National Cyber Alert System
Cyber Security Bulletin SB07-099 archive

Vulnerability Summary for the Week of April 2, 2007

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.


High Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Aardvark -- Topsites PHP
Multiple PHP remote file inclusion vulnerabilities in Aardvark Topsites PHP 5 allow remote attackers to execute arbitrary PHP code via a URL in the path parameter to (1) button/settings_sql.php, (2) settings_sql.php, and (3) sources/misc/new_day.php.
unknown
2007-04-03
7.0
CVE-2007-1844
BUGTRAQ
Alcatel-Lucent -- Lucent Technologies Voice
Alcatel-Lucent Lucent Technologies voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID).
unknown
2007-04-02
10.0
CVE-2007-1822
CERT-VN
Alexscriptengine -- Picture-Engine
SQL injection vulnerability in wall.php in Picture-Engine 1.2.0 and earlier allows remote attackers to execute arbitrary SQL commands via the cat parameter.
unknown
2007-03-31
7.0
CVE-2007-1791
MILW0RM
BID
AOL -- AOL
The LinkSBIcons method in the SuperBuddy ActiveX control (Sb.SuperBuddy.1) in America Online 9.0 Security Edition dereferences an arbitrary function pointer, which allows remote attackers to execute arbitrary code via a modified pointer value.
unknown
2007-04-02
8.0
CVE-2006-5820
BUGTRAQ
OTHER-REF
ben3w -- 2Bgal
Multiple PHP remote file inclusion vulnerabilities in 2BGal 3.1.1 allow remote attackers to execute arbitrary PHP code via a URL in the lang_filename parameter to (1) index.php or (2) backupdb.inc.php in admin/, or other unspecified files, different vectors than CVE-2006-5505.
unknown
2007-04-03
10.0
CVE-2007-1852
BUGTRAQ
BT-Sondage -- BT-Sondage
PHP remote file inclusion vulnerability in utilitaires/gestion_sondage.php in BT-Sondage 112 allows remote attackers to execute arbitrary PHP code via a URL in the repertoire_visiteur parameter.
unknown
2007-04-02
7.0
CVE-2007-1812
MILW0RM
VIM
Camportail -- Camportail
SQL injection vulnerability in show.php in the Camportail 1.1 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the camid parameter in a showcam action.
unknown
2007-04-02
7.0
CVE-2007-1808
MILW0RM
Chapi -- Tiny Event
SQL injection vulnerability in index.php in the Tiny Event (tinyevent) 1.01 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action.
unknown
2007-04-02
7.0
CVE-2007-1811
MILW0RM
Cisco -- Trust Agent
Cisco Secure ACS does not require authentication when Cisco Trust Agent (CTA) transmits posture information, which might allow remote attackers to gain network access via a spoofed Network Endpoint Assessment posture, aka "NACATTACK." NOTE: this attack might be limited to authenticated users and devices.
unknown
2007-04-02
7.0
CVE-2007-1800
OTHER-REF
CISCO
CMSmelborp -- CMSmelborp
PHP remote file inclusion vulnerability in includes/user_standard.php in CMSmelborp Beta allows remote attackers to execute arbitrary PHP code via a URL in the relative_root parameter.
unknown
2007-03-30
8.0
CVE-2006-7185
MILW0RM
XF
CodeBB -- CodeBB
Multiple PHP remote file inclusion vulnerabilities in CodeBB 1.1b3 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) pass_code.php or (2) lang_select.
unknown
2007-04-02
7.0
CVE-2007-1839
MILW0RM
dproxy -- dproxy
Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than CVE-2007-1465.
unknown
2007-04-04
10.0
CVE-2007-1866
FULLDISC
FULLDISC
OTHER-REF
FRSIRT
SECUNIA
Drake Team -- Drake CMS
Directory traversal vulnerability in 404.php in Drake CMS allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the d_private parameter. NOTE: some of these details are obtained from third party information. NOTE: Drake CMS has only a beta version available, and the vendor has previously stated "We do not consider security reports valid until the first official release of Drake CMS."
unknown
2007-04-03
7.0
CVE-2007-1849
BUGTRAQ
BID
XF
Forum picture and META tags -- Forum picture and META tags
PHP remote file inclusion vulnerability in MOD_forum_fields_parse.php in the Forum picture and META tags 1.7 module for phpBB allows remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter.
