Vulnerability Summary for the Week of August 16, 2010

Released: Aug 23, 2010
Document ID: SB10-235

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apache -- couchdb | Cross-site request forgery (CSRF) vulnerability in Apache CouchDB 0.8.0 through 0.11.0 allows remote attackers to hijack the authentication of administrators for direct requests to an installation URL. | 2010-08-19 | 7.5 | CVE-2010-2234, CONFIRM, BID, BUGTRAQ, FULLDISC |
| apple -- iphone_os | Multiple stack-based buffer overflows in the cff_decoder_parse_charstrings function in the CFF Type2 CharStrings interpreter in cff/cffgload.c in FreeType before 2.4.2, as used in Apple iOS before 4.0.2 on the iPhone and iPod touch and before 3.2.2 on the iPad, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted CFF opcodes in embedded fonts in a PDF document, as demonstrated by JailbreakMe. NOTE: some of these details are obtained from third party information. | 2010-08-16 | 9.3 | CVE-2010-1797, CONFIRM, CONFIRM, XF, VUPEN, VUPEN, UBUNTU, BID, MISC, EXPLOIT-DB, CONFIRM, CONFIRM, CONFIRM, SECUNIA, SECUNIA, SECUNIA, OSVDB, APPLE, APPLE, CONFIRM, CONFIRM, CONFIRM |
| apple -- quicktime | Stack-based buffer overflow in the error-logging functionality in Apple QuickTime before 7.6.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file. | 2010-08-16 | 9.3 | CVE-2010-1799, BID, CONFIRM, OVAL, APPLE |
| autonomy -- keyview_export_sdk | Heap-based buffer overflow in an unspecified library in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via a crafted compound file, as demonstrated using a Quattro Pro file, which is not properly handled by the Quattro speed reader (qpssr.dll). | 2010-08-17 | 9.3 | CVE-2010-0126, CONFIRM, BID, CONFIRM, MISC |
| autonomy -- keyview_export_sdk | Stack-based buffer overflow in the SpreadSheet Lotus 123 reader (wkssr.dll), as used in Autonomy KeyView 10.4 and 10.9, Symantec Mail Security, and possibly other products, allows remote attackers to execute arbitrary code via unspecified vectors related to floating point conversion in unknown record types. | 2010-08-17 | 9.3 | CVE-2010-0131, CONFIRM, BID, CONFIRM, MISC, MISC |
| autonomy -- keyview_export_sdk | Multiple stack-based buffer overflows in the SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allow remote attackers to execute arbitrary code via unspecified vectors related to "certain records." | 2010-08-17 | 9.3 | CVE-2010-0133, CONFIRM, BID, CONFIRM, MISC |
| autonomy -- keyview_export_sdk | Integer signedness error in rtfsr.dll in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via a crafted ls keyword in a list override table entry in an RTF file, which triggers a buffer overflow. | 2010-08-17 | 10.0 | CVE-2010-0134, CONFIRM, BID, CONFIRM, MISC |
| autonomy -- keyview_export_sdk | Heap-based buffer overflow in the WordPerfect 5.x reader (wosr.dll), as used in Autonomy KeyView 10.4 and 10.9 and possibly other products, allows remote attackers to execute arbitrary code via unspecified vectors related to "data blocks." | 2010-08-17 | 9.3 | CVE-2010-0135, CONFIRM, BID, CONFIRM, MISC |
| autonomy -- keyview_export_sdk | The SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to execute arbitrary code via unspecified vectors related to allocation of an array of pointers and "string indexing," which triggers memory corruption. | 2010-08-17 | 9.3 | CVE-2010-1524, CONFIRM, BID, CONFIRM, MISC |
