Bulletin (SB07-274)
Vulnerability Summary for the Week of September 24, 2007
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
- Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
- Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
| High Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | Adam Scheinberg -- Flip | account.php in Adam Scheinberg Flip 3.0 and earlier allows remote attackers to create administrative accounts via the un parameter in a register action. |
| 7.5 | CVE-2007-5062 MILW0RM BID XF | ADOdb Lite -- ADOdb Lite CMS Made Simple -- CMS Made Simple | Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple 1.1.2, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter. |
| 7.5 | CVE-2007-5056 MILW0RM VIM | Alexander Palmo -- Simple PHP Blog | Incomplete blacklist vulnerability in upload_img_cgi.php in Simple PHP Blog before 0.5.1 allows remote attackers to upload dangerous files, as demonstrated by a .htaccess file, a different vector than CVE-2005-2733. NOTE: the vulnerability was also present in a 0.5.1 download available in the early morning of 20070923. NOTE: the original 20070920 disclosure provided an incorrect filename, img_upload_cgi.php. |
| 7.5 | CVE-2007-5071 BUGTRAQ OTHER-REF OTHER-REF BID | Alexander Palmo -- Simple PHP Blog | Unspecified vulnerability in Simple PHP Blog before 0.5.1 has unknown impact and attack vectors, related to "the way themes get their color definitions from the configuration files," aka the user_colors issue, a different vulnerability than CVE-2007-????. |
| 7.5 | CVE-2007-5072 OTHER-REF OTHER-REF | Apple -- iPhone | Apple iPhone 1.1.1, with Bluetooth enabled, allows physically proximate attackers to cause a denial of service (application termination) and execute arbitrary code via crafted Service Discovery Protocol (SDP) packets, related to insufficient input validation. |
| 7.5 | CVE-2007-3753 APPLE | Apple -- Safari | Safari in Apple iPhone 1.1.1, when requested to disable Javascript, does not disable it until Safari is restarted, which might leave Safari open to attacks that the user does not expect. |
| 7.5 | CVE-2007-3759 APPLE | ask.com -- Ask Toolbar | Stack-based buffer overflow in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control in askBar.dll in IAC Search & Media ask.com Ask Toolbar 4.0.2.53 and earlier allows remote attackers to execute arbitrary code via a long ShortFormat property value. NOTE: some of these details are obtained from third party information. |
| 9.3 | CVE-2007-5107 BUGTRAQ MILW0RM BID FRSIRT SECUNIA | ask.com -- Ask Toolbar | Unspecified vulnerability in IAC Search & Media ask.com toolbar has unknown impact and remote attack vectors. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine. NOTE: this might be the same issue as CVE-2007-5107. |
| 10.0 | CVE-2007-5108 BUGTRAQ OTHER-REF | bcoos -- bcoos | SQL injection vulnerability in index.php in the Arcade module in bcoos 1.0.10 allows remote attackers to execute arbitrary SQL commands via the gid parameter in a play_game action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 7.5 | CVE-2007-5104 SECUNIA | Clansphere -- Clansphere | SQL injection vulnerability in mods/banners/navlist.php in Clansphere 2007.4 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php in a banners action. |
| 7.5 | CVE-2007-5061 MILW0RM BID | David Watters -- Helplink | PHP remote file inclusion vulnerability in show.php in David Watters Helplink 0.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the file parameter. |
| 7.5 | CVE-2007-5099 MILW0RM SECUNIA | Dibbler -- Dibbler | Dibbler 0.6.0 on Linux uses weak world-writable permissions for unspecified files in /var/lib/dibbler, which has unknown impact and local attack vectors. |
| 7.5 | CVE-2007-5028 OTHER-REF | EB Design Pty Ltd -- ebCrypt | Absolute path traversal vulnerability in the EbCrypt.eb_c_PRNGenerator.1 ActiveX control in EBCRYPT.DLL 2.0.0.2087 and earlier in EB Design ebCrypt allows remote attackers to create or overwrite arbitrary files via a full pathname in the argument to the SaveToFile method. NOTE: some of these details are obtained from third party information. |
| 7.5 | CVE-2007-5110 MILW0RM OTHER-REF BID SECUNIA | Ekke Doerre -- Mods 4 Xoops Contenido eZ publish | Multiple PHP remote file inclusion vulnerabilities in Ekke Doerre Contenido 42VariablVersion (42VV10) in contenido_hacks in Mods 4 Xoops Contenido eZ publish (pdf4cms) allow remote attackers to execute arbitrary PHP code via a URL in the cfgPathInc parameter to (1) main_upl.php, (2) main_con_editside.php, (3) main_news_rcp.php, (4) main_mod.php, (5) main_tplinput_edit.php, (6) main_con.php, (7) main_tpl.php, (8) main_con_sidelist.php, (9) main_str.php, (10) main_news.php, (11) main_tplinput.php, (12) main_lang.php, (13) main_mod_edit.php, (14) main_lay.php, (15) main_lay_edit.php, (16) main_news_send.php, (17) main_con_edittpl.php, (18) main_stat.php, (19) main_tpl_edit.php, (20) main_news_edit.php, or (21) inc/upl_show_uploads.inc.php; the (a) cfgPathContenido or (b) cfgPathTpl parameter to (22) con_show_sidelist.inc.php, (23) mod_show_modules.inc.php, (24) con_edit_form.inc.php, (25) lay_show_layouts.inc.php, (26) con_show_tree.inc.php, (27) news_show_newsletters.inc! .php, (28) str_show_tree.inc.php, (29) tpl_show_templates.inc.php, (30) stat_show_tree.inc.php, (31) con_editcontent.inc.php, or (32) news_show_recipients.inc.php in inc/; or the cfgPathTpl parameter to (33) main_user_md5.php3, or (34) actions_mod.php, (35) actions_lay.php, (36) actions_upl.php, (37) actions_stat.php, (38) actions_news.php, (39) actions_str.php, (40) header.php, (41) actions_con_sidelist.php, (42) main_top.inc.php, (43) actions_tpl.php, or (44) actions_con.php in tpl/. NOTE: vectors 21, 24, 26, 27, 32, 34, 35, 36, 37, 38, 39, 40, 41, 43, and 44 are disputed by CVE because PHP encounters a fatal function-call error on a direct request for the file, before reaching the include statement. |
