VFS in the Linux kernel before 2.6.22.16, and 2.6.23.x before 2.6.23.14, performs tests of access mode by using the flag variable instead of the acc_mode variable, which might allow local users to bypass intended permissions and remove directories. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=974a9f0b47da74e28f68b9c8645c3786aa5ace1a http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.16 SUSE-SA:2008:006 SUSE-SA:2008:013 RHSA-2008:0055 1019289 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0021 DSA-1479 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.14 MDVSA-2008:044 MDVSA-2008:112 RHSA-2008:0089 20080117 rPSA-2008-0021-1 kernel 27280 USN-574-1 USN-578-1 ADV-2008-0151 linux-directory-security-bypass(39672) https://issues.rpath.com/browse/RPL-2146 oval:org.mitre.oval:def:9709 FEDORA-2008-0748 Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception. APPLE-SA-2008-10-09 SUSE-SR:2009:004 HPSBST02955 GLSA-200804-10 3638 http://support.apple.com/kb/HT3216 http://tomcat.apache.org/security-6.html 20080208 CVE-2008-0002: Tomcat information disclosure vulnerability 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 27703 31681 http://www.vmware.com/security/advisories/VMSA-2009-0016.html ADV-2008-0488 ADV-2008-2780 ADV-2009-3316 FEDORA-2008-1467 FEDORA-2008-1603 Stack-based buffer overflow in the PAMBasicAuthenticator::PAMCallback function in OpenPegasus CIM management server (tog-pegasus), when compiled to use PAM and without PEGASUS_USE_PAM_STANDALONE_PROC defined, might allow remote attackers to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2007-5360. HPSBMA02331 [Security-announce] 20080415 VMSA-2008-0007 Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus 1019159 20080115 vuldb confusion between OpenPegasus issues RHSA-2008:0002 20080416 VMSA-2008-0007 Moderate Updated Service Console packages pcre, net-snmp, and OpenPegasus 27172 27188 ADV-2008-0063 ADV-2008-0638 ADV-2008-1234 ADV-2008-1391 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4129 https://bugzilla.redhat.com/show_bug.cgi?id=426578 openpegasus-pambasic-bo(39527) oval:org.mitre.oval:def:10282 FEDORA-2008-0506 FEDORA-2008-0572 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset, which allows remote attackers to conduct cross-site scripting (XSS) attacks using UTF-7 encoding. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 SUSE-SA:2008:021 [security-announce] 20090820 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server SSRT090085 HPSBUX02465 SSRT090208 GLSA-200803-19 20080110 Apache (mod_proxy_ftp) Undefined Charset UTF-7 XSS Vulnerability 3526 http://support.avaya.com/elmodocs2/security/ASA-2008-032.htm MDVSA-2008:014 MDVSA-2008:015 MDVSA-2008:016 RHSA-2008:0004 RHSA-2008:0005 RHSA-2008:0006 RHSA-2008:0007 RHSA-2008:0008 RHSA-2008:0009 20080110 SecurityReason - Apache (mod_proxy_ftp) Undefined Charset UTF-7 XSS Vulnerability 20090821 VMSA-2009-0010 VMware Hosted products update libpng and Apache HTTP Server 27234 1019185 USN-575-1 ADV-2008-0924 ADV-2008-1875 apache-modproxyftp-utf7-xss(39615) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:10812 FEDORA-2008-1711 FEDORA-2008-1695 Buffer overflow in (1) X.Org Xserver before 1.4.1, and (2) the libfont and libXfont libraries on some platforms including Sun Solaris, allows context-dependent attackers to execute arbitrary code via a PCF font with a large difference between the last col and first col values in the PCF_BDF_ENCODINGS table. http://bugs.gentoo.org/show_bug.cgi?id=204362 http://docs.info.apple.com/article.html?artnum=307562 SSRT080083 JVN#88935101 JVNDB-2008-001043 APPLE-SA-2008-03-18 [xorg] 20080117 X.Org security advisory: multiple vulnerabilities in the X server SUSE-SA:2008:003 SUSE-SR:2008:008 GLSA-200801-09 GLSA-200804-05 1019232 103192 201230 http://support.avaya.com/elmodocs2/security/ASA-2008-038.htm http://support.avaya.com/elmodocs2/security/ASA-2008-077.htm GLSA-200805-07 MDVSA-2008:021 MDVSA-2008:022 MDVSA-2008:024 [4.1] 20080208 012: SECURITY FIX: February 8, 2008 [4.2] 20080208 006: SECURITY FIX: February 8, 2008 RHSA-2008:0029 RHSA-2008:0030 RHSA-2008:0064 20080130 rPSA-2008-0032-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs 27336 27352 ADV-2008-0179 ADV-2008-0184 ADV-2008-0497 ADV-2008-0703 ADV-2008-0924 ADV-2008-3000 http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=7&heading=AIX61&path=/200802/SECURITY/20080227/datafile112539&label=AIX%20X%20server%20multiple%20vulnerabilities https://bugzilla.redhat.com/show_bug.cgi?id=428044 xorg-pcffont-bo(39767) https://issues.rpath.com/browse/RPL-2010 oval:org.mitre.oval:def:10021 USN-571-1 FEDORA-2008-0760 FEDORA-2008-0794 FEDORA-2008-0831 FEDORA-2008-0891 Linux kernel before 2.6.22.17, when using certain drivers that register a fault handler that does not perform range checks, allows local users to access kernel memory via an out-of-range offset. SUSE-SA:2008:006 SUSE-SA:2008:017 [Security-announce] 20080728 VMSA-2008-00011 Updated ESX service console packages for Samba and vmnix [linux-kernel] 20080206 [patch 60/73] vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007) 1019357 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0048 DSA-1503 DSA-1504 DSA-1565 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22.17 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1 MDVSA-2008:044 MDVSA-2008:072 MDVSA-2008:112 MDVSA-2008:174 RHSA-2008:0211 RHSA-2008:0233 RHSA-2008:0237 RHSA-2008:0787 20080208 rPSA-2008-0048-1 kernel 27686 27705 USN-618-1 ADV-2008-0445 ADV-2008-2222 oval:org.mitre.oval:def:9412 The pa_drop_root function in PulseAudio 0.9.8, and a certain 0.9.9 build, does not check return values from (1) setresuid, (2) setreuid, (3) setuid, and (4) seteuid calls when attempting to drop privileges, which might allow local users to gain privileges by causing those calls to fail via attacks such as resource exhaustion. http://bugs.gentoo.org/show_bug.cgi?id=207214 http://pulseaudio.org/changeset/2100 GLSA-200802-07 DSA-1476 MDVSA-2008:027 27449 USN-573-1 ADV-2008-0283 https://bugzilla.novell.com/show_bug.cgi?id=347822 https://bugzilla.redhat.com/show_bug.cgi?id=425481 pulseaudio-padroproot-privilege-escalation(39992) FEDORA-2008-0963 FEDORA-2008-0994 The vmsplice_to_user function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which might allow local users to access arbitrary kernel memory locations. http://isec.pl/vulnerabilities/isec-0026-vmsplice_to_kernel.txt http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1 20080212 CSA-L03: Linux kernel vmsplice unchecked user-pointer dereference 27704 27799 ADV-2008-0487 https://bugzilla.redhat.com/show_bug.cgi?id=431206 FEDORA-2008-1422 FEDORA-2008-1423 The copy_from_user_mmap_sem function in fs/splice.c in the Linux kernel 2.6.22 through 2.6.24 does not validate a certain userspace pointer before dereference, which allow local users to read from arbitrary kernel memory locations. http://isec.pl/vulnerabilities/isec-0026-vmsplice_to_kernel.txt DSA-1494 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.1 20080212 CSA-L03: Linux kernel vmsplice unchecked user-pointer dereference 27704 27796 ADV-2008-0487 5093 FEDORA-2008-1422 FEDORA-2008-1423 Microsoft DirectX 8.1 through 9.0c, and DirectX on Microsoft XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008, does not properly perform MJPEG error checking, which allows remote attackers to execute arbitrary code via a crafted MJPEG stream in a (1) AVI or (2) ASF file, aka the "MJPEG Decoder Vulnerability." HPSBST02344 1020222 29581 TA08-162B ADV-2008-1780 MS08-033 oval:org.mitre.oval:def:5236 Heap-based buffer overflow in an unspecified procedure in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to the product's configuration, a different vulnerability than CVE-2008-0013 and CVE-2008-0014. http://blogs.iss.net/archive/trend.html 20081111 Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3) VU#768681 32261 ADV-2008-3127 application-rpc-config1-bo(39918) Heap-based buffer overflow in an unspecified procedure in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to the product's configuration, a different vulnerability than CVE-2008-0012 and CVE-2008-0014. http://blogs.iss.net/archive/trend.html 20081111 Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3) VU#768681 32261 ADV-2008-3127 application-rpc-config2-bo(39919) Heap-based buffer overflow in an unspecified procedure in Trend Micro ServerProtect 5.7 and 5.58 allows remote attackers to execute arbitrary code via unknown vectors, possibly related to the product's configuration, a different vulnerability than CVE-2008-0012 and CVE-2008-0013. http://blogs.iss.net/archive/trend.html 20081111 Trend Micro ServerProtect [PROCEDURE NAME REDACTED] Heap Overflows (3) VU#768681 32261 ADV-2008-3127 application-rpc-config3-bo(39920) Stack-based buffer overflow in the CComVariant::ReadFromStream function in the Active Template Library (ATL), as used in the MPEG2TuneRequest ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via a crafted web page, as exploited in the wild in July 2009, aka "Microsoft Video ActiveX Control Vulnerability." http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx http://isc.sans.org/diary.html?storyid=6733 http://www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799 20090706 Multiple Microsoft Video Control ActiveX Remote Code Execution Vulnerabilities VU#180513 http://www.microsoft.com/technet/security/advisory/972890.mspx 35558 35585 1022514 TA09-187A TA09-195A TA09-223A ADV-2009-2232 MS09-032 MS09-037 oval:org.mitre.oval:def:6333 oval:org.mitre.oval:def:6363 oval:org.mitre.oval:def:7436 Stack-based buffer overflow in the URL parsing implementation in Mozilla Firefox before 2.0.0.17 and SeaMonkey before 1.1.12 allows remote attackers to execute arbitrary code via a crafted UTF-8 URL in a link. http://download.novell.com/Download?buildid=WZXONb-tqBw~ SUSE-SA:2008:050 SSA:2008-269-02 SSA:2008-269-01 SSA:2008-270-01 256408 DSA-1649 DSA-1669 DSA-1696 DSA-1697 MDVSA-2008:205 MDVSA-2008:206 http://www.mozilla.org/security/announce/2008/mfsa2008-37.html RHSA-2008:0882 RHSA-2008:0908 31397 1020913 USN-645-1 USN-645-2 ADV-2008-2661 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=443288 https://bugzilla.mozilla.org/show_bug.cgi?id=451617 oval:org.mitre.oval:def:11579 FEDORA-2008-8401 FEDORA-2008-8429 The http-index-format MIME type parser (nsDirIndexParser) in Firefox 3.x before 3.0.4, Firefox 2.x before 2.0.0.18, and SeaMonkey 1.x before 1.1.13 does not check for an allocation failure, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP index response with a crafted 200 header, which triggers memory corruption and a buffer overflow. SUSE-SA:2008:055 256408 USN-667-1 DSA-1669 DSA-1671 DSA-1697 20081113 Mozilla Unchecked Allocation Remote Code Execution MDVSA-2008:228 MDVSA-2008:230 http://www.mozilla.org/security/announce/2008/mfsa2008-54.html RHSA-2008:0977 RHSA-2008:0978 32281 1021185 TA08-319A ADV-2008-3146 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=443299 oval:org.mitre.oval:def:11005 FEDORA-2008-9667 FEDORA-2008-9669 Unspecified vulnerability in the Load method in the IPersistStreamInit interface in the Active Template Library (ATL), as used in the Microsoft Video ActiveX control in msvidctl.dll in DirectShow, in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows remote attackers to execute arbitrary code via unknown vectors that trigger memory corruption, aka "ATL Header Memcopy Vulnerability," a different vulnerability than CVE-2008-0015. http://blogs.technet.com/srd/archive/2009/08/11/ms09-037-why-we-are-using-cve-s-already-used-in-ms09-035.aspx 20090706 Multiple Microsoft Video Control ActiveX Remote Code Execution Vulnerabilities 1022712 TA09-223A ADV-2009-2232 MS09-037 oval:org.mitre.oval:def:5850 SQL injection vulnerability in Cisco Unified CallManager/Communications Manager (CUCM) 5.0/5.1 before 5.1(3a) and 6.0/6.1 before 6.1(1a) allows remote authenticated users to execute arbitrary SQL commands via the key parameter to the (1) admin and (2) user interface pages. 20080213 SQL injection in Cisco Unified Communications Manager 27775 1019404 ADV-2008-0542 cucm-interface-sql-injection(40484) Heap-based buffer overflow in the Certificate Trust List (CTL) Provider service (CTLProvider.exe) in Cisco Unified Communications Manager (CUCM) 4.2 before 4.2(3)SR3 and 4.3 before 4.3(1)SR1, and CallManager 4.0 and 4.1 before 4.1(3)SR5c, allows remote attackers to cause a denial of service or execute arbitrary code via a long request. http://dvlabs.tippingpoint.com/advisory/TPTI-08-02 3551 20080116 Cisco Unified Communications Manager CTL Provider Heap Overflow 20080116 TPTI-08-02: Cisco Call Manager CTLProvider Heap Overflow Vulnerability 27313 1019223 ADV-2008-0171 cisco-cucm-ctl-bo(39704) Unspecified vulnerability in Cisco PIX 500 Series Security Appliance and 5500 Series Adaptive Security Appliance (ASA) before 7.2(3)6 and 8.0(3), when the Time-to-Live (TTL) decrement feature is enabled, allows remote attackers to cause a denial of service (device reload) via a crafted IP packet. 20080123 Cisco PIX and ASA Time-to-Live Vulnerability 27418 1019262 1019263 ADV-2008-0259 pix-asa-ttl-dos(39862) Cisco Application Velocity System (AVS) before 5.1.0 is installed with default passwords for some system accounts, which allows remote attackers to gain privileges. 20080123 Default Passwords in the Application Velocity System 27421 1019259 ADV-2008-0260 ciscoavs-default-password-admin-account(39860) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Unspecified vulnerability in Apple QuickTime before 7.4 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted Sorenson 3 video file, which triggers memory corruption. http://docs.info.apple.com/article.html?artnum=307301 APPLE-SA-2008-01-15 27298 1019221 TA08-016A ADV-2008-0148 quicktime-sorenson-code-execution(39695) Apple QuickTime before 7.4 allows remote attackers to execute arbitrary code via a movie file containing a Macintosh Resource record with a modified length value in the resource header, which triggers heap corruption. http://docs.info.apple.com/article.html?artnum=307301 20080115 Apple QuickTime Macintosh Resource Processing Heap Corruption Vulnerability APPLE-SA-2008-01-15 27301 1019221 TA08-016A ADV-2008-0148 quicktime-macintosh-code-execution(39696) Unspecified vulnerability in Apple QuickTime before 7.4 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via a movie file with Image Descriptor (IDSC) atoms containing an invalid atom size, which triggers memory corruption. http://docs.info.apple.com/article.html?artnum=307301 http://dvlabs.tippingpoint.com/advisory/TPTI-08-01 APPLE-SA-2008-01-15 20080115 TPTI-08-01: Apple Quicktime Image File IDSC Atom Memory Corruption Vulnerability 27299 1019221 TA08-016A ADV-2008-0148 quicktime-idsc-code-execution(39697) Unspecified vulnerability in Passcode Lock in Apple iPhone 1.0 through 1.1.2 allows users with physical access to execute applications without entering the passcode via vectors related to emergency calls. http://docs.info.apple.com/article.html?artnum=307302 APPLE-SA-2008-01-15 27297 1019219 ADV-2008-0147 iphone-passcode-lock-security-bypass(39701) Unspecified vulnerability in Foundation, as used in Apple iPhone 1.0 through 1.1.2, iPod touch 1.1 through 1.1.2, and Mac OS X 10.5 through 10.5.1, allows remote attackers to cause a denial of service (application termination) or execute arbitrary code via a crafted URL that triggers memory corruption in Safari. http://docs.info.apple.com/article.html?artnum=307302 http://docs.info.apple.com/article.html?artnum=307430 APPLE-SA-2008-02-11 APPLE-SA-2008-01-15 27296 1019220 TA08-043B ADV-2008-0147 ADV-2008-0495 iphone-ipod-foundation-code-execution(39700) Buffer overflow in Apple QuickTime before 7.4 allows remote attackers to execute arbitrary code via a crafted compressed PICT image, which triggers the overflow during decoding. http://docs.info.apple.com/article.html?artnum=307301 APPLE-SA-2008-07-10 APPLE-SA-2008-01-15 27300 1019221 TA08-016A ADV-2008-0148 ADV-2008-2064 quicktime-pict-bo(39698) X11 in Apple Mac OS X 10.5 through 10.5.1 does not properly handle when the "Allow connections from network client" preference is disabled, which allows remote attackers to bypass intended access restrictions and connect to the X server. http://docs.info.apple.com/article.html?artnum=307430 APPLE-SA-2008-02-11 27736 1019365 TA08-043B ADV-2008-0495 Launch Services in Apple Mac OS X 10.5 through 10.5.1 allows an uninstalled application to be launched if it is in a Time Machine backup, which might allow local users to bypass intended security restrictions or exploit vulnerabilities in the application. http://docs.info.apple.com/article.html?artnum=307430 APPLE-SA-2008-02-11 27736 1019360 TA08-043B ADV-2008-0495 Unspecified vulnerability in Mail in Apple Mac OS X 10.4.11 allows remote attackers to execute arbitrary commands via a crafted file:// URL. http://docs.info.apple.com/article.html?artnum=307430 APPLE-SA-2008-02-11 27736 1019361 TA08-043B ADV-2008-0495 Unspecified vulnerability in NFS in Apple Mac OS X 10.5 through 10.5.1 allows remote attackers to cause a denial of service (system shutdown) or execute arbitrary code via unknown vectors related to mbuf chains that trigger memory corruption. http://docs.info.apple.com/article.html?artnum=307430 APPLE-SA-2008-02-11 27736 1019362 TA08-043B ADV-2008-0495 Parental Controls in Apple Mac OS X 10.5 through 10.5.1 contacts www.apple.com "when a website is unblocked," which allows remote attackers to determine when a system is running Parental Controls. http://docs.info.apple.com/article.html?artnum=307430 APPLE-SA-2008-02-11 27736 1019363 TA08-043B ADV-2008-0495 Argument injection vulnerability in Terminal.app in Terminal in Apple Mac OS X 10.4.11 and 10.5 through 10.5.1 allows remote attackers to execute arbitrary code via unspecified URL schemes. http://docs.info.apple.com/article.html?artnum=307430 APPLE-SA-2008-02-11 VU#774345 27736 1019364 TA08-043B ADV-2008-0495 Format string vulnerability in Apple iPhoto before 7.1.2 allows remote attackers to execute arbitrary code via photocast subscriptions. http://docs.info.apple.com/article.html?artnum=307398 APPLE-SA-2008-02-05 27636 1019307 ADV-2008-0428 Multiple buffer overflows in AFP Client in Apple Mac OS X 10.4.11 and 10.5.2 allow remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted afp:// URL. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28320 1019640 TA08-079A ADV-2008-0924 macos-afpclient-bo(41319) Unspecified vulnerability in AFP Server in Apple Mac OS X 10.4.11 allows remote attackers to bypass cross-realm authentication via unknown manipulations of Kerberos principal realm names. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28323 1019642 TA08-079A ADV-2008-0924 macos-afpserver-security-bypass(41318) The Application Firewall in Apple Mac OS X 10.5.2 has an incorrect German translation for the "Set access for specific services and applications" radio button that might cause the user to believe that the button is used to restrict access only to specific services and applications, which might allow attackers to bypass intended access restrictions. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28368 1019658 TA08-079A ADV-2008-0924 macos-applicationfirewall-weak-security(41317) Heap-based buffer overflow in the cgiCompileSearch function in CUPS 1.3.5, and other versions including the version bundled with Apple Mac OS X 10.5.2, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions. http://docs.info.apple.com/article.html?artnum=307562 20080318 Multiple Vendor CUPS CGI Heap Overflow Vulnerability APPLE-SA-2008-03-18 SUSE-SA:2008:015 GLSA-200804-01 DSA-1530 MDVSA-2008:081 RHSA-2008:0192 28307 1019646 USN-598-1 TA08-079A ADV-2008-0921 ADV-2008-0924 oval:org.mitre.oval:def:10085 FEDORA-2008-2131 FEDORA-2008-2897 Stack-based buffer overflow in AppKit in Apple Mac OS X 10.4.11 allows context-dependent attackers to execute arbitrary code via the a long file name to the NSDocument API. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28388 1019647 TA08-079A ADV-2008-0924 macos-appkit-nsdocument-bo(41315) AppKit in Apple Mac OS X 10.4.11 inadvertently makes an NSApplication mach port available for inter-process communication instead of inter-thread communication, which allows local users to execute arbitrary code via crafted messages to privileged applications. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28340 1019647 TA08-079A ADV-2008-0924 macos-appkit-code-execution(41314) CFNetwork in Apple Mac OS X 10.4.11 allows remote HTTPS proxy servers to spoof secure websites via data in a 502 Bad Gateway error. http://docs.info.apple.com/article.html?artnum=307562 http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-07-11 APPLE-SA-2008-03-18 28290 28356 1019655 TA08-079A ADV-2008-0920 ADV-2008-0924 ADV-2008-2094 macos-cfnetwork-502badgateway-spoofing(41313) Integer overflow in CoreFoundation in Apple Mac OS X 10.4.11 might allow local users to execute arbitrary code via crafted time zone data. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28375 1019670 TA08-079A ADV-2008-0924 macos-corefoundation-timezone-code-execution(41310) CoreServices in Apple Mac OS X 10.4.11 treats .ief as a safe file type, which allows remote attackers to force Safari users into opening an .ief file in AppleWorks, even when the "Open 'Safe' files" preference is set. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28384 1019671 TA08-079A ADV-2008-0924 macos-coreservices-weak-security(41312) Multiple buffer overflows in the HP-GL/2-to-PostScript filter in CUPS before 1.3.6 might allow remote attackers to execute arbitrary code via a crafted HP-GL/2 file. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 SUSE-SA:2008:020 GLSA-200804-01 DSA-1625 MDVSA-2008:081 RHSA-2008:0192 RHSA-2008:0206 28304 28334 1019672 USN-598-1 TA08-079A ADV-2008-0924 macos-cups-inputvalidation-unspecified(41272) oval:org.mitre.oval:def:10356 FEDORA-2008-2897 Foundation in Apple Mac OS X 10.4.11 might allow context-dependent attackers to execute arbitrary code via a malformed selector name to the NSSelectorFromString API, which causes an "unexpected selector" to be used. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28341 1019649 TA08-079A ADV-2008-0924 macos-nsselectorfromstring-code-execution(41355) Foundation in Apple Mac OS X 10.4.11 creates world-writable directories while NSFileManager copies files recursively and only modifies the permissions afterward, which allows local users to modify copied files to cause a denial of service and possibly gain privileges. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28343 1019649 TA08-079A ADV-2008-0924 macos-nsfilemanager-priv-escalation(41299) Stack-based buffer overflow in Foundation in Apple Mac OS X 10.4.11 allows context-dependent attackers to execute arbitrary code via a "long pathname with an unexpected structure" that triggers the overflow in NSFileManager. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28357 1019649 TA08-079A ADV-2008-0924 macos-foundation-nsfilemanager-bo(41309) Multiple integer overflows in a "legacy serialization format" parser in AppKit in Apple Mac OS X 10.4.11 allows remote attackers to execute arbitrary code via a crafted serialized property list. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28358 1019648 TA08-079A ADV-2008-0924 macos-appkit-parser-bo(41298) Race condition in the NSURLConnection cache management functionality in Foundation for Apple Mac OS X 10.4.11 allows remote attackers to execute arbitrary code via unspecified manipulations that cause messages to be sent to a deallocated object. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28359 1019650 TA08-079A ADV-2008-0924 macos-foundation-nsurl-code-execution(41297) Race condition in NSXML in Foundation for Apple Mac OS X 10.4.11 allows context-dependent attackers to execute arbitrary code via a crafted XML file, related to "error handling logic." http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28367 1019650 TA08-079A ADV-2008-0924 macos-foundation-code-execution(41296) Help Viewer in Apple Mac OS X 10.4.11 and 10.5.2 allows remote attackers to execute arbitrary Applescript via a help:topic_list URL that injects HTML or JavaScript into a topic list page, as demonstrated using a help:runscript link. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28371 1019657 TA08-079A ADV-2008-0924 macos-helpviewer-code-execution(41295) MaraDNS 1.0 before 1.0.41, 1.2 before 1.2.12.08, and 1.3 before 1.3.07.04 allows remote attackers to cause a denial of service via a crafted DNS packet that prevents an authoritative name (CNAME) record from resolving, aka "improper rotation of resource records." http://bugs.gentoo.org/show_bug.cgi?id=204351 http://maradns.blogspot.com/2007/08/maradns-update-all-versions.html GLSA-200801-16 DSA-1445 http://www.maradns.org/changelog.html 27124 ADV-2008-0026 KDC in MIT Kerberos 5 (krb5kdc) does not set a global variable for some krb4 message types, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted messages that trigger a NULL pointer dereference or double-free. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 SUSE-SA:2008:016 SSRT100495 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022520.html http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022542.html http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt http://wiki.rpath.com/Advisories:rPSA-2008-0112 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0112 DSA-1524 GLSA-200803-31 VU#895609 MDVSA-2008:069 MDVSA-2008:070 MDVSA-2008:071 RHSA-2008:0164 RHSA-2008:0180 RHSA-2008:0181 RHSA-2008:0182 20080318 MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc 20080319 rPSA-2008-0112-1 krb5 krb5-server krb5-services krb5-test krb5-workstation 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues 28303 1019626 USN-587-1 http://www.vmware.com/security/advisories/VMSA-2008-0009.html ADV-2008-0922 ADV-2008-0924 ADV-2008-1102 ADV-2008-1744 krb5-kdc-code-execution(41275) oval:org.mitre.oval:def:9496 FEDORA-2008-2637 FEDORA-2008-2647 The Kerberos 4 support in KDC in MIT Kerberos 5 (krb5kdc) does not properly clear the unused portion of a buffer when generating an error message, which might allow remote attackers to obtain sensitive information, aka "Uninitialized stack values." http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 SUSE-SA:2008:016 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022520.html http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022542.html http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt http://wiki.rpath.com/Advisories:rPSA-2008-0112 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0112 DSA-1524 GLSA-200803-31 MDVSA-2008:069 MDVSA-2008:070 MDVSA-2008:071 RHSA-2008:0164 RHSA-2008:0180 RHSA-2008:0181 RHSA-2008:0182 20080318 MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc 20080319 rPSA-2008-0112-1 krb5 krb5-server krb5-services krb5-test krb5-workstation 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues 28303 1019627 USN-587-1 http://www.vmware.com/security/advisories/VMSA-2008-0009.html ADV-2008-0922 ADV-2008-0924 ADV-2008-1102 ADV-2008-1744 krb5-kdc-kerberos4-info-disclosure(41277) oval:org.mitre.oval:def:8916 FEDORA-2008-2637 FEDORA-2008-2647 Stack-based buffer overflow in Pierre-emmanuel Gougelet (1) XnView 1.91 and 1.92, (2) NConvert 4.85, and (3) libgfl280.dll in GFL SDK 2.870 for Windows allows user-assisted remote attackers to execute arbitrary code via a crafted Radiance RGBE (.hdr) file. 27514 ADV-2008-0328 ADV-2008-0329 Multiple stack-based buffer overflows in in_mp3.dll in Winamp 5.21, 5.5, and 5.51 allow remote attackers to execute arbitrary code via a long (1) artist or (2) name tag in Ultravox streaming metadata, related to construction of stream titles. 27344 ADV-2008-0183 http://www.winamp.com/player/version-history winamp-inmp3-bo(39778) Multiple buffer overflows in htmsr.dll in the HTML speed reader in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes 7.0.2 and 7.0.3, allow remote attackers to execute arbitrary code via an HTML document with (1) "large chunks of data," or a long URL in the (2) BACKGROUND attribute of a BODY element or (3) SRC attribute of an IMG element. 20080414 Secunia Research: Lotus Notes htmsr.dll Buffer Overflows 28454 1019843 ADV-2008-1153 ADV-2008-1156 http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21298453 autonomy-keyview-html-multiple-bo(41724) Multiple stack-based buffer overflows in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allow remote attackers to execute arbitrary code via (1) long string parameters to the OpenView5.exe CGI program; (2) a long string parameter to the OpenView5.exe CGI program, related to ov.dll; or a long string parameter to the (3) getcvdata.exe, (4) ovlaunch.exe, or (5) Toolbar.exe CGI program. HPSBMA02400 4885 8307 1021521 20090107 Secunia Research: HP OpenView Network Node Manager Multiple Vulnerabilities 33147 Directory traversal vulnerability in OpenView5.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to read arbitrary files via directory traversal sequences in the Action parameter. http://aluigi.altervista.org/adv/closedviewx-adv.txt SSRT080043 3814 20080411 Directory traversal and multiple Denials of Service in HP OpenView NNM 7.53 20080414 Secunia Research: HP OpenView Network Node Manager OpenView5.exeDirectory Traversal 28745 1019838 1019839 ADV-2008-1214 hpopenview-openview5-directory-traversal(41790) Stack-based buffer overflow in XnView 1.92 and 1.92.1 allows user-assisted remote attackers to execute arbitrary code via a long FontName parameter in a slideshow (.sld) file, a different vector than CVE-2008-1461. 28579 ADV-2008-1044 xnview-slideshow-bo(41542) 5346 Integer overflow in Orb Networks Orb 2.00.1014 and Winamp Remote BETA allows remote attackers to execute arbitrary code via an RPC request that specifies a large number of array dimensions, which triggers a heap-based buffer overflow. 28431 ADV-2008-0984 orb-dimensions-bo(41410) The Web UI interface in (1) BitTorrent before 6.0.3 build 8642 and (2) uTorrent before 1.8beta build 10524 allows remote attackers to cause a denial of service (application crash) via an HTTP request with a malformed Range header. 3943 1020266 20080611 Secunia Research: uTorrent / BitTorrent Web UI HTTP "Range" Header DoS 29661 1020265 ADV-2008-1808 ADV-2008-1809 5918 Format string vulnerability in the emf_multipart_encrypted function in mail/em-format.c in Evolution 2.12.3 and earlier allows remote attackers to execute arbitrary code via a crafted encrypted message, as demonstrated using the Version field. SUSE-SA:2008:014 GLSA-200803-12 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0105 DSA-1512 VU#512491 MDVSA-2008:063 RHSA-2008:0177 RHSA-2008:0178 20080528 rPSA-2008-0105-1 evolution 28102 1019540 USN-583-1 ADV-2008-0768 evolution-emfmultipart-format-string(41011) https://issues.rpath.com/browse/RPL-2310 oval:org.mitre.oval:def:10701 FEDORA-2008-2290 FEDORA-2008-2292 Array index error in the sdpplin_parse function in input/libreal/sdpplin.c in xine-lib 1.1.10.1 allows remote RTSP servers to execute arbitrary code via a large streamid SDP parameter. SUSE-SR:2008:007 SUSE-SR:2008:012 GLSA-200804-25 GLSA-200808-01 http://sourceforge.net/project/shownotes.php?release_id=585488&group_id=9655 http://wiki.videolan.org/Changelog/0.8.6f DSA-1536 DSA-1543 MDVSA-2008:178 MDVSA-2008:219 28312 1019682 SSA:2008-089-03 USN-635-1 http://www.videolan.org/security/sa0803.php ADV-2008-0923 ADV-2008-0985 http://xinehq.de/index.php/news xinelib-sdpplinparse-bo(41339) FEDORA-2008-2945 FEDORA-2008-2569 Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows local users to gain privileges via unknown vectors related to file change notifications in the TPRoot, NNTPFile\Root, or WWWRoot folders. HPSBST02314 27101 1019384 TA08-043C ADV-2008-0507 MS08-005 oval:org.mitre.oval:def:5389 Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 through 6.0 allows remote attackers to execute arbitrary code via crafted inputs to ASP pages. HPSBST02314 27676 1019385 TA08-043C ADV-2008-0508 MS08-006 oval:org.mitre.oval:def:5308 Unspecified vulnerability in Microsoft Internet Explorer 5.01, 6 SP1 and SP2, and 7 allows remote attackers to execute arbitrary code via crafted HTML layout combinations, aka "HTML Rendering Memory Corruption Vulnerability." HPSBST02314 27668 1019379 TA08-043C ADV-2008-0512 MS08-010 oval:org.mitre.oval:def:5487 Use-after-free vulnerability in Microsoft Internet Explorer 6 SP1, 6 SP2, and and 7 allows remote attackers to execute arbitrary code by assigning malformed values to certain properties, as demonstrated using the by property of an animateMotion SVG element, aka "Property Memory Corruption Vulnerability." 20080212 Microsoft Internet Explorer Property Memory Corruption Vulnerability HPSBST02314 VU#228569 20080213 ZDI-08-006: Microsoft Internet Explorer SVG animateMotion.by Code Execution Vulnerability 27666 1019380 TA08-043C ADV-2008-0512 http://www.zerodayinitiative.com/advisories/ZDI-08-006.html MS08-010 oval:org.mitre.oval:def:5396 Unspecified vulnerability in an ActiveX control (dxtmsft.dll) in Microsoft Internet Explorer 5.01, 6 SP1 and SP2, and 7 allows remote attackers to execute arbitrary code via a crafted image, aka "Argument Handling Memory Corruption Vulnerability." HPSBST02314 27689 1019381 TA08-043C ADV-2008-0512 MS08-010 oval:org.mitre.oval:def:4904 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Heap-based buffer overflow in the WebDAV Mini-Redirector in Microsoft Windows XP SP2, Server 2003 SP1 and SP2, and Vista allows remote attackers to execute arbitrary code via a crafted WebDAV response. HPSBST02314 27670 1019372 TA08-043C ADV-2008-0509 MS08-007 oval:org.mitre.oval:def:5381 Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via crafted macros, aka "Macro Validation Vulnerability," a different vulnerability than CVE-2007-3490. SSRT080028 1019200 947563 27305 TA08-071A ADV-2008-0146 ADV-2008-0846 MS08-014 microsoft-excel-unspecified-code-execution(39699) oval:org.mitre.oval:def:5546 An ActiveX control (Messenger.UIAutomation.1) in Windows Messenger 4.7 and 5.1 is marked as safe-for-scripting, which allows remote attackers to control the Messenger application, and "change state," obtain contact information, and establish audio or video connections without notification via unknown vectors. HPSBST02360 20080814 Microsoft Windows Messenger Remote Illegal Access Vulnerability 30551 1020681 TA08-225A ADV-2008-2354 MS08-050 oval:org.mitre.oval:def:5995 The (1) VBScript (VBScript.dll) and (2) JScript (JScript.dll) scripting engines 5.1 and 5.6, as used in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2, do not properly decode script, which allows remote attackers to execute arbitrary code via unknown vectors. SSRT080048 28551 1019799 TA08-099A ADV-2008-1146 MS08-022 oval:org.mitre.oval:def:5495 Unspecified vulnerability in the TCP/IP support in Microsoft Windows Vista allows remote DHCP servers to cause a denial of service (hang and restart) via a crafted DHCP packet. Apply patches. Windows Vista: http://www.microsoft.com/downloads/de...=8ce9608b-7049-47cd-adc4-22a803877d33 Windows Vista x64 Edition: http://www.microsoft.com/downloads/de...=d7b9c3d1-9c23-4e05-bac6-d0b327feaf53 HPSBST02314 27634 1019383 TA08-043C ADV-2008-0506 MS08-004 oval:org.mitre.oval:def:5240 SQL Server 7.0 SP4, 2000 SP4, 2005 SP1 and SP2, 2000 Desktop Engine (MSDE 2000) SP4, 2005 Express Edition SP1 and SP2, and 2000 Desktop Engine (WMSDE); Microsoft Data Engine (MSDE) 1.0 SP4; and Internal Database (WYukon) SP2 does not initialize memory pages when reallocating memory, which allows database operators to obtain sensitive information (database contents) via unknown vectors related to memory page reuse. 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 1020441 TA08-190A http://www.vmware.com/security/advisories/VMSA-2011-0003.html http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html ADV-2008-2022 MS08-040 oval:org.mitre.oval:def:14213 Buffer overflow in the convert function in Microsoft SQL Server 2000 SP4, 2000 Desktop Engine (MSDE 2000) SP4, and 2000 Desktop Engine (WMSDE) allows remote authenticated users to execute arbitrary code via a crafted SQL expression. 20080708 Re: [Full-disclosure] iDefense Security Advisory 07.08.08: Microsoft SQL Server Restore Integer Underflow Vulnerability 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 1020441 TA08-190A http://www.vmware.com/security/advisories/VMSA-2011-0003.html http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html ADV-2008-2022 MS08-040 oval:org.mitre.oval:def:14052 The DNS client in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, and Vista uses predictable DNS transaction IDs, which allows remote attackers to spoof DNS responses. SSRT080048 20080408 Microsoft Windows DNS Stub Resolver Cache Poisoning (MS08-020) 28553 1019802 http://www.trusteer.com/docs/windowsresolver.html TA08-099A ADV-2008-1144 MS08-020 oval:org.mitre.oval:def:5314 Unspecified vulnerability in Active Directory on Microsoft Windows 2000 and Windows Server 2003, and Active Directory Application Mode (ADAM) on XP and Server 2003, allows remote attackers to cause a denial of service (hang and restart) via a crafted LDAP request. HPSBST02314 27638 1019382 TA08-043C ADV-2008-0505 MS08-003 oval:org.mitre.oval:def:5181 SQL injection vulnerability in uprofile.php in ClipShare allows remote attackers to execute arbitrary SQL commands via the UID parameter. 27108 clipshare-uprofile-sql-injection(39364) 4830 A certain ActiveX control in npUpload.dll in DivX Player 6.6.0 allows remote attackers to cause a denial of service (Internet Explorer 7 crash) via a long argument to the SetPassword method. 27106 divxwebplayer-npUpload-dos(39386) 4829 Directory traversal vulnerability in download2.php in AGENCY4NET WEBFTP 1 allows remote attackers to read and delete arbitrary files via a .. (dot dot) in the file parameter. 20080104 true: AGENCY4NET WEBFTP directory traversal; deletion possible 27092 ADV-2008-0051 agency4net-download2-directory-traversal(39343) 4828 Cross-site scripting (XSS) vulnerability in index.php in the search module in Appalachian State University phpWebSite 1.4.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. http://phpwebsite.appstate.edu/blog/2143 3511 20080101 Cross-Site Scripting (XSS) in phpWebSite 1.4.0 search 27090 phpwebsite-search-xss(39391) Multiple cross-site scripting (XSS) vulnerabilities in newticket.php in eTicket 1.5.5.2, and 1.5.6 RC2 and RC3, allow remote attackers to inject arbitrary web script or HTML via the (1) Name and (2) Subject parameters. http://www.digitrustgroup.com/advisories/web-application-security-eticket.html 27130 eticket-name-subject-xss(39400) Multiple directory traversal vulnerabilities in MODx Content Management System 0.9.6.1 allow remote attackers to (1) include and execute arbitrary local files via a .. (dot dot) in the as_language parameter to assets/snippets/AjaxSearch/AjaxSearch.php, reached through index-ajax.php; and (2) read arbitrary local files via a .. (dot dot) in the file parameter to assets/js/htcmime.php. http://modxcms.com/forums/index.php/topic,21290.0.html 3522 20080102 MODx CMS Source code disclosure, local file inclusion 27096 27097 modx-ajaxsearch-file-include(39352) The SIP channel driver in Asterisk Open Source 1.4.x before 1.4.17, Business Edition before C.1.0-beta8, AsteriskNOW before beta7, Appliance Developer Kit before Asterisk 1.4 revision 95946, and Appliance s800i 1.0.x before 1.0.3.4 allows remote attackers to cause a denial of service (daemon crash) via a BYE message with an Also (Also transfer) header, which triggers a NULL pointer dereference. http://bugs.digium.com/view.php?id=11637 http://downloads.digium.com/pub/security/AST-2008-001.html 3520 20080102 AST-2008-001: Crash from transfer using BYE with Also header 27110 1019152 ADV-2008-0019 asterisk-bye-also-dos(39361) FEDORA-2008-0198 FEDORA-2008-0199 Multiple buffer overflows in Georgia SoftWorks SSH2 Server (GSW_SSHD) 7.01.0003 and earlier allow remote attackers to execute arbitrary code via a (1) a long username, which triggers an overflow in the log function; or (2) a long password. http://aluigi.altervista.org/adv/gswsshit-adv.txt 3517 20080102 Multiple vulnerabilities in Georgia SoftWorks SSH2 Server 7.01.0003 27103 Format string vulnerability in the log function in Georgia SoftWorks SSH2 Server (GSW_SSHD) 7.01.0003 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the username field, as demonstrated by a certain LoginPassword message. http://aluigi.altervista.org/adv/gswsshit-adv.txt 3517 20080102 Multiple vulnerabilities in Georgia SoftWorks SSH2 Server 7.01.0003 Buffer overflow in RealPlayer 11 build 6.0.14.748 allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: As of 20080103, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. http://gleg.net/realplayer11.html [Dailydave] 20080101 0day RealPlayer exploit demo 27091 1019153 http://www.us-cert.gov/current/index.html#public_exploit_code_for_realplayer ADV-2008-0016 Multiple SQL injection vulnerabilities in MyPHP Forum 3.0 and earlier allow remote attackers to execute arbitrary SQL commands via the searchtext parameter to search.php, and unspecified other vectors. 27118 4831 Stack-based buffer overflow in the Scene::errorf function in Scene.cpp in White_Dune 0.29 beta791 and earlier allows remote attackers to execute arbitrary code via a long string in a .WRL file. http://aluigi.altervista.org/adv/whitedunboffs-adv.txt 3516 http://vrml.cip.ica.uni-stuttgart.de/dune/news.html 20080102 Buffer-overflow and format string in White_Dune 0.29beta791 27102 whitedune-sceneerrorf-bo(39385) Format string vulnerability in the swDebugf function in DuneApp.cpp in White_Dune 0.29 beta791 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a .WRL file. http://aluigi.altervista.org/adv/whitedunboffs-adv.txt 3516 http://vrml.cip.ica.uni-stuttgart.de/dune/news.html 20080102 Buffer-overflow and format string in White_Dune 0.29beta791 27102 whitedune-swdegugf-format-string(39388) Unspecified vulnerability in Microsoft Office Publisher 2000, 2002, and 2003 SP2 allows remote attackers to execute arbitrary code via a crafted .pub file, related to invalid "memory values," aka "Publisher Invalid Memory Reference Vulnerability." HPSBST02314 27739 1019376 TA08-043C ADV-2008-0514 MS08-012 oval:org.mitre.oval:def:5305 Unspecified vulnerability in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP2, and Office 2004 for Mac allows remote attackers to execute arbitrary code via an Office document that contains a malformed object, related to a "memory handling error," aka "Microsoft Office Execution Jump Vulnerability." HPSBST02314 27738 1019375 TA08-043C ADV-2008-0515 MS08-013 oval:org.mitre.oval:def:5407 Unspecified vulnerability in Microsoft Office Publisher 2000, 2002, and 2003 SP2 allows remote attackers to execute arbitrary code via a crafted .pub file, aka "Publisher Memory Corruption Vulnerability." HPSBST02314 27740 1019377 TA08-043C ADV-2008-0514 MS08-012 oval:org.mitre.oval:def:4547 Microsoft Works 6 File Converter, as used in Office 2003 SP2 and SP3, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted section header index table information, aka "Microsoft Works File Converter Index Table Vulnerability." HPSBST02314 27658 1019387 TA08-043C ADV-2008-0513 MS08-011 oval:org.mitre.oval:def:5009 Buffer overflow in Microsoft SQL Server 2005 SP1 and SP2, and 2005 Express Edition SP1 and SP2, allows remote authenticated users to execute arbitrary code via a crafted insert statement. 20080708 Re: [Full-disclosure] iDefense Security Advisory 07.08.08: Microsoft SQL Server Restore Integer Underflow Vulnerability 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 1020441 TA08-190A http://www.vmware.com/security/advisories/VMSA-2011-0003.html http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html ADV-2008-2022 MS08-040 oval:org.mitre.oval:def:13785 Integer underflow in SQL Server 7.0 SP4, 2000 SP4, 2005 SP1 and SP2, 2000 Desktop Engine (MSDE 2000) SP4, 2005 Express Edition SP1 and SP2, and 2000 Desktop Engine (WMSDE); Microsoft Data Engine (MSDE) 1.0 SP4; and Internal Database (WYukon) SP2 allows remote authenticated users to execute arbitrary code via a (1) SMB or (2) WebDAV pathname for an on-disk file (aka stored backup file) with a crafted record size value, which triggers a heap-based buffer overflow, aka "SQL Server Memory Corruption Vulnerability." 20080708 Microsoft SQL Server Restore Integer Underflow Vulnerability http://www.insomniasec.com/advisories/ISVA-080709.1.htm 20080708 Re: [Full-disclosure] iDefense Security Advisory 07.08.08: Microsoft SQL Server Restore Integer Underflow Vulnerability 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX 30119 1020441 TA08-190A http://www.vmware.com/security/advisories/VMSA-2011-0003.html http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html ADV-2008-2022 MS08-040 oval:org.mitre.oval:def:13936 Stack-based buffer overflow in wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 2003 SP2 and SP3, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted field lengths, aka "Microsoft Works File Converter Field Length Vulnerability." 20080208 Microsoft Office Works Converter Stack-based Buffer Overflow Vulnerability HPSBST02314 27659 1019388 TA08-043C ADV-2008-0513 MS08-011 oval:org.mitre.oval:def:5202 5107 Word in Microsoft Office 2000 SP3, XP SP3, Office 2003 SP2, and Office Word Viewer 2003 allows remote attackers to execute arbitrary code via crafted fields within the File Information Block (FIB) of a Word file, which triggers length calculation errors and memory corruption. HPSBST02314 VU#692417 20080213 [Reversemode Advisory] February Advisories : Microsoft Word 2003 + Fortinet Forticlient 27656 1019374 TA08-043C ADV-2008-0511 MS08-009 oval:org.mitre.oval:def:5073 Unspecified vulnerability in Microsoft Outlook in Office 2000 SP3, XP SP3, 2003 SP2 and Sp3, and Office System allows user-assisted remote attackers to execute arbitrary code via a crafted mailto URI. SSRT080028 VU#393305 28147 1019579 TA08-071A ADV-2008-0847 MS08-015 oval:org.mitre.oval:def:5278 Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2007, Viewer 2003, Compatibility Pack, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via crafted data validation records, aka "Excel Data Validation Record Vulnerability." SSRT080028 28094 1019582 TA08-071A ADV-2008-0846 MS08-014 oval:org.mitre.oval:def:5114 Unspecified vulnerability in Microsoft Excel 2000 SP3, and Office for Mac 2004 and 2008 allows user-assisted remote attackers to execute arbitrary code via a crafted .SLK file that is not properly handled when importing the file, aka "Excel File Import Vulnerability." SSRT080028 28095 1019583 TA08-071A ADV-2008-0846 MS08-014 oval:org.mitre.oval:def:5284 Unspecified vulnerability in Microsoft Office Excel Viewer 2003 up to SP3 allows user-assisted remote attackers to execute arbitrary code via an Excel document with malformed cell comments that trigger memory corruption from an "allocation error," aka "Microsoft Office Cell Parsing Memory Corruption Vulnerability." SSRT080028 20080311 ZDI-08-008: Microsoft Excel BIFF File Format Cell Record Parsing Memory Corruption Vulnerability 1019578 TA08-071A ADV-2008-0848 http://www.zerodayinitiative.com/advisories/ZDI-08-008 MS08-016 oval:org.mitre.oval:def:5421 Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office for Mac 2004 allows user-assisted remote attackers to execute arbitrary code via crafted Style records that trigger memory corruption. SSRT080028 28166 1019584 TA08-071A ADV-2008-0846 MS08-014 oval:org.mitre.oval:def:5456 Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2007, Viewer 2003, Compatibility Pack, and Office for Mac 2004 allows user-assisted remote attackers to execute arbitrary code via malformed formulas, aka "Excel Formula Parsing Vulnerability." SSRT080028 28167 1019585 TA08-071A ADV-2008-0846 MS08-014 oval:org.mitre.oval:def:5512 Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, Compatibility Pack, and Office 2004 and 2008 for Mac allows user-assisted remote attackers to execute arbitrary code via malformed tags in rich text, aka "Excel Rich Text Validation Vulnerability." http://dvlabs.tippingpoint.com/advisory/TPTI-08-03 SSRT080028 20080311 TPTI-08-03: Microsoft Excel Rich Text Memory Corruption Vulnerability 28168 1019586 TA08-071A ADV-2008-0846 MS08-014 oval:org.mitre.oval:def:5212 Unspecified vulnerability in Microsoft Excel 2000 SP3 and 2002 SP2, and Office 2004 and 2008 for Mac, allows user-assisted remote attackers to execute arbitrary code via crafted conditional formatting values, aka "Excel Conditional Formatting Vulnerability." SSRT080028 28170 1019587 TA08-071A ADV-2008-0846 MS08-014 oval:org.mitre.oval:def:5508 Unspecified vulnerability in Microsoft Office 2000 SP3, XP SP3, 2003 SP2, Excel Viewer 2003 up to SP3, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via a crafted Office document that triggers memory corruption from an "allocation error," aka "Microsoft Office Memory Corruption Vulnerability." SSRT080028 28146 1019578 TA08-071A ADV-2008-0848 MS08-016 oval:org.mitre.oval:def:5190 Unspecified vulnerability in Microsoft Publisher in Office 2000 and XP SP3, 2003 SP2 and SP3, and 2007 SP1 and earlier allows remote attackers to execute arbitrary code via a Publisher file with crafted object header data that triggers memory corruption, aka "Publisher Object Handler Validation Vulnerability." SSRT080071 20080514 Microsoft Office Publisher PUB File Parsing Remote Memory Corruption Vulnerability 29158 1020015 TA08-134A ADV-2008-1505 MS08-027 oval:org.mitre.oval:def:5303 Integer overflow in Microsoft PowerPoint Viewer 2003 allows remote attackers to execute arbitrary code via a PowerPoint file with a malformed picture index that triggers memory corruption, related to handling of CString objects, aka "Memory Allocation Vulnerability." 20080812 Microsoft PowerPoint Viewer 2003 Cstring Integer Overflow Vulnerability HPSBST02360 30552 1020676 TA08-225A ADV-2008-2355 MS08-051 oval:org.mitre.oval:def:5768 A "memory calculation error" in Microsoft PowerPoint Viewer 2003 allows remote attackers to execute arbitrary code via a PowerPoint file with an invalid picture index that triggers memory corruption, aka "Memory Calculation Vulnerability." 20080812 Microsoft PowerPoint Viewer 2003 Out of Bounds Array Index Vulnerability HPSBST02360 30554 1020676 TA08-225A ADV-2008-2355 MS08-051 oval:org.mitre.oval:def:5724 Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that triggers memory corruption. SUSE-SR:2008:006 FreeBSD-SA-08:02 238493 http://support.avaya.com/elmodocs2/security/ASA-2008-244.htm http://www.isc.org/index.pl?/sw/bind/bind-security.php VU#203611 RHSA-2008:0300 20080124 rPSA-2008-0029-1 bind bind-utils 27283 1019189 ADV-2008-0193 ADV-2008-0703 ADV-2008-1743 http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=7&heading=AIX61&path=/200802/SECURITY/20080227/datafile123640&label=AIX%20libc%20inet_network%20buffer%20overflow http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4167 https://bugzilla.redhat.com/show_bug.cgi?id=429149 freebsd-inetnetwork-bo(39670) https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04952488 https://issues.rpath.com/browse/RPL-2169 oval:org.mitre.oval:def:10190 FEDORA-2008-0903 FEDORA-2008-0904 Cross-site scripting (XSS) vulnerability in install.php for Moodle 1.8.3, and possibly other versions before 1.8.4, allows remote attackers to inject arbitrary web script or HTML via the dbname parameter. NOTE: this issue only exists until the installation is complete. 20080111 Cross site scripting (XSS) in Moodle 1.8.3 http://int21.de/cve/CVE-2008-0123-moodle.html SUSE-SR:2008:003 20080111 Cross site scripting (XSS) in Moodle 1.8.3 27259 ADV-2008-0164 moodle-install-xss(39630) Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1.3-beta1 allows remote authenticated users to inject arbitrary web script or HTML via (1) the "Real name" field in Personal Settings, which is presented to readers of articles; or (2) a file upload, as demonstrated by a .htm, .html, or .js file. http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html http://int21.de/cve/CVE-2008-0124-s9y.html DSA-1528 28003 1019502 ADV-2008-0700 serendipity-realname-username-xss(40851) Cross-site scripting (XSS) vulnerability in phpstats.php in Michael Wagner phpstats 0.1 alpha allows remote attackers to inject arbitrary web script or HTML via the baseDir parameter. 3765 20080317 Cross Site Scripting (XSS) in phpstats 0.1_alpha, CVE-2008-0125 28291 phpstats-phpstats-xss(41261) The administration interface in McAfee E-Business Server 8.5.2 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a long initial authentication packet. 3530 1019170 20080109 [INFIGO 2008-01-06]: McAfee E-Business Server Remote Preauth Code Execution / DoS 20080109 [INFIGO-2008-01-06]: McAfee E-Business Server Remote Preauth Code Execution / DoS - Corrected 27197 ADV-2008-0087 mcafee-ebusiness-authentication-packet-dos(39561) mcafee-ebusiness-packet-code-execution(39563) https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=614472&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=614472 4878 The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx http://issues.apache.org/bugzilla/show_bug.cgi?id=41217 SUSE-SR:2008:005 RHSA-2008:0630 http://security-tracker.debian.net/tracker/CVE-2008-0128 http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 RHSA-2008:0261 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) 27365 ADV-2008-0192 ADV-2009-0233 apache-singlesignon-information-disclosure(39804) [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ [tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ SQL injection vulnerability in starnet/addons/slideshow_full.php in Site@School 2.3.10 and earlier allows remote attackers to execute arbitrary SQL commands via the album_name parameter. 27120 siteatschool-slideshowfull-sql-injection(39417) 4832 SQL injection vulnerability in login_form.asp in Instant Softwares Dating Site allows remote attackers to execute arbitrary SQL commands via the Username parameter, a different vulnerability than CVE-2007-6671. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. dating-site-loginform-sql-injection(39326) Cross-site scripting (XSS) vulnerability in login_form.asp in Instant Softwares Dating Site allows remote attackers to inject arbitrary web script or HTML via the msg parameter, a different product than CVE-2006-6022. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27121 Pragma FortressSSH 5.0 Build 4 Revision 293 and earlier handles long input to sshd.exe by creating an error-message window and waiting for the administrator to click in this window before terminating the sshd.exe process, which allows remote attackers to cause a denial of service (connection slot exhaustion) via a flood of SSH connections with long data objects, as demonstrated by (1) a long list of keys and (2) a long username. http://aluigi.altervista.org/adv/pragmassh-adv.txt http://aluigi.org/poc/pragmassh.zip 20080104 Some DoS in some telnet servers 27141 fortressssh-sshd-dos(39354) Multiple SQL injection vulnerabilities in Tribisur 2.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to cat_main.php and the (2) cat parameter to forum.php in a liste action. 27149 tribisur-catmain-forum-sql-injection(39443) 4840 Cross-site scripting (XSS) vulnerability in Forums/setup.asp in Snitz Forums 2000 3.4.06 and earlier allows remote attackers to inject arbitrary web script or HTML via the MAIL parameter. http://hackerscenter.com/archive/view.asp?id=28145 http://www.packetstormsecurity.org/0801-exploits/snitz-multi.txt 20080107 [HSC] Snitz Forums Multiple Vulnerabilities 27162 Snitz Forums 2000 3.4.06 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for forum/snitz_forums_2000.mdb. http://hackerscenter.com/archive/view.asp?id=28145 http://www.packetstormsecurity.org/0801-exploits/snitz-multi.txt 20080107 [HSC] Snitz Forums Multiple Vulnerabilities 20080107 RE: [HSC] Snitz Forums Multiple Vulnerabilities Snitz Forums 2000 3.4.05 allows remote attackers to obtain sensitive information via a direct request to forum/whereami.asp, which reveals the database path. http://hackerscenter.com/archive/view.asp?id=28145 http://www.packetstormsecurity.org/0801-exploits/snitz-multi.txt 20080107 [HSC] Snitz Forums Multiple Vulnerabilities 20080107 RE: [HSC] Snitz Forums Multiple Vulnerabilities PHP remote file inclusion vulnerability in config.inc.php in SNETWORKS PHP CLASSIFIEDS 5.0 allows remote attackers to execute arbitrary PHP code via a URL in the path_escape parameter. ADV-2008-0053 snetworks-configinc-file-include(39468) 4838 PHP remote file inclusion vulnerability in xoopsgallery/init_basic.php in the mod_gallery module for XOOPS, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter. 27155 xoops-modgallery-zendhashkey-file-include(39461) 4847 Eval injection vulnerability in loudblog/inc/parse_old.php in Loudblog 0.8.0 and earlier allows remote attackers to execute arbitrary PHP code via the template parameter. 27157 loudblog-template-code-execution(39445) 4849 Directory traversal vulnerability in error.php in Uebimiau Webmail 2.7.10 and 2.7.2 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the selected_theme parameter, a different vector than CVE-2007-3172. 20080107 Uebimiau Web-Mail 2.7.10/2.7.2 Remote File Disclosure Vulnerability 27154 uebimiau-webmail-error-directory-traversal(39460) 4846 actions.php in WebPortal CMS 0.6-beta generates predictable passwords containing only the time of day, which makes it easier for remote attackers to obtain access to any account via a lostpass action. 27145 webportal-action-weak-security(39486) 4835 Multiple SQL injection vulnerabilities in WebPortal CMS 0.6-beta allow remote attackers to execute arbitrary SQL commands via the user_name parameter to actions.php, and unspecified other vectors. 4835 PHP remote file inclusion vulnerability in common/db.php in samPHPweb, possibly 4.2.2 and others, as provided with SAM Broadcaster, allows remote attackers to execute arbitrary PHP code via a URL in the commonpath parameter. 27137 http://www.spacialaudio.com/news/index.html samPHPweb-db-file-include(39397) 4834 PHP remote file inclusion vulnerability in index.php in NetRisk 1.9.7 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. NOTE: this can also be leveraged for local file inclusion using directory traversal sequences. 20080105 NetRisk 1.9.7 Remote File Inclusion Vulnerability 27136 netrisk-index-file-include(39419) 4833 Unspecified vulnerability in glob in PHP before 4.4.8, when open_basedir is enabled, has unknown impact and attack vectors. NOTE: this issue reportedly exists because of a regression related to CVE-2007-4663. http://bugs.php.net/bug.php?id=41655 SSA:2008-045-03 http://www.php.net/ChangeLog-4.php http://www.php.net/releases/4_4_8.php ADV-2008-0059 php-glob-openbasedir-security-bypass(39401) Cross-site scripting (XSS) vulnerability in the error page in W3-mSQL allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the top-level URI. 3521 20080103 xss in w3-msql error page 27116 SQL injection vulnerability in index.php in SmallNuke 2.0.4 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via (1) the user_email parameter and possibly (2) username parameter in a Members action. 27180 smallnuke-index-sql-injection(39525) 4863 TUTOS 1.3 does not restrict access to php/admin/cmd.php, which allows remote attackers to execute arbitrary shell commands via the cmd parameter in a direct request. tutos-cmd-command-execution(39531) 4861 TUTOS 1.3 allows remote attackers to read system information via a direct request to php/admin/phpinfo.php, which calls the phpinfo function. 4861 Unspecified vulnerability in the LDAP authentication feature in Aruba Mobility Controller 2.3.6.15, 2.5.2.11, 2.5.4.25, 2.5.5.7, 3.1.1.3, and 2.4.8.11-FIPS or earlier allows remote attackers to bypass authentication mechanisms and obtain management or VPN interface access. 3529 http://www.arubanetworks.com/support/alerts/aid-122207.asc 20080104 Aruba Mobility Controller User Authentication Vulnerability - Aruba Advisory ID: AID-122207 27144 Heap-based buffer overflow in Foxit WAC Server 2.1.0.910, 2.0 Build 3503, and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Telnet request with long options. http://aluigi.altervista.org/adv/waccaz-adv.txt http://aluigi.altervista.org/adv/wachof-adv.txt 3525 20080104 Some DoS in some telnet servers 20080219 Two heap overflow in Foxit WAC Server 2.0 Build 3503 27142 wacserver-option-dos(39427) SLnet.exe in SeattleLab SLNet RF Telnet Server 4.1.1.3758 and earlier allows user-assisted remote attackers to cause a denial of service (crash) via unspecified telnet options, which triggers a NULL pointer dereference. NOTE: the crash is not user-assisted when the server is running in debug mode. http://aluigi.altervista.org/adv/slnetmsg-adv.txt 20080104 Some DoS in some telnet servers 27134 telnetd.exe in Pragma TelnetServer 7.0.4.589 allows remote attackers to cause a denial of service (process crash and resource exhaustion) via a crafted TELOPT PRAGMA LOGON telnet option, which triggers a NULL pointer dereference. http://aluigi.altervista.org/adv/pragmatel-adv.txt 20080104 Some DoS in some telnet servers 27143 pragmatelnetserver-telnetd-dos(39353) SQL injection vulnerability in index.php in EvilBoard 0.1a (Alpha) allows remote attackers to execute arbitrary SQL commands the c parameter. 27190 evilboard-index-sql-injection(39529) 4865 Cross-site scripting (XSS) vulnerability in index.php in EvilBoard 0.1a (Alpha) allows remote attackers to inject arbitrary web script or HTML via the c parameter. 27190 evilboard-index-xss(39526) 4865 Absolute path traversal vulnerability in index.php in Million Dollar Script 2.0.14 allows remote attackers to read arbitrary files via encoded "/" (%2F) sequences in the link parameter. 3524 20080107 Million Dollar Script 2.0.14 Remote File Disclosure Vulnerability. 27174 milliondollarscript-index-dir-traversal(39492) SQL injection vulnerability in FlexBB 0.6.3 and earlier allows remote attackers to execute arbitrary SQL commands via the flexbb_temp_id parameter in a cookie. 27164 flexbb-flexbbtempid-sql-injection(39475) 4858 Directory traversal vulnerability in index.php in Shop-Script 2.0 and possibly other versions allows remote attackers to read arbitrary files via a .. (dot dot) in the aux_page parameter. http://packetstormsecurity.org/0801-exploits/shopscript-disclose.txt 27165 shopscript-index-directory-traversal(39449) 4855 SQL injection vulnerability in index.php in eggBlog 3.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the eggblogpassword parameter in a cookie. 27168 eggblog-eggblogmail-sql-injection(39473) 4860 misc.c in splitvt 1.6.6 and earlier does not drop group privileges before executing xprop, which allows local users to gain privileges. GLSA-200803-05 DSA-1500 27936 Linux kernel 2.6, when using vservers, allows local users to access resources of other vservers via a symlink attack in /proc. DSA-1494 27704 27798 linux-kernel-proc-unauth-access(40486) Multiple cross-site request forgery (CSRF) vulnerabilities in Plone CMS 3.0.5 and 3.0.6 allow remote attackers to (1) add arbitrary accounts via the join_form page and (2) change the privileges of arbitrary groups via the prefs_groups_overview page. Must login to view link 1015140 http://plone.org/about/security/advisories/cve-2008-0164 3754 http://www.procheckup.com/Hacking_Plone_CMS.pdf 20080313 PR08-02: Plone CMS Security Research - the Art of Plowning plone-joinform-csrf(41263) Cross-site request forgery (CSRF) vulnerability in Ikiwiki before 2.42 allows remote attackers to modify user preferences, including passwords, via the (1) preferences and (2) edit forms. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475445 http://ikiwiki.info/security/#index31h2 DSA-1553 ADV-2008-1297 ikiwiki-change-password-csrf(41904) OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys. http://metasploit.com/users/hdm/tools/debian-openssl/ [rsyncrypto-devel] 20080523 Advisory - Rsyncrypto maybe affected from Debian OpenSSL reduced entropy problem DSA-1571 DSA-1576 VU#925211 20080515 Debian generated SSH-Keys working exploit 29179 1020017 USN-612-1 USN-612-2 USN-612-3 USN-612-4 USN-612-7 TA08-137A openssl-rng-weak-security(42375) 5622 5632 5720 The write_array_file function in utils/include.pl in GForge 4.5.14 updates configuration files by truncating them to zero length and then writing new data, which might allow attackers to bypass intended access restrictions or have unspecified other impact in opportunistic circumstances. http://security.debian.org/pool/updates/main/g/gforge/gforge_4.5.14-22etch8.diff.gz DSA-1577 29215 ADV-2008-1537 gforge-unspecified-symlink(42456) Plugin/passwordauth.pm (aka the passwordauth plugin) in ikiwiki 1.34 through 2.47 allows remote attackers to bypass authentication, and login to any account for which an OpenID identity is configured and a password is not configured, by specifying an empty password during the login sequence. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483770 http://ikiwiki.info/news/version_2.48/index.html http://ikiwiki.info/security/#index33h2 [oss-security] 20080531 Re: CVE id request: ikiwiki 29479 ADV-2008-1710 ikiwiki-openid-passwordauth-auth-bypass(42798) regex/v4/perl_matcher_non_recursive.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (failed assertion and crash) via an invalid regular expression. http://bugs.gentoo.org/show_bug.cgi?id=205955 SUSE-SR:2008:006 48099 http://svn.boost.org/trac/boost/changeset/42674 http://svn.boost.org/trac/boost/changeset/42745 http://wiki.rpath.com/Advisories:rPSA-2008-0063 GLSA-200802-08 MDVSA-2008:032 20080213 rPSA-2008-0063-1 boost 27325 USN-570-1 ADV-2008-0249 https://issues.rpath.com/browse/RPL-2143 FEDORA-2008-0880 The get_repeat_type function in basic_regex_creator.hpp in the Boost regex library (aka Boost.Regex) in Boost 1.33 and 1.34 allows context-dependent attackers to cause a denial of service (NULL dereference and crash) via an invalid regular expression. http://bugs.gentoo.org/show_bug.cgi?id=205955 SUSE-SR:2008:006 48099 http://svn.boost.org/trac/boost/changeset/42674 http://svn.boost.org/trac/boost/changeset/42745 http://wiki.rpath.com/Advisories:rPSA-2008-0063 GLSA-200802-08 MDVSA-2008:032 20080213 rPSA-2008-0063-1 boost 27325 USN-570-1 ADV-2008-0249 https://issues.rpath.com/browse/RPL-2143 FEDORA-2008-0880 SQL injection vulnerability in Gforge 4.6.99 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified parameters, related to RSS exports. DSA-1459 27266 ADV-2008-0115 gforge-multiple-sql-injection(39666) GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext and allows remote attackers to steal the passwords and gain privileges. 3590 1019273 http://support.gefanuc.com/support/index?page=kbchannel&id=KB12459 VU#180876 20080125 C4 Security Advisory - GE Fanuc Proficy Information Portal 2.6 Authentication Vulnerability 20080129 Re: C4 Security Advisory - GE Fanuc Proficy Information Portal 2.6 Authentication Vulnerability 30754 Unrestricted file upload vulnerability in GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension to the main virtual directory. 3591 http://support.gefanuc.com/support/index?page=kbchannel&id=KB12460 VU#339345 20080125 C4 Security Advisory - GE Fanuc Proficy Information Portal 2.6 Arbitrary File Upload and Execution 20080129 Re: C4 Security Advisory - GE Fanuc Proficy Information Portal 2.6 Arbitrary File Upload and Execution 27446 1019274 ADV-2008-0307 Heap-based buffer overflow in w32rtr.exe in GE Fanuc CIMPLICITY HMI SCADA system 7.0 before 7.0 SIM 9, and earlier versions before 6.1 SP6 Hot fix - 010708_162517_6106, allow remote attackers to execute arbitrary code via unknown vectors. 3592 http://support.gefanuc.com/support/index?page=kbchannel&id=KB12458 VU#308556 20080125 C4 Security Advisory - GE Fanuc Cimplicity 6.1 Heap Overflow 20080129 Re: C4 Security Advisory - GE Fanuc Cimplicity 6.1 Heap Overflow 27447 1019275 ADV-2008-0306 The ipcomp6_input function in sys/netinet6/ipcomp_input.c in the KAME project before 20071201 does not properly check the return value of the m_pulldown function, which allows remote attackers to cause a denial of service (system crash) via an IPv6 packet with an IPComp header. http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/ipcomp_input.c?f=u&only_with_tag=netbsd-3-1 APPLE-SA-2008-07-11 APPLE-SA-2008-05-28 FreeBSD-SA-08:04 1019314 http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/ipcomp_input.c.diff?r1=1.36;r2=1.37 VU#110947 27642 TA08-150A ADV-2008-0441 ADV-2008-0688 ADV-2008-1697 ADV-2008-2094 5191 Cross-site scripting (XSS) vulnerability in the Enterprise Admin Session Monitoring component in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the User-Agent HTTP header. http://support.liferay.com/browse/LEP-4736 VU#326065 27547 Cross-site scripting (XSS) vulnerability in service/impl/UserLocalServiceImpl.java in Liferay Portal 4.3.6 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header, which is used when composing Forgot Password e-mail messages in HTML format. http://support.liferay.com/browse/LEP-4737 VU#888209 27550 Cross-site scripting (XSS) vulnerability in themes/_unstyled/templates/init.vm in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Greeting field in a User Profile. http://support.liferay.com/browse/LEP-4738 VU#732449 27546 Cross-site scripting (XSS) vulnerability in the Admin portlet in Liferay Portal 4.3.6 allows remote authenticated users to inject arbitrary web script or HTML via the Shutdown message. http://support.liferay.com/browse/LEP-4739 VU#217825 27554 Cross-site request forgery (CSRF) vulnerability in the Admin portlet in Liferay Portal before 4.4.0 allows remote authenticated users to perform unspecified actions as unspecified other authenticated users via the Shutdown message. http://support.liferay.com/browse/LEP-4739 VU#767825 Absolute path traversal vulnerability in index.php in Sys-Hotel on Line System allows remote attackers to read arbitrary files via an encoded "/" ("%2F") in the file parameter. 3528 20080108 sysHotel On Line Remote File Disclosure Vulnerability. 27184 SQL injection vulnerability in index.php in NetRisk 1.9.7 and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via the pid parameter in a profile page (possibly profile.php). http://sourceforge.net/project/shownotes.php?release_id=551208&group_id=129681 20080106 netrisk 1.9.7 Multiple Remote Vulnerabilities (sql injection/xss) 27161 4852 Cross-site scripting (XSS) vulnerability in index.php in NetRisk 1.9.7 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter, possibly related to CVE-2008-0144. 20080106 netrisk 1.9.7 Multiple Remote Vulnerabilities (sql injection/xss) 27161 4852 SQL injection vulnerability in songinfo.php in SAM Broadcaster samPHPweb, possibly 4.2.2 and earlier, allows remote attackers to execute arbitrary SQL commands via the songid parameter. 27147 sambroadcaster-songinfo-sql-injection(39463) 4836 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its requester. Further investigation showed that it was not a new security issue. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its requester. Further investigation showed that it was not a new security issue. Notes: none. Multiple cross-site scripting (XSS) vulnerabilities in templates/example_template.php in AwesomeTemplateEngine allow remote attackers to inject arbitrary web script or HTML via the (1) data[title], (2) data[message], (3) data[table][1][item], (4) data[table][1][url], or (5) data[poweredby] parameter. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument784.html http://websecurity.com.ua/1694/ 20080103 securityvulns.com russian vulnerabilities digest 27125 awesometemplateengine-multiple-xss(39396) WordPress 2.2.x and 2.3.x allows remote attackers to obtain sensitive information via an invalid p parameter in an rss2 action to the default URI, which reveals the full path and the SQL database structure. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument663.html http://websecurity.com.ua/1634/ 20080103 securityvulns.com russian vulnerabilities digest wordpress-p-path-disclosure(39423) Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the popuptitle parameter to (1) wp-admin/post.php or (2) wp-admin/page-new.php. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument714.html http://websecurity.com.ua/1658/ 20080103 securityvulns.com russian vulnerabilities digest 27123 wordpress-popuptitle-xss(39426) Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier, and possibly 2.1.x through 2.3.x, allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument755.html http://websecurity.com.ua/1676/ DSA-1502 20080103 securityvulns.com russian vulnerabilities digest 27123 Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. NOTE: this might be the same as CVE-2006-5705.1. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument755.html http://websecurity.com.ua/1676/ DSA-1502 20080103 securityvulns.com russian vulnerabilities digest WordPress 2.0.11 and earlier allows remote attackers to obtain sensitive information via an empty value of the page parameter to certain PHP scripts under wp-admin/, which reveals the path in various error messages. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument762.html http://securityvulns.ru/Sdocument768.html http://securityvulns.ru/Sdocument772.html http://securityvulns.ru/Sdocument773.html http://websecurity.com.ua/1679/ http://websecurity.com.ua/1683/ http://websecurity.com.ua/1686/ http://websecurity.com.ua/1687/ 20080103 securityvulns.com russian vulnerabilities digest Multiple directory traversal vulnerabilities in WordPress 2.0.11 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in (1) the page parameter to certain PHP scripts under wp-admin/ or (2) the import parameter to wp-admin/admin.php, as demonstrated by discovering the full path via a request for the \..\..\wp-config pathname; and allow remote attackers to modify arbitrary files via a .. (dot dot) in the file parameter to wp-admin/templates.php. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument762.html http://securityvulns.ru/Sdocument768.html http://securityvulns.ru/Sdocument772.html http://securityvulns.ru/Sdocument773.html http://websecurity.com.ua/1679/ http://websecurity.com.ua/1683/ http://websecurity.com.ua/1686/ http://websecurity.com.ua/1687/ 20080103 securityvulns.com russian vulnerabilities digest Multiple cross-site scripting (XSS) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) wpcf_email, (2) wpcf_subject, (3) wpcf_question, (4) wpcf_answer, (5) wpcf_success_msg, (6) wpcf_error_msg, or (7) wpcf_msg parameter to wp-admin/admin.php, or (8) the SRC attribute of an IFRAME element. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument546.html http://securityvulns.ru/Sdocument667.html http://websecurity.com.ua/1600/ http://websecurity.com.ua/1641/ 20080103 securityvulns.com russian vulnerabilities digest Multiple cross-site request forgery (CSRF) vulnerabilities in wp-contact-form/options-contactform.php in the WP-ContactForm 1.5 alpha and earlier plugin for WordPress allow remote attackers to perform actions as administrators via the (1) wpcf_question, (2) wpcf_success_msg, or (3) wpcf_error_msg parameter to wp-admin/admin.php. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument546.html http://securityvulns.ru/Sdocument667.html http://websecurity.com.ua/1600/ http://websecurity.com.ua/1641/ 20080103 securityvulns.com russian vulnerabilities digest PRO-Search 0.17 and earlier allows remote attackers to cause a denial of service via certain values of the show_page and time parameters to the default URI. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument731.html http://sourceforge.net/project/shownotes.php?release_id=563784&group_id=149797 http://websecurity.com.ua/1259/ 20080103 securityvulns.com russian vulnerabilities digest Multiple cross-site scripting (XSS) vulnerabilities in account/index.html in RotaBanner Local 3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) drop parameter. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument625.html http://websecurity.com.ua/1442/ 20080103 securityvulns.com russian vulnerabilities digest 27138 Cross-site scripting (XSS) vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameter. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument472.html http://websecurity.com.ua/1454/ 20080103 securityvulns.com russian vulnerabilities digest 27128 expressionengine-index-xss(39442) CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument472.html http://websecurity.com.ua/1454/ 20080103 securityvulns.com russian vulnerabilities digest 27128 Multiple cross-site scripting (XSS) vulnerabilities in cryptographp/admin.php in the Cryptographp 1.2 and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) cryptwidth, (2) cryptheight, (3) bgimg, (4) charR, (5) charG, (6) charB, (7) charclear, (8) tfont, (9) charel, (10) charelc, (11) charelv, (12) charnbmin, (13) charnbmax, (14) charspace, (15) charsizemin, (16) charsizemax, (17) charanglemax, (18) noisepxmin, (19) noisepxmax, (20) noiselinemin, (21) noiselinemax, (22) nbcirclemin, (23) nbcirclemax, or (24) brushsize parameter to wp-admin/options-general.php. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://websecurity.com.ua/1596/ 20080103 securityvulns.com russian vulnerabilities digest Multiple cross-site scripting (XSS) vulnerabilities in math-comment-spam-protection.php in the Math Comment Spam Protection 2.1 and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) mcsp_opt_msg_no_answer or (2) mcsp_opt_msg_wrong_answer parameter to wp-admin/options-general.php. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://websecurity.com.ua/1576/ 20080103 securityvulns.com russian vulnerabilities digest Multiple cross-site request forgery (CSRF) vulnerabilities in math-comment-spam-protection.php in the Math Comment Spam Protection 2.1 and earlier plugin for WordPress allow remote attackers to perform actions as administrators via the (1) mcsp_opt_msg_no_answer or (2) mcsp_opt_msg_wrong_answer parameter to wp-admin/options-general.php. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://websecurity.com.ua/1576/ 20080103 securityvulns.com russian vulnerabilities digest Multiple cross-site scripting (XSS) vulnerabilities in captcha\captcha.php in the Captcha! 2.5d and earlier plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) captcha_ttffolder, (2) captcha_numchars, (3) captcha_ttfrange, or (4) captcha_secret parameter. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://websecurity.com.ua/1588/ 20080103 securityvulns.com russian vulnerabilities digest Multiple cross-site scripting (XSS) vulnerabilities in PRO-Search 0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) prot, (2) host, (3) path, (4) name, (5) ext, (6) size, (7) search_days, or (8) show_page parameter to the default URI. 20080103 securityvulns.com russian vulnerabilities digest 3539 http://securityvulns.ru/Sdocument731.html http://sourceforge.net/project/shownotes.php?release_id=563784&group_id=149797 http://websecurity.com.ua/1259/ 20080103 securityvulns.com russian vulnerabilities digest 27126 Cross-site scripting (XSS) vulnerability in login.asp in Snitz Forums 2000 3.4.05 and earlier allows remote attackers to inject arbitrary web script or HTML via the target parameter. http://hackerscenter.com/archive/view.asp?id=28145 http://www.packetstormsecurity.org/0801-exploits/snitz-multi.txt 20080107 [HSC] Snitz Forums Multiple Vulnerabilities 27162 Open redirect vulnerability in Forums/login.asp in Snitz Forums 2000 3.4.06 and earlier allows remote attackers to redirect users to arbitrary web sites via a URL in the target parameter. http://hackerscenter.com/archive/view.asp?id=28145 http://www.packetstormsecurity.org/0801-exploits/snitz-multi.txt 20080107 [HSC] Snitz Forums Multiple Vulnerabilities Uebimiau Webmail 2.7.10 and 2.7.2 does not protect authentication state variables from being set through HTTP requests, which allows remote attackers to bypass authentication via a sess[auth]=1 parameter settting. NOTE: this can be leveraged to conduct directory traversal attacks without authentication by using CVE-2008-0140. 27154 4846 Unspecified vulnerability in the BIOS F.04 through F.11 for the HP Compaq Business Notebook PC allows local users to cause a denial of service via unspecified vectors. SSRT080004 1019729 28494 ADV-2008-1042 compaq-businessnotebook-pcbios-dos(41520) ovtopmd in HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, and 7.51 allows remote attackers to cause a denial of service (crash) via a crafted TCP request that triggers an out-of-bounds memory access. 20080204 Hewlett-Packard Network Node Manager Topology Manager Service DoS Vulnerability HPSBMA02307 27629 1019306 ADV-2008-0424 Unspecified vulnerability in a certain ActiveX control for HP Virtual Rooms (HPVR) 6 and earlier allows remote attackers to execute arbitrary code via unknown vectors. SSRT080007 1019311 Multiple unspecified vulnerabilities in HP Select Identity 4.00, 4.01, 4.11, 4.12, 4.13, and 4.20 allow remote authenticated users to gain access via unknown vectors. In order to download the patch, user must login. HPSBMA02309 27667 1019322 ADV-2008-0472 Multiple unspecified vulnerabilities in HP Storage Essentials Storage Resource Management (SRM) before 6.0.0 allow remote attackers to obtain unspecified access to a managed device via unknown attack vectors. SSRT071474 27643 1019312 ADV-2008-0440 The ptsname function in FreeBSD 6.0 through 7.0-PRERELEASE does not properly verify that a certain portion of a device name is associated with a pty of a user who is calling the pt_chown function, which might allow local users to read data from the pty from another user. FreeBSD-SA-08:01 27284 1019191 freebsd-ptsname-information-disclosure(39667) The script program in FreeBSD 5.0 through 7.0-PRERELEASE invokes openpty, which creates a pseudo-terminal with world-readable and world-writable permissions when it is not run as root, which allows local users to read data from the terminal of the user running script. FreeBSD-SA-08:01 27284 1019191 freebsd-openpty-information-disclosure(39665) Cross-site scripting (XSS) vulnerability in admin/index.html in Merak IceWarp Mail Server allows remote attackers to inject arbitrary web script or HTML via the message parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27189 http://www.securityfocus.com/data/vulnerabilities/exploits/27189.html ADV-2008-0135 icewarpmailserver-index-xss(39564) SQL injection vulnerability in soporte_horizontal_w.php in PHP Webquest 2.6 allows remote attackers to execute arbitrary SQL commands via the id_actividad parameter, a different vector than CVE-2007-4920. 27192 webquest-soportehorizontalw-sql-injection(39560) 4867 Multiple stack-based buffer overflows in the WebLaunch.WeblaunchCtl.1 (aka CWebLaunchCtl) ActiveX control in weblaunch.ocx 1.0.0.1 in Gateway Weblaunch allow remote attackers to execute arbitrary code via a long string in the (1) second or (2) fourth argument to the DoWebLaunch method. NOTE: some of these details are obtained from third party information. 20080109 Gateway WebLaunch ActiveX Control Insecure Method VU#735441 27193 ADV-2008-0077 4869 4982 Directory traversal vulnerability in the WebLaunch.WeblaunchCtl.1 (aka CWebLaunchCtl) ActiveX control in weblaunch.ocx 1.0.0.1 in Gateway Weblaunch allows remote attackers to execute arbitrary programs via a ..\ (dot dot backslash) in the second argument to the DoWebLaunch method. NOTE: some of these details are obtained from third party information. 20080109 Gateway WebLaunch ActiveX Control Insecure Method ADV-2008-0077 4869 Unrestricted file upload vulnerability in ajaxfilemanager.php in the Wp-FileManager 1.2 plugin for WordPress allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors. 27151 wordpress-wpfilemanager-file-upload(39462) 4844 Buffer overflow in JustSystems JSFC.DLL, as used in multiple JustSystems products such as Ichitaro, allows remote attackers to execute arbitrary code via a crafted .JTD file. JVN#08237857 http://www.fourteenforty.jp/research/advisory.cgi?FFRRA-20080107 http://www.justsystems.com/jp/info/pd8001.html 27153 1019168 ADV-2008-0045 justsystems-jsfc-bo(39501) SQL injection vulnerability in index.php in the Newbb_plus 0.92 and earlier module in RunCMS 1.6.1 allows remote attackers to execute arbitrary SQL commands via the Client-Ip parameter. 27152 runcms-newbb-client-sql-injection(39478) 4845 Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute in an RTSP session, related to the rmff_dump_header function and related to disregarding the max field. NOTE: some of these details are obtained from third party information. http://aluigi.altervista.org/adv/xinermffhof-adv.txt http://bugs.gentoo.org/show_bug.cgi?id=205197 GLSA-200801-12 http://sourceforge.net/project/shownotes.php?release_id=567872 DSA-1472 MDVSA-2008:020 MDVSA-2008:045 SUSE-SR:2008:002 27198 USN-635-1 ADV-2008-0163 https://bugzilla.redhat.com/show_bug.cgi?id=428620 FEDORA-2008-0718 Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp. http://bugs.mysql.com/33814 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html APPLE-SA-2008-10-09 3531 http://support.apple.com/kb/HT3216 DSA-1478 MDVSA-2008:150 20080104 Multiple vulnerabilities in yaSSL 1.7.5 20080104 Pre-auth buffer-overflow in mySQL through yaSSL 27140 31681 USN-588-1 ADV-2008-0560 ADV-2008-2780 yassl-processoldclienthello-bo(39429) yassl-inputbufferoperator-bo(39431) yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allows remote attackers to cause a denial of service (crash) via a Hello packet containing a large size value, which triggers a buffer over-read in the HASHwithTransform::Update function in hash.cpp. http://bugs.mysql.com/33814 http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html APPLE-SA-2008-10-09 3531 http://support.apple.com/kb/HT3216 DSA-1478 MDVSA-2008:150 20080104 Multiple vulnerabilities in yaSSL 1.7.5 27140 31681 USN-588-1 ADV-2008-0560 ADV-2008-2780 yassl-hashwithtransformupdate-dos(39433) Cross-site request forgery (CSRF) vulnerability in apply.cgi in the Linksys WRT54GL Wireless-G Broadband Router with firmware 4.30.9 allows remote attackers to perform actions as administrators. 3534 20080107 Linksys WRT54 GL - Session riding (CSRF) 20080115 Re: Linksys WRT54 GL - Session riding (CSRF) linksys-apply-csrf(39502) The telnet service in LevelOne WBR-3460 4-Port ADSL 2/2+ Wireless Modem Router with firmware 1.00.11 and 1.00.12 does not require authentication, which allows remote attackers on the local or wireless network to obtain administrative access. 3533 20080108 Level-One WBR-3460A Grants Root Access 27183 1019162 PHP remote file inclusion vulnerability in php121db.php in osDate 2.0.8 and possibly earlier versions allows remote attackers to execute arbitrary PHP code via a URL in the php121dir parameter. http://packetstormsecurity.org/0801-exploits/osdata-lfi.txt 27208 osdate-php121db-file-include(39567) 4870 Multiple directory traversal vulnerabilities in index.php in Tuned Studios (1) Subwoofer, (2) Freeze Theme, (3) Orange Cutout, (4) Lonely Maple, (5) Endless, (6) Classic Theme, and (7) Music Theme webpage templates allow remote attackers to include and execute arbitrary files via ".." sequences in the page parameter. NOTE: this can be leveraged for remote file inclusion when running in some PHP 5 environments. 3532 20080109 LFI in Tuned Studios Templates 27196 tunedstudiostemplates-index-file-include(39555) 4876 Multiple SQL injection vulnerabilities in Zero CMS 1.0 Alpha allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to index.php, or the (2) f or t parameters to forums/index.php. http://packetstormsecurity.org/0801-exploits/zerocms-sql.txt 27186 zerocms-index-sql-injection(39530) 4864 Unrestricted file upload vulnerability in Zero CMS 1.0 Alpha and earlier allows remote attackers to bypass intended access restrictions and upload and execute arbitrary files by uploading an avatar file with an accepted Content-Type such as image/jpeg. http://packetstormsecurity.org/0801-exploits/zerocms-sql.txt 4864 Buffer overflow in Apple Quicktime Player 7.3.1.70 and other versions before 7.4.1, when RTSP tunneling is enabled, allows remote attackers to execute arbitrary code via a long Reason-Phrase response to an rtsp:// request, as demonstrated using a 404 error message. APPLE-SA-2008-07-10 APPLE-SA-2008-02-06 3537 VU#112179 20080110 Buffer-overflow in Quicktime Player 7.3.1.70 20080110 Re: Buffer-overflow in Quicktime Player 7.3.1.70 20080111 Re: Re: Buffer-overflow in Quicktime Player 7.3.1.70 20080111 Re: Buffer-overflow in Quicktime Player 7.3.1.70 20080114 Re: [Full-disclosure] Buffer-overflow in Quicktime Player 7.3.1.70 20080112 Re: Re: Buffer-overflow in Quicktime Player 7.3.1.70 20080112 Re: Buffer-overflow in Quicktime Player 7.3.1.70 27225 1019178 ADV-2008-0107 ADV-2008-2064 quicktime-rtsp-responses-bo(39601) 4885 4906 The Microsoft VFP_OLE_Server ActiveX control allows remote attackers to execute arbitrary code by invoking the foxcommand method. http://shinnai.altervista.org/exploits/txt/TXT_rNowA1916DKFNUF48NyS.html 27199 microsoft-vfpoleserver-command-execution(39559) 4875 An ActiveX control for Microsoft Visual FoxPro (vfp6r.dll 6.0.8862.0) allows remote attackers to execute arbitrary commands by invoking the DoCmd method. http://shinnai.altervista.org/exploits/txt/TXT_DiWu9j82RCq4zpaQAoxn.html 27205 microsoft-foxserver-command-execution(39558) 4873 The Microsoft Rich Textbox ActiveX Control (RICHTX32.OCX) 6.1.97.82 allows remote attackers to execute arbitrary commands by invoking the insecure SaveFile method. http://shinnai.altervista.org/exploits/txt/TXT_DZVN8CwCha0I2fI3NeEs.html 27201 microsoft-richtextbox-file-overwrite(39557) 4874 Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function, different vectors than CVE-2008-0225. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Please see the following link for more information regarding the exploit: http://aluigi.altervista.org/adv/xinermffhof-adv.txt http://bugs.gentoo.org/show_bug.cgi?id=205197 GLSA-200801-12 MDVSA-2008:020 MDVSA-2008:045 USN-635-1 Multiple cross-site scripting (XSS) vulnerabilities in Sun Java System Identity Manager 6.0 SP1 through SP3, 7.0, and 7.1 allow remote attackers to inject arbitrary HTML or web script via the (1) cntry or lang parameters to /idm/login.jsp, (2) resultsForm parameter to /idm/account/findForSelect.jsp, or (3) activeControl parameter to /idm/user/main.jsp. 3535 103180 200558 http://www.procheckup.com/Vulnerability_PR07-06.php http://www.procheckup.com/Vulnerability_PR07-07.php http://www.procheckup.com/Vulnerability_PR07-08.php http://www.procheckup.com/Vulnerability_PR07-09.php 20080110 PR07-06, PR07-07, PR07-08, PR07-09, PR07-10, PR07-12: Several XSS, Cross-domain Redirection and Frame Injection on Sun Java System Identity Manager 27214 1019175 ADV-2008-0089 sun-identity-login-xss(39580) sun-identity-lang-xss(39581) sun-identity-resultsform-xss(39582) sun-identity-main-xss(39583) /idm/help/index.jsp in Sun Java System Identity Manager 6.0 SP1 through SP3, 7.0, and 7.1 allows remote attackers to inject frames from arbitrary web sites and conduct phishing attacks via the helpUrl parameter, aka "frame injection." 3535 103180 200558 http://www.procheckup.com/Vulnerability_PR07-10.php 20080110 PR07-06, PR07-07, PR07-08, PR07-09, PR07-10, PR07-12: Several XSS, Cross-domain Redirection and Frame Injection on Sun Java System Identity Manager 27214 ADV-2008-0089 sun-identity-index-frame-injection(39586) Open redirect vulnerability in /idm/user/login.jsp in Sun Java System Identity Manager 6.0 SP1 through SP3, 7.0, and 7.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the nextPage parameter. 3535 103180 200558 http://www.procheckup.com/Vulnerability_PR07-12.php 20080110 PR07-06, PR07-07, PR07-08, PR07-09, PR07-10, PR07-12: Several XSS, Cross-domain Redirection and Frame Injection on Sun Java System Identity Manager 27214 ADV-2008-0089 sun-identity-login-security-bypass(39590) Unspecified vulnerability in libdevinfo in Sun Solaris 10 allows local users to access files and gain privileges via unknown vectors, related to login device permissions. 103165 200641 27253 1019187 ADV-2008-0131 solaris-libdevinfo-privilege-escalation(39629) oval:org.mitre.oval:def:5211 Unspecified vulnerability in Lotus Domino 7.0.2 before Fix Pack 3 allows attackers to cause a denial of service via unknown vectors. 27215 ADV-2008-0086 http://www-1.ibm.com/support/docview.wss?uid=swg27011539 lotus-domino-unspecified-dos(39588) SAP MaxDB 7.6.03 build 007 and earlier allows remote attackers to execute arbitrary commands via "&&" and other shell metacharacters in exec_sdbinfo and other unspecified commands, which are executed when MaxDB invokes cons.exe. http://aluigi.altervista.org/adv/sapone-adv.txt 3536 20080109 Pre-auth remote commands execution in SAP MaxDB 7.6.03.07 27206 1019171 ADV-2008-0104 maxdb-system-command-execution(39573) 4877 admin.php in UploadImage 1.0 does not check for the original password before making a change to a new password, which allows remote attackers to gain administrator privileges via the pass parameter in a nopass (Set Password) action. 27203 uploadimage-admin-command-execution(39571) 4871 admin.php in UploadScript 1.0 does not check for the original password before making a change to a new password, which allows remote attackers to gain administrator privileges via the pass parameter in a nopass (Set Password) action. 27203 uploadscript-admin-command-execution(39570) 4871 Heap-based buffer overflow in the Express Backup Server service (dsmsvc.exe) in IBM Tivoli Storage Manager (TSM) Express 5.3 before 5.3.7.3 allows remote attackers to execute arbitrary code via a packet with a large length value. 20080114 ZDI-08-001: IBM Tivoli Storage Manager Express Backup Server Heap Overflow Vulnerability 27235 1019182 ADV-2008-0106 http://www.zerodayinitiative.com/advisories/ZDI-08-001.html http://www-1.ibm.com/support/docview.wss?uid=swg21291536 ibm-tsmexpressserver-bo(39604) Buffer overflow in an ActiveX control in ccpm_0237.dll for StreamAudio ChainCast ProxyManager allows remote attackers to execute arbitrary code via a long URL argument to the InternalTuneIn method. 20080111 StreamAudio ChainCast ProxyManager ccpm_0237.dll Buffer Overflow 27247 ADV-2008-0133 streamaudio-chaincastproxymanager-bo(39622) 4894 PHP Webquest 2.6 allows remote attackers to retrieve database credentials via a direct request to admin/backup_phpwebquest.php, which leaks the credentials in an error message if a call to /usr/bin/mysqldump fails. NOTE: this might only be an issue in limited environments. 27202 phpwebquest-backup-information-disclosure(39572) 4872 Buffer overflow in Microsoft Visual InterDev 6.0 (SP6) allows user-assisted attackers to execute arbitrary code via a Studio Solution (.SLN) file with a long Project line. http://shinnai.altervista.org/exploits/txt/TXT_PoEOrFM8py30PXrDF7IY.html 27250 visualinterdev-sln-project-bo(41826) 4892 Unrestricted file upload vulnerability in PhotoPost vBGallery before 2.4.2 allows remote attackers to upload and execute arbitrary files via unknown vectors. http://www.photopost.com/forum/showthread.php?t=134909 http://www.photopost.com/forum/showthread.php?t=134910 vbgallery-unspecified-code-execution(39621) Directory traversal vulnerability in the _get_file_path function in (1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2) filter/sessionfilter.py in CherryPy 2.1, and (3) filter/sessionfilter.py in CherryPy 2.x allows remote attackers to create or delete arbitrary files, and possibly read and write portions of arbitrary files, via a crafted session id in a cookie. GLSA-200801-11 http://www.cherrypy.org/changeset/1774 http://www.cherrypy.org/changeset/1775 http://www.cherrypy.org/changeset/1776 http://www.cherrypy.org/ticket/744 DSA-1481 20080124 rPSA-2008-0030-1 CherryPy 27181 ADV-2008-0039 https://bugs.gentoo.org/show_bug.cgi?id=204829 https://issues.rpath.com/browse/RPL-2127 FEDORA-2008-0299 FEDORA-2008-0333 SQL injection vulnerability in full_text.php in Binn SBuilder allows remote attackers to execute arbitrary SQL commands via the nid parameter. 20080114 Binn SBuilder (nid) Remote Blind Sql Injection Vulnerabily 27264 binnsbuilder-fulltext-sql-injection(39634) 4904 SQL injection vulnerability in activate.php in TutorialCMS (aka Photoshop Tutorials) 1.02, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the userName parameter. 27263 tutorialcms-activate-sql-injection(39642) 4901 SQL injection vulnerability in archive.php in iGaming 1.5, and 1.3.1 and earlier, allows remote attackers to execute arbitrary SQL commands via the section parameter. 27230 igamingcms-archive-sql-injection(39598) 4886 Multiple SQL injection vulnerabilities in Matteo Binda ASP Photo Gallery 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) Imgbig.asp, (b) thumb.asp, and (c) thumbricerca.asp and the (2) ricerca parameter to (d) thumbricerca.asp. 27262 aspphotogallery-multiple-sql-injection(39646) 4900 Cross-site scripting (XSS) vulnerability in search.pl in Dansie Search Engine 2.7 allows remote attackers to inject arbitrary web script or HTML via the keywords parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27269 dansiesearchengine-search-xss(39636) Cross-site scripting (XSS) vulnerability in index.php in PHP Running Management (phpRunMan) before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the message parameter. http://sourceforge.net/project/shownotes.php?release_id=568237&group_id=103505 http://sourceforge.net/tracker/index.php?func=detail&aid=1204199&group_id=103505&atid=634992 27268 phprunningmanagement-index-xss(39639) Multiple directory traversal vulnerabilities in _mg/php/mg_thumbs.php in minimal Gallery 0.8 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) thumbcat and (2) thumb parameters. 27265 minimalgallery-mgthumbs-file-include(39649) 4902 minimal Gallery 0.8 allows remote attackers to obtain configuration information via a direct request to php_info.php, which calls the phpinfo function. 4902 Unspecified vulnerability in the search component and module in Mambo 4.5.x and 4.6.x allows remote attackers to cause a denial of service (query flood) via unspecified vectors. http://forum.mambo-foundation.org/showthread.php?t=9651 27239 mambo-search-dos(39613) SQL injection vulnerability in includes/articleblock.php in Agares PhpAutoVideo 2.21 allows remote attackers to execute arbitrary SQL commands via the articlecat parameter. 27258 agares-articleblock-sql-injection(39641) 4898 4905 The SIP module in Ingate Firewall before 4.6.1 and SIParator before 4.6.1 does not reuse SIP media ports in unspecified call hold and send-only stream scenarios, which allows remote attackers to cause a denial of service (port exhaustion) via unspecified vectors. http://www.ingate.com/relnote-461.php 27222 1019176 1019177 ADV-2008-0108 Unspecified vulnerability in the Meta Tags (aka Nodewords) 5.x-1.6 module for Drupal, when images are permitted in node bodies, allows remote authenticated users to execute arbitrary code via unspecified vectors involving creation of a node. http://drupal.org/node/209759 ADV-2008-0129 drupal-metatags-code-execution(39638) Multiple cross-site scripting (XSS) vulnerabilities in the Search function in the web management interface in F5 BIG-IP 9.4.3 allow remote attackers to inject arbitrary web script or HTML via the SearchString parameter to (1) list_system.jsp, (2) list_pktfilter.jsp, (3) list_ltm.jsp, (4) resources_audit.jsp, and (5) list_asm.jsp in tmui/Control/jspmap/tmui/system/log/; and (6) list.jsp in certain directories. 3545 20080114 F5 BIG-IP Web Management List Search XSS 27272 1019190 ADV-2008-0181 f5bigip-searchstring-xss(39632) Cross-site request forgery (CSRF) vulnerability in admin.php in eTicket 1.5.5.2 allows remote attackers to change the administrative password and possibly perform other administrative tasks. NOTE: either the old password must be known, or the attacker must leverage a separate SQL injection vulnerability. 3542 20080106 eTicket 1.5.5.2 Multiple Vulnerabilities 27173 eticket-admin-csrf(39490) Multiple SQL injection vulnerabilities in eTicket 1.5.5.2 allow remote authenticated users to execute arbitrary SQL commands via the (1) status, (2) sort, and (3) way parameters to search.php; and allow remote authenticated administrators to execute arbitrary SQL commands via the (4) msg and (5) password parameters to admin.php. 3542 20080106 eTicket 1.5.5.2 Multiple Vulnerabilities 27173 eticket-admin-sql-injection(39487) eticket-search-sql-injection(39489) Cross-site scripting (XSS) vulnerability in view.php in eTicket 1.5.5.2 allows remote attackers to inject arbitrary web script or HTML via the s parameter. 3542 20080106 eTicket 1.5.5.2 Multiple Vulnerabilities 27173 eticket-view-xss(39488) Unspecified vulnerability in the dotoprocs function in Sun Solaris 10 allows local users to cause a denial of service (panic) via unspecified vectors. 103188 201513 27260 1019186 ADV-2008-0130 solaris-dotoprocs-dos(39631) oval:org.mitre.oval:def:5400 SQL injection vulnerability in index.php in TaskFreak! 0.6.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the sContext parameter. 27257 taskfreak-index-sql-injection(39645) 4899 The editor deletion form in BUEditor 4.7.x before 4.7.x-1.0 and 5.x before 5.x-1.1, a module for Drupal, does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and delete custom editor interfaces. http://drupal.org/node/208534 ADV-2008-0128 drupal-bueditor-csrf(39614) Cross-site request forgery (CSRF) vulnerability in the aggregator module in Drupal 4.7.x before 4.7.11 and 5.x before 5.6 allows remote attackers to delete items from a feed as privileged users. http://drupal.org/node/208562 27238 http://www.vbdrupal.org/forum/showthread.php?p=6878 http://www.vbdrupal.org/forum/showthread.php?t=1349 ADV-2008-0127 ADV-2008-0134 drupal-aggregator-csrf(39617) Interpretation conflict in Drupal 4.7.x before 4.7.11 and 5.x before 5.6, when Internet Explorer 6 is used, allows remote attackers to conduct cross-site scripting (XSS) attacks via invalid UTF-8 byte sequences, which are not processed as UTF-8 by Drupal's HTML filtering, but are processed as UTF-8 by Internet Explorer, effectively removing characters from the document and defeating the HTML protection mechanism. http://drupal.org/node/208564 27238 http://www.vbdrupal.org/forum/showthread.php?p=6878 http://www.vbdrupal.org/forum/showthread.php?t=1349 ADV-2008-0127 ADV-2008-0134 drupal-utf8-xss(39619) Cross-site scripting (XSS) vulnerability in Drupal 4.7.x and 5.x, when certain .htaccess protections are disabled, allows remote attackers to inject arbitrary web script or HTML via crafted links involving theme .tpl.php files. http://drupal.org/node/208565 27238 http://www.vbdrupal.org/forum/showthread.php?p=6878 http://www.vbdrupal.org/forum/showthread.php?t=1349 ADV-2008-0127 ADV-2008-0134 drupal-theme-xss(39605) The Atom 4.7 before 4.7.x-1.0 and 5.x before 5.x-1.0 module for Drupal does not properly manage permissions for node (1) titles, (2) teasers, and (3) bodies, which might allow remote attackers to gain access to syndicated content. http://drupal.org/node/208527 drupal-atom-security-bypass(39607) Cross-site scripting (XSS) vulnerability in the Devel module before 5.x-0.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via a site variable, related to lack of escaping of the variable table. http://drupal.org/node/208524 drupal-devel-variable-xss(39606) Unspecified vulnerability in the Fileshare module for Drupal allows remote authenticated users with node-creation privileges to execute arbitrary code via unspecified vectors. http://drupal.org/node/208537 drupal-fileshare-code-execution(39609) SQL injection vulnerability in index.php in X7 Chat 2.0.5 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a sm_window action. 27277 x7chatday-sql-injection(39656) 4907 SQL injection vulnerability in liretopic.php in Xforum 1.4 and possibly others allows remote attackers to execute arbitrary SQL commands via the topic parameter. NOTE: the categorie parameter might also be affected. 27278 xforum-liretopic-sql-injection(39654) 4908 SQL injection vulnerability in index.php in MTCMS 2.0 and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via the (1) a or (2) cid parameter. 3544 20080110 MTCMS <=2.0 SQL Injection Vulnerbility 27224 mtcms-a-sql-injection(39597) 4882 SQL injection vulnerability in liste.php in ID-Commerce 2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the idFamille parameter. 20080110 ID-Commerce Security Advisory - SLR-2007-001 20080110 (( PoC)) ID-Commerce Security Advisory - SLR-2007-001 (( PoC)) 20080110 ID-Commerce Security Advisory - SLR-2007-001 27220 idcommerce-liste-sql-injection(39594) SQL injection vulnerability in welcome/inscription.php in DomPHP 0.81 and earlier allows remote attackers to execute arbitrary SQL commands via the mail parameter. 27212 domphp-inscription-sql-injection(39593) 4880 PHP remote file inclusion vulnerability in /aides/index.php in DomPHP 0.81 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. 27226 4883 Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.1.4 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) Itemid or (2) topic arguments. 3540 20080110 Simple Machines Forum Cross-Site Scripting Vulnerabilities 27218 simplemachinesforum-itemid-xss(39585) ngIRCd 0.10.x before 0.10.4 and 0.11.0 before 0.11.0-pre2 allows remote attackers to cause a denial of service (crash) via crafted IRC PART message, which triggers an invalid dereference. http://arthur.barton.de/cgi-bin/viewcvs.cgi/ngircd/ngircd/src/ngircd/irc-channel.c?r1=1.40&r2=1.41&diff_format=h http://bugs.gentoo.org/show_bug.cgi?id=204834 http://ngircd.barton.de/doc/ChangeLog GLSA-200801-13 27318 SQL injection vulnerability in admin/login.php in Article Dashboard allows remote attackers to execute arbitrary SQL commands via the (1) user or (2) password fields. 3546 20080115 Article DashBoard all version SQL Injection Vulnerability 20080116 Re: Article DashBoard all version SQL Injection Vulnerability 27286 articledashboard-login-sql-injection(39657) PHP remote file inclusion vulnerability in VisionBurst vcart 3.3.2 allows remote attackers to execute arbitrary PHP code via a URL in the abs_path parameter to (1) index.php and (2) checkout.php. 27231 vcart-checkout-index-file-include(39616) 4889 Multiple SQL injection vulnerabilities in ImageAlbum 2.0.0b2 allow remote attackers to execute arbitrary SQL commands via the id, which is not properly handled in (1) classes/IADomain.php, (2) classes/IACollection.php, and (3) classes/IAUser.php, as demonstrated via the id parameter in a collection.imageview action. 3548 20080111 ImageAlbum Remote SQL Injection Vulnerabilities 27240 4895 PHP remote file inclusion vulnerability in view_func.php in Member Area System (MAS) 1.7 and possibly others allows remote attackers to execute arbitrary PHP code via a URL in the i parameter. NOTE: a second vector might exist via the l parameter. NOTE: as of 20080118, the vendor has disputed the set of affected versions, stating that the issue "is already fixed, for almost a year." 3547 20080111 Member Area System (MAS) Remote File Include Vulnerability (view_func.php) 20080118 Re: Member Area System (MAS) Remote File Include Vulnerability (view_func.php) 27244 mas-viewfunc-file-include(39611) Multiple SQL injection vulnerabilities in Digital Hive 2.0 RC2 and earlier allow (1) remote attackers to execute arbitrary SQL commands via the selectskin parameter to an unspecified program, or (2) remote authenticated administrators to execute arbitrary SQL commands via the user_id parameter in the gestion_membre.php page to base.php. 27232 digitalhive-base-sql-injection(39602) 4887 SQL injection vulnerability in showproduct.asp in RichStrong CMS allows remote attackers to execute arbitrary SQL commands via the cat parameter. 20080116 RichStrong CMS (showproduct.asp?cat=) Remote SQL Injection Exploit 27281 27310 richstrongcms-showproduct-sql-injection(39668) 4910 Cross-site scripting (XSS) vulnerability in photo_album.pl in Dansie Photo Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. dansiephotoalbum-photoalbum-xss(39664) Unspecified vulnerability in cron.php in FreeSeat before 1.1.5d, when format.php has certain modifications, allows remote attackers to bypass authentication and gain privileges via unspecified vectors related to the show_foot function. http://sourceforge.net/project/shownotes.php?group_id=160239&release_id=568374 freeseat-cron-security-bypass(39648) Unspecified vulnerability in the seat-locking implementation in FreeSeat before 1.1.5d allows attackers to book a seat more than once via unspecified vectors. http://sourceforge.net/project/shownotes.php?release_id=568374&group_id=160239 27270 freeseat-seatlocking-security-bypass(39647) Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier, allows user-assisted remote attackers to cause a denial of service (crash) or execute arbitrary code via long Session Description Protocol (SDP) data. http://aluigi.altervista.org/adv/vlcxhof-adv.txt DSA-1543 GLSA-200803-13 27221 ADV-2008-0105 oval:org.mitre.oval:def:14776 Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow remote RTSP servers to cause a denial of service (application crash) or execute arbitrary code via a long string. http://aluigi.altervista.org/adv/vlcxhof-adv.txt DSA-1543 GLSA-200803-13 ADV-2008-0105 oval:org.mitre.oval:def:14597 PhotoKorn allows remote attackers to obtain database credentials via a direct request to update/update3.php, which includes the credentials in its output. photokorn-update3-information-disclosure(39652) 4897 KHTML WebKit as used in Apple Safari 2.x allows remote attackers to cause a denial of service (browser crash) via a crafted web page, possibly involving a STYLE attribute of a DIV element. 3549 http://www.s21sec.com/avisos/s21sec-039-en.txt 20080112 Safari 2 Denial of Service 27261 safari-khtml-webkit-dos(39635) common.py in Paramiko 1.7.1 and earlier, when using threads or forked processes, does not properly use RandomPool, which allows one session to obtain sensitive information from another session by predicting the state of the pool. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=460706 http://people.debian.org/~nion/nmu-diff/paramiko-1.6.4-1_1.6.4-1.1.patch GLSA-200803-07 27307 https://bugzilla.redhat.com/show_bug.cgi?id=428727 paramiko-randompool-info-disclosure(39749) FEDORA-2008-0644 FEDORA-2008-0722 mapFiler.php in Mapbender 2.4 to 2.4.4 allows remote attackers to execute arbitrary PHP code via PHP code sequences in the factor parameter, which are not properly handled when accessing a filename that contains those sequences. http://www.redteam-pentesting.de/advisories/rt-sa-2008-001.php 28195 mapbender-mapfiler-code-execution(41131) 5232 Multiple SQL injection vulnerabilities in Mapbender 2.4.4 allow remote attackers to execute arbitrary SQL commands via the gaz parameter to mod_gazetteer_edit.php and other unspecified vectors. 20080311 Advisory: SQL-Injections in Mapbender 3728 http://www.redteam-pentesting.de/advisories/rt-sa-2008-002.php 20080311 Advisory: SQL-Injections in Mapbender 28193 mapbender-gaz-sql-injection(41139) 5233 Untrusted search path vulnerability in apt-listchanges.py in apt-listchanges before 2.82 allows local users to execute arbitrary code via a malicious apt-listchanges program in the current working directory. http://git.madism.org/?p=apt-listchanges.git;a=commitdiff;h=1bcfbf3dc55413bb83a1782dc9a54515a963fb32 http://packages.debian.org/changelogs/pool/main/a/apt-listchanges/apt-listchanges_2.82/changelog DSA-1465 27331 USN-572-1 The FTP print feature in multiple Canon printers, including imageRUNNER and imagePRESS, allow remote attackers to use the server as an inadvertent proxy via a modified PORT command, aka FTP bounce. http://itso.iu.edu/20080229_Canon_MFD_FTP_bounce_attack JVN#10056705 JVNDB-2008-000013 1019528 VU#568073 28042 http://www.usa.canon.com/html/security/pdf/CVA-001.pdf Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.12 and SeaMonkey before 1.1.8 might allow remote attackers to execute arbitrary code via a crafted external-body MIME type in an e-mail message, related to an incorrect memory allocation during message preview. 20080226 Mozilla Thunderbird MIME External-Body Heap Overflow Vulnerability 1019504 SSA:2008-061-01 239546 DSA-1621 DSA-1697 GLSA-200805-18 VU#661651 MDVSA-2008:062 http://www.mozilla.org/security/announce/2008/mfsa2008-12.html 28012 USN-582-1 USN-582-2 ADV-2008-2091 oval:org.mitre.oval:def:11075 FEDORA-2008-2060 FEDORA-2008-2118 sdbstarter in SAP MaxDB 7.6.0.37, and possibly other versions, allows local users to execute arbitrary commands by using unspecified environment variables to modify configuration settings. 20080310 SAP MaxDB sdbstarter Privilege Escalation Vulnerability 28185 1019570 ADV-2008-0844 maxdb-sdbstarter-privilege-escalation(41104) Integer signedness error in vserver in SAP MaxDB 7.6.0.37, and possibly other versions, allows remote attackers to execute arbitrary code via unknown vectors that trigger heap corruption. 20080310 SAP MaxDB Signedness Error Heap Corruption Vulnerability 28183 1019571 ADV-2008-0844 maxdb-vserver-code-execution(41107) Symantec Decomposer, as used in certain Symantec antivirus products including Symantec Scan Engine 5.1.2 and other versions before 5.1.6.31, allows remote attackers to cause a denial of service (memory consumption) via a malformed RAR file to the Internet Content Adaptation Protocol (ICAP) port (1344/tcp). 20080226 Symantec Scan Engine 5.1.2 RAR File Denial of Service Vulnerability 27911 1019503 http://www.symantec.com/avcenter/security/Content/2008.02.27.html ADV-2008-0680 Stack-based buffer overflow in Symantec Decomposer, as used in certain Symantec antivirus products including Symantec Scan Engine 5.1.2 and other versions before 5.1.6.31, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed RAR file to the Internet Content Adaptation Protocol (ICAP) port (1344/tcp). 20080226 Symantec Scan Engine 5.1.2 RAR File Buffer Overflow Vulnerability 27913 1019503 http://www.symantec.com/avcenter/security/Content/2008.02.27.html ADV-2008-0680 Directory traversal vulnerability in pkgadd in SCO UnixWare 7.1.4 before p534589 allows local users to create or append to arbitrary files via ".." sequences in an unspecified environment variable, probably PKGINST. SCOSA-2008.1 20080403 SCO UnixWare pkgadd Directory Traversal Vulnerability http://www.sco.com/support/update/download/release.php?rid=324 1019787 sco-unixware-pkgadd-directory-traversal(41759) 5355 Stack-based buffer overflow in the PGMWebHandler::parse_request function in the StarTeam Multicast Service component (STMulticastService) 6.4 in Borland CaliberRM 2006 allows remote attackers to execute arbitrary code via a large HTTP request. 20080402 Borland CaliberRM StarTeam Multicast Service Buffer Overflow Vulnerability 1019786 28602 ADV-2008-1100 starteam-pgmwebhandlerparserequest-bo(41647) Stack-based buffer overflow in the AutoFix Support Tool ActiveX control 2.7.0.1 in SYMADATA.DLL in multiple Symantec Norton products, including Norton 360 1.0, AntiVirus 2006 through 2008, Internet Security 2006 through 2008, and System Works 2006 through 2008, allows remote attackers to execute arbitrary code via a long argument to the GetEventLogInfo method. NOTE: some of these details are obtained from third party information. 20080402 Symantec Norton Internet Security 2008 ActiveX Control Buffer Overflow Vulnerability http://securityresponse.symantec.com/avcenter/security/Content/2008.04.02a.html 28507 1019751 1019752 1019753 ADV-2008-1077 symantec-autofixtool-bo(41629) The ActiveDataInfo.LaunchProcess method in the SymAData.ActiveDataInfo.1 ActiveX control 2.7.0.1 in SYMADATA.DLL in multiple Symantec Norton products including Norton 360 1.0, AntiVirus 2006 through 2008, Internet Security 2006 through 2008, and System Works 2006 through 2008, does not properly determine the location of the AutoFix Tool, which allows remote attackers to execute arbitrary code via a remote (1) WebDAV or (2) SMB share. 20080402 Symantec Internet Security 2008 ActiveDataInfo.LaunchProcess Design Error Vulnerability http://securityresponse.symantec.com/avcenter/security/Content/2008.04.02a.html 28509 1019751 1019752 1019753 ADV-2008-1077 symantec-autofixtool-code-execution(41631) Heap-based buffer overflow in spin.c in libclamav in ClamAV 0.92.1 allows remote attackers to execute arbitrary code via a crafted PeSpin packed PE binary with a modified length value. http://kolab.org/security/kolab-vendor-notice-20.txt 20080414 ClamAV libclamav PeSpin Heap Overflow Vulnerability APPLE-SA-2008-09-15 SUSE-SA:2008:024 GLSA-200805-19 http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog http://up2date.astaro.com/2008/08/up2date_asg_v7300_ga_released.html DSA-1549 VU#858595 MDVSA-2008:088 28784 1019851 TA08-260A ADV-2008-1227 ADV-2008-2584 clamav-spin-bo(41823) FEDORA-2008-3358 FEDORA-2008-3420 FEDORA-2008-3900 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=876 Integer overflow in the cli_scanpe function in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow. http://bugs.gentoo.org/show_bug.cgi?id=209915 http://docs.info.apple.com/article.html?artnum=307562 http://kolab.org/security/kolab-vendor-notice-19.txt 20080212 ClamAV libclamav PE File Integer Overflow Vulnerability APPLE-SA-2008-03-18 SUSE-SR:2008:004 GLSA-200802-09 1019394 http://sourceforge.net/project/shownotes.php?release_id=575703 http://support.novell.com/techcenter/psdb/512985d2cd3090bfb93dcb7b551179cf.html DSA-1497 MDVSA-2008:088 27751 ADV-2008-0503 ADV-2008-0606 ADV-2008-0924 FEDORA-2008-1608 FEDORA-2008-1625 Heap-based buffer overflow in the OLE importer in OpenOffice.org before 2.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an OLE file with a crafted DocumentSummaryInformation stream. 20080417 Multiple Vendor OpenOffice OLE DocumentSummaryInformation Heap Overflow Vulnerability GLSA-200805-16 231642 DSA-1547 MDVSA-2008:090 MDVSA-2008:095 SUSE-SA:2008:023 http://www.openoffice.org/security/bulletin.html http://www.openoffice.org/security/cves/CVE-2007-4770.html http://www.openoffice.org/security/cves/CVE-2007-5745.html http://www.openoffice.org/security/cves/CVE-2008-0320.html RHSA-2008:0175 RHSA-2008:0176 28819 1019890 USN-609-1 ADV-2008-1253 ADV-2008-1375 openoffice-ole-bo(41860) oval:org.mitre.oval:def:10318 FEDORA-2008-3251 The I2O Utility Filter driver (i2omgmt.sys) 5.1.2600.2180 for Microsoft Windows XP sets Everyone/Write permissions for the "\\.\I2OExc" device interface, which allows local users to gain privileges. NOTE: this issue can be leveraged to overwrite arbitrary memory and execute code via an IOCTL call with a crafted DeviceObject pointer. 20080512 Microsoft Windows I2O Filter Utility Driver (i2omgmt.sys) Local Privilege Escalation Vulnerability 29171 1020006 ADV-2008-1476 win-i2omgmt-code-execution(42358) Cisco Systems VPN Client IPSec Driver (CVPNDRVA.sys) 5.0.02.0090 allows local users to cause a denial of service (crash) by calling the 0x80002038 IOCTL with a small size value, which triggers memory corruption. 27289 1019240 ADV-2008-0170 cisco-vpnclient-cvpndrva-dos(39694) 4911 SQL injection vulnerability in show.php in FaScript FaPersian Petition allows remote attackers to execute arbitrary SQL commands via the id parameter. 27302 fascriptfapersian-show-sql-injection(39716) 4916 SQL injection vulnerability in class/show.php in FaScript FaPersianHack 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter to show.php. 27302 fascriptfapersianhack-show-sql-injection(39717) 4917 SQL injection vulnerability in show.php in FaScript FaMp3 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. 27302 fascriptfamp3-show-sql-injection(39714) 4914 SQL injection vulnerability in page.php in FaScript FaName 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. 27303 fascriptfaname-page-sql-injection(39715) 4915 LulieBlog 1.0.1 and 1.0.2 does not restrict access to (1) article_suppr.php, (2) comment_accepter.php, and (3) comment_refuser.php in Admin/, which allows remote attackers to accept comments, delete comments, and delete articles via the id parameter. 27290 lulieblog-admin-security-bypass(39669) 4912 Open System Consultants (OSC) Radiator before 4.0 allows remote attackers to cause a denial of service (daemon crash) via malformed RADIUS requests, as demonstrated by packets sent by nmap. http://www.open.com.au/radiator/history.html 27306 ADV-2008-0598 radiator-radius-dos(39730) osc-radiator-unspecified-dos(40664) Unspecified vulnerability in Funkwerk System Software before 7.4.1 PATCH 9 for certain Funkwerk Router / VPN devices allows remote attackers to cause a denial of service (panic and reboot) via unspecified DNS requests. http://www.funkwerk-ec.com/portal/downloadcenter/dateien/x2300/r7401p09/readme_741p9_en.pdf 27314 x2300-dns-dos(39731) Directory traversal vulnerability in arias/help/effect.php in aria 0.99-6 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the page parameter. 20080116 [DSECRG-08-002] Local File Include in arias 0.99-6 27311 aria-effect-file-include(39712) 4920 Directory traversal vulnerability in download_view_attachment.aspx in AfterLogic MailBee WebMail Pro 4.1 for ASP.NET allows remote attackers to read arbitrary files via a .. (dot dot) in the temp_filename parameter. 27312 mailbeewebmail-download-directory-traversal(39724) 4921 Cross-site scripting (XSS) vulnerability in pm/language/spanish/preferences.php in PMachine Pro 2.4.1 allows remote attackers to inject arbitrary web script or HTML via the L_PREF_NAME[855] parameter. http://packetstormsecurity.org/0801-exploits/pMachinePro-241-xss.txt 27282 Cross-site scripting (XSS) vulnerability in BugTracker.NET before 2.7.2 allows remote attackers to inject arbitrary web script or HTML via an arbitrary custom text field. http://sourceforge.net/project/shownotes.php?release_id=568160 http://sourceforge.net/tracker/index.php?func=detail&aid=1867089&group_id=66812&atid=515837 27275 bugtrackernet-bug-xss(39650) Multiple cross-site request forgery (CSRF) vulnerabilities in BugTracker.NET before 2.7.2 allow remote attackers to delete arbitrary bugs and perform other administrative tasks via unspecified vectors, possibly related to delete_*.aspx pages, and massedit.aspx, subscribe.aspx, flag.aspx, and relationships.aspx. http://sourceforge.net/project/shownotes.php?group_id=66812&release_id=568160 http://sourceforge.net/tracker/index.php?func=detail&aid=1867089&group_id=66812&atid=515837 bugtrackernet-http-csrf(39651) Heap-based buffer overflow in the _mwProcessReadSocket function in http.c in MiniWeb HTTP Server 0.8.19 allows remote attackers to execute arbitrary code via a long URI. http://www.bugtraq.ir/adv/miniweb_english.pdf 27319 ADV-2008-0176 miniweb-mwprocessreadsocket-bo(39718) 4923 Directory traversal vulnerability in the mwGetLocalFileName function in http.c in MiniWeb HTTP Server 0.8.19 allows remote attackers to read arbitrary files and list arbitrary directories via a (1) .%2e (partially encoded dot dot) or (2) %2e%2e (encoded dot dot) in the URI. http://www.bugtraq.ir/adv/miniweb_english.pdf 27319 ADV-2008-0176 miniweb-mwgetlocal-directory-traversal(39713) 4923 Unspecified vulnerability in the XML DB component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 has unknown impact and remote attack vectors, aka DB01. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 have unknown impact and remote attack vectors, related to the (1) Advanced Queuing component (DB02) and (2) Oracle Spatial component (DB04). SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Unspecified vulnerability in the Advanced Queuing component in Oracle Database 9.0.1.5 FIPS+ and 10.1.0.5 has unknown impact and remote attack vectors, aka DB03. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Unspecified vulnerability in the Upgrade/Downgrade component in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and remote attack vectors, aka DB05. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Unspecified vulnerability in the Oracle Spatial component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, and 10.1.0.5 has unknown impact and remote attack vectors, aka DB06. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 and 10.2.0.3 has unknown impact and remote attack vectors, aka DB07. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Unspecified vulnerability in the Core RDBMS component in Oracle Database 11.1.0.6 has unknown impact and remote attack vectors, aka DB08. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Unspecified vulnerability in the Oracle Jinitiator component in Oracle Application Server 1.3.1.27 and E-Business Suite 11.5.10.2 has unknown impact and remote attack vectors, aka AS01. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Unspecified vulnerability in the Oracle Ultra Search component in Oracle Collaboration Suite 10.1.2; Database 9.2.0.8, 10.1.0.5, and 10.2.0.3; and Application Server 9.0.4.3 and 10.1.2.0.2; has unknown impact and local attack vectors, aka OCS01. NOTE: Oracle has not disputed a reliable claim that this issue is related to WKSYS schema privileges. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html http://www.petefinnigan.com/Advisory_CPU_Jan_2008.htm 20080130 PeteFinnigan.com Limited advisory for Oracle January 2008 CPU 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Multiple unspecified vulnerabilities in the PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.18, 8.48.15, and 8.49.07 have unknown impact and remote attack vectors, aka (1) PSE01, (2) PSE03, and (3) PSE04. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 Unspecified vulnerability in the PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.15 and 8.49.07 has unknown impact and remote attack vectors, aka PSE02. SSRT061201 1019218 http://www.oracle.com/technetwork/topics/security/cpujan2008-086860.html 27229 TA08-017A ADV-2008-0150 ADV-2008-0180 admin/index.php in Evilsentinel 1.0.9 and earlier sends a redirect to the web browser but does not exit, which allows remote attackers to gain administrative privileges and make arbitrary configuration changes. http://evilsentinel.altervista.org/forum/index.php?topic=49.0 27227 4884 admin/config.php in Evilsentinel 1.0.9 and earlier allows remote attackers to bypass the CAPTCHA test by omitting the es_security_captcha parameter and not invoking captcha.php. 27227 4884 The Linux kernel 2.6.20 through 2.6.21.1 allows remote attackers to cause a denial of service (panic) via a certain IPv6 packet, possibly involving the Jumbo Payload hop-by-hop option (jumbogram). http://bugzilla.kernel.org/show_bug.cgi?id=8450 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.21.2 linux-kernel-ipv6-jumbogram-dos(39643) 4893 SQL injection vulnerability in visualizza_tabelle.php in php-residence 0.7.2 and 1.0 allows remote attackers to execute arbitrary SQL commands via the cognome_cerca parameter. NOTE: some of these details are obtained from third party information. 27320 phpresidence-visualizza-sql-injection(39739) 4925 Cross-site scripting (XSS) vulnerability in the chat client in IBM Lotus Sametime 7.5 and 7.5.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted message, which triggers code execution after a mouseover event initiated by the victim. 27316 1019224 ADV-2008-0168 http://www-1.ibm.com/support/docview.wss?uid=swg21292938 sametime-client-mouseover-xss(39726) SQL injection vulnerability in index.php in the forum module in PHPEcho CMS, probably 2.0-rc3 and earlier, allows remote attackers to execute arbitrary SQL commands via the id parameter in a section action, a different vector than CVE-2007-2866. 27326 phpechocms-index-sql-injection(39741) 4929 Buffer overflow in the Independent Management Architecture (IMA) service in Citrix Presentation Server (MetaFrame Presentation Server) 4.5 and earlier, Access Essentials 2.0 and earlier, and Desktop Server 1.0 allows remote attackers to execute arbitrary code via an invalid size value in a packet to TCP port 2512 or 2513. http://support.citrix.com/article/CTX114487 VU#412228 20080117 ZDI-08-002: Citrix Presentation Server IMA Service Heap Overflow Vulnerability 27329 1019231 ADV-2008-0172 http://zerodayinitiative.com/advisories/ZDI-08-002.html Directory traversal vulnerability in pages/upload.php in Galaxyscripts Mini File Host 1.2.1 and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the language parameter. 27327 minifilehost-uploadphp-file-include(39799) 4930 SQL injection vulnerability in index.php in Pixelpost 1.7 allows remote attackers to execute arbitrary SQL commands via the parent_id parameter. http://www.pixelpost.org/forum/showthread.php?t=7716 27242 1019238 pixelpost-indexphp-sql-injection(39721) 4924 Multiple cross-site scripting (XSS) vulnerabilities in BLOG:CMS 4.2.1b allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin.php or (2) index.php in photo/. http://blogcms.com/wiki/changelog 20080116 [DSECRG-08-003] blogcms 4.2.1b Multiple Security Vulnerabilities 27317 blogcms-index-xss(39710) 4919 Multiple SQL injection vulnerabilities in BLOG:CMS 4.2.1b allow remote attackers to execute arbitrary SQL commands via (1) the blogid parameter to index.php, (2) the user parameter to action.php, or (3) the field parameter to admin/plugins/table/index.php. http://blogcms.com/wiki/changelog 20080116 [DSECRG-08-003] blogcms 4.2.1b Multiple Security Vulnerabilities 27317 4919 Directory traversal vulnerability in agregar_info.php in GradMan 0.1.3 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tabla parameter. 3552 20080116 Gradman <= 0.1.3 (agregar_info.php?tabla=) Local File Inclusion Exploit 27324 gradman-agregarinfo-file-include(39732) 4926 Cross-site scripting (XSS) vulnerability in gallery.php in Clever Copy 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the album parameter. 3553 20080117 Clever Copy <=3.0 Multiple Remote Vulnerabilities 27335 clevercopy-gallery-xss(39747) Multiple SQL injection vulnerabilities in Clever Copy 3.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to postcomment.php and the (2) album parameter to gallery.php. 3553 20080117 Clever Copy <=3.0 Multiple Remote Vulnerabilities 27335 clevercopy-postcomment-sql-injection(39746) Buffer overflow in (1) BitTorrent 6.0 and earlier; and (2) uTorrent 1.7.5 and earlier, and 1.8-alpha-7834 and earlier in the 1.8.x series; on Windows allows remote attackers to cause a denial of service (application crash) via a long Unicode string representing a client version identifier. http://aluigi.altervista.org/adv/ruttorrent-adv.txt http://aluigi.org/poc/ruttorrent.zip http://download.utorrent.com/1.7.6/utorrent-1.7.6.txt http://forum.utorrent.com/viewtopic.php?id=29330 3554 20080116 Peers static overflow in BitTorrent 6.0 and uTorrent 1.7.5 27321 bittorrent-peers-bo(39719) utorrent-peers-bo(39720) Multiple buffer overflows in CORE FORCE before 0.95.172 allow local users to cause a denial of service (system crash) and possibly execute arbitrary code in the kernel context via crafted arguments to (1) IOCTL functions in the Firewall module or (2) SSDT hook handler functions in the Registry module. http://force.coresecurity.com/index.php?module=articles&func=display&aid=32 3555 http://www.coresecurity.com/?action=item&id=2025 20080117 CORE-2007-1119: CORE FORCE Kernel Buffer Overflow 27341 1019245 ADV-2008-0242 coreforce-firewall-registry-bo(39758) CORE FORCE before 0.95.172 does not properly validate arguments to SSDT hook handler functions in the Registry module, which allows local users to cause a denial of service (system crash) and possibly execute arbitrary code in the kernel context via crafted arguments. http://force.coresecurity.com/index.php?module=articles&func=display&aid=32 3555 http://www.coresecurity.com/?action=item&id=2025 20080117 CORE-2007-1119: CORE FORCE Kernel Buffer Overflow 27341 1019245 ADV-2008-0242 Mozilla Firefox 2.0.0.11, 3.0b2, and possibly earlier versions, when prompting for HTTP Basic Authentication, displays the site requesting the authentication after the Realm text, which might make it easier for remote HTTP servers to conduct phishing and spoofing attacks. http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx http://aviv.raffon.net/2008/01/05/FirefoxDialogSpoofingFAQ.aspx http://blog.mozilla.com/security/2008/01/04/basicauth-dialog-realm-value-spoofing/ 20080103 Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication 20080103 Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication 27111 https://bugzilla.mozilla.org/show_bug.cgi?id=244273 onedcu in IBM Informix Dynamic Server (IDS) 10.x before 10.00.xC8 allows local users to create arbitrary files via the Trace file argument. 