| autonomy -- keyview_export_sdk | Integer underflow in the SpreadSheet Lotus 123 reader (wkssr.dll) in Autonomy KeyView 10.4 and 10.9, as used in multiple IBM, Symantec, and other products, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted size for an unspecified record type, which triggers a heap-based buffer overflow. | 2010-08-17 | 9.3 | CVE-2010-1525, CONFIRM, BID, CONFIRM, MISC |
| cisco -- ios | Cisco IOS 15.1(2)T allows remote attackers to cause a denial of service (resource consumption and TCP outage) via spoofed TCP packets, related to embryonic TCP connections that remain in the SYN_RCVD or SYN_SENT state, aka Bug ID CSCti18193. | 2010-08-16 | 7.8 | CVE-2010-2827, BID, CISCO |
| cisco -- ace_4710 | Unspecified vulnerability in the RTSP inspection feature on the Cisco Application Control Engine (ACE) Module with software before A2(3.2) for Catalyst 6500 series switches and 7600 series routers, and the Cisco Application Control Engine (ACE) 4710 appliance with software before A3(2.6), allows remote attackers to cause a denial of service (device reload) via crafted RTSP packets over TCP, aka Bug IDs CSCta85227 and CSCtg14858. | 2010-08-17 | 7.8 | CVE-2010-2822, CISCO |
| cisco -- ace_4710 | Unspecified vulnerability in the deep packet inspection feature on the Cisco Application Control Engine (ACE) 4710 appliance with software before A3(2.6) allows remote attackers to cause a denial of service (device reload) via crafted HTTP packets, related to HTTP, RTSP, and SIP inspection, aka Bug ID CSCtb54493. | 2010-08-17 | 7.8 | CVE-2010-2823, CISCO |
| cisco -- ace_module | Unspecified vulnerability on the Cisco Application Control Engine (ACE) Module with software A2(1.x) before A2(1.6), A2(2.x) before A2(2.3), and A2(3.x) before A2(3.1) for Catalyst 6500 series switches and 7600 series routers allows remote attackers to cause a denial of service (device reload) via a sequence of SSL packets, aka Bug ID CSCta20756. | 2010-08-17 | 7.8 | CVE-2010-2824, CISCO |
| cisco -- ace_4710 | Unspecified vulnerability in the SIP inspection feature on the Cisco Application Control Engine (ACE) Module with software A2(1.x) before A2(1.6), A2(2.x) before A2(2.3), and A2(3.x) before A2(3.1) for Catalyst 6500 series switches and 7600 series routers, and the Cisco Application Control Engine (ACE) 4710 appliance with software before A3(2.4), allows remote attackers to cause a denial of service (device reload) via crafted SIP packets over (1) TCP or (2) UDP, aka Bug IDs CSCta65603 and CSCta71569. | 2010-08-17 | 7.8 | CVE-2010-2825, CISCO |
| cisco -- wireless_control_system_software | SQL injection vulnerability in Cisco Wireless Control System (WCS) 6.0.x before 6.0.196.0 allows remote authenticated users to execute arbitrary SQL commands via vectors related to the ORDER BY clause of the Client List screens, aka Bug ID CSCtf37019. | 2010-08-17 | 9.0 | CVE-2010-2826, CISCO |
| freetype -- freetype | The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation. | 2010-08-19 | 9.3 | CVE-2010-2498, MLIST, CONFIRM, CONFIRM, UBUNTU, REDHAT, MANDRIVA, DEBIAN, SECTRACK, MLIST, MLIST, CONFIRM |
| freetype -- freetype | Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment. | 2010-08-19 | 9.3 | CVE-2010-2499, MLIST, CONFIRM, CONFIRM, CONFIRM, UBUNTU, REDHAT, MANDRIVA, DEBIAN, SECTRACK, MLIST, MLIST, CONFIRM, CONFIRM |
| freetype -- freetype | Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. | 2010-08-19 | 9.3 | CVE-2010-2500, CONFIRM, CONFIRM, UBUNTU, REDHAT, REDHAT, MANDRIVA, DEBIAN, SECTRACK, MLIST, MLIST, MLIST, CONFIRM |