| 7.5 | CVE-2007-5115 OTHER-REF | furquim -- ChironFS | ChironFS before 1.0 RC7 sets user/group ownership to the mounter account instead of the creator account when files are created, which allows local users to gain privileges. |
| 7.2 | CVE-2007-5101 OTHER-REF OTHER-REF SECUNIA | guanxiCRM -- guanxiCRM Business Solution | PHP remote file inclusion vulnerability in modules/webmail2/inc/rfc822.php in guanxiCRM Business Solution 0.9.1 allows remote attackers to execute arbitrary PHP code via a URL in the webmail2_inc_dir parameter. |
| 7.5 | CVE-2007-5096 OTHER-REF | IBM -- Tivoli Storage Manager Client | Buffer overflow in the Client Acceptor Daemon (CAD), dsmcad.exe, in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2 allows remote attackers to execute arbitrary code via crafted HTTP headers, aka IC52905. |
| 10.0 | CVE-2007-4880 BUGTRAQ OTHER-REF OTHER-REF AIXAPAR BID FRSIRT SECTRACK SECUNIA XF | IBM -- Tivoli Storage Manager Client | Buffer overflow in the Client Acceptor Daemon (CAD) in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2 allows remote attackers to execute arbitrary code via unspecified vectors, aka IC52905. |
| 10.0 | CVE-2007-5021 OTHER-REF AIXAPAR BID FRSIRT SECUNIA XF | IBM -- DB2 Microsoft -- SQL Server IBM -- Rational ClearQuest | Unspecified vulnerability in IBM Rational ClearQuest (CQ), when a Microsoft SQL Server or an IBM DB2 database is used, allows attackers to corrupt data via unspecified vectors. |
| 7.5 | CVE-2007-5090 OTHER-REF FRSIRT SECUNIA | ImageMagick -- ImageMagick | Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow. |
| 7.5 | CVE-2007-4986 IDEFENSE MLIST BID | ImageMagick -- ImageMagick | Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address. |
| 9.3 | CVE-2007-4987 IDEFENSE MLIST BID | Imatix -- Xitami | Multiple buffer overflows in iMatix Xitami Web Server 2.5c2 allow remote attackers to execute arbitrary code via a long If-Modified-Since header to (1) xigui32.exe or (2) xitami.exe. |
| 7.5 | CVE-2007-5067 MILW0RM BID SECUNIA | Interspire -- ActiveKB | SQL injection vulnerability in index.php in Interspire ActiveKB NX 2.x allows remote attackers to execute arbitrary SQL commands via the catId parameter in a browse action. |
| 7.5 | CVE-2007-5131 MILW0RM BID | Ipswitch -- IMail | Heap-based buffer overflow in iaspam.dll in the SMTP Server in Ipswitch IMail Server 8.01 through 8.11 allows remote attackers to execute arbitrary code via a set of four different e-mail messages with a long boundary parameter in a certain malformed Content-Type header line, the string "MIME" by itself on a line in the header, and a long Content-Transfer-Encoding header line. |
| 7.5 | CVE-2007-5094 MILW0RM OTHER-REF BID | iziContents -- iziContents | Multiple incomplete blacklist vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in (1) the admin_home parameter to modules/poll/poll_summary.php or (2) the rootdp parameter to include/db.php; or a URL in the language_home parameter to (3) search/search.php, (4) poll/inlinepoll.php, (5) poll/showpoll.php, (6) links/showlinks.php, or (7) links/submit_links.php in modules/; related to missing checks in (a) modules/moduleSec.php and (b) include/includeSec.php for inclusion of certain URLs, as demonstrated by an ftps:// URL. |
| 7.5 | CVE-2007-5053 MILW0RM | iziContents -- iziContents | Multiple PHP remote file inclusion vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the gsLanguage parameter to (1) search/search.php, (2) poll/inlinepoll.php, (3) poll/showpoll.php, (4) links/showlinks.php, or (5) links/submit_links.php in modules/. |
| 7.5 | CVE-2007-5054 MILW0RM | iziContents -- iziContents | Multiple directory traversal vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the admin_home parameter to modules/poll/poll_summary.php or (2) the rootdp parameter to include/db.php. |
| 7.5 | CVE-2007-5055 MILW0RM | Lhaplus -- Lhaplus | Heap-based buffer overflow in Lhaplus before 1.55 allows remote attackers to execute arbitrary code via a long filename in an ARJ archive. |
| 7.5 | CVE-2007-5048 OTHER-REF OTHER-REF OTHER-REF BID SECUNIA | Linux -- Kernel | The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register. |
| 7.2 | CVE-2007-4573 FULLDISC MLIST MLIST OTHER-REF | Microsoft -- Windows Media Player | Microsoft Windows Media Player (WMP) 9 on Windows XP SP2 invokes Internet Explorer to render HTML documents contained inside some media files, regardless of what default web browser is configured, which might allow remote attackers to exploit vulnerabilities in software that the user does not expect to run, as demonstrated by the HTMLView parameter in an .asx file. |
