Bulletin (SB07-288)
Vulnerability Summary for the Week of October 8, 2007
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
- Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
- Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
| High Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | Adobe -- Pagemaker | Stack-based buffer overflow in MAIPM6.dll in Adobe PageMaker 7.0.1 and 7.0.2 on Windows allows user-assisted remote attackers to execute arbitrary code via a long font name in a .PMD file. |
| 9.3 | CVE-2007-5169 OTHER-REF OTHER-REF BID SECTRACK | AfterLogic -- MailBee WebMail | Multiple cross-site scripting (XSS) vulnerabilities in MailBee WebMail Pro 3.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) mode parameter to login.php and the (2) mode2 parameter to default.asp in an advanced_login mode. |
| 7.5 | CVE-2007-5290 BUGTRAQ BID | Alcatel -- SpeedTouch 7G router BT -- Home Hub | The Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub, allows remote attackers on an intranet to bypass authentication and gain administrative access via unspecified vectors, probably involving an HTTP session on port 80. NOTE: remote attackers outside the intranet can exploit this by leveraging a separate CSRF vulnerability. NOTE: SpeedTouch 780 might also be affected by some of these issues. |
| 9.3 | CVE-2007-5383 BUGTRAQ OTHER-REF OTHER-REF BID | AppFuse -- AppFuse | Multiple cross-site scripting (XSS) vulnerabilities in messages.jsp in AppFuse before 2.0 Final allow remote attackers to inject arbitrary web script or HTML via unspecified input that is recorded in (1) success or (2) error messages. |
| 7.5 | CVE-2007-5280 OTHER-REF OTHER-REF BID SECUNIA | AppFuse -- AppFuse | Multiple cross-site scripting (XSS) vulnerabilities in messages.jsp in AppFuse before 2.0 Final allow remote attackers to inject arbitrary web script or HTML via unspecified input that is recorded in (1) success or (2) error messages. |
| 7.5 | CVE-2007-5285 OTHER-REF OTHER-REF BID SECUNIA | Battlefront -- Dropteam | Multiple format string vulnerabilities in Battlefront Dropteam 1.3.3 and earlier allow remote attackers to execute arbitrary code via format string specifiers in the (1) username, (2) password, and (3) nickname fields in a "0x01" packet. |
| 7.5 | CVE-2007-5262 BUGTRAQ OTHER-REF BID SECUNIA | Battlefront -- Dropteam | Multiple buffer overflows in Battlefront Dropteam 1.3.3 and earlier allow remote attackers to execute arbitrary code via (1) a crafted "0x5c" packet or (2) many 32-bit numbers in a "0x18" packet, or cause a denial of service (crash) via (3) a large "0x4b" packet. |
| 7.5 | CVE-2007-5263 BUGTRAQ OTHER-REF BID SECUNIA | bendiken -- Boost module for Drupal | Unspecified vulnerability in the Boost module before 4.7.x-1.0, and 5.x before 5.x-1.0, for Drupal allows remote attackers to create or overwrite arbitrary files, and conduct cross-site scripting attacks (XSS) via unspecified vectors. |
| 7.5 | CVE-2007-5270 OTHER-REF XF | Cisco -- IOS | Stack-based buffer overflow in the Line Printer Daemon (LPD) in Cisco IOS before 12.2(18)SXF11, 12.4(16a), and 12.4(2)T6 allow remote attackers to execute arbitrary code by setting a long hostname on the target system, then causing an error message to be printed, as demonstrated by a telnet session to the LPD from a source port other than 515. |
| 7.6 | CVE-2007-5381 OTHER-REF CISCO BID FRSIRT SECUNIA XF | Cisco -- Wireless LAN Solution Engine Cisco -- Wireless Control System | The conversion utility for converting CiscoWorks Wireless LAN Solution Engine (WLSE) 4.1.91.0 and earlier to Cisco Wireless Control System (WCS) creates administrator accounts with default usernames and passwords, which allows remote attackers to gain privileges. |
| 10.0 | CVE-2007-5382 CISCO BID FRSIRT | ConeXware -- PowerArchiver | Heap-based buffer overflow in ConeXware PowerArchiver before 10.20.21 might allow remote attackers to execute arbitrary code via a long filename in a BlackHole archive. |
| 7.6 | CVE-2007-5279 OTHER-REF OTHER-REF OTHER-REF FRSIRT SECUNIA | ConeXware -- PowerArchiver | Heap-based buffer overflow in ConeXware PowerArchiver before 10.20.21 might allow remote attackers to execute arbitrary code via a long filename in a BlackHole archive. |