unknown
2007-04-02
7.0
CVE-2007-1818
MILW0RM
GraFX Software -- Company Website Builder
Multiple PHP remote file inclusion vulnerabilities in GraFX Company WebSite Builder (CWB) PRO 1.5 allow remote attackers to execute arbitrary PHP code via a URL in the INCLUDE_PATH parameter to (1) cls_headline_prod.php, (2) cls_listorders.php, or (3) cls_viewpastorders.php in include/, different vectors than CVE-2007-1513.
unknown
2007-04-02
7.0
CVE-2007-1809
MILW0RM
VIM
HP -- Mercury Quality Center
Unspecified vulnerability in a certain ActiveX control in TestDirector (TD) for Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32, allows remote attackers to execute arbitrary code via unspecified vectors.
unknown
2007-04-02
10.0
CVE-2007-1819
OTHER-REF
OTHER-REF
HP
CERT-VN
SECTRACK
IBM -- Lotus Notes Sametime
IBM -- Lotus Notes Sametime STJNILoader.ocx
The JNILoader ActiveX control (STJNILoader.ocx) 3.1.0.26 in IBM Lotus Notes Sametime before 7.5 allows remote attackers to load arbitrary DLL libraries and execute arbitrary code via arbitrary arguments to the loadLibrary function.
unknown
2007-03-30
8.0
CVE-2007-1784
IDEFENSE
OTHER-REF
BID
SECTRACK
IBM -- AIX
Buffer overflow in the drmgr command for IBM AIX 5.2 and 5.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long path name.
unknown
2007-04-02
7.0
CVE-2007-1798
AIXAPAR
AIXAPAR
AIXAPAR
FRSIRT
XF
IBM -- Tivoli Provisioning Manager OS Deployment
The management service in IBM Tivoli Provisioning Manager for OS Deployment before 5.1 Fix Pack 2 does not properly handle multipart/form-data in HTTP POST requests, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via crafted POST requests to port 8080/tcp or 443/tcp.
unknown
2007-04-04
10.0
CVE-2007-1868
IDEFENSE
OTHER-REF
BID
FRSIRT
SECUNIA
ImageMagick -- ImageMagick
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.
unknown
2007-04-02
10.0
CVE-2007-1797
IDEFENSE
OTHER-REF
Inconnueteam -- eCal
SQL injection vulnerability in display.php in the eCal 2.24 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the katid parameter.
unknown
2007-04-02
7.0
CVE-2007-1813
MILW0RM
IrfanView -- IrfanView
Buffer overflow in IrfanView 3.99 allows remote attackers to execute arbitrary code via a crafted animated cursor (ANI) file.
unknown
2007-04-04
10.0
CVE-2007-1867
MILW0RM
BID
FRSIRT
SECUNIA
JCcorp -- URLshrink
JCcorp URLshrink 1.3.1 allows remote attackers to execute arbitrary PHP code via the email address field in an HTML link. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-04-02
10.0
CVE-2007-1795
OTHER-REF
BID
XF
JCcorp -- URLshrink
Multiple unspecified vulnerabilities in JCcorp URLshrink before 1.3.2 have unspecified attack vectors and impact.
unknown
2007-04-02
7.0
CVE-2007-1796
OTHER-REF
JSBoard -- JSBoard
Directory traversal vulnerability in login.php in JSBoard before 2.0.12 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the table parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, a related issue to CVE-2006-2019.