20080131 IBM Informix Dynamic Server onedcu File Creation Vulnerability 27328 1019237 ADV-2008-0169 IC54307 http://www-1.ibm.com/support/docview.wss?uid=swg27011556 ibm-ids-onedcu-sqlidebug-unspecified(39751) Multiple unspecified programs in IBM Informix Dynamic Server (IDS) 10.x before 10.00.xC8 allow local users to create arbitrary files by specifying the target file in the SQLIDEBUG environment variable, whose ownership is changed to the user invoking the programs. 20080131 IBM Informix Dynamic Server SQLIDEBUG File Creation Vulnerability 27328 1019237 ADV-2008-0169 IC54309 http://www-1.ibm.com/support/docview.wss?uid=swg27011556 ibm-ids-onedcu-sqlidebug-unspecified(39751) ibm-ids-sqlidebug-unspecified(40009) Cross-site scripting (XSS) vulnerability in dohtaccess.html in cPanel before 11.17 build 19417 allows remote attackers to inject arbitrary web script or HTML via the rurl parameter. NOTE: some of these details are obtained from third party information. http://aria-security.net/forum/showthread.php?p=1238 3561 20080116 cPanel Hosting Manager (dohtaccess.html) 27308 Multiple SQL injection vulnerabilities in aliTalk 1.9.1.1, when magic_quotes_gpc is disabled, allow remote authenticated users to execute arbitrary SQL commands via (1) the mohit parameter to (a) inc/receivertwo.php; and allow remote attackers to execute arbitrary SQL commands via (2) the id parameter to (b) inc/usercp.php, related to functionz/usercp.php; or (3) the username parameter to (c) admin/index.php, related to functionz/first_process.php, or (d) index.php. NOTE: some of these details are obtained from third party information. 27315 alitalk-receivertwo-sql-injection(39733) alitalk-adminindex-sql-injection(39735) alitalk-usercp-sql-injection(39736) alitalk-index-sql-injection(39745) 4922 8e6 R3000 Internet Filter 2.0.05.33, and other versions before 2.0.11, allows remote attackers to bypass intended restrictions via a fragmented HTTP request. 3557 20080116 8e6 Technologies R3000 Internet Filter Bypass by Request Split 20080121 Re: 8e6 Technologies R3000 Internet Filter Bypass by Request Split 27309 r3000-urlfilter-security-bypass(39723) Unrestricted file upload vulnerability in PHP F1 Max's File Uploader allows remote attackers to upload and execute arbitrary PHP files. 3572 20080115 Max's File Uploader File Upload Vulnerability 27285 max-index-file-upload(39740) OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 sends the configuration of the printer in cleartext, which allows remote attackers to obtain the administrative password by connecting to TCP port 5548 or 7777. 3569 http://www.csnc.ch/en/modules/news/news_0004.html_1394092626.html 20080117 [CSNC] OKI C5510MFP Printer Password Disclosure 27339 c5510mfp-configuration-info-disclosure(39775) Unspecified vulnerability in OKI C5510MFP Printer CU H2.15, PU 01.03.01, System F/W 1.01, and Web Page 1.00 allows remote attackers to set the password and obtain administrative access via unspecified vectors. 3569 http://www.csnc.ch/en/modules/news/news_0004.html_1394092626.html 20080117 [CSNC] OKI C5510MFP Printer Password Disclosure 27339 c5510mfp-password-security-bypass(39776) PHP remote file inclusion vulnerability in inc/linkbar.php in Small Axe Weblog 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the cfile parameter. 27345 smallaxeweblog-linkbar-file-include(39765) 4937 MicroNews allows remote attackers to bypass authentication and gain administrative privileges via a direct request to admin.php. 3556 20080115 MicroNews Admin Direct Access vulnerability 27288 micronews-admin-authentication-bypass(39702) Stack-based buffer overflow in SocksCap 2.40-051231 and earlier, when "Resolve all names remotely" is enabled, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hostname. 3560 20080118 SocksCap Stack Overflow (<= 2.40-051231) 27357 sockscap-hostname-bo(39781) Race condition in the Enterprise Tree ActiveX control (EnterpriseControls.dll 11.5.0.313) in Crystal Reports XI Release 2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SelectedSession method, which triggers a buffer overflow. 27333 1019239 crystalreports-enterprisetree-bo(39743) 4931 Buffer overflow in the Digital Data Communications RtspVaPgCtrl ActiveX control (RtspVapgDecoder.dll 1.1.0.29) allows remote attackers to execute arbitrary code via a long MP4Prefix property. 27337 ADV-2008-0182 4932 Unspecified vulnerability in Mahara before 0.9.1 has unknown impact and remote attack vectors, probably related to cross-site scripting (XSS) in uploaded files. 27348 https://eduforge.org/frs/shownotes.php?release_id=342 Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php. 3559 20080116 [waraxe-2008-SA#061] - Remote Code Execution in MyBB 1.2.10 27322 4927 4928 Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) admin/usergroups.php. http://community.mybboard.net/showthread.php?tid=27227 3558 20080116 [waraxe-2008-SA#062] - Multiple Sql Injections in MyBB 1.2.10 27323 http://www.waraxe.us/advisory-62.html mybb-moderationphp-sql-injection(39728) mybb-usergroups-sql-injection(39729) OpenBSD 4.2 allows local users to cause a denial of service (kernel panic) by calling the SIOCGIFRTLABEL IOCTL on an interface that does not have a route label, which triggers a NULL pointer dereference when the return value from the rtlabel_id2name function is not checked. [openbsd-security-announce] 20080111 errata 005 for OpenBSD 4.2: local users can provoke a kernel panic [4.2] 20080111 005: RELIABILITY FIX: January 11, 2008 27252 1019188 4935 SQL injection vulnerability in server/widgetallocator.php in Urulu 2.1 allows remote attackers to execute arbitrary SQL commands via the connectionId parameter to index.php with (1) statprt/js/request or (2) dyn/js/request in the PATH_INFO. 3707 http://www.csnc.ch/misc/files/advisories/CVE-2008-0385.txt 20080228 Urulu 2.1 Blind SQL Injection Vulnerability (CVE-2008-0385) 28032 Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email. http://bugs.gentoo.org/show_bug.cgi?id=207331 SUSE-SR:2008:004 GLSA-200801-21 http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25 http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?view=log http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37 http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18 http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33 http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?view=log MDVSA-2008:031 27528 1019284 ADV-2008-0342 https://bugzilla.redhat.com/show_bug.cgi?id=429513 Integer overflow in Firebird SQL 1.0.3 and earlier, 1.5.x before 1.5.6, 2.0.x before 2.0.4, and 2.1.x before 2.1.0 RC1 might allow remote attackers to execute arbitrary code via crafted (1) op_receive, (2) op_start, (3) op_start_and_receive, (4) op_send, (5) op_start_and_send, and (6) op_start_send_and_receive XDR requests, which triggers memory corruption. GLSA-200803-02 3580 http://sourceforge.net/project/shownotes.php?group_id=9028&release_id=570800 http://tracker.firebirdsql.org/browse/CORE-1681 http://www.coresecurity.com/?action=item&id=2095 DSA-1529 20080128 CORE-2007-1219: Firebird Remote Memory Corruption 27403 firebird-xdrprotocol-integer-overflow(39996) SQL injection vulnerability in the WP-Forum 1.7.4 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the user parameter in a showprofile action to the default URI. 20080216 WordPress forumaction (PAGE_id)(user)SQL Injectio http://weblogtoolscollection.com/archives/2008/01/21/wp-forum-plugin-security-bulletin/ 27362 ADV-2008-0235 wpforum-index-sql-injection(39800) 4939 Unspecified vulnerability in the serveServletsByClassnameEnabled feature in IBM WebSphere Application Server (WAS) 6.0 through 6.0.2.25, 6.1 through 6.1.0.14, and 5.1.1.x before 5.1.1.18 has unknown impact and attack vectors. 27371 1019251 1019894 ADV-2008-0219 ADV-2008-1133 PK52059 http://www-1.ibm.com/support/docview.wss?uid=swg27006879#51118 websphere-serveservlets-unspecified(39808) stat.php in AuraCMS 1.62, and Mod Block Statistik for AuraCMS, allows remote attackers to inject arbitrary PHP code into online.db.txt via the X-Forwarded-For HTTP header in a stat action to index.php, and execute online.db.txt via a certain request to index.php. 27342 auracms-stat-code-execution(39777) 4933 inc/elementz.php in aliTalk 1.9.1.1 does not properly verify authentication, which allows remote attackers to add an arbitrary user account via a modified lilil parameter, in conjunction with the ubild and pa parameters. 27315 4922 Multiple buffer overflows in Microsoft Visual Basic Enterprise Edition 6.0 SP6 allow user-assisted remote attackers to execute arbitrary code via a .dsr file with a long (1) ConnectionName or (2) CommandName line. 27349 1019258 ADV-2008-0195 visualbasic-enterprise-dsr-bo(39773) 4938 Directory traversal vulnerability in info.php in GradMan 0.1.3 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tabla parameter, a different vector than CVE-2008-0361. 27343 gradman-info-file-include(39768) 4936 Buffer overflow in Citadel SMTP server 7.10 and earlier allows remote attackers to execute arbitrary code via a long RCPT TO command, which is not properly handled by the makeuserkey function. NOTE: some of these details were obtained from third party information. http://www.milw0rm.com/sploits/2008-vs-GNU-citadel.tar.gz 27376 1019255 ADV-2008-0252 citadel-makeuserkey-bo(39807) 4949 Kayako SupportSuite 3.11.01 allows remote attackers to obtain server configuration information via a direct request to syncml/index.php, which prints the contents of the $_SERVER superglobal. 3573 20080121 [waraxe-2008-SA#063] - Information Leakage in Kayako SupportSuite 3.11.01 http://www.waraxe.us/advisory-63.html Directory traversal vulnerability in BitDefender Update Server (http.exe), as used in BitDefender products including Security for Fileservers and Enterprise Manager (BDEM), allows remote attackers to read arbitrary files via .. (dot dot) sequences in an HTTP request. http://oliver.greyhat.de/2008/01/19/bitdefender-unauthorized-remote-file-access-vulnerability/ 3568 http://www.oliverkarow.de/research/bitdefender.txt 20080119 BitDefender Update Server - Unauthorized Remote File Access Vulnerability 27358 ADV-2008-0213 bitdefender-http-server-directory-traversal(39802) Multiple SQL injection vulnerabilities in aflog 1.01, and possibly earlier versions, allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to comments.php and (2) an unspecified parameter to view.php. 27398 ADV-2008-0255 aflog-comments-sql-injection(39825) 4958 Cross-site scripting (XSS) vulnerability in aflog 1.01, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the comment form. 27398 ADV-2008-0255 4958 Multiple buffer overflows in Toshiba Surveillance (Surveillix) RecordSend ActiveX control (MeIpCamX.DLL 1.0.0.4) allow remote attackers to execute arbitrary code via long arguments to the (1) SetPort and (2) SetIpAddress methods. http://retrogod.altervista.org/rgod_toshiba_control.html 27360 ADV-2008-0214 toshiba-recordsend-bo(39792) 4946 Cross-site scripting (XSS) vulnerability in header.tpl.php in the modern template for Singapore 0.10.1 allows remote attackers to inject arbitrary web script or HTML via the gallery parameter to default.php. http://trew.icenetx.net/toolz/advisory-singapore-modern-template.txt 27382 ADV-2008-0234 Buffer overflow in the logging functionality of the HTTP server in IBM Tivoli Provisioning Manager for OS Deployment (TPMfOSD) before 5.1.0.3 Interim Fix 3 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an HTTP request with a long method string to port 443/tcp. 20080122 IBM Tivoli PMfOSD HTTP Request Method Buffer Overflow Vulnerability VU#158609 27387 1019249 ADV-2008-0239 http://www-1.ibm.com/support/docview.wss?uid=swg24018010 tivoli-provisioning-http-unspecified(39819) Unspecified vulnerability in IBM WebSphere Business Modeler Basic and Advanced 6.0.2.1 before Interim Fix 11 allows remote authenticated users to bypass intended access restrictions and delete unspecified repository resources via unknown vectors, even when they are not administrators or members of the repository's owning group. 27389 1019252 ADV-2008-0254 http://www-1.ibm.com/support/docview.wss?uid=swg24018060 http://www-1.ibm.com/support/docview.wss?uid=swg24018061 JR28175 websphere-repository-weak-security(39830) The web server in Belkin Wireless G Plus MIMO Router F5D9230-4 does not require authentication for SaveCfgFile.cgi, which allows remote attackers to read and modify configuration via a direct request to SaveCfgFile.cgi. 3566 20080119 Belkin Wireless G Plus MIMO Router F5D9230-4 Authentication Bypass Vulnerability 27359 ADV-2008-0215 belkin-savecfgfile-authentication-bypass(39793) 4941 Cross-site scripting (XSS) vulnerability in Mantis before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to the "Most active bugs" summary. http://sourceforge.net/project/shownotes.php?release_id=569765 27367 ADV-2008-0232 https://bugzilla.redhat.com/show_bug.cgi?id=429552 mantis-mostactive-xss(39801) FEDORA-2008-0796 FEDORA-2008-0856 Multiple directory traversal vulnerabilities in HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allow remote attackers to create arbitrary (1) files and (2) directories via a .. (dot dot) in an account name, when requesting the / URI; and (3) append arbitrary data to a file via a .. (dot dot) in an account name, when requesting a URI composed of a "/?%0a" sequence followed by the data. 3581 http://www.rejetto.com/hfs/?f=wn 20080123 Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory Manipulation and Denial-of-Service Vulnerabilities 27423 http://www.syhunt.com/advisories/hfshack.txt hfs-unspecified-command-execution(39873) HTTP File Server (HFS) before 2.2c, when account names are used as log filenames, allows remote attackers to cause a denial of service (daemon crash) via a long account name. 3581 http://www.rejetto.com/hfs/?f=wn 20080123 Syhunt: HFS (HTTP File Server) Log Arbitrary File/Directory Manipulation and Denial-of-Service Vulnerabilities 27423 http://www.syhunt.com/advisories/hfshack.txt hfs-filename-dos(39875) HTTP File Server (HFS) before 2.2c tags HTTP request log entries with the username sent during HTTP Basic Authentication, regardless of whether authentication succeeded, which might make it more difficult for an administrator to determine who made a remote request. 3582 http://www.rejetto.com/hfs/?f=wn 20080123 Syhunt: HFS (HTTP File Server) Username Spoofing and Log Forging/Injection Vulnerability 27423 http://www.syhunt.com/advisories/hfshack.txt hfs-username-spoofing(39877) HTTP File Server (HFS) before 2.2c allows remote attackers to append arbitrary text to the log file by using the base64 representation of this text during HTTP Basic Authentication. 3582 http://www.rejetto.com/hfs/?f=wn 20080123 Syhunt: HFS (HTTP File Server) Username Spoofing and Log Forging/Injection Vulnerability 27423 http://www.syhunt.com/advisories/hfshack.txt hfs-unspecified-log-injection(39876) Cross-site scripting (XSS) vulnerability in HTTP File Server (HFS) before 2.2c allows remote attackers to inject arbitrary web script or HTML via the userinfo subcomponent of a URL. 3583 http://www.rejetto.com/hfs/?f=wn 20080123 Syhunt: HFS (HTTP File Server) Template Cross-Site Scripting and Information Disclosure Vulnerabilities 27423 http://www.syhunt.com/advisories/hfshack.txt hfs-host-xss(39870) HTTP File Server (HFS) before 2.2c allows remote attackers to obtain configuration and usage details by using an id element such as <id>%version%</id> in HTTP Basic Authentication instead of a username and password, as demonstrated by placing this id element in the userinfo subcomponent of a URL. 3583 http://www.rejetto.com/hfs/?f=wn 20080123 Syhunt: HFS (HTTP File Server) Template Cross-Site Scripting and Information Disclosure Vulnerabilities 27423 http://www.syhunt.com/advisories/hfshack.txt hfs-sendhfsidentifier-info-disclosure(39871) Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator. SUSE-SA:2008:010 http://scary.beasts.org/security/CESA-2008-001.html SSA:2008-062-01 http://wiki.rpath.com/Advisories:rPSA-2008-0082 DSA-1510 GLSA-200803-14 MDVSA-2008:055 RHSA-2008:0155 20080228 rPSA-2008-0082-1 espgs 20080228 Ghostscript buffer overflow 28017 1019511 USN-599-1 ADV-2008-0693 https://issues.rpath.com/browse/RPL-2217 oval:org.mitre.oval:def:9557 FEDORA-2008-1998 The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to the (1) nsTableFrame::GetFrameAtOrBefore, (2) nsAccessibilityService::GetAccessible, (3) nsBindingManager::GetNestedInsertionPoint, (4) nsXBLPrototypeBinding::AttributeChanged, (5) nsColumnSetFrame::GetContentInsertionFrame, and (6) nsLineLayout::TrimTrailingWhiteSpaceIn methods, and other vectors. http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 SSA:2008-061-01 238492 239546 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 http://wiki.rpath.com/Advisories:rPSA-2008-0093 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 MDVSA-2008:048 MDVSA-2008:062 http://www.mozilla.org/security/announce/2008/mfsa2008-01.html RHSA-2008:0103 RHSA-2008:0104 RHSA-2008:0105 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 20080229 rPSA-2008-0093-1 thunderbird 27683 1019320 USN-576-1 USN-582-1 USN-582-2 ADV-2008-0453 ADV-2008-0454 ADV-2008-0627 ADV-2008-1793 ADV-2008-2091 https://bugzilla.mozilla.org/buglist.cgi?bug_id=398088,393141,364801,346405,396613,394337,406290 https://issues.rpath.com/browse/RPL-1995 oval:org.mitre.oval:def:10573 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 FEDORA-2008-2060 FEDORA-2008-2118 The JavaScript engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via (1) a large switch statement, (2) certain uses of watch and eval, (3) certain uses of the mousedown event listener, and other vectors. http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 SSA:2008-061-01 238492 239546 http://wiki.rpath.com/Advisories:rPSA-2008-0051 http://wiki.rpath.com/Advisories:rPSA-2008-0093 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 MDVSA-2008:048 MDVSA-2008:062 http://www.mozilla.org/security/announce/2008/mfsa2008-01.html RHSA-2008:0103 RHSA-2008:0104 RHSA-2008:0105 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 20080229 rPSA-2008-0093-1 thunderbird 27683 1019321 USN-576-1 USN-582-1 USN-582-2 ADV-2008-0453 ADV-2008-0454 ADV-2008-0627 ADV-2008-1793 ADV-2008-2091 https://bugzilla.mozilla.org/buglist.cgi?bug_id=407720,390597,373344,398085,406572,391028,406036,402087 https://issues.rpath.com/browse/RPL-1995 oval:org.mitre.oval:def:10385 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 FEDORA-2008-2060 FEDORA-2008-2118 Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to trick the user into uploading arbitrary files via label tags that shift focus to a file input field, aka "focus spoofing." http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 238492 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 MDVSA-2008:048 http://www.mozilla.org/security/announce/2008/mfsa2008-02.html 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 27683 1019330 USN-576-1 ADV-2008-0453 ADV-2008-0627 ADV-2008-1793 https://bugzilla.mozilla.org/buglist.cgi?bug_id=404451,408034,404391,405299 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs." http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 SSA:2008-061-01 238492 239546 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 http://wiki.rpath.com/Advisories:rPSA-2008-0093 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 MDVSA-2008:048 MDVSA-2008:062 http://www.mozilla.org/security/announce/2008/mfsa2008-03.html RHSA-2008:0103 RHSA-2008:0104 RHSA-2008:0105 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 20080229 rPSA-2008-0093-1 thunderbird 27683 1019327 USN-576-1 USN-582-1 USN-582-2 ADV-2008-0453 ADV-2008-0454 ADV-2008-0627 ADV-2008-1793 ADV-2008-2091 https://bugzilla.mozilla.org/buglist.cgi?bug_id=386695,393761,393762,399298,407289,372075,363597 https://issues.rpath.com/browse/RPL-1995 oval:org.mitre.oval:def:9897 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 FEDORA-2008-2060 FEDORA-2008-2118 Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allow remote attackers to inject arbitrary web script or HTML via certain character encodings, including (1) a backspace character that is treated as whitespace, (2) 0x80 with Shift_JIS encoding, and (3) "zero-length non-ASCII sequences" in certain Asian character sets. JVN#21563357 JVNDB-2008-000021 238492 239546 DSA-1484 DSA-1485 DSA-1489 GLSA-200805-18 http://www.mozilla.org/security/announce/2008/mfsa2008-13.html 29303 TLSA-2008-9 USN-592-1 TA08-087A ADV-2008-1793 ADV-2008-2091 https://bugzilla.mozilla.org/buglist.cgi?bug_id=404252,381412,407161 firefox-character-encoding-xss(40488) USN-576-1 CRLF injection vulnerability in Mozilla Firefox before 2.0.0.12 allows remote user-assisted web sites to corrupt the user's password store via newlines that are not properly handled when the user saves a password. http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 238492 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 MDVSA-2008:048 http://www.mozilla.org/security/announce/2008/mfsa2008-04.html RHSA-2008:0103 RHSA-2008:0104 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 27683 1019334 USN-576-1 ADV-2008-0453 ADV-2008-0627 ADV-2008-1793 https://bugzilla.mozilla.org/show_bug.cgi?id=394610 oval:org.mitre.oval:def:11154 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js. http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 SSA:2008-061-01 238492 239546 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 http://wiki.rpath.com/Advisories:rPSA-2008-0093 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/ VU#309608 MDVSA-2008:048 MDVSA-2008:062 http://www.mozilla.org/security/announce/2008/mfsa2008-05.html RHSA-2008:0103 RHSA-2008:0104 RHSA-2008:0105 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 20080229 rPSA-2008-0093-1 thunderbird 27406 1019329 USN-576-1 USN-582-1 USN-582-2 ADV-2008-0263 ADV-2008-0453 ADV-2008-0454 ADV-2008-0627 ADV-2008-1793 ADV-2008-2091 https://issues.rpath.com/browse/RPL-1995 oval:org.mitre.oval:def:10705 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 FEDORA-2008-2060 FEDORA-2008-2118 Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remote attackers to steal navigation history and cause a denial of service (crash) via images in a page that uses designMode frames, which triggers memory corruption related to resize handles. http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 238492 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 http://wiki.rpath.com/Advisories:rPSA-2008-0093 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 VU#879056 MDVSA-2008:048 http://www.mozilla.org/security/announce/2008/mfsa2008-06.html RHSA-2008:0103 RHSA-2008:0104 RHSA-2008:0105 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 20080229 rPSA-2008-0093-1 thunderbird 27683 1019328 USN-576-1 ADV-2008-0453 ADV-2008-0627 ADV-2008-1793 https://bugzilla.mozilla.org/show_bug.cgi?id=400556 https://issues.rpath.com/browse/RPL-1995 oval:org.mitre.oval:def:11652 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 FEDORA-2008-2060 FEDORA-2008-2118 modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 does not properly perform certain calculations related to the mColors table, which allows remote attackers to read portions of memory uninitialized via a crafted 8-bit bitmap (BMP) file that triggers an out-of-bounds read within the heap, as demonstrated using a CANVAS element; or cause a denial of service (application crash) via a crafted 8-bit bitmap file that triggers an out-of-bounds read. NOTE: the initial public reports stated that this affected Firefox in Ubuntu 6.06 through 7.10. http://browser.netscape.com/releasenotes/ 1019434 238492 GLSA-200805-18 MDVSA-2008:048 http://www.mozilla.org/security/announce/2008/mfsa2008-07.html 20080216 [HISPASEC] FireFox 2.0.0.11 and Opera 9.50 beta Remote Memory Information Leak, FireFox 2.0.0.11 Remote Denial of Service 27826 USN-582-1 USN-582-2 ADV-2008-0627 ADV-2008-1793 https://bugzilla.mozilla.org/show_bug.cgi?id=408076 firefox-bmp-information-disclosure(40491) firefox-bmp-dos(40606) oval:org.mitre.oval:def:10119 USN-576-1 FEDORA-2008-2060 FEDORA-2008-2118 SQL injection vulnerability in Invision Gallery 2.0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the album parameter in a rate command. 4966 SQL injection vulnerability in mail.php in boastMachine (aka bMachine) 3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 3563 20080121 boastMachine <=3.1 SQL Injection Vulnerbility 20081120 boastMachine v3.1 Remote Sql Injection 27369 32379 ADV-2008-0227 boastmachine-mail-sql-injection(39813) 4952 Multiple PHP remote file inclusion vulnerabilities in Lama Software allow remote attackers to execute arbitrary PHP code via a URL in the MY_CONF[classRoot] parameter to (1) inc.steps.access_error.php, (2) inc.steps.check_login.php, or (3) inc.steps.init_system.php in admin/functions/. 27380 ADV-2008-0230 lamasoftware-myconf-file-include(39821) 4955 SQL injection vulnerability in blog.php in Mooseguy Blog System (MGBS) 1.0 allows remote attackers to execute arbitrary SQL commands via the month parameter. 27377 ADV-2008-0226 mooseguy-blog-sql-injection(39816) 4951 Absolute path traversal vulnerability in explorerdir.php in Frimousse 0.0.2 allows remote attackers to read arbitrary files and list arbitrary directories via a full pathname in the name parameter. 27385 ADV-2008-0216 frimousse-explorerdir-directory-traversal(39797) 4943 Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PacerCMS before 0.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) headline, or (3) text field in a message. http://pacercms.sourceforge.net/index.php/2008/01/21/pacercms-061-streamlines-code-base-addresses-security-issue/ 20080122 PacerCMS Multiple Vulnerabilities (XSS/SQL) 27386 pacercms-submit-xss(39832) Directory traversal vulnerability in file.php in bloofoxCMS 0.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. http://bugreport.ir/?/27 20080120 Bloofox CMS SQL Injection (Authentication bypass) , Source code 20080120 Bloofox CMS SQL Injection (Authentication bypass) , Source codedisclosure 27361 ADV-2008-0218 bloofoxcms-file-directory-traversal(39795) 4945 Multiple SQL injection vulnerabilities in the login function in system/class_permissions.php in bloofoxCMS 0.3 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to admin/index.php. http://bugreport.ir/?/27 20080120 Bloofox CMS SQL Injection (Authentication bypass) , Source code 20080120 Bloofox CMS SQL Injection (Authentication bypass) , Source codedisclosure 27361 ADV-2008-0218 bloofoxcms-index-sql-injection(39794) 4945 SQL injection vulnerability in index.php in AlstraSoft Forum Pay Per Post Exchange 2.0 allows remote attackers to execute arbitrary SQL commands via the catid parameter in a forum_catview action. 27381 ADV-2008-0231 alstrasoft-indexphp-sql-injection(39820) 4956 6401 SQL injection vulnerability in form.php in 360 Web Manager 3.0 allows remote attackers to execute arbitrary SQL commands via the IDFM parameter. 27364 ADV-2008-0217 360web-form-sql-injection(39796) 4944 Directory traversal vulnerability in administrator/download.php in IDMOS (aka Phoenix) 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter. 27379 ADV-2008-0229 idmos-download-directory-traversal(39823) 4954 Cross-site scripting (XSS) vulnerability in index.php in phpAutoVideo 2.21 and earlier allows remote attackers to inject arbitrary web script or HTML via the cat parameter. 3567 20080118 Agares PhpAutoVideo 2.21(XSS/RFI) Multiple Remote Vulnerabilities 27346 ADV-2008-0225 phpautovideo-index-xss(39771) PHP remote file inclusion vulnerability in theme/phpAutoVideo/LightTwoOh/sidebar.php in Agares phpAutoVideo 2.21 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the loadpage parameter, a different vector than CVE-2007-6614. 3567 20080118 Agares PhpAutoVideo 2.21(XSS/RFI) Multiple Remote Vulnerabilities 27346 ADV-2008-0225 phpautovideo-sidebar-file-include(39770) Format string vulnerability in the AXIMilter module in AXIGEN Mail Server 5.0.2 allows remote attackers to execute arbitrary code via format string specifiers in the CNHO command. 20080120 AXIGEN 5.0.x AXIMilter Format String Exploit 3570 20080120 AXIGEN 5.0.x AXIMilter Format String Exploit 27363 ADV-2008-0237 axigen-aximilter-format-string(39803) 4947 Directory traversal vulnerability in index.php in OZJournals 2.1.1 allows remote attackers to read portions of arbitrary files via a .. (dot dot) in the id parameter in a printpreview action. 27375 ADV-2008-0228 ozjournals-id-directory-traversal(39815) 4953 Cross-site scripting (XSS) vulnerability in profile-upload/upload.asp in PD9 Software MegaBBS 1.5.14b allows remote attackers to inject arbitrary web script or HTML via the target parameter. 3565 20080120 MegaBBS ASP Forum Cross-Site Scripting 27368 megabbs-upload-xss(39812) Multiple buffer overflows in the WebHPVCInstall.HPVirtualRooms14 ActiveX control in HPVirtualRooms14.dll 1.0.0.100, as used in the installation process for HP Virtual Rooms, allow remote attackers to execute arbitrary code via a long (1) AuthenticationURL, (2) PortalAPIURL, or (3) cabroot property value. NOTE: some of these details are obtained from third party information. 20080122 HP Virtual Rooms WebHPVCInstall Control Multiple Buffer Overflows 27384 ADV-2008-0236 hpvirtualrooms-hpvirtualrooms14-activex-bo(39836) 4959 Cross-site scripting (XSS) vulnerability in the font rendering functionality in Novemberborn sIFR 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the txt parameter to a Flash (SWF) file, as demonstrated by fonts/FuturaLt.swf. http://novemberborn.net/sifr/2.0.3 3571 http://www.procheckup.com/Vulnerability_PR07-38.php 20080122 PR07-38: XSS on sIFR 20080122 Re: PR07-38: XSS on sIFR 20080205 Re: PR07-38: XSS on sIFR 27394 sifr-fontname-xss(39835) Cross-site scripting (XSS) vulnerability in templates/default/admincp/attachments_header.php in DeluxeBB 1.1 allows remote attackers to inject arbitrary web script or HTML via the lang_listofmatches parameter. 3564 20080122 DeluxeBB 1.1 XSS Vulnerabilitie 27401 deluxbb-attachmentsheader-xss(39829) AlstraSoft Forum Pay Per Post Exchange 2.0 stores passwords in cleartext, which makes it easier for attackers to access user accounts. 4956 IBM Tivoli Business Service Manager (TBSM) 4.1.1 stores passwords in cleartext (1) after external authentication, which triggers writing the password to SM_server.log; and (2) after a reconfig action; which allows local users to obtain sensitive information. 27388 1019250 ADV-2008-0240 http://www-1.ibm.com/support/docview.wss?uid=swg24017939 tbsm-reconfig-information-disclosure(39822) PHP remote file inclusion vulnerability in inc/linkbar.php in Small Axe Weblog 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the ffile parameter, a different vector than CVE-2008-0376. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27383 Heap-based buffer overflow in the FileUploader.FUploadCtl.1 ActiveX control in FileUploader.dll 2.0.0.2 in Lycos FileUploader Module allows remote attackers to execute arbitrary code via a long HandwriterFilename property value. NOTE: some of these details are obtained from third party information. 27411 ADV-2008-0253 lycosfileuploader-fileuploader-activex-bo(39849) 4967 Cross-site scripting (XSS) vulnerability in Electronic Logbook (ELOG) before 2.7.0 allows remote attackers to inject arbitrary web script or HTML via subtext parameter to unspecified components. http://midas.psi.ch/elog/download/ChangeLog 27399 ADV-2008-0265 elog-subtext-xss(39828) The replace_inline_img function in elogd in Electronic Logbook (ELOG) before 2.7.1 allows remote attackers to cause a denial of service (infinite loop) via crafted logbook entries. NOTE: some of these details are obtained from third party information. 27399 ADV-2008-0265 elog-elogd-logbook-dos(39824) SQL injection vulnerability in voircom.php in LulieBlog 1.02 allows remote attackers to execute arbitrary SQL commands via the id parameter. 27416 lulieblog-voircom-sql-injection(39854) 4969 SQL injection vulnerability in index.php in Foojan WMS PHP Weblog 1.0 allows remote attackers to execute arbitrary SQL commands via the story parameter. 27415 foojanwms-index-sql-injection(39855) 4968 PHP remote file inclusion vulnerability in utils/class_HTTPRetriever.php in phpSearch allows remote attackers to execute arbitrary PHP code via a URL in the libcurlemuinc parameter. 20080120 Php Search Remote Inclusion phpsearch-classhttpretriever-file-include(39805) SQL injection vulnerability in paypalresult.asp in VP-ASP Shopping Cart 6.50 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27347 vpasp-paypalresult-sql-injection(39811) Multiple PHP remote file inclusion vulnerabilities in BLOG:CMS 4.2.1.c allow remote attackers to execute arbitrary PHP code via a URL in the (1) DIR_PLUGINS parameter to (a) index.php, and the (2) DIR_LIBS parameter to (b) media.php and (c) xmlrpc/server.php in admin/. 3576 20080121 BLOG:CMS 4.2.1.c (DIR_PLUGINS) Multiple Remote File Include Multiple SQL injection vulnerabilities in PacerCMS 0.6 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) siteadmin/article-edit.php; and unspecified parameters to (2) submitted-edit.php, (3) page-edit.php, (4) section-edit.php, (5) staff-edit.php, and (6) staff-access.php in siteadmin/. http://pacercms.sourceforge.net/index.php/2008/01/21/pacercms-061-streamlines-code-base-addresses-security-issue/ 3574 20080122 PacerCMS Multiple Vulnerabilities (XSS/SQL) 27397 pacercms-articleedit-sql-injection(39833) Directory traversal vulnerability in articles.php in Siteman 1.1.9 allows remote attackers to read arbitrary files via directory traversal sequences in the cat parameter in a viewart action. 27422 4973 SQL injection vulnerability in list.php in Easysitenetwork Recipe allows remote attackers to execute arbitrary SQL commands via the categoryid parameter. 27405 easysitenetworkrecipe-list-sql-injection(39853) 4960 Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the "Add video to chat" dialog, aka "videomood XSS." 20080117 Skype videomood XSS 20080117 Re: Skype videomood XSS http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html http://skype.com/security/skype-sb-2008-001.html http://skype.com/security/skype-sb-2008-001-update1.html http://www.critical.lt/?opinions/show/1470 http://www.gnucitizen.org/blog/vulnerabilities-in-skype VU#248184 20080117 RE: Skype videomood XSS 27338 ADV-2008-0194 skype-addvideotochat-code-execution(39754) Cross-site scripting (XSS) vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary web script or HTML by uploading a file with a name containing XSS sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file. RHSA-2012:1591 RHSA-2012:1592 RHSA-2012:1594 RHSA-2013:0130 GLSA-200803-19 3575 1019256 http://www.mindedsecurity.com/MSA01150108.html 20080122 Apache mod_negotiation Xss and Http Response Splitting 27409 apache-modnegotiation-xss(39867) [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file. APPLE-SA-2009-05-12 RHSA-2013:0130 GLSA-200803-19 3575 1019256 http://support.apple.com/kb/HT3549 http://www.mindedsecurity.com/MSA01150108.html 20080122 Apache mod_negotiation Xss and Http Response Splitting 27409 TA09-133A ADV-2009-1297 apache-modnegotiation-response-splitting(39893) [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html Unrestricted file upload vulnerability in the FileUpload class running on the Symantec LiveState Apache Tomcat server, as used by Symantec Backup Exec System Recovery Manager 7.0 and 7.0.1, allows remote attackers to upload and execute arbitrary JSP files via unknown vectors. http://seer.entsupport.symantec.com/docs/297171.htm 20080206 ZDI-08-003: Symantec Backup Exec Remote File Upload Vulnerability 27487 1019303 http://www.symantec.com/avcenter/security/Content/2008.02.04.html ADV-2008-0413 http://www.zerodayinitiative.com/advisories/ZDI-08-003.html 5078 Directory traversal vulnerability in function/sources.php in SLAED CMS 2.5 Lite allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the newlang parameter to index.php. 27426 ADV-2008-0308 slaedcms-index-file-include(39897) 4975 Directory traversal vulnerability in update/index.php in Liquid-Silver CMS 0.35, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the update parameter. 27425 ADV-2008-0309 liquidsilvercms-index-file-include(39895) 4976 Cross-site scripting (XSS) vulnerability in api.php in (1) MediaWiki 1.11 through 1.11.0rc1, 1.10 through 1.10.2, 1.9 through 1.9.4, and 1.8; and (2) the BotQuery extension for MediaWiki 1.7 and earlier; when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. [MediaWiki-announce] 20080124 MediaWiki 1.11.1, 1.10.3, 1.9.5 released 28137 ADV-2008-0280 mediawiki-api-xss(39901) FEDORA-2008-2245 FEDORA-2008-2288 SQL injection vulnerability in index.php in the Search module in PHP-Nuke 8.0 FINAL and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the sid parameter in a comments action to modules.php. NOTE: some of these details are obtained from third party information. 27408 ADV-2008-0264 phpnuke-index-search-sql-injection(39850) 4965 Cross-site scripting (XSS) vulnerability in the Archive 5.x before 5.x-1.8 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://drupal.org/node/213478 27436 ADV-2008-0278 drupal-archive-unspecified-xss(39898) Cross-site scripting (XSS) vulnerability in the Workflow 4.7.x before 4.7.x-1.2 and 5.x before 5.x-1.2 module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving node properties. http://drupal.org/node/213473 27444 ADV-2008-0279 workflow-messages-xss(39896) Directory traversal vulnerability in archiv.cgi in absofort aconon Mail 2007 Enterprise SQL 11.7.0 and Mail 2004 Enterprise SQL 11.5.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter. http://burnachurch.com/67/directory-traversal-luecke-in-aconon-mail/ 20080124 Directory Traversal Vulnerability in Aconon Mail 27427 ADV-2008-0310 4977 Directory traversal vulnerability in optimizer.php in Seagull 0.6.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the files parameter. The vendor has released a patch for 0.6.3. A patch can be found at the following location: http://seagullproject.org/download/ http://seagullproject.org/publisher/articleview/action/view/frmArticleID/98/ 20080129 Seagull 0.6.3 Remote File Disclosure Vulnerability fixed 27437 ADV-2008-0311 seagullstable-optimizer-directory-traversal(39902) 4980 Web Wiz RTE_file_browser.asp in, as used in Web Wiz Rich Text Editor 4.0, Web Wiz Forums 9.07, and Web Wiz Newspad 1.02, does not require authentication, which allows remote attackers to list directories and read files. NOTE: this can be leveraged for listings outside the configured directory tree by exploiting a separate directory traversal vulnerability. 3584 1019267 http://www.bugreport.ir/?/29 http://www.bugreport.ir/?/31 20080123 Web Wiz Forums Directory traversal 20080123 Web Wiz Rich Text Editor Directory traversal + HTM/HTML filecreation on the server 27419 http://www.webwizguide.com/webwizrichtexteditor/kb/release_notes.asp 4970 4971 Stack-based buffer overflow in Firebird before 2.0.4, and 2.1.x before 2.1.0 RC1, might allow remote attackers to execute arbitrary code via a long username. GLSA-200803-02 http://sourceforge.net/project/shownotes.php?group_id=9028&release_id=570800 http://sourceforge.net/project/shownotes.php?release_id=570816&group_id=9028 http://tracker.firebirdsql.org/browse/CORE-1603 DSA-1529 27467 1019277 ADV-2008-0300 firebird-username-bo(39981) SQL injection vulnerability in category.php in Flinx 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 27448 ADV-2008-0313 flinx-category-sql-injection(39930) 4985 SQL injection vulnerability in index.php in Tiger Php News System (TPNS) 1.0b and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter in a newscat action. 3587 20080124 Tiger PHP News System SQL Injection 27445 ADV-2008-0312 tigerphpnewssystem-catid-sql-injection(39908) 4984 A certain ActiveX control in Comodo AntiVirus 2.0 allows remote attackers to execute arbitrary commands via the ExecuteStr method. 27424 comodo-antivirus-command-execution(39904) 4974 Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpBB 2.0.22 allows remote attackers to delete private messages (PM) as arbitrary users via a deleteall action. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463589 3585 DSA-1488 20080123 phpBB 2.0.22 Remote PM Delete XSRF Vulnerability Cross-site request forgery (CSRF) vulnerability in modcp.php in Woltlab Burning Board (wBB) 2.3.6 PL2 allows remote attackers to delete threads as moderators or administrators via a thread_del action. 3586 20080123 Woltlab Burning Board 2.3.6 PL2 Remote Delete Thread XSRF Vulnerability wbb-modcp-csrf(39878) RTE_popup_save_file.asp in Web Wiz Rich Text Editor 4.0 allows remote attackers to upload (1) .html and (2) .htm files via unspecified vectors. 3584 http://www.bugreport.ir/?/31 20080123 Web Wiz Rich Text Editor Directory traversal + HTM/HTML filecreation on the server 27419 27420 1019267 4971 Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 8.1 build 8100 allow remote attackers to inject arbitrary web script or HTML via the (1) showlink parameter to jsp/DiscoveryProfiles.jsp; the (2) attributeIDs, (3) attributeToSelect, (4) redirectto, and (5) resourceid parameters to (a) jsp/ThresholdActionConfiguration.jsp; the (6) page and (7) redirect parameters to (b) jsp/UpdateGlobalSettings.jsp; and the (8) haid and (9) returnpath parameters to (c) showTile.do. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27443 manageengine-multiple-xss(39914) ManageEngine Applications Manager 8.1 build 8100 allows remote attackers to obtain sensitive information ( Home->Summary) via an invalid URI, as demonstrated by the "/-" URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27443 manageengine-home-information-disclosure(39917) ManageEngine Applications Manager 8.1 build 8100 does not check authentication for monitorType.do and unspecified other pages, which allows remote attackers to obtain sensitive information and change settings via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27443 manageengine-checks-security-bypass(39915) Stack-based buffer overflow in the QMPUpgrade.Upgrade.1 ActiveX control in QMPUpgrade.dll 1.0.0.1 in Move Networks Upgrade Manager allows remote attackers to execute arbitrary code via a long first argument to the Upgrade method. NOTE: some of these details are obtained from third party information. 27438 1019270 ADV-2008-0274 movenetworks-qmpupgrade-bo(39913) 4979 Directory traversal vulnerability in index.php in SetCMS 3.6.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the set parameter, as demonstrated by sending a certain CLIENT_IP HTTP header in an enter action to index.php, and injecting PHP sequences into files/enter.set, which is then included by index.php. 27407 setcms-index-file-include(39864) 4962 Directory traversal vulnerability in RTE_file_browser.asp in Web Wiz NewsPad 1.02 allows remote attackers to list arbitrary directories, and .txt and .zip files, via a .....\\\ in the sub parameter. 3588 http://www.bugreport.ir/?/30 20080123 Web Wiz NewsPad Directory traversal 27419 1019268 http://www.webwizguide.com/webwiznewspad/kb/release_notes.asp newspad-rte-directory-traversal(39863) 4972 Multiple directory traversal vulnerabilities in Web Wiz Forums 9.07 and earlier allow remote attackers to list arbitrary directories, and .txt and .zip files, via a .....\\\ in the sub parameter to (1) RTE_file_browser.asp or (2) file_browser.asp. 3589 http://www.bugreport.ir/?/29 20080123 Web Wiz Forums Directory traversal 27419 1019266 http://www.webwizguide.com/webwizforums/kb/release_notes.asp webwiz-rte-filebrowser-directory-traversal(39856) 4970 Directory traversal vulnerability in RTE_file_browser.asp in Web Wiz Rich Text Editor 4.0 allows remote attackers to list arbitrary directories, and .txt and .zip files, via a .....\\\ in the sub parameter in a save action. 3584 1019267 http://www.bugreport.ir/?/31 20080123 Web Wiz Rich Text Editor Directory traversal + HTM/HTML filecreation on the server 27419 http://www.webwizguide.com/webwizrichtexteditor/kb/release_notes.asp editor-rte-directory-traversal(39868) 4971 Array index error in libmpdemux/demux_mov.c in MPlayer 1.0 rc2 and earlier might allow remote attackers to execute arbitrary code via a QuickTime MOV file with a crafted stsc atom tag. 20080204 CORE-2008-0122: MPlayer arbitrary pointer dereference GLSA-200803-16 3607 http://www.coresecurity.com/?action=item&id=2102 DSA-1496 MDVSA-2008:045 http://www.mplayerhq.hu/design7/news.html 20080204 CORE-2008-0122: MPlayer arbitrary pointer dereference 27499 1019299 ADV-2008-0406 Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc2 and SVN before r25917, and possibly earlier versions, as used in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow. http://bugs.gentoo.org/show_bug.cgi?id=209106 http://bugs.xine-project.org/show_bug.cgi?id=38 20080204 CORE-2007-1218: MPlayer 1.0rc2 buffer overflow vulnerability SUSE-SR:2008:006 GLSA-200802-12 GLSA-200803-16 3608 http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=574735 http://www.coresecurity.com/?action=item&id=2103 DSA-1496 DSA-1536 MDVSA-2008:045 MDVSA-2008:046 http://www.mplayerhq.hu/design7/news.html 20080204 CORE-2007-1218: MPlayer 1.0rc2 buffer overflow vulnerability 27441 USN-635-1 ADV-2008-0406 ADV-2008-0421 https://bugzilla.redhat.com/show_bug.cgi?id=431541 FEDORA-2008-1543 FEDORA-2008-1581 Multiple SQL injection vulnerabilities in login.asp in ASPired2Protect allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters. NOTE: some of these details are obtained from third party information. 3598 20080126 ASPired2Protect bypass 27474 aspired2protect-login-sql-injection(39989) Directory traversal vulnerability in tseekdir.cgi in VB Marketing allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the location parameter. 3596 20080128 VB Marketing "tseekdir.cgi" Local File Inclusion 27475 vbmarketing-tseekdir-file-include(39970) Directory traversal vulnerability in install.php in Clansphere 2007.4.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter. 3597 20080127 ClanSphere 2007.4.4 Remote File Disclosure Vulnerability. 27471 clansphere-install-directory-traversal(39977) SQL injection vulnerability in functions/editevent.php in the WP-Cal 0.3 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. 27465 ADV-2008-0348 wpcal-editevent-sql-injection(39966) 4992 SQL injection vulnerability in fim_rss.php in the fGallery 2.4.1 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the album parameter. 27464 ADV-2008-0349 fgallery-fimrss-sql-injection(39964) 4993 Stack-based buffer overflow in the Persits.XUpload.2 ActiveX control in XUpload.ocx 3.0.0.4 and earlier in Persits XUpload 3.0 allows remote attackers to execute arbitrary code via a long argument to the AddFile method. NOTE: some of these details are obtained from third party information. 27456 ADV-2008-0315 persits-xupload-bo(39967) 4987 fpx.dll 3.9.8.0 in the FlashPix plugin for IrfanView 4.10 allows remote attackers to execute arbitrary code via a crafted FlashPix (.FPX) file, which triggers heap corruption. NOTE: some of these details are obtained from third party information. 27479 ADV-2008-0318 irfanview-flashpix-bo(40012) 4998 Cross-site scripting (XSS) vulnerability in vpnum/userslist.php in Endian Firewall 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the psearch parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://downloads.securityfocus.com/vulnerabilities/exploits/27477.html 27477 Unspecified vulnerability in the Pegasus CIM Server in IBM Hardware Management Console (HMC) 7 R3.2.0 allows remote attackers to cause a denial of service via unspecified vectors. 27484 1019280 ADV-2008-0323 ADV-2008-0638 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4129 hmc-pegasus-cim-dos(40021) https://www14.software.ibm.com/webapp/set2/sas/f/hmc/power6/install/v7.Readme.html Cross-site scripting (XSS) vulnerability in index.php in AmpJuke 0.7.0 allows remote attackers to inject arbitrary web script or HTML via the limit parameter in a search action. 3594 20080129 AmpJuke-0.7.0 (index.php) Xss VuLn. 27498 ADV-2008-0332 juke-index-xss(40023) Cross-site scripting (XSS) vulnerability in action.php in Nucleus CMS 3.31 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO, which is not quoted when processing PHP_SELF. 3593 http://sourceforge.net/project/shownotes.php?group_id=66479&release_id=572117 http://www.nucleuscms.org/item/3047 20080129 Nucleus 3.31 XSS in path 20080129 [!!FIX Information ] Nucleus 3.31 XSS in path 27492 ADV-2008-0369 SQL injection vulnerability in main_bigware_53.tpl.php in Bigware Shop 2.0 allows remote attackers to execute arbitrary SQL commands via the pollid parameter in a results action to main_bigware_53.php. 27489 ADV-2008-0351 bigwareshop-mainbigware-sql-injection(40010) 5002 SQL injection vulnerability in Mambo LaiThai 4.5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://sourceforge.net/project/shownotes.php?group_id=192544&release_id=571300 27483 ADV-2008-0316 mambo-laithai-unspecified-sql-injection(40013) Multiple unspecified vulnerabilities in Mambo LaiThai 4.5.5 have unknown impact and attack vectors related to (1) mod_login and (2) mod_template_chooser. http://sourceforge.net/project/shownotes.php?group_id=192544&release_id=571300 27483 ADV-2008-0316 mambo-laithai-multiple-unspecified(40014) Directory traversal vulnerability in phpMyClub 0.0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page_courante parameter to the top-level URI. 27480 ADV-2008-0350 phpmyclub-pagecourante-file-include(40007) 5000 PHP remote file inclusion vulnerability in templates/Official/part_userprofile.php in Connectix Boards 0.8.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the template_path parameter. 27506 ADV-2008-0363 connectixboards-templatepath-file-include(40040) 5012 Eval injection vulnerability in admin/op/disp.php in Netwerk Smart Publisher 1.0.1 allows remote attackers to execute arbitrary PHP code via the filedata parameter. 27488 ADV-2008-0352 5003 Multiple SQL injection vulnerabilities in Coppermine Photo Gallery (CPG) before 1.4.15 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) albumid, (2) startpic, and (3) numpics parameters to util.php; and (4) cid_array parameter to reviewcom.php. http://coppermine-gallery.net/forum/index.php?topic=50103.0 20080131 [waraxe-2008-SA#066] - Multiple Vulnerabilities in Coppermine 1.4.14 27509 1019285 ADV-2008-0367 http://www.waraxe.us/advisory-66.html Multiple cross-site scripting (XSS) vulnerabilities in docs/showdoc.php in Coppermine Photo Gallery (CPG) before 1.4.15 allow remote attackers to inject arbitrary web script or HTML via the (1) h and (2) t parameters. http://coppermine-gallery.net/forum/index.php?topic=50103.0 20080131 [waraxe-2008-SA#066] - Multiple Vulnerabilities in Coppermine 1.4.14 27511 1019285 ADV-2008-0367 http://www.waraxe.us/advisory-66.html include/imageObjectIM.class.php in Coppermine Photo Gallery (CPG) before 1.4.15, when the ImageMagick picture processing method is configured, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) quality, (2) angle, or (3) clipval parameter to picEditor.php. http://coppermine-gallery.net/forum/index.php?topic=50103.0 20080130 [waraxe-2008-SA#065] - Remote Shell Command Execution in Coppermine 1.4.14 27512 1019286 ADV-2008-0367 http://www.waraxe.us/advisory-65.html 5019 SQL injection vulnerability in adclick.php in the AdServe 0.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. 27504 ADV-2008-0364 adserve-adclick-sql-injection(40045) 5013 Cross-site request forgery (CSRF) vulnerability in deans_permalinks_migration.php in the Dean's Permalinks Migration 1.0 plugin for WordPress allows remote attackers to modify the oldstructure (aka dean_pm_config[oldstructure]) configuration setting as administrators via the old_struct parameter in a deans_permalinks_migration.php action to wp-admin/options-general.php, as demonstrated by placing an XSS sequence in this setting. http://g30rg3x.com/wp-files/dpm_11gx.zip http://g30rg3x.com/xsrf-bajo-deans-permalinks-migration-10 http://packetstorm.linuxsecurity.com/0801-advisories/deans-xsrf.txt 3595 20080122 XSRF under Dean&acirc;??s Permalinks Migration 1.0 ADV-2008-0281 permalinks-deanpmconfig-csrf(39845) Multiple buffer overflows in IBM AIX 4.3 allow remote attackers to cause a denial of service (crash) or possibly gain privileges via a long argument to (1) piox25, related to piox25.c; or (2) piox25remote, related to piox25remote.sh. 27510 ADV-2008-0324 IZ13739 oval:org.mitre.oval:def:5796 SQL injection vulnerability in index.php in the Newsletter (com_newsletter) component for Mambo 4.5 and Joomla! allows remote attackers to execute arbitrary SQL commands via the listid parameter. 27502 ADV-2008-0354 newsletter-index-sql-injection(40036) 5007 SQL injection vulnerability in index.php in the MaMML (com_mamml) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the listid parameter. 27503 ADV-2008-0356 mamml-index-sql-injection(40037) 5009 SQL injection vulnerability in index.php in the fq (com_fq) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the listid parameter. 27501 ADV-2008-0355 fq-index-sql-injection(40035) 5008 Directory traversal vulnerability in parser/include/class.cache_phpcms.php in phpCMS 1.2.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to parser/parser.php, as demonstrated by a filename ending with %00.gif, a different vector than CVE-2005-1840. 20080129 Remote File Disclosure in phpCMS 1.2.2 20080129 Re: Remote File Disclosure in phpCMS 1.2.2 27495 ADV-2008-0353 phpcms-parser-directory-traversal(40017) 5006 SQL injection vulnerability in index.php in the Glossary (com_glossary) 2.0 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a display action. 27505 ADV-2008-0357 glossary-index-sql-injection(40038) 5010 SQL injection vulnerability in index.php in the musepoes (com_musepoes) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an answer action. 27507 ADV-2008-0358 5011 PHP remote file inclusion vulnerability in spaw/dialogs/confirm.php in SQLiteManager 1.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the spaw_root parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27515 sqlitemanager-confirm-file-include(40065) SQL injection vulnerability in index.php in the Darko Selesi EstateAgent (com_estateagent) 0.1 component for Mambo 4.5.x and Joomla! allows remote attackers to execute arbitrary SQL commands via the objid parameter in a contact showObject action. 27520 ADV-2008-0362 estateagent-index-sql-injection(40060) 5016 SQL injection vulnerability in index.php in the Recipes (com_recipes) 1.00 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action. 27519 ADV-2008-0360 recipes-index-sql-injection(40064) 5014 SQL injection vulnerability in index.php in the Atapin Jokes (com_jokes) 1.0 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the cat parameter in a CatView action. 27522 ADV-2008-0361 jokes-index-sql-injection(40067) 5015 Multiple SQL injection vulnerabilities in main.php in the WassUp plugin 1.4 through 1.4.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) from_date or (2) to_date parameter to spy.php. Additional research found the following links: http://secunia.com/advisories/28702/ http://www.securityfocus.com/bid/27525 Additional research found the following link: http://downloads.wordpress.org/plugin/wassup.1.4.3a.zip 27525 ADV-2008-0365 http://www.wpwp.org/archives/warning-security-bug-in-version/ 5017 Multiple directory traversal vulnerabilities in Bubbling Library 1.32 allow remote attackers to read arbitrary files via a .. (dot dot) in the uri parameter to dispatcher.php in (1) examples/dispatcher/framework/, (2) examples/dispatcher/, (3) examples/wizard/, and (4) PHP/, different vectors than CVE-2008-0545. 27482 bubbling-dispatcher-directory-traversal(40008) 5001 Cross-site scripting (XSS) vulnerability in multiple Hal Networks shopping-cart products allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. JVN#01162446 http://www.hal9800.com/home/bug/20080123.html http://www.hal9800.com/home/bug/20080127.html http://www.hal9800.com/home/bug/20080128.html http://www.hal9800.com/home/bug/20080129.html 27513 ADV-2008-0368 Multiple cross-site scripting (XSS) vulnerabilities in SoftCart.exe in SoftCart 5.1.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) License_Plate, (2) License_State, (3) Ticket_Date, and (4) Ticket_Number parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27524 softcart-softcart-xss(40061) Cross-site request forgery (CSRF) vulnerability in the management interface in multiple Yamaha RT series routers allows remote attackers to change password settings and probably other configuration settings as administrators via unspecified vectors. JVN#88575577 http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/JVN88575577.html 27491 yamaha-routers-http-csrf(40015) PatchLink Update client for Unix, as used by Novell ZENworks Patch Management Update Agent for Linux/Unix/Mac (LUM) 6.2094 through 6.4102 and other products, allows local users to (1) truncate arbitrary files via a symlink attack on the /tmp/patchlink.tmp file used by the logtrimmer script, and (2) execute arbitrary code via a symlink attack on the /tmp/plshutdown file used by the rebootTask script. 3599 http://support.lumension.com/scripts/rightnow.cfg/php.exe/enduser/std_adp.php?p_faqid=527 http://support.lumension.com/scripts/rightnow.cfg/php.exe/enduser/std_adp.php?p_faqid=528 http://support.lumension.com/scripts/rightnow.cfg/php.exe/enduser/std_adp.php?p_faqid=530 20080125 Two vulnerabilities for PatchLink Update Client for Unix. 27458 1019272 ADV-2008-0426 patchlinkupdate-logtrimmer-symlink(39956) patchlinkupdate-reboottask-symlink(39958) https://secure-support.novell.com/KanisaPlatform/Publishing/18/3908994_f.SAL_Public.html Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G running SCCP firmware allows remote attackers to cause a denial of service (reboot) via a long ICMP echo request (ping) packet. In order to download the patch, login is required 20080213 Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities 27774 1019407 ADV-2008-0543 cisco-unifiedipphone-icmp-dos(40487) The HTTP server in Cisco Unified IP Phone 7935 and 7936 running SCCP firmware allows remote attackers to cause a denial of service (reboot) via a crafted HTTP request. Patch download requires login 20080213 Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities 27774 1019408 ADV-2008-0543 cisco-unifiedipphone-httpserver-dos(40489) Buffer overflow in Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G running SIP firmware might allow remote attackers to execute arbitrary code via a SIP message with crafted MIME data. Patch requires login 20080213 Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities 27774 1019409 ADV-2008-0543 cisco-unifiedipphone-sipmime-bo(40492) Buffer overflow in the telnet server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G running SCCP firmware might allow remote authenticated users to execute arbitrary code via a crafted command. Patch requires login 20080213 Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities 27774 1019410 ADV-2008-0543 cisco-unifiedipphone-telnet-bo(40493) Buffer overflow in Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G running SCCP and SIP firmware might allow remote attackers to execute arbitrary code via a crafted DNS response. Patch requires login 20080213 Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities 27774 1019406 ADV-2008-0543 cisco-unifiedipphone-dns-bo(40485) Heap-based buffer overflow in Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G running SIP firmware might allow remote SIP servers to execute arbitrary code via a crafted challenge/response message. Patch requires login 20080213 Cisco Unified IP Phone Overflow and Denial of Service Vulnerabilities 27774 1019411 ADV-2008-0543 cisco-unifiedipphone-sipproxy-bo(40498) Multiple buffer overflows in securecgi-bin/CSuserCGI.exe in User-Changeable Password (UCP) before 4.2 in Cisco Secure Access Control Server (ACS) for Windows and ACS Solution Engine allow remote attackers to execute arbitrary code via a long argument located immediately after the Logout argument, and possibly unspecified other vectors. 3743 1019608 20080312 Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities http://www.recurity-labs.com/content/pub/RecurityLabs_Cisco_ACS_UCP_advisory.txt 20080312 Cisco ACS UCP Remote Pre-Authentication Buffer Overflows 28222 ADV-2008-0868 cisco-acs-ucp-csusercgi-bo(41154) Multiple cross-site scripting (XSS) vulnerabilities in securecgi-bin/CSuserCGI.exe in User-Changeable Password (UCP) before 4.2 in Cisco Secure Access Control Server (ACS) for Windows and ACS Solution Engine allow remote attackers to inject arbitrary web script or HTML via an argument located immediately after the Help argument, and possibly unspecified other vectors. 3743 1019607 20080312 Cisco Secure Access Control Server for Windows User-Changeable Password Vulnerabilities http://www.recurity-labs.com/content/pub/RecurityLabs_Cisco_ACS_UCP_advisory.txt 20080312 Cisco ACS UCP Remote Pre-Authentication Buffer Overflows 28222 ADV-2008-0868 cisco-acs-ucp-csusercgi-xss(41156) The SSH server in (1) Cisco Service Control Engine (SCE) before 3.1.6, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (device restart or daemon outage) via a high rate of login attempts, aka Bug ID CSCsi68582. 1020074 20080521 Cisco Service Control Engine Denial of Service Vulnerabilities http://www.icon-labs.com/news/read.asp?newsID=77 VU#626979 29316 29609 ADV-2008-1604 ADV-2008-1774 cisco-sce-sshlogin-dos(42565) Unspecified vulnerability in the SSH server in (1) Cisco Service Control Engine (SCE) before 3.1.6, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (device instability) via "SSH credentials that attempt to change the authentication method," aka Bug ID CSCsm14239. 1020074 20080521 Cisco Service Control Engine Denial of Service Vulnerabilities http://www.icon-labs.com/news/read.asp?newsID=77 VU#626979 29316 29609 ADV-2008-1604 ADV-2008-1774 cisco-sce-ssh-credentials-dos(42567) Unspecified vulnerability in the SSH server in (1) Cisco Service Control Engine (SCE) 3.0.x before 3.0.7 and 3.1.x before 3.1.0, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (management interface outage) via SSH traffic that occurs during management operations and triggers "illegal I/O operations," aka Bug ID CSCsh49563. 1020074 20080521 Cisco Service Control Engine Denial of Service Vulnerabilities http://www.icon-labs.com/news/read.asp?newsID=77 VU#626979 29316 29609 ADV-2008-1604 ADV-2008-1774 cisco-sce-managementagent-dos(42566) Unspecified vulnerability in the Supervisor Engine 32 (Sup32), Supervisor Engine 720 (Sup720), and Route Switch Processor 720 (RSP720) for multiple Cisco products, when using Multi Protocol Label Switching (MPLS) VPN and OSPF sham-link, allows remote attackers to cause a denial of service (blocked queue, device restart, or memory leak) via unknown vectors. 20080326 Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720 28463 1019716 TA08-087B ADV-2008-1005 cisco-catalyst-sup-rsp-dos(41466) Multiple SQL injection vulnerabilities in phpIP Management 4.3.2 allow remote attackers to execute arbitrary SQL commands via the (1) password parameter to login.php, the (2) id parameter to display.php, and unspecified other vectors. NOTE: some of these details are obtained from third party information. 20080127 phpIP 4.3.2 - Numerous SQL Injection Vulnerablities 20080127 phpIP 4.3.2 - Numerous SQL Injection Vulnerablities 27468 ADV-2008-0346 phpip-display-sql-injection(39965) 4990 Cross-site scripting (XSS) vulnerability in dms/policy/rep_request.php in F5 BIG-IP Application Security Manager (ASM) 9.4.3 allows remote attackers to inject arbitrary web script or HTML via the report_type parameter. 3602 20080126 F5 BIG-IP Web Management ASM Security Report XSS 20080308 F5 BIG-IP Web Management Console XSS 27462 28151 1019276 ADV-2008-0301 f5bigipwebmgmt-reprequest-xss(39979) Multiple cross-site scripting (XSS) vulnerabilities in trixbox 2.4.2.0 allow remote attackers to inject arbitrary web script or HTML via the query string to index.php in (1) user/ or (2) maint/. http://www.digitrustgroup.com/advisories/web-application-security-trixbox.html 27460 Multiple cross-site scripting (XSS) vulnerabilities in forum.php in Gerd Tentler Simple Forum 3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) open and (2) date_show parameters. 27463 simpleforum-forum-xss(39978) 4989 Directory traversal vulnerability in thumbnail.php in Gerd Tentler Simple Forum 3.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. 27463 simpleforum-thumbnail-directory-traversal(39980) 4989 Multiple SQL injection vulnerabilities in Pre Dynamic Institution allow remote attackers to execute arbitrary SQL commands via the (1) sloginid and (2) spass parameters to (a) login.asp and (b) siteadmin/login.asp. NOTE: some of these details are obtained from third party information. 3603 20080124 Pre Dynamic Institution bypass 27451 predynamic-login-sql-injection(39942) Heap-based buffer overflow in the IMG_LoadLBM_RW function in IMG_lbm.c in SDL_image before 1.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted IFF ILBM file. NOTE: some of these details are obtained from third party information. http://bugs.gentoo.org/show_bug.cgi?id=207933 http://wiki.rpath.com/Advisories:rPSA-2008-0061 DSA-1493 GLSA-200802-01 http://www.libsdl.org/cgi/viewvc.cgi/trunk/SDL_image/IMG_lbm.c?r1=3341&r2=3521 http://www.libsdl.org/cgi/viewvc.cgi/trunk/SDL_image/IMG_lbm.c?revision=3521&view=markup MDVSA-2008:040 20080213 rPSA-2008-0061-1 SDL_image 27435 USN-595-1 ADV-2008-0266 sdlimage-imgloadlbmrw-bo(39899) https://issues.rpath.com/browse/RPL-2206 FEDORA-2008-1208 FEDORA-2008-1231 Multiple directory traversal vulnerabilities in Bubbling Library 1.32 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) uri parameter to (a) yui-menu.tpl.php, (b) simple.tpl.php, and (c) advanced.tpl.php in dispatcher/framework/; and the (2) page parameter to (d) yui-menu.php, (e) simple.php, and (f) advanced.php in dispatcher/framework/, different vectors than CVE-2008-0521. 27466 ADV-2008-0347 bubblinglibrary-page-uri-file-include(39969) 4991 Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idProduct and (2) options parameters to (a) ajax/ajax_optInventory.asp, or the (2) recid parameter to (b) ajax/ajax_getBrands.asp. 3600 http://www.candypress.com/CPforum/forum_posts.asp?TID=10630&PN=1 20080125 [CandyPress] eCommerce suite (SQL Injection + XSS + Path Disclosure) 27454 ADV-2008-0314 ecommercesuite-ajaxgetbrands-sql-injection(39939) 4988 Cross-site scripting (XSS) vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and probably earlier 4.x and 3.x versions, allows remote attackers to inject arbitrary web script or HTML via the helpfield parameter. 3600 http://www.candypress.com/CPforum/forum_posts.asp?TID=10630&PN=1 20080125 [CandyPress] eCommerce suite (SQL Injection + XSS + Path Disclosure 27454 ADV-2008-0314 ecommercesuite-utilitiesconfighelp-xss(39940) 4988 Steamcast 0.9.75 and earlier allows remote attackers to cause a denial of service (daemon crash) via a large integer in the Content-Length HTTP header, which triggers a NULL dereference when malloc fails. http://aluigi.altervista.org/adv/steamcazz-adv.txt steamcast-contentlength-dos(39927) Integer overflow in the OggHeaderParse function in Steamcast 0.9.75 and earlier allows remote authenticated users to cause a denial of service (daemon crash) via a long Ogg tag. http://aluigi.altervista.org/adv/steamcazz-adv.txt http://aluigi.org/poc/steamcazz.zip steamcast-oggheaderparse-dos(39929) Off-by-one error in Steamcast 0.9.75 and earlier allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a certain HTTP request that leads to a buffer overflow, as demonstrated by a long User-Agent header. http://aluigi.altervista.org/adv/steamcazz-adv.txt http://aluigi.org/poc/steamcazz.zip steamcast-http-bo(39928) The NamoInstaller.NamoInstall.1 ActiveX control in NamoInstaller.dll 3.0.0.1 and earlier in Namo Web Editor in Sejoong Namo ActiveSquare 6 allows remote attackers to execute arbitrary code via a URL in the argument to the Install method. NOTE: some of these details are obtained from third party information. 27453 27580 ADV-2008-0299 activesquare-namoinstaller-code-execution(39943) namoinstaller-namoinstaller-code-execution(39974) 4986 Cross-site scripting (XSS) vulnerability in index.php in eTicket 1.5.6-RC4 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. 3601 http://www.lonerunners.net/users/jekil/pub/hack-eticket/hack-eticket.txt 20080127 eTicket 'index.php' Cross Site Scripting Path Vulnerability 27473 1019278 eticket-index-xss(39968) Stack-based buffer overflow in the ReadImage function in tkImgGIF.c in Tk (Tcl/Tk) before 8.5.1 allows remote attackers to execute arbitrary code via a crafted GIF image, a similar issue to CVE-2006-4484. SUSE-SR:2008:008 1019309 http://sourceforge.net/project/shownotes.php?release_id=573933&group_id=10894 237465 USN-664-1 http://wiki.rpath.com/Advisories:rPSA-2008-0054 DSA-1490 DSA-1491 DSA-1598 MDVSA-2008:041 SUSE-SR:2008:013 RHSA-2008:0134 RHSA-2008:0135 RHSA-2008:0136 20080212 rPSA-2008-0054-1 tk 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues 27655 http://www.vmware.com/security/advisories/VMSA-2008-0009.html ADV-2008-0430 ADV-2008-1456 ADV-2008-1744 https://bugzilla.redhat.com/show_bug.cgi?id=431518 https://issues.rpath.com/browse/RPL-2215 oval:org.mitre.oval:def:10098 FEDORA-2008-1323 FEDORA-2008-1131 FEDORA-2008-1122 FEDORA-2008-1384 FEDORA-2008-3545 Buffer overflow in the readImageData function in giftopnm.c in netpbm before 10.27 in netpbm before 10.27 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted GIF image, a similar issue to CVE-2006-4484. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464056 USN-665-1 DSA-1579 MDVSA-2008:039 RHSA-2008:0131 27682 1019358 ADV-2008-0460 https://issues.rpath.com/browse/RPL-2216 oval:org.mitre.oval:def:10975 The ExpandCert function in Apache-SSL before apache_1.3.41+ssl_1.59 does not properly handle (1) '/' and (2) '=' characters in a Distinguished Name (DN) in a client certificate, which might allow remote attackers to bypass authentication via a crafted DN that triggers overwriting of environment variables. 3797 http://www.apache-ssl.org/advisory-cve-2008-0555.txt http://www.cynops.de/advisories/CVE-2008-0555.txt http://www.klink.name/security/aklink-sa-2008-005-apache-ssl.txt 20080402 ANNOUNCE: Apache-SSL security release - apache_1.3.41+ssl_1.59 28576 1019784 ADV-2008-1079 apachessl-expandcert-information-disclosure(41618) Cross-site request forgery (CSRF) vulnerability in OpenCA PKI 0.9.2.5, and possibly earlier versions, allows remote attackers to perform unauthorized actions as authorized users via a link or IMG tag to RAServer. 20080213 OpenCA XSRF (CVE-2008-0556) 1019426 VU#264385 ADV-2008-0588 openca-certificate-csrf(40476) https://www.cynops.de/advisories/CVE-2008-0556.txt SQL injection vulnerability in index.php in the CatalogShop (com_catalogshop) 1.0b1 componenent for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action. 27558 catalogshop-index-sql-injection(40142) 5030 Cross-site scripting (XSS) vulnerability in Uniwin eCart Professional before 2.0.16 allows remote attackers to inject arbitrary web script or HTML via the rp parameter to cartView.asp and unspecified other components. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27560 Multiple directory traversal vulnerabilities in Nilson's Blogger 0.11 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the permalink parameter in core.php, accessed through index.php; and (2) the thispost parameter in comments.php. 3604 20080131 nilson's blogger 0.11 remote file disclosure vulnerabilities 27559 ** DISPUTED ** PHP remote file inclusion vulnerability in cforms-css.php in Oliver Seidel cforms (contactforms), a Wordpress plugin, allows remote attackers to execute arbitrary PHP code via a URL in the tm parameter. NOTE: CVE disputes this issue for 7.3, since there is no tm parameter, and the code exits with a fatal error due to a call to an undefined function. 3605 20080131 [Fwd: contactforms "cforms-css.php" Remote File Inclusion] 20080131 contactforms "cforms-css.php" Remote File Inclusion contactform-cformscss-file-include(40143) SQL injection vulnerability in index.php in the Arthur Konze AkoGallery (com_akogallery) 2.5 beta component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action. 27557 akogallery-index-sql-injection(40141) 5029 SQL injection vulnerability in index.php in the Restaurant (com_restaurant) 1.0 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action. 27551 restaurant-index-sql-injection(40144) 5031 Cross-site request forgery (CSRF) vulnerability in service/impl/UserLocalServiceImpl.java in Liferay Portal 4.3.6 allows remote attackers to perform unspecified actions as unspecified authenticated users via the User-Agent HTTP header, which is used when composing Forgot Password e-mail messages in HTML format. http://support.liferay.com/browse/LEP-4737 Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636. APPLE-SA-2010-03-29-1 SUSE-SR:2008:017 [Mailman-Announce] 20080203 Mailman 2.1.10b3 Released (was: Re: Mailman 2.1.10b1 Released) http://sourceforge.net/project/shownotes.php?release_id=559308&group_id=103 http://support.apple.com/kb/HT4077 http://wiki.rpath.com/Advisories:rPSA-2008-0056 MDVSA-2008:061 RHSA-2011:0307 20080215 rPSA-2008-0056-1 mailman 27630 USN-586-1 ADV-2008-0422 ADV-2011-0542 https://bugzilla.redhat.com/show_bug.cgi?id=431526 https://issues.rpath.com/browse/RPL-2207 FEDORA-2008-1334 SQL injection vulnerability in vote.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 27530 5021 PHP remote file inclusion vulnerability in includes/smarty.php in DeltaScripts PHP Links 1.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the full_path_to_public_program parameter. 27529 5022 Multiple PHP remote file inclusion vulnerabilities in ChronoEngine ChronoForms (com_chronocontact) 2.3.5 component for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) PPS/File.php, (2) Writer.php, and (3) PPS.php in excelwriter/; and (4) BIFFwriter.php, (5) Workbook.php, (6) Worksheet.php, and (7) Format.php in excelwriter/Writer/. 27531 5020 Unspecified vulnerability in the IP-authentication feature in the Secure Site 5.x-1.0 and 4.7.x-1.0 module for Drupal allows remote attackers to gain the privileges of a user who has authenticated from behind the same proxy server as the attacker. http://drupal.org/node/216019 27543 ADV-2008-0377 The Comment Upload 4.7.x before 4.7.x-0.1 and 5.x before 5.x-0.1 module for Drupal does not properly use functions in the upload module, which allows remote attackers to bypass upload validation, and upload arbitrary files and possibly execute arbitrary code, via unspecified vectors. http://drupal.org/node/216024 http://drupal.org/node/216035 http://drupal.org/node/216036 27544 ADV-2008-0374 The OpenID 5.x-1.0 and earlier module for Drupal does not properly verify the claimed_id returned by an OpenID provider, which allows remote OpenID providers to spoof OpenID authentication for domains associated with other providers. http://drupal.org/node/216022 27542 ADV-2008-0373 The point moderation form in the Userpoints 4.7.x before 4.7.x-2.3, 5.x-2 before 5.x-2.16, and 5.x-3 before 5.x-3.3 module for Drupal does not follow Drupal's Forms API submission model, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and manipulate points. http://drupal.org/node/216023 ADV-2008-0375 Multiple PHP remote file inclusion vulnerabilities in Mindmeld 1.2.0.10 allow remote attackers to execute arbitrary PHP code via a URL in the MM_GLOBALS[home] parameter to (1) acweb/admin_index.php; and (2) ask.inc.php, (3) learn.inc.php, (4) manage.inc.php, (5) mind.inc.php, and (6) sensory.inc.php in include/. 27538 5026 IPSecDrv.sys 10.4.0.12 in SafeNET HighAssurance Remote and SoftRemote allows local users to gain privileges via a crafted IPSECDRV_IOCTL IOCTL request. 27496 1019282 ADV-2008-0333 5004 Cross-site scripting (XSS) vulnerability in index.php in webSPELL 4.01.02 allows remote attackers to inject arbitrary web script or HTML via the sort parameter in a whoisonline action. 3606 20080130 Webspell 4.01.02 2 Vulnerabilites 27517 webspell-index-xss(40084) Cross-site request forgery (CSRF) vulnerability in admin/admincenter.php in webSPELL 4.01.02 allows remote attackers to assign the superadmin privilege level to arbitrary accounts as administrators via an "update member" action. 3606 20080130 Webspell 4.01.02 2 Vulnerabilites Cross-site scripting (XSS) vulnerability in the Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors that write to summary table pages. http://drupal.org/node/216062 ADV-2008-0376 The Project Issue Tracking module 5.x-2.x-dev before 20080130 in the 5.x-2.x series, 5.x-1.2 and earlier in the 5.x-1.x series, 4.7.x-2.6 and earlier in the 4.7.x-2.x series, and 4.7.x-1.6 and earlier in the 4.7.x-1.x series for Drupal (1) does not restrict the extensions of attached files when the Upload module is enabled for issue nodes, which allows remote attackers to upload and possibly execute arbitrary files; and (2) accepts the .html extension within the bundled file-upload functionality, which allows remote attackers to upload files containing arbitrary web script or HTML. http://drupal.org/node/216063 ADV-2008-0376 Cross-site scripting (XSS) vulnerability in the web management login page in Tripwire Enterprise 7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 3610 http://www.liquidmatrix.org/blog/2008/01/29/advisory-tripwire-enterprise-xss-vulnerability 20080129 Advisory: Tripwire Enterprise/Server XSS Vulnerability 27486 1019279 ADV-2008-0372 tripwire-login-xss(40016) SQL injection vulnerability in index.php in the buslicense (com_buslicense) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in a list action. 27508 ADV-2008-0359 5011 Geert Moernaut LSrunasE and Supercrypt use an encryption key composed of an SHA1 hash of a fixed string embedded in the executable file, which makes it easier for local users to obtain this key without reverse engineering. 3611 20080129 Insecure Use of RC4 in LSrunasE and Supercrypt (CVE-2007-6340) 27500 Geert Moernaut LSrunasE allows local users to gain privileges by obtaining the encrypted password from a batch file, and constructing a modified batch file that specifies this password in the /password switch and specifies an arbitrary program in the /command switch. 3611 20080129 Insecure Use of RC4 in LSrunasE and Supercrypt (CVE-2007-6340) Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.1 through 3.6.0.244 on Windows allows remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Full Name field of a reviewer of a business item entry, accessible through (1) the SkypeFind dialog and (2) a skype:?skypefind URI for the skype: URI handler. http://aviv.raffon.net/2008/01/31/AttackersCanSkypeFindYou.aspx VU#794236 20080131 Attackers can SkypeFind you 27338 Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Description and unspecified other metadata fields of a Metacafe movie submitted by Metacafe Pro to the Skype video gallery, accessible through a search within the (1) "Add video to chat" or (2) "Add video to mood" dialog, a different vector than CVE-2008-0454. http://aviv.raffon.net/2008/01/22/NoMoreVideosForYouComeBackWhenPatchAvailable.aspx http://skype.com/security/skype-sb-2008-001-update1.htm VU#794236 27338 skype-addvideotochat-code-execution(39754) Multiple buffer overflows in bos.rte.control in IBM AIX 5.2 and 5.3 allow local users to gain privileges via unspecified vectors related to the (1) swap, (2) swapoff, and (3) swapon programs. IY96095 IY96101 27432 ADV-2008-0261 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4064 oval:org.mitre.oval:def:5744 sysmgt.websm.webaccess in IBM AIX 5.2 and 5.3 has world writable permissions for unspecified WebSM Remote Client files, which allows local users to "alter the behavior of" this client by overwriting these files. IY97257 27433 ADV-2008-0261 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4066 aix-websm-insecure-permissions(39906) Multiple buffer overflows in IBM AIX 5.2 and 5.3 allow local users to gain privileges via unspecified vectors related to the (1) lchangevg, (2) ldeletepv, (3) putlvodm, (4) lvaryoffvg, and (5) lvgenminor programs in bos.rte.lvm; and the (6) tellclvmd program in bos.clvm.enh. http://aix.software.ibm.com/aix/efixes/security/lvm_advisory.asc IY98331 IY98340 IY99537 IZ00559 IZ10828 27431 ADV-2008-0261 IY98448 IY98450 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4068 aix-lvm-commands-bo(39907) oval:org.mitre.oval:def:5704 Buffer overflow in the uspchrp program in devices.chrp.base.diag in IBM AIX 5.2 and 5.3 allows local users to gain privileges via unspecified vectors. IZ06261 IZ06489 IZ06621 27429 ADV-2008-0261 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4072 aix-uspchrp-bo(39910) oval:org.mitre.oval:def:5686 Buffer overflow in the utape program in devices.scsi.tape.diag in IBM AIX 5.2 and 5.3 allows local users to gain privileges via unspecified vectors. IZ06260 IZ06488 IZ06620 27430 ADV-2008-0261 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4070 aix-utape-bo(39909) oval:org.mitre.oval:def:5572 The ps program in bos.rte.control in IBM AIX 5.2, 5.3, and 6.1 allows local users to obtain sensitive information via unspecified vectors. 1019265 IZ11242 IZ11243 IZ11244 IZ12745 27434 ADV-2008-0261 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4075 aix-ps-information-disclosure(39911) Buffer overflow in Ipswitch WS_FTP Server with SSH 6.1.0.0 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long opendir command. 3609 20080202 IpSwitch WS_FTPSERVER with SSH remote Buffer Overflow 27573 ADV-2008-0400 5044 Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 does not properly manage a delay timer used in confirmation dialogs, which might allow remote attackers to trick users into confirming an unsafe action, such as remote file execution, by using a timer to change the window focus, aka the "dialog refocus bug" or "ffclick2". 20070604 Assorted browser vulnerabilities http://browser.netscape.com/releasenotes/ http://lcamtuf.coredump.cx/ffclick2/ SUSE-SA:2008:008 2781 238492 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 http://wiki.rpath.com/Advisories:rPSA-2008-0093 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0093 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 MDVSA-2008:048 MDVSA-2008:062 http://www.mozilla.org/security/announce/2008/mfsa2008-08.html RHSA-2008:0103 RHSA-2008:0104 RHSA-2008:0105 20070604 Assorted browser vulnerabilities 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 20080229 rPSA-2008-0093-1 thunderbird 24293 27683 1019339 USN-576-1 ADV-2008-0453 ADV-2008-0454 ADV-2008-0627 ADV-2008-1793 https://bugzilla.mozilla.org/show_bug.cgi?id=376473 https://issues.rpath.com/browse/RPL-1995 oval:org.mitre.oval:def:10900 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 FEDORA-2008-2060 FEDORA-2008-2118 Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser. http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 238492 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 MDVSA-2008:048 http://www.mozilla.org/security/announce/2008/mfsa2008-09.html RHSA-2008:0103 RHSA-2008:0104 RHSA-2008:0105 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 27683 1019340 USN-576-1 ADV-2008-0453 ADV-2008-0627 ADV-2008-1793 https://bugzilla.mozilla.org/show_bug.cgi?id=387258 oval:org.mitre.oval:def:9972 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 FEDORA-2008-2060 FEDORA-2008-2118 Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modify the .href property of stylesheet DOM nodes to the final URI of a 302 redirect, which might allow remote attackers to bypass the Same Origin Policy and read sensitive information from the original URL, such as with Single-Signon systems. http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 238492 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 MDVSA-2008:048 http://www.mozilla.org/security/announce/2008/mfsa2008-10.html RHSA-2008:0103 RHSA-2008:0104 RHSA-2008:0105 20080209 rPSA-2008-0051-1 firefox 27683 1019341 USN-576-1 ADV-2008-0453 ADV-2008-0627 ADV-2008-1793 https://bugzilla.mozilla.org/show_bug.cgi?id=397427 oval:org.mitre.oval:def:10075 FEDORA-2008-1435 FEDORA-2008-1459 FEDORA-2008-1535 FEDORA-2008-2060 FEDORA-2008-2118 Mozilla Firefox before 2.0.0.12 does not always display a web forgery warning dialog if the entire contents of a web page are in a DIV tag that uses absolute positioning, which makes it easier for remote attackers to conduct phishing attacks. http://browser.netscape.com/releasenotes/ SUSE-SA:2008:008 238492 http://support.novell.com/techcenter/psdb/6251b18e050302ebe7fe74294b55c818.html http://wiki.rpath.com/Advisories:rPSA-2008-0051 DSA-1484 DSA-1485 DSA-1489 DSA-1506 GLSA-200805-18 MDVSA-2008:048 http://www.mozilla.org/security/announce/2008/mfsa2008-11.html 20080209 rPSA-2008-0051-1 firefox 20080212 FLEA-2008-0001-1 firefox 27683 1019342 USN-576-1 ADV-2008-0453 ADV-2008-0627 ADV-2008-1793 https://bugzilla.mozilla.org/show_bug.cgi?id=408164 FEDORA-2008-1435 FEDORA-2008-1535 dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface. [dbus] 20080227 [ANNOUNCE] CVE-2008-0595 D-Bus Security Releases - D-Bus 1.0.3 and D-Bus 1.1.20 SUSE-SR:2008:006 openSUSE-SU-2012:1418 1019512 http://wiki.rpath.com/Advisories:rPSA-2008-0099 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0099 DSA-1599 http://www.j5live.com/2008/02/27/announce-d-bus-1120-conisten-water-released/ MDVSA-2008:054 RHSA-2008:0159 20080307 rPSA-2008-0099-1 dbus dbus-glib dbus-qt dbus-x11 28023 USN-653-1 ADV-2008-0694 https://issues.rpath.com/browse/RPL-2282 oval:org.mitre.oval:def:9353 FEDORA-2008-2043 FEDORA-2008-2070 Memory leak in CUPS before 1.1.22, and possibly other versions, allows remote attackers to cause a denial of service (memory consumption and daemon crash) via a large number of requests to add and remove shared printers. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 SUSE-SA:2008:012 http://support.avaya.com/elmodocs2/security/ASA-2008-084.htm http://support.avaya.com/elmodocs2/security/ASA-2008-098.htm http://wiki.rpath.com/Advisories:rPSA-2008-0091 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0091 MDVSA-2008:050 RHSA-2008:0153 RHSA-2008:0161 20080229 rPSA-2008-0091-1 cups 27988 1019497 ADV-2008-0924 cups-ippbrowse-memoryleak-dos(40842) https://issues.rpath.com/browse/RPL-2283 oval:org.mitre.oval:def:10857 Use-after-free vulnerability in CUPS before 1.1.22, and possibly other versions, allows remote attackers to cause a denial of service (crash) via crafted IPP packets. SUSE-SA:2008:012 http://support.avaya.com/elmodocs2/security/ASA-2008-084.htm http://support.avaya.com/elmodocs2/security/ASA-2008-098.htm http://wiki.rpath.com/Advisories:rPSA-2008-0091 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0091 MDVSA-2008:050 RHSA-2008:0153 RHSA-2008:0161 20080229 rPSA-2008-0091-1 cups 27988 1019497 cups-ippbrowse-useafterfree-dos(40845) https://issues.rpath.com/browse/RPL-2283 oval:org.mitre.oval:def:9492 Unspecified vulnerability in the 32-bit and 64-bit emulation in the Linux kernel 2.6.9, 2.6.18, and probably other versions allows local users to read uninitialized memory via unknown vectors involving a crafted binary. SUSE-SA:2008:047 SUSE-SA:2008:048 SUSE-SA:2008:049 RHSA-2008:0508 DSA-1630 MDVSA-2008:220 RHSA-2008:0519 RHSA-2008:0973 RHSA-2009:0009 29942 1020367 USN-625-1 https://bugzilla.redhat.com/show_bug.cgi?id=433938 linux-kernel-emulation-disclosure(43554) oval:org.mitre.oval:def:10721 oval:org.mitre.oval:def:6201 The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI. http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.50.2.12&r2=1.267.2.15.2.50.2.13&diff_format=u HPSBUX02342 APPLE-SA-2008-07-31 SSRT090085 HPSBUX02465 GLSA-200811-05 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176 VU#147027 MDVSA-2008:127 MDVSA-2008:128 [oss-security] 20080502 CVE Request (PHP) http://www.php.net/ChangeLog-5.php RHSA-2008:0505 20080523 rPSA-2008-0176-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl 29009 1019958 SSA:2008-128-01 USN-628-1 ADV-2008-1412 ADV-2008-1810 ADV-2008-2268 php-vector-unspecified(42137) https://issues.rpath.com/browse/RPL-2503 oval:org.mitre.oval:def:5510 FEDORA-2008-3864 FEDORA-2008-3606 The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010. SUSE-SA:2008:007 SUSE-SA:2008:013 SUSE-SA:2008:030 [linux-kernel] 20080210 Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit [linux-kernel] 20080210 Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit [linux-kernel] 20080210 Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit [linux-kernel] 20080210 Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit [linux-kernel] 20080210 Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit 1019393 http://wiki.rpath.com/Advisories:rPSA-2008-0052 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0052 DSA-1494 MDVSA-2008:043 MDVSA-2008:044 RHSA-2008:0129 20080212 rPSA-2008-0052-1 kernel 27704 27801 USN-577-1 ADV-2008-0487 https://bugzilla.redhat.com/show_bug.cgi?id=432229 https://bugzilla.redhat.com/show_bug.cgi?id=432517 https://issues.rpath.com/browse/RPL-2237 oval:org.mitre.oval:def:11358 5092 FEDORA-2008-1422 FEDORA-2008-1423 FEDORA-2008-1433 FEDORA-2008-1629 SQL injection vulnerability in index.php in All Club CMS (ACCMS) 0.0.1f and earlier allows remote attackers to execute arbitrary SQL commands via the name parameter. 27624 5064 Directory traversal vulnerability in index.php in All Club CMS (ACCMS) 0.0.1f and earlier allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the class_name parameter. 5061 SQL injection vulnerability in index.php in the amazOOP Awesom! (com_awesom) 0.3.2component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the listid parameter in a viewlist task. 27607 5058 The LDAP authentication feature in XLight FTP Server before 2.83, when used with some unspecified LDAP servers, does not check for blank passwords, which allows remote attackers to bypass intended access restrictions. 27602 http://www.xlightftpd.com/whatsnew.htm Multiple cross-site scripting (XSS) vulnerabilities in AstroSoft HelpDesk before 1.95.228 allow remote attackers to inject arbitrary web script or HTML via the (1) txtSearch parameter to operator/article/article_search_results.asp and the (2) Attach_Id parameter to operator/article/article_attachment.asp. NOTE: for vector 2, the XSS occurs in a forced SQL error message. 3612 20080204 [DSECRG-08-011] Astrosoft HelpDesk Multiple XSS 20080214 [DSECRG-08-011 | FIX INFORMATION] Astrosoft HelpDesk Multiple XSS 27610 SQL injection vulnerability in index.php in the Shambo2 (com_shambo2) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter. 27609 shambo2-index-sql-injection(40238) 5059 SQL injection vulnerability in index.php in the Sigsiu Online Business Index 2 (SOBI2, com_sobi2) 2.5.3 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the catid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27617 5038 The Logging Server (ftplogsrv.exe) 7.9.14.0 and earlier in IPSwitch WS_FTP 6.1 allows remote attackers to cause a denial of service (loss of responsiveness) via a large number of large packets to port 5151/udp, which causes the listening socket to terminate and prevents log commands from being recorded, a different vulnerability than CVE-2007-3823. http://aluigi.altervista.org/adv/ftplogsrvz-adv.txt 20080204 Socket termination in FTP Log Server 7.9.14.0 27612 ADV-2008-0408 Directory traversal vulnerability in index.php in DivideConcept VHD Web Pack 2.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter. 3613 20080204 [DSECRG-08-010] VHD Web Pack 2.0 Local File Include 27621 5060 Stack-based buffer overflow in the ClientConnection::NegotiateProtocolVersion function in vncviewer/ClientConnection.cpp in vncviewer for UltraVNC 1.0.2 and 1.0.4 before 01252008, when in LISTENING mode or when using the DSM plugin, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a modified size value. http://forum.ultravnc.info/viewtopic.php?t=11850 http://sourceforge.net/project/shownotes.php?release_id=571174&group_id=63887 http://ultravnc.svn.sourceforge.net/viewvc/ultravnc/UltraVNC%20Project%20Root/UltraVNC/vncviewer/ClientConnection.cpp?sortby=date&r1=169&r2=168&pathrev=169 18666 VU#721460 27561 1019293 ADV-2008-0392 SQL injection vulnerability in rmgs/images.php in the RMSOFT Gallery System 2.0 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter. 27623 5062 Directory traversal vulnerability in htdocs/install/index.php in XOOPS 2.0.18 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter. 3614 20080204 [DSECRG-08-009] xoops 2.0.18 Local File Include 27622 http://xoops.svn.sourceforge.net/viewvc/xoops/XoopsCore/branches/2.0.x/2.0.18.1/docs/changelog.txt?r1=1283&r2=1282&pathrev=1283 http://xoops.svn.sourceforge.net/viewvc/xoops?view=rev&revision=1283 5057 Open redirect vulnerability in htdocs/user.php in XOOPS 2.0.18 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the xoops_redirect parameter. 3614 http://sourceforge.net/tracker/index.php?func=detail&atid=430840&aid=1881236&group_id=41586 20080204 [DSECRG-08-009] xoops 2.0.18 Local File Include http://xoops.svn.sourceforge.net/viewvc/xoops?view=rev&revision=1282 5057 SQL injection vulnerability in index.php in Photokorn Gallery 1.543 allows remote attackers to execute arbitrary SQL commands via the pic parameter in a showpic action. 27627 5065 Directory traversal vulnerability in wp-admin/admin.php in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allows remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) folder and (2) file parameters. 3615 20080202 Wordpress Plugin dmsguestbook 1.7.0 Multiple Remote Vulnerabilities 27575 5035 SQL injection vulnerability in the administration panel in the DMSGuestbook 1.7.0 plugin for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors. NOTE: it is not clear whether this issue crosses privilege boundaries. 3615 20080202 Wordpress Plugin dmsguestbook 1.7.0 Multiple Remote Vulnerabilities dmsguestbook-unspecified-sql-injection(40196) 5035 Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) file parameter to wp-admin/admin.php, or the (2) messagefield parameter in the guestbook page, and the (3) title parameter in the messagearea. 3615 20080202 Wordpress Plugin dmsguestbook 1.7.0 Multiple Remote Vulnerabilities 27575 5035 Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) gbname, (2) gbemail, (3) gburl, and (4) gbmsg parameters to unspecified programs. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Buffer overflow in NeroMediaPlayer.exe in Nero Media Player 1.4.0.35 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (persistent crash) via a long URI in a .M3U file. 3616 20080205 NERO Media Player <= 1.4.0.35b Remote Buffer Overflow( .M3U) 27615 ADV-2008-0405 5063 SAPLPD 6.28 and earlier included in SAP GUI 7.10 and SAPSprint before 1018 allows remote attackers to cause a denial of service (crash) via a 0x53 LPD command, which causes the server to terminate. 3619 20080204 Multiple vulnerabilities in SAPlpd 6.28 20080205 Re: Multiple vulnerabilities in SAPlpd 6.28 27613 1019300 ADV-2008-0409 ADV-2008-0438 Buffer overflow in SAPLPD 6.28 and earlier included in SAP GUI 7.10 and SAPSprint before 1018 allows remote attackers to execute arbitrary code via long arguments to the (1) 0x01, (2) 0x02, (3) 0x03, (4) 0x04, and (5) 0x05 LPD commands. 3619 20080204 Multiple vulnerabilities in SAPlpd 6.28 20080205 Re: Multiple vulnerabilities in SAPlpd 6.28 27613 1019300 ADV-2008-0409 ADV-2008-0438 5079 Cross-site scripting (XSS) vulnerability in RaidenHTTPD 2.0.19 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the ulang parameter. JVN#91868305 http://www.raidenhttpd.com/jp/security.html 27628 ADV-2008-0411 Stack-based buffer overflow in the YMP Datagrid ActiveX control (datagrid.dll) in Yahoo! Music Jukebox 2.2.2.056 allows remote attackers to execute arbitrary code via a long argument to the AddImage method. VU#101676 27590 1019301 ADV-2008-0396 5043 5046 5048 Buffer overflow in the YMP Datagrid ActiveX control (datagrid.dll) in Yahoo! JukeBox 2.2.2.56 allows remote attackers to execute arbitrary code via a long argument to the AddButton method, a different vulnerability than CVE-2008-0623. VU#101676 27579 ADV-2008-0396 5051 Buffer overflow in the MediaGrid ActiveX control (mediagrid.dll) in Yahoo! Music Jukebox 2.2.2.56 allows remote attackers to execute arbitrary code via a long argument to the AddBitmap method. VU#340860 27578 1019298 ADV-2008-0396 5052 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-6303. Reason: This candidate is a duplicate of CVE-2007-6303. Notes: All CVE users should reference CVE-2007-6303 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. 3624 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-6304. Reason: This candidate is a duplicate of CVE-2007-6304. Notes: All CVE users should reference CVE-2007-6304 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. 3624 The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources. BEA08-201.00 http://scary.beasts.org/security/CESA-2007-002.html GLSA-200804-28 3621 231246 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0245 20080202 Sun JRE / JDK bug introduces XXE possibilities 27553 1019292 ADV-2008-0371 ADV-2008-1252 oval:org.mitre.oval:def:9847 Buffer overflow in stream_cddb.c in MPlayer 1.0rc2 and SVN before r25824 allows remote user-assisted attackers to execute arbitrary code via a CDDB database entry containing a long album title. GLSA-200803-16 DSA-1496 MDVSA-2008:045 http://www.mplayerhq.hu/design7/news.html 27765 Buffer overflow in url.c in MPlayer 1.0rc2 and SVN before r25823 allows remote attackers to execute arbitrary code via a crafted URL that prevents the IPv6 parsing code from setting a pointer to NULL, which causes the buffer to be reused by the unescape code. GLSA-200803-16 DSA-1496 MDVSA-2008:045 http://www.mplayerhq.hu/design7/news.html 27766 Multiple ActiveX controls in MailBee.dll in MailBee Objects 5.5 allow remote attackers to (1) overwrite arbitrary files via the SaveToDisk method, or (2) modify files via the AddStringToFile method. 27481 mailbee-mailbee-file-overwrite(40011) 4999 Unrestricted file upload vulnerability in cp_upload_image.php in LightBlog 9.5 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the blog's root directory. http://omni.netsons.org/blog/?p=11 3617 20080201 LightBlog Remote File Upload Vulnerability 27562 5033 Buffer overflow in Anon Proxy Server 0.102 and earlier, when user authentication is enabled, allows remote attackers to cause a denial of service (exception) via a user name with a large number of quotes, which triggers the overflow during escaping. 3618 20080203 Anon Proxy Server <= 0.102 remote buffer overflow 27593 https://sourceforge.net/project/shownotes.php?group_id=138780&release_id=571924 Buffer overflow in the NamoInstaller.NamoInstall.1 ActiveX control in NamoInstaller.dll 3.0.0.1, as used in Sejoong Namo ActiveSquare6, allows remote attackers to execute arbitrary code via a long argument to the Install method, a different vulnerability than CVE-2008-0551. namo-activesquare-bo(40199) 5045 Unspecified vulnerability in the delivery engine in Openads 2.4.0 through 2.4.2 allows remote attackers to execute arbitrary PHP code via unknown vectors. 3620 20080204 [OPENADS-SA-2008-001] Openads 2.4.2 vulnerability fixed 27603 Level Platforms, Inc. (LPI) Managed Workplace Service Center 4.x, 5.x and 6.x allows remote attackers to obtain sensitive information via a direct request to About/SC_About.htm, which provides version and patch information. 3659 20080208 SECURITY ADVISORY - Level Platforms, Inc. Service Center Install Data HTTP Vulnerability 20080214 Re: SECURITY ADVISORY - Level Platforms, Inc. Service Center Install Data HTTP Vulnerability 20080908 Re: Re: SECURITY ADVISORY - Level Platforms, Inc. Service Center Install Data HTTP Vulnerability 27702 Heap-based buffer overflow in the Veritas Enterprise Administrator (VEA) service (aka vxsvc.exe) in Symantec Veritas Storage Foundation 5.0 allows remote attackers to execute arbitrary code via a packet with a crafted value of a certain size field, which is not checked for consistency with the actual buffer size. 1019459 20080220 ZDI-08-007: Symantec VERITAS Storage Foundation Administrator Service Heap Overflow Vulnerability 25778 http://www.symantec.com/avcenter/security/Content/2008.02.20a.html http://www.zerodayinitiative.com/advisories/ZDI-08-007.html Stack-based buffer overflow in the EnumPrinters function in the Spooler service (nwspool.dll) in Novell Client 4.91 SP2, SP3, and SP4 for Windows allows remote attackers to execute arbitrary code via a crafted RPC request, aka Novell bug 353138, a different vulnerability than CVE-2006-5854. NOTE: this issue exists because of an incomplete fix for CVE-2007-6701. http://download.novell.com/Download?buildid=SszG22IIugM~ 20080211 ZDI-08-005: Novell Client NWSPOOL.DLL EnumPrinters Stack Overflow Vulnerability http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5008300.html 20080211 ZDI-08-005: Novell Client NWSPOOL.DLL EnumPrinters Stack Overflow Vulnerability 27741 1019366 ADV-2008-0496 http://www.zerodayinitiative.com/advisories/ZDI-08-005.html Symantec Ghost Solution Suite 1.1 before 1.1 patch 2, 2.0.0, and 2.0.1 does not authenticate connections between the console and the Ghost Management Agent, which allows remote attackers to execute arbitrary commands via unspecified RPC requests in conjunction with ARP spoofing. 27644 1019356 http://www.symantec.com/avcenter/security/Content/2008.02.07.html ADV-2008-0474 Cross-site scripting (XSS) vulnerability in files created by Adobe RoboHelp 6 and 7, possibly involving use of a (1) WebHelp5 (WebHelp5Ext) or (2) WildFire (WildFireExt) extension, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2007-1280. 1019397 http://www.adobe.com/support/security/bulletins/apsb08-05.html 27763 ADV-2008-0537 Cross-site scripting (XSS) vulnerability in Adobe ColdFusion MX 7 and ColdFusion 8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.adobe.com/support/security/bulletins/apsb08-06.html 28205 1019589 ADV-2008-0862 adobe-coldfusion-useragent-xss(41144) Adobe ColdFusion MX 7 and ColdFusion 8 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism for applications via unspecified vectors related to the setEncoding function. http://www.adobe.com/support/security/bulletins/apsb08-07.html 28205 1019590 ADV-2008-0862 coldfusion-setencoding-xss(41145) Multiple PHP remote file inclusion vulnerabilities in Portail Web Php 2.5.1.1 allow remote attackers to execute arbitrary PHP code via a URL in the site_path parameter to (1) config/conf-activation.php, (2) menu/item.php, and (3) modules/conf_modules.php in admin/system/; and (4) system/login.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27616 The bdecode_recursive function in include/libtorrent/bencode.hpp in Rasterbar Software libtorrent before 0.12.1, as used in Deluge before 0.5.8.3 and other products, allows context-dependent attackers to cause a denial of service (stack exhaustion and crash) via a crafted bencoded message. http://deluge-torrent.org/Changelog.php http://libtorrent.svn.sourceforge.net/viewvc/libtorrent/branches/RC_0_12/include/libtorrent/bencode.hpp?r1=956&r2=1968&pathrev=1968 http://libtorrent.svn.sourceforge.net/viewvc/libtorrent/branches/RC_0_12/include/libtorrent/bencode.hpp?view=log&pathrev=1968#rev1968 http://libtorrent.svn.sourceforge.net/viewvc/libtorrent/branches/RC_0_13/include/libtorrent/bencode.hpp?view=log&pathrev=1968 http://libtorrent.svn.sourceforge.net/viewvc/libtorrent/trunk/include/libtorrent/bencode.hpp?view=log&pathrev=1968 27597 ADV-2008-0383 ADV-2008-0384 FEDORA-2008-1198 Multiple stack-based buffer overflows in the HanGamePluginCn18.HanGamePluginCn18.1 ActiveX control in HanGamePluginCn18.dll in Ourgame GLWorld 2.6.1.29 (aka Lianzong Game Platform) allow remote attackers to execute arbitrary code via long arguments to the (1) hgs_startGame and (2) hgs_startNotify methods, as exploited in the wild as of February 2008. NOTE: some of these details are obtained from third party information. 27626 http://www.symantec.com/enterprise/security_response/weblog/2008/02/zeroday_exploit_for_lianzong_g.html ADV-2008-0427 5153 Multiple PHP remote file inclusion vulnerabilities in OpenSiteAdmin 0.9.1.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) indexFooter.php; and (2) DatabaseManager.php, (3) FieldManager.php, (4) Filter.php, (5) Form.php, (6) FormManager.php, (7) LoginManager.php, and (8) Filters/SingleFilter.php in scripts/classes/. 27640 5068 SQL injection vulnerability in detail.php in Astanda Directory Project (ADP) 1.2 and 1.3 allows remote attackers to execute arbitrary SQL commands via the link_id parameter. 27646 5071 SQL injection vulnerability in login.php in Simple OS CMS 0.1c beta allows remote attackers to execute arbitrary SQL commands via the username field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27589 SQL injection vulnerability in login.php in Pedro Santana Codice CMS allows remote attackers to execute arbitrary SQL commands via the username field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27592 SQL injection vulnerability in index.php in the Downloads (com_downloads) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the filecatid parameter in a selectfolder action. 27648 5073 SQL injection vulnerability in index.php in the Ynews (com_ynews) 1.0.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a showYNews action. 27649 5072 Multiple directory traversal vulnerabilities in Azucar CMS 1.3 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the _VIEW (view) parameter to (1) index.php, (2) html/sitio/index.php, or (3) src/sistema/vistas/template/tpl_inicio.php. 3622 20080205 [DSECRG-08-012] Multiple LFI in Azucar CMS 1.3 Multiple unspecified vulnerabilities in Adobe Reader and Acrobat before 8.1.2 have unknown impact and attack vectors. http://blogs.adobe.com/acroread/2008/02/adobe_reader_812_for_linux_and.html http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403079&sliceId=1 SUSE-SA:2008:009 GLSA-200803-01 1019346 239286 http://www.adobe.com/support/security/advisories/apsa08-01.html http://www.adobe.com/support/security/bulletins/apsb08-13.html RHSA-2008:0144 27641 TA08-043A ADV-2008-0425 ADV-2008-1966 oval:org.mitre.oval:def:10299 Unrestricted file upload vulnerability in dmclTrace.jsp in EMC Documentum Administrator 5.3.0.313 and Webtop 5.3.0.317 allows remote attackers to overwrite arbitrary files via the filename attribute. 3626 http://www.cybsec.com/vuln/CYBSEC-Security_Advisory_Documentum_dmclTrace_Arbitrary_file_overwrite.pdf 20080205 CYBSEC Security Advisory: Arbitrary file overwrite in Documentum Administrator / Documentum Webtop 27632 1019305 ADV-2008-0439 Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs. BEA08-201.00 SUSE-SA:2008:025 GLSA-200804-28 231261 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0123 RHSA-2008:0156 RHSA-2008:0210 27650 1019308 http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0429 ADV-2008-1252 ADV-2008-1856 oval:org.mitre.oval:def:11505 slapd/back-bdb/modrdn.c in the BDB backend for slapd in OpenLDAP 2.3.39 allows remote authenticated users to cause a denial of service (daemon crash) via a modrdn operation with a NOOP (LDAP_X_NO_OPERATION) control, a related issue to CVE-2007-6698. APPLE-SA-2009-11-09-1 SUSE-SR:2008:010 GLSA-200803-28 http://support.apple.com/kb/HT3937 http://wiki.rpath.com/Advisories:rPSA-2008-0059 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0059 DSA-1541 MDVSA-2008:058 http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/back-bdb/modrdn.c.diff?r1=1.197&r2=1.198&f=h http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5358 RHSA-2008:0110 20080212 rPSA-2008-0059-1 openldap openldap-clients openldap-servers 27778 1019481 USN-584-1 ADV-2008-0536 ADV-2009-3184 openldap-modrdn-dos(40479) oval:org.mitre.oval:def:9470 Stack-based buffer overflow in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.5.70 and earlier, as used in MySpace MySpaceUploader.ocx 1.0.0.4, allows remote attackers to execute arbitrary code via a long Action property. http://blogs.aurigma.com/post/2008/01/Another-security-problem---oh%2c-not-again.aspx 20080131 MySpace Uploader ActiveX Control Buffer Overflow http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060483 VU#776931 27533 ADV-2008-0344 ADV-2008-0345 myspace-myspaceuploader-bo(40118) 5025 Multiple stack-based buffer overflows in Aurigma Image Uploader ActiveX control (ImageUploader4.ocx) 4.6.17.0, 4.5.70.0, and 4.5.126.0, and ImageUploader5 5.0.10.0, as used by Facebook PhotoUploader 4.5.57.0, allow remote attackers to execute arbitrary code via long (1) ExtractExif and (2) ExtractIptc properties. 20080203 FaceBook/Aurigma Image/PhotoUploader Buffer Overflow http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060483 VU#776931 27576 27577 1019297 ADV-2008-0391 ADV-2008-0394 5049 Buffer overflow in dBpowerAMP Audio Player Release 2 allows remote attackers to execute arbitrary code via a .M3U file with a long URI. NOTE: this might be the same issue as CVE-2004-1569. 3623 20080205 dBpowerAMP Audio Player Release 2 Remote Buffer Overflow 27635 27639 5067 5069 The Auto Local Logon feature in Check Point VPN-1 SecuRemote/SecureClient NGX R60 and R56 for Windows caches credentials under the Checkpoint\SecuRemote registry key, which has Everyone/Full Control permissions, which allows local users to gain privileges by reading and reusing the credentials. http://digihax.com/ 3627 20080207 Checkpoint SecuRemote/Secure Client NGX Auto Local Logon Vulnerability 27675 1019317 ADV-2008-0475 https://usercenter.checkpoint.com/usercenter/portal/user/anon/page/supportCenter.psml Novell Challenge Response Client (LCM) 2.7.5 and earlier, as used with Novell Client for Windows 4.91 SP4, allows users with physical access to a locked system to obtain contents of the clipboard by pasting the contents into the Challenge Question field. 27631 1019304 ADV-2008-0423 https://secure-support.novell.com/KanisaPlatform/Publishing/686/3726376_f.SAL_Public.html The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors. http://wordpress.org/development/2008/02/wordpress-233/ DSA-1601 27669 1019316 http://www.village-idiot.org/archives/2008/02/02/wordpress-232-exploit-confirmed/ ADV-2008-0448 https://bugzilla.redhat.com/show_bug.cgi?id=431547 FEDORA-2008-1512 FEDORA-2008-1559 wml_backend/p1_ipp/ipp.src in Website META Language (WML) 2.0.11 allows local users to overwrite arbitrary files via a symlink attack on the ipp.$$.tmp temporary file. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463907 GLSA-200803-23 DSA-1492 MDVSA-2008:076 27685 Website META Language (WML) 2.0.11 allows local users to overwrite arbitrary files via a symlink attack on (1) the /tmp/pe.tmp.$$ temporary file used by wml_contrib/wmg.cgi and (2) temporary files used by wml_backend/p3_eperl/eperl_sys.c. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463907 GLSA-200803-23 DSA-1492 MDVSA-2008:076 27685 The DOC.print function in the Adobe JavaScript API, as used by Adobe Acrobat and Reader before 8.1.2, allows remote attackers to configure silent non-interactive printing, and trigger the printing of an arbitrary number of copies of a document. NOTE: this issue might be subsumed by CVE-2008-0655. http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403079&sliceId=1 SUSE-SA:2008:009 GLSA-200803-01 3625 239286 http://www.adobe.com/support/security/advisories/apsa08-01.html http://www.adobe.com/support/security/bulletins/apsb08-13.html http://www.fortiguardcenter.com/advisory/FGA-2008-04.html RHSA-2008:0144 20080208 Adobe Reader/Acrobat Remote PDF Print Silently Vulnerability 27641 TA08-043A ADV-2008-0425 ADV-2008-1966 oval:org.mitre.oval:def:9731 The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnome Office Gnumeric before 1.8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file containing XLS HLINK opcodes, possibly because of an integer signedness error that leads to an integer overflow. NOTE: some of these details are obtained from third party information. http://bugs.gentoo.org/show_bug.cgi?id=208356 http://bugzilla.gnome.org/show_bug.cgi?id=505330 SUSE-SR:2008:016 GLSA-200802-05 DSA-1546 http://www.gnome.org/projects/gnumeric/announcements/1.8/gnumeric-1.8.1.shtml MDVSA-2008:056 27536 USN-604-1 ADV-2008-0462 FEDORA-2008-1313 FEDORA-2008-1403 Cross-site scripting (XSS) vulnerability in search.cgi in Sift Unity allows remote attackers to inject arbitrary web script or HTML via the qt parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27684 SQL injection vulnerability in index.php in the Noticias (com_noticias) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detalhe action. 27691 5081 Stack-based buffer overflow in the add_line_buffer function in TinTin++ 1.97.9 and WinTin++ 1.97.9 allows remote attackers to execute arbitrary code via a long chat message, related to conversion from LF to CRLF. http://aluigi.altervista.org/adv/rintintin-adv.txt GLSA-201111-07 3632 20080206 Chat vulnerabilities in TinTin++ 1.97.9 27660 ADV-2008-0449 The process_chat_input function in TinTin++ 1.97.9 and WinTin++ 1.97.9 allows remote attackers to cause a denial of service (application crash) via a YES message without a newline character, which triggers a NULL dereference. http://aluigi.altervista.org/adv/rintintin-adv.txt GLSA-201111-07 3632 20080206 Chat vulnerabilities in TinTin++ 1.97.9 27660 ADV-2008-0449 TinTin++ 1.97.9 and WinTin++ 1.97.9 open files on the basis of an inbound file-transfer request, before the user has an opportunity to decline the request, which allows remote attackers to truncate arbitrary files in the top level of a home directory. http://aluigi.altervista.org/adv/rintintin-adv.txt GLSA-201111-07 3632 20080206 Chat vulnerabilities in TinTin++ 1.97.9 27660 ADV-2008-0449 Buffer overflow in PCRE before 7.6 allows remote attackers to execute arbitrary code via a regular expression containing a character class with a large number of characters with Unicode code points greater than 255. http://ftp.gnome.org/pub/gnome/sources/glib/2.14/glib-2.14.6.news APPLE-SA-2008-07-31 APPLE-SA-2008-10-09 APPLE-SA-2009-08-05-1 SUSE-SR:2008:004 http://pcre.org/changelog.txt GLSA-200803-24 GLSA-200811-05 http://support.apple.com/kb/HT3216 http://support.apple.com/kb/HT3757 http://wiki.rpath.com/Advisories:rPSA-2008-0086 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0086 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176 DSA-1499 MDVSA-2008:053 [oss-security] 20080502 CVE Request (PHP) http://www.php.net/ChangeLog-5.php 20080228 rPSA-2008-0086-1 pcre 20080523 rPSA-2008-0176-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl 27786 29009 31681 1022674 TA09-218A ADV-2008-0570 ADV-2008-0592 ADV-2008-1412 ADV-2008-2268 ADV-2008-2780 ADV-2009-2172 https://bugzilla.redhat.com/show_bug.cgi?id=431660 pcre-characterclass-bo(40505) https://issues.rpath.com/browse/RPL-2223 https://issues.rpath.com/browse/RPL-2503 USN-581-1 FEDORA-2008-1533 FEDORA-2008-1783 FEDORA-2008-1842 SQL injection vulnerability in cms/index.pl in The Everything Development Engine in The Everything Development System Pre-1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the node_id parameter. 3631 20080201 The Everything Development System - SQL Injection 27569 5037 Cross-site scripting (XSS) vulnerability in search.php in A-Blog 2 allows remote attackers to inject arbitrary web script or HTML via the words parameter. 27594 5050 SQL injection vulnerability in blog.php in A-Blog 2 allows remote attackers to execute arbitrary SQL commands via the id parameter in a news action. 27594 5050 SQL injection vulnerability in index.php in BlogPHP 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in a page action. 27591 5042 Cross-site scripting (XSS) vulnerability in index.php in BlogPHP 2.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. 27591 5042 SNMPd in MikroTik RouterOS 3.2 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP SET request. http://hellknights.void.ru/shados/snmp_sploit.c 27599 ADV-2008-0399 5054 SQL injection vulnerability in index.php in PHPShop 0.8.1 allows remote attackers to execute arbitrary SQL commands via the product_id parameter, as demonstrated by a shop/flypage action. 3628 20080202 phpShop <= v 0.8.1 Remote SQL injection / Filter Bypass 27570 5041 SQL injection vulnerability in wordspew-rss.php in the Wordspew plugin before 3.72 for Wordpress allows remote attackers to execute arbitrary SQL commands via the id parameter. http://pierre.sudarovich.free.fr/index.php/2006/02/28/ajax-shoutbox/ 27583 5039 SQL injection vulnerability in shiftthis-preview.php in the ShiftThis Newsletter (st_newsletter) plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the newsletter parameter. 27586 5053 Cross-site scripting (XSS) vulnerability in ViewCat.php in iTechClassifieds 3.0 allows remote attackers to inject arbitrary web script or HTML via the CatID parameter. 20080201 ITech Classifieds Multiple Remote Vulnerabilities 27574 SQL injection vulnerability in ViewCat.php in iTechClassifieds 3.0 allows remote attackers to execute arbitrary SQL commands via the CatID parameter. 20080201 ITech Classifieds Multiple Remote Vulnerabilities 27574 SQL injection vulnerability in index.php in the NeoReferences (com_neoreferences) 1.3.1 and 1.3.3 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter. 27564 neoreferences-index-sql-injection(40167) 5034 Cross-site scripting (XSS) vulnerability in siteadmin/editor_files/includes/load_message.php in the Youtube Clone Script allows remote attackers to inject arbitrary web script or HTML via the lang[please_wait] parameter. 3635 20080201 Youtube Clone Xross Site Scripting (load_message.php) 27598 Cross-site scripting (XSS) vulnerability in catalog.php in Smartscript Domain Trader 2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a viewcategory action. 3633 20080202 Domain Trader v2.0 Xss Vulnerable 27571 SQL injection vulnerability in index.php in the Marketplace (com_marketplace) 1.1.1 and 1.1.1-pl1 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a show_category action. 27600 5055 SQL injection vulnerability in index.php in the mosDirectory (com_directory) 2.3.2 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a viewcat action. 27585 5047 Multiple cross-site scripting (XSS) vulnerabilities in admin_panel.php in the Simon Elvery WP-Footnotes 2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) wp_footnotes_current_settings[priority], (2) wp_footnotes_current_settings[style_rules], (3) wp_footnotes_current_settings[pre_footnotes], and (4) wp_footnotes_current_settings[post_footnotes] parameters. 3634 20080201 Wordpress Pluging wp-footnotes 2.2 (admin_panel.php) Multiple Vulnerabilites 27572 wpfootnotes-adminpanel-security-bypass(40218) SQL injection vulnerability in bidhistory.php in iTechBids 3 Gold and 5.0 allows remote attackers to execute arbitrary SQL commands via the item_id parameter. 27601 5056 Stack-based buffer overflow in PQCore.exe in Print Manager Plus 2008 Client Billing and Authentication 7.0.127.16 allows remote attackers to cause a denial of service (service outage) via a series of long packets to TCP port 48101. http://aluigi.altervista.org/adv/pqcorez-adv.txt 27604 ADV-2008-0407 Cross-site scripting (XSS) vulnerability in the HTTP Server in IBM OS/400 V5R3M0 and V5R4M0 allows remote attackers to inject arbitrary web script or HTML via the Expect HTTP header. 27595 ADV-2008-0397 SE31823 SQL injection vulnerability in index.php in BookmarkX script 2007 allows remote attackers to execute arbitrary SQL commands via the topicid parameter in a showtopic action. 5040 IBM DB2 UDB before 8.2 Fixpak 16 does not properly check authorization for the ALTER TABLE statement, which has unknown impact and attack vectors. ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT ADV-2008-0401 Unspecified vulnerability in DB2PD in IBM DB2 UDB before 8.2 Fixpak 16 allows local users to gain root privileges via unspecified vectors. ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT ADV-2008-0401 Buffer overflow in the DAS server in IBM DB2 UDB before 8.2 Fixpak 16 has unknown attack vectors, and an impact probably involving "invalid memory access." ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT 27681 ADV-2008-0401 Unspecified vulnerability in the ADMIN_SP_C procedure (SYSPROC.ADMIN_SP_C) in IBM DB2 UDB before 8.2 Fixpak 16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unspecified attack vectors. ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT http://www.appsecinc.com/resources/alerts/db2/2008-02.shtml 20080418 Team SHATTER Security Advisory: IBM DB2 UDB Arbitrary code execution in ADMIN_SP_C/ADMIN_SP_C2 procedures ADV-2008-0401 IZ06972 IZ06973 IZ10917 Cross-site scripting (XSS) vulnerability in search.php in Crux Software CruxCMS 3.0 allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27588 ActivationHandler in Magnolia CE 3.5.x before 3.5.4 does not check permissions during importing, which allows remote attackers to have an unknown impact via activation of a new item, possibly involving addition of arbitrary new content. http://jira.magnolia.info/browse/MAGNOLIA-2021 http://sourceforge.net/project/shownotes.php?release_id=573088 27608 Multiple heap-based buffer overflows in Titan FTP Server 6.03 and 6.0.5.549 allow remote attackers to cause a denial of service (daemon crash or hang) and possibly execute arbitrary code via a long argument to the (1) USER or (2) PASS command, different vectors than CVE-2004-1641. 3639 20080201 Titan FTP Server Remote Heap Overflow (USER/PASS) 27568 ADV-2008-0393 5036 Multiple directory traversal vulnerabilities in sflog! 0.96 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) permalink or (2) section parameter to index.php, possibly involving includes/entries.inc.php and other files included by index.php. 3629 20080131 sflog! 0.96 remote file disclosure vulnerabilities 27541 sflog-blog-index-directory-traversal(40115) 5027 Unspecified vulnerability in the SSH server in HP OpenVMS TCP/IP Services on OpenVMS on the Alpha platform with 5.4 before ECO 7, and on the Integrity and Alpha platforms with 5.5 before ECO 3 and 5.6 before ECO 2, allows remote attackers to obtain unspecified access via unknown vectors. 28486 1019727 ADV-2008-1009 SSRT071479 openvms-sshserver-unauthorized-access(41519) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Unspecified vulnerability in the BIOS F.26 and earlier for the HP Compaq Notebook PC allows physically proximate attackers to obtain privileged access via unspecified vectors, possibly involving an authentication bypass of the power-on password. HPSBGN02319 1019730 28495 ADV-2008-1043 compaq-pcbios-security-bypass(41521) HP StorageWorks Library and Tape Tools (LTT) before 4.5 SR1 on HP-UX B.11.11 and B.11.23 allows local users to gain privileges via unspecified vectors. Link 1015143 requires login 1019651 28314 ADV-2008-0926 hp-storageworks-unspecified-priv-escalation(41337) SSRT080029 HP USB 2.0 Floppy Drive Key product options (1) 442084-B21 and (2) 442085-B21 for certain HP ProLiant servers contain the (a) W32.Fakerecy and (b) W32.SillyFDC worms, which might be launched if the server does not have up-to-date detection. SSRT080032 1019785 hp-usbfloppydrivekey-weak-security(41648) Multiple unspecified vulnerabilities in HP Select Identity 4.00, 4.01, 4.11, 4.12, 4.13, and 4.20 allow remote authenticated users to access other user accounts via unknown vectors, a different issue than CVE-2008-0214. HPSBMA02317 1019746 28558 ADV-2008-1072 hpselectidentity-useraccount-unauth-access(41583) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Unspecified vulnerability in the embedded management console in HP iLO-2 Management Processors (iLO-2 MP), as used in Integrity Servers rx2660, rx3600, and rx6600, and Integrity Blade Server model bl860c, allows remote attackers to cause a denial of service via unknown vectors. SSRT071455 3804 28673 1019795 ADV-2008-1132 hp-integrityserver-ilo2mp-console-dos(41696) Unspecified vulnerability in the HP HPeDiag (aka eSupportDiagnostics) ActiveX control in hpediag.dll in HP Software Update 4.000.009.002 and earlier allows remote attackers to execute arbitrary code or obtain sensitive information via unspecified vectors. NOTE: this might overlap CVE-2007-6513. HPSBGN02333 28929 1019922 ADV-2008-1356 hpsoftware-hpediag-code-execution(42003) Unspecified vulnerability in the FTP server for HP-UX B.11.11, B.11.23, and B.11.31 allows remote authenticated users to cause a denial of service (FTP server outage) via unknown attack vectors. SSRT071403 29160 1020005 ADV-2008-1475 hpux-ftp-dos(42357) oval:org.mitre.oval:def:5289 SQL injection vulnerability in users.php in Mihalism Multi Host allows remote attackers to execute arbitrary SQL commands via the username parameter in a lost_password_go action. 27651 mihalism-users-sql-injection(40289) 5074 Buffer overflow in ACDSee Photo Manager 8.1, 9.0, and 10.0 allows user-assisted remote attackers to execute arbitrary code via a malformed XBM file. NOTE: this might be the same as CVE-2007-6009. http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+AcdSee+Photo+Manager ADV-2008-0443 The agent in Symantec Altiris Notification Server before 6.0 SP3 R7 allows local users to gain privileges via a "Shatter" style attack. http://securityresponse.symantec.com/avcenter/security/Content/2008.02.06.html 27645 1019313 ADV-2008-0444 Cross-site scripting (XSS) vulnerability in Caching Proxy (CP) 5.1 through 6.1 in IBM WebSphere Edge Server, when CGI mapping rules are enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger injection into an error response. 27665 1019315 ADV-2008-0446 http://www-1.ibm.com/support/docview.wss?uid=swg21294776 Unspecified vulnerability in the USB Mouse STREAMS module (usbms) in Sun Solaris 9 and 10, when 64-bit mode is enabled, allows local users to cause a denial of service (panic) via unspecified vectors. 201316 27773 ADV-2008-0451 oval:org.mitre.oval:def:5474 SQL injection vulnerability in customer_testimonials.php in the Customer Testimonials 3 and 3.1 Addon for osCommerce Online Merchant 2.2 allows remote attackers to execute arbitrary SQL commands via the testimonial_id parameter. 27664 5075 Cross-site scripting (XSS) vulnerability in Webmin 1.370 and 1.390 and Usermin 1.300 and 1.320 allows remote attackers to inject arbitrary web script or HTML via the search parameter to webmin_search.cgi (aka the search section), and possibly other components accessed through a "search box" or "open file box." NOTE: some of these details are obtained from third party information. http://forum.aria-security.net/showthread.php?t=511 20080206 Tested on Webmin 1.390 20080206 Re: Tested on Webmin 1.390 27662 ADV-2008-0450 SQL injection vulnerability in index.php in the Sermon (com_sermon) 0.2 component for Mambo allows remote attackers to execute arbitrary SQL commands via the gid parameter. 27673 5076 Cross-site scripting (XSS) vulnerability in index.php in Pagetool 1.0.7 allows remote attackers to inject arbitrary web script or HTML via the search_term parameter in a pagetool_search action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27653 4983 Cross-site scripting (XSS) vulnerability in mynews.inc.php in MyNews 1.6.4, and other earlier 1.6.x versions, allows remote attackers to inject arbitrary web script or HTML via the hash parameter in an admin action to index.php, a different vulnerability than CVE-2006-2208.1. 20080206 MyNews 1.6.X HTML/JS Injection Vulnerability 20080207 Re: MyNews 1.6.X HTML/JS Injection Vulnerability 27652 The Everything Development Engine in The Everything Development System Pre-1.0 and earlier stores passwords in cleartext in a database, which makes it easier for context-dependent attackers to obtain access to user accounts. 3631 20080201 The Everything Development System - SQL Injection 5037 Multiple heap-based buffer overflows in the (1) FTP service and (2) administration service in Titan FTP Server 6.0.5.549 allow remote attackers to cause a denial of service (daemon hang) and possibly execute arbitrary code via a long command. NOTE: the USER and PASS commands for the FTP service are covered by CVE-2008-0702. Integer overflow in Adobe Reader and Acrobat 8.1.1 and earlier allows remote attackers to execute arbitrary code via crafted arguments to the printSepsWithParams, which triggers memory corruption. SUSE-SA:2008:009 GLSA-200803-01 239286 http://www.adobe.com/support/security/advisories/apsa08-01.html http://www.adobe.com/support/security/bulletins/apsb08-13.html RHSA-2008:0144 20080211 ZDI-08-004: Adobe AcrobatReader Javascript for PDF Integer Overflow Vulnerability ADV-2008-1966 http://www.zerodayinitiative.com/advisories/ZDI-08-004.html oval:org.mitre.oval:def:10957 Multiple buffer overflows in oninit.exe in IBM Informix Dynamic Server (IDS) 7.x through 11.x allow (1) remote attackers to execute arbitrary code via a long password and (2) remote authenticated users to execute arbitrary code via a long DBPATH value. All IBM links require software support sign in to view. 3749 20080313 ZDI-08-011: IBM Informix Dynamic Server DBPATH Buffer Overflow Vulnerability 20080313 ZDI-08-012: IBM Informix Dynamic Server Authentication Password Stack Overflow Vulnerability 28198 ADV-2008-0860 http://www.zerodayinitiative.com/advisories/ZDI-08-011/ http://www.zerodayinitiative.com/advisories/ZDI-08-012/ IC55207 IC55208 IC55209 IC55210 ibm-informix-oninit-dbpath-bo(41202) ibm-informix-oninit-bo(41203) The unmew11 function in libclamav/mew.c in libclamav in ClamAV before 0.92.1 has unknown impact and attack vectors that trigger "heap corruption." http://bugs.gentoo.org/show_bug.cgi?id=209915 http://docs.info.apple.com/article.html?artnum=307562 http://kolab.org/security/kolab-vendor-notice-19.txt APPLE-SA-2008-03-18 SUSE-SR:2008:004 GLSA-200802-09 http://sourceforge.net/project/shownotes.php?release_id=575703 http://support.novell.com/techcenter/psdb/512985d2cd3090bfb93dcb7b551179cf.html MDVSA-2008:088 ADV-2008-0503 ADV-2008-0606 ADV-2008-0924 clamav-mewc-heap-corruption(40474) Mobile Safari on Apple iPhone 1.1.2 and 1.1.3 allows remote attackers to cause a denial of service (memory exhaustion and device crash) via certain JavaScript code that constructs a long string and an array containing long string elements, possibly a related issue to CVE-2006-3677. NOTE: some of these details are obtained from third party information. 3630 20080205 Apple iPhone 1.1.3 remote DoS exploit 20080519 Re: Apple iPhone 1.1.3 remote DoS exploit 27442 iphone-mobilesafari-dos(39998) 4978 The (1) Simplified Chinese, (2) Traditional Chinese, (3) Korean, and (4) Thai language input methods in Sun Solaris 10 create files and directories with weak permissions under (a) .iiim/le and (b) .Xlocale in home directories, which might allow local users to write to, or read from, the home directories of other users. 