Weekly Vulnerabilities Reports > February 20 to 26, 2017

IBM Jazz for Service Management 1.1.2.1 and 1.1.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

OpenText Documentum Content Server (formerly EMC Documentum Content Server) 7.3, when PostgreSQL Database is used and return_top_results_row_based config option is false, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and execute arbitrary DML or DDL commands via a crafted request.

A vulnerability in the sponsor portal of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to access notices owned by other users, because of SQL Injection.

Multiple cross-site request forgery (CSRF) vulnerabilities in the access portal on the DIGISOL DG-HR1400 Wireless Router with firmware 1.00.02 allow remote attackers to hijack the authentication of administrators for requests that (1) change the SSID, (2) change the Wi-Fi password, or (3) possibly have unspecified other impact via crafted requests to form2WlanBasicSetup.cgi.

Privilege Escalation Vulnerability in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to change Master Admin's password and/or add new admin accounts.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.

IBM Rhapsody DM 4.0, 5.0 and 6.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data.

An HTTP Packet Processing vulnerability in the Web Bridge interface of the Cisco Meeting Server (CMS), formerly Acano Conferencing Server, could allow an authenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

An issue was discovered in certain Apple products.

JustSystems Ichitaro 2016 Trial contains a vulnerability that exists when trying to open a specially crafted PowerPoint file.

Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers to execute arbitrary code via a crafted executable, which triggers a buffer overflow.

An issue was discovered in tnef before 1.4.13.

An issue was discovered in tnef before 1.4.13.

An issue was discovered in tnef before 1.4.13.

An issue was discovered in tnef before 1.4.13.

An issue was discovered in ytnef before 1.9.1.

An issue was discovered in ytnef before 1.9.1.

An issue was discovered in ytnef before 1.9.1.

An issue was discovered in ytnef before 1.9.1.

An issue was discovered in ytnef before 1.9.1.

An issue was discovered in ytnef before 1.9.1.

An issue was discovered in ytnef before 1.9.1.

An issue was discovered in ytnef before 1.9.1.

Multiple use-after-free vulnerabilities in the gx_image_enum_begin function in base/gxipixel.c in Ghostscript before ecceafe3abba2714ef9b432035fe0739d9b1a283 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PostScript document.

Integer overflow in the mem_check_range function in drivers/infiniband/sw/rxe/rxe_mr.c in the Linux kernel before 4.9.10 allows local users to cause a denial of service (memory corruption), obtain sensitive information from kernel memory, or possibly have unspecified other impact via a write or read request involving the "RDMA protocol over infiniband" (aka Soft RoCE) technology.

The installPackage function in the installerHelper subcomponent in Libmacgpg in GPG Suite before 2015.06 allows local users to execute arbitrary commands with root privileges via shell metacharacters in the xmlPath argument.

GOM Player 2.3.10.5266 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted fpx file.

Sensitive Information Disclosure in com.trend.iwss.gui.servlet.ConfigBackup in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated, remote users with least privileges to backup the system configuration and download it onto their local machine.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

Use-after-free vulnerability in pcsc-lite before 1.8.20 allows a remote attackers to cause denial of service (crash) via a command that uses "cardsList" after the handle has been released through the SCardReleaseContext function.

tcpdf before 6.2.0 uploads files from the server generating PDF-files to an external FTP.

The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel before 4.9.11 allows remote attackers to cause a denial of service (infinite loop and soft lockup) via vectors involving a TCP packet with the URG flag.

D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-1510-28P, DGS-1510-28, and DGS-1510-20 Websmart devices with firmware before 1.31.B003 allow attackers to conduct Unauthenticated Information Disclosure attacks via unspecified vectors.

The route manager in FlightGear before 2016.4.4 allows remote attackers to write to arbitrary files via a crafted Nasal script.

A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to disclose sensitive information.

A vulnerability in an internal API of the Cisco Meeting Server (CMS) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on the affected appliance.

An exploitable denial-of-service vulnerability exists in the fabric-worker component of Aerospike Database Server 3.10.0.3.

The "Plug-in for VMware vCenter" in VCE Vision Intelligent Operations before 2.6.5 sends a cleartext HTTP response upon a request for the Settings screen, which allows remote attackers to discover the admin user password by sniffing the network.

Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote attackers to cause a denial of service (CPU consumption) via a flood of ICMPv4 Port Unreachable packets.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors.

IBM Tivoli Storage Manager Server 7.1 could allow an authenticated user with TSM administrator privileges to cause a buffer overflow using a specially crafted SQL query and execute arbitrary code on the server.

A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress.

A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress.

A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

The System Library in VCE Vision Intelligent Operations before 2.6.5 does not properly implement cryptography, which makes it easier for local users to discover credentials by leveraging administrative access.

IBM WebSphere MQ 8.0 could allow an authenticated user with access to the queue manager to bring down MQ channels using specially crafted HTTP requests.

IBM WebSphere MQ 8.0 could allow an authenticated user with access to the queue manager and queue, to deny service to other channels running under the same process.

IBM WebSphere MQ 8.0 could allow an authenticated user to crash the MQ channel due to improper data conversion handling.

Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.

Multiple cross-site scripting (XSS) vulnerabilities in Bilboplanet 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) tribe_name or (2) tags parameter in a tribes page request to user/ or the (3) user_id or (4) fullname parameter to signup.php.

IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting.

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909.

The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting (XSS) attacks by leveraging mishandling of the < (less than) character in attribute values.

A vulnerability in the web-based management interface of Cisco Prime Collaboration Assurance could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

A vulnerability in the web interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to redirect a user to a malicious web page, aka an Open Redirect Vulnerability.

A vulnerability in Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to conduct a DOM-based cross-site scripting (XSS) attack against the user of the web interface of the affected system.

A vulnerability in the web framework of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of the affected software.

A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

A vulnerability in the web-based management interface of Cisco Unified Communications Manager Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.

A vulnerability in the serviceability page of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct reflected cross-site scripting (XSS) attacks.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

Under non-standard configurations, IBM WebSphere MQ might send password data in clear text over the network.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

A vulnerability in the Multipurpose Internet Mail Extensions (MIME) scanner of Cisco AsyncOS Software for Cisco Email Security Appliances (ESA) and Web Security Appliances (WSA) could allow an unauthenticated, remote attacker to bypass configured user filters on the device.

dwarf_form.c in libdwarf 20160115 allows remote attackers to cause a denial of service (crash) via a crafted elf file.

The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.

The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having "itself as ancestor more than once."

Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.

Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the "demangling of virtual tables."

Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "ktypevec."

Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "btypevec."

An issue was discovered in ytnef before 1.9.1.

The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1 allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by the r_read_le32 function.

In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes it easier to extract RSA key information for a malicious user who has access to view cache on a machine.

Munin before 2.999.6 has a local file write vulnerability when CGI graphs are enabled.

Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery.

Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging IDT entry miscalculation.

FastStone MaxView 3.0 and 3.1 allows user-assisted attackers to cause a denial of service (application crash) via a malformed BMP image with a crafted biSize field in the BITMAPINFOHEADER section.

gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to obtain sensitive information from process heap memory via a crafted EMF file, as demonstrated by an EMR_SETDIBITSTODEVICE record with modified Device Independent Bitmap (DIB) dimensions.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting.

A vulnerability in the web framework of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface.

Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least privileges to inject arbitrary HTML/JavaScript code into web pages.

Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors.

A vulnerability in the web-based management interface of the Cisco Intrusion Prevention System Device Manager (IDM) could allow an unauthenticated, remote attacker to view sensitive information stored in certain HTML comments.

CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via defaultadmin.

CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows remote attackers to conduct information-disclosure attacks via exportxml.

F5 BIG-IP 12.0.0 and 11.5.0 - 11.6.1 REST requests which timeout during user account authentication may log sensitive attributes such as passwords in plaintext to /var/log/restjavad.0.log.

An issue was discovered in certain Apple products.

Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.

An issue was discovered in certain Apple products.

A vulnerability in exporting functions of the user interface for Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to view file directory listings and download files.

A vulnerability in the file download functions for Cisco Prime Collaboration Assurance could allow an authenticated, remote attacker to download system files that should be restricted.

An XML External Entity vulnerability in the web-based user interface of the Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to have read access to part of the information stored in the affected system.

A vulnerability in the web framework Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to view sensitive data.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

IBM WebSphere MQ 8.0 could allow an authenticated user with authority to create a cluster object to cause a denial of service to MQ clustering.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.

An issue was discovered in certain Apple products.