unknown
2007-04-03
7.0
CVE-2007-1842
MILW0RM
OTHER-REF
BID
FRSIRT
Kaotik -- Kshop
SQL injection vulnerability in product_details.php in the Kshop 1.17 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2007-04-02
7.0
CVE-2007-1810
MILW0RM
Kaqoo -- Kaqoo Auction Software
Multiple PHP remote file inclusion vulnerabilities in Kaqoo Auction Software Free Edition allow remote attackers to execute arbitrary PHP code via a URL in the install_root parameter to (1) support.inc.php, (2) function.inc.php, (3) rdal_object.inc.php, (4) rdal_editor.inc.php, (5) login.inc.php, (6) request.inc.php, and (7) categories.inc.php in include/core/; (8) save.inc.php, (9) preview.inc.php, (10) edit_item.inc.php, (11) new_item.inc.php, and (12) item_info.inc.php in include/display/item/; (13) search.inc.php, (14) item_edit.inc.php, (15) register_succsess.inc.php, (16) context_menu.inc.php, (17) item_repost.inc.php, (18) balance.inc.php, (19) featured.inc.php, (20) user.inc.php, (21) buynow.inc.php, (22) install_complete.inc.php, (23) fees_info.inc.php, (24) user_feedback.inc.php, (25) admin_balance.inc.php, (26) activate.inc.php, (27) user_info.inc.php, (28) member.inc.php, (29) add_bid.inc.php, (30) items_filter.inc.php, (31) my_info.inc.php, (32) register.inc.php, (33) leave_feedback.inc.php, and (34) user_auctions.inc.php in include/display/; and (35) design/form.inc.php, (36) processor.inc.php, (37) interfaces.inc.php, (38) left_menu.inc.php, (39) login.inc.php, and (40) categories.inc.php in include/.
unknown
2007-03-31
8.0
CVE-2007-1790
MILW0RM
SECUNIA
Kaspersky Lab -- Kaspersky Internet Security
Kaspersky Lab -- Kaspersky Anti-Virus
Heap-based buffer overflow in the arj.ppl module in the OnDemand Scanner in Kaspersky Anti-Virus, Anti-Virus for Workstations, and Anti-Virus for File Servers 6.0, and Internet Security 6.0 before Maintenance Pack 2 build 6.0.2.614 allows remote attackers to execute arbitrary code via crafted ARJ archives.
unknown
2007-04-05
10.0
CVE-2007-0445
OTHER-REF
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
Kaspersky Lab -- Kaspersky Internet Security
Kaspersky Lab -- Kaspersky Anti-Virus
Kaspersky Anti-Virus 6.0 and Internet Security 6.0 expose unsafe methods in the (a) AXKLPROD60Lib.KAV60Info (AxKLProd60.dll) and (b) AXKLSYSINFOLib.SysInfo (AxKLSysInfo.dll) ActiveX controls, which allows remote attackers to "download" or delete arbitrary files via crafted arguments to the (1) DeleteFile, (2) StartBatchUploading, (3) StartStrBatchUploading, or (4) StartUploading methods.
unknown
2007-04-05
10.0
CVE-2007-1112
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
Lykoszine -- Lykos Reviews Module
SQL injection vulnerability in index.php in the Lykos Reviews (lykos_reviews) 1.00 module for Xoops allows remote attackers to execute arbitrary SQL commands via the uid parameter in a u action.
unknown
2007-04-02
7.0
CVE-2007-1817
MILW0RM
MailDwarf -- MailDwarf
Cross-site scripting (XSS) vulnerability in MailDwarf 3.01 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
unknown
2007-04-02
7.0
CVE-2007-1802
OTHER-REF
BID
FRSIRT
SECUNIA
XF
MangoBery CMS -- MangoBery CMS
Multiple PHP remote file inclusion vulnerabilities in MangoBery CMS 0.5.5 allow remote attackers to execute arbitrary PHP code via a URL in the Site_Path parameter to (1) boxes/quotes.php or (2) templates/mangobery/footer.sample.php.
unknown
2007-04-02
7.0
CVE-2007-1837
MILW0RM
OTHER-REF
SECUNIA
Microsoft -- Windows 2000
Microsoft -- Windows XP
The Graphics Rendering Engine in Microsoft Windows 2000 SP4 and XP SP2 allows local users to gain privileges via "invalid application window sizes" in layered application windows, aka the "GDI Invalid Window Size Elevation of Privilege Vulnerability."
unknown
2007-04-04
7.0
CVE-2006-5586
MS
Microsoft -- Windows 2000
The TrueType Fonts rasterizer in Microsoft Windows 2000 SP4 allows local users to gain privileges via crafted TrueType fonts, which result in an uninitialized function pointer.
unknown
2007-04-04
7.0
CVE-2007-1213
MS
Microsoft -- Windows 2000
Microsoft -- Windows Server 2003
Microsoft -- Windows Vista
Microsoft -- Windows XP
Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via certain "color-related parameters" in crafted images.