| 7.6 | CVE-2007-5284 OTHER-REF OTHER-REF OTHER-REF FRSIRT SECUNIA | Daniel Broadbent -- DB Manager | Cross-site scripting (XSS) vulnerability in Edit.asp in DB Manager 2.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. |
| 7.5 | CVE-2007-5291 OTHER-REF | dawnoftime -- Dawn of Time | Multiple format string vulnerabilities in websrv.cpp in Dawn of Time 1.69s beta4 and earlier allow remote attackers to execute arbitrary code via format string specifiers in the (1) username or (2) password fields when accessing certain "restricted zones", which are not properly handled by the (a) processWebHeader and (b) filterWebRequest functions. |
| 7.5 | CVE-2007-5265 BUGTRAQ OTHER-REF OTHER-REF BID SECUNIA | EMC -- Replistor | The RepliStor Server Service in EMC Replistor 6.1.3 allows remote attackers to execute arbitrary code via a size value that causes RepliStor to create a smaller buffer than expected, which triggers a buffer overflow when that buffer is used in a recv function call. |
| 10.0 | CVE-2007-5323 OTHER-REF | Firebird Project -- Firebird | Stack-based buffer overflow in the process_packet function in fbserver.exe in Firebird SQL 2.0.2 allows remote attackers to execute arbitrary code via a long request to TCP port 3050. |
| 10.0 | CVE-2007-4992 OTHER-REF | Furkan Tastan Blog -- Furkan Tastan Blog | SQL injection vulnerability in kategori.asp in Furkan Tastan Blog allows remote attackers to execute arbitrary SQL commands via the id parameter in a goster kat action. |
| 7.5 | CVE-2007-5272 MILW0RM | HP -- HP-UX | Multiple cross-site scripting (XSS) vulnerabilities in HP System Management Homepage (SMH) in HP-UX B.11.11, B.11.23, and B.11.31, and SMH fcor Linux and Windows, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 7.5 | CVE-2007-5302 HP HP FRSIRT SECUNIA | HP -- Select Identity | Unspecified vulnerability in HP Select Identity 4.01 through 4.01.010 and 4.10 through 4.13.001 allows remote attackers to obtain unspecified access via unknown vectors. |
| 10.0 | CVE-2007-5391 HP BID | IDMOS -- IDMOS | Multiple cross-site scripting (XSS) vulnerabilities in IDMOS 1.0-beta (aka Phoenix) allow remote attackers to inject arbitrary web script or HTML via the (1) err_msg parameter to error.php and the (2) content parameter to templates/simple/ia.php. |
| 7.5 | CVE-2007-5293 BUGTRAQ MILW0RM BID | IDMOS -- IDMOS | PHP remote file inclusion vulnerability in core/aural.php in IDMOS 1.0-beta (aka Phoenix) allows remote attackers to execute arbitrary PHP code via a URL in the site_absolute_path parameter. |
| 7.5 | CVE-2007-5294 BUGTRAQ MILW0RM | LedgerSMB -- LedgerSMB DWS Systems Inc. -- SQL-Ledger | Multiple SQL injection vulnerabilities in (a) LedgerSMB 1.0.0 through 1.2.7 and (b) DWS Systems SQL-Ledger 2.x allow remote attackers to execute arbitrary SQL commands via (1) the invoice quantity field or (2) the sort field. |
| 10.0 | CVE-2007-5372 BUGTRAQ | Livio Siri -- dbList | Multiple cross-site scripting (XSS) vulnerabilities in dblisttest.asp in dbList 8.1 allow remote attackers to inject arbitrary web script or HTML via the (1) db, (2) pagesize, (3) sort, (4) strKeyWords, and (5) table parameters. NOTE: some of these details are obtained from third party information. |
| 7.5 | CVE-2007-5296 OTHER-REF SECUNIA | Microsoft -- windows | Unspecified vulnerability in the remote procedure call (RPC) component in Microsoft Windows XP SP2, XP Professional x64 Edition, Server 2003 SP1 and SP2, Server 2003 x64 Edition and x64 Edition SP2, and Vista and Vista x64 Edition allows remote attackers to cause a denial of service (RPCSS service stop and system restart) via a crafted RPC NTLMSSP authentication request. NOTE: this also affects Windows 2000 SP4, although the impact is an information leak. |
| 7.8 | CVE-2007-2228 MS | Microsoft -- ie | Microsoft Internet Explorer 5.01 through 7 allows remote attackers to spoof the URL address bar and other "trust UI" components via unspecified vectors, a different issue than CVE-2007-1091 and CVE-2007-3826. |
| 7.5 | CVE-2007-3892 MS | Microsoft -- ie | The URL handling in Windows XP and Windows Server 2003, with Windows Internet Explorer 7 installed, allows remote attackers to execute arbitrary programs via invalid "%" sequences in a mailto: or other URI handler, as demonstrated using mIRC, Outlook, Firefox, Adobe, Skype, and other applications. NOTE: this issue might be related to other involving URL handlers in Windows systems, such as CVE-2007-3845. |
