Weekly Vulnerabilities Reports > December 30, 2013 to January 5, 2014

Overview

63 new vulnerabilities were reported during this period, including 12 critical and 5 high severity vulnerabilities. This weekly summary reports vulnerabilities in 49 products from 39 vendors, including HP, HOT, Wordpress, Fatfreecrm, and OP5. The vulnerabilities are notably categorized as "Cross-site Scripting", "Cross-Site Request Forgery (CSRF)", "Improper Input Validation", "SQL Injection", and "Information Exposure".

  • 55 reported vulnerabilities are remotely exploitable.
  • 6 reported vulnerabilities have a public exploit available.
  • 25 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 55 reported vulnerabilities are exploitable by an anonymous user.
  • HP has the most reported vulnerabilities, with 10 reported vulnerabilities.
  • HP has the most reported critical vulnerabilities, with 9 reported vulnerabilities.

Summary counters: total vulnerabilities (63); critical risk (12); high risk (5); medium risk (38); low risk (8); remotely exploitable (55); locally exploitable; exploit available (6); exploitable anonymously (55); affecting web application.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:


12 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-01-04 CVE-2013-6195 HP Unspecified vulnerability in HP Storage Data Protector 6.20/6.21

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-2008.

10.0
2014-01-04 CVE-2013-6194 HP Unspecified vulnerability in HP Storage Data Protector 6.20/6.21

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1905.

10.0
2014-01-04 CVE-2013-2350 HP Unspecified vulnerability in HP Storage Data Protector 6.20/6.21

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1897.

10.0
2014-01-04 CVE-2013-2349 HP Unspecified vulnerability in HP Storage Data Protector 6.20/6.21

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1896.

10.0
2014-01-04 CVE-2013-2348 HP Unspecified vulnerability in HP Storage Data Protector 6.20/6.21

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1892.

10.0
2014-01-04 CVE-2013-2347 HP Unspecified vulnerability in HP Storage Data Protector 6.20/6.21

The Backup Client Service (OmniInet.exe) in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary commands or cause a denial of service via a crafted EXEC_BAR packet to TCP port 5555, aka ZDI-CAN-1885.

10.0
2014-01-04 CVE-2013-2346 HP Unspecified vulnerability in HP Storage Data Protector 6.20/6.21

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1870.

10.0
2014-01-04 CVE-2013-2345 HP Unspecified vulnerability in HP Storage Data Protector 6.20/6.21

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1869.

10.0
2014-01-04 CVE-2013-2344 HP Unspecified vulnerability in HP Storage Data Protector 6.20/6.21

Unspecified vulnerability in HP Storage Data Protector 6.2X allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1866.

10.0
2013-12-31 CVE-2012-0264 OP5 Permissions, Privileges, and Access Controls vulnerability in OP5 Monitor 5.3.5/5.4.0/5.4.2

op5 Monitor and op5 Appliance before 5.5.0 do not properly manage session cookies, which allows remote attackers to have an unspecified impact via unspecified vectors.

10.0
2013-12-31 CVE-2012-0262 OP5 Code Injection vulnerability in OP5 Monitor and System-Op5Config

op5config/welcome in system-op5config before 2.0.3 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter.

10.0
2013-12-31 CVE-2012-0261 OP5 Code Injection vulnerability in OP5 Monitor and System-Portal

license.php in system-portal before 1.6.2 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the timestamp parameter for an install action.

10.0

5 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-01-02 CVE-2013-5385 IBM Improper Input Validation vulnerability in IBM I and Z/Os

The OSPF implementation in IBM i 6.1 and 7.1, in z/OS on zSeries servers, and in Networking Operating System (aka NOS, formerly BLADE Operating System) does not properly validate Link State Advertisement (LSA) type 1 packets before performing operations on the LSA database, which allows remote attackers to cause a denial of service (routing disruption) or obtain sensitive packet information via a crafted LSA packet, a related issue to CVE-2013-0149.

8.5
2014-01-03 CVE-2013-7260 Realnetworks Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks Realplayer

Multiple stack-based buffer overflows in RealNetworks RealPlayer before 17.0.4.61 on Windows, and Mac RealPlayer before 12.0.1.1738, allow remote attackers to execute arbitrary code via a long (1) version number or (2) encoding declaration in the XML declaration of an RMP file, a different issue than CVE-2013-6877.

