Weekly Vulnerabilities Reports > June 20 to 26, 2016

Overview

47 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 9 high severity vulnerabilities. This weekly summary report vulnerabilities in 90 products from 24 vendors including Cisco, IBM, Cybozu, Collne, and Huawei. Vulnerabilities are notably categorized as "Information Exposure", "Improper Access Control", "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Cross-site Scripting".

  • 36 reported vulnerabilities are remotely exploitables.
  • 12 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 37 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 8 reported vulnerabilities.
  • HP has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

2 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-06-20 CVE-2016-2362 Fonality Unspecified vulnerability in Fonality 12.6/12.8/14.1I

Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 has a hardcoded password for the FTP account, which allows remote attackers to obtain access via a (1) FTP or (2) SSH connection.

10.0
2016-06-20 CVE-2016-2177 HP
Openssl
Oracle
Integer Overflow or Wraparound vulnerability in multiple products

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

9.8

9 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-06-25 CVE-2016-4822 Corega Command Injection vulnerability in Corega Cg-Wlbargl Firmware

Corega CG-WLBARGL devices allow remote authenticated users to execute arbitrary commands via unspecified vectors.

8.0
2016-06-25 CVE-2016-4823 Corega Denial of Service vulnerability in CG-WLBARAGM

Corega CG-WLBARAGM devices allow remote attackers to cause a denial of service (reboot) via unspecified vectors.

7.8
2016-06-26 CVE-2015-7988 Apple NULL Pointer Dereference Remote Code Execution vulnerability in mDNSResponder

The handle_regservice_request function in mDNSResponder before 625.41.2 allows remote attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference) via unspecified vectors.

7.5
2016-06-25 CVE-2016-4519 Unitronics Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Unitronics Visilogic Oplc IDE 9.8.0.00

Stack-based buffer overflow in Unitronics VisiLogic OPLC IDE before 9.8.30 allows remote attackers to execute arbitrary code via a crafted filename field in a ZIP archive in a vlp file.

7.5
2016-06-24 CVE-2016-5722 Huawei Information Exposure vulnerability in Huawei Ocean Stor Firmware

Huawei OceanStor 5300 V3, 5500 V3, 5600 V3, 5800 V3, 6800 V3, 18800 V3, and 18500 V3 before V300R003C10 sends the plaintext session token in the HTTP header, which allows remote attackers to conduct replay attacks and obtain sensitive information by sniffing the network.

7.5
2016-06-23 CVE-2015-6289 Cisco Resource Management Errors vulnerability in Cisco IOS 15.5(3)M

Cisco IOS 15.5(3)M on Integrated Services Router (ISR) 800, 819, and 829 devices allows remote attackers to cause a denial of service (memory consumption) via crafted TCP packets on the SSH port, aka Bug ID CSCuu13476.

7.5
2016-06-24 CVE-2016-5723 Huawei Permissions, Privileges, and Access Controls vulnerability in Huawei Fusioninsight HD V100R002C30/V100R002C50

Huawei FusionInsight HD before V100R002C60SPC200 allows local users to gain root privileges via unspecified vectors.

7.2
2016-06-20 CVE-2016-2363 Fonality Permissions, Privileges, and Access Controls vulnerability in Fonality 12.6/12.8/14.1I

Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 uses weak permissions for the /var/www/rpc/surun script, which allows local users to obtain root access for unspecified command execution by leveraging access to the nobody account.

7.2
2016-06-24 CVE-2016-5435 Huawei Resource Management Errors vulnerability in Huawei Firmware V5500R001C00

Memory leak in Huawei IPS Module, NGFW Module, NIP6300, NIP6600, and Secospace USG6300, USG6500, USG6600, USG9500, and AntiDDoS8000 V500R001C00 before V500R001C20SPC100, when in hot standby networking where two devices are not directly connected, allows remote attackers to cause a denial of service (memory consumption and reboot) via a crafted packet.

7.1

31 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-06-24 CVE-2016-4802 Haxx Permissions, Privileges, and Access Controls vulnerability in Haxx Curl

Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory.

6.9
2016-06-26 CVE-2016-0301 IBM Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Domino

Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0277, CVE-2016-0278, and CVE-2016-0279.

6.8
2016-06-26 CVE-2016-0279 IBM Improper Access Control vulnerability in IBM Domino

Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0277, CVE-2016-0278, and CVE-2016-0301.

6.8
2016-06-26 CVE-2016-0278 IBM Improper Access Control vulnerability in IBM Domino

Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0277, CVE-2016-0279, and CVE-2016-0301.

6.8
2016-06-26 CVE-2016-0277 IBM Improper Access Control vulnerability in IBM Domino

Heap-based buffer overflow in the KeyView PDF filter in IBM Domino 8.5.x before 8.5.3 FP6 IF13 and 9.x before 9.0.1 FP6 allows remote attackers to execute arbitrary code via a crafted PDF document, a different vulnerability than CVE-2016-0278, CVE-2016-0279, and CVE-2016-0301.