| 9.3 | CVE-2007-3896 OTHER-REF OTHER-REF OTHER-REF BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ BUGTRAQ FULLDISC FULLDISC FULLDISC FULLDISC FULLDISC FULLDISC MSKB CERT-VN SECUNIA | Microsoft -- Office Microsoft -- Word | Unspecified vulnerability in Microsoft Word 2000 SP3, Word 2002 SP3, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via a malformed string in a Word file, aka "Word Memory Corruption Vulnerability." |
| 9.3 | CVE-2007-3899 MS | Microsoft -- Visual Fox Pro | The FPOLE.OCX 6.0.8450.0 ActiveX control in Microsoft Visual FoxPro 6.0 allows remote attackers to execute arbitrary programs by specifying them as an argument to the FoxDoCmd function. |
| 7.5 | CVE-2007-5322 OTHER-REF BID | Minki -- Minki | Cross-site scripting (XSS) vulnerability in index.php in Minki 1.30 allows remote attackers to inject arbitrary web script or HTML via the page parameter. |
| 7.5 | CVE-2007-5297 OTHER-REF | OpenBSD -- OpenBSD | Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2 allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU. |
| 10.0 | CVE-2007-5365 OTHER-REF OPENBSD OPENBSD OPENBSD BID SECUNIA | Script-solution.de -- Picturesolution | PHP remote file inclusion vulnerability in install/config.php in Picturesolution 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter. |
| 7.5 | CVE-2007-5313 MILW0RM BID XF | SnewsCMS -- SnewsCMS Rus | Cross-site scripting (XSS) vulnerability in news_page.php in SnewsCMS Rus 2.1 allows remote attackers to inject arbitrary web script or HTML via the page_id parameter. |
| 7.5 | CVE-2007-5303 BUGTRAQ | splitside -- Directory Image Gallery | Cross-site scripting (XSS) vulnerability in photos.cfm in Directory Image Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the backwardDirectory parameter. |
| 7.5 | CVE-2007-5292 OTHER-REF | TorrentTrader -- TorrentTrader | Directory traversal vulnerability in backend/admin-functions.php in TorrentTrader Classic Edition 1.07 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ss_uri parameter. |
| 7.5 | CVE-2007-5311 BUGTRAQ MILW0RM SECUNIA XF | ViArt -- Shopping Cart | ** DISPUTED ** Directory traversal vulnerability in payments/ideal_process.php in the iDEAL transaction handler in ViArt Shopping Cart allows remote attackers to have an unknown impact via directory traversal sequences in the filename parameter to the createCertFingerprint function. NOTE: this issue is disputed by CVE because PHP encounters a fatal function-call error on a direct request for payments/ideal_process.php. |
| 10.0 | CVE-2007-5364 BUGTRAQ | WikePage -- Opus | Multiple cross-site scripting (XSS) vulnerabilities in index.php in (a) Wikepage Opus 13 2007.2 and (b) TipiWiki 2 allow remote attackers to inject arbitrary web script or HTML via the (1) PageContent and (2) PageName parameters. |
| 7.5 | CVE-2007-5295 OTHER-REF | Yannick Tanguy -- Else If CMS | Multiple cross-site scripting (XSS) vulnerabilities in ELSEIF CMS Beta 0.6 allow remote attackers to inject arbitrary web script or HTML via the (1) repertimage parameter to utilisateurs/vousetesbannis.php, the (2) elseifvotetxtresultatduvote parameter to utilisateurs/votesresultats.php, and the (3) elseifforumtxtmenugeneraleduforum parameter to moduleajouter/depot/adminforum.php. |
| 7.5 | CVE-2007-5304 BUGTRAQ BID |
|---|
| Medium Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | Adobe -- Macromedia Shockwave Player | The Adobe Macromedia Flash 9 plug-in allows remote attackers to cause a victim machine to establish TCP sessions with arbitrary hosts via a Flash (SWF) movie, related to lack of pinning of a hostname to a single IP address after receiving an allow-access-from element in a cross-domain-policy XML document, and the availability of a Flash Socket class that does not use the browser's DNS pins, aka DNS rebinding attacks, a different issue than CVE-2002-1467 and CVE-2007-4324. |