| freetype -- freetype | Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file. | 2010-08-19 | 9.3 | CVE-2010-2519, MLIST, CONFIRM, CONFIRM, UBUNTU, REDHAT, MANDRIVA, DEBIAN, SECTRACK, MLIST, MLIST, CONFIRM, CONFIRM |
| freetype -- freetype | FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. | 2010-08-19 | 9.3 | CVE-2010-2807, CONFIRM, CONFIRM, CONFIRM, VUPEN, VUPEN, UBUNTU, BID, CONFIRM, SECUNIA, SECUNIA, MLIST, CONFIRM |
| opera -- opera | Heap-based buffer overflow in Opera before 10.61 allows remote attackers to execute arbitrary code or cause a denial of service (application crash or hang) via vectors related to HTML5 canvas painting operations that occur during the application of transformations. | 2010-08-16 | 9.3 | CVE-2010-3019, CONFIRM, CONFIRM, CONFIRM, CONFIRM |
| oracle -- siebel_option_pack_ie_activex_control | The Oracle Siebel Option Pack for IE ActiveX control does not properly initialize memory that is used by the NewBusObj method, which allows remote attackers to execute arbitrary code via a crafted HTML document. | 2010-08-17 | 9.3 | CVE-2009-3737, CERT-VN, VUPEN, OSVDB, SECUNIA |
| phpkick -- phpkick | SQL injection vulnerability in statistics.php in PHPKick 0.8 allows remote attackers to execute arbitrary SQL commands via the gameday parameter in an overview action. | 2010-08-16 | 7.5 | CVE-2010-3029, EXPLOIT-DB |
| pligg -- pligg_cms | Multiple SQL injection vulnerabilities in Pligg before 1.1.1 allow remote attackers to execute arbitrary SQL commands via the title parameter to (1) storyrss.php or (2) story.php. | 2010-08-16 | 7.5 | CVE-2010-2577, BID, CONFIRM, OSVDB, OSVDB, MISC, SECUNIA |
| pligg -- pligg_cms | SQL injection vulnerability in groupadmin.php in Pligg before 1.1.1 allows remote attackers to execute arbitrary SQL commands via the role parameter, a different vulnerability than CVE-2010-2577. | 2010-08-16 | 7.5 | CVE-2010-3013, BID, CONFIRM, OSVDB, SECUNIA, CONFIRM, CONFIRM |
| sap -- crystal_reports | Integer overflow in the OBGIOPServerWorker::extractHeader function in the ebus-3-3-2-6.dll module in SAP Crystal Reports 2008 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a GIOP packet with a crafted size, which triggers a heap-based buffer overflow. | 2010-08-17 | 9.3 | CVE-2010-3032, MISC, XF, VUPEN, SECTRACK, BID, BUGTRAQ, BUGTRAQ, BUGTRAQ, SECUNIA, OSVDB, MISC |
| swftools -- swftools | Multiple integer overflows in SWFTools 0.9.1 allow remote attackers to execute arbitrary code via (1) a crafted PNG file, related to the getPNG function in lib/png.c; or (2) a crafted JPEG file, related to the jpeg_load function in lib/jpeg.c. | 2010-08-17 | 9.3 | CVE-2010-1516, BUGTRAQ, MISC, SECUNIA |
| tycoon -- baseball_script | SQL injection vulnerability in index.php in Tycoon Baseball Script 1.0.9 allows remote attackers to execute arbitrary SQL commands via the game_id parameter in a game_player action. | 2010-08-16 | 7.5 | CVE-2010-3027, EXPLOIT-DB, SECUNIA, MISC |
| webkit -- webkit | page/Geolocation.cpp in WebCore in WebKit before r56188 does not properly restrict access to the lastPosition function, which has unspecified impact and remote attack vectors, aka rdar problem 7746357. | 2010-08-19 | 10.0 | CVE-2010-1386, CONFIRM, CONFIRM, CONFIRM |
| webkit -- webkit | loader/DocumentThreadableLoader.cpp in the XMLHttpRequest implementation in WebCore in WebKit before r58409 does not properly handle credentials during a cross-origin synchronous request, which has unspecified impact and remote attack vectors, aka rdar problem 7905150. | 2010-08-19 | 10.0 | CVE-2010-1760, CONFIRM, BID, CONFIRM, CONFIRM |
