Weekly Vulnerabilities Reports > October 5 to 11, 2015

Algorithmic complexity vulnerability in Address.pm in the Email-Address module 1.908 and earlier for Perl allows remote attackers to cause a denial of service (CPU consumption) via a crafted string containing a list of e-mail addresses in conjunction with parenthesis characters that can be associated with nested comments.

The HTTP application on Mitsubishi Electric MELSEC FX3G PLC devices before April 2015 allows remote attackers to cause a denial of service (device outage) via a long parameter.

Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attackers to execute arbitrary code via a long CWD command.

Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long USER command.

Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing \u in a json string to cJSON_Parse.

system/session/drivers/cookie.php in Anchor CMS 0.9.x allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in a cookie.

GasGauge in Apple watchOS before 2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5918.

GasGauge in Apple watchOS before 2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5919.

The SMB implementation in the kernel in Apple OS X before 10.11 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.

IOGraphics in Apple OS X before 10.11 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5871, CVE-2015-5872, and CVE-2015-5873.

rsh in the remote_cmds component in Apple OS X before 10.11 allows local users to obtain root privileges via vectors involving environment variables.

The Install Framework Legacy component in Apple OS X before 10.11 allows local users to obtain root privileges via vectors involving a privileged executable file.

The Intel Graphics Driver component in Apple OS X before 10.11 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5830.

IOGraphics in Apple OS X before 10.11 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5871, CVE-2015-5872, and CVE-2015-5890.

IOGraphics in Apple OS X before 10.11 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5871, CVE-2015-5873, and CVE-2015-5890.

IOGraphics in Apple OS X before 10.11 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5872, CVE-2015-5873, and CVE-2015-5890.

The Login Window component in Apple OS X before 10.11 does not ensure that the screen is locked at the intended time, which allows physically proximate attackers to obtain access by visiting an unattended workstation.

The Intel Graphics Driver component in Apple OS X before 10.11 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-5877.

Cisco VPN Client 5.x through 5.0.07.0440 uses weak permissions for vpnclient.ini, which allows local users to gain privileges by entering an arbitrary program name in the Command field of the ApplicationLauncher section.

Untrusted search path vulnerability in python.exe in Python through 3.5.0 on Windows allows local users to gain privileges via a Trojan horse readline.pyd file in the current working directory.

The protected range register in the EFI component in Apple OS X before 10.11 has an incorrect value, which allows attackers to cause a denial of service (boot failure) via a crafted app that writes to an unintended address.

Cybozu Garoon 3.x through 3.7.5 and 4.x through 4.0.3 mishandles authentication requests, which allows remote authenticated users to conduct LDAP injection attacks, and consequently bypass intended login restrictions or obtain sensitive information, by leveraging certain group-administration privileges.

IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Heimdal, as used in Apple OS X before 10.11, allows remote attackers to conduct replay attacks against the SMB server via packet data that represents a Kerberos authenticated request.

The filtering implementation in AppleEvents in Apple OS X before 10.11 mishandles attempts to send events to a different user, which allows attackers to bypass intended access restrictions by leveraging a screen-sharing connection.

SQLite before 3.8.9, as used in Android before 5.1.1 LMY48T, allows attackers to gain privileges via a crafted application, aka internal bug 20099586.

The installer in ICZ MATCHA SNS before 1.3.7 does not properly configure the database, which allows remote attackers to execute arbitrary PHP code via unspecified vectors.

The installer in ICZ MATCHA INVOICE before 2.5.7 does not properly configure the database, which allows remote attackers to execute arbitrary PHP code via unspecified vectors.

The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address.

SQL injection vulnerability in Network Applied Communication Laboratory Pref Shimane CMS 2.x before 2.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in list.php in phpRechnung before 1.6.5 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

ICZ MATCHA SNS before 1.3.7 allows remote authenticated users to obtain administrative privileges via unspecified vectors.

Multiple SQL injection vulnerabilities in ICZ MATCHA INVOICE before 2.5.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

SQL injection vulnerability in baserCMS before 3.0.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

baserCMS before 3.0.8 allows remote authenticated users to modify arbitrary user settings via a crafted request.

SQL injection vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX004, and 7.6.0 before 7.6.0.1 IFIX002; Maximo Asset Management 7.5.x before 7.5.0.8 IFIX004 and 7.6.0 before 7.6.0.1 IFIX002 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Ignite Realtime Openfire 3.10.2 allows remote authenticated users to gain administrator access via the isadmin parameter to user-edit-form.jsp.

Bluetooth in Android before 5.1.1 LMY48T allows attackers to remove stored SMS messages via a crafted application, aka internal bug 22343270.