201315 27770 ADV-2008-0452 oval:org.mitre.oval:def:5545 The Linux kernel before 2.6.18.8-0.8 in SUSE openSUSE 10.2 does not properly handle failure of an AppArmor change_hat system call, which might allow attackers to trigger the unconfining of an apparmored task. SUSE-SA:2008:006 The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories. SUSE-SR:2008:003 SQL injection vulnerability in index.php in CS Team Counter Strike Portals allows remote attackers to execute arbitrary SQL commands via the id parameter, as demonstrated using the downloads page. 20080212 Kommentare zum Download script SQL Injection 27747 counterstrikeportals-index-sql-injection(40520) SQL injection vulnerability in class_auth.php in Limbo CMS 1.0.4.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the cuid cookie parameter to admin.php. 27710 limbo-admin-sql-injection(40415) 5088 SQL injection vulnerability in mod/gallery/ajax/gallery_data.php in AuraCMS 2.2 allows remote attackers to execute arbitrary SQL commands via the albums parameter. 27764 5105 admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and possibly other 4.x and 3.x versions, allows remote attackers to obtain the path via a certain value of the FedExAccount parameter. 3600 http://www.candypress.com/CPforum/forum_posts.asp?TID=10630&PN=1 20080125 [CandyPress] eCommerce suite (SQL Injection + XSS + Path Disclosure) 27454 ADV-2008-0314 ecommerce-sashipfedexmeter-path-disclosure(39941) 4988 SQL injection vulnerability in admin/utilities_ConfigHelp.asp in CandyPress (CP) 4.1.1.26, and other 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the helpfield parameter. 3600 http://www.candypress.com/CPforum/forum_posts.asp?TID=10630&PN=1 20080125 [CandyPress] eCommerce suite (SQL Injection + XSS + Path Disclosure) 27454 ADV-2008-0314 4988 Multiple SQL injection vulnerabilities in CandyPress (CP) 4.1.1.26, and earlier 4.1.x versions, allow remote attackers to execute arbitrary SQL commands via the (1) idcust parameter to (a) ajax_getTiers.asp and (b) ajax_getCust.asp in ajax/, and the (2) tableName parameter to (c) ajax/ajax_tableFields.asp. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://www.candypress.com/CPforum/forum_posts.asp?TID=10630&PN=1 ADV-2008-0314 SQL injection vulnerability in admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and earlier 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the FedExAccount parameter. http://www.candypress.com/CPforum/forum_posts.asp?TID=10630&PN=1 ADV-2008-0314 IBM WebSphere Application Server (WAS) before 6.0.2 Fix Pack 25 (6.0.2.25) and 6.1 before Fix Pack 15 (6.1.0.15) writes unspecified cleartext information to http_plugin.log, which might allow local users to obtain sensitive information by reading this file. 27400 ADV-2008-0241 http://www-1.ibm.com/support/docview.wss?uid=swg27006876 http://www-1.ibm.com/support/docview.wss?uid=swg27007951 Unspecified vulnerability in the PropFilePasswordEncoder utility in IBM WebSphere Application Server (WAS) before 6.0.2 Fix Pack 25 (6.0.2.25) has unknown impact and attack vectors. 1019254 27400 ADV-2008-0241 PK52709 http://www-1.ibm.com/support/docview.wss?uid=swg27006876 Multiple directory traversal vulnerabilities in PowerScripts PowerNews 2.5.6 allow remote attackers to read and include arbitrary files via a .. (dot dot) in the (1) subpage parameter in (a) categories.inc.php, (b) news.inc.php, (c) other.inc.php, (d) permissions.inc.php, (e) templates.inc.php, and (f) users.inc.php in pnadmin/; and (2) the page parameter to (g) pnadmin/index.php. NOTE: vector 2 is only exploitable by administrators. 3647 20080208 [DSECRG-08-014] Multiple LFI in PowerNews (Newsscript) 2.5.6 27688 5082 PHP remote file inclusion vulnerability in members_help.php in Joovili 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the hlp parameter. 3640 20080207 Joovili <= v.2.1 (members_help.php) Remote File &#304;nclude Vulnerability 27693 SQL injection vulnerability in user_login.asp in PreProjects.com Pre Hotels & Resorts Management System allows remote attackers to execute arbitrary SQL commands via the login page. 3644 20080124 Pre Hotel and Resorts reservation portal login bypass 27450 prehotel-login-sql-injection(39935) Directory traversal vulnerability in aides/index.php in DomPHP 0.82 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter. 27712 5089 SQL injection vulnerability in index.php in the Gallery (com_gallery) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action. 20080208 Mambo Component com_gallery Remote SQL Injection Vulnerability 20080208 Mambo Component com_gallery Remote SQL Injection Vulnerability 27695 5084 Stack-based buffer overflow in COWON America jetAudio 7.0.5 and earlier allows user-assisted remote attackers to execute arbitrary code via a long URL in a .asx file, a different vulnerability than CVE-2007-5487. 3642 20080208 jetAudio <= 7.0.5 (.ASX) Remote Stack Overflow 27698 ADV-2008-0502 5085 Buffer overflow in the Sony AxRUploadServer.AxRUploadControl.1 ActiveX control in AxRUploadServer.dll 1.0.0.38 in SonyISUpload.cab 1.0.0.38 for Sony ImageStation allows remote attackers to execute arbitrary code via a long argument to the SetLogging method. NOTE: some of these details are obtained from third party information. 3648 20080208 Buffer Overflow Vulnerability in AxRUploadServer.dll, Activex Method (SetLogging) 20080208 Re: Buffer Overflow Vulnerability in AxRUploadServer.dll, Activex Method (SetLogging) 27715 ADV-2008-0483 5086 5100 Cross-site scripting (XSS) vulnerability in index.php in Calimero.CMS 3.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter in a calimero_webpage action. http://downloads.securityfocus.com/vulnerabilities/exploits/27690.html 27690 SQL injection vulnerability in philboard_forum.asp in Husrev BlackBoard 2.0.2 allows remote attackers to execute arbitrary SQL commands via the forumid parameter. 3641 20080207 Husrev Forums v2.0.1:PoWerBoard (tr) (id) Remote SQL Injection 20080207 Blackboard (id) Remote SQL Injection 27714 blackboard-philboardforum-sql-injection(40368) Cross-site scripting (XSS) vulnerability in the Freetag before 2.96 plugin for S9Y Serendipity, when using Internet Explorer 6 or 7, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to plugin/tag/. http://blog.s9y.org/archives/190-Freetag-plugin-updated-to-prevent-XSS.html 20080208 Serendipity Freetag-plugin XSS vulnerability http://www.bitsploit.de/uploads/Code/200802080000/ 27697 serendipity-freetag-xss(40376) SQL injection vulnerability in index.php in the Neogallery (com_neogallery) 1.1 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a show action. 27692 neogallery-index-sql-injection(40357) 5083 SQL injection vulnerability in calendar.php in Virtual War (VWar) 1.5 allows remote attackers to execute arbitrary SQL commands via the month parameter. 3643 20080210 Vwar 1.5.0 27722 Multiple SQL injection vulnerabilities in index.php in the Rapid Recipe (com_rapidrecipe) 1.6.5 component for Joomla! allow remote attackers to execute arbitrary SQL commands via (1) the user_id parameter in a showuser action or (2) the category_id parameter in a viewcategorysrecipes action. 3649 20080210 Default Multiple Joomla! Component com_rapidrecipe "user_id=" Remote SQL Inj. 27724 Format string vulnerability in the ReportSysLogEvent function in the LPD server in cyan soft Opium OPI Server 4.10.1028 and earlier; cyanPrintIP Easy OPI, Professional, and Basic 4.10.1030 and earlier; Workstation 4.10.836 and earlier; and Standard 4.10.940 and earlier; might allow remote attackers to execute arbitrary code via format string specifiers in the queue name in a request. http://aluigi.altervista.org/adv/cyanuro-adv.txt 20080211 Format string and DoS in Opium OPI and cyanPrintIP servers 4.10.x 27728 27734 ADV-2008-0498 The LPD server in cyan soft Opium OPI Server 4.10.1028 and earlier; cyanPrintIP Easy OPI, Professional, and Basic 4.10.1030 and earlier; Workstation 4.10.836 and earlier; and Standard 4.10.940 and earlier; allows remote attackers to cause a denial of service (daemon crash) via a connection that begins with (1) a "Send queue state" LPD command 3 or (2) a "Send queue state" LPD command 4. http://aluigi.altervista.org/adv/cyanuro-adv.txt 20080211 Format string and DoS in Opium OPI and cyanPrintIP servers 4.10.x 27728 27734 ADV-2008-0498 Cross-site scripting (XSS) vulnerability in index.php in MercuryBoard 1.1.5 allows remote attackers to inject arbitrary web script or HTML via the message parameter (aka the message text area), which leads to an injection in the messenger during private message (PM) preview. NOTE: some of these details are obtained from third party information. http://forum.aria-security.net/showthread.php?t=522 20080210 Mercury v1.1.5 Send Message Cross-Site Scripting 27730 1019371 Multiple directory traversal vulnerabilities in the Zidget/HTTP embedded HTTP server in ExtremeZ-IP File and Print Server 5.1.2x15 and earlier allow remote attackers to read arbitrary (1) gif, (2) png, (3) jpg, (4) xml, (5) ico, (6) zip, and (7) html files via a "..\" (dot dot backslash) sequence in the filename. http://aluigi.altervista.org/adv/ezipirla-adv.txt http://aluigi.org/poc/ezipirla.zip http://www.grouplogic.com/files/ez/hot/hotFix51.cfm 20080211 Multiple vulnerabilities in EztremeZ-IP File and Printer Server 5.1.2x15 27718 ADV-2008-0485 ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server 5.1.2x15 and earlier allows remote attackers to cause a denial of service (daemon crash) via an invalid UAM field in a request to the Apple Filing Protocol (AFP) service on TCP port 548. http://aluigi.altervista.org/adv/ezipirla-adv.txt http://aluigi.org/poc/ezipirla.zip http://www.grouplogic.com/files/ez/hot/hotFix51.cfm 20080211 Multiple vulnerabilities in EztremeZ-IP File and Printer Server 5.1.2x15 27718 ADV-2008-0485 Directory traversal vulnerability in SafeNet Sentinel Protection Server 7.4.1.0 and earlier, and Sentinel Keys Server 1.0.4.0 and earlier, allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the URI. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-6483. http://aluigi.altervista.org/adv/sentinella-adv.txt 3646 20080211 Directory traversal in SafeNet Sentinel Protection and Key Server 7.4.1.0 27735 ADV-2008-0499 SQL injection vulnerability in index.php in the Prince Clan Chess Club (com_pcchess) 0.8 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter in a players action. 27761 pcchessclub-index-sql-injection(40436) 5104 SQL injection vulnerability in index.php in the com_iomezun component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit action. 20080212 joomla (k12.tr)(com_iomezun)SQL Injection 27748 iomezun-index-sql-injection(40447) Stack-based buffer overflow in NPSpcSVR.exe in Larson Network Print Server (LstNPS) 9.4.2 build 105 and earlier allows remote attackers to execute arbitrary code via a long argument in a LICENSE command on TCP port 3114. http://aluigi.altervista.org/adv/lstnpsx-adv.txt 20080211 Format string and buffer-overflow in Lst Network Print Server 9.4.2 build 105 27732 ADV-2008-0500 networkprintserver-npspcsvr-bo(40421) Format string vulnerability in the logging function in Larson Network Print Server (LstNPS) 9.4.2 build 105 and earlier for Windows might allow remote attackers to execute arbitrary code via format string specifiers in a USEP command on TCP port 3114. http://aluigi.altervista.org/adv/lstnpsx-adv.txt 20080211 Format string and buffer-overflow in Lst Network Print Server 9.4.2 build 105 27732 ADV-2008-0500 networkprintserver-logging-format-string(40420) Multiple cross-site scripting (XSS) vulnerabilities in artmedic webdesign weblog allow remote attackers to inject arbitrary web script or HTML via the (1) date parameter to artmedic_print.php and the (2) jahrneu parameter to index.php. 20080212 artmedic weblog multiple xss vulnerabilities 20080215 artmedic_weblog Cross Site Scriptting Vulnerbility 20080215 Re: artmedic_weblog Cross Site Scriptting Vulnerbility 27745 Stack-based buffer overflow in RpmSrvc.exe in Brooks Remote Print Manager (RPM) 4.5.1.11 and earlier (Elite and Select) for Windows allows remote attackers to execute arbitrary code via a long filename in a "Receive data file" LPD command. NOTE: some of these details are obtained from third party information. http://aluigi.altervista.org/adv/rpmlpdbof-adv.txt 20080212 Unicode buffer-overflow in RPM Remote Print Manager 4.5.1.11 27742 ADV-2008-0501 rpm-receivedatafile-bo(40432) ExtremeZ-IP.exe in ExtremeZ-IP File and Print Server 5.1.2x15 and earlier does not verify that a certain "number of URLs" field is consistent with the packet length, which allows remote attackers to cause a denial of service (daemon crash) via a large integer in this field in a packet to the Service Location Protocol (SLP) service on UDP port 427, triggering an out-of-bounds read. http://aluigi.altervista.org/adv/ezipirla-adv.txt http://aluigi.org/poc/ezipirla.zip http://www.grouplogic.com/files/ez/hot/hotFix51.cfm 20080211 Multiple vulnerabilities in EztremeZ-IP File and Printer Server 5.1.2x15 27718 ADV-2008-0485 Multiple stack-based and heap-based buffer overflows in the Windows RPC components for IBM Informix Storage Manager (ISM), as used in Informix Dynamic Server (IDS) 10.00.xC8 and earlier and 11.10.xC2 and earlier, allow attackers to execute arbitrary code via crafted XDR requests. 27485 1019281 ADV-2008-0317 http://www-01.ibm.com/support/docview.wss?uid=swg21294211 IC55040 IC55041 ibm-ids-xdr-bo(40018) Cross-site scripting (XSS) vulnerability in Livelink ECM 9.0.0 through 9.7.0 and possibly earlier does not set the charset, which allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded input. 20080131 Livelink UTF-7 XSS Vulnerability http://withdk.com/archives/livelink-utf7-xss-advisory.pdf 27537 livelink-utf7-security-bypass(40123) SQL injection vulnerability in arcade.php in ibProArcade 3.3.0 and earlier allows remote attackers to execute arbitrary SQL commands via the g_display_order cookie parameter. ADV-2008-0366 5018 Multiple SQL injection vulnerabilities in default.asp in Site2Nite allow remote attackers to execute arbitrary SQL commands via the (1) txtUserName and (2) txtPassword parameters. NOTE: some of these details are obtained from third party information. 3650 20080116 [Aria-Security.Net] Real Estate Web SQL Injection 27330 realestatewebsite-default-sql-injection(39734) SQL injection vulnerability in index.php in the com_doc component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the sid parameter in a view task. 27679 5080 SQL injection vulnerability in Phil Taylor Comments (com_comments, aka Review Script) 0.5.8.5g and earlier component for Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter. 27731 5094 Cross-site scripting (XSS) vulnerability in search.cgi in Loris Hotel Reservation System 3.01 and possibly earlier allows remote attackers to inject arbitrary web script or HTML via the hotel_name parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27729 Cross-site scripting (XSS) vulnerability in sboxDB.php in Simple Machines Forum (SMF) Shoutbox 1.14 through 1.16b allows remote attackers to inject arbitrary web script or HTML via strings to the shoutbox form that start with "&#", contain the desired script, and end with ";". 3651 20080210 Simple Machines Forum "SMF Shoutbox" Mod Persistent XSS 20080321 Re: Simple Machines Forum "SMF Shoutbox" Mod Persistent XSS 20080422 Re: Simple Machines Forum "SMF Shoutbox" Mod Persistent XSS 27727 SQL injection vulnerability in detail.php in iTechBids Gold 6.0 allows remote attackers to execute arbitrary SQL commands via the item_id parameter. 27717 5096 The sendfile system call in FreeBSD 5.5 through 7.0 does not check the access flags of the file descriptor used for sending a file, which allows local users to read the contents of write-only files. FreeBSD-SA-08:03 1019416 27789 Multiple stack-based buffer overflows in an ActiveX control in QTPlugin.ocx for Apple QuickTime 7.4.1 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long arguments to the (1) SetBgColor, (2) SetHREF, (3) SetMovieName, (4) SetTarget, and (5) SetMatrix methods. 3652 20080212 QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow 27769 apple-quicktime-qtplugin-bo(40475) 5110 The fortimon.sys device driver in Fortinet FortiClient Host Security 3.0 MR5 Patch 3 and earlier does not properly initialize its DeviceExtension, which allows local users to access kernel memory and execute arbitrary code via a crafted request. http://kc.forticare.com/default.asp?id=3618 3660 http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=47&Itemid=15 20080213 [Reversemode Advisory] February Advisories : Microsoft Word 2003 + Fortinet Forticlient 27776 1019415 ADV-2008-0541 forticlient-fortimon-privilege-escalation(40512) Cross-site scripting (XSS) vulnerability in MoinMoin 1.5.x through 1.5.8 and 1.6.x before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via the login action. http://hg.moinmo.in/moin/1.5/rev/2f952fa361c7 http://hg.moinmo.in/moin/1.6/rev/9f4bdc7ef80d DSA-1514 GLSA-200803-27 27904 ADV-2008-0569 https://bugzilla.redhat.com/show_bug.cgi?id=432747 USN-716-1 FEDORA-2008-1880 FEDORA-2008-1905 Multiple cross-site scripting (XSS) vulnerabilities in action/AttachFile.py in MoinMoin 1.5.8 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) message, (2) pagename, and (3) target filenames. http://hg.moinmo.in/moin/1.5/rev/db212dfc58ef DSA-1514 GLSA-200803-27 27904 ADV-2008-0569 https://bugzilla.redhat.com/show_bug.cgi?id=432748 USN-716-1 FEDORA-2008-1880 FEDORA-2008-1905 Directory traversal vulnerability in MoinMoin 1.5.8 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the MOIN_ID user ID in a cookie for a userform action. NOTE: this issue can be leveraged for PHP code execution via the quicklinks parameter. http://hg.moinmo.in/moin/1.5/rev/e69a16b6e630 20080124 MoinMoin 1.5.x MOIND_ID cookie Bug Remote Exploit DSA-1514 GLSA-200803-27 27404 ADV-2008-0569 moinmoin-readme-file-overwrite(39837) USN-716-1 4957 Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote attackers to inject arbitrary web script or HTML via (1) the view_type parameter to graph.php; (2) the filter parameter to graph_view.php; (3) the action parameter to the draw_navigation_text function in lib/functions.php, reachable through index.php (aka the login page) or data_input.php; or (4) the login_username parameter to index.php. http://bugs.cacti.net/view.php?id=1245 SUSE-SR:2008:005 GLSA-200803-18 3657 http://www.cacti.net/release_notes_0_8_7b.php DSA-1569 MDVSA-2008:052 20080212 cacti -- Multiple security vulnerabilities have been discovered 20080212 Cacti 0.8.7a Multiple Vulnerabilities 27749 34991 1019414 ADV-2008-0540 https://bugzilla.redhat.com/show_bug.cgi?id=432758 cacti-datainput-xss(50575) FEDORA-2008-1699 FEDORA-2008-1737 graph.php in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allows remote attackers to obtain the full path via an invalid local_graph_id parameter and other unspecified vectors. SUSE-SR:2008:005 GLSA-200803-18 3657 http://www.cacti.net/release_notes_0_8_7b.php MDVSA-2008:052 20080212 cacti -- Multiple security vulnerabilities have been discovered 20080212 Cacti 0.8.7a Multiple Vulnerabilities 27749 1019414 ADV-2008-0540 https://bugzilla.redhat.com/show_bug.cgi?id=432758 FEDORA-2008-1699 FEDORA-2008-1737 Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.php, (3) local_graph_id parameter to graph_xport.php, and (4) login_username parameter to index.php/login. SUSE-SR:2008:005 GLSA-200803-18 3657 http://www.cacti.net/release_notes_0_8_7b.php DSA-1569 MDVSA-2008:052 20080212 cacti -- Multiple security vulnerabilities have been discovered 20080212 Cacti 0.8.7a Multiple Vulnerabilities 27749 1019414 ADV-2008-0540 https://bugzilla.redhat.com/show_bug.cgi?id=432758 FEDORA-2008-1699 FEDORA-2008-1737 CRLF injection vulnerability in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k, when running on older PHP interpreters, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. SUSE-SR:2008:005 GLSA-200803-18 3657 http://www.cacti.net/release_notes_0_8_7b.php MDVSA-2008:052 20080212 cacti -- Multiple security vulnerabilities have been discovered 20080212 Cacti 0.8.7a Multiple Vulnerabilities 27749 1019414 ADV-2008-0540 https://bugzilla.redhat.com/show_bug.cgi?id=432758 FEDORA-2008-1699 FEDORA-2008-1737 SQL injection vulnerability in inc/datahandlers/pm.php in MyBB before 1.2.12 allows remote authenticated users to execute arbitrary SQL commands via the options[disablesmilies] parameter to private.php. http://community.mybboard.net/showthread.php?tid=27675 20080121 [waraxe-2008-SA#064] - Sql Injection in MyBB 1.2.11 27378 1019257 ADV-2008-0238 http://www.waraxe.us/advisory-64.html 5070 Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2.11 and earlier allow remote attackers to (1) hijack the authentication of moderators or administrators for requests that delete threads via a do_multideletethreads action to moderation.php and (2) hijack the authentication of arbitrary users for requests that delete private messages (PM) via a delete action to private.php. http://community.mybboard.net/showthread.php?tid=27675 3656 20080118 MyBB 1.2.11 Multiple XSRF Vulnerabilities ADV-2008-0238 SQL injection vulnerability in countdown.php in LI-Scripts LI-Countdown allows remote attackers to execute arbitrary SQL commands via the years parameter. 3655 20080212 LI-countdown SQL Injection Vulnerability 27753 Directory traversal vulnerability in ipdsserver.exe in Intermate WinIPDS 3.3 G52-33-021 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI. http://aluigi.altervista.org/adv/winipds-adv.txt 3658 20080212 Directory traversal and DoS in WinIPDS G52-33-021 20080313 Re: Directory traversal and DoS in WinIPDS G52-33-021 27757 ipdsserver.exe in Intermate WinIPDS 3.3 G52-33-021 allows remote attackers to cause a denial of service (CPU consumption) via short packets on TCP port 5001 with the 3, 5, 7, 13, 14, or 15 packet types. http://aluigi.altervista.org/adv/winipds-adv.txt 3658 20080212 Directory traversal and DoS in WinIPDS G52-33-021 20080313 Re: Directory traversal and DoS in WinIPDS G52-33-021 27757 Multiple F-Secure anti-virus products, including Internet Security 2006 through 2008, Anti-Virus 2006 through 2008, F-Secure Protection Service, and others, allow remote attackers to bypass malware detection via a crafted CAB archive. http://www.f-secure.com/security/fsc-2008-1.shtml 1019405 1019412 1019413 ADV-2008-0544 fsecure-cab-rar-security-bypass(40480) Multiple cross-site scripting (XSS) vulnerabilities in search.asp in Tendenci CMS allow remote attackers to inject arbitrary web script or HTML via the (1) category, (2) searchtext, (3) jobcategoryid, (4) contactcompany, and unspecified other parameters. NOTE: some of these details are obtained from third party information. NOTE: it is not clear whether this affects Tendenci Enterprise Edition in addition to the product's deployment on Tendenci's own server farm. If only the latter was affected, then this issue should not be included in CVE. http://blog.tendenci.com/2008/02/cross-site-scri.html http://holisticinfosec.blogspot.com/2008/02/fastest-fix-in-west-vendors-excellent.html 27782 tendencicms-search-xss(40477) Directory traversal vulnerability in user/header.php in Affiliate Market 0.1 BETA allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter. 27777 affiliatemarket-header-file-include(40472) 5108 SQL injection vulnerability in index.php in the MGFi XfaQ (com_xfaq) 1.2 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an answer action. 27784 xfaq-index-sql-injection(40494) 5109 SQL injection vulnerability in threads.php in Nuboard 0.5 allows remote attackers to execute arbitrary SQL commands via the ssid parameter. 5115 Directory traversal vulnerability in lib/download.php in iTheora 1.0 rc1 allows remote attackers to read arbitrary files via directory traversal sequences in the url parameter. http://en.wikipedia.org/wiki/Talk:Itheora http://menguy.aymeric.free.fr/theora/news.php 27788 itheora-download-directory-traversal(40506) Multiple directory traversal vulnerabilities in artmedic webdesign weblog 1.0, when magic_quotes_gpc is disabled, allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ta parameter to artmedic_index.php, reached through index.php; and the (2) date parameter to artmedic_print.php. 20080213 artmedic weblog multiple local file inclusion vulnerabilities 27797 artmedicweblog-artmedicprint-file-include(40522) 5116 SQL injection vulnerability in index.php in the Quiz (com_quiz) 0.81 and earlier component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the tid parameter in a user_tst_shw action. 27808 5119 SQL injection vulnerability in index.php in the McQuiz (com_mcquiz) 0.9 Final component for Joomla! allows remote attackers to execute arbitrary SQL commands via the tid parameter in a user_tst_shw action. 27809 5118 SQL injection vulnerability in index.php in the PAXXGallery (com_paxxgallery) 0.2 component for Mambo and Joomla! allow remote attackers to execute arbitrary SQL commands via (1) the iid parameter in a view action, and possibly (2) the userid parameter. 27811 paxxgallery-index-sql-injection(40497) 5117 SQL injection vulnerability in index.php in the MediaSlide (com_mediaslide) 0.5 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the albumnum parameter in a contact action. 27805 mediaslide-index-sql-injection(40517) 5120 Multiple PHP remote file inclusion vulnerabilities in LookStrike Lan Manager 0.9 allow remote attackers to execute arbitrary PHP code via a URL in the sys_conf[path][real] parameter to (1) modules\class\Table.php; (2) db_admins.php, (3) db_alert.php, (4) db_double.php, (5) db_games.php, (6) db_matches.php, (7) db_match_teams.php, (8) db_news.php, (9) db_platform.php, (10) db_players.php, (11) db_server_group.php, (12) db_server_ip.php, (13) db_teams.php, (14) db_team_players.php, (15) db_tournaments.php, (16) db_tournament_teams.php, and (17) db_trees.php in modules\class\db\; and (18) Match.php, (19) MatchTeam.php, (20) Rule.php, (21) RuleBuilder.php, (22) RulePool.php, (23) RuleSingle.php, (24) RuleTree.php, (25) Tournament.php, (26) TournamentTeam.php, (27) Tree.php, and (28) TreeSingle.php in modules\class\tournament\. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences. lookstrikelanmanager-sysconf-file-include(40519) 5121 PHP remote file inclusion vulnerability in usrgetform.html in Thecus N5200Pro NAS Server allows remote attackers to execute arbitrary PHP code via a URL in the name parameter. 27865 5150 Unrestricted file upload vulnerability in image.php in PHPizabi 0.848b C1 HFP1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension from the event page, then accessing it via a direct request to the file in system/cache/pictures. 27847 ADV-2008-0585 5136 wyrd 1.4.3b allows local users to overwrite arbitrary files via a symlink attack on the wyrd-tmp.[USERID] temporary file. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466382 27848 https://bugzilla.redhat.com/show_bug.cgi?id=433719 FEDORA-2008-1963 FEDORA-2008-1986 lib/Driver/sql.php in Turba 2 (turba2) Contact Manager H3 2.1.x before 2.1.7 and 2.2.x before 2.2-RC3, as used in products such as Horde Groupware before 1.0.4 and Horde Groupware Webmail Edition before 1.0.5, does not properly check access rights, which allows remote authenticated users to modify address data via a modified object_id parameter to edit.php, as demonstrated by modifying a personal address book entry when there is write access to a shared address book. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464058 [announce] 20080215 Turba H3 (2.1.7) (final) [announce] 20080215 Turba H3 (2.2-RC3) [announce] 20080215 Horde Groupware 1.0.4 (final) [announce] 20080215 Horde Groupware Webmail Edition 1.0.5 (final) DSA-1507 27844 1019433 ADV-2008-0593 https://bugzilla.redhat.com/show_bug.cgi?id=432027 FEDORA-2008-2040 FEDORA-2008-2087 Cross-site scripting (XSS) vulnerability in the meta plugin in Ikiwiki before 1.1.47 allows remote attackers to inject arbitrary web script or HTML via meta tags. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465110 http://ikiwiki.info/security/#index30h2 DSA-1523 27760 Cross-site scripting (XSS) vulnerability in the htmlscrubber in Ikiwiki before 1.1.46 allows remote attackers to inject arbitrary web script or HTML via title contents. http://ikiwiki.info/security/#index27h2 DSA-1523 27760 SQL injection vulnerability in the com_scheduling module for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter. 3662 20080216 joomla SQL Injection( com_scheduling) 27830 Multiple SQL injection vulnerabilities in AuraCMS 1.62 allow remote attackers to execute arbitrary SQL commands via (1) the kid parameter to (a) mod/dl.php or (b) mod/links.php, and (2) the query parameter to search.php. 27841 1019430 5130 Directory traversal vulnerability in DMS/index.php in BanPro DMS 1.0 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the action parameter. 3666 20080216 banpro-dms 1.0 local file inclusion vulnerability 27831 Directory traversal vulnerability in Download.php in XPWeb 3.0.1, 3.3.2, and possibly other versions, allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter. 27838 ADV-2008-0584 5137 Directory traversal vulnerability in download.php in Tracking Requirements & Use Cases (TRUC) 0.11.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the upload_filename parameter. 27839 5129 SQL injection vulnerability in the com_mezun component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit task. 3663 20080212 joomll(k12.tr)(com_mezun)SQL Injection 27755 mezun-index-sql-injection(40448) SQL injection vulnerability in the com_sg component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the pid parameter in an order task. 3664 20080215 joomla SQL Injection(com_sg) 27821 SQL injection vulnerability in the com_filebase component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the filecatid parameter in a selectfolder action. 3665 20080215 joomla SQL Injection(com_filebase) 20080216 joomla SQL Injection(com_filebase) 27829 filebase-index-sql-injection(40616) Multiple directory traversal vulnerabilities in freePHPgallery 0.6 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang cookie to (1) comment.php, (2) index.php, and (3) show.php. http://sourceforge.net/forum/forum.php?forum_id=785794 27806 ADV-2008-0589 5124 Directory traversal vulnerability in index.php in PlutoStatus Locator 1.0 pre alpha allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter. The security focus bid link states that this is a local file include vulnerability. 3667 20080214 PlutoStatus Locator v1.0pre (alpha) local file inclusion vulnerability 27802 ** DISPUTED ** Cross-site scripting (XSS) vulnerability in index.php in Etomite 0.6.1.4 Final allows remote attackers to inject arbitrary web script or HTML via $_SERVER['PHP_INFO']. NOTE: the vendor disputes this issue in a followup, stating that the affected variable is $_SERVER['PHP_SELF'], and "This is not an Etomite specific exploit and I would like the report rescinded." 3669 http://www.etomite.com/forums/index.php?showtopic=7647 20080214 etomite xss 20080218 Re: etomite xss 27794 etomite-index-xss(40525) SQL injection vulnerability in admin/traffic/knowledge_searchm.php in OSI Codes Inc. PHP Live! 3.2.2 allows remote attackers to execute arbitrary SQL commands via the questid parameter in an expand_question action. 27807 5125 Directory traversal vulnerability in index.php in Scribe 0.2 allows remote attackers to read arbitrary local files via a .. (dot dot) in the page parameter. Security focus bid link notes that this is a local file include vulnerability. 3668 20080214 scribe 0.2 local file inclusion vulnerability 27803 5123 Unspecified vulnerability in the Header Image Module before 5.x-1.1 for Drupal allows remote attackers to access the administration pages via unknown attack vectors. http://drupal.org/node/221359 27787 ADV-2008-0571 drupal-headerimage-security-bypass(40510) Unspecified vulnerability in the php2phps function in Claroline before 1.8.9 has unknown impact and attack vectors. http://sourceforge.net/project/shownotes.php?release_id=575934 SQL injection vulnerability in Claroline before 1.8.9 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://sourceforge.net/project/shownotes.php?release_id=575934 27846 ADV-2008-0596 Cross-site scripting (XSS) vulnerability in Claroline before 1.8.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://sourceforge.net/project/shownotes.php?release_id=575934 27846 ADV-2008-0596 SQL injection vulnerability in the Books module of PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cid parameter. 27863 books-cid-sql-injection(40857) 5147 Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the profile. 3670 20080217 ATutor <= 1.5.5 Cross Site Scripting 27855 SQL injection vulnerability in jooget.php in the Joomlapixel Jooget! (com_jooget) 2.6.8 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail task. http://forum.joomlaitalia.com/index.php?topic=388.0 http://members.joomlapixel.eu/download/componenti/patch-jooget-2.6.8-sql-injection/details.html 27836 5132 The Digital Photo Access Protocol (DPAP) server for iPhoto 4.0.3 allows remote attackers to cause a denial of service (crash) via a malformed dpap: URI, a different vulnerability than CVE-2008-0043. 27867 1019488 5151 Multiple SQL injection vulnerabilities in the Rapid Recipe (com_rapidrecipe) 1.6.5 and earlier component for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) user_id or (2) category_id parameter. NOTE: this might overlap CVE-2008-0754. 5103 SQL injection vulnerability in index.php in the Kemas Antonius com_quran 1.1 and earlier component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the surano parameter in a viewayat action. 20080223 php-nuke Quran SQL Injection(surano) 27842 quran-index-sql-injection(40573) 5128 SQL injection vulnerability in index.php in the com_galeria component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action. 20080216 joomla SQL Injection(com_galeria) 27833 5134 Cross-site scripting (XSS) vulnerability in Lotus Quickr for i5/OS before 8.0.0.2 Hotfix 11, when anonymous access is disabled on HTTP ports, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 27840 1019431 ADV-2008-0590 http://www-1.ibm.com/support/docview.wss?uid=swg24016411 SQL injection vulnerability in indexen.php in Simple CMS 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the area parameter. 20080217 Simple CMS <= 1.0.3 (indexen.php area) Remote SQL Injection Exploit 27843 5131 Unspecified vulnerability in the vuidmice STREAMS modules in Sun Solaris 9 and 10 on x86 architectures allows local users to cause a denial of service (panic) via unspecified vectors that trigger a NULL pointer dereference in the vuid3ps2 module, a different issue than CVE-2007-5319. 200635 1019429 ADV-2008-0582 Cross-site scripting (XSS) vulnerability in the log feature in the John Godley Search Unleashed 0.2.10 plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, which is not properly handled when the administrator views the log file. 3674 http://urbangiraffe.com/tracker/issues/show/60 20080213 Search Unleashed 0.2.10 JavaScript injection (Wordpress plugin) 27791 searchunleashed-log-xss(40513) Multiple cross-site scripting (XSS) vulnerabilities in the web administration interface in Sophos ES1000 and ES4000 Email Security Appliance 2.1.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) error and (2) go parameters to the login page. 3673 http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-02-13 20080215 [INFIGO-2008-02-13]: SOPHOS Email Security Appliance Cross Site Scripting Vulnerability 27813 1019427 http://www.sophos.com/support/knowledgebase/article/34733.html ADV-2008-0574 SQL injection vulnerability in refer.php in the astatsPRO (com_astatspro) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter. 27850 astatspro-refer-sql-injection(40611) 5138 Directory traversal vulnerability in view_member.php in Public Warehouse LightBlog 9.6 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the username parameter. 20080217 lightblog 9.6 local file inclusion vulnerability 27837 ADV-2008-0621 5140 SQL injection vulnerability in index.php in the Giorgio Nordo Ricette (com_ricette) 1.0 component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter. 27834 5133 SQL injection vulnerability in index.php in the Classifier (com_clasifier) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 27917 ADV-2008-0620 clasifier-index-sql-injection(40629) 5146 StatCounteX 3.0 and 3.1 allows remote attackers to obtain sensitive information and edit configuration scripts via a direct request to admin.asp. http://packetstormsecurity.org/1002-exploits/statcountex-disclose.txt 3675 11434 20080214 StatCounteX 3.0 & 3.1 Admin Vulnerability 27814 SQL injection vulnerability in index.php in the PccookBook (com_pccookbook) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the user_id parameter. 27864 pccookbook-index-sql-injection(40620) 5145 SQL injection vulnerability in wp-people-popup.php in Dean Logan WP-People plugin 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the person parameter. 3672 20080216 Wordpress Plugin (wp-people) SQL Injection 27858 wppeople-wppeoplepopup-sql-injection(40860) SQL injection vulnerability in index.php in the com_profile component for Joomla! allows remote attackers to execute arbitrary SQL commands via the oid parameter. 20080216 joomla SQL Injection(com_profile) 27851 SQL injection vulnerability in print.php in the myTopics module for XOOPS allows remote attackers to execute arbitrary SQL commands via the articleid parameter. 20080218 XOOPS Module myTopics-print SQL Injection(articleid) 27861 mytopics-print-sql-injection(40627) 5148 Cross-site scripting (XSS) vulnerability in lostsheep.php in Crafty Syntax Live Help (CSLH) before 2.14.16, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the versions claimed by the original researcher are probably incorrect. 3688 http://sourceforge.net/project/shownotes.php?release_id=580994 20080218 Crafty Syntax Xss Vulnerability 20080302 Re: Crafty Syntax Xss Vulnerability 27859 cslh-lostsheep-xss(40636) SQL injection vulnerability in index.php in the Downloads (com_downloads) component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the cat parameter in a selectcat function, a different vector than CVE-2008-0652. 3676 20080216 joomla SQL Injection (cat)(com_downloads) 27860 downloads-indexphp-sql-injection(40621) Multiple SQL injection vulnerabilities in Dokeos 1.8.4 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to whoisonline.php, (2) tracking_list_coaches_column parameter to main/mySpace/index.php, (3) tutor_name parameter to main/create_course/add_course.php, the (4) Referer HTTP header to index.php, and the (5) X-Fowarded-For HTTP header to main/admin/class_list.php. http://projects.dokeos.com/index.php?do=details&task_id=2218 3687 20080219 [DSECRG-08-015] Multiple Security Vulnerabilities in Dokeos 1.8.4 27792 1019425 ADV-2008-0587 Multiple cross-site scripting (XSS) vulnerabilities in Dokeos 1.8.4 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to inscription.php, (2) courseCode parameter to main/calendar/myagenda.php, (3) category parameter to main/admin/course_category.php, (4) message parameter to main/admin/session_list.php in a show_message action, and (5) an avatar image to main/auth/profile.php. http://projects.dokeos.com/index.php?do=details&task_id=2218 3687 20080219 [DSECRG-08-015] Multiple Security Vulnerabilities in Dokeos 1.8.4 27792 1019425 ADV-2008-0587 freeSSHd 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a SSH2_MSG_NEWKEYS packet to TCP port 22, which triggers a NULL pointer dereference. http://aluigi.altervista.org/adv/freesshdnull-adv.txt 20080219 NULL pointer crash in freeSSHd 1.20 27845 ADV-2008-0591 SQL injection vulnerability in the com_detail component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. NOTE: this issue might be site-specific. If so, it should not be included in CVE. 3677 20080216 joomla SQL Injection(com_detail) 20080218 joomla SQL Injection(com_detail) 27853 SQL injection vulnerability in the com_salesrep component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the rid parameter in a showrep action to index.php. 3678 20080215 joomla SQL Injection(com_salesrep) 27827 salesrep-index-sql-injection(40619) SQL injection vulnerability in the Facile Forms (com_facileforms) component for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php. 3679 20080218 joomla SQL Injection(com_facileforms) 27880 Multiple SQL injection vulnerabilities in e-Vision CMS 2.02 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) iframe.php and (2) print.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27816 evisioncms-iframe-print-sql-injection(40859) SQL injection vulnerability in index.php in WoltLab Burning Board 3.0.3 PL 1 allows remote attackers to execute arbitrary SQL commands via the sortOrder parameter to the PMList page. 3680 20080219 WoltLab Burning Board 3.0.3 PL1 SQL-Injection Vulnerability 27885 5164 Buffer overflow in the Visnetic anti-virus plugin in Kerio MailServer before 6.5.0 might allow remote attackers to execute arbitrary code via unspecified vectors. http://www.kerio.com/kms_history.html 27868 1019428 ADV-2008-0594 Unspecified vulnerability in Kerio MailServer before 6.5.0 allows remote attackers to cause a denial of service (crash) via unspecified vectors related to decoding of uuencoded input, which triggers memory corruption. http://www.kerio.com/kms_history.html 27868 1019428 ADV-2008-0594 Unspecified vulnerability in the AVG plugin in Kerio MailServer before 6.5.0 has unspecified impact via unknown remote attack vectors related to null DACLs. http://www.kerio.com/kms_history.html 27868 1019428 ADV-2008-0594 Cross-site scripting (XSS) vulnerability in leg/Main.nsf in IBM Lotus Quickplace 7.0 allows remote attackers to inject arbitrary web script or HTML via an h_SearchString sub-parameter in the PreSetFields parameter of an EditDocument action. http://www.securiteam.com/securitynews/5AP0B2KNFM.html 27871 1019432 ADV-2008-0841 IBM Lotus Notes 6.0, 6.5, 7.0, and 8.0 signs an unsigned applet when a user forwards an email message to another user, which allows user-assisted remote attackers to bypass Execution Control List (ECL) protection. ADV-2008-0600 http://www-1.ibm.com/support/docview.wss?uid=swg21257250 BEA WebLogic Server and WebLogic Express 9.0 and 9.1 exposes the web service's WSDL and security policies, which allows remote attackers to obtain sensitive information and potentially launch further attacks. BEA08-187.00 1019455 ADV-2008-0612 Admin Tools in BEA WebLogic Portal 8.1 SP3 through SP6 can inadvertently remove entitlements for pages when an administrator edits the page definition label, which might allow remote attackers to bypass intended access restrictions. BEA08-183.00 1019454 ADV-2008-0613 Unspecified vulnerability in BEA WebLogic Portal 8.1 through SP6 allows remote attackers to bypass entitlements for instances of a floatable WLP portlet via unknown vectors. BEA08-184.00 1019451 ADV-2008-0613 Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Workshop allow remote attackers to inject arbitrary web script or HTML via an invalid action URI, which is not properly handled by NetUI page flows. BEA08-185.00 1019441 ADV-2008-0611 Cross-site scripting (XSS) vulnerability in portal/server.pt in BEA AquaLogic Interaction 6.1 through MP1 and Plumtree Foundation 6.0 through SP1 allows remote attackers to inject arbitrary web script or HTML via the name parameter. BEA08-186.00 http://www.procheckup.com/Vulnerability_PR06-12.php 20080219 PR06-12: XSS on BEA Plumtree Foundation and AquaLogic Interaction portals 1019440 ADV-2008-0610 Cross-site scripting (XSS) vulnerability in Groupspace in BEA WebLogic Portal 10.0 and 9.2 through Maintenance Pack 1 allows remote authenticated users to inject arbitrary web script or HTML via unknown vectors. BEA08-188.00 1019452 ADV-2008-0613 Cross-site scripting (XSS) vulnerability in BEA WebLogic Workshop 8.1 through SP6 and Workshop for WebLogic 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via a "framework defined request parameter" when using WebLogic Workshop or Apache Beehive NetUI framework with page flows. BEA08-189.00 1019438 ADV-2008-0611 ADV-2008-0612 BEA WebLogic Portal 10.0 and 9.2 through Maintenance Pack 2, under certain circumstances, can redirect a user from the https:// URI for the Portal Administration Console to an http URI, which allows remote attackers to sniff the session. BEA08-190.00 1019442 ADV-2008-0613 Multiple stack-based buffer overflows in Now SMS/MMS Gateway 2007.06.27 and earlier allow remote attackers to execute arbitrary code via a (1) long password in an Authorization header to the HTTP service or a (2) large packet to the SMPP service. http://aluigi.altervista.org/adv/nowsmsz-adv.txt 20080219 Multiple buffer-overflow in NowSMS v2007.06.27 27896 ADV-2008-0615 5695 Cross-site scripting (XSS) vulnerability in SmarterTools SmarterMail Enterprise 4.3 allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute of an element in the Subject field of an e-mail message. http://es.geocities.com/jplopezy/SmarterMailXSS.txt 3686 20080219 SmarterMail Enterprise 4.3 - malformed mail XSS 27878 1019461 SQL injection vulnerability in index.php in the jlmZone Classifieds module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in an Adsview action. 3681 20080219 XOOPS Module classifieds SQL Injection(cid) 27895 5158 SQL injection vulnerability in index.php in the eEmpregos module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action. Additional information was found while analyzing this vulnerability. http://www.securityfocus.com/bid/27905 3682 20080219 XOOPS Module eEmpregos SQL Injection(cid) 27905 5157 Unspecified vulnerability in Hitachi EUR Print Manager, and related Client and Local Server products, 05-06 through 05-06-/B and 05-08 allows remote attackers to cause a denial of service (service hang or termination) via unspecified vectors related to "unexpected data." http://www.hitachi-support.com/security_e/vuls_e/HS08-001_e/index-e.html 27899 ADV-2008-0616 Unspecified vulnerability in the SEWB3 messaging service in Hitachi SEWB3/PLATFORM and SEWB3/MI-PLATFORM 01-00 through 02-14-/A allows remote attackers to cause a denial of service (service outage) via "invalid data." http://www.hitachi-support.com/security_e/vuls_e/HS08-002_e/index-e.html 27900 ADV-2008-0617 Multiple cross-site scripting (XSS) vulnerabilities in Jinzora Media Jukebox 2.7.5 allow remote attackers to inject arbitrary web script or HTML via the (1) frontend, (2) set_frontend, (3) jz_path, (4) theme, and (5) set_theme parameters to (a) index.php; the frontend, theme, and (6) language parameters to (b) ajax_request.php; the jz_path parameter to (c) slim.php; the frontend, theme, and jz_path parameters to (d) popup.php; the (13) PATH_INFO to index.php and (e) slim.php; and the (14) query parameter in a playlistedit action and (15) siteNewsData parameter in a sitenews action to (f) popup.php. During analysis additional information was found for this vulnerability. http://www.securityfocus.com/bid/27876/info 3683 20080219 [DSECRG-08-016] Jinzora 2.7.5 Multiple XSS 27876 SQL injection vulnerability in index.php in the MyAnnonces 1.7 and earlier module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action. Additional information is available at the following securityfocus bid link: http://www.securityfocus.com/bid/27902/info 27902 ADV-2008-0619 myannonces-index-sql-injection(40861) 5156 SQL injection vulnerability in modules.php in the Web_Links module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cid parameter in a viewlink action. http://packetstormsecurity.com/files/126697/PHP-Nuke-Web-Links-SQL-Injection.html 3684 20080219 PHP-Nuke Module Web_Links SQL Injection(cid) 27894 67463 weblinks-cid-sql-injection(40862) SQL injection vulnerability in modules.php in the EasyContent module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the page_id parameter. 27897 5155 SQL injection vulnerability in modules.php in the Okul 1.0 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the okulid parameter in an okullar action. More information is available at the following securityfocus bid link: http://www.securityfocus.com/bid/27909/info 27909 5159 Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted UDP Browse packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer. NOTE: some of these details are obtained from third party information. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 SUSE-SA:2008:012 GLSA-200804-01 http://www.cups.org/str.php?L2656 DSA-1530 MDVSA-2008:050 MDVSA-2008:051 RHSA-2008:0157 27906 1019473 USN-598-1 ADV-2008-0623 ADV-2008-0924 https://bugzilla.redhat.com/show_bug.cgi?id=433758 oval:org.mitre.oval:def:9625 FEDORA-2008-1901 FEDORA-2008-1976 acroread in Adobe Acrobat Reader 8.1.2 allows local users to overwrite arbitrary files via a symlink attack on temporary files related to SSL certificate handling. SUSE-SR:2008:005 240106 http://support.novell.com/techcenter/psdb/d8c48c63359fc807624182696d3d149c.html http://www.adobe.com/support/security/advisories/apsa08-02.html GLSA-200803-26 RHSA-2008:0641 28091 1019539 ADV-2008-0765 ADV-2008-2289 adobe-reader-acroread-symlink(40987) The Replace function in the capp-lspp-config script in the (1) lspp-eal4-config-ibm and (2) capp-lspp-eal4-config-hp packages before 0.65-2 in Red Hat Enterprise Linux (RHEL) 5 uses lstat instead of stat to determine the /etc/pam.d/system-auth file permissions, leading to a change to world-writable permissions for the /etc/pam.d/system-auth-ac file, which allows local users to gain privileges by modifying this file. RHSA-2008:0193 1019740 28557 https://bugzilla.redhat.com/show_bug.cgi?id=435442 redhat-lsppeal4config-insecure-permissions(41584) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-0882. Reason: This candidate is a duplicate of CVE-2008-0882. Notes: All CVE users should reference CVE-2008-0882 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. gnome-screensaver before 2.22.1, when a remote authentication server is enabled, crashes upon an unlock attempt during a network outage, which allows physically proximate attackers to gain access to the locked session, a related issue to CVE-2007-1859. SUSE-SR:2008:014 RHSA-2008:0197 GLSA-200804-12 1019749 MDVSA-2008:132 RHSA-2008:0218 28575 USN-669-1 https://bugzilla.redhat.com/show_bug.cgi?id=435773 oval:org.mitre.oval:def:10813 FEDORA-2008-2967 FEDORA-2008-3017 The NEEDBITS macro in the inflate_dynamic function in inflate.c for unzip can be invoked using invalid buffers, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger a free of uninitialized or previously-freed data. APPLE-SA-2010-03-29-1 SUSE-SR:2008:007 GLSA-200804-06 http://support.apple.com/kb/HT4077 http://wiki.rpath.com/Advisories:rPSA-2008-0116 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0116 DSA-1522 http://www.ipcop.org/index.php?name=News&file=article&sid=40 MDVSA-2008:068 RHSA-2008:0196 20080321 rPSA-2008-0116-1 unzip 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues 28288 1019634 USN-589-1 http://www.vmware.com/security/advisories/VMSA-2008-0009.html ADV-2008-0913 ADV-2008-1744 unzip-inflatedynamic-code-execution(41246) https://issues.rpath.com/browse/RPL-2317 oval:org.mitre.oval:def:9733 Red Hat Directory Server 8.0, when running on Red Hat Enterprise Linux, uses insecure permissions for the redhat-idm-console script, which allows local users to execute arbitrary code by modifying the script. RHSA-2008:0191 28327 1019677 Red Hat Directory Server 7.1 before SP4 uses insecure permissions for certain directories, which allows local users to modify JAR files and execute arbitrary code via unknown vectors. RHSA-2008:0173 28204 1019577 rhds-jars-insecure-permissions(41152) Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information. http://cert.fi/haavoittuvuudet/2008/advisory-openssl.html GLSA-200806-08 SSA:2008-210-08 http://sourceforge.net/project/shownotes.php?release_id=615606 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=738400 VU#661475 MDVSA-2008:107 http://www.openssl.org/news/secadv_20080528.txt 29405 1020121 USN-620-1 ADV-2008-1680 ADV-2008-1937 openssl-servername-dos(42666) FEDORA-2008-4723 The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5, allows remote attackers to execute arbitrary commands. HPSBUX02324 RHSA-2008:0199 RHSA-2008:0201 28802 1019856 ADV-2008-1449 https://bugzilla.redhat.com/show_bug.cgi?id=437301 rhds-replmonitor-command-execution(41840) FEDORA-2008-3214 FEDORA-2008-3220 Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5, does not properly restrict access to CGI scripts, which allows remote attackers to perform administrative actions. RHSA-2008:0201 28802 1019857 https://bugzilla.redhat.com/show_bug.cgi?id=437320 rhds-cgiscripts-security-bypass(41843) FEDORA-2008-3214 FEDORA-2008-3220 Apple Safari might allow remote attackers to obtain potentially sensitive memory contents or cause a denial of service (crash) via a crafted (1) bitmap (BMP) or (2) GIF file, a related issue to CVE-2008-0420. 3685 20080216 [HISPASEC] FireFox 2.0.0.11 and Opera 9.50 beta Remote Memory Information Leak, FireFox 2.0.0.11 Remote Denial of Service 27947 1019487 https://bugzilla.mozilla.org/show_bug.cgi?id=408076 BEA WebLogic Server and WebLogic Express 6.1 through 10.0 allows remote attackers to bypass authentication for application servlets via crafted request headers. BEA08-191.00 1019443 ADV-2008-0612 BEA WebLogic Portal 10.0 and 9.2 through MP1, when an administrator deletes a single instance of a content portlet, removes entitlement policies for other content portlets, which allows attackers to bypass intended access restrictions. BEA08-192.00 1019453 ADV-2008-0613 Unspecified vulnerability in BEA WebLogic Server 9.0 through 10.0 allows remote authenticated users without "receive" permissions to bypass intended access restrictions and receive messages from a standalone JMS Topic or secured Distributed Topic member destination, related to durable subscriptions. BEA08-193.00 1019444 ADV-2008-0612 The distributed queue feature in JMS in BEA WebLogic Server 9.0 through 10.0, in certain configurations, does not properly handle when a client cannot send a message to a member of a distributed queue, which allows remote authenticated users to bypass intended access restrictions for protected distributed queues. BEA08-194.00 1019447 ADV-2008-0612 Cross-site scripting (XSS) vulnerability in the Administration Console in BEA WebLogic Server and Express 9.0 through 10.0 allows remote attackers to inject arbitrary web script or HTML via URLs that are not properly handled by the Unexpected Exception Page. BEA08-195.00 1019448 ADV-2008-0612 Session fixation vulnerability in BEA WebLogic Server and Express 8.1 SP4 through SP6, 9.2 through MP1, and 10.0 allows remote authenticated users to hijack web sessions via unknown vectors. BEA08-196.00 1019439 ADV-2008-0612 BEA WebLogic Server and Express 7.0 through 10.0 allows remote attackers to conduct brute force password guessing attacks, even when account lockout has been activated, via crafted URLs that indicate whether a guessed password is successful or not. BEA08-197.00 http://www.s21sec.com/avisos/s21sec-040-en.txt 20080225 S21SEC-040-en: Infinite invalid authentication attempts possible in BEA WebLogic Server 1019449 ADV-2008-0612 Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 6.1 through 10.0 MP1 allow remote attackers to inject arbitrary web script or HTML via unspecified samples. NOTE: this might be the same issue as CVE-2007-2694. BEA08-80.04 ADV-2008-0612 Unspecified vulnerability in the BEA WebLogic Server and Express proxy plugin, as distributed before November 2007 and before 9.2 MP3 and 10.0 MP2, allows remote attackers to cause a denial of service (web server crash) via a crafted URL. BEA08-199.00 1019450 ADV-2008-0608 Unspecified vulnerability in the download servlet in BEA Plumtree Collaboration 4.1 through SP2 and AquaLogic Interaction 4.2 through MP1 allows remote attackers to read arbitrary files via a crafted URL. BEA08-200.00 1019437 ADV-2008-0607 Directory traversal vulnerability in globsy_edit.php in Globsy 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. 27910 5162 SQL injection vulnerability in the Docum module in PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the artid parameter in a viewarticle operation. 27912 docum-modules-sql-injection(40720) 5161 SQL injection vulnerability in the Inhalt module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cid parameter. 27886 5163 SQL injection vulnerability in browse.asp in Schoolwires Academic Portal allows remote attackers to execute arbitrary SQL commands via the c parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27903 schoolwires-browse-sql-injection(40687) Cross-site scripting (XSS) vulnerability in browse.asp in Schoolwires Academic Portal allows remote attackers to inject arbitrary web script or HTML via the c parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27903 Multiple F-Secure anti-virus products, including Internet Security 2006 through 2008, Anti-Virus 2006 through 2008, F-Secure Protection Service, and others, allow remote attackers to bypass malware detection via a crafted RAR archive. NOTE: this might be related to CVE-2008-0792. http://www.f-secure.com/security/fsc-2008-1.shtml 1019405 1019412 1019413 ADV-2008-0544 fsecure-cab-rar-security-bypass(40480) SQL injection vulnerability in productdetails.php in iScripts MultiCart 2.0 allows remote authenticated users to execute arbitrary SQL commands via the productid parameter. 27916 5166 Multiple heap-based buffer overflows in mlsrv10.exe in Sybase MobiLink 10.0.1.3629 and earlier, as used by SQL Anywhere Developer Edition 10.0.1.3415 and probably other products, allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a long (1) username, (2) version, or (3) remote ID. NOTE: some of these details are obtained from third party information. http://aluigi.altervista.org/adv/mobilinkhof-adv.txt 3691 20080220 Heap overflow in Sybase MobiLink 10.0.1.3629 20080328 Re: Heap overflow in Sybase MobiLink 10.0.1.3629 27914 1019469 ADV-2008-0626 Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB or IP.Board) 2.3.4 allows remote attackers to inject arbitrary web script or HTML via crafted BBCodes in an unspecified context. http://forums.invisionpower.com/index.php?showtopic=269961 Multiple cross-site scripting (XSS) vulnerabilities in the Mediation server in IPdiva SSL VPN Server 2.2 before 2.2.8.84 and 2.3 before 2.3.2.14 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 20080214 DOINGSOFT-2008-02-11-002 IP Diva VPN SSL many XSS attacks 3690 20080214 DOINGSOFT-2008-02-11-002 IP Diva VPN SSL many XSS attacks 20080214 Re: DOINGSOFT-2008-02-11-002 IP Diva VPN SSL many XSS attacks 27800 ipdivaserver-unspecified-xss(40545) The Mediation server in IPdiva SSL VPN Server 2.2 before 2.2.8.84 and 2.3 before 2.3.2.14 stores the number of remaining allowed login attempts in a cookie, which makes it easier for remote attackers to conduct brute force attacks by manipulating this cookie's value. 20080214 DOINGSOFT-2008-02-11 - IPDiva VPN SSL Brute force attack 3692 20080214 DOINGSOFT-2008-02-11 - IPDiva VPN SSL Brute force attack 27800 SQL injection vulnerability in the Highwood Design hwdVideoShare (com_hwdvideoshare) 1.1.3 Alpha component for Joomla! allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a viewcategory action to index.php. 27907 hwdvideoshare-index-sql-injection(40711) 5160 Cross-site scripting (XSS) vulnerability in Tor World Tor Search 1.1 and earlier, I-Navigator 4.0, Mobile Frontier 2.1 and earlier, Diary.cgi (aka Quotes of the Day) 1.5 and earlier, Tor News 1.21 and earlier, Simple BBS 1.3 and earlier, Interactive BBS 1.3 and earlier, Tor Board 1.1 and earlier, Simple Vote 1.1 and earlier, and Com Vote 1.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://download.torworld.com/bug/20080221.html JVN#54593414 27919 SQL injection vulnerability in includes/count_dl_or_link.inc.php in the astatsPRO (com_astatspro) 1.0.1 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to getfile.php, a different vector than CVE-2008-0839. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. astatspro-countdlorlink-sql-injection(40852) Cross-site scripting (XSS) vulnerability in session/login.php in Open Source Security Information Management (OSSIM) 0.9.9 rc5 and earlier allows remote attackers to inject arbitrary web script or HTML via the dest parameter. 3689 20080221 SQL-injection, XSS in OSSIM (Open Source Security Information Management) 20080222 Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management) 20080225 Re: Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management) 27929 5171 SQL injection vulnerability in port/modifyportform.php in Open Source Security Information Management (OSSIM) 0.9.9 rc5 allows remote authenticated users to execute arbitrary SQL commands via the portname parameter, which is not properly handled by a validation regular expression. 3689 20080221 SQL-injection, XSS in OSSIM (Open Source Security Information Management) 20080222 Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management) 27927 5171 SQL injection vulnerability in news.php in beContent 0.3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. 27928 5170 SQL injection vulnerability in the Manuales 0.1 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cid parameter in a viewdownload action to modules.php. 27933 5168 Directory traversal vulnerability in the Shared Folders feature for VMWare ACE 1.0.2 and 2.0.2, Player 1.0.4 and 2.0.2, and Workstation 5.5.4 and 6.0.2 allows guest OS users to read and write arbitrary files on the host OS via a multibyte string that produces a wide character string containing .. (dot dot) sequences, which bypasses the protection mechanism, as demonstrated using a "%c0%2e%c0%2e" string. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004034 20080225 CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation [security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues 3700 http://www.coresecurity.com/?action=item&id=2129 20080225 CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues 27944 28276 1019493 http://www.vmware.com/security/advisories/VMSA-2008-0005.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html ADV-2008-0679 ADV-2008-0905 vmware-sharedfolders-directory-traversal(40837) Stack-based buffer overflow in the DoLBURPRequest function in libnldap in ndsd in Novell eDirectory 8.7.3.9 and earlier, and 8.8.1 and earlier in the 8.8.x series, allows remote attackers to cause a denial of service (daemon crash or CPU consumption) or execute arbitrary code via a long delRequest LDAP Extended Request message, probably involving a long Distinguished Name (DN) field. During analysis the following related page was found. http://www.zerodayinitiative.com/advisories/ZDI-08-013/ 20080326 ZDI-08-013: Novell eDirectory for Linux Stack Overflow 28434 1019692 ADV-2008-0987 http://www.zerodayinitiative.com/advisories/ZDI-08-013/ https://secure-support.novell.com/KanisaPlatform/Publishing/411/3382120_f.SAL_Public.html Cross-site scripting (XSS) vulnerability in the iMonitor interface in Novell eDirectory 8.7.3.x before 8.7.3 sp10, and 8.8.x before 8.8.2 ftf2, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters that are used within "error messages of the HTTP stack." 1020321 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037180.html http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037181.html http://www.novell.com/support/viewContent.do?externalId=3460217&sliceId=1 29782 ADV-2008-1863 novell-edirectory-imonitor-xss(43151) The SOAP interface to the eMBox module in Novell eDirectory 8.7.3.9 and earlier, and 8.8.x before 8.8.2, relies on client-side authentication, which allows remote attackers to bypass authentication via requests for /SOAP URIs, and cause a denial of service (daemon shutdown) or read arbitrary files. NOTE: it was later reported that 8.7.3.10 (aka 8.7.3 SP10) is also affected. 20080505 Novell eDirectory unauthenticated access to SOAP interface 28441 1019691 ADV-2008-0988 novell-edirectory-embox-unspecified(41426) https://secure-support.novell.com/KanisaPlatform/Publishing/876/3866911_f.SAL_Public.html dhost.exe in Novell eDirectory 8.7.3 before sp10 and 8.8.2 allows remote attackers to cause a denial of service (CPU consumption) via an HTTP request with (1) multiple Connection headers or (2) a Connection header with multiple comma-separated values. NOTE: this might be similar to CVE-2008-1777. http://www.novell.com/support/viewContent.do?externalId=3829452&sliceId=1 20080505 Novell eDirectory DoS via HTTP headers 28757 1019836 ADV-2008-1217 novell-edirectory-dhost-dos(41787) 5547 Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine. SUSE-SR:2009:008 [debian-security] 20080219 qemu unchecked block read/write vulnerability DSA-1799 MDVSA-2008:162 MDVSA-2009:016 FEDORA-2008-1973 FEDORA-2008-1993 RHSA-2008:0194 28001 https://bugzilla.redhat.com/show_bug.cgi?id=433560 oval:org.mitre.oval:def:9706 FEDORA-2008-1995 FEDORA-2008-2001 FEDORA-2008-2057 FEDORA-2008-2083 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. w_editeur.c in XWine 1.0.1 for Debian GNU/Linux allows local users to overwrite or print arbitrary files via a symlink attack on the temporaire temporary file. NOTE: some of these details are obtained from third party information. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468050 DSA-1526 28049 w_export.c in XWine 1.0.1 on Debian GNU/Linux sets insecure permissions (0666) for /etc/wine/config, which might allow local users to execute arbitrary commands or cause a denial of service by modifying the file. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=468050 DSA-1526 28369 diatheke.pl in The SWORD Project Diatheke 1.5.9 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the range parameter. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466449 GLSA-200803-06 DSA-1508 27874 27987 ADV-2008-0670 https://bugzilla.redhat.com/show_bug.cgi?id=433723 FEDORA-2008-1922 FEDORA-2008-1951 Multiple race conditions in the CPU Performance Counters (cpc) subsystem in the kernel in Sun Solaris 10 allow local users to cause a denial of service (panic) via unspecified vectors related to kcpc_unbind and kcpc_restore. 231466 27941 1019490 ADV-2008-0642 oval:org.mitre.oval:def:5476 SQL injection vulnerability in modules.php in the NukeC 2.1 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id_catg parameter in a ViewCatg action. 27937 5172 Stack-based buffer overflow in the Novell iPrint Control ActiveX control in ienipp.ocx in Novell iPrint Client before 4.34 allows remote attackers to execute arbitrary code via a long argument to the ExecuteRequest method. http://download.novell.com/Download?buildid=prBBH4JpImA~ 27939 1019489 ADV-2008-0639 SQL injection vulnerability in index.php in the Prayer List (prayerlist) 1.04 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view action. 20080221 XOOPS Module prayerlist SQL Injection(cid) 27934 SQL injection vulnerability in index.php in the Tiny Event (tinyevent) 1.01 module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter in a print action, a different vector than CVE-2007-1811. 20080221 XOOPS Module tinyevent-print SQL Injection(id) 27931 Unspecified vulnerability in the dynamic tracing framework (DTrace) in Sun Solaris 10 allows local users with PRIV_DTRACE_USER or PRIV_DTRACE_PROC privileges to obtain sensitive kernel information via unspecified vectors, a different vulnerability than CVE-2007-4126. 231803 27942 1019483 ADV-2008-0640 oval:org.mitre.oval:def:5451 Multiple SQL injection vulnerabilities in wppa.php in the WP Photo Album (WPPA) before 1.1 plugin for WordPress allow remote attackers to execute arbitrary SQL commands via (1) the photo parameter to index.php, used by the wppa_photo_name function; or (2) the album parameter to index.php, used by the wppa_album_name function. NOTE: some of these details are obtained from third party information. http://me.mywebsight.ws/web/wppa/ 3693 http://weblogtoolscollection.com/archives/2008/02/21/photo-album-plugin-vulnerabilities/ 20080216 WordPress album PHOTO SQL Injection 27832 ADV-2008-0586 photoalbum-index-sql-injection(40599) 5135 Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.4.24 allows remote attackers to inject arbitrary web script or HTML when creating a username, a different vulnerability than CVE-2007-0407. http://www.plainblack.com/getwebgui/advisories/webgui-7_4_24-stable-released 27869 Cross-site scripting (XSS) vulnerability in Eagle Software Aeries Browser Interface (ABI) 3.8.2.8 allows remote authenticated users to inject arbitrary web script or HTML via an event. 3694 20080221 aeries browser interface(ABI) 3.8.2.8 XSS 27924 abi-newevent-xss(40756) SQL injection vulnerability in GradebookStuScores.asp in Eagle Software Aeries Browser Interface (ABI) 3.8.2.8 allows remote attackers to execute arbitrary SQL commands via the GrdBk parameter. 3695 20080221 aeries browser interface(ABI) 3.8.2.8 Remote SQL Injection 27924 abi-gradebookstuscores-sql-injection(40847) Multiple SQL injection vulnerabilities in Eagle Software Aeries Browser Interface (ABI) 3.7.2.2 allow remote attackers to execute arbitrary SQL commands via the (1) FC parameter to Comments.asp, or the Term parameter to (2) Labels.asp or (3) ClassList.asp. 3696 20080221 aeries browser interface(ABI) 3.7.2.2 Remote SQL Injection 27924 abi-fcterm-sql-injection(40757) Ipswitch Instant Messaging (IM) 2.0.8.1 and earlier allows remote attackers to cause a denial of service (NULL dereference and application crash) via a version field containing zero. http://aluigi.altervista.org/adv/ipsimene-adv.txt 3697 20080207 Multiple vulnerabilities in Ipswitch Instant Messaging 2.0.8.1 27677 Format string vulnerability in the logging function in the IM Server (aka IMserve or IMserver) in Ipswitch Instant Messaging (IM) 2.0.8.1 and earlier allows remote authenticated users to cause a denial of service (daemon crash) and possibly have unspecified other impact via format string specifiers in an IP address field. http://aluigi.altervista.org/adv/ipsimene-adv.txt http://aluigi.org/poc/ipsimene.zip 3697 20080207 Multiple vulnerabilities in Ipswitch Instant Messaging 2.0.8.1 27677 Directory traversal vulnerability in the IM Server (aka IMserve or IMserver) in Ipswitch Instant Messaging (IM) 2.0.8.1 and earlier allows remote authenticated users to create arbitrary empty files via a .. (dot dot) in the recipient field. http://aluigi.altervista.org/adv/ipsimene-adv.txt http://aluigi.org/poc/ipsimene.zip 3697 20080207 Multiple vulnerabilities in Ipswitch Instant Messaging 2.0.8.1 27677 Buffer overflow in the RPC library used by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.4 through 1.6.3 allows remote attackers to execute arbitrary code by triggering a large number of open file descriptors. SUSE-SA:2008:016 SSRT100495 GLSA-200803-31 3752 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022520.html http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022542.html http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt http://wiki.rpath.com/Advisories:rPSA-2008-0112 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0112 DSA-1524 VU#374121 MDVSA-2008:069 MDVSA-2008:070 RHSA-2008:0164 20080318 MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc 20080318 MITKRB5-SA-2008-002: array overrun in RPC library used by kadmin (resend, corrected subject) 20080319 rPSA-2008-0112-1 krb5 krb5-server krb5-services krb5-test krb5-workstation 28302 1019631 USN-587-1 TA08-079B ADV-2008-0922 ADV-2008-1102 krb5-rpclibrary-bo(41273) oval:org.mitre.oval:def:10984 FEDORA-2008-2637 FEDORA-2008-2647 Buffer overflow in the RPC library (lib/rpc/rpc_dtablesize.c) used by libgssrpc and kadmind in MIT Kerberos 5 (krb5) 1.2.2, and probably other versions before 1.3, when running on systems whose unistd.h does not define the FD_SETSIZE macro, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by triggering a large number of open file descriptors. SUSE-SA:2008:016 SSRT100495 3752 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022520.html http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5022542.html http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt VU#374121 RHSA-2008:0181 20080318 MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc 20080318 MITKRB5-SA-2008-002: array overrun in RPC library used by kadmin (resend, corrected subject) 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues 28302 1019631 TA08-079B http://www.vmware.com/security/advisories/VMSA-2008-0009.html ADV-2008-0922 ADV-2008-1102 ADV-2008-1744 krb5-rpclibrary-fdsetsize-bo(41274) oval:org.mitre.oval:def:9209 Unspecified vulnerability in IBM Informix Dynamic Server (IDS) 7.x through 11.x allows remote attackers to gain privileges via a malformed connection request packet. IBM links require software support sign in to access information. http://www.informixmag.com/content/view/11143/27/ http://www.informixmag.com/content/view/11144/27/ 28198 ADV-2008-0860 IC55224 IC55225 ibm-ids-unspecified-privilege-escalation(41370) Microsoft Windows Vista does not properly enforce the NoDriveTypeAutoRun registry value, which allows user-assisted remote attackers, and possibly physically proximate attackers, to execute arbitrary code by inserting a (1) CD-ROM device or (2) U3-enabled USB device containing a filesystem with an Autorun.inf file, and possibly other vectors related to (a) AutoRun and (b) AutoPlay actions. VU#889747 28360 1020446 ADV-2008-0954 MS08-038 vista-nodrivetypeautorun-weak-security(41349) The AppendStringToFile function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to create files with arbitrary content via a full pathname in the first argument and the content in the second argument, a different vulnerability than CVE-2007-5608 and CVE-2008-0953. http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf 29526 29535 1020165 ADV-2008-1740 HPSBMA02326 hp-instantsupport-append-file-overwrite(42834) The StartApp function in the HPISDataManagerLib.Datamgr ActiveX control in HPISDataManager.dll in HP Instant Support before 1.0.0.24 allows remote attackers to execute arbitrary programs via a .exe filename in the argument, a different vulnerability than CVE-2007-5608 and CVE-2008-0953. http://www.csis.dk/dk/forside/CSIS-RI-0003.pdf 29526 29533 1020165 ADV-2008-1740 SSRT071490 hp-instantsupport-startapp-code-execution(42851) Stack-based buffer overflow in the Creative Software AutoUpdate Engine ActiveX control in CTSUEng.ocx allows remote attackers to execute arbitrary code via a long CacheFolder property value. VU#501843 29391 ADV-2008-1668 creativesoftware-autoupdate-cachefolder-bo(42673) 5681 Multiple stack-based buffer overflows in the BackWeb Lite Install Runner ActiveX control in the BackWeb Web Package ActiveX object in LiteInstActivator.dll in BackWeb before 8.1.1.87, as used in Logitech Desktop Manager (LDM) before 2.56, allow remote attackers to execute arbitrary code via unspecified vectors. http://backweb.com/news_events/press_releases/051608.php HPSBST02344 VU#216153 29558 TA08-162B ADV-2008-1791 ADV-2008-1792 MS08-032 backweb-activex-liteinstactivator-bo(42991) Multiple stack-based buffer overflows in the PhotoStockPlus Uploader Tool ActiveX control (PSPUploader.ocx) allow remote attackers to execute arbitrary code via unspecified initialization parameters. VU#406937 29279 ADV-2008-1571 photostockplus-uploader-bo(42534) Multiple stack-based buffer overflows in the Online Media Technologies NCTSoft NCTAudioGrabber2 ActiveX control in NCTAudioGrabber2.dll allow remote attackers to execute arbitrary code via unspecified vectors. VU#656593 ADV-2008-1669 nctaudioeditor-nctaudiograbber2-bo(42678) Multiple stack-based buffer overflows in the Online Media Technologies NCTSoft NCTAudioInformation2 ActiveX control in NCTAudioInformation2.dll, as used in (1) Power Audio CD Grabber 1.0, (2) Power Audio CD Burner 1.02, (3) CinematicMP3 1.4.0.0, (4) Alive MP3 WAV Converter 3.9.3.2, and possibly other products, allow remote attackers to execute arbitrary code via unspecified vectors. VU#669265 ADV-2008-1669 nctaudiostudio-nctaudioinformation2-bo(42680) SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later; (9) HP OpenView SNMP Emanate Master Agent 15.x; and possibly other products relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte. APPLE-SA-2008-06-30 [productinfo] 20080611 Ingate Firewall and SIParator affected by SNMPv3 vulnerability SUSE-SA:2008:039 SSRT080082 RHSA-2008:0528 GLSA-200808-02 3933 http://sourceforge.net/forum/forum.php?forum_id=833770 http://sourceforge.net/tracker/index.php?func=detail&aid=1989089&group_id=12694&atid=456380 238865 http://support.apple.com/kb/HT2163 http://support.avaya.com/elmodocs2/security/ASA-2008-282.htm 20080610 SNMP Version 3 Authentication Vulnerabilities DSA-1663 VU#878044 http://www.kb.cert.org/vuls/id/CTAR-7FBS8Q http://www.kb.cert.org/vuls/id/MIMG-7ETS5Z http://www.kb.cert.org/vuls/id/MIMG-7ETS87 MDVSA-2008:118 http://www.ocert.org/advisories/ocert-2008-006.html [oss-security] 20080609 [oCERT-2008-006] multiple SNMP implementations HMAC authentication spoofing RHSA-2008:0529 20080609 [oCERT-2008-006] multiple SNMP implementations HMAC authentication spoofing 20081031 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff 29623 1020218 USN-685-1 TA08-162A http://www.vmware.com/security/advisories/VMSA-2008-0013.html http://www.vmware.com/security/advisories/VMSA-2008-0017.html ADV-2008-1787 ADV-2008-1788 ADV-2008-1797 ADV-2008-1800 ADV-2008-1801 ADV-2008-1836 ADV-2008-1981 ADV-2008-2361 ADV-2008-2971 ADV-2009-1612 https://bugzilla.redhat.com/show_bug.cgi?id=447974 oval:org.mitre.oval:def:10820 oval:org.mitre.oval:def:5785 oval:org.mitre.oval:def:6414 5790 FEDORA-2008-5215 FEDORA-2008-5224 FEDORA-2008-5218 EMV DiskXtender 6.20.060 has a hard-coded login and password, which allows remote attackers to bypass authentication via the RPC interface. 20080410 EMC DiskXtender Authentication Bypass Vulnerability 28727 1019827 ADV-2008-1198 emc-diskxtender-unauthorized-access(41772) Stack-based buffer overflow in the File System Manager for EMC DiskXtender 6.20.060 allows remote authenticated users to execute arbitrary code via a crafted request to the RPC interface. 20080410 EMC DiskXtender File System Manager Stack Buffer Overflow Vulnerability 28728 1019828 ADV-2008-1198 emc-diskxtender-filesystemmanager-bo(41774) Format string vulnerability in EMC DiskXtender MediaStor 6.20.060 allows remote authenticated users to execute arbitrary code via a crafted message to the RPC interface. 20080410 EMC DiskXtender MediaStor Format String Vulnerability 28727 28729 1019829 ADV-2008-1198 emc-diskxtender-mediastor-format-string(41773) Multiple stack-based buffer overflows in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via a crafted SMB packet. 20080804 Solaris snoop SMB Decoding Multiple Stack Buffer Overflow Vulnerabilities 240101 http://support.avaya.com/elmodocs2/security/ASA-2008-355.htm http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=766935 30556 1020633 ADV-2008-2311 solaris-snoop1m-bo(44222) oval:org.mitre.oval:def:5318 6328 Multiple format string vulnerabilities in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via format string specifiers in an SMB packet. 20080804 Solaris snoop SMB Decoding Multiple Format String Vulnerabilities 240101 http://support.avaya.com/elmodocs2/security/ASA-2008-355.htm http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=766935 30556 1020633 ADV-2008-2311 sun-solaris-snoop1m-command-execution(44222) solaris-snoop1m-format-string(44415) oval:org.mitre.oval:def:5742 Untrusted search path vulnerability in vmware-authd in VMware Workstation 5.x before 5.5.7 build 91707 and 6.x before 6.0.4 build 93057, VMware Player 1.x before 1.0.7 build 91707 and 2.x before 2.0.4 build 93057, and VMware Server before 1.0.6 build 91891 on Linux, and VMware ESXi 3.5 and VMware ESX 2.5.4 through 3.5, allows local users to gain privileges via a library path option in a configuration file. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' 20080604 VMware Multiple Products vmware-authd Untrusted Library Loading Vulnerability GLSA-201209-25 3922 1020198 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues 29557 http://www.vmware.com/security/advisories/VMSA-2008-0009.html ADV-2008-1744 vmware-vmwareauthd-privilege-escalation(42878) oval:org.mitre.oval:def:4768 oval:org.mitre.oval:def:5583 Multiple cross-site scripting (XSS) vulnerabilities in index.cgi in Barracuda Spam Firewall (BSF) before 3.5.12.007, Message Archiver before 1.2.1.002, Web Filter before 3.3.0.052, IM Firewall before 3.1.01.017, and Load Balancer before 2.3.024 allow remote attackers to inject arbitrary web script or HTML via (1) the Policy Name field in Search Based Retention Policy in Message Archiver; unspecified parameters in the (2) IP Configuration, (3) Administration, (4) Journal Accounts, (5) Retention Policy, and (6) GroupWise Sync components in Message Archiver; (7) input to search operations in Web Filter; and (8) input used in error messages and (9) hidden INPUT elements in (a) Spam Firewall, (b) IM Firewall, and (c) Web Filter. http://dcsl.ul.ie/advisories/03.htm 4792 1021454 http://www.barracudanetworks.com/ns/support/tech_alert.php 20081216 CVE-2008-0971 - Barracuda Networks products Multiple Cross-Site Scripting Vulnerabilities Buffer overflow in Double-Take (aka HP StorageWorks Storage Mirroring) 4.5.0.1629, and other 4.5.0.x versions, allows remote attackers to have an unknown impact via a packet with a long string in the username field. http://aluigi.altervista.org/adv/doubletakedown-adv.txt http://aluigi.org/poc/doubletakedown.zip 3698 20080222 Multiple vulnerabilities in Double-Take 5.0.0.2865 27951 ADV-2008-0666 Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWorks Storage Mirroring name and other names, allows remote attackers to cause a denial of service (daemon termination) via (1) a large vector<T> value, which raises a "vector<T> too long" exception; or (2) a certain packet that raises an ospace/time/src\date.cpp exception. http://aluigi.altervista.org/adv/doubletakedown-adv.txt http://aluigi.org/poc/doubletakedown.zip 3698 20080222 Multiple vulnerabilities in Double-Take 5.0.0.2865 27951 ADV-2008-0666 Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWorks Storage Mirroring name and other names, allows remote attackers to cause a denial of service (CPU consumption) via a -1 value in the field that specifies the size of the vector<T> value. http://aluigi.altervista.org/adv/doubletakedown-adv.txt http://aluigi.org/poc/doubletakedown.zip 3698 20080222 Multiple vulnerabilities in Double-Take 5.0.0.2865 27951 ADV-2008-0666 Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWorks Storage Mirroring name and other names, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed packet, as demonstrated by a packet of type (1) 0x2722 or (2) 0x272a. http://aluigi.altervista.org/adv/doubletakedown-adv.txt http://aluigi.org/poc/doubletakedown.zip 3698 20080222 Multiple vulnerabilities in Double-Take 5.0.0.2865 27951 ADV-2008-0666 Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWorks Storage Mirroring name and other names, allows remote attackers to cause a denial of service (daemon crash) via a certain long packet that triggers an attempt to allocate a large amount of memory. http://aluigi.altervista.org/adv/doubletakedown-adv.txt http://aluigi.org/poc/doubletakedown.zip 3698 20080222 Multiple vulnerabilities in Double-Take 5.0.0.2865 27951 ADV-2008-0666 Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWorks Storage Mirroring name and other names, allows remote attackers to obtain sensitive information via a packet of type (1) 0x2728, which provides operating system and path information; (2) 0x274e, which lists Ethernet adapters; (3) 0x2726, which provides filesystem information; (4) 0x274f, which specifies the printer driver; or (5) 0x2757, which provides recent log entries. http://aluigi.altervista.org/adv/doubletakedown-adv.txt http://aluigi.org/poc/doubletakedown.zip 3698 20080222 Multiple vulnerabilities in Double-Take 5.0.0.2865 27951 ADV-2008-0666 Stack consumption vulnerability in Double-Take 5.0.0.2865 and earlier, distributed under the HP StorageWorks Storage Mirroring name and other names, allows remote attackers to cause a denial of service (daemon crash) via a certain packet that triggers the recursive calling of a function. http://aluigi.altervista.org/adv/doubletakedown-adv.txt http://aluigi.org/poc/doubletakedown.zip 3698 20080222 Multiple vulnerabilities in Double-Take 5.0.0.2865 27951 ADV-2008-0666 Multiple cross-site scripting (XSS) vulnerabilities in Spyce - Python Server Pages (PSP) 2.1.3 allow remote attackers to inject arbitrary web script or HTML via (1) the url or type parameter to docs/examples/redirect.spy; (2) the x parameter to docs/examples/handlervalidate.spy; (3) the name parameter to spyce/examples/request.spy; (4) the Name parameter to spyce/examples/getpost.spy; (5) the mytextarea parameter, the mypass parameter, or an empty parameter to spyce/examples/formtag.spy; (6) the newline parameter to the default URI under demos/chat/; (7) the text1 parameter to docs/examples/formintro.spy; or (8) the mytext or mydate parameter to docs/examples/formtag.spy. 3699 http://www.procheckup.com/Vulnerability_PR08-01.php 20080219 PR08-01: Several XSS, a cross-domain redirect and a webroot disclosure on Spyce - Python Server Pages (PSP) 27898 Open redirect vulnerability in spyce/examples/redirect.spy in Spyce - Python Server Pages (PSP) 2.1.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. 3699 http://www.procheckup.com/Vulnerability_PR08-01.php 20080219 PR08-01: Several XSS, a cross-domain redirect and a webroot disclosure on Spyce - Python Server Pages (PSP) 27898 Spyce - Python Server Pages (PSP) 2.1.3 allows remote attackers to obtain sensitive information via a direct request for spyce/examples/automaton.spy, which reveals the path in an error message. 3699 http://www.procheckup.com/Vulnerability_PR08-01.php 20080219 PR08-01: Several XSS, a cross-domain redirect and a webroot disclosure on Spyce - Python Server Pages (PSP) 27898 lighttpd 1.4.18, and possibly other versions before 1.5.0, does not properly calculate the size of a file descriptor array, which allows remote attackers to cause a denial of service (crash) via a large number of connections, which triggers an out-of-bounds access. SUSE-SR:2008:008 GLSA-200803-10 http://trac.lighttpd.net/trac/ticket/1562 http://wiki.rpath.com/Advisories:rPSA-2008-0084 DSA-1609 20080228 rPSA-2008-0084-1 lighttpd 27943 ADV-2008-0659 https://issues.rpath.com/browse/RPL-2284 FEDORA-2008-2262 FEDORA-2008-2278 The MP4 demuxer (mp4.c) for VLC media player 0.8.6d and earlier, as used in Miro Player 1.1 and earlier, allows remote attackers to overwrite arbitrary memory and execute arbitrary code via a malformed MP4 file. 20080227 CORE-2008-0130: VLC media player chunk context validation error http://www.coresecurity.com/?action=item&id=2147 DSA-1543 GLSA-200803-13 20080227 CORE-2008-0130: VLC media player chunk context validation error 28007 1019510 http://www.videolan.org/security/sa0802.html ADV-2008-0682 Heap-based buffer overflow in the GIF library in the WebKit framework for Google Android SDK m3-rc37a and earlier allows remote attackers to execute arbitrary code via a crafted GIF file whose logical screen height and width are different than the actual height and width. http://android-developers.blogspot.com/2008/03/android-sdk-update-m5-rc15-released.html 3727 http://www.coresecurity.com/?action=item&id=2148 20080304 CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK 28005 androidsdk-gifimagedecoderondecode-bo(40998) Integer overflow in the BMP::readFromStream method in the libsgl.so library in Google Android SDK m3-rc37a and earlier, and m5-rc14, allows remote attackers to execute arbitrary code via a crafted BMP file with a header containing a negative offset field. http://android-developers.blogspot.com/2008/03/android-sdk-update-m5-rc15-released.html 3727 http://www.coresecurity.com/?action=item&id=2148 20080304 CORE-2008-0124: Multiple vulnerabilities in Google's Android SDK 28006 androidsdk-bmpreadfromstream-int-overflow(40999) Stack-based buffer overflow in Image Raw in Apple Mac OS X 10.5.2, and Digital Camera RAW Compatibility before Update 2.0 for Aperture 2 and iPhoto 7.1.2, allows remote attackers to execute arbitrary code via a crafted Adobe Digital Negative (DNG) image. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 APPLE-SA-2008-03-20 http://support.apple.com/kb/HT1232 28304 28363 1019659 1019683 1019684 TA08-079A ADV-2008-0924 ADV-2008-0957 macos-imageraw-bo(41294) Off-by-one error in the Libsystem strnstr API in libc on Apple Mac OS X 10.4.11 allows context-dependent attackers to cause a denial of service (crash) via crafted arguments that trigger a buffer over-read. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28374 1019661 TA08-079A ADV-2008-0924 Format string vulnerability in mDNSResponderHelper in Apple Mac OS X 10.5.2 allows local users to execute arbitrary code via format string specifiers in the local hostname. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28339 1019662 TA08-079A ADV-2008-0924 macos-mdnsresponderhelper-format-string(41292) notifyd in Apple Mac OS X 10.4.11 does not verify that Mach port death notifications have originated from the kernel, which allows local users to cause a denial of service via spoofed death notifications that prevent other applications from receiving notifications. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28345 1019663 TA08-079A ADV-2008-0924 macos-notifyd-dos(41289) Array index error in pax in Apple Mac OS X 10.5.2 allows context-dependent attackers to execute arbitrary code via an archive with a crafted length value. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28365 1019673 TA08-079A ADV-2008-0924 macos-pax-code-execution(41288) Podcast Capture in Podcast Producer for Apple Mac OS X 10.5.2 invokes a subtask with passwords in command line arguments, which allows local users to read the passwords via process listings. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28372 1019664 TA08-079A ADV-2008-0924 Preview in Apple Mac OS X 10.5.2 uses 40-bit RC4 when saving a PDF file with encryption, which makes it easier for attackers to decrypt the file via brute force methods. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28386 1019665 TA08-079A ADV-2008-0924 macos-preview-weak-encryption(41276) The Printing component in Apple Mac OS X 10.5.2 uses 40-bit RC4 when printing to an encrypted PDF file, which makes it easier for attackers to decrypt the file via brute force methods. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28387 1019667 TA08-079A ADV-2008-0924 macos-printing-weak-encryption(41287) The Printing component in Apple Mac OS X 10.5.2 might save authentication credentials to disk when starting a job on an authenticated print queue, which might allow local users to obtain the credentials. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28344 1019667 TA08-079A ADV-2008-0924 macos-printqueue-information-disclosure(41284) Stack-based buffer overflow in AppKit in Apple Mac OS X 10.4.11 allows user-assisted remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted PostScript Printer Description (PPD) file that is not properly handled when querying a network printer. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28364 1019648 TA08-079A ADV-2008-0924 macos-appkit-ppd-bo(41282) Unspecified vulnerability in NetCfgTool in the System Configuration component in Apple Mac OS X 10.4.11 and 10.5.2 allows local users to bypass authorization and execute arbitrary code via crafted distributed objects. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28385 1019674 TA08-079A ADV-2008-0924 macos-netcfgtool-code-execution(41281) Apple Mac OS X 10.5.2 allows user-assisted attackers to cause a denial of service (crash) via a crafted Universal Disc Format (UDF) disk image, which triggers a NULL pointer dereference. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 28304 28389 1019669 TA08-079A ADV-2008-0924 macos-udf-dos(41280) Directory traversal vulnerability in ContentServer.py in the Wiki Server in Apple Mac OS X 10.5.2 (aka Leopard) allows remote authenticated users to write arbitrary files via ".." sequences in file attachments. http://docs.info.apple.com/article.html?artnum=307562 APPLE-SA-2008-03-18 http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2189 20080318 CORE-2008-0123: Leopard Server Remote Path Traversal 28278 1019660 ADV-2008-0924 macos-contentserver-directory-traversal(41278) Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1, when running on Windows XP or Vista, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that is not properly handled in the error page. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28321 1019653 TA08-079A ADV-2008-0920 safari-errorpage-xss(41333) Cross-site scripting (XSS) vulnerability in Apple Safari before 3.1 allows remote attackers to inject arbitrary web script or HTML via a crafted javascript: URL. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 VU#766019 28290 28328 1019653 TA08-079A ADV-2008-0920 safari-javascripturls-security-bypass(41335) Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to sites that set the document.domain property or have the same document.domain. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28330 1019653 TA08-079A ADV-2008-0920 safari-documentdomain-security-bypass(41334) Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to the Web Inspector. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28347 1019653 TA08-079A ADV-2008-0920 safari-webinspector-security-bypass(41331) WebCore, as used in Apple Safari before 3.1, does not properly mask the password field when reverse conversion is used with the Kotoeri input method, which allows physically proximate attackers to read the password. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28326 1019656 TA08-079A ADV-2008-0920 safari-webcore-weak-security(41329) Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML by using the window.open function to change the security context of a web page. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28332 1019653 TA08-079A ADV-2008-0920 safari-windowopen-security-bypass(41326) WebCore, as used in Apple Safari before 3.1, does not enforce the frame navigation policy for Java applets, which allows remote attackers to conduct cross-site scripting (XSS) attacks. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28335 1019653 TA08-079A ADV-2008-0920 safari-navigation-policy-security-bypass(41324) Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via the document.domain property. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28336 1019653 TA08-079A ADV-2008-0920 safari-documentdomain-xss(41323) Cross-site scripting (XSS) vulnerability in WebCore, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary JavaScript by modifying the history object. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28337 1019653 TA08-079A ADV-2008-0920 safari-historyobject-security-bypass(41322) Buffer overflow in WebKit, as used in Apple Safari before 3.1, allows remote attackers to execute arbitrary code via crafted regular expressions in JavaScript. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28338 1019654 TA08-079A ADV-2008-0920 safari-webkit-bo(41321) FEDORA-2008-3229 Cross-site scripting (XSS) vulnerability in WebKit, as used in Apple Safari before 3.1, allows remote attackers to inject arbitrary web script or HTML via a frame that calls a method instance in another frame. http://docs.info.apple.com/article.html?artnum=307563 APPLE-SA-2008-03-18 28290 28342 1019653 TA08-079A ADV-2008-0920 safari-webkitcomponent-security-bypass(41320) FEDORA-2008-3229 Unspecified vulnerability in Apple AirPort Extreme Base Station Firmware 7.3.1 allows remote attackers to cause a denial of service (file sharing hang) via a crafted AFP request, related to "input validation." APPLE-SA-2008-03-19 http://support.apple.com/kb/HT1226 28348 1019678 ADV-2008-0955 airport-extremebasestation-afp-dos(41325) Apple QuickTime before 7.4.5 enables deserialization of QTJava objects by untrusted Java applets, which allows remote attackers to execute arbitrary code via a crafted applet. 1019757 http://support.apple.com/kb/HT1241 28583 TA08-094A ADV-2008-1078 quicktime-qtjava-code-execution(41601) Apple QuickTime before 7.4.5 does not properly handle external URLs in movies, which allows remote attackers to obtain sensitive information. 1019758 http://support.apple.com/kb/HT1241 28583 TA08-094A ADV-2008-1078 quicktime-moviefiles-information-disclosure(41602) Buffer overflow in the data reference atom handling in Apple QuickTime before 7.4.5 allows remote attackers to execute arbitrary code via a crafted movie. APPLE-SA-2008-07-10 1019759 http://support.apple.com/kb/HT1241 28583 TA08-094A ADV-2008-1078 ADV-2008-2064 quicktime-data-reference-bo(41604) Apple QuickTime before 7.4.5 does not properly handle movie media tracks, which allows remote attackers to execute arbitrary code via a crafted movie that triggers memory corruption. 1019760 http://support.apple.com/kb/HT1241 28583 TA08-094A ADV-2008-1078 quicktime-movie-media-code-execution(41605) Heap-based buffer overflow in clipping region (aka crgn) atom handling in quicktime.qts in Apple QuickTime before 7.4.5 allows remote attackers to execute arbitrary code via a crafted movie. APPLE-SA-2008-07-10 1019761 http://support.apple.com/kb/HT1241 20080403 ZDI-08-015: Apple QuickTime Clipping Region Heap Overflow Vulnerability 28583 TA08-094A ADV-2008-1078 ADV-2008-2064 http://www.zerodayinitiative.com/advisories/ZDI-08-015 quicktime-crgn-bo(41607) Heap-based buffer overflow in Apple QuickTime before 7.4.5 allows remote attackers to execute arbitrary code via an MP4A movie with a malformed Channel Compositor (aka chan) atom. APPLE-SA-2008-07-10 1019762 http://support.apple.com/kb/HT1241 20080403 ZDI-08-016: Apple QuickTime MP4A Atom Parsing Heap Corruption Vulnerability 28583 TA08-094A ADV-2008-1078 ADV-2008-2064 http://www.zerodayinitiative.com/advisories/ZDI-08-016 quicktime-chan-bo(41606) Heap-based buffer overflow in quickTime.qts in Apple QuickTime before 7.4.5 allows remote attackers to execute arbitrary code via a crafted PICT image file, related to an improperly terminated memory copy loop. 1019763 http://support.apple.com/kb/HT1241 20080403 ZDI-08-014: Apple Quicktime Multiple Opcode Memory Corruption Vulnerabilities 28583 TA08-094A ADV-2008-1078 http://www.zerodayinitiative.com/advisories/ZDI-08-014 quicktime-pict-records-bo(41609) Heap-based buffer overflow in quickTime.qts in Apple QuickTime before 7.4.5 on Windows allows remote attackers to execute arbitrary code via a crafted PICT image file with Kodak encoding, related to error checking and error messages. 1019764 http://support.apple.com/kb/HT1241 20080403 ZDI-08-017: Apple QuickTime Kodak Encoding Heap Overflow Vulnerability 28583 TA08-094A ADV-2008-1078 http://www.zerodayinitiative.com/advisories/ZDI-08-017 quicktime-pictimage-bo(41610) Heap-based buffer overflow in Animation codec content handling in Apple QuickTime before 7.4.5 on Windows allows remote attackers to execute arbitrary code via a crafted movie with run length encoding. 1019765 http://support.apple.com/kb/HT1241 20080403 ZDI-08-018: Apple QuickTime Run Length Encoding Heap Overflow Vulnerability 28583 TA08-094A ADV-2008-1078 http://www.zerodayinitiative.com/advisories/ZDI-08-018 quicktime-animation-codec-bo(41612) Stack-based buffer overflow in Apple QuickTime before 7.4.5 allows remote attackers to execute arbitrary code via a crafted VR movie with an obji atom of zero size. 1019766 http://support.apple.com/kb/HT1241 20080403 ZDI-08-019: Apple QuickTime Malformed VR obji Atom Parsing Memory Corruption Vulnerability 28583 TA08-094A ADV-2008-1078 http://www.zerodayinitiative.com/advisories/ZDI-08-019 quicktime-obji-atoms-bo(41613) Heap-based buffer overflow in Clip opcode parsing in Apple QuickTime before 7.4.5 on Windows allows remote attackers to execute arbitrary code via a crafted PICT image file. 1019767 http://support.apple.com/kb/HT1241 28583 TA08-094A ADV-2008-1078 quicktime-clip-opcodes-bo(41615) Apple Safari before 3.1.1, when running on Windows XP or Vista, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a file download with a crafted file name, which triggers memory corruption. APPLE-SA-2008-04-16 http://support.apple.com/kb/HT1467 VU#529441 28813 1019868 ADV-2008-0979 apple-safari-filedownload-code-execution(41864) Cross-site scripting (XSS) vulnerability in Apple WebKit, as used in Safari before 3.1.1, allows remote attackers to inject arbitrary web script or HTML via a crafted URL with a colon in the hostname portion. APPLE-SA-2008-07-11 APPLE-SA-2008-04-16 http://support.apple.com/kb/HT1467 VU#705529 28814 1019869 ADV-2008-1250 ADV-2008-2094 apple-safari-webkit-hostname-xss(41862) Integer overflow in the PCRE regular expression compiler (JavaScriptCore/pcre/pcre_compile.cpp) in Apple WebKit, as used in Safari before 3.1.1, allows remote attackers to execute arbitrary code via a regular expression with large, nested repetition counts, which triggers a heap-based buffer overflow. APPLE-SA-2008-07-11 APPLE-SA-2008-04-16 3815 http://support.apple.com/kb/HT1467 20080416 ZDI-08-022: Apple Safari WebKit PCRE Handling Integer Overflow Vulnerability 28815 1019870 ADV-2008-1250 ADV-2008-2094 http://www.zerodayinitiative.com/advisories/ZDI-08-022 apple-safari-webkit-pcrecompile-bo(41859) Apple Filing Protocol (AFP) Server in Apple Mac OS X before 10.5.3 does not verify that requested files and directories are inside shared folders, which allows remote attackers to read arbitrary files via unspecified AFP traffic. APPLE-SA-2008-05-28 1020130 29412 29490 TA08-150A ADV-2008-1697 macosx-afpserver-security-bypass(42703) Unspecified vulnerability in AppKit in Apple Mac OS X before 10.5 allows user-assisted remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted document file, as demonstrated by opening the document with TextEdit. APPLE-SA-2008-05-28 1020131 29412 29487 TA08-150A ADV-2008-1697 macosx-appkit-code-execution(42705) Integer overflow in the CFDataReplaceBytes function in the CFData API in CoreFoundation in Apple Mac OS X before 10.5.3 allows context-dependent attackers to execute arbitrary code or cause a denial of service (crash) via an invalid length argument, which triggers a heap-based buffer overflow. APPLE-SA-2008-05-28 1020135 29412 29491 TA08-150A ADV-2008-1697 macosx-corefoundation-cfdatareplacebytes-bo(42709) CoreGraphics in Apple Mac OS X before 10.5.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document, related to an uninitialized variable. APPLE-SA-2008-05-28 1020136 29412 29480 TA08-150A ADV-2008-1697 macosx-coregraphics-unspec-code-execution(42710) Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X before 10.5.3 allows user-assisted remote attackers to execute arbitrary code via an (1) Automator, (2) Help, (3) Safari, or (4) Terminal content type for a downloadable object, which does not trigger a "potentially unsafe" warning message in (a) the Download Validation feature in Mac OS X 10.4 or (b) the Quarantine feature in Mac OS X 10.5. Per: http://cwe.mitre.org/data/definitions/184.html 'CWE-184: Incomplete Blacklist' APPLE-SA-2008-05-28 1020137 29412 29481 TA08-150A ADV-2008-1697 macosx-coretypes-weak-security(42711) The scheduler in CUPS in Apple Mac OS X 10.5 before 10.5.3, when debug logging is enabled and a printer requires a password, allows attackers to obtain sensitive information (credentials) by reading the log data, related to "authentication environment variables." APPLE-SA-2008-05-28 1020145 29412 29484 TA08-150A ADV-2008-1697 macosx-cups-info-disclosure(42713) Integer underflow in Help Viewer in Apple Mac OS X before 10.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted help:topic URL that triggers a buffer overflow. APPLE-SA-2008-05-28 1020138 VU#566875 29412 29483 TA08-150A ADV-2008-1697 macosx-helpviewer-bo(42716) Use-after-free vulnerability in Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and user-assisted remote attackers, to trigger memory corruption or possibly execute arbitrary code via an "ATTACH;VALUE=URI:S=osumi" line in a .ics file, which triggers a "resource liberation" bug. NOTE: CVE-2008-2007 was originally used for this issue, but this is the appropriate identifier. APPLE-SA-2008-05-28 http://www.coresecurity.com/?action=item&id=2219 20080521 CORE-2008-0126: Multiple vulnerabilities in iCal 20080527 Re: CORE-2008-0126: Multiple vulnerabilities in iCal 20080528 Re: CORE-2008-0126: Multiple vulnerabilities in iCal 28633 29412 29486 1020095 TA08-150A ADV-2008-1601 ADV-2008-1697 The International Components for Unicode (ICU) library in Apple Mac OS X before 10.5.3, Red Hat Enterprise Linux 5, and other operating systems omits some invalid character sequences during conversion of some character encodings, which might allow remote attackers to conduct cross-site scripting (XSS) attacks. APPLE-SA-2008-05-28 1020139 http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0064 DSA-1762 RHSA-2009:0296 29412 29488 USN-747-1 TA08-150A ADV-2008-1697 macosx-icu-security-bypass(42717) oval:org.mitre.oval:def:10824 Cross-site scripting (XSS) vulnerability in the file listing function in the web management interface in Packeteer PacketShaper and PolicyCenter 8.2.2 allows remote attackers to inject arbitrary web script or HTML via the FILELIST parameter to an arbitrary component, which triggers injection into an Error Report page. 3701 20080224 Packeteer Products File Listing XSS 27982 1019501 PHP remote file inclusion vulnerability in mod/mod.extmanager.php in DBHcms 1.1.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the extmanager_install parameter. 27996 dbhcms-modextmanager-file-include(40835) 5189 SQL injection vulnerability in question.asp in PORAR WEBBOARD allows remote attackers to execute arbitrary SQL commands via the QID parameter. 27989 porar-question-sql-injection(40839) 5185 Buffer overflow in the Single Sign-On function in Fujitsu Interstage Application Server 8.0.0 through 8.0.3 and 9.0.0, Interstage Studio 8.0.1 and 9.0.0, and Interstage Apworks 8.0.0 allows remote attackers to execute arbitrary code via a long URI. http://www.fujitsu.com/global/support/software/security/products-f/interstage-200804e.html 27966 ADV-2008-0662 Cross-site scripting (XSS) vulnerability in mwhois.php in Matt Wilson Matt's Whois (MWhois) allows remote attackers to inject arbitrary web script or HTML via the domain parameter. http://www.packetstormsecurity.org/0802-exploits/mattswhois-xss.txt 27974 Directory traversal vulnerability in include/body.inc.php in Linux Web Shop (LWS) php Download Manager 1.0 and 1.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the content parameter. 27961 phpdownloadmanager-body-file-include(40795) 5183 PHP remote file inclusion vulnerability in templates/default/header.inc.php in Linux Web Shop (LWS) php User Base 1.3 BETA allows remote attackers to execute arbitrary PHP code via a URL in the menu parameter. 20080710 phpuserbase 1.3 (menu) Remote File Inclusion Vulnerability 27963 phpuserbase-header-file-include(40794) 5180 Stack-based buffer overflow in the Quantum Streaming Player (Quantum Streaming IE Player) ActiveX control (aka QSP2IE.QSP2IE) in qsp2ie07076007.dll 7.7.6.7 and qsp2ie07074039.dll 7.7.4.39 in Move Media Player allows remote attackers to execute arbitrary code via a long argument to the UploadLogs method, a different vector than CVE-2007-4722. NOTE: some of these details are obtained from third party information. 20080226 Move Networks Quantum Streaming Player UploadLogs() Buffer Overflow 27995 ADV-2008-0684 5190 Cross-site scripting (XSS) vulnerability in the file tree navigation function in system/workplace/views/explorer/tree_files.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the resource parameter. 3702 20080224 Alkacon OpenCms tree_files.jsp resource XSS 27986 PHP remote file inclusion vulnerability in footer.php in Quinsonnas Mail Checker 1.55 allows remote attackers to execute arbitrary PHP code via a URL in the op[footer_body] parameter. 5176 Cross-site scripting (XSS) vulnerability in tiki-edit_article.php in TikiWiki before 1.9.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://dev.tikiwiki.org/tiki-view_tracker_item.php?itemId=1498 http://tikiwiki.org/ReleaseNotes1910 27968 ADV-2008-0661 Cross-site scripting (XSS) vulnerability in manager/xmedia.php in Plume CMS 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. http://www.digitrustgroup.com/advisories/web-application-security-plume-cms.html 27999 1019507 plume-xmedia-xss(40841) Unspecified vulnerability in Parallels SiteStudio before 1.7.2, and 1.8.x before 1.8b, as used in Parallels H-Sphere 3.0 before Patch 9 and 2.5 before Patch 11, has unknown impact and attack vectors. http://www.psoft.net/misc/hs_ss_technical_update.html 28002 1019506 hsphere-sitestudio-unspecified(40846) SQL injection vulnerability in index.php in Softbiz Jokes & Funny Pics Script allows remote attackers to execute arbitrary SQL commands via the sbcat_id parameter. 3703 20080224 Softbiz jokes and funny pictures (index.php) sql injection 27973 PHP remote file inclusion vulnerability in include/body_comm.inc.php in phpProfiles 4.5.2 BETA allows remote attackers to execute arbitrary PHP code via a URL in the content parameter. 27952 5175 The administration web interface in NetWin SurgeFTP 2.3a2 and earlier allows remote attackers to cause a denial of service (daemon crash) via a large integer in the Content-Length HTTP header, which triggers a NULL pointer dereference when memory allocation fails. http://aluigi.altervista.org/adv/surgeftpizza-adv.txt 3704 20080225 NULL pointer in SurgeFTP 2.3a2 27993 surgeftp-contentlength-dos(40843) Multiple SQL injection vulnerabilities in the Kose_Yazilari module for PHP-Nuke allow remote attackers to execute arbitrary SQL commands via the artid parameter in a (1) viewarticle or (2) printpage action to modules.php. 27991 koseyazilari-artid-sql-injection(40848) 5186 Stack-based buffer overflow in the _lib_spawn_user_getpid function in (1) swatch.exe and (2) surgemail.exe in NetWin SurgeMail 38k4 and earlier, and beta 39a, allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via an HTTP request with multiple long headers to webmail.exe and unspecified other CGI executables, which triggers an overflow when assigning values to environment variables. NOTE: some of these details are obtained from third party information. http://aluigi.altervista.org/adv/surgemailz-adv.txt 3705 20080225 Format string and buffer-overflow in SurgeMail 38k4 27992 1019500 ADV-2008-0678 surgemail-webmail-bo(40834) Format string vulnerability in webmail.exe in NetWin SurgeMail 38k4 and earlier and beta 39a, and WebMail 3.1s and earlier, allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via format string specifiers in the page parameter. http://aluigi.altervista.org/adv/surgemailz-adv.txt 3705 20080225 Format string and buffer-overflow in SurgeMail 38k4 27990 1019500 ADV-2008-0678 surgemail-webmail-format-string(40833) Multiple stack-based buffer overflows in Symark PowerBroker 2.8 through 5.0.1 allow local users to gain privileges via a long argv[0] string when executing (1) pbrun, (2) pbsh, or (3) pbksh. NOTE: the product is often installed in environments with trust relationships that facilitate subsequent remote compromises. http://www.mnin.org/advisories/2008_symarkpb.pdf 28015 http://www.symark.com/support/PBFeb2008Announcement.html powerbroker-argv-bo(40872) The ip6_check_rh0hdr function in netinet6/ip6_input.c in OpenBSD 4.2 allows attackers to cause a denial of service (panic) via malformed IPv6 routing headers. 20080225 008: RELIABILITY FIX: February 25, 2008 27965 1019496 ADV-2008-0660 The tcp_respond function in netinet/tcp_subr.c in OpenBSD 4.1 and 4.2 allows attackers to cause a denial of service (panic) via crafted TCP packets. NOTE: some of these details are obtained from third party information. 20080222 013: RELIABILITY FIX: February 22, 2008 20080222 007: RELIABILITY FIX: February 22, 2008 27949 1019495 ADV-2008-0660 PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter. 3706 20080225 Wordpress Plugin Sniplets 1.1.2 Multiple Vulnerabilities 27985 sniplets-syntaxhighlight-file-include(40829) 5194 Eval injection vulnerability in modules/execute.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via the text parameter. 3706 20080225 Wordpress Plugin Sniplets 1.1.2 Multiple Vulnerabilities 27985 sniplets-execute-code-execution(40831) 5194 Multiple cross-site scripting (XSS) vulnerabilities in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter to (a) warning.php, (b) notice.php, and (c) inset.php in view/sniplets/, and possibly (d) modules/execute.php; the (2) url parameter to (e) view/admin/submenu.php; and the (3) page parameter to (f) view/admin/pager.php. 3706 20080225 Wordpress Plugin Sniplets 1.1.2 Multiple Vulnerabilities 27985 sniplets-multiple-xss(40830) 5194 InterVideo IMC Server (aka IMCSvr.exe) and InterVideo Home Theater (aka IHT.exe) in InterVideo WinDVD Media Center 2.11.15.0 allow remote attackers to cause a denial of service (NULL dereference and application crash) via a crafted packet with two CRLF sequences. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28016 Cross-site scripting (XSS) vulnerability index.php in the XM-Memberstats (xmmemberstats) module for XOOPS allows remote attackers to inject arbitrary web script or HTML via the sortby parameter. http://www.xssing.com/index.php?x=3&y=12 xmmemberstats-sortby-xss(41001) Cross-site scripting (XSS) vulnerability in images.php in the Red Mexico RMSOFT Gallery System (GS) 2.0 module (aka rmgs) for XOOPS allows remote attackers to inject arbitrary web script or HTML via the q parameter. http://www.xssing.com/index.php?x=3&y=12 rmsoftgallerysystem-images-xss(41013) Multiple SQL injection vulnerabilities in index.php in the XM-Memberstats (xmmemberstats) 2.0e module for XOOPS allow remote attackers to execute arbitrary SQL commands via the (1) letter or (2) sortby parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 27979 http://www.xssing.com/index.php?x=3&y=12 The modifier.regex_replace.php plugin in Smarty before 2.6.19, as used by Serendipity (S9Y) and other products, allows attackers to call arbitrary PHP functions via templates, related to a '\0' character in a search string. http://blog.s9y.org/archives/191-Serendipity-1.3-beta1-released.html SUSE-SR:2008:007 GLSA-201111-04 DSA-1520 http://www.phpinsider.com/smarty-forum/viewtopic.php?p=47652 28105 http://www.smarty.net/misc/NEWS smarty-modifierregexreplace-security-bypass(41002) FEDORA-2008-2650 FEDORA-2008-2587 FEDORA-2008-2656 Multiple PHP remote file inclusion vulnerabilities in phpQLAdmin 2.2.7 allow remote attackers to execute arbitrary PHP code via a URL in the _SESSION[path] parameter to (1) ezmlm.php and (2) tools/update_translations.php. 5173 Multiple PHP remote file inclusion vulnerabilities in Portail Web Php 2.5.1.1 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the site_path parameter to (1) Vert/index.php, (2) Noir/index.php, and (3) Bleu/index.php in template/, different vectors than CVE-2008-0645. 27962 5182 Multiple PHP remote file inclusion vulnerabilities in Quantum Game Library 0.7.2c allow remote attackers to execute arbitrary PHP code via a URL in the CONFIG[gameroot] parameter to (1) server_request.php and (2) qlib/smarty.inc.php. 27945 quantumgame-server-file-include(40776) 5174 The SCTP dissector in Wireshark (formerly Ethereal) 0.99.5 through 0.99.7 allows remote attackers to cause a denial of service (crash) via a malformed packet. SUSE-SR:2008:005 GLSA-200803-32 http://support.avaya.com/elmodocs2/security/ASA-2008-392.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0092 MDVSA-2008:057 RHSA-2008:0890 20080229 rPSA-2008-0092-1 tshark wireshark 28025 1019515 ADV-2008-0704 ADV-2008-2773 http://www.wireshark.org/security/wnpa-sec-2008-01.html https://issues.rpath.com/browse/RPL-2296 oval:org.mitre.oval:def:11378 oval:org.mitre.oval:def:14995 FEDORA-2008-2941 FEDORA-2008-3040 The SNMP dissector in Wireshark (formerly Ethereal) 0.99.6 through 0.99.7 allows remote attackers to cause a denial of service (crash) via a malformed packet. SUSE-SR:2008:005 GLSA-200803-32 http://support.avaya.com/elmodocs2/security/ASA-2008-392.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0092 MDVSA-2008:057 RHSA-2008:0890 20080229 rPSA-2008-0092-1 tshark wireshark 28025 1019515 ADV-2008-0704 ADV-2008-2773 http://www.wireshark.org/security/wnpa-sec-2008-01.html https://issues.rpath.com/browse/RPL-2296 oval:org.mitre.oval:def:11633 oval:org.mitre.oval:def:14784 FEDORA-2008-2941 FEDORA-2008-3040 The TFTP dissector in Wireshark (formerly Ethereal) 0.6.0 through 0.99.7, when running on Ubuntu 7.10, allows remote attackers to cause a denial of service (crash or memory consumption) via a malformed packet, possibly related to a Cairo library bug. SUSE-SR:2008:005 GLSA-200803-32 http://support.avaya.com/elmodocs2/security/ASA-2008-392.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0092 MDVSA-2008:057 RHSA-2008:0890 20080229 rPSA-2008-0092-1 tshark wireshark 28025 1019515 ADV-2008-0704 ADV-2008-2773 http://www.wireshark.org/security/wnpa-sec-2008-01.html https://issues.rpath.com/browse/RPL-2296 oval:org.mitre.oval:def:10188 FEDORA-2008-2941 FEDORA-2008-3040 Cross-site scripting (XSS) vulnerability in the report interface in Internet Security Systems (ISS) Internet Scanner 7.0 Service Pack 2 Build 7.2.2005.52 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. JVN#42381549 28014 1019508 ADV-2008-0681 PHP remote file inclusion vulnerability in lib/head_auth.php in GROUP-E 1.6.41 allows remote attackers to execute arbitrary PHP code via a URL in the CFG[PREPEND_FILE] parameter. http://sourceforge.net/project/shownotes.php?group_id=196032&release_id=581434 28024 ADV-2008-0766 5197 Cross-site scripting (XSS) vulnerability in index.php in Maian Cart 1.1 allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a search command. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28028 Cross-site scripting (XSS) vulnerability in search.php in Interspire Shopping Cart 1.x allows remote attackers to inject arbitrary web script or HTML via the search_query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28029 interspire-search-xss(40906) SQL injection vulnerability in index.php in the Simpleboard (com_simpleboard) 1.0.3 Stable component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a view action. 28018 5195 expn in the am-utils and net-fs packages for Gentoo, rPath Linux, and other distributions, allows local users to overwrite arbitrary files via a symlink attack on the expn[PID] temporary file. NOTE: this is the same issue as CVE-2003-0308.1. http://bugs.gentoo.org/show_bug.cgi?id=210158 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0088 GLSA-200804-09 20080228 rPSA-2008-0088-1 am-utils 28044 https://issues.rpath.com/browse/RPL-2255 FEDORA-2008-10755 The outboxWriteUnsent function in FTPThread.class in SendFile.jar for Beehive Software SendFile.NET uses hard-coded credentials for an FTP server, which allows remote attackers to gain privileges. 3711 20080229 Beehive/SendFile.NET - Secure File Transfer Appliance Hardcoded Credentials 28060 sendfile-sendfilejar-weak-security(40982) Opera before 9.26 allows user-assisted remote attackers to read arbitrary files by tricking a user into typing the characters of the target filename into a file input. SUSE-SA:2008:011 GLSA-200803-09 http://www.opera.com/docs/changelogs/linux/926/ http://www.opera.com/support/search/view/877/ 27901 ADV-2008-0622 Opera before 9.26 allows user-assisted remote attackers to execute arbitrary script via images that contain custom comments, which are treated as script when the user displays the image properties. SUSE-SA:2008:011 GLSA-200803-09 http://www.opera.com/docs/changelogs/linux/926/ http://www.opera.com/support/search/view/879/ 27901 ADV-2008-0622 Opera before 9.26 allows remote attackers to "bypass sanitization filters" and conduct cross-site scripting (XSS) attacks via crafted attribute values in an XML document, which are not properly handled during DOM presentation. SUSE-SA:2008:011 GLSA-200803-09 http://www.opera.com/docs/changelogs/linux/926/ http://www.opera.com/support/search/view/880/ 27901 ADV-2008-0622 Heap-based buffer overflow in the CreateDIBPatternBrushPt function in GDI in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, and Server 2008 allows remote attackers to execute arbitrary code via an EMF or WMF image file with a malformed header that triggers an integer overflow, aka "GDI Heap Overflow Vulnerability." 20080408 ZDI-08-020: Microsoft GDI WMF Parsing Heap Overflow Vulnerability 20080408 Microsoft Windows Graphics Rendering Engine Integer Overflow Vulnerability SSRT080048 948590 VU#632963 20080408 ZDI-08-020: Microsoft GDI WMF Parsing Heap Overflow Vulnerability 28571 30933 1019798 TA08-099A ADV-2008-1145 http://www.zerodayinitiative.com/advisories/ZDI-08-020/ MS08-021 win-emf-wmf-header-bo(41471) oval:org.mitre.oval:def:5441 5442 6330 Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, through Vista SP1, and Server 2008 allows local users to execute arbitrary code via unknown vectors related to improper input validation. NOTE: it was later reported that one affected function is NtUserFnOUTSTRING in win32k.sys. SSRT080048 http://milw0rm.com/sploits/2008-ms08-25-exploit.zip 28554 1019803 TA08-099A ADV-2008-1149 MS08-025 oval:org.mitre.oval:def:5437 5518 Use-after-free vulnerability in Microsoft Internet Explorer 5.01 SP4, 6 through SP1, and 7 allows remote attackers to execute arbitrary code via a crafted data stream that triggers memory corruption, as demonstrated using an invalid MIME-type that does not have a registered handler. SSRT080048 20080414 Secunia Research: Internet Explorer Data Stream HandlingVulnerability 28552 1019801 TA08-099A ADV-2008-1148 MS08-024 oval:org.mitre.oval:def:5563 The HxTocCtrl ActiveX control (hxvz.dll), as used in Microsoft Internet Explorer 5.01 SP4 and 6 SP1, in Windows XP SP2, Server 2003 SP1 and SP2, Vista SP1, and Server 2008, allows remote attackers to execute arbitrary code via malformed arguments, which triggers memory corruption. 20080408 Microsoft HxTocCtrl ActiveX Control Invalid Param Heap Corruption Vulnerability SSRT080048 28606 1019800 TA08-099A ADV-2008-1147 MS08-023 ie-hxvz-code-execution(41464) oval:org.mitre.oval:def:5475 Stack-based buffer overflow in GDI in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, and Server 2008 allows remote attackers to execute arbitrary code via an EMF image file with crafted filename parameters, aka "GDI Stack Overflow Vulnerability." SSRT080048 28570 1019798 TA08-099A ADV-2008-1145 MS08-021 oval:org.mitre.oval:def:5580 5442 6656 Microsoft Project 2000 Service Release 1, 2002 SP1, and 2003 SP2 allows user-assisted remote attackers to execute arbitrary code via a crafted Project file, related to improper validation of "memory resource allocations." SSRT080048 VU#155563 28607 1019797 TA08-099A ADV-2008-1142 MS08-018 project-file-code-execution(41447) oval:org.mitre.oval:def:5384 Unspecified vulnerability in Microsoft Visio 2002 SP2, 2003 SP2 and SP3, and 2007 up to SP1 allows user-assisted remote attackers to execute arbitrary code via a Visio file containing crafted object header data, aka "Visio Object Header Vulnerability." SSRT080048 28555 1019804 TA08-099A ADV-2008-1143 MS08-019 visio-object-header-code-execution(41451) oval:org.mitre.oval:def:5496 Unspecified vulnerability in Microsoft Visio 2002 SP2, 2003 SP2 and SP3, and 2007 up to SP1 allows user-assisted remote attackers to execute arbitrary code via a crafted .DXF file, aka "Visio Memory Validation Vulnerability." SSRT080048 28556 1019804 TA08-099A ADV-2008-1143 MS08-019 visio-file-code-execution(41452) oval:org.mitre.oval:def:5344 Unspecified vulnerability in Microsoft Word in Office 2000 and XP SP3, 2003 SP2 and SP3, and 2007 Office System SP1 and earlier allows remote attackers to execute arbitrary code via a Rich Text Format (.rtf) file with a malformed string that triggers a "memory calculation error" and a heap-based buffer overflow, aka "Object Parsing Vulnerability." SSRT080071 VU#543907 20080513 ZDI-08-023: Microsoft Office RTF Parsing Engine Memory Corruption Vulnerability 29104 1020013 TA08-134A ADV-2008-1504 http://www.zerodayinitiative.com/advisories/ZDI-08-023 MS08-026 oval:org.mitre.oval:def:5494 Buffer overflow in msjet40.dll before 4.0.9505.0 in Microsoft Jet Database Engine allows remote attackers to execute arbitrary code via a crafted Word file, as exploited in the wild in March 2008. NOTE: as of 20080513, Microsoft has stated that this is the same issue as CVE-2007-6026. SSRT080071 VU#936529 950627 1019686 MS08-028 microsoft-jet-msjet40-bo(41380) Acresso InstallShield Update Agent does not properly verify the authenticity of Rule Scripts obtained from GetRules.asp web pages on FLEXnet Connect servers, which allows remote man-in-the-middle attackers to execute arbitrary VBScript code via Trojan horse Rules. 4268 VU#837092 20080916 InstallShield Update Agent - Downloads and executes "Rule Scripts" insecurely. 31204 1020893 http://www.simplicity.net/vuln/CVE-2008-1093.txt ADV-2008-2613 SQL injection vulnerability in index.cgi in the Account View page in Barracuda Spam Firewall (BSF) before 3.5.12.007 allows remote authenticated administrators to execute arbitrary SQL commands via a pattern_x parameter in a search_count_equals action, as demonstrated by the pattern_0 parameter. http://dcsl.ul.ie/advisories/02.htm 4793 1021455 http://www.barracudanetworks.com/ns/support/tech_alert.php 20081216 CVE-2008-1094 - Barracuda Span Firewall SQL Injection Vulnerability 7496 Unspecified vulnerability in the Internet Protocol (IP) implementation in Sun Solaris 8, 9, and 10 allows remote attackers to bypass intended firewall policies or cause a denial of service (panic) via unknown vectors, possibly related to ICMP packets and IP fragment reassembly. 200183 http://support.avaya.com/elmodocs2/security/ASA-2008-119.htm 27967 ADV-2008-0645 solaris-ip-dos(40473) oval:org.mitre.oval:def:5511 The load_tile function in the XCF coder in coders/xcf.c in (1) ImageMagick 6.2.8-0 and (2) GraphicsMagick (aka gm) 1.1.7 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write, possibly related to the ScaleCharToQuantum function. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414370 SUSE-SR:2008:014 DSA-1858 MDVSA-2008:099 RHSA-2008:0145 28821 1019880 USN-681-1 https://bugzilla.redhat.com/show_bug.cgi?id=286411 imagemagick-loadtile-code-execution(41194) oval:org.mitre.oval:def:10843 Heap-based buffer overflow in the ReadPCXImage function in the PCX coder in coders/pcx.c in (1) ImageMagick 6.2.4-5 and 6.2.8-0 and (2) GraphicsMagick (aka gm) 1.1.7 allows user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted .pcx file that triggers incorrect memory allocation for the scanline array, leading to memory corruption. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413034 SUSE-SR:2008:014 GLSA-201311-10 DSA-1858 MDVSA-2008:099 RHSA-2008:0145 RHSA-2008:0165 28822 1019881 https://bugzilla.redhat.com/show_bug.cgi?id=285861 imagemagick-readpcximage-bo(41193) oval:org.mitre.oval:def:11237 Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin 1.5.8 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) certain input processed by formatter/text_gedit.py (aka the gui editor formatter); (2) a page name, which triggers an injection in PageEditor.py when the page is successfully deleted by a victim in a DeletePage action; or (3) the destination page name for a RenamePage action, which triggers an injection in PageEditor.py when a victim's rename attempt fails because of a duplicate name. NOTE: the AttachFile XSS issue is already covered by CVE-2008-0781, and the login XSS issue is already covered by CVE-2008-0780. http://hg.moinmo.in/moin/1.5/rev/4ede07e792dd http://hg.moinmo.in/moin/1.5/rev/d0152eeb4499 http://moinmo.in/SecurityFixes DSA-1514 GLSA-200803-27 28173 moinmoin-multiple-actions-xss(41037) USN-716-1 FEDORA-2008-3301 FEDORA-2008-3328 _macro_Getval in wikimacro.py in MoinMoin 1.5.8 and earlier does not properly enforce ACLs, which allows remote attackers to read protected pages. http://hg.moinmo.in/moin/1.5/rev/4a7de0173734 http://moinmo.in/SecurityFixes DSA-1514 GLSA-200803-27 28177 moinmoin-macrogetval-information-disclosure(41038) USN-716-1 FEDORA-2008-3301 FEDORA-2008-3328 Buffer overflow in the cli_scanpe function in libclamav (libclamav/pe.c) for ClamAV 0.92 and 0.92.1 allows remote attackers to execute arbitrary code via a crafted Upack PE file. http://kolab.org/security/kolab-vendor-notice-20.txt APPLE-SA-2008-09-15 SUSE-SA:2008:024 openSUSE-SU-2015:0906 GLSA-200805-19 DSA-1549 VU#858595 MDVSA-2008:088 28756 28784 1019837 TA08-260A ADV-2008-1218 ADV-2008-2584 clamav-cliscanpe-bo(41789) FEDORA-2008-3358 FEDORA-2008-3420 FEDORA-2008-3900 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=878 Buffer overflow in kvdocve.dll in the KeyView document viewing engine in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes 7.0.2 and 7.0.3, allows remote attackers to execute arbitrary code via a long pathname, as demonstrated by a long SRC attribute of an IMG element in an HTML document. 20080414 Secunia Research: Lotus Notes kvdocve.dll Path Processing BufferOverflow 28454 ADV-2008-1153 ADV-2008-1156 http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21298453 autonomy-keyview-kvdocve-bo(41725) Stack-based buffer overflow in the imb_loadhdr function in Blender 2.45 allows user-assisted remote attackers to execute arbitrary code via a .blend file that contains a crafted Radiance RGBE image. SUSE-SR:2008:010 DSA-1567 GLSA-200805-12 MDVSA-2008:204 28870 ADV-2008-1308 blender-imbloadhdr-bo(41917) FEDORA-2008-3862 FEDORA-2008-3875 Multiple unspecified vulnerabilities in Blender have unknown impact and attack vectors, related to "temporary file issues." SUSE-SR:2008:010 GLSA-200805-12 MDVSA-2008:204 28936 blender-file-unspecified(42153) Stack-based buffer overflow in Foxit Reader before 2.3 build 2912 allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file, related to the util.printf JavaScript function and floating point specifiers in format strings. 3899 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=800801 VU#119747 20080520 Secunia Research: Foxit Reader "util.printf()" Buffer Overflow 29288 1020050 ADV-2008-1572 foxitreader-utilprintf-bo(42531) Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response. APPLE-SA-2008-06-30 SUSE-SA:2008:026 [Security-announce] 20080728 VMSA-2008-00011 Updated ESX service console packages for Samba and vmnix GLSA-200805-23 1020123 SSA:2008-149-01 249086 http://support.apple.com/kb/HT2163 http://wiki.rpath.com/Advisories:rPSA-2008-0180 DSA-1590 MDVSA-2008:108 RHSA-2008:0288 RHSA-2008:0289 RHSA-2008:0290 http://www.samba.org/samba/security/CVE-2008-1105.html 20080528 [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses 20080529 Secunia Research: Samba "receive_smb_raw()" Buffer OverflowVulnerability 20080602 rPSA-2008-0180-1 samba samba-client samba-server samba-swat 29404 31255 USN-617-1 USN-617-2 ADV-2008-1681 ADV-2008-1908 ADV-2008-1981 ADV-2008-2222 ADV-2008-2639 http://www.xerox.com/downloads/usa/en/c/cert_XRX08_009.pdf HPSBUX02341 samba-receivesmbraw-bo(42664) xerox-controller-samba-code-execution(45251) oval:org.mitre.oval:def:10020 oval:org.mitre.oval:def:5733 5712 FEDORA-2008-4679 FEDORA-2008-4724 FEDORA-2008-4797 The management interface in Akamai Client (formerly Red Swoosh) 3322 and earlier allows remote attackers to bypass authentication via an HTTP request that contains (1) no Referer header, or (2) a spoofed Referer header that matches an approved domain, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and force the client to download and execute arbitrary files. 