| wireshark -- wireshark | Stack-based buffer overflow in the ASN.1 BER dissector in Wireshark 0.10.13 through 1.0.14 and 1.2.0 through 1.2.9 has unknown impact and remote attack vectors. NOTE: this issue exists because of a CVE-2010-2284 regression. | 2010-08-13 | 10.0 | CVE-2010-2994, CONFIRM, OVAL |
| wireshark -- wireshark | The SigComp Universal Decompressor Virtual Machine (UDVM) in Wireshark 0.10.8 through 1.0.14 and 1.2.0 through 1.2.9 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to sigcomp-udvm.c and an off-by-one error, which triggers a buffer overflow, different vulnerabilities than CVE-2010-2287. | 2010-08-13 | 10.0 | CVE-2010-2995, CONFIRM, CONFIRM, OVAL |



Medium Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apache -- struts | The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. | 2010-08-17 | 5.0 | CVE-2010-1870, BID, OSVDB, EXPLOIT-DB, CONFIRM, FULLDISC, CONFIRM, MISC |
| apache -- cxf | Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632. | 2010-08-19 | 6.4 | CVE-2010-2076, CONFIRM, BID, MLIST, CONFIRM, SECUNIA, SECUNIA, SECUNIA, CONFIRM, CONFIRM, CONFIRM |
| ehulihanapplications -- diamondlist | Multiple cross-site scripting (XSS) vulnerabilities in DiamondList 0.1.6, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) category[description] parameter to user/main/update_category, which is not properly handled by _app/views/categories/index.html.erb; and the (2) setting[site_title] parameter to user/main/update_settings, which is not properly handled by _app/views/settings/_list_settings.rhtml. | 2010-08-16 | 4.3 | CVE-2010-3023, VUPEN, BID, BUGTRAQ, BUGTRAQ, MISC, MISC, SECUNIA, MISC, CONFIRM, CONFIRM |
| ehulihanapplications -- diamondlist | Multiple cross-site request forgery (CSRF) vulnerabilities in user/main/update_user in DiamondList 0.1.6, and possibly earlier, allow remote attackers to hijack the authentication of administrators for requests that (1) change the administrative password or (2) change the site's configuration. | 2010-08-16 | 4.3 | CVE-2010-3024, XF, MISC, EXPLOIT-DB, SECUNIA, MISC, OSVDB, BUGTRAQ, CONFIRM |
| freetype -- freetype | Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. | 2010-08-19 | 6.8 | CVE-2010-2497, MLIST, CONFIRM, CONFIRM, CONFIRM, MANDRIVA, DEBIAN, MLIST, MLIST, CONFIRM |
| freetype -- freetype | Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. | 2010-08-19 | 5.1 | CVE-2010-2520, MLIST, CONFIRM, CONFIRM, UBUNTU, MANDRIVA, DEBIAN, MLIST, MLIST, CONFIRM |
| freetype -- freetype | Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. | 2010-08-19 | 5.0 | CVE-2010-2527, MLIST, CONFIRM, UBUNTU, REDHAT, REDHAT, DEBIAN, SECTRACK, CONFIRM, MLIST, CONFIRM |
| freetype -- freetype | Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. | 2010-08-19 | 4.3 | CVE-2010-2541, CONFIRM, CONFIRM, CONFIRM, VUPEN, UBUNTU, REDHAT, REDHAT, CONFIRM, SECTRACK, SECUNIA |
| freetype -- freetype | The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file. | 2010-08-19 | 6.8 | CVE-2010-2805, BID, CONFIRM, CONFIRM, CONFIRM, VUPEN, VUPEN, UBUNTU, CONFIRM, SECUNIA, SECUNIA, MLIST, CONFIRM |
| freetype -- freetype | Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow. | 2010-08-19 | 6.8 | CVE-2010-2806, CONFIRM, CONFIRM, CONFIRM, CONFIRM, VUPEN, VUPEN, UBUNTU, BID, SECUNIA, SECUNIA, MLIST, CONFIRM, CONFIRM |