| 7.5 | CVE-2007-5095 BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ OTHER-REF | Microsoft -- windows-nt 3ware -- 3DM Disk Management Software | Microsoft Windows Explorer (explorer.exe) allows user-assisted remote attackers to cause a denial of service (CPU consumption) via a certain PNG file with a large tEXt chunk that possibly triggers an integer overflow in PNG chunk size handling, as demonstrated by badlycrafted.png. |
| 7.1 | CVE-2007-5133 BUGTRAQ BUGTRAQ BID | Mozilla -- Bugzilla | The offer_account_by_email function in User.pm in the WebService for Bugzilla before 3.0.2, and 3.1.x before 3.1.2, does not check the value of the createemailregexp parameter, which allows remote attackers to bypass intended restrictions on account creation. |
| 7.5 | CVE-2007-5038 OTHER-REF OTHER-REF FRSIRT SECUNIA | Mozilla -- Firefox Apple -- Quicktime | Argument injection vulnerability in Apple QuickTime 7.1.5 and earlier, when running on systems with Mozilla Firefox before 2.0.0.7 installed, allows remote attackers to execute arbitrary commands via a QuickTime Media Link (QTL) file with an embed XML element and a qtnext parameter containing the Firefox "-chrome" argument. NOTE: this is a related issue to CVE-2006-4965 and the result of an incomplete fix for CVE-2007-3670. |
| 9.3 | CVE-2007-5045 BUGTRAQ OTHER-REF OTHER-REF OTHER-REF FRSIRT SECUNIA | NetSupport -- NetSupport Manager Client | NetSupport Manager Client before 10.20.0004 allows remote attackers to bypass the (1) basic and (2) authentication schemes by spoofing the NetSupport Manager. |
| 10.0 | CVE-2007-5057 BUGTRAQ OTHER-REF BID | Neuron News -- Neuron News | Directory traversal vulnerability in index.php in Neuron News 1.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the q parameter. |
| 7.5 | CVE-2007-5050 MILW0RM | NukeScripts -- NukeSentinel | SQL injection vulnerability in includes/nsbypass.php in NukeSentinel 2.5.11 allows remote attackers to execute arbitrary SQL commands via base64-encoded data in an admin cookie. |
| 7.5 | CVE-2007-5125 BUGTRAQ OTHER-REF BID | Online Fantasy Football League -- OFFL | ** DISPUTED ** PHP remote file inclusion vulnerability in lib/classes/offl_nflteam.php in Online Fantasy Football League (OFFL) 0.2.6 allows remote attackers to execute arbitrary PHP code via a URL in the DOC_ROOT parameter. NOTE: this issue is disputed by CVE because a __FILE__ test protects offl_nflteam.php against direct requests. |
| 7.5 | CVE-2007-5097 OTHER-REF | openEngine -- openEngine | ** DISPUTED ** PHP remote file inclusion vulnerability in html/modules/extranet_profile/main.php in openEngine 1.9 beta1 allows remote attackers to execute arbitrary PHP code via a URL in the this_module_path parameter. NOTE: this issue is disputed by CVE because PHP encounters a fatal function-call error on a direct request for the file, before reaching the include statement. |
| 7.5 | CVE-2007-5035 OTHER-REF BID | OpenSSL Project -- OpenSSL | Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. |
| 7.5 | CVE-2007-5135 BUGTRAQ | PHP-Nuke -- Mobile Entertainment module | Directory traversal vulnerability in data/compatible.php in the Nuke Mobile Entertainment 1 addon for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module_name parameter. |
| 7.5 | CVE-2007-5069 MILW0RM | phpFullAnnu -- phpFullAnnu | SQL injection vulnerability in index.php in phpFullAnnu (PFA) 6.0 allows remote attackers to execute arbitrary SQL commands via the mod parameter. |
| 7.5 | CVE-2007-5068 MILW0RM | Quiksoft -- EasyMail MessagePrinter Object | Heap-based buffer overflow in the EasyMailMessagePrinter ActiveX control in emprint.DLL 6.0.1.0 in the Quiksoft EasyMail MessagePrinter Object allows remote attackers to execute arbitrary code via a long string in the first argument to the SetFont method. |
| 10.0 | CVE-2007-5070 MILW0RM | redhat -- linux | Red Hat Enterprise Linux 4 does not properly compile and link gdm with tcp_wrappers on x86_64 platforms, which might allow remote attackers to bypass intended access restrictions. |
| 10.0 | CVE-2007-5079 OTHER-REF | sk.log -- sk.log | PHP remote file inclusion vulnerability in php-inc/log.inc.php in sk.log 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the SKIN_URL parameter. |
| 7.5 | CVE-2007-5089 BUGTRAQ VIM MILW0RM BID FRSIRT | softbizscripts -- classifieds plus script | SQL injection vulnerability in store_info.php in SoftBiz Classifieds PLUS allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| 7.5 | CVE-2007-5122 MILW0RM | Solidweb -- Novus | SQL injection vulnerability in notas.asp in Novus 1.0 allows remote attackers to execute arbitrary SQL commands via the nota_id parameter. |
| 7.5 | CVE-2007-5123 MILW0RM BID | Symantec -- Norton Internet Security | Norton Internet Security 2008 15.0.0.60 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the NtOpenSection kernel SSDT hook. NOTE: the NtCreateMutant and NtOpenEvent function hooks are already covered by CVE-2007-1793. |
| 7.2 | CVE-2007-5047 BUGTRAQ OTHER-REF OTHER-REF | Symantec -- Veritas Backup Exec | Unspecified vulnerability in the client in Symantec Veritas Backup Exec for Windows Servers 11d has unknown impact and remote attack vectors. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine. |
