VMWare ESX and Esxi

VMware ESXi 4.0 through 5.1, and ESX 4.0 and 4.1, does not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to cause a denial of service (unhandled exception and application crash) by modifying the client-server data stream.

4.3
2013-09-08 CVE-2013-3596 Advanceprotech Permissions, Privileges, and Access Controls vulnerability in Advanceprotech Advanceware

AdvancePro Advanceware allows remote authenticated users to obtain sensitive information about arbitrary customers' orders via a modified id parameter.

4.0
2013-09-05 CVE-2013-1645 Open Xchange Path Traversal vulnerability in Open-Xchange Server 6.20.7/6.22.0/6.22.1

Directory traversal vulnerability in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allows remote authenticated users to read arbitrary files via a ..

4.0

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2013-09-05 CVE-2013-5698 Open Xchange Cross-Site Scripting vulnerability in Open-Xchange Appsuite and Open-Xchange Server

Cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite and Server before 6.22.0 rev16, 6.22.1 before rev19, 7.0.1 before rev7, 7.0.2 before rev11, and 7.2.0 before rev8 allows remote authenticated users to inject arbitrary web script or HTML via a delivery=view action, aka Bug ID 26373, a different vulnerability than CVE-2013-3106.

3.5
2013-09-05 CVE-2013-4790 Open Xchange Credentials Management vulnerability in Open-Xchange Appsuite

Open-Xchange AppSuite before 7.0.2 rev14, 7.2.0 before rev11, 7.2.1 before rev10, and 7.2.2 before rev9 relies on user-supplied data to predict the IMAP server hostname for an external domain name, which allows remote authenticated users to discover e-mail credentials of other users in opportunistic circumstances via a manual-mode association of a personal e-mail address with the hostname of a crafted IMAP server.

3.5
2013-09-05 CVE-2013-1648 Open Xchange Improper Input Validation vulnerability in Open-Xchange Server 6.20.7/6.22.0/6.22.1

The Subscriptions feature in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 does not properly validate the publication-source URL, which allows remote authenticated users to trigger arbitrary outbound TCP traffic via a crafted Source field, as demonstrated by (1) an ftp: URL, (2) a gopher: URL, or (3) an http://127.0.0.1/ URL, related to a "Server-side request forging (SSRF)" issue.

3.5
2013-09-05 CVE-2013-1650 Open Xchange Permissions, Privileges, and Access Controls vulnerability in Open-Xchange Server 6.20.7/6.22.0/6.22.1

Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 uses weak permissions (group "other" readable) under opt/open-xchange/etc/, which allows local users to obtain sensitive information via standard filesystem operations.

2.1
2013-09-08 CVE-2013-2997 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Security Appscan

IBM Security AppScan Enterprise before 8.7 does not invalidate the session context upon a logout action, which allows remote attackers to hijack sessions by leveraging an unattended workstation.

1.7