Cisco Wireless LAN Controller (WLC) devices with software 7.0(240.0), 7.3(101.0), and 7.4(1.19) allow remote attackers to cause a denial of service (device outage) by sending malformed 802.11i management data to a managed access point, aka Bug ID CSCub65236.

IBM UrbanCode Deploy 6.0 and 6.0.1.x before 6.0.1.10, 6.1.1.x before 6.1.1.8, and 6.1.2 writes admin AUTH_TOKEN values to execution logs, which allows remote authenticated users to gain privileges by leveraging the ability to create and execute a process.

ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field.

Mail in Apple OS X before 10.11 does not properly recognize user preferences, which allows attackers to obtain sensitive information via an unspecified action during the printing of an e-mail message, a different vulnerability than CVE-2015-7760.

libxpc in launchd in Apple OS X before 10.11 does not restrict the creation of processes for network connections, which allows remote attackers to cause a denial of service (resource consumption) by repeatedly connecting to the SSH port, a different vulnerability than CVE-2015-7761.

The glob implementation in tnftpd (formerly lukemftpd), as used in Apple OS X before 10.11, allows remote attackers to cause a denial of service (memory consumption and daemon outage) via a STAT command containing a crafted pattern, as demonstrated by multiple instances of the {..,..,..}/* substring.

Apple OS X before 10.11 does not ensure that the keychain's lock state is displayed correctly, which has unspecified impact and attack vectors.

The bidirectional text-display and text-selection implementations in Terminal in Apple OS X before 10.11 interpret directional override formatting characters differently, which allows remote attackers to spoof the content of a text document via a crafted character sequence.

The REST interface in Cisco Unified Communications Manager IM and Presence Service 11.5(1) allows remote attackers to cause a denial of service (SIP proxy service restart) via a crafted HTTP request, aka Bug ID CSCuw31632.

mediaserver in Android 5.x before 5.1.1 LMY48T and 6.0 before 2015-10-01 allows attackers to cause a denial of service (process crash) via unspecified vectors, aka internal bug 22278703, a different vulnerability than CVE-2015-6605.

mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a denial of service (process crash) via unspecified vectors, aka internal bugs 20915134 and 23142203, a different vulnerability than CVE-2015-7718.

mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a denial of service (process crash) via unspecified vectors, aka internal bug 22954006.

Directory traversal vulnerability in AjaXplorer 2.0 allows remote attackers to read arbitrary files via unspecified vectors.

Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, and CJ2H PLC devices before 1.5 rely on cleartext password transmission, which allows remote attackers to obtain sensitive information by sniffing the network during a PLC unlock request.

The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 provides different messages for attempts to join a meeting depending on the status of the meeting, which allows remote attackers to enumerate valid meeting ids via a series of requests.

The debugging feature in the kernel in Apple OS X before 10.11 mismanages state, which allows local users to cause a denial of service via unspecified vectors.

The EFI component in Apple OS X before 10.11 allows physically proximate attackers to modify firmware during the EFI update process by inserting an Apple Ethernet Thunderbolt adapter with crafted code in an Option ROM, aka a "Thunderstrike" issue.

The Address Book framework in Apple OS X before 10.11 allows local users to gain privileges by using an environment variable to inject code into processes that rely on this framework.

Cross-site scripting (XSS) vulnerability in Dojo Toolkit before 1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

The X.509 certificate-trust implementation in Apple OS X before 10.11 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it easier for man-in-the-middle attackers to spoof endpoints by leveraging access to a revoked certificate.

IOGraphics in Apple OS X before 10.11 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.

Apple Online Store Kit in Apple OS X before 10.11 improperly validates iCloud keychain item ACLs, which allows attackers to obtain access to keychain items via a crafted app.

The API in the WebKit Plug-ins component in Apple Safari before 9 does not provide notification of an HTTP Redirection (aka 3xx) status code to a plugin, which allows remote attackers to bypass intended request restrictions via a crafted web site.

Media Projection in Android 5.x before 5.1.1 LMY48T and 6.0 before 2015-10-01 allows attackers to bypass an intended screen-recording warning feature and obtain sensitive screen-snapshot information via a crafted application that references a long application name, aka internal bug 23345192.

The Precious module in gollum before 4.0.1 allows remote attackers to read arbitrary files by leveraging the lack of a certain temporary-file check.

IBM Multi-Enterprise Integration Gateway 1.x through 1.0.0.1 and B2B Advanced Communications 1.0.0.2 and 1.0.0.3 before 1.0.0.3_2, when access by guests is enabled, place an internal hostname and a payload path in a response, which allows remote authenticated users to obtain sensitive information by leveraging a trading-partner relationship and reading response fields.