| 10.0 | CVE-2007-5126 OTHER-REF BID | VMWare -- VMWare Player VMWare -- ACE VMWare -- ACE 2 VMWare -- VMware Server VMWare -- VMWare Player 2 VMWare -- VMWare Workstation | The DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed packet that triggers "corrupt stack memory." |
| 10.0 | CVE-2007-0061 ISS OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID XF | VMWare -- VMWare Workstation VMWare -- ACE VMWare -- VMware Server VMWare -- Player | Integer overflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow. |
| 10.0 | CVE-2007-0062 ISS OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID XF | VMWare -- VMWare Player VMWare -- ESX Server VMWare -- ACE VMWare -- ACE 2 VMWare -- VMware Server VMWare -- VMWare Player 2 VMWare -- VMWare Workstation | Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow. |
| 10.0 | CVE-2007-0063 ISS OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID XF | VMWare -- ACE | Unspecified vulnerability in EMC VMware ACE before 1.0.3 Build 54075 allows attackers to have an unknown impact via an unspecified manipulation of "images stored in virtual machines downloaded by the user." |
| 9.3 | CVE-2007-5025 OTHER-REF | webmaster-tips -- Flash Slide Show Joomla -- Joomla | PHP remote file inclusion vulnerability in admin.slideshow1.php in the Flash Slide Show (com_slideshow) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter. |
| 7.5 | CVE-2007-5065 MILW0RM BID | Xpdf -- Xpdf | Stack-based buffer overflow in the StreamPredictor::getNextLine function in xpdf, as used in (1) poppler before 0.5.91, (2) gpdf, (3) kpdf, (4) kdegraphics, (5) CUPS, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file, a different vulnerability than CVE-2007-3387. |
| 7.5 | CVE-2007-5049 GENTOO FRSIRT |
|---|
| Medium Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | Adam Scheinberg -- Flip | Adam Scheinberg Flip 3.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a file containing login credentials via a direct request for var/users.txt. |
| 5.0 | CVE-2007-5063 MILW0RM | Adobe -- Acrobat Adobe -- Reader | Unspecified vulnerability in Adobe Acrobat and Reader 8.1 on Windows allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: this information is based upon a vague pre-advisory by a reliable researcher. |
| 6.8 | CVE-2007-5020 BUGTRAQ OTHER-REF | Agnitum -- Outpost Firewall | Outpost Firewall Pro 4.0.1025.7828 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtDeleteFile, (3) NtLoadDriver, (4) NtOpenProcess, (5) NtOpenSection, (6) NtOpenThread, and (7) NtUnloadDriver kernel SSDT hooks, a partial regression of CVE-2006-7160. |
| 4.6 | CVE-2007-5042 BUGTRAQ OTHER-REF OTHER-REF | AirDefense -- Airsensor | Multiple buffer overflows in the AirDefense Airsensor M520 with firmware 4.3.1.1 and 4.4.1.4 allow remote authenticated users to cause a denial of service (HTTPS service outage) via a crafted query string in an HTTPS request to (1) adLog.cgi, (2) post.cgi, or (3) ad.cgi, related to the "files filter." |
| 5.0 | CVE-2007-5036 MILW0RM OTHER-REF BID SECUNIA | AOL -- Instant Messenger | The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.5.3.12 and earlier allows remote attackers to execute arbitrary code via unspecified web script or HTML in an instant message, related to AIM's filtering of "specific tags and attributes" and the lack of Local Machine Zone lockdown. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-4901. |
| 6.8 | CVE-2007-5124 BUGTRAQ OTHER-REF | Apache Software Foundation -- Geronimo | Unspecified vulnerability in the management EJB (MEJB) in Apache Geronimo before 2.0.2 allows remote attackers to bypass authentication and obtain "access to Geronimo internals" via unspecified vectors. |
| 5.0 | CVE-2007-5085 OTHER-REF OTHER-REF SECUNIA | Apple -- iPhone | Mail in Apple iPhone 1.1.1, when using SSL, does not warn the user when the mail server changes or is not trusted, which might allow remote attackers to steal credentials and read email via a man-in-the-middle (MITM) attack. |
| 4.3 | CVE-2007-3754 APPLE | Apple -- iPhone | Mail in Apple iPhone 1.1.1 allows remote user-assisted attackers to force the iPhone user to make calls to arbitrary telephone numbers via a "tel:" link, which does not prompt the user before dialing the number. |
| 4.3 | CVE-2007-3755 APPLE | Apple -- Safari | Safari in Apple iPhone 1.1.1 allows remote attackers to obtain sensitive information via a crafted web page that identifies the URL of the parent window, even when the parent window is in a different domain. |
| 4.3 | CVE-2007-3756 APPLE | Apple -- Safari | Safari in Apple iPhone 1.1.1 allows remote user-assisted attackers to trick the iPhone user into making calls to arbitrary telephone numbers via a crafted "tel:" link that causes iPhone to display a different number than the number that will be dialed. |
| 4.3 | CVE-2007-3757 APPLE | Apple -- Safari | Safari in Apple iPhone 1.1.1 allows remote attackers to set Javascript window properties for web pages that are in a different domain, which can be leveraged to conduct cross-site scripting (XSS) attacks. |
| 4.3 | CVE-2007-3758 APPLE | Apple -- Safari | Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to inject arbitrary web script or HTML via frame tags. |