6.8
2016-06-26 CVE-2016-2901 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM web Content Manager and Websphere Portal

Cross-site request forgery (CSRF) vulnerability in the PA_Theme_Creator application in IBM WebSphere Portal 8.5 CF08 through CF10 and Web Content Manager allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

6.8
2016-06-26 CVE-2015-7987 Apple Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple products

Multiple buffer overflows in mDNSResponder before 625.41.2 allow remote attackers to read or write to out-of-bounds memory locations via vectors involving the (1) GetValueForIPv4Addr, (2) GetValueForMACAddr, (3) rfc3110_import, or (4) CopyNSEC3ResourceRecord function.

6.8
2016-06-25 CVE-2016-4825 Collne Improper Input Validation vulnerability in Collne Welcart E-Commerce

The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data.

6.8
2016-06-23 CVE-2016-1428 Cisco Denial of Service vulnerability in Cisco IOS XE 3.15.0S/3.16.0S/3.17.0S

Double free vulnerability in Cisco IOS XE 3.15S, 3.16S, and 3.17S allows remote authenticated users to cause a denial of service (device restart) via a sequence of crafted SNMP read requests, aka Bug ID CSCux13174.

6.8
2016-06-23 CVE-2016-0914 EMC Improper Access Control vulnerability in EMC products

EMC Documentum WebTop 6.8 before Patch 13 and 6.8.1 before Patch 02, Documentum Administrator 7.x before 7.2 Patch 13, Documentum Capital Projects 1.9 before Patch 23 and 1.10 before Patch 10, and Documentum TaskSpace 6.7 SP3 allow remote authenticated users to bypass intended access restrictions and execute arbitrary IAPI/IDQL commands via the IAPI/IDQL interface.

6.5
2016-06-25 CVE-2016-4828 Collne Data Processing Errors vulnerability in Collne Welcart E-Commerce

The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account.

6.4
2016-06-23 CVE-2016-1435 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco IP Phone 8800 Series Firmware 11.0(1)

Cisco 8800 phones with software 11.0(1) do not properly enforce mounted-filesystem permissions, which allows local users to write to arbitrary files by leveraging shell access, aka Bug ID CSCuz03014.

6.2
2016-06-25 CVE-2016-1189 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 3.x and 4.x before 4.2.1 allows remote authenticated users to bypass intended restrictions on reading, creating, or modifying a portlet via unspecified vectors.

5.5
2016-06-20 CVE-2016-2178 Openssl
Oracle
Suse
Nodejs
Debian
Canonical
Information Exposure Through Discrepancy vulnerability in multiple products

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

5.5
2016-06-25 CVE-2016-4824 Corega 7PK - Security Features vulnerability in Corega Cg-Wlr300Gnv-W Firmware and Cg-Wlr300Gnv Firmware

The Wi-Fi Protected Setup (WPS) implementation on Corega CG-WLR300GNV and CG-WLR300GNV-W devices does not restrict the number of PIN authentication attempts, which makes it easier for remote attackers to obtain network access via a brute-force attack.

5.0
2016-06-25 CVE-2016-1193 Cybozu Information Exposure vulnerability in Cybozu Garoon

Cybozu Garoon 3.7 through 4.2 allows remote attackers to obtain sensitive email-reading information via unspecified vectors.

5.0
2016-06-23 CVE-2016-1438 Cisco Improper Input Validation vulnerability in Cisco Asyncos 9.7.0125

Cisco AsyncOS 9.7.0-125 on Email Security Appliance (ESA) devices allows remote attackers to bypass intended spam filtering via crafted executable content in a ZIP archive, aka Bug ID CSCuy39210.

5.0
2016-06-23 CVE-2016-1436 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco ASR 5000 Software

The General Packet Radio Switching Tunneling Protocol 1 (aka GTPv1) implementation on Cisco ASR 5000 Packet Data Network Gateway devices before 19.4 allows remote attackers to cause a denial of service (Session Manager process restart) via a crafted GTPv1 packet, aka Bug ID CSCuz46198.

5.0
2016-06-20 CVE-2016-2364 Fonality Unspecified vulnerability in Fonality and HUD web

The Chrome HUDweb plugin before 2016-05-05 for Fonality (previously trixbox Pro) 12.6 through 14.1i uses the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.

5.0
2016-06-26 CVE-2016-4513 Schneider Electric Cross-site Scripting vulnerability in Schneider-Electric Powerlogic Pm8Ecc Firmware

Cross-site scripting (XSS) vulnerability in the Schneider Electric PowerLogic PM8ECC module before 2.651 for PowerMeter 800 devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2016-06-25 CVE-2016-4827 Collne Cross-site Scripting vulnerability in Collne Welcart E-Commerce

Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826.