7.5
2014-01-03 CVE-2009-5137 Mini Stream Buffer Errors vulnerability in Mini-Stream Castripper 2.50.70

Stack-based buffer overflow in Mini-stream CastRipper 2.50.70 allows remote attackers to execute arbitrary code via a long URL in the [playlist] section in a .pls file, a different vector than CVE-2009-1667.

7.5
2013-12-31 CVE-2013-6987 Synology Path Traversal vulnerability in Synology Diskstation Manager 4.33810

Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3 allow remote attackers to read, write, and delete arbitrary files via a ..

7.5
2013-12-30 CVE-2013-7232 Esri SQL Injection vulnerability in Esri Arcgis

SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service.

7.5

38 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-01-05 CVE-2013-7262 Osgeo, UMN SQL Injection vulnerability in multiple products

SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.

6.8
2014-01-03 CVE-2014-0791 Freerdp Numeric Errors vulnerability in Freerdp 1.0.0/1.0.1/1.0.2

Integer overflow in the license_read_scope_list function in libfreerdp/core/license.c in FreeRDP through 1.0.2 allows remote RDP servers to cause a denial of service (application crash) or possibly have unspecified other impact via a large ScopeCount value in a Scope List in a Server License Request packet.

6.8
2014-01-03 CVE-2013-7256 Opsview Cross-Site Request Forgery (CSRF) vulnerability in Opsview

Cross-site request forgery (CSRF) vulnerability in Opsview before 4.4.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.8
2014-01-03 CVE-2013-6992 Askapache, Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Askapache Firefox Adsense 3.0

Cross-site request forgery (CSRF) vulnerability in askapache-firefox-adsense.php in the AskApache Firefox Adsense plugin 3.0 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the aafireadcode parameter to wp-admin/options-general.php.

6.8
2014-01-02 CVE-2013-7251 Projectforge Cross-Site Request Forgery (CSRF) vulnerability in Projectforge

Multiple cross-site request forgery (CSRF) vulnerabilities in ProjectForge before 5.3 allow remote attackers to hijack the authentication of arbitrary users via vectors related to (1) web/admin/, (2) web/core/, (3) web/dialog/, (4) web/fibu/, (5) web/mobile/, (6) web/task/, or (7) web/wicket/.

6.8
2014-01-02 CVE-2013-7223 Fatfreecrm Cross-Site Request Forgery (CSRF) vulnerability in Fatfreecrm FAT Free CRM

Multiple cross-site request forgery (CSRF) vulnerabilities in Fat Free CRM before 0.12.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to the lack of a protect_from_forgery line in app/controllers/application_controller.rb.

6.8
2013-12-30 CVE-2013-7209 Jforum Cross-Site Request Forgery (CSRF) vulnerability in Jforum

Cross-site request forgery (CSRF) vulnerability in admBase/login.page in the Admin module in JForum allows remote attackers to hijack the authentication of administrators for requests that change the user group permissions of arbitrary users via a groupsSave action.

6.8
2013-12-30 CVE-2013-7233 Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Wordpress

Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list.

6.8
2014-01-02 CVE-2013-7225 Fatfreecrm SQL Injection vulnerability in Fatfreecrm FAT Free CRM

Multiple SQL injection vulnerabilities in app/controllers/home_controller.rb in Fat Free CRM before 0.12.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the homepage timeline feature or (2) the activity feature.

6.5
2013-12-31 CVE-2013-7242 Zenphoto SQL Injection vulnerability in Zenphoto

SQL injection vulnerability in zp-core/zp-extensions/wordpress_import.php in Zenphoto before 1.4.5.4 allows remote authenticated administrators to execute arbitrary SQL commands via the tableprefix parameter.

6.5
2013-12-31 CVE-2013-6983 Cisco SQL Injection vulnerability in Cisco Unified Presence Server

SQL injection vulnerability in the web interface in Cisco Unified Presence Server allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCuh35615.

6.5
2013-12-31 CVE-2013-3667 Barebones Improper Input Validation vulnerability in Barebones Bbedit, Textwrangler and Yojimbo

The software update mechanism as used in Bare Bones Software Yojimbo before 4.0, TextWrangler before 4.5.3, and BBEdit before 10.5.5 does not properly download and verify updates before installation, which allows attackers to perform "tampering or corruption" of the updates.

6.4
2013-12-30 CVE-2013-5220 HOT Improper Input Validation vulnerability in HOT Hotbox Router and Hotbox Router Firmware

goform/login on the HOT HOTBOX router with software 2.1.11 allows remote attackers to cause a denial of service (device crash) via crafted HTTP POST data.