| 4.3 | CVE-2007-3760 APPLE | Apple -- Safari | Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to inject arbitrary web script or HTML by causing Javascript events to be applied to a frame in another domain. |
| 4.3 | CVE-2007-3761 APPLE | Apple -- Safari | Unspecified vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to "alter or access" HTTPS content via an HTTP session with a crafted web page that causes Javascript to be applied to HTTPS pages from the same domain. |
| 6.8 | CVE-2007-4671 APPLE | Barracuda Networks -- Barracuda Spam Firewall | Cross-site scripting (XSS) vulnerability in the Monitor Web Syslog screen in the Web administration interface in Barracuda Spam Firewall before firmware 3.5.10.016 allows remote attackers to inject arbitrary web script or HTML via the username field in a login attempt, related to the Monitor Web Syslog component. |
| 4.3 | CVE-2007-5058 BUGTRAQ OTHER-REF BID XF | boesch-it -- SimpNews | Multiple cross-site scripting (XSS) vulnerabilities in SimpNews 2.41.03 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to admin/layout2b.php, and the (2) backurl parameter to comment.php. |
| 4.3 | CVE-2007-4874 BUGTRAQ OTHER-REF OTHER-REF | boesch-it -- SimpNews PHP -- PHP | SimpNews 2.41.03 on Windows, when PHP before 5.0.0 is used, allows remote attackers to obtain sensitive information via an certain link_date parameter to events.php, which reveals the path in an error message due to an unsupported argument type for the mktime function on Windows. |
| 5.0 | CVE-2007-5128 BUGTRAQ OTHER-REF OTHER-REF | boesch-it -- SimpGB | SimpGB 1.46.02 stores sensitive information under the web root with insufficient access control, which allows remote attackers to (1) obtain sensitive configuration information via a direct request for admin/cfginfo.php; and (2) download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc. |
| 6.4 | CVE-2007-5129 BUGTRAQ BUGTRAQ OTHER-REF OTHER-REF OTHER-REF SECUNIA XF XF | boesch-it -- SimpGB | SimpGB 1.46.02 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php or (2) a direct request to admin/trailer.php, which reveals the path in various error messages. |
| 5.0 | CVE-2007-5130 BUGTRAQ OTHER-REF OTHER-REF XF | Cisco -- Catalyst 7600 Cisco -- Catalyst 6500 | Cisco Catalyst 6500 and Cisco 7600 series devices use 127/8 IP addresses for Ethernet Out-of-Band Channel (EOBC) internal communication, which might allow remote attackers to send packets to an interface for which network exposure was unintended. |
| 5.0 | CVE-2007-5134 FULLDISC CISCO BID SECTRACK | dBlog -- dBlog CMS | dBlog CMS, probably 2.0, stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing an admin password hash via a direct request for dblog.mdb. |
| 5.0 | CVE-2007-5026 BUGTRAQ OTHER-REF | Dibbler -- Dibbler | Dibbler 0.6.0 does not verify that certain length parameters are appropriate for buffer sizes, which allows remote attackers to trigger a buffer over-read and cause a denial of service (daemon crash), as demonstrated by incorrect behavior of the TSrvMsg constructor in SrvMessages/SrvMsg.cpp when (1) reading the option code and option length and (2) parsing options. |
| 5.0 | CVE-2007-5029 FULLDISC OTHER-REF BID SECUNIA | Dibbler -- Dibbler | Multiple integer overflows in Dibbler 0.6.0 allow remote attackers to cause a denial of service (daemon crash) via packets containing options with large lengths, which trigger attempts at excessive memory allocation, as demonstrated by (1) the TSrvMsg constructor in SrvMessages/SrvMsg.cpp; the (2) TClntMsg, (3) TClntOptIAAddress, (4) TClntOptIAPrefix, (5) TOptVendorSpecInfo, and (6) TOptOptionRequest constructors; and the (7) TRelIfaceMgr::decodeRelayRepl, (8) TRelMsg::decodeOpts, and (9) TSrvIfaceMgr::decodeRelayForw methods. |
| 5.0 | CVE-2007-5030 FULLDISC OTHER-REF BID SECUNIA | Dibbler -- Dibbler | The TSrvOptIA_NA::rebind method in SrvOptions/SrvOptIA_NA.cpp in Dibbler 0.6.0 allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via an invalid IA_NA option in a REBIND message. |
| 5.0 | CVE-2007-5031 FULLDISC OTHER-REF BID SECUNIA | dragonfrugal -- DFD Cart | Multiple PHP remote file inclusion vulnerabilities in DFD Cart 1.1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the set_depth parameter to (1) app.lib/product.control/core.php/product.control.config.php, or (2) customer.browse.list.php or (3) customer.browse.search.php in app.lib/product.control/core.php/customer.area/. |
| 6.8 | CVE-2007-5098 MILW0RM SECUNIA | EB Design Pty Ltd -- ebCrypt | A certain ActiveX control in EBCRYPT.DLL 2.0 in EB Design ebCrypt allows remote attackers to cause a denial of service (crash) via a string argument to the AddString method. |
| 4.3 | CVE-2007-5111 MILW0RM OTHER-REF BID | eGroupWare -- eGroupWare | Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.4.001 allow remote attackers to inject arbitrary web script or HTML via the cat_data[color] parameter to (1) preferences/inc/class.uicategories.inc.php and (2) admin/inc/class.uicategories.inc.php. |
| 4.3 | CVE-2007-5091 OTHER-REF OTHER-REF OTHER-REF SECUNIA | Elinks -- Elinks | ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https. |