| 5.0 | CVE-2007-5275 OTHER-REF | ag-solutions -- MOSMedia Lite | Multiple PHP remote file inclusion vulnerabilities in the Avant-Garde Solutions MOSMedia Lite (com_mosmedia) 4.5.1 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) credits.html.php, (2) info.html.php, (3) media.divs.php, (4) media.divs.js.php, (5) purchase.html.php, or (6) support.html.php in includes/. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: vector 3 may be the same as CVE-2007-2043.2. |
| 6.8 | CVE-2007-5362 BID | Alcatel -- SpeedTouch 7G router BT -- Home Hub | Multiple cross-site request forgery (CSRF) vulnerabilities in the Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub, allow remote attackers to perform actions as administrators via unspecified POST requests, as demonstrated by enabling an inbound remote-assistance HTTPS session on TCP port 51003. NOTE: an authentication bypass can be leveraged to exploit this in the absence of an existing administrative session. NOTE: SpeedTouch 780 might also be affected by some of these issues. |
| 4.3 | CVE-2007-5384 BUGTRAQ OTHER-REF OTHER-REF BID | Alcatel -- SpeedTouch 7G router BT -- Home Hub | Multiple cross-site scripting (XSS) vulnerabilities in the Thomson/Alcatel SpeedTouch 7G router, as used for the BT Home Hub, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 4.3 | CVE-2007-5385 BUGTRAQ OTHER-REF OTHER-REF BID | Alsaplayer -- Alsaplayer | Buffer overflow in the vorbis_stream_info function in input/vorbis/vorbis_engine.c (aka the vorbis input plugin) in AlsaPlayer before 0.99.80-rc3 allows remote attackers to execute arbitrary code via a .OGG file with long comments. |
| 6.8 | CVE-2007-5301 OTHER-REF OTHER-REF FRSIRT SECUNIA | Battlefront -- Dropteam | Battlefront Dropteam 1.3.3 and earlier sends the client's online account name and password to the game server, which allows malicious game servers to steal account information. |
| 5.0 | CVE-2007-5264 BUGTRAQ OTHER-REF BID SECUNIA | Creamotion -- Creamotion | Multiple PHP remote file inclusion vulnerabilities in CMS Creamotion allow remote attackers to execute arbitrary PHP code via a URL in the cfg[document_uri] parameter to (1) _administration/securite.php and (2) _administration/gestion_configurations/save_config.php. |
| 6.4 | CVE-2007-5298 BUGTRAQ MILW0RM | Electronic Arts -- SnoopyCtrl | Multiple stack-based buffer overflows in Electronic Arts (EA) SnoopyCtrl ActiveX control (NPSnpy.dll) allow remote attackers to execute arbitrary code via unspecified methods and parameters. |
| 6.8 | CVE-2007-4466 CERT-VN BID FRSIRT SECUNIA | Fujitsu -- Interstage Apworks Fujitsu -- Interstage Studio Fujitsu -- Interstage Application Server | The Tomcat 4.1-based Servlet Service in Fujitsu Interstage Application Server 7.0 through 9.0.0 and Interstage Apworks/Studio 7.0 through 9.0.0 allows remote attackers to obtain sensitive information (web root path) via unspecified vectors that trigger an error message, probably related to enabling the useCanonCaches Java Virtual Machine (JVM) option. |
| 5.0 | CVE-2007-5366 OTHER-REF BID SECUNIA | GNU -- TRAMP | The (1) tramp-make-temp-file and (2) tramp-make-tramp-temp-file functions in Tramp 2.1.10 extension for Emacs, and possibly earlier 2.1.x versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files. |
| 6.9 | CVE-2007-5377 OTHER-REF MLIST MLIST | Hitachi -- uCosminexus Service Architect Hitachi -- uCosminexus Application Server Standard Hitachi -- uCosminexus Application Server Enterprise Hitachi -- uCosminexus Client Hitachi -- uCosminexus Developer Standard Hitachi -- uCosminexus Developer Professional Hitachi -- uCosminexus Operator Hitachi -- uCosminexus Service Platform | The Java Secure Socket Extension (JSSE) in the Hitachi Cosminexus Developer's Kit for Java in various Hitachi Cosminexus 7.5 products before 07-50-01, when using JSSE for SSL/TLS support, allows remote attackers to cause a denial of service via certain SSL/TLS handshake requests. NOTE: this may be the same as CVE-2007-3698. |
| 5.0 | CVE-2007-5281 OTHER-REF FRSIRT SECUNIA | Hitachi -- Cosminexus Library Standard Hitachi -- Cosminexus Agent Hitachi -- Cosminexus Library Web | Hitachi Cosminexus Agent 03-00 through 03-05, and Cosminexus Library Standard and Web Edition 04-00 and 04-01, might allow remote attackers to cause a denial of service (agent process crash) via invalid data from clients other than Cosminexus Manager. |
