Vulnerability Summary for the Week of September 27, 2010

Released: Oct 04, 2010
Document ID: SB10-277

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
alex_kellner -- powermail | SQL injection vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2010-09-24 | 7.5 | CVE-2010-3604; CONFIRM, CONFIRM, SECUNIA
google -- chrome | Use-after-free vulnerability in page/Geolocation.cpp in WebCore in WebKit before r59859, as used in Google Chrome before 5.0.375.70, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted web site, related to failure to stop timers associated with geolocation upon deletion of a document. | 2010-09-24 | 9.3 | CVE-2010-1772; CONFIRM, CONFIRM, VUPEN, CONFIRM, SECUNIA, SECUNIA, FEDORA, FEDORA, CONFIRM, CONFIRM
google -- chrome | Off-by-one error in the toAlphabetic function in rendering/RenderListMarker.cpp in WebCore in WebKit before r39508, as used in Google Chrome before 5.0.375.70, allows remote attackers to obtain sensitive information, cause a denial of service (memory corruption and application crash), or possibly execute arbitrary code via vectors related to list markers for HTML lists, aka rdar problem 8009118. | 2010-09-24 | 9.3 | CVE-2010-1773; CONFIRM, CONFIRM, VUPEN, CONFIRM, SECUNIA, SECUNIA, FEDORA, FEDORA, CONFIRM, CONFIRM
google -- chrome | Use-after-free vulnerability in WebKit before r65958, as used in Google Chrome before 6.0.472.59, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger use of document APIs such as document.close during parsing, as demonstrated by a Cascading Style Sheets (CSS) file referencing an invalid SVG font, aka rdar problem 8442098. | 2010-09-24 | 9.3 | CVE-2010-1823; CONFIRM, CONFIRM, CONFIRM, CONFIRM
google -- chrome | Use-after-free vulnerability in WebKit, as used in Google Chrome before 6.0.472.59, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to SVG styles. | 2010-09-24 | 9.3 | CVE-2010-1824; CONFIRM, CONFIRM, CONFIRM
google -- chrome | Use-after-free vulnerability in WebKit, as used in Google Chrome before 6.0.472.59, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to nested SVG elements. | 2010-09-24 | 9.3 | CVE-2010-1825; CONFIRM, CONFIRM, CONFIRM
invisionpower -- ibphotohost | SQL injection vulnerability in index.php in ibPhotohost 1.1.2 allows remote attackers to execute arbitrary SQL commands via the img parameter. | 2010-09-24 | 7.5 | CVE-2010-3601; VUPEN, BID, EXPLOIT-DB, MISC
linux -- kernel | The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a "stack pointer underflow" issue, as exploited in the wild in September 2010. | 2010-09-24 | 7.2 | CVE-2010-3081; CONFIRM, CONFIRM, CONFIRM, MISC, MLIST, SUSE, MISC, CONFIRM, MISC, FULLDISC, FULLDISC
wire_plastic_design -- wpquiz | Multiple SQL injection vulnerabilities in wpQuiz 2.7 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) password (pw) parameters to (a) admin.php or (b) user.php. | 2010-09-24 | 7.5 | CVE-2010-3608; BID, EXPLOIT-DB, MISC



Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
alex_kellner -- powermail | Cross-site scripting (XSS) vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2010-09-24 | 4.3 | CVE-2010-3605; CONFIRM, CONFIRM, SECUNIA
bzip -- bzip2 | Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file. | 2010-09-28 | 5.1 | CVE-2010-0405; CONFIRM, CONFIRM, UBUNTU, UBUNTU, UBUNTU, REDHAT, CONFIRM, SECUNIA, SECUNIA, MLIST
dietrich_ayala -- nusoap | Cross-site scripting (XSS) vulnerability in NuSOAP 0.9.5, as used in MantisBT and other products, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to an arbitrary PHP script that uses NuSOAP classes. | 2010-09-28 | 4.3 | CVE-2010-3070; CONFIRM, CONFIRM, BID, MLIST, MLIST, CONFIRM, CONFIRM, MLIST, FEDORA, FEDORA, CONFIRM, CONFIRM, CONFIRM, CONFIRM
dovecot -- dovecot | The ACL plugin in Dovecot 1.2.x before 1.2.13 propagates INBOX ACLs to newly created mailboxes in certain configurations, which might allow remote attackers to read mailboxes that have unintended weak ACLs. | 2010-09-24 | 6.4 | CVE-2010-3304; MLIST, BID, MLIST, MLIST, SUSE
freepbx -- freepbx | Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a .. (dot dot) in the usersnum parameter to admin/config.php, as demonstrated by creating a .php file under the web root. | 2010-09-28 | 6.5 | CVE-2010-3490; MISC, BID, BUGTRAQ, MISC, EXPLOIT-DB
google -- chrome | Cross-site request forgery (CSRF) vulnerability in loader/DocumentThreadableLoader.cpp in WebCore in WebKit before r57041, as used in Google Chrome before 4.1.249.1059, allows remote attackers to hijack the authentication of unspecified victims via a crafted synchronous preflight XMLHttpRequest operation. | 2010-09-24 | 6.8 | CVE-2010-1767; CONFIRM, BID, CONFIRM, CONFIRM, SECUNIA, OSVDB, CONFIRM, CONFIRM
hp -- system_management_homepage | Open redirect vulnerability in HP System Management Homepage (SMH) before 6.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2010-09-24 | 4.3 | CVE-2010-3283; HP, HP
hp -- system_management_homepage | Unspecified vulnerability in HP System Management Homepage (SMH) before 6.2 allows remote attackers to obtain sensitive information via unknown vectors. | 2010-09-24 | 4.3 | CVE-2010-3284; HP, HP
hp -- openview_network_node_manager | Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to cause a denial of service via unknown vectors. | 2010-09-24 | 5.0 | CVE-2010-3285; HP, HP
libtiff -- libtiff | LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF image. | 2010-09-28 | 6.8 | CVE-2010-3087; CONFIRM, CONFIRM, SUSE
netartmedia -- real_estate_portal | Multiple directory traversal vulnerabilities in AGENTS/index.php in NetArt MEDIA Real Estate Portal 2.0 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) folder and (2) action parameters. | 2010-09-24 | 6.8 | CVE-2010-3606; XF, BID, SECUNIA, MISC, OSVDB
netartmedia -- real_estate_portal | Cross-site scripting (XSS) vulnerability in AGENTS/index.php in NetArt MEDIA Real Estate Portal 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the id parameter. | 2010-09-24 | 4.3 | CVE-2010-3607; XF, BID, SECUNIA, MISC, OSVDB
pecl-php -- alternative_php_cache | Cross-site scripting (XSS) vulnerability in apc.php in the Alternative PHP Cache (APC) extension before 3.1.4 for PHP allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2010-09-24 | 4.3 | CVE-2010-3294; VUPEN, MLIST, MLIST, MLIST, CONFIRM
php -- php | Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2094. | 2010-09-28 | 6.8 | CVE-2010-2950; CONFIRM, CONFIRM, CONFIRM, MISC, SUSE
roundup -- roundup | Cross-site scripting (XSS) vulnerability in cgi/client.py in Roundup before 1.4.14 allows remote attackers to inject arbitrary web script or HTML via the template argument to the /issue program. | 2010-09-24 | 4.3 | CVE-2010-2491; CONFIRM, BID, MLIST, MLIST, MLIST, SECUNIA, SECUNIA, CONFIRM, CONFIRM, FEDORA, FEDORA, FEDORA, CONFIRM, CONFIRM
rsa -- authentication_agent_for_web | Directory traversal vulnerability in RSA Authentication Agent 7.0 before P2 for Web allows remote attackers to read unspecified data via unknown vectors. | 2010-09-24 | 5.0 | CVE-2010-3261; BID, BUGTRAQ
salvo_g._tomaselli -- weborf | Directory traversal vulnerability in the modURL function in instance.c in Weborf before 0.12.3 allows remote attackers to read arbitrary files via ..%2f sequences in a URI. | 2010-09-24 | 5.0 | CVE-2010-3306; CONFIRM, OSVDB, MLIST, MLIST, EXPLOIT-DB, SECUNIA, CONFIRM
sourcetreesolutions -- mojoportal | Cross-site scripting (XSS) vulnerability in ProfileView.aspx in mojoPortal 2.3.4.3 and 2.3.5.1 allows remote attackers to inject arbitrary web script or HTML via the User ID parameter. NOTE: some of these details are obtained from third party information. | 2010-09-24 | 4.3 | CVE-2010-3602; CONFIRM, XF, BID, EXPLOIT-DB, SECUNIA, MISC, MISC, OSVDB
sourcetreesolutions -- mojoportal | Cross-site request forgery (CSRF) vulnerability in the file manager service (Services/FileService.ashx) in mojoPortal 2.3.4.3 and 2.3.5.1 allows remote attackers to hijack the authentication of administrators for requests that rename arbitrary files, as demonstrated by causing the user.config file to be moved, leading to a denial of service (service stop) and possibly the exposure of sensitive information. | 2010-09-24 | 6.8 | CVE-2010-3603; CONFIRM, XF, EXPLOIT-DB, SECUNIA, MISC, MISC, OSVDB



Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
vmware -- player | The installer in VMware Workstation 7.x before 7.1.2 build 301548 and VMware Player 3.x before 3.1.2 build 301548 renders an index.htm file if present in the installation directory, which might allow local users to trigger unintended interpretation of web script or HTML by creating this file. | 2010-09-28 | 2.1 | CVE-2010-3277; VUPEN, CONFIRM, SECTRACK, SECUNIA, MLIST