| 4.3 | CVE-2007-5034 OTHER-REF OTHER-REF | FlatNuke -- FlatNuke | Cross-site request forgery (CSRF) vulnerability in index.php in FlatNuke 2.6, and possibly 3, allows remote attackers to change the password and privilege level of arbitrary accounts via the user parameter and modified (1) regpass and (2) level parameters in a none_Login action, as demonstrated by using a Flash object to automatically make the request. |
| 4.3 | CVE-2007-5109 BUGTRAQ | Francisco Burzi -- PHP-Nuke | Cross-site request forgery (CSRF) vulnerability in admin.php in Francisco Burzi PHP-Nuke allows remote attackers to add administrative accounts via an AddAuthor action with modified add_name and add_radminsuper parameters. |
| 5.1 | CVE-2007-5032 BUGTRAQ | FrontAccounting -- FrontAccounting | Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13., when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279. |
| 6.8 | CVE-2007-5117 MILW0RM BID SECUNIA | gdata -- InternetSecurity 2007 | G DATA InternetSecurity 2007 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey and (2) NtOpenProcess kernel SSDT hooks. |
| 4.6 | CVE-2007-5041 BUGTRAQ OTHER-REF OTHER-REF | GreenSQL -- GreenSQL | Multiple cross-site scripting (XSS) vulnerabilities in GreenSQL allow remote attackers to inject arbitrary web script or HTML via several vectors, as demonstrated by the (1) uname and (2) pass parameters in a login form, and (3) an unspecified "url value," leading to storage of XSS sequences in the database and display of these sequences in the alert section of the admin panel. |
| 4.3 | CVE-2007-5059 BUGTRAQ BID | IBM -- Tivoli Storage Manager Client | Unspecified vulnerability in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2, when using "server-initiated prompted scheduling," allows remote attackers to read a client's data, aka IC53616. |
| 5.0 | CVE-2007-5022 OTHER-REF AIXAPAR BID FRSIRT SECUNIA XF | IceWarp -- Merak Mail Server | Cross-site scripting (XSS) vulnerability in the Webmail interface for IceWarp Merak Mail Server before 9.0.0 allows remote attackers to inject arbitrary JavaScript via a javascript: URI in an attribute of an element in an email message body, as demonstrated by the onload attribute in a BODY element. |
| 4.3 | CVE-2007-5046 OTHER-REF BID SECUNIA | ImageMagick -- ImageMagick | ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls. |
| 4.3 | CVE-2007-4985 IDEFENSE MLIST BID | ImageMagick -- ImageMagick | Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. |
| 6.8 | CVE-2007-4988 IDEFENSE MLIST BID | Inotify -- Inotify-tools | Buffer overflow in the inotifytools_snprintf function in src/inotifytools.c in the inotify-tools library before 3.11 allows context-dependent attackers to execute arbitrary code via a long filename. |
| 6.8 | CVE-2007-5037 OTHER-REF SECUNIA | JSPWiki -- JSPWiki | JSPWiki 2.4.103 and 2.5.139-beta allows remote attackers to obtain sensitive information (full path) via an invalid integer in the version parameter to the default URI under attach/Main/. |
| 4.3 | CVE-2007-5119 BUGTRAQ FULLDISC OTHER-REF SECUNIA XF | JSPWiki -- JSPWiki | Multiple cross-site scripting (XSS) vulnerabilities in JSPWiki 2.4.103 and 2.5.139-beta allow remote attackers to inject arbitrary web script or HTML via the (1) group and (2) members parameters in (a) NewGroup.jsp; the (3) edittime parameter in (b) Edit.jsp; the (4) edittime, (5) author, and (6) link parameters in (c) Comment.jsp; the (7) loginname, (8) wikiname, (9) fullname, and (10) email parameters in (d) UserPreferences.jsp and (e) Login.jsp; the (11) r1 and (12) r2 parameters in (f) Diff.jsp; and the (13) changenote parameter in (g) PageInfo.jsp. |
| 4.3 | CVE-2007-5120 BUGTRAQ FULLDISC OTHER-REF BID SECUNIA XF | JSPWiki -- JSPWiki | Cross-site scripting (XSS) vulnerability in JSPWiki 2.5.139-beta allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to wiki-3/Login.jsp and unspecified other components. |
| 4.3 | CVE-2007-5121 BUGTRAQ FULLDISC OTHER-REF BID SECUNIA XF | Kaspersky Lab -- Kaspersky Internet Security | Kaspersky Internet Security 7.0.0.125 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to (1) cause a denial of service (crash) and possibly gain privileges via the NtCreateSection kernel SSDT hook or (2) cause a denial of service (avp.exe service outage) via the NtLoadDriver kernel SSDT hook. NOTE: this issue may partially overlap CVE-2006-3074. |
| 4.4 | CVE-2007-5043 BUGTRAQ OTHER-REF OTHER-REF | KDE -- KDE | backend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is configured and "shutdown with password" is enabled, allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors. |
| 6.8 | CVE-2007-4569 OTHER-REF BID | Level One -- WBR3404TX | Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/ddns in the web management panel for the WBR3404TX broadband router with firmware R1.94p0vTIG allow remote attackers to inject arbitrary web script or HTML via the (1) DD or (2) DU parameter. |
| 4.3 | CVE-2007-5027 BUGTRAQ | Linux -- Kernel | The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is enabled, allows local users to cause a denial of service (kernel panic) by reading /proc/net/atm/arp before the CLIP module has been loaded. |
| 4.9 | CVE-2007-5087 OTHER-REF OTHER-REF OTHER-REF FRSIRT | Linux -- Kernel | The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 "relies on user space to close the device," which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device. |