unknown
2007-04-04
7.0
CVE-2007-1215
MS
Mozilla -- Mozilla
The Javascript engine in Mozilla 1.7 and earlier on Sun Solaris 8, 9, and 10 might allow remote attackers to execute arbitrary code via vectors involving garbage collection that causes deletion of a temporary object that is still being used. NOTE: this issue might be related to CVE-2006-3805.
unknown
2007-04-02
10.0
CVE-2007-1794
SUNALERT
FRSIRT
SECUNIA
myXOOPS -- debaser
SQL injection vulnerability in genre.php in the debaser 0.92 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the genreid parameter.
unknown
2007-04-02
7.0
CVE-2007-1805
MILW0RM
Nortel -- Meridian Mail
Nortel -- CallPilot
Nortel Networks CallPilot and Meridian Mail voicemail systems, when a mailbox has auto logon enabled, allow remote attackers to retrieve or remove messages, or reconfigure the mailbox, by spoofing Calling Number Identification (CNID, aka Caller ID).
unknown
2007-04-02
8.0
CVE-2007-1820
OTHER-REF
CERT-VN
PEAK XOOPS -- myAlbum-P
SQL injection vulnerability in modules/myalbum/viewcat.php in the myAlbum-P 2.0 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.
unknown
2007-04-02
7.0
CVE-2007-1807
MILW0RM
Photography-on-the-net -- Exhibit Engine 2
Multiple PHP remote file inclusion vulnerabilities in Exhibit Engine (EE) 1.22, and possibly earlier, allow remote attackers to execute arbitrary PHP code via a URL in the toroot parameter to (1) fetchsettings.php or (2) fstyles.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-03-30
10.0
CVE-2006-7184
BID
PHP -- PHP
Multiple integer overflows in the (1) createwbmp and (2) readwbmp functions in wbmp.c in the GD library (libgd) in PHP 4.0.0 through 4.4.6 and 5.0.0 through 5.2.1 allow context-dependent attackers to execute arbitrary code via crafted Wireless Bitmap (WBMP) images.
unknown
2007-04-05
8.0
CVE-2007-1001
OTHER-REF
OTHER-REF
FRSIRT
XF
PHP -- PHP
Buffer overflow in the imap_mail_compose function in PHP 5 before 5.2.1, and PHP 4 before 4.4.5, allows remote attackers to execute arbitrary code via a long boundary string in a type.parameters field.
unknown
2007-04-02
7.0
CVE-2007-1825
OTHER-REF
BID
PHP-Fusion -- Expanded Calendar Module
SQL injection vulnerability in show_event.php in the Expanded Calendar (calendar_panel) 2.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the m_month parameter.
unknown
2007-04-03
7.0
CVE-2007-1845
BUGTRAQ
BID
SECUNIA
Really Simple PHP and Ajax -- Really Simple PHP and Ajax
Multiple directory traversal vulnerabilities in Really Simple PHP and Ajax (RSPA) 2007-03-23 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the __class parameter to (1) Controller_v4.php or (2) Controller_v5.php.
unknown
2007-04-03
7.0
CVE-2007-1851
MILW0RM
OTHER-REF
FRSIRT
SECUNIA
Red Mexico -- RM+Soft Gallery
SQL injection vulnerability in categos.php in the RM+Soft Gallery (rmgallery) 1.0 module for Xoops allows remote attackers to execute arbitrary SQL commands via the idcat parameter.
unknown
2007-04-02
7.0
CVE-2007-1806
MILW0RM
sBLOG -- sBLOG
Directory traversal vulnerability in inc/lang.php in sBLOG 0.7.3 Beta allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the conf_lang_default parameter, as demonstrated by injecting PHP sequences into an Apache HTTP Server log file, which is then included by inc/lang.php.
unknown
2007-04-02
7.0
CVE-2007-1801
MILW0RM
BID
XF
Softerra -- Time-Assistant
Multiple PHP remote file inclusion vulnerabilities in lib/timesheet.class.php in Softerra Time-Assistant 6.2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) inc_dir or (2) lib_dir parameter.
unknown
2007-03-31
8.0
CVE-2007-1787
MILW0RM
OTHER-REF
BID
Sprint -- Sprint Voice
Sprint Nextel Sprint voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID).