3930 20080606 Akamai Technologies Security Advisory 2008-0003 (Akamai Client Software) 20080606 Secunia Research: Akamai Red Swoosh Cross-Site Request Forgery 1020208 ADV-2008-1761 redswoosh-http-csrf(42895) Multiple stack-based buffer overflows in the Danske Bank e-Sec Control Module ActiveX control (DanskeSikker.ocx) 3.1.0.48, and possibly earlier versions, allow remote attackers to execute arbitrary code via long arguments to unspecified methods, which are not properly handled by a logging function. 20090416 Secunia Research: Danske Bank e-Sec Control Module Error Logging Buffer Overflow 34549 ADV-2009-1047 danske-esec-activex-bo(49903) Buffer overflow in Evolution 2.22.1, when the ITip Formatter plugin is disabled, allows remote attackers to execute arbitrary code via a long timezone string in an iCalendar attachment. SUSE-SA:2008:028 GLSA-200806-06 MDVSA-2008:111 RHSA-2008:0514 RHSA-2008:0515 RHSA-2008:0516 RHSA-2008:0517 29527 1020169 USN-615-1 ADV-2008-1732 evolution-icalendar-bo(42824) oval:org.mitre.oval:def:10471 FEDORA-2008-4990 FEDORA-2008-5016 FEDORA-2008-5018 Heap-based buffer overflow in Evolution 2.22.1 allows user-assisted remote attackers to execute arbitrary code via a long DESCRIPTION property in an iCalendar attachment, which is not properly handled during a reply in the calendar view (aka the Calendars window). SUSE-SA:2008:028 GLSA-200806-06 MDVSA-2008:111 RHSA-2008:0514 RHSA-2008:0515 29527 1020170 USN-615-1 ADV-2008-1732 evolution-icalendar-description-bo(42826) oval:org.mitre.oval:def:10337 FEDORA-2008-4990 FEDORA-2008-5016 FEDORA-2008-5018 Buffer overflow in demuxers/demux_asf.c (aka the ASF demuxer) in the xineplug_dmx_asf.so plugin in xine-lib before 1.1.10 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a crafted ASF header. NOTE: this issue leads to a crash when an attack uses the CVE-2006-1664 exploit code, but it is different from CVE-2006-1664. http://bugs.gentoo.org/show_bug.cgi?id=208100 http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=fb6d089b520dca199ef16a046da28c50c984c2d2;style=gitweb GLSA-200802-12 http://sourceforge.net/project/shownotes.php?group_id=9655&release_id=571608 MDVSA-2008:178 USN-635-1 http://xinehq.de/index.php/news http://xinehq.de/index.php/security xinelib-demuxasf-bo(41019) 1641 mod_cgi in lighttpd 1.4.18 sends the source code of CGI scripts instead of a 500 error when a fork failure occurs, which might allow remote attackers to obtain sensitive information. SUSE-SR:2008:008 GLSA-200803-10 http://trac.lighttpd.net/trac/changeset/2107 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106 DSA-1513 20080312 rPSA-2008-0106-1 lighttpd 28100 ADV-2008-0763 https://bugs.gentoo.org/show_bug.cgi?id=211956 lighttpd-modcgi-information-disclosure(41008) https://issues.rpath.com/browse/RPL-2326 FEDORA-2008-2262 FEDORA-2008-2278 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-0928. Reason: This candidate is a duplicate of CVE-2008-0928. Notes: All CVE users should reference CVE-2008-0928 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Cisco Unified Wireless IP Phone 7921, when using Protected Extensible Authentication Protocol (PEAP), does not validate server certificates, which allows remote wireless access points to steal hashed passwords and conduct man-in-the-middle (MITM) attacks. http://blogs.zdnet.com/security/?p=896 http://blogs.zdnet.com/security/?p=901 20080221 Cisco and Vocera wireless LAN VoIP devices don't check certificates 20080223 Cisco confirms vulnerability in 7921 Wi-Fi IP phone 1019494 27935 Vocera Communications wireless handsets, when using Protected Extensible Authentication Protocol (PEAP), do not validate server certificates, which allows remote wireless access points to steal hashed passwords and conduct man-in-the-middle (MITM) attacks. http://blogs.zdnet.com/security/?p=896 http://blogs.zdnet.com/security/?p=901 20080221 Cisco and Vocera wireless LAN VoIP devices don't check certificates 27935 http://www.vocera.com/downloads/InfrastructureGuide.pdf Unspecified vulnerability in Sun Solaris 8 directory functions allows local users to cause a denial of service (panic) via an unspecified sequence of system calls or commands. 200163 28069 ADV-2008-0644 oval:org.mitre.oval:def:5485 Insecure method vulnerability in the Web Scan Object ActiveX control (OL2005.dll) in Rising Antivirus Online Scanner allows remote attackers to force the download and execution of arbitrary code by setting the BaseURL property and invoking the UpdateEngine method. NOTE: some of these details are obtained from third party information. 27997 ADV-2008-0683 risingonline-webscan-code-execution(40838) 5188 Directory traversal vulnerability in the Notes (aka Flash Notes or instant messages) feature in tb2ftp.dll in Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, allows remote attackers to upload files to arbitrary locations via a destination filename with a \ (backslash) character followed by ../ (dot dot slash) sequences. NOTE: this can be leveraged for code execution by writing to a Startup folder. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-4220. http://aluigi.altervista.org/adv/timbuto-adv.txt http://aluigi.org/poc/timbuto.zip 3741 http://www.coresecurity.com/?action=item&id=2166 20080310 Vulnerabilities in Timbuktu Pro 8.6.5 20080311 Re: [Full-disclosure] Vulnerabilities in Timbuktu Pro 8.6.5 20080311 CORE-2008-0204: Timbuktu Pro Remote Path Traversal and Log Injection 28081 ADV-2008-0840 4455 5238 Timbuktu Pro 8.6.5 for Windows, and possibly 8.7 for Mac OS X, does not perform input validation before logging information fields taken from packets from a remote peer, which allows remote attackers to generate crafted log entries, and possibly avoid detection of attacks, via modified (1) computer name, (2) user name, and (3) IP address fields. 3742 http://www.coresecurity.com/?action=item&id=2166 20080311 CORE-2008-0204: Timbuktu Pro Remote Path Traversal and Log Injection 28081 timbuktu-log-security-bypass(41330) 5238 Directory traversal vulnerability in include/doc/get_image.php in Centreon 1.4.2.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter. http://www.centreon.com/Product/Changelog-Centreon-1.4.x.html 28022 5204 Format string vulnerability in the embedded Internet Explorer component for Mirabilis ICQ 6 build 6043 allows remote servers to execute arbitrary code or cause a denial of service (crash) via unspecified vectors related to HTML code generation. http://board.raidrush.ws/showthread.php?t=386983 28027 ADV-2008-0701 SQL injection vulnerability in index.php in eazyPortal 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the session_vars cookie. 28019 5196 SQL injection vulnerability in the downloads module in Koobi Pro 5.7 allows remote attackers to execute arbitrary SQL commands via the categ parameter to index.php. NOTE: it was later reported that this also affects Koobi CMS 4.2.4, 4.2.5, and 4.3.0. 20080415 Koobi CMS 4.2.4/4.2.5/4.3.0 Multiple Remote SQL Injection Vulnerabilities 28031 koobi-categ-sql-injection(40903) 5198 5447 Multiple PHP remote file inclusion vulnerabilities in SiteBuilder Elite 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the CarpPath parameter to (1) files/carprss.php and (2) files/amazon-bestsellers.php. 28036 5199 Multiple PHP remote file inclusion vulnerabilities in Podcast Generator 1.0 BETA 2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the absoluteurl parameter to (1) components/xmlparser/loadparser.php; (2) admin.php, (3) categories.php, (4) categories_add.php, (5) categories_remove.php, (6) edit.php, (7) editdel.php, (8) ftpfeature.php, (9) login.php, (10) pgRSSnews.php, (11) showcat.php, and (12) upload.php in core/admin/; and (13) archive_cat.php, (14) archive_nocat.php, and (15) recent_list.php in core/. 28038 5200 Multiple directory traversal vulnerabilities in Podcast Generator 1.0 BETA 2 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) theme_path parameter to core/themes.php and the (2) filename parameter to download.php. 28038 5200 PHP remote file inclusion vulnerability in main.php in Barryvan Compo Manager 0.3 allows remote attackers to execute arbitrary PHP code via a URL in the pageURL parameter. More information available at: http://www.securityfocus.com/bid/28035/info 28035 5202 Format string vulnerability in the cryactio function in Crysis 1.1.1.5879 allows remote authenticated users to execute arbitrary code via format string specifiers in the user name, which is triggered when the game character is killed. 28039 ADV-2008-0735 5201 PHP remote file inclusion vulnerability in tourney/index.php in phpMyTourney 2 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. 3708 20080229 PHPMyTourney Remote file include Vulnerability 28057 Cross-site scripting (XSS) vulnerability in admin/users/self.php in XRMS CRM allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: some of these details are obtained from third party information. 3709 20080228 XSS on XRMS- open source CRM 28041 Unspecified vulnerability in IBM WebSphere MQ 6.0.x before 6.0.2.2 and 5.3 before Fix Pack 14 allows attackers to bypass access restrictions for a queue manager via a SVRCONN (MQ client) channel. 28046 1019527 ADV-2008-0719 IZ01272 Cross-site scripting (XSS) vulnerability in Drupal 6.0 allows remote authenticated users to inject arbitrary web script or HTML via titles in content edit forms. http://drupal.org/node/227608 28026 Untrusted search path vulnerability in src/mainwindow.c in Net Activity Viewer 0.2.1 allows local users with Net Activity Viewer privileges to execute arbitrary code via a malicious gksu program, which is invoked during the Restart As Root action. http://sourceforge.net/project/shownotes.php?release_id=579181 The Drupal.checkPlain function in Drupal 6.0 only escapes the first instance of a character in ECMAScript, which allows remote attackers to conduct cross-site scripting (XSS) attacks. http://drupal.org/node/227608 28026 OMEGA (aka Omegasoft) INterneSErvicesLosungen (INSEL) 7 supports authentication with a cookie that lacks a shared secret, which allows remote attackers to login as an arbitrary user via a modified cookie. 20080109 Privileg escalation in Omegasoft Insel 7 27210 insel-cookie-weak-security(39575) OMEGA (aka Omegasoft) INterneSErvicesLosungen (INSEL) 7 generates different responses depending on whether or not a username is valid in a failed login attempt, which allows remote attackers to enumerate valid usernames. 20080109 Privileg escalation in Omegasoft Insel 7 27210 insel-error-information-disclosure(39574) The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through 0.10.0 in SynCE (SynCE-dccm) allows remote attackers to execute arbitrary commands via shell metacharacters in a certain string to TCP port 5679. 3710 http://sourceforge.net/forum/forum.php?forum_id=766440 http://www.coresecurity.com/?action=item&id=2070 20080107 CORE-2007-1106: SynCE Remote Command Injection 27178 28141 synce-vdccm-command-execution(39506) FEDORA-2008-0680 SQL injection vulnerability in the Garys Cookbook (com_garyscookbook) 1.1.1 and earlier component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. 20080224 joomla com_garyscookbook SQL Injection(id) 27972 garyscookbook-index-sql-injection(40803) 5178 DLMFENC.sys 1.0.0.26 in DESlock+ 3.2.6 and earlier allows local users to cause a denial of service (system crash) via a certain ZERO_MEM DLMFENC_IOCTL request to \\.\DLKPFSD_Device, aka the "ring0 link list zero" vulnerability. ADV-2008-0597 deslock-dlmfencsys-dos(41204) 5142 DESlock+ 3.2.6 and earlier, when DLMFENC.sys 1.0.0.26 and DLMFDISK.sys 1.2.0.27 are present, allows local users to gain privileges via a certain DLMFENC_IOCTL request to \\.\DLKPFSD_Device that overwrites a pointer, aka the "ring0 link list zero SYSTEM" vulnerability. ADV-2008-0597 5143 DLMFDISK.sys 1.2.0.27 in DESlock+ 3.2.6 and earlier allows local users to gain privileges via a certain DLKFDISK_IOCTL request to \\.\DLKFDisk_Control that overwrites a data structure associated with a mounted pseudo-filesystem, aka the "ring0 SYSTEM" vulnerability. ADV-2008-0597 5144 Memory leak in DLMFENC.sys 1.0.0.26 in DESlock+ 3.2.6 and earlier allows local users to cause a denial of service (kernel memory consumption) via a series of DLMFENC_IOCTL requests to \\.\DLKPFSD_Device that allocate "link list structures." ADV-2008-0597 5141 rxvt 2.6.4 opens a terminal window on :0 if the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: it was later reported that rxvt-unicode, mrxvt, aterm, multi-aterm, and wterm are also affected. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine. http://article.gmane.org/gmane.comp.security.oss.general/122 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469296 SUSE-SR:2008:017 GLSA-200805-03 MDVSA-2008:161 MDVSA-2008:221 28512 The Marvell driver for the Netgear WN802T Wi-Fi access point with firmware 1.3.16 on the Marvell 88W8361P-BEM1 chipset does not properly parse EAPoL-Key packets, which allows remote authenticated users to cause a denial of service (device reboot or hang) or possibly execute arbitrary code via a malformed EAPoL-Key packet with a crafted "advertised length." 4227 20080904 Marvell Driver EAPoL-Key Length Overflow 31013 netgear-wn802t-eapolkey-dos(44919) Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. APPLE-SA-2008-06-30 SUSE-SR:2008:017 http://support.apple.com/kb/HT2163 http://wiki.rpath.com/Advisories:rPSA-2008-0123 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123 VU#404515 MDVSA-2008:141 MDVSA-2008:142 RHSA-2008:0897 http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ 20080306 [DSECRG-08-018] Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory traversal file Download Vulnerability 20080306 Re: [DSECRG-08-018] Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory traversal file Download Vulnerability 20080325 rPSA-2008-0123-1 ruby 28123 1019562 ADV-2008-0787 ADV-2008-1981 ruby-webrick-directory-traversal(41010) https://issues.rpath.com/browse/RPL-2338 oval:org.mitre.oval:def:10937 5215 FEDORA-2008-2443 FEDORA-2008-2458 A certain pseudo-random number generator (PRNG) algorithm that uses XOR and 3-bit random hops (aka "Algorithm X3"), as used in OpenBSD 2.8 through 4.2, allows remote attackers to guess sensitive values such as DNS transaction IDs by observing a sequence of previously generated values. NOTE: this issue can be leveraged for attacks such as DNS cache poisoning against OpenBSD's modification of BIND. http://www.securiteam.com/securityreviews/5PP0H0UNGW.html 20080206 A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability" 27647 http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf openbsd-prng-dns-spoofing(40329) A certain pseudo-random number generator (PRNG) algorithm that uses XOR and 2-bit random hops (aka "Algorithm X2"), as used in OpenBSD 2.6 through 3.4, Mac OS X 10 through 10.5.1, FreeBSD 4.4 through 7.0, and DragonFlyBSD 1.0 through 1.10.1, allows remote attackers to guess sensitive values such as IP fragmentation IDs by observing a sequence of previously generated values. NOTE: this issue can be leveraged for attacks such as injection into TCP packets and OS fingerprinting. 20080206 Re: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability" 20080206 RE: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability" http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_id.c?rev=1.10;contenttype= http://www.securiteam.com/securityreviews/5PP0H0UNGW.html 20080206 A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability" 27647 http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf openbsd-prng-dns-spoofing(40329) openbsd-xor-weak-security(41155) A certain pseudo-random number generator (PRNG) algorithm that uses ADD with 0 random hops (aka "Algorithm A0"), as used in OpenBSD 3.5 through 4.2 and NetBSD 1.6.2 through 4.0, allows remote attackers to guess sensitive values such as (1) DNS transaction IDs or (2) IP fragmentation IDs by observing a sequence of previously generated values. NOTE: this issue can be leveraged for attacks such as DNS cache poisoning, injection into TCP packets, and OS fingerprinting. http://www.securiteam.com/securityreviews/5PP0H0UNGW.html 20080206 A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability" 27647 http://www.trusteer.com/docs/OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf openbsd-prng-dns-spoofing(40329) openbsd-add-weak-security(41157) phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross-Site Request Forgery (CSRF) attacks by using crafted cookies. SUSE-SR:2008:026 SUSE-SR:2009:003 DSA-1557 GLSA-200803-15 MDVSA-2008:131 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1 28068 ADV-2008-0731 ADV-2008-0758 phpmyadmin-request-sql-injection(40968) FEDORA-2008-2189 FEDORA-2008-2229 The virtual private dial-up network (VPDN) component in Cisco IOS before 12.3 allows remote attackers to cause a denial of service (resource exhaustion) via a series of PPTP sessions, related to the persistence of interface descriptor block (IDB) data structures after process termination, aka bug ID CSCdv59309. 1019714 20080326 Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability 28460 TA08-087B ADV-2008-1006 cisco-ios-vpdn-idb-dos(41484) oval:org.mitre.oval:def:5598 Memory leak in the virtual private dial-up network (VPDN) component in Cisco IOS before 12.3 allows remote attackers to cause a denial of service (memory consumption) via a series of PPTP sessions, related to "dead memory" that remains allocated after process termination, aka bug ID CSCsj58566. 1019714 20080326 Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability 28460 TA08-087B ADV-2008-1006 cisco-ios-vpdn-pptp-dos(41483) oval:org.mitre.oval:def:5287 The data-link switching (DLSw) component in Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (device restart or memory consumption) via crafted (1) UDP port 2067 or (2) IP protocol 91 packets. 20080326 Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS 28465 1019712 TA08-087B ADV-2008-1006 cisco-ios-dlsw-dos(41482) oval:org.mitre.oval:def:5821 Cisco IOS 12.1, 12.2, 12.3, and 12.4, with IPv4 UDP services and the IPv6 protocol enabled, allows remote attackers to cause a denial of service (device crash and possible blocked interface) via a crafted IPv6 packet to the device. 20080326 Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers VU#936177 28461 1019713 TA08-087B ADV-2008-1006 cisco-ios-ipv6-dualstack-dos(41475) oval:org.mitre.oval:def:5860 The Disaster Recovery Framework (DRF) master server in Cisco Unified Communications products, including Unified Communications Manager (CUCM) 5.x and 6.x, Unified Presence 1.x and 6.x, Emergency Responder 2.x, and Mobility Manager 2.x, does not require authentication for requests received from the network, which allows remote attackers to execute arbitrary code via unspecified vectors. 1019768 20080403 Cisco Unified Communications Disaster Recovery Framework Command Execution Vulnerability 28591 ADV-2008-1093 cisco-drf-command-execution(41632) Cisco Network Admission Control (NAC) Appliance 3.5.x, 3.6.x before 3.6.4.4, 4.0.x before 4.0.6, and 4.1.x before 4.1.2 allows remote attackers to obtain the shared secret for the Clean Access Server (CAS) and Clean Access Manager (CAM) by sniffing error logs. 20080416 Cisco Network Admission Control Shared Secret Vulnerability 28807 1019859 ADV-2008-1248 cisco-nac-unauthorized-access(41849) Unspecified vulnerability in the Multicast Virtual Private Network (MVPN) implementation in Cisco IOS 12.0, 12.2, 12.3, and 12.4 allows remote attackers to create "extra multicast states on the core routers" via a crafted Multicast Distribution Tree (MDT) Data Join message. 20080326 Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak 28464 1019715 TA08-087B ADV-2008-1006 cisco-ios-mvpm-information-disclosure(41468) oval:org.mitre.oval:def:5648 Cisco CiscoWorks Internetwork Performance Monitor (IPM) 2.6 creates a process that executes a command shell and listens on a randomly chosen TCP port, which allows remote attackers to execute arbitrary commands. 20080313 CiscoWorks Internetwork Performance Monitor Remote Command Execution Vulnerability 28249 1019611 ADV-2008-0876 cisco-ciscoworks-ipm-command-execution(41208) The Presence Engine (PE) service in Cisco Unified Presence before 6.0(1) allows remote attackers to cause a denial of service (core dump and service interruption) via malformed packets, aka Bug ID CSCsh50164. 1020023 20080514 Cisco Unified Presence Denial of Service Vulnerabilities 29219 ADV-2008-1534 cisco-unifiedpresence-presenceengine-dos(42412) Multiple unspecified vulnerabilities in the SSH server in Cisco IOS 12.4 allow remote attackers to cause a denial of service (device restart) via unknown vectors, aka Bug ID (1) CSCsk42419, (2) CSCsk60020, and (3) CSCsh51293. 1020073 20080521 Cisco IOS Secure Shell Denial of Service Vulnerabilities 29314 ADV-2008-1605 cisco-ios-ssh-multiple-dos(42563) oval:org.mitre.oval:def:5486 ZyXEL ZyWALL 1050 has a hard-coded password for the Quagga and Zebra processes that is not changed when it is set by a user, which allows remote attackers to gain privileges. http://packetstormsecurity.org/0803-exploits/ZyWALL.pdf http://www.secumania.org/exploits/remote/zyxel-zywall-quagga_zebra-(default-pass)-remote-root-vulnerability-2008032143791/ 28184 ADV-2008-0990 zywall-quagga-zebra-default-password(41424) 5289 Buffer overflow in the Matroska demuxer (demuxers/demux_matroska.c) in xine-lib before 1.1.10.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Matroska file with invalid frame sizes. http://hg.debian.org/hg/xine-lib/xine-lib?cmd=changeset;node=a62d6f482a69;style=gitweb SUSE-SR:2008:006 DSA-1536 MDVSA-2008:178 28543 USN-635-1 xinelib-demuxer-bo(41172) SQL injection vulnerability in album.php in PHP WEB SCRIPT Dynamic Photo Gallery 1.02 allows remote attackers to execute arbitrary SQL commands via the albumID parameter. http://forum.aria-security.net/showthread.php?p=1521 20080302 Dynamic photo gallery V1.02 SQL Injection 28067 5211 SQL injection vulnerability in index.php in phpArcadeScript 1.0 through 3.0 RC2 allows remote attackers to execute arbitrary SQL commands via the userid parameter in a profile action. 28065 5208 SQL injection vulnerability in index.php in phpComasy 0.8 allows remote attackers to execute arbitrary SQL commands via the mod_project_id parameter in a project_detail action. 28064 5209 Multiple cross-site scripting (XSS) vulnerabilities in Flyspray 0.9.9 through 0.9.9.4 allow remote attackers to inject arbitrary web script or HTML via (1) a forced SQL error message or (2) old_value and new_value database fields in task summaries, related to the item_summary parameter in a details action in index.php. NOTE: some of these details are obtained from third party information. http://flyspray.org/fsa:3 flyspray-itemsummary-xss(40963) Flyspray 0.9.9.4 generates different error messages depending on whether the username is valid or invalid, which allows remote attackers to enumerate usernames. 20080303 [DSECRG-08-017] Flyspray 0.9.9.4 Multiple Security Vulnerabilities flyspray-username-information-disclosure(40964) Stack-based buffer overflow in the useragent function in useragent.c in Squid Analysis Report Generator (Sarg) 2.2.3.1 allows remote attackers to execute arbitrary code via a long Squid proxy server User-Agent header. NOTE: some of these details are obtained from third party information. SUSE-SR:2008:006 http://sourceforge.net/project/shownotes.php?release_id=581212 GLSA-200803-21 MDVSA-2008:079 20080302 Squid Analysis Report Generator <= 2.2.3.1 buffer overflow 28077 1019536 ADV-2008-0749 sarg-useragent-bo(40970) Cross-site scripting (XSS) vulnerability in Squid Analysis Report Generator (Sarg) 2.2.3.1 allows remote attackers to inject arbitrary web script or HTML via the User-Agent header, which is not properly handled when displaying the Squid proxy log. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://sourceforge.net/project/shownotes.php?release_id=581509 GLSA-200803-21 MDVSA-2008:079 28077 ADV-2008-0750 sarg-useragent-xss(40972) Directory traversal vulnerability in the embedded HTTP server in SCI Photo Chat Server 3.4.9 and earlier allows remote attackers to read arbitrary files via a "..\" (dot dot backslash) or "../" (dot dot forward slash) in the GET command. http://aluigi.altervista.org/adv/scichatdt-adv.txt 27872 ADV-2008-0614 photochat-get-directory-traversal(40655) Multiple PHP remote file inclusion vulnerabilities in KCWiki 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the page parameter to (1) minimal/wiki.php and (2) simplest/wiki.php. 3714 20080302 kcwiki 1.0 multiple remote file inclusion vulnerabilities. 28074 kcwiki-wiki-file-include(40976) ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in the 123 Flash Chat Module for phpBB allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) 123flashchat.php and (2) phpbb_login_chat.php. NOTE: CVE disputes this issue because $phpbb_root_path is explicitly set to "./" in both programs. 3716 20080305 false: 123 Flash Chat RFI 20080228 123 Flash Chat Module for phpBB 20080228 Re: 123 Flash Chat Module for phpBB Cross-site request forgery (CSRF) vulnerabilities in account-inbox.php in TorrentTrader Classic 1.08 allow remote attackers to perform certain actions as other users, as demonstrated by sending messages. 3713 20080303 Cross-site Scripting and CSRF in TorrentTrader Classic v1.08 torrenttraderclassic-accountinbox-csrf(40981) Cross-site scripting (XSS) vulnerability in account-inbox.php in TorrentTrader Classic 1.08 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. 3713 20080303 Cross-site Scripting and CSRF in TorrentTrader Classic v1.08 28082 torrenttraderclassic-accountinbox-xss(40980) Cross-site scripting (XSS) vulnerability in editUser.asp in AuthentiX 6.3b1 Trial allows remote attackers to inject arbitrary web script or HTML via the username parameter. 20080226 XSS Vulnerability in AuthentiX 1019520 28040 Cross-site scripting (XSS) vulnerability in AuthentiX 6.3b1 Trial allows remote attackers to inject arbitrary web script or HTML via the username parameter to aspAdmin/deleteUser.asp, a different vector than CVE-2008-1174. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Cross-site scripting (XSS) vulnerability in function/sideblock.php in Affiliate Market (affmarket) 0.1 BETA allows remote attackers to inject arbitrary web script or HTML via the sideblock4 parameter. affiliatemarket-sideblock-xss(40514) 5114 SQL injection vulnerability in shop/detail.php in Affiliate Market (affmarket) 0.1 BETA allows remote attackers to execute arbitrary SQL commands via the id parameter. affiliatemarket-detail-sql-injection(40515) 5114 Directory traversal vulnerability in include/doc/index.php in Centreon 1.4.2.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter, a different vector than CVE-2008-1119. 3715 http://www.centreon.com/Product/Changelog-Centreon-1.4.x.html 20080229 Centreon <= 1.4.2.3 (index.php) Remote File Disclosure 28052 centreon-index-file-include(40950) Multiple cross-site scripting (XSS) vulnerabilities in include/common/javascript/color_picker.php in Centreon 1.4.2.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name and (2) title parameters. NOTE: some of these details are obtained from third party information. http://www.centreon.com/Product/Changelog-Centreon-1.4.x.html 28043 centreon-colorpicker-xss(40924) Cross-site scripting (XSS) vulnerability in dana-na/auth/rdremediate.cgi in Juniper Networks Secure Access 2000 5.5 R1 build 11711 allows remote attackers to inject arbitrary web script or HTML via the delivery_mode parameter. 3720 http://www.procheckup.com/Vulnerability_PR07-41.php 20080228 PR07-41: XSS on Juniper Networks Secure Access 2000 28034 ADV-2008-0762 junipernetworks-rdremediate-xss(40916) Juniper Networks Secure Access 2000 5.5 R1 (build 11711) allows remote attackers to obtain sensitive information via a direct request for remediate.cgi without certain parameters, which reveals the path in an "Execute failed" error message. 3719 20080228 PR07-42: Webroot disclosure on Juniper Networks Secure Access 2000 28037 1019526 Cross-site scripting (XSS) vulnerability in BSD Perimeter pfSense before 1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://blog.pfsense.org/?p=170 28072 pfsense-unspecified-xss(40967) Multiple cross-site scripting (XSS) vulnerabilities in Crafty Syntax Live Help (CSLH) before 2.14.6 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) livehelp.php, (2) user_questions.php, and (3) leavemessage.php. NOTE: the lostsheep.php vector is covered by CVE-2008-0848. http://sourceforge.net/project/shownotes.php?release_id=580994 28071 cslh-multiple-xss(40636) The DNSSEC validation library (libval) library in dnssec-tools before 1.3.1 does not properly check that the signing key is the APEX trust anchor, which might allow attackers to conduct unspecified attacks. http://sourceforge.net/mailarchive/forum.php?thread_name=sdlk5lolzj.fsf%40wes.hardakers.net&forum_name=dnssec-tools-users 27998 ADV-2008-0673 dnssectools-libval-security-bypass(40836) FEDORA-2008-1758 FEDORA-2008-1771 Unspecified vulnerability in the Virtual Machine for Sun Java Runtime Environment (JRE) and JDK 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to gain privileges via an untrusted application or applet, a different issue than CVE-2008-1186, aka "the first issue." APPLE-SA-2008-09-24 SUSE-SA:2008:018 GLSA-200804-28 1019555 233321 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1856 java-virtualmachine-multiple-priv-escalation(41025) sun-jre-unspecified-priv-escalation(41138) oval:org.mitre.oval:def:9672 Unspecified vulnerability in the Virtual Machine for Sun Java Runtime Environment (JRE) and JDK 5.0 Update 13 and earlier, and SDK/JRE 1.4.2_16 and earlier, allows remote attackers to gain privileges via an untrusted application or applet, a different issue than CVE-2008-1185, aka "the second issue." APPLE-SA-2008-09-24 SUSE-SA:2008:018 GLSA-200804-28 1019555 233321 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1856 java-virtualmachine-multiple-priv-escalation(41025) sun-jre-unspecified-priv-escalation(41138) oval:org.mitre.oval:def:9585 Unspecified vulnerability in Sun Java Runtime Environment (JRE) and JDK 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to cause a denial of service (JRE crash) and possibly execute arbitrary code via unknown vectors related to XSLT transforms. BEA08-201.00 http://download.novell.com/Download?buildid=q5exhSqeBjA~ JVN#04032535 JVNDB-2008-000016 APPLE-SA-2008-09-24 SUSE-SA:2008:018 SUSE-SA:2008:025 GLSA-200804-28 233322 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5033642.html GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 RHSA-2008:0210 RHSA-2008:0243 RHSA-2008:0244 RHSA-2008:0245 RHSA-2008:0267 RHSA-2008:0555 1019548 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1252 ADV-2008-1856 java-virtualmachine-multiple-priv-escalation(41025) oval:org.mitre.oval:def:10278 Multiple buffer overflows in the useEncodingDecl function in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and earlier, allow remote attackers to execute arbitrary code via a JNLP file with (1) a long key name in the xml header or (2) a long charset value, different issues than CVE-2008-1189, aka "The first two issues." APPLE-SA-2008-09-24 SUSE-SA:2008:018 SUSE-SA:2008:025 GLSA-200804-28 233323 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 RHSA-2008:0210 RHSA-2008:0267 1019549 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1856 http://www.zerodayinitiative.com/advisories/ZDI-08-009/ http://www.zerodayinitiative.com/advisories/ZDI-08-010/ javawebstart-application-priv-escalation(41029) javawebstart-multiple-unspecified-bo(41133) oval:org.mitre.oval:def:11209 Buffer overflow in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to execute arbitrary code via unknown vectors, a different issue than CVE-2008-1188, aka the "third" issue. APPLE-SA-2008-09-24 SUSE-SA:2008:018 SUSE-SA:2008:025 GLSA-200804-28 233323 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 RHSA-2008:0210 RHSA-2008:0267 1019549 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1856 javawebstart-application-priv-escalation(41029) javawebstart-multiple-unspecified-bo(41133) javawebstart-unspecified-bo(41135) oval:org.mitre.oval:def:9582 Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier, 5.0 Update 14 and earlier, and SDK/JRE 1.4.2_16 and earlier allows remote attackers to gain privileges via an untrusted application, a different issue than CVE-2008-1191, aka the "fourth" issue. APPLE-SA-2008-09-24 SUSE-SA:2008:018 SUSE-SA:2008:025 GLSA-200804-28 233323 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 RHSA-2008:0210 RHSA-2008:0267 1019549 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1856 javawebstart-application-priv-escalation(41029) oval:org.mitre.oval:def:9914 Unspecified vulnerability in Java Web Start in Sun JDK and JRE 6 Update 4 and earlier allows remote attackers to create arbitrary files via an untrusted application, a different issue than CVE-2008-1190, aka "The fifth issue." APPLE-SA-2008-09-24 SUSE-SA:2008:018 GLSA-200804-28 233323 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 RHSA-2008:0267 1019549 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1856 javawebstart-application-priv-escalation(41029) javawebstart-unspecified-priv-escalation(41136) oval:org.mitre.oval:def:10167 Unspecified vulnerability in the Java Plug-in for Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and earlier; and SDK and JRE 1.4.2_16 and earlier, and 1.3.1_21 and earlier; allows remote attackers to bypass the same origin policy and "execute local applications" via unknown vectors. BEA08-201.00 APPLE-SA-2008-09-24 SUSE-SA:2008:018 SUSE-SA:2008:025 GLSA-200804-28 233324 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 RHSA-2008:0210 RHSA-2008:0267 1019550 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1252 ADV-2008-1856 java-plugin-unspecified-security-bypass(41031) oval:org.mitre.oval:def:11813 Unspecified vulnerability in Java Runtime Environment Image Parsing Library in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and earlier, allows remote attackers to gain privileges via an untrusted application. BEA08-201.00 APPLE-SA-2008-09-24 SUSE-SA:2008:018 SUSE-SA:2008:025 GLSA-200804-28 233325 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 RHSA-2008:0210 RHSA-2008:0244 RHSA-2008:0245 RHSA-2008:0267 28125 1019551 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1252 ADV-2008-1856 sun-jre-imagelibrary-privilege-escalation(41028) oval:org.mitre.oval:def:11409 Multiple unspecified vulnerabilities in the color management library in Sun JDK and JRE 6 Update 4 and earlier, and 5.0 Update 14 and earlier, allows remote attackers to cause a denial of service (crash) via unknown vectors. BEA08-201.00 APPLE-SA-2008-09-24 SUSE-SA:2008:018 SUSE-SA:2008:025 GLSA-200804-28 233325 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 GLSA-200804-20 GLSA-200806-11 RHSA-2008:0186 RHSA-2008:0210 RHSA-2008:0244 RHSA-2008:0245 RHSA-2008:0267 1019551 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1252 ADV-2008-1856 sun-jre-jdk-colorlibrary-dos(41132) oval:org.mitre.oval:def:9542 Unspecified vulnerability in Sun JDK and Java Runtime Environment (JRE) 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK and JRE 1.4.2_16 and earlier; allows remote attackers to access arbitrary network services on the local host via unspecified vectors related to JavaScript and Java APIs. APPLE-SA-2008-09-24 SUSE-SA:2008:018 SUSE-SA:2008:019 SUSE-SA:2008:025 GLSA-200804-28 233326 238492 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 GLSA-200804-20 GLSA-200806-11 MDVSA-2008:080 http://www.mozilla.org/security/announce/2008/mfsa2008-18.html RHSA-2008:0186 RHSA-2008:0210 RHSA-2008:0267 20080327 rPSA-2008-0128-1 firefox 1019553 USN-592-1 TA08-066A TA08-087A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-0998 ADV-2008-1793 ADV-2008-1856 sun-jre-javascript-unauthorized-access(41030) oval:org.mitre.oval:def:9486 Stack-based buffer overflow in Java Web Start (javaws.exe) in Sun JDK and JRE 6 Update 4 and earlier and 5.0 Update 14 and earlier; and SDK and JRE 1.4.2_16 and earlier; allows remote attackers to execute arbitrary code via a crafted JNLP file. http://download.novell.com/Download?buildid=q5exhSqeBjA~ APPLE-SA-2008-09-24 SUSE-SA:2008:018 SUSE-SA:2008:025 GLSA-200804-28 233327 http://support.apple.com/kb/HT3178 http://support.apple.com/kb/HT3179 http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5033642.html GLSA-200804-20 GLSA-200806-11 VU#223028 RHSA-2008:0186 RHSA-2008:0210 RHSA-2008:0267 RHSA-2008:0555 1019552 TA08-066A http://www.vmware.com/security/advisories/VMSA-2008-0010.html ADV-2008-0770 ADV-2008-1856 sun-java-webstart-javaws-bo(41026) oval:org.mitre.oval:def:10412 The Marvell driver for the Netgear WN802T Wi-Fi access point with firmware 1.3.16 on the Marvell 88W8361P-BEM1 chipset does not properly parse the SSID information element in an association request, which allows remote authenticated users to cause a denial of service (device reboot or hang) or possibly execute arbitrary code via a "Null SSID." 4215 20080904 Marvell Driver Null SSID Association Request Vulnerability 30976 netgear-wn802t-ssid-dos(44918) The default IPSec ifup script in Red Hat Enterprise Linux 3 through 5 configures racoon to use aggressive IKE mode instead of main IKE mode, which makes it easier for remote attackers to conduct brute force attacks by sniffing an unencrypted preshared key (PSK) hash. 48045 http://www.ernw.de/download/pskattack.pdf 1019563 https://bugzilla.redhat.com/show_bug.cgi?id=435274 ipsec-ifup-weak-security(41053) Dovecot before 1.0.11, when configured to use mail_extra_groups to allow Dovecot to create dotlocks in /var/mail, might allow local users to read sensitive mail files for other users, or modify files or directories that are writable by group, via a symlink attack. SUSE-SR:2008:020 GLSA-200803-25 DSA-1516 [Dovecot-news] 20080504 v1.0.11 released RHSA-2008:0297 20080304 Dovecot mail_extra_groups setting is often used insecurely 28092 dovecot-mailextragroups-unauth-access(41009) oval:org.mitre.oval:def:10739 USN-593-1 FEDORA-2008-2464 FEDORA-2008-2475 Unspecified vulnerability in Microsoft Access allows remote user-assisted attackers to execute arbitrary code via a crafted .MDB file, possibly related to Jet Engine (msjet40.dll). NOTE: this is probably a different issue than CVE-2007-6026. http://pandalabs.pandasecurity.com/archive/New-MS-Access-exploit.aspx 28087 Multiple unspecified vulnerabilities in FLA file parsing in Adobe Flash CS3 Professional, Flash Professional 8, and Flash Basic 8 on Windows allow user-assisted remote attackers to execute arbitrary code via a crafted .FLA file. http://ruder.cdut.net/blogview.asp?logID=241 http://www.adobe.com/support/security/advisories/apsa08-03.html http://www.fortiguardcenter.com/advisory/FGA-2008-07.html 28349 1019681 ADV-2008-0948 adobe-flash-fla-code-execution(41327) Cross-site scripting (XSS) vulnerability in the web management interface in Adobe LiveCycle Workflow 6.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 3729 http://www.adobe.com/support/security/bulletins/apsb08-10.html http://www.liquidmatrix.org/blog/2008/03/11/advisory-adobe-livecycle-workflow-xss-vulnerability/ 20080311 Advisory Adobe LiveCycle Workflow XSS Vulnerability 28209 1019588 ADV-2008-0864 adobe-lifecycle-loginpage-xss(41143) The administrator interface for Adobe ColdFusion 8 and ColdFusion MX7 does not log failed authentication attempts, which makes it easier for remote attackers to conduct brute force attacks without detection. http://www.adobe.com/support/security/bulletins/apsb08-08.html 28207 1019600 ADV-2008-0862 coldfusion-interface-brute-force(41150) Multiple cross-site scripting (XSS) vulnerabilities in the Administration Console in Sun Java System Access Manager 7.1 and 7 2005Q4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the (1) Help and (2) Version windows. 201251 28113 ADV-2008-0784 sun-jsam-adminconsole-xss(41024) Unspecified vulnerability in the ipsecah kernel module in Sun Solaris 10, when a key management daemon for IPsec security associations is running, allows local users to cause a denial of service (panic) via unspecified vectors. 233761 28112 ADV-2008-0783 solaris-ipsecah-dos(41023) Format string vulnerability in the log_message function in lks.c in Linux Kiss Server 1.2, when background (daemon) mode is disabled, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via format string specifiers in an invalid command. 20080305 Vulnerability in Linux Kiss Server v1.2 28099 http://www.vashnukad.com/ ADV-2008-0785 linuxkissserver-logmessage-format-string(41018) Multiple unspecified vulnerabilities in Fujitsu Interstage Smart Repository, as used in multiple Fujitsu Interstage products, allow remote attackers to cause a denial of service (daemon crash) via (1) an invalid request or (2) a large amount of data sent to the registered attribute value. http://www.fujitsu.com/global/support/software/security/products-f/interstage-sr-200801e.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-sr-200802e.html 28114 ADV-2008-0786 interstage-smart-repository-dos(41039) interstage-smartrepository-update-dos(41041) Cross-site scripting (XSS) vulnerability in the login page in Check Point VPN-1 UTM Edge W Embedded NGX 7.0.48x allows remote attackers to inject arbitrary web script or HTML via the user parameter. http://www.louhi.fi/advisory/checkpoint_080306.txt 20080306 Checkpoint VPN-1 UTM Edge cross-site scripting 28116 1019554 ADV-2008-0788 vpn1utmedge-login-xss(41032) https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34520 Cross-site scripting (XSS) vulnerability in redirect.do in Xitex WebContent M1 allows remote attackers to inject arbitrary web script or HTML via the sid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28115 xitex-redirect-xss(41021) Stack-based buffer overflow in the ctags parsing code in Programmer's Notepad before 2.0.8.718 allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted .c file, when the victim selects the Jump To dialog. NOTE: some of these details are obtained from third party information. http://sourceforge.net/project/shownotes.php?release_id=581499&group_id=45545 28119 programmersnotepad-ctags-bo(41022) Cross-site scripting (XSS) vulnerability in BosDates 3.x and 4.x allows remote attackers to inject arbitrary web script or HTML via (1) the type parameter in calendar.php and (2) the category parameter in calendar_search.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28117 bosdates-type-category-xss(41020) Cross-site scripting (XSS) vulnerability in set_permissions.php in Podcast Generator 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the scriptlang parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28106 podcastgenerator-setpermissions-xss(41130) Cross-site scripting (XSS) vulnerability in Numara FootPrints for Linux 8.1 allows remote attackers to inject arbitrary web script or HTML via the Title form field when setting an appointment. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28103 footprints-title-xss(41003) MRcgi/MRProcessIncomingForms.pl in Numara FootPrints 8.1 on Linux allows remote attackers to execute arbitrary code via shell metacharacters in the PROJECTNUM parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. footprints-projectnum-command-execution(41005) Stack-based buffer overflow in the command_Expand_Interpret function in command.c in ppp (aka user-ppp), as distributed in FreeBSD 6.3 and 7.0, OpenBSD 4.1 and 4.2, and the net/userppp package for NetBSD, allows local users to gain privileges via long commands containing "~" characters. [4.1] 20080307 014: SECURITY FIX: March 7, 2008 [4.2] 20080307 009: SECURITY FIX: March 7, 2008 20080229 *BSD user-ppp local root (when conditions permit) 20080301 Re: *BSD user-ppp local root (when conditions permit) 28090 userppp-commandexpandinterpret-bo(41034) IBM Lotus Quickr 8.0 server, and possibly QuickPlace 7.x, does not properly identify URIs containing cross-site scripting (XSS) attack strings, which allows remote attackers to inject arbitrary web script or HTML via a Calendar OpenDocument action to main.nsf with a Count parameter containing a JavaScript event in a malformed element, as demonstrated by an onload event in an IFRAME element. 3721 20080222 IBM Quickr 8 Calendar Xss Injection (Bypass Quickr 8.0 Xss Filter) 27925 ADV-2008-0667 Unspecified vulnerability in nlnotes.dll in the client in IBM Lotus Notes 6.5, 7.0.x before 7.0.2 CCH, and 8.0.x before 8.0.1 allows remote attackers to execute arbitrary code via a crafted attachment in an e-mail message sent over SMTP, a variant of CVE-2007-6706. 1019464 http://www-1.ibm.com/support/docview.wss?uid=swg21271957 Argument injection vulnerability in Dovecot 1.0.x before 1.0.13, and 1.1.x before 1.1.rc3, when using blocking passdbs, allows remote attackers to bypass the password check via a password containing TAB characters, which are treated as argument delimiters that enable the skip_password_check field to be specified. SUSE-SR:2008:020 GLSA-200803-25 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0108 DSA-1516 [Dovecot-news] 20080309 Security hole #6: Some passdbs allowed users to log in without a valid password [Dovecot-news] 20080309 v1.0.13 and v1.1.rc3 released 20080312 rPSA-2008-0108-1 dovecot 28181 dovecot-tab-authentication-bypass(41085) https://issues.rpath.com/browse/RPL-2341 USN-593-1 5257 FEDORA-2008-2464 FEDORA-2008-2475 SQL injection vulnerability in the Kutub-i Sitte (KutubiSitte) 1.1 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the kid parameter in a hadisgoster action to modules.php. 3722 http://www.rbt-4.net/forum/viewthread.php?forum_id=51&thread_id=3058 20080306 PHP-Nuke KutubiSitte "kid" SQL Injection 20080306 PHP-Nuke KutubiSitte "kid" SQL Injection exploit code adding 28126 kutubisitte-kid-sql-injection(41036) SQL injection vulnerability in the 4nChat 0.91 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the roomid parameter in an index action to modules.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28128 4nchat-roomid-sql-injection(41051) Absolute path traversal vulnerability in the FTP server in MicroWorld eScan Corporate Edition 9.0.742.98 and eScan Management Console (aka eScan Server) 9.0.742.1 allows remote attackers to read arbitrary files via an absolute pathname in the RETR (get) command. http://aluigi.altervista.org/adv/escaz-adv.txt 3723 20080306 Directory traversal in MicroWorld eScan Server 9.0.742.98 28127 escan-filename-directory-traversal(41033) Cross-site scripting (XSS) vulnerability in Dokeos 1.8.4 before SP3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://projects.dokeos.com/index.php?do=details&task_id=2312 http://www.dokeos.com/wiki/index.php/Security 28121 ADV-2008-0798 dokeos-unspecified-xss(41046) Unspecified vulnerability in Dokeos 1.8.4 before SP3 allows attackers to execute arbitrary code via unspecified vectors. http://projects.dokeos.com/index.php?do=details&task_id=2312 http://www.dokeos.com/wiki/index.php/Security 28121 ADV-2008-0798 dokeos-unspecified-code-execution(41048) Cross-site scripting (XSS) vulnerability in account.php in BosClassifieds Classified Ads System 3.0 allows remote attackers to inject arbitrary web script or HTML via the returnTo parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28140 classifiedads-account-xss(41045) Multiple cross-site scripting (XSS) vulnerabilities in WebCT Campus Edition 4.1.5.8, when "Don't wrap text" is enabled, allow remote authenticated users to inject arbitrary web script or HTML via a (1) mail message or (2) discussion board message. NOTE: this might overlap CVE-2005-1076. 20080305 WebCT 4.x Javascript Session Stealer Exploits http://www.balupton.com/blogs/dev?title=webct_session_stealer_exploit http://www.balupton.com/documents/webct_exploits.txt 28107 webct-dontwraptext-xss(41047) Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration Suite (ZCS) 4.0.3, 4.5.6, and possibly other versions before 4.5.10 allow remote attackers to inject arbitrary web script or HTML via an e-mail attachment, possibly involving a (1) .jpg or (2) .gif image attachment. JVN#95014590 JVNDB-2008-000004 28134 http://www.zimbra.com/jp/products/vulnerability.html zimbra-email-xss(41044) Stack-based buffer overflow in the silc_fingerprint function in lib/silcutil/silcutil.c in Secure Internet Live Conferencing (SILC) Toolkit 1.1.5, and unspecified earlier versions, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via long input data. NOTE: some of these details are obtained from third party information. SUSE-SR:2008:006 GLSA-200804-27 http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.6 MDVSA-2008:158 28101 ADV-2008-0769 https://bugzilla.redhat.com/show_bug.cgi?id=372021 silctoolkit-silcfingerprint-bo(41012) Cross-site scripting (XSS) vulnerability in admin.php in MG2 (formerly Minigal) allows remote attackers to inject arbitrary web script or HTML via the list parameter in an import action. 20080304 Minigal 2 critical XSS 28098 Cross-site scripting (XSS) vulnerability in Edit.jsp in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to inject arbitrary web script or HTML via the editor parameter, a different vector than CVE-2007-5120.b. Reference links suggest possible solution upgrade to latest version (2.6.1) at: http://www.jspwiki.org/wiki/JSPWikiDownload 20080213 JSPWiki Multiple Vulnerabilities http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0 27785 jspwiki-edit-xss(40507) 5112 Unrestricted file upload vulnerability in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to upload and execute arbitrary .jsp files via an unspecified manipulation that attaches a .jsp file to an "entry page." Reference links suggest possible solution upgrade to latest version (2.6.1) at: http://www.jspwiki.org/wiki/JSPWikiDownload 20080213 JSPWiki Multiple Vulnerabilities http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0 27785 jspwiki-install-file-upload(40511) 5112 Directory traversal vulnerability in Edit.jsp in JSPWiki 2.4.104 and 2.5.139 allows remote attackers to include and execute arbitrary local .jsp files, and obtain sensitive information, via a .. (dot dot) in the editor parameter. Reference links suggest possible solution upgrade to latest version (2.6.1) at: http://www.jspwiki.org/wiki/JSPWikiDownload 20080213 JSPWiki Multiple Vulnerabilities http://www.bugsec.com/articles.php?Security=48&Web-Application-Firewall=0 27785 jspwiki-edit-file-include(40508) 5112 Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. http://community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15/ca20090615-02-ca-service-desk-tomcat-cross-site-scripting-vulnerability.aspx APPLE-SA-2008-10-09 SUSE-SR:2008:018 SUSE-SR:2009:004 HPSBUX02401 HPSBST02955 4098 http://support.apple.com/kb/HT3216 http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html MDVSA-2008:188 RHSA-2008:0648 RHSA-2008:0862 RHSA-2008:0864 20080801 [CVE-2008-1232] Apache Tomcat XSS vulnerability 20090616 CA20090615-02: CA Service Desk Tomcat Cross Site Scripting Vulnerability 20090806 CA20090806-02: Security Notice for Unicenter Asset Portfolio Management, Unicenter Desktop and Server Management, Unicenter Patch Management 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 30496 31681 1020622 http://www.vmware.com/security/advisories/VMSA-2009-0002.html http://www.vmware.com/security/advisories/VMSA-2009-0016.html ADV-2008-2305 ADV-2008-2780 ADV-2008-2823 ADV-2009-0320 ADV-2009-0503 ADV-2009-1609 ADV-2009-2194 ADV-2009-3316 tomcat-httpservletresponse-xss(44155) [tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ [tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ [tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ oval:org.mitre.oval:def:11181 oval:org.mitre.oval:def:5985 https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209500 https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=214095 FEDORA-2008-7977 FEDORA-2008-8113 FEDORA-2008-8130 Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via "XPCNativeWrapper pollution." SUSE-SA:2008:019 RHSA-2008:0208 238492 239546 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 DSA-1532 DSA-1534 DSA-1535 DSA-1574 GLSA-200805-18 VU#466521 MDVSA-2008:080 MDVSA-2008:155 http://www.mozilla.org/security/announce/2008/mfsa2008-14.html RHSA-2008:0207 RHSA-2008:0209 20080327 rPSA-2008-0128-1 firefox 28448 1019694 SSA:2008-128-02 USN-592-1 USN-605-1 TA08-087A ADV-2008-0998 ADV-2008-0999 ADV-2008-1793 ADV-2008-2091 mozilla-settimeout-code-execution(41443) oval:org.mitre.oval:def:11078 FEDORA-2008-3519 FEDORA-2008-3557 Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to inject arbitrary web script or HTML via event handlers, aka "Universal XSS using event handlers." SUSE-SA:2008:019 RHSA-2008:0208 238492 239546 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 DSA-1532 DSA-1534 DSA-1535 DSA-1574 GLSA-200805-18 VU#466521 MDVSA-2008:080 MDVSA-2008:155 http://www.mozilla.org/security/announce/2008/mfsa2008-14.html RHSA-2008:0207 RHSA-2008:0209 20080327 rPSA-2008-0128-1 firefox 28448 1019694 SSA:2008-128-02 USN-592-1 USN-605-1 TA08-087A ADV-2008-0998 ADV-2008-0999 ADV-2008-1793 ADV-2008-2091 firefox-eventhandlers-xss(41455) oval:org.mitre.oval:def:9551 FEDORA-2008-3519 FEDORA-2008-3557 Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to execute arbitrary code via unknown vectors that cause JavaScript to execute with the wrong principal, aka "Privilege escalation via incorrect principals." SUSE-SA:2008:019 RHSA-2008:0208 238492 239546 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 DSA-1532 DSA-1534 DSA-1535 DSA-1574 GLSA-200805-18 VU#466521 MDVSA-2008:080 MDVSA-2008:155 http://www.mozilla.org/security/announce/2008/mfsa2008-14.html RHSA-2008:0207 RHSA-2008:0209 20080327 rPSA-2008-0128-1 firefox 28448 1019694 SSA:2008-128-02 USN-592-1 USN-605-1 TA08-087A ADV-2008-0998 ADV-2008-0999 ADV-2008-1793 ADV-2008-2091 mozilla-principal-code-execution(41457) oval:org.mitre.oval:def:10980 FEDORA-2008-3519 FEDORA-2008-3557 Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the layout engine. SUSE-SA:2008:019 RHSA-2008:0208 238492 239546 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 DSA-1532 DSA-1534 DSA-1535 DSA-1574 GLSA-200805-18 MDVSA-2008:080 MDVSA-2008:155 http://www.mozilla.org/security/announce/2008/mfsa2008-15.html RHSA-2008:0207 RHSA-2008:0209 20080327 rPSA-2008-0128-1 firefox 28448 1019695 SSA:2008-128-02 USN-592-1 USN-605-1 TA08-087A ADV-2008-0998 ADV-2008-0999 ADV-2008-1793 ADV-2008-2091 mozilla-layoutengine-code-execution(41445) oval:org.mitre.oval:def:11788 FEDORA-2008-3519 FEDORA-2008-3557 Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13, Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine. SUSE-SA:2008:019 SUSE-SR:2008:011 RHSA-2008:0208 238492 239546 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 DSA-1532 DSA-1534 DSA-1535 DSA-1574 GLSA-200805-18 MDVSA-2008:080 MDVSA-2008:155 http://www.mozilla.org/security/announce/2008/mfsa2008-15.html RHSA-2008:0207 RHSA-2008:0209 20080327 rPSA-2008-0128-1 firefox 28448 1019695 SSA:2008-128-02 USN-592-1 USN-605-1 TA08-087A ADV-2008-0998 ADV-2008-0999 ADV-2008-1793 ADV-2008-2091 firefox-javascript-engine-code-execution(41446) oval:org.mitre.oval:def:9651 FEDORA-2008-3519 FEDORA-2008-3557 Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating the HTTP Referer header, does not list the entire URL when it contains Basic Authentication credentials without a username, which makes it easier for remote attackers to bypass application protection mechanisms that rely on Referer headers, such as with some Cross-Site Request Forgery (CSRF) mechanisms. SUSE-SA:2008:019 RHSA-2008:0208 http://sla.ckers.org/forum/read.php?10,20033 238492 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 DSA-1532 DSA-1534 DSA-1535 GLSA-200805-18 MDVSA-2008:080 http://www.mozilla.org/security/announce/2008/mfsa2008-16.html RHSA-2008:0207 RHSA-2008:0209 20080327 rPSA-2008-0128-1 firefox 28448 1019703 USN-592-1 TA08-087A ADV-2008-0998 ADV-2008-1793 mozilla-http-referrer-spoofing(41449) oval:org.mitre.oval:def:9889 LiveConnect in Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9 does not properly parse the content origin for jar: URIs before sending them to the Java plugin, which allows remote attackers to access arbitrary ports on the local machine. NOTE: this is closely related to CVE-2008-1195. SUSE-SA:2008:019 238492 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 DSA-1532 DSA-1534 DSA-1535 GLSA-200805-18 MDVSA-2008:080 http://www.mozilla.org/security/announce/2008/mfsa2008-18.html 20080327 rPSA-2008-0128-1 firefox 28448 USN-592-1 TA08-087A ADV-2008-0998 ADV-2008-1793 mozilla-liveconnect-unauthorized-access(41458) GUI overlay vulnerability in Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9 allows remote attackers to spoof form elements and redirect user inputs via a borderless XUL pop-up window from a background tab. SUSE-SA:2008:019 RHSA-2008:0208 238492 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0128 DSA-1532 DSA-1534 DSA-1535 GLSA-200805-18 MDVSA-2008:080 http://www.mozilla.org/security/announce/2008/mfsa2008-19.html RHSA-2008:0207 RHSA-2008:0209 20080327 rPSA-2008-0128-1 firefox 28448 1019700 USN-592-1 TA08-087A ADV-2008-0998 ADV-2008-1793 firefox-xul-popup-spoofing(41454) oval:org.mitre.oval:def:11163 The control panel on the Belkin F5D7230-4 router with firmware 9.01.10 maintains authentication state by IP address, which allows remote attackers to bypass authentication by establishing a session from a source IP address of a previously authenticated user, a different vulnerability than CVE-2005-3802. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 28317 belkin-f5d72304-security-bypass(41120) Cross-site scripting (XSS) vulnerability on the Linksys WRT300N router with firmware 2.00.20, when Mozilla Firefox or Apple Safari is used, allows remote attackers to inject arbitrary web script or HTML via the dyndns_domain parameter to the default URI. http://code.bulix.org/cx46qa-65489 http://code.bulix.org/koom78-65490 http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! linksys-wrt300n-dyndnsdomain-xss(41121) cgi-bin/setup_dns.exe on the Belkin F5D7230-4 router with firmware 9.01.10 does not require authentication, which allows remote attackers to perform administrative actions, as demonstrated by changing a DNS server via the dns1_1, dns1_2, dns1_3, and dns1_4 parameters. NOTE: it was later reported that F5D7632-4V6 with firmware 6.01.08 is also affected. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 28319 https://bugzilla.mozilla.org/show_bug.cgi?id=371598 belkin-f5d72304-setupdns-security-bypass(41124) cgi-bin/setup_virtualserver.exe on the Belkin F5D7230-4 router with firmware 9.01.10 allows remote attackers to cause a denial of service (control center outage) via an HTTP request with invalid POST data and a "Connection: Keep-Alive" header. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 28322 belkin-f5d72304-setupvirtualserver-dos(41116) ** DISPUTED ** The Cisco PIX/ASA Finesse Operation System 7.1 and 7.2 allows local users to gain privileges by entering characters at the enable prompt, erasing these characters via the Backspace key, and then holding down the Backspace key for one second after erasing the final character. NOTE: third parties, including one who works for the vendor, have been unable to reproduce the flaw unless the enable password is blank. http://hackathology.blogspot.com/2008/01/pixasa-finesse-71-72-privilege.html http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080124 PIX Privilege Escalation Vulnerability 20080124 Re: PIX Privilege Escalation Vulnerability 20080125 Re: Re: PIX Privilege Escalation Vulnerability 20080205 Re: Re: PIX Privilege Escalation Vulnerability 20080301 The Router Hacking Challenge is Over! 27457 cisco-pixasa-privilege-escalation(41129) The web interface on the Linksys WRT54g router with firmware 1.00.9 does not require credentials when invoking scripts, which allows remote attackers to perform arbitrary administrative actions via a direct request to (1) Advanced.tri, (2) AdvRoute.tri, (3) Basic.tri, (4) ctlog.tri, (5) ddns.tri, (6) dmz.tri, (7) factdefa.tri, (8) filter.tri, (9) fw.tri, (10) manage.tri, (11) ping.tri, (12) PortRange.tri, (13) ptrigger.tri, (14) qos.tri, (15) rstatus.tri, (16) tracert.tri, (17) vpn.tri, (18) WanMac.tri, (19) WBasic.tri, or (20) WFilter.tri. NOTE: the Security.tri vector is already covered by CVE-2006-5202. http://kinqpinz.info/lib/wrt54g/own.txt http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 28381 linksys-wrt54g-security-bypass(41118) https://kinqpinz.info/lib/wrt54g/ https://kinqpinz.info/lib/wrt54g/own2.txt 5313 5926 The web interface on the central phone server for the Snom 320 SIP Phone allows remote attackers to make arbitrary phone calls via the "Call a number" field. NOTE: this might overlap CVE-2007-3440. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! snomsip-interface-unauth-access(41171) snomControl.swf in the central phone server for the Snom 320 SIP Phone allows remote attackers to cause a denial of service (application crash and corruption of call logs) via a "'); (double quote, quote, close parenthesis, semicolon) sequence in the "Call a number" field. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the central phone server for the Snom 320 SIP Phone allow remote attackers to perform actions as the phone user, as demonstrated by inserting an address-book entry containing an XSS sequence. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 27767 snom-sipphone-addressbook-csrf(40500) Cross-site scripting (XSS) vulnerability in the web interface on the central phone server for the Snom 320 SIP Phone allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 27767 snom-sipphone-addressbook-xss(40499) b_banner.stm (aka the login page) on the Deutsche Telekom Speedport W500 DSL router allows remote attackers to obtain the logon password by reading the pwd field in the HTML source. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 28382 speedport-w500-bbanner-info-disclosure(41128) Cross-site scripting (XSS) vulnerability in cgi-bin/webcm on the D-Link DSL-G604T router allows remote attackers to inject arbitrary web script or HTML via the var:category parameter, as demonstrated by a request for advanced/portforw.htm on the fwan page. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 28439 dlinkdslg604t-cgibinwebcm-xss(41117) Multiple cross-site request forgery (CSRF) vulnerabilities on the ZyXEL P-660HW series router allow remote attackers to (1) change DNS servers and (2) add keywords to the "bannedlist" via unspecified vectors. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! zyxel-p660hw-unspecified-csrf(41111) The ZyXEL P-660HW series router maintains authentication state by IP address, which allows remote attackers to bypass authentication by establishing a session from a source IP address of a previously authenticated user. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! zyxel-p660hw-ip-authentication-bypass(41114) The ZyXEL P-660HW series router has "admin" as its default password, which allows remote attackers to gain administrative access. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! zyxel-p660hw-default-password(41108) Cross-site scripting (XSS) vulnerability in Forms/DiagGeneral_2 on the ZyXEL P-660HW series router allows remote attackers to inject arbitrary web script or HTML via the PingIPAddr parameter. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! zyxel-p660hw-diaggeneral-xss(41109) Cross-site scripting (XSS) vulnerability in prim.htm on the D-Link DI-604 router allows remote attackers to inject arbitrary web script or HTML via the rf parameter. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 28439 dlink-di604-prim-xss(41122) The Zyxel P-2602HW-D1A router with 3.40(AJZ.1) firmware maintains authentication state by IP address, which allows remote attackers to bypass authentication by establishing a session from a source IP address of a user who previously authenticated within the previous 5 minutes. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! zyxel-ipaddress-authentication-bypass(41112) Multiple cross-site request forgery (CSRF) vulnerabilities on the Zyxel P-2602HW-D1A router with 3.40(AJZ.1) firmware allow remote attackers to (1) make the admin web server available on the Internet (WAN) interface via the WWWAccessInterface parameter to Forms/RemMagWWW_1 or (2) change the IP whitelisting timeout via the StdioTimout parameter to Forms/rpSysAdmin_1. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! zyxel-p2602hw-multiple-csrf(41170) The Zyxel P-2602HW-D1A router with 3.40(AJZ.1) firmware provides different responses to admin page requests depending on whether a user is logged in, which allows remote attackers to obtain current login status by requesting an arbitrary admin URI. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! zyxel-p2602hwd1a-loginstatus-info-disclosure(41113) The administration panel on the Airspan WiMax ProST 4.1 antenna with 6.5.38.0 software does not verify authentication credentials, which allows remote attackers to (1) upload malformed firmware or (2) bind the antenna to a different WiMAX base station via unspecified requests to forms under process_adv/. http://airspan4wimax.googlepages.com/ http://www.0x000000.com/?i=524 http://www.gnucitizen.org/projects/router-hacking-challenge/ VU#248372 20080301 The Router Hacking Challenge is Over! 28122 http://www.sharemethods.net/nepal/servlet/open?keeppath=false&aid=29820 ADV-2008-0802 wimaxprost-webinterface-security-bypass(41052) The Linksys WRT54G router stores passwords and keys in cleartext in the Config.bin file, which might allow remote authenticated users to obtain sensitive information via an HTTP request for the top-level Config.bin URI. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! linksys-config-information-disclosure(41115) The Linksys WRT54G router has "admin" as its default FTP password, which allows remote attackers to access sensitive files including nvram.cfg, a file that lists all HTML documents, and an ELF executable file. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! linksys-wrt54g-ftp-default-password(41126) The Linksys WRT54G router allows remote attackers to cause a denial of service (device restart) via a long username and password to the FTP interface. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! linksys-wrt54g-ftp-dos(41127) Multiple buffer overflows in the web interface on the D-Link DI-524 router allow remote attackers to cause a denial of service (device crash) or possibly have unspecified other impact via (1) a long username or (2) an HTTP header with a large name and an empty value. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 28439 dlink-di524-interface-dos(41125) The Siemens SpeedStream 6520 router allows remote attackers to cause a denial of service (web interface crash) via an HTTP request to basehelp_English.htm with a large integer in the Content-Length field. http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! 28490 speedstream-basehelpenglish-dos(41123) The FTP server on the Linksys WRT54G 7 router with 7.00.1 firmware does not verify authentication credentials, which allows remote attackers to establish an FTP session by sending an arbitrary username and password. http://swbae.egloos.com/1701135 http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! linksys-wrt54g-ftp-security-bypass(41119) cp06_wifi_m_nocifr.cgi in the admin panel on the Alice Gate 2 Plus Wi-Fi router does not verify authentication credentials, which allows remote attackers to disable Wi-Fi encryption via a certain request. http://vx.netlux.org/wargamevx/alice_gate2_pluswifi_PoC.zip http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! alicegate2pluswifi-admin-security-bypass(41110) mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory. SUSE-SR:2008:008 GLSA-200804-08 http://trac.lighttpd.net/trac/ticket/1587 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0106 DSA-1521 http://www.lighttpd.net/2008/3/10/1-4-19-made-in-germany http://www.lighttpd.net/security/lighttpd_sa_2008_03.txt 20080312 rPSA-2008-0106-1 lighttpd 28226 ADV-2008-0885 https://bugs.gentoo.org/show_bug.cgi?id=212930 lighttpd-moduserdir-information-disclosure(41173) https://issues.rpath.com/browse/RPL-2344 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1218. Reason: This candidate is a duplicate of CVE-2008-1218. Notes: All CVE users should reference CVE-2008-1218 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple SQL injection vulnerabilities in BM Classifieds 20080309 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to showad.php and the (2) ad parameter to pfriendly.php. 28159 bmclassifieds-showad-sql-injection(41066) 5223 Multiple cross-site scripting (XSS) vulnerabilities in imageVue 1.7 allow remote attackers to inject arbitrary web script or HTML via the path parameter to (1) popup.php, (2) test/dir2.php, (3) admin/upload.php, and (4) dirxml.php in upload/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://downloads.securityfocus.com/vulnerabilities/exploits/28138.html 28138 imagevue-path-xss(41169) Untrusted search path vulnerability in man in IBM AIX 6.1.0 allows local users to execute arbitrary code via a malicious program in the man directory. Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' 28180 1019572 ADV-2008-0805 IZ17177 ibm-aix-man-privilege-escalation(41067) oval:org.mitre.oval:def:5169 Multiple unspecified vulnerabilities in the SMTP service in MailEnable Standard Edition 1.x, Professional Edition 3.x and earlier, and Enterprise Edition 3.x and earlier allow remote attackers to cause a denial of service (crash) via crafted (1) EXPN or (2) VRFY commands. http://www.mailenable.com/hotfix/ 28154 ADV-2008-0800 mailenable-expn-vrfy-dos(41083) 5235 Multiple buffer overflows in the IMAP service (MEIMAPS.EXE) in MailEnable Professional Edition and Enterprise Edition 3.13 and earlier allow remote authenticated attackers to execute arbitrary code via long arguments to the (1) FETCH, (2) EXAMINE, and (3) UNSUBSCRIBE commands. http://aluigi.altervista.org/adv/maildisable-adv.txt 3724 20080307 Multiple vulnerabilities in MailEnable Professional/Enterprise 3.13 28145 1019565 ADV-2008-0799 mailenable-imapservice-bo(41058) 5249 The IMAP service (MEIMAPS.exe) in MailEnable Professional Edition and Enterprise Edition 3.13 and earlier allows remote attackers to cause a denial of service (crash) via (1) SEARCH and (2) APPEND commands without required arguments, which triggers a NULL pointer dereference. http://aluigi.altervista.org/adv/maildisable-adv.txt 3724 20080307 Multiple vulnerabilities in MailEnable Professional/Enterprise 3.13 28145 1019565 ADV-2008-0799 mailenable-imapservice-dos(41059) The RemotelyAnywhere.exe service in the Remotely Anywhere Server and Workstation 8.0.668 and earlier allows remote attackers to cause a denial of service (crash) via an invalid Accept-Charset header, which triggers a NULL pointer dereference. NOTE: the service is automatically restarted. http://aluigi.altervista.org/adv/remotelynowhere-adv.txt 20080310 NULL pointer in Remotely Anywhere 8.0.668 28175 ADV-2008-0816 remotelyanywhere-http-dos(41077) Acronis True Image Group Server 1.5.19.191 and earlier, included in Acronis True Image Enterprise Server 9.5.0.8072 and the other True Image packages, allows remote attackers to cause a denial of service (crash) via a packet with an invalid length field, which causes an out-of-bounds read. http://aluigi.altervista.org/adv/acrogroup-adv.txt 20080310 Invalid memory access in Acronis True Image Group Server 1.5.19.191 28169 ADV-2008-0813 acronis-groupserver-dos(41071) Acronis True Image Windows Agent 1.0.0.54 and earlier, included in Acronis True Image Enterprise Server 9.5.0.8072 and the other True Image packages, allows remote attackers to cause a denial of service (crash) via a malformed packet to port 9876, which triggers a NULL pointer dereference. http://aluigi.altervista.org/adv/acroagent-adv.txt 20080310 NULL pointer in Acronis True Image Windows Agent 1.0.0.54 28169 ADV-2008-0812 acronis-windows-agent-dos(41070) Directory traversal vulnerability in TFTPsrvs.exe 2.5.3.1 and earlier, as used in Argon Technology Client Management Services (CMS) 1.31 and earlier, allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter. http://aluigi.altervista.org/adv/argonauti-adv.txt 20080310 Directory traversal in Argon Client Management Services 1.31 28160 ADV-2008-0815 argoncms-tftpsrvs-directory-traversal(41076) 5230 Buffer overflow in the BFup ActiveX control (BFup.dll) in B21Soft BFup before 1.0.802.29 allows remote attackers to execute arbitrary code via a long FilePath parameter. JVN#10606373 http://www.hi-ho.ne.jp/babaq/bfupinfo.html 28131 ADV-2008-0797 bfup-activex-bo(41050) Cross-site scripting (XSS) vulnerability in Neptune Web Server 3.0 allows remote attackers to inject arbitrary web script or HTML via the URI, which is not properly handled in the 404 error page. 3725 20080307 XSS in Neptune Web Server 28148 neptune-webserver-404errorpage-xss(41089) Directory traversal vulnerability in Horde 3.1.6, Groupware before 1.0.5, and Groupware Webmail Edition before 1.0.6, when running with certain configurations, allows remote authenticated users to read and execute arbitrary files via ".." sequences and a null byte in the theme name. [announce] 20080307 Horde 3.1.7 (final) [announce] 20080307 Horde Groupware 1.0.5 (final) [announce] 20080307 Horde Groupware Webmail Edition 1.0.6 (final) GLSA-200805-01 3726 DSA-1519 20080307 Horde Webmail file inclusion proof of concept & patch. 20080308 Re: Horde Webmail file inclusion proof of concept & patch. 28153 ADV-2008-0822 horde-theme-file-include(41054) FEDORA-2008-2362 FEDORA-2008-2406 Cross-site scripting (XSS) vulnerability in Sun Java Server Faces (JSF) 1.2 before 1.2_08 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. RHSA-2008:0825 RHSA-2008:0826 RHSA-2008:0827 RHSA-2008:0828 233561 http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.2.0.cp03/html-single/readme/index.html http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp01/html-single/readme/ 28192 1020628 ADV-2008-0808 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=437082 sun-jsf-routines-xss(41081) https://jira.jboss.org/jira/browse/JBPAPP-682 Unspecified vulnerability in Sun Java Web Console 3.0.2, 3.0.3, and 3.0.4 allows remote attackers to bypass intended access restrictions and determine the existence of files or directories via unknown vectors. 231526 28155 1019574 ADV-2008-0806 sun-javawebconsole-information-disclosure(41069) IBM Rational ClearQuest 7.0.1.1 and 7.0.0.2 generates different error messages depending on whether the username is valid or invalid, which allows remote attackers to enumerate usernames. 28132 1019566 ADV-2008-0804 PK55561 clearquest-username-information-disclosure(41042) IBM Rational ClearQuest 7.0.1.1 and 7.0.0.2 might allow local or remote attackers to obtain sensitive information about users by reading user cookies. 28133 1019567 ADV-2008-0804 PK55753 clearquest-cookie-information-disclosure(41043) Multiple buffer overflows in Asterisk Open Source 1.4.x before 1.4.18.1 and 1.4.19-rc3, Open Source 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6.1, AsteriskNOW 1.0.x before 1.0.2, Appliance Developer Kit before 1.4 revision 109386, and s800i 1.1.x before 1.1.0.2 allow remote attackers to (1) write a zero to an arbitrary memory location via a large RTP payload number, related to the ast_rtp_unset_m_type function in main/rtp.c; or (2) write certain integers to an arbitrary memory location via a large number of RTP payloads, related to the process_sdp function in channels/chan_sip.c. http://downloads.digium.com/pub/security/AST-2008-002.html http://labs.musecurity.com/advisories/MU-200803-01.txt 3763 1019628 http://www.asterisk.org/node/48466 20080318 AST-2008-002: Two buffer overflows in RTP Codec Payload Handling 28308 ADV-2008-0928 asterisk-rtppayload-bo(41302) asterisk-rtp-codecpayload-bo(41305) FEDORA-2008-2554 FEDORA-2008-2620 ViewVC before 1.0.5 includes "all-forbidden" files within search results that list CVS or Subversion (SVN) commits, which allows remote attackers to obtain sensitive information. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 http://bugs.gentoo.org/show_bug.cgi?id=212288 GLSA-200803-29 http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD 28055 ADV-2008-0734 ViewVC before 1.0.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read files and list folders under the hidden CVSROOT folder. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 http://bugs.gentoo.org/show_bug.cgi?id=212288 GLSA-200803-29 http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD 28055 ADV-2008-0734 ViewVC before 1.0.5 provides revision metadata without properly checking whether access was intended, which allows remote attackers to obtain sensitive information by reading (1) forbidden pathnames in the revision view, (2) log history that can only be reached by traversing a forbidden object, or (3) forbidden diff view path parameters. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471380 http://bugs.gentoo.org/show_bug.cgi?id=212288 GLSA-200803-29 http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD 28055 ADV-2008-0734 ldm in Linux Terminal Server Project (LTSP) 0.99 and 2 passes the -ac option to the X server on each LTSP client, which allows remote attackers to connect to this server via TCP port 6006 (aka display :6). http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469462 DSA-1561 [oss-security] 20080311 CVE request: insecure X11 handling in ltsp [oss-security] 20080312 Re: CVE request: insecure X11 handling in ltsp 28960 1019940 ltsp-ldm-weak-security(42080) USN-610-1 Linux kernel 2.6.17, and other versions before 2.6.22, does not check when a user attempts to set RLIMIT_CPU to 0 until after the change is made, which allows local users to bypass intended resource limits. http://bugs.gentoo.org/show_bug.cgi?id=215000 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=9926e4c74300c4b31dee007298c6475d33369df0 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22 DSA-1565 RHSA-2008:0612 29004 USN-618-1 linux-kernel-rlimitcpu-security-bypass(42145) oval:org.mitre.oval:def:10974 SQL injection vulnerability in archives.php in Gregory Kokanosky (aka Greg's Place) phpMyNewsletter 0.8 beta 5 and earlier allows remote attackers to execute arbitrary SQL commands via the msg_id parameter. 28189 phpmynewsletter-archives-sql-injection(41197) 5231 Multiple cross-site scripting (XSS) vulnerabilities in EncapsGallery 1.11.2 allow remote attackers to inject arbitrary web script or HTML via the file parameter to (1) watermark.php and (2) catalog_watermark.php in core/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28178 encapsgallery-file-xss(41164) SQL injection vulnerability in index.php in the eWriting (com_ewriting) 1.2.1 module for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the cat parameter in a selectcat action. 28179 ewriting-cat-sql-injection(41072) 5226 SQL injection vulnerability in Hadith module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cat parameter in a viewcat action to modules.php. 3730 http://www.rbt-4.net/forum/viewthread.php?forum_id=51&thread_id=3078 20080308 PHP-Nuke SQL injection Module "Hadith" [cat] 28171 hadith-cat-sql-injection(41092) Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus 7.0.0 Build 7011 for Windows allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28191 Cross-site scripting (XSS) vulnerability in the Logfile Viewer Settings function in system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp in Alkacon OpenCms 7.0.3 and 7.0.4 allows remote attackers to inject arbitrary web script or HTML via the filePath.0 parameter in a save action, a different vector than CVE-2008-1045. 3731 20080308 Alkacon OpenCms logfileViewSettings.jsp XSS, file disclosure 28152 opencms-logfileviewsettings-xss(41095) Absolute path traversal vulnerability in system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp in Alkacon OpenCms 7.0.3 and 7.0.4 allows remote authenticated administrators to read arbitrary files via a full pathname in the filePath.0 parameter. 3731 20080308 Alkacon OpenCms logfileViewSettings.jsp XSS, file disclosure 28152 opencms-logfileviewsettings-info-disclosure(41096) The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and earlier allows remote attackers to cause a denial of service (daemon crash) via a (1) server-DiffFile or (2) server-ReleaseFile command with a large integer value, which is used in an array initialization calculation, and leads to invalid memory access. http://aluigi.altervista.org/adv/perforces-adv.txt http://aluigi.org/poc/perforces.zip 3735 20080305 Multiple vulnerabilities in Perforce Server 2007.3/143793 28108 perforceserver-invalid-memory-dos(41016) perforce-server-p4sexe-dos(41363) The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and earlier allows remote attackers to cause a denial of service (daemon crash) via a missing parameter to the (1) dm-FaultFile, (2) dm-LazyCheck, (3) dm-ResolvedFile, (4) dm-OpenFile, (5) crypto, and possibly unspecified other commands, which triggers a NULL pointer dereference. http://aluigi.altervista.org/adv/perforces-adv.txt http://aluigi.org/poc/perforces.zip 3735 20080305 Multiple vulnerabilities in Perforce Server 2007.3/143793 28108 perforceserver-multiple-commands-dos(41015) Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) inviteemail parameter in an invite action to wp-admin/users.php and the (2) to parameter in a sent action to wp-admin/invites.php. 3732 1019564 20080307 WordPress Multiple Cross-Site Scripting Vulnerabilities 28139 wordpress-users-xss(41055) wordpress-invites-xss(41056) SQL injection vulnerability in filebase.php in the Filebase mod for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter. 28194 phpbb-filebase-sql-injection(41137) 5236 Multiple cross-site scripting (XSS) vulnerabilities in Savvy Content Manager (CM) allow remote attackers to inject arbitrary web script or HTML via the searchterms parameter to (1) searchresults.cfm, (2) search_results.cfm, and (3) search_results/index.cfm. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://www.besavvy.com/blog/index.cfm/2008/3/11/Security-Patch 28200 savvy-searchterms-xss(41342) Heap-based buffer overflow in the KUpdateObj2 Class ActiveX control in UpdateOcx2.dll in Beijing KingSoft Antivirus Online Update Module 2007.12.29.29 allows remote attackers to execute arbitrary code via a long argument to the SetUninstallName method. 28172 ADV-2008-0857 kingsoft-updateocx2-bo(41088) 5225 SQL injection vulnerability in the Sudirman Angriawan NukeC30 3.0 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id_catg parameter in a ViewCatg action to modules.php. 3733 20080311 PHP-Nuke Module NukeC30 sql injection 28197 The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll in RealNetworks RealPlayer Enterprise, RealPlayer 10, RealPlayer 10.5 before build 6.0.12.1675, and RealPlayer 11 before 11.0.3 build 6.0.14.806 does not properly manage memory for the (1) Console or (2) Controls property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory. 20080310 Real Networks RealPlayer ActiveX Control Heap Corruption http://service.real.com/realplayer/security/07252008_player/en/ VU#831457 20080725 ZDI-08-047: RealNetworks RealPlayer rmoc3260 ActiveX Control Memory Corruption Vulnerability 28157 1019576 1020563 ADV-2008-0842 ADV-2008-2194 http://www.zerodayinitiative.com/advisories/ZDI-08-047/ realplayer-realaudioobjects-code-execution(41087) 5332 Directory traversal vulnerability in the TFTP server in PacketTrap Networks pt360 Tool Suite 1.1.33.1.0, and other versions before 2.0.3900.0, allows remote attackers to read and overwrite arbitrary files via directory traversal sequences in the pathname. 20080303 DDIVRT-2008-10 PacketTrap TFTP Directory Traversal Vulnerability http://packetstorm.linuxsecurity.com/0803-advisories/DDIVRT-2008-10.txt http://www.emediawire.com/releases/2008/2/prweb731563.htm 28078 pt360-tftpserver-directory-traversal(40979) The TFTP server in PacketTrap pt360 Tool Suite PRO 2.0.3901.0 and earlier allows remote attackers to cause a denial of service (daemon hang) by uploading a file named (1) '|' (pipe), (2) '"' (quotation mark), or (3) "<>" (less than, greater than); or (4) a file with a long name. NOTE: the issue for vector 4 might exist because of an incomplete fix for CVE-2008-1312. http://aluigi.altervista.org/adv/packettrash-adv.txt http://aluigi.org/testz/tftpx.zip 3734 20080310 Denial of Service in PacketTrap TFTP server 2.0.3901.0 28187 ADV-2008-0811 pt360-tftpserver-filename-dos(41073) Unspecified vulnerability in the TFTP server in PacketTrap Networks pt360 Tool Suite 1.1.33.1.0, and other versions before 2.0.3900.0, allows remote attackers to cause a denial of service (daemon crash) via a long TFTP packet, a different vulnerability than CVE-2008-1311. 20080303 DDIVRT-2008-09 PacketTrap PT360 Tool Suite TFTP Denial of Service Vulnerability http://packetstorm.linuxsecurity.com/0803-advisories/DDIVRT-2008-09.txt http://www.emediawire.com/releases/2008/2/prweb731563.htm 28079 pt360-tftpserver-unspecified-dos(41267) Multiple SQL injection vulnerabilities in index.php in Bloo 1.00 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) post_id, (2) post_category_id, (3) post_year_month, and (4) static_page_id parameters; and unspecified other vectors. 28203 bloo-index-sql-injection(41141) 5234 SQL injection vulnerability in the Johannes Hass gaestebuch 2.2 module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the id parameter in an edit action to modules.php. http://cod3rz.helloweb.eu/exploits/gaestebuch.txt 20080301 PHP-Nuke Copyright 2005 SQL 28063 gaestebuch-id-sql-injection(40975) SQL injection vulnerability in the ZClassifieds module for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the cat parameter to modules.php. 3736 http://www.rbt-4.net/forum/viewthread.php?forum_id=51&thread_id=3109 20080311 PHP-Nuke Module ZClassifieds [cat] SQL Injection 28211 zclassifieds-modules-sql-injection(41149) SQL injection vulnerability in qtf_ind_search_ov.php in QT-cute QuickTalk Forum 1.6 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 28215 quicktalkforum-id-sql-injection(41148) 5240 Unspecified vulnerability in the Inter-Process Communication (IPC) message queue subsystem in Sun Solaris 10 allows local users to cause a denial of service (reboot) via blocked I/O message queues. 231403 28214 ADV-2008-0858 sun-solaris-ipc-dos(41146) Unspecified vulnerability in MediaWiki 1.11 before 1.11.2 allows remote attackers to obtain sensitive "cross-site" information via the callback parameter in an API call for JavaScript Object Notation (JSON) formatted results. [MediaWiki-announce] 20080307 MediaWiki 1.11.2 released (security) http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_11_2/phase3/RELEASE-NOTES 28070 1019535 ADV-2008-0732 mediawiki-jsoncallbacks-info-disclosure(40960) Untrusted search path and argument injection vulnerability in the VersantD service in Versant Object Database 7.0.1.3 and earlier, as used in Borland CaliberRM and probably other products, allows remote attackers to execute arbitrary commands via a request to TCP port 5019 with a modified VERSANT_ROOT field. http://aluigi.altervista.org/adv/versantcmd-adv.txt 20080304 Arbitrary commands execution in Versant Object Database 7.0.1.3 3738 20080304 Arbitrary commands execution in Versant Object Database 7.0.1.3 28097 ADV-2008-0764 objectdatabase-versantd-cmd-execution(40997) 5213 Multiple buffer overflows in ASG-Sentry Network Manager 7.0.0 and earlier allow remote attackers to execute arbitrary code or cause a denial of service (crash) via (1) a long request to FxIAList on TCP port 6162, or (2) an SNMP request with a long community string to FxAgent on UDP port 6161. http://aluigi.altervista.org/adv/asgulo-adv.txt 3737 20080310 Multiple vulnerabilities in ASG-Sentry 7.0.0 28188 ADV-2008-0839 asgsentry-fxagent-bo(41082) asgsentry-fxialist-bo(41086) 5229 The FxIAList service in ASG-Sentry Network Manager 7.0.0 and earlier does require authentication, which allows remote attackers to cause a denial of service (service termination) via the exit command to TCP port 6162, or have other impacts via other commands. http://aluigi.altervista.org/adv/asgulo-adv.txt 3737 20080310 Multiple vulnerabilities in ASG-Sentry 7.0.0 28188 ADV-2008-0839 asgsentry-fxialist-weak-security(41084) 5229 The File Check Utility (fcheck.exe) in ASG-Sentry Network Manager 7.0.0 and earlier allows remote attackers to cause a denial of service (CPU consumption) or overwrite arbitrary files via a query string that specifies the -b option, probably due to an argument injection vulnerability. http://aluigi.altervista.org/adv/asgulo-adv.txt 3737 20080310 Multiple vulnerabilities in ASG-Sentry 7.0.0 28188 ADV-2008-0839 asgsentry-fcheck-dos(41080) 5229 Cross-site request forgery (CSRF) vulnerability in index.php in WoltLab Burning Board Lite (wBB) 2 Beta 1 allows remote attackers to delete threads as other users via the ThreadDelete action. 3739 20080308 WoltLab Burning Board Lite 2 Beta 1 Thread Delete CSRF Vulnerability woltlabburningboard-index-csrf(41098) Multiple directory traversal vulnerabilities in index.php in Travelsized CMS 0.4.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) page_id and (2) language parameters. NOTE: this might be the same issue as CVE-2008-1325. 3740 20080311 travelsized cms 0.4.1 multiple local file inclusion vulnerabilities 28218 travelsized-index-file-include(41168) Multiple directory traversal vulnerabilities in index.php in Uberghey CMS 0.3.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) page_id and (2) language parameters. NOTE: this might be the same issue as CVE-2008-1324. 20080311 uberghey cms 0.3.1 multiple local file inclusion vulnerabilities 28217 uberghey-index-file-include(41151) Cross-site scripting (XSS) vulnerability in search.php in Gallarific allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://downloads.securityfocus.com/vulnerabilities/exploits/28163.html 28163 gallarific-search-xss(41105) Gallarific does not require authentication for (1) users.php and (2) index.php, which allows remote attackers to add and edit tasks via a direct request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://downloads.securityfocus.com/vulnerabilities/exploits/28163.html 28163 gallarific-index-users-auth-bypass(41106) Buffer overflow in the LGServer service in CA ARCserve Backup for Laptops and Desktops r11.0 through r11.5, and Suite 11.1 and 11.2, allows remote attackers to execute arbitrary code via unspecified "command arguments." 3800 20080404 CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities 28616 1019788 ADV-2008-1104 ca-arcservebackup-lgserverservice-bo(41641) https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105 Unspecified vulnerability in the NetBackup service in CA ARCserve Backup for Laptops and Desktops r11.0 through r11.5, and Suite 11.1 and 11.2, allows remote attackers to execute arbitrary commands, related to "insufficient verification of file uploads." 3800 20080404 CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities 28616 1019788 ADV-2008-1104 ca-arcserverbackup-netbackup-code-execution(41642) https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105 Unspecified vulnerability in the Windows client API in Novell GroupWise 7 before SP3 and 6.5 before SP6 Update 3 allows remote authenticated users to access the non-shared stored e-mail messages of another user who has shared at least one folder with the attacker. 1019616 28265 ADV-2008-0904 groupwise-clientapi-security-bypass(41223) https://secure-support.novell.com/KanisaPlatform/Publishing/732/3263374_f.SAL_Public.html cgi-data/FastJSData.cgi in OmniPCX Office with Internet Access services OXO210 before 210/091.001, OXO600 before 610/014.001, and other versions, allows remote attackers to execute arbitrary commands and "obtain OXO resources" via shell metacharacters in the id2 parameter. 20080521 [DSECRG-08-020] Alcatel OmniPCX Office Remote Comand Execution 28758 1020082 ADV-2008-1057 http://www1.alcatel-lucent.com/psirt/statements/2008001/OXOrexec.htm omnipcx-cgiscript-info-disclosure(41560) 5662 Unspecified vulnerability in Asterisk Open Source 1.2.x before 1.2.27, 1.4.x before 1.4.18.1 and 1.4.19-rc3; Business Edition A.x.x, B.x.x before B.2.5.1, and C.x.x before C.1.6.2; AsteriskNOW 1.0.x before 1.0.2; Appliance Developer Kit before 1.4 revision 109393; and s800i 1.0.x before 1.1.0.2; allows remote attackers to access the SIP channel driver via a crafted From header. http://downloads.digium.com/pub/security/AST-2008-003.html SUSE-SR:2008:010 GLSA-200804-13 1019629 http://www.asterisk.org/node/48466 DSA-1525 20080318 AST-2008-003: Unauthenticated calls allowed from SIP channel driver 28310 ADV-2008-0928 asterisk-sip-security-bypass(41308) FEDORA-2008-2554 FEDORA-2008-2620 Format string vulnerability in Asterisk Open Source 1.6.x before 1.6.0-beta6 might allow remote attackers to execute arbitrary code via logging messages that are not properly handled by (1) the ast_verbose logging API call, or (2) the astman_append function. http://downloads.digium.com/pub/security/AST-2008-004.html 1019630 http://www.asterisk.org/node/48466 DSA-1525 20080318 AST-2008-004: Format String Vulnerability in Logger and Manager 28311 ADV-2008-0928 asterisk-astverbose-dos(41301) cgi/b on the BT Home Hub router allows remote attackers to bypass authentication, and read or modify administrative settings or make arbitrary VoIP telephone calls, by placing a character at the end of the PATH_INFO, as demonstrated by (1) %5C (encoded backslash), (2) '%' (percent), and (3) '~' (tilde). NOTE: the '/' (slash) vector is already covered by CVE-2007-5383. http://www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-1/ http://www.gnucitizen.org/projects/router-hacking-challenge/ 20080301 The Router Hacking Challenge is Over! bthomehub-cgib-auth-bypass(41271) The ipsec4_get_ulp function in the kernel in NetBSD 2.0 through 3.1 and NetBSD-current before 20071028, when the fast_ipsec subsystem is enabled, allows remote attackers to bypass the IPsec policy by sending packets from a source machine with a different endianness than the destination machine, a different vulnerability than CVE-2006-0905. NetBSD-SA2008-002 1019533 28045 SQL injection vulnerability in Koobi CMS 4.2.3 through 4.3.0 allows remote attackers to execute arbitrary SQL commands via the categ parameter in a links action to index.php, a different vector than CVE-2008-1122. 20080301 Koobi CMS 4.3.0 - 4.2.3 (categ) Remote SQL Injection Vulnerability 20080415 Koobi CMS 4.2.4/4.2.5/4.3.0 Multiple Remote SQL Injection Vulnerabilities 28059 koobicms-categ-sql-injection(41207) 5206 5447 The instant message service in Timbuktu Pro 8.6.5 RC 229 and earlier for Windows allows remote attackers to cause (1) a denial of service (daemon crash) via an invalid Version field or (2) a denial of service (CPU consumption and daemon termination) via an invalid or partial message. http://aluigi.altervista.org/adv/timbuto-adv.txt http://aluigi.org/poc/timbuto.zip 3741 20080310 Vulnerabilities in Timbuktu Pro 8.6.5 ADV-2008-0840 The Perforce service (p4s.exe) in Perforce Server 2007.3/143793 and earlier allows remote attackers to cause a denial of service (daemon crash) via a server-DiffFile command with an integer value within a certain range, which causes a loop until all memory is exhausted. http://aluigi.altervista.org/adv/perforces-adv.txt http://aluigi.org/poc/perforces.zip 3735 20080305 Multiple vulnerabilities in Perforce Server 2007.3/143793 28108 perforceserver-serverdifffile-dos(41017) perforce-server-p4s-dos(41361) Virtual Machine Communication Interface (VMCI) in VMware Workstation 6.0.x before 6.0.3, VMware Player 2.0.x before 2.0.3, and VMware ACE 2.0.x before 2.0.1 allows attackers to cause a denial of service (host OS crash) via crafted VMCI calls that trigger "memory exhaustion and memory corruption." [security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues GLSA-201209-25 3755 1019624 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues 28276 28289 http://www.vmware.com/security/advisories/VMSA-2008-0005.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html ADV-2008-0905 vmware-vmci-dos(41250) SQL injection vulnerability in SearchResults.aspx in LaGarde StoreFront 6 before SP8 allows remote attackers to execute arbitrary SQL commands via the CategoryId parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28234 Multiple cross-site scripting (XSS) vulnerabilities in the search feature in Polymita BPM-Suite and CollagePortal allow remote attackers to inject arbitrary web script or HTML via the (1) _q and (2) lucene_index_field_value parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Directory traversal vulnerability in (1) pkgadd and (2) pkgrm in SCO UnixWare 7.1.4 allows local users to gain privileges via unknown vectors. SCOSA-2008.1 28236 ADV-2008-0871 sco-unixware-pkgadd-privilege-escalation(41200) Multiple SQL injection vulnerabilities in MyioSoft EasyCalendar 4.0tr and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year parameter in a dayview action to plugins/calendar/calendar_backend.php and the (2) page parameter to ajaxp_backend.php. 20080317 EasyCalendar <= 4.0tr - Multiple Remote Vulnerabilities 28232 easycalendar-year-page-sql-injection(41179) 5246 Cross-site scripting (XSS) vulnerability in plugins/calendar/calendar_backend.php in MyioSoft EasyCalendar 4.0tr and earlier allows remote attackers to inject arbitrary web script or HTML via the day parameter in a dayview action. 20080317 EasyCalendar <= 4.0tr - Multiple Remote Vulnerabilities 28232 easycalendar-calendarbackend-xss(41180) 5246 SQL injection vulnerability in staticpages/easygallery/index.php in MyioSoft EasyGallery 5.0tr and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter in a category action. 20080314 EasyGallery <= 5.0tr - Multiple Remote Vulnerabilities 28233 easygallery-index-sql-injection(41185) 5247 Multiple cross-site scripting (XSS) vulnerabilities in staticpages/easygallery/index.php in MyioSoft EasyGallery 5.0tr and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO or (2) the q parameter in an about action to the help system. 20080314 EasyGallery <= 5.0tr - Multiple Remote Vulnerabilities 28233 easygallery-index-xss(41186) 5247 Cross-site scripting (XSS) vulnerability in index.php in the eWebsite eWeather (Weather) module for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the chart parameter to modules.php. 3744 20080313 XSS in PHP-Nuke (eWeather module) 28241 eweather-modules-xss(41205) SQL injection vulnerability in viewcat.php in the bamaGalerie (Bama Galerie) 3.03 and 3.041 module for eXV2 2.0.6 allows remote attackers to execute arbitrary SQL commands via the cid parameter. http://packetstormsecurity.org/0804-exploits/runcms11a-sql.txt 28229 bamagalerie-viewcat-sql-injection(41188) 5244 5340 SQL injection vulnerability in kb.php in Fully Modded phpBB (phpbbfm) 80220 allows remote attackers to execute arbitrary SQL commands via the k parameter in an article action. 3745 20080312 Powered by phpBB 2001, 2006 (SQL) 28225 phpbb-kb-sql-injection(41192) 5243 SQL injection vulnerability in the Tutorials 2.1b module for XOOPS allows remote attackers to execute arbitrary SQL commands via the tid parameter to printpage.php, which is accessible directly or through a printpage action to index.php. 28230 5245 Directory traversal vulnerability in search.php in EdiorCMS (ecms) 3.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the _SearchTemplate parameter during a Title search. 3746 20080313 Directory traversal in EdiorCMS V3.0 28242 edior-search-directory-traversal(41189) zabbix_agentd in ZABBIX 1.4.4 allows remote attackers to cause a denial of service (CPU and connection consumption) via multiple vfs.file.cksum commands with a special device node such as /dev/urandom or /dev/zero. 3747 20080313 Zabbix (zabbix_agentd) denial of service 28244 ADV-2008-0878 zabbix-zabbixagentd-dos(41196) SQL injection vulnerability in MyIssuesView.asp in Advanced Data Solutions Virtual Support Office-XP (VSO-XP) allows remote attackers to execute arbitrary SQL commands via the Issue_ID parameter. 20080313 Office XP Remote SQL Injection 28247 vsoxp-myissuesview-sql-injection(41206) Cross-site scripting (XSS) vulnerability in index.php in Jeebles Technology Jeebles Directory 2.9.60 allows remote attackers to inject arbitrary web script or HTML via the path parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://downloads.securityfocus.com/vulnerabilities/exploits/28221.html 28221 jeeblesdirectory-path-xss(41183) Unspecified vulnerability in xscreensaver in Sun Solaris 10 Java Desktop System (JDS), when using the GNOME On-Screen Keyboard (GOK), allows local users to bypass authentication via unknown vectors that cause the screen saver to crash. 234661 28243 1019614 ADV-2008-0875 sun-solaris-xscreensaver-auth-bypass(41191) Format string vulnerability in the logDetail function of applib.dll in McAfee Common Management Agent (CMA) 3.6.0.574 (Patch 3) and earlier, as used in ePolicy Orchestrator 4.0.0 build 1015, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via format string specifiers in a sender field in an AgentWakeup request to UDP port 8082. NOTE: this issue only exists when the debug level is 8. http://aluigi.altervista.org/adv/meccaffi-adv.txt 3748 20080312 Format string in McAfee Framework 3.6.0.569 (ePolicy Orchestrator 4.0) 28228 1019609 ADV-2008-0866 mcafee-framework-format-string(41178) https://knowledge.mcafee.com/article/234/615103_f.sal_public.html Stack-based buffer overflow in the IMAP server in Alt-N Technologies MDaemon 9.6.4 allows remote authenticated users to execute arbitrary code via a FETCH command with a long BODY. http://files.altn.com/MDaemon/Release/RelNotes_en.txt http://www.be4mind.com/?q=node/256 28245 1019615 ADV-2008-0877 mdaemon-hashcash-bo(41195) 5248 Cross-site scripting (XSS) vulnerability in Invision Power Board (IPB or IP.Board) 2.3.4 before 2008-03-13 allows remote attackers to inject arbitrary web script or HTML via nested BBCodes, a different vector than CVE-2008-0913. http://forums.invisionpower.com/index.php?showtopic=270637 ADV-2008-0899 ipb-nested-bbcodes-xss(41209) Cross-site scripting (XSS) vulnerability in Nagios before 2.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors to unspecified CGI scripts, a different issue than CVE-2007-5624. SUSE-SR:2008:011 MDVSA-2008:067 http://www.nagios.org/development/changelog.php#2x_branch 28250 ADV-2008-0900 nagios-unspecified-xss(41210) VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware Player 2.0.x before 2.0.3 and 1.0.x before 1.0.6, VMware ACE 2.0.x before 2.0.1 and 1.0.x before 1.0.5, and VMware Server 1.0.x before 1.0.5 on Windows allow local users to gain privileges via an unspecified manipulation that causes the authd process to connect to an arbitrary named pipe, a different vulnerability than CVE-2008-1362. [security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues GLSA-201209-25 3755 1019621 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues 28276 http://www.vmware.com/security/advisories/VMSA-2008-0005.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html ADV-2008-0905 vmware-authd-privilege-escalation(41257) VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware Player 2.0.x before 2.0.3 and 1.0.x before 1.0.6, VMware ACE 2.0.x before 2.0.1 and 1.0.x before 1.0.5, and VMware Server 1.0.x before 1.0.5 on Windows allow local users to gain privileges or cause a denial of service by impersonating the authd process through an unspecified use of an "insecurely created named pipe," a different vulnerability than CVE-2008-1361. [security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues GLSA-201209-25 3755 1019621 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues 28276 http://www.vmware.com/security/advisories/VMSA-2008-0005.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html ADV-2008-0905 vmware-namedpipes-privilege-escalation(41259) VMware Workstation 6.0.x before 6.0.3 and 5.5.x before 5.5.6, VMware Player 2.0.x before 2.0.3 and 1.0.x before 1.0.6, VMware ACE 2.0.x before 2.0.1 and 1.0.x before 1.0.5, and VMware Server 1.0.x before 1.0.5 on Windows allow local users to gain privileges via an unspecified manipulation of a config.ini file located in an Application Data folder, which can be used for "hijacking the VMX process." [security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues GLSA-201209-25 3755 1019622 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues 28276 http://www.vmware.com/security/advisories/VMSA-2008-0005.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html ADV-2008-0905 vmware-config-privilege-escalation(41252) Unspecified vulnerability in the DHCP service in VMware Workstation 5.5.x before 5.5.6, VMware Player 1.0.x before 1.0.6, VMware ACE 1.0.x before 1.0.5, VMware Server 1.0.x before 1.0.5, and VMware Fusion 1.1.x before 1.1.1 allows attackers to cause a denial of service. [security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues GLSA-201209-25 3755 1019623 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues 28276 28289 http://www.vmware.com/security/advisories/VMSA-2008-0005.html http://www.vmware.com/support/fusion/doc/releasenotes_fusion.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html ADV-2008-0905 vmware-dhcp-unspecified-dos(41254) Stack-based buffer overflow in Trend Micro OfficeScan Corporate Edition 8.0 Patch 2 build 1189 and earlier, and 7.3 Patch 3 build 1314 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long encrypted password, which triggers the overflow in (1) cgiChkMasterPwd.exe, (2) policyserver.exe as reachable through cgiABLogon.exe, and other vectors. http://aluigi.altervista.org/adv/officescaz-adv.txt 28020 1019523 ADV-2008-0702 Trend Micro OfficeScan Corporate Edition 8.0 Patch 2 build 1189 and earlier, and 7.3 Patch 3 build 1314 and earlier, allows remote attackers to cause a denial of service (process consumption) via (1) an HTTP request without a Content-Length header or (2) invalid characters in unspecified CGI arguments, which triggers a NULL pointer dereference. http://aluigi.altervista.org/adv/officescaz-adv.txt 28020 1019522 ADV-2008-0702 gcc 4.3.x does not generate a cld instruction while compiling functions used for string manipulation such as memcpy and memmove on x86 and i386, which can prevent the direction flag (DF) from being reset in violation of ABI conventions and cause data to be copied in the wrong direction during signal handling in the Linux kernel, which might allow context-dependent attackers to trigger memory corruption. NOTE: this issue was originally reported for CPU consumption in SBCL. Subscription required to access Link 1014774 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=469058 [gcc-patches] 20080306 [PATCH, i386]: Emit cld instruction when stringops are used [gcc-patches] 20080306 Re: [PATCH, i386]: Emit cld instruction when stringops are used [gcc-patches] 20080306 Re: [PATCH, i386]: Emit cld instruction when stringops are used [gcc-patches] 20080307 Re: [PATCH, i386]: Emit cld instruction when stringops are used http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e40cd10ccff3d9fbffd57b93780bee4b7b9bff51 SUSE-SA:2008:030 SUSE-SA:2008:031 SUSE-SA:2008:032 [Security-announce] 20080728 VMSA-2008-00011 Updated ESX service console packages for Samba and vmnix [linux-kernel] 20080305 Linux doesn't follow x86/x86-64 ABI wrt direction flag http://lwn.net/Articles/272048/#Comments [git-commits-head] 20080307 x86: clear DF before calling signal handler RHSA-2008:0508 RHSA-2008:0211 RHSA-2008:0233 29084 ADV-2008-2222 https://bugzilla.redhat.com/show_bug.cgi?id=437312 gcc-cld-dos(41340) oval:org.mitre.oval:def:11108 CRLF injection vulnerability in Microsoft Internet Explorer 5 and 6 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded CRLF (%0D%0A) before the FTP command, which causes the commands to be inserted into an authenticated FTP connection established earlier in the same browser session, as demonstrated using a DELE command, a variant or possibly a regression of CVE-2004-1166. NOTE: a trailing "//" can force Internet Explorer to try to reuse an existing authenticated connection. 3750 http://www.rapid7.com/advisories/R7-0032.jsp 20080313 Rapid7 Advisory R7-0032: Microsoft Internet Explorer FTP Command Injection Vulnerability 28208 ADV-2008-0870 A certain incorrect Sun Solaris 10 image on SPARC Enterprise T5120 and T5220 servers has /etc/default/login and /etc/ssh/sshd_config files that configure root logins in a manner unintended by the vendor, which allows remote attackers to gain privileges via unspecified vectors. Sun link will not execute. 28469 1019708 ADV-2008-0810 sparc-configuration-privilege-escalation(41332) PHP remote file inclusion vulnerability in index.php in wildmary Yap Blog 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28120 yapblog-index-file-include(41049) Absolute path traversal vulnerability in install/index.php in Drake CMS 0.4.11 RC8 allows remote attackers to read and execute arbitrary files via a full pathname in the d_root parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. CVE description identifies vulnerability as remote attacker, but both links describe vulnerability as local-file inclusion. 28165 http://www.securityfocus.com/bid/28165/exploit drake-cms-index-file-include(41345) bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats. NetBSD-SA2008-004 http://kb.vmware.com/kb/1006982 http://kb.vmware.com/kb/1007198 http://kb.vmware.com/kb/1007504 APPLE-SA-2009-08-05-1 SUSE-SR:2008:011 GLSA-200903-40 241786 http://support.apple.com/kb/HT3757 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0118 http://www.bzip.org/CHANGES http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/ GLSA-200804-02 http://www.ipcop.org/index.php?name=News&file=article&sid=40 VU#813451 MDVSA-2008:075 RHSA-2008:0893 20080321 rPSA-2008-0118-1 bzip2 20081203 VMSA-2008-0019 VMware Hosted products and patches for ESX and ESXi resolve a critical security issue and update bzip2 28286 1020867 SSA:2008-098-02 TA09-218A ADV-2008-0915 ADV-2008-2557 ADV-2009-2172 https://bugs.gentoo.org/attachment.cgi?id=146488&action=view bzip2-archives-code-execution(41249) oval:org.mitre.oval:def:10067 oval:org.mitre.oval:def:6467 USN-590-1 FEDORA-2008-2970 FEDORA-2008-3037 Buffer overflow in the gif_read_lzw function in CUPS 1.3.6 allows remote attackers to have an unknown impact via a GIF file with a large code_size value, a similar issue to CVE-2006-4484. SUSE-SA:2008:020 GLSA-200804-01 http://wiki.rpath.com/Advisories:rPSA-2008-0136 http://www.cups.org/str.php?L2765 DSA-1625 MDVSA-2008:081 RHSA-2008:0192 RHSA-2008:0206 20080404 rPSA-2008-0136-1 cups 28544 1019739 USN-598-1 ADV-2008-1059 cups-gifreadlzw-bo(41587) oval:org.mitre.oval:def:11479 FEDORA-2008-2131 FEDORA-2008-2897 Integer overflow in pdftops filter in CUPS in Red Hat Enterprise Linux 3 and 4, when running on 64-bit platforms, allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: this issue is due to an incomplete fix for CVE-2004-0888. http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0245 RHSA-2008:0206 20080806 rPSA-2008-0245-1 cups cups-pdftops-bo(41758) https://issues.rpath.com/browse/RPL-2390 oval:org.mitre.oval:def:9636 Race condition in the directory notification subsystem (dnotify) in Linux kernel 2.6.x before 2.6.24.6, and 2.6.25 before 2.6.25.1, allows local users to cause a denial of service (OOPS) and possibly gain privileges via unspecified vectors. SUSE-SA:2008:030 SUSE-SA:2008:031 SUSE-SA:2008:032 [Security-announce] 20080728 VMSA-2008-00011 Updated ESX service console packages for Samba and vmnix [linux-kernel] 20080501 Linux 2.6.24.6 [linux-kernel] 20080501 Linux 2.6.25.1 http://wiki.rpath.com/Advisories:rPSA-2008-0157 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0157 DSA-1565 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.4 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.24.6 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.1 MDVSA-2008:104 MDVSA-2008:105 MDVSA-2008:167 RHSA-2008:0211 RHSA-2008:0233 RHSA-2008:0237 20080502 rPSA-2008-0157-1 kernel 20080507 rPSA-2008-0157-1 kernel 29003 1019959 USN-618-1 ADV-2008-1406 ADV-2008-1452 ADV-2008-2222 linux-kernel-dnotify-privilege-escalation(42131) https://issues.rpath.com/browse/RPL-2501 oval:org.mitre.oval:def:11843 USN-614-1 FEDORA-2008-3873 A certain Red Hat build script for nfs-utils before 1.0.9-35z.el5_2 on Red Hat Enterprise Linux (RHEL) 5 omits TCP wrappers support, which might allow remote attackers to bypass intended access restrictions. RHSA-2008:0486 RHSA-2009:0955 30466 1020589 redhat-nfsutils-weak-security(44256) oval:org.mitre.oval:def:10638 The (1) SProcRecordCreateContext and (2) SProcRecordRegisterClients functions in the Record extension and the (3) SProcSecurityGenerateAuthorization function in the Security extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via requests with crafted length values that specify an arbitrary number of bytes to be swapped on the heap, which triggers heap corruption. ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1377.diff SSRT080083 20080611 Multiple Vendor X Server Record and Security Extensions Multiple Memory Corruption Vulnerabilities APPLE-SA-2009-02-12 [xorg] 20080611 X.Org security advisory june 2008 - Multiple vulnerabilities in X server extensions SUSE-SA:2008:027 SUSE-SR:2008:019 RHSA-2008:0502 RHSA-2008:0504 RHSA-2008:0512 GLSA-200806-07 1020247 238686 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-249.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0201 DSA-1595 GLSA-200807-07 MDVSA-2008:115 MDVSA-2008:116 RHSA-2008:0503 20080620 rPSA-2008-0200-1 xorg-server 20080621 rPSA-2008-0201-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs USN-616-1 ADV-2008-1803 ADV-2008-1833 ADV-2008-1983 ADV-2008-3000 https://issues.rpath.com/browse/RPL-2607 https://issues.rpath.com/browse/RPL-2619 oval:org.mitre.oval:def:10109 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-2360, CVE-2008-2361, CVE-2008-2362. Reason: This candidate has been withdrawn by its CNA. It was SPLIT into separate candidates before publication. Notes: All CVE users should reference CVE-2008-2360, CVE-2008-2361, and CVE-2008-2362 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Integer overflow in the fbShmPutImage function in the MIT-SHM extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to read arbitrary process memory via crafted values for a Pixmap width and height. ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-1379.diff SSRT080083 20080611 Multiple Vendor X Server MIT-SHM Extension Information Disclosure Vulnerability APPLE-SA-2009-02-12 [xorg] 20080611 X.Org security advisory june 2008 - Multiple vulnerabilities in X server extensions SUSE-SA:2008:027 SUSE-SR:2008:019 RHSA-2008:0502 RHSA-2008:0504 RHSA-2008:0512 GLSA-200806-07 1020246 238686 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-249.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0201 DSA-1595 GLSA-200807-07 MDVSA-2008:115 MDVSA-2008:116 MDVSA-2008:179 RHSA-2008:0503 20080620 rPSA-2008-0200-1 xorg-server 20080621 rPSA-2008-0201-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs 29669 USN-616-1 ADV-2008-1803 ADV-2008-1833 ADV-2008-1983 ADV-2008-3000 xorg-fbshmputimage-information-disclosure(43016) https://issues.rpath.com/browse/RPL-2607 https://issues.rpath.com/browse/RPL-2619 oval:org.mitre.oval:def:8966 The JavaScript engine in Mozilla Firefox before 2.0.0.14, Thunderbird before 2.0.0.14, and SeaMonkey before 1.1.10 allows remote attackers to cause a denial of service (garbage collector crash) and possibly have other impacts via a crafted web page. NOTE: this is due to an incorrect fix for CVE-2008-1237. SUSE-SR:2008:011 GLSA-200808-03 SSA:2008-191-03 SSA:2008-108-01 238492 DSA-1555 DSA-1558 DSA-1562 DSA-1696 GLSA-200805-18 VU#441529 MDVSA-2008:110 http://www.mozilla.org/security/announce/2008/mfsa2008-20.html SUSE-SR:2008:013 RHSA-2008:0222 RHSA-2008:0223 RHSA-2008:0224 20080508 FLEA-2008-0008-1 firefox 28818 1019873 USN-602-1 ADV-2008-1251 ADV-2008-1793 https://bugzilla.mozilla.org/show_bug.cgi?id=425576 mozilla-garbage-code-execution(41857) oval:org.mitre.oval:def:10752 FEDORA-2008-3231 FEDORA-2008-3264 FEDORA-2008-3519 FEDORA-2008-3557 ZoneMinder before 1.23.3 allows remote authenticated users, and possibly unauthenticated attackers in some installations, to execute arbitrary commands via shell metacharacters in a crafted URL. The following link contains patch information: http://www.zoneminder.com/wiki/index.php/1.23.2_Patches http://www.awe.com/mark/blog/200804272230.html 28968 http://www.zoneminder.com/wiki/index.php/Change_History#Release_1.23.3 zoneminder-unspecified-code-execution(42046) FEDORA-2008-3516 FEDORA-2008-3462 libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory. http://libpng.sourceforge.net/Advisory-1.2.26.txt APPLE-SA-2008-09-15 APPLE-SA-2009-05-12 SUSE-SR:2008:010 GLSA-200804-15 GLSA-200805-10 GLSA-200812-15 SSA:2008-119-01 259989 1020521 http://support.apple.com/kb/HT3549 http://support.avaya.com/elmodocs2/security/ASA-2009-208.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0151 DSA-1750 MDVSA-2008:156 http://www.ocert.org/advisories/ocert-2008-003.html RHSA-2009:0333 20080414 [oCERT-2008-003] libpng zero-length chunks incorrect handling 20080429 rPSA-2008-0151-1 libpng 20090529 VMSA-2009-0007 VMware Hosted products and ESX and ESXi patches resolve security issues 28770 1019840 TA08-260A TA09-133A http://www.vmware.com/security/advisories/VMSA-2009-0007.html ADV-2008-1225 ADV-2008-2584 ADV-2009-1297 ADV-2009-1451 ADV-2009-1462 ADV-2009-1560 libpng-zero-length-code-execution(41800) oval:org.mitre.oval:def:10326 oval:org.mitre.oval:def:6275 FEDORA-2008-4847 FEDORA-2008-4910 FEDORA-2008-4947 FEDORA-2008-3683 FEDORA-2008-3979 FEDORA-2008-3937 The docert function in ssl-cert.eclass, when used by src_compile or src_install on Gentoo Linux, stores the SSL key in a binpkg, which allows local users to extract the key from the binpkg, and causes multiple systems that use this binpkg to have the same SSL key and certificate. GLSA-200803-30 28350 https://bugs.gentoo.org/show_bug.cgi?id=174759 gentoo-docert-sslkey-weak-security(41336) Integer overflow in PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service and possibly have unspecified other impact via a printf format parameter with a large width specifier, related to the php_sprintf_appendstring function in formatted_print.c and probably other functions for formatted strings (aka *printf functions). http://cvs.php.net/viewvc.cgi/php-src/NEWS?revision=1.2027.2.547.2.1120&view=markup SUSE-SR:2008:014 GLSA-200811-05 20080320 PHP 5.2.5 and prior : *printf() functions Integer Overflow http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0178 DSA-1572 MDVSA-2009:022 MDVSA-2009:023 20080321 {securityreason.com}PHP 5 *printf() - Integer Overflow 20080523 rPSA-2008-0176-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl 20080527 rPSA-2008-0178-1 php php-mysql php-pgsql 28392 USN-628-1 php-phpsprintfappendstring-overflow(41386) https://issues.rpath.com/browse/RPL-2503 Cross-site scripting (XSS) vulnerability in the Top Referrers (aka referrer) plugin in Serendipity (S9Y) before 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the Referer HTTP header. 20080422 Correcting CVEs (was Re: [Full-disclosure] Cross site scripting issues in s9y (CVE-2008-1386, CVE-2008-1387)) http://blog.s9y.org/archives/193-Serendipity-1.3.1-released.html http://int21.de/cve/CVE-2008-1385-s9y.html 20080422 Correcting CVEs (was Re: [Full-disclosure] Cross site scripting issues in s9y (CVE-2008-1386, CVE-2008-1387)) 28885 1019915 ADV-2008-1348 topreferrers-referer-xss(41965) Multiple cross-site scripting (XSS) vulnerabilities in the installer in Serendipity (S9Y) 1.3 allow remote attackers to inject arbitrary web script or HTML via (1) unspecified path fields or (2) the database host field. NOTE: the timing window for exploitation of this issue might be limited. 20080422 Correcting CVEs (was Re: [Full-disclosure] Cross site scripting issues in s9y (CVE-2008-1386, CVE-2008-1387)) http://blog.s9y.org/archives/193-Serendipity-1.3.1-released.html http://int21.de/cve/CVE-2008-1386-s9y.html 20080422 Correcting CVEs (was Re: [Full-disclosure] Cross site scripting issues in s9y (CVE-2008-1386, CVE-2008-1387)) 28885 1019915 ADV-2008-1348 serendipity-installer-xss(41967) ClamAV before 0.93 allows remote attackers to cause a denial of service (CPU consumption) via a crafted ARJ archive, as demonstrated by the PROTOS GENOME test suite for Archive Formats. http://int21.de/cve/CVE-2008-1387-clamav.html http://kolab.org/security/kolab-vendor-notice-20.txt APPLE-SA-2008-09-15 SUSE-SA:2008:024 GLSA-200805-19 http://up2date.astaro.com/2008/08/up2date_asg_v7300_ga_released.html http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/ MDVSA-2008:088 20080415 clamav: Endless loop / hang with crafter arj, CVE-2008-1387 28782 28784 TA08-260A ADV-2008-1227 ADV-2008-2584 clamav-arj-unspecified-dos(41822) https://www.clamav.net/bugzilla/show_bug.cgi?id=897 FEDORA-2008-3358 FEDORA-2008-3420 FEDORA-2008-3900 libclamav/chmunpack.c in the chm-parser in ClamAV before 0.94 allows remote attackers to cause a denial of service (application crash) via a malformed CHM file, related to an "invalid memory access." http://int21.de/cve/CVE-2008-1389-clamav-chd.html http://kolab.org/security/kolab-vendor-notice-22.txt APPLE-SA-2008-10-09 SUSE-SR:2008:018 GLSA-200809-18 http://sourceforge.net/project/shownotes.php?group_id=86638&release_id=623661 http://support.apple.com/kb/HT3216 http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog MDVSA-2008:189 30994 31681 1020805 ADV-2008-2484 ADV-2008-2564 ADV-2008-2780 FEDORA-2008-9644 FEDORA-2008-9651 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1089 The AsteriskGUI HTTP server in Asterisk Open Source 1.4.x before 1.4.19-rc3 and 1.6.x before 1.6.0-beta6, Business Edition C.x.x before C.1.6, AsteriskNOW before 1.0.2, Appliance Developer Kit before revision 104704, and s800i 1.0.x before 1.1.0.2 generates insufficiently random manager ID values, which makes it easier for remote attackers to hijack a manager session via a series of ID guesses. http://downloads.digium.com/pub/security/AST-2008-005.html 3764 20080318 AST-2008-005: HTTP Manager ID is predictable 28316 1019679 asterisk-httpmanagerid-weak-security(41304) FEDORA-2008-2554 FEDORA-2008-2620 Multiple integer overflows in libc in NetBSD 4.x, FreeBSD 6.x and 7.x, and probably other BSD and Apple Mac OS platforms allow context-dependent attackers to execute arbitrary code via large values of certain integer fields in the format argument to (1) the strfmon function in lib/libc/stdlib/strfmon.c, related to the GET_NUMBER macro; and (2) the printf function, related to left_prec and right_prec. APPLE-SA-2008-12-15 20080325 *BSD libc (strfmon) Multiple vulnerabilities 3770 http://support.apple.com/kb/HT3338 DSA-2058 20080327 [securityreason] *BSD libc (strfmon) Multiple vulnerabilities 28479 1019722 TA08-350A ADV-2008-3444 bsd-strfmon-overflow(41504) SUSE-SA:2010:052 The default configuration of VMware Workstation 6.0.2, VMware Player 2.0.x before 2.0.3, and VMware ACE 2.0.x before 2.0.1 makes the console of the guest OS accessible through anonymous VIX API calls, which has unknown impact and attack vectors. [security-announce] 20080317 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues GLSA-201209-25 3755 20080318 VMSA-2008-0005 Updated VMware Workstation, VMware Player, VMware Server, VMware ACE, and VMware Fusion resolve critical security issues 28276 http://www.vmware.com/security/advisories/VMSA-2008-0005.html http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html vmware-vix-api-unspecified(41551) Plone CMS 3.0.5, and probably other 3.x versions, places a base64 encoded form of the username and password in the __ac cookie for the admin account, which makes it easier for remote attackers to obtain administrative privileges by sniffing the network. http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords http://plone.org/products/plone/roadmap/48? 3754 http://www.procheckup.com/Hacking_Plone_CMS.pdf 20080313 PR08-02: Plone CMS Security Research - the Art of Plowning plone-accookie-admin-mitm(41427) Plone CMS before 3 places a base64 encoded form of the username and password in the __ac cookie for all user accounts, which makes it easier for remote attackers to obtain access by sniffing the network. http://plone.org/about/security/overview/security-overview-of-plone/ 3754 http://www.procheckup.com/Hacking_Plone_CMS.pdf 20080313 PR08-02: Plone CMS Security Research - the Art of Plowning plone-accookie-mitm(41425) Plone CMS does not record users' authentication states, and implements the logout feature solely on the client side, which makes it easier for context-dependent attackers to reuse a logged-out session. 3754 http://www.procheckup.com/Hacking_Plone_CMS.pdf 20080313 PR08-02: Plone CMS Security Research - the Art of Plowning plone-authenticationstate-weak-security(41423) Plone CMS 3.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network. 3754 http://www.procheckup.com/Hacking_Plone_CMS.pdf 20080313 PR08-02: Plone CMS Security Research - the Art of Plowning plone-hmacsha1-mitm(41421) Check Point VPN-1 Power/UTM, with NGX R60 through R65 and NG AI R55 software, allows remote authenticated users to cause a denial of service (site-to-site VPN tunnel outage), and possibly intercept network traffic, by configuring the local RFC1918 IP address to be the same as one of this tunnel's endpoint RFC1918 IP addresses, and then using SecuRemote to connect to a network interface at the other endpoint. http://puresecurity.com.au/index.php?action=fullnews&id=5 VU#992585 http://www.puresecurity.com.au/files/PureSecurity%20VPN-1%20DoS_Spoofing%20Attack%20against%20VPN%20tunnels.pdf 28299 1019666 ADV-2008-0953 vpn1-ipaddress-dos(41260) https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk34579 SQL injection vulnerability in online.php in AuraCMS 2.0 through 2.2.1 allows remote attackers to execute arbitrary SQL commands via the X-Forwarded-For field (HTTP_X_FORWARDED_FOR environment variable) in an HTTP header. 28257 auracms-online-sql-injection(41217) 5256 Multiple cross-site scripting (XSS) vulnerabilities in index.php in Clansphere 2008 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28224 clansphere-index-xss(41190) Directory traversal vulnerability in the Net Inspector HTTP Server (mghttpd) in MG-SOFT Net Inspector 6.5.0.828 and earlier for Windows allows remote attackers to read arbitrary files via a "..\" (dot dot backslash) or "../" (dot dot slash) in the URI. http://aluigi.altervista.org/adv/netinsp-adv.txt 20080317 Multiple vulnerabilities in Net Inspector 6.5.0.828 28266 5269 Format string vulnerability in the Net Inspector HTTP server (mghttpd) in MG-SOFT Net Inspector 6.5.0.828 and earlier for Windows allows remote attackers to execute arbitrary code via format string specifiers in the URI, which is recorded in a log file. http://aluigi.altervista.org/adv/netinsp-adv.txt 20080317 Multiple vulnerabilities in Net Inspector 6.5.0.828 28266 5269 MG-SOFT Net Inspector 6.5.0.828 and earlier for Windows allows remote attackers to cause a (1) denial of service (exception and crash) via a UDP packet to the SNMP Trap Service (MgWTrap3.exe) or (2) denial of service (device freeze or memory consumption) via a malformed request to the Net Inspector Server (niengine). http://aluigi.altervista.org/adv/netinsp-adv.txt 20080317 Multiple vulnerabilities in Net Inspector 6.5.0.828 28266 5269 Stack-based buffer overflow in the TFTP server in BootManage TFTPD 1.99 and earlier in BootManage Administrator 7.1 and earlier allows remote attackers to execute arbitrary code via a request with a long filename. http://aluigi.altervista.org/adv/bootixtftpd-adv.txt 20080317 Buffer-overflow in BootManage TFTPD 1.99 28270 bootmanage-tftpserver-filename-bo(41226) SQL injection vulnerability in index.php in the Viso (Industry Book) 2.04 and 2.03 module for eXV2 allows remote attackers to execute arbitrary SQL commands via the kid parameter. 28255 viso-index-sql-injection(41216) 5254 PHP remote file inclusion vulnerability in code/display.php in fuzzylime (cms) 3.01 allows remote attackers to execute arbitrary PHP code via a URL in the admindir parameter. http://irk4z.wordpress.com/2008/03/15/fuzzylime-cms-301-remote-file-inclusion-vulnerability/ ADV-2008-0912 fuzzylime-display-file-include(41221) 5260 SQL injection vulnerability in annonces-p-f.php in the MyAnnonces 1.8 module for eXV2 allows remote attackers to execute arbitrary SQL commands via the lid parameter in an ImprAnn action. 28254 myannonces-annoncespf-sql-injection(41214) 5252 SQL injection vulnerability in index.php in the WebChat 1.60 module for eXV2 allows remote attackers to execute arbitrary SQL commands via the roomid parameter. 28256 webchat-index-sql-injection(41213) 5255 SQL injection vulnerability in includes/functions/banners-external.php in phpBP 2 RC3 (2.204) FIX 4 allows remote attackers to execute arbitrary SQL commands via the id parameter in a banner_out action. http://irk4z.wordpress.com/2008/03/16/phpbp-rc3-2204-fix4-remote-sql-injection-vulnerability/ http://www.phpbp.com/filedownload-phpbp2-RC3-204-fix5_22.html 28272 ADV-2008-0910 phpbp-index-sql-injection(41222) 5263 Multiple directory traversal vulnerabilities in the Default theme in Exero CMS 1.0.1 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the theme parameter to (1) index.php, (2) editpassword.php, and (3) avatar.php in usercp/; (4) custompage.php; (5) errors/404.php; (6) memberslist.php and (7) profile.php in members/; (8) index.php and (9) fullview.php in news/; and (10) nopermission.php. 28273 ADV-2008-0909 exerocms-theme-file-include(41238) 5265 Directory traversal vulnerability in the PXE Server (pxesrv.exe) in Acronis Snap Deploy 2.0.0.1076 and earlier allows remote attackers to read arbitrary files via directory traversal sequences to the TFTP service. http://aluigi.altervista.org/adv/acropxe-adv.txt 3758 20080310 Directory traversal and NULL pointer in Acronis PXE Server 2.0.0.1076 28182 ADV-2008-0814 acronissnap-pxeserver-directory-traversal(41074) 5228 The PXE Server (pxesrv.exe) in Acronis Snap Deploy 2.0.0.1076 and earlier allows remote attackers to cause a denial of service (crash) via an incomplete TFTP request, which triggers a NULL pointer dereference. http://aluigi.altervista.org/adv/acropxe-adv.txt 3758 20080310 Directory traversal and NULL pointer in Acronis PXE Server 2.0.0.1076 28182 ADV-2008-0814 acronissnap-pxeserver-dos(41075) 5228 Unspecified vulnerability in multiple F-Secure anti-virus products, including Internet Security 2006 through 2008, Anti-Virus 2006 through 2008, and others, allows remote attackers to execute arbitrary code or cause a denial of service (hang or crash) via a malformed archive that triggers an unhandled exception, as demonstrated by the PROTOS GENOME test suite for Archive Formats. http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-cs-hotfixes.shtml http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-mimesweeper-hotfixes.shtml http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html http://www.ee.oulu.fi/research/ouspg/protos/testing/c10/archive/ http://www.f-secure.com/security/fsc-2008-2.shtml 28282 1019618 1019619 1019620 ADV-2008-0903 fsecure-archives-code-execution(41234) Cross-site scripting (XSS) vulnerability in search.php in SNewsCMS Rus 2.1 through 2.4 allows remote attackers to inject arbitrary web script or HTML via the query parameter. 