| 4.3 | CVE-2007-5282 OTHER-REF FRSIRT SECUNIA | Hitachi -- TPBroker Object Transaction Monitor | The TSC Domain Manager in Hitachi TPBroker Object Transaction Monitor and Cosminexus TPBroker Object Transaction Monitor 01-00 through 03-00 might allow attackers to cause a denial of service (crash) via invalid messages. |
| 5.0 | CVE-2007-5283 OTHER-REF FRSIRT SECUNIA | Hitachi -- uCosminexus Service Architect Hitachi -- uCosminexus Application Server Standard Hitachi -- uCosminexus Application Server Enterprise Hitachi -- uCosminexus Client Hitachi -- uCosminexus Developer Standard Hitachi -- uCosminexus Developer Professional Hitachi -- uCosminexus Operator Hitachi -- uCosminexus Service Platform | The Java Secure Socket Extension (JSSE) in the Hitachi Cosminexus Developer's Kit for Java in various Hitachi Cosminexus 7.5 products before 07-50-01, when using JSSE for SSL/TLS support, allows remote attackers to cause a denial of service via certain SSL/TLS handshake requests. NOTE: this may be the same as CVE-2007-3698. |
| 5.0 | CVE-2007-5286 OTHER-REF FRSIRT SECUNIA | Hitachi -- Cosminexus Library Standard Hitachi -- Cosminexus Agent Hitachi -- Cosminexus Library Web | Hitachi Cosminexus Agent 03-00 through 03-05, and Cosminexus Library Standard and Web Edition 04-00 and 04-01, might allow remote attackers to cause a denial of service (agent process crash) via invalid data from clients other than Cosminexus Manager. |
| 5.0 | CVE-2007-5287 OTHER-REF FRSIRT SECUNIA | Hitachi -- TPBroker Object Transaction Monitor | The TSC Domain Manager in Hitachi TPBroker Object Transaction Monitor and Cosminexus TPBroker Object Transaction Monitor 01-00 through 03-00 might allow attackers to cause a denial of service (crash) via invalid messages. |
| 5.0 | CVE-2007-5288 OTHER-REF FRSIRT SECUNIA | Joomla -- Joomla webmaster-tips.net -- Flash Image Gallery | PHP remote file inclusion vulnerability in admin.wmtgallery.php in the webmaster-tips.net Flash Image Gallery (com_wmtgallery) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter. |
| 6.8 | CVE-2007-5309 MILW0RM VIM VIM BID | Joomla -- Joomla webmaster-tips.net -- Flash Image Gallery | PHP remote file inclusion vulnerability in admin.wmtportfolio.php in the webmaster-tips.net wmtportfolio 1.0 (com_wmtportfolio) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. |
| 6.8 | CVE-2007-5310 MILW0RM BID XF | Kodak -- Image Viewer | Unspecified vulnerability in Kodak Image Viewer in Microsoft Windows 2000 SP4, and in some cases XP SP2 and Server 2003 SP1 and SP2, allows remote attackers to execute arbitrary code via crafted image files that trigger memory corruption. |
| 6.8 | CVE-2007-2217 MS | libpng -- libpng | Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.0.29 beta1 and 1.2.x before 1.2.21 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image that prevents a name field from being NULL terminated. |
| 4.3 | CVE-2007-5266 MLIST MLIST | libpng -- libpng | Off-by-one error in ICC profile chunk handling in the png_set_iCCP function in pngset.c in libpng before 1.2.22 beta1 allows remote attackers to cause a denial of service (crash) via a crafted PNG image, due to an incorrect fix for CVE-2007-5266. |
| 4.3 | CVE-2007-5267 MLIST MLIST FRSIRT SECUNIA | libpng -- libpng | pngrtran.c in libpng before 1.0.29 and 1.2.x before 1.2.21 use (1) logical instead of bitwise operations and (2) incorrect comparisons, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG image. |
| 4.3 | CVE-2007-5268 MLIST MLIST MLIST FRSIRT SECUNIA | libpng -- libpng | Certain chunk handlers in libpng before 1.0.29 and 1.2.x before 1.2.21 allow remote attackers to cause a denial of service (crash) via crafted (1) pCAL (png_handle_pCAL), (2) sCAL (png_handle_sCAL), (3) tEXt (png_push_read_tEXt), (4) iTXt (png_handle_iTXt), and (5) ztXT (png_handle_ztXt) chunking in PNG images, which trigger out-of-bounds read operations. |
| 5.0 | CVE-2007-5269 MLIST FRSIRT SECUNIA | LightBlog -- LightBlog | cp_memberedit.php in LightBlog 8.4.1.1 does not check for administrative credentials when processing an admin action, which allows remote authenticated users to increase the privileges of any account. |
| 6.5 | CVE-2007-5374 MILW0RM | Massive Entertainment -- World in Conflict | The GetMagicNumberString function in Massive Entertainment World in Conflict 1.000 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a string to the VoIP port (52999/tcp) with an invalid value in the third byte. |