| freetype -- freetype | Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font. | 2010-08-19 | 6.8 | CVE-2010-2808, BID, CONFIRM, CONFIRM, CONFIRM, VUPEN, VUPEN, UBUNTU, CONFIRM, SECUNIA, SECUNIA, MLIST, MLIST, CONFIRM, CONFIRM |
| freetype -- freetype | bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string. | 2010-08-19 | 4.3 | CVE-2010-3053, CONFIRM |
| freetype -- freetype | Unspecified vulnerability in FreeType 2.3.9, and other versions before 2.4.2, allows remote attackers to cause a denial of service via vectors involving nested Standard Encoding Accented Character (aka seac) calls, related to psaux.h, cffgload.c, cffgload.h, and t1decode.c. | 2010-08-19 | 5.0 | CVE-2010-3054, CONFIRM |
| glpng -- glpng | Multiple integer overflows in glpng.c in glpng 1.45 allow context-dependent attackers to execute arbitrary code via a crafted PNG image, related to (1) the pngLoadRawF function and (2) the pngLoadF function, leading to heap-based buffer overflows. | 2010-08-16 | 6.8 | CVE-2010-1519, BUGTRAQ, MISC, SECUNIA |
| libvirt -- libvirt | Red Hat libvirt, possibly 0.6.1 through 0.8.2, looks up disk backing stores without referring to the user-defined main disk format, which might allow guest OS users to read arbitrary files on the host OS, and possibly have unspecified other impact, via unknown vectors. | 2010-08-19 | 4.9 | CVE-2010-2237, CONFIRM, FEDORA, FEDORA, MISC |
| microsoft -- windows_2003_server | Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 SP2 and R2, and Windows 7 allow local users to gain privileges by leveraging access to a process with NetworkService credentials, as demonstrated by TAPI Server, SQL Server, and IIS processes, and related to the Windows Service Isolation feature. NOTE: the vendor states that privilege escalation from NetworkService to LocalSystem does not cross a "security boundary." | 2010-08-16 | 6.8 | CVE-2010-1886, MSKB, MSKB, CONFIRM |
| mozilla -- bugzilla | Search.pm in Bugzilla 2.19.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 allows remote attackers to determine the group memberships of arbitrary users via vectors involving the Search interface, boolean charts, and group-based pronouns. | 2010-08-16 | 5.0 | CVE-2010-2756, CONFIRM, CONFIRM, VUPEN, BID, CONFIRM, SECUNIA |
| mozilla -- bugzilla | The sudo feature in Bugzilla 2.22rc1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 does not properly send impersonation notifications, which makes it easier for remote authenticated users to impersonate other users without discovery. | 2010-08-16 | 6.5 | CVE-2010-2757, CONFIRM, CONFIRM, VUPEN, BID, CONFIRM, SECUNIA |
| mozilla -- bugzilla | Bugzilla 2.17.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2 generates different error messages depending on whether a product exists, which makes it easier for remote attackers to guess product names via unspecified use of the (1) Reports or (2) Duplicates page. | 2010-08-16 | 5.0 | CVE-2010-2758, CONFIRM, CONFIRM, CONFIRM, VUPEN, BID, CONFIRM, SECUNIA |
| mozilla -- bugzilla | Bugzilla 2.23.1 through 3.2.7, 3.3.1 through 3.4.7, 3.5.1 through 3.6.1, and 3.7 through 3.7.2, when PostgreSQL is used, does not properly handle large integers in (1) bug and (2) attachment phrases, which allows remote authenticated users to cause a denial of service (bug invisibility) via a crafted comment. | 2010-08-16 | 4.0 | CVE-2010-2759, CONFIRM, CONFIRM, VUPEN, BID, CONFIRM, SECUNIA |