3757 20080316 vuln in snewscms Rus v 2.3 28262 snewscms-search-xss(41243) Cross-site scripting (XSS) vulnerability in Multiple Time Sheets (MTS) 5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the tab parameter to (1) index.php, as demonstrated using mixed case and encoded whitespace characters in the tag; or (2) clientinfo.php, (3) invoices.php, (4) smartlinks.php, and (5) todo.php, as demonstrated using a META tag. 3756 20080317 Mutiple Timesheets <= 5.0 - Multiple Remote Vulnerabilities 28263 ADV-2008-0911 mts-index-xss(41227) 5262 Directory traversal vulnerability in index.php in Multiple Time Sheets (MTS) 5.0 and earlier allows remote attackers to read arbitrary files via "../..//" (modified dot dot) sequences in the tab parameter. 3756 20080317 Mutiple Timesheets <= 5.0 - Multiple Remote Vulnerabilities 28263 ADV-2008-0911 5262 Multiple PHP remote file inclusion vulnerabilities in PHPauction GPL 2.51 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) converter.inc.php, (2) messages.inc.php, and (3) settings.inc.php in includes/. 28284 ADV-2008-0908 phpauction-includepath-file-include(41239) 5266 The prerm script in axyl 2.1.7 allows local users to overwrite arbitrary files via a symlink attack on the axyl.conf temporary file. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=471227 axyl-prerm-symlink(41406) Xiph.org libvorbis 1.2.0 and earlier does not properly handle a zero value for codebook.dim, which allows remote attackers to cause a denial of service (crash or infinite loop) or trigger an integer overflow. SUSE-SR:2008:012 GLSA-200806-09 DSA-1591 MDVSA-2008:102 RHSA-2008:0270 RHSA-2008:0271 29206 1020029 USN-682-1 ADV-2008-1510 https://bugzilla.redhat.com/show_bug.cgi?id=440700 libvorbis-ogg-bo(42397) libvorbis-ogg-dos(42400) oval:org.mitre.oval:def:10104 FEDORA-2008-3934 FEDORA-2008-3898 FEDORA-2008-3910 Integer overflow in residue partition value (aka partvals) evaluation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to execute arbitrary code via a crafted OGG file, which triggers a heap overflow. SUSE-SR:2008:012 GLSA-200806-09 DSA-1591 MDVSA-2008:102 RHSA-2008:0270 RHSA-2008:0271 29206 1020029 USN-682-1 ADV-2008-1510 https://bugzilla.redhat.com/show_bug.cgi?id=440706 libvorbis-residue-bo(42402) oval:org.mitre.oval:def:9500 USN-825-1 FEDORA-2008-3934 FEDORA-2008-3898 FEDORA-2008-3910 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1419. Reason: This candidate is a reservation duplicate of CVE-2008-1419. Notes: All CVE users should reference CVE-2008-1419 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Integer overflow in a certain quantvals and quantlist calculation in Xiph.org libvorbis 1.2.0 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted OGG file with a large virtual space for its codebook, which triggers a heap overflow. SUSE-SR:2008:012 GLSA-200806-09 DSA-1591 MDVSA-2008:102 RHSA-2008:0270 RHSA-2008:0271 29206 1020029 USN-682-1 ADV-2008-1510 https://bugzilla.redhat.com/show_bug.cgi?id=440709 libvorbis-quantvals-quantlist-bo(42403) oval:org.mitre.oval:def:9851 FEDORA-2008-3934 FEDORA-2008-3898 FEDORA-2008-3910 SQL injection vulnerability in index.php in the gallery module in Easy-Clanpage 2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter in a kate action. 28309 easyclanpage-index-sql-injection(41303) 5275 SQL injection vulnerability in album.asp in KAPhotoservice allows remote attackers to execute arbitrary SQL commands via the albumid parameter. 20080320 KAPhotoservice (album.asp) Remote SQL Injection Exploit 28306 kaphotoservice-album-sql-injection(41300) 5274 SQL injection vulnerability in the Joobi Acajoom (com_acajoom) 1.1.5 and 1.2.5 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the mailingid parameter in a mailing view action to index.php. 28305 acajoom-index-sql-injection(41290) 5273 Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-beta7 module for Drupal allow remote attackers to inject arbitrary web script or HTML via a text attribute value for a product. http://drupal.org/node/233492 ADV-2008-0867 ubercart-attribute-xss(41184) Secure Internet Live Conferencing (SILC) Server before 1.1.1 allows remote attackers to cause a denial of service (daemon crash) via a NEW_CLIENT packet without a nickname. GLSA-200804-27 http://silcnet.org/docs/release/SILC%20Server%201.1.1 28450 1019711 ADV-2008-0919 silc-server-newclient-dos(41307) SQL injection vulnerability in links.asp in ASPapp allows remote attackers to execute arbitrary SQL commands via the CatId parameter. 5276 RaidSonic NAS-4220-B with 2.6.0-n(2007-10-11) firmware stores a partition encryption key in an unencrypted /system/.crypt file with base64 encoding, which allows local users to obtain the key. 3760 20080316 raidsonic nas-4220 crypt disk key leak (stored in plain on unencrypted partition) 28264 Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine SupportCenter Plus 7.0.0 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter, a related issue to CVE-2008-1299. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Use-after-free vulnerability in Microsoft Word in Office 2000 and XP SP3, 2003 SP2 and SP3, and 2007 Office System SP1 and earlier allows remote attackers to execute arbitrary code via an HTML document with a large number of Cascading Style Sheets (CSS) selectors, related to a "memory handling error" that triggers memory corruption. 20080513 Microsoft Word CSS Processing Memory Corruption Vulnerability SSRT080071 29105 1020014 TA08-134A ADV-2008-1504 MS08-026 oval:org.mitre.oval:def:5012 Windows Explorer in Microsoft Windows Vista up to SP1, and Server 2008, allows user-assisted remote attackers to execute arbitrary code via crafted saved-search (.search-ms) files that are not properly handled when saving, aka "Windows Saved Search Vulnerability." 30109 1020436 TA08-190A ADV-2008-2020 MS08-038 oval:org.mitre.oval:def:5600 Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping. http://blogs.technet.com/msrc/archive/2008/04/17/msrc-blog-microsoft-security-advisory-951306.aspx http://isc.sans.org/diary.html?storyid=4306 http://milw0rm.com/sploits/2008-Churrasco.zip http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html http://securitywatch.eweek.com/flaws/microsoft_belatedly_admits_to_windows_server_2008_token_kidnapping.html http://www.argeniss.com/research/Churrasco.zip http://www.argeniss.com/research/TokenKidnapping.pdf http://www.microsoft.com/technet/security/advisory/951306.mspx 20080419 Token Kidnapping (Microsoft Security Advisory 951306) presentation available 20081008 Token Kidnapping Windows 2003 PoC exploit 28833 1019904 TA09-104A ADV-2008-1264 ADV-2009-1026 MS09-012 ms-windows-localsystem-privilege-escalation(41880) oval:org.mitre.oval:def:5891 6705 Unspecified vulnerability in Microsoft Malware Protection Engine (mpengine.dll) 1.1.3520.0 and 0.1.13.192, as used in multiple Microsoft products, allows context-dependent attackers to cause a denial of service (engine hang and restart) via a crafted file, a different vulnerability than CVE-2008-1438. SSRT080071 29060 1020016 TA08-134A ADV-2008-1506 MS08-029 oval:org.mitre.oval:def:13981 Unspecified vulnerability in Microsoft Malware Protection Engine (mpengine.dll) 1.1.3520.0 and 0.1.13.192, as used in multiple Microsoft products, allows context-dependent attackers to cause a denial of service (disk space exhaustion) via a file with "crafted data structures" that trigger the creation of large temporary files, a different vulnerability than CVE-2008-1437. SSRT080071 29073 1020016 TA08-134A ADV-2008-1506 MS08-029 oval:org.mitre.oval:def:14375 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Microsoft Windows XP SP2 and SP3, and Server 2003 SP1 and SP2, does not properly validate the option length field in Pragmatic General Multicast (PGM) packets, which allows remote attackers to cause a denial of service (infinite loop and system hang) via a crafted PGM packet, aka the "PGM Invalid Length Vulnerability." 1020230 29508 TA08-162B ADV-2008-1783 MS08-036 oval:org.mitre.oval:def:5473 Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system hang) via a series of Pragmatic General Multicast (PGM) packets with invalid fragment options, aka the "PGM Malformed Fragment Vulnerability." 1020231 29509 TA08-162B ADV-2008-1783 MS08-036 oval:org.mitre.oval:def:5604 Heap-based buffer overflow in the substringData method in Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code, related to an unspecified manipulation of a DOM object before a call to this method, aka the "HTML Objects Memory Corruption Vulnerability." HPSBST02344 3934 1020225 20080610 ZDI-08-039: Microsoft Internet Explorer DOM Ojbect substringData() Heap Overflow Vulnerability 29556 TA08-162B ADV-2008-1778 http://www.zerodayinitiative.com/advisories/ZDI-08-039/ MS08-031 oval:org.mitre.oval:def:5720 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Stack-based buffer overflow in Microsoft DirectX 7.0 and 8.1 on Windows 2000 SP4 allows remote attackers to execute arbitrary code via a Synchronized Accessible Media Interchange (SAMI) file with crafted parameters for a Class Name variable, aka the "SAMI Format Parsing Vulnerability." HPSBST02344 3937 1020223 20080610 ZDI-08-040: Microsoft DirectX SAMI File Format Name Parsing Stack Overflow Vulnerability 29578 TA08-162B ADV-2008-1780 http://www.zerodayinitiative.com/advisories/ZDI-08-040/ MS08-033 oval:org.mitre.oval:def:5562 Active Directory on Microsoft Windows 2000 Server SP4, XP Professional SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 allows remote authenticated users to cause a denial of service (system hang or reboot) via a crafted LDAP request. 1020229 20080613 Securify bulletin: Microsoft Active Directory Denial-of-service 20080613 RE: Securify bulletin: Microsoft Active Directory Denial-of-service 29584 TA08-162B ADV-2008-1782 MS08-035 oval:org.mitre.oval:def:4910 Integer overflow in the Internet Printing Protocol (IPP) ISAPI extension in Microsoft Internet Information Services (IIS) 5.0 through 7.0 on Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, and Server 2008 allows remote authenticated users to execute arbitrary code via an HTTP POST request that triggers an outbound IPP connection from a web server to a machine operated by the attacker, aka "Integer Overflow in IPP Service Vulnerability." SSRT080143 VU#793233 31682 1021048 TA08-288A ADV-2008-2813 MS08-062 win-ipp-service-code-execution(45545) win-ms08kb953155-update(45548) oval:org.mitre.oval:def:5764 The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." NetBSD-SA2008-009 http://blog.invisibledenizen.org/2008/07/kaminskys-dns-issue-accidentally-leaked.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494401 HPSBOV02357 HPSBNS02405 APPLE-SA-2008-07-31 APPLE-SA-2008-09-09 APPLE-SA-2008-09-12 APPLE-SA-2008-09-15 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. SUSE-SA:2008:033 SUSE-SR:2008:017 SSRT080058 HPSBTU02358 HPSBMP02404 HPSBOV03226 RHSA-2008:0533 FreeBSD-SA-08:06 GLSA-200807-08 GLSA-200812-17 GLSA-201209-25 SSA:2008-205-01 SSA:2008-191 239392 240048 http://support.apple.com/kb/HT3026 http://support.apple.com/kb/HT3129 http://support.citrix.com/article/CTX117991 http://support.citrix.com/article/CTX118183 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=762152 http://up2date.astaro.com/2008/08/up2date_7202_released.html http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0231 http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0018 http://www.bluecoat.com/support/security-advisories/dns_cache_poisoning http://www.caughq.org/exploits/CAU-EX-2008-0002.txt http://www.caughq.org/exploits/CAU-EX-2008-0003.txt 20080708 Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks DSA-1603 DSA-1604 DSA-1605 DSA-1619 DSA-1623 http://www.doxpara.com/?p=1176 http://www.doxpara.com/DMK_BO2K8.ppt IZ26667 IZ26668 IZ26669 IZ26670 IZ26671 IZ26672 http://www.ipcop.org/index.php?name=News&file=article&sid=40 http://www.isc.org/index.pl?/sw/bind/bind-security.php VU#800113 http://www.kb.cert.org/vuls/id/MIMG-7DWR4J http://www.kb.cert.org/vuls/id/MIMG-7ECL8Q MDVSA-2008:139 http://www.nominum.com/asset_upload_file741_2661.pdf http://www.novell.com/support/viewContent.do?externalId=7000912 [4.2] 013: SECURITY FIX: July 23, 2008 [4.3] 004: SECURITY FIX: July 23, 2008 http://www.phys.uu.nl/~rombouts/pdnsd.html http://www.phys.uu.nl/~rombouts/pdnsd/ChangeLog RHSA-2008:0789 http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/VU800113.html http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/ 20080808 New paper: An Illustrated Guide to the Kaminsky DNS Vulnerability 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. 30131 1020437 1020438 1020440 1020448 1020449 1020548 1020558 1020560 1020561 1020575 1020576 1020577 1020578 1020579 1020651 1020653 1020702 1020802 1020804 USN-622-1 USN-627-1 http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html TA08-190A TA08-190B TA08-260A http://www.vmware.com/security/advisories/VMSA-2008-0014.html ADV-2008-2019 ADV-2008-2023 ADV-2008-2025 ADV-2008-2029 ADV-2008-2030 ADV-2008-2050 ADV-2008-2051 ADV-2008-2052 ADV-2008-2055 ADV-2008-2092 ADV-2008-2113 ADV-2008-2114 ADV-2008-2123 ADV-2008-2139 ADV-2008-2166 ADV-2008-2195 ADV-2008-2196 ADV-2008-2197 ADV-2008-2268 ADV-2008-2291 ADV-2008-2334 ADV-2008-2342 ADV-2008-2377 ADV-2008-2383 ADV-2008-2384 ADV-2008-2466 ADV-2008-2467 ADV-2008-2482 ADV-2008-2525 ADV-2008-2549 ADV-2008-2558 ADV-2008-2582 ADV-2008-2584 ADV-2009-0297 ADV-2009-0311 ADV-2010-0622 MS08-037 win-dns-client-server-spoofing(43334) cisco-multiple-dns-cache-poisoning(43637) oval:org.mitre.oval:def:12117 oval:org.mitre.oval:def:5725 oval:org.mitre.oval:def:5761 oval:org.mitre.oval:def:5917 oval:org.mitre.oval:def:9627 6122 6123 6130 FEDORA-2008-6256 FEDORA-2008-6281 The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka "URL Parsing Cross-Domain Information Disclosure Vulnerability." HPSBST02360 http://www.coresecurity.com/content/internet-explorer-zone-elevation 20080813 CORE-2008-0103: Internet Explorer Zone Elevation Restrictions Bypass and Security Zone Restrictions Bypass 30585 1020679 1020680 TA08-225A ADV-2008-2352 MS08-048 oval:org.mitre.oval:def:5886 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. The WINS service on Microsoft Windows 2000 SP4, and Server 2003 SP1 and SP2, does not properly validate data structures in WINS network packets, which allows local users to gain privileges via a crafted packet, aka "Memory Overwrite Vulnerability." 1020228 29588 TA08-162B ADV-2008-1781 MS08-034 oval:org.mitre.oval:def:5582 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. The Bluetooth stack in Microsoft Windows XP SP2 and SP3, and Vista Gold and SP1, allows physically proximate attackers to execute arbitrary code via a large series of Service Discovery Protocol (SDP) packets. 1020221 29522 TA08-162B ADV-2008-1777 MS08-030 oval:org.mitre.oval:def:4730 Unspecified vulnerability in Microsoft DNS in Windows 2000 SP4, Server 2003 SP1 and SP2, and Server 2008 allows remote attackers to conduct cache poisoning attacks via unknown vectors related to accepting "records from a response that is outside the remote server's authority," aka "DNS Cache Poisoning Vulnerability," a different vulnerability than CVE-2008-1447. 30132 1020437 TA08-190A ADV-2008-2019 MS08-037 oval:org.mitre.oval:def:5380 A "memory calculation error" in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, 2003 SP2, and 2007 through SP1; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 through SP1; and Office 2004 for Mac allows remote attackers to execute arbitrary code via a PowerPoint file with crafted list values that trigger memory corruption, aka "Parsing Overflow Vulnerability." HPSBST02360 30579 1020676 TA08-225A ADV-2008-2355 MS08-051 oval:org.mitre.oval:def:5555 Array index vulnerability in the Event System in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote authenticated users to execute arbitrary code via a crafted event subscription request that is used to access an array of function pointers. HPSBST02360 30586 1020677 TA08-225A ADV-2008-2353 MS08-049 oval:org.mitre.oval:def:5630 The Event System in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate per-user subscriptions, which allows remote authenticated users to execute arbitrary code via a crafted event subscription request. HPSBST02360 30584 1020677 TA08-225A ADV-2008-2353 MS08-049 oval:org.mitre.oval:def:6095 Cross-site scripting (XSS) vulnerability in index.php in CS-Cart 1.3.2 allows remote attackers to inject arbitrary web script or HTML via the q parameter in a products search action. NOTE: it was also reported that 1.3.5-SP2 trial edition is also affected. 3762 20080319 CS-Cart XSS 28333 cscart-index-xss(41306) SQL injection vulnerability in the Alberghi (com_alberghi) 2.1.3 and earlier component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. 28331 alberghi-index-sql-injection(41285) 5278 SQL injection vulnerability in the Joovideo (com_joovideo) 1.0 and 1.2.2 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. 28318 joovideo-index-sql-injection(41279) 5277 Buffer overflow in XnView 1.92.1 allows user-assisted remote attackers to execute arbitrary code via a long filename argument on the command line. NOTE: it is unclear whether there are common handler configurations in which this argument is controlled by an attacker. 3761 http://www.click-internet.fr/index.php?cki=News&news=9 20080315 XNview 1.92.1 Long Filename Overflow 28259 xnview-filename-bo(41245) SQL injection vulnerability in the sections (Section) module in RunCMS allows remote attackers to execute arbitrary SQL commands via the artid parameter in a viewarticle action. 28378 section-index-sql-injection(41377) 5285 Cross-site scripting (XSS) vulnerability in the management GUI in Imperva SecureSphere MX Management Server 5.0 allows remote attackers to inject arbitrary web script or HTML via an invalid or prohibited request to a web server protected by SecureSphere, which triggers injection into the "corrective action" section of an alert page. http://imperva.com/go/secadv/20080318 28279 securesphere-mxmanagementserver-gui-xss(41359) Multiple SQL injection vulnerabilities in Gallarific Free Edition 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) query parameter to (a) search.php; (2) gusername and (3) gpassword parameters to (b) login.php; and the (4) username and (5) password parameters to (c) gadmin/index.php in a signin action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. More information is available at: http://www.securityfocus.com/bid/28163 SQL injection vulnerability in the Detodas Restaurante (com_restaurante) 1.0 component for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php, a different product than CVE-2008-0562. 28324 restaurante-index-sql-injection(41283) 5280 Multiple PHP remote file inclusion vulnerabilities in W-Agora 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the bn_dir_default parameter to (1) add_user.php, (2) create_forum.php, (3) create_user.php, (4) delete_notes.php, (5) delete_user.php, (6) edit_forum.php, (7) mail_users.php, (8) moderate_notes.php, and (9) reorder_forums.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28366 wagora-bndirdefault-file-include(41352) ** DISPUTED ** CenterIM 4.22.3 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URI, related to "received URLs in the message window." NOTE: this issue has been disputed due to the user-assisted nature, since the URL must be selected and launched by the victim. 28362 ADV-2008-0956 centerim-chat-shell-command-execution(41362) 5283 FEDORA-2008-2867 FEDORA-2008-2869 Cross-site scripting (XSS) vulnerability in namazu.cgi in Namazu before 2.0.18 allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded input, related to failure to set the charset, a different vector than CVE-2004-1318 and CVE-2001-1350. NOTE: some of these details are obtained from third party information. HPSBMA02492 JVN#00892830 SUSE-SR:2008:017 SSRT100083 http://www.namazu.org/security.html.en 28380 namazu-character-encoding-xss(41360) FEDORA-2008-2678 FEDORA-2008-2767 Gallarific Free Edition 1.1 does not require authentication for (1) photos.php, (2) comments.php, and (3) gallery.php in gadmin/, which allows remote attackers to edit objects via a direct request, different vectors than CVE-2008-1327. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. More information available at: http://www.securityfocus.com/bid/28163/info Incomplete blacklist vulnerability in IISWebAgentIF.dll in the WebID RSA Authentication Agent 5.3, and possibly earlier, allows remote attackers to conduct cross-site scripting (XSS) attacks via the postdata parameter, due to an incomplete fix for CVE-2005-1118. 3768 20080317 Security Advisory on RSA Web ID (XSS) 28277 The cpoint.sys driver in Panda Internet Security 2008 and Antivirus+ Firewall 2008 allows local users to cause a denial of service (system crash or kernel panic), overwrite memory, or execute arbitrary code via a crafted IOCTL request that triggers an out-of-bounds write of kernel memory. http://www.pandasecurity.com/homeusers/support/card?id=41231&idIdioma=2&ref=ProdExp http://www.pandasecurity.com/homeusers/support/card?id=41337&idIdioma=2&ref=ProdExp 20080308 [TKADV2008-001] Panda Internet Security/Antivirus+Firewall 2008 cpoint.sys Kernel Driver Memory Corruption Vulnerability 28150 1019568 http://www.trapkit.de/advisories/TKADV2008-001.txt ADV-2008-0801 panda-antivirus-cpointsys-priv-escalation(41079) Stack-based buffer overflow in the ListCtrl ActiveX Control (ListCtrl.ocx), as used in multiple CA products including BrightStor ARCserve Backup R11.5, Desktop Management Suite r11.1 through r11.2, and Unicenter products r11.1 through r11.2, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long argument to the AddColumn method. http://community.ca.com/blogs/casecurityresponseblog/archive/2008/3/28.aspx 20080320 Note about recently publicized CA BrightStor ActiveX exploit code 20080328 CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability 28268 1019617 ADV-2008-0902 ca-arcserve-listctrl-bo(41225) 5264 The Altiris Client Service (AClient.exe) in Symantec Altiris Deployment Solution 6.8.x before 6.9.164 allows local users to gain privileges via a "Shatter" style attack. http://securityresponse.symantec.com/avcenter/security/Content/2008.03.10.html 28110 1019569 ADV-2008-0843 symantec-altiris-aclient-priv-escalation(41100) Multiple unspecified vulnerabilities in Roundup before 1.4.4 have unknown impact and attack vectors, some of which may be related to cross-site scripting (XSS). http://roundup.cvs.sourceforge.net/roundup/roundup/CHANGES.txt?revision=1.939&view=markup GLSA-200805-21 DSA-1554 28239 ADV-2008-0891 https://bugzilla.redhat.com/show_bug.cgi?id=436546 roundup-multiple-unspecified(41241) FEDORA-2008-2370 FEDORA-2008-2471 The xml-rpc server in Roundup 1.4.4 does not check property permissions, which allows attackers to bypass restrictions and edit or read restricted properties via the (1) list, (2) display, and (3) set methods. GLSA-200805-21 http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788 28238 ADV-2008-0891 https://bugzilla.redhat.com/show_bug.cgi?id=436546 roundup-xmlrpc-security-bypass(41240) FEDORA-2008-2370 FEDORA-2008-2471 FEDORA-2008-9712 FEDORA-2008-9734 Cross-site scripting (XSS) vulnerability in Serendipity (S9Y) before 1.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to received trackbacks. http://blog.s9y.org/archives/192-Serendipity-1.3-released-addresses-security.html DSA-1528 28298 ADV-2008-0925 serendipity-trackbacks-data-xss(41343) Multiple cross-site scripting (XSS) vulnerabilities in busca.php in eForum 0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) busca and (2) link parameters. http://omni.playhack.net/blog/?p=10 3767 20080318 eForum 0.4 XSS 28293 Home FTP Server 1.4.5.89 allows remote attackers to cause a denial of service (crash) by opening a FTP passive mode connection, then closing the original FTP connection. NOTE: some of these details are obtained from third party information. 3766 20080317 Home FTP Server DoS 28283 5270 Cross-site scripting (XSS) vulnerability in index.php in cyberfrogs.net cfnetgs 0.24 allows remote attackers to inject arbitrary web script or HTML via the directory parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28267 cfnetgs-index-xss(41391) rpc.metad in Sun Solaris 10 allows remote attackers to cause a denial of service (daemon crash) via a malformed RPC request. 249146 http://support.avaya.com/elmodocs2/security/ASA-2009-015.htm 28261 1019652 ADV-2008-0918 ADV-2009-0206 solaris-rpcmetad-dos(41224) oval:org.mitre.oval:def:5698 5258 Cross-site scripting (XSS) vulnerability in index.php in webSPELL 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the board parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28294 http://www.securityfocus.com/bid/28294/exploit webspell-board-xss(41417) Multiple integer overflows in xine-lib 1.1.11 and earlier allow remote attackers to trigger heap-based buffer overflows and possibly execute arbitrary code via (1) a crafted .FLV file, which triggers an overflow in demuxers/demux_flv.c; (2) a crafted .MOV file, which triggers an overflow in demuxers/demux_qt.c; (3) a crafted .RM file, which triggers an overflow in demuxers/demux_real.c; (4) a crafted .MVE file, which triggers an overflow in demuxers/demux_wc3movie.c; (5) a crafted .MKV file, which triggers an overflow in demuxers/ebml.c; or (6) a crafted .CAK file, which triggers an overflow in demuxers/demux_film.c. http://aluigi.altervista.org/adv/xinehof-adv.txt http://aluigi.org/poc/xinehof.zip SUSE-SR:2008:008 GLSA-200808-01 3769 SSA:2008-092-01 DSA-1586 MDVSA-2008:178 20080320 Multiple heap overflows in xine-lib 1.1.11 28370 USN-635-1 ADV-2008-0981 https://bugzilla.redhat.com/show_bug.cgi?id=438663 xinelib-multiple-bo(41350) FEDORA-2008-2945 FEDORA-2008-2849 OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. NetBSD-SA2008-005 http://aix.software.ibm.com/aix/efixes/security/ssh_advisory.asc http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011 HPSBUX02337 APPLE-SA-2008-09-15 SUSE-SR:2008:009 FreeBSD-SA-08:05 http://sourceforge.net/project/shownotes.php?release_id=590180&group_id=69227 237444 1019235 http://support.attachmate.com/techdocs/2374.html http://support.avaya.com/elmodocs2/security/ASA-2008-205.htm 20130220 OpenSSH Forwarded X Connection Session Hijack Vulnerability http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0120 DSA-1576 GLSA-200804-03 [security-announce] 20080403 Globus Security Advisory 2008-01: GSI-OpenSSH vulnerability MDVSA-2008:078 20080325 rPSA-2008-0120-1 gnome-ssh-askpass openssh openssh-client openssh-server 28444 1019707 SSA:2008-095-01 TA08-260A ADV-2008-0994 ADV-2008-1123 ADV-2008-1124 ADV-2008-1448 ADV-2008-1526 ADV-2008-1624 ADV-2008-1630 ADV-2008-2396 ADV-2008-2584 openssh-sshd-session-hijacking(41438) https://issues.rpath.com/browse/RPL-2397 oval:org.mitre.oval:def:6085 USN-597-1 The password reset feature in PunBB 1.2.16 and earlier uses predictable random numbers based on the system time, which allows remote authenticated users to determine the new password via a brute force attack on a seed that is based on the approximate creation time of the targeted account. NOTE: this issue might be related to CVE-2006-5737. http://punbb.org/download/changelogs/1.2.16_to_1.2.17.txt http://punbb.org/forums/viewtopic.php?id=18460 http://sektioneins.de/advisories/SE-2008-01.txt 20080220 Advisory SE-2008-01: PunBB Blind Password Recovery Vulnerability 27908 5165 Cross-site scripting (XSS) vulnerability in PunBB 1.2.16 and earlier allows remote attackers to inject arbitrary web script or HTML via the get_host parameter to moderate.php. http://punbb.org/download/changelogs/1.2.16_to_1.2.17.txt SQL injection vulnerability in Phorum before 5.2.6, when mysql_use_ft is disabled, allows remote attackers to execute arbitrary SQL commands via the non-fulltext search. http://www.phorum.org/phorum5/read.php?64,126815,126815 28540 phorum-nonfulltext-sql-injection(41418) Multiple cross-site scripting (XSS) vulnerabilities in LinPHA before 1.3.3 allow remote attackers to inject arbitrary web script or HTML via (1) ftp/index.php, (2) viewer.php, (3) functions/other.php, (4) include/left_menu.class.php, and (5) plugins/stats/stats_view.php. http://linpha.cvs.sourceforge.net/linpha/linpha/ChangeLog?view=markup http://linpha.sourceforge.net/wiki/index.php/Release_Notes#Version_1.3.3 Stack-based buffer overflow in apc.c in Alternative PHP Cache (APC) 3.0.11 through 3.0.16 allows remote attackers to execute arbitrary code via a long filename. http://papasian.org/~dannyp/apcsmash.php.txt http://pecl.php.net/bugs/bug.php?id=13415 GLSA-200804-07 MDVSA-2008:082 28457 apc-apcsearchpaths-bo(41420) FEDORA-2008-6344 FEDORA-2008-6401 Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC 0.8.6e allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MP4 RDRF box that triggers a heap-based buffer overflow, a different vulnerability than CVE-2008-0984. GLSA-200804-25 http://trac.videolan.org/vlc/changeset/09572892df7e72c0d4e598c0b5e076cf330d8b0a http://wiki.videolan.org/Changelog/0.8.6f DSA-1543 28433 http://www.videolan.org/security/sa0803.php ADV-2008-0985 vlcmediaplayer-mp4readbox-rdrf-bo(41412) oval:org.mitre.oval:def:14841 Buffer overflow in a certain Aurigma ActiveX control in ImageUploader4.ocx 4.1.36.0, as used with Piczo (aka Pizco) and possibly other online services, allows remote attackers to execute arbitrary code via unspecified vectors, possibly involving a long Action property, a different CLSID than CVE-2008-0659. 20080320 Pizco vulnerable to buffer overflow in activex 28354 aurigma-imageuploader41-bo(40152) Stack-based buffer overflow in the DPC Proxy server (DpcProxy.exe) in ASUS Remote Console (aka ARC or ASMB3) 2.0.0.19 and 2.0.0.24 allows remote attackers to execute arbitrary code via a long string to TCP port 623. http://aluigi.altervista.org/adv/asuxdpc-adv.txt 3771 20080321 Buffer-overflow in ASUS Remote Console 2.0.0.24 28394 ADV-2008-0982 asus-asmb3-dpcproxy-bo(41358) 5694 Multiple directory traversal vulnerabilities in CoronaMatrix phpAddressBook 2.11 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the skin parameter to (1) index.php and (2) install.php. NOTE: it was later reported that vector 1 is also present in 2.0. http://0x90.com.ar/Advisory/20080321.txt 3772 20080322 phpAddressBook v2.11 Multiple Local File Inclusion Vulnerabilities 20080501 php-addressbook v2.0 Multiple Remote Vulnerabilities (LFI/XSS) 28397 phpaddressbook-skin-directory-traversal(41394) 5288 Directory traversal vulnerability in login.php in Cuteflow Bin 1.5.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter. 20080325 Cuteflow Bin v1.5.0 Local File Inclusion Vuln 28419 cuteflowbin-login-file-include(41392) 5296 SQL injection vulnerability in inc/module/online.php in Easy-Clanpage 2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter in a user details action, a different vector than CVE-2008-1425. 3773 20080320 Easy-Clanpage 2.2 (id) Remote SQL Injection Vulnerability 28329 Unrestricted file upload vulnerability in administrer/produits.php in PEEL, possibly 3.x and earlier, allows remote authenticated administrators to upload and execute arbitrary PHP files via a modified content type in an ajout action, as demonstrated by (1) image/gif and (2) application/pdf. http://realn.free.fr/releases/70207 28346 peel-produits-file-upload(41354) 5281 Multiple SQL injection vulnerabilities in PEEL, possibly 3.x and earlier, allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to (a) membre.php, and the (2) timestamp parameter to (b) the details action in achat/historique_commandes.php and (c) the facture action in factures/facture_html.php. http://realn.free.fr/releases/70207 28346 peel-timestamp-sql-injection(41341) peel-membre-sql-injection(41353) 5281 Stack-based buffer overflow in the IMAP service in NetWin SurgeMail 38k4-4 and earlier allows remote authenticated users to execute arbitrary code via long arguments to the LSUB command. 3774 http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-03-07 http://www.netwinsite.com/surgemail/help/updates.htm 20080321 [INFIGO-2008-03-07]: Surgemail 38k4 IMAP server remote stack overflow 28377 surgemail-imap-lsub-bo(41402) Stack-based buffer overflow in the IMAP service in NetWin Surgemail 3.8k4-4 and earlier allows remote authenticated users to execute arbitrary code via a long first argument to the LIST command. http://www.netwinsite.com/surgemail/help/updates.htm 28260 ADV-2008-0901 5259 Cross-site scripting (XSS) vulnerability in frontend/x/manpage.html in cPanel 11.18.3 and 11.21.0-BETA allows remote attackers to inject arbitrary web script or HTML via the query string. 3775 20080321 XSS in cPanel 11.x 28403 cpanel-manpage-xss(41374) Cross-site scripting (XSS) vulnerability in index.php in TinyPortal 0.8.6 and 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the PHPSESSID parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28402 tinyportal-index-xss(41376) The send_user_mode function in s_user.c in (1) Undernet ircu 2.10.12.12 and earlier, (2) snircd 1.3.4 and earlier, and unspecified other ircu derivatives allows remote attackers to cause a denial of service (daemon crash) via a malformed MODE command. http://hg.quakenet.org/snircd/rev/2da2b881d9f5 20080324 ircu/snircd remote crash vulnerability 3779 20080324 ircu/snircd remote crash vulnerability 28413 1019687 1019688 ADV-2008-0977 ADV-2008-0978 snircd-sendusermode-dos(41397) undernet-ircu-sendusermode-dos(41401) 5306 The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols. http://docs.moodle.org/en/Release_Notes#Moodle_1.8.5 SUSE-SR:2008:015 DSA-1691 DSA-1871 http://www.egroupware.org/changelog http://www.egroupware.org/viewvc/branches/1.4/phpgwapi/inc/class.kses.inc.php?r1=23625&r2=25110&pathrev=25110 GLSA-200805-04 [oss-security] 20080708 Re: CVE request: moodle xss in < 1.8.5 28424 ADV-2008-0989 egroupware-badprotocolonce-security-bypass(41435) USN-658-1 FEDORA-2008-6226 Cross-site scripting (XSS) vulnerability in the web management interface in F5 BIG-IP 9.4.3 allows remote attackers to inject arbitrary web script or HTML via (1) the name of a node object, or the (2) sysContact or (3) sysLocation SNMP configuration field, aka "Audit Log XSS." NOTE: these issues might be resultant from cross-site request forgery (CSRF) vulnerabilities. 3778 20080323 F5 BIG-IP Web Management Audit Log XSS 28416 f5bigip-auditlog-xss(41440) Cross-site scripting (XSS) vulnerability in setup.php3 in phpHeaven phpMyChat 0.14.5 allows remote attackers to inject arbitrary web script or HTML via the Lang parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28399 phpmychat-setup-xss(41381) PHP remote file inclusion vulnerability in the SSTREAMTV custompages (com_custompages) 1.1 and earlier component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the cpage parameter to index.php. 28409 custompages-index-file-include(41396) 5294 PEEL, possibly 3.x and earlier, allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function. http://realn.free.fr/releases/70207 peel-phpinfo-information-disclosure(41494) 5281 PEEL, possibly 3.x and earlier, has (1) a default info@peel.fr account with password admin, and (2) a default contact@peel.fr account with password cinema, which allows remote attackers to gain administrative access. http://realn.free.fr/releases/70207 peel-default-password(41493) 5281 SQL injection vulnerability in EfesTech E-Kont?r and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 3776 20080323 EfesTech E-Kont&ouml;r (id) Remote SQL INJECTION 28412 ekontor-id-sql-injection(41419) SQL injection vulnerability in index.php in XLPortal 2.2.4 and earlier allows remote attackers to execute arbitrary SQL commands via the query parameter. 28408 xlportal-index-sql-injection(41379) 5293 Cross-site scripting (XSS) vulnerability in system/workplace/admin/accounts/users_list.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the (1) searchfilter or (2) listSearchFilter parameter. 3777 20080323 Alkacon OpenCms users_list.jsp searchfilter XSS 28411 opencms-userslist-xss(41390) Multiple PHP remote file inclusion vulnerabilities in ooComments 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the PathToComment parameter for (1) classes/class_admin.php and (2) classes/class_comments.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28401 http://www.securityfocus.com/bid/28401/exploit Directory traversal vulnerability in admin/admin_xs.php in eXtreme Styles module (XS-Mod) 2.3.1 and 2.4.0 for phpBB allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the phpEx parameter. NOTE: some of these details are obtained from third party information. 28432 xs-adminxs-file-include(41404) 5301 SQL injection vulnerability in index.php in Danneo CMS 0.5.1 and earlier, when the Referers statistics option is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header. cmsdanneo-index-sql-injection(41153) 5239 arch/s390/kernel/ptrace.c in Linux kernel 2.6.9, and other versions before 2.6.27-rc6, on s390 platforms allows local users to cause a denial of service (kernel panic) via the user-area-padding test from the ptrace testsuite in 31-bit mode, which triggers an invalid dereference. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3d6e48f43340343d97839eadb1ab7b6a3ea98797 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.26.6 SUSE-SA:2008:051 RHSA-2008:0972 http://sourceware.org/systemtap/wiki/utrace/tests DSA-1653 DSA-1655 31177 https://bugzilla.redhat.com/show_bug.cgi?id=438147 linux-kernel-ptrace-dos(41501) oval:org.mitre.oval:def:9555 The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 allows remote attackers to "read and modify objects" via SOAP requests, related to "Missing security checks." SUSE-SR:2008:008 http://otrs.org/advisory/OSA-2008-01-en/ 28647 otrs-soapinterface-weak-security(41577) FEDORA-2008-3100 Array index error in the xnu (Mach) kernel in Apple Mac OS X 10.5 before 10.5.7 allows local users to gain privileges or cause a denial of service (system shutdown) via unspecified vectors related to workqueues. 20090514 Apple Mac OS X xnu Kernel workqueue_additem/workqueue_removeitem Index Validation Vulnerability APPLE-SA-2009-05-12 http://support.apple.com/kb/HT3549 1022213 TA09-133A ADV-2009-1297 macos-kernel-workqueue-code-execution(50489) Stack-based buffer overflow in kl1.sys in Kaspersky Anti-Virus 6.0 and 7.0 and Internet Security 6.0 and 7.0 allows local users to gain privileges via an IOCTL 0x800520e8 call. 20080604 Kaspersky Internet Security IOCTL Stack Based Buffer Overflow Vulnerability 1020195 1020196 http://www.kaspersky.com/technews?id=203038727 ADV-2008-1739 kaspersky-internetsecurity-kl1-bo(42849) ZyXEL Prestige routers, including P-660 and P-661 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), allow remote authenticated users to gain privileges by accessing administrative URIs, as demonstrated by rpSysAdmin.html. http://www.gnucitizen.org/projects/router-hacking-challenge/ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf 20080301 The Router Hacking Challenge is Over! ZyXEL Prestige routers, including P-660 and P-661 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), have (1) "user" as their default password for the "user" account and (2) "1234" as their default password for the "admin" account, which makes it easier for remote attackers to obtain access. http://www.gnucitizen.org/projects/router-hacking-challenge/ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf 20080301 The Router Hacking Challenge is Over! zyxelprestige-default-password(41508) ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), allow remote authenticated users to obtain ISP and Dynamic DNS credentials by sending a direct request for (1) WAN.html, (2) wzPPPOE.html, and (3) rpDyDNS.html, and then reading the HTML source. http://www.gnucitizen.org/projects/router-hacking-challenge/ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf 20080301 The Router Hacking Challenge is Over! zyxelprestige-multiple-info-disclosure(41509) The SNMP service on ZyXEL Prestige routers, including P-660 and P-661 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), has "public" as its default community for both (1) read and (2) write operations, which allows remote attackers to perform administrative actions via SNMP, as demonstrated by reading the Dynamic DNS service password or inserting an XSS sequence into the system.sysName.0 variable, which is displayed on the System Status page. http://www.gnucitizen.org/projects/router-hacking-challenge/ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf 20080301 The Router Hacking Challenge is Over! The default SNMP configuration on ZyXEL Prestige routers, including P-660 and P-661 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), has a Trusted Host value of 0.0.0.0, which allows remote attackers to send SNMP requests from any source IP address. http://www.gnucitizen.org/projects/router-hacking-challenge/ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf 20080301 The Router Hacking Challenge is Over! ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), do not use a salt when calculating an MD5 password hash, which makes it easier for attackers to crack passwords. http://www.gnucitizen.org/projects/router-hacking-challenge/ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf 20080301 The Router Hacking Challenge is Over! ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(PE9) and 3.40(AGD.2) through 3.40(AHQ.3), support authentication over HTTP via a hash string in the hiddenPassword field, which allows remote attackers to obtain access via a replay attack. http://www.gnucitizen.org/projects/router-hacking-challenge/ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf 20080301 The Router Hacking Challenge is Over! ZyXEL Prestige routers, including P-660, P-661, and P-662 models with firmware 3.40(AGD.2) through 3.40(AHQ.3), allow remote authenticated users to obtain authentication data by making direct HTTP requests and then reading the HTML source, as demonstrated by a request for (1) RemMagSNMP.html, which discloses SNMP communities; or (2) WLAN.html, which discloses WEP keys. http://www.gnucitizen.org/projects/router-hacking-challenge/ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf 20080301 The Router Hacking Challenge is Over! zyxelprestige-snmp-wep-info-disclosure(41511) ZyXEL Prestige routers have a minimum password length for the admin account that is too small, which makes it easier for remote attackers to guess passwords via brute force methods. http://www.gnucitizen.org/projects/router-hacking-challenge/ http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf 20080301 The Router Hacking Challenge is Over! zyxelprestige-password-weak-security(41513) GnuPG (gpg) 1.4.8 and 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted duplicate keys that are imported from key servers, which triggers "memory corruption around deduplication of user IDs." [Announce] 20080326 GnuPG 1.4.9 released http://www.ocert.org/advisories/ocert-2008-1.html 28487 ADV-2008-1056 https://bugs.g10code.com/gnupg/issue894 https://bugs.gentoo.org/show_bug.cgi?id=214990 gnupg-keys-code-execution(41547) The connection_state_machine function (connections.c) in lighttpd 1.4.19 and earlier, and 1.5.x before 1.5.0, allows remote attackers to cause a denial of service (active SSL connection loss) by triggering an SSL error, such as disconnecting before a download has finished, which causes all active SSL connections to be lost. SUSE-SR:2008:011 GLSA-200804-08 http://trac.lighttpd.net/trac/changeset/2136 http://trac.lighttpd.net/trac/changeset/2139 http://trac.lighttpd.net/trac/changeset/2140 http://trac.lighttpd.net/trac/ticket/285#comment:18 http://trac.lighttpd.net/trac/ticket/285#comment:21 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0132 DSA-1540 20080331 rPSA-2008-0132-1 lighttpd 28489 ADV-2008-1063 https://bugs.gentoo.org/show_bug.cgi?id=214892 lighttpd-sslerror-dos(41545) https://issues.rpath.com/browse/RPL-2407 FEDORA-2008-3343 FEDORA-2008-3376 Perlbal before 1.70, when buffered upload is enabled, allows remote attackers to cause a denial of service (crash) via a zero-byte chunked upload. http://bugs.gentoo.org/show_bug.cgi?id=214784 http://search.cpan.org/src/BRADFITZ/Perlbal-1.70/CHANGES 28491 ADV-2008-1045 https://bugzilla.redhat.com/show_bug.cgi?id=439054 perlbal-clientproxy-dos(41538) FEDORA-2008-2778 FEDORA-2008-2788 Unspecified vulnerability in the XML-RPC Blogger API plugin in Joomla! 1.5 allows remote attackers to perform unauthorized article operations on articles via unknown vectors. http://www.joomla.org/content/view/4560/1/ 27719 joomla-xmlrpc-data-manipulation(41563) Multiple directory traversal vulnerabilities in PowerPHPBoard 1.00b allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) settings[footer] parameter to footer.inc.php and the (2) settings[header] parameter to header.inc.php. 3782 20080324 [DSECRG-08-021] Multiple LFI in PowerPHPBoard 1.00b 28421 ADV-2008-0992 powerphpboard-footerheader-file-include(41403) 5303 SQL injection vulnerability in the Matti Kiviharju rekry (aka com_rekry or rekry!Joom) 1.0.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the op_id parameter in a view action to index.php. 28422 rekry!joom-index-sql-injection(41385) 5297 Cross-site scripting (XSS) vulnerability in index.php in Pictures Pro (aka Tim Grissett) Photo Cart 4.1 allows remote attackers to inject arbitrary web script or HTML via the amessage parameter. NOTE: some of these details are obtained from third party information. http://www.picturespro.com/community/forums/photo_cart/index.php?see=viewTopic&topic=296795080324075103 28430 photocart-index-xss(41409) Directory traversal vulnerability in pb_inc/admincenter/index.php in PowerScripts PowerBook 1.21 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL. 3783 20080324 [DSECRG-08-019] LFI in PowerBook 1.21 28418 powerbook-index-file-include(41393) 5302 Cross-site scripting (XSS) vulnerability in searchAction.do in ManageEngine EventLog Analyzer 5 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. eventloganalyzer-searchaction-xss(41408) SQL injection vulnerability in includes/dynamic_titles.php in PHP-Nuke Platinum 7.6.b.5 allows remote attackers to execute arbitrary SQL commands via the p parameter to modules.php for the Forums module. 28410 platinum-modules-sql-injection(41387) 5295 SQL injection vulnerability in the Datsogallery (com_datsogallery) 1.3.1 module for Joomla! and Mambo allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28361 datsogallery-index-sql-injection(41348) Directory traversal vulnerability in cgi-bin/his-webshop.pl in HIS Webshop 2.50 allows remote attackers to read arbitrary files via a .. (dot dot) in the t parameter. 3784 20080324 HIS-webshop is vulnerable against Directory-Traversal (www.shoppark.de) 28425 ADV-2008-0991 hiswebshop-hiswebshop-directory-traversal(41407) 5304 Airspan Base Station Distribution Unit (BSDU) has "topsecret" as its password for the root account, which allows remote attackers to obtain administrative access via a telnet login, a different vulnerability than CVE-2008-1262. http://airspan4wimax.googlepages.com/ VU#446403 micromax-default-password(41437) The Advanced User Interface Pages in the ProST Web Management component on the Airspan WiMAX ProST have a certain default User ID and password, which makes it easier for remote attackers to obtain partial administrative access, a different vulnerability than CVE-2008-1262. http://www.sharemethods.net/nepal/servlet/open?keeppath=false&aid=29820 wimaxprost-interface-default-password(41567) The setRequestHeader method of the XMLHttpRequest object in Microsoft Internet Explorer 5.01, 6, and 7 does not block dangerous HTTP request headers when certain 8-bit character sequences are appended to a header name, which allows remote attackers to (1) conduct HTTP request splitting and HTTP request smuggling attacks via an incorrect Content-Length header, (2) access arbitrary virtual hosts via a modified Host header, (3) bypass referrer restrictions via an incorrect Referer header, and (4) bypass the same-origin policy and obtain sensitive information via a crafted request header. HPSBST02344 3785 http://www.mindedsecurity.com/MSA02240108.html 20080321 [MSA02240108] IE7 allows overwriting of several headers leading to Http request Splitting and smuggling. 28379 1020226 TA08-162B ADV-2008-0980 ADV-2008-1778 MS08-031 oval:org.mitre.oval:def:5291 The setRequestHeader method of the XMLHttpRequest object in Microsoft Internet Explorer 7 does not restrict the dangerous Transfer-Encoding HTTP request header, which allows remote attackers to conduct HTTP request splitting and HTTP request smuggling attacks via a POST containing a "Transfer-Encoding: chunked" header and a request body with an incorrect chunk size. 3786 http://www.mindedsecurity.com/MSA01240108.html 20080321 [MSA01240108] IE7 Transfer-Encoding: chunked allows Request Splitting/Smuggling. ADV-2008-0980 ie-setrequestheader-chunk-security-bypass(42804) servlet/MIMEReceiveServlet in the web controller for Mitsubishi Electric GB-50 and GB-50A air-conditioning control systems allows remote attackers to cause a denial of service (air-conditioning outage) via an XML document containing a setRequest command. 3794 20071117 security contact for mitsubishi electric? 20080322 hacking the mitsubishi GB-50A 28406 mitsubishielectric-gb50a-unath-access(41503) Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the URL parameter. 4441 20081015 MS OWA 2003 Redirection Vulnerability 20081015 Re: MS OWA 2003 Redirection Vulnerability 20081015 Re: Re: MS OWA 2003 Redirection Vulnerability 20081017 Re: MS OWA 2003 Redirection Vulnerability - [MSRC 7368br] 20081019 Re: MS OWA 2003 Redirection Vulnerability - [MSRC7368br] 31765 owa-redir-phishing(46061) Multiple cross-site scripting (XSS) vulnerabilities in Aeries Browser Interface (ABI) 3.8.3.14 in Eagle Software Aries Student Information System allow remote attackers to inject arbitrary web script or HTML via the (1) UserName parameter to loginproc.asp and the (2) usr parameter to Login.asp. 3787 20080325 aeries browser interface(ABI) 3.8.3.14 Remote SQL Injection 28436 abi-loginproc-login-xss(41430) Multiple SQL injection vulnerabilities in Aeries Browser Interface (ABI) 3.8.3.14 in Eagle Software Aries Student Information System allow remote attackers to execute arbitrary SQL commands via the (1) GrdBk parameter to GradebookOptions.asp and the (2) SchlCode variable to loginproc.asp, a different vector than CVE-2008-0942. 3787 20080325 aeries browser interface(ABI) 3.8.3.14 Remote SQL Injection 28436 abi-gradebookoptions-loginproc-sql-injection(41429) Multiple cross-site scripting (XSS) vulnerabilities in index.php in CubeCart 4.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the _a parameter in a searchStr action and the (2) Submit parameter. http://holisticinfosec.org/content/view/51/45/ 28452 cubecart-indexphp-xss(41559) SQL injection vulnerability in viewcat.php in the Photo 3.02 module for RunCMS allows remote attackers to execute arbitrary SQL commands via the cid parameter. 28395 photo-viewcat-sql-injection(41378) 5290 The silc_pkcs1_decode function in the silccrypt library (silcpkcs1.c) in Secure Internet Live Conferencing (SILC) Toolkit before 1.1.7, SILC Client before 1.1.4, and SILC Server before 1.1.2 allows remote attackers to execute arbitrary code via a crafted PKCS#1 message, which triggers an integer underflow, signedness error, and a buffer overflow. NOTE: the researcher describes this as an integer overflow, but CVE uses the "underflow" term in cases of wraparound from unsigned subtraction. SUSE-SR:2008:008 GLSA-200804-27 3795 http://silcnet.org/general/news/?item=client_20080320_1 http://silcnet.org/general/news/?item=server_20080320_1 http://silcnet.org/general/news/?item=toolkit_20080320_1 http://www.coresecurity.com/?action=item&id=2206 MDVSA-2008:158 20080325 CORE-2007-1212: SILC pkcs_decode buffer overflow 28373 1019690 ADV-2008-0974 silc-silcpkcs1decode-bo(41474) FEDORA-2008-2616 FEDORA-2008-2641 Directory traversal vulnerability in mod.php in TopperMod 1.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the to parameter. 28449 toppermod-mod-file-include(41442) 5312 SQL injection vulnerability in account/index.php in TopperMod 2.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a non-alphanumeric first character the localita parameter, which bypasses a protection mechanism. 20080327 TopperMod 2.0 Remote SQL Injection Vulnerability 28447 toppermod-mod-sql-injection(41441) 5311 Directory traversal vulnerability in system/_b/contentFiles/gbincluder.php in BolinOS 4.6.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the _bFileToInclude parameter. 3788 20080325 [DSECRG-08-022] Multiple Security Vulnerabilities in Bolinos 4.6.1 28445 bolinos-gbincluder-file-include(41431) 5309 Multiple cross-site scripting (XSS) vulnerabilities in BolinOS 4.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) url parameter to (a) system/actionspages/_b/contentFiles/gBImageViewer.php, (2) ForEditor parameter to (b) system/actionspages/_b/contentFiles/gBselectorContents.php, (3) the PATH_INFO to (c) gBLoginPage.php and (d) gBPassword.php in system/actionspages/_b/contentFiles/, (4) formlogin parameter to system/actionspages/_b/contentFiles/gBLoginPage.php, and the (5) bolini_searchengine46Search parameter to (e) help/index.php. 3788 20080325 [DSECRG-08-022] Multiple Security Vulnerabilities in Bolinos 4.6.1 28445 bolinos-multiple-xss(41432) 5309 BolinOS 4.6.1 allows remote attackers to obtain sensitive information via a direct request to system/actionspages/_b/contentFiles/gBphpInfo.php, which calls the phpinfo function. 3788 20080325 [DSECRG-08-022] Multiple Security Vulnerabilities in Bolinos 4.6.1 bolinos-gbphpinfo-information-disclosure(41434) 5309 Uncontrolled array index in the sdpplin_parse function in stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers to overwrite memory and execute arbitrary code via a large streamid SDP parameter. NOTE: this issue has been referred to as an integer overflow. GLSA-200805-22 DSA-1552 MDVSA-2008:196 28851 ADV-2008-0997 mplayer-sdpplin-overflow(41490) 5307 SQL injection vulnerability in the Bernard Gilly AlphaContent (com_alphacontent) 2.5.8 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php. 28443 alphacontent-index-sql-injection(41428) 5310 Multiple cross-site scripting (XSS) vulnerabilities in Digiappz DigiDomain 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) domain parameter to lookup_result.asp, and the (2) word1 and (3) word2 parameters to suggest_result.asp. 3789 20080327 Multiple XSS in DigiDomain 28475 digidomain-multiple-xss(41500) Multiple unspecified vulnerabilities in Wireshark (formerly Ethereal) 0.99.5 through 0.99.8 allow remote attackers to cause a denial of service (application crash) via a malformed packet to the (1) X.509sat or (2) Roofnet dissectors. NOTE: Vector 2 might also lead to a hang. SUSE-SR:2008:008 http://support.avaya.com/elmodocs2/security/ASA-2008-392.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0138 GLSA-200805-05 MDVSA-2008:091 RHSA-2008:0890 20080404 rPSA-2008-0138-1 tshark wireshark 28485 1019728 ADV-2008-1007 ADV-2008-2773 http://www.wireshark.org/security/wnpa-sec-2008-02.html wireshark-x509sat-dissector-dos(41514) wireshark-roofnet-dissector-dos(41515) https://issues.rpath.com/browse/RPL-2418 oval:org.mitre.oval:def:15089 oval:org.mitre.oval:def:9315 FEDORA-2008-2941 FEDORA-2008-3040 The LDAP dissector in Wireshark (formerly Ethereal) 0.99.2 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet, a different vulnerability than CVE-2006-5740. SUSE-SR:2008:008 http://support.avaya.com/elmodocs2/security/ASA-2008-392.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0138 GLSA-200805-05 MDVSA-2008:091 RHSA-2008:0890 20080404 rPSA-2008-0138-1 tshark wireshark 28485 1019728 ADV-2008-1007 ADV-2008-2773 http://www.wireshark.org/security/wnpa-sec-2008-02.html wireshark-ldap-dissector-dos(41516) https://issues.rpath.com/browse/RPL-2418 oval:org.mitre.oval:def:14549 oval:org.mitre.oval:def:9318 FEDORA-2008-2941 FEDORA-2008-3040 The "decode as" feature in packet-bssap.c in the SCCP dissector in Wireshark (formerly Ethereal) 0.99.6 through 0.99.8 allows remote attackers to cause a denial of service (application crash) via a malformed packet. SUSE-SR:2008:008 http://support.avaya.com/elmodocs2/security/ASA-2008-392.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0138 GLSA-200805-05 MDVSA-2008:091 RHSA-2008:0890 20080404 rPSA-2008-0138-1 tshark wireshark 28485 1019728 ADV-2008-1007 ADV-2008-2773 http://www.wireshark.org/security/wnpa-sec-2008-02.html wireshark-sccp-dissector-dos(41517) https://issues.rpath.com/browse/RPL-2418 oval:org.mitre.oval:def:10238 oval:org.mitre.oval:def:15074 FEDORA-2008-2941 FEDORA-2008-3040 Directory traversal vulnerability in Dan Costin File Transfer before 1.2f allows remote attackers to read arbitrary files via a "..\" (dot dot backslash) in the filename. http://sourceforge.net/project/shownotes.php?group_id=178021&release_id=586923 http://sourceforge.net/tracker/index.php?func=detail&aid=1829601&group_id=178021&atid=883559 28453 filetransfer-file-directory-traversal(41489) Directory traversal vulnerability in forum/irc/irc.php in the PJIRC 0.5 module for phpBB allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the phpEx parameter. 3790 20080325 phpBB PJIRC mod LFI 28446 pjirc-irc-file-include(41456) Cross-site scripting (XSS) vulnerability in Search.do in ManageEngine Applications Manager 8.x allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28488 applicationsmanager-search-xss(41505) phpMyAdmin before 2.11.5.1 stores the MySQL (1) username and (2) password, and the (3) Blowfish secret key, in cleartext in a Session file under /tmp, which allows local users to obtain sensitive information. SUSE-SR:2008:026 SUSE-SR:2009:003 http://sourceforge.net/tracker/index.php?func=detail&aid=1909711&group_id=23067&atid=377408 DSA-1557 MDVSA-2008:131 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-2 28560 ADV-2008-1037 phpmyadmin-sessiondata-info-disclosure(41541) FEDORA-2008-2825 FEDORA-2008-2874 comix 3.6.4 allows attackers to execute arbitrary commands via a filename containing shell metacharacters that are not properly sanitized when executing the rar, unrar, or jpegtran programs. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=462840 GLSA-200804-29 28547 comix-filename-command-execution(41554) FEDORA-2008-2981 FEDORA-2008-2993 policyd-weight 0.1.14 beta-16 and earlier allows local users to modify or delete arbitrary files via a symlink attack on temporary files that are used when creating a socket. GLSA-200804-11 DSA-1531 http://www.policyd-weight.org/ 28480 https://bugs.gentoo.org/show_bug.cgi?id=214403 policydweight-sockets-symlink(41565) Race condition in the create_lockpath function in policyd-weight 0.1.14 beta-16 allows local users to modify or delete arbitrary files by creating the LOCKPATH directory, then modifying it after the symbolic link check occurs. NOTE: this is due to an incomplete fix for CVE-2008-1569. GLSA-200804-11 https://bugs.gentoo.org/show_bug.cgi?id=214403 policydweight-createlockpath-race-condition(41570) Directory traversal vulnerability in the embedded web server in Image Capture in Apple Mac OS X before 10.5 allows remote attackers to read arbitrary files via directory traversal sequences in the URI. APPLE-SA-2008-05-28 1020141 29412 29501 TA08-150A ADV-2008-1697 macosx-imagecapture-directory-traversal(42718) Image Capture in Apple Mac OS X before 10.5 does not properly use temporary files, which allows local users to overwrite arbitrary files, and display images that are being resized by this application. APPLE-SA-2008-05-28 1020141 29412 29521 TA08-150A ADV-2008-1697 macosx-imagecapture-symlink(42719) The BMP and GIF image decoding engine in ImageIO in Apple Mac OS X before 10.5.3 allows remote attackers to obtain sensitive information (memory contents) via a crafted (1) BMP or (2) GIF image, which causes an out-of-bounds read. APPLE-SA-2008-06-19 APPLE-SA-2008-05-28 1020144 29412 29513 TA08-150A ADV-2008-1697 ADV-2008-1882 macosx-imageio-information-disclosure(42721) Integer overflow in ImageIO in Apple Mac OS X before 10.5.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG2000 image that triggers a heap-based buffer overflow. APPLE-SA-2008-05-28 1020144 29412 29514 TA08-150A ADV-2008-1697 macosx-imageio-jpeg2000-bo(42722) Unspecified vulnerability in the Apple Type Services (ATS) server in Apple Mac OS X 10.5 before 10.5.3 allows user-assisted remote attackers to execute arbitrary code via a crafted embedded font in a PDF document, related to memory corruption that occurs during printing. APPLE-SA-2008-05-28 1020133 29412 29492 TA08-150A ADV-2008-1697 macosx-ats-code-execution(42707) Mail in Apple Mac OS X before 10.5, when an IPv6 SMTP server is used, does not properly initialize memory, which might allow remote attackers to execute arbitrary code or cause a denial of service (application crash), or obtain sensitive information (memory contents) in opportunistic circumstances, by sending an e-mail message. APPLE-SA-2008-05-28 1020140 29412 29500 TA08-150A ADV-2008-1697 macosx-mail-code-execution(42723) Unspecified vulnerability in the Pixlet codec in Apple Pixlet Video in Apple Mac OS X before 10.5.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file, related to "multiple memory corruption issues." APPLE-SA-2008-05-28 1020132 29412 29489 TA08-150A ADV-2008-1697 macosx-pixlet-code-execution(42706) The sso_util program in Single Sign-On in Apple Mac OS X before 10.5.3 places passwords on the command line, which allows local users to obtain sensitive information by listing the process. APPLE-SA-2008-05-28 1020142 29412 29520 TA08-150A ADV-2008-1697 macosx-ssoutil-information-disclosure(42725) Wiki Server in Apple Mac OS X 10.5 before 10.5.3 allows remote attackers to obtain sensitive information (user names) by reading the error message produced upon access to a nonexistent blog. APPLE-SA-2008-05-28 1020143 29412 TA08-150A ADV-2008-1697 macosx-wikiserver-information-disclosure(42727) CFNetwork in Safari in Apple Mac OS X before 10.5.3 automatically sends an SSL client certificate in response to a web server's certificate request, which allows remote web sites to obtain sensitive information (Subject data) from personally identifiable certificates, and use arbitrary certificates to track user activities across domains, a related issue to CVE-2007-4879. APPLE-SA-2008-05-28 1020134 29412 29493 TA08-150A ADV-2008-1697 macosx-cfnetwork-info-disclosure(42708) Heap-based buffer overflow in Apple QuickTime before 7.5 on Windows allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted packed scanlines in PixData structures in a PICT image. APPLE-SA-2008-06-09 http://support.apple.com/kb/HT1991 20080610 Secunia Research: Apple QuickTime PICT Image Parsing Buffer Overflow 29619 29649 1020213 TA08-162C ADV-2008-1776 quicktime-pixdata-bo(42943) Unspecified vulnerability in Apple QuickTime before 7.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted AAC-encoded file that triggers memory corruption. APPLE-SA-2008-06-09 http://support.apple.com/kb/HT1991 29619 29654 1020214 TA08-162C ADV-2008-1776 quicktime-aacencoded-code-execution(42944) Heap-based buffer overflow in Apple QuickTime before 7.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PICT image, a different vulnerability than CVE-2008-1581. APPLE-SA-2008-06-09 http://support.apple.com/kb/HT1991 29619 29648 1020215 TA08-162C ADV-2008-1776 apple-quicktime-pict-image-bo(42945) Stack-based buffer overflow in Indeo.qtx in Apple QuickTime before 7.5 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via crafted Indeo video codec content in a movie file. APPLE-SA-2008-06-09 http://support.apple.com/kb/HT1991 20080610 ZDI-08-037: Apple QuickTime Indeo Video Buffer Overflow Vulnerability 29619 29652 1020216 TA08-162C ADV-2008-1776 http://www.zerodayinitiative.com/advisories/ZDI-08-037/ quicktime-indeo-video-bo(42947) Apple QuickTime before 7.5 uses the url.dll!FileProtocolHandler handler for unrecognized URIs in qt:next attributes within SMIL text in video files, which sends these URIs to explorer.exe and thereby allows remote attackers to execute arbitrary programs, as originally demonstrated by crafted file: URLs. APPLE-SA-2008-07-10 APPLE-SA-2008-06-09 http://support.apple.com/kb/HT1991 VU#132419 20080610 ZDI-08-038: QuickTime SMIL qtnext Redirect File Execution 29619 29650 1020217 TA08-162C ADV-2008-1776 ADV-2008-2064 http://www.zerodayinitiative.com/advisories/ZDI-08-038/ quicktime-quicktime-content-code-execution(42948) ImageIO in Apple iPhone OS 1.0 through 2.1 and iPhone OS for iPod touch 1.1 through 2.1 allow remote attackers to cause a denial of service (memory consumption and device reset) via a crafted TIFF image. APPLE-SA-2008-11-20 SUSE-SR:2009:004 http://support.apple.com/kb/HT3318 32394 1021270 ADV-2008-3232 Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows remote attackers to spoof the address bar via Unicode ideographic spaces in the URL. APPLE-SA-2008-07-11 APPLE-SA-2009-06-08-1 http://support.apple.com/kb/HT3613 30186 ADV-2008-2094 ADV-2009-1522 ipod-iphone-addressbar-spoofing(43732) Safari on Apple iPhone before 2.0 and iPod touch before 2.0 misinterprets a menu button press as user confirmation for visiting a web site with a (1) self-signed or (2) invalid certificate, which makes it easier for remote attackers to spoof web sites. JVN#88676089 JVNDB-2008-000039 APPLE-SA-2008-07-11 30186 ADV-2008-2094 ipod-iphone-certificate-info-disclosure(43734) JavaScriptCore in WebKit on Apple iPhone before 2.0 and iPod touch before 2.0 does not properly perform runtime garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors that trigger memory corruption, a different vulnerability than CVE-2008-2317. APPLE-SA-2008-07-11 30186 ADV-2008-2094 ipod-iphone-garbage-code-execution(43738) The pnVarPrepForStore function in PostNuke 0.764 and earlier skips input sanitization when magic_quotes_runtime is enabled, which allows remote attackers to conduct SQL injection attacks and execute arbitrary SQL commands via input associated with server variables, as demonstrated by the CLIENT_IP HTTP header (HTTP_CLIENT_IP variable). 28407 postnuke-index-script-sql-injection(41375) 5292 MQSeries 5.1 in IBM WebSphere MQ 5.1 through 5.3.1 on the HP NonStop and Tandem NSK platforms does not require mqm group membership for execution of administrative tasks, which allows local users to bypass intended access restrictions via the runmqsc program, related to "Pathway panels." 1019610 28235 ADV-2008-0869 http://www-1.ibm.com/support/docview.wss?uid=swg21297035 The checkpoint and restart feature in the kernel in IBM AIX 5.2, 5.3, and 6.1 does not properly protect kernel memory, which allows local users to read and modify portions of memory and gain privileges via unspecified vectors involving a restart of a 64-bit process, probably related to the as_getadsp64 function. 1019606 IZ11820 IZ12794 IZ16992 IZ17111 28467 ADV-2008-0865 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4153 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4154 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4155 oval:org.mitre.oval:def:4595 The kernel in IBM AIX 5.2 and 5.3 does not properly handle resizing JFS2 filesystems on concurrent volume groups spread across multiple nodes, which allows local users of one node to cause a denial of service (remote node crash) by using chfs or lreducelv to reduce a filesystem's size. 1019606 IZ04946 IZ04953 IZ05246 28467 ADV-2008-0865 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4153 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4154 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4155 oval:org.mitre.oval:def:5434 The proc filesystem in the kernel in IBM AIX 5.2 and 5.3 does not properly enforce directory permissions when a file executing from a directory has weaker permissions than the directory itself, which allows local users to obtain sensitive information. 1019606 IZ06022 IZ06505 IZ06663 28467 ADV-2008-0865 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4153 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4154 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4155 oval:org.mitre.oval:def:5321 Trusted Execution in IBM AIX 6.1 uses an incorrect pathname argument in a call to the trustchk_block_write function, which might allow local users to modify trusted files, related to missing checks in the TSD_FILES_LOCK policy for modifications performed via hard links, a different vulnerability than CVE-2007-6680. 1019606 IZ13418 28467 ADV-2008-0865 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4153 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4154 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4155 The WPAR system call implementation in the kernel in IBM AIX 6.1 allows local users to cause a denial of service via unknown calls that trigger "undefined behavior." 1019606 IZ13346 IZ13392 28467 ADV-2008-0865 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4153 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4154 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4155 oval:org.mitre.oval:def:6198 The kernel in IBM AIX 6.1 allows local users with ProbeVue privileges to read arbitrary kernel memory and obtain sensitive information via unspecified vectors. 1019606 IZ09545 28467 ADV-2008-0865 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4153 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4154 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4155 The nddstat programs on IBM AIX 5.2, 5.3, and 6.1 do not properly handle environment variables, which allows local users to gain privileges by invoking (1) atmstat, (2) entstat, (3) fddistat, (4) hdlcstat, or (5) tokstat. 1019604 IZ16975 IZ16991 IZ17058 IZ17059 ADV-2008-0865 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4156 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4157 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4158 oval:org.mitre.oval:def:5468 The lsmcode program on IBM AIX 5.2, 5.3, and 6.1 does not properly handle environment variables, which allows local users to gain privileges, a different vulnerability than CVE-2004-1329. 1019603 IZ15057 IZ15100 IZ15276 IZ15277 ADV-2008-0865 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4159 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4160 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4161 oval:org.mitre.oval:def:5566 Stack-based buffer overflow in the reboot program on IBM AIX 5.2 and 5.3 allows local users in the shutdown group to gain privileges. 1019602 IZ15479 IZ15480 ADV-2008-0865 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4162 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4163 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4164 oval:org.mitre.oval:def:5497 Stack-based buffer overflow in Orbit downloader 2.6.3 and 2.6.4 allows remote attackers to execute arbitrary code via a long download URL, which is not properly handled during Unicode conversion for a balloon notification after a download has failed. 3798 http://www.coresecurity.com/?action=item&id=2211 20080403 CORE-2008-0314 - Orbit Downloader "Download failed" buffer overflow 28541 ADV-2008-1101 orbitdownloader-url-bo(41649) Cross-site scripting (XSS) vulnerability in GNB DesignForm before 3.9 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the email form. JVN#58803701 http://www.gnbnet.com/cgi/readme/designform.html 28471 gnbdesignform-email-xss(41495) Cross-site scripting (XSS) vulnerability in PerlMailer before 3.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://cgi.din.or.jp/~hideyuki/cgi-bin/diary-s/perldiary-s.cgi JVN#76669770 JVNDB-2008-000019 28472 perlmailer-unspecified-xss(41491) The (1) ltmmCaptureCtrl Class, (2) ltmmConvertCtrl Class, and (3) ltmmPlayCtrl Class ActiveX controls (ltmm15.dll 15.1.0.17 and earlier) in LEADTOOLS Multimedia Toolkit 15 allow attackers to overwrite arbitrary files via the SaveSettingsToFile method. 28442 http://www.shinnai.altervista.org/index.php?mod=02_Forum&group=Security&argument=Remote_performed_exploits&topic=1206434746.ff.php&page=last http://www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html leadtools-multimedia-file-overwrite(41467) Multiple directory traversal vulnerabilities in Elastic Path (EP) 4.1 and 4.1.1 allow remote attackers to (1) download arbitrary files via a .. (dot dot) in the file parameter to manager/getImportFileRedirect.jsp, (2) upload arbitrary files via a "..\" (dot dot backslash) in the file parameter to importData.jsp, and (3) list directory contents via a .. (dot dot) in the dir parameter to manager/fileManager.jsp. http://developer.elasticpath.com/entry!default.jspa?categoryID=4&externalID=1334 http://weblog.nomejortu.com/?p=37 http://www.mwrinfosecurity.com/publications/mwri_elastic-path-arbitrary-file-system-access_2008-02-22.pdf 28352 elasticpath-multiple-directory-traversal(41356) elasticpath-pathdir-directory-traversal(41364) SQL injection vulnerability in haberoku.php in Serbay Arslanhan Bomba Haber 2.0 allows remote attackers to execute arbitrary SQL commands via the haber parameter. 28435 bombahaber-haberoku-sql-injection(41422) SQL injection vulnerability in postview.php in Clever Copy 3.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter, a different vector than CVE-2008-0363 and CVE-2006-0583. 28437 http://www.securityfocus.com/bid/28437/exploit clevercopy-postview-sql-injection(41450) 5502 Multiple PHP remote file inclusion vulnerabilities in just another flat file (JAF) CMS 4.0 RC2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) website parameter to (a) forum.php, (b) headlines.php, and (c) main.php in forum/, and (2) main_dir parameter to forum/forum.php. NOTE: other main_dir vectors are already covered by CVE-2006-7127. 20080327 JAF-CMS 4.0 RC2 Multiple Remote File Inclusion Vulnerabilities 20080327 Re: JAF-CMS 4.0 RC2 Multiple Remote File Inclusion Vulnerabilities 28476 jafcms-multiple-file-include(41753) 2474 5317 Stack-based buffer overflow in TallSoft Quick TFTP Server Pro 2.1 allows remote attackers to cause a denial of service or execute arbitrary code via a long mode field in a read or write request. http://www.offensive-security.com/0day/quick-tftp-poc.py.txt 28459 quicktftp-modefields-bo(41499) 5315 Stack-based buffer overflow in TFTP Server SP 1.4 for Windows allows remote attackers to cause a denial of service or execute arbitrary code via a long filename in a read or write request. Information regarding how the service runs as system: http://www.tftp-server.com/ http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt 28462 tftpserver-filename-bo(41496) 5314 The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for CVE-2007-6239. SUSE-SR:2008:011 [squid-announce[ 20080322 Advisory Squid-2007:2 updated GLSA-200903-38 DSA-1646 MDVSA-2008:134 [oss-security] 20080401 CVE id request: squid RHSA-2008:0214 28693 http://www.squid-cache.org/Advisories/SQUID-2007_2.txt http://www.squid-cache.org/Versions/v2/2.6/changesets/11882.patch USN-601-1 squid-arrayshrink-dos(41586) oval:org.mitre.oval:def:11376 FEDORA-2008-2740 SQL injection vulnerability in ioRD.asp in RedDot CMS 7.5 Build 7.5.0.48, and possibly other versions including 6.5 and 7.0, allows remote attackers to execute arbitrary SQL commands via the LngId parameter. http://www.irmplc.com/index.php/167-Advisory-026 20080421 IRM Security Advisory : RedDot CMS SQL injection vulnerability 28872 reddot-iord-sql-injection(41924) 5482 suPHP before 0.6.3 allows local users to gain privileges via (1) a race condition that involves multiple symlink changes to point a file owned by a different user, or (2) a symlink to the directory of a different user, which is used to determine privileges. Addition information can be found at: http://secunia.com/advisories/29615/ [suPHP] 20080330 SECURITY ISSUE: Immediate update advised DSA-1550 28568 ADV-2008-1073 https://bugzilla.redhat.com/show_bug.cgi?id=439687 suphp-files-privilege-escalation(41582) FEDORA-2008-2815 FEDORA-2008-2868 Linux kernel 2.6.18, and possibly other versions, when running on AMD64 architectures, allows local users to cause a denial of service (crash) via certain ptrace calls. SUSE-SA:2008:030 SUSE-SA:2008:031 SUSE-SA:2008:032 SUSE-SA:2008:035 SUSE-SA:2008:038 DSA-1588 MDVSA-2008:167 MDVSA-2008:174 RHSA-2008:0237 RHSA-2008:0275 RHSA-2008:0585 29086 1020047 USN-625-1 https://bugzilla.redhat.com/show_bug.cgi?id=431430 linux-kernel-processtrace-dos(42278) oval:org.mitre.oval:def:9563 FEDORA-2008-4043 Double free vulnerability in Web TransferCtrl Class 8,2,1,4 (iManFile.cab), as used in WorkSite Web 8.2 before SP1 P2, allows remote attackers to execute arbitrary code via JavaScript that sets the Server property to a string, then sets the string to null. http://www.mwrinfosecurity.com/publications/mwri_interwoven-worksite-activex-control-remote-code-execution_2008-03-10.pdf 28628 ADV-2008-1134 worksite-webtransferctrl-code-execution(41699) The PPTP VPN service in Watchguard Firebox before 10, when performing the MS-CHAPv2 authentication handshake, generates different error codes depending on whether the username is valid or invalid, which allows remote attackers to enumerate valid usernames. http://www.mwrinfosecurity.com/publications/mwri_watchguard-firebox-pptp-vpn-user-enumeration-advisory_2008-04-04.pdf 28619 1019796 ADV-2008-1152 firebox-pptpvpn-mschapv2-info-disclosure(41683) The ssm_i emulation in Xen 5.1 on IA64 architectures allows attackers to cause a denial of service (dom0 panic) via certain traffic, as demonstrated using an FTP stress test tool. RHSA-2008:0233 29085 https://bugzilla.redhat.com/show_bug.cgi?id=437770 xen-ssmiemulation-dos(41633) oval:org.mitre.oval:def:10226 Directory traversal vulnerability in 2X TFTP service (TFTPd.exe) 3.2.0.0 and earlier in 2X ThinClientServer 5.0_sp1-r3497 and earlier allows remote attackers to read or overwrite arbitrary files via a ... (dot dot dot) in the filename. http://aluigi.altervista.org/adv/thindirtrav-adv.txt http://aluigi.org/testz/tftpx.zip 20080331 Directory traversal in 2X ThinClientServer v5.0_sp1-r3497 28504 ADV-2008-1040 2xthinclient-tftpd-directory-traversal(41528) Multiple cross-site scripting (XSS) vulnerabilities in GeeCarts allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) show.php, (2) search.php, and (3) view.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28470 http://www.securityfocus.com/bid/28470/exploit geecarts-id-xss(41506) Multiple PHP remote file inclusion vulnerabilities in GeeCarts allow remote attackers to execute arbitrary PHP code via a URL in the id parameter to (1) show.php, (2) search.php, and (3) view.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28470 geecarts-id-file-include(41507) SQL injection vulnerability in admin_view_image.php in Smoothflash allows remote attackers to execute arbitrary SQL commands via the cid parameter. Additional information can be found at: http://www.securityfocus.com/bid/28503 28503 smoothflash-adminviewimage-sql-injection(41526) 5322 Directory traversal vulnerability in v2demo/page.php in Jshop Server 1.x through 2.x allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the xPage parameter. 28501 jshop-page-file-include(41524) 5325 aavmker4.sys in avast! Home and Professional 4.7 for Windows does not properly validate input to IOCTL 0xb2d60030, which allows local users to gain privileges via certain IOCTL requests. http://www.avast.com/eng/avast-4-home_pro-revision-history.html 20080330 [TKADV2008-002] avast! 4.7 aavmker4.sys Kernel Memory Corruption 28502 1019732 http://www.trapkit.de/advisories/TKADV2008-002.txt ADV-2008-1034 avast-aavmker4-privilege-escalation(41527) SQL injection vulnerability in eggBlog before 4.0.1 allows remote attackers to execute arbitrary SQL commands via an unspecified cookie. NOTE: this might overlap CVE-2008-0159. http://eggblog.net/news.php?id=39 http://sourceforge.net/project/showfiles.php?group_id=155425&package_id=173141&release_id=587701 28497 eggblog-unspecified-sql-injection(41512) CDS Invenio 0.92.1 and earlier allows remote authenticated users to delete email notification alerts of arbitrary users via a modified internal UID. http://cdsware.cern.ch/invenio/news.html http://cdsware.cern.ch/lists/project-cdsware-announce/archive/msg00021.shtml 28514 cdsinvenio-alert-weak-security(41546) Stack-based buffer overflow in the audit_log_user_command function in lib/audit_logging.c in Linux Audit before 1.7 might allow remote attackers to execute arbitrary code via a long command argument. NOTE: some of these details are obtained from third party information. Additional information can be found at: http://www.securityfocus.com/bid/28524/info http://www.frsirt.com/english/advisories/2008/1052 SUSE-SR:2008:010 http://people.redhat.com/sgrubb/audit/ChangeLog GLSA-200807-14 MDVSA-2008:083 28524 1019824 ADV-2008-1052 linuxaudit-auditlogusercommand-bo(41576) FEDORA-2008-3012 [linux-audit] 20080330 audit 1.7 released Cross-site scripting (XSS) vulnerability in PHPkrm before 1.5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Additional information can be found at: http://www.securityfocus.com/bid/28510 http://freshmeat.net/projects/phpkrm/?branch_id=58803&release_id=274667 28510 phpkrm-unspecified-xss(41548) Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5) editmailinglist_step1.php, and (6) showtemplates.php in pages/. 3792 20080329 CuteFlow Version 1.5.0 Multiple Remote Vulnerabilities 28500 cuteflow-language-xss(41537) SQL injection vulnerability in login.php in CuteFlow 1.5.0 and 2.10.0 allows remote attackers to execute arbitrary SQL commands via the UserId parameter, related to the login form field in index.php. Additional information can be found at: http://www.securityfocus.com/bid/28500/info 3792 20080329 CuteFlow Version 1.5.0 Multiple Remote Vulnerabilities cuteflow-login-sql-injection(41544) Multiple SQL injection vulnerabilities in CuteFlow 2.10.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) listid parameter to pages/editmailinglist_step1.php, the (2) userid parameter to pages/edituser.php, the (3) fieldid parameter to pages/editfield.php, and the (4) templateid to pages/edittemplate_step1.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Addtional information can be found at: http://xforce.iss.net/xforce/xfdb/41537 cuteflow-multiple-sql-injection(41536) Unspecified vulnerability in Mondo Rescue before 2.2.5 has unknown impact and attack vectors, related to the use of (1) /tmp and (2) MINDI_CACHE. Additional information can be found at: http://www.securityfocus.com/bid/28522 http://www.mondorescue.org/news.shtml 28522 mondo-rescue-unspecified(41530) Cross-site scripting (XSS) vulnerability in index.php in JV2 Folder Gallery 3.1 allows remote attackers to inject arbitrary web script or HTML via the image parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28508 jv2foldergallery-index-xss(41569) Directory traversal vulnerability in view_private.php in Keep It Simple Guest Book (KISGB) 5.0.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tmp_theme parameter. NOTE: 5.1.1 is also reportedly affected. 28513 kisgb-viewprivate-file-include(41525) 5324 Cross-site scripting (XSS) vulnerability in index.php in JV2 Quick Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the f parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28511 jv2quickgallery-index-xss(41568) PowerDNS Recursor before 3.1.5 uses insufficient randomness to calculate (1) TRXID values and (2) UDP source port numbers, which makes it easier for remote attackers to poison a DNS cache, related to (a) algorithmic deficiencies in rand and random functions in external libraries, (b) use of a 32-bit seed value, and (c) choice of the time of day as the sole seeding information. http://doc.powerdns.com/changelog.html http://doc.powerdns.com/powerdns-advisory-2008-01.html SUSE-SR:2008:012 GLSA-200804-22 DSA-1544 20080331 Paper by Amit Klein (Trusteer): "PowerDNS Recursor DNS Cache Poisoning [pharming]" 28517 http://www.trusteer.com/docs/PowerDNS_recursor_DNS_Cache_Poisoning.pdf http://www.trusteer.com/docs/powerdnsrecursor.html ADV-2008-1046 powerdns-dnscache-weak-security(41534) FEDORA-2008-3010 FEDORA-2008-3036 Nik Sharpener Pro, possibly 2.0, uses world-writable permissions for plug-in files, which allows local users to gain privileges by replacing a plug-in with a Trojan horse. VU#124289 27707 niksharpenerpro-plugin-insecure-permissions(41535) SQL injection vulnerability in index.php in Neat weblog 0.2 allows remote attackers to execute arbitrary SQL commands via the articleId parameter in a show action, probably related to the showArticle function in lib/lib_article.include.php. 28534 ADV-2008-1053 neatweblog-index-sql-injection(41555) 5331 SQL injection vulnerability in jgs_treffen.php in the JGS-XA JGS-Treffen 2.0.2 and earlier addon for Woltlab Burning Board (wBB) allows remote attackers to execute arbitrary SQL commands via the view_id parameter in an ansicht action. 28530 ADV-2008-1054 jgstreffen-jgstreffen-sql-injection(41556) 5329 SQL injection vulnerability in default.asp in EfesTECH Video 5.0 allows remote attackers to execute arbitrary SQL commands via the catID parameter. 3791 20080329 Efestech Video v5,0 (id) Remote Sql Injection 28532 efestechvideo-default-sql-injection(41550) Directory traversal vulnerability in index.php in Sava's GuestBook 2.0 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the action parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28536 savasguestbook-index-file-include(41596) Directory traversal vulnerability in the PXE TFTP Service (PXEMTFTP.exe) in LANDesk Management Suite (LDMS) 8.7 SP5 and earlier and 8.8 allows remote attackers to read arbitrary files via unspecified vectors. http://community.landesk.com/support/docs/DOC-2659 28535 1019748 ADV-2008-1051 landesk-pxetftp-directory-traversal(41562) SQL injection vulnerability in viewlinks.php in Sava's Link Manager 2.0 allows remote attackers to execute arbitrary SQL commands via the category parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28538 savaslinkmanager-category-sql-injection(41594) Directory traversal vulnerability in body.php in phpSpamManager (phpSM) 0.53 beta allows remote attackers to read arbitrary local files via a .. (dot dot) in the filename parameter. 28529 ADV-2008-1055 phpspammanager-body-file-include(41575) 5328 SQL injection vulnerability in wp-download.php in the WP-Download 1.2 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the dl_id parameter. 28516 wpdownload-wpdownload-sql-injection(41552) 5326 The ChilkatHttp.ChilkatHttp.1 and ChilkatHttp.ChilkatHttpRequest.1 ActiveX controls in ChilkatHttp.dll 2.4.0.0, 2.3.0.0, and earlier in ChilkatHttp ActiveX expose the unsafe SaveLastError method, which allows remote attackers to overwrite arbitrary files. NOTE: some of these details are obtained from third party information. 28546 http://www.shinnai.altervista.org/index.php?mod=02_Forum&group=Security&argument=Remote_performed_exploits&topic=1207033569.ff.php ADV-2008-1050 chilkathttp-activex-file-overwrite(45988) 5338 Sympa before 5.4 allows remote attackers to cause a denial of service (daemon crash) via an e-mail message with a malformed value of the Content-Type header and unspecified other headers. NOTE: some of these details are obtained from third party information. http://sourcesup.cru.fr/tracker/?func=detail&group_id=23&aid=3702&atid=167 DSA-1600 MDVSA-2008:133 28539 http://www.sympa.org/distribution/latest-stable/NEWS ADV-2008-1080 sympa-mimeentityhead-dos(41561) Cross-site scripting (XSS) vulnerability in staticpages/easypublish/index.php in EasyNews 4.0 allows remote attackers to inject arbitrary web script or HTML via the read parameter in an edp_pupublish action. Additional information may be found at: http://www.securityfocus.com/bid/28542 3793 20080401 EasyNews-40tr Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI) 28542 easynews-index-xss(41593) 5333 SQL injection vulnerability in dynamicpages/index.php in EasyNews 4.0 allows remote attackers to execute arbitrary SQL commands via the read parameter in an edp_Help_Internal_News action. Additional information can be found at: http://www.securityfocus.com/bid/28542 3793 20080401 EasyNews-40tr Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI) 28542 easynews-index-sql-injection(41590) 5333 Directory traversal vulnerability in admin/login.php in EasyNews 4.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter. Additional information can be found at: http://www.securityfocus.com/bid/28542 3793 20080401 EasyNews-40tr Multiple Remote Vulnerabilities (SQL Injection Exploit/XSS/LFI) 28542 easynews-login-file-include(41589) 5333 Directory traversal vulnerability in the _serve_request_multiple function in lib/Perlbal/ClientHTTPBase.pm in Perlbal before 1.70, when concat get is enabled, allows remote attackers to read arbitrary files in a parent directory via a directory traversal sequence in an unspecified parameter. NOTE: some of these details are obtained from third party information. http://search.cpan.org/src/BRADFITZ/Perlbal-1.70/CHANGES ADV-2008-1045 perlbal-serverequestmultiple-dir-traversal(41540) Directory traversal vulnerability in index.php in Sava's Link Manager 2.0 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the q parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28537 savaslinkmanager-index-file-include(41595) Interaction error between Adobe Flash and multiple Universal Plug and Play (UPnP) services allow remote attackers to perform Cross-Site Request Forgery (CSRF) style attacks by using the Flash navigateToURL function to send a SOAP message to a UPnP control point, as demonstrated by changing the primary DNS server. APPLE-SA-2008-05-28 SUSE-SA:2008:022 20080113 Hacking The Interwebs 20080113 Hacking The Interwebs 238305 http://www.adobe.com/support/security/bulletins/apsb08-11.html GLSA-200804-21 http://www.gnucitizen.org/blog/hacking-the-interwebs/ VU#347812 RHSA-2008:0221 28696 1019807 TA08-100A TA08-150A ADV-2008-1697 ADV-2008-1724 adobe-flash-navigatetourl-csrf(41718) oval:org.mitre.oval:def:11435 Unspecified vulnerability in Adobe Flash Player 9.0.115.0 and earlier, and 8.0.39.0 and earlier, makes it easier for remote attackers to conduct DNS rebinding attacks via unknown vectors. APPLE-SA-2008-05-28 SUSE-SA:2008:022 238305 http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html#goal_dns http://www.adobe.com/support/security/bulletins/apsb08-11.html GLSA-200804-21 RHSA-2008:0221 28697 1019808 TA08-100A TA08-150A ADV-2008-1697 ADV-2008-1724 adobe-flash-dnsrebinding-security-bypass(41807) oval:org.mitre.oval:def:10724 Adobe ColdFusion 8 and 8.0.1 does not properly implement the public access level for CFC methods, which allows remote attackers to invoke these methods via Flex 2 remoting, a different vulnerability than CVE-2006-4725. 1019806 http://www.adobe.com/support/security/bulletins/apsb08-12.html 28698 ADV-2008-1157 adobe-coldfusion-cfc-security-bypass(41720) OpenSSH 4.4 up to versions before 4.9 allows remote authenticated users to bypass the sshd_config ForceCommand directive by modifying the .ssh/rc session file. NetBSD-SA2008-005 http://aix.software.ibm.com/aix/efixes/security/ssh_advisory.asc APPLE-SA-2008-09-15 SUSE-SR:2008:009 http://support.attachmate.com/techdocs/2374.html http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0139 GLSA-200804-03 MDVSA-2008:098 [4.3] 001: SECURITY FIX: March 30, 2008 http://www.openssh.com/txt/release-4.9 20080404 rPSA-2008-0139-1 gnome-ssh-askpass openssh openssh-client openssh-server 28531 1019733 USN-649-1 TA08-260A ADV-2008-1035 ADV-2008-1624 ADV-2008-2396 ADV-2008-2584 openssh-forcecommand-command-execution(41549) https://issues.rpath.com/browse/RPL-2419 Format string vulnerability in the grant helper (polkit-grant-helper.c) in PolicyKit 0.7 and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in a password. http://bugs.freedesktop.org/show_bug.cgi?id=15295 http://gitweb.freedesktop.org/?p=PolicyKit.git;a=commitdiff;h=5bc86a14cc0e356bcf8b5f861674f842869b1be7 MDVSA-2008:087 28702 ADV-2008-1254 https://bugs.launchpad.net/ubuntu/+source/policykit/+bug/205037 policykit-granthelper-format-string(41877) FEDORA-2008-2987 Unspecified vulnerability in HP LDAP-UX vB.04.10 through vB.04.15 allows local users to gain privileges via unknown vectors. SSRT080053 29078 1019981 ADV-2008-1450 hpux-ldap-unspecified-privilege-escalation(42265) oval:org.mitre.oval:def:6037 Unspecified vulnerability in useradd on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to access arbitrary files and directories via unspecified vectors. SSRT071454 1020045 29286 ADV-2008-1570 hpux-useradd-security-bypass(42523) oval:org.mitre.oval:def:5558 Stack-based buffer overflow in DoubleTake.exe in HP StorageWorks Storage Mirroring (SWSM) before 4.5 SP2 allows remote attackers to execute arbitrary code via a crafted encoded authentication request. SSRT071428 1020157 ADV-2008-1723 hp-storageworks-unspecified-code-execution(42810) Unspecified vulnerability in the HP System Administration Manager (SAM) on HP-UX B.11.11 and B.11.23, when used to configure NFS, might allow remote attackers to read or modify arbitrary files, related to an "empty systems list." SSRT071466 1020580 30449 ADV-2008-2258 hp-hpux-sam-weak-security(44119) oval:org.mitre.oval:def:5814 Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) 2.1.10 and 2.1.11 on Linux and Windows allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. HPSBMA02345 3979 30029 1020406 ADV-2008-1990 Unspecified vulnerability in libc on HP HP-UX B.11.23 and B.11.31 allows remote attackers to cause a denial of service via unknown vectors. HPSBUX02355 1020637 30581 ADV-2008-2314 hpux-libc-unspecified-dos(44247) oval:org.mitre.oval:def:5855 Multiple unspecified vulnerabilities in HP Select Identity (HPSI) Active Directory Bidirectional LDAP Connector 2.20, 2.20.001, 2.20.002, and 2.30 allow remote attackers to execute arbitrary code via unspecified vectors. HPSBMA02346 30250 1020512 ADV-2008-2119 hpselect-adb-unspecified-unauth-access(43847) Unspecified vulnerability in HP Oracle for OpenView (OfO) 8.1.7, 9.1.01, 9.2, 9.2.0, 10g, and 10gR2 has unknown impact and attack vectors, possibly related to the July 2008 Oracle Critical Patch Update. SSRT061201 ADV-2008-2115 The Probe Builder Service (aka PBOVISServer.exe) in European Performance Systems (EPS) Probe Builder 2.2 before A.02.20.901, as used in HP OpenView Internet Services (OVIS) on Windows, allows remote attackers to kill arbitrary processes via a process ID number in an unspecified opcode. Vendor website was under construction during the scoring of this vulnerability. CPE information is not complete due to limited knowledge of Probe Builder version numbers. 20080728 Hewlett-Packard OVIS Probe Builder Arbitrary Process Termination Vulnerability SSRT080066 4054 30403 1020568 ADV-2008-2227 ADV-2008-2228 hp-ovis-pbovisserver-dos(44041) ftpd.c in (1) wu-ftpd 2.4.2 and (2) ftpd in HP HP-UX B.11.11 assigns uid 0 to the FTP client in certain operating-system misconfigurations in which PAM authentication can succeed even though no passwd entry is available for a user, which allows remote attackers to gain privileges, as demonstrated by a login attempt for an LDAP account when nsswitch.conf does not specify LDAP for passwd information. HPSBUX02356 [oss-security] 20080820 FW: CVE-2008-1668 - ftpd 2.4 - unauthorized root access - patch details 30666 1020682 ADV-2008-2364 hpux-ftpd-security-bypass(44414) oval:org.mitre.oval:def:5971 Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain "re-ordered access to the descriptor table." SUSE-SA:2008:030 SUSE-SA:2008:032 SUSE-SA:2008:035 SUSE-SA:2008:038 [Security-announce] 20080728 VMSA-2008-00011 Updated ESX service console packages for Samba and vmnix http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0162 DSA-1575 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.4 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.2 MDVSA-2008:104 MDVSA-2008:105 MDVSA-2008:167 RHSA-2008:0211 RHSA-2008:0233 RHSA-2008:0237 20080507 rPSA-2008-0162-1 kernel 29076 1019974 USN-618-1 ADV-2008-1451 ADV-2008-1452 ADV-2008-2222 linux-kernel-fcntlsetlk-dos(42242) https://issues.rpath.com/browse/RPL-2518 oval:org.mitre.oval:def:10065 USN-614-1 FEDORA-2008-3873 FEDORA-2008-3949 FEDORA-2008-4043 Heap-based buffer overflow in the progressive PNG Image loader (decoders/pngloader.cpp) in KHTML in KDE 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted image. SUSE-SR:2008:011 http://www.kde.org/info/security/advisory-20080426-1.txt 28937 1019929 ADV-2008-1371 kde-khtml-png-bo(42038) start_kdeinit in KDE 3.5.5 through 3.5.9, when installed setuid root, allows local users to cause a denial of service and possibly execute arbitrary code via "user-influenceable input" (probably command-line arguments) that cause start_kdeinit to send SIGUSR1 signals to other processes. ftp://ftp.kde.org/pub/kde/security_patches/post-kde-3.5.5-kinit.diff SUSE-SR:2008:011 GLSA-200804-30 http://www.kde.org/info/security/advisory-20080426-2.txt MDVSA-2008:097 28938 1019924 USN-608-1 ADV-2008-1370 kde-startkdeinit-privilege-escalation(42039) OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which triggers a NULL pointer dereference. http://cert.fi/haavoittuvuudet/2008/advisory-openssl.html GLSA-200806-08 SSA:2008-210-08 http://sourceforge.net/project/shownotes.php?release_id=615606 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=738400 VU#520586 MDVSA-2008:107 http://www.openssl.org/news/secadv_20080528.txt 20080602 rPSA-2008-0181-1 openssl openssl-scripts 29405 1020122 USN-620-1 ADV-2008-1680 ADV-2008-1937 openssl-serverkey-dos(42667) FEDORA-2008-4723 The asn1 implementation in (a) the Linux kernel 2.4 before 2.4.36.6 and 2.6 before 2.6.25.5, as used in the cifs and ip_nat_snmp_basic modules; and (b) the gxsnmp package; does not properly validate length values during decoding of ASN.1 BER data, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) a length greater than the working buffer, which can lead to an unspecified overflow; (2) an oid length of zero, which can lead to an off-by-one error; or (3) an indefinite length for a primitive encoding. http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=33afb8403f361919aa5c8fe1d0a4f5ddbfbbea3c http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ddb2c43594f22843e9f3153da151deaba1a834c5 http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.6 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.5 SUSE-SA:2008:035 SUSE-SA:2008:038 SUSE-SA:2008:047 SUSE-SA:2008:048 SUSE-SA:2008:049 SUSE-SA:2008:052 SUSE-SR:2008:025 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0189 MDVSA-2008:113 MDVSA-2008:174 20080611 rPSA-2008-0189-1 kernel xen 29589 1020210 USN-625-1 ADV-2008-1770 https://bugzilla.redhat.com/show_bug.cgi?id=443962 linux-kernel-ber-decoder-bo(42921) FEDORA-2008-5308 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in Linux kernel 2.6.x before 2.6.25.1 does not properly check certain information related to register size, which has unspecified impact and local attack vectors, probably related to reading or writing kernel memory. [linux-kernel] 20080429 [26/37] tehuti: check register size (CVE-2008-1675) [linux-kernel] 20080429 [27/37] tehuti: move ioctl perm check closer to function start [linux-kernel] 20080429 [04/12] tehuti: check register size (CVE-2008-1675) http://wiki.rpath.com/Advisories:rPSA-2008-0157 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0157 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.1 MDVSA-2008:109 MDVSA-2008:167 20080502 rPSA-2008-0157-1 kernel 20080507 rPSA-2008-0157-1 kernel 29014 1019960 ADV-2008-1406 linux-kernel-tehuti-bo(42132) https://issues.rpath.com/browse/RPL-2501 USN-614-1 FEDORA-2008-3873 Red Hat PKI Common Framework (rhpki-common) in Red Hat Certificate System (aka Certificate Server or RHCS) 7.1 through 7.3, and Netscape Certificate Management System 6.x, does not recognize Certificate Authority profile constraints on Extensions, which might allow remote attackers to bypass intended restrictions and conduct man-in-the-middle attacks by submitting a certificate signing request (CSR) and using the resulting certificate. RHSA-2008:0500 RHSA-2008:0577 30062 1020427 https://bugzilla.redhat.com/show_bug.cgi?id=445227 rhcs-rhpkicommon-csr-security-bypass(43573) Buffer overflow in the regular expression handler in Red Hat Directory Server 8.0 and 7.1 before SP6 allows remote attackers to cause a denial of service (slapd crash) and possibly execute arbitrary code via a crafted LDAP query that triggers the overflow during translation to a regular expression. RHSA-2008:0268 RHSA-2008:0269 29126 1020001 https://bugzilla.redhat.com/show_bug.cgi?id=444712 rhds-fedora-expression-bo(42332) Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm. http://bugs.gentoo.org/show_bug.cgi?id=222643 APPLE-SA-2008-10-09 SUSE-SR:2008:024 [openssl-dev] 20080512 possible memory leak in zlib compression GLSA-200807-06 3981 SSA:2010-060-02 http://support.apple.com/kb/HT3216 http://svn.apache.org/viewvc?view=rev&revision=654119 MDVSA-2009:124 RHSA-2009:1075 31681 31692 USN-731-1 ADV-2008-2780 https://bugs.edge.launchpad.net/bugs/186339 https://bugs.edge.launchpad.net/bugs/224945 https://bugzilla.redhat.com/show_bug.cgi?id=447268 openssl-libssl-dos(43948) https://issues.apache.org/bugzilla/show_bug.cgi?id=44975 https://kb.bluecoat.com/index?page=content&id=SA50 oval:org.mitre.oval:def:9754 FEDORA-2008-6393 Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. NOTE: this issue is due to an incomplete fix for CVE-2007-4965. http://bugs.python.org/issue1179 http://bugs.python.org/msg64682 APPLE-SA-2009-02-12 SUSE-SR:2008:017 GLSA-200807-01 SSA:2008-217-01 http://support.apple.com/kb/HT3438 http://support.avaya.com/css/P8/documents/100074697 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0149 DSA-1551 DSA-1620 MDVSA-2008:163 MDVSA-2008:164 http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5032900 USN-632-1 python-imageopc-bo(41958) https://issues.rpath.com/browse/RPL-2424 oval:org.mitre.oval:def:10583 oval:org.mitre.oval:def:7800 PHP-Nuke Platinum 7.6.b.5 allows remote attackers to obtain configuration information via a direct request to maintenance/index.php, which reveals settings such as magic_quotes_gpc. platinum-index-info-disclosure(41745) 5295 Unspecified vulnerability in IBM DB2 Content Manager before 8.3 FP8 has unknown impact and attack vectors related to the AllowedTrustedLogin privilege. http://publib.boulder.ibm.com/infocenter/cmgmt/v8r3m0/topic/com.ibm.cmgmtreadmefp.doc/aparlist.htm 28567 ADV-2008-1070 http://www-1.ibm.com/support/docview.wss?uid=swg27011946&aid=1 db2-allowedtrustedlogin-unspecified(41585) PHP remote file inclusion vulnerability in quiz/common/db_config.inc.php in the Online FlashQuiz (com_onlineflashquiz) 1.0.2 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the base_dir parameter. 28574 onlineflashquiz-dbconfig-file-include(41592) 5345 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-0887. Reason: This candidate is a duplicate of CVE-2008-0887. Notes: All CVE users should reference CVE-2008-0887 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. inetd on Sun Solaris 10, when debug logging is enabled, allows local users to write to arbitrary files via a symlink attack on the /var/tmp/inetd.log temporary file. 1019781 233284 28584 ADV-2008-1076 solaris-inetd1m-dos(41626) oval:org.mitre.oval:def:5369 ** DISPUTED ** gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999). http://gcc.gnu.org/bugzilla/show_bug.cgi?id=26763 VU#162289 gcc-weak-security(41686) Array index vulnerability in Speex 1.1.12 and earlier, as used in libfishsound 0.9.0 and earlier, including Illiminable DirectShow Filters and Annodex Plugins for Firefox, xine-lib before 1.1.12, and many other products, allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer. http://blog.kfish.org/2008/04/release-libfishsound-091.html SUSE-SR:2008:012 [Speex-dev] 20080406 libfishsound 0.9.1 Release GLSA-200804-17 SSA:2008-111-01 http://sourceforge.net/project/shownotes.php?release_id=592185 http://sourceforge.net/project/shownotes.php?release_id=592185&group_id=9655 DSA-1584 DSA-1585 DSA-1586 MDVSA-2008:092 MDVSA-2008:093 MDVSA-2008:094 MDVSA-2008:124 http://www.metadecks.org/software/sweep/news.html SUSE-SR:2008:013 http://www.ocert.org/advisories/ocert-2008-004.html http://www.ocert.org/advisories/ocert-2008-2.html RHSA-2008:0235 20080417 [oCERT-2008-004] multiple speex implementations insufficientboundary checks 28665 1019875 USN-611-1 USN-611-2 USN-611-3 USN-635-1 ADV-2008-1187 ADV-2008-1228 ADV-2008-1268 ADV-2008-1269 ADV-2008-1300 ADV-2008-1301 ADV-2008-1302 fishsound-libfishsound-speex-bo(41684) oval:org.mitre.oval:def:10026 FEDORA-2008-3059 FEDORA-2008-3103 FEDORA-2008-3191 The (1) maketemp and (2) mkstemp builtin functions in GNU m4 before 1.4.11 do not quote their output when a file is created, which might allow context-dependent attackers to trigger a macro expansion, leading to unspecified use of an incorrect filename. SSA:2008-098-01 [oss-security] 20080406 Security fixes in m4-1.4.11 [oss-security] 20080407 Re: Security fixes in m4-1.4.11 [oss-security] 20080406 Re: Security fixes in m4-1.4.11 [oss-security] 20080407 Re: Security fixes in m4-1.4.11 28688 ADV-2008-1151 gnu-m4-macros-weak-security(41706) Unspecified vulnerability in GNU m4 before 1.4.11 might allow context-dependent attackers to execute arbitrary code, related to improper handling of filenames specified with the -F option. NOTE: it is not clear when this issue crosses privilege boundaries. SSA:2008-098-01 [oss-security] 20080406 Security fixes in m4-1.4.11 [oss-security] 20080406 Re: Security fixes in m4-1.4.11 28688 ADV-2008-1151 gnu-m4-producefrozenstate-format-string(41704) Stack consumption vulnerability in WebContainer.exe 1.0.0.336 and earlier in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (daemon crash) via a long request header in an HTTP request to TCP port 801. NOTE: some of these details are obtained from third party information. Only version information is located here: http://www.seattlelab.com/Products/SLMailPro/Utilities.asp. Versions 3.x, 4.x, and 5.x are vulnerable, but specific version information is not available. http://aluigi.altervista.org/adv/slmaildos-adv.txt http://aluigi.org/poc/slmaildos.zip 28505 ADV-2008-1039 slmailpro-webcontainer-bo(41532) WebContainer.exe 1.0.0.336 and earlier in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a long URI in HTTP requests to TCP port 801. NOTE: some of these details are obtained from third party information. http://aluigi.org/poc/slmaildos.zip 28505 ADV-2008-1039 slmailpro-webcontainer-code-execution(41531) Unspecified vulnerability in SLMail.exe in SLMail Pro 6.3.1.0 and earlier allows remote attackers to cause a denial of service (UDP service outage) via a large packet to UDP port 54. NOTE: some of these details are obtained from third party information. http://aluigi.altervista.org/adv/slmaildos-adv.txt 28505 ADV-2008-1039 slmailpro-slmail-dos(41533) Eterm 0.9.4 opens a terminal window on :0 if -display is not specified and the DISPLAY environment variable is not set, which might allow local users to hijack X11 connections. NOTE: realistic attack scenarios require that the victim enters a command on the wrong machine. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=473127 GLSA-200805-03 MDVSA-2008:222 28512 The CairoFont::create function in CairoFontEngine.cc in Poppler, possibly before 0.8.0, as used in Xpdf, Evince, ePDFview, KWord, and other applications, does not properly handle embedded fonts in PDF files, which allows remote attackers to execute arbitrary code via a crafted font object, related to dereferencing a function pointer associated with the type of this font object. SUSE-SR:2008:011 GLSA-200804-18 1019893 DSA-1548 DSA-1606 MDVSA-2008:089 MDVSA-2008:173 MDVSA-2008:197 SUSE-SR:2008:013 RHSA-2008:0238 RHSA-2008:0239 RHSA-2008:0240 RHSA-2008:0262 28830 USN-603-1 USN-603-2 ADV-2008-1265 ADV-2008-1266 xpdf-pdf-code-execution(41884) oval:org.mitre.oval:def:11226 FEDORA-2008-3312 vcdiff in Emacs 20.7 to 22.1.50, when used with SCCS, allows local users to overwrite arbitrary files via a symlink attack on temporary files. http://bugs.gentoo.org/show_bug.cgi?id=216880 MDVSA-2008:096 28857 1019909 ADV-2008-1309 ADV-2008-1310 https://bugzilla.redhat.com/show_bug.cgi?id=208483 xemacs-gnuemacs-vcdiff-symlink(41906) USN-607-1 Directory traversal vulnerability in makepost.php in DaZPHPNews 0.1-1, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the prefixdir parameter. 28582 dazphpnews-makepost-file-include(41608) 5347 Stack-based buffer overflow in ovwparser.dll in HP OpenView Network Node Manager (OV NNM) 7.53, 7.51, and earlier allows remote attackers to execute arbitrary code via a long URI in an HTTP request processed by ovas.exe, as demonstrated by a certain topology/homeBaseView request. NOTE: some of these details are obtained from third party information. SSRT080033 http://www.offensive-security.com/0day/hp-nnm-ov.py.txt 28569 1019782 ADV-2008-1085 hpopenview-ovas-bo(41600) 5342 Cross-site scripting (XSS) vulnerability in gallery.php in Simple Gallery 2.2 allows remote attackers to inject arbitrary web script or HTML via the album parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28596 simplegallery-index-album-xss(41622) SQL injection vulnerability in permalink.php in Desi Quintans Writer's Block CMS 3.8a allows remote attackers to execute arbitrary SQL commands via the PostID parameter. 3803 20080402 Writers Block SQL Injection Vulnerabilities 28564 writersblock-permalink-sql-injection(41619) The Web TransferCtrl Class 8,2,1,4 (iManFile.cab), as used in WorkSite Web 8.2 before SP1 P2, allows remote attackers to cause a denial of service (memory consumption) via a large number of SendNrlLink directives, which opens a separate window for each directive. http://www.mwrinfosecurity.com/publications/mwri_interwoven-worksite-activex-control-remote-code-execution_2008-03-10.pdf worksiteweb-webtransferctrl-imanfile-dos(41757) Novell NetWare 6.5 allows attackers to cause a denial of service (ABEND) via a crafted Macintosh iPrint client request. 28561 1019750 ADV-2008-1074 novell-netware-iprint-dos(41588) https://secure-support.novell.com/KanisaPlatform/Publishing/667/3842033_f.SAL_Public.html Absolute path traversal vulnerability in dload.php in the my_gallery 2.3 plugin for e107 allows remote attackers to obtain sensitive information via a full pathname in the file parameter. NOTE: some of these details are obtained from third party information. 3801 20080325 e107 My_Gallery Plugin Arbitrary File Download Vulnerability 28440 mygallery-dload-file-download(41433) 5308 Multiple buffer overflows in TIBCO Software Rendezvous before 8.1.0, as used in multiple TIBCO products, allow remote attackers to execute arbitrary code via a crafted message. 28717 1019826 http://www.tibco.com/resources/mk/rendezvous_security_advisory_20080409.txt ADV-2008-1189 ADV-2008-1190 tibco-rendezvous-multiple-code-execution(41760) Multiple buffer overflows in TIBCO Software Enterprise Message Service (EMS) before 4.4.3, and iProcess Engine 10.6.0 through 10.6.1, allow remote attackers to execute arbitrary code via a crafted message to the EMS server. 28717 1019826 http://www.tibco.com/resources/mk/ems_security_advisory_20080409.txt ADV-2008-1190 tibco-ems-iprocess-code-execution(41761) Format string vulnerability in the logging function in IBM solidDB 06.00.1018 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the (1) user name, (2) peer name, and possibly unspecified other fields. http://aluigi.altervista.org/adv/soliduro-adv.txt http://aluigi.org/poc/soliduro.zip 1019721 20080326 Multiple vulnerabilities in solidDB 06.00.1018 28468 ADV-2008-1038 ibm-soliddb-solid-format-string(41485) Uncontrolled array index in IBM solidDB 06.00.1018 and earlier allows remote attackers to cause a denial of service (daemon crash) via a large value in a certain 32-bit field. http://aluigi.altervista.org/adv/soliduro-adv.txt http://aluigi.org/poc/soliduro.zip 1019721 20080326 Multiple vulnerabilities in solidDB 06.00.1018 28468 ADV-2008-1038 ibm-soliddb-arrayindex-dos(41486) IBM solidDB 06.00.1018 and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a packet with an 0x11 value in a certain "type" field. http://aluigi.altervista.org/adv/soliduro-adv.txt http://aluigi.org/poc/soliduro.zip 1019721 20080326 Multiple vulnerabilities in solidDB 06.00.1018 28468 ADV-2008-1038 ibm-soliddb-solid-dos(41487) IBM solidDB 06.00.1018 and earlier does not validate a certain field that specifies an amount of memory to allocate, which allows remote attackers to cause a denial of service (daemon exit) via a packet with a large value in this field. http://aluigi.altervista.org/adv/soliduro-adv.txt http://aluigi.org/poc/soliduro.zip 1019721 20080326 Multiple vulnerabilities in solidDB 06.00.1018 28468 ADV-2008-1038 ibm-soliddb-memory-dos(41488) Buffer overflow in Microsoft Visual InterDev 6.0 (SP6) allows user-assisted attackers to execute arbitrary code via a Studio Solution (.SLN) file with a long malformed Project line beginning with a 'Project("{}") =' sequence, probably a different vector than CVE-2008-0250. visualinterdev-sln-project-bo(41826) 5349 Untrusted search path vulnerability in chnfsmnt in IBM AIX 6.1 allows local users to gain privileges via a modified PATH environment variable. 1019693 28429 ADV-2008-0983 IZ20391 IZ23556 IZ18296 oval:org.mitre.oval:def:5911 Terong PHP Photo Gallery (aka Advanced Web Photo Gallery) 1.0 stores passwords in cleartext in a MySQL database, which allows context-dependent attackers to obtain sensitive information. photogallery-password-info-disclosure(41820) 5364 PHP remote file inclusion vulnerability in includes/functions_weblog.php in mxBB mx_blogs 2.0.0 beta allows remote attackers to execute arbitrary PHP code via a URL in the mx_root_path parameter. 28515 mxblogs-functionsweblog-file-include(41819) 5323 MailServer.exe in NoticeWare Email Server 4.6.1.0 allows remote attackers to cause a denial of service (application crash) via a long string to IMAP port (143/tcp). 28559 emailserverng-mailserver-dos(41581) 5341 SQL injection vulnerability in show.php in FaScript FaPhoto 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. 28545 faphoto-show-sql-injection(41557) 5334 SQL injection vulnerability in content/user.php in AuraCMS 2.2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the country parameter. 28499 auracms-user-security-bypass(41529) 5319 Cross-site scripting (XSS) vulnerability in WoltLab Community Framework (WCF) 1.0.6 in WoltLab Burning Board 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the (1) page and (2) form parameters, which are not properly handled when they are reflected back in an error message. 20080407 WoltLab(R) Community Framework XSS and Full Path Disclosure Vulnerability 20080408 WoltLab(R) Community Framework XSS and Full Path Disclosure Vulnerability 20080407 WoltLab(R) Community Framework XSS and Full Path Disclosure Vulnerability 20080412 Re: WoltLab(R) Community Framework WCF 1.0.6 28678 wbb-wcf-page-form-xss(41714) WoltLab Community Framework (WCF) 1.0.6 in WoltLab Burning Board 3.0.5 allows remote attackers to obtain the full path via invalid (1) page and (2) form parameters, which leaks the path from an exception handler when a valid class cannot be found. 20080407 WoltLab(R) Community Framework XSS and Full Path Disclosure Vulnerability 20080408 WoltLab(R) Community Framework XSS and Full Path Disclosure Vulnerability 20080407 WoltLab(R) Community Framework XSS and Full Path Disclosure Vulnerability 20080412 Re: WoltLab(R) Community Framework WCF 1.0.6 28678 wbb-wcf-exception-info-disclosure(41713) Buffer overflow in mimesr.dll in Autonomy (formerly Verity) KeyView, as used in IBM Lotus Notes before 8.0, might allow user-assisted remote attackers to execute arbitrary code via an e-mail message with a crafted Text mail (MIME) attachment. Secunia information: http://secunia.com/advisories/28210 http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21298453 autonomy-mimesr-bo(41856) Multiple cross-site request forgery (CSRF) vulnerabilities in Nuke ET 3.2 and 3.4 allow remote attackers to perform actions as administrators, as demonstrated by inserting an XSS sequence into a document. http://www.mrzayas.es/2008/04/07/xsrf-en-nuke-et-3x/ nukeet-multiple-unspecified-csrf(41851) Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary code via unknown vectors. SUSE-SR:2008:011 HPSBMA02447 http://rsync.samba.org/ftp/rsync/security/rsync-3.0.1-xattr-alloc.diff http://samba.anu.edu.au/rsync/security.html#s3_0_2 GLSA-200804-16 http://sourceforge.net/project/shownotes.php?release_id=591462&group_id=69227 DSA-1545 [rsync-announce] 20080408 Rsync 3.0.2 released w/xattr security fix (attn: 2.6.9 onward) MDVSA-2008:084 28726 1019835 ADV-2008-1191 ADV-2008-1215 rsync-xattr-bo(41766) USN-600-1 FEDORA-2008-3047 FEDORA-2008-3060 Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow. http://bugs.python.org/issue2586 APPLE-SA-2009-02-12 GLSA-200807-01 3802 SSA:2008-217-01 http://support.apple.com/kb/HT3438 http://support.avaya.com/css/P8/documents/100074697 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0149 DSA-1551 DSA-1620 MDVSA-2008:085 20080409 IOActive Security Advisory: Buffer overflow in Python zlib extension module 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 28715 1019823 USN-632-1 http://www.vmware.com/security/advisories/VMSA-2009-0016.html ADV-2008-1229 ADV-2009-3316 zlib-pystringfromstringandsize-bo(41748) https://issues.rpath.com/browse/RPL-2444 oval:org.mitre.oval:def:8249 oval:org.mitre.oval:def:8494 oval:org.mitre.oval:def:9407 Multiple integer overflows in (1) filter/image-png.c and (2) filter/image-zoom.c in CUPS 1.3 allow attackers to cause a denial of service (crash) and trigger memory corruption, as demonstrated via a crafted PNG image. http://www.cups.org/str.php?L2790 DSA-1625 GLSA-200804-23 VU#218395 MDVSA-2008:170 SUSE-SR:2008:013 28781 1019854 USN-606-1 ADV-2008-1226 cups-imagepng-imagezoom-bo(41832) oval:org.mitre.oval:def:8768 RHSA-2008:0498 USN-656-1 FEDORA-2008-3586 FEDORA-2008-3449 Stack-based buffer overflow in the IActiveXTransfer.FileTransfer method in the SecureTransport FileTransfer ActiveX control in vcst_en.dll 1.0.0.5 in Tumbleweed SecureTransport Server before 4.6.1 Hotfix 20 allows remote attackers to execute arbitrary code via a long remoteFile parameter. 3806 http://www.aushack.com/200708-tumbleweed.txt 20080407 Tumbleweed SecureTransport FileTransfer ActiveX Control Buffer Overflow 28662 ADV-2008-1165 securetransport-filetransfer-activex-bo(41692) 5398 The IBizEBank.FIProfile.1 ActiveX control in fiprofile20.ocx in IBiz E-Banking Integrator (formerly IBiz OFX Integrator) 2.0.2932 exposes the unsafe WriteOFXDataFile method, which allows remote attackers to overwrite arbitrary files via a full pathname in the argument. NOTE: some of these details are obtained from third party information. 28700 ibiz-fiprofile20-file-overwrite(41752) 5416 Multiple SQL injection vulnerabilities in KnowledgeQuest 2.6, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) kqid parameter to (a) articletext.php and (b) articletextonly.php and the (2) username parameter to (c) logincheck.php. 28713 28716 knowledgequest-kqid-username-sql-injection(41746) 5421 KnowledgeQuest 2.5 and 2.6 does not require authentication for access to admincheck.php, which allows remote attackers to create arbitrary admin accounts. knowledgequest-admincheck-security-bypass(41747) 5418 ConnectionManagerImpl.java in Ignite Realtime Openfire 3.4.5 allows remote authenticated users to cause a denial of service (daemon outage) by triggering large outgoing queues without reading messages. GLSA-200804-26 http://www.igniterealtime.org/builds/openfire/docs/latest/changelog.html http://www.igniterealtime.org/fisheye/changelog/svn-org?cs=10031 http://www.igniterealtime.org/issues/browse/JM-1289 [oss-security] 20080411 CVE request: openfire <3.5.0 Denial of Service 28722 ADV-2008-1188 openfire-connectionmanagerImpljava-dos(41744) The menu system in Drupal 6 before 6.2 has incorrect menu settings, which allows remote attackers to (1) edit the profile pages of arbitrary users, and obtain sensitive information from (2) tracker and (3) blog pages, related to a missing check for the "access content" permission; and (4) allows remote authenticated users, with administration page view access, to edit content types. http://drupal.org/node/244637 28714 ADV-2008-1185 drupal-menusystem-security-bypass(41755) Directory traversal vulnerability in download.html in ARWScripts Gallery Script Lite (aka gallery-script-lite or Free Photo Gallery Site Script), as of 20080411, allows remote attackers to read arbitrary local files via directory traversal sequences in the path parameter. 28718 galleryscriptlite-path-info-disclosure(41742) 5419 The Simple Access module for Drupal 5.x through 5.x-1.2-2 does not properly handle the privacy information for nodes, which might allow remote attackers to bypass intended access restrictions, and read or modify nodes, in opportunistic circumstances related to interaction between Simple Access and (1) Node clone or (2) Project issue tracking. http://drupal.org/node/244560 28720 ADV-2008-1184 simpleaccess-privacy-info-disclosure(41756) SQL injection vulnerability in showpredictionsformatch.php in Prediction Football 1.x allows remote attackers to execute arbitrary SQL commands via the matchid parameter in a dupa action. 28704 ADV-2008-1160 predictionfootball-matchid-sql-injection(41728) 5410 SQL injection vulnerability in puarcade.class.php 2.2 and earlier in the Pragmatic Utopia PU Arcade (com_puarcade) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the gid parameter to index.php. 3807 20080409 Pu Arcade component for Joomla - SQL injection 28701 puarcade-gid-sql-injection(41726) Interpretation conflict in PHP Toolkit before 1.0.1 on Gentoo Linux might allow local users to cause a denial of service (PHP outage) and read contents of PHP scripts by creating a file with a one-letter lowercase alphabetic name, which triggers interpretation of a certain unquoted [a-z] argument as a matching shell glob for this name, rather than interpretation as the literal [a-z] regular-expression string, and consequently blocks the launch of the PHP interpreter within the Apache HTTP Server. http://bugs.gentoo.org/show_bug.cgi?id=209535 GLSA-200804-19 28844 phptoolkit-phpselect-dos(41928) BitDefender Antivirus 2008 20080118 and earlier allows local users to cause a denial of service (system crash) via an invalid pointer to the CLIENT_ID structure in a call to the NtOpenProcess hooked System Service Descriptor Table (SSDT) function. http://kb.bitdefender.com/KB419-en--Security-vulnerability-in-BitDefender-2008.html 3838 1019943 http://www.coresecurity.com/?action=item&id=2249 20080428 CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls 28741 ADV-2008-1384 bitdefender-ssdt-dos(42081) Comodo Firewall Pro before 3.0 does not properly validate certain parameters to hooked System Service Descriptor Table (SSDT) functions, which allows local users to cause a denial of service (system crash) via (1) a crafted OBJECT_ATTRIBUTES structure in a call to the NtDeleteFile function, which leads to improper validation of a ZwQueryObject result; and unspecified calls to the (2) NtCreateFile and (3) NtSetThreadContext functions, different vectors than CVE-2007-0709. 3838 1019944 http://www.coresecurity.com/?action=item&id=2249 http://www.personalfirewall.comodo.com/release_notes.html 20080428 CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls 28742 ADV-2008-1383 comodo-ssdt-dos(42082) Sophos Anti-Virus 7.0.5, and other 7.x versions, when Runtime Behavioural Analysis is enabled, allows local users to cause a denial of service (reboot with the product disabled) and possibly gain privileges via a zero value in a certain length field in the ObjectAttributes argument to the NtCreateKey hooked System Service Descriptor Table (SSDT) function. 3838 1019945 http://www.coresecurity.com/?action=item&id=2249 20080428 CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls 28743 http://www.sophos.com/support/knowledgebase/article/37810.html ADV-2008-1381 sophos-ssdt-dos(42083) Rising Antivirus 2008 before 20.38.20 allows local users to cause a denial of service (system crash) via an invalid pointer to the _CLIENT_ID structure in a call to the NtOpenProcess hooked System Service Descriptor Table (SSDT) function. 3838 1019946 http://www.coresecurity.com/?action=item&id=2249 20080428 CORE-2008-0320 - Insufficient argument validation of hooked SSDT functions on multiple Antivirus and Firewalls 28744 ADV-2008-1382 risingantivirus-ssdt-dos(42084) Apple QuickTime before 7.4.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted ftyp atoms in a movie file, which triggers memory corruption. http://support.apple.com/kb/HT1241 apple-quicktime-ftyp-code-execution(45144) The Presence Engine (PE) service in Cisco Unified Presence before 6.0(1) allows remote attackers to cause a denial of service (core dump and service interruption) via an unspecified "stress test," aka Bug ID CSCsh20972. 1020023 20080514 Cisco Unified Presence Denial of Service Vulnerabilities 29220 ADV-2008-1534 cisco-unifiedpresence-presenceengine-dos(42412) The SIP Proxy (SIPD) service in Cisco Unified Presence before 6.0(3) allows remote attackers to cause a denial of service (core dump and service interruption) via a TCP port scan, aka Bug ID CSCsj64533. 1020023 20080514 Cisco Unified Presence Denial of Service Vulnerabilities 29222 ADV-2008-1534 cisco-unifiedpresence-sipproxy-dos(42413) Memory leak in the Certificate Trust List (CTL) Provider service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) allows remote attackers to cause a denial of service (memory consumption and service interruption) via a series of malformed TCP packets, as demonstrated by TCPFUZZ, aka Bug ID CSCsj80609. 1020022 20080514 Cisco Unified Communications Manager Denial of Service Vulnerabilities 29221 ADV-2008-1533 cucm-ctlprovider-dos(42410) Memory leak in the Certificate Trust List (CTL) Provider service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) and 6.x before 6.1(1) allows remote attackers to cause a denial of service (memory consumption and service interruption) via a series of malformed TCP packets, aka Bug ID CSCsi98433. 1020022 20080514 Cisco Unified Communications Manager Denial of Service Vulnerabilities 29221 ADV-2008-1533 cucm-ctl-dos(42414) The Certificate Authority Proxy Function (CAPF) service in Cisco Unified Communications Manager (CUCM) 4.1 before 4.1(3)SR7, 4.2 before 4.2(3)SR4, and 4.3 before 4.3(2) allows remote attackers to cause a denial of service (service crash) via malformed network traffic, aka Bug ID CSCsk46770. 1020022 20080514 Cisco Unified Communications Manager Denial of Service Vulnerabilities 29221 ADV-2008-1533 cucm-capf-dos(42415) Cisco Unified Communications Manager (CUCM) 5.x before 5.1(2) and 6.x before 6.1(1) allows remote attackers to cause a denial of service (service interruption) via a SIP JOIN message with a malformed header, aka Bug ID CSCsi48115. 1020022 20080514 Cisco Unified Communications Manager Denial of Service Vulnerabilities 29221 ADV-2008-1533 cucm-sip-join-dos(42417) The SNMP Trap Agent service in Cisco Unified Communications Manager (CUCM) 4.1 before 4.1(3)SR6, 4.2 before 4.2(3)SR3, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) allows remote attackers to cause a denial of service (core dump and service restart) via a series of malformed UDP packets, as demonstrated by the IP Stack Integrity Checker (ISIC), aka Bug ID CSCsj24113. 1020022 20080514 Cisco Unified Communications Manager Denial of Service Vulnerabilities 29221 ADV-2008-1533 cucm-snmp-dos(42420) Unspecified vulnerability in Cisco Unified Communications Manager 4.1 before 4.1(3)SR6, 4.2 before 4.2(3)SR3, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) allows remote attackers to cause a denial of service (CCM service restart) via an unspecified SIP INVITE message, aka Bug ID CSCsk46944. 1020022 20080514 Cisco Unified Communications Manager Denial of Service Vulnerabilities 29221 ADV-2008-1533 cucm-sip-dos(42418) Cisco Unified Communications Manager 4.1 before 4.1(3)SR7, 4.2 before 4.2(3)SR4, 4.3 before 4.3(2), 5.x before 5.1(3), and 6.x before 6.1(1) does not properly validate SIP URLs, which allows remote attackers to cause a denial of service (service interruption) via a SIP INVITE message, aka Bug ID CSCsl22355. 1020022 20080514 Cisco Unified Communications Manager Denial of Service Vulnerabilities 29221 ADV-2008-1533 cucm-invite-dos(42419) Memory leak in Cisco Content Switching Module (CSM) 4.2(3) up to 4.2(8) and Cisco Content Switching Module with SSL (CSM-S) 2.1(2) up to 2.1(7) allows remote attackers to cause a denial of service (memory consumption) via TCP segments with an unspecified combination of TCP flags. 20080514 Cisco Content Switching Module Memory Leak Vulnerability 29216 1020021 ADV-2008-1532 cisco-csm-csms-dos(42409) SQL injection vulnerability in Integry Systems LiveCart 1.1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to the /category URI. http://livecart.com/news/LiveCart-1-1-2-released.12 20080503 Fixed: LiveCart SQL injection vulnerability fixed since version 1.1.2 28723 livecart-id-sql-injection(41750) 5422 Multiple directory traversal vulnerabilities in index.php in Ksemail allow remote attackers to read arbitrary local files via a .. (dot dot) in the (1) language and (2) lang parameters. 28724 ksemail-index-file-include(41749) 5423 ezRADIUS 0.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain credentials via a direct request for (1) config.ini or (2) database.ini. NOTE: some of these details are obtained from third party information. http://sourceforge.net/forum/forum.php?forum_id=809832 http://sourceforge.net/project/shownotes.php?release_id=591272&group_id=221332 ezradius-config-database-info-disclosure(41767) Cross-site scripting (XSS) vulnerability in system/workplace/admin/workplace/sessions.jsp in Alkacon OpenCMS 7.0.3 allows remote attackers to inject arbitrary web script or HTML via the searchfilter parameter, a different vector than CVE-2008-1510. 3808 20080405 Alkacon OpenCms sessions.jsp searchfilter XSS 20080410 Re: Alkacon OpenCms sessions.jsp searchfilter XSS 28637 opencms-sessions-xss(41675) Symantec Altiris Deployment Solution before 6.9.164 stores the Deployment Solution Agent (aka AClient) password in cleartext in memory, which allows local users to obtain sensitive information by dumping the AClient.exe process memory. http://securityresponse.symantec.com/avcenter/security/Content/2008.04.10.html 28707 1019825 ADV-2008-1197 altiris-agent-aclient-info-disclosure(41771) Directory traversal vulnerability in the showSource function in showSource.php in World of Phaos 4.0.1 allows remote attackers to read arbitrary files via directory traversal sequences in the file parameter. 28719 worldofphaos-showsource-info-disclosure(41741) 5420 Unspecified vulnerability in the Qmaster daemon in Sun N1 Grid Engine 6.1 allows local users to cause a denial of service (daemon crash) via unspecified vectors. 234822 28731 1019830 ADV-2008-1196 sun-gridengine-qmaster-dos(41763) Cross-site scripting (XSS) vulnerability in index.php in the ConcoursPhoto module for KwsPHP 1.0 allows remote attackers to inject arbitrary web script or HTML via the VIEW parameter. 3809 20080404 KwsPHP Module ConcoursPhoto XSS 28612 concoursphoto-index-xss(41814) SQL injection vulnerability in the ConcoursPhoto module for KwsPHP allows remote attackers to execute arbitrary SQL commands via the C_ID parameter to index.php. 28738 concoursphoto-cid-sql-injection(41636) 5353 SQL injection vulnerability in the jeuxflash module for KwsPHP allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php, a different vector than CVE-2007-4922. 