4.3
2016-06-25 CVE-2016-4826 Collne Cross-site Scripting vulnerability in Collne Welcart E-Commerce

Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827.

4.3
2016-06-25 CVE-2016-4528 Advantech Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Advantech Webaccess

Buffer overflow in Advantech WebAccess before 8.1_20160519 allows local users to cause a denial of service via a crafted DLL file.

4.3
2016-06-23 CVE-2016-1439 Cisco Cross-site Scripting vulnerability in Cisco Unified Contact Center Enterprise

Cross-site scripting (XSS) vulnerability in the management interface in Cisco Unified Contact Center Enterprise through 10.5(2) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCux59650.

4.3
2016-06-20 CVE-2015-8289 Netgear Information Exposure vulnerability in Netgear D3600 Firmware and D6000 Firmware

The password-recovery feature on NETGEAR D3600 devices with firmware 1.0.0.49 and D6000 devices with firmware 1.0.0.49 and earlier allows remote attackers to discover the cleartext administrator password by reading the cgi-bin/passrec.asp HTML source code.

4.3
2016-06-20 CVE-2015-8288 Netgear Unspecified vulnerability in Netgear D3600 Firmware and D6000 Firmware

NETGEAR D3600 devices with firmware 1.0.0.49 and D6000 devices with firmware 1.0.0.49 and earlier use the same hardcoded private key across different customers' installations, which allows remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key from another installation.

4.3
2016-06-25 CVE-2016-1190 Cybozu Improper Access Control vulnerability in Cybozu Garoon

Cybozu Garoon 3.1 through 4.2 allows remote authenticated users to bypass intended restrictions on MultiReport reading via unspecified vectors.

4.0
2016-06-25 CVE-2016-1188 Cybozu Unspecified vulnerability in Cybozu Garoon

Cybozu Garoon 3.x and 4.x before 4.2.1 allows remote authenticated users to send spoofed e-mail messages via unspecified vectors.

4.0
2016-06-24 CVE-2016-5021 F5 Information Exposure vulnerability in F5 products

The iControl REST service in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.5.x before 11.5.4, 11.6.x before 11.6.1, and 12.x before 12.0.0 HF3; BIG-IP DNS 12.x before 12.0.0 HF3; BIG-IP GTM 11.5.x before 11.5.4 and 11.6.x before 11.6.1; BIG-IQ Cloud and Security 4.0.0 through 4.5.0; BIG-IQ Device 4.2.0 through 4.5.0; BIG-IQ ADC 4.5.0; BIG-IQ Centralized Management 4.6.0; and BIG-IQ Cloud and Orchestration 1.0.0 allows remote authenticated administrators to obtain sensitive information via unspecified vectors.

4.0
2016-06-23 CVE-2016-1437 Cisco SQL Injection vulnerability in Cisco Prime Collaboration Deployment

SQL injection vulnerability in the SQL database in Cisco Prime Collaboration Deployment before 11.5.1 allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCuy92549.

4.0
2016-06-23 CVE-2016-1434 Cisco Improper Input Validation vulnerability in Cisco IP Phone 8800 Series Firmware 11.0(1)

The license-certificate upload functionality on Cisco 8800 phones with software 11.0(1) allows remote authenticated users to delete arbitrary files via an invalid file, aka Bug ID CSCuz03010.

4.0

5 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-06-26 CVE-2016-5087 Alertus Permissions, Privileges, and Access Controls vulnerability in Alertus Desktop Notification for OS X

Alertus Desktop Notification before 2.9.31.1710 on OS X uses weak permissions for configuration files and unspecified other files, which allows local users to suppress emergency notifications or change content via standard filesystem operations.

3.6
2016-06-25 CVE-2016-4525 Advantech Unspecified vulnerability in Advantech Webaccess

Unspecified ActiveX controls in Advantech WebAccess before 8.1_20160519 allow remote authenticated users to obtain sensitive information or modify data via unknown vectors, related to the INTERFACESAFE_FOR_UNTRUSTED_CALLER (aka safe for scripting) flag.

3.3
2016-06-26 CVE-2016-0259 IBM Information Exposure vulnerability in IBM Websphere MQ

runmqsc in IBM WebSphere MQ 8.x before 8.0.0.5 allows local users to bypass an intended +dsp authority requirement and obtain sensitive information via unspecified display commands.

2.1
2016-06-26 CVE-2015-7473 IBM Improper Access Control vulnerability in IBM Websphere MQ

runmqsc in IBM WebSphere MQ 8.x before 8.0.0.5 allows local users to bypass intended queue-manager command access restrictions by leveraging authority for +connect and +dsp.

2.1
2016-06-24 CVE-2016-5709 Solarwinds Information Exposure vulnerability in Solarwinds Virtualization Manager

SolarWinds Virtualization Manager 6.3.1 and earlier uses weak encryption to store passwords in /etc/shadow, which allows local users with superuser privileges to obtain user passwords via a brute force attack.

1.9