| 5.0 | CVE-2007-5369 BUGTRAQ OTHER-REF BID | Microsoft -- ie | Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 7 allows remote attackers to execute arbitrary code via unspecified vectors involving memory corruption from an unhandled error. |
| 6.8 | CVE-2007-3893 MS | Microsoft -- Outlook Express Microsoft -- Windows Mail | Unspecified vulnerability in Microsoft Outlook Express 6 and earlier, and Windows Mail for Vista allows remote attackers to execute arbitrary code via malformed Network News Transfer Protocol (NNTP) responses that trigger memory corruption. |
| 6.8 | CVE-2007-3897 MS | Microsoft -- Internet Explorer | Microsoft Internet Explorer 6 drops DNS pins based on failed connections to irrelevant TCP ports, which makes it easier for remote attackers to conduct DNS rebinding attacks, as demonstrated by a port 81 URL in an IMG SRC, when the DNS pin had been established for a session on port 80, a different issue than CVE-2006-4560. |
| 4.3 | CVE-2007-5277 OTHER-REF | MODxCMS -- MODxCMS | Multiple SQL injection vulnerabilities in mutate_content.dynamic.php in MODx 0.9.6 allow remote attackers to execute arbitrary SQL commands via the (1) documentDirty or (2) modVariables parameter. |
| 6.8 | CVE-2007-5371 BUGTRAQ | NetWin -- DNewsWeb | Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/dnewsweb.exe in NetWin DNewsWeb (DNews News Server) 57e1 allow remote attackers to inject arbitrary web script or HTML via the (1) group or (2) utag parameter. |
| 4.3 | CVE-2007-5370 BUGTRAQ | Opera Software -- Opera Web Browser | Opera 9 drops DNS pins based on failed connections to irrelevant TCP ports, which makes it easier for remote attackers to conduct DNS rebinding attacks, as demonstrated by a port 81 URL in an IMG SRC, when the DNS pin had been established for a session on port 80. |
| 4.3 | CVE-2007-5276 OTHER-REF | Pegasus Imaging -- ImagXpress | Multiple absolute path traversal vulnerabilities in Pegasus Imaging ImagXpress 8.0 allow remote attackers to (1) delete arbitrary files via the CacheFile attribute in the ThumbnailXpres.1 ActiveX control (PegasusImaging.ActiveX.ThumnailXpress1.dll) or (2) overwrite arbitrary files via the CompactFile function in the ImagXpress.8 ActiveX control (PegasusImaging.ActiveX.ImagXpress8.dll). |
| 4.0 | CVE-2007-5320 OTHER-REF OTHER-REF BID BID FRSIRT SECUNIA | PHP Homepage M -- PHP Homepage M | SQL injection vulnerability in galerie.php in PHP Homepage M (phpHPm) 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter in a show action. |
| 6.8 | CVE-2007-5308 MILW0RM | phpMyAdmin -- phpMyAdmin | Cross-site scripting (XSS) vulnerability in scripts/setup.php in phpMyAdmin 2.11.1, when accessed by a browser that does not URL-encode requests, allows remote attackers to inject arbitrary web script or HTML via the query string. NOTE: some of these details are obtained from third party information. |
| 4.3 | CVE-2007-5386 OTHER-REF OTHER-REF OTHER-REF SECUNIA | PicoFlat CMS -- PicoFlat CMS | PHP remote file inclusion vulnerability in index.php in PicoFlat CMS 0.4.14 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the pagina parameter. |
| 6.8 | CVE-2007-5390 MILW0RM | Pindorama -- Pindorama | PHP remote file inclusion vulnerability in active/components/xmlrpc/client.php in Pindorama 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the c[components] parameter. |
| 6.8 | CVE-2007-5387 MILW0RM | SkaDate -- SkaDate Online Dating Software | Multiple directory traversal vulnerabilities in SkaDate 5.0 and 6.0, and possibly later versions such as 6.482, allow remote attackers to read arbitrary files via a .. (dot dot) in the view_mode parameter to (1) featured_list.php and (2) online_list.php in member/. |
| 5.0 | CVE-2007-5299 MILW0RM SECUNIA | softbizscripts -- Softbiz Jobs and Recruitment Script | SQL injection vulnerability in browsecats.php in Softbiz Jobs and Recruitment Script allows remote attackers to execute arbitrary SQL commands via the cid parameter. |
| 5.0 | CVE-2007-5316 MILW0RM SECUNIA | Softpedia -- LiveAlbum | PHP remote file inclusion vulnerability in common.php in LiveAlbum 0.9.0, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the livealbum_dir parameter. |