28601 jeuxflash-cat-sql-injection(41635) 5352 Multiple PHP remote file inclusion vulnerabilities in Blogator-script before 1.01 allow remote attackers to execute arbitrary PHP code via a URL in the incl_page parameter in (1) struct_admin.php, (2) struct_admin_blog.php, and (3) struct_main.php in _blogadata/include. http://www.blogator-script.com/changelog.php 28627 blogatorscript-inclpage-file-include(41660) 5365 Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted newsfeed source, which triggers an invalid memory access. SUSE-SR:2008:009 GLSA-200804-14 http://www.opera.com/docs/changelogs/linux/927/ http://www.opera.com/support/search/view/881/ 28585 ADV-2008-1084 opera-newsfeed-code-execution(41625) Opera before 9.27 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted scaled image pattern in an HTML CANVAS element, which triggers memory corruption. SUSE-SR:2008:009 GLSA-200804-14 http://www.opera.com/docs/changelogs/linux/927/ http://www.opera.com/support/search/view/882/ 28585 ADV-2008-1084 opera-htmlcanvas-code-execution(41627) SQL injection vulnerability in _blogadata/include/sond_result.php in Blogator-script 0.95 allows remote attackers to execute arbitrary SQL commands via the id_art parameter. http://www.blogator-script.com/changelog.php 20080405 Blogator-script 0.95 SQL Injection Vulnerbility 28635 blogatorscript-sondresult-sql-injection(41658) 5368 Unspecified vulnerability in Opera before 9.27 has unknown impact and attack vectors related to "keyboard handling of password inputs." SUSE-SR:2008:009 GLSA-200804-14 http://www.opera.com/docs/changelogs/linux/927/ http://www.opera.com/docs/changelogs/windows/927/ opera-password-inputs-unspecified(41834) Buffer overflow in Adobe Photoshop Album Starter Edition 3.2, and possibly After Effects CS3, allows user-assisted remote attackers and physically proximate attackers to execute arbitrary code via a BMP file with an invalid image header. NOTE: the related issue in Photoshop CS3 is already covered by CVE-2007-2244. 20080421 Adobe Unchecked Overflow 1019910 http://www.adobe.com/support/security/advisories/apsa08-04.html 28874 ADV-2008-1317 adobe-bmp-image-file-bo(41941) 5479 Multiple unspecified vulnerabilities in phpBB before 3.0.1 have unknown impact and attack vectors, related to "two minor security-related bugs." http://www.phpbb.com/community/viewtopic.php?f=14&t=879735 ADV-2008-1236 phpbb-multiple-unspecified(41886) Buffer overflow in pattern.c in libxslt before 1.1.24 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XSL style sheet file with a long XSLT "transformation match" condition that triggers a large number of steps. http://bugzilla.gnome.org/show_bug.cgi?id=527297 APPLE-SA-2008-11-13 APPLE-SA-2008-07-11 APPLE-SA-2008-10-09 GLSA-200806-02 http://support.apple.com/kb/HT3216 http://support.apple.com/kb/HT3298 DSA-1589 MDVSA-2008:151 SUSE-SR:2008:013 RHSA-2008:0287 29312 31681 1020071 USN-633-1 ADV-2008-1580 ADV-2008-2094 ADV-2008-2780 libxslt-xsl-bo(42560) oval:org.mitre.oval:def:9785 Multiple integer overflows in VLC before 0.8.6f allow remote attackers to cause a denial of service (crash) via the (1) MP4 demuxer, (2) Real demuxer, and (3) Cinepak codec, which triggers a buffer overflow. GLSA-200804-25 http://wiki.videolan.org/Changelog/0.8.6f 28903 http://www.videolan.org/developers/vlc/NEWS http://www.videolan.org/security/sa0803.php ADV-2008-0985 oval:org.mitre.oval:def:14412 VLC before 0.8.6f allow remote attackers to cause a denial of service (crash) via a crafted Cinepak file that triggers an out-of-bounds array access and memory corruption. http://bugs.gentoo.org/show_bug.cgi?id=214627#c3 http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=cf489d7bff3c1b36b2d5501ecf21129c78104d98 GLSA-200804-25 http://wiki.videolan.org/Changelog/0.8.6f 28904 http://www.videolan.org/developers/vlc/NEWS http://www.videolan.org/security/sa0803.php ADV-2008-0985 oval:org.mitre.oval:def:14445 CRLF injection vulnerability in Akamai Download Manager ActiveX control before 2.2.3.6 allows remote attackers to force the download and execution of arbitrary files via a URL parameter containing an encoded LF followed by a malicious target line. 20080604 Akamai Technologies Security Advisory 2008-0001 (Download Manager) 20080604 Akamai Technologies Security Advisory 2008-0001 (Download Manager) 20080605 Akamai Download Manager File Downloaded To Arbitrary Location Vulnerability 1020194 ADV-2008-1746 downloadmanager-url-code-execution(42879) 5741 Integer overflow in the ws_getpostvars function in Firefly Media Server (formerly mt-daapd) 0.2.4.1 (0.9~r1696-1.2 on Debian) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP POST request with a large Content-Length. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476241 http://sourceforge.net/project/shownotes.php?release_id=593465&group_id=98211 DSA-1597 28860 1019908 ADV-2008-1303 firefly-wsgetpostvars-bo(41850) FEDORA-2008-3250 iScripts SocialWare stores passwords in cleartext in a database, which allows context-dependent attackers to obtain sensitive information. socialware-password-info-disclosure(41812) 5402 PHP remote file inclusion vulnerability in includes/header.inc.php in Dragoon 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the root parameter. 28660 dragoon-headerinc-file-include(41680) 5393 SQL injection vulnerability in editlink.php in Pligg 9.9.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. 28681 ADV-2008-1164 pliggcms-editlink-sql-injection(41709) 5406 Cross-site scripting (XSS) vulnerability in mindex.do in ManageEngine Firewall Analyzer 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the displayName parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28604 manageengine-mindex-xss(41810) PHP remote file inclusion vulnerability in modules/basicfog/basicfogfactory.class.php in PhpBlock A8.4 allows remote attackers to execute arbitrary PHP code via a URL in the PATH_TO_CODE parameter. 28588 phpblock-basicfogfactoryclass-file-include(41616) 5348 The eDirectory Host Environment service (dhost.exe) in Novell eDirectory 8.8.2 allows remote attackers to cause a denial of service (CPU consumption) via a long HTTP HEAD request to TCP port 8028. http://www.offensive-security.com/0day/novel-edir.py.txt 28572 1019783 ADV-2008-1075 Unspecified vulnerability in the floating point context switch implementation in Sun Solaris 9 and 10 on x86 platforms might allow local users to cause a denial of service (application exit), corrupt data, or trigger incorrect calculations via unknown vectors. 233921 28733 1019833 ADV-2008-1193 sun-solaris-floatingpoint-contextswitch-dos(41765) oval:org.mitre.oval:def:4950 Sun Solaris 8, 9, and 10 allows "remote privileged" users to cause a denial of service (panic) via unknown vectors related to self encapsulated IP packets. 235901 http://support.avaya.com/elmodocs2/security/ASA-2008-173.htm 28732 1019831 ADV-2008-1192 ADV-2008-1325 sun-solaris-selfencapsulatedippackets-dos(41762) oval:org.mitre.oval:def:4848 Unspecified vulnerability in the labeled networking functionality in Solaris 10 Trusted Extensions allows applications in separate labeling zones to bypass labeling restrictions via unknown vectors. 235421 28734 1019832 ADV-2008-1194 sun-solaris-extensions-security-bypass(41764) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its requester. Further investigation showed that it was not a security issue. Notes: none. phpdemo/viewsource.php in Advanced Software Engineering ChartDirector 4.1 allows remote attackers to read sensitive files via the file parameter. 28674 ADV-2008-1140 chartdirector-viewsource-info-disclosure(41701) 5399 Prozilla Reviews 1.0 allows remote attackers to delete arbitrary users via a modified UserID parameter in a direct request to siteadmin/DeleteUser.php. 28642 ADV-2008-1118 prozillareviews-deleteuser-weak-security(41678) 5387 Prozilla Topsites 1.0 allows remote attackers to perform administrative actions via a direct request to (1) addu.php, (2) editu.php, and (3) uidx.php in siteadmin/. 28641 ADV-2008-1117 prozillatopsites-multiple-security-bypass(41679) 5388 delete.php in Prozilla Top 100 1.2 allows remote authenticated users to delete statistics and accounts of arbitrary users via a modified s parameter. ADV-2008-1119 prozillatop100-delete-weak-security(41674) 5384 The DSM gui_cm_ctrls ActiveX control (gui_cm_ctrls.ocx), as used in multiple CA products including BrightStor ARCServe Backup for Laptops and Desktops r11.5, Desktop Management Suite r11.1 through r11.2 C2; Unicenter r11.1 through r11.2 C2; and Desktop and Server Management r11.1 through r11.2 C2 allows remote attackers to execute arbitrary code via crafted function arguments. http://community.ca.com/blogs/casecurityresponseblog/archive/2008/04/16/ca-dsm-gui-cm-ctrls-activex-control-vulnerability.aspx VU#684883 20080416 CA DSM gui_cm_ctrls ActiveX Control Vulnerability 28809 1019872 ADV-2008-1249 ca-dsmguicmctrls-code-execution(41853) https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=174256 Multiple cross-site scripting (XSS) vulnerabilities in index.php in Poplar Gedcom Viewer 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) text and (2) ul parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://downloads.securityfocus.com/vulnerabilities/exploits/28608.html 28608 poplargedcomviewer-text-xss(41689) SQL injection vulnerability in directory.php in Prozilla Entertainers 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: some of these details are obtained from third party information. 5371 SQL injection vulnerability in forum.php in Prozilla Forum allows remote attackers to execute arbitrary SQL commands via the forum parameter. 28643 prozillaforum-forum-sql-injection(41702) 5385 Unrestricted file upload vulnerability in iScripts SocialWare allows remote authenticated administrators to upload arbitrary files via a crafted logo file in the "Manage Settings" functionality. NOTE: remote exploitation is facilitated by a separate SQL injection vulnerability. 28670 ADV-2008-1137 socialware-managesettings-file-upload(41751) 5402 SQL injection vulnerability in ladder.php in My Gaming Ladder 7.5 and earlier allows remote attackers to execute arbitrary SQL commands via the ladderid parameter. 28671 ADV-2008-1138 mygamingladder-ladder-sql-injection(41698) 5401 Cross-site scripting (XSS) vulnerability in the insertion filter in the Flickr Drupal module 5.x before 5.x-1.3 and 6.x before 6.x-1.0-alpha allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://drupal.org/node/241939 28594 ADV-2008-1082 flickr-unspecified-xss(41603) Multiple cross-site scripting (XSS) vulnerabilities in view.cgi in Smart Classified ADS Professional, Smart Photo ADS, and Smart Photo ADS Gold allow remote attackers to inject arbitrary web script or HTML via the (1) AdNum and (2) Department parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28595 homeofficeonline-smartads-view-xss(41611) Multiple cross-site scripting (XSS) vulnerabilities in the Webform Drupal module 5.x before 5.x-1.10, 5.x-2.x before 5.x-2.0-beta3, and 6.x before 6.x-1.0-beta3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://drupal.org/node/242053 28597 ADV-2008-1081 webform-mod-unspecified-xss(41617) Multiple cross-site scripting (XSS) vulnerabilities in Blackboard Academic Suite 7.x and earlier, and possibly some 8.0 versions, allow remote attackers to inject arbitrary web script or HTML via (1) the searchText parameter in a Course action to webapps/blackboard/execute/viewCatalog or (2) the data__announcements___pk1_pk2__subject parameter in an ADD action to bin/common/announcement.pl. http://secskill.wordpress.com/2008/03/27/hacking-blackboard-academic-suite-2/ 3810 http://www.scribd.com/doc/2363025/Hacking-Blackboard-Academic-Suite 20080326 Blackboard Academic Suite Multiple XSS Vulnerabilities 28455 1019710 blackboard-searchtext-xss(41478) Comix 3.6.4 creates temporary directories with predictable names, which allows local users to cause an unspecified denial of service. GLSA-200804-29 comix-temporary-directories-dos(41854) FEDORA-2008-2981 FEDORA-2008-2993 Unspecified vulnerability in Secure Computing Webwasher 5.30 before build 3159 and 6.3.0 before build 3150 allows remote attackers to cause a denial of service (freeze) via a crafted URL. 3811 20080403 Webwasher Denial of Service Vulnerability 28600 webwasher-unspecified-dos(41620) Directory traversal vulnerability in forum/kietu/libs/calendrier.php in Dragoon 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cal[lng] parameter. 28638 dragoon-calendrier-file-include(41669) 5369 Directory traversal vulnerability in thumbnails.php in sabros.us 1.75 allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter. 28623 sabrosus-thumbnails-file-include(41672) 5360 Multiple cross-site scripting (XSS) vulnerabilities in index.php in DivXDB 2002 0.94b allow remote attackers to inject arbitrary web script or HTML via the (1) choice, (2) _page_, (3) zone_admin, (4) general_search, and (5) import parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28566 divxdb-index-xss(41634) Integer underflow in the iso_recv_msg function (iso.c) in rdesktop 1.5.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Remote Desktop Protocol (RDP) request with a small length field. 20080507 Multiple Vendor rdesktop iso_recv_msg() Integer Underflow Vulnerability http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/iso.c?r1=1.19&r2=1.20&pathrev=HEAD GLSA-200806-04 SSA:2008-148-01 240708 http://support.avaya.com/elmodocs2/security/ASA-2008-360.htm DSA-1573 MDVSA-2008:101 FEDORA-2008-3886 FEDORA-2008-3917 FEDORA-2008-3985 RHSA-2008:0575 RHSA-2008:0576 RHSA-2008:0725 29097 1019990 USN-646-1 ADV-2008-1467 ADV-2008-2403 rdesktop-isorecvmsg-code-execution(42272) oval:org.mitre.oval:def:11570 5561 Buffer overflow in the process_redirect_pdu (rdp.c) function in rdesktop 1.5.0 allows remote attackers to execute arbitrary code via a Remote Desktop Protocol (RDP) redirect request with modified length fields. 20080507 Multiple Vendor rdesktop process_redirect_pdu() BSS Overflow Vulnerability http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdp.c?r1=1.101&r2=1.102&pathrev=HEAD GLSA-200806-04 240708 http://support.avaya.com/elmodocs2/security/ASA-2008-360.htm DSA-1573 MDVSA-2008:101 FEDORA-2008-3886 FEDORA-2008-3917 FEDORA-2008-3985 29097 1019991 USN-646-1 ADV-2008-1467 ADV-2008-2403 rdesktop-processredirectpdu-bo(42275) 5585 Integer signedness error in the xrealloc function (rdesktop.c) in RDesktop 1.5.0 allows remote attackers to execute arbitrary code via unknown parameters that trigger a heap-based overflow. NOTE: the role of the channel_process function was not specified by the original researcher. 20080507 Multiple Vendor rdesktop channel_process() Integer Signedness Vulnerability http://rdesktop.cvs.sourceforge.net/rdesktop/rdesktop/rdesktop.c?r1=1.161&r2=1.162&pathrev=HEAD GLSA-200806-04 http://sourceforge.net/mailarchive/message.php?msg_name=20080511065217.GA24455%40cse.unsw.EDU.AU 240708 http://support.avaya.com/elmodocs2/security/ASA-2008-360.htm DSA-1573 MDVSA-2008:101 FEDORA-2008-3886 FEDORA-2008-3917 FEDORA-2008-3985 RHSA-2008:0575 29097 1019992 USN-646-1 ADV-2008-1467 ADV-2008-2403 rdesktop-xrealloc-bo(42277) oval:org.mitre.oval:def:9800 preprocessors/spp_frag3.c in Sourcefire Snort before 2.8.1 does not properly identify packet fragments that have dissimilar TTL values, which allows remote attackers to bypass detection rules by using a different TTL for each fragment. http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11 http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h 20080521 Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability 1020081 http://www.ipcop.org/index.php?name=News&file=article&sid=40 29327 ADV-2008-1602 snort-ttl-security-bypass(42584) FEDORA-2008-4986 FEDORA-2008-5001 FEDORA-2008-5045 Incomplete blacklist vulnerability in Skype 3.6.0.248, and other versions before 3.8.0.139, allows user-assisted remote attackers to bypass warning dialogs and possibly execute arbitrary code via a file: URI that ends in an executable extension that is not covered by the blacklist. 20080604 Skype File URI Security Bypass Code Execution Vulnerability 29553 1020201 http://www.skype.com/security/skype-sb-2008-003.html ADV-2008-1749 Integer overflow in FreeType2 before 2.3.6 allows context-dependent attackers to execute arbitrary code via a crafted set of 16-bit length values within the Private dictionary table in a Printer Font Binary (PFB) file, which triggers a heap-based buffer overflow. 20080610 Multiple Vendor FreeType2 PFB Integer Overflow Vulnerability APPLE-SA-2008-09-09 APPLE-SA-2008-09-12 APPLE-SA-2009-02-12 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. SUSE-SR:2008:014 GLSA-200806-10 GLSA-201209-25 1020238 http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780 239006 http://support.apple.com/kb/HT3026 http://support.apple.com/kb/HT3129 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-318.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0255 MDVSA-2008:121 RHSA-2008:0556 RHSA-2008:0558 20080814 rPSA-2008-0255-1 freetype 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. 29640 USN-643-1 http://www.vmware.com/security/advisories/VMSA-2008-0014.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html ADV-2008-1794 ADV-2008-1876 ADV-2008-2423 ADV-2008-2466 ADV-2008-2525 ADV-2008-2558 https://issues.rpath.com/browse/RPL-2608 oval:org.mitre.oval:def:9321 FEDORA-2008-5425 FEDORA-2008-5430 FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via an invalid "number of axes" field in a Printer Font Binary (PFB) file, which triggers a free of arbitrary memory locations, leading to memory corruption. 20080610 Multiple Vendor FreeType2 PFB Memory Corruption Vulnerability APPLE-SA-2008-09-09 APPLE-SA-2008-09-12 APPLE-SA-2009-02-12 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. SUSE-SR:2008:014 GLSA-200806-10 GLSA-201209-25 1020239 http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780 239006 http://support.apple.com/kb/HT3026 http://support.apple.com/kb/HT3129 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-318.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0255 MDVSA-2008:121 RHSA-2008:0556 RHSA-2008:0558 20080814 rPSA-2008-0255-1 freetype 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. 29641 USN-643-1 http://www.vmware.com/security/advisories/VMSA-2008-0014.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html ADV-2008-1794 ADV-2008-1876 ADV-2008-2423 ADV-2008-2466 ADV-2008-2525 ADV-2008-2558 https://issues.rpath.com/browse/RPL-2608 oval:org.mitre.oval:def:9767 FEDORA-2008-5425 FEDORA-2008-5430 Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow. 20080610 Multiple Vendor FreeType2 Multiple Heap Overflow Vulnerabilities APPLE-SA-2008-09-09 APPLE-SA-2008-09-12 APPLE-SA-2009-02-12 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. SUSE-SR:2008:014 GLSA-200806-10 GLSA-201209-25 1020240 http://sourceforge.net/project/shownotes.php?group_id=3157&release_id=605780 239006 http://support.apple.com/kb/HT3026 http://support.apple.com/kb/HT3129 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-318.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0255 MDVSA-2008:121 RHSA-2008:0556 RHSA-2008:0558 RHSA-2009:0329 20080814 rPSA-2008-0255-1 freetype 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. 29637 29639 USN-643-1 http://www.vmware.com/security/advisories/VMSA-2008-0014.html http://www.vmware.com/support/player/doc/releasenotes_player.html http://www.vmware.com/support/player2/doc/releasenotes_player2.html http://www.vmware.com/support/server/doc/releasenotes_server.html http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html ADV-2008-1794 ADV-2008-1876 ADV-2008-2423 ADV-2008-2466 ADV-2008-2525 ADV-2008-2558 https://issues.rpath.com/browse/RPL-2608 oval:org.mitre.oval:def:11188 FEDORA-2008-5425 FEDORA-2008-5430 Heap-based buffer overflow in Novell eDirectory 8.7.3 before 8.7.3.10b, and 8.8 before 8.8.2 FTF2, allows remote attackers to execute arbitrary code via an LDAP search request containing "NULL search parameters." 20080709 Novell eDirectory LDAP Search Request Heap Corruption Vulnerability http://www.novell.com/support/viewContent.do?externalId=3843876 30175 1020470 ADV-2008-2062 novell-edirectory-ldap-bo(43716) Untrusted search path vulnerability in dbmsrv in SAP MaxDB 7.6.03.15 on Linux allows local users to gain privileges via a modified PATH environment variable. 20080730 SAP MaxDB dbmsrv Untrusted Execution Path Vulnerability 30474 1020585 ADV-2008-2267 maxdb-dbmsrv-code-execution(44125) Unspecified vulnerability in Oracle Application Express 3.0.1 has unspecified impact and remote authenticated attack vectors related to flows_030000.wwv_execute_immediate, aka APEX01. NOTE: the previous information was obtained from the April 2008 CPU. Oracle has not commented on reliable researcher claims that APEX01 is for insufficient authorization checks for SQL commands in the run_ddl function in flows_030000.wwv_execute_immediate, allowing privilege escalation by certain non-DBA remote authenticated users. 20080415 Oracle Application Express Privilege Escalation Vulnerability http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-apex-privilege-escalation(41988) Unspecified vulnerability in the Oracle Enterprise Manager component in Oracle Database 9.0.1.5 FIPS+; Application Server 1.0.2.2; and Enterprise Manager for AS 1.0.2.2 and Database 9.0.1.5 has unknown impact and local attack vectors, aka EM01. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-enterprise-manager-unspecified(41989) Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 have unknown impact and remote unauthenticated or authenticated attack vectors related to (1) SYS.DBMS_AQ in the Advanced Queuing component, aka DB01; (2) Core RDBMS, aka DB03; (3) SDO_GEOM in Oracle Spatial, aka DB06; (4) Export, aka DB12; and (5) DBMS_STATS in Query Optimizer, aka DB13. NOTE: the previous information was obtained from the Oracle CPU. Oracle has not commented on reliable researcher claims that DB06 is SQL injection, and DB13 occurs when the OUTLN account is reset to use a hard-coded password. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html http://www.red-database-security.com/advisory/oracle_outln_password_change.html http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_geom.html 20080416 Oracle - SQL Injection in package SDO_GEOM [DB06] 20080416 Oracle - Hardcoded Password and Password Reset of OUTLN User [DB13] HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-database-dbmsaq-unspecified(41991) oracle-database-corerdbms-unspecified(41992) oracle-database-sdogeom-sql-injection(41993) oracle-database-export-info-disclosure(41994) oracle-database-queryop-default-password(41995) Unspecified vulnerability in the Oracle Secure Enterprise Search or Ultrasearch component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3 and 10.1.2.2; and Oracle Collaboration Suite 10.1.2; has unknown impact and remote attack vectors, aka DB04. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-search-wksys-unspecified(41997) Unspecified vulnerability in the Change Data Capture component in Oracle Database 10.1.0.5, 10.2.0.3, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to DBMS_CDC_UTILITY, aka DB02. NOTE: the previous information was obtained from the April 2008 CPU. Oracle has not commented on reliable researcher claims that DB02 is for SQL injection in LOCK_CHANGE_SET. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 20080501 Team SHATTER Security Advisory: Oracle Database SQL Injection in SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET (DB02) 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-database-dbmscdcutility-unspecified(41998) Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 and 10.2.0.3 have unknown impact and remote authenticated attack vectors related to (1) SDO_UTIL in the Oracle Spatial component, aka DB05; or (2) fine grained auditing in the Audit component, aka DB14. NOTE: the previous information was obtained from the Oracle CPU. Oracle has not commented on reliable researcher claims that DB05 is SQL injection. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_util.html 20080416 Oracle - SQL Injection Vulnerability in SDO_UTIL [DB05] HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-database-sdoutil-sql-injection(41999) oracle-database-audit-unspecified(42000) Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.3, and 11.1.0.6 have unknown impact and remote attack vectors related to (1) SDO_IDX in the Spatial component, aka DB07; and (2) Core RDBMS, aka DB10. NOTE: the previous information was obtained from the Oracle CPU. Oracle has not commented on reliable researcher claims that DB07 is SQL injection. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_idx.html 20080416 Oracle - SQL Injection in package SDO_IDX [DB07] HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-database-sdoidx-sql-injection(42001) oracle-database-rdbms-info-disclosure(42002) Unspecified vulnerability in the Authentication component in Oracle Database 11.1.0.6 has unknown impact and remote attack vectors, aka DB08. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-database-auth-unspecified(42031) Unspecified vulnerability in the Oracle Net Services component in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and local attack vectors, aka DB09. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-database-net-unspecified(42033) Unspecified vulnerability in the Data Pump component in Oracle Database 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 has unknown impact and remote attack vectors related to KUPF$FILE_INT, aka DB11. NOTE: the previous information was obtained from the April 2008 CPU. Oracle has not commented on reliable researcher claims that DB11 is for a buffer overflow in the SYS.KUPF$FILE_INT.GET_FULL_FILENAME procedure. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 20080501 Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11) 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-database-datapump-dos(42036) Unspecified vulnerability in the Advanced Queuing component in Oracle Database 9.0.1.5 FIPS+, and 10.1.0.5 has unknown impact and remote attack vectors related to SYS.DBMS_AQJMS_INTERNAL, aka DB15. NOTE: the previous information was obtained from the April 2008 CPU. Oracle has not commented on reliable researcher claims that DB15 is for multiple buffer overflows in the (1) AQ$_REGISTER and (2) AQ$_UNREGISTER procedures. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 20080501 Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.DBMS_AQJMS_INTERNAL (DB15) 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-database-advqueuing-dos(42037) Unspecified vulnerability in the Oracle Application Express component in Oracle Application Express 3.0.1 has unknown impact and remote attack vectors, aka APEX02. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-apex-unspecified-access(42041) Unspecified vulnerability in the Oracle Jinitiator component in Oracle Application Server 1.3.1.14 has unknown impact and remote attack vectors, aka AS01. According to the vendor " the impact of this vulnerability is limited to Jinitiator; there is no Oracle Application Server impact. Oracle Jinitiator versions 1.3.1.15 and later are not affected". http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-jinitiator-unauth-access(42045) Unspecified vulnerability in the Oracle Dynamic Monitoring Service component in Oracle Application Server 9.0.4.3, 10.1.2.2, and 10.1.3.3 has unknown impact and remote attack vectors, aka AS02. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-appserver-dynmon-unspecified(42050) Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 9.0.4.3 has unknown impact and remote attack vectors, aka AS03. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-appserver-portal-unspecified5(42051) Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10.2 have unknown impact and attack vectors related to (a) Advanced Pricing, aka (1) APP01 and (2) APP10; and (b) Applications Framework, aka (3) APP05. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-ebusiness-advpricing-unspecified(42053) oracle-ebusiness-appframework-unspecified(42054) oracle-ebusiness-advpricing-unspecified2(42055) Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10.2 and 12.0.4 have unknown impact and attack vectors related to (a) Advanced Pricing component, aka (1) APP02, (2) APP03, and (3) APP09; (b) Application Object Library component, aka (4) APP04, (5) APP07, and (6) APP11; (c) Applications Manager component, aka (7) APP06; (d) and Applications Technology Stack component, aka (8) APP08. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-ebusiness-advpricing-unspecified3(42056) oracle-ebusiness-advpricing-unspecified4(42057) oracle-ebusiness-appobjlib-dos(42059) oracle-ebusiness-appmanager-unspecified(42060) oracle-ebusiness-appobjlib-unspecified(42061) oracle-ebusiness-apptechstack-unspecified(42062) oracle-ebusiness-advpricing-unspecified5(42063) oracle-ebusiness-appobjlib-unspecified2(42064) Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.19, 8.48.16, and 8.49.09 has unknown impact and remote authenticated attack vectors, aka PSE01. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-peoplesoft-peopletools-unspecified3(42065) Unspecified vulnerability in the PeopleSoft HCM Recruiting component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.8 SP1 has unknown impact and remote attack vectors, aka PSE02. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-peoplesoft-hcm-unspecified2(42066) Unspecified vulnerability in the PeopleSoft HCM ePerformance component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9 and 9.0 has unknown impact and remote attack vectors, aka PSE03. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-peoplesoft-eperformance-unspecified(42067) Multiple unspecified vulnerabilities in the Siebel SimBuilder component in Oracle Siebel Enterprise 7.8.2 and 7.8.5 have unknown impact and remote or local attack vectors, aka (1) SEBL01, (2) SEBL02, (3) SEBL03, (4) SEBL04, (5) SEBL05, and (6) SEBL06. http://www.oracle.com/technetwork/topics/security/cpuapr2008-082075.html HPSBMA02133 1019855 ADV-2008-1233 ADV-2008-1267 oracle-cpu-april-2008(41858) oracle-siebel-simbuilder-unspecified(42068) oracle-siebel-simbuilder-unspecified2(42069) oracle-siebel-simbuilder-unspecified3(42070) oracle-siebel-simbuilder-unspecified4(42071) lib/prefs.tcl in Cecilia 2.0.5 allows local users to overwrite arbitrary files via a symlink attack on the csvers temporary file. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476321 28805 cecilia-locatecsound-symlink(41837) Heap-based buffer overflow in pe.c in libclamav in ClamAV 0.92.1 allows remote attackers to execute arbitrary code via a crafted WWPack compressed PE binary. http://kolab.org/security/kolab-vendor-notice-20.txt 20080414 ClamAV libclamav PE WWPack Heap Overflow Vulnerability APPLE-SA-2008-09-15 SUSE-SA:2008:024 GLSA-200805-19 http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog http://up2date.astaro.com/2008/08/up2date_asg_v7300_ga_released.html DSA-1549 MDVSA-2008:088 28784 28798 1019850 TA08-260A ADV-2008-1227 ADV-2008-2584 clamav-wwpack-pe-bo(41833) FEDORA-2008-3358 FEDORA-2008-3420 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=877 swfdec_load_object.c in Swfdec before 0.6.4 does not properly restrict local file access from untrusted sandboxes, which allows remote attackers to read arbitrary files via a crafted Flash file. http://gitweb.freedesktop.org/?p=swfdec/swfdec.git;a=commit;h=326ee4ff631ecc11605f1251e1923a94561a3823 [Swfdec] 20080409 Swfdec 0.6.4 released 28881 swfdec-swfdecloadobject-info-disclosure(41887) ClamAV before 0.93 allows remote attackers to bypass the scanning enging via a RAR file with an invalid version number, which cannot be parsed by ClamAV but can be extracted by Winrar. APPLE-SA-2008-09-15 SUSE-SA:2008:024 GLSA-200805-19 http://up2date.astaro.com/2008/08/up2date_asg_v7300_ga_released.html MDVSA-2008:088 28784 TA08-260A ADV-2008-2584 clamav-rar-weak-security(41874) https://wwws.clamav.net/bugzilla/show_bug.cgi?id=541 The rfc2231 function in message.c in libclamav in ClamAV before 0.93 allows remote attackers to cause a denial of service (crash) via a crafted message that produces a string that is not null terminated, which triggers a buffer over-read. APPLE-SA-2008-09-15 SUSE-SA:2008:024 GLSA-200805-19 http://up2date.astaro.com/2008/08/up2date_asg_v7300_ga_released.html MDVSA-2008:088 28784 TA08-260A ADV-2008-2584 clamav-rfc2231-dos(41868) FEDORA-2008-3900 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=881 libclamunrar in ClamAV before 0.93 allows remote attackers to cause a denial of service (crash) via crafted RAR files that trigger "memory problems," as demonstrated by the PROTOS GENOME test suite for Archive Formats. APPLE-SA-2008-09-15 SUSE-SA:2008:024 GLSA-200805-19 http://up2date.astaro.com/2008/08/up2date_asg_v7300_ga_released.html MDVSA-2008:088 28784 TA08-260A ADV-2008-1227 ADV-2008-2584 clamav-libclamunrar-dos(41870) https://wwws.clamav.net/bugzilla/show_bug.cgi?id=898 SQL injection vulnerability in BosClassifieds Classified Ads System 3.0 allows remote attackers to execute arbitrary SQL commands via the cat parameter to index.php. 28760 bosclassifieds-index-sql-injection(41799) 5444 Multgiple cross-site scripting (XSS) vulnerabilities in module/main.php in WORK system e-commerce 4.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) day, (2) month, and (3) year parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28785 work-systemecommerce-main-xss(41811) SQL injection vulnerability in upload.php in Coppermine Photo Gallery (CPG) 1.4.16 and earlier allows remote authenticated users or user-assisted remote HTTP servers to execute arbitrary SQL commands via the Content-Type HTTP response header provided by the HTTP server that is used for an upload. http://forum.coppermine-gallery.net/index.php/topic,51787,0.html http://sourceforge.net/project/shownotes.php?group_id=89658&release_id=592069 28766 coppermine-upload-sql-injection(41784) SQL injection vulnerability in the session handling functionality in bridge/coppermine.inc.php in Coppermine Photo Gallery (CPG) 1.4.17 and earlier allows remote attackers to execute arbitrary SQL commands via an input field associated with the session_id variable, as exploited in the wild in April 2008. NOTE: the fix for CVE-2008-1840 was intended to address this vulnerability, but is actually inapplicable. http://coppermine.svn.sourceforge.net/viewvc/coppermine/trunk/cpg1.4.x/bridge/coppermine.inc.php?r1=4380&r2=4381 http://coppermine.svn.sourceforge.net/viewvc/coppermine/trunk/cpg1.4.x/bridge/coppermine.inc.php?view=log http://forum.coppermine-gallery.net/index.php/topic,51882.0.html http://sourceforge.net/project/shownotes.php?group_id=89658&release_id=592069 28767 coppermine-coppermineinc-sql-injection(41788) Integer signedness error in ovspmd.exe in HP OpenView Network Node Manager (OV NNM) 8.01, and 7.53 and earlier, allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code via a long request to TCP port 8886 that begins with a certain negative integer, which passes a signed comparison and triggers a heap-based buffer overflow. http://aluigi.altervista.org/adv/closedview-adv.txt http://aluigi.org/poc/closedview.zip SSRT080024 1019821 HPSBMA02338 28689 ADV-2008-1159 hp-nnm-ovspmd-bo(41737) SQL injection vulnerability in browse.php in W2B DatingClub (aka Dating Club) allows remote attackers to execute arbitrary SQL commands via the age_to parameter in a browsebyCat action. http://forum.aria-security.com/showthread.php?p=70 20080410 w2b.ru multiple products SQL Injection 28737 datingclub-browse-sql-injection(41792) SQL injection vulnerability in cat.php in W2B phpHotResources allows remote attackers to execute arbitrary SQL commands via the kind parameter. http://forum.aria-security.com/showthread.php?p=70 20080410 w2b.ru multiple products SQL Injection 28736 phphotresources-cat-sql-injection(41793) The Korn shell (aka mksh) before R33d on MirOS (aka MirBSD) does not flush the tty's I/O when invoking mksh in a new terminal, which allows local users to gain privileges by opening a virtual terminal and entering command sequences, which might later be executed in opportunistic circumstances by a different user who launches mksh and specifies that terminal with the -T option. http://www.mirbsd.org/mksh.htm#clog 28768 mirbsd-tty-privilege-escalation(41794) The default configuration of SAP NetWeaver before 7.0 SP15 does not enable the "Always Use Secure HTML Editor" (aka Editor Security or Secure Editing) parameter, which allows remote attackers to conduct cross-site scripting (XSS) attacks by entering feedback for a file. 3812 http://www.aitsec.com/vulnerability-SAP-Netweaver-6.40-7.0-Cross-Site-Scripting.php 20080409 SAP Netweaver 6.40-7.0 Cross-Site-Scripting 28699 1019822 netweaver-feedbacksform-xss(41735) SQL injection vulnerability in view.php in CoronaMatrix phpAddressBook 2.11 allows remote attackers to execute arbitrary SQL commands via the id parameter. 28750 phpaddressbook-index-sql-injection(41498) 5432 Cross-site scripting (XSS) vulnerability in the joomlaXplorer (com_joomlaxplorer) Mambo/Joomla! component 1.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the error parameter in a show_error action to index.php. 28746 joomlaxplorer-index-xss(41779) 5431 Directory traversal vulnerability in index.php in the joomlaXplorer (com_joomlaxplorer) Mambo/Joomla! component 1.6.2 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the dir parameter in a show_error action. 28746 joomlaxplorer-index-directory-traversal(41778) 5431 Multiple cross-site scripting (XSS) vulnerabilities in login.php in Omnistar Interactive OSI Affiliate allow remote attackers to inject arbitrary web script or HTML via the (1) login, (2) profile, (3) profile2, and (4) ref parameters. http://www.mrzayas.es/2008/04/11/xss-en-osiaffiliate/ 28785 28793 work-systemecommerce-main-xss(41811) osi-affiliate-login-xss(41825) ovalarmsrv in HP OpenView Network Node Manager (OV NNM) 7.51, 7.53, and possibly other versions allows remote attackers to cause a denial of service (hang) via certain requests that do not provide all required arguments. http://aluigi.altervista.org/adv/closedviewx-adv.txt 20080411 Directory traversal and multiple Denials of Service in HP OpenView NNM 7.53 28745 1019839 ADV-2008-1214 hp-nnm-ovalarmsrv-bo(41694) ovalarmsrv in HP OpenView Network Node Manager (OV NNM) 7.51, 7.53, and possibly other versions allows remote attackers to cause a denial of service (crash) via certain requests that specify a large number of sub-arguments, which triggers a NULL pointer dereference due to memory allocation failure. http://aluigi.altervista.org/adv/closedviewx-adv.txt 20080411 Directory traversal and multiple Denials of Service in HP OpenView NNM 7.53 28745 1019839 ADV-2008-1214 hp-nnm-ovalarmsrv-dos(41695) The ovtopmd service in HP OpenView Network Node Manager (OV NNM) 7.51, 7.53, and possibly other versions allows remote attackers to cause a denial of service (exit) by sending a 0x36 packet (exit request). http://aluigi.altervista.org/adv/closedviewx-adv.txt 20080411 Directory traversal and multiple Denials of Service in HP OpenView NNM 7.53 28745 1019839 ADV-2008-1214 hp-nnm-ovalarmsrv-format-string(41693) Unspecified vulnerability in SmarterMail Web Server (SMWebSvr.exe) in SmarterMail 5.0.2999 allows remote attackers to cause a denial of service (service termination) via a long HTTP (1) GET, (2) HEAD, (3) PUT, (4) POST, or (5) TRACE request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28610 smartermail-webserver-smwebsvr-dos(41710) FrameworkService.exe in McAfee Common Management Agent (CMA) 3.6.0.574 Patch 3 and earlier, as used by ePolicy Orchestrator (ePO) and ProtectionPilot (PrP), allows remote attackers to corrupt memory and cause a denial of service (CMA Framework service crash) via a long invalid method in requests for the /spin//AVClient//AVClient.csp URI, a different vulnerability than CVE-2006-5274. http://www.offensive-security.com/0day/mcafee_again.py.txt 28573 1019794 ADV-2008-1122 mcafee-cma-frameworkservice-dos(41597) https://knowledge.mcafee.com/article/219/615324_f.SAL_Public.html 5343 plugins/maps/db_handler.php in LinPHA 1.3.3 and earlier does not require authentication for a settings action that modifies the configuration file, which allows remote attackers to conduct directory traversal attacks and execute arbitrary local files by placing directory traversal sequences into the maps_type configuration setting, and then sending a request to maps_view.php, which causes plugins/maps/map.main.class.php to use the modified configuration. http://sourceforge.net/project/shownotes.php?release_id=595725 28654 ADV-2008-1136 linpha-mapmainclass-file-include(41676) 5392 Multiple directory traversal vulnerabilities in viewsource.php in Make our Life Easy (Mole) 2.1.0 allow remote attackers to read arbitrary files via directory traversal sequences in the (1) dirn and (2) fname parameters. 28659 ADV-2008-1141 mole-viewsource-file-include(41681) 5394 SQL injection vulnerability in index.php in 724Networks 724CMS 4.01 and earlier allows remote attackers to execute arbitrary SQL commands via the ID parameter. 28672 ADV-2008-1139 724cms-index-sql-injection(41700) 5400 SQL injection vulnerability in events.php in iScripts SocialWare allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action. 28669 ADV-2008-1137 socialware-events-sql-injection(41697) 5402 Static code injection vulnerability in admin.php in LokiCMS 0.3.3 and earlier allows remote attackers to inject arbitrary PHP code into includes/Config.php via the default parameter. 20080531 LokiCMS Multiple Vulnerabilities through Authorization weakness ADV-2008-1162 lokicms-admin-code-execution(41736) 5408 Directory traversal vulnerability in modules/threadstop/threadstop.php in ExBB Italia 0.22 and earlier, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the exbb[default_lang] parameter. 28686 exbb-exbbdefaultlang-file-include(41707) 5405 ExBB Italia 0.22 and earlier only checks GET requests that use the QUERY_STRING for certain path manipulations, which allows remote attackers to bypass this check via (1) POST or (2) COOKIE variables, a different vector than CVE-2006-4488. NOTE: this can be leveraged to conduct PHP remote file inclusion attacks via a URL in the (a) new_exbb[home_path] or (b) exbb[home_path] parameter to modules/threadstop/threadstop.php. exbb-threadstop-file-include(41708) 5405 SQL injection vulnerability in view_reviews.php in Prozilla Cheat Script (aka Cheats) 2.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. 28640 ADV-2008-1116 prozillacheats-viewreviews-sql-injection(41673) 5389 SQL injection vulnerability in project.php in Prozilla Freelancers allows remote attackers to execute arbitrary SQL commands via the project parameter. 28653 prozillafreelancers-project-sql-injection(41705) 5390 Stack-based buffer overflow in the msx_readnode function in libmosix.c in openmosix-tools (aka userspace-tools) in openMosix might allow local users to cause a denial of service (application crash) via a third-party program that calls this function with a long item argument. NOTE: the vendor does not provide any program that is capable of causing this overflow. 3813 20080406 openMosix userspace library stack-based buffer overflow 28663 openmosix-msxreadnode-bo(41691) admin/modif_config.php in Blog Pixel Motion (aka PixelMotion) does not require admin authentication, which allows remote authenticated users to upload arbitrary PHP scripts in a ZIP archive, which is written to templateZip/ and then automatically extracted under templates/ for execution via a direct request. 28646 ADV-2008-1121 blogpixelmotion-modifconfig-file-upload(41670) 5381 SQL injection vulnerability in Blog Pixel Motion (aka Blog PixelMotion) allows remote attackers to execute arbitrary SQL commands via the categorie parameter to index.php, possibly related to include/requetesIndex.php. 28645 ADV-2008-1121 blogpixelmotion-index-sql-injection(41668) 5382 admin/sauvBase.php in Blog Pixel Motion (aka Blog PixelMotion) does not require authentication, which allows remote attackers to trigger a database backup dump, and obtain the resulting blogPM.sql file that contains sensitive information. ADV-2008-1121 blogpixelmotion-sauvbase-info-disclosure(41671) 5380 SQL injection vulnerability in Site Sift Listings allows remote attackers to execute arbitrary SQL commands via the id parameter in a detail action to index.php. NOTE: this issue might be site-specific. 28644 ADV-2008-1120 sitesiftlistings-index-sql-injection(41662) 5383 SQL injection vulnerability in getdata.php in PIGMy-SQL 1.4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 28634 ADV-2008-1135 pigmysql-getdata-sql-injection(41657) 5367 SQL injection vulnerability in links.php in Scriptsagent.com Links Directory 1.1 allows remote authenticated users to execute arbitrary SQL commands via the cat_id parameter in a list action. 28655 ADV-2008-1126 linksdirectory-links-sql-injection(41661) 5377 SQL injection vulnerability in home.news.php in Comdev News Publisher 4.1.2 allows remote attackers to execute arbitrary SQL commands via the arcmonth parameter. NOTE: some of these details are obtained from third party information. 28622 newspublisher-index-sql-injection(41663) 5362 Cross-site scripting (XSS) vulnerability in the private message feature in Nuke ET 3.2 and 3.4, when using Internet Explorer, allows remote authenticated users to inject arbitrary web script or HTML via a CSS property in the STYLE attribute of a DIV element in the mensaje parameter. NOTE: some of these details are obtained from third party information. http://mrzayas.es/wp-content/poc/nukeet.txt http://www.mrzayas.es/2008/04/04/xploitnukeet3/ 28614 nukeet-messages-xss(41646) SQL injection vulnerability in account/user/mail.html in Xpoze Pro 3.05 and earlier allows remote authenticated users to execute arbitrary SQL commands via the reed parameter. 28618 xpoze-mail-sql-injection(41656) 5358 SQL injection vulnerability in index.php in Terong PHP Photo Gallery (aka Advanced Web Photo Gallery) 1.0 allows remote attackers to execute arbitrary SQL commands via the photo_id parameter. 28626 photogallery-index-sql-injection(41665) 5364 PHP remote file inclusion vulnerability in index.php in VisualPic 0.3.1 allows remote attackers to execute arbitrary PHP code via a URL in the _CONFIG[files][functions_page] parameter. ADV-2008-1127 visualpic-index-file-include(41667) 5375 tss 0.8.1 allows local users to read arbitrary files via the -a parameter, which is processed while tss is running with privileges. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475747 tss-file-information-disclosure(41929) Stack-based buffer overflow in the demux_nsf_send_chunk function in src/demuxers/demux_nsf.c in xine-lib 1.1.12 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long NSF title. SUSE-SR:2008:012 GLSA-200808-01 DSA-1586 MDVSA-2008:177 MDVSA-2008:178 28816 USN-635-1 ADV-2008-1247 xinelib-demuxnsfsendchunk-bo(41865) 5458 FEDORA-2008-3326 FEDORA-2008-3353 The default configuration of Firebird before 2.0.3.12981.0-r6 on Gentoo Linux sets the ISC_PASSWORD environment variable before starting Firebird, which allows remote attackers to bypass SYSDBA authentication and obtain sensitive database information via an empty password. http://bugs.gentoo.org/show_bug.cgi?id=216158 GLSA-200805-06 29123 firebird-sysdba-unath-access(42299) Stack-based buffer overflow in the ParseSSA function (modules/demux/subtitle.c) in VLC 0.8.6e allows remote attackers to execute arbitrary code via a long subtitle in an SSA file. NOTE: this issue is due to an incomplete fix for CVE-2007-6681. http://aluigi.altervista.org/adv/vlcboffs-adv.txt http://aluigi.org/adv/vlcboffs-adv.txt GLSA-200804-25 http://wiki.videolan.org/Changelog/0.8.6f 20080317 VLC highlander bug 28251 28274 vlcmediaplayer-subtitle-bo(41237) vlc-parsessa-bo(41936) oval:org.mitre.oval:def:14872 5250 The server in Blackboard Academic Suite 7.x stores MD5 password hashes that are provided directly by clients, which makes it easier for remote attackers to access accounts via a modified client that skips the javascript/md5.js hash calculation, and instead sends an arbitrary MD5 string. http://secskill.wordpress.com/2008/03/27/hacking-blackboard-academic-suite-2/ 3810 http://www.scribd.com/doc/2363025/Hacking-Blackboard-Academic-Suite 20080326 Blackboard Academic Suite Multiple XSS Vulnerabilities blackboard-client-information-disclosure(41935) Directory traversal vulnerability in index.php in Wikepage Opus 13 2007.2 allows remote attackers to read arbitrary files via directory traversal sequences in the wiki parameter, a different vector than CVE-2006-4418. 20080407 Wikepage Opus 13 2007.2 Directory Traversal Vulnerbility 28664 wikepage-index-multiple-file-include(41688) Directory traversal vulnerability in the NeffyLauncher 1.0.5 ActiveX control (NeffyLauncher.dll) in CDNetworks Nefficient Download allows remote attackers to download arbitrary code onto a client system via a .. (dot dot) in the SkinPath parameter and a .zip URL in the HttpSkin parameter. NOTE: this can be leveraged for code execution by writing to a Startup folder. 20080407 CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities 28666 ADV-2008-1186 nefficientdload-neffylauncher-dir-traversal(41743) 5397 The NeffyLauncher 1.0.5 ActiveX control (NeffyLauncher.dll) in CDNetworks Nefficient Download uses weak cryptography for a KeyCode that blocks unauthorized use of the control, which allows remote attackers to bypass this protection mechanism by calculating the required KeyCode. NOTE: this can be used by arbitrary web sites to host exploit code that targets this control. 20080407 CDNetworks Nefficient Download(NeffyLauncher.dll) Vulnerabilities 28666 nefficientdownload-keycode-security-bypass(41933) 5397 Python 2.5.2 and earlier allows context-dependent attackers to execute arbitrary code via multiple vectors that cause a negative size value to be provided to the PyString_FromStringAndSize function, which allocates less memory than expected when assert() is disabled and triggers a buffer overflow. http://bugs.python.org/issue2587 APPLE-SA-2009-02-12 SUSE-SR:2008:017 GLSA-200807-01 http://support.apple.com/kb/HT3438 http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0122 DSA-1551 DSA-1620 http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5032900 20080411 IOActive Security Advisory: Incorrect input validation in PyString_FromStringAndSize() leads to multiple buffer overflows 20090824 rPSA-2009-0122-1 idle python 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 28749 USN-632-1 http://www.vmware.com/security/advisories/VMSA-2009-0016.html ADV-2009-3316 python-pystringfromstringandsize-bo(41944) oval:org.mitre.oval:def:10407 oval:org.mitre.oval:def:8624 Cross-site scripting (XSS) vulnerability in Microsoft Windows SharePoint Services 2.0 allows remote attackers to inject arbitrary web script or HTML via the Picture Source (aka picture object source) field in the Rich Text Editor. 20080409 CAU-2008-0002: Microsoft Windows SharePoint Services PictureSource XSS 28706 microsoft-sharepoint-picturesource-xss(41934) SQL injection vulnerability in viewcat.php in XplodPHP AutoTutorials 2.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter. 28808 ADV-2008-1244 autotutorials-viewcat-sql-injection(41855) 5457 SQL injection vulnerability in the Jom Comment 2.0 build 345 component for Joomla! allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28812 jomcomment-unspecified-sql-injection(41866) Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. http://aluigi.altervista.org/adv/webrickcgi-adv.txt SUSE-SR:2008:017 MDVSA-2008:140 MDVSA-2008:141 http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ ADV-2008-1245 ruby-webrick-cgi-info-disclosure(41824) FEDORA-2008-5649 Cross-site scripting (XSS) vulnerability in bs_auth.php in Blogator-script 0.95 and 1.01 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28810 blogatorscript-bsauth-xss(41930) PHP remote file inclusion vulnerability in index.php in W2B Online Banking allows remote attackers to execute arbitrary PHP code via a URL in the ilang parameter. 20080415 remote file include 28796 w2bonline-index-file-include(41931) Cross-site scripting (XSS) vulnerability in desktoplaunch/InfoView/logon/logon.object in BusinessObjects InfoView XI R2 SP1, SP2, and SP3 Java version before FixPack 3.5 allows remote attackers to inject arbitrary web script or HTML via the cms parameter. 20080413 DOINGSOFT-2008-03-10-001 - XSS issue in BOXiR2 20080413 DOINGSOFT-2008-03-10-001 - XSS issue in BOXiR2 http://resources.businessobjects.com/support/communitycs/FilesAndUpdates/boxir2_en_FixPack3.5_readme.pdf?recDnlReq=Record&dnlPath=boxir2_en_FixPack3.5_readme.pdf 28762 businessobjects-cms-xss(41875) Multiple SQL injection vulnerabilities in Carbon Communities 2.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) ID parameter to events.asp, the (2) UserName parameter to getpassword.asp, and possibly an unspecified parameter to (3) option_Update.asp in an edit action. http://bugreport.ir/index.php?/35 http://bugreport.ir/index.php?/35/exploit 20080416 Carbon Communities forum Multiple Vulnerabilities. 28806 carboncommunities-id-sql-injection(41845) 5456 Multiple cross-site scripting (XSS) vulnerabilities in Carbon Communities 2.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Redirect parameter to login.asp and the (2) OrderBy parameter to member_send.asp. http://bugreport.ir/index.php?/35 20080416 Carbon Communities forum Multiple Vulnerabilities. 28806 carboncommunities-login-membersend-xss(41846) 5456 The IAX2 channel driver (chan_iax2) in Asterisk Open Source 1.0.x, 1.2.x before 1.2.28, and 1.4.x before 1.4.19.1; Business Edition A.x.x, B.x.x before B.2.5.2, and C.x.x before C.1.8.1; AsteriskNOW before 1.0.3; Appliance Developer Kit 0.x.x; and s800i before 1.1.0.3, when configured to allow unauthenticated calls, does not verify that an ACK response contains a call number matching the server's reply to a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed ACK response that does not complete a 3-way handshake. NOTE: this issue exists because of an incomplete fix for CVE-2008-1923. http://bugs.digium.com/view.php?id=10078 http://downloads.digium.com/pub/security/AST-2008-006.html GLSA-200905-01 http://www.altsci.com/concepts/page.php?s=asteri&p=2 DSA-1563 20080422 AST-2008-006 - 3-way handshake in IAX2 incomplete 28901 1019918 ADV-2008-1324 asterisk-iax2protocol-ack-dos(41966) FEDORA-2008-3365 FEDORA-2008-3390 A certain ActiveX control in WkImgSrv.dll 7.03.0616.0, as distributed in Microsoft Works 7 and Microsoft Office 2003 and 2007, allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via an invalid WksPictureInterface property value, which triggers an improper function call. 20080502 Microsoft Work ActiveX Insecure Method Exploit http://blogs.technet.com/swi/archive/2008/06/05/why-there-wont-be-a-security-update-for-wkimgsrv-dll.aspx 20080417 Microsoft Works 7 WkImgSrv.dll crash POC 28820 microsoft-works-wkimgsrv-dos(41876) 5460 5530 option_Update.asp in Carbon Communities 2.4 and earlier allows remote attackers to edit arbitrary member information via a modified ID field. 20080416 Carbon Communities forum Multiple Vulnerabilities. carbon-optionupdate-sql-injection(41961) aptlinex before 0.91 allows local users to overwrite arbitrary files via a symlink attack on the gambas-apt.lock temporary file. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476588 aptlinex-gambasaptlock-symlink(41956) The GUI for aptlinex before 0.91 does not sufficiently warn the user of potentially dangerous actions, which allows remote attackers to remove or modify packages via an apt:// URL. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476572 aptlinex-gui-security-bypass(41954) PHP remote file inclusion vulnerability in news_show.php in Newanz NewsOffice 1.0 and 1.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the newsoffice_directory parameter. 28748 newsoffice-newsshow-file-include(41770) 5429 Cicoandcico CcMail 1.0.1 and earlier does not verify that the this_cookie cookie corresponds to an authenticated session, which allows remote attackers to obtain access to the "admin area" via a modified this_cookie cookie. 28751 ccmail-admin-security-bypass(41797) 5433 NMMediaServer.exe in Nero MediaHome 3.3.3.0 and earlier, as used in Nero 8.3.2.1 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a long HTTP request to TCP port 54444, a different vector than CVE-2007-2322. http://aluigi.altervista.org/adv/neromedia-adv.txt 28775 ADV-2008-1216 nero-nmmediaserver-dos(41795) Cross-site scripting (XSS) vulnerability in calendar.php in cpCommerce 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the year parameter in a view.year action. http://bugreport.ir/index.php?/34 28755 ADV-2008-1213 cpcommerce-calendar-xss(41780) 5437 Multiple SQL injection vulnerabilities in functions/display_page.func.php in cpCommerce 1.1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id_product, (2) id_manufacturer, and (3) id_category parameters to unspecified components. NOTE: this probably overlaps CVE-2007-2959 and CVE-2007-2890. http://bugreport.ir/index.php?/34 28755 cpcommerce-index-sql-injection(41781) 5437 Multiple directory traversal vulnerabilities in cpCommerce 1.1.0 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the language parameter in a language action to the default URI, which is not properly handled in actions/language.act.php, or (2) the action parameter to category.php. http://bugreport.ir/index.php?/34 28755 ADV-2008-1213 cpcommerce-multiple-file-include(41783) 5437 SQL injection vulnerability in comment.php in PHP Knowledge Base (PHPKB) 1.5 and 2.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. 28739 phpkb-comment-sql-injection(41769) 5428 Stack-based buffer overflow in the database service (ibserver.exe) in Borland InterBase 2007 SP2 allows remote attackers to execute arbitrary code via a malformed opcode 0x52 request to TCP port 3050. NOTE: this might overlap CVE-2007-5243 or CVE-2007-5244. 20080411 Borland InterBase 2007 "ibserver.exe" Buffer Overflow Vulnerability POC 28730 1019834 borland-ibserver-bo(41932) 5427 SQL injection vulnerability in includes/system.php in 1024 CMS 1.4.2 beta and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via a cookpass cookie. 28754 1024cms-system-sql-injection(41785) 5434 Stack-based buffer overflow in DivX Player 6.7 build 6.7.0.22 and earlier allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a long subtitle in a .SRT file. 20080415 DIVX Player <= 6.7.0 Buffer Overflow PoC ( .SRT ) 28799 1019921 ADV-2008-1235 5453 5492 SQL injection vulnerability in index.php in Lasernet CMS 1.5 and 1.11, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the new parameter in a new action. 28804 ADV-2008-1239 lasernet-index-sql-injection(41838) 5454 Stack-based buffer overflow in the AntServer module (AntServer.exe) in BigAnt IM Server in BigAnt Messenger 2.2 allows remote attackers to execute arbitrary code via a long URI in a request to TCP port 6080. NOTE: some of these details are obtained from third party information. 20080415 BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day) 20080417 Re: BigAnt Server 2.2 PreAuth Remote SEH Overflow Exploit (0day) 28795 ADV-2008-1238 bigantmessenger-antserver-bo(41830) 5451 SQL injection vulnerability in view.asp in DevWorx BlogWorx 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. 28776 ADV-2008-1305 blogworx-view-sql-injection(41808) 5480 Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart 5.x before 5.x-1.0-rc1 module for Drupal allow remote attackers to inject arbitrary web script or HTML via text fields intended for the (1) address and (2) order information, which are later displayed on the order view page and unspecified other administrative pages, a different vulnerability than CVE-2008-1428. http://drupal.org/node/241944 ADV-2008-1083 ubercart-orders-xss(41624) Multiple cross-site scripting (XSS) vulnerabilities in AMFPHP 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) class parameter to (a) methodTable.php, (b) code.php, and (c) details.php in browser/; and the (2) location parameter to browser/code.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28789 amfphp-multiple-xss(41835) SQL injection vulnerability in submit.php in PHP-Fusion 6.01.14 and 6.00.307, when magic_quotes_gpc is disabled and the database table prefix is known, allows remote authenticated users to execute arbitrary SQL commands via the submit_info[] parameter in a link submission action. NOTE: it was later reported that 7.00.2 is also affected. http://www.php-fusion.co.uk/news.php 28855 ADV-2008-1318 phpfusion-submit-sql-injection(41914) phpfusion-submitinfo-sql-injection(47610) 5470 7576 SQL injection vulnerability in listtest.php in YourFreeWorld Apartment Search Script allows remote attackers to execute arbitrary SQL commands via the r parameter. 28853 ADV-2008-1339 apartment-listtest-sql-injection(41902) 5471 Heap-based buffer overflow in the boxelyRenderer module in the Personal Status Manager feature in ICQ 6.0 build 6043 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted personal status message. http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-04-08 20080416 [INFIGO-2008-04-08]: ICQ 6 remote buffer overflow vulnerability 28803 ADV-2008-1299 icq-boxelyrenderer-bo(41852) SQL injection vulnerability in store_pages/category_list.php in 5th Avenue Shopping Cart 1.2 trial edition allows remote attackers to execute arbitrary SQL commands via the category_ID parameter. http://forum.aria-security.com/showthread.php?p=76 http://forum.aria-security.net/showthread.php?p=2233 20080418 5th avenue Shopping Cart SQL Injection 28841 5thavenue-categorylist-sql-injection(41885) 5464 Multiple stack-based buffer overflows in Sarg might allow attackers to execute arbitrary code via unknown vectors, probably a crafted Squid log file. SUSE-SR:2008:011 MDVSA-2009:073 29141 sarg-unspecified-bo(42321) The IAX2 channel driver (chan_iax2) in Asterisk 1.2 before revision 72630 and 1.4 before revision 65679, when configured to allow unauthenticated calls, sends "early audio" to an unverified source IP address of a NEW message, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed NEW message. http://bugs.digium.com/view.php?id=10078 http://downloads.digium.com/pub/security/AST-2008-006.html http://www.altsci.com/concepts/page.php?s=asteri&p=1 asterisk-new-dos(42049) Unspecified vulnerability in phpMyAdmin before 2.11.5.2, when running on shared hosts, allows remote authenticated users with CREATE table permissions to read arbitrary files via a crafted HTTP POST request, related to use of an undefined UploadDir variable. SUSE-SR:2008:026 SUSE-SR:2009:003 GLSA-200805-02 DSA-1557 MDVSA-2008:131 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-3 28906 ADV-2008-1328 phpmyadmin-unspecified-info-disclosure(41964) Buffer overflow in InspIRCd before 1.1.18, when using the namesx and uhnames modules, allows remote attackers to cause a denial of service (daemon crash) via a large number of channel users with crafted nicknames, idents, and long hostnames. GLSA-200805-08 http://www.inspircd.org/bugtrack/view_bug.php?bug_id=438 http://www.inspircd.org/forum/showthread.php?t=2945 [oss-security] 20080422 CVE Request: inspircd 28506 ADV-2008-1041 inspircd-multiple-dos(41543) Argument injection vulnerability in login (login-utils/login.c) in util-linux-ng 2.14 and earlier makes it easier for remote attackers to hide activities by modifying portions of log events, as demonstrated by appending an "addr=" statement to the login name, aka "audit log injection." http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=blobdiff;f=login-utils/login.c;h=230121316d953c59e7842c1325f6e9f326a37608;hp=aad27794327c60391b5148b367d2c79338fc6ee4;hb=8ccf0b253ac0f4f58d64bc9674de18bff5a88782;hpb=3a4a13b12a8065b0b5354686d2807cce421a9973 http://git.kernel.org/?p=utils/util-linux-ng/util-linux-ng.git;a=commit;h=8ccf0b253ac0f4f58d64bc9674de18bff5a88782 http://wiki.rpath.com/Advisories:rPSA-2009-0143 MDVSA-2008:114 RHSA-2009:0981 20091112 rPSA-2009-0143-1 util-linux util-linux-extras 28983 1022256 ADV-2008-1392 utillinuxng-login-data-manipulation(41987) oval:org.mitre.oval:def:9833 FEDORA-2008-3419 Double free vulnerability in Perl 5.8.8 allows context-dependent attackers to cause a denial of service (memory corruption and crash) via a crafted regular expression containing UTF8 characters. NOTE: this issue might only be present on certain operating systems. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=454792 APPLE-SA-2009-02-12 SUSE-SR:2008:017 http://rt.perl.org/rt3/Public/Bug/Display.html?id=48156 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-317.htm http://support.avaya.com/elmodocs2/security/ASA-2008-361.htm http://wiki.rpath.com/Advisories:rPSA-2009-0011 DSA-1556 GLSA-200805-17 http://www.ipcop.org/index.php?name=News&file=article&sid=41 MDVSA-2008:100 RHSA-2008:0522 RHSA-2008:0532 20090120 rPSA-2009-0011-1 perl 28928 1020253 USN-700-1 USN-700-2 http://www.vmware.com/security/advisories/VMSA-2008-0013.html ADV-2008-2265 ADV-2008-2361 ADV-2008-2424 ADV-2009-0422 perl-utf8-dos(41996) oval:org.mitre.oval:def:10579 FEDORA-2008-3392 FEDORA-2008-3399 Buffer overflow in Imager 0.42 through 0.63 allows attackers to cause a denial of service (crash) via an image based fill in which the number of input channels is different from the number of output channels. http://imager.perl.org/i/release064/Imager_0_64 http://rt.cpan.org/Public/Bug/Display.html?id=35324 28980 ADV-2008-1387 imager-doubleprecisionimage-bo(41986) FEDORA-2008-3352 The cookie authentication method in WordPress 2.5 relies on a hash of a concatenated string containing USERNAME and EXPIRY_TIME, which allows remote attackers to forge cookies by registering a username that results in the same concatenated string, as demonstrated by registering usernames beginning with "admin" to obtain administrator privileges, aka a "cryptographic splicing" issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-6013. http://wordpress.org/development/2008/04/wordpress-251/ http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt 20080425 Wordpress 2.5 Cookie Integrity Protection Vulnerability 28935 1019923 ADV-2008-1372 wordpress-cookie-security-bypass(42027) Realtek HD Audio Codec Drivers RTKVHDA.sys and RTKVHDA64.sys before 6.0.1.5605 on Windows Vista allow local users to create, write, and read registry keys via a crafted IOCTL request. 20080423 [W01-0408] Realtek HD Audio Codec Drivers (Vista) - Local Privilege Escalation 28909 ADV-2008-1350 http://www.wintercore.com/advisories/advisory_W010408.html realtek-ioctl-privilege-escalation(41976) Integer overflow in Realtek HD Audio Codec Drivers RTKVHDA.sys and RTKVHDA64.sys before 6.0.1.5605 on Windows Vista allows local users to execute arbitrary code via a crafted IOCTL request. 20080423 [W01-0408] Realtek HD Audio Codec Drivers (Vista) - Local Privilege Escalation 28909 ADV-2008-1350 http://www.wintercore.com/advisories/advisory_W010408.html realtek-ioctl-overflow(42079) Absolute path traversal vulnerability in a certain ActiveX control in Zune allows user-assisted remote attackers to overwrite arbitrary files via the SaveToFile method. NOTE: the victim must explicitly allow the code to run. 20080423 Zune software - arbitrary file overwrite zune-activex-file-overwrite(42028) 5489 SQL injection vulnerability in commentaires.php in Crazy Goomba 1.2.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. 28880 ADV-2008-1304 http://www.z0rlu.ownspace.org/index.php?/archives/58-Crazy-Goomba-1.2.1-SQL-inj.html crazygoomba-id-sql-injection(42023) 5481 SQL injection vulnerability in the Filiale 1.0.4 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the idFiliale parameter. 28900 ADV-2008-1346 filiale-index-sql-injection(41980) 5488 SQL injection vulnerability in index.php in Classifieds Caffe allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in an add action. NOTE: this issue might be site-specific. 20080416 Classifieds Caffe (index.php cat_id) Remote SQL Injection 28800 ADV-2008-1240 classifiedcaffe-index-sql-injection(42121) 5450 The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges. http://hg.moinmo.in/moin/1.6/rev/f405012e67af http://moinmo.in/SecurityFixes GLSA-200805-09 28869 ADV-2008-1307 moinmoin-userform-security-bypass(41909) Sony Mylo COM-2 Japanese model firmware before 1.002 does not properly verify web server SSL certificates, which allows remote attackers to obtain sensitive information and conduct spoofing attacks. http://esupport.sony.com/perl/news-item.pl?news_id=262&mdl=COM2 JVN#76788395 http://mylo.nccl.sony.co.jp/download/M-W002-001-02/index.html http://mylo.nccl.sony.co.jp/hotnews/2008/04/01/index.html 28905 ADV-2008-1349 sony-mylo-ssl-spoofing(41971) Multiple SQL injection vulnerabilities in W1L3D4 Philboard 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) topic parameters to (a) philboard_reply.asp, and the (3) forumid parameter to (b) philboard_newtopic.asp, different vectors than CVE-2007-2641 and CVE-2007-0920. 28871 ADV-2008-1340 philboard-philboardreply-sql-injection(41957) 5475 The RBAC functionality in grsecurity before 2.1.11-2.6.24.5 and 2.1.11-2.4.36.2 does not enforce user_transition_deny and user_transition_allow rules for the (1) sys_setfsuid and (2) sys_setfsgid calls, which allows local users to bypass restrictions for those calls. http://www.grsecurity.org/news.php#grsec21113 28889 1019919 ADV-2008-1323 grsecurity-rbac-security-bypass(41952) Cross-site scripting (XSS) vulnerability in the profile update feature in Akiva WebBoard 8.0 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in the form field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28895 webboard-profile-page-xss(41969) Foxit Reader 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PDF file with (1) a malformed ExtGState resource containing a /Font resource, or (2) an XObject resource with a Rotate setting, which triggers memory corruption. NOTE: this is probably a different vulnerability than CVE-2007-2186. 28890 http://www.vallejo.cc/proyectos/foxitreader1.htm http://www.vallejo.cc/proyectos/foxitreader2.htm ADV-2008-1327 foxitreader-pdf-xobject-code-execution(41972) foxitreader-extgstate-code-execution(41973) Buffer overflow in the backend of XenSource Xen Para Virtualized Frame Buffer (PVFB) 3.0 through 3.1.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted description of a shared framebuffer. Possible solution and more infomation located here: http://rhn.redhat.com/errata/RHSA-2008-0194.html RHSA-2008:0194 29183 1020008 ADV-2008-1900 https://bugzilla.redhat.com/show_bug.cgi?id=443078 xen-pvfb-description-dos(42387) oval:org.mitre.oval:def:10338 Buffer overflow in the backend framebuffer of XenSource Xen Para-Virtualized Framebuffer (PVFB) Message 3.0 through 3.0.3 allows local users to cause a denial of service (SDL crash) and possibly execute arbitrary code via "bogus screen updates," related to missing validation of the "format of messages." https://bugzilla.redhat.com/show_bug.cgi?id=443078 "The PVFB backend is a user space program running as root in dom0" RHSA-2008:0194 29186 1020009 https://bugzilla.redhat.com/show_bug.cgi?id=443390 xen-pvfb-message-dos(42388) oval:org.mitre.oval:def:10868 QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004. SUSE-SR:2009:008 DSA-1799 MDVSA-2008:162 30604 1020959 USN-776-1 qemu-image-security-bypass(44269) oval:org.mitre.oval:def:9905 RHSA-2008:0892 The default configuration of su in /etc/pam.d/su in GNU coreutils 5.2.1 allows local users to gain the privileges of a (1) locked or (2) expired account by entering the account name on the command line, related to improper use of the pam_succeed_if.so module. RHSA-2008:0780 1020552 30363 coreutils-pamsucceedif-security-bypass(43993) oval:org.mitre.oval:def:10029 Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add. APPLE-SA-2008-10-09 SUSE-SR:2008:014 SUSE-SR:2009:004 HPSBUX02401 HPSBST02955 [tomcat-user] 20080602 [SECURITY] CVE-2008-1947: Tomcat host-manager XSS vulnerability http://support.apple.com/kb/HT3216 http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html DSA-1593 MDVSA-2008:188 RHSA-2008:0648 RHSA-2008:0862 RHSA-2008:0864 20080602 [SECURITY] CVE-2008-1947: Tomcat host-manager XSS vulnerability 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 29502 31681 1020624 http://www.vmware.com/security/advisories/VMSA-2009-0002.html http://www.vmware.com/security/advisories/VMSA-2009-0016.html ADV-2008-1725 ADV-2008-2780 ADV-2008-2823 ADV-2009-0320 ADV-2009-0503 ADV-2009-3316 apache-tomcat-hostmanager-xss(42816) [tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ [tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ oval:org.mitre.oval:def:11534 oval:org.mitre.oval:def:6009 FEDORA-2008-7977 FEDORA-2008-8113 FEDORA-2008-8130 The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hello message during extension handling, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a zero value for the length of Server Names, which leads to a buffer overflow in session resumption data in the pack_security_parameters function, aka GNUTLS-SA-2008-1-1. http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=bc8102405fda11ea00ca3b42acc4f4bce9d6e97b [gnutls-devel] 20080519 GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1] [gnutls-devel] 20080519 Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1] [gnutls-devel] 20080519 GnuTLS 2.2.5 - Brown paper bag release SUSE-SA:2008:046 GLSA-200805-20 3902 http://sourceforge.net/project/shownotes.php?release_id=600646&group_id=21558 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0174 http://www.cert.fi/haavoittuvuudet/advisory-gnutls.html DSA-1581 VU#111034 MDVSA-2008:106 [oss-security] 20080520 Re: CVE ID request: GNUTLS [oss-security] 20080520 Re: CVE ID request: GNUTLS [oss-security] 20080520 Re: CVE ID request: GNUTLS RHSA-2008:0489 RHSA-2008:0492 20080520 Vulnerability Advisory on GnuTLS 20080522 rPSA-2008-0174-1 gnutls 29292 1020057 USN-613-1 ADV-2008-1582 ADV-2008-1583 gnutls-gnutlsservernamerecvparams-bo(42532) https://issues.rpath.com/browse/RPL-2552 oval:org.mitre.oval:def:10935 FEDORA-2008-4183 FEDORA-2008-4259 FEDORA-2008-4274 The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already been processed, which allows remote attackers to cause a denial of service (NULL dereference and crash) via a TLS message containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2. http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=bc8102405fda11ea00ca3b42acc4f4bce9d6e97b [gnutls-devel] 20080519 GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1] [gnutls-devel] 20080519 Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1] [gnutls-devel] 20080519 GnuTLS 2.2.5 - Brown paper bag release SUSE-SA:2008:046 GLSA-200805-20 3902 http://sourceforge.net/project/shownotes.php?release_id=600646&group_id=21558 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0174 http://www.cert.fi/haavoittuvuudet/advisory-gnutls.html DSA-1581 VU#252626 MDVSA-2008:106 [oss-security] 20080520 Re: CVE ID request: GNUTLS [oss-security] 20080520 Re: CVE ID request: GNUTLS [oss-security] 20080520 Re: CVE ID request: GNUTLS RHSA-2008:0489 RHSA-2008:0492 20080520 Vulnerability Advisory on GnuTLS 20080522 rPSA-2008-0174-1 gnutls 29292 1020058 USN-613-1 ADV-2008-1582 ADV-2008-1583 gnutls-gnutlsrecvclientkxmessage-bo(42530) https://issues.rpath.com/browse/RPL-2552 oval:org.mitre.oval:def:9519 FEDORA-2008-4183 FEDORA-2008-4259 FEDORA-2008-4274 Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-read and crash) via a certain integer value in the Random field in an encrypted Client Hello message within a TLS record with an invalid Record Length, which leads to an invalid cipher padding length, aka GNUTLS-SA-2008-1-3. The vendor has released a statement regarding this issue: http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001208.html http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=bc8102405fda11ea00ca3b42acc4f4bce9d6e97b [gnutls-devel] 20080519 GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1] [gnutls-devel] 20080519 Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1] [gnutls-devel] 20080519 GnuTLS 2.2.5 - Brown paper bag release SUSE-SA:2008:046 GLSA-200805-20 3902 http://sourceforge.net/project/shownotes.php?release_id=600646&group_id=21558 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0174 http://www.cert.fi/haavoittuvuudet/advisory-gnutls.html DSA-1581 VU#659209 MDVSA-2008:106 [oss-security] 20080520 Re: CVE ID request: GNUTLS [oss-security] 20080520 Re: CVE ID request: GNUTLS [oss-security] 20080520 Re: CVE ID request: GNUTLS RHSA-2008:0489 RHSA-2008:0492 20080520 Vulnerability Advisory on GnuTLS 20080522 rPSA-2008-0174-1 gnutls 29292 1020059 USN-613-1 ADV-2008-1582 ADV-2008-1583 gnutls-gnutlsciphertext2compressed-bo(42533) https://issues.rpath.com/browse/RPL-2552 oval:org.mitre.oval:def:11393 FEDORA-2008-4183 FEDORA-2008-4259 FEDORA-2008-4274 Untrusted search path vulnerability in a certain Red Hat build script for Standards Based Linux Instrumentation for Manageability (sblim) libraries before 1-13a.el4_6.1 in Red Hat Enterprise Linux (RHEL) 4, and before 1-31.el5_2.1 in RHEL 5, allows local users to gain privileges via a malicious library in a certain subdirectory of /var/tmp, related to an incorrect RPATH setting, as demonstrated by a malicious libc.so library for tog-pegasus. 29913 1020354 https://bugzilla.redhat.com/show_bug.cgi?id=447705 redhat-sblim-privilege-escalation(43315) oval:org.mitre.oval:def:9635 RHSA-2008:0497 The backend for XenSource Xen Para Virtualized Frame Buffer (PVFB) in Xen ioemu does not properly restrict the frame buffer size, which allows attackers to cause a denial of service (crash) by mapping an arbitrary amount of guest memory. [Xen-devel] 20080521 [PATCH] ioemu: Fix PVFB backend to limit frame buffer size [oss-security] 20080521 New Xen ioemu: PVFB backend issue 30646 1020957 http://xenbits.xensource.com/xen-unstable.hg?rev/9044705960cb30cec385bdca7305bcf7db096721 xen-pvfb-ioemu-dos(43362) oval:org.mitre.oval:def:11189 RHSA-2008:0892 Cross-site scripting (XSS) vulnerability in the Sitedesigner before 1.1.5 search template in Magnolia Enterprise Edition allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://jira.magnolia.info/browse/MGNLSD-175 28897 magnolia-search-template-xss(41962) SQL injection vulnerability in one_day.php in Web Calendar Pro 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the user_id parameter. 28921 ADV-2008-1343 webcalendarpro-oneday-sql-injection(41963) 5485 Cross-site scripting (XSS) vulnerability in rep.php in Martin BOUCHER MyBoard 1.0.12 allows remote attackers to inject arbitrary web script or HTML via the id parameter. information. 28823 http://www.z0rlu.ownspace.org/index.php?/archives/52-MyBoard-1.0.12-XSS.html myboard-rep-xss(42024) Cross-site scripting (XSS) vulnerability in index.php in Wikepage Opus 13 2007.2 allows remote attackers to inject arbitrary web script or HTML via the wiki parameter. http://sourceforge.net/tracker/index.php?func=detail&aid=1938445&group_id=128991&atid=713448 20080418 Wikepage Wiki v.2007-2 Cross-Site Scripting 28842 wikepage-wiki-xss(42058) SQL injection vulnerability in news.php in Tr Script News 2.1 allows remote attackers to execute arbitrary SQL commands via the nb parameter in voir mode. 28876 ADV-2008-1319 trscriptnews-news-sql-injection(41946) 5483 Unrestricted file upload vulnerability in the ajout_cat mode in admin/main.php in Tr Script News 2.1 allows remote authenticated users to execute arbitrary code by uploading a file with a .php extension. trscriptnews-main-file-upload(41953) 5483 Stack-based buffer overflow in the get_remote_video_port_media function in call.cpp in SIPp 3.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted SIP message. NOTE: some of these details are obtained from third party information. http://sourceforge.net/project/shownotes.php?release_id=593806&group_id=104305 28884 ADV-2008-1322 sipp-getremotevideoportmedia-bo(41945) FEDORA-2008-3508 Cross-site scripting (XSS) vulnerability in cgi-bin/contray/search.cgi in ContRay 3.x allows remote attackers to inject arbitrary web script or HTML via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28883 contray-search-xss(41937) SQL injection vulnerability in index.php in Voice Of Web AllMyGuests 0.4.1 allows remote attackers to execute arbitrary SQL commands via the AMG_id parameter in a comments action. 28850 allmyguests-index-sql-injection(41910) 5469 Multiple directory traversal vulnerabilities in Aterr 0.9.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) class parameter to include/functions.inc.php and the (2) file parameter to include/common.inc.php. 28861 aterr-functions-common-file-include(41903) 5474 PHP remote file inclusion vulnerability in includes/functions.php in Quate Grape Web Statistics 0.2a allows remote attackers to execute arbitrary PHP code via a URL in the location parameter. 28838 grapewebstatistics-functions-file-include(41883) 5463 ** DISPUTED ** Stack-based buffer overflow in the demux_nsf_send_headers function in src/demuxers/demux_nsf.c in xine-lib allows remote attackers to have an unknown impact via a long copyright field in an NSF header in an NES Sound file, a different issue than CVE-2008-1878. NOTE: a third party claims that the copyright field always has a safe length. 20080423 xine-lib NES Sound Format Demuxer Buffer Overflow 20080423 Re: xine-lib NES Sound Format Demuxer Buffer Overflow 28908 Argument injection vulnerability in the cai: URI handler in rcplauncher in IBM Lotus Expeditor Client for Desktop 6.1.1 and 6.1.2, as used by Lotus Symphony and possibly other products, allows remote attackers to execute arbitrary code by injecting a -launcher option via a cai: URI, as demonstrated by a reference to a UNC share pathname. 20080424 Lotus expeditor rcplauncher uri handler vulnerability http://thomas.pollet.googlepages.com/lotusexpeditorurihandlervulnerability 20080425 Lotus expeditor rcplauncher uri handler vulnerability 28926 1019951 1019952 ADV-2008-1394 http://www-1.ibm.com/support/docview.wss?uid=swg21303813 ibm-lotussymphony-rcplauncher-code-execution(41990) Multiple buffer overflows in the JAR file administration routines in the BSU JAVA subcomponent in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 allow remote authenticated users to cause a denial of service (instance crash) via a call to the (1) RECOVERJAR or (2) REMOVE_JAR procedure with a crafted parameter, related to (a) sqlj.install_jar and (b) sqlj.replace_jar. http://www-1.ibm.com/support/docview.wss?uid=swg21255572http://www-1.ibm.com/support/docview.wss?uid=swg21287889 http://www-1.ibm.com/support/docview.wss?uid=swg21256235 http://www.appsecinc.com/resources/alerts/db2/2008-04.shtml 20080418 Team SHATTER Security Advisory: Multiple DoS in JAR files manipulation procedures 28835 29601 IZ08512 IZ08945 IZ15496 http://www-1.ibm.com/support/docview.wss?uid=swg21255607 ibm-db2-recoverjar-removejar-dos(41955) Cross-site scripting (XSS) vulnerability in CFLogon/CFLogon.asp in Cezanne 6.5.1 and 7 allows remote attackers to inject arbitrary web script or HTML via the SleUserName parameter. 3828 20080414 S21SEC-041-en:Cezanne SW Cross-Site Scripting 28774 cezanne-cflogon-xss(41813) Multiple SQL injection vulnerabilities in Cezanne 7 allow remote authenticated users to execute arbitrary SQL commands via the FUNID parameter to (1) CFLookup.asp and (2) CznCommon/CznCustomContainer.asp. 3830 20080414 S21SEC-043-en:Cezanne SW Blind SQL Injection 28773 cezanne-funid-sql-injection(41816) Multiple cross-site scripting (XSS) vulnerabilities in Cezanne 6.5.1 and 7 allow remote attackers to inject arbitrary web script or HTML via the (1) LookUPId and (2) CbFun parameters to (a) CFLookUP.asp; (3) TitleParms, (4) WidgetsHeights, (5) WidgetsLinks, and (6) WidgetsTitles parameters to (b) CznCommon/CznCustomContainer.asp, (7) CFTARGET parameter to (c) home.asp, (8) PersonOid parameter to (d) PeopleWeb/Cards/CVCard.asp, (9) DESTLINKOID and PersonOID parameters to (e) PeopleWeb/Cards/PayrollCard.asp, and the (10) FolderTemplateId and (11) FolderTemplateName parameters to (f) PeopleWeb/CznDocFolder/CznDFStartProcess.asp. 3829 20080414 S21SEC-042-en:Cezanne SW Cross-Site Scripting (login required) 28772 cezanne-multiple-xss(41821) muCommander before 0.8.2 stores credentials.xml with insecure permissions, which allows local users to obtain credentials. http://www.mucommander.com/changes.php 28875 mucommander-credentials-info-disclosure(41908) phShoutBox Final 1.5 and earlier only checks passwords when specified in $_POST, which allows remote attackers to gain privileges by setting the (1) phadmin cookie to admin.php, or (2) in 1.4 and earlier, the ssbadmin cookie to shoutadmin.php. 28856 phshoutbox-admin-security-bypass(41901) 5467 Multiple cross-site scripting (XSS) vulnerabilities in the user account creation feature in Exponent CMS 0.96.6-GA20071003 and earlier, when the Allow Registration? configuration option is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) firstname, (3) lastname, and (4) e-mail address fields. NOTE: some of these details are obtained from third party information. Patch Link: http://www.exponentcms.org/index.php?action=view&id=64&module=newsmodule&src=%40random44fe03276195 http://sourceforge.net/project/shownotes.php?release_id=592961&group_id=118524 28834 exponentcms-newaccount-xss(41878) Heap-based buffer overflow in SubEdit Player build 4056 and 4066 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long subtitle file. 28858 ADV-2008-1306 subeditplayer-subtitle-bo(41913) 5472 Cross-site scripting (XSS) vulnerability in addevent.php in Horde Kronolith 2.1.7, Groupware Webmail Edition 1.0.6, and Groupware 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the url parameter. http://forum.aria-security.com/showthread.php?t=49 [kronolith] 20080427 Kronolith H3 (2.1.8) (final) 3831 20080422 Horde Webmail XSS [Aria-Security] 28898 1019934 ADV-2008-1373 horde-webmail-addevent-xss(41974) DSA-1560 FEDORA-2008-3543 FEDORA-2008-3460 SQL injection vulnerability in index.php in E-RESERV 2.1 allows remote attackers to execute arbitrary SQL commands via the ID_loc parameter. 28899 ADV-2008-1345 ereserv-idloc-sql-injection(41970) 5487 Multiple cross-site scripting (XSS) vulnerabilities in the Drupal modules (1) Internationalization (i18n) 5.x before 5.x-2.3 and 5.x-1.1 and 6.x before 6.x-1.0 beta 1; and (2) Localizer 5.x before 5.x-3.4, 5.x-2.1, and 5.x-1.11; allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://drupal.org/node/250344 28916 ADV-2008-1352 internationalization-localizer-xss(41977) Cross-site request forgery (CSRF) vulnerability in the Internationalization (i18n) Drupal module 5.x before 5.x-2.3 and 5.x-1.1, and 6.x before 6.x-1.0 beta 1, allows remote attackers to change node translation relationships via unspecified vectors. http://drupal.org/node/250344 28916 ADV-2008-1352 internationalization-translator-csrf(41982) Cross-site scripting (XSS) vulnerability in the Ubercart 5.x before 5.x-1.0 rc3 module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via node titles related to unspecified product features, a different vector than CVE-2008-1428. http://drupal.org/node/250343 28914 ADV-2008-1351 ubercart-module-xss(41975) The Discovery Service (casdscvc) in CA ARCserve Backup 12.0.5454.0 and earlier allows remote attackers to cause a denial of service (crash) via a packet with a large integer value used in an increment to TCP port 41523, which triggers a buffer over-read. http://aluigi.altervista.org/adv/carcbackazz-adv.txt 20080618 CA ARCserve Backup Discovery Service Denial of Service Vulnerability 28927 1020324 ADV-2008-1354 ca-arcservebackup-casdscvc-dos(41869) Cross-site scripting (XSS) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://drupal.org/node/250408 ADV-2008-1353 epublish-unspecified-xss(41979) Cross-site request forgery (CSRF) vulnerability in E-Publish 5.x before 5.x-1.1 and 6.x before 6.x-1.0 beta1, a Drupal module, allows remote attackers to perform unauthorized actions as other users via unspecified vectors. http://drupal.org/node/250408 ADV-2008-1353 epublish-forms-csrf(41978) SQL injection vulnerability in ss_load.php in the Spreadsheet (wpSS) 0.6 and earlier plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter. http://timrohrer.com/blog/?p=120 28894 ADV-2008-1344 spreadsheet-ssload-sql-injection(41968) 5486 Cross-site scripting (XSS) vulnerability in Advanced Electron Forum (AEF) 1.0.6 allows remote attackers to inject arbitrary web script or HTML via the beg parameter in a members action to index.php. 28865 http://www.z0rlu.ownspace.org/index.php?/archives/60-Advanced-Electron-Forum-AEF-1.0.6-XSS.html advancedelectronforum-beg-xss(41951) The eTrust Common Services (Transport) Daemon (eCSqdmn) in CA Secure Content Manager 8.0.28000.511 and earlier allows remote attackers to cause a denial of service (crash or CPU consumption) via a malformed packet to TCP port 1882. http://aluigi.altervista.org/adv/ecsqdamn-adv.txt 28888 1019913 ADV-2008-1355 ca-scm-ecsqdmn-dos(41890) Cross-site scripting (XSS) vulnerability in base.php in DigitalHive 2.0 RC2 allows remote attackers to inject arbitrary web script or HTML via the mt parameter, possibly related to membres.php. 28918 http://www.z0rlu.ownspace.org/index.php?/archives/65-hive-v2.RC2-XSS.html digitalhive-base-xss(42006) Cross-site scripting (XSS) vulnerability in liste_article.php in Blog Pixel Motion (aka PixelMotion) allows remote attackers to inject arbitrary web script or HTML via the jours parameter. 28920 http://www.z0rlu.ownspace.org/index.php?/archives/63-Blog-PixelMotion-XSS.html blogpixelmotion-listearticle-xss(42011) Cross-site scripting (XSS) vulnerability in search.php in EncapsGallery 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the search parameter. http://www.encaps.net/software/encapsgallery/download-image-album.php 28887 encapsgallery-search-xss(41948) Unrestricted file upload vulnerability in the file_upload function in core/misc.class.php in EncapsGallery 2.0.2 allows remote authenticated administrators to upload and execute arbitrary PHP files by uploading a file with an executable extension, then accessing it via a direct request to the file in the rwx_gallery directory. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28887 encapsgallery-miscclass-file-upload(41949) PHP remote file inclusion vulnerability in 123flashchat.php in the 123 Flash Chat 6.8.0 module for e107, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the e107path parameter. 28828 123flashchat-e107path-file-include(41867) 5459 Multiple SQL injection vulnerabilities in Acidcat CMS 3.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) cID parameter to default.asp and the (2) username parameter to main_login2.asp. http://bugreport.ir/index.php?/36 3842 20080420 Acidcat CMS Multiple Vulnerabilities 28868 acidcat-default-sql-injection(41918) 5478 Cross-site scripting (XSS) vulnerability in admin_colors_swatch.asp in Acidcat CMS 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the field parameter. http://bugreport.ir/index.php?/36 3842 20080420 Acidcat CMS Multiple Vulnerabilities 28868 acidcat-admincolorsswatch-xss(41919) 5478 Acidcat CMS 3.4.1 does not properly restrict access to (1) default_mail_aspemail.asp, (2) default_mail_cdosys.asp or (3) default_mail_jmail.asp, which allows remote attackers to bypass restrictions and relay email messages with modified From, FromName, and To fields. http://bugreport.ir/index.php?/36 3842 20080420 Acidcat CMS Multiple Vulnerabilities 28868 acidcat-email-security-bypass(41921) 5478 Acidcat CMS 3.4.1 does not restrict access to the FCKEditor component, which allows remote attackers to upload arbitrary files. http://bugreport.ir/index.php?/36 3842 20080420 Acidcat CMS Multiple Vulnerabilities 28868 acidcat-fckeditor-file-upload(41922) 5478 Multiple stack-based buffer overflows in (a) acon.c, (b) menu.c, and (c) child.c in Acon 1.0.5-5 through 1.0.5-7 allow local users to execute arbitrary code via (1) a long HOME environment variable or (2) a large number of terminal columns. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475733 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=476603 28862 acon-home-bo(41915) Sun Java System Directory Proxy Server 6.0, 6.1, and 6.2 classifies a connection using the "bind-dn" criteria, which can cause an incorrect application of policy and allows remote attackers to bypass intended access restrictions for the server. 235381 28941 1019925 ADV-2008-1374 licq before 1.3.6 allows remote attackers to cause a denial of service (file-descriptor exhaustion and application crash) via a large number of connections. More information located: http://www.securityfocus.com/bid/28679/info SUSE-SR:2008:010 20080410 Re: licq remote DoS? 3851 http://www.licq.org/changeset/6146 http://www.licq.org/ticket/1623 MDVSA-2008:159 [oss-security] 20080425 CVE request: licq denial of service 20080408 licq remote DoS? 20080410 Re: Re: licq remote DoS? 28679 ADV-2008-1446 licq-connections-dos(41732) FEDORA-2008-3812 Unspecified vulnerability in the ADMIN_SP_C2 procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unknown vectors. NOTE: the ADMIN_SP_C issue is already covered by CVE-2008-0699. IBM link requires login credentials. 3841 http://www.appsecinc.com/resources/alerts/db2/2008-02.shtml 20080418 Team SHATTER Security Advisory: IBM DB2 UDB Arbitrary code execution in ADMIN_SP_C/ADMIN_SP_C2 procedures IZ06972 The NNSTAT (aka SYSPROC.NNSTAT) procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 on Windows allows remote authenticated users to overwrite arbitrary files via the log file parameter. 3840 http://www.appsecinc.com/resources/alerts/db2/2008-03.shtml 20080418 Team SHATTER Security Advisory: IBM DB2 UDB Arbitrary file overwrite in SYSPROC.NNSTAT procedure 28836 IZ06976 IZ06977 IZ10776 ibm-db2-nnstat-file-overwrite(41960) Apple Safari 3.1.1 allows remote attackers to spoof the address bar by placing many "invisible" characters in the userinfo subcomponent of the authority component of the URL (aka the user field), as demonstrated by %E3%80%80 sequences. http://es.geocities.com/jplopezy/pruebasafari3.html 3833 20080422 Safari 3.1.1 Multiple Vulnerabilities for windows ADV-2008-1347 apple-safari-user-addressbar-spoofing(41981) Unspecified vulnerability in Apple Safari 3.1.1 allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls document.write in an infinite loop. http://es.geocities.com/jplopezy/pruebasafari3.html 3833 20080422 Safari 3.1.1 Multiple Vulnerabilities for windows ADV-2008-1347 apple-safari-documentwrite-dos(41985) Apple Safari 3.1.1 allows remote attackers to cause a denial of service (application crash) via a file:///%E2 link that triggers an out-of-bounds access, possibly due to a NULL pointer dereference. http://es.geocities.com/jplopezy/pruebasafari3.html 3833 20080422 Safari 3.1.1 Multiple Vulnerabilities for windows ADV-2008-1347 apple-safari-file-dos(41984) Multiple cross-site request forgery (CSRF) vulnerabilities on Motorola Surfboard with software SB5100-2.3.3.0-SCM00-NOSH allow remote attackers to (1) cause a denial of service (device reboot) via the "Restart Cable Modem" value in the BUTTON_INPUT parameter to configdata.html, and (2) cause a denial of service (hard reset) via the "Reset All Defaults" value in the BUTTON_INPUT parameter to configdata.html. 3839 VU#643049 http://www.rooksecurity.com/blog/?p=4 20080418 Sea-Surfing on the Motorola Surfboard ADV-2008-1390 surfboard-configdata-csrf(42091) BadBlue 2.72 Personal Edition stores multiple programs in the web document root with insufficient access control, which allows remote attackers to (1) cause a denial of service via multiple invocations of uninst.exe, and have an unknown impact via (2) badblue.exe and (3) dyndns.exe. NOTE: this can be leveraged for arbitrary remote code execution in conjunction with CVE-2007-6378. 3832 20080424 DDIVRT-2008-11 BadBlue uninst.exe DoS badblue-multiple-weak-security(42090) The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. [Qemu-devel] 20080428 [4277] add format= to drive options (CVE-2008-2004) http://svn.savannah.gnu.org/viewvc/?view=rev&root=qemu&revision=4277 MDVSA-2008:162 SUSE-SR:2008:013 RHSA-2008:0194 29101 USN-776-1 qemu-driveinit-security-bypass(42268) oval:org.mitre.oval:def:11021 The SuiteLink Service (aka slssvc.exe) in WonderWare SuiteLink before 2.0 Patch 01, as used in WonderWare InTouch 8.0, allows remote attackers to cause a denial of service (NULL pointer dereference and service shutdown) and possibly execute arbitrary code via a large length value in a Registration packet to TCP port 5413, which causes a memory allocation failure. http://www.coresecurity.com/?action=item&id=2187 VU#596268 20080505 CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability 28974 1019966 suitelinkservice-slssvc-dos(42221) 6474 Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and user-assisted remote attackers, to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a .ics file containing (1) a large 16-bit integer on a TRIGGER line, or (2) a large integer in a COUNT field on an RRULE line. 3901 http://www.coresecurity.com/?action=item&id=2219 20080521 CORE-2008-0126: Multiple vulnerabilities in iCal 20080527 Re: CORE-2008-0126: Multiple vulnerabilities in iCal 20080528 Re: CORE-2008-0126: Multiple vulnerabilities in iCal 28629 28632 1020094 ADV-2008-1601 ical-trigger-dos(42569) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1035. Reason: This candidate is a reservation duplicate of CVE-2008-1035. Notes: All CVE users should reference CVE-2008-1035 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in the Display Names message feature in Cerulean Studios Trillian Basic and Pro 3.1.9.0 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long nickname in an MSN protocol message. 3849 20080424 Trillian 3.1 basic nick crash 28925 ADV-2008-1368 Xiph.org libvorbis before 1.0 does not properly check for underpopulated Huffman trees, which allows remote attackers to cause a denial of service (crash) via a crafted OGG file that triggers memory corruption during execution of the _make_decode_tree function. Per http://svn.xiph.org/trunk/vorbis/CHANGES, 1.0 is the first stable release of libvorbis. No version of libvorbis before 1.0 has been confirmed at this time. RHSA-2008:0271 1020029 USN-861-1 ADV-2008-1510 https://bugzilla.redhat.com/show_bug.cgi?id=444443 libvorbis-makedecodetree-dos(42521) Unspecified vulnerability in Apple QuickTime Player on Windows XP SP2 and Vista SP1 allows remote attackers to execute arbitrary code via a crafted QuickTime media file. NOTE: as of 20080429, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes. http://www.gnucitizen.org/blog/quicktime-0day-for-vista-and-xp/ 28959 1019950 quicktime-unspecifiedremote-code-execution(42098) Cross-site scripting (XSS) vulnerability in the National Rail Enquiries Live Departure Boards gadget before 1.1 allows remote National Rail Enquiries servers or man-in-the-middle attackers to inject arbitrary web script or HTML, and execute arbitrary code, via a response body, as demonstrated by a SCRIPT element that references a vbscript: URI. http://www.mwrinfosecurity.com/news/1690.html http://www.mwrinfosecurity.com/publications/mwri_national-rail-enquiries-gadget-advisory_2008-04-24.pdf 28933 nationalrail-gadget-code-execution(42043) SQL injection vulnerability in index.php in the PostSchedule 1.0 module for PostNuke allows remote attackers to execute arbitrary SQL commands via the eid parameter in an event action. 28931 postschedule-index-sql-injection(42010) 5495 SQL injection vulnerability in index.php in the pnFlashGames 1.5 through 2.5 module for PostNuke, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a display action. 28948 pnflashgames-id-sql-injection(42019) 5500 Mozilla Firefox 3.0 beta 5 allows remote attackers to cause a denial of service (application crash) via JavaScript code that calls document.write in an infinite loop. 3835 20080422 Firefox 3.0 beta 5 crash 20080422 Re: Firefox 3.0 beta 5 crash 20080422 Re: Firefox 3.0 beta 5 crash (Slightly unrelated) 20080423 Re: Firefox 3.0 beta 5 crash firefox-documentwrite-dos(42154) Multiple absolute path traversal vulnerabilities in certain ActiveX controls in WatchFire AppScan 7.0 allow remote attackers to create or overwrite arbitrary files via a full pathname in the argument to the (1) CompactSave and (2) SaveSession method in one control, and the (3) saveRecordedExploreToFile method in a different control. NOTE: this can be leveraged for code execution by writing to a Startup folder. 28940 1019948 appscan-activex-file-overwrite(42077) 5496 PHP remote file inclusion vulnerability in Chilek Content Management System (aka ChiCoMaS) 2.0.4 allows remote attackers to execute arbitrary PHP code via a URL in the lang parameter to the default URI under install/. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences. 3837 20080427 bug report chicomas-multiple-file-include(42144) Directory traversal vulnerability in Chilek Content Management System (aka ChiCoMaS) 2.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the operation parameter to the default URI under install/. 3837 20080427 bug report chicomas-multiple-file-include(42144) The AssignUser function in template.class.php in PHPizabi 0.848b C1 HFP3 performs unsafe macro expansions on strings delimited by '{' and '}' characters, which allows remote authenticated users to obtain sensitive information via a comment containing a macro, as demonstrated by a "{user.password}" comment in the profile of the admin user. 28954 phpizabi-templateclass-info-disclosure(42143) 5506 Simple Machines Forum (SMF), probably 1.1.4, relies on "randomly generated static" to hinder brute-force attacks on the WAV file (aka audio) CAPTCHA, which allows remote attackers to pass the CAPTCHA test via an automated attack that considers Hamming distances. NOTE: this issue reportedly exists because of an insufficient fix for CVE-2007-3308. 3836 http://www.rooksecurity.com/blog/?p=6 20080419 Deciphering the Simple Machines Forum audio Captcha 28866 http://www.simplemachines.org/community/index.php?P=c3696c2022b54fa50c5f341bf5710aa3&topic=236816.0 smf-captcha-weak-security(42150) The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and (8) Labgab 1.1 uses a code_bg.jpg background image and the PHP ImageString function in a way that produces an insufficient number of different images, which allows remote attackers to pass the CAPTCHA test via an automated attack using a table of all possible image checksums and their corresponding digit strings. 3834 http://www.rooksecurity.com/blog/?p=6 20080419 Deciphering the PHP-Nuke Capthca 28877 captcha-imagestring-codebg-weak-security(42152) Heap-based buffer overflow in Lhaplus before 1.57 allows remote attackers to execute arbitrary code via a long comment field in a ZOO archive. JVN#74468481 http://www.fourteenforty.jp/research/advisory.cgi?FFRRA-20080428 28953 ADV-2008-1369 http://www7a.biglobe.ne.jp/~schezo/ lhaplus-zoo-bo(42032) Mulatiple cross-site scripting (XSS) vulnerabilities in PD9 Software MegaBBS 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) toid parameter to send-private-message.asp and the (2) redirect parameter to admin/impersonate.asp. NOTE: vector 2 requires authentication. http://www.bugreport.ir/?/37 28961 megabbs-toid-xss(42040) megabbs-impersonate-xss(42042) 5507 Multiple SQL injection vulnerabilities in PD9 Software MegaBBS 2.2 allow remote attackers to execute arbitrary SQL commands via the (1) invisible and (2) timeoffset parameters to profile/controlpanel.asp and the (3) attachmentid parameter to forums/attach-file.asp. http://www.bugreport.ir/?/37 28961 megabbs-multiple-sql-injection(42044) 5507 Cross-site scripting (XSS) vulnerability in index.php in miniBB 2.2, and possibly earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the glang[] parameter in a registernew action. http://www.minibb.net/forums/9_5110_0.html 28930 minibb-glang-xss(42013) 5494 Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters." http://download.opensuse.org/update/10.3-test/repodata/patch-struts-5872.xml SUSE-SR:2009:008 http://support.novell.com/security/cve/CVE-2008-2025.html https://bugzilla.novell.com/show_bug.cgi?id=385273 https://launchpad.net/bugs/cve/2008-2025 Cross-site scripting (XSS) vulnerability in WebID/IISWebAgentIF.dll in RSA Authentication Agent 5.3.0.258, and other versions before 5.3.3.378, allows remote attackers to inject arbitrary web script or HTML via a URL-encoded postdata parameter. NOTE: this is different than CVE-2005-1118, but it might be the same as CVE-2008-1470. 3848 20080423 PR07-44: XSS on RSA Authentication Agent login page 1019920 Open redirect vulnerability in WebID/IISWebAgentIF.dll in RSA Authentication Agent 5.3.0.258 for Web for IIS, when accessed via certain browsers such as Mozilla Firefox, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an ftp URL in the url parameter to a Redirect action. 3850 http://www.procheckup.com/Vulnerability_PR07-43.php 20080423 PR07-43: Cross-domain redirect on RSA Authentication Agent 28907 rsa-agent-iiswebagentif-security-bypass(42184) miniBB 2.2, and possibly earlier, when register_globals is enabled, allows remote attackers to obtain the full path via a direct request to the glang parameter in a registernew action to index.php, which leaks the path in an error message. http://www.minibb.net/forums/9_5110_0.html minibb-bbfuncregusr-info-disclosure(42012) 5494 Multiple SQL injection vulnerabilities in (1) setup_mysql.php and (2) setup_options.php in miniBB 2.2 and possibly earlier, when register_globals is enabled, allow remote attackers to execute arbitrary SQL commands via the xtr parameter in a userinfo action to index.php. http://www.minibb.net/forums/9_5110_0.html 28930 minibb-multiple-sql-injection(42014) 5494 Cross-site scripting (XSS) vulnerability in installControl.php3 in F5 FirePass 4100 SSL VPN 5.4.2-5.5.2 and 6.0-6.2 allows remote attackers to inject arbitrary web script or HTML via the query string. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. http://downloads.securityfocus.com/vulnerabilities/exploits/28902.html 28902 firepass-installcontrol-xss(42078) VicFTPS 5.0 allows remote attackers to cause a denial of service (crash) via a crafted LIST command, which triggers a NULL pointer dereference. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28967 vicftps-list-dos(42074) The FTP service in Acritum Femitter Server 1.03 allows remote attackers to cause a denial of service (crash) by sending multiple crafted RETR commands. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28973 femitterserver-ftp-dos(42075) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1381. Reason: This candidate is a duplicate of CVE-2008-1381. Notes: All CVE users should reference CVE-2008-1381 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. SQL injection vulnerability in wp-download_monitor/download.php in the Download Monitor 2.0.6 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28975 downloadmonitor-id-sql-injection(42094) Cross-site scripting (XSS) vulnerability in the Bluemoon, Inc. (1) BackPack 0.91 and earlier, (2) BmSurvey 0.84 and earlier, (3) newbb_fileup 1.83 and earlier, (4) News_embed (news_fileup) 1.44 and earlier, and (5) PopnupBlog 3.19 and earlier modules for XOOPS 2.0.x, XOOPS Cube 2.1, and ImpressCMS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. JVN#31351020 http://www.bluemooninc.biz/~xoops/modules/news/article.php?storyid=69 28966 bluemoon-unspecified-xss(42072) SQL injection vulnerability in index.php in dream4 Koobi Pro 6.25 allows remote attackers to execute arbitrary SQL commands via the poll_id parameter in a poll action. 3843 20080415 Koobi Pro 6.25 poll Remote SQL Injection Vulnerability 28779 ADV-2008-1242 koobipro-pollid-sql-injection(41817) 5448 Multiple cross-site scripting (XSS) vulnerabilities in EditeurScripts EsContacts 1.0 allow remote authenticated users to inject arbitrary web script or HTML via the msg parameter to (1) login.php, (2) importer.php, (3) add_groupe.php, (4) contacts.php, (5) groupes.php, and (6) search.php. 28825 http://www.z0rlu.ownspace.org/index.php?/archives/50-EScontacts-XSS.html escontacts-msg-xss(41879) editeurscripts-login-xss(49237) Multiple SQL injection vulnerabilities in admin/adminindex.php in Turnkey Web Tools SunShop Shopping Cart 4.1.0 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) orderby and (2) sort parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 28832 sunshop-adminindex-sql-injection(41882) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Stack-based buffer overflow in the HTTP::getAuthUserPass function (core/common/http.cpp) in Peercast 0.1218 and gnome-peercast allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Basic Authentication string with a long (1) username or (2) password. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478573 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478680 GLSA-200807-11 DSA-1582 DSA-1583 28986 ADV-2008-1409 ADV-2008-1410 peercast-httpgetauthuserpass-bo(42092) Multiple unspecified vulnerabilities in eGroupWare before 1.4.004 have unspecified attack vectors and "grave" impact when the web server has write access to a directory under the web document root. http://www.egroupware.org/news GLSA-200805-04 28817 egroupware-webserver-unspecified(42141) The Javascript API in Adobe Acrobat Professional 7.0.9 and possibly 8.1.1 exposes a dangerous method, which allows remote attackers to execute arbitrary commands or trigger a buffer overflow via a crafted PDF file that invokes app.checkForUpdate with a malicious callback function. 3861 1019971 239286 http://www.adobe.com/support/security/bulletins/apsb08-13.html 20080507 Adobe Acrobat Professional Javascript For PDF Security Feature Bypass and Memory Corruption Vulnerabilities ADV-2008-1966 adobe-appcheckforupdate-code-execution(42237) Multiple cross-site request forgery (CSRF) vulnerabilities in cPanel, possibly 11.18.3 and 11.19.3, allow remote attackers to (1) execute arbitrary code via the command1 parameter to frontend/x2/cron/editcronsimple.html, and perform various administrative actions via (2) frontend/x2/sql/adddb.html, (3) frontend/x2/sql/adduser.html, and (4) frontend/x2/ftp/doaddftp.html. Additional information can be found at: http://secunia.com/advisories/30027/ http://www.frsirt.com/english/advisories/2008/1401 http://blog.cpanel.net/?p=39 VU#584089 http://www.rooksecurity.com/blog/?p=7 ADV-2008-1401 cpanel-http-csrf(42114) includes/library.php in netOffice Dwins 1.3 p2 compares the demoSession variable to the 'true' string literal instead of the true boolean literal, which allows remote attackers to bypass authentication and execute arbitrary code by setting this variable to 1, as demonstrated by uploading a PHP script via an add action to projects_site/uploadfile.php. http://netofficedwins.sourceforge.net/modules/news/article.php?storyid=47 3845 http://sourceforge.net/forum/forum.php?forum_id=814851 20080229 netOffice Dwins 1.3 Remote code execution. 20080502 Re: netOffice Dwins 1.3 Remote code execution. 28051 Absolute path traversal vulnerability in SugarCRM Sugar Community Edition 4.5.1 and 5.0.0 allows remote attackers to read arbitrary files via a full path in the URL parameter to modules/Feeds/Feed.php, which places the contents into a related cache file in the .cache/feeds directory. 3844 http://www.security-assessment.com/files/advisories/2008-04-29_SugarCRM_local_file_disclosure.pdf 20080429 SugarCRM Community Edition Local File Disclosure Vulnerability 28981 http://www.sugarcrm.com/docs/Release_Notes/CommunityEdition_ReleaseNotes_5.0d/Sugar_Release_Notes_5.0d.2.6.html http://www.sugarcrm.com/forums/showthread.php?t=31688 http://www.sugarcrm.com/forums/showthread.php?t=32252 ADV-2008-1388 sugar-feed-information-disclosure(42087) 5521 Cross-site scripting (XSS) vulnerability in index.php in Softpedia SiteXS CMS 0.1.1 Pre-Alpha allows remote attackers to inject arbitrary web script or HTML via the user parameter. 20080429 XSS Attack 28984 sitexs-index-xss(42093) Multiple SQL injection vulnerabilities in Angelo-Emlak 1.0 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) hpz/profil.asp and (2) hpz/prodetail.asp. 28949 ADV-2008-1385 angeloemlak-profil-sql-injection(42018) 5503 Cross-site scripting (XSS) vulnerability in hpz/admin/Default.asp in Angelo-Emlak 1.0 allows remote attackers to inject arbitrary web script or HTML via the sayfa parameter. 28949 ADV-2008-1385 angeloemlak-deafult-xss(42155) 5503 The POP3 server (EPSTPOP3S.EXE) 4.22 in E-Post Mail Server 4.10 allows remote attackers to obtain sensitive information via multiple crafted APOP commands for a known POP3 account, which displays the password in a POP3 error message. http://vuln.sg/epostmailserver410-en.html http://www.e-postinc.jp/Mail_Server.html 28951 1019930 ADV-2008-1389 epost-pop3-information-disclosure(42035) Stack-based buffer overflow in the FastCGI SAPI (fastcgi.c) in PHP before 5.2.6 has unknown impact and attack vectors. http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/fastcgi.c?r1=1.44&r2=1.45&diff_format=u APPLE-SA-2008-07-31 SUSE-SR:2008:014 GLSA-200811-05 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176 DSA-1572 MDVSA-2009:022 MDVSA-2009:023 [oss-security] 20080502 CVE Request (PHP) http://www.php.net/ChangeLog-5.php 20080523 rPSA-2008-0176-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl 29009 SSA:2008-128-01 USN-628-1 ADV-2008-1412 ADV-2008-2268 php-fastcgisapi-bo(42133) https://issues.rpath.com/browse/RPL-2503 The escapeshellcmd API function in PHP before 5.2.6 has unknown impact and context-dependent attack vectors related to "incomplete multibyte chars." APPLE-SA-2008-07-31 SUSE-SR:2008:014 GLSA-200811-05 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0176 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0178 DSA-1572 DSA-1578 MDVSA-2008:125 MDVSA-2008:126 MDVSA-2008:127 MDVSA-2008:128 [oss-security] 20080502 CVE Request (PHP) http://www.php.net/ChangeLog-5.php RHSA-2008:0505 RHSA-2008:0544 RHSA-2008:0545 RHSA-2008:0546 RHSA-2008:0582 20080523 rPSA-2008-0176-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl 20080527 rPSA-2008-0178-1 php php-mysql php-pgsql 29009 SSA:2008-128-01 USN-628-1 ADV-2008-1412 ADV-2008-2268 https://issues.rpath.com/browse/RPL-2503 oval:org.mitre.oval:def:10256 FEDORA-2008-3864 FEDORA-2008-3606 Open redirect vulnerability in redirect.php in Bitrix Site Manager 6.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the goto parameter. http://holisticinfosec.org/content/view/62/45/ bitrix-redirect-security-bypass(42157) Unspecified vulnerability in Cisco Unified Customer Voice Portal (CVP) 4.0.x before 4.0(2)_ES14, 4.1.x before 4.1(1)_ES11, and 7.x before 7.0(1) allows remote authenticated users with administrator role privileges to create, modify, or delete a superuser account. 1020080 20080521 Cisco Voice Portal Privilege Escalation Vulnerability 29315 ADV-2008-1603 cisco-cvp-unspecified-privilege-escalation(42564) Unspecified vulnerability in Cisco CiscoWorks Common Services 3.0.3 through 3.1.1 allows remote attackers to execute arbitrary code on a client machine via unknown vectors. 20080528 CiscoWorks Common Services Arbitrary Code Execution Vulnerability http://www.liquidmatrix.org/blog/2008/05/28/advisory-ciscoworks-arbitrary-code-execution-vulnerability/ 1020127 ADV-2008-1687 cisco-cwcs-unspecified-code-execution(42702) Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 7.1.x before 7.1(2)70, 7.2.x before 7.2(4), and 8.0.x before 8.0(3)10 allows remote attackers to cause a denial of service via a crafted TCP ACK packet to the device interface. 20080604 Multiple Vulnerabilities in Cisco PIX and Cisco ASA 1020176 1020177 ADV-2008-1750 cisco-asa-pix-tcpack-dos(42835) Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 8.0.x before 8.0(3)9 and 8.1.x before 8.1(1)1 allows remote attackers to cause a denial of service (device reload) via a crafted Transport Layer Security (TLS) packet to the device interface. 20080604 Multiple Vulnerabilities in Cisco PIX and Cisco ASA 1020178 1020179 ADV-2008-1750 cisco-pix-asa-tls-dos(42836) The Instant Messenger (IM) inspection engine in Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 7.2.x before 7.2(4), 8.0.x before 8.0(3)10, and 8.1.x before 8.1(1)2 allows remote attackers to cause a denial of service via a crafted packet. 1020180 1020181 20080604 Multiple Vulnerabilities in Cisco PIX and Cisco ASA ADV-2008-1750 cisco-asa-pix-im-dos(42837) Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 7.2.x before 7.2(3)2 and 8.0.x before 8.0(2)17 allows remote attackers to cause a denial of service (device reload) via a port scan against TCP port 443 on the device. 1020182 1020183 20080604 Multiple Vulnerabilities in Cisco PIX and Cisco ASA ADV-2008-1750 Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 8.0.x before 8.0(3)9 allows remote attackers to bypass control-plane ACLs for the device via unknown vectors. 20080604 Multiple Vulnerabilities in Cisco PIX and Cisco ASA 1020184 1020185 ADV-2008-1750 cisco-asa-pix-acl-weak-security(42841) Unspecified vulnerability in Cisco Intrusion Prevention System (IPS) 5.x before 5.1(8)E2 and 6.x before 6.0(5)E2, when inline mode and jumbo Ethernet support are enabled, allows remote attackers to cause a denial of service (panic), and possibly bypass intended restrictions on network traffic, via a "specific series of jumbo Ethernet frames." 20080618 Cisco Intrusion Prevention System Jumbo Frame Denial of Service 29791 1020326 ADV-2008-1872 cisco-ips-ethernetframes-dos(43166) The Computer Telephony Integration (CTI) Manager service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3c) and 6.x before 6.1(2) allows remote attackers to cause a denial of service (TSP crash) via malformed network traffic to TCP port 2748. 20080625 Cisco Unified Communications Manager Denial of Service and Authentication Bypass Vulnerabilities 29933 1020360 ADV-2008-1933 cucm-ctimanager-dos(43349) The Real-Time Information Server (RIS) Data Collector service in Cisco Unified Communications Manager (CUCM) before 4.2(3)SR4, and 4.3 before 4.3(2)SR1, allows remote attackers to bypass authentication, and obtain cluster configuration information and statistics, via a direct TCP connection to the service port, aka Bug ID CSCsq35151. 20080625 Cisco Unified Communications Manager Denial of Service and Authentication Bypass Vulnerabilities 29935 1020361 ADV-2008-1933 cucm-risdatacollector-info-disclosure(43355) SQL injection vulnerability in browse.videos.php in Joovili 3.1 allows remote attackers to execute arbitrary SQL commands via the category parameter. 28979 joovili-category-sql-injection(42086) 5520 Multiple unspecified vulnerabilities in PhpGedView before 4.1.5 have unknown impact and attack vectors related to "a fundamental design flaw in the interface (API) to connect phpGedView with external programs like content management systems." http://sourceforge.net/project/shownotes.php?group_id=55456&release_id=595222 DSA-1580 http://www.phpgedview.net/ 28978 phpgedview-unspecified-code-execution(42085) SQL injection vulnerability in jokes.php in YourFreeWorld Jokes Site Script allows remote attackers to execute arbitrary SQL commands via the catagorie parameter. 28963 jokessitescript-jokes-sql-injection(42047) 5508 Cross-site scripting (XSS) vulnerability in bb_admin.php in miniBB 2.2a allows remote attackers to inject arbitrary web script or HTML via the whatus parameter in a searchusers2 action. NOTE: it was later reported that other versions before 3.0.1 are also vulnerable. 20130711 XSS and SQL Injection Vulnerabilities in MiniBB 3846 http://www.minibb.com/download.php?file=minibb_update http://www.minibb.com/forums/news-9/minibb-3.0.1-released-stable-fixed-secured-dedicated-6059.html 20080428 Minibb 2.2a XSS Vulnerability 28957 61116 minibb-bbadmin-xss(42076) https://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-minibb/ SQL injection vulnerability in bb_admin.php in miniBB 2.2a allows remote attackers to execute arbitrary SQL commands via the whatus parameter in a searchusers2 action. NOTE: it was later reported that other versions before 3.0.1 are also vulnerable. 20130711 XSS and SQL Injection Vulnerabilities in MiniBB 3846 http://www.minibb.com/download.php?file=minibb_update http://www.minibb.com/forums/news-9/minibb-3.0.1-released-stable-fixed-secured-dedicated-6059.html 20080428 Minibb 2.2a XSS Vulnerability 61116 minibb-bbadmin-sql-injection(42270) https://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-minibb/ Cross-site scripting (XSS) vulnerability in WordPress 2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://wordpress.org/development/2008/04/wordpress-251/ wordpress-unspecified-xss(42029) Buffer overflow in Novell GroupWise 7 allows remote attackers to cause a denial of service or execute arbitrary code via a long argument in a mailto: URI. 3847 20080428 GroupWise 7.0 mailto: scheme buffer overflow 20080502 Re: GroupWise 7.0 mailto: scheme buffer overflow 20080504 Re: Re: GroupWise 7.0 mailto: scheme buffer overflow 28969 1019942 ADV-2008-1393 novell-groupwise-mailto-bo(42052) 5515 The WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allows remote attackers to bypass XSS protection and inject arbitrary script or HTML via repeated, improperly-ordered "<" and ">" characters in the (1) issue parameter to scripts2/knowlegebase, (2) user parameter to scripts2/changeip, (3) search parameter to scripts2/listaccts, and other unspecified vectors. http://changelog.cpanel.net/?revision=0;tree=;treeview=;show=html;pp=25;te=1314;pg=2 20080509 XSS and CSRF vulnerability on cPanel 11 3866 20080509 XSS and CSRF vulnerability on Cpanel 11 29125 ADV-2008-1522 cpanel-whminterface-xss(42305) Multiple cross-site request forgery (CSRF) vulnerabilities in the WHM interface 11.15.0 for cPanel 11.18 before 11.18.4 and 11.22 before 11.22.3 allow remote attackers to perform unauthorized actions as cPanel administrators via requests to cpanel/whm/webmail and other unspecified vectors. http://changelog.cpanel.net/?revision=0;tree=;treeview=;show=html;pp=25;te=1314;pg=2 20080509 XSS and CSRF vulnerability on cPanel 11 3866 20080509 XSS and CSRF vulnerability on Cpanel 11 29125 ADV-2008-1522 cpanel-whminterface-csrf(42306) Cross-site scripting (XSS) vulnerability in index.php in Virtual Design Studio vlbook 1.21 allows remote attackers to inject arbitrary web script or HTML via the l parameter, a different vector than CVE-2006-3260. 3854 20080501 vlBook 1.21 (ALL VERSION) 29006 vlbook-l-xss(42126) 5529 Directory traversal vulnerability in include/global.inc.php in Virtual Design Studio vlbook 1.21 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the l parameter. 3854 20080501 vlBook 1.21 (ALL VERSION) 29006 vlbook-globalinc-file-include(42127) 5529 Multiple PHP remote file inclusion vulnerabilities Harris Yusuf Arifin Harris Wap Chat 1.0, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the sysFileDir parameter to (1) eng.writeMsg.php, (2) eng.adCreate.php, (3) eng.adCreateSave.php, (4) eng.adDispByTypeOptions.php, (5) eng.createRoom.php, (6) eng.forward.php, (7) eng.pageLogout.php, (8) eng.resultMember.php, (9) eng.roomDeleteConfirm.php, (10) eng.saveNewRoom.php, and (11) eng.searchMember.php in src/. 28995 harriswapchat-sysfiledir-file-include(42112) 5525 Cross-site scripting (XSS) vulnerability in pic.php in AstroCam 2.5.0 through 2.7.3 allows remote attackers to inject arbitrary web script or HTML via the picfile parameter. http://astrocam.svn.sourceforge.net/viewvc/astrocam/BUGS?view=markup http://astrocam.svn.sourceforge.net/viewvc/astrocam/CHANGELOG?view=markup http://astrocam.svn.sourceforge.net/viewvc/astrocam/v2.x/pic.php?r1=125&r2=126 3852 20080501 XSS in AstroCam 28998 http://www.wendzel.de/?sub=showpost&blogid=5&postid=56 astrocam-pic-xss(42122) Directory traversal vulnerability in admin.php in ActualScripts ActualAnalyzer Lite 2.78 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the style parameter. 29007 actualanalyzerlite-admin-file-include(42128) 5528 Unspecified vulnerability in Plain Black WebGUI 7.4.34 has unknown impact and attack vectors related to "data form list view." http://sourceforge.net/project/shownotes.php?release_id=595907&group_id=51417 http://www.plainblack.com/getwebgui/advisories/webgui-7_4_35-stable-released 28988 webgui-dataform-unspecified(42118) Robocode before 1.6.0 allows user-assisted remote attackers to "access the internals of the Robocode game" via unspecified vectors related to the AWT Event Queue. http://sourceforge.net/project/shownotes.php?release_id=596393 29016 robocode-awteventqueue-security-bypass(42136) MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future. Per http://www.securityfocus.com/bid/29106 and http://secunia.com/advisories/32222, this vulnerability is remotely exploitable. http://bugs.mysql.com/bug.php?id=32167 http://dev.mysql.com/doc/refman/4.1/en/news-4-1-24.html http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-60.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-24.html http://dev.mysql.com/doc/refman/6.0/en/news-6-0-5.html APPLE-SA-2008-10-09 APPLE-SA-2009-09-10-2 SUSE-SR:2008:017 http://support.apple.com/kb/HT3216 http://support.apple.com/kb/HT3865 DSA-1608 MDVSA-2008:149 MDVSA-2008:150 RHSA-2008:0505 RHSA-2008:0510 RHSA-2008:0768 RHSA-2009:1289 29106 31681 1019995 USN-671-1 ADV-2008-1472 ADV-2008-2780 mysql-myisam-security-bypass(42267) oval:org.mitre.oval:def:10133 Stack-based buffer overflow in the Read32s_64 function in src/lib/cdfread64.c in the NASA Goddard Space Flight Center Common Data Format (CDF) library before 3.2.1 allows context-dependent attackers to execute arbitrary code via a .cdf file with crafted length tags. http://cdf.gsfc.nasa.gov/CDF32_buffer_overflow.html GLSA-200805-14 http://www.coresecurity.com/?action=item&id=2260 29045 1019965 ADV-2008-1440 cdf-read32s64-bo(42219) Directory traversal vulnerability in index.php in Siteman 2.0.x2 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the module parameter. http://ircrash.com/english/index.php?topic=29.0 28943 siteman-index-directory-travesal(42021) siteman-admin-code-execution(42022) 5499 Cross-site scripting (XSS) vulnerability in index.php in Siteman 2.0.x2 allows remote attackers to inject arbitrary web script or HTML via the module parameter, which leaks the path in an error message. http://ircrash.com/english/index.php?topic=29.0 28943 siteman-index-xss(42020) 5499 SQL injection vulnerability in directory.php in Prozilla Hosting Index, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a list action. 3853 20080428 [ECHO_ADV_88$2008] Prozilla Hosting Index (directory.php cat_id) Blind Sql Injection Vulnerability 28970 hostingindex-directory-sql-injection(42269) 5516 SQL injection vulnerability in topics.php in the MyArticles 0.6 beta-1 module for RunCMS allows remote attackers to execute arbitrary SQL commands via the topic_id parameter in a listarticles action. 28952 myarticles-topics-sql-injection(42016) 5505 Multiple stack-based buffer overflows in the (1) get_remote_ip_media and (2) get_remote_ipv6_media functions in call.cpp in SIPp 3.1 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted SIP message. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479039 29064 ADV-2008-1447 sipp-getremoteipmedia-bo(42234) FEDORA-2008-6210 FEDORA-2008-6219 Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allow remote attackers to execute arbitrary code via a crafted jnlp file that modifies the (1) java.home, (2) java.ext.dirs, or (3) user.home System Properties, aka "Java Web Start File Inclusion" and CR 6694892. APPLE-SA-2009-02-12 SUSE-SA:2009:007 SUSE-SA:2009:018 SUSE-SR:2009:010 SSRT080111 SSRT090049 RHSA-2008:1025 GLSA-200911-02 4693 244988 http://support.avaya.com/elmodocs2/security/ASA-2008-486.htm http://support.avaya.com/elmodocs2/security/ASA-2009-012.htm http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=829914&poid= RHSA-2008:1018 RHSA-2009:0015 RHSA-2009:0016 RHSA-2009:0445 20081204 CVE-2008-2086: Java Web Start File Inclusion via System PropertiesOverride 32620 1021318 TA08-340A http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt ADV-2009-0424 ADV-2009-0672 http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/03/024431-01.pdf oval:org.mitre.oval:def:5601 SQL injection vulnerability in search_result.php in Softbiz Web Host Directory Script, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the host_id parameter, a different vector than CVE-2005-3817. 3855 20080428 [ECHO_ADV_89$2008] Softbiz Web Host Directory Script (search_result.php host_id) Blind Sql Injection Vulnerability 28971 webhostdirectoryscript-hostid-sql-injection(42096) 5517 SQL injection vulnerability in admin/news.php in PHP Forge 3.0 beta 2 allows remote attackers to execute arbitrary SQL commands via the id parameter in the news module to admin.php. 28950 ADV-2008-1386 phpforge-admin-sql-injection(42017) 5504 Unspecified vulnerability in the SCTP protocol implementation in Sun Solaris 10 allows remote attackers to cause a denial of service (panic) via a crafted SCTP packet. 236321 29023 1019961 ADV-2008-1429 sun-solaris-sctp-dos(42160) oval:org.mitre.oval:def:5165 Unspecified vulnerability in the SCTP protocol implementation in Sun Solaris 10 allows remote attackers to cause a denial of service (CPU consumption and network traffic amplification) via a crafted SCTP packet. 236521 29024 1019962 ADV-2008-1429 sun-solaris-sctp-dos(42160) oval:org.mitre.oval:def:5258 Directory traversal vulnerability in ipn.php in KubeLabs Kubelance 1.6.4 allows remote attackers to include and execute arbitrary local files via the i parameter. 28873 ADV-2008-1341 kubelance-ipn-file-include(41905) 5477 Linksys SPA-2102 Phone Adapter 3.3.6 allows remote attackers to cause a denial of service (crash) via a long ping packet ("ping of death"). NOTE: the severity of this issue has been disputed since there are limited attack scenarios. 20080324 Linksys phone adapter denial of service 20080324 Re: Linksys phone adapter denial of service 20080324 Re: Re: Linksys phone adapter denial of service 20080324 Re: Linksys phone adapter denial of service 20080325 Re: Linksys phone adapter denial of service 28414 linksys-spa2102-phoneadapter-ping-dos(41436) SQL injection vulnerability in the Profiler (com_comprofiler) component in Community Builder for Mambo and Joomla! allows remote attackers to execute arbitrary SQL commands via the user parameter in a userProfile action to index.php. 28911 communitybuilder-user-sql-injection(42008) 5491 SQL injection vulnerability in article.php in the Article module for XOOPS allows remote attackers to execute arbitrary SQL commands via the id parameter. 3856 20080419 Xoops All Version -Articles- Article.PHP (ID) Blind SQL Injection ExpL0it 28879 articlemodule-article-sql-injection(41943) SQL injection vulnerability in index.php in the FlippingBook (com_flippingbook) 1.0.4 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the book_id parameter. 28886 ADV-2008-1342 flippingbook-index-sql-injection(41942) 5484 SQL injection vulnerability in BackLinkSpider allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to a site-specific component name such as link.php or backlinkspider.php. 3857 20080505 [ECHO_ADV_95$2008] BackLinkSpider (cat_id) Blind Sql Injection Vulnerability 29054 backlinkspider-catid-sql-injection(42189) 5546 Buffer overflow in the openwsman management service in VMware ESXi 3.5 and ESX 3.5 allows remote authenticated users to gain privileges via an "invalid Content-Length." SUSE-SR:2008:012 3922 1020199 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues 29547 http://www.vmware.com/security/advisories/VMSA-2008-0009.html ADV-2008-1744 vmware-openwsman-privilege-escalation(42875) oval:org.mitre.oval:def:5640 oval:org.mitre.oval:def:5759 Heap-based buffer overflow in the VMware Host Guest File System (HGFS) in VMware Workstation 6 before 6.0.4 build 93057, VMware Player 2 before 2.0.4 build 93057, VMware ACE 2 before 2.0.2 build 93057, and VMware Fusion before 1.1.2 build 87978, when folder sharing is used, allows guest OS users to execute arbitrary code on the host OS via unspecified vectors. GLSA-201209-25 20080530 VMSA-2008-0008 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion resolve critical security issues 1020148 http://www.vmware.com/security/advisories/VMSA-2008-0008.html ADV-2008-1707 vmware-hgfs-bo(42753) Unspecified vulnerability in VMCI in VMware Workstation 6 before 6.0.4 build 93057, VMware Player 2 before 2.0.4 build 93057, and VMware ACE 2 before 2.0.2 build 93057 on Windows allows guest OS users to execute arbitrary code on the host OS via unspecified vectors. 