| 4.0 | CVE-2007-5093 MLIST MLIST OTHER-REF BID | Microsoft -- ISA Server | The SOCKS4 Proxy in Microsoft Internet Security and Acceleration (ISA) Server 2004 SP1 and SP2 allows remote attackers to obtain potentially sensitive information (the destination IP address of another user's session) via an empty packet. |
| 5.0 | CVE-2007-4991 OTHER-REF BID | multimedia -- Dance Music module for phpNuke | Directory traversal vulnerability in index.php in the Dance Music module for phpNuke, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in an ACCEPT_FILE array parameter to modules.php. |
| 6.8 | CVE-2007-5092 BUGTRAQ OTHER-REF | phpBB -- phpBB Plus | Multiple PHP remote file inclusion vulnerabilities in phpBB Plus 1.53, and 1.53a before 20070922, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) language/lang_german/lang_admin_album.php, (2) language/lang_english/lang_main_album.php, and (3) language/lang_english/lang_admin_album.php, different vectors than CVE-2007-5009. |
| 6.8 | CVE-2007-5100 OTHER-REF FRSIRT SECUNIA | phpBB XS -- phpBB XS | Cross-site scripting (XSS) vulnerability in profile.php in phpBB XS 2 allows remote attackers to inject arbitrary web script or HTML via the selfdes parameter in a profile_info editprofile action. |
| 6.8 | CVE-2007-5033 BUGTRAQ BID XF | phpMyProfiler -- phpMyProfiler | ** DISPUTED ** PHP remote file inclusion vulnerability in include/plugin/block.t.php in Peter Schmidt phpmyProfiler 0.9.6b allows remote attackers to execute arbitrary PHP code via a URL in the pmp_rel_path parameter. NOTE: this issue is disputed by CVE because the applicable require_once is in a function that is not called on a direct request. |
| 6.8 | CVE-2007-5114 OTHER-REF | ROI Revolution -- Urchin | Cross-site scripting (XSS) vulnerability in session.cgi (aka the login page) in Google Urchin 5 5.7.03 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string, a different vulnerability than CVE-2007-4713. NOTE: this can be leveraged to capture login credentials in some browsers that support remembered (auto-completed) passwords. |
| 4.3 | CVE-2007-5112 BUGTRAQ OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID | ROI Revolution -- Urchin | report.cgi in Google Urchin allows remote attackers to bypass authentication and obtain sensitive information (web server logs) via certain modified query parameters, as demonstrated using the profile, rid, prefs, n, vid, bd, ed, dt, and gtype parameters, a different vulnerability than CVE-2007-5112. |
| 5.0 | CVE-2007-5113 OTHER-REF OTHER-REF | SimpGB -- SimpGB | Multiple cross-site scripting (XSS) vulnerabilities in SimpGB 1.46.02 allow remote attackers to inject arbitrary web script or HTML via (1) the l_username parameter to the default URI under admin/ or (2) the l_emoticonlist parameter to admin/emoticonlist.php. |
| 4.3 | CVE-2007-5127 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA XF | SimpleNews -- SimpleNews | SimpNews 2.41.03 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php; or a direct request to (2) admin/dbg_infos.php, (3) admin/heading.php, or (4) evsearch.php; which reveals the path in various error messages. |
| 5.0 | CVE-2007-4872 BUGTRAQ OTHER-REF OTHER-REF | SimpleNews -- SimpleNews | SimpNews 2.41.03 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc. |
| 5.0 | CVE-2007-4873 BUGTRAQ OTHER-REF OTHER-REF | sisd -- Freeside | Cross-site scripting (XSS) vulnerability in search/cust_bill_event.cgi in Freeside 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the failed parameter. |
| 4.3 | CVE-2007-5088 OTHER-REF | Sun -- Solaris | Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors related to "the handling of thread contexts." |
| 4.9 | CVE-2007-5132 SUNALERT BID | VMWare -- VMWare Player VMWare -- ESX Server VMWare -- ACE VMWare -- ACE 2 VMWare -- VMware Server VMWare -- VMWare Player 2 VMWare -- VMWare Workstation | Unspecified vulnerability in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows authenticated users with administrative privileges on a guest operating system to corrupt memory and possibly execute arbitrary code on the host operating system via unspecified vectors. |
| 6.5 | CVE-2007-4496 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID | VMWare -- VMWare Player VMWare -- ESX Server VMWare -- ACE VMWare -- ACE 2 VMWare -- VMware Server VMWare -- VMWare Player 2 VMWare -- VMWare Workstation | Unspecified vulnerability in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows users with login access to a guest operating system to cause a denial of service (guest outage and host process crash or hang) via unspecified vectors. |
| 5.5 | CVE-2007-4497 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID | VMWare -- VMWare Player VMWare -- ACE VMWare -- ACE 2 VMWare -- VMware Server VMWare -- VMWare Player 2 VMWare -- VMWare Workstation | Unquoted Windows search path vulnerability in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075, and Server before 1.0.4 Build 56528 allows local users to gain privileges unspecified vectors, possibly involving a malicious "program.exe" file in the C: folder. |
| 6.9 | CVE-2007-5023 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF BID | Webmin -- Webmin | Unspecified vulnerability in Webmin before 1.370 on Windows allows remote authenticated users to execute arbitrary commands via a crafted URL. |