unknown
2007-04-02
10.0
CVE-2007-1821
CERT-VN
Symantec -- Norton Personal Firewall
SPBBCDrv.sys in Symantec Norton Personal Firewall 2006 9.1.0.33 and 9.1.1.7 does not validate certain arguments before being passed to hooked SSDT function handlers, which allows local users to cause a denial of service (crash) or possibly execute arbitrary code via crafted arguments to the (1) NtCreateMutant and (2) NtOpenEvent functions.
unknown
2007-04-02
7.0
CVE-2007-1793
OTHER-REF
SECUNIA
T-Mobile -- Voice Mail Systems
T-Mobile voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID).
unknown
2007-04-02
10.0
CVE-2007-1823
CERT-VN
Web-APP.net -- Web-APP.net
Cross-site scripting (XSS) vulnerability in cgi-bin/admin/logs.cgi in web-app.net WebAPP before 20060403 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the Statistics Log Viewer.
unknown
2007-04-02
7.0
CVE-2006-7189
OTHER-REF
OTHER-REF
Web-APP.net -- Web-APP.net
Cross-site scripting (XSS) vulnerability in cgi-bin/user-lib/topics.pl in web-app.net WebAPP before 20060515 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in the viewnews function, related to use of doubbctopic instead of doubbc.
unknown
2007-04-02
7.0
CVE-2006-7190
OTHER-REF
OTHER-REF
Web-APP.net -- WebAPP
Multiple unspecified vulnerabilities in web-app.net WebAPP have unknown impact and attack vectors, described as "[having] other [security] issues too, not as bad as letting users take over your admin account, but bad too."
unknown
2007-04-02
7.0
CVE-2007-1829
OTHER-REF
Web-APP.org -- WebAPP
Unspecified vulnerability in the Username Hijacking Patch 20070312 for web-app.org WebAPP 0.9.9.6 allows remote attackers to obtain administrative access via unknown vectors, related to "something overlooked in the original that was still overlooked in the patch", and possibly related to copying files to the user-lib and the "XSS and cookies exploit."
unknown
2007-04-02
7.0
CVE-2007-1830
OTHER-REF
WebAsyst LLC -- Shop-Script
Multiple PHP remote file inclusion vulnerabilities in smarty/smarty_class.php in Shop-Script FREE allow remote attackers to execute arbitrary PHP code via a URL in the (1) _smarty_compile_path, (2) smarty_compile_path, (3) get_plugin_filepath, (4) smarty_dir, and (5) filename parameters. NOTE: this issue might be related to CVE-2006-7105.
unknown
2007-04-03
7.0
CVE-2007-1855
BUGTRAQ
Xoops -- Core Module
SQL injection vulnerability in viewcat.php in the Core module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, a different vector than CVE-2007-0377.
unknown
2007-04-02
7.0
CVE-2007-1814
MILW0RM
Xoops -- Library Module
SQL injection vulnerability in viewcat.php in the Library module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.
unknown
2007-04-02
7.0
CVE-2007-1815
MILW0RM
Xoops -- Tutoriais Module
SQL injection vulnerability in viewcat.php in the Tutoriais module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.
unknown
2007-04-02
7.0
CVE-2007-1816
MILW0RM
Xoops -- FriendFinder Module
SQL injection vulnerability in view.php in the Friendfinder 3.3 and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2007-04-02
7.0
CVE-2007-1838
MILW0RM
BID
Xoops -- Malaika System MyAds Module
SQL injection vulnerability in index.php in the MyAds 2.04jp and earlier module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter, different vectors than CVE-2006-3341.
unknown
2007-04-03
7.0
CVE-2007-1846
MILW0RM
BID
XF
Xoops -- Repository Module
SQL injection vulnerability in viewcat.php in the Repository module for Xoops allows remote attackers to execute arbitrary SQL commands via the cid parameter.
unknown
2007-04-03
7.0
CVE-2007-1847
MILW0RM
BID

Medium Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Computer Associates -- BrightStor ARCServe Backup
The RPC service in mediasvr.exe in CA BrightStor ARCserve Backup 11.5 SP2 build 4237 allows remote attackers to execute arbitrary code via crafted xdr_handle_t data in RPC packets, which is used in calculating an address for a function call, as demonstrated using the 191 (0xbf) RPC request.