20080530 VMSA-2008-0008 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion resolve critical security issues 29443 1020149 http://www.vmware.com/security/advisories/VMSA-2008-0008.html ADV-2008-1707 vmware-vmci-code-execution(42757) Multiple buffer overflows in VIX API 1.1.x before 1.1.4 build 93057 on VMware Workstation 5.x and 6.x, VMware Player 1.x and 2.x, VMware ACE 2.x, VMware Server 1.x, VMware Fusion 1.x, VMware ESXi 3.5, and VMware ESX 3.0.1 through 3.5 allow guest OS users to execute arbitrary code on the host OS via unspecified vectors. GLSA-201209-25 3922 1020200 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues 29552 http://www.vmware.com/security/advisories/VMSA-2008-0009.html ADV-2008-1744 vmware-vixapi-multiple-unspecified-bo(42872) oval:org.mitre.oval:def:5081 oval:org.mitre.oval:def:5647 The VMware Consolidated Backup (VCB) command-line utilities in VMware ESX 3.0.1 through 3.0.3 and ESX 3.5 place a password on the command line, which allows local users to obtain sensitive information by listing the process. 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. GLSA-201209-25 4202 1020794 20080830 VMSA-2008-0014 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX address information disclosure, privilege escalation and other security issues. 30937 http://www.vmware.com/security/advisories/VMSA-2008-0014.html ADV-2008-2466 vmware-esx-vcb-info-disclosure(44797) Cross-site scripting (XSS) vulnerability in Bugzilla 2.17.2 and later allows remote attackers to inject arbitrary web script or HTML via the id parameter to the "Format for Printing" view or "Long Format" bug list. http://www.bugzilla.org/security/2.20.5/ 29038 1019967 ADV-2008-1428 https://bugzilla.mozilla.org/show_bug.cgi?id=425665 bugzilla-bugview-xss(42216) FEDORA-2008-3442 FEDORA-2008-3488 The WebService in Bugzilla 3.1.3 allows remote authenticated users without canconfirm privileges to create NEW or ASSIGNED bug entries via a request to the XML-RPC interface, which bypasses the canconfirm check. http://www.bugzilla.org/security/2.20.5/ 29038 1019968 ADV-2008-1428 https://bugzilla.mozilla.org/show_bug.cgi?id=415471 bugzilla-xmlrpc-security-bypass(42218) email_in.pl in Bugzilla 2.23.4, 3.0.x before 3.0.4, and 3.1.x before 3.1.4 allows remote authenticated users to more easily spoof the changer of a bug via a @reporter command in the body of an e-mail message, which overrides the e-mail address as normally obtained from the From e-mail header. NOTE: since From headers are easily spoofed, this only crosses privilege boundaries in environments that provide additional verification of e-mail addresses. http://www.bugzilla.org/security/2.20.5/ 29038 1019969 ADV-2008-1428 https://bugzilla.mozilla.org/show_bug.cgi?id=419188 bugzilla-emailin-security-bypass(42235) FEDORA-2008-3442 FEDORA-2008-3488 Call of Duty 4 (CoD4) 1.5 and earlier allows remote authenticated users to cause a denial of service (crash) via a type 7 stats packet, which triggers a memcpy with a negative value. http://aluigi.altervista.org/adv/cod4statz-adv.txt 3858 20080502 Denial of Service in Call of Duty 4 1.5 29026 callofduty4-stats-dos(42163) The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 32-bit systems, performs a multiplication using values that can produce a zero seed in rare circumstances, which allows context-dependent attackers to predict subsequent values of the rand and mt_rand functions and possibly bypass protection mechanisms that rely on an unknown initial seed. 20080506 Advisory SE-2008-02: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability SUSE-SR:2008:014 GLSA-200811-05 3859 DSA-1789 MDVSA-2008:125 MDVSA-2008:126 MDVSA-2008:127 MDVSA-2008:128 MDVSA-2008:129 MDVSA-2008:130 RHSA-2008:0505 RHSA-2008:0544 RHSA-2008:0545 RHSA-2008:0546 RHSA-2008:0582 20080506 Advisory SE-2008-02: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability http://www.sektioneins.de/advisories/SE-2008-02.txt USN-628-1 php-generateseed-weak-security(42226) php-generateseed-security-bypass(42284) oval:org.mitre.oval:def:10644 FEDORA-2008-3864 FEDORA-2008-3606 The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions. 20080506 Advisory SE-2008-02: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability GLSA-200811-05 3859 DSA-1789 MDVSA-2008:125 MDVSA-2008:126 MDVSA-2008:127 MDVSA-2008:128 MDVSA-2008:129 MDVSA-2008:130 RHSA-2008:0505 RHSA-2008:0544 RHSA-2008:0545 RHSA-2008:0546 RHSA-2008:0582 20080506 Advisory SE-2008-02: PHP GENERATE_SEED() Weak Random Number Seed Vulnerability http://www.sektioneins.de/advisories/SE-2008-02.txt USN-628-1 php-generateseed-weak-security(42226) oval:org.mitre.oval:def:10844 FEDORA-2008-3864 FEDORA-2008-3606 field.c in the libid3tag 0.15.0b library allows context-dependent attackers to cause a denial of service (CPU consumption) via an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0', which triggers an infinite loop. http://bugs.gentoo.org/show_bug.cgi?id=210564 GLSA-200805-15 MDVSA-2008:103 [mad-dev] 20080112 Initite loop bug in libid3tag-0.15.0b 29210 libid3tag-field-dos(42271) FEDORA-2008-3757 Unrestricted file upload vulnerability in qtofm.php in QTOFileManager 1.0 allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension, then accessing it via a direct request. 3860 20080505 QTOFileManager V 1.0<== Remote File Upload Vulnerability 20080507 Re: QTOFileManager V 1.0<== Remote File Upload Vulnerability 29072 qtofilemanager-qtofm-file-upload(42236) The ActiveX Control (yNotifier.dll) in Yahoo! Assistant 3.6 and earlier allows remote attackers to execute arbitrary code via unspecified vectors in the Ynoifier COM object that trigger memory corruption. http://secway.org/advisory/AD20080506EN.txt 29065 1020004 ADV-2008-1471 yahoo-assistant-ynotifier-code-execution(42233) Unspecified vulnerability in Sun Ray Kiosk Mode 4.0 allows local and remote authenticated Sun Ray administrators to gain root privileges via unknown vectors related to utconfig. 236944 29092 1019993 ADV-2008-1454 sunray-kiosk-privilege-escalation(42262) SQL injection vulnerability in annuaire.php in PHPEasyData 1.5.4 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 29068 phpeasydata-annuaire-sql-injection(42230) 5552 SQL injection vulnerability in emall/search.php in Pre Shopping Mall 1.1 allows remote attackers to execute arbitrary SQL commands via the search parameter. 29067 preshoppingmall-search-sql-injection(42227) 5551 Multiple cross-site scripting (XSS) vulnerabilities in editor.php in ScriptsEZ.net Power Editor 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) te and (2) dir parameters in a tempedit action. 3864 20080506 Power Editor LOCAL FILE INCLUSION Vulnerbility 29063 powereditor-editor-xss(42223) 5549 Multiple directory traversal vulnerabilities in editor.php in ScriptsEZ.net Power Editor 2.0 allow remote attackers to read arbitrary local files via a .. (dot dot) in the (1) te and (2) dir parameters in a tempedit action. 3864 20080506 Power Editor LOCAL FILE INCLUSION Vulnerbility 29063 powereditor-editor-file-include(42222) 5549 Cross-site scripting (XSS) vulnerability in pages/news.page.inc in Project Alumni 1.0.9 allows remote attackers to inject arbitrary web script or HTML via the year parameter in a news action to index.php, a different vector than CVE-2007-6126. 3863 20080502 project alumni v1.0.9 (info.php) SQL Injection Vulnerability 29019 projectalumni-year-xss(42149) SQL injection vulnerability in info.php in Project Alumni 1.0.9 allows remote attackers to execute arbitrary SQL commands via the id parameter. 3863 20080502 project alumni v1.0.9 (info.php) SQL Injection Vulnerability 29019 projectalumni-info-sql-injection(42148) Asterisk Open Source 1.0.x and 1.2.x before 1.2.29 and Business Edition A.x.x and B.x.x before B.2.5.3, when pedantic parsing (aka pedanticsipchecking) is enabled, allows remote attackers to cause a denial of service (daemon crash) via a SIP INVITE message that lacks a From header, related to invocations of the ast_uri_decode function, and improper handling of (1) an empty const string and (2) a NULL pointer. http://bugs.digium.com/view.php?id=12607 http://downloads.digium.com/pub/security/AST-2008-008.html GLSA-200905-01 http://svn.digium.com/view/asterisk?view=rev&revision=120109 20080603 AST-2008-008: Remote Crash Vulnerability in SIP channel driver when run in pedantic mode 1020166 ADV-2008-1731 asterisk-asturidecode-dos(42823) 5749 Unspecified vulnerability in Sun Java System Application Server 7 2004Q2 before Update 6, Web Server 6.1 before SP8, and Web Server 7.0 before Update 1 allows remote attackers to obtain source code of JSP files via unknown vectors. 201255 29088 1019985 1019986 ADV-2008-1457 javasystem-jsp-information-disclosure(42266) The TCP implementation in Sun Solaris 8, 9, and 10 allows remote attackers to cause a denial of service (CPU consumption and new connection timeouts) via a TCP SYN flood attack. 200864 http://support.avaya.com/elmodocs2/security/ASA-2008-206.htm 29089 1019989 ADV-2008-1453 ADV-2008-1585 sunsolaris-tcp-dos(42264) IBM Rational Build Forge 7.0.2 allows remote attackers to cause a denial of service (CPU consumption) via a port scan, which spawns multiple bfagent server processes that attempt to read data from closed sockets. 29036 1019964 ADV-2008-1427 http://www-1.ibm.com/support/docview.wss?uid=swg21303877 ibmrationalbuild-buildforgeagent-dos(42173) Cross-site scripting (XSS) vulnerability in WGate in SAP Internet Transaction Server (ITS) 6.20 allows remote attackers to inject arbitrary web script or HTML via (1) a "<>" sequence in the ~service parameter to wgate.dll, or (2) Javascript splicing in the query string, a different vector than CVE-2006-5114. http://www.portcullis-security.com/275.php 29103 1019998 ADV-2008-1466 sap-internettransactionserver-wgate-xss(42281) SQL injection vulnerability in modules/print.asp in fipsASP fipsCMS allows remote attackers to execute arbitrary SQL commands via the lg parameter. 29095 fipscms-print-sql-injection(42257) 5553 SQL injection vulnerability in viewalbums.php in Musicbox 2.3.6 and 2.3.7 allows remote attackers to execute arbitrary SQL commands via the artistId parameter. 29100 musicbox-viewalbums-sql-injection(42259) 5560 Multiple cross-site scripting (XSS) vulnerabilities in Tux CMS 0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to index.php and the (2) returnURL parameter to tux-login.php. 20080507 Multiple XSS In TuxCMS All Version 29090 tuxcms-multiple-xss(42252) Cross-site scripting (XSS) vulnerability in search.php in CMS Faethon 2.2 Ultimate allows remote attackers to inject arbitrary web script or HTML via the what parameter. NOTE: some of these details are obtained from third party information. 29099 cmsfaethon-search-xss(42258) 5558 PHP remote file inclusion vulnerability in templates/header.php in CMS Faethon 2.2 Ultimate allows remote attackers to execute arbitrary PHP code via a URL in the mainpath parameter, a different vulnerability than CVE-2006-5588 and CVE-2006-3185. cmsfaethon-header-file-include(42376) 5558 SQL injection vulnerability in index.php in Galleristic 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter. 29096 galleristic-index-sql-injection(42253) 5554 SQL injection vulnerability in poll_vote.php in iGaming CMS 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter. http://downloads.securityfocus.com/vulnerabilities/exploits/29059.pl 29059 igamingcms-pollvote-sql-injection(42229) Cross-site scripting (XSS) vulnerability in mvnForum 1.1 GA allows remote authenticated users to inject arbitrary web script or HTML via the topic field, which is later displayed by user/viewthread.jsp through use of the "quick reply button." http://mvnforum.cvs.sourceforge.net/mvnforum/mvnforum/srcweb/mvnplugin/mvnforum/user/viewthread.jsp?r1=1.316&r2=1.317 3862 http://users.own-hero.net/~decoder/advisories/mvnforum-jsxss.txt 20080506 mvnForum 1.1 Cross Site Scripting 29075 mvnforum-quickreply-xss(42241) SQL injection vulnerability in step1.asp in Systementor PostcardMentor allows remote attackers to execute arbitrary SQL commands via the cat_fldAuto parameter. 29094 postcardmentor-step1-sql-injection(42256) 5556 Cross-site scripting (XSS) vulnerability in the Journal module in Tru-Zone Nuke ET 3.x allows remote attackers to inject arbitrary web script or HTML via the title parameter in a new entry, as demonstrated by a CSS property in the STYLE attribute of a DIV element, a different vulnerability than CVE-2008-1873. http://truzone.org/modules.php?name=Forums&file=viewtopic&t=55141 http://www.mrzayas.es/2008/05/04/multiples-vulnerabilidades-en-nuket-3x/ 29080 nukeet-journalentry-xss(42238) The Journal module in Tru-Zone Nuke ET 3.x allows remote attackers to obtain access to arbitrary user accounts, and alter or delete data, via a modified username in an unspecified cookie. http://truzone.org/modules.php?name=Forums&file=viewtopic&p=332746 http://www.mrzayas.es/2008/05/04/multiples-vulnerabilidades-en-nuket-3x/ 29080 nukeet-journalmodule-security-bypass(42239) Multiple SQL injection vulnerabilities in VisualShapers ezContents 2.0.0 allow remote attackers to execute arbitrary SQL commands via the (1) contentname parameter to showdetails.php and the (2) article parameter to printer.php. 3865 20080508 ezContents CMS Version 2.0.0 SQL Injection Vulnerabilities 29098 ezcontents-showdetails-sql-injection(42260) 5559 Memory leak in the ipip6_rcv function in net/ipv6/sit.c in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3 allows remote attackers to cause a denial of service (memory consumption) via network traffic to a Simple Internet Transition (SIT) tunnel interface, related to the pskb_may_pull and kfree_skb functions, and management of an skb reference count. http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.3 SUSE-SA:2008:030 SUSE-SA:2008:032 [linux-kernel] 20080509 Re: When should kfree_skb be used? http://support.avaya.com/elmodocs2/security/ASA-2008-362.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0169 DSA-1588 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.5 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.3 MDVSA-2008:167 MDVSA-2008:174 RHSA-2008:0585 RHSA-2008:0607 RHSA-2008:0612 RHSA-2008:0787 RHSA-2008:0973 29235 1020118 USN-625-1 ADV-2008-1543 ADV-2008-1716 linux-kernel-ipip6rcv-dos(42451) oval:org.mitre.oval:def:11038 oval:org.mitre.oval:def:6503 FEDORA-2008-3949 The (1) sparc_mmap_check function in arch/sparc/kernel/sys_sparc.c and the (2) sparc64_mmap_check function in arch/sparc64/kernel/sys_sparc.c, in the Linux kernel 2.4 before 2.4.36.5 and 2.6 before 2.6.25.3, omit some virtual-address range (aka span) checks when the mmap MAP_FIXED bit is not set, which allows local users to cause a denial of service (panic) via unspecified mmap calls. [git-commits-head] 20080507 sparc: Fix mmap VA span checking. DSA-1588 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.36.5 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.3 29397 1020119 USN-625-1 ADV-2008-1716 linux-kernel-mmap-dos(42681) Oracle Application Server (OracleAS) Portal 10g allows remote attackers to bypass intended access restrictions and read the contents of /dav_portal/portal/ by sending a request containing a trailing "%0A" (encoded line feed), then using the session ID that is generated from that request. NOTE: as of 20080512, Oracle has not commented on the accuracy of this report. 3867 20080509 Oracle Application Server 10G ORA_DAV Basic Authentication Bypass Vulnerability 29119 1020034 oracle-aps-cookie-auth-bypass(42302) The rootpw plugin in rPath Appliance Platform Agent 2 and 3 does not re-validate requests from a browser with a valid administrator session, including requests to change the password, which makes it easier for physically proximate attackers to gain privileges and maintain control over the administrator account. http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0148 rootpw-rpath-appliance-csrf(42393) rootpw-rpath-appliance-privilege-escalation(42394) Cross-site request forgery (CSRF) vulnerability in the rootpw plugin in rPath Appliance Platform Agent 2 and 3 allows remote attackers to reset the root password as the administrator via a crafted URL. http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0148 rootpw-rpath-appliance-csrf(42393) Emacs 21 and XEmacs automatically load and execute .flc (fast lock) files that are associated with other files that are edited within Emacs, which allows user-assisted attackers to execute arbitrary code. [emacs-devel] 20080510 [mwelinder@bogus.example.com: Emacs security bug] SUSE-SR:2008:012 GLSA-200902-06 http://thread.gmane.org/gmane.emacs.devel/96903 http://tracker.xemacs.org/XEmacs/its/issue378 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0177 MDVSA-2008:153 MDVSA-2008:154 20080527 rPSA-2008-0177-1 emacs emacs-leim 29176 1020019 ADV-2008-1539 ADV-2008-1540 https://bugs.gentoo.org/show_bug.cgi?id=221197 xemacs-gnuemacs-flc-code-execution(42362) https://issues.rpath.com/browse/RPL-2529 FEDORA-2008-5446 FEDORA-2008-5504 Unspecified versions of Microsoft Outlook Web Access (OWA) use the Cache-Control: no-cache HTTP directive instead of no-store, which might cause web browsers that follow RFC-2616 to cache sensitive information. VU#829876 29121 microsoft-owa-nostore-info-disclosure(42301) Multiple unspecified vulnerabilities in Solaris print service for Sun Solaris 8, 9, and 10 allow remote attackers to cause a denial of service or execute arbitrary code via unknown vectors. 236884 http://support.avaya.com/elmodocs2/security/ASA-2008-216.htm 29135 1020003 ADV-2008-1473 ADV-2008-1709 solaris-print-code-execution(42322) oval:org.mitre.oval:def:5269 Stack-based buffer overflow in Novell Client 4.91 SP4 and earlier allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long username in the "forgotten password" dialog. 3868 20080508 Novell Client <= 4.91 SP4 Local Stack overflow / B.S.O.D (unauthentificated user) 29109 1020020 ADV-2008-1503 novell-client-username-bo(42359) wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for certain pages. http://trac.wordpress.org/changeset/6029 http://trac.wordpress.org/changeset?old_path=tags%2F2.2.2&old=6063&new_path=tags%2F2.2.3&new=6063#file10 http://trac.wordpress.org/ticket/4748 wordpress-vars-security-bypass(42379) Untrusted search path vulnerability in VideoLAN VLC before 0.9.0 allows local users to execute arbitrary code via a malicious library under the modules/ or plugins/ subdirectories of the current working directory. http://git.videolan.org/?p=vlc.git;a=commit;h=c7cef4fdd8dd72ce0a45be3cda8ba98df5e83181 GLSA-200807-13 http://trac.videolan.org/vlc/ticket/1578 vlc-searchpath-code-execution(42377) The utimensat system call (sys_utimensat) in Linux kernel 2.6.22 and other versions before 2.6.25.3 does not check file permissions when certain UTIME_NOW and UTIME_OMIT combinations are used, which allows local users to modify file times of arbitrary files, possibly leading to a denial of service. http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f9dfda1ad0637a89a64d001cf81478bd8d9b6306 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.3 SUSE-SA:2008:030 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0169 MDVSA-2008:167 RHSA-2008:0585 29134 USN-625-1 ADV-2008-1543 linux-kernel-sysutimensat-dos(42342) Stack-based buffer overflow in the searchwn function in Wordnet 2.0, 2.1, and 3.0 might allow context-dependent attackers to execute arbitrary code via a long command line option. NOTE: this issue probably does not cross privilege boundaries except in cases in which Wordnet is used as a back end. DSA-1634 GLSA-200810-01 MDVSA-2008:182 29208 ADV-2008-1527 https://bugs.gentoo.org/show_bug.cgi?id=211491 wordnet-searchwn-bo(42378) Integer overflow in the rtl_allocateMemory function in sal/rtl/source/alloc_global.c in OpenOffice.org (OOo) 2.0 through 2.4 allows remote attackers to execute arbitrary code via a crafted file that triggers a heap-based buffer overflow. 20080610 Multiple Vendor OpenOffice rtl_allocateMemory() Integer Overflow Vulnerability GLSA-200807-05 237944 MDVSA-2008:137 MDVSA-2008:138 http://www.openoffice.org/security/cves/CVE-2008-2152.html RHSA-2008:0537 RHSA-2008:0538 29622 1020219 ADV-2008-1773 ADV-2008-1804 openoffice-rtlallocatememory-bo(42957) oval:org.mitre.oval:def:9787 FEDORA-2008-5143 FEDORA-2008-5239 FEDORA-2008-5247 IBM DB2 8 before FP17, 9.1 before FP5, and 9.5 before FP2 provides an INSTALL_JAR (aka sqlj.install_jar) procedure, which allows remote authenticated users to create or overwrite arbitrary files via unspecified calls. ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/aparlist/db2_v82/APARLIST.TXT 35409 IZ21983 IZ22142 IZ22143 http://www-01.ibm.com/support/docview.wss?uid=swg21318189 db2-installjar-priv-escalation(51105) robotd in the Library Manager in EMC AlphaStor 3.1 SP1 for Windows allows remote attackers to execute arbitrary commands via an unspecified string field in a packet to TCP port 3500. 20080527 EMC AlphaStor Library Manager Arbitrary Command Execution Vulnerability 1020116 ADV-2008-1670 alphastor-librarymanager-code-execution(42671) Multiple stack-based buffer overflows in the Command Line Interface process in the Server Agent in EMC AlphaStor 3.1 SP1 for Windows allow remote attackers to execute arbitrary code via crafted TCP packets to port 41025. 20080527 EMC AlphaStor Server Agent Multiple Stack Buffer Overflow Vulnerabilities 1020115 29399 ADV-2008-1670 alphastor-commandline-bo(42669) Microsoft Internet Explorer 7 can save encrypted pages in the cache even when the DisableCachingOfSSLPages registry setting is enabled, which might allow local users to obtain sensitive information. VU#468843 29120 ADV-2008-1470 ie-disablecachingofsslpages-weak-security(42307) Multiple unspecified vulnerabilities in the JPEG (GDI+) and GIF image processing in Microsoft Windows CE 5.0 allow remote attackers to execute arbitrary code via crafted (1) JPEG and (2) GIF images. 948812 29147 1020007 ADV-2008-1469 wince-jpeg-code-execution(42334) Buffer overflow in TFTP Server SP 1.4 and 1.5 on Windows, and possibly other versions, allows remote attackers to execute arbitrary code via a long TFTP error packet. NOTE: some of these details are obtained from third party information. 29111 ADV-2008-1468 tftpserversp-errormessage-bo(42298) 5563 Cross-site scripting (XSS) vulnerability in SonicWall Email Security 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the Host header in a request to a non-existent web page, which is not properly sanitized in an error page. 20080508 SonicWall e-mail security Host Header XSS Vulnerability 29107 1019999 sonicwall-host-header-xss(42283) Cross-site scripting (XSS) vulnerability in IBM Lotus Quickr 8.1 before Hotfix 5 for Windows and AIX, and before Hotfix 3 for i5/OS, allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to "WYSIWYG editors." 29175 ADV-2008-1502 http://www-01.ibm.com/support/docview.wss?uid=swg27013341 http://www-1.ibm.com/support/docview.wss?uid=swg24018711 ibm-lotus-quickr-wysiwyg-xss(42360) Cross-site scripting (XSS) vulnerability in AccessCodeStart.asp in Cisco Building Broadband Service Manager (BBSM) Captive Portal 5.3 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. 3895 1020018 20080513 Cisco BBSM Captive Portal Cross-site Scripting 20080514 Re: Cisco BBSM Captive Portal Cross-site Scripting 29191 ADV-2008-1535 cisco-bbsm-accesscodestart-xss(42395) Cross-site scripting (XSS) vulnerability in the search module in Sun Java System Web Server 6.1 before SP9 and 7.0 before Update 2 allows remote attackers to inject arbitrary web script or HTML via unknown parameters in index.jsp. 231467 29087 1019987 ADV-2008-1455 javasystem-search-xss(42263) Cross-site scripting (XSS) vulnerability in ZyXEL ZyWALL 100 allows remote attackers to inject arbitrary web script or HTML via the Referer header, which is not properly handled in a 404 Error page. 20080508 ZYWALL Referer Header XSS Vulnerability 3869 20080508 ZYWALL Referer Header XSS Vulnerability 29110 1020000 ADV-2008-1501 zywall-referer-xss(42282) Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page. HPSBUX02365 SSRT090085 HPSBUX02465 3889 20080508 Apache Server HTML Injection and UTF-7 XSS Vulnerability 20080510 Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability 20080510 Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability 20080512 Re: Re: Re: Apache Server HTML Injection and UTF-7 XSS Vulnerability 29112 USN-731-1 apache-403-xss(42303) oval:org.mitre.oval:def:5143 Unspecified vulnerability in Avici routers allows remote attackers to cause a denial of service (dropped session) via crafted BGP UPDATE messages, leading to route flapping, possibly a related issue to CVE-2007-6372. VU#929656 28999 Unspecified vulnerability in Century routers allows remote attackers to cause a denial of service (dropped session) via crafted BGP UPDATE messages, leading to route flapping, possibly a related issue to CVE-2007-6372. VU#929656 28999 Unspecified vulnerability in AlaxalA AX routers allows remote attackers to cause a denial of service (dropped session) via crafted BGP UPDATE messages, leading to route flapping, possibly a related issue to CVE-2007-6372. VU#929656 http://www.kb.cert.org/vuls/id/MIMG-79UV2A 28999 ADV-2008-1407 Unspecified vulnerability in Hitachi GR routers allows remote attackers to cause a denial of service (dropped session) via crafted BGP UPDATE messages, leading to route flapping, possibly a related issue to CVE-2007-6372. VU#929656 http://www.kb.cert.org/vuls/id/MIMG-79UV2A 28999 ADV-2008-1405 Unspecified vulnerability in Yamaha routers allows remote attackers to cause a denial of service (dropped session) via crafted BGP UPDATE messages, leading to route flapping, possibly a related issue to CVE-2007-6372. VU#929656 28999 Multiple unspecified vulnerabilities in Robin Rawson-Tetley Animal Shelter Manager (ASM) before 2.2.2 have unknown impact and attack vectors, related to "various areas where security was missing." http://sourceforge.net/forum/forum.php?forum_id=818214 http://sourceforge.net/project/shownotes.php?group_id=82533&release_id=596220 29022 asm-unspecified-security-bypass(42139) SQL injection vulnerability in comments.php in Gamma Scripts BlogMe PHP 1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. 29030 blogmephp-comments-sql-injection(42193) 5533 Cross-site scripting (XSS) vulnerability in admin/category.php in Zomplog 3.8.2 allows remote attackers to inject arbitrary web script or HTML via the catname parameter. 3870 20080502 Zomplog 3.8.2 XSS Vulnerability 29021 zomplog-category-xss(42146) Multiple SQL injection vulnerabilities in phpDirectorySource 1.1.06, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to show.php and the (2) login parameter to admin.php. 29039 ADV-2008-1432 phpdirectorysource-show-sql-injection(42212) phpdirectorysource-admin-sql-injection(42213) 5537 Cross-site scripting (XSS) vulnerability in admin.php in LifeType 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the searchTerms parameter in an editArticleCategories operation (aka an admin category search). http://lifetype.net/post/2008/05/04/lifetype-1.2.8-released 3871 http://wiki.lifetype.net/index.php/Release_notes_Lifetype_1.2.8 20080502 Lifetype 1.2.7 XSS Vulnerability 20080504 Re: Lifetype 1.2.7 XSS Vulnerability 29017 lifetype-admin-xss(42151) Cross-site scripting (XSS) vulnerability in SystemList.jsp in SysAid 5.1.08 allows remote attackers to inject arbitrary web script or HTML via the searchField parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29037 sysaid-searchfield-xss(42243) Multiple SQL injection vulnerabilities in cpLinks 1.03, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) admin_username parameter (aka the username field) to admin/index.php and the (2) search_text and (3) search_category parameters to search.php. NOTE: some of these details are obtained from third party information. 29035 ADV-2008-1431 cplinks-index-search-sql-injection(42170) 5538 Multiple cross-site scripting (XSS) vulnerabilities in search.php in cpLinks 1.03 allow remote attackers to inject arbitrary web script or HTML via the (1) search_text and (2) search_category parameters. NOTE: the XSS reportedly occurs in a forced SQL error message. NOTE: some of these details are obtained from third party information. 29035 ADV-2008-1431 cplinks-search-xss(42171) 5538 Cross-site scripting (XSS) vulnerability in the powermail extension before 1.1.10 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-20080505-2/ 29040 powermail-typo3-unspecified-xss(42188) SQL injection vulnerability in index.php in SMartBlog (aka SMBlog) 1.3 allows remote attackers to execute arbitrary SQL commands via the idt parameter. 29033 smartblog-index-logon-sql-injection(42190) 5535 Multiple SQL injection vulnerabilities in SMartBlog (aka SMBlog) 1.3 allow remote attackers to execute arbitrary SQL commands via the (1) mois, (2) an, (3) jour, and (4) id parameters to index.php, and the (5) login parameter to gestion/logon.php, different vectors than CVE-2008-2183. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29043 smartblog-index-logon-sql-injection(42190) smartblog-logon-sql-injection(42245) Directory traversal vulnerability in index.php in SMartBlog (aka SMBlog) 1.3 allows remote attackers to include arbitrary local files via directory traversal sequences in the page parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29043 smartblog-page-file-include(42192) Cross-site scripting (XSS) vulnerability in index.php in Chilek Content Management System (aka ChiCoMaS) 2.0.4 allows remote attackers to inject arbitrary web script or HTML via the q parameter. 20080502 chicomas.2.0.4 http://www.bugreport.ir/index_59.htm 20081220 chicomas <=2.0.4 Multiple Vulnerabilities 20081220 Re: chicomas <=2.0.4 Multiple Vulnerabilities 29025 chicomas-index-xss(42156) 7532 Cross-site scripting (XSS) vulnerability in mjguest.php in Mjguest 6.7 GT Rev.01 allows remote attackers to inject arbitrary web script or HTML via the level parameter in a redirect action, possibly involving interface/redirect.htm.php. 3872 http://www.mdsjack.bo.it/public/phpBB3/viewtopic.php?t=2049 20080501 mjguest 6.7 (ALL VERSION) Xss & Redirection Vuln 20080521 Re: mjguest 6.7 (ALL VERSION) Xss & Redirection Vuln 29002 mjguest-mjguest-xss(42129) Multiple cross-site scripting (XSS) vulnerabilities in EJ3 BlackBook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) bookCopyright and (2) ver parameters to (a) footer.php, and the (3) bookName, (4) bookMetaTags, and (5) estiloCSS parameters to (b) header.php. 3873 20080502 BlackBook v1.0 Multiple XSS Vulnerabilities 29015 blackbook-multiple-xss(42147) SQL injection vulnerability in viewfaqs.php in AnServ Auction XL allows remote attackers to execute arbitrary SQL commands via the cat parameter. 3874 20080505 [ECHO_ADV_92$2008] Anserv Auction XL (viewfaqs.php cat) Blind Sql Injection Vulnerability 29053 auctionxl-viewfaqs-sql-injection(42214) 5543 SQL injection vulnerability in index.php in Online Rent (aka Online Rental Property Script) 4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the pid parameter. NOTE: it was later reported that 5.0 and earlier are also affected. 3875 20080505 [ECHO_ADV_91$2008] Online Rental Property Script <= 4.5 (pid) Blind Sql Injection Vulnerability 20080508 Re: [ECHO_ADV_91$2008] Online Rental Property Script <= 4.5 (pid) Blind Sql Injection Vulnerability 29052 35005 ADV-2009-1366 onlinerental-index-sql-injection(42191) 5542 8711 SQL injection vulnerability in the pnEncyclopedia module 0.2.0 and earlier for PostNuke allows remote attackers to execute arbitrary SQL commands via the id parameter in a display_term action to index.php. 3876 20080505 [ECHO_ADV_90$2008] PostNuke Module pnEncyclopedia <= 0.2.0 (id) Blind Sql Injection Vulnerability 29046 pnencyclopedia-index-sql-injection(42185) 5541 Static code injection vulnerability in box/minichat/boxpop.php in IT!CMS (aka itcms) 1.9 allows remote attackers to inject arbitrary PHP code into box/MiniChat/data/shouts.php via the shout parameter. 29028 itcms-boxpop-file-include(42172) 5532 PHP remote file inclusion vulnerability in example.php in Thomas Gossmann ScorpNews 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the site parameter. 29041 ADV-2008-1430 scorpnews-example-file-include(42517) 5539 SQL injection vulnerability in forums.php in DeluxeBB 1.2 and earlier allows remote attackers to execute arbitrary SQL commands via the sort parameter. 29062 deluxebb-forums-sql-injection(42224) 5550 Static code injection vulnerability in admincp.php in DeluxeBB 1.2 and earlier allows remote authenticated administrators to inject arbitrary PHP code into logs/cp.php via the URI. 29062 deluxebb-admincp-code-execution(42225) 5550 Cross-site scripting (XSS) vulnerability in admin.php in LifeType 1.2.8 allows remote attackers to inject arbitrary web script or HTML via the newBlogUserName parameter in an addBlogUser action, a different vector than CVE-2008-2178. 3879 20080505 LifeType 1.2.8 29050 lifetype-newblogusername-xss(42228) SQL injection vulnerability in the blogwriter module 2.0 for Miniweb allows remote attackers to execute arbitrary SQL commands via the historymonth parameter to index.php. 29061 blogwriter-historymonth-sql-injection(42220) 5548 PHP remote file inclusion vulnerability in kmitaadmin/kmitat/htmlcode.php in Kmita Tellfriend 2.0 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the file parameter. 3877 20080505 [ECHO_ADV_93$2008] Kmita Tellfriend <= 2.0 (file) Remote File Inclusion Vulnerability 29042 kmitatellfriend-htmlcode-file-include(42186) 5544 PHP remote file inclusion vulnerability in kmitaadmin/kmitam/htmlcode.php in Kmita Mail 3.0 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the file parameter. 3878 20080505 [ECHO_ADV_94$2008] Kmita Mail <= 3.0 (file) Remote File Inclusion Vulnerability 29044 kmitamail-htmlcode-file-include(42187) 5545 Multiple cross-site scripting (XSS) vulnerabilities in Maian Weblog 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) keywords parameter to admin/index.php in a blogs search action, the (2) msg_charset and (3) msg_header9 parameters to admin/inc/header.php, and the (4) keywords parameter to index.php in a search action. 3880 20080503 Maian Weblog v4.0 XSS Vulnerabilities 29032 maian-weblog-index-header-xss(42207) Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/header.php in Maian Recipe 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) header, (2) header2, (3) header3, (4) header4, (5) header5, (6) header6, (7) header7, (8) header8, and (9) header9 parameters. 3881 20080503 Maian Recipe v1.2 Xss Vulnerabilities 29032 maian-recipe-header-xss(42206) Multiple cross-site scripting (XSS) vulnerabilities in Maian Uploader 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) keywords parameter to upload/admin/index.php in a search action, the (2) msg_charset and (3) msg_header9 parameters to admin/inc/header.php, and the (4) keywords parameter to index.php in a search action. 3882 20080505 Maian Uploader v4.0 XSS Vulnerabilities 29051 maian-uploader-index-header-xss(42203) SQL injection vulnerability in search.php in Maian Search 1.1 allows remote attackers to execute arbitrary SQL commands via the keywords parameter in a search action. 3883 20080503 Maian Search v1.1 Multiple Vulnerabilities (XSS/SQL INJECTION) 29032 maian-search-search-sql-injection(42196) Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/header.php in Maian Search 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) header, (2) header2, (3) header3, (4) header4, (5) header5, (6) header6, (7) header7, (8) header8, and (9) header9 parameters. 3883 20080503 Maian Search v1.1 Multiple Vulnerabilities (XSS/SQL INJECTION) 29032 SQL injection vulnerability in index.php in Maian Music 1.1 allows remote attackers to execute arbitrary SQL commands via the album parameter in an album action. 3884 20080503 Maian Music v1.1 Multiple Vulnerabilities (Xss/SQL Injection) 29032 maian-music-album-sql-injection(42209) Multiple cross-site scripting (XSS) vulnerabilities in Maian Music 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) keywords parameter in a search action to index.php, and the (2) msg_script parameter to admin/inc/footer.php. 3884 20080503 Maian Music v1.1 Multiple Vulnerabilities (Xss/SQL Injection) 29032 maian-music-index-footer-xss(42210) Cross-site scripting (XSS) vulnerability in admin/index.php in Maian Gallery 2.0 allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a search action. 3885 20080503 Maian Gallery v2.0 XSS Vulnerability 29032 maian-gallery-keywords-xss(42195) SQL injection vulnerability in index.php in Maian Greeting 2.1 allows remote attackers to execute arbitrary SQL commands via the keywords parameter in a search action. 3887 20080503 Maian Greeting v2.1 Multiple Vulnerabilities (XSS/SQL INJECTION) 29032 maian-greeting-keywords-sql-injection(42199) Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/header.php in Maian Greeting 2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) msg_script and (2) msg_script2 parameters. 3887 20080503 Maian Greeting v2.1 Multiple Vulnerabilities (XSS/SQL INJECTION) 29032 maian-greeting-header-xss(42200) Multiple cross-site scripting (XSS) vulnerabilities in Maian Support 1.3 allow remote attackers to inject arbitrary web script or HTML via the (1) msg_script, (2) msg_script2, and (3) msg_script3 parameters to admin/inc/footer.php; and the (4) msg_script2 parameter to admin/inc/header.php. 3888 20080503 Maian Support v1.3 Xss Vulnerabilities 29032 maian-support-footer-header-xss(42205) Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/footer.php in Maian Guestbook 3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) msg_script2 and (2) msg_script3 parameters. 3890 20080503 Maian Guestbook v3.2 XSS Vulnerabilities 29032 maian-guestbook-footer-xss(42198) Multiple cross-site scripting (XSS) vulnerabilities in Maian Cart 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) msg_adminheader, (2) msg_adminheader2, (3) msg_adminheader3, (4) msg_adminheader4, and unspecified other parameters to admin/inc/header.php; the (5) msg_script3 and unspecified other parameters to admin/inc/footer.php; and the (6) keywords parameter to index.php in a search action. 3891 20080503 Maian Cart v1.1 XSS Vulnerabilities 29032 maian-cart-multiple-xss(42194) Multiple cross-site scripting (XSS) vulnerabilities in admin/inc/footer.php in Maian Links 3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) msg_script2 and (2) msg_script3 parameters. 3892 20080503 Maian Links v3.1 XSS Vulnerabilities 29032 maian-links-footer-xss(42208) Stack-based buffer overflow in the Network Manager in Castle Rock Computing SNMPc 7.1 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long community string in an SNMP TRAP packet. 3886 http://www.ngssoftware.com/advisories/critical-vulnerability-in-snmpc/ 20080430 Critical Vulnerability in SNMPc 28990 1019953 ADV-2008-1403 snmpc-snmptrap-bo(42104) Multiple directory traversal vulnerabilities in Project-Based Calendaring System (PBCS) 0.7.1-1 allow remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter to (1) src/yopy_sync.php and (2) system-logger/print_logs.php. 28991 pbcs-filename-directory-traversal(42106) 5523 Unrestricted file upload vulnerability in src/yopy_upload.php in Project-Based Calendaring System (PBCS) 0.7.1 allows remote authenticated users to upload arbitrary files to tmp/uploads. 28991 pbcs-yopyupload-file-upload(42105) 5523 Directory traversal vulnerability in cm/graphie.php in Content Management System 0.6.1 for Phprojekt allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the cm_imgpath parameter. 28958 cmsphprojekt-graphie-file-include(42510) 5510 Buffer overflow in the Multimedia PC Client in Nortel Multimedia Communication Server (MCS) before Maintenance Release 3.5.8.3 and 4.0.25.3 allows remote attackers to cause a denial of service (crash) via a flood of "extraneous" messages, as demonstrated by the Nessus "Generic flood" denial of service plugin. http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=719698 28994 1019957 ADV-2008-1404 nortel-mcs-client-bo(42115) Cross-site scripting (XSS) vulnerability in install.php in C-News.fr C-News 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the etape parameter. 28989 http://www.z0rlu.ownspace.org/index.php?/archives/70-cnews-1.0.1-XSS.html cnews-install-xss(42509) Multiple PHP remote file inclusion vulnerabilities in Interact Learning Community Environment Interact 2.4.1, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) CONFIG[LANGUAGE_CPATH] parameter to modules/forum/embedforum.php and the (2) CONFIG[BASE_PATH] parameter to modules/scorm/lib.inc.php, different vectors than CVE-2006-4448. 28996 interact-embedforum-file-include(42113) 5526 Unspecified vulnerability in the Java plugin in IBM WebSphere Application Server 5.0.2 allows untrusted applets to gain privileges via unknown attack vectors. 28997 1019956 ADV-2008-1411 PK65161 websphere-javaplugin-privilege-escalation(42116) SQL injection vulnerability in login.php in EQdkp 1.3.2f allows remote attackers to bypass EQdkp user authentication via the user_id parameter. 29184 eqdkp-userid-sql-injection(42381) 5603 SQL injection vulnerability in group_posts.php in vShare YouTube Clone 2.6 allows remote attackers to execute arbitrary SQL commands via the tid parameter. http://forums.buyscripts.in/viewtopic.php?f=7&t=3389 29114 youtubeclone-groupposts-sql-injection(42285) 5565 Multiple PHP remote file inclusion vulnerabilities in SazCart 1.5.1, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) _saz[settings][site_dir] parameter to layouts/default/header.saz.php and the (2) _saz[settings][site_url] parameter to admin/alayouts/default/pages/login.php. 29113 sazcart-headersaz-file-include(42289) 5566 SQL injection vulnerability in index.php in gameCMS Lite 1.0 allows remote attackers to execute arbitrary SQL commands via the systemId parameter. 29093 gamecmslite-index-sql-injection(42251) 5555 Unspecified vulnerability in the export feature in OpenKM before 2.0 allows remote attackers to export arbitrary documents via unspecified vectors. NOTE: some of these details are obtained from third party information. http://sourceforge.net/project/shownotes.php?release_id=597940 29117 openkm-export-information-disclosure(42297) Multiple directory traversal vulnerabilities in PHP-Fusion Forum Rank System 6 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the settings[locale] parameter to (1) forum.php and (2) profile.php in infusions/rank_system/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29077 http://www.securityfocus.com/bid/29077/exploit forumranksystem-settingslocale-file-include(42244) PHP remote file inclusion vulnerability in portfolio/commentaires/derniers_commentaires.php in Cyberfolio 7.12, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the rep parameter. 29124 cyberfolio-rep-file-include(42286) 5567 Untrusted search path vulnerability in (1) reportbug 3.8 and 3.31, and (2) reportbug-ng before 0.2008.06.04, allows local users to execute arbitrary code via a malicious module file in the current working directory. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484311 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484474 reportbug-searchpath-code-execution(43001) SQL injection vulnerability in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) R_2_5_0_94 and earlier allows remote attackers to execute SQL commands and read table information via the id parameter. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484499 [oss-security] 20080604 CVE id request: slash [oss-security] 20080604 Re: CVE id request: slash 3923 http://slashcode.cvs.sourceforge.net/slashcode/slash/Slash/Utility/Environment/Environment.pm?r1=1.223&r2=1.225 DSA-1633 29548 1020206 http://www.slashcode.com/article.pl?sid=08/01/04/1950244&tid=4 http://www.slashcode.com/article.pl?sid=08/01/07/2314232 slash-id-sql-injection(42880) The expand_template function in afuse.c in afuse 0.2 allows local users to gain privileges via shell metacharacters in a pathname. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=490921 DSA-1611 30245 afuse-filenames-command-execution(43834) FEDORA-2009-8792 FEDORA-2009-8816 The client in Openwsman 1.2.0 and 2.0.0, in unknown configurations, allows remote Openwsman servers to replay SSL sessions via unspecified vectors. SUSE-SA:2008:041 30694 ADV-2008-2397 Multiple buffer overflows in Openwsman 1.2.0 and 2.0.0 allow remote attackers to execute arbitrary code via a crafted "Authorization: Basic" HTTP header. SUSE-SA:2008:041 [security-announce] 20080918 VMSA-2008-0015 Updated ESXi and ESX 3.5 packages address critical security issue in openwsman 20080919 VMSA-2008-0015 Updated ESXi and ESX 3.5 packages address critical security issue in openwsman 30694 http://www.vmware.com/security/advisories/VMSA-2008-0015.html ADV-2008-2397 ADV-2008-2624 openwsman-authentication-header-bo(44481) openwsman-session-replay-code-execution(44484) OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN. SUSE-SR:2008:019 SUSE-SR:2009:004 GLSA-200812-09 MDVSA-2008:183 [opensc-announce] 20080731 OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11 http://www.opensc-project.org/security.html 30473 opensc-smartcard-cryptotoken-weak-security(44140) DSA-1627 FEDORA-2009-2267 Cross-site scripting (XSS) vulnerability in blosxom.cgi in Blosxom before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the flav parameter (flavour variable). NOTE: some of these details are obtained from third party information. JVN#03300113 JVNDB-2008-000073 http://sourceforge.net/project/shownotes.php?release_id=630149 31535 blosxom-flav-xss(45600) Heap-based buffer overflow in OpenOffice.org (OOo) 2.x before 2.4.2 allows remote attackers to execute arbitrary code via a crafted WMF file associated with a StarOffice/StarSuite document. SUSE-SR:2008:026 http://neowiki.neooffice.org/index.php/NeoOffice_2.2.5_Patch_3_New_Features#Security_fixes GLSA-200812-13 242627 DSA-1661 http://www.openoffice.org/security/cves/CVE-2008-2237.html RHSA-2008:0939 31962 1021120 USN-677-1 USN-677-2 ADV-2008-2947 ADV-2008-3103 openoffice-wmf-bo(46165) oval:org.mitre.oval:def:10784 FEDORA-2008-9313 FEDORA-2008-9333 Multiple integer overflows in OpenOffice.org (OOo) 2.x before 2.4.2 allow remote attackers to execute arbitrary code via crafted EMR records in an EMF file associated with a StarOffice/StarSuite document, which trigger a heap-based buffer overflow. 20081031 OpenOffice EMF Record Parsing Multiple Integer Overflow Vulnerabilities SUSE-SR:2008:026 http://neowiki.neooffice.org/index.php/NeoOffice_2.2.5_Patch_3_New_Features#Security_fixes GLSA-200812-13 243226 DSA-1661 http://www.openoffice.org/security/cves/CVE-2008-2238.html RHSA-2008:0939 31962 1021121 USN-677-1 USN-677-2 ADV-2008-2947 ADV-2008-3103 ADV-2008-3153 openoffice-emf-file-bo(46166) oval:org.mitre.oval:def:10849 FEDORA-2008-9313 FEDORA-2008-9333 Stack-based buffer overflow in the Web Server service in IBM Lotus Domino before 7.0.3 FP1, and 8.x before 8.0.1, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long Accept-Language HTTP header. 20080522 Who's Right 20080522 Who's Right http://www.mwrinfosecurity.com/publications/mwri_ibm-lotus-domino-accept-language-stack-overflow_2008-05-20.pdf 29310 1020098 ADV-2008-1597 http://www-1.ibm.com/support/docview.wss?uid=swg21303057 ibm-lotusdomino-acceptlanguage-bo(42552) Directory traversal vulnerability in caloggerd in CA BrightStor ARCServe Backup 11.0, 11.1, and 11.5 allows remote attackers to append arbitrary data to arbitrary files via directory traversal sequences in unspecified input fields, which are used in log messages. NOTE: this can be leveraged for code execution in many installation environments by writing to a startup file or configuration file. 20080519 ZDI-08-027: CA BrightStor ARCserve Backup Arbitrary File Writing Vulnerability 20080519 CA ARCserve Backup caloggerd and xdr Functions Vulnerabilities 29283 1020043 ADV-2008-1573 http://www.zerodayinitiative.com/advisories/ZDI-08-027/ ca-arcservebackup-caloggerd-code-execution(42524) https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798 Multiple buffer overflows in xdr functions in the server in CA BrightStor ARCServe Backup 11.0, 11.1, and 11.5 allow remote attackers to execute arbitrary code, as demonstrated by a stack-based buffer overflow via a long parameter to the xdr_rwsstring function. 20080519 CA ARCserve Backup caloggerd and xdr Functions Vulnerabilities 20080519 ZDI-08-026: CA BrightStor ARCserve Backup Remote Buffer Overflow 29283 1020044 ADV-2008-1573 http://www.zerodayinitiative.com/advisories/ZDI-08-026/ ca-arcservebackup-xdrrwsstring-bo(42527) https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=176798 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Microsoft Office Word 2002 SP3 allows remote attackers to execute arbitrary code via a .doc file that contains malformed data, as exploited in the wild in July 2008, and as demonstrated by attachement.doc. http://blogs.technet.com/msrc/archive/2008/07/08/vulnerability-in-microsoft-word-could-allow-remote-code-execution.aspx http://isc.sans.org/diary.html?storyid=4696 SSRT080117 http://www.microsoft.com/technet/security/advisory/953635.mspx 30124 1020447 TA08-225A ADV-2008-2028 microsoft-word-unspecified-code-execution(43663) oval:org.mitre.oval:def:5897 Heap-based buffer overflow in the InternalOpenColorProfile function in mscms.dll in Microsoft Windows Image Color Management System (MSCMS) in the Image Color Management (ICM) component on Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted image file. 20080812 Microsoft Windows Color Management Module Heap Buffer Overflow Vulnerability HPSBST02360 VU#309739 30594 1020675 TA08-225A ADV-2008-2350 MS08-046 oval:org.mitre.oval:def:5923 6732 Microsoft Windows Vista through SP1 and Server 2008 do not properly import the default IPsec policy from a Windows Server 2003 domain to a Windows Server 2008 domain, which prevents IPsec rules from being enforced and allows remote attackers to bypass intended access restrictions. HPSBST02360 30634 1020678 TA08-225A ADV-2008-2351 MS08-047 oval:org.mitre.oval:def:6060 Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) for Exchange Server 2003 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified e-mail fields, a different vulnerability than CVE-2008-2248. 30130 1020439 TA08-190A ADV-2008-2021 MS08-039 exchange-owa-email-fields-xss(43328) oval:org.mitre.oval:def:5354 Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) for Exchange Server 2003 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified HTML, a different vulnerability than CVE-2008-2247. 30078 1020439 TA08-190A ADV-2008-2021 MS08-039 exchange-owa-html-xss(43329) oval:org.mitre.oval:def:5695 Integer overflow in GDI in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a malformed header in a crafted WMF file, which triggers a buffer overflow, aka "GDI Integer Overflow Vulnerability." 20081209 Microsoft Windows Graphics Device Interface Integer Overflow Vulnerability 1021365 TA08-344A ADV-2008-3383 MS08-071 oval:org.mitre.oval:def:5984 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate window properties sent from a parent window to a child window during creation of a new window, which allows local users to gain privileges via a crafted application, aka "Windows Kernel Window Creation Vulnerability." SSRT080143 31651 1021046 TA08-288A ADV-2008-2812 MS08-061 win-kernel-window-privilege-escalation(45541) win-ms08kb954211-update(45544) oval:org.mitre.oval:def:5902 Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows local users to gain privileges via a crafted application that makes system calls within multiple threads, aka "Windows Kernel Unhandled Exception Vulnerability." NOTE: according to Microsoft, this is not a duplicate of CVE-2008-4510. SSRT080143 31653 1021046 TA08-288A ADV-2008-2812 MS08-061 win-kernel-system-calls-privilege-escalation(45542) win-ms08kb954211-update(45544) oval:org.mitre.oval:def:6010 The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate parameters sent from user mode to the kernel, which allows local users to gain privileges via a crafted application, aka "Windows Kernel Memory Corruption Vulnerability." SSRT080143 31652 1021046 TA08-288A MS08-061 win-kernel-input-privilege-escalation(45543) win-ms08kb954211-update(45544) oval:org.mitre.oval:def:6045 Unspecified vulnerability in Microsoft Windows Media Player 11 allows remote attackers to execute arbitrary code via a crafted audio-only file that is streamed from a Server-Side Playlist (SSPL) on Windows Media Server, aka "Windows Media Player Sampling Rate Vulnerability." http://www.microsoft.com/technet/security/Bulletin/MS08-054.mspx Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update. *Windows Server 2008 server core installation not affected. The vulnerability addressed by this update does not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option, even though the files affected by this vulnerability may be present on the system. However, users with the affected files will still be offered this update because the update files are newer (with higher version numbers) than the files that are currently on your system. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options. HPSBST02372 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=766863#PRODUCTS 30550 1020831 TA08-253A ADV-2008-2522 MS08-054 oval:org.mitre.oval:def:5615 Microsoft Internet Explorer 6 and 7 accesses uninitialized memory, which allows remote attackers to cause a denial of service (crash) and execute arbitrary code via unknown vectors, aka "HTML Object Memory Corruption Vulnerability." HPSBST02360 30614 1020674 TA08-225A ADV-2008-2349 MS08-045 oval:org.mitre.oval:def:5820 Microsoft Internet Explorer 5.01, 6, and 7 accesses uninitialized memory, which allows remote attackers to cause a denial of service (crash) and execute arbitrary code via unknown vectors, a different vulnerability than CVE-2008-2254, aka "HTML Object Memory Corruption Vulnerability." HPSBST02360 1020674 TA08-225A ADV-2008-2349 MS08-045 oval:org.mitre.oval:def:5602 Microsoft Internet Explorer 5.01, 6, and 7 does not properly handle objects that have been incorrectly initialized or deleted, which allows remote attackers to cause a denial of service (crash) and execute arbitrary code via unknown vectors, aka "Uninitialized Memory Corruption Vulnerability." HPSBST02360 30611 1020674 TA08-225A ADV-2008-2349 MS08-045 oval:org.mitre.oval:def:5366 Microsoft Internet Explorer 5.01, 6, and 7 accesses uninitialized memory in certain conditions, which allows remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to a document object "appended in a specific order," aka "HTML Objects Memory Corruption Vulnerability" or "XHTML Rendering Memory Corruption Vulnerability," a different vulnerability than CVE-2008-2258. HPSBST02360 20080812 ZDI-08-050: Microsoft Internet Explorer XHTML Rendering Memory Corruption Vulnerability 30613 1020674 TA08-225A ADV-2008-2349 http://www.zerodayinitiative.com/advisories/ZDI-08-050/ MS08-045 oval:org.mitre.oval:def:5266 Microsoft Internet Explorer 5.01, 6, and 7 accesses uninitialized memory in certain conditions, which allows remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to a document object "appended in a specific order" with "particular functions ... performed on" document objects, aka "HTML Objects Memory Corruption Vulnerability" or "Table Layout Memory Corruption Vulnerability," a different vulnerability than CVE-2008-2257. HPSBST02360 20080812 ZDI-08-051: Microsoft Internet Explorer Table Layout Memory Corruption Vulnerability 30610 1020674 TA08-225A ADV-2008-2349 http://www.zerodayinitiative.com/advisories/ZDI-08-051/ MS08-045 oval:org.mitre.oval:def:6025 Microsoft Internet Explorer 6 and 7 does not perform proper "argument validation" during print preview, which allows remote attackers to execute arbitrary code via unknown vectors, aka "HTML Component Handling Vulnerability." HPSBST02360 30612 1020674 TA08-225A ADV-2008-2349 MS08-045 oval:org.mitre.oval:def:5913 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. SQL injection vulnerability in linking.page.php in Automated Link Exchange Portal allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. NOTE: linking.page.php is commonly renamed to link.php, links.php, etc. 29205 automatedlinkexchange-catid-sql-injection(42401) 5611 Cross-site scripting (XSS) vulnerability in index.php in CyrixMED 1.4 allows remote attackers to inject arbitrary web script or HTML via the msg_erreur parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29153 cyrixmed-index-xss(42353) SQL injection vulnerability in news.php in EMO Realty Manager allows remote attackers to execute arbitrary SQL commands via the ida parameter. 29202 ADV-2008-1525 emorealtymanager-news-sql-injection(42404) 5609 uulib/uunconc.c in UUDeview 0.5.20, as used in nzbget before 0.3.0 and possibly other products, allows local users to overwrite arbitrary files via a symlink attack on a temporary filename generated by the tempnam function. NOTE: this may be a CVE-2004-2265 regression. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480972 GLSA-200808-11 [oss-security] 20080514 Re: CVE id request: uudeview [oss-security] 20080530 Re: CVE id request: uudeview 29211 uudeview-tempnam-symlink(42407) Incomplete blacklist vulnerability in javaUpload.php in Postlet in the FileManager module in CMS Made Simple 1.2.4 and earlier allows remote attackers to execute arbitrary code by uploading a file with a name ending in (1) .jsp, (2) .php3, (3) .cgi, (4) .dhtml, (5) .phtml, (6) .php5, or (7) .jar, then accessing it via a direct request to the file in modules/FileManager/postlet/. http://blog.cmsmadesimple.org/2008/05/12/announcing-cms-made-simple-125/ 20080514 PHP File Upload Vulnerability with extra Extension 29170 cmsmadesimple-javaupload-file-upload(42371) 5600 Open redirect vulnerability in interface/redirect.htm.php in Mjguest 6.7 GT Rev.01 allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the goto parameter in a redirect action to mjguest.php. NOTE: this is user-assisted because there is a delay and a notification before redirection occurs. 3872 http://www.mdsjack.bo.it/public/phpBB3/viewtopic.php?t=2049 20080501 mjguest 6.7 (ALL VERSION) Xss & Redirection Vuln 20080521 Re: mjguest 6.7 (ALL VERSION) Xss & Redirection Vuln mjguest-mjguest-security-bypass(42130) AustinSmoke GasTracker (AS-GasTracker) 1.0.0 allows remote attackers to bypass authentication and gain privileges by setting the gastracker_admin cookie to TRUE. 29224 asgastracker-admin-security-bypass(42435) 5615 Multiple PHP remote file inclusion vulnerabilities in PHPWAY Kostenloses Linkmanagementscript allow remote attackers to execute arbitrary PHP code via a URL in the (1) main_page_directory and (2) page_to_include parameters in template\index.php. 29234 kostenloses-index-file-include(42446) 5621 The Site Documentation Drupal module 5.x before 5.x-1.8 and 6.x before 6.x-1.1 allows remote authenticated users to gain privileges of other users by leveraging the "access content" permission to list tables and obtain session IDs from the database. http://drupal.org/node/258547 29242 ADV-2008-1541 site-access-content-info-disclosure(42453) Multiple cross-site scripting (XSS) vulnerabilities in the web interface in Aruba Mobility Controller 2.4.8.x-FIPS, 2.5.5.x, 2.5.6.x, 3.1.1.x, 3.2.0.x, and 3.3.1.x allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.arubanetworks.com/support/alerts/aid-051408.asc 20080515 Aruba Mobility Controller TACACS User Authentication and Cross Site Scripting Vulnerabilities (Aruba Advisory ID: AID-051408) 29240 1020033 aruba-webui-xss(42433) Unspecified vulnerability in the TACACS authentication component in Aruba Mobility Controller 3.1.x, 3.2.x, and 3.3.x allows remote authenticated users to gain privileges via unknown vectors. http://www.arubanetworks.com/support/alerts/aid-051408.asc 20080515 Aruba Mobility Controller TACACS User Authentication and Cross Site Scripting Vulnerabilities (Aruba Advisory ID: AID-051408) 29240 1020032 aruba-tacacs-security-bypass(42434) Cross-site scripting (XSS) vulnerability in the sr_feuser_register 1.4.0, 1.6.0, 2.2.1 to 2.2.7, 2.3.0 to 2.3.6, 2.4.0, and 2.5.0 to 2.5.9 extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-20080515-1/ 29239 srfeuserregister-unspecified-xss(42443) Unspecified vulnerability in sr_feuser_register 1.4.0, 1.6.0, 2.2.1 to 2.2.7, 2.3.0 to 2.3.6, 2.4.0, and 2.5.0 to 2.5.9 extension for TYPO3 allows remote attackers to execute arbitrary code and delete arbitrary files via unspecified attack vectors. http://typo3.org/teams/security/security-bulletins/typo3-20080515-1/ 29239 srfeuserregister-unspecified-code-execution(42445) Cross-site request forgery (CSRF) vulnerability in manage_user_create.php in Mantis 1.1.1 allows remote attackers to create new administrative users via a crafted link. 20080520 Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities http://sourceforge.net/project/shownotes.php?group_id=14963&release_id=595025 GLSA-200809-10 29297 ADV-2008-1598 mantis-usercreate-csrf(42447) 5657 FEDORA-2008-6647 FEDORA-2008-6657 SQL injection vulnerability in detail.php in Feedback and Rating Script 1.0 allows remote attackers to execute arbitrary SQL commands via the listingid parameter. 29228 feedbackratingscript-detail-sql-injection(42428) 5614 SQL injection vulnerability in browseproject.php in Freelance Auction Script 1.0 allows remote attackers to execute arbitrary SQL commands via the pid parameter in a pdetails action. 29225 freelance-browseproject-sql-injection(42424) 5613 Freelance Auction Script 1.0 stores user passwords in plaintext in the tbl_users table, which allows attackers to gain privileges by reading the table. freelance-password-info-disclosure(42426) 5613 Cross-site scripting (XSS) vulnerability in admin/index.php in Script PHP PicEngine 1.0 allows remote attackers to inject arbitrary web script or HTML via the l parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29214 http://www.securityfocus.com/bid/29214/exploit picsengine-index-xss(42421) Cross-zone scripting vulnerability in the Print Table of Links feature in Internet Explorer 6.0, 7.0, and 8.0b allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via an HTML document with a link containing JavaScript sequences, which are evaluated by a resource script when a user prints this document. http://aviv.raffon.net/2008/05/14/InternetExplorerQuotPrintTableOfLinksquotCrossZoneScriptingVulnerability.aspx 29217 ADV-2008-1529 ie-printtableoflinks-code-execution(42416) 5619 admin.php in Internet Photoshow and Internet Photoshow Special Edition (SE) allows remote attackers to bypass authentication by setting the login_admin cookie to true. 29227 internetphotoshow-cookie-auth-bypass(42422) 5617 IDAutomation allows remote attackers to overwrite arbitrary files via the argument to the (1) SaveBarCode and (2) SaveEnhWMF methods in (a) the IDAuto.BarCode.1 ActiveX control in IDAutomationLinear6.dll (aka IDAutomation Linear BarCode) 1.6.0.6, (b) the IDAuto.Datamatrix.1 ActiveX control in IDAutomationDMATRIX6.DLL (aka IDautomation Datamatrix Barcode) 1.6.0.6, (c) the IDAuto.PDF417.1 ActiveX control in IDAutomationPDF417_6.dll (aka IDautomation PDF417 Barcode) 1.6.0.6, and (d) the IDAuto.Aztec.1 ActiveX control in IDAutomationAZTEC.dll (aka IDautomation Aztec Barcode) 1.7.1.0. 29204 http://www.shinnai.altervista.org/index.php?mod=02_Forum&group=Security&argument=Remote_performed_exploits&topic=1210750552.ff.php&page=last idautomation-activex-file-overwrite(42406) 5612 PHP remote file inclusion vulnerability in fusebox5.php in Fusebox 5.5.1 allows remote attackers to execute arbitrary PHP code via a URL in the FUSEBOX_APPLICATION_PATH parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29163 fusebox-fusebox5-file-include(42389) The ssh-vulnkey tool on Ubuntu Linux 7.04, 7.10, and 8.04 LTS does not recognize authorized_keys lines that contain options, which makes it easier for remote attackers to exploit CVE-2008-0166 by guessing a key that was not identified by this tool. USN-612-5 sshvulnkey-authorizedkeys-weak-security(42568) SQL injection vulnerability in axengine.exe in Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 allows remote attackers to execute arbitrary SQL commands via unspecified string fields in a notification packet. SSRT080115 45313 29552 20080515 ZDI-08-024: Symantec Altiris Deployment Solution SQL Injection Vulnerability 20080518 Insomnia : ISVA-080516.1 - Altiris Deployment Solution - SQL Injection 29198 1020024 http://www.symantec.com/avcenter/security/Content/2008.05.14a.html ADV-2008-1542 http://www.zerodayinitiative.com/advisories/ZDI-08-024/ symantec-altiris-axengine-sql-injection(42436) Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 does not properly protect the install directory, which might allow local users to gain privileges by replacing an application component with a Trojan horse. SSRT080115 29197 1020024 http://www.symantec.com/avcenter/security/Content/2008.05.14a.html ADV-2008-1542 symantec-altiris-install-code-execution(42442) Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 has insufficient access control for deletion and modification of registry keys, which allows local users to cause a denial of service or obtain sensitive information. SSRT080115 29196 1020024 http://www.symantec.com/avcenter/security/Content/2008.05.14a.html ADV-2008-1542 symantec-altiris-keys-data-manipulation(42441) Unspecified vulnerability in a tooltip element in Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 allows local users to gain privileges via unknown attack vectors. SSRT080115 29218 1020024 http://www.symantec.com/avcenter/security/Content/2008.05.14a.html ADV-2008-1542 symantec-altiris-tooltip-priv-escalation(42440) Unspecified vulnerability in the Agent user interface in Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 allows local users to gain privileges via unknown attack vectors. SSRT080115 29194 1020024 http://www.symantec.com/avcenter/security/Content/2008.05.14a.html ADV-2008-1542 symantec-altiris-interface-priv-escalation(42438) axengine.exe in Symantec Altiris Deployment Solution 6.8.x and 6.9.x before 6.9.176 generates credentials with a fixed salt or without any salt, which makes it easier for remote attackers to guess encrypted domain credentials. SSRT080115 http://www.insomniasec.com/advisories/ISVA-080516.2.htm 20080515 ZDI-08-025: Symantec Altiris Deployment Solution Domain Credential Disclosure Vulnerability 20080518 Insomnia : ISVA-080516.2 - Altiris Deployment Solution - Domain Account Disclosure 29199 1020024 http://www.symantec.com/avcenter/security/Content/2008.05.14a.html ADV-2008-1542 http://www.zerodayinitiative.com/advisories/ZDI-08-025/ symantec-altiris-axengine-info-disclosure(42437) Buffer overflow in the __snprint_value function in snmp_get in Net-SNMP 5.1.4, 5.2.4, and 5.4.1, as used in SNMP.xs for Perl, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large OCTETSTRING in an attribute value pair (AVP). SUSE-SA:2008:039 GLSA-200808-02 http://sourceforge.net/tracker/index.php?func=detail&aid=1826174&group_id=12694&atid=112694 239785 http://support.avaya.com/elmodocs2/security/ASA-2008-282.htm DSA-1663 MDVSA-2008:118 RHSA-2008:0529 29212 1020527 USN-685-1 http://www.vmware.com/security/advisories/VMSA-2008-0013.html ADV-2008-1528 ADV-2008-2141 ADV-2008-2361 netsnmp-snprintvalue-bo(42430) oval:org.mitre.oval:def:11261 FEDORA-2008-5215 FEDORA-2008-5224 FEDORA-2008-5218 admin.php in Multi-Page Comment System (MPCS) 1.0 and 1.1 allows remote attackers to bypass authentication and gain privileges by setting the CommentSystemAdmin cookie to 1. 29244 mpcs-cookie-auth-bypass(42463) 5630 Pet Grooming Management System 2.0 allows remote attackers to gain privileges via a direct request to useradded.php with a modified user name for "admin." 29252 pgms-useradded-security-bypass(42466) 5627 Cross-site scripting (XSS) vulnerability in rg_search.php in Rgboard 3.0.12, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the s_text parameter and other unspecified vectors. 29230 rgboard-rgsearch-xss(42432) 5620 PHP remote file inclusion vulnerability in include/bbs.lib.inc.php in Rgboard 3.0.12 allows remote attackers to execute arbitrary PHP code via a URL in the site_path parameter. 29230 rgboard-sitepath-file-include(42431) 5620 The admin.php file in Rantx allows remote attackers to bypass authentication and gain privileges by setting the logininfo cookie to "<?php" or "?>", which is present in the password file and probably passes an insufficient comparison. 29243 rantx-admin-auth-bypass(42464) 5628 Admin.php in Web Slider 0.6 allows remote attackers to bypass authentication and gain privileges by setting the admin cookie to 1. 29246 webslider-admin-security-bypass(42468) 5629 Unspecified vulnerability in SecureICA and ICA Basic encryption of Citrix Presentation Server 4.5 and earlier, Access Essentials 2.0 and earlier, and Desktop Server 1.0 can cause clients to use weaker encryption settings than configured by the administrator, which might allow attackers to bypass intended restrictions. http://support.citrix.com/article/CTX114893 29233 1020026 ADV-2008-1531 citrix-presentationserver-ica-weak-security(42444) Unspecified vulnerability in Citrix Presentation Server 4.5 and earlier, Citrix Access Essentials 2.0 and earlier, and Citrix Desktop Server 1.0 allows remote authenticated users to access unauthorized desktops via unknown attack vectors. http://support.citrix.com/article/CTX116941 29232 1020027 ADV-2008-1530 citrix-presentationserver-unauth-access(42439) SQL injection vulnerability in Kostenloses Linkmanagementscript allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.php and (2) top_view.php. 3893 20080515 Kostenloses Linkmanagementscript SQL Injection Vulnerabilities 29236 kostenloses-view-sql-injection(42455) 5623 Cross-site scripting (XSS) vulnerability in the login form in the administration application in Django 0.91 before 0.91.2, 0.95 before 0.95.3, and 0.96 before 0.96.2 allows remote attackers to inject arbitrary web script or HTML via the URI of a certain previous request. 1020028 http://www.djangoproject.com/weblog/2008/may/14/security/ 29209 ADV-2008-1618 django-loginform-xss(42396) Integer signedness error in Safari on Apple iPhone before 2.0 and iPod touch before 2.0 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving JavaScript array indices that trigger an out-of-bounds access, a different vulnerability than CVE-2008-2307. APPLE-SA-2008-11-13 APPLE-SA-2008-07-11 http://support.apple.com/kb/HT3298 30186 ADV-2008-2094 ipod-iphone-javascript-code-execution(43736) Buffer overflow in Apple Core Image Fun House 2.0 and earlier in CoreImage Examples in Xcode tools before 3.1 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a .funhouse file with a string XML element that contains many characters. APPLE-SA-2008-07-11 3988 http://support.apple.com/kb/HT2352 20080711 [NETRAGARD SECURITY ADVISORY][Apple Core Image Fun House <= 2.0 OS X -- Arbitrary Code Execution][NETRAGARD-20080711] 30189 1020472 ADV-2008-2093 apple-xcode-funhouse-bo(43733) 6043 Heap-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.4.11 and 10.5 through 10.5.4 allows remote attackers to execute arbitrary code via a document containing a crafted font, related to "PostScript font names." APPLE-SA-2008-09-15 1020873 31189 TA08-260A ADV-2008-2584 macos-ats-bo(45162) Apple Safari before 3.1.2 on Windows does not properly interpret the URLACTION_SHELL_EXECUTE_HIGHRISK Internet Explorer zone setting, which allows remote attackers to bypass intended access restrictions, and force a client system to download and execute arbitrary files. APPLE-SA-2008-06-19 VU#127185 29835 1020329 ADV-2008-1882 Unspecified vulnerability in WebKit in Apple Safari before 3.1.2, as distributed in Mac OS X before 10.5.4, and standalone for Windows and Mac OS X 10.4, allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors involving JavaScript arrays that trigger memory corruption. APPLE-SA-2008-07-11 APPLE-SA-2008-06-19 APPLE-SA-2008-06-30 http://support.apple.com/kb/HT2092 http://support.apple.com/kb/HT2163 http://support.apple.com/kb/HT2165 VU#361043 29836 1020330 ADV-2008-1882 ADV-2008-1980 ADV-2008-1981 ADV-2008-2094 FEDORA-2008-6186 FEDORA-2008-6220 Unspecified vulnerability in Alias Manager in Apple Mac OS X 10.5.1 and earlier on Intel platforms allows local users to gain privileges or cause a denial of service (memory corruption and application crash) by resolving an alias that contains crafted AFP volume mount information. APPLE-SA-2008-06-30 1020390 http://support.apple.com/kb/HT2163 30018 ADV-2008-1981 macos-aliasmanager-code-execution(43474) Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X before 10.5.4 allows user-assisted remote attackers to execute arbitrary code via a (1) .xht or (2) .xhtm file, which does not trigger a "potentially unsafe" warning message in (a) the Download Validation feature in Mac OS X 10.4 or (b) the Quarantine feature in Mac OS X 10.5. APPLE-SA-2008-06-30 1020391 http://support.apple.com/kb/HT2163 30018 ADV-2008-1981 macos-coretypes-code-execution(43493) Format string vulnerability in c++filt in Apple Mac OS X 10.5 before 10.5.4 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string in (1) C++ or (2) Java source code. APPLE-SA-2008-06-30 1020392 http://support.apple.com/kb/HT2163 30018 ADV-2008-1981 macos-c++filt-format-string(43494) Launch Services in Apple Mac OS X before 10.5, when Open Safe Files is enabled, allows remote attackers to execute arbitrary code via a symlink attack, probably related to a race condition and automatic execution of a downloaded file. APPLE-SA-2008-06-30 1020393 http://support.apple.com/kb/HT2163 30018 ADV-2008-1981 macos-launchservices-code-execution(43495) Network Preferences in Apple Mac OS X 10.4.11 stores PPP passwords in cleartext in a world-readable file, which allows local users to obtain sensitive information by reading this file. APPLE-SA-2008-09-15 1020881 31189 TA08-260A ADV-2008-2584 macos-ppppassword-information-disclosure(45173) Apple Mac OS X before 10.5 uses weak permissions for the User Template directory, which allows local users to gain privileges by inserting a Trojan horse file into this directory. APPLE-SA-2008-06-30 1020394 http://support.apple.com/kb/HT2163 30018 ADV-2008-1981 macos-usertemplate-code-execution(43496) Dock in Apple Mac OS X 10.5 before 10.5.4, when Expos? hot corners is enabled, allows physically proximate attackers to gain access to a locked session in (1) sleep mode or (2) screen saver mode via unspecified vectors. APPLE-SA-2008-06-30 1020395 http://support.apple.com/kb/HT2163 30018 ADV-2008-1981 macos-dock-security-bypass(43497) Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031. http://bugs.gentoo.org/attachment.cgi?id=159418&action=view http://bugs.gentoo.org/show_bug.cgi?id=230640 APPLE-SA-2009-02-12 SUSE-SR:2008:017 GLSA-200807-16 SSA:2008-217-01 http://support.apple.com/kb/HT3438 http://support.avaya.com/css/P8/documents/100074697 DSA-1667 MDVSA-2008:163 MDVSA-2008:164 http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5032900 [oss-security] 20081105 CVE Request - Python string expandtabs [oss-security] 20081105 Re: CVE Request - Python string expandtabs 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 30491 USN-632-1 http://www.vmware.com/security/advisories/VMSA-2009-0016.html ADV-2008-2288 ADV-2009-3316 python-modules-bo(44172) python-multiple-bo(44173) oval:org.mitre.oval:def:8445 oval:org.mitre.oval:def:8683 oval:org.mitre.oval:def:9761 Integer overflow in _hashopenssl.c in the hashlib module in Python 2.5.2 and earlier might allow context-dependent attackers to defeat cryptographic digests, related to "partial hashlib hashing of data exceeding 4GB." http://bugs.gentoo.org/attachment.cgi?id=159422&action=view http://bugs.gentoo.org/show_bug.cgi?id=230640 APPLE-SA-2009-02-12 SUSE-SR:2008:017 GLSA-200807-16 SSA:2008-217-01 http://support.apple.com/kb/HT3438 http://wiki.rpath.com/Advisories:rPSA-2008-0243 MDVSA-2008:163 http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5032900 20080813 rPSA-2008-0243-1 idle python 30491 USN-632-1 ADV-2008-2288 python-multiple-bo(44173) python-hashlib-overflow(44174) WebCore in Apple Safari does not properly perform garbage collection of JavaScript document elements, which allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption and application crash) via a reference to the ownerNode property of a copied CSSStyleSheet object of a STYLE element, as originally demonstrated on Apple iPhone before 2.0 and iPod touch before 2.0, a different vulnerability than CVE-2008-1590. APPLE-SA-2008-11-13 APPLE-SA-2008-07-11 http://support.apple.com/kb/HT3298 20080725 ZDI-08-045: Apple Safari StyleSheet ownerNode Heap Corruption Vulnerability 30186 ADV-2008-2094 http://www.zerodayinitiative.com/advisories/ZDI-08-045/ ipod-iphone-stylesheets-code-execution(43737) The WOHyperlink implementation in WebObjects in Apple Xcode tools before 3.1 appends local session IDs to generated non-local URLs, which allows remote attackers to obtain potentially sensitive information by reading the requests for these URLs. APPLE-SA-2008-07-11 http://support.apple.com/kb/HT2352 30191 1020473 ADV-2008-2093 apple-xcode-webobjects-info-disclosure(43735) Stack-based buffer overflow in CarbonCore in Apple Mac OS X 10.4.11 and 10.5.4, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long filename to the file management API. APPLE-SA-2008-07-31 APPLE-SA-2009-06-08-1 APPLE-SA-2009-06-17-1 http://support.apple.com/kb/HT3613 http://support.apple.com/kb/HT3639 20080801 n.runs-SA-2008.005 - Apple Inc. - CoreServices Framework&acirc;??s CarbonCore Framework - Arbitrary Code Execution (remote) 30483 30487 1020602 ADV-2008-2268 ADV-2009-1522 ADV-2009-1621 macosx-carboncore-bo(44126) Unspecified vulnerability in CoreGraphics in Apple Mac OS X 10.4.11 and 10.5.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unknown vectors involving "processing of arguments." APPLE-SA-2008-07-31 APPLE-SA-2008-11-20 APPLE-SA-2009-06-08-1 http://support.apple.com/kb/HT3318 http://support.apple.com/kb/HT3613 30483 30488 1020603 ADV-2008-2268 ADV-2008-3232 ADV-2009-1522 macosx-coregraphics-code-execution(44127) Integer overflow in CoreGraphics in Apple Mac OS X 10.4.11, 10.5.2, and 10.5.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF file with a long Type 1 font, which triggers a heap-based buffer overflow. 20080731 Apple Mac OS X CoreGraphics PDF Type1 Font Integer Overflow Vulnerability APPLE-SA-2008-07-31 30483 30489 1020604 ADV-2008-2268 macosx-coregraphics-pdf-bo(44128) Unspecified vulnerability in Data Detectors Engine in Apple Mac OS X 10.5.4 allows attackers to cause a denial of service (resource consumption) via crafted textual content in messages. APPLE-SA-2008-07-31 30483 30490 1020606 ADV-2008-2268 macosx-datadetectorengine-dos(44130) The Repair Permissions tool in Disk Utility in Apple Mac OS X 10.4.11 adds the setuid bit to the emacs executable file, which allows local users to gain privileges by executing commands within emacs. APPLE-SA-2008-07-31 30483 30492 1020605 ADV-2008-2268 macosx-diskutility-privilege-escalation(44132) QuickLook in Apple Mac OS X 10.4.11 and 10.5.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office file, related to insufficient "bounds checking." APPLE-SA-2008-07-31 30483 30493 1020607 ADV-2008-2268 macosx-quicklook-code-execution(44135) mDNSResponder in the Bonjour Namespace Provider in Apple Bonjour for Windows before 1.0.5 allows attackers to cause a denial of service (NULL pointer dereference and application crash) by resolving a crafted .local domain name that contains a long label. APPLE-SA-2009-09-09 http://support.apple.com/kb/HT2990 31091 1020845 ADV-2008-2524 apple-bonjour-mdnsresponder-dos(45005) Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code. http://bugs.gentoo.org/show_bug.cgi?id=234080 APPLE-SA-2008-11-13 APPLE-SA-2008-09-15 APPLE-SA-2008-11-20 SUSE-SR:2008:018 GLSA-200809-07 http://security-tracker.debian.net/tracker/CVE-2008-2327 http://security-tracker.debian.net/tracker/DSA-1632-1 http://security-tracker.debian.net/tracker/DTSA-160-1 265030 http://support.apple.com/kb/HT3276 http://support.apple.com/kb/HT3298 http://support.apple.com/kb/HT3318 DSA-1632 MDVSA-2008:184 RHSA-2008:0847 RHSA-2008:0848 RHSA-2008:0863 20080905 rPSA-2008-0268-1 libtiff 20081031 VMSA-2008-0017 Updated ESX packages for libxml2, ucd-snmp, libtiff 30832 1020750 USN-639-1 TA08-260A http://www.vmware.com/security/advisories/VMSA-2008-0017.html ADV-2008-2438 ADV-2008-2584 ADV-2008-2776 ADV-2008-2971 ADV-2008-3107 ADV-2008-3232 ADV-2009-2143 https://bugzilla.redhat.com/show_bug.cgi?id=458674 oval:org.mitre.oval:def:11489 oval:org.mitre.oval:def:5514 FEDORA-2008-7370 FEDORA-2008-7388 Directory Services in Apple Mac OS X 10.5 through 10.5.4, when Active Directory is used, allows attackers to enumerate user names via wildcard characters in the Login Window. APPLE-SA-2008-09-15 1020874 31189 TA08-260A ADV-2008-2584 macos-directoryservices-info-disclosure(45163) slapconfig in Directory Services in Apple Mac OS X 10.5 through 10.5.4 allows local users to select a readable output file into which the server password will be written by an OpenLDAP system administrator, related to the mkfifo function, aka an "insecure file operation issue." APPLE-SA-2008-09-15 1020874 31189 TA08-260A ADV-2008-2584 macos-slapconfig-information-disclosure(45164) Finder in Apple Mac OS X 10.5 through 10.5.4 does not properly update permission data in the Get Info window after a lock operation that modifies Sharing & Permissions in a filesystem, which might allow local users to leverage weak permissions that were not intended by an administrator. APPLE-SA-2008-09-15 1020875 31189 TA08-260A ADV-2008-2584 macos-finder-weak-security(45165) ImageIO in Apple Mac OS X 10.4.11 and 10.5 through 10.5.4 allows context-dependent attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a crafted TIFF image. APPLE-SA-2008-11-13 APPLE-SA-2008-09-15 http://support.apple.com/kb/HT3276 http://support.apple.com/kb/HT3298 31189 1020876 TA08-260A ADV-2008-2584 ADV-2008-3107 macos-tiff-code-execution(45167) Cross-site scripting (XSS) vulnerability in ldap_test.cgi in Barracuda Spam Firewall (BSF) before 3.5.11.025 allows remote attackers to inject arbitrary web script or HTML via the email parameter. http://www.barracudanetworks.com/ns/support/tech_alert.php http://www.irmplc.com/index.php/168-Advisory-027 20080522 IRM Security Advisory : Barracuda Networks Spam Firewall Cross-Site Scripting Vulnerability 29340 1020108 ADV-2008-1627 barracuda-email-xss(42594) Multiple SQL injection vulnerabilities in W1L3D4 Philboard 0.5 allow remote attackers to execute arbitrary SQL commands via the (1) forumid parameter to (a) admin/philboard_admin-forumedit.asp, (b) admin/philboard_admin-forum.asp, and (c) W1L3D4_foruma_yeni_konu_ac.asp; the (2) id parameter to (d) W1L3D4_konuoku.asp and (e) W1L3D4_konuya_mesaj_yaz.asp; and the (3) topic parameter to W1L3D4_konuya_mesaj_yaz.asp, different vectors than CVE-2008-1939, CVE-2007-2641, and CVE-2007-0920. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29229 http://www.securityfocus.com/bid/29229/exploit philboard-multiple-sql-injection(42452) Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is also affected. http://holisticinfosec.org/content/view/65/45/ http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html 20150310 Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security Vulnerabilities http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/ 27519 29238 ADV-2008-2552 phpvid-query-xss(42450) 6422 SQL injection vulnerability in category.php in 68 Classifieds 4.0.1 allows remote attackers to execute arbitrary SQL commands via the cat parameter. 29249 68classifieds-category-sql-injection(42465) 5626 Multiple SQL injection vulnerabilities in IMGallery 2.5, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) kategoria parameter to (a) galeria.php and the (2) id_phot parameter to (b) popup/koment.php and (c) popup/opis.php in, different vectors than CVE-2006-3163. 29250 imgallery-multiple-sql-injection(42474) 5631 Interspire ActiveKB 1.5 and earlier allows remote attackers to gain privileges by setting the auth cookie to true when accessing unspecified scripts in /admin. 29226 1020035 activekb-admin-security-bypass(42427) 5616 SQL injection vulnerability in index.php in Turnkey Web Tools SunShop Shopping Cart 3.5.1 allows remote attackers to execute arbitrary SQL commands via the id parameter in an item action, a different vector than CVE-2008-2038, CVE-2007-4597, and CVE-2007-2549. 3894 20080515 SunShop Version 3.5.1 Remote Blind Sql Injection 29241 sunshop-id-sql-injection(42467) Multiple SQL injection vulnerabilities in News Manager 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) lang parameter to (a) advsearch.php, (b) archive.php, and (c) index.php, and the (2) pid parameter to (d) list_tagitems.php. 29251 newsmanager-multiple-sql-injection(42461) 5624 PHP remote file inclusion vulnerability in ch_readalso.php in News Manager 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the read_xml_include parameter. 29251 newsmanager-chreadalso-file-include(42459) 5624 Directory traversal vulnerability in attachments.php in News Manager 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter. 29251 newsmanager-attachments-directory-traversal(42460) 5624 News Manager 2.0 allows remote attackers to bypass restrictions and obtain sensitive information via a direct request to (1) db/connect_str.php and (2) login/info.php. 29251 newsmanager-multiple-info-disclosure(42462) 5624 Cross-site scripting (XSS) vulnerability in the air_filemanager 0.6.0 and earlier extension for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-20080515-2/ airfilemanager-unspecified-xss(42448) Unspecified vulnerability in the air_filemanager 0.6.0 and earlier extension for TYPO3 allows remote attackers to execute arbitrary PHP code via unspecified vectors related to "insufficient file filtering." http://typo3.org/teams/security/security-bulletins/typo3-20080515-2/ airfilemanager-unspecified-code-execution(42449) AlkalinePHP 0.77.35 and earlier allows remote attackers to bypass authentication and gain administrative access by creating an admin account via a direct request to adduser.php. 29267 alkalinephp-adduser-security-bypass(42502) 5645 MyPicGallery 1.0 allows remote attackers to bypass application authentication and gain administrative access by setting the userID parameter to "admin" in a direct request to admin/addUser.php. 29272 mypicgallery-adduser-security-bypass(42507) 5650 MeltingIce File System 1.0 allows remote attackers to bypass application authentication, create new user accounts, and exceed application quotas via a direct request to admin/adduser.php. 29271 meltingice-adduser-security-bypass(42503) 5648 Zomplog 3.8.2 and earlier allows remote attackers to gain administrative access by creating an admin account via a direct request to install/newuser.php with the admin parameter set to 1. 29258 zomplog-newuser-security-bypass(42476) 5634 Directory traversal vulnerability in highlight.php in bcoos 1.0.9 through 1.0.13 allows remote attackers to read arbitrary files via (1) .. (dot dot) or (2) C: folder sequences in the file parameter. http://lostmon.blogspot.com/2008/05/bcoos-highlightphp-traversal-file.html 29275 bcoos-highlight-directory-traversal(42506) Multiple SQL injection vulnerabilities in index.php in CMS WebManager-Pro allow remote attackers to execute arbitrary SQL commands via the (1) lang_id and (2) menu_id parameters. 29266 ADV-2008-1562 cmswebmanagerpro-index-sql-injection(42508) 5641 Directory traversal vulnerability in index.php in Smeego 1.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang cookie. 20080517 Smeego CMS vulnerability 29264 ADV-2008-1563 smeego-index-file-include(42498) 5640 Directory traversal vulnerability in admin.php in GNU/Gallery 1.1.1.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the show parameter. 29270 ADV-2008-1560 gnugallery-admin-file-include(42501) 5647 Unspecified vulnerability in the data export function in testMaker before 3.0p10 allows test authors to obtain access to export data via unknown vectors. http://sourceforge.net/project/shownotes.php?group_id=194778&release_id=599729 29273 testmaker-dataexport-information-disclosure(42499) Directory traversal vulnerability in index.php in WR-Meeting 1.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the msnum parameter in a coment event. 29262 ADV-2008-1566 wrmeeting-index-file-include(42497) 5637 SQL injection vulnerability in index.php in Archangel Weblog 0.90.02 and earlier allows remote attackers to execute arbitrary SQL commands via the post_id parameter. 29257 archangel-index-sql-injection(42475) 5635 Stack-based buffer overflow in the split_redraw function in split.c in mtr before 0.73, when invoked with the -p (aka --split) option, allows remote attackers to execute arbitrary code via a crafted DNS PTR record. NOTE: it could be argued that this is a vulnerability in the ns_name_ntop function in resolv/ns_name.c in glibc and the proper fix should be in glibc; if so, then this should not be treated as a vulnerability in mtr. ftp://ftp.bitwizard.nl/mtr/mtr-0.73.diff SUSE-SR:2008:014 20080519 Mtr - remote and local stack overflow - uncomment situation in libresolv. GLSA-200806-01 3903 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0175 DSA-1587 MDVSA-2008:176 [oss-security] 20080521 Re: CVE request: mtr [oss-security] 20080521 Re: CVE request: mtr [oss-security] 20080521 Re: CVE request: mtr 20080519 Mtr - remote and local stack overflow - uncomment situation in libresolv. 29290 1020046 mtr-splitredraw-bo(42535) https://issues.rpath.com/browse/RPL-2558 Integer overflow in the dccp_feat_change function in net/dccp/feat.c in the Datagram Congestion Control Protocol (DCCP) subsystem in the Linux kernel 2.6.18, and 2.6.17 through 2.6.20, allows local users to gain privileges via an invalid feature length, which leads to a heap-based buffer overflow. Patch information can be found at the following location: http://lists.debian.org/debian-security-announce/2008/msg00172.html SUSE-SA:2008:030 DSA-1592 MDVSA-2008:112 MDVSA-2008:167 RHSA-2008:0519 29603 1020211 USN-625-1 https://bugzilla.redhat.com/show_bug.cgi?id=447389 linux-kernel-dccpfeatchange-bo(43034) oval:org.mitre.oval:def:9644 FEDORA-2008-5893 The default configuration of consolehelper in system-config-network before 1.5.10-1 on Fedora 8 lacks the USER=root directive, which allows local users of the workstation console to gain privileges and change the network configuration. https://bugzilla.redhat.com/show_bug.cgi?id=448557 fedora-consolehelper-privilege-escalation(42867) FEDORA-2008-4633 Integer overflow in the AllocateGlyph function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to execute arbitrary code via unspecified request fields that are used to calculate a heap buffer size, which triggers a heap-based buffer overflow. ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2360.diff 20080611 Multiple Vendor X Server Render Extension AllocateGlyph() Integer Overflow Vulnerability APPLE-SA-2009-02-12 [xorg] 20080611 X.Org security advisory june 2008 - Multiple vulnerabilities in X server extensions SUSE-SA:2008:027 SUSE-SR:2008:019 RHSA-2008:0502 RHSA-2008:0504 RHSA-2008:0512 GLSA-200806-07 1020243 238686 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-249.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0201 DSA-1595 GLSA-200807-07 MDVSA-2008:115 MDVSA-2008:116 MDVSA-2008:179 RHSA-2008:0503 20080620 rPSA-2008-0200-1 xorg-server 20080621 rPSA-2008-0201-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs USN-616-1 ADV-2008-1803 ADV-2008-1833 ADV-2008-1983 https://issues.rpath.com/browse/RPL-2607 https://issues.rpath.com/browse/RPL-2619 oval:org.mitre.oval:def:9329 Integer overflow in the ProcRenderCreateCursor function in the Render extension in the X server 1.4 in X.Org X11R7.3 allows context-dependent attackers to cause a denial of service (daemon crash) via unspecified request fields that are used to calculate a glyph buffer size, which triggers a dereference of unmapped memory. ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2361.diff 20080611 Multiple Vendor X Server Render Extension ProcRenderCreateCursor() Integer Overflow Vulnerability APPLE-SA-2009-02-12 [xorg] 20080611 X.Org security advisory june 2008 - Multiple vulnerabilities in X server extensions SUSE-SA:2008:027 SUSE-SR:2008:019 RHSA-2008:0502 RHSA-2008:0504 GLSA-200806-07 1020244 238686 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-249.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0201 DSA-1595 GLSA-200807-07 MDVSA-2008:115 MDVSA-2008:116 MDVSA-2008:179 RHSA-2008:0503 20080620 rPSA-2008-0200-1 xorg-server 20080621 rPSA-2008-0201-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs 29665 USN-616-1 ADV-2008-1803 ADV-2008-1833 ADV-2008-1983 https://issues.rpath.com/browse/RPL-2607 https://issues.rpath.com/browse/RPL-2619 oval:org.mitre.oval:def:8978 Multiple integer overflows in the Render extension in the X server 1.4 in X.Org X11R7.3 allow context-dependent attackers to execute arbitrary code via a (1) SProcRenderCreateLinearGradient, (2) SProcRenderCreateRadialGradient, or (3) SProcRenderCreateConicalGradient request with an invalid field specifying the number of bytes to swap in the request data, which triggers heap memory corruption. ftp://ftp.freedesktop.org/pub/xorg/X11R7.3/patches/xorg-xserver-1.4-cve-2008-2362.diff 20080611 Multiple Vendor X Server Render Extension Gradient Creation Integer Overflow Vulnerability APPLE-SA-2009-02-12 [xorg] 20080611 X.Org security advisory june 2008 - Multiple vulnerabilities in X server extensions SUSE-SA:2008:027 SUSE-SR:2008:019 RHSA-2008:0504 GLSA-200806-07 1020245 238686 http://support.apple.com/kb/HT3438 http://support.avaya.com/elmodocs2/security/ASA-2008-249.htm http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0201 DSA-1595 GLSA-200807-07 MDVSA-2008:116 MDVSA-2008:179 20080620 rPSA-2008-0200-1 xorg-server 20080621 rPSA-2008-0201-1 xorg-x11 xorg-x11-fonts xorg-x11-tools xorg-x11-xfs 29670 USN-616-1 ADV-2008-1803 ADV-2008-1833 ADV-2008-1983 https://issues.rpath.com/browse/RPL-2607 https://issues.rpath.com/browse/RPL-2619 oval:org.mitre.oval:def:11246 The PartsBatch class in Pan 0.132 and earlier does not properly manage the data structures for Parts batches, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted .nzb file that triggers a heap-based buffer overflow. http://bugs.gentoo.org/show_bug.cgi?id=224051 http://bugzilla.gnome.org/show_bug.cgi?id=535413 [oss-security] 20080529 CVE-2008-2363: pan - heap overflow GLSA-200807-15 MDVSA-2008:201 SUSE-SR:2008:013 29421 https://bugzilla.redhat.com/show_bug.cgi?id=446902 pan-nzb-bo(42750) The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. HPSBUX02365 APPLE-SA-2008-10-09 SUSE-SR:2009:006 SUSE-SR:2009:007 HPSBUX02401 HPSBUX02465 RHSA-2008:0967 GLSA-200807-06 247666 http://support.apple.com/kb/HT3216 http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_http.c?r1=666154&r2=666153&pathrev=666154 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0328 MDVSA-2008:195 MDVSA-2008:237 http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html RHSA-2008:0966 20080729 rPSA-2008-0236-1 httpd mod_ssl 20081122 rPSA-2008-0328-1 httpd mod_ssl 29653 31681 1020267 USN-731-1 ADV-2008-1798 ADV-2008-2780 ADV-2009-0320 http://www-01.ibm.com/support/docview.wss?uid=swg27008517 PK67579 apache-modproxy-module-dos(42987) [httpd-cvs] 20190815 svn commit: r1048742 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [2/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html oval:org.mitre.oval:def:11713 oval:org.mitre.oval:def:6084 oval:org.mitre.oval:def:9577 FEDORA-2008-6393 FEDORA-2008-6314 Race condition in the ptrace and utrace support in the Linux kernel 2.6.9 through 2.6.25, as used in Red Hat Enterprise Linux (RHEL) 4, allows local users to cause a denial of service (oops) via a long series of PTRACE_ATTACH ptrace calls to another user's process that trigger a conflict between utrace_detach and report_quiescent, related to "late ptrace_may_attach() check" and "race around &dead_engine_ops setting," a different vulnerability than CVE-2007-0771 and CVE-2008-1514. NOTE: this issue might only affect kernel versions before 2.6.16.x. http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=5ecfbae093f0c37311e89b29bfc0c9d586eace87 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f358166a9405e4f1d8e50d8f415c26d95505b6de http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commit;h=f5b40e363ad6041a96e3da32281d8faa191597b9 [linux-kernel] 20070508 Re: [PATCH -utrace] Move utrace into task_struct RHSA-2008:0508 3965 http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/late-ptrace-may-attach-check.c?cvsroot=systemtap [oss-security] 20080626 CVE-2008-2365 kernel: ptrace: Crash on PTRACE_{ATTACH,DETACH} race -- affecting kernel versions <= 2.6.25 [oss-security] 20080714 Re: CVE-2008-2365 kernel: ptrace: Crash on PTRACE_{ATTACH,DETACH} race -- affecting kernel versions <= 2.6.25 29945 1020362 USN-625-1 https://bugzilla.redhat.com/show_bug.cgi?id=449359 linux-kernel-ptraceattach-dos(43567) oval:org.mitre.oval:def:10749 Untrusted search path vulnerability in a certain Red Hat build script for OpenOffice.org (OOo) 1.1.x on Red Hat Enterprise Linux (RHEL) 3 and 4 allows local users to gain privileges via a malicious library in the current working directory, related to incorrect quoting of the ORIGIN symbol for use in the RPATH library path. 1020278 RHSA-2008:0538 29695 https://bugzilla.redhat.com/show_bug.cgi?id=450532 redhat-ooo-buildscript-code-execution(43322) oval:org.mitre.oval:def:11361 Red Hat Certificate System 7.2 uses world-readable permissions for password.conf and unspecified other configuration files, which allows local users to discover passwords by reading these files. 1021608 33288 ADV-2009-0145 https://bugzilla.redhat.com/show_bug.cgi?id=451998 redhat-cs-configfile-info-disclosure(48021) RHSA-2009:0006 RHSA-2009:0007 Red Hat Certificate System 7.2 stores passwords in cleartext in the UserDirEnrollment log, the RA wizard installer log, and unspecified other debug log files, and uses weak permissions for these files, which allows local users to discover passwords by reading the files. 1021608 33288 ADV-2009-0145 https://bugzilla.redhat.com/show_bug.cgi?id=452000 redhat-cs-debuglog-info-disclosure(48022) RHSA-2009:0006 RHSA-2009:0007 manzier.pxt in Red Hat Network Satellite Server before 5.1.1 has a hard-coded authentication key, which allows remote attackers to connect to the server and obtain sensitive information about user accounts and entitlements. RHSA-2008:0630 1020694 30679 rhnss-manzier-information-disclosure(44452) Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. APPLE-SA-2008-10-09 SUSE-SR:2008:018 SUSE-SR:2009:004 HPSBUX02401 HPSBST02955 4099 http://support.apple.com/kb/HT3216 http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html MDVSA-2008:188 RHSA-2008:0648 RHSA-2008:0862 RHSA-2008:0864 20080801 [CVE-2008-2370] Apache Tomcat information disclosure vulnerability 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components 30494 31681 1020623 http://www.vmware.com/security/advisories/VMSA-2009-0002.html http://www.vmware.com/security/advisories/VMSA-2009-0016.html ADV-2008-2305 ADV-2008-2780 ADV-2008-2823 ADV-2009-0320 ADV-2009-0503 ADV-2009-1535 ADV-2009-2215 ADV-2009-3316 tomcat-requestdispatcher-info-disclosure(44156) [tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ [tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ [tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ oval:org.mitre.oval:def:10577 oval:org.mitre.oval:def:5876 FEDORA-2008-7977 FEDORA-2008-8113 FEDORA-2008-8130 Heap-based buffer overflow in pcre_compile.c in the Perl-Compatible Regular Expression (PCRE) library 7.7 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a regular expression that begins with an option and contains multiple branches. http://bugs.gentoo.org/show_bug.cgi?id=228091 http://ftp.gnome.org/pub/GNOME/sources/glib/2.16/glib-2.16.4.changes APPLE-SA-2008-10-09 APPLE-SA-2009-05-12 SUSE-SR:2008:014 SSRT090085 HPSBUX02465 GLSA-200811-05 http://support.apple.com/kb/HT3216 http://support.apple.com/kb/HT3549 USN-624-2 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0305 DSA-1602 GLSA-200807-03 MDVSA-2008:147 MDVSA-2009:023 20081027 rPSA-2008-0305-1 pcre 30087 31681 USN-624-1 USN-628-1 TA09-133A ADV-2008-2005 ADV-2008-2006 ADV-2008-2336 ADV-2008-2780 ADV-2009-1297 ADV-2010-0833 FEDORA-2008-6025 FEDORA-2008-6048 The Linux kernel 2.6.24 and 2.6.25 before 2.6.25.9 allows local users to cause a denial of service (memory consumption) via a large number of calls to the get_user_pages function, which lacks a ZERO_PAGE optimization and results in allocation of "useless newly zeroed pages." http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=89f5b7da2a6bad2e84670422ab8192382a5aeb9f http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.9 SUSE-SA:2008:035 SUSE-SA:2008:037 SUSE-SA:2008:038 http://new-ubuntu-news.blogspot.com/2008/06/re-pending-stable-kernel-security_25.html http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0207 RHSA-2008:0585 RHSA-2008:0957 USN-659-1 [linux-kernel] 20080430 Re: Page Faults slower in 2.6.25-rc9 than 2.6.23 linux-kernel-getuserpages-dos(43550) https://issues.rpath.com/browse/RPL-2629 oval:org.mitre.oval:def:9383 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-2863. Reason: This candidate is a reservation duplicate of CVE-2008-2863. Notes: All CVE users should reference CVE-2008-2863 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. src/sdp.c in bluez-libs 3.30 in BlueZ, and other bluez-libs before 3.34 and bluez-utils before 3.34 versions, does not validate string length fields in SDP packets, which allows remote SDP servers to cause a denial of service or possibly have unspecified other impact via a crafted length field that triggers excessive memory allocation or a buffer over-read. SUSE-SR:2008:019 GLSA-200903-29 [bluez-devel] 20080616 SDP payload processing vulnerability http://www.bluez.org/bluez-334/ MDVSA-2008:145 RHSA-2008:0581 30105 1020479 ADV-2008-2096 oval:org.mitre.oval:def:9973 FEDORA-2008-6140 FEDORA-2008-6133 Memory leak in a certain Red Hat deployment of vsftpd before 2.0.5 on Red Hat Enterprise Linux (RHEL) 3 and 4, when PAM is used, allows remote attackers to cause a denial of service (memory consumption) via a large number of invalid authentication attempts within the same session, a different vulnerability than CVE-2007-5962. http://support.avaya.com/elmodocs2/security/ASA-2008-398.htm http://wiki.rpath.com/Advisories:rPSA-2008-0217 [oss-security] 20080630 CVE-2008-2375 older vsftpd authentication memory leak RHSA-2008:0579 RHSA-2008:0680 20080708 rPSA-2008-0217-1 vsftpd 30364 1020546 ADV-2008-2820 https://bugzilla.redhat.com/attachment.cgi?id=201051 https://issues.rpath.com/browse/RPL-2640 oval:org.mitre.oval:def:10138 Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows. APPLE-SA-2008-09-15 GLSA-200812-17 http://wiki.rpath.com/Advisories:rPSA-2008-0218 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0218 DSA-1612 DSA-1618 MDVSA-2008:140 MDVSA-2008:141 MDVSA-2008:142 [oss-security] 20080702 More ruby integer overflows (rb_ary_fill / Array#fill) RHSA-2008:0561 20080708 rPSA-2008-0218-1 ruby TA08-260A ADV-2008-2584 https://issues.rpath.com/browse/RPL-2639 oval:org.mitre.oval:def:9863 USN-651-1 FEDORA-2008-6094 Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_clear function in lib/gnutls_handshake.c in libgnutls in GnuTLS 2.3.5 through 2.4.0 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via TLS transmission of data that is improperly used when the peer calls gnutls_handshake within a normal session, leading to attempted access to a deallocated libgcrypt handle. [gnutls-devel] 20080630 GnuTLS 2.4.1 http://www.gnu.org/software/gnutls/security.html [gnutls-devel] 20080630 Details on the gnutls_handshake local crash problem [GNUTLS-SA-2008-2] 30713 ADV-2008-2398 gnutls-gnutlshandshake-code-execution(44486) https://issues.rpath.com/browse/RPL-2650 Untrusted search path vulnerability in hfkernel in hf 0.7.3 and 0.8 allows local users to gain privileges via a Trojan horse killall program in a directory in the PATH, related to improper handling of the -k option. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504182 DSA-1668 32421 hf-hfkernel-privilege-escalation(46806) Cross-site scripting (XSS) vulnerability in SquirrelMail before 1.4.17 allows remote attackers to inject arbitrary web script or HTML via a crafted hyperlink in an HTML part of an e-mail message. APPLE-SA-2009-02-12 SUSE-SR:2008:027 http://security-net.biz/wsw/index.php?p=254&n=190 http://support.apple.com/kb/HT3438 DSA-1682 32603 http://www.squirrelmail.org/index.php ADV-2008-3332 squirrelmail-html-xss(47024) oval:org.mitre.oval:def:9764 FEDORA-2008-10740 FEDORA-2008-10918 SQL injection vulnerability in authpgsqllib.c in Courier-Authlib before 0.62.0, when a non-Latin locale Postgres database is used, allows remote attackers to execute arbitrary SQL commands via query parameters containing apostrophes. GLSA-200903-25 http://www.courier-mta.org/authlib/changelog.html 32926 courier-library-postgres-sql-injection(47494) SQL injection vulnerability in the create function in common/include/GroupJoinRequest.class in GForge 4.5 and 4.6 allows remote attackers to execute arbitrary SQL commands via the comments variable. http://gforge.org/scm/viewvc.php/branches/Branch_4_5/gforge/common/include/GroupJoinRequest.class?root=gforge&r1=4590&r2=6709 http://gforge.org/scm/viewvc.php/branches/Branch_4_5/gforge/common/include/GroupJoinRequest.class?root=gforge&view=log http://security-tracker.debian.net/tracker/CVE-2008-2381 33086 1021510 ADV-2009-0004 gforge-create-sql-injection(47703) The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message. SUSE-SR:2009:002 SUSE-SR:2009:008 4803 1021488 1021489 http://www.coresecurity.com/content/vnc-remote-dos 20081222 CORE-2008-1210: Qemu and KVM VNC server remote DoS 32910 USN-776-1 ADV-2008-3488 ADV-2008-3489 qemu-kvm-protocolclientmsg-dos(47561) FEDORA-2008-11705 CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka \n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text file, a related issue to CVE-2003-0063 and CVE-2003-0071. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030 APPLE-SA-2009-05-12 SUSE-SR:2009:002 SUSE-SR:2009:003 254208 http://support.apple.com/kb/HT3549 DSA-1694 RHSA-2009:0018 RHSA-2009:0019 33060 1021522 TA09-133A ADV-2009-1297 xterm-decrqss-code-execution(47655) oval:org.mitre.oval:def:9317 USN-703-1 FEDORA-2009-0059 FEDORA-2009-0154 SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql (aka libapache2-mod-auth-mysql) module for the Apache HTTP Server 2.x, when configured to use a multibyte character set that allows a \ (backslash) as part of the character encoding, allows remote attackers to execute arbitrary SQL commands via unspecified inputs in a login request. Please note that this describes the software used in debian as mod-auth-mysql (binary name is libapache2-mod-auth-mysql). It is different from the Sourceforge project. http://klecker.debian.org/~white/mod-auth-mysql/CVE-2008-2384_mod-auth-mysql.patch FEDORA-2011-0100 FEDORA-2011-0114 [oss-security] 20090121 mod-auth-mysql: SQL injection RHSA-2009:0259 RHSA-2010:1002 33392 ADV-2009-0226 ADV-2011-0367 https://bugzilla.redhat.com/show_bug.cgi?id=480238 modauthmysql-multibyte-sql-injection(48163) oval:org.mitre.oval:def:10172 Multiple off-by-one errors in opensuse-updater in openSUSE 10.2 have unspecified impact and attack vectors. NOTE: the vendor states that these "can be considered no security problem." SUSE-SR:2008:012 opensuse-updater in openSUSE 10.2 allows local users to access arbitrary files via a symlink attack. SUSE-SR:2008:012 29608 Hpufunction.dll 4.0.0.1 in HP Software Update exposes the unsafe (1) ExecuteAsync and (2) Execute methods, which allows remote attackers to execute arbitrary code via an absolute pathname in the first argument. hp-softwareupdate-hpufunction-code-execution(42249) 5511 SubSonic allows remote attackers to bypass pagesize limits and cause a denial of service (CPU consumption) via a pageindex (aka data page number) of -1. 3898 http://www.codeplex.com/subsonic/WorkItem/View.aspx?WorkItemId=16112 http://www.portcullis-security.com/uplds/wildcard_attacks.pdf 20080519 DoS attacks using SQL Wildcards - White Paper subsonic-pagesize-dos(42562) Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard. 3897 20080519 Wordpress Malicious File Execution Vulnerability 29276 wordpress-writetabs-file-upload(42561) SQL injection vulnerability in play.php in EntertainmentScript 1.4.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. 29284 entertainmentscript-play-sql-injection(42538) 5654 Multiple SQL injection vulnerabilities in TAGWORX.CMS 3.00.02 allow remote attackers to execute arbitrary SQL commands via the (1) cid parameter to contact.php and the (2) nid parameter to news.php. http://www.tagworx.net/webdesign_seo_muenchen.php?cid=79&pid=5 ADV-2008-1561 tagworx-contact-news-sql-injection(42512) 5642 SQL injection vulnerability in thread.php in AlkalinePHP 0.80.00 beta and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 29281 alkalinephp-thread-sql-injection(42520) 5652 PHP remote file inclusion vulnerability in index.php in Wajox Software microSSys CMS 1.5 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in an arbitrary element of the PAGES array parameter. 29278 microssys-index-file-include(42518) 5651 Cross-site scripting (XSS) vulnerability in search-results.dot in dotCMS 1.x allows remote attackers to inject arbitrary web script or HTML via the search_query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29287 dotcms-searchresultsdot-xss(42525) Cross-site scripting (XSS) vulnerability in index.php in AppServ Open Project 2.5.10 and earlier allows remote attackers to inject arbitrary web script or HTML via the appservlang parameter. 3896 20080520 AppServ Open Project < = 2.5.10 Remote XSS Vulnerability 29291 appserv-index-xss(42546) Directory traversal vulnerability in the FireFTP add-on before 0.98.20080518 for Firefox allows remote FTP servers to create or overwrite arbitrary files via ..\ (dot dot backslash) sequences in responses to (1) MLSD and (2) LIST commands, a related issue to CVE-2002-1345. NOTE: this can be leveraged for code execution by writing to a Startup folder. http://vuln.sg/fireftp0971-en.html VU#906907 http://www.mozdev.org/source/browse/fireftp/src/content/js/connection/controlSocket.js.in.diff?r1=1.58;r2=1.59;f=h 29289 ADV-2008-1596 fireftp-mlsd-list-directory-traversal(42516) Unspecified vulnerability in stunnel before 4.23, when running as a service on Windows, allows local users to gain privileges via unknown attack vectors. [stunnel-announce] 20080503 stunnel 4.23 released 29285 1020049 ADV-2008-1568 stunnel-windows-privilege-escalation(42526) The Admin Server in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to append to arbitrary new or existing files via the first argument to a certain file that is included by multiple unspecified ASP applications. 20080603 Sun Java System Active Server Pages File Creation Vulnerability 238184 1020186 ADV-2008-1742 sunjava-file-creation-code-execution(42832) The Admin Server in Sun Java Active Server Pages (ASP) Server before 4.0.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read password hashes and configuration data via direct requests for unspecified documents. 20080603 Sun Java System Active Server Pages Information Disclosure Vulnerability 238184 29540 1020187 ADV-2008-1742 sunjava-active-password-info-disclosure(42828) Multiple directory traversal vulnerabilities in unspecified ASP applications in Sun Java Active Server Pages (ASP) Server before 4.0.3 allow remote attackers to read or delete arbitrary files via a .. (dot dot) in the Path parameter to the MapPath method. 20080603 Sun Java System Active Server Pages Multiple Directory Traversal Vulnerabilities 238184 29538 1020188 ADV-2008-1742 sun-jsasp-directory-traversal(42831) Stack-based buffer overflow in the request handling implementation in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to execute arbitrary code via an unspecified string field. 20080603 Sun Java System Active Server Pages Buffer Overflow Vulnerability 238184 1020189 ADV-2008-1742 sunjavasystem-asp-server-bo(42830) Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in HTTP requests to unspecified ASP applications. 20080603 Sun Java System Active Server Pages Multiple Command Injection Vulnerabilities 238184 1020190 ADV-2008-1742 sun-jsasp-command-execution(42829) The administration application server in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to bypass authentication via direct requests on TCP port 5102. 20080603 Sun Java System Active Server Pages Authorization Bypass Vulnerability 238184 29539 1020191 ADV-2008-1742 sun-jsasp-admin-auth-bypass(42833) Stack-based buffer overflow in AIM.DLL in Cerulean Studios Trillian before 3.1.10.0 allows user-assisted remote attackers to execute arbitrary code via a long attribute value in a FONT tag in a message. 1020104 20080521 ZDI-08-029: Trillian AIM.DLL Long HTML Font Parameter Stack Overflow Vulnerability 29330 ADV-2008-1622 http://www.zerodayinitiative.com/advisories/ZDI-08-029/ trillian-aimdll-bo(42582) Heap-based buffer overflow in the XML parsing functionality in talk.dll in Cerulean Studios Trillian Pro before 3.1.10.0 allows remote attackers to execute arbitrary code via a malformed attribute in an IMG tag. 20080521 ZDI-08-030: Trillian Multiple Protocol XML Parsing Memory Corruption Vulnerability 1020105 29330 ADV-2008-1622 http://www.zerodayinitiative.com/advisories/ZDI-08-030/ trillian-talk-bo(42581) Stack-based buffer overflow in Cerulean Studios Trillian before 3.1.10.0 allows remote attackers to execute arbitrary code via unspecified attributes in the X-MMS-IM-FORMAT header in an MSN message. 20080521 ZDI-08-031: Trillian MSN MIME Header Stack-Based Overflow Vulnerability 1020106 29330 ADV-2008-1622 http://www.zerodayinitiative.com/advisories/ZDI-08-031/ trillian-msn-protocol-bo(42576) Cross-site scripting (XSS) vulnerability in the servlet engine and Web container in the Web Server service in IBM Lotus Domino before 7.0.3 FP1, and 8.x before 8.0.1, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. 29311 ADV-2008-1597 http://www-1.ibm.com/support/docview.wss?uid=swg21303296 ibm-lotusdomino-servlet-web-xss(42553) SQL injection vulnerability in index.php in SazCart 1.5.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the prodid parameter in a details action. 3900 20080509 SazCart <= 1.5.1 (prodid) Remote SQL Injection Exploit 29129 sazcart-prodid-sql-injection(42542) 5576 SQL injection vulnerability in glossaire.php in ACGV News 0.9.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. 29253 http://www.z0rlu.ownspace.org/index.php?/archives/84-ACGV-News-v0.9.1-2003-SQL-inj.-XSS.html acgvnews-glossaire-sql-injection(42490) Cross-site scripting (XSS) vulnerability in glossaire.php in ACGV News 0.9.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. 29253 http://www.z0rlu.ownspace.org/index.php?/archives/84-ACGV-News-v0.9.1-2003-SQL-inj.-XSS.html acgvnews-glossaire-xss(42491) Cross-site scripting (XSS) vulnerability in send_email.php in AN Guestbook (ANG) 0.4 allows remote attackers to inject arbitrary web script or HTML via the postid parameter. 29254 http://www.z0rlu.ownspace.org/index.php?/archives/86-ANG-AN-Guestbook-version-0.4-xss.html anguestbook-sendemail-xss(42489) Directory traversal vulnerability in template/purpletech/base_include.php in DigitalHive (aka hive) 2.0 RC2 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter. 29255 http://www.z0rlu.ownspace.org/index.php?/archives/85-hive-v2.0-RC2-LFi.html digitalhive-baseinclude-file-include(42495) SQL injection vulnerability in index.php in FicHive 1.0 allows remote attackers to execute arbitrary SQL commands via the category parameter in a Fiction action, possibly related to sources/fiction.class.php. 29265 ADV-2008-1564 fichive-index-sql-injection(42515) 5639 SQL injection vulnerability in showQAnswer.asp in How2ASP.net Webboard 4.1 allows remote attackers to execute arbitrary SQL commands via the qNo parameter. 29263 ADV-2008-1565 webboard-showqanswer-sql-injection(42496) 5638 Race condition in the STREAMS Administrative Driver (sad) in Sun Solaris 10 allows local users to cause a denial of service (panic) via unknown vectors. 237584 29326 1020096 ADV-2008-1606 solaris-sad-dos(42587) oval:org.mitre.oval:def:5346 Mozilla Firefox 2.0.0.14 allows remote attackers to cause a denial of service (heap corruption and application crash) or possibly execute arbitrary code by triggering an error condition during certain Iframe operations between a JSframe write and a JSframe close, as demonstrated by an error in loading an empty Java applet defined by a 'src="javascript:"' sequence. http://www.0x000000.com/?i=576 29318 mozilla-firefox-jsframe-code-execution(42589) The OCSP functionality in stunnel before 4.24 does not properly search certificate revocation lists (CRL), which allows remote attackers to bypass intended access restrictions by using revoked certificates. GLSA-200808-08 [stunnel-announce] 20080519 stunnel 4.24 released MDVSA-2008:168 29309 ADV-2008-1569 stunnel-ocsp-security-bypass(42528) FEDORA-2008-4531 FEDORA-2008-4579 FEDORA-2008-4606 Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7.0, Web Dynpro for ABAP (aka WD4A or WDA), and Web Dynpro for BSP allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under bc/gui/sap/its/webgui/. 20080521 [DSECRG-08-023] SAP Web Application Server XSS Security Vulnerability 29317 1020097 ADV-2008-1599 sap-sapbcguisapitswebgui-xss(42724) SQL injection vulnerability in index.php in Web Slider 0.6 allows remote attackers to execute arbitrary SQL commands via the slide parameter in a slides action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29296 webslider-index-sql-injection(42555) Unspecified vulnerability in Interchange before 5.6.0 and before 5.5.2 allows remote attackers to cause a denial of service via crafted HTTP requests. NOTE: this might overlap CVE-2007-2635. http://ftp.icdevgroup.org/interchange/5.6/ANNOUNCEMENT-5.6.0.txt http://ftp.icdevgroup.org/pub/interchange/5.5/ANNOUNCEMENT-5.5.2.txt 28987 29334 ADV-2008-1621 interchange-unspecified-dos(42120) interchange-http-post-dos(42580) interchange-unspec-dos(42801) Unspecified vulnerability in the 404 error page for the "Standard demo" in Interchange before 5.6.0 and before 5.5.2 has unknown impact and attack vectors. http://ftp.icdevgroup.org/interchange/5.6/ANNOUNCEMENT-5.6.0.txt http://ftp.icdevgroup.org/pub/interchange/5.5/ANNOUNCEMENT-5.5.2.txt ADV-2008-1621 interchange-404-security-bypass(42583) SQL injection vulnerability in index.php in FicHive 1.0 allows remote attackers to execute arbitrary SQL commands via the letter parameter in a Search action, a different vector than CVE-2008-2416. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. fichive-letter-sql-injection(42800) Multiple stack-based buffer overflows in Imlib 2 (aka imlib2) 1.4.0 allow user-assisted remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) a PNM image with a crafted header, related to the load function in src/modules/loaders/loader_pnm.c; or (2) a crafted XPM image, related to the load function in src/modules/loader_xpm.c. SUSE-SR:2008:018 1020146 DSA-1594 GLSA-200806-03 MDVSA-2008:123 20080529 Secunia Research: imlib2 PNM and XPM Buffer Overflow 29417 USN-697-1 ADV-2008-1700 imlib2-pnm-xpm-bo(42732) FEDORA-2008-4842 FEDORA-2008-4871 FEDORA-2008-4950 Stack-based buffer overflow in NConvert 4.92, GFL SDK 2.82, and XnView 1.93.6 on Windows and 1.70 on Linux and FreeBSD allows user-assisted remote attackers to execute arbitrary code via a crafted format keyword in a Sun TAAC file. 3956 1020340 20080620 Secunia Research: XnView, NConvert, and GFL SDK Sun TAAC Buffer Overflow 29851 ADV-2008-1896 ADV-2008-1897 5951 Multiple SQL injection vulnerabilities in TorrentTrader 1.08 Classic allow remote attackers to execute arbitrary SQL commands via the (1) email or (2) wantusername parameter to account-signup.php, or the (3) receiver parameter to account-inbox.php in a msg action. http://sourceforge.net/project/shownotes.php?group_id=98584&release_id=545219 20080618 Secunia Research: TorrentTrader Multiple SQL Injection Vulnerabilities 29787 http://www.torrenttrader.org/index.php?showtopic=8879 torrenttrader-multiple-sql-injection(43165) Multiple SQL injection vulnerabilities in Calendarix Basic 0.8.20071118 allow remote attackers to execute arbitrary SQL commands via (1) the catsearch parameter to cal_search.php or (2) the catview parameter to cal_cat.php. NOTE: vector 1 might overlap CVE-2007-3183.3, and vector 2 might overlap CVE-2005-1865.2. Integer overflow in the Open function in modules/demux/wav.c in VLC Media Player 0.8.6h on Windows allows remote attackers to execute arbitrary code via a large fmt chunk in a WAV file. GLSA-200807-13 3976 20080702 Secunia Research: VLC Media Player WAV Processing Integer Overflow 30058 1020429 http://www.videolan.org/developers/vlc/NEWS ADV-2008-1995 oval:org.mitre.oval:def:14344 oval:org.mitre.oval:def:14769 Multiple buffer overflows in Novell iPrint Client before 5.06 allow remote attackers to execute arbitrary code by calling the Novell iPrint ActiveX control (aka ienipp.ocx) with (1) a long third argument to the GetDriverFile method; a long first argument to the (2) GetPrinterURLList or (3) GetPrinterURLList2 method; (4) a long argument to the GetFileList method; a long argument to the (5) GetServerVersion, (6) GetResourceList, or (7) DeleteResource method, related to nipplib.dll; a long uploadPath argument to the (8) UploadPrinterDriver or (9) UploadResource method, related to URIs; (10) a long seventh argument to the UploadResource method; a long string in the (11) second, (12) third, or (13) fourth argument to the GetDriverSettings method, related to the IppGetDriverSettings function in nipplib.dll; or (14) a long eighth argument to the UploadResourceToRMS method. 30813 novell-iprint-getdriverfile-bo(44616) Insecure method vulnerability in the GetFileList method in an unspecified ActiveX control in Novell iPrint Client before 5.06 allows remote attackers to list the image files in an arbitrary directory via a directory name in the argument. 30813 The web management console in Trend Micro OfficeScan 7.0 through 8.0, Worry-Free Business Security 5.0, and Client/Server/Messaging Suite 3.5 and 3.6 creates a random session token based only on the login time, which makes it easier for remote attackers to hijack sessions via brute-force attacks. NOTE: this can be leveraged for code execution through an unspecified "manipulation of the configuration." 4191 20080822 Secunia Research: Trend Micro Products Web Management Authentication Bypass 30792 1020732 http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2402_readme.txt http://www.trendmicro.com/ftp/documentation/readme/Readme_WFBS5%200_EN_CriticalPatch1404.txt ADV-2008-2421 trend-micro-token-security-bypass(44597) The Trend Micro HouseCall ActiveX control 6.51.0.1028 and 6.6.0.1278 in Housecall_ActiveX.dll allows remote attackers to download an arbitrary library file onto a client system via a "custom update server" argument. NOTE: this can be leveraged for code execution by writing to a Startup folder. Per http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038646&id=EN-1038646 To resolve the issue: Request the HouseCall 6.6 Hot Fix Build 1285 file from Trend Micro Technical Support. http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038646&id=EN-1038646 4802 VU#541025 20081222 Secunia Research: Trend Micro HouseCall ActiveX Control Arbitrary Code Execution 32965 ADV-2008-3464 housecall-library-code-execution(47524) Use-after-free vulnerability in the Trend Micro HouseCall ActiveX control 6.51.0.1028 and 6.6.0.1278 in Housecall_ActiveX.dll allows remote attackers to execute arbitrary code via a crafted notifyOnLoadNative callback function. http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038646&id=EN-1038646 1021481 VU#702628 20081221 Secunia Research: Trend Micro HouseCall "notifyOnLoadNative()" Vulnerability 32950 ADV-2008-3464 housecall-notifyonloadnative-code-execution(47523) Multiple heap-based buffer overflows in the IppCreateServerRef function in nipplib.dll in Novell iPrint Client 4.x before 4.38 and 5.x before 5.08 allow remote attackers to execute arbitrary code via a long argument to the (1) GetPrinterURLList, (2) GetPrinterURLList2, or (3) GetFileList2 function in the Novell iPrint ActiveX control in ienipp.ocx. 4228 20080903 Secunia Research: Novell iPrint Client nipplib.dll "IppCreateServerRef()" Buffer Overflow 30986 1020806 ADV-2008-2481 novell-iprint-ippcreateserverref-bo(44853) Stack-based buffer overflow in cgiRecvFile.exe in Trend Micro OfficeScan 7.3 patch 4 build 1362 and other builds, OfficeScan 8.0 and 8.0 SP1, and Client Server Messaging Security 3.6 allows remote attackers to execute arbitrary code via an HTTP request containing a long ComputerName parameter. 4263 20080912 Secunia Research: Trend Micro OfficeScan "cgiRecvFile.exe" Buffer Overflow 31139 1020860 http://www.trendmicro.com/ftp/documentation/readme/CSM_3.6_OSCE_7.6_Win_EN_CriticalPatch_B1195_readme.txt http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1367_readme.txt http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Patch1_Win_EN_CriticalPatch_B3060_readme.txt http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2424_readme.txt http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_Win_EN_CriticalPatch_B1361_readme.txt ADV-2008-2555 trendmicro-cgirecvfile-bo(45072) Integer overflow in ovalarmsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a crafted command to TCP port 2954, which triggers a heap-based buffer overflow. HPSBMA02424 20090428 Secunia Research: HP OpenView Network Node Manager "ovalarmsrv" Integer Overflow 34738 ADV-2009-1187 Directory traversal vulnerability in the UpdateAgent function in TmListen.exe in the OfficeScanNT Listener service in the client in Trend Micro OfficeScan 7.3 Patch 4 build 1367 and other builds before 1372, OfficeScan 8.0 SP1 before build 1222, OfficeScan 8.0 SP1 Patch 1 before build 3087, and Worry-Free Business Security 5.0 before build 1220 allows remote attackers to read arbitrary files via directory traversal sequences in an HTTP request. NOTE: some of these details are obtained from third party information. 20081003 Secunia Research: Trend Micro OfficeScan Directory Traversal Vulnerability 31531 1020975 http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt http://www.trendmicro.com/ftp/documentation/readme/OSCE_8.0_SP1_Win_EN_CriticalPatch_B2439_Readme.txt http://www.trendmicro.com/ftp/documentation/readme/OSCE8.0_SP1_Patch1_CriticalPatch_3087_Readme.txt http://www.trendmicro.com/ftp/documentation/readme/Readme_WFBS5.0_EN_CriticalPatch1414.txt ADV-2008-2711 ADV-2008-2712 trendmicro-tmlisten-directory-traversal(45597) Cisco Secure ACS 3.x before 3.3(4) Build 12 patch 7, 4.0.x, 4.1.x before 4.1(4) Build 13 Patch 11, and 4.2.x before 4.2(0) Build 124 Patch 4 does not properly handle an EAP Response packet in which the value of the length field exceeds the actual packet length, which allows remote authenticated users to cause a denial of service (CSRadius and CSAuth service crash) or possibly execute arbitrary code via a crafted RADIUS (1) EAP-Response/Identity, (2) EAP-Response/MD5, or (3) EAP-Response/TLS Message Attribute packet. 4216 20080903 Cisco Security Response: Cisco Secure ACS Denial Of Service Vulnerability 20080903 Cisco Secure ACS EAP Parsing Vulnerability 30997 1020814 cisco-sacs-eap-dos(44871) SQL injection vulnerability in dpage.php in The Real Estate Script allows remote attackers to execute arbitrary SQL commands via the docID parameter. 29200 ADV-2008-1524 therealestatescript-docid-sql-injection(42399) 5610 SQL injection vulnerability in userreg.php in CaLogic Calendars 1.2.2 allows remote attackers to execute arbitrary SQL commands via the langsel parameter. 29193 calogic-calendars-userreg-sql-injection(42391) 5607 Cross-site scripting (XSS) vulnerability in profile.php in Web Group Communication Center (WGCC) 1.0.3 PreRelease 1 and earlier allows remote attackers to inject arbitrary web script or HTML via the userid parameter in a show action. 29188 wgcc-profile-xss(42383) 5606 Multiple SQL injection vulnerabilities in Web Group Communication Center (WGCC) 1.0.3 PreRelease 1 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) userid parameter to (a) profile.php in a "show moreinfo" action; the (2) bildid parameter to (b) picturegallery.php in a shownext action; the (3) id parameter to (c) filebase.php in a freigeben action, (d) schedule.php in a del action, and (e) profile.php in an observe action; and the (4) pmid parameter in a delete action and (5) folderid parameter in a showfolder action to (f) message.php. 29188 wgcc-multiple-sql-injection(42385) 5606 SQL injection vulnerability in products.php in the Mytipper ZoGo-shop plugin 1.15.5 and 1.16 Beta 13 for e107 allows remote attackers to execute arbitrary SQL commands via the cat parameter. 29185 zogoshop-products-sql-injection(42384) 5605 Multiple SQL injection vulnerabilities in Meto Forum 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to (a) admin/duzenle.asp and (b) admin_oku.asp; the (2) kid parameter to (c) kategori.asp and (d) admin_kategori.asp; and unspecified parameters to (e) uye.asp and (f) oku.asp. 29189 29192 metoforum-multiple-sql-injection(42390) metoforum-kategori-sql-injection(42398) 5608 Multiple cross-site scripting (XSS) vulnerabilities in Isaac McGowan phpInstantGallery 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) gallery parameter to (a) index.php and (b) image.php, and the (2) imgnum parameter to image.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29152 phpinstantgallery-index-image-xss(42374) Multiple cross-site scripting (XSS) vulnerabilities in the Statistics (aka ke_stats) extension 0.1.2 and earlier for TYPO3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-20080513-4 kestats-unspecified-xss(42366) Multiple SQL injection vulnerabilities in the Statistics (aka ke_stats) extension 0.1.2 and earlier for TYPO3 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-20080513-4 kestats-unspecified-sql-injection(42368) Cross-site scripting (XSS) vulnerability in the Questionaire (aka pbsurvey) extension 1.2.0 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-20080513-2 pbsurvey-unspecified-xss(42365) Multiple SQL injection vulnerabilities in PHP Classifieds Script allow remote attackers to execute arbitrary SQL commands via the fatherID parameter to (1) browse.php and (2) search.php. 29169 phpclassifiedsscript-fatherid-sql-injection(42380) 5599 SQL injection vulnerability in the xsstream-dm (com_xsstream-dm) component 0.01 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the movie parameter to index.php. 20080511 Joomla Component xsstream-dm 0.01 Beta SQL Injection 29144 xsstreamdm-movie-sql-injection(42323) 5587 SQL injection vulnerability in comment.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the rid parameter. 