| openssl -- openssl | Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue. | 2010-08-17 | 4.3 | CVE-2010-2939, VUPEN, MLIST, MLIST, MLIST, MLIST, SECTRACK, SECUNIA, FULLDISC |
| opera -- opera | Opera before 10.61 does not properly suppress clicks on download dialogs that became visible after a recent tab change, which allows remote attackers to conduct clickjacking attacks, and consequently execute arbitrary code, via vectors involving (1) closing a tab or (2) hiding a tab, a related issue to CVE-2005-2407. | 2010-08-16 | 6.8 | CVE-2010-2576, BUGTRAQ, CONFIRM, CONFIRM, CONFIRM, CONFIRM, MISC |
| opera -- opera | The news-feed preview feature in Opera before 10.61 does not properly remove scripts, which allows remote attackers to force subscriptions to arbitrary feeds via crafted content. | 2010-08-16 | 5.0 | CVE-2010-3020, CONFIRM, CONFIRM, CONFIRM, CONFIRM |
| opera -- opera | Unspecified vulnerability in Opera before 10.61 allows remote attackers to cause a denial of service (CPU consumption and application hang) via an animated PNG image. | 2010-08-16 | 4.3 | CVE-2010-3021, CONFIRM, CONFIRM, CONFIRM |
| squirrelmail -- squirrelmail | functions/imap_general.php in SquirrelMail before 1.4.21 does not properly handle 8-bit characters in passwords, which allows remote attackers to cause a denial of service (disk consumption) by making many IMAP login attempts with different usernames, leading to the creation of many preferences files. | 2010-08-19 | 5.0 | CVE-2010-2813, CONFIRM, XF, VUPEN, VUPEN, BID, DEBIAN, CONFIRM, CONFIRM, SECUNIA, SECUNIA, FEDORA, FEDORA |
| tomaz-muraus -- open_blog | Multiple cross-site scripting (XSS) vulnerabilities in Tomaz Muraus Open Blog 1.2.1, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) excerpt parameter to application/modules/admin/controllers/posts.php, as reachable by admin/posts/edit; and the (2) content parameter to application/modules/admin/controllers/pages.php, as reachable by admin/posts/edit. | 2010-08-16 | 4.3 | CVE-2010-3025, XF, BID, BUGTRAQ, BUGTRAQ, MISC, MISC, SECUNIA, MISC |
| tomaz-muraus -- open_blog | Cross-site request forgery (CSRF) vulnerability in application/modules/admin/controllers/users.php in Tomaz Muraus Open Blog 1.2.1, and possibly earlier, allows remote attackers to hijack the authentication of administrators for requests to admin/users/edit that grant administrative privileges. | 2010-08-16 | 4.3 | CVE-2010-3026, XF, BUGTRAQ, MISC, EXPLOIT-DB, SECUNIA, MISC, OSVDB |
| tomaz-muraus -- open_blog | Cross-site request forgery (CSRF) vulnerability in Tomaz Muraus Open Blog 1.2.1, and possibly earlier, allows remote attackers to hijack the authentication of administrators for requests that change the administrative password. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-08-17 | 4.3 | CVE-2010-3030, SECUNIA |
| uzbl -- uzbl | The default configuration of the <Button2> binding in Uzbl before 2010.08.05 does not properly use the @SELECTED_URI feature, which allows user-assisted remote attackers to execute arbitrary commands via a crafted HREF attribute of an A element in an HTML document. | 2010-08-19 | 6.8 | CVE-2010-2809, CONFIRM, CONFIRM, XF, CONFIRM, CONFIRM, BID, MLIST, MLIST, CONFIRM, CONFIRM |
| wireshark -- wireshark | packet-gsm_a_rr.c in the GSM A RR dissector in Wireshark 1.2.2 through 1.2.9 allows remote attackers to cause a denial of service (crash) via unknown vectors that trigger a NULL pointer dereference. | 2010-08-13 | 5.0 | CVE-2010-2992, CONFIRM, CONFIRM, OVAL |