unknown
2007-03-30
4.8
CVE-2007-1785
BUGTRAQ
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
Data Domain -- Data Domain OS
The command line administration interface in Data Domain OS before 4.0.3.6 allows remote authenticated users to execute arbitrary commands via shell metacharacters in certain arguments to various commands, as demonstrated by the interface argument to the (1) ifconfig and (2) ping commands.
unknown
2007-04-02
6.0
CVE-2007-1836
BUGTRAQ
BID
Flyspray -- Flyspray
Flyspray 0.9.9, when output_buffering is disabled or "set to a low value," allows remote attackers to bypass authentication via a crafted post request.
unknown
2007-03-31
5.6
CVE-2007-1788
OTHER-REF
SECUNIA
Flyspray -- Flyspray
Flyspray 0.9.9 allows remote attackers to obtain sensitive information (private project summaries) via direct requests.
unknown
2007-03-31
5.6
CVE-2007-1789
OTHER-REF
SECUNIA
Hitachi -- Groupmax Collaboration Web Client
Hitachi -- Groupmax Collaboration Portal
Hitachi -- Cosminexus Collaboration Portal
Hitachi -- uCosminexus Content Manager
Hitachi -- uCosminexus Collaboration Portal
SQL injection vulnerability in Hitachi Collaboration - Online Community Management 01-00 through 01-30, as used in Groupmax Collaboration Portal, Groupmax Collaboration Web Client, uCosminexus Collaboration Portal, Cosminexus Collaboration Portal, and uCosminexus Content Manager, allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
unknown
2007-03-31
5.6
CVE-2007-1786
OTHER-REF
FRSIRT
SECUNIA
Joris Guisson -- KTorrent
Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.3 only checks for the ".." string, which allows remote attackers to overwrite arbitrary files via modified ".." sequences in a torrent filename, as demonstrated by "../" sequences, due to an incomplete fix for CVE-2007-1384.
unknown
2007-04-02
4.7
CVE-2007-1799
OTHER-REF
OTHER-REF
LDAP Account Manager -- LDAP Account Manager
Untrusted search path vulnerability in lamdaemon.pl in LDAP Account Manager (LAM) before 1.0.0 allows local users to gain privileges via a modified PATH that points to a malicious rm program.
unknown
2007-04-02
4.9
CVE-2006-7191
OTHER-REF
OTHER-REF
OTHER-REF
MailDwarf -- MailDwarf
Unspecified vulnerability in MailDwarf 3.01 and earlier allows remote attackers to send e-mail to addresses different from the configured addresses.
unknown
2007-04-02
5.6
CVE-2007-1803
OTHER-REF
BID
FRSIRT
SECUNIA
XF
MapLab -- MapLab
PHP remote file inclusion vulnerability in gmapfactory/params.php in MapLab 2.2.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the gszAppPath parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-04-03
5.6
CVE-2007-1843
SECUNIA
Parakey Inc. -- Firebug Firefox Extension
Cross-zone scripting vulnerability in the console.log function in the Firebug extension before 1.03 for Mozilla Firefox allows remote attackers to bypass zone restrictions, read arbitrary file:// URIs, or execute arbitrary code in the browser chrome, as demonstrated via the runFile function.
unknown
2007-04-05
5.6
CVE-2007-1878
BUGTRAQ
OTHER-REF
OTHER-REF
BID
PHP -- PHP
PHP 4 before 4.4.5 and PHP 5 before 5.2.1, when using an empty session save path (session.save_path), uses the TMPDIR default after checking the restrictions, which allows local users to bypass open_basedir restrictions.
unknown
2007-04-02
4.9
CVE-2007-1835
OTHER-REF
BID
VMWare -- ESX Server
Double free vulnerability in VMware ESX Server 3.0.0 and 3.0.1 allows attackers to cause a denial of service (crash), obtain sensitive information, or possibly execute arbitrary code via unspecified vectors.
unknown
2007-04-05
4.9
CVE-2007-1270
BUGTRAQ
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA

Low Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Cisco -- Unified Presence Server
Cisco -- Unified CallManager
Unspecified vulnerability in the IPSec Manager Service for Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allows remote attackers to cause a denial of service (loss of cluster services) via a "specific UDP packet" to UDP port 8500, aka bug ID CSCsg60949.