29181 blogengine-comment-sql-injection(42386) 5604 SQL injection vulnerability in index.php in ComicShout 2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the comic_id parameter. http://www.comicshout.com/ 29301 ADV-2008-1594 comicshout-index-sql-injection(42547) 5658 SQL injection vulnerability in jokes_category.php in PHP-Jokesite 2.0 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 29308 ADV-2008-1592 phpjokesite-jokescategory-sql-injection(42554) 5660 Cross-site scripting (XSS) vulnerability in index.php in Starsgames Control Panel 4.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the st parameter. 20080520 Starsgames Control Panel <= 4.6.2 Remote XSS Vulnerability 29295 starsgamescontrolpanel-index-xss(42544) Directory traversal vulnerability in page.php in EntertainmentScript 1.4.0 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the page parameter. 29306 entertainmentscript-page-file-include(42540) 5655 SQL injection vulnerability in faq.php in vBulletin 3.7.0 Gold allows remote attackers to execute arbitrary SQL commands via the q parameter in a search action. 20080520 Vbulletin 3.7.0 Gold >> Sql injection on faq.php 29293 vbulletin-faq-sql-injection(42541) SQL injection vulnerability in index.php in Netious CMS 0.4 allows remote attackers to execute arbitrary SQL commands via the pageid parameter, a different vector than CVE-2006-4047. 29319 ADV-2008-1591 netiouscms-pageid-sql-injection(42726) 5661 Cross-site scripting (XSS) vulnerability in the viewfile documentation command in Caucho Resin before 3.0.25, and 3.1.x before 3.1.4, allows remote attackers to inject arbitrary web script or HTML via the file parameter. http://www.caucho.com/resin/changes/changes-31.xtp#3.1.4%20-%20Dec%205,%202007 VU#305208 29948 1020372 ADV-2008-1930 caucho-resin-file-xss(43367) The Microsoft Office Snapshot Viewer ActiveX control in snapview.ocx 10.0.5529.0, as distributed in the standalone Snapshot Viewer and Microsoft Office Access 2000 through 2003, allows remote attackers to download arbitrary files to a client machine via a crafted HTML document or e-mail message, probably involving use of the SnapshotPath and CompressedPath properties and the PrintSnapshot method. NOTE: this can be leveraged for code execution by writing to a Startup folder. HPSBST02360 6124 VU#837785 http://www.microsoft.com/technet/security/advisory/955179.mspx 30114 1020433 TA08-189A TA08-225A ADV-2008-2012 microsoft-snapshotviewer-code-execution(43613) oval:org.mitre.oval:def:6120 The mld_input function in sys/netinet6/mld6.c in the kernel in NetBSD 4.0, FreeBSD, and KAME, when INET6 is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ICMPv6 Multicast Listener Discovery (MLD) query with a certain Maximum Response Delay value. http://cert.fi/haavoittuvuudet/2008/advisory-netbsd.html http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/mld6.c http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet6/mld6.c.diff?r1=1.46&r2=1.47&f=h NetBSD-SA2008-011 1020822 http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/mld6.c http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet6/mld6.c.diff?r1=1.34;r2=1.35;f=h VU#817940 31026 Multiple buffer overflows in the QIP Server Service (aka qipsrvr.exe) in LANDesk Management Suite, Security Suite, and Server Manager 8.8 and earlier allow remote attackers to execute arbitrary code via a crafted heal request, related to the StringToMap and StringSize arguments. http://community.landesk.com/support/docs/DOC-3276 http://dvlabs.tippingpoint.com/advisory/TPTI-08-06 4269 VU#538011 20080915 TPTI-08-06: Landesk QIP Server Service Heal Packet Buffer Overflow 31193 1020888 ADV-2008-2588 landesk-qip-bo(45154) Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv.c in libspf2 before 1.2.8 allows remote attackers to execute arbitrary code via a long DNS TXT record with a modified length field. http://bugs.gentoo.org/show_bug.cgi?format=multiple&id=242254 GLSA-200810-03 4487 http://up2date.astaro.com/2008/11/up2date_7305_released.html DSA-1659 http://www.doxpara.com/?p=1263 http://www.doxpara.com/?page_id=1256 VU#183657 31881 ADV-2008-2896 https://answers.launchpad.net/ubuntu/gutsy/+source/libspf2/1.2.5.dfsg-4ubuntu0.7.10.1 https://bugs.launchpad.net/ubuntu/feisty/+source/libspf2/+bug/271025 libspf2-dnstxtrecord-bo(46055) 6805 The InstallShield Update Service Agent ActiveX control in isusweb.dll allows remote attackers to cause a denial of service (memory corruption and browser crash) and possibly execute arbitrary code via a call to ExecuteRemote with a URL that results in a 404 error response. http://support.installshield.com/kb/view.asp?articleid=Q113020 VU#630017 31235 ADV-2008-2625 installshield-updateservice-bo(45248) Buffer overflow in x87 before 3.5.5 in ABB Process Communication Unit 400 (PCU400) 4.4 through 4.6 allows remote attackers to execute arbitrary code via a crafted packet using the (1) IEC60870-5-101 or (2) IEC60870-5-104 communication protocol to the X87 web interface. This issue is corrected in version 3.5.5 of the x87 executable. To obtain a patch or upgrade software please contact your vendor. The x87 executable is considered obsolete in newer versions of the PCU 400 and should be replaced by the newer x88 or x89 executable where applicable. Link to contact information: http://www.abb.com/industries/db0003db004333/c12573e7003305cbc1257074003d0702.aspx?productLanguage=us&country=US&tabKey=Contacts 4320 VU#343971 http://www.kb.cert.org/vuls/id/CTAR-7JTNRX 20080925 C4 Security Advisory - ABB PCU400 4.4-4.6 Remote Buffer Overflow 31391 eBay Enhanced Picture Uploader ActiveX control (EPUWALcontrol.dll) before 1.0.27 allows remote attackers to execute arbitrary commands via the PictureUrls property. Per http://www.kb.cert.org/vuls/id/983731 This update is addressed in version 1.0.27 of the Ebay Enhanced Picture Control software. http://pages.ebay.com/securitycenter/activex/index.html VU#983731 35248 The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6.3 through 7.1, (2) OpenBSD 4.2 and 4.3, (3) NetBSD, (4) Force10 FTOS before E7.7.1.1, (5) Juniper JUNOS, and (6) Wind River VxWorks 5.x through 6.4 does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity) or read private network traffic via a spoofed message that modifies the Forward Information Base (FIB). NetBSD-SA2008-013 FreeBSD-SA-08:10 1020968 http://support.apple.com/kb/HT3467 VU#472363 http://www.kb.cert.org/vuls/id/MAPG-7H2RY7 http://www.kb.cert.org/vuls/id/MAPG-7H2S68 [4.2] 015: SECURITY FIX: October 2, 2008 [4.3] 006: SECURITY FIX: October 2, 2008 31529 1021109 1021132 ADV-2008-2750 ADV-2008-2751 ADV-2008-2752 ADV-2009-0633 multiple-vendors-ndp-dos(45601) oval:org.mitre.oval:def:5670 https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2008-09-036&viewMode=view SQL injection vulnerability in index.php in MxBB (aka MX-System) Portal 2.7.3 allows remote attackers to execute arbitrary SQL commands via the page parameter. 29307 ADV-2008-1593 mxsystem-index-sql-injection(42551) 5659 ** DISPUTED ** scripts/wwwacct in cPanel 11.18.6 STABLE and earlier and 11.23.1 CURRENT and earlier allows remote authenticated users with reseller privileges to execute arbitrary code via shell metacharacters in the Email address field (aka Email text box). NOTE: the vendor disputes this, stating "I'm unable to reproduce such an issue on multiple servers running different versions of cPanel." 20080518 Cpanel all version >> root access with a reseller account. 20080519 Re: Cpanel all version >> root access with a reseller account. 29277 1020042 cpanel-wwwact-privilege-escalation(42529) Multiple SQL injection vulnerabilities in phpFix 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) kind parameter to fix/browse.php and the (2) account parameter to auth/00_pass.php. 20080526 phpFix v2 Multiple SQL Injection Vulnerability 29371 phpfix-browse-sql-injection(42636) phpfix-00pass-sql-injection(42637) PHP remote file inclusion vulnerability in plus.php in plusPHP Short URL Multi-User Script 1.6 allows remote attackers to execute arbitrary PHP code via a URL in the _pages_dir parameter. 29357 ADV-2008-1645 plusphp-plus-file-include(42623) 5672 PHP remote file inclusion vulnerability in authentication/phpbb3/phpbb3.functions.php in phpRaider 1.0.7 and 1.0.7a, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the pConfig_auth[phpbb_path] parameter. http://forums.phpraider.com/showthread.php?t=1087#v1_0_7b_-_May_29__2008 29356 ADV-2008-1646 phpraider-phpbb3functions-file-include(42622) 5671 Directory traversal vulnerability in install_mod.php in insanevisions OneCMS 2.5 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the load parameter in a go action. 20080523 [DSECRG-08-025] Local File Include in OneCMS 2.5 29374 ADV-2008-1648 onecms-installmod-file-include(42600) 5669 Directory traversal vulnerability in index.php in Xomol CMS 1.20071213 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the op parameter. 29359 ADV-2008-1644 xomolcms-index-file-include(42632) 5673 SQL injection vulnerability in index.php in Xomol CMS 1.20071213, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the email parameter. 29358 ADV-2008-1644 xomolcms-index-sql-injection(42631) 5673 Cross-site scripting (XSS) vulnerability in the URL redirection script (inc/url_redirection.inc.php) in PCPIN Chat before 6.11 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. http://community.pcpin.com/?include=700&thread_id=6918 20080524 PCPIN Chat 6: potential XSS vulnerability in URL redirection script 29363 pcpinchat-urlredirection-xss(42627) Unspecified vulnerability in eMule Plus before 1.2d has unknown impact and attack vectors related to "staticservers.dat processing." http://sourceforge.net/project/shownotes.php?release_id=600155 29361 ADV-2008-1651 emuleplus-staticservers-unspecified(42620) SQL injection vulnerability in index.php in MAXSITE 1.10 and earlier allows remote attackers to execute arbitrary SQL commands via the category parameter in a webboard action. ADV-2008-1656 maxsite-index-sql-injection(42634) 5676 admin/userform.php in RoomPHPlanning 1.5 does not require administrative credentials, which allows remote authenticated users to create new admin accounts. 29377 roomphplanning-userform-security-bypass(42629) 5674 SQL injection vulnerability in the Library for Frontend Plugins (aka sg_zfelib) extension 1.1.512 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified "user input." http://typo3.org/teams/security/security-bulletins/typo3-20080527-2/ ADV-2008-1665 sqzfelib-unspecified-sql-injection(42625) Cross-site scripting (XSS) vulnerability in the KJ Image Lightbox 2 (aka kj_imagelightbox2) extension 1.4.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified "user input." http://typo3.org/teams/security/security-bulletins/typo3-20080527-1/ ADV-2008-1666 kjimagelightbox2-unspecified-xss(42628) SQL injection vulnerability in adv_cat.php in AbleSpace 1.0 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 20080525 Ablespace 1.0 'cat_id' Parameter SQL Injection Vulnerability 29369 ablespace-advcat-sql-injection(42635) Multiple SQL injection vulnerabilities in Campus Bulletin Board 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to post3/view.asp and the (2) review parameter to post3/book.asp. 20080526 Campus Bulletin Board v3.4 Multiple Remote Vulnerabilities 29375 campusbulletinboard-multiple-sql-injection(42660) Cross-site scripting (XSS) vulnerability in post3/Book.asp in Campus Bulletin Board 3.4 allows remote attackers to inject arbitrary web script or HTML via the review parameter. 20080526 Campus Bulletin Board v3.4 Multiple Remote Vulnerabilities 29375 campusbulletinboard-book-xss(42661) Cross-site scripting (XSS) vulnerability in index.php in Zina 1.0 RC3 allows remote attackers to inject arbitrary web script or HTML via the l parameter. 20080525 Zina 1.0rc3 Remote Directory Traversal Vulnerability & XSS Vulnerability 29367 zina-index-xss(42642) Directory traversal vulnerability in index.php in Zina 1.0 RC3 allows remote attackers to have an unknown impact via a .. (dot dot) in the p parameter. 20080525 Zina 1.0rc3 Remote Directory Traversal Vulnerability & XSS Vulnerability 29367 zina-index-file-include(42641) Multiple cross-site scripting (XSS) vulnerabilities in Quate CMS 0.3.4 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) login.php, and (3) credits.php in admin/, and (4) upgrade/index.php. 29348 quate-multiple-xss(42603) 5668 CRLF injection vulnerability in Mambo before 4.6.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. http://forum.mambo-foundation.org/showthread.php?t=11799 29373 ADV-2008-1660 mambo-unspecified-response-splitting(42645) Multiple SQL injection vulnerabilities in index.php in Mambo before 4.6.4, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) articleid and (2) mcname parameters. NOTE: some of these details are obtained from third party information. http://forum.mambo-foundation.org/showthread.php?t=11799 29373 ADV-2008-1660 mambo-index-sql-injection(42644) Stack-based buffer overflow in the Community Services Multiplexer (aka MUX or StMux.exe) in IBM Lotus Sametime 7.5.1 CF1 and earlier, and 8.x before 8.0.1, allows remote attackers to execute arbitrary code via a crafted URL. 29328 1020093 ADV-2008-1595 http://www.zerodayinitiative.com/advisories/ZDI-08-028/ http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21303920 sametime-stmux-bo(42575) Cross-site scripting (XSS) vulnerability in the MOStlyContent Editor (MOStlyCE) component before 3.0 for Mambo allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://forum.mambo-foundation.org/showthread.php?t=11799 mostlyce-unspecified-xss(42749) Multiple SQL injection vulnerabilities in PHPhotoalbum 0.5 allow remote attackers to execute arbitrary SQL commands via the (1) album parameter to thumbnails.php and the (2) pid parameter to displayimage.php. phphotoalbum-multiple-sql-injection(42670) 5683 Unspecified vulnerability in the web server in eMule X-Ray before 1.4 allows remote attackers to trigger memory corruption via unknown attack vectors. http://sourceforge.net/project/shownotes.php?release_id=599894 ADV-2008-1685 emule-xray-unspecified-code-execution(42686) Buffer overflow in Uploadlist in eMule X-Ray before 1.4 has unknown impact and remote attack vectors. http://sourceforge.net/project/shownotes.php?release_id=599894 ADV-2008-1685 emule-xray-unspecified-bo(42687) Multiple SQL injection vulnerabilities in Simpel Side Netbutik 1 through 4 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to netbutik.php and the (2) id parameter to product.php. 29333 ADV-2008-1658 netbutik-netbutik-product-sql-injection(42572) 5665 Cross-site scripting (XSS) vulnerability in result.php in Simpel Side Weblosning 1 through 4 allows remote attackers to inject arbitrary web script or HTML via the search parameter. 29332 weblosning-result-xss(42574) 5664 Multiple SQL injection vulnerabilities in Simpel Side Weblosning 1 through 4 allow remote attackers to execute arbitrary SQL commands via the (1) mainid and (2) id parameters to index2.php. 29332 weblosning-index2-sql-injection(42573) 5664 Cross-site scripting (XSS) vulnerability in Calcium40.pl in Brown Bear Software Calcium 3.10 and 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the CalendarName parameter in a ShowIt action. 20080528 Calcium web calendar: Reflected XSS 29411 calcium-calcium40-xss(42704) Cross-site scripting (XSS) vulnerability in news.php in Tr Script News 2.1 allows remote attackers to inject arbitrary web script or HTML via the "nb" parameter in voir mode. 29388 http://www.z0rlu.ownspace.org/index.php?/archives/91-TR-News-v2.1-xss.html trscriptnews-news-xss(42648) SQL injection vulnerability in pwd.asp in Excuse Online allows remote attackers to execute arbitrary SQL commands via the pID parameter. http://www.chroot.org/exploits/chroot_uu_002 20080526 Excuse Online (pwd) SQL Injection Vulnerability 29370 excuseonline-pwd-sql-injection(42643) SQL injection vulnerability in wp-uploadfile.php in the Upload File plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the f_id parameter. 20080524 vuln in WordPress plugin Upload File(UP) 29352 uploadfile-wpuploadfile-sql-injection(42659) Directory traversal vulnerability in the UmxEventCli.CachedAuditDataList.1 (aka UmxEventCliLib) ActiveX control in UmxEventCli.dll in CA Internet Security Suite 2008 allows remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the argument to the SaveToFile method. NOTE: this can be leveraged for code execution by writing to a Startup folder. NOTE: some of these details are obtained from third party information. http://retrogod.altervista.org/9sg_CA_poc.html 20080528 [NSG_28-5-08] CA Internet Security Suite 2008 (UmxEventCli.dll/SaveToFile()) remote file corruption poc 1020129 ADV-2008-1696 internet-security-umxeventcli-file-overwrite(42712) 5682 Directory traversal vulnerability in Symantec Backup Exec System Recovery Manager 7.x before 7.0.4 and 8.x before 8.0.2 allows remote attackers to read arbitrary files via unspecified vectors. http://securityresponse.symantec.com/avcenter/security/Content/2008.05.28c.html 29350 1020128 ADV-2008-1686 recoverymanager-unspecified-dir-traversal(42714) Buffer overflow in the kernel in IBM AIX 5.2, 5.3, and 6.1 allows local users to execute arbitrary code in kernel mode via unknown attack vectors. http://aix.software.ibm.com/aix/efixes/security/unix_advisory.asc 1020083 IZ19911 IZ21481 IZ22368 IZ22369 IZ22370 29329 ADV-2008-1626 ibm-aix-aix-bo(42577) oval:org.mitre.oval:def:5684 Buffer overflow in errpt in IBM AIX 5.2, 5.3, and 6.1 allows local users to gain privileges via unknown attack vectors. http://aix.software.ibm.com/aix/efixes/security/errpt_advisory.asc 1020084 IZ19905 IZ21494 IZ22346 IZ22347 IZ22348 29323 ADV-2008-1626 ibm-aix-setuidroot-errpt-bo(42578) oval:org.mitre.oval:def:5629 Unspecified vulnerability in iostat in IBM AIX 5.2, 5.3, and 6.1 allows local users to gain privileges via unknown vectors related to an "environment variable handling error." http://aix.software.ibm.com/aix/efixes/security/iostat_advisory.asc 1020085 IZ20635 IZ21506 IZ22349 IZ22350 IZ22351 29325 ADV-2008-1626 ibm-aix-setuidroot-iostat-bo(42579) oval:org.mitre.oval:def:5424 pam_sm_authenticate in pam_pgsql.c in libpam-pgsql 0.6.3 does not properly consider operator precedence when evaluating the success of a pam_get_pass function call, which allows local users to gain privileges via a SIGINT signal when this function is executing, as demonstrated by a CTRL-C sequence at a sudo password prompt in an "auth sufficient pam_pgsql.so" configuration. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=481970 http://sourceforge.net/project/shownotes.php?release_id=601775 29360 1020111 ADV-2008-1654 libpampgsql-pamsm-security-bypass(42653) The sarab.sh script in SaraB before 0.2.4 places the dar program's encryption key on the command line, which allows local users to obtain sensitive information by listing the process. http://sarab.svn.sourceforge.net/viewvc/sarab/sarab/sarab.sh?r1=34&r2=36 http://sarab.svn.sourceforge.net/viewvc/sarab/sarab/sarab.sh?view=log http://sourceforge.net/project/shownotes.php?release_id=601603&group_id=91804 29364 ADV-2008-1659 sarab-ciphers-information-disclosure(42621) Cross-site scripting (XSS) vulnerability in the advanced search mechanism (webapps/search/advanced.jsp) in Sun Java System Web Server 6.1 before SP9 and 7.0 before Update 3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably related to the next parameter. 236481 29355 1020110 ADV-2008-1649 javasystem-advancedsearch-xss(42624) Directory traversal vulnerability in Core FTP client 2.1 Build 1565 allows remote FTP servers to create or overwrite arbitrary files via .. (dot dot) sequences in responses to LIST commands, a related issue to CVE-2002-1345. NOTE: this can be leveraged for code execution by writing to a Startup folder. http://vuln.sg/coreftp211565-en.html http://www.coreftp.com/forums/viewtopic.php?t=6078 29362 ADV-2008-1643 coreftp-list-directory-traversal(42605) Multiple PHP remote file inclusion vulnerabilities in BigACE 2.4, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[_BIGACE][DIR][addon] parameter to (a) addon/smarty/plugins/function.captcha.php and (b) system/classes/sql/AdoDBConnection.php; and the (2) GLOBALS[_BIGACE][DIR][admin] parameter to (c) item_information.php and (d) jstree.php in system/application/util/, and (e) system/admin/plugins/menu/menuTree/plugin.php, different vectors than CVE-2006-4423. 29157 bigace-multiple-file-include(42343) 5596 SQL injection vulnerability in members.php in YABSoft Mega File Hosting Script (aka MFH or MFHS) 1.2 allows remote authenticated users to execute arbitrary SQL commands via the fid parameter. 29167 megafile-members-sql-injection(42355) 5598 SQL injection vulnerability in members.php in Battle.net Clan Script for PHP 1.5.3 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the showmember parameter in a members action. 29166 battlenetclanscript-members-sql-injection(42354) 5597 SQL injection vulnerability in the Autopatcher server plugin in RakNet before 3.23 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. http://www.jenkinssoftware.com/raknet/forum/index.php?topic=1787.0 29178 raknet-autopatcher-sql-injection(42352) BlogPHP 2.0 allows remote attackers to bypass authentication, and post (1) messages or (2) comments as an arbitrary user, via a modified blogphp_username field in a cookie. http://www.davidsopas.com/soapbox/blogphp.txt 29133 blogphp-blogphpusername-security-bypass(42372) Cross-site scripting (XSS) vulnerability in the Event Database (aka rlmp_eventdb) extension before 1.1.2 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-20080513-3/ 29180 rlmpeventdb-unspecified-xss(42361) Cross-site scripting (XSS) vulnerability in the WT Gallery (aka wt_gallery) extension 2.6.2 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://typo3.org/teams/security/security-bulletins/typo3-20080513-1/ 29182 wtgallery-unspecified-xss(42363) Cross-site scripting (XSS) vulnerability in view.php in ActualScripts ActualAnalyzer Server 8.37 and earlier, ActualAnalyzer Gold 7.74 and earlier, ActualAnalyzer Pro 6.95 and earlier, and ActualAnalyzer Lite 2.78 and earlier allows remote attackers to inject arbitrary web script or HTML via the language parameter. http://www.majorsecurity.de/index_2.php?major_rls=major_rls52 20080512 [MajorSecurity Advisory #52]ActualAnalyzer family - Cross Site Scripting Issues 29177 actualanalyzer-view-xss(42367) Unspecified vulnerability in Citrix Access Gateway Standard Edition 4.5.7 and earlier and Advanced Edition 4.5 HF2 and earlier allows attackers to bypass authentication and gain "access to network resources" via unspecified vectors. http://support.citrix.com/article/CTX116930 29174 1020025 ADV-2008-1474 citrix-access-unspecified-auth-bypass(42356) SQL injection vulnerability in read.php in Advanced Links Management (ALM) 1.5.2 allows remote attackers to execute arbitrary SQL commands via the catId parameter. 29137 alm-read-sql-injection(42320) 5581 Multiple SQL injection vulnerabilities in Concepts & Solutions QuickUpCMS allow remote attackers to execute arbitrary SQL commands via the (1) nr parameter to (a) frontend/news.php, the (2) id parameter to (b) events3.php and (c) videos2.php in frontend/, the (3) y parameter to (d) frontend/events2.php, and the (4) ser parameter to (e) frontend/fotos2.php. 29145 quickupcms-news-sql-injection(42325) 5588 Cross-site scripting (XSS) vulnerability in the search script in Build A Niche Store (BANS) 3.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter. http://holisticinfosec.org/content/view/64/45/ 29187 bans-search-xss(42373) SQL injection vulnerability in forum/topic_detail.php in AJ Square aj-hyip (aka AJ HYIP Acme) allows remote attackers to execute arbitrary SQL commands via the id parameter. 29173 ajhyipacme-topicdetail-sql-injection(42382) 5602 Multiple cross-site scripting (XSS) vulnerabilities in Phoenix View CMS Pre Alpha2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ltarget parameter to (a) admin/admin_frame.php and the (2) conf parameter to (b) gbuch.admin.php, (c) links.admin.php, (d) menue.admin.php, (e) news.admin.php, and (f) todo.admin.php in admin/module/. 29130 phoenixview-adminframe-xss(42314) 5578 Directory traversal vulnerability in admin/admin_frame.php in Phoenix View CMS Pre Alpha2 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ltarget parameter. phoenixview-adminframe-file-include(42315) 5578 Multiple SQL injection vulnerabilities in Phoenix View CMS Pre Alpha2 and earlier allow remote attackers to execute arbitrary SQL commands via the del parameter to (1) gbuch.admin.php, (2) links.admin.php, (3) menue.admin.php, (4) news.admin.php, and (5) todo.admin.php in admin/module/. phoenixview-del-sql-injection(42316) 5578 SQL injection vulnerability in out.php in YABSoft Advanced Image Hosting (AIH) Script 2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the t parameter. 29172 advancedimagehosting-out-sql-injection(42405) 5601 SQL injection vulnerability in cat.php in HispaH Model Search allows remote attackers to execute arbitrary SQL commands via the cat parameter. 29128 modelsearch-cat-sql-injection(42312) 5577 Unspecified vulnerability in crontab on Sun Solaris 8 through 10, and OpenSolaris before snv_93, allows local users to insert cron jobs into the crontab files of arbitrary users via unspecified vectors. 1020151 237864 http://support.avaya.com/elmodocs2/security/ASA-2008-222.htm ADV-2008-1714 solaris-crontab-code-execution(42763) oval:org.mitre.oval:def:4725 The Sun Cluster Global File System in Sun Cluster 3.1 on Sun Solaris 8 through 10, when an underlying ufs filesystem is used, might allow local users to read data from arbitrary deleted files, or corrupt files in global filesystems, via unspecified vectors. 201341 29458 1020152 ADV-2008-1713 suncluster-unspecified-info-disclosure(42762) Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X. http://aviv.raffon.net/2008/05/31/SafariPwnsInternetExplorer.aspx http://blogs.zdnet.com/security/?p=1230 APPLE-SA-2008-06-19 1020150 http://support.avaya.com/elmodocs2/security/ASA-2009-133.htm http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=871138 http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html http://www.microsoft.com/technet/security/advisory/953818.mspx 29445 1022047 TA09-104A ADV-2008-1706 ADV-2009-1028 ADV-2009-1029 MS09-014 MS09-015 apple-safari-windows-code-execution(42765) oval:org.mitre.oval:def:5782 oval:org.mitre.oval:def:6108 oval:org.mitre.oval:def:8509 Multiple stack-based buffer overflows in the HTTP Gateway Service (icihttp.exe) in CA eTrust Secure Content Manager 8.0 allow remote attackers to execute arbitrary code or cause a denial of service via long FTP responses, related to (1) the file month field in a LIST command; (2) the PASV command; and (3) directories, files, and links in a LIST command. http://dvlabs.tippingpoint.com/advisory/TPTI-08-05 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=36408 20080604 ZDI-08-036: CA ETrust Secure Content Manager Gateway FTP LIST Stack Overflow 20080604 ZDI-08-035: CA ETrust Secure Content Manager Gateway FTP PASV Stack Overflow Vulnerability 20080604 TPTI-08-05: CA ETrust Secure Content Manager Gateway FTP LIST Stack Overflow Vulnerability 20080604 CA Secure Content Manager HTTP Gateway Service FTP Request Vulnerabilities 29528 1020167 ADV-2008-1741 http://www.zerodayinitiative.com/advisories/ZDI-08-035/ http://www.zerodayinitiative.com/advisories/ZDI-08-036 ca-etrust-scm-ftp-bo(42821) https://support.ca.com/irj/portal/anonymous/SolutionResults?aparNo=QO99987&os=NT&actionID=3 Stack-based buffer overflow in the getline function in Ppm/ppm.C in NASA Ames Research Center BigView 1.8 allows user-assisted remote attackers to execute arbitrary code via a crafted PNM file. 3924 http://www.coresecurity.com/?action=item&id=2304 20080604 CORE-2008-0425 - NASA BigView Stack Buffer Overflow ADV-2008-1745 bigview-getline-bo(42847) The ooh323 channel driver in Asterisk Addons 1.2.x before 1.2.9 and Asterisk-Addons 1.4.x before 1.4.7 creates a remotely accessible TCP port that is intended solely for localhost communication, and interprets some TCP application-data fields as addresses of memory to free, which allows remote attackers to cause a denial of service (daemon crash) via crafted TCP packets. http://downloads.digium.com/pub/security/AST-2008-009.html 1020202 20080604 AST-2008-009: AST-2008-007 Cryptographic keys generated by OpenSSL on Debian-based systems compromised 20080604 AST-2008-009: (Corrected subject) Remote crash vulnerability in ooh323 channel driver 29567 ADV-2008-1747 asterisk-addons-ooh323-dos(42869) Skype 3.6.0.248, and other versions before 3.8.0.139, uses a case-sensitive comparison when checking for dangerous extensions, which allows user-assisted remote attackers to bypass warning dialogs and possibly execute arbitrary code via a file: URI with a dangerous extension that uses a different case. 20080604 Skype File URI Security Bypass Code Execution Vulnerability 29553 1020201 http://www.skype.com/security/skype-sb-2008-003.html ADV-2008-1749 skype-fileuri-case-security-bypass(43044) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1805. Reason: This candidate is a reservation duplicate of CVE-2008-1805. Notes: All CVE users should reference CVE-2008-1805 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Stack-based buffer overflow in msiexec.exe 3.1.4000.1823 and 4.5.6001.22159 in Microsoft Windows Installer allows context-dependent attackers to execute arbitrary code via a long GUID value for the /x (aka /uninstall) option. NOTE: this issue might cross privilege boundaries if msiexec.exe is reachable via components such as ActiveX controls, and might additionally require a separate vulnerability in the control. http://www.aushack.com/200806-msiexec.txt 20080603 Windows Installer msiexec GUID Buffer Overflow 20080603 Re: Windows Installer msiexec GUID Buffer Overflow 20080603 RE: Windows Installer msiexec GUID Buffer Overflow win-msiexec-bo(42887) Stack-based buffer overflow in the JPEG thumbprint component in the EXIF parser on Motorola cell phones with RAZR firmware allows user-assisted remote attackers to execute arbitrary code via an MMS transmission of a malformed JPEG image, which triggers memory corruption. 20080527 ZDI-08-033: Motorola RAZR JPG Processing Stack Overflow Vulnerability 1020117 ADV-2008-1671 razr-jpeg-bo(42656) Adobe Acrobat Reader 8.1.2 and earlier, and before 7.1.1, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a malformed PDF document, as demonstrated by 2008-HI2.pdf. 249366 SUSE-SR:2008:026 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=800801 http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=909609 http://www.adobe.com/support/security/bulletins/apsb08-19.html http://www.adobe.com/support/security/bulletins/apsb09-04.html RHSA-2008:0974 29420 1021140 TA08-309A ADV-2008-3001 ADV-2009-0098 acrobatreader-pdf-dos(42886) 5687 Unspecified vulnerability in the Web Services Security component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.17 has unknown impact and attack vectors related to an attribute in the SOAP security header. 1020168 ADV-2008-1734 http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27007951 websphere-soap-information-disclosure(42822) The DownloaderActiveX Control (DownloaderActiveX.ocx) in Icona SpA C6 Messenger 1.0.0.1 allows remote attackers to force the download and execution of arbitrary files via a URL in the propDownloadUrl parameter with the propPostDownloadAction parameter set to "run." 3926 20080603 [NSG 03-06-2008] C6 Messenger Installation Url DownloaderActiveX Control Remote Download & Execute Exploit 29519 ADV-2008-1733 iconaspa-downloaderactivex-code-execution(42825) 5732 Unspecified vulnerability in the Service Tag Registry on Sun Solaris 10, and Sun Service Tag before 1.1.3, allows local users to cause a denial of service (disk consumption) via unspecified vectors. 238414 1019316 29561 1020203 ADV-2008-1748 solaris-servicetagregistry-dos(42874) Cross-site scripting (XSS) vulnerability in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) R_2_5_0_94 and earlier allows remote attackers to inject arbitrary web script or HTML via the userfield parameter. http://slashcode.cvs.sourceforge.net/slashcode/slash/Slash/Utility/Environment/Environment.pm?r1=1.223&r2=1.225 DSA-1633 29548 1020207 http://www.slashcode.com/article.pl?sid=08/01/04/1950244&tid=4 http://www.slashcode.com/article.pl?sid=08/01/07/2314232 slash-userfield-xss(42882) Multiple SQL injection vulnerabilities in BP Blog 6.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to template_permalink.asp and (2) cat parameter to template_archives_cat.asp. 3925 20080601 BP Blog 6.0 (id) Remote Blind SQL Injection Vulnerability 29460 bpblog-id-cat-sql-injection(42894) 5705 SQL injection vulnerability in index.php in EasyWay CMS allows remote attackers to execute arbitrary SQL commands via the mid parameter. Additional resources found during analysis: http://secunia.com/advisories/30494/ easyway-index-sql-injection(42787) 5706 SQL injection vulnerability in read.php in PHP Visit Counter 0.4 and earlier allows remote attackers to execute arbitrary SQL commands via the datespan parameter in a read action. phpvisitcounter-read-sql-injection(42789) 5703 Cross-site scripting (XSS) vulnerability in CRE Loaded 6.2.13.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) Links and (2) Links Submit pages. http://oscommerceuniversity.com/lounge/index.php?topic=249.0 29786 creloaded-links-linkssubmit-xss(42888) CRE Loaded 6.2.13.1 and earlier does not set the "Secure" attribute for cookies that are sent over HTTPS, which might allow remote attackers to sniff the cookies if they are sent over HTTP. http://oscommerceuniversity.com/lounge/index.php?topic=255.0 creloaded-secure-mitm(42889) Integer overflow in Borland Interbase 2007 SP2 (8.1.0.256) allows remote attackers to execute arbitrary code via a malformed packet to TCP port 3050, which triggers a stack-based buffer overflow. NOTE: this issue might be related to CVE-2008-0467. 1020092 http://www.coresecurity.com/?action=item&id=2278 29302 ADV-2008-1590 borland-packet-bo(42558) SQL injection vulnerability in showpost.php in 427BB 2.3.1 allows remote attackers to execute arbitrary SQL commands via the post parameter. 29564 427bb-showpost-sql-injection(42876) 5742 Multiple cross-site scripting (XSS) vulnerabilities in 427BB 2.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO to (a) register.php, (b) reminder.php, and (c) search.php; the (2) uname, (3) email, and (4) email2 parameters to register.php; the (5) email parameter to reminder.php; and the (6) keywords parameter to search.php. 29564 427bb-multiple-xss(42877) 5742 SQL injection vulnerability in edCss.php in PowerPhlogger 2.2.5 and earlier allows remote authenticated users to execute arbitrary SQL commands via the css_str parameter in an edit action. 29566 powerphlogger-edcss-sql-injection(42870) 5744 Multiple cross-site scripting (XSS) vulnerabilities in (1) dsp_main.php and (2) dsp_task_editor.php in SamTodo 1.1 allow remote attackers to inject arbitrary web script or HTML via the (a) tid parameter in a main.taskeditor edit action, and the (b) completed parameter in a main.default action, to index.php. http://www.davidsopas.com/soapbox/samtodo.txt 29568 29569 samtodo-index-xss(42868) SQL injection vulnerability in the JotLoader (com_jotloader) component 1.2.1.a and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter to index.php. 29554 jotloader-index-sql-injection(42840) 5737 Multiple SQL injection vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.php and (2) edit.php. NOTE: it was later reported that 4.0.x is also affected. http://packetstormsecurity.com/files/129789/PHP-Address-Book-Cross-Site-Scripting-SQL-Injection.html 20090626 MULTIPLE SQL INJECTION VULNERABILITIES --PHP-AddressBook v-4.0.x--> 35511 phpaddressbook-view-edit-sql-injection(42855) phpaddressbook-viewphp-sql-injection(99622) 5739 9023 Multiple cross-site scripting (XSS) vulnerabilities in PHP Address Book 3.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the group parameter to (1) index.php or (2) the default URI. http://packetstormsecurity.com/files/129789/PHP-Address-Book-Cross-Site-Scripting-SQL-Injection.html phpaddressbook-group-xss(42856) phpaddressbook-grouppara-xss(99624) 5739 Cross-site scripting (XSS) vulnerability in Fenriru Sleipnir 2.7.1 Release2 and earlier, Portable Sleipnir 2.7.1 Release2 and earlier, and Grani 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to a history mechanism and favorites search, a different vulnerability than CVE-2007-6002. JVN#25448394 http://www.fenrir.co.jp/sleipnir/note.html 29555 sleipnir-favoritesearch-xss(42827) SQL injection vulnerability in the Simple Shop Galore (com_simpleshop) component 3.4 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter in a browse action to index.php. 29565 simpleshopgalore-index-sql-injection(42871) 5743 5833 SQL injection vulnerability in the EasyBook (com_easybook) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gbid parameter in a deleteentry action to index.php. easybook-gbid-sql-injection(42853) 5740 Multiple unspecified vulnerabilities in LimeSurvey (formerly PHPSurveyor) before 1.71 have unknown impact and attack vectors. http://sourceforge.net/project/shownotes.php?group_id=74605&release_id=603922 http://www.limesurvey.org/content/view/102/1/lang,en/ 29506 limesurvey-multiple-unspecified(42806) Cross-site request forgery (CSRF) vulnerability in LimeSurvey (formerly PHPSurveyor) before 1.71 allows remote attackers to change arbitrary quotas as administrators via a "modify quota" action. http://sourceforge.net/project/shownotes.php?group_id=74605&release_id=603922 http://www.limesurvey.org/content/view/102/1/lang,en/ 29506 limesurvey-modifyquotaaction-csrf(42807) SQL injection vulnerability in php/leer_comentarios.php in FlashBlog allows remote attackers to execute arbitrary SQL commands via the articulo_id parameter. 3927 20080529 Flash Blog Sql Injection flashblog-leercomentarios-sql-injection(43040) 5685 Stack-based buffer overflow in SFTP in freeSSHd 1.2.1 allows remote authenticated users to execute arbitrary code via a long directory name in an SSH_FXP_OPENDIR (aka opendir) command. 20080606 FreeSSHD 1.2.1 (Post Auth) Remote Seh Overflow Exploit 29453 1020212 ADV-2008-1711 5709 5751 Unrestricted file upload vulnerability in admin/Editor/imgupload.php in FlashBlog 0.31 beta allows remote attackers to execute arbitrary code by uploading a .php file, then accessing it via a direct request to the file in tus_imagenes/. 3928 http://www.dumenci.net/web-action/flashblog-beta0.31-remote-file-upload-vulnerability.html http://www.flashblog.org 20080529 FlashBlog Remote File Upload Vulnerability flashblog-imgupload-file-upload(42820) 5728 cbrPager before 0.9.17 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a (1) ZIP (aka .cbz) or (2) RAR (aka .cbr) archive filename. http://cvs.fedoraproject.org/viewcvs/rpms/cbrpager/devel/cbrpager-0.9.16-filen-shell-escaping.patch?rev=1.2 GLSA-200806-05 http://sourceforge.net/forum/forum.php?forum_id=827120 http://sourceforge.net/project/shownotes.php?release_id=601538&group_id=119647 http://www.jcoppens.com/soft/cbrpager/log.en.php ADV-2008-1693 https://bugzilla.redhat.com/show_bug.cgi?id=448285 cbrpager-archive-command-execution(42741) Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 9.2, 9.1, 9.0, and 8.1 SP6 has unknown impact and local attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020498 ADV-2008-2109 ADV-2008-2115 oracle-weblogic-foreignjms-priv-escalation(43828) Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 9.2 MP1 has unknown impact and remote authenticated attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020498 ADV-2008-2109 ADV-2008-2115 oracle-weblogic-consolewlst-priv-escalation(43826) Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 and 9.2 MP1 has unknown impact and local attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020498 ADV-2008-2109 ADV-2008-2115 oracle-weblogic-log-priv-escalation(43827) Unspecified vulnerability in the WebLogic Server Plugins for Apache, Sun and IIS web servers component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, and 6.1 SP7 has unknown impact and remote attack vectors. SSRT061201 JVN#81667751 JVNDB-2008-000040 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020498 ADV-2008-2109 ADV-2008-2115 oracle-weblogic-plugins-unauth-access(43823) Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, and 9.0 has unknown impact and remote attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020498 ADV-2008-2109 ADV-2008-2115 oracle-weblogic-jsp-info-disclosure(43829) Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 has unknown impact and remote attack vectors related to UDDI Explorer. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020498 ADV-2008-2109 ADV-2008-2115 oracle-weblogic-uddiexplorer-unauth-access(43824) Unspecified vulnerability in the WebLogic Server component in Oracle BEA Product Suite 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 has unknown impact and remote attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020498 ADV-2008-2109 ADV-2008-2115 oracle-weblogic-dos(43825) Unspecified vulnerability in the sample Discussion Forum Portlet for the Oracle Portal component in Oracle Application Server, as available from OTN before 20080715, has unknown impact and remote attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020494 ADV-2008-2109 ADV-2008-2115 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2008. Notes: none. Unspecified vulnerability in the Oracle Report Manager component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020495 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2606. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020495 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Advanced Replication component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 has unknown impact and local attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle JDeveloper component in Oracle Application Server 10.1.2.2 allows local users to affect confidentiality via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuoct2008-100299.html 1021054 ADV-2008-2825 oracle-jdeveloper-info-disclosure(45877) Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 9.0.4.3, 10.1.2.2, and 10.1.4.1 has unknown impact and remote attack vectors. NOTE: the previous information was obtained from the Oracle July 2008 CPU. Oracle has not commented on reliable researcher claims that this issue is a SQL injection vulnerability in the WWV_RENDER_REPORT package that allows remote attackers to execute arbitrary SQL (PL/SQL) commands via the second argument to the SHOW procedure. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 20080715 Oracle Application Server PLSQL injection flaw 1020494 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Instance Management component in Oracle Database 10.1.0.5 and Enterprise Manager 10.1.0.6 has unknown impact and remote authenticated attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020496 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle Database Vault component in Oracle Database 9.2.0.8DV, 10.2.0.3, and 11.1.0.6 has unknown impact and remote authenticated attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Advanced Replication component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to SYS.DBMS_DEFER_SYS. NOTE: the previous information was obtained from the Oracle July 2008 CPU. Oracle has not commented on reliable researcher claims that this is a SQL injection vulnerability in the DELETE_TRAN procedure. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 20080804 Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN) 20080811 Re: Team SHATTER Security Advisory: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN) 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2594. http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020494 Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2593. http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020494 Unspecified vulnerability in the Oracle Internet Directory component in Oracle Application Server 9.0.4.3, 10.1.2.3, and 10.1.4.2 has unknown impact and remote attack vectors. NOTE: the previous information was obtained from the Oracle July 2008 CPU. Oracle has not commented on reliable researcher claims that this issue is a denial of service (crash) via a malformed LDAP request that triggers a NULL pointer dereference. SSRT061201 20080715 Oracle Internet Directory Pre-Authentication LDAP DoS Vulnerability http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020494 ADV-2008-2109 ADV-2008-2115 6101 Unspecified vulnerability in the Mobile Application Server component in Oracle E-Business Suite 12.0.3 has unknown impact and remote authenticated attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020495 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the TimesTen Client/Server component in Oracle Times Ten In-Memory Database 7.0.3.0.0 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2598 and CVE-2008-2599. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020493 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the TimesTen Client/Server component in Oracle Times Ten In-Memory Database 7.0.3.0.0 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2597 and CVE-2008-2599. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020493 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the TimesTen Client/Server component in Oracle Times Ten In-Memory Database 7.0.3.0.0 has unknown impact and remote attack vectors, a different vulnerability than CVE-2008-2597 and CVE-2008-2598. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020493 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5, 10.2.0.3, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to MDSYS.SDO_TOPO_MAP. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020495 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Data Pump component in Oracle Database 10.1.0.5, 10.2.0.4, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to the IMP_FULL_DATABASE role. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Resource Manager component in Oracle Database 10.1.0.5, 10.2.0.4, and 11.1.0.6, and Database Control in Enterprise Manager, has unknown impact and remote authenticated attack vectors. NOTE: the previous information was obtained from the Oracle July 2008 CPU. Oracle has not commented on reliable researcher claims that this is a cross-site scripting (XSS) issue that allows remote attackers to inject arbitrary web script or HTML via the REFRESHCHOICE parameter in multiple web pages. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 20080804 Team SHATTER Security Advisory: Cross-site scripting in Oracle Enterprise Manager (REFRESHCHOICE Parameter) 1020496 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Authentication component in Oracle Database 11.1.0.6 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2605. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Authentication component in Oracle Database 11.1.0.6 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2604. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2586. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020495 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Advanced Queuing component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to SYS.DBMS_AQELM. NOTE: the previous information was obtained from the Oracle July 2008 CPU. Oracle has not commented on reliable researcher claims that this issue is a buffer overflow that allows attackers to cause a denial of service (database corruption) and possibly execute arbitrary code via a long argument to an unspecified procedure. SSRT061201 20080715 Oracle Database DBMS_AQELM Package Buffer Overflow Vulnerability http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Data Pump component in Oracle Database 10.1.0.5 and 10.2.0.3 has unknown impact and remote authenticated attack vectors related to SYS.KUPF$FILE_INT. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 9.0.4.3, 10.1.2.3, and 10.1.4.2 has unknown impact and remote attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020494 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 12.0.4 has unknown impact and remote authenticated attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020495 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.6 has unknown impact and remote authenticated attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Hyperion BI Plus component in Oracle Application Server 8.3.2.4, 8.5.0.3, 9.2.0.3, 9.2.1.0, and 9.3.1.0 has unknown impact and remote attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020494 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Database Scheduler component in Oracle Database 10.2.0.4 and 11.1.0.6 has unknown impact and local attack vectors. NOTE: the previous information was obtained from the Oracle July 2008 CPU. Oracle has not commented on reliable researcher claims that this is an untrusted search path issue that allows local users to gain privileges via a malicious (1) libclntsh.so or (2) libnnz10.so library. SSRT061201 20080715 Oracle Database Local Untrusted Library Path Vulnerability http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 20080719 Oracle Database Local Untrusted Library Path Vulnerability 1020499 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the Oracle HTTP Server component in Oracle Application Server 9.0.4.3, 10.1.2.3, and 10.1.3.3 has unknown impact and remote attack vectors. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020494 ADV-2008-2109 ADV-2008-2115 Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2616, CVE-2008-2617, CVE-2008-2618, CVE-2008-2620, CVE-2008-2621, and CVE-2008-2622. http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020497 oracle-peoplesoft-peoptools-priv-escalation1(43816) Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2617, CVE-2008-2618, CVE-2008-2620, CVE-2008-2621, and CVE-2008-2622. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020497 oracle-peoplesoft-peoptools-unspecified(43818) Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2618, CVE-2008-2620, CVE-2008-2621, and CVE-2008-2622. http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020497 oracle-peoplesoft-enterprise-unspecified(43819) Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2617, CVE-2008-2620, CVE-2008-2621, and CVE-2008-2622. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020497 oracle-peopletools-privilege-escalation(43820) Unspecified vulnerability in the Oracle Reports Developer component in Oracle Application Server 1.0.2.2, 9.0.4.3, and 10.1.2.2, and E-Business Suite 11.5.10.2, allows remote authenticated users to affect availability via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuoct2008-100299.html 1021054 1021057 ADV-2008-2825 oracle-appserver-reportsdev-dos(45878) Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2617, CVE-2008-2618, CVE-2008-2621, and CVE-2008-2622. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020497 oracle-peopsoft-peopletools-unspecified(43821) Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2617, CVE-2008-2618, CVE-2008-2620, and CVE-2008-2622. SSRT061201 http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020497 oracle-peopsoft-peoptools-unspecified(43822) Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.48.17 and 8.49.11 has unknown impact and remote authenticated attack vectors, a different vulnerability than CVE-2008-2615, CVE-2008-2616, CVE-2008-2617, CVE-2008-2618, CVE-2008-2620, and CVE-2008-2621. http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html 1020497 oracle-peoplesoft-peoptools-priv-escalation2(43817) Unspecified vulnerability in the Oracle JDeveloper component in Oracle Application Server 10.1.2.3 allows local users to affect confidentiality via unknown vectors. Note 2 in Oracle Application Server Risk Matrix states "The versions in the matrix refer to standalone versions of JDeveloper." Therefore, Oracle Application Server was not included in the CPE configuration. http://www.oracle.com/technetwork/topics/security/cpujan2009-097901.html 33177 1021572 ADV-2009-0115 Unspecified vulnerability in the Oracle OLAP component in Oracle Database 10.1.0.5 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. http://www.oracle.com/technetwork/topics/security/cpuoct2008-100299.html 1021050 ADV-2008-2825 oracle-db-olap-unauth-access(45879) Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.2 allows remote attackers to affect confidentiality and integrity via unknown vectors. NOTE: the previous information was obtained from the Oracle October 2008 CPU. Oracle has not commented on reliable researcher claims that this issue involves an authentication bypass by establishing a TNS connection and impersonating a user session via a crafted authentication message during proxy authentication mode. http://www.oracle.com/technetwork/topics/security/cpuoct2008-100299.html 20081019 CVE-2008-2625: Oracle DBMS ? Proxy Authentication Vulnerability 1021050 ADV-2008-2825 oracle-db-corerdbms-unauth-access(45880) SQL injection vulnerability in comment.asp in Battle Blog 1.25 and earlier allows remote attackers to execute arbitrary SQL commands via the entry parameter. http://www.davethewebguy.com/battleblog/article.asp?entry=24 29507 ADV-2008-1737 battleblog-comment-sql-injection(42818) 5731 SQL injection vulnerability in the IDoBlog (com_idoblog) component b24 and earlier and 1.0, a component for Joomla!, allows remote attackers to execute arbitrary SQL commands via the userid parameter in a userblog action to index.php. idoblog-index-sql-injection(42819) 5730 SQL injection vulnerability in the eQuotes (com_equotes) component 0.9.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. equotes-index-sql-injection(42805) 5723 SQL injection vulnerability in the LifeType (formerly pLog) module for Drupal allows remote attackers to execute arbitrary SQL commands via the albumId parameter in a ViewAlbum action to index.php. 29495 plog-index-sql-injection(42808) 5724 SQL injection vulnerability in the JooBlog (com_jb2) component 0.1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the CategoryID parameter in a category action to index.php. ADV-2008-1736 jooblog-index-sql-injection(42838) 5734 The WordClient interface in Alt-N Technologies MDaemon 9.6.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted HTTP POST request. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. worldclient-worldclient-dos(42809) SQL injection vulnerability in the acctexp (com_acctexp) component 0.12.x and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the usage parameter in a subscribe action to index.php. acctexp-index-sql-injection(42794) 5721 Multiple SQL injection vulnerabilities in the EXP JoomRadio (com_joomradio) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the id parameter in a (1) show_radio or (2) show_video action to index.php. http://packetstormsecurity.org/0806-exploits/joomlajoomradio-sql.txt 20090218 Re: [Full-disclosure] Joomla Component com_joomradio SQL Injection 29504 expjoomradio-id-sql-injection(42814) 5729 SQL injection vulnerability in index.asp in I-Pos Internet Pay Online Store 1.3 Beta and earlier allows remote attackers to execute arbitrary SQL commands via the item parameter. ipos-item-sql-injection(42786) 5717 Multiple directory traversal vulnerabilities in BitKinex 2.9.3 allow remote FTP and WebDAV servers to create or overwrite arbitrary files via a .. (dot dot) in (1) a response to a LIST command from the BitKinex FTP client and (2) a response to a PROPFIND command from the BitKinex WebDAV client. NOTE: this can be leveraged for code execution by writing to a Startup folder. http://vuln.sg/bitkinex293-en.html ADV-2008-1738 bitkinex-webdav-ftp-directory-traversal(42842) The HTTP service on the Cisco Linksys WRH54G with firmware 1.01.03 allows remote attackers to cause a denial of service (management interface outage) or possibly execute arbitrary code via a URI that begins with a "/./" sequence, contains many instances of a "front_page" sequence, and ends with a ".asp" sequence. 3929 20080605 Remote DoS vulnerability in Linksys WRH54G 1020237 ADV-2008-1772 linksys-wrh54g-http-dos(42890) Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN 6.0.2 hotfix 3, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via quotes in (1) the css_exceptions parameter in vdesk/admincon/webyfiers.php and (2) the sql_matchscope parameter in vdesk/admincon/index.php. 3931 20080605 F5 FirePass Content Inspection Management XSS 29574 1020205 ADV-2008-1765 firepass-webyfiers-index-xss(42884) Static code injection vulnerability in guestbook.php in 1Book 1.0.1 and earlier allows remote attackers to upload arbitrary PHP code via the message parameter in an HTML webform, which is written to data.php. http://1scripts.net/php-scripts/index.php?p=16 ADV-2008-1735 1book-guestbook-code-execution(42854) 5736 Stack-based buffer overflow in the ODBC server service in Citect CitectSCADA 6 and 7, and CitectFacilities 7, allows remote attackers to execute arbitrary code via a long string in the second application packet in a TCP session on port 20222. The vulnerability found in CitectSCADA could allow a remote un-authenticated attacker to force an abnormal termination of the vulnerable software (Denial of Service) or to execute arbitrary code on vulnerable systems to gain complete control of the software. The CitectSCADA and CitectFacilities applications include ODBC server capabilities to provide remote SQL access to a relational database. For that purpose, an ODBC Server component is used to service requests from clients on TCP/IP networks. Requests are serviced over a TCP high-port in which the application layer protocol reads an initial packet that specifies the length of data and then a second packet of data, of the same length is then read. Once the data is read from the network, it is then copied to an internal buffer of fixed size allocated in the stack without previously verifying that the buffer is big enough to store all the read data. The vulnerability is related to a lack of a proper length-checking on data read from the network. A specially crafted combination of length and data packets could be used to exploit the vulnerability allowing an un-authenticated attacker to execute arbitrary code on vulnerable systems. The bug is a texbook example of classic simple stack-based buffer overflow vulnerabilities of the 1990s that can be exploited by overwriting the return address of the currently running thread. Fixes and Workarounds: User organizations should deploy the vendor patch, which is available upon request at http://www.citect.com/ or disable the vulnerable service (ODBC server) if it is not needed in their particular installation. The access complexity for this vulnerability is set at High due to the fact that exploiting this vulnerability requires the SCADA system to be connected to the internet and the client needs to be using ODBC technology. SCADA systems are not typically installed to connect to the internet for security purposes. While the vendor acknowledges that this vulnerability exists and will provide a patch upon request, they point out that this can be easily mitigated by ensuring SCADA systems (not limited to Citect products) are not connected to the internet. Citect will provide a patch upon request to mitigate this vulnerability. Please see the following press release for more information: http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf For further information on properly securing SCADA systems, please see the following whitepaper published by Citect: http://www.citect.com/documents/whitepapers/scada-security-whitepaper.pdf http://isc.sans.org/diary.html?storyid=4556 3944 1020241 http://www.coresecurity.com/?action=item&id=2186 VU#476345 http://www.kb.cert.org/vuls/id/CTAR-7ENQNH 20080611 CORE-2008-0125: CitectSCADA ODBC service vulnerability 29634 ADV-2008-1834 citectscada-odbc-bo(42992) 6387 Multiple cross-site scripting (XSS) vulnerabilities in the Flex 3 History Management feature in Adobe Flex 3.0.1 SDK and Flex Builder 3, and generated applications, allow remote attackers to inject arbitrary web script or HTML via the anchor identifier to (1) client-side-detection-with-history/history/historyFrame.html, (2) express-installation-with-history/history/historyFrame.html, or (3) no-player-detection-with-history/history/historyFrame.html in templates/html-templates/. NOTE: Firefox 2.0 and possibly other browsers prevent exploitation. http://blog.watchfire.com/wfblog/2008/06/javascript-code.html 1020301 http://www.adobe.com/support/security/bulletins/apsb08-14.html 29778 ADV-2008-1862 adobeflex-historymanagement-xss(43150) Unspecified vulnerability in Adobe Reader and Acrobat 7.0.9 and earlier, and 8.0 through 8.1.2, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors, related to an "input validation issue in a JavaScript method." http://isc.sans.org/diary.html?storyid=4616 SUSE-SR:2008:016 240106 http://www.adobe.com/support/security/bulletins/apsb08-15.html GLSA-200808-10 VU#788019 RHSA-2008:0641 29908 1020352 ADV-2008-1906 ADV-2008-2289 adobe-javascript-method-code-execution(43307) SQL injection vulnerability in login.php in OtomiGenX 2.2 allows remote attackers to execute arbitrary SQL commands via the userAccount parameter (aka the User Name field) to index.php. NOTE: some of these details are obtained from third party information. 3932 20080601 OtomiGenX v2.2 Ultimate Authentication bypass Vulnerability otomigenx-login-sql-injection(42795) otomigenx-index-sql-injection(42817) SQL injection vulnerability in the Bible Study (com_biblestudy) component before 6.0.7c for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a mediaplayer action to index.php. http://joomlacode.org/gf/project/biblestudy/news/?action=NewsThreadView&id=1454 biblestudy-index-sql-injection(42788) 5710 Multiple cross-site scripting (XSS) vulnerabilities in SMEWeb 1.4b and 1.4f allow remote attackers to inject arbitrary web script or HTML via the (1) data parameter to catalog.php, the (2) keyword parameter to search.php, the (3) page parameter to bb.php, and the (4) new_s parameter to order.php. 20080605 SMEweb 1.4b (SQL/XSS) Multiple Remote Vulnerabilities 29496 smeweb-multiple-scripts-xss(42813) 5725 Multiple PHP remote file inclusion vulnerabilities in Brim (formerly Booby) 1.0.1 allow remote attackers to execute arbitrary PHP code via a URL in the renderer parameter to template.tpl.php in (1) barrel/, (2) barry/, (3) mylook/, (4) oerdec/, (5) penguin/, (6) sidebar/, (7) slashdot/, and (8) text-only/ in templates/. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences. 29469 ADV-2008-1718 booby-renderer-file-include(42784) 5722 Multiple cross-site scripting (XSS) vulnerabilities in meBiblio 0.4.7 allow remote attackers to inject arbitrary web script or HTML via the (1) sql parameter to dbadd.inc.php, (2) InsertJournal parameter to add_journal_mask.inc.php, (3) InsertBibliography parameter to insert_mask.inc.php, and (4) LabelYear parameter to search_mask.inc.php. 29465 mebiblio-multiple-scripts-xss(42760) 5716 SQL injection vulnerability in admin/journal_change_mask.inc.php in meBiblio 0.4.7 allows remote attackers to execute arbitrary SQL commands via the JID parameter. 29465 mebiblio-journalchangemask-sql-injection(42759) 5716 Unrestricted file upload vulnerability in upload/uploader.html in meBiblio 0.4.7 allows remote attackers to execute arbitrary code by uploading a .php file, then accessing it via a direct request to the files/ directory. 29465 mebiblio-uploader-file-upload(42761) 5716 Multiple PHP remote file inclusion vulnerabilities in DesktopOnNet 3 Beta allow remote attackers to execute arbitrary PHP code via a URL in the app_path parameter to (1) don3_requiem.don3app/don3_requiem.php and (2) frontpage.don3app/frontpage.php. desktoponnet-apppath-file-include(42790) 5715 Directory traversal vulnerability in cmsimple/cms.php in CMSimple 3.1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the sl parameter to index.php. NOTE: this can be leveraged for remote file execution by including adm.php and then invoking the upload action. NOTE: on 20080601, the vendor patched 3.1 without changing the version number. Upgrade requires login when downloads link is clicked from X-Force site. http://www.cmsimple.com/forum/viewtopic.php?f=2&t=17 29450 cmsimple-index-file-include(42792) cmsimple-index-file-upload(42793) 5700 SQL injection vulnerability in the Joomla! Bulletin Board (aka Joo!BB or com_joobb) component 0.5.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the forum parameter in a forum action to index.php. joobb-forum-sql-injection(42791) 5719 Multiple SQL injection vulnerabilities in catalog.php in SMEWeb 1.4b and 1.4f allow remote attackers to execute arbitrary SQL commands via the (1) idp and (2) category parameters. 20080605 SMEweb 1.4b (SQL/XSS) Multiple Remote Vulnerabilities 29496 smeweb-catalog-sql-injection(42811) 5725 Off-by-one error in the read_client function in webhttpd.c in Motion 3.2.10 and earlier might allow remote attackers to execute arbitrary code via a long request to a Motion HTTP Control interface, which triggers a stack-based buffer overflow with some combinations of processor architecture and compiler. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=484572 [oss-security] 20080610 exploitability of off-by-one in motion webserver [oss-security] 20080610 Re: exploitability of off-by-one in motion webserver [oss-security] 20080611 Re: exploitability of off-by-one in motion webserver [oss-security] 20080611 Re: exploitability of off-by-one in motion webserver GLSA-200807-02 http://www.lavrsen.dk/twiki/pub/Motion/ReleaseNoteMotion3x2x10/webhttpd-security.diff http://www.lavrsen.dk/twiki/pub/Motion/ReleaseNoteMotion3x2x9/webhttpd-security-video2-backport.diff 29636 ADV-2008-1796 motion-readclient-bo(42979) Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change. http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/ APPLE-SA-2008-06-30 SUSE-SR:2008:017 GLSA-200812-17 SSA:2008-179-01 http://support.apple.com/kb/HT2163 http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206 DSA-1612 DSA-1618 MDVSA-2008:140 MDVSA-2008:141 MDVSA-2008:142 http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/ RHSA-2008:0561 http://www.ruby-forum.com/topic/157034 http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ 20080626 rPSA-2008-0206-1 ruby 29903 1020347 USN-621-1 ADV-2008-1907 ADV-2008-1981 http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html ruby-rbstrbufappend-code-execution(43345) https://issues.rpath.com/browse/RPL-2626 oval:org.mitre.oval:def:11601 FEDORA-2008-5649 Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/ APPLE-SA-2008-06-30 SUSE-SR:2008:017 GLSA-200812-17 SSA:2008-179-01 http://support.apple.com/kb/HT2163 http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206 DSA-1612 DSA-1618 MDVSA-2008:140 MDVSA-2008:141 MDVSA-2008:142 http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/ RHSA-2008:0561 http://www.ruby-forum.com/topic/157034 http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ 20080626 rPSA-2008-0206-1 ruby 29903 1020347 USN-621-1 ADV-2008-1907 ADV-2008-1981 http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html ruby-rbarystore-code-execution(43346) https://issues.rpath.com/browse/RPL-2626 oval:org.mitre.oval:def:10524 FEDORA-2008-5649 The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/ APPLE-SA-2008-06-30 SUSE-SR:2008:017 GLSA-200812-17 SSA:2008-179-01 http://support.apple.com/kb/HT2163 http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206 DSA-1612 DSA-1618 MDVSA-2008:140 MDVSA-2008:141 MDVSA-2008:142 http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/ RHSA-2008:0561 http://www.ruby-forum.com/topic/157034 http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ 20080626 rPSA-2008-0206-1 ruby 29903 1020347 USN-621-1 ADV-2008-1907 ADV-2008-1981 http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html ruby-rbstrformat-code-execution(43348) https://issues.rpath.com/browse/RPL-2626 oval:org.mitre.oval:def:9646 FEDORA-2008-5649 Directory traversal vulnerability in the posix_access function in PHP 5.2.6 and earlier allows remote attackers to bypass safe_mode restrictions via a .. (dot dot) in an http URL, which results in the URL being canonicalized to a local filename after the safe_mode check has successfully run. APPLE-SA-2009-05-12 SSRT090085 HPSBUX02465 GLSA-200811-05 20080617 PHP 5.2.6 posix_access() (posix ext) safe_mode bypass 3941 http://support.apple.com/kb/HT3549 http://wiki.rpath.com/Advisories:rPSA-2009-0035 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl 29797 1020327 TA09-133A ADV-2009-1297 php-posixaccess-security-bypass(43196) Multiple directory traversal vulnerabilities in PHP 5.2.6 and earlier allow context-dependent attackers to bypass safe_mode restrictions by creating a subdirectory named http: and then placing ../ (dot dot slash) sequences in an http URL argument to the (1) chdir or (2) ftok function. APPLE-SA-2009-05-12 SSRT090085 HPSBUX02465 GLSA-200811-05 20080617 PHP 5.2.6 chdir(),ftok() (standard ext) safe_mode bypass 3942 http://support.apple.com/kb/HT3549 http://wiki.rpath.com/Advisories:rPSA-2009-0035 20090302 rPSA-2009-0035-1 php php-cgi php-imap php-mcrypt php-mysql php-mysqli php-pgsql php-soap php-xsl php5 php5-cgi php5-imap php5-mcrypt php5-mysql php5-mysqli php5-pear php5-pgsql php5-soap php5-xsl 29796 1020328 TA09-133A ADV-2009-1297 php-chdir-ftoc-security-bypass(43198) SQL injection vulnerability in the Courier Authentication Library (aka courier-authlib) before 0.60.6 on SUSE openSUSE 10.3 and 11.0, and other platforms, when MySQL and a non-Latin character set are used, allows remote attackers to execute arbitrary SQL commands via the username and unspecified other vectors. http://bugs.gentoo.org/show_bug.cgi?id=225407 SUSE-SR:2008:014 GLSA-200809-05 http://www.courier-mta.org/authlib/changelog.html [courier-users] 20080314 Re: [courier-users] [Fwd: Re: authmysql vs apostrophe] [courier-announce] 20080608 courier-authlib 0.60.6 released opensuse-unspecified-sql-injection(43628) Multiple cross-site scripting (XSS) vulnerabilities in yBlog 0.2.2.2 allow remote attackers to inject arbitrary web script or HTML via (1) the q parameter to search.php, or the n parameter to (2) user.php or (3) uss.php. http://chroot.org/exploits/chroot_uu_009 3935 20080610 [web-app] yBlog 0.2.2.2 Multiple Remote Vulnerabilities 29629 yblog-searchuseruss-xss(42958) 5773 Multiple SQL injection vulnerabilities in yBlog 0.2.2.2 allow remote attackers to execute arbitrary SQL commands via (1) the q parameter to search.php, or the n parameter to (2) user.php or (3) uss.php. http://chroot.org/exploits/chroot_uu_009 3935 20080610 [web-app] yBlog 0.2.2.2 Multiple Remote Vulnerabilities 29629 yblog-searchuseruss-sql-injection(42959) 5773 Multiple SQL injection vulnerabilities in index.php in Insanely Simple Blog 0.5 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter, or (2) the term parameter in a search action. NOTE: the current_subsection parameter is already covered by CVE-2007-3889. http://chroot.org/exploits/chroot_uu_010 3938 20080610 [web-app] Insanely Simple Blog 0.5 (index) Remote SQL Injection Vulnerabilities 29630 5774 SQL injection vulnerability in comments.php in DCFM Blog 0.9.4 allows remote attackers to execute arbitrary SQL commands via the id parameter. http://chroot.org/exploits/chroot_uu_008 3939 20080610 [web-app] DCFM Blog 0.9.4 (comments) Remote SQL Injection Vulnerability 29627 dcfmblog-comments-sql-injection(42976) 5772 Multiple directory traversal vulnerabilities in ErfurtWiki R1.02b and earlier, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) ewiki_id and (2) ewiki_action parameters to fragments/css.php, and possibly the (3) id parameter to the default URI. NOTE: the default URI is site-specific but often performs an include_once of ewiki.php. http://chroot.org/exploits/chroot_uu_007 3936 20080610 [web-app] ErfurtWiki <= R1.02b (css) Local File Inclusion Vulnerability 29628 erfurtwiki-css-file-include(42981) 5771 SQL injection vulnerability in index.php in Powie pNews 2.08 and 2.10, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the shownews parameter. 29617 pnews-shownews-sql-injection(42951) 5768 Unspecified vulnerability in the Interstage Management Console, as used in Fujitsu Interstage Application Server 6.0 through 9.0.0A, Apworks Modelers-J 6.0 through 7.0, and Studio 8.0.1 and 9.0.0, allows remote attackers to read or delete arbitrary files via unspecified vectors. http://www.fujitsu.com/global/support/software/security/products-f/interstage-200805e.html 29624 1020235 ADV-2008-1771 fujitsu-console-unspecified-security-bypass(42949) Cross-site scripting (XSS) vulnerability in index.php in PHP Image Gallery allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29643 phpimagegallery-index-xss(42955) SQL injection vulnerability in the iJoomla News Portal (com_news_portal) component 1.0 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the Itemid parameter to index.php. newsportal-index-sql-injection(42936) 5761 Cross-site scripting (XSS) vulnerability in edit1.php in Telephone Directory 2008 allows remote attackers to inject arbitrary web script or HTML via the action parameter. 29614 telephonedirectory2008-edit1-xss(42972) 5764 Multiple SQL injection vulnerabilities in Telephone Directory 2008, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) code parameter in a confirm_data action to edit1.php and the (2) id parameter to view_more.php. 29614 telephonedirectory2008-code-id-sql-injection(42971) 5764 SQL injection vulnerability in the KeyWordsList function in _includes/inc_routines.asp in Realm CMS 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the kwrd parameter in a kwl action to the default URI. http://bugreport.ir/index.php?/40 29616 realm-kwrd-sql-injection(42952) 5766 Multiple cross-site scripting (XSS) vulnerabilities in _db/compact.asp in Realm CMS 2.3 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) CmpctedDB and (2) Boyut parameters. http://bugreport.ir/index.php?/40 29616 realm-compact-xss(42953) 5766 Realm CMS 2.3 and earlier allows remote attackers to obtain sensitive information via a direct request to _db/compact.asp, which reveals the database path in an error message. http://bugreport.ir/index.php?/40 realm-compact-information-disclosure(42956) 5766 _RealmAdmin/login.asp in Realm CMS 2.3 and earlier allows remote attackers to bypass authentication and access admin pages via certain modified cookies, probably including (1) cUserRole, (2) cUserName, and (3) cUserID. http://bugreport.ir/index.php?/40 29616 realm-login-authentication-bypass(42960) 5766 The BIDIB.BIDIBCtrl.1 ActiveX control in BIDIB.ocx 10.9.3.0 in Black Ice Barcode SDK 5.01 allows remote attackers to force the download and storage of arbitrary files by specifying the origin URL in the first argument to the DownloadImageFileURL method, and the local filename in the second argument. NOTE: some of these details are obtained from third party information. 8276 8277 17415 ADV-2008-1768 barcode-bidib-file-overwrite(42891) 5750 The BIDIB.BIDIBCtrl.1 ActiveX control in BIDIB.ocx 10.9.3.0 in Black Ice Barcode SDK 5.01 allows remote attackers to execute arbitrary code via long strings in the two arguments to the DownloadImageFileURL method, which trigger memory corruption. NOTE: some of these details are obtained from third party information. 29579 ADV-2008-1768 barcode-bidib-code-execution(42896) 5750 SQL injection vulnerability in article.asp in Battle Blog 1.25 Build 4 and earlier allows remote attackers to execute arbitrary SQL commands via the entry parameter, a different vector than CVE-2008-2626. http://www.davethewebguy.com/battleblog/article.asp?entry=24 ADV-2008-1737 battleblog-article-sql-injection(43018) webinc/bxe/scripts/loadsave.php in Flux CMS 1.5.0 and earlier allows remote attackers to execute arbitrary code by overwriting a PHP file in webinc/bxe/scripts/ via a filename in the XML parameter and PHP sequences in the request body, then making a direct request for this filename. 29618 fluxcms-loadsave-file-overwrite(42961) 5767 Directory traversal vulnerability in inc/config.php in ProManager 0.73 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter. 29613 promanager-language-file-include(42962) 5762 SQL injection vulnerability in pilot.asp in ASPilot Pilot Cart 7.3 allows remote attackers to execute arbitrary SQL commands via the article parameter in a kb action. 29615 pilotcart-article-sql-injection(42946) 5765 PHP remote file inclusion vulnerability in pub/clients.php in BrowserCRM 5.002.00 allows remote attackers to execute arbitrary PHP code via a URL in the bcrm_pub_root parameter. 29598 browsercrm-bcrmpubroot-file-include(42922) 5757 Multiple PHP remote file inclusion vulnerabilities in BrowserCRM 5.002.00, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the bcrm_pub_root parameter to (1) kb.php, (2) login.php, (3) index.php, (4) contact_view.php, and (5) contact.php in pub/, different vectors than CVE-2008-2689. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. browsercrm-bcrmpubroot-file-include(42922) SQL injection vulnerability in read.asp in JiRo's FAQ Manager eXperience 1.0 allows remote attackers to execute arbitrary SQL commands via the fID parameter. 29594 jiro-read-sql-injection(42919) 5753 SQL injection vulnerability in the yvComment (com_yvcomment) component 1.16.0 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the ArticleID parameter in a comment action to index.php. 29596 yvcomment-index-sql-injection(42920) 5755 Stack-based buffer overflow in the BITIFF.BITiffCtrl.1 ActiveX control in BITiff.ocx 10.9.3.0 in Black Ice Barcode SDK 5.01 allows remote attackers to execute arbitrary code via a long first argument to the SetByteOrder method. barcode-bitiff-bo(42897) 5746 5747 Cross-site scripting (XSS) vulnerability in search.php in phpInv 0.8.0 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter. 29597 phpinv-search-xss(42928) 5754 Directory traversal vulnerability in entry.php in phpInv 0.8.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter. 29597 phpinv-entry-file-include(42926) 5754 Exiv2 0.16 allows user-assisted remote attackers to cause a denial of service (divide-by-zero and application crash) via a zero value in Nikon lens information in the metadata of an image, related to "pretty printing" and the RationalValue::toLong function. http://bugzilla.gnome.org/show_bug.cgi?id=524715 http://dev.robotbattle.com/bugs/view.php?id=0000546 SUSE-SR:2008:023 http://www.exiv2.org/changelog.html MDVSA-2008:119 29586 USN-655-1 ADV-2008-1766 exiv2-printing-dos(42885) SQL injection vulnerability in the Rapid Recipe (com_rapidrecipe) component 1.6.6 and 1.6.7 for Joomla! allows remote attackers to execute arbitrary SQL commands via the recipe_id parameter in a viewrecipe action to index.php. 29593 rapidrecipe-recipeid-sql-injection(42924) 5759 Multiple cross-site scripting (XSS) vulnerabilities in photo_add-c.php (aka the "add comment" section) in WEBalbum 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) id, or (3) category parameter. 3940 20080605 WEBAlbum <= 2.0 Remote Stored Cross Site Scripting Vulnerability 29580 webalbum-photoaddc-xss(42893) Multiple directory traversal vulnerabilities in Galatolo WebManager (GWM) 1.0 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in (1) the plugin parameter to admin/plugins.php or (2) the com parameter to index.php. 29595 galatolo-index-file-include(42923) 5758 SQL injection vulnerability in view.php in Galatolo WebManager 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. galatolo-view-sql-injection(42934) 5760 SQL injection vulnerability in the GameQ (com_gameq) component 4.0 and earlier for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter in a page action to index.php. http://packetstormsecurity.org/0806-exploits/joomlagameq-sql.txt 20081204 Joomla Component GameQ 20081204 Re: Joomla Component GameQ 29592 32633 gameq-index-sql-injection(42929) 5752 Directory traversal vulnerability in the FTP client in ALTools ESTsoft ALFTP 4.1 beta 2 and 5.0 allows remote FTP servers to create or overwrite arbitrary files via a .. (dot dot) in a response to a LIST command, a related issue to CVE-2002-1345. NOTE: this can be leveraged for code execution by writing to a Startup folder. http://vuln.sg/alftp41b2-en.html 29585 ADV-2008-1763 alftpftp-list-directory-traversal(42900) Multiple stack-based buffer overflows in Novell GroupWise Messenger (GWIM) Client before 2.0.3 HP1 for Windows allow remote attackers to execute arbitrary code via "spoofed server responses" that contain a long string after the NM_A_SZ_TRANSACTION_ID field name. http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5026700.html 20080704 Novell GroupWise Messenger Client (GWIM) Remote Stack Overflow 29602 1020209 ADV-2008-1764 groupwise-messenger-client-bo(42917) Novell GroupWise Messenger (GWIM) before 2.0.3 Hot Patch 1 allows remote attackers to cause a denial of service (crash) via a long user ID, possibly involving a popup alert. NOTE: it is not clear whether this issue crosses privilege boundaries. http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5026700.html 20080704 Novell GroupWise Messenger Client (GWIM) Remote Stack Overflow 29602 1020209 ADV-2008-1764 groupwise-messenger-client-dos(42918) Unspecified vulnerability in Sun Java System Access Manager (AM) 7.1, when used with certain versions and configurations of Sun Directory Server Enterprise Edition (DSEE), allows remote attackers to bypass authentication via unspecified vectors. 238416 29676 1020273 ADV-2008-1806 sun-jsam-unspecified-security-bypass(43004) Unspecified vulnerability in the event port implementation in Sun Solaris 10 allows local users to cause a denial of service (panic) by submitting and retrieving user-defined events, probably related to a NULL dereference. 235122 29680 1020274 ADV-2008-1807 solaris-eventport-dos(43005) oval:org.mitre.oval:def:5762 Unspecified vulnerability in the e1000g driver in Sun Solaris 10 and OpenSolaris before snv_93 allows remote attackers to cause a denial of service (network connectivity loss) via unknown vectors. 1020290 238250 29730 ADV-2008-1835 solaris-e1000ggigabit-dos(43096) Unspecified vulnerability in the Sun (1) UltraSPARC T2 and (2) UltraSPARC T2+ kernel modules in Sun Solaris 10, and OpenSolaris before snv_93, allows local users to cause a denial of service (panic) via unspecified vectors, probably related to core files. 238688 29678 1020275 ADV-2008-1805 solaris-ultrasparc-dos(43003) Buffer overflow in the BrSmRcvAndCheck function in the RCHMGR module on IBM OS/400 V5R4M0, V5R4M5, and V6R1M0 allows local users to cause a denial of service (task halt and main storage dump) via unspecified vectors involving the running of diagnostics on a modem port. NOTE: there might be limited attack scenarios. 29660 ADV-2008-1799 MA36741 os400-brsmrcvandcheck-bo(42984) Integer signedness error in the ip_set_srcfilter function in the IP Multicast Filter in uts/common/inet/ip/ip_multi.c in the kernel in Sun Solaris 10 and OpenSolaris before snv_92 allows local users to execute arbitrary code in other Solaris Zones via an SIOCSIPMSFILTER IOCTL request with a large value of the imsf->imsf_numsrc field, which triggers an out-of-bounds write of kernel memory. NOTE: this was reported as an integer overflow, but the root cause involves the bypass of a signed comparison. 237965 29699 1020283 http://www.trapkit.de/advisories/TKADV2008-003.txt ADV-2008-1832 sun-solaris-ipsetsrcfilter-code-execution(43068) oval:org.mitre.oval:def:5731 fetchmail 6.3.8 and earlier, when running in -v -v (aka verbose) mode, allows remote attackers to cause a denial of service (crash and persistent mail failure) via a malformed mail message with long headers, which triggers an erroneous dereference when using vsnprintf to format log messages. APPLE-SA-2009-02-12 SSA:2008-210-01 http://support.apple.com/kb/HT3438 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0235 http://www.fetchmail.info/fetchmail-SA-2008-01.txt MDVSA-2008:117 [oss-security] 20080613 CVE Id Request: fetchmail <= 6.3.8 DoS when logging long headers in -v -v mode 20080617 fetchmail security announcement fetchmail-SA-2008-01 (CVE-2008-2711) 20080729 rPSA-2008-0235-1 fetchmail fetchmailconf 29705 1020298 ADV-2008-1860 ADV-2009-0422 https://bugzilla.novell.com/show_bug.cgi?id=354291 fetchmail-logmessage-dos(43121) https://issues.rpath.com/browse/RPL-2623 oval:org.mitre.oval:def:10950 FEDORA-2008-5789 FEDORA-2008-5800 Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075. APPLE-SA-2008-10-09 APPLE-SA-2010-03-29-1 SUSE-SR:2009:007 20080701 Re: Collection of Vulnerabilities in Fully Patched Vim 7.1 3951 http://support.apple.com/kb/HT3216 http://support.apple.com/kb/HT4077 http://support.avaya.com/elmodocs2/security/ASA-2008-457.htm http://support.avaya.com/elmodocs2/security/ASA-2009-001.htm http://wiki.rpath.com/Advisories:rPSA-2008-0247 MDVSA-2008:236 [oss-security] 20080616 CVE Id request: vim [oss-security] 20081015 Vim CVE issues cleanup (plugins tar.vim, zip.vim) - CVE-2008-3074 and CVE-2008-3075 http://www.rdancer.org/vulnerablevim.html RHSA-2008:0580 RHSA-2008:0617 RHSA-2008:0618 20080613 Collection of Vulnerabilities in Fully Patched Vim 7.1 20080614 Re: Collection of Vulnerabilities in Fully Patched Vim 7.1 20080811 rPSA-2008-0247-1 gvim vim vim-minimal 20090401 VMSA-2009-0004 ESX Service Console updates for openssl, bind, and vim 29715 31681 1020293 USN-712-1 http://www.vmware.com/security/advisories/VMSA-2009-0004.html ADV-2008-1851 ADV-2008-2780 ADV-2009-0033 ADV-2009-0904 vim-scripts-command-execution(43083) https://issues.rpath.com/browse/RPL-2622 oval:org.mitre.oval:def:11109 oval:org.mitre.oval:def:6238 libclamav/petite.c in ClamAV before 0.93.1 allows remote attackers to cause a denial of service via a crafted Petite file that triggers an out-of-bounds read. http://kolab.org/security/kolab-vendor-notice-21.txt APPLE-SA-2008-09-15 SUSE-SR:2008:014 SUSE-SR:2008:015 GLSA-200808-07 http://sourceforge.net/project/shownotes.php?release_id=605577&group_id=86638 http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=/branches/0.93/libclamav/petite.c&rev=3886 http://up2date.astaro.com/2008/08/up2date_asg_v7300_ga_released.html DSA-1616 MDVSA-2008:122 [oss-security] 20080615 CVE id request: Clamav [oss-security] 20080617 Re: CVE id request: Clamav 29750 1020305 TA08-260A ADV-2008-1855 ADV-2008-2584 clamav-petite-dos(43133) FEDORA-2008-6422 FEDORA-2008-5476 https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1000 Opera before 9.26 allows remote attackers to misrepresent web page addresses using "certain characters" that "cause the page address text to be misplaced." SUSE-SA:2008:029 http://www.opera.com/docs/changelogs/linux/950/#security http://www.opera.com/docs/changelogs/windows/950/#security http://www.opera.com/support/search/view/878/ 29684 ADV-2008-1812 opera-pageaddress-spoofing(43035) Unspecified vulnerability in Opera before 9.5 allows remote attackers to read cross-domain images via HTML CANVAS elements that use the images as patterns. SUSE-SA:2008:029 http://www.opera.com/docs/changelogs/linux/950/#security http://www.opera.com/docs/changelogs/windows/950/#security http://www.opera.com/support/search/view/883/ 29684 1020291 ADV-2008-1812 opera-html-canvas-info-disclosure(43032) Unspecified vulnerability in Opera before 9.5 allows remote attackers to spoof the contents of trusted frames on the same parent page by modifying the location, which can facilitate phishing attacks. SUSE-SA:2008:029 http://www.opera.com/docs/changelogs/linux/950/#security http://www.opera.com/docs/changelogs/windows/950/#security http://www.opera.com/support/search/view/885/ 29684 1020292 ADV-2008-1812 opera-parentpageframe-weak-security(43033) TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions. http://buzz.typo3.org/teams/security/article/advice-on-core-security-issue-regarding-filedenypattern/ 3945 http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/ DSA-1596 20080611 TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core 29657 ADV-2008-1802 typo3-filename-file-upload(42988) Cross-site scripting (XSS) vulnerability in fe_adminlib.inc in TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, as used in extensions such as (1) direct_mail_subscription, (2) feuser_admin, and (3) kb_md5fepw, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 3945 http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/ DSA-1596 20080611 TYPO3 Security Bulletin TYPO3-20080611-1: Multiple vulnerabilities in TYPO3 Core 29657 ADV-2008-1802 typo3-feadminlibinc-xss(42986) Off-by-one error in the ppscan function (preproc.c) in Netwide Assembler (NASM) 2.02 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted file that triggers a stack-based buffer overflow. http://repo.or.cz/w/nasm.git?a=commit;h=76ec8e73db16f4cf1453a142d03bcc74d528f72f MDVSA-2008:120 [oss-security] 20080611 CVE id request: nasm off-by-one [oss-security] 20080611 Re: CVE id request: nasm off-by-one 29656 1020259 USN-648-1 ADV-2008-1811 nasm-ppscan-bo(42995) https://sourceforge.net/project/shownotes.php?group_id=6208&release_id=606115 https://sourceforge.net/tracker/?func=detail&atid=106208&aid=1942146&group_id=6208 Cross-site scripting (XSS) vulnerability in Menalto Gallery before 2.2.5 allows remote attackers to inject arbitrary web script or HTML via the (1) host and (2) path components of a URL. http://gallery.menalto.com/gallery_2.2.5_released 29681 gallery-unspecified-scripts-xss(43024) FEDORA-2008-5479 FEDORA-2008-5576 Unspecified vulnerability in the album-select module in Menalto Gallery before 2.2.5 allows remote attackers to obtain titles of hidden albums by attempting to add a new album to a hidden album. http://gallery.menalto.com/gallery_2.2.5_released 29681 gallery-albumselectmodule-info-disclosure(43025) FEDORA-2008-5479 FEDORA-2008-5576 Menalto Gallery before 2.2.5 allows remote attackers to bypass permissions for sub-albums via a ZIP archive. http://gallery.menalto.com/gallery_2.2.5_released 29681 gallery-zip-archives-security-bypass(43027) FEDORA-2008-5479 FEDORA-2008-5576 embed.php in Menalto Gallery before 2.2.5 allows remote attackers to obtain the full path via unknown vectors related to "spoofing the remote address." http://gallery.menalto.com/gallery_2.2.5_released 29681 gallery-embed-path-disclosure(43028) FEDORA-2008-5479 FEDORA-2008-5576 Menalto Gallery before 2.2.5 does not enforce permissions for non-album items that have been protected by a password, which might allow remote attackers to bypass intended access restrictions. http://gallery.menalto.com/gallery_2.2.5_released 29681 gallery-password-module-security-bypass(43031) FEDORA-2008-5479 FEDORA-2008-5576 Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/ APPLE-SA-2008-06-30 SUSE-SR:2008:017 GLSA-200812-17 SSA:2008-179-01 http://support.apple.com/kb/HT2163 http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206 DSA-1612 DSA-1618 MDVSA-2008:140 MDVSA-2008:141 MDVSA-2008:142 http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/ [fedora-security-commits] 20080620 fedora-security/audit f10, 1.7, 1.8 f8, 1.225, 1.226 f9, 1.215, 1.216 RHSA-2008:0561 http://www.ruby-forum.com/topic/157034 http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ 20080626 rPSA-2008-0206-1 ruby 29903 1020347 USN-621-1 ADV-2008-1907 ADV-2008-1981 http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/241657 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2727 ruby-rbarysplice-code-execution(43350) https://issues.rpath.com/browse/RPL-2626 oval:org.mitre.oval:def:9606 FEDORA-2008-5649 Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption, aka the "beg + rlen" issue. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue/ APPLE-SA-2008-06-30 SUSE-SR:2008:017 GLSA-200812-17 SSA:2008-179-01 http://support.apple.com/kb/HT2163 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=17460 http://weblog.rubyonrails.org/2008/6/21/multiple-ruby-security-vulnerabilities http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0206 DSA-1612 DSA-1618 MDVSA-2008:140 MDVSA-2008:141 MDVSA-2008:142 http://www.matasano.com/log/1070/updates-on-drew-yaos-terrible-ruby-vulnerabilities/ [fedora-security-commits] 20080620 fedora-security/audit f10, 1.7, 1.8 f8, 1.225, 1.226 f9, 1.215, 1.216 RHSA-2008:0561 http://www.ruby-forum.com/topic/157034 http://www.rubyinside.com/june-2008-ruby-security-vulnerabilities-927.html http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/ 20080626 rPSA-2008-0206-1 ruby 29903 1020347 USN-621-1 ADV-2008-1907 ADV-2008-1981 http://www.zedshaw.com/rants/the_big_ruby_vulnerabilities.html https://bugs.launchpad.net/ubuntu/+source/ruby1.8/+bug/241657 ruby-rbarysplice-begrlen-code-execution(43351) https://issues.rpath.com/browse/RPL-2626 oval:org.mitre.oval:def:9959 FEDORA-2008-5649 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-2725. Reason: This candidate is a duplicate of CVE-2008-2725. Notes: All CVE users should reference CVE-2008-2725 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-2726. Reason: This candidate is a duplicate of CVE-2008-2726. Notes: All CVE users should reference CVE-2008-2726 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. arch/x86_64/lib/copy_user.S in the Linux kernel before 2.6.19 on some AMD64 systems does not erase destination memory locations after an exception during kernel memory copy, which allows local users to obtain sensitive information. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=3022d734a54cbd2b65eea9a024564821101b4a9a;hp=f0f4c3432e5e1087b3a8c0e6bd4113d3c37497ff RHSA-2008:0508 DSA-1630 MDVSA-2008:174 RHSA-2008:0519 RHSA-2008:0585 29943 1020364 USN-625-1 https://bugzilla.redhat.com/show_bug.cgi?id=451271 linux-kernel-destination-info-disclosure(43558) oval:org.mitre.oval:def:11571 The Real-Time Information Server (RIS) Data Collector service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) and 6.x before 6.1(1) allows remote attackers to bypass authentication, and obtain cluster configuration information and statistics, via a direct TCP connection to the service port, aka Bug ID CSCsj90843. 20080625 Cisco Unified Communications Manager Denial of Service and Authentication Bypass Vulnerabilities 29935 1020361 ADV-2008-1933 cucm-risdatacollector-info-disclosure(43355) Multiple unspecified vulnerabilities in the SIP inspection functionality in Cisco PIX and Adaptive Security Appliance (ASA) 5500 devices 7.0 before 7.0(7)16, 7.1 before 7.1(2)71, 7.2 before 7.2(4)7, 8.0 before 8.0(3)20, and 8.1 before 8.1(1)8 allow remote attackers to cause a denial of service (device reload) via unknown vectors, aka Bug IDs CSCsq07867, CSCsq57091, CSCsk60581, and CSCsq39315. 20080903 Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA 20080903 Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA 30998 1020808 1020809 cisco-pix-asa-sipinspection-dos(44866) Cisco PIX and Adaptive Security Appliance (ASA) 5500 devices 7.2 before 7.2(4)2, 8.0 before 8.0(3)14, and 8.1 before 8.1(1)4, when configured as a client VPN endpoint, do not properly process IPSec client authentication, which allows remote attackers to cause a denial of service (device reload) via a crafted authentication attempt, aka Bug ID CSCso69942. 20080903 Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA 20080903 Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA 30998 1020810 1020811 cisco-pix-asa-ipsecclientauth-dos(44867) Memory leak in the crypto functionality in Cisco Adaptive Security Appliance (ASA) 5500 devices 7.2 before 7.2(4)2, 8.0 before 8.0(3)14, and 8.1 before 8.1(1)4, when configured as a clientless SSL VPN endpoint, allows remote attackers to cause a denial of service (memory consumption and VPN hang) via a crafted SSL or HTTP packet, aka Bug ID CSCso66472. 20080903 Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA 20080903 Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA 30998 1020812 cisco-asa-sslvpn-dos(44868) The HTTP server in Cisco Adaptive Security Appliance (ASA) 5500 devices 8.0 before 8.0(3)15 and 8.1 before 8.1(1)5, when configured as a clientless SSL VPN endpoint, does not properly process URIs, which allows remote attackers to cause a denial of service (device reload) via a URI in a crafted SSL or HTTP packet, aka Bug ID CSCsq19369. 20080903 Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA 20080903 Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA 30998 1020812 cisco-asa-uri-dos(44869) Unspecified vulnerability in Cisco Adaptive Security Appliance (ASA) 5500 devices 8.0(3)15, 8.0(3)16, 8.1(1)4, and 8.1(1)5, when configured as a clientless SSL VPN endpoint, allows remote attackers to obtain usernames and passwords via unknown vectors, aka Bug ID CSCsq45636. 20080903 Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA http://www.cisco.com/en/US/docs/security/asa/asa81/release/notes/asarn812.html 20080903 Remote Access VPN and SIP Vulnerabilities in Cisco PIX and Cisco ASA 30998 1020813 cisco-asa-clientlessvpn-info-disclosure(44870) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-3558. Reason: This candidate is a duplicate of CVE-2008-3558. Notes: All CVE users should reference CVE-2008-3558 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The SERVICE.DNS signature engine in the Intrusion Prevention System (IPS) in Cisco IOS 12.3 and 12.4 allows remote attackers to cause a denial of service (device crash or hang) via network traffic that triggers unspecified IPS signatures, a different vulnerability than CVE-2008-1447. 20080924 Cisco IOS IPS Denial of Service Vulnerability ADV-2008-2670 oval:org.mitre.oval:def:6058 Unrestricted file upload in the mcpuk file editor (atk/attributes/fck/editor/filemanager/browser/mcpuk/connectors/php/config.php) in Achievo 1.2.0 through 1.3.2 allows remote attackers to execute arbitrary code by uploading a file with .php followed by a safe extension, then accessing it via a direct request to the file in the Achievo root directory. NOTE: this is only a vulnerability in environments that support multiple extensions, such as Apache with the mod_mime module enabled. http://www.achievo.org/blog/archives/631-Achievo-1.3.3-Security-Release.html 29621 achievo-config-file-upload(42980) 5770 Cross-site scripting (XSS) vulnerability in the embedded web server in Xerox 4110, 4590, and 4595 Copier/Printers allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. 29690 1020282 ADV-2008-1829 http://www.xerox.com/downloads/usa/en/c/cert_XRX08_007.pdf xerox-copierprinter-webserver-xss(43058) Cross-site scripting (XSS) vulnerability in vBulletin 3.6.10 and 3.7.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors and an "obscure method." NOTE: the vector is probably in the redirect parameter to the Admin Control Panel (admincp/index.php). 3946 20080613 Exploit for vBulletin "obscure" XSS (3.7.1 & 3.6.10) 29704 1020322 http://www.vbulletin.com/forum/showthread.php?t=274882 vbulletin-redirect-xss(43090) Stack-based buffer overflow in BiAnno ActiveX Control (BiAnno.ocx) in Black Ice Software Annotation Plugin 10.95 allows remote attackers to execute arbitrary code via a long parameter to the AnnoSaveToTiff method. 29635 ADV-2008-1795 annotationsdk-activex-annosavetotiff-bo(42982) 5777 5778 SQL injection vulnerability in login.php in Gryphon gllcTS2 4.2.4 allows remote attackers to execute arbitrary SQL commands via the detail parameter. 29697 gllcts2-login-sql-injection(43057) 5796 No-IP Dynamic Update Client (DUC) 2.2.1 on Windows uses weak permissions for the HKLM\SOFTWARE\Vitalwerks\DUC registry key, which allows local users to obtain obfuscated passwords and other sensitive information by reading the (1) TrayPassword, (2) Username, (3) Password, and (4) Hosts registry values. 3952 20080616 DUC NO-IP Local Password Information Disclosure Vulnerability 29758 noipduc-duc-info-disclosure(43298) Skulltag 0.97d2-RC2 and earlier allows remote attackers to cause a denial of service (daemon hang) via a series of long, malformed connect packets, related to these packets being "parsed multiple times." http://aluigi.org/poc/skulltagloop.zip 3953 http://skulltag.com/testing/public/Skulltag%20Version%20History.txt 20080616 Server freezed in Skulltag 0.97d2-RC2 29760 skulltag-packet-dos(43125) Unspecified vulnerability in cshttpd in Sun Java System Calendar Server 6 and 6.3, and Sun ONE Calendar Server 6.0, when access logging (aka service.http.commandlog.all) is enabled, allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors. 235521 29763 1020299 ADV-2008-1857 sun-java-systemcalendarserver-dos(43127) The pppol2tp_recvmsg function in drivers/net/pppol2tp.c in the Linux kernel 2.6 before 2.6.26-rc6 allows remote attackers to cause a denial of service (kernel heap memory corruption and system crash) and possibly have unspecified other impact via a crafted PPPOL2TP packet that results in a large value for a certain length variable. http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6b6707a50c7598a83820077393f8823ab791abf8 http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.26-rc6 SUSE-SA:2008:037 1020297 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0207 MDVSA-2008:167 [oss-security] 20080619 Re: query on a pppol2tp_recvmsg() fix - security relevant? 29747 USN-625-1 ADV-2008-1854 linux-kernel-pppol2tprecvmsg-dos(43111) https://issues.rpath.com/browse/RPL-2629 FEDORA-2008-5893 Multiple cross-site scripting (XSS) vulnerabilities in the Glassfish webadmin interface in Sun Java System Application Server 9.1_01 allow remote attackers to inject arbitrary web script or HTML via the (1) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiProp:JndiNew, (2) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:resTypeProp:resType, (3) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:factoryClassProp:factoryClass, or (4) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:descProp:desc parameter to (a) resourceNode/customResourceNew.jsf; the (5) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiProp:JndiNew, (6) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:resTypeProp:resType, (7) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:factoryClassProp:factoryClass, (8) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:jndiLookupProp:jndiLookup, or (9) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:descProp:desc parameter to (b) resourceNode/externalResourceNew.jsf; the (10) propertyForm:propertySheet:propertSectionTextField:jndiProp:Jndi, (11) propertyForm:propertySheet:propertSectionTextField:nameProp:name, or (12) propertyForm:propertySheet:propertSectionTextField:descProp:desc parameter to (c) resourceNode/jmsDestinationNew.jsf; the (13) propertyForm:propertySheet:generalPropertySheet:jndiProp:Jndi or (14) propertyForm:propertySheet:generalPropertySheet:descProp:cd parameter to (d) resourceNode/jmsConnectionNew.jsf; the (15) propertyForm:propertySheet:propertSectionTextField:jndiProp:jnditext or (16) propertyForm:propertySheet:propertSectionTextField:descProp:desc parameter to (e) resourceNode/jdbcResourceNew.jsf; the (17) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:nameProp:name, (18) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:classNameProp:classname, or (19) propertyForm:propertyContentPage:propertySheet:propertSectionTextField:loadOrderProp:loadOrder parameter to (f) applications/lifecycleModulesNew.jsf; or the (20) propertyForm:propertyContentPage:propertySheet:generalPropertySheet:jndiProp:name, (21) propertyForm:propertyContentPage:propertySheet:generalPropertySheet:resTypeProp:resType, or (22) propertyForm:propertyContentPage:propertySheet:generalPropertySheet:dbProp:db parameter to (g) resourceNode/jdbcConnectionPoolNew1.jsf. 3949 20080614 Muitiple XSS - Glassfish Web Interface (Sun Java System Application Server 9.1_01 (build b09d-fcs) ) 29751 glassfish-multiple-scripts-xss(42989) Microsoft Word 2000 9.0.2812 and 2003 11.8106.8172 does not properly handle unordered lists, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .doc file. NOTE: some of these details are obtained from third party information. 29769 http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-1.doc http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-2.doc http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-3.doc http://www.securityfocus.com/data/vulnerabilities/exploits/crash-word-4.doc microsoft-word-unorderedlist-code-execution(43155) Multiple SQL injection vulnerabilities in Pooya Site Builder (PSB) 6.0 allow remote attackers to execute arbitrary SQL commands via the (1) xslIdn parameter to (a) utils/getXsl.aspx, and the (2) part parameter to (b) getXml.aspx and (c) getXls.aspx in utils/. http://bugreport.ir/index.php?/42 20080611 Pooya Site Builder (PSB) SQL Injection Vulnerabilities 29673 pooyasitebuilder-getxsl-sql-injection(43007) 5788 SQL injection vulnerability in toplists.php in eFiction 3.0 and 3.4.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the list parameter. 29658 efiction-toplists-sql-injection(42998) 5785 SQL injection vulnerability in index.php in JAMM CMS allows remote attackers to execute arbitrary SQL commands via the id parameter. 29674 jamm-index-sql-injection(43023) 5789 Cross-site scripting (XSS) vulnerability in admin/users.asp in Xigla Absolute Control Panel XE 1.0 allows remote attackers to inject arbitrary web script or HTML via the name parameter and other unspecified parameters. NOTE: some of these details are obtained from third party information. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absolutecontrolpanel-users-xss(43048) SQL injection vulnerability in search.asp in Xigla Absolute News Manager XE 3.2 allows remote authenticated administrators to execute arbitrary SQL commands via the orderby parameter. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absolutenews-search-sql-injection(43043) Multiple cross-site scripting (XSS) vulnerabilities in Xigla Absolute News Manager XE 3.2 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) pblname and (2) text parameters to (a) admin/search.asp, (3) name parameter to (b) admin/publishers.asp, and other unspecified vectors to (c) anmviewer.asp and (d) editarticleX.asp in admin/. NOTE: some of these details are obtained from third party information. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absolutenews-search-publishers-xss(43042) Multiple cross-site scripting (XSS) vulnerabilities in Xigla Absolute Form Processor XE 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) showfields, (2) text, and (3) submissions parameters to search.asp and the (4) name parameter to users.asp. NOTE: some of these details are obtained from third party information. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absoluteform-search-users-xss(43047) SQL injection vulnerability in searchbanners.asp in Xigla Absolute Banner Manager XE 2.0 allows remote authenticated administrators to execute arbitrary SQL commands via the orderby parameter. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absolutebanner-searchbanners-sql-injection(43046) Multiple cross-site scripting (XSS) vulnerabilities in Xigla Absolute Banner Manager XE 2.0 allow remote authenticated administrators to inject arbitrary web script or HTML via the text parameter in (1) searchbanners.asp and (2) listadvertisers.asp, and other unspecified fields. NOTE: some of these details are obtained from third party information. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absolutebanner-searchbanners-xss(43045) SQL injection vulnerability in search.asp in Xigla Absolute Form Processor XE 4.0 allows remote authenticated administrators to execute arbitrary SQL commands via the orderby parameter. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absoluteform-search-sql-injection(43051) SQL injection vulnerability in search.asp in Xigla Absolute Live Support XE 5.1 allows remote authenticated administrators to execute arbitrary SQL commands via the orderby parameter. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absolutelivesupport-search-sql-injection(43050) Cross-site scripting (XSS) vulnerability in admin/search.asp in Xigla Absolute Live Support XE 5.1 allows remote authenticated administrators to inject arbitrary web script or HTML via unspecified vectors ("all fields"). http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absolutelivesupport-search-xss(43049) SQL injection vulnerability in gallery.asp in Xigla Absolute Image Gallery XE allows remote attackers to execute arbitrary SQL commands via the categoryid parameter in a viewimage action. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absoluteimage-gallery-sql-injection(43052) Cross-site scripting (XSS) vulnerability in Xigla Absolute Image Gallery XE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in (1) admin/search.asp and (2) gallery.asp. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absoluteimage-gallery-search-xss(43053) SQL injection vulnerability in search.asp in Xigla Poll Manager XE allows remote authenticated users with administrator role privileges to execute arbitrary SQL commands via the orderby parameter. http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absolutepoll-search-sql-injection(43055) Cross-site scripting (XSS) vulnerability in admin/search.asp in Xigla Poll Manager XE allows remote authenticated users with administrator role privileges to inject arbitrary web script or HTML via unspecified vectors ("all fields"). http://bugreport.ir/index.php?/41 20080611 Xigla Multiple Products - Multiple Vulnerabilities 3950 29672 absolutepoll-search-xss(43054) PHP remote file inclusion vulnerability in authentication/smf/smf.functions.php in Simple Machines phpRaider 1.0.6 and 1.0.7 allows remote attackers to execute arbitrary PHP code via a URL in the pConfig_auth[smf_path] parameter. http://forums.phpraider.com/showthread.php?t=1087#v1_0_7b_-_May_29__2008 3947 20080611 phpRaider <= v1.0.6,7 Maybe Other Versions Remote File include Vulnerable phpraider-smffunctions-file-include(42996) SQL injection vulnerability in index.php in MycroCMS 0.5, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the entry_id parameter. 29671 mycrocms-entryid-sql-injection(43002) 5787 The Node Hierarchy module 5.x before 5.x-1.1 and 6.x before 6.x-1.0 for Drupal does not properly implement access checks, which allows remote attackers with "access content" permissions to bypass restrictions and modify the node hierarchy via unspecified attack vectors. http://drupal.org/node/269473 29675 node-hierarchy-access-security-bypass(43006) The Magic Tabs module 5.x before 5.x-1.1 for Drupal allows remote attackers to execute arbitrary PHP code via unspecified URL arguments, possibly related to a missing "whitelist of callbacks." http://drupal.org/node/269321 29682 magictabs-unspecified-code-execution(43020) Cross-site scripting (XSS) vulnerability in the Taxonomy Image module 5.x before 5.x-1.3 and 6.x before 6.x-1.3, a module for Drupal, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://drupal.org/node/269389 29683 taxonomyimage-unspecified-xss(43013) SQL injection vulnerability in item.php in CartKeeper CKGold Shopping Cart 2.5 and 2.7 allows remote attackers to execute arbitrary SQL commands via the category_id parameter, a different vector than CVE-2007-4736. ADV-2008-1677 ckgold-item-sql-injection(42646) 5678 SQL injection vulnerability in search.asp in DT Centrepiece 4.0 allows remote attackers to execute arbitrary SQL commands via the searchFor parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29403 dtcentrepiece-search-sql-injection(42663) Cross-site scripting (XSS) vulnerability in search.asp in DT Centrepiece 4.0 allows remote attackers to inject arbitrary web script or HTML via the searchFor parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29403 dtcentrepiece-search-xss(42662) Cross-site scripting (XSS) vulnerability in Ortro before 1.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.ortro.net/changelog#release_1.3.1_2008.05.27 ADV-2008-1679 ortro-unspecified-xss(42657) SQL injection vulnerability in inc/class_search.php in the Search System in RevokeBB 1.0 RC11 allows remote attackers to execute arbitrary SQL commands via the search parameter. 29393 ADV-2008-1676 revokebb-search-sql-injection(42647) 5677 Directory traversal vulnerability in GlobalSCAPE CuteFTP Home 8.2.0 Build 02.26.2008.4 and CuteFTP Pro 8.2.0 Build 04.01.2008.1 allows remote FTP servers to create or overwrite arbitrary files via ..\ (dot dot backslash) sequences in responses to LIST commands, a related issue to CVE-2002-1345. NOTE: this can be leveraged for code execution by writing to a Startup folder. http://vuln.sg/cuteftp820-en.html 1020113 ADV-2008-1653 cuteftp-list-directory-traversal(42633) The Anubis (aka Anubis+Ripe160) plugin before 1.3 for encrypt stores the unencrypted file's size in cleartext in the header of the encrypted file, which allows attackers to distinguish between encrypted data and random padding at the end of the encrypted file. ADV-2008-1663 https://albinoloverats.net/index.php?option=com_content&task=view&id=60&Itemid=2 anubis-filesize-information-disclosure(42652) SQL injection vulnerability in index.php in DZOIC Handshakes 3.5 allows remote attackers to execute arbitrary SQL commands via the fname parameter in a members search action. 3954 20080524 dzoic handshakes sql injection >> index.php on $fname 29353 handshakes-index-sql-injection(42639) Multiple directory traversal vulnerabilities in OtomiGenX 2.2 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter to (1) library_rss.php and (2) rss.php. http://sourceforge.net/forum/forum.php?forum_id=834373 ADV-2008-1678 otomigenx-lang-file-include(42665) 5680 Multiple cross-site scripting (XSS) vulnerabilities in Horde Groupware, Groupware Webmail Edition, and Kronolith allow remote attackers to inject arbitrary web script or HTML via the timestamp parameter to (1) week.php, (2) workweek.php, and (3) day.php; and (4) the horde parameter in the PATH_INFO to the default URI. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29365 kronolith-groupware-multiple-xss(42640) The smtp_filter function in spamdyke before 3.1.8 does not filter RCPT commands after encountering the first DATA command, which allows remote attackers to use the server as an open mail relay by sending RCPT commands with invalid recipients, followed by a DATA command, followed by arbitrary RCPT commands and a second DATA command. http://www.spamdyke.org/documentation/Changelog.txt ADV-2008-1684 spamdyke-smtpfilter-security-bypass(42658) Mozilla Firefox before 2.0.0.16 and 3.x before 3.0.1, Thunderbird before 2.0.0.16, and SeaMonkey before 1.1.11 use an incorrect integer data type as a CSS object reference counter in the CSSValue array (aka nsCSSValue:Array) data structure, which allows remote attackers to execute arbitrary code via a large number of references to a common CSS object, leading to a counter overflow and a free of in-use memory, aka ZDI-CAN-349. http://blog.mozilla.com/security/2008/06/18/new-security-issue-under-investigation/ http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30 RHSA-2008:0616 GLSA-200808-03 SSA:2008-210-05 256408 http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0238 DSA-1614 DSA-1615 DSA-1621 DSA-1697 MDVSA-2008:148 MDVSA-2008:155 http://www.mozilla.org/security/announce/2008/mfsa2008-34.html http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5031400 RHSA-2008:0597 RHSA-2008:0598 RHSA-2008:0599 20080717 ZDI-08-044: Mozilla Firefox CSSValue Array Memory Corruption Vulnerability 20080729 rPSA-2008-0238-1 firefox 29802 1020336 SSA:2008-198-02 SSA:2008-198-01 USN-623-1 USN-626-1 USN-626-2 USN-629-1 ADV-2008-1873 ADV-2009-0977 http://www.zerodayinitiative.com/advisories/ZDI-08-044/ https://bugzilla.mozilla.org/show_bug.cgi?id=440230 firefox-unspecified-code-execution(43167) https://issues.rpath.com/browse/RPL-2683 oval:org.mitre.oval:def:9900 FEDORA-2008-6737 FEDORA-2008-6706 FEDORA-2008-6517 FEDORA-2008-6519 Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack vectors. NOTE: due to lack of details as of 20080619, it is not clear whether this is the same issue as CVE-2008-2785. A CVE identifier has been assigned for tracking purposes. 20080618 Coming soon : Firefox 3 Release overflow 29794 mozilla-firefox-unspecified-bo(43317) Cross-site scripting (XSS) vulnerability in out.php in OpenDocMan 1.2.5 allows remote attackers to inject arbitrary web script or HTML via the last_message parameter. 3948 http://www.s21sec.com/avisos/s21sec-044-en.txt 20080617 S21SEC-044-en:OpenDocMan Cross Site Scripting (XSS) 29765 1020300 opendocman-out-xss(43135) Cross-site scripting (XSS) vulnerability in index.php in OpenDocMan 1.2.5 allows remote attackers to inject arbitrary web script or HTML via the redirection parameter. http://sourceforge.net/tracker/index.php?func=detail&aid=1975163&group_id=69505&atid=524753 SQL injection vulnerability in pages/index.php in BASIC-CMS allows remote attackers to execute arbitrary SQL commands via the page_id parameter. http://packetstormsecurity.org/1002-exploits/basiccms-sqlxss.txt 29771 basiccms-index-sql-injection(43140) 5836 SQL injection vulnerability in detail.php in MountainGrafix easyTrade 2.x allows remote attackers to execute arbitrary SQL commands via the id parameter. http://shop.mountaingrafix.at/media/patches/etv_patch_2_3_2.zip 29775 easytrade-detail-sql-injection(43152) 5840 SQL injection vulnerability in product.detail.php in Kalptaru Infotech Comparison Engine Power Script 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. 29768 engine-productdetail-sql-injection(43138) 5834 SQL injection vulnerability in index.php in eroCMS 1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the site parameter. 29781 erocms-index-sql-injection(43157) 5846 SQL injection vulnerability in group_posts.php in ClipShare before 3.0.1 allows remote attackers to execute arbitrary SQL commands via the tid parameter. 29779 clipshare-groupposts-sql-injection(43142) 5839 Unspecified vulnerability in the GUI in Symantec Altiris Notification Server Agent 6.x before 6.0 SP3 R8 allows local users to gain privileges via unknown attack vectors. http://securityresponse.symantec.com/avcenter/security/Content/2008.06.17.html 29708 1020304 ADV-2008-1861 symantec-ans-agent-privilege-escalation(43154) Directory traversal vulnerability in the FTP and SFTP clients in IDM Computer Solutions Inc UltraEdit 14.00b allows remote FTP servers to create or overwrite arbitrary files via a .. (dot dot) or a ..\ (dot dot backslash) in a response to a LIST command. http://vuln.sg/ultraedit1400b-en.html 29784 ADV-2008-1864 ultraedit-list-directory-traversal(43149) SQL injection vulnerability in index.php in FreeCMS 0.2 allows remote attackers to execute arbitrary SQL commands via the page parameter. 3973 29773 freecms-index-sql-injection(43141) 5838 Cross-site scripting (XSS) vulnerability in MainLayout.do in ManageEngine OpUtils 5.0 allows remote attackers to inject arbitrary web script or HTML via the hostName parameter, when viewing an SNMP graph. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 29785 optutils-mainlayout-xss(43158) Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unknown vectors related to the layout engine. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 SSA:2008-210-05 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1621 DSA-1697 MDVSA-2008:136 MDVSA-2008:155 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-21.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 USN-629-1 ADV-2008-1993 https://bugzilla.mozilla.org/show_bug.cgi?id=378027 https://bugzilla.mozilla.org/show_bug.cgi?id=391178 https://bugzilla.mozilla.org/show_bug.cgi?id=430814 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:10087 FEDORA-2008-6737 FEDORA-2008-6706 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unknown vectors related to the JavaScript engine. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 SSA:2008-210-05 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1621 DSA-1697 MDVSA-2008:136 MDVSA-2008:155 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-21.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 USN-629-1 ADV-2008-1993 https://bugzilla.mozilla.org/show_bug.cgi?id=356378 https://bugzilla.mozilla.org/show_bug.cgi?id=380833 https://bugzilla.mozilla.org/show_bug.cgi?id=418128 https://bugzilla.mozilla.org/show_bug.cgi?id=431409 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:10743 FEDORA-2008-6737 FEDORA-2008-6706 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors involving (1) an event handler attached to an outer window, (2) a SCRIPT element in an unloaded document, or (3) the onreadystatechange handler in conjunction with an XMLHttpRequest. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 256408 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1697 MDVSA-2008:136 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-22.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 ADV-2008-1993 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=428672 https://bugzilla.mozilla.org/show_bug.cgi?id=432591 https://bugzilla.mozilla.org/show_bug.cgi?id=433328 https://bugzilla.mozilla.org/show_bug.cgi?id=439035 https://bugzilla.mozilla.org/show_bug.cgi?id=440308 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:9386 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via (1) injection of JavaScript into documents within a JAR archive or (2) a JAR archive that uses relative URLs to JavaScript files. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 256408 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1697 MDVSA-2008:136 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-23.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 ADV-2008-1993 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=418996 https://bugzilla.mozilla.org/show_bug.cgi?id=424188 https://bugzilla.mozilla.org/show_bug.cgi?id=424426 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:11810 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allow remote attackers to execute arbitrary code via an XUL document that includes a script from a chrome: URI that points to a fastload file, related to this file's "privilege level." SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 SSA:2008-210-05 256408 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1621 DSA-1697 MDVSA-2008:136 MDVSA-2008:155 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-24.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 USN-629-1 ADV-2008-1993 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=419846 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:11121 FEDORA-2008-6737 FEDORA-2008-6706 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 The mozIJSSubScriptLoader.LoadScript function in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 does not apply XPCNativeWrappers to scripts loaded from (1) file: URIs, (2) data: URIs, or (3) certain non-canonical chrome: URIs, which allows remote attackers to execute arbitrary code via vectors involving third-party add-ons. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 SSA:2008-210-05 256408 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1621 DSA-1697 MDVSA-2008:136 MDVSA-2008:155 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-25.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 USN-629-1 ADV-2008-1993 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=418356 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:10747 FEDORA-2008-6737 FEDORA-2008-6706 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-2800. Reason: This candidate is a reservation duplicate of CVE-2008-2800. Notes: All CVE users should reference CVE-2008-2800 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 allow remote attackers to force the upload of arbitrary local files from a client computer via vectors involving originalTarget and DOM Range. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 256408 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1697 MDVSA-2008:136 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-27.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 ADV-2008-1993 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=423541 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:10143 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 on Mac OS X allow remote attackers to bypass the Same Origin Policy and create arbitrary socket connections via a crafted Java applet, related to the Java Embedding Plugin (JEP) and Java LiveConnect. SUSE-SA:2008:034 SSA:2008-191-03 SSA:2008-191 http://wiki.rpath.com/Advisories:rPSA-2008-0216 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-28.html 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 ADV-2008-1993 https://bugzilla.mozilla.org/show_bug.cgi?id=408329 https://issues.rpath.com/browse/RPL-2646 FEDORA-2008-6193 FEDORA-2008-6196 Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly handle an invalid .properties file for an add-on, which allows remote attackers to read uninitialized memory, as demonstrated by use of ISO 8859 encoding instead of UTF-8 encoding in a French .properties file. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 SSA:2008-210-05 256408 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1621 DSA-1697 MDVSA-2008:136 MDVSA-2008:155 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-29.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 USN-629-1 ADV-2008-1993 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=397093 firefox-propertiesfile-info-disclosure(50656) https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:9432 FEDORA-2008-6737 FEDORA-2008-6706 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly escape HTML in file:// URLs in directory listings, which allows remote attackers to conduct cross-site scripting (XSS) attacks or have unspecified other impact via a crafted filename. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 256408 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1697 MDVSA-2008:136 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-30.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 ADV-2008-1993 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=411433 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:9668 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 Mozilla 1.9 M8 and earlier, Mozilla Firefox 2 before 2.0.0.15, SeaMonkey 1.1.5 and other versions before 1.1.10, Netscape 9.0, and other Mozilla-based web browsers, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regard the certificate as also accepted for all domain names in subjectAltName:dNSName fields, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site. SUSE-SA:2008:034 http://nils.toedtmann.net/pub/subjectAltName.txt RHSA-2008:0616 GLSA-200808-03 3498 1018979 SSA:2008-191-03 SSA:2008-191 SSA:2008-210-05 256408 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1621 DSA-1697 MDVSA-2008:136 MDVSA-2008:155 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-31.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20071118 Certificate spoofing issue with Mozilla, Konqueror, Safari 2 20071118 Re: Certificate spoofing issue with Mozilla, Konqueror, Safari 2 20071118 RE: Certificate spoofing issue with Mozilla, Konqueror, Safari 2 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 USN-629-1 ADV-2008-1993 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=240261 https://bugzilla.mozilla.org/show_bug.cgi?id=327181 https://bugzilla.mozilla.org/show_bug.cgi?id=402347 mozilla-altnames-spoofing(43524) https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:10205 FEDORA-2008-6737 FEDORA-2008-6706 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly identify the context of Windows shortcut files, which allows user-assisted remote attackers to bypass the Same Origin Policy via a crafted web site for which the user has previously saved a shortcut. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1697 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-32.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 ADV-2008-1993 https://bugzilla.mozilla.org/show_bug.cgi?id=410156 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:9593 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 The block reflow implementation in Mozilla Firefox before 2.0.0.15, Thunderbird 2.0.0.14 and earlier, and SeaMonkey before 1.1.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image whose display requires more pixels than nscoord_MAX, related to nsBlockFrame::DrainOverflowLines. SUSE-SA:2008:034 RHSA-2008:0616 GLSA-200808-03 SSA:2008-191-03 SSA:2008-191 SSA:2008-210-05 256408 http://wiki.rpath.com/Advisories:rPSA-2008-0216 DSA-1607 DSA-1615 DSA-1621 DSA-1697 VU#607267 MDVSA-2008:136 MDVSA-2008:155 http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.15 http://www.mozilla.org/security/announce/2008/mfsa2008-33.html RHSA-2008:0547 RHSA-2008:0549 RHSA-2008:0569 20080708 rPSA-2008-0216-1 firefox 30038 1020419 USN-619-1 USN-629-1 ADV-2008-1993 ADV-2009-0977 https://bugzilla.mozilla.org/show_bug.cgi?id=439735 https://issues.rpath.com/browse/RPL-2646 oval:org.mitre.oval:def:9865 FEDORA-2008-6737 FEDORA-2008-6706 FEDORA-2008-6127 FEDORA-2008-6193 FEDORA-2008-6196 The Linux kernel before 2.6.25.10 does not properly perform tty operations, which allows local users to cause a denial of service (system crash) or possibly gain privileges via vectors involving NULL pointer dereference of function pointers in (1) hamradio/6pack.c, (2) hamradio/mkiss.c, (3) irda/irtty-sir.c, (4) ppp_async.c, (5) ppp_synctty.c, (6) slip.c, (7) wan/x25_asy.c, and (8) wireless/strip.c in drivers/net/. http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.25.y.git;a=commitdiff;h=2a739dd53ad7ee010ae6e155438507f329dce788 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.25.10 SUSE-SA:2008:035 SUSE-SA:2008:037 SUSE-SA:2008:038 SUSE-SA:2008:047 SUSE-SA:2008:049 SUSE-SA:2008:052 SUSE-SR:2008:025 http://support.avaya.com/elmodocs2/security/ASA-2008-365.htm DSA-1630 [oss-security] 20080703 2.6.25.10 security fixes, please assign CVE id RHSA-2008:0612 RHSA-2008:0665 RHSA-2008:0973 30076 ADV-2008-2063 kernel-tty-dos(43687) oval:org.mitre.oval:def:11632 oval:org.mitre.oval:def:6633 USN-637-1 Directory traversal vulnerability in index.php in WallCity-Server Shoutcast Admin Panel 2.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter. 29733 shoutcast-index-file-include(43109) 5813 Cross-site scripting (XSS) vulnerability in WallCity-Server Shoutcast Admin Panel 2.0 allows remote attackers to inject arbitrary web script or HTML via the username parameter to the login interface. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. shoutcast-username-xss(43108) SQL injection vulnerability in shopping/index.php in MyMarket 1.72 allows remote attackers to execute arbitrary SQL commands via the id parameter. 29754 mymarket-index-sql-injection(43117) 5832 SQL injection vulnerability in post.php in Oxygen (aka O2PHP Bulletin Board) 2.0 allows remote attackers to execute arbitrary SQL commands via the repquote parameter in a reply action, a different vector than CVE-2006-1572. 29729 oxygen-repquote-sql-injection(43113) 5828 SQL injection vulnerability in albums.php in NiTrO Web Gallery 1.4.3 and earlier allows remote attackers to execute arbitrary SQL commands via the CatId parameter in a show action. 29753 nitro-albums-sql-injection(43100) 5830 Directory traversal vulnerability in Easy-Clanpage 3.0 b1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the section parameter to the default URI. 29707 easyclanpage-section-file-include(43073) 5801 SQL injection vulnerability in BlognPlus (BURO GUN +) 2.5.4 and earlier MySQL and PostgreSQL editions allows remote attackers to execute arbitrary SQL commands via unspecified vectors. JVN#14072646 http://www.blogn.org/index.php?e=170 29764 blognplus-unspecified-sql-injection(43136)