Cross-site scripting (XSS) vulnerability in IBM Multi-Enterprise Integration Gateway 1.x through 1.0.0.1 and B2B Advanced Communications 1.0.0.2 and 1.0.0.3 before 1.0.0.3_2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Cross-site scripting (XSS) vulnerability in IBM Emptoris Supplier Lifecycle Management and Emptoris Program Management 10.x before 10.0.1.4_iFix3, 10.0.2.x before 10.0.2.7_iFix1, 10.0.3.x before 10.0.3.2, and 10.0.4.x before 10.0.4.0_iFix1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

Cross-site scripting (XSS) vulnerability in 4images 1.7.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the cat_description parameter in an updatecat action to admin/categories.php.

IBM License Metric Tool 9 before 9.2.1.0 and Endpoint Manager for Software Use Analysis 9 before 9.2.1.0 allow remote authenticated users to bypass intended access restrictions and obtain sensitive information via a REST API request.

IBM Emptoris Sourcing 10.0.2.0 before iFix6, 10.0.2.2 before iFix11, 10.0.2.3, 10.0.2.5 before iFix4, 10.0.2.6 before iFix8, 10.0.2.7 before iFix1, and 10.0.4.x before iFix2 allows remote authenticated users to obtain sensitive supplier-bid information via unspecified vectors.

maximouiweb/webmodule/webclient/utility/merlin.jsp in IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX004, and 7.6.0 before 7.6.0.1 IFIX002; Maximo Asset Management 7.5.x before 7.5.0.8 IFIX004 and 7.6.0 before 7.6.0.1 IFIX002 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allows remote authenticated users to obtain sensitive information by reading a (1) backup or (2) debug application file.

GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php.

Cross-site scripting (XSS) vulnerability in an application console in the server in Symantec NetBackup OpsCenter before 7.7.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

IBM Sterling B2B Integrator 5.2 before 5020500_8 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors.

Cross-site scripting (XSS) vulnerability in IBM Emptoris Strategic Supply Management Platform and Emptoris Program Management 10.x before 10.0.1.4_iFix3, 10.0.2.x before 10.0.2.7_iFix1, 10.0.3.x before 10.0.3.2, and 10.0.4.x before 10.0.4.0_iFix1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX003, and 7.6.0 before 7.6.0.1 IFIX001; Maximo Asset Management 7.5.x before 7.5.0.8 IFIX003 and 7.6.0 before 7.6.0.1 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 allows remote authenticated users to bypass intended access restrictions and log into arbitrary meetings by leveraging a meeting id and meetingAppSun.jar.

The Mail Drop feature in Mail in Apple OS X before 10.11 mishandles encryption parameters for attachments, which makes it easier for remote attackers to obtain sensitive information by sniffing the network during transmission of an S/MIME e-mail message with a large attachment.

AirScan in Apple OS X before 10.11 allows man-in-the-middle attackers to obtain eSCL packet payload data via unspecified vectors.

Apple iOS before 9.0.2 does not properly restrict the options available on the lock screen, which allows physically proximate attackers to read contact data or view photos via unspecified vectors.

The Secure Empty Trash feature in Finder in Apple OS X before 10.11 improperly deletes Trash files, which might allow local users to obtain sensitive information by reading storage media, as demonstrated by reading a flash drive.

SMBClient in SMB in Apple OS X before 10.11 allows local users to obtain sensitive kernel memory-layout information via unspecified vectors.

Notes in Apple OS X before 10.11 misparses links, which allows local users to obtain sensitive information via unspecified vectors.

Cross-site scripting (XSS) vulnerability in Notes in Apple OS X before 10.11 allows local users to inject arbitrary web script or HTML via crafted text.

The debugging interfaces in the kernel in Apple OS X before 10.11 allow local users to obtain sensitive memory-layout information via unspecified vectors.

IOAudioFamily in Apple OS X before 10.11 allows local users to obtain sensitive kernel memory-layout information via unspecified vectors.

The backup implementation in Time Machine in Apple OS X before 10.11 allows local users to obtain access to keychain items via unspecified vectors.

Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, and CJ2H PLC devices before 1.5 use a reversible format for password storage in object files on Compact Flash cards, which makes it easier for local users to obtain sensitive information by reading a file.

Omron CX-One CX-Programmer before 9.6 uses a reversible format for password storage in project source-code files, which makes it easier for local users to obtain sensitive information by reading a file.

The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.