| 6.5 | CVE-2007-5066 OTHER-REF FRSIRT SECUNIA | WordPress -- WordPress | Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter. |
| 4.3 | CVE-2007-5105 BUGTRAQ OTHER-REF BID | WordPress -- WordPress | Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML via the user_login parameter. |
| 4.3 | CVE-2007-5106 BUGTRAQ OTHER-REF BID | Wordsmith -- Wordsmith | PHP remote file inclusion vulnerability in config.inc.php in Wordsmith 1.0 RC1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the _path parameter. |
| 6.8 | CVE-2007-5102 MILW0RM SECUNIA | Wordsmith -- Wordsmith | Directory traversal vulnerability in config.inc.php in Wordsmith 1.0 RC1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the _path parameter. |
| 6.8 | CVE-2007-5103 MILW0RM SECUNIA | xcms -- xcms | Cross-site request forgery (CSRF) vulnerability in the cpass functionality in an admin action in index.php in XCMS allows remote attackers to change arbitrary passwords via certain password_ and rpassword_ parameters, possibly related to timestamp values. |
| 4.3 | CVE-2007-5060 BUGTRAQ | XenSource Inc -- Xen | pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements. |
| 4.4 | CVE-2007-4993 OTHER-REF SECUNIA | Xiph.Org -- libvorbis | lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted OGG file, aka trac Changeset 13217. |
| 4.3 | CVE-2007-4065 OTHER-REF OTHER-REF OTHER-REF REDHAT SECTRACK SECUNIA | Xiph.Org -- libvorbis | Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow context-dependent attackers to cause a denial of service or have other unspecified impact via a crafted OGG file, aka trac Changesets 13162, 13168, 13169, 13170, 13172, 13211, and 13215, as demonstrated by an overflow in oggenc.exe related to the _psy_noiseguards_8 array. |
| 4.3 | CVE-2007-4066 OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF OTHER-REF REDHAT SECTRACK SECUNIA | Xunlei -- Web Thunder | Buffer overflow in a certain ActiveX control in Xunlei Web Thunder 5.6.9.344 allows remote attackers to execute arbitrary code via a long first argument to the DownURL2 method. NOTE: some of these details are obtained from third party information. |
| 6.8 | CVE-2007-5064 OTHER-REF BID | Zone Labs -- ZoneAlarm Pro | ZoneAlarm Pro 7.0.362.000 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreatePort and (2) NtDeleteFile kernel SSDT hooks, a partial regression of CVE-2007-2083. |
| 6.9 | CVE-2007-5044 BUGTRAQ OTHER-REF OTHER-REF |
|---|
| Low Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | EMC -- VMware Server | EMC VMware Server before 1.0.4 Build 56528 writes passwords in cleartext to unspecified log files, which allows local users to obtain sensitive information by reading these files, a different vulnerability than CVE-2005-3620. |
| 2.1 | CVE-2007-5024 OTHER-REF | ghostsecurity -- Ghost Security Suite | Ghost Security Suite beta 1.110 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtDeleteValueKey, (3) NtQueryValueKey, (4) NtSetSystemInformation, and (5) NtSetValueKey kernel SSDT hooks. |
| 2.1 | CVE-2007-5039 BUGTRAQ OTHER-REF OTHER-REF | ghostsecurity -- Ghost Security Suite | Ghost Security Suite alpha 1.200 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtCreateThread, (3) NtDeleteValueKey, (4) NtQueryValueKey, (5) NtSetSystemInformation, and (6) NtSetValueKey kernel SSDT hooks. |
| 2.1 | CVE-2007-5040 BUGTRAQ OTHER-REF OTHER-REF | Kaspersky Lab -- Kaspersky Internet Security Kaspersky Lab -- Kaspersky Anti-Virus | Kaspersky Anti-Virus (KAV) and Internet Security 7.0 build 125 do not properly validate certain parameters to System Service Descriptor Table (SSDT) and Shadow SSDT function handlers, which allows local users to cause a denial of service (crash) via the (1) NtUserSendInput, (2) LoadLibraryA, (3) NtOpenProcess, (4) NtOpenThread, (5) NtTerminateProcess, (6) NtUserFindWindowEx, and (7) NtUserBuildHwndList kernel SSDT hooks in kylif.sys; the (8) NtDuplicateObject (DuplicateHandle) kernel SSDT hook; and possibly other kernel SSDT hooks. NOTE: the NtCreateSection vector is covered by CVE-2007-5043.1. NOTE: the vendor disputes that the DuplicateHandle vector is a vulnerability in their code, stating that "it is not an error in our code, but an obscure method for manipulating standard Windows routines to circumvent our self-defense mechanisms." |
| 2.1 | CVE-2007-5086 OTHER-REF OTHER-REF FRSIRT SECUNIA | Linux -- Kernel | The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc. |
| 2.1 | CVE-2007-4571 IDEFENSE OTHER-REF OTHER-REF | SKK Openlab -- SKK Tools | The main function in skkdic-expr.c in SKK Tools 1.2 allows local users to overwrite or delete arbitrary files via a symlink attack on an unspecified temporary file. NOTE: some of these details are obtained from third party information. |
| 1.2 | CVE-2007-3916 OTHER-REF SECUNIA | Sun -- Solaris | Unspecified vulnerability in the HID (Human Interface Device) class driver in Sun Solaris 8, 9, and 10 before 20070925 allows local users to cause a denial of service (panic) via unspecified vectors. |
| 1.9 | CVE-2007-5118 SUNALERT SECUNIA |
|---|
This product is provided subject to this Notification and this Privacy & Use policy.