unknown
2007-04-02
3.3
CVE-2007-1826
CISCO
BID
SECTRACK
SECUNIA
Cisco -- Unified CallManager
The Skinny Call Control Protocol (SCCP) implementation in Cisco Unified CallManager (CUCM) 3.3 before 3.3(5)SR2a, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3)SR1, and 5.0 before 5.0(4a)SU1 allows remote attackers to cause a denial of service (loss of voice services) by sending crafted packets to the (1) SCCP (2000/tcp) or (2) SCCPS (2443/tcp) port.
unknown
2007-04-02
2.3
CVE-2007-1833
CISCO
BID
SECTRACK
SECUNIA
Cisco -- Unified Presence Server
Cisco -- Unified CallManager
Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allow remote attackers to cause a denial of service (loss of voice services) via a flood of ICMP echo requests, aka bug ID CSCsf12698.
unknown
2007-04-02
3.3
CVE-2007-1834
CISCO
BID
SECTRACK
SECUNIA
Drake Team -- Drake CMS
Cross-site scripting (XSS) vulnerability in admin/classes/ui.dta.php in Drake CMS allows remote attackers to inject arbitrary web script or HTML via the desc[][title] field. NOTE: Drake CMS has only a beta version available, and the vendor has previously stated "We do not consider security reports valid until the first official release of Drake CMS."
unknown
2007-04-03
1.9
CVE-2007-1848
BUGTRAQ
BID
XF
Drake Team -- Drake CMS
Directory traversal vulnerability in classes/captcha/captcha.jpg.php in Drake CMS allows remote attackers to read arbitrary files or list arbitrary directories, and obtain the installation path, via a .. (dot dot) in the d_private parameter. NOTE: Drake CMS has only a beta version available, and the vendor has previously stated "We do not consider security reports valid until the first official release of Drake CMS."
unknown
2007-04-03
2.3
CVE-2007-1850
BUGTRAQ
XF
Hitachi -- JP1-HiCommand Tuning Manager
Hitachi -- JP1-HiCommand Replication Monitor
Hitachi -- JP1-HiCommand DeviceManager
Hitachi -- JP1-HiCommand Global Link Availability Manager
Hitachi -- JP1-HiCommand Tiered Storage Manager
Unspecified vulnerability in Hitachi JP1/HiCommand DeviceManager, Global Link Availability Manager, Replication Monitor, Tiered Storage Manager, and Tuning Manager allows local users to obtain authentication information via unspecified vectors.
unknown
2007-04-03
2.3
CVE-2007-1853
OTHER-REF
BID
FRSIRT
SECUNIA
XF
Hitachi -- uCosminexus Service Architect
Hitachi -- uCosminexus Developer
Hitachi -- Electronic Form Workflow
Hitachi -- uCosminexus ERP Integrator
Hitachi -- uCosminexus Application Server
Hitachi -- Cosminexus Component Container
Hitachi -- uCosminexus Service Platform
Unspecified vulnerability in Hitachi Cosminexus Component Container 07-00 through 07-00-10, and 07-10 through 07-10-03, as used in uCosminexus Application Server Enterprise and Standard; uCosminexus Service Platform; uCosminexus Developer Standard and Professional; uCosminexus Service Architect; Electronic Form Workflow Standard Set, Professional Library Set, and Developer Client Set; and uCosminexus ERP Integrator, does not properly manage session information, which has an unspecified impact related to "unintended other requests."
unknown
2007-04-03
2.3
CVE-2007-1854
OTHER-REF
BID
FRSIRT
SECUNIA
XF
LDAP Account Manager -- LDAP Account Manager
lib/modules.inc in LDAP Account Manager (LAM) before 1.3.0 does not escape HTML special characters in LDAP data, which allows remote attackers to have an unknown impact, probably cross-site scripting (XSS).
unknown
2007-04-02
1.9
CVE-2007-1840
OTHER-REF
OTHER-REF
Microsoft -- Windows 2000
Microsoft -- Windows Server 2003
Microsoft -- Windows XP
Microsoft Windows 2000 SP4; XP SP2; and Server 2003 Gold, SP1, and SP2 allows user-assisted remote attackers to cause a denial of service (system restart) via a crafted Windows Metafile (WMF) image.
unknown
2007-04-04
2.7
CVE-2007-1211
MS
XF
Microsoft -- Windows 2000
Microsoft -- Windows Server 2003
Microsoft -- Windows Vista
Microsoft -- Windows XP
Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via a crafted Enhanced Metafile (EMF) image format file.