6.1
2014-01-03 CVE-2013-7255 Opsview Improper Input Validation vulnerability in Opsview

Open redirect vulnerability in Opsview before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2014-01-01 CVE-2013-6450 Openssl Cryptographic Issues vulnerability in Openssl

The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.

5.8
2013-12-30 CVE-2013-5038 HOT Improper Authentication vulnerability in HOT Hotbox Router and Hotbox Router Firmware

The HOT HOTBOX router with software 2.1.11 allows remote attackers to bypass authentication by configuring a source IP address that had previously been used for an authenticated session.

5.8
2013-12-30 CVE-2013-5039 HOT Cross-Site Request Forgery (CSRF) vulnerability in HOT Hotbox Router and Hotbox Router Firmware

Cross-site request forgery (CSRF) vulnerability in goform/wlanBasicSecurity on the HOT HOTBOX router with software 2.1.11 allows remote attackers to hijack the authentication of administrators for requests that change the WiFi Security field to Deactivated via the WifiSecurity parameter.

5.4
2014-01-05 CVE-2012-2898 Google, Apple Cryptographic Issues vulnerability in Google Chrome

Google Chrome before 21.0.1180.82 on iOS on iPad devices allows remote attackers to spoof the Omnibox URL via vectors involving SSL error messages, a related issue to CVE-2012-0674.

5.0
2014-01-03 CVE-2013-6953 Dotnetblogengine Information Exposure vulnerability in Dotnetblogengine Blogengine.Net

BlogEngine.NET 2.8.0.0 and earlier allows remote attackers to read usernames and password hashes via a request for the sioc.axd file.

5.0
2014-01-03 CVE-2013-7240 Westerndeal, Wordpress Path Traversal vulnerability in multiple products

Directory traversal vulnerability in download-file.php in the Advanced Dewplayer plugin 1.2 for WordPress allows remote attackers to read arbitrary files via a ..

5.0
2014-01-02 CVE-2013-7249 Fatfreecrm Information Exposure vulnerability in Fatfreecrm FAT Free CRM

Fat Free CRM before 0.12.1 does not restrict XML serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.xml, a different vulnerability than CVE-2013-7224.

5.0
2014-01-02 CVE-2013-7224 Fatfreecrm Information Exposure vulnerability in Fatfreecrm FAT Free CRM

Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json.

5.0
2014-01-02 CVE-2013-7222 Fatfreecrm Cryptographic Issues vulnerability in Fatfreecrm FAT Free CRM

config/initializers/secret_token.rb in Fat Free CRM before 0.12.1 has a fixed FatFreeCRM::Application.config.secret_token value, which makes it easier for remote attackers to spoof signed cookies by referring to the key in the source code.

5.0
2014-01-02 CVE-2013-5211 Opensuse, NTP Improper Input Validation vulnerability in multiple products

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.

5.0
2014-01-03 CVE-2013-2119 Phusion, Ruby Lang, Redhat Permissions, Privileges, and Access Controls vulnerability in multiple products

Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.

4.6
2014-01-05 CVE-2012-2899 Google, Apple Cross-Site Scripting vulnerability in Google Chrome

Google Chrome before 21.0.1180.82 on iOS makes certain incorrect calls to WebView methods that trigger use of an applewebdata: URL, which allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors involving the document.write method.

4.3
2014-01-03 CVE-2013-7258 Web2Ldap Cross-Site Scripting vulnerability in Web2Ldap

Cross-site scripting (XSS) vulnerability in web2ldap 1.1.x before 1.1.49 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "displaying group DN and entry data in group administration UI."

4.3
2014-01-03 CVE-2013-7257 Codiad Cross-Site Scripting vulnerability in Codiad 2.0.7

Cross-site scripting (XSS) vulnerability in Codiad 2.0.7 allows remote attackers to inject arbitrary web script or HTML via the Project Name field.

4.3
2014-01-03 CVE-2013-7254 Opsview Cross-Site Scripting vulnerability in Opsview

Cross-site scripting (XSS) vulnerability in Opsview before 4.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2014-01-03 CVE-2013-6993 AD Minister Project, Wordpress Cross-Site Scripting vulnerability in Ad-Minister Project Ad-Minister

Cross-site scripting (XSS) vulnerability in the Ad-minister plugin 0.6 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the key parameter in a delete action to wp-admin/tools.php.

4.3
2014-01-03 CVE-2013-6991 Wokamoto, Wordpress Cross-Site Scripting vulnerability in Wokamoto Wp-Cron Dashboard

Cross-site scripting (XSS) vulnerability in the WP-Cron Dashboard plugin 1.1.5 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the procname parameter to wp-admin/tools.php.