| 6.8 | CVE-2007-5315 MILW0RM SECUNIA | splitside -- Directory Image Gallery | Cross-site scripting (XSS) vulnerability in photos.cfm in Directory Image Gallery 1.1 allows remote attackers to inject arbitrary web script or HTML via the backwardDirectory parameter. |
| 4.3 | CVE-2007-5317 OTHER-REF XF | Sun -- JRE Sun -- SDK Sun -- JDK | Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled, allows remote attackers to violate the security model for an applet's outbound connections via a DNS rebinding attack. |
| 4.0 | CVE-2007-5232 OTHER-REF OTHER-REF SUNALERT SECTRACK | Sun -- JRE Sun -- SDK Sun -- JDK | Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used, allows remote attackers to violate the security model for an applet's outbound connections via a multi-pin DNS rebinding attack in which the applet download relies on DNS resolution on the proxy server, but the applet's socket operations rely on DNS resolution on the local machine, a different issue than CVE-2007-5274. NOTE: this is similar to CVE-2007-5232, but affects different product versions. |
| 4.0 | CVE-2007-5273 FULLDISC OTHER-REF SUNALERT SECTRACK | Sun -- JRE Sun -- SDK Mozilla -- Firefox Opera Software -- Opera Web Browser Sun -- JDK | Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows remote attackers to violate the security model for JavaScript outbound connections via a multi-pin DNS rebinding attack dependent on the LiveConnect API, in which JavaScript download relies on DNS resolution by the browser, but JavaScript socket operations rely on separate DNS resolution by a Java Virtual Machine (JVM), a different issue than CVE-2007-5273. NOTE: this is similar to CVE-2007-5232, but affects different product versions. |
| 4.0 | CVE-2007-5274 OTHER-REF SUNALERT SECTRACK | Sun -- Solaris | Unspecified vulnerability in the Virtual File System (VFS) in Sun Solaris 10 allows local users to cause a denial of service (kernel memory consumption) via unspecified vectors. |
| 4.9 | CVE-2007-5367 SUNALERT | Sun -- Solaris | Multiple unspecified vulnerabilities in labeld in Trusted Extensions in Sun Solaris 10 allow local users to cause a denial of service (multiple application hang) via unspecified vectors. |
| 4.9 | CVE-2007-5368 SUNALERT | swmenupro -- swMenuFree Joomla -- Joomla | ** DISPUTED ** PHP remote file inclusion vulnerability in preview.php in the swMenuFree (com_swmenufree) 4.6 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: a reliable third party disputes this issue because preview.php tests a certain constant to prevent direct requests. |
| 6.8 | CVE-2007-5389 BUGTRAQ | Tcl_Tk -- tk toolkit | Buffer overflow in the FileReadGIF function in tkImgGIF.c for Tk Toolkit 8.4.12 and earlier, and 8.3.5 and earlier, allows user-assisted attackers to cause a denial of service (segmentation fault) via an animated GIF in which the first subimage is smaller than a subsequent subimage, which triggers the overflow in the ReadImage function, a different vulnerability than CVE-2007-5137. |
| 4.3 | CVE-2007-5378 OTHER-REF | TorrentTrader -- TorrentTrader | Cross-site scripting (XSS) vulnerability in TorrentTrader Classic 1.07 allows remote attackers to inject arbitrary web script or HTML via the (1) color parameter to pjirc/css.php and the (2) cat parameter to browse.php. |
| 4.3 | CVE-2007-5312 BUGTRAQ MILW0RM BID SECUNIA XF | Trionic -- Cite CMS | Multiple PHP remote file inclusion vulnerabilities in Trionic Cite CMS 1.2 rev9 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the bField[bf_data] parameter to (1) interface/editors/-custom.php or (2) interface/editors/custom.php. |
| 6.8 | CVE-2007-5271 MILW0RM | TYPOlight -- TYPOlight webCMS | Unspecified vulnerability in preview.php in TYPOlight webCMS 2.4.6 allows remote attackers to download arbitrary files via the src parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 5.0 | CVE-2007-5318 SECUNIA | Verlihub-Project -- Verlihub Control Panel | Directory traversal vulnerability in index.php in Verlihub Control Panel (VHCP) 1.7 and earlier allows remote attackers to include arbitrary files via a .. (dot dot) in the page parameter. |