unknown
2007-04-04
3.4
CVE-2007-1212
MS
PHP -- PHP
Buffer overflow in the php_stream_filter_create function in PHP 5 before 5.2.1 allows remote attackers to cause a denial of service (application crash) via a php://filter/ URL that has a name ending in the '.' character.
unknown
2007-04-02
3.3
CVE-2007-1824
OTHER-REF
BID
PulseAudio -- PulseAudio
PulseAudio 0.9.5 allows remote attackers to cause a denial of service (daemon crash) via (1) a PA_PSTREAM_DESCRIPTOR_LENGTH value of FRAME_SIZE_MAX_ALLOW sent on TCP port 9875, which triggers a p->export assertion failure in do_read; (2) a PA_PSTREAM_DESCRIPTOR_LENGTH value of 0 sent on TCP port 9875, which triggers a length assertion failure in pa_memblock_new; or (3) an empty packet on UDP port 9875, which triggers a t assertion failure in pa_sdp_parse; and allows remote authenticated users to cause a denial of service (daemon crash) via a crafted packet on TCP port 9875 that (4) triggers a maxlength assertion failure in pa_memblockq_new, (5) triggers a size assertion failure in pa_xmalloc, or (6) plays a certain sound file.
unknown
2007-04-02
3.3
CVE-2007-1804
OTHER-REF
OTHER-REF
XF
Qt -- Qt
The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
unknown
2007-04-03
1.9
CVE-2007-0242
OTHER-REF
OTHER-REF
VMWare -- ESX Server
Buffer overflow in VMware ESX Server 3.0.0 and 3.0.1 might allow attackers to gain privileges or cause a denial of service (application crash) via unspecified vectors.
unknown
2007-04-05
3.4
CVE-2007-1271
BUGTRAQ
OTHER-REF
OTHER-REF
BID
FRSIRT
SECUNIA
Web-APP.net -- WebAPP
cgi-lib/subs.pl in web-app.net WebAPP before 0.9.9.3.5 allows attackers to open list files in "profile and other functions," a different vulnerability than CVE-2005-0927.
unknown
2007-04-02
2.3
CVE-2006-7186
OTHER-REF
Web-APP.net -- WebAPP
Cross-site scripting (XSS) vulnerability in the show_recent_searches function in cgi-lib/user-lib/search.pl in web-app.net WebAPP before 20060909 allows remote attackers to inject arbitrary web script or HTML via the srch variable.
unknown
2007-04-02
1.9
CVE-2006-7187
OTHER-REF
OTHER-REF
Web-APP.net -- Web-APP.net
The search function in cgi-lib/user-lib/search.pl in web-app.net WebAPP before 20060909 allows remote attackers to read internal forum posts via certain requests, possibly related to the $info{'forum'} variable.
unknown
2007-04-02
3.3
CVE-2006-7188
OTHER-REF
OTHER-REF
Web-APP.org -- WebAPP
Multiple unspecified vulnerabilities in form input validation in web-app.org WebAPP before 0.9.9.6 allow remote authenticated users to corrupt data files, gain access to private files, and execute arbitrary code via "certain characters."
unknown
2007-04-02
3.4
CVE-2007-1827
OTHER-REF
OTHER-REF
VIM
FRSIRT
SECUNIA
Web-APP.org -- WebAPP
Multiple cross-site scripting (XSS) vulnerabilities in web-app.org WebAPP before 0.9.9.6 allow remote authenticated users to inject arbitrary web script or HTML via (1) the QUERY_STRING corresponding to drop downs or (2) various forms.
unknown
2007-04-02
1.1
CVE-2007-1828
OTHER-REF
OTHER-REF
VIM
FRSIRT
SECUNIA
Web-APP.org -- WebAPP
web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to open files and write "wrong data" via a crafted QUERY_STRING.
unknown
2007-04-02
3.4
CVE-2007-1831
OTHER-REF
OTHER-REF
VIM
FRSIRT
SECUNIA
Web-APP.org -- WebAPP
web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to upload certain files (1) via a crafted filename or (2) by "using percent encoding in forms."
unknown
2007-04-02
1.9
CVE-2007-1832
OTHER-REF
OTHER-REF
VIM
FRSIRT
SECUNIA



Last updated April 09, 2007