4.3
2013-12-31 CVE-2013-3572 UI Cross-Site Scripting vulnerability in UI Unifi 2.3.5

Cross-site scripting (XSS) vulnerability in the administer interface in the UniFi Controller in Ubiquiti Networks UniFi 2.3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted client hostname.

4.3
2013-12-31 CVE-2013-6459 Mislav Marohnic Cross-Site Scripting vulnerability in Mislav Marohnic Will Paginate

Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.

4.3
2013-12-31 CVE-2013-5573 Jenkins Cross-Site Scripting vulnerability in Jenkins 1.523

Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.

4.3
2013-12-31 CVE-2013-7241 Zenphoto Cross-Site Scripting vulnerability in Zenphoto

Cross-site scripting (XSS) vulnerability in the export function in zp-core/zp-extensions/mergedRSS.php in Zenphoto before 1.4.5.4 allows remote attackers to inject arbitrary web script or HTML via the URI.

4.3
2013-12-30 CVE-2013-5210 Adtran Cross-Site Scripting vulnerability in Adtran Aos, Netvanta 7060 and Netvanta 7100

Cross-site scripting (XSS) vulnerability in the GUI login page in ADTRAN AOS before R10.8.1 on the NetVanta 7100 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2013-12-30 CVE-2013-4858 Microsoft Improper Input Validation vulnerability in Microsoft Windows Movie Maker 2.1.4026.0

Microsoft Windows Movie Maker 2.1.4026.0 on Windows XP SP3 allows remote attackers to cause a denial of service (application crash) via a crafted .wav file, as demonstrated by movieMaker.wav.

4.3
2013-12-31 CVE-2012-0263 OP5 Information Exposure vulnerability in OP5 Monitor

monitor/index.php in op5 Monitor and op5 Appliance before 5.5.1 allows remote authenticated users to obtain sensitive information such as database and user credentials via error messages that are triggered by (1) a malformed hoststatustypes parameter to status/service/all or (2) a crafted request to config.

4.0

8 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2014-01-02 CVE-2013-7250 Projectforge Cross-Site Scripting vulnerability in Projectforge

Cross-site scripting (XSS) vulnerability in the JsonBuilder implementation in ProjectForge before 5.3 allows remote authenticated users to inject arbitrary web script or HTML via an autocompletion string, related to web/core/JsonBuilder.java and web/wicket/autocompletion/PFAutoCompleteBehavior.java.

3.5
2014-01-02 CVE-2011-5269 Projectforge Cross-Site Scripting vulnerability in Projectforge

Cross-site scripting (XSS) vulnerability in ProjectForge before 3.5.3 allows remote authenticated users to inject arbitrary web script or HTML via a validation message.

3.5
2013-12-30 CVE-2013-7231 Esri Cross-Site Scripting vulnerability in Esri Arcgis 10.1/10.2

Cross-site scripting (XSS) vulnerability in the Mobile Content Server in ESRI ArcGIS for Server 10.1 and 10.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-5222.

3.5
2013-12-30 CVE-2013-5222 Esri Cross-Site Scripting vulnerability in Esri Arcgis 10.1

Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2013-12-30 CVE-2013-5219 HOT Path Traversal vulnerability in HOT Hotbox Router and Hotbox Router Firmware

Directory traversal vulnerability on the HOT HOTBOX router with software 2.1.11 allows remote attackers to read arbitrary files via a ..

3.3
2013-12-30 CVE-2013-5037 HOT Credentials Management vulnerability in HOT Hotbox Router and Hotbox Router Firmware

The HOT HOTBOX router with software 2.1.11 has a default WPS PIN of 12345670, which makes it easier for remote attackers to obtain the WPA or WPA2 pre-shared key via EAP messages.

3.3
2013-12-30 CVE-2013-5218 HOT Cross-Site Scripting vulnerability in HOT Hotbox Router and Hotbox Router Firmware

Cross-site scripting (XSS) vulnerability on the HOT HOTBOX router with software 2.1.11 allows remote attackers to inject arbitrary web script or HTML via a crafted DHCP Host Name option, which is not properly handled during rendering of the DHCP table in wlanAccess.asp.

2.9
2014-01-05 CVE-2013-6402 HP Link Following vulnerability in HP Linux Imaging and Printing Project

base/pkit.py in HP Linux Imaging and Printing (HPLIP) through 3.13.11 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/hp-pkservice.log temporary file.

2.1