| wireshark -- wireshark | The IPMI dissector in Wireshark 1.2.0 through 1.2.9 allows remote attackers to cause a denial of service (infinite loop) via unknown vectors. | 2010-08-13 | 5.0 | CVE-2010-2993, CONFIRM, OVAL |
| znc -- znc | Client.cpp in ZNC 0.092 allows remote attackers to cause a denial of service (exception and daemon crash) via a PING command that lacks an argument. | 2010-08-17 | 5.0 | CVE-2010-2812, CONFIRM, CONFIRM, CONFIRM, VUPEN, BID, SECUNIA, SECUNIA, MLIST, MLIST, MLIST, FEDORA, FEDORA |
| znc -- znc | Multiple unspecified vulnerabilities in ZNC 0.092 allow remote attackers to cause a denial of service (exception and daemon crash) via unknown vectors related to "unsafe substr() calls." | 2010-08-17 | 5.0 | CVE-2010-2934, CONFIRM, CONFIRM, VUPEN, BID, SECUNIA, SECUNIA, MLIST, MLIST, MLIST, FEDORA, FEDORA |



Low Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apache -- derby | The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution. | 2010-08-16 | 2.1 | CVE-2009-4269, CONFIRM, MISC, CONFIRM, MISC |
| drupal -- devel_module | Cross-site scripting (XSS) vulnerability in the Performance logging module in the Devel module 5.x before 5.x-1.3 and 6.x before 6.x-1.21 for Drupal allows remote authenticated users, with add url aliases and report access permissions, to inject arbitrary web script or HTML via crafted node paths in a URL. | 2010-08-16 | 2.6 | CVE-2010-3022, BID, CONFIRM, CONFIRM, XF, SECUNIA, OSVDB, CONFIRM |
| libvirt -- libvirt | Red Hat libvirt, possibly 0.7.2 through 0.8.2, recurses into disk-image backing stores without extracting the defined disk backing-store format, which might allow guest OS users to read arbitrary files on the host OS, and possibly have unspecified other impact, via unknown vectors. | 2010-08-19 | 2.1 | CVE-2010-2238, CONFIRM, FEDORA, FEDORA, MISC |
| libvirt -- libvirt | Red Hat libvirt, possibly 0.6.0 through 0.8.2, creates new images without setting the user-defined backing-store format, which allows guest OS users to read arbitrary files on the host OS via unspecified vectors. | 2010-08-19 | 2.1 | CVE-2010-2239, CONFIRM, VUPEN, REDHAT, FEDORA, FEDORA, MISC |
| libvirt -- libvirt | Red Hat libvirt 0.2.0 through 0.8.2 creates iptables rules with improper mappings of privileged source ports, which allows guest OS users to bypass intended access restrictions by leveraging IP address and source-port values, as demonstrated by copying and deleting an NFS directory tree. | 2010-08-19 | 2.1 | CVE-2010-2242, CONFIRM, CONFIRM, VUPEN, REDHAT, FEDORA, FEDORA, CONFIRM |
| redhat -- directory_server | The (1) setup-ds.pl and (2) setup-ds-admin.pl setup scripts for Red Hat Directory Server 8 before 8.2 use world-readable permissions when creating cache files, which allows local users to obtain sensitive information including passwords for Directory and Administration Server administrative accounts. | 2010-08-17 | 2.1 | CVE-2010-2241, CONFIRM, SECTRACK, OSVDB, SECUNIA, REDHAT |
| simon_philips -- aardvertiser | The Aardvertiser component before 2.2.1 for Joomla! uses insecure permissions (777) in unspecified folders, which allows local users to modify, create, or delete certain files. | 2010-08-16 | 3.6 | CVE-2010-3028, XF, BID, OSVDB, CONFIRM, SECUNIA |
| wyse -- thinos | Buffer overflow in Wyse ThinOS HF 4.4.079i, and possibly other versions before ThinOS 6.5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string to the LPD service. | 2010-08-17 | 0.0 | CVE-2010-3031, CERT-VN, CONFIRM |