| 6.8 | CVE-2007-5321 MILW0RM BID SECUNIA XF | WebDesktop -- WebDesktop | Multiple PHP remote file inclusion vulnerabilities in WebDesktop 0.1 allow remote attackers to execute arbitrary PHP code via a URL in the (1) app parameter to apps/apps.php and the (2) wsk parameter to wsk/wsk.php. |
| 6.8 | CVE-2007-5388 MILW0RM | webmaster-tips -- Panoramic Picture Viewer | PHP remote file inclusion vulnerability in admin.panoramic.php in the Panoramic Picture Viewer (com_panoramic) mambot (plugin) 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 6.8 | CVE-2007-5363 BID FRSIRT XF | Wesnoth -- Wesnoth | Unspecified vulnerability in the multiplayer engine in Wesnoth before 1.2.7 allows remote servers to cause a denial of service (client application crash) via invalid UTF-8 strings. NOTE: some of these details are obtained from third-party information. |
| 5.0 | CVE-2007-3917 OTHER-REF SECUNIA | wzdftpd -- wzdftpd | Off-by-one error in the do_login_loop function in libwzd-core/wzd_login.c in wzdftpd 0.8.2 and earlier allows remote attackers to cause a denial of service (daemon crash) via a long USER command that triggers a stack-based buffer overflow. NOTE: some of these details are obtained from third party information. |
| 5.0 | CVE-2007-5300 MILW0RM FRSIRT SECUNIA | xKiosk -- xKiosk WEB | PHP remote file inclusion vulnerability in system/funcs/xkurl.php in xKiosk WEB 3.0.1i, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the PEARPATH parameter. |
| 6.8 | CVE-2007-5314 MILW0RM SECUNIA | Yannick Tanguy -- Else If CMS | Multiple PHP remote file inclusion vulnerabilities in ELSEIF CMS Beta 0.6 allow remote attackers to execute arbitrary PHP code via a URL in the (1) contenus parameter to (a) contenus.php; the (2) tpelseifportalrepertoire parameter to (b) votes.php, (c) espaceperso.php, (d) enregistrement.php, (e) commentaire.php, and (f) coeurusr.php in utilisateurs/, and (g) articles/fonctions.php and (h) depot/fonctions.php in moduleajouter/; the (3) corpsdesign parameter to (i) articles/usrarticles.php and (j) depot/usrdepot.php in moduleajouter/; and possibly other files. |
| 6.4 | CVE-2007-5305 BUGTRAQ BID | Yannick Tanguy -- Else If CMS | ELSEIF CMS Beta 0.6 allows remote attackers to obtain sensitive information (full path) via unspecified vectors to utilisateurs/votesresultats.php. |
| 5.0 | CVE-2007-5306 BUGTRAQ BID | Yannick Tanguy -- Else If CMS | ELSEIF CMS Beta 0.6 does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary PHP code by uploading a .php file via externe/swfupload/upload.php. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in ELSEIF CMS. |
| 6.4 | CVE-2007-5307 BUGTRAQ BID | Zomplog -- Zomplog | Zomplog 3.8.1 and earlier stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to download files that were uploaded by users, as demonstrated by obtaining a directory listing via a direct request to /upload and then retrieving individual files. NOTE: in a non-default configuration, the directory listing is denied, but filenames may be predicable. |
| 4.3 | CVE-2007-5278 MILW0RM BID |
|---|
| Low Vulnerabilities |
|---|
| Primary Vendor -- Product | Description |
| CVSS Score | Source & Patch Info | ldapscripts -- ldapscripts | ldapscripts 1.4 and 1.7 sends a password as a command line argument when calling some LDAP programs, which might allow local users to read the password by listing the process and its arguments, as demonstrated by a call to ldappasswd in the _changepassword function. |
| 2.1 | CVE-2007-5373 OTHER-REF SECUNIA | Sun -- Solaris | Unspecified vulnerability in the vuidmice STREAMS modules in Sun Solaris 8, 9, and 10 allows local users with console (/dev/console) access to cause a denial of service ("unusable" system console) via unspecified vectors. |
| 3.5 | CVE-2007-5319 SUNALERT FRSIRT SECTRACK SECUNIA | Sun -- Java Virtual Machine | Interpretation conflict in the Sun Java Virtual Machine (JVM) allows user-assisted remote attackers to conduct a multi-pin DNS rebinding attack and execute arbitrary JavaScript in an intranet context, when an intranet web server has an HTML document that references a "mayscript=true" Java applet through a local relative URI, which may be associated with different IP addresses by the browser and the JVM. |
| 2.6 | CVE-2007-5375 OTHER-REF |
|---|
=
This product is provided subject to this Notification and this Privacy & Use policy.
