Vulnerability Summary for the Week of November 29, 2010

Released
Dec 06, 2010
Document ID
SB10-340

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
apple -- iphone_os | Networking in Apple iOS before 4.2 accesses an invalid pointer during the processing of packet filter rules, which allows local users to gain privileges via unspecified vectors. | 2010-11-26 | 7.2 | CVE-2010-3830 (CONFIRM, APPLE)
artica -- pandora_fms | operation/agentes/networkmap.php in Pandora FMS before 3.1.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the layout parameter in an operation/agentes/networkmap action to index.php. | 2010-12-02 | 9.0 | CVE-2010-4278 (BID, CONFIRM, BUGTRAQ, EXPLOIT-DB)
artica -- pandora_fms | The default configuration of Pandora FMS 3.1 and earlier specifies an empty string for the loginhash_pwd field, which allows remote attackers to bypass authentication by sending a request to index.php with "admin" in the loginhash_user parameter, in conjunction with the md5 hash of "admin" in the loginhash_data parameter. | 2010-12-02 | 10.0 | CVE-2010-4279 (BID, MISC, BUGTRAQ, EXPLOIT-DB)
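The loginhash bypass above rests on a shared secret that is empty out of the box. The following added example is not Pandora FMS code; it assumes the token scheme is md5(user + loginhash_pwd), which the description implies (with an empty secret the accepted token is simply the md5 of "admin"), and contrasts a verifier that accepts such a token with one that refuses to start on an empty secret, uses a keyed MAC, and compares in constant time. Names such as vulnerable_loginhash_ok and issue_token are illustrative.

```python
import hashlib
import hmac
import secrets


class ConfigError(Exception):
    """Raised when the deployment configuration is unusable."""


def vulnerable_loginhash_ok(user: str, token: str, loginhash_pwd: str) -> bool:
    # Assumed token construction: md5(user + shared secret). With the
    # default loginhash_pwd == "" this collapses to md5(user), which anyone
    # can compute without knowing anything secret.
    expected = hashlib.md5((user + loginhash_pwd).encode()).hexdigest()
    return token == expected


def attacker_forged_token(user: str) -> str:
    # What the description says the attacker sends: the md5 of the user name.
    return hashlib.md5(user.encode()).hexdigest()


def _require_secret(loginhash_pwd: str) -> None:
    # Fail closed: an empty or short secret turns the scheme into a public formula.
    if len(loginhash_pwd) < 16:
        raise ConfigError("loginhash_pwd must be a long random secret")


def issue_token(user: str, loginhash_pwd: str) -> str:
    """Mint a token for an external application that shares the secret."""
    _require_secret(loginhash_pwd)
    return hmac.new(loginhash_pwd.encode(), user.encode(), hashlib.sha256).hexdigest()


def hardened_loginhash_ok(user: str, token: str, loginhash_pwd: str) -> bool:
    _require_secret(loginhash_pwd)
    expected = hmac.new(loginhash_pwd.encode(), user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; a length mismatch simply yields False.
    return hmac.compare_digest(token, expected)


def demo() -> dict:
    forged = attacker_forged_token("admin")
    results = {
        # Default (empty) secret: the forged token is accepted.
        "vulnerable_default_config": vulnerable_loginhash_ok("admin", forged, ""),
        # The same weak verifier with a real secret does not accept the forgery.
        "vulnerable_with_secret": vulnerable_loginhash_ok("admin", forged, "s3cr3t-shared-value"),
    }
    try:
        hardened_loginhash_ok("admin", forged, "")
        results["hardened_default_config"] = "accepted"
    except ConfigError:
        results["hardened_default_config"] = "refused: empty secret"
    secret = secrets.token_hex(32)
    results["hardened_forged"] = hardened_loginhash_ok("admin", forged, secret)
    results["hardened_legit"] = hardened_loginhash_ok("admin", issue_token("admin", secret), secret)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point is that the weak verifier is not broken by the hashing choice alone but by a default that leaves the secret empty; a deployment check that refuses to run in that state would have closed the hole even before the MAC and constant-time comparison were introduced.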
artica -- pandora_fms | Multiple SQL injection vulnerabilities in Pandora FMS before 3.1.1 allow remote authenticated users to execute arbitrary SQL commands via (1) the id_group parameter in an operation/agentes/ver_agente action to ajax.php or (2) the group_id parameter in an operation/agentes/estado_agente action to index.php, related to operation/agentes/estado_agente.php. | 2010-12-02 | 7.5 | CVE-2010-4280 (CONFIRM, BID, BUGTRAQ, EXPLOIT-DB, EXPLOIT-DB)
artica -- pandora_fms | Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character. | 2010-12-02 | 7.5 | CVE-2010-4281 (BID, CONFIRM, BUGTRAQ, EXPLOIT-DB)
artica -- pandora_fms | Multiple directory traversal vulnerabilities in Pandora FMS before 3.1.1 allow remote attackers to include and execute arbitrary local files via (1) the page parameter to ajax.php or (2) the id parameter to general/pandora_help.php, and allow remote attackers to include and execute, create, modify, or delete arbitrary local files via (3) the layout parameter to operation/agentes/networkmap.php. | 2010-12-02 | 7.5 | CVE-2010-4282 (BID, CONFIRM, BUGTRAQ, EXPLOIT-DB)
artica -- pandora_fms | PHP remote file inclusion vulnerability in extras/pandora_diag.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the argv[1] parameter. | 2010-12-02 | 7.5 | CVE-2010-4283 (BID, CONFIRM, BUGTRAQ, EXPLOIT-DB)
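The three Pandora FMS entries above (the colon check bypassed by a UNC share path, the traversal in the page and id parameters, and the remote inclusion via a URL) are all failures of the same control: deciding which file a request may include by looking for bad characters. The following added example is not code from Pandora FMS or any other product in this bulletin; it shows a denylist filter of the kind the description implies beside a resolver that canonicalises the path and checks containment in an assumed pages directory. The attack strings and the pages directory layout are constructed for the demonstration; the AWStats configdir and vtiger CRM traversal entries further down share the pattern.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_is_safe(page: str) -> bool:
    # A colon check blocks "http://host/x" and "C:\x" but not a UNC path such
    # as \\host\share\x; a "../" check misses "..\" and percent-encoded forms
    # that the include layer decodes later.
    return ":" not in page and "../" not in page


def hardened_resolve(page: str, base_dir: str) -> str:
    """Return the absolute path of page inside base_dir, or raise ValueError."""
    decoded = unquote(page)
    if decoded != page or "\x00" in decoded:
        raise ValueError("encoded or binary characters in page name")
    # UNC paths start with a backslash, drive letters and URLs carry a colon.
    if decoded.startswith(("/", "\\")) or ":" in decoded:
        raise ValueError("absolute, drive, URL or UNC path rejected")
    # The real control: canonicalise, then confirm the result is under base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.replace("\\", "/") + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    if not os.path.isfile(candidate):
        raise ValueError("no such page")
    return candidate


def demo() -> dict:
    # Constructed attack inputs, not taken from any advisory.
    attacks = {
        "unc": "\\\\attacker\\share\\evil",
        "traversal_fwd": "../../../../etc/passwd",
        "traversal_back": "..\\..\\windows\\win.ini",
        "encoded": "..%2f..%2fetc%2fpasswd",
        "url": "http://attacker/evil",
    }
    with tempfile.TemporaryDirectory() as base:
        # Assumed pages layout: <base>/operation/agentes/networkmap.php
        os.makedirs(os.path.join(base, "operation", "agentes"))
        legit = os.path.join(base, "operation", "agentes", "networkmap.php")
        open(legit, "w").close()
        out = {"vulnerable_filter_passes": [n for n, p in attacks.items() if vulnerable_is_safe(p)]}
        rejected = []
        for name, payload in attacks.items():
            try:
                hardened_resolve(payload, base)
            except ValueError:
                rejected.append(name)
        out["hardened_rejects"] = rejected
        out["hardened_legit"] = hardened_resolve("operation/agentes/networkmap", base) == os.path.realpath(legit)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The character checks in hardened_resolve are only defence in depth; the containment test on the canonicalised path is what actually decides, and it does not need to know every spelling of a traversal or share path.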
awstats -- awstats | awstats.cgi in AWStats before 7.0 accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located on a (1) WebDAV server or (2) NFS server. | 2010-12-02 | 7.5 | CVE-2010-4367 (MISC, CONFIRM)
awstats -- awstats | awstats.cgi in AWStats before 7.0 on Windows accepts a configdir parameter in the URL, which allows remote attackers to execute arbitrary commands via a crafted configuration file located at a UNC share pathname. | 2010-12-02 | 7.5 | CVE-2010-4368 (CERT-VN, MISC, MISC)
boka -- siteengine | SQL injection vulnerability in announcements.php in SiteEngine 5.x allows remote attackers to execute arbitrary SQL commands via the id parameter. | 2010-12-01 | 7.5 | CVE-2008-7267 (BID, BUGTRAQ, MILW0RM, SECUNIA)
boka -- siteengine | SQL injection vulnerability in comments.php in SiteEngine 7.1 allows remote attackers to execute arbitrary SQL commands via the module parameter. | 2010-12-01 | 7.5 | CVE-2010-4357 (BID, EXPLOIT-DB, SECUNIA)
dustincowell -- free_simple_software | SQL injection vulnerability in the download module in Free Simple Software 1.0 allows remote attackers to execute arbitrary SQL commands via the downloads_id parameter in a download_now action to index.php. | 2010-11-26 | 7.5 | CVE-2010-4298 (MISC, BID, BUGTRAQ)
harmistechnology -- com_jeajaxeventcalendar | SQL injection vulnerability in JE Ajax Event Calendar (com_jeajaxeventcalendar) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the event_id parameter in an alleventlist_more action to index.php. | 2010-12-01 | 7.5 | CVE-2010-4365 (BID, EXPLOIT-DB, SECUNIA, MISC)
jurpo -- jurpopage | SQL injection vulnerability in index.php in Jurpopage 0.2.0 allows remote attackers to execute arbitrary SQL commands via the category parameter. | 2010-12-01 | 7.5 | CVE-2010-4359 (VUPEN, BID, EXPLOIT-DB, SECUNIA, MISC)
jurpo -- jurpopage | Multiple SQL injection vulnerabilities in index.php in Jurpopage 0.2.0 allow remote attackers to execute arbitrary SQL commands via the (1) note and (2) pg parameters, different vectors than CVE-2010-4359. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-12-01 | 7.5 | CVE-2010-4360 (BID, SECUNIA)
linux -- kernel | drivers/gpu/drm/i915/i915_gem.c in the Graphics Execution Manager (GEM) in the Intel i915 driver in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.36 does not properly validate pointers to blocks of memory, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via crafted use of the ioctl interface, related to (1) pwrite and (2) pread operations. | 2010-11-26 | 7.2 | CVE-2010-2962 (CONFIRM, CONFIRM, CONFIRM)
linux -- kernel | The sctp_auth_asoc_get_hmac function in net/sctp/auth.c in the Linux kernel before 2.6.36 does not properly validate the hmac_ids array of an SCTP peer, which allows remote attackers to cause a denial of service (memory corruption and panic) via a crafted value in the last element of this array. | 2010-11-26 | 8.3 | CVE-2010-3705 (MLIST, MLIST, CONFIRM, CONFIRM, MLIST, CONFIRM)
micronetsoft -- rv_dealer_website | Multiple SQL injection vulnerabilities in MicroNetsoft RV Dealer Website allow remote attackers to execute arbitrary SQL commands via the (1) selStock parameter to search.asp and the (2) orderBy parameter to showAlllistings.asp. | 2010-12-01 | 7.5 | CVE-2010-4362 (EXPLOIT-DB, SECUNIA)
nullsoft -- winamp | Multiple integer overflows in in_nsv.dll in the in_nsv plugin in Winamp before 5.6 allow remote attackers to execute arbitrary code via a crafted Table of Contents (TOC) in a (1) NSV stream or (2) NSV file that triggers a heap-based buffer overflow. | 2010-12-02 | 9.3 | CVE-2010-2586 (BUGTRAQ, MISC, SECUNIA, CONFIRM, CONFIRM)
nullsoft -- winamp | Multiple integer overflows in the in_midi plugin in Winamp before 5.6 allow remote attackers to have an unspecified impact via a crafted MIDI file that triggers a buffer overflow. NOTE: some of these details are obtained from third party information. | 2010-12-02 | 9.3 | CVE-2010-4370 (SECUNIA, CONFIRM, CONFIRM)
nullsoft -- winamp | Buffer overflow in the in_mod plugin in Winamp before 5.6 allows remote attackers to have an unspecified impact via vectors related to the comment box. | 2010-12-02 | 9.3 | CVE-2010-4371 (CONFIRM, CONFIRM)
nullsoft -- winamp | Integer overflow in the in_nsv plugin in Winamp before 5.6 allows remote attackers to have an unspecified impact via vectors related to improper allocation of memory for NSV metadata, a different vulnerability than CVE-2010-2586. | 2010-12-02 | 9.3 | CVE-2010-4372 (CONFIRM, CONFIRM)
site2nite -- big_truck_broker | SQL injection vulnerability in news_default.asp in Site2Nite Big Truck Broker allows remote attackers to execute arbitrary SQL commands via the txtSiteId parameter. | 2010-12-01 | 7.5 | CVE-2010-4356 (EXPLOIT-DB, SECUNIA, MISC)
wireshark -- wireshark | Heap-based buffer overflow in the dissect_ldss_transfer function (epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark 1.2.0 through 1.2.12 and 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an LDSS packet with a long digest line that triggers memory corruption. | 2010-11-26 | 7.5 | CVE-2010-4300 (CONFIRM, CONFIRM, VUPEN, SECUNIA, OSVDB)



Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
abk-soft -- chameleon_social_networking | Multiple cross-site scripting (XSS) vulnerabilities in forum_new_topic.php in Chameleon Social Networking allow remote attackers to inject arbitrary web script or HTML via the (1) thread_title and (2) thread_description parameters in a message. | 2010-12-01 | 4.3 | CVE-2010-4366 (XF, BID, OSVDB, EXPLOIT-DB, SECUNIA)
apache -- tomcat | Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications. | 2010-11-26 | 4.3 | CVE-2010-4172 (CONFIRM, CONFIRM, VUPEN, BID, BUGTRAQ, CONFIRM, CONFIRM, CONFIRM, SECTRACK, SECUNIA, FULLDISC)
apache -- tomcat | The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie. | 2010-11-26 | 6.4 | CVE-2010-4312 (BUGTRAQ)
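A missing HttpOnly flag, as in the Tomcat 6 default above, is easy to confirm from a captured response without touching the server. The following added check is not Tomcat code or an NVD artifact; it parses Set-Cookie headers and reports cookies that lack HttpOnly or Secure. The two response header sets are constructed for the example (the session ID value is a placeholder), one in the shape of an unhardened Tomcat 6 Manager response and one with the flags present.

```python
from typing import Dict, List, Tuple


def audit_set_cookie(header_value: str) -> Tuple[str, List[str]]:
    """Return (cookie name, list of findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    # Attribute names are case-insensitive; flags such as HttpOnly have no value.
    attrs = {p.partition("=")[0].strip().lower(): p.partition("=")[2].strip() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable via document.cookie, so any XSS in the app can steal it")
    if "secure" not in attrs:
        findings.append("no Secure: also sent over cleartext HTTP")
    return name, findings


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each cookie set by a response to its findings (empty list = clean)."""
    report: Dict[str, List[str]] = {}
    for header_name, value in headers:
        if header_name.lower() == "set-cookie":
            cookie, findings = audit_set_cookie(value)
            report[cookie] = findings
    return report


# Constructed sample responses, not captured from a real server.
DEFAULT_TOMCAT6_STYLE = [
    ("Server", "Apache-Coyote/1.1"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/manager"),
    ("Content-Type", "text/html;charset=ISO-8859-1"),
]

HARDENED = [
    ("Server", "Apache-Coyote/1.1"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/manager; HttpOnly; Secure"),
    ("Content-Type", "text/html;charset=ISO-8859-1"),
]


if __name__ == "__main__":
    for label, headers in (("default", DEFAULT_TOMCAT6_STYLE), ("hardened", HARDENED)):
        for cookie, findings in audit_response(headers).items():
            print(f"{label}: {cookie}: {findings or 'ok'}")
```

On Tomcat 6 the switch is the useHttpOnly="true" attribute on the Context element (conf/context.xml); Tomcat 7 enables it by default. HttpOnly does not stop XSS, it only keeps the stolen-cookie payoff off the table, so it belongs next to, not instead of, the output-encoding fix for the Manager XSS entry above.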
apple -- iphone_os | Apple iOS before 4.2 does not properly validate signatures before displaying a configuration profile in the configuration installation utility, which allows remote attackers to spoof profiles via unspecified vectors. | 2010-11-26 | 4.3 | CVE-2010-3827 (CONFIRM, APPLE)
apple -- iphone_os | iAd Content Display in Apple iOS before 4.2 allows man-in-the-middle attackers to make calls via a crafted URL in an ad. | 2010-11-26 | 4.3 | CVE-2010-3828 (CONFIRM, APPLE)
apple -- iphone_os | WebKit in Apple iOS before 4.2 allows remote attackers to bypass the remote image loading setting in Mail via an HTML LINK element with a DNS prefetching property, as demonstrated by an HTML e-mail message that uses a LINK element for X-Confirm-Reading-To functionality, a related issue to CVE-2010-3813. | 2010-11-26 | 5.8 | CVE-2010-3829 (CONFIRM, APPLE)
apple -- iphone_os | Photos in Apple iOS before 4.2 enables support for HTTP Basic Authentication over an unencrypted connection, which allows man-in-the-middle attackers to read MobileMe account passwords by spoofing a MobileMe Gallery server during a "Send to MobileMe" action. | 2010-11-26 | 4.3 | CVE-2010-3831 (CONFIRM, APPLE)
apple -- iphone_os | Heap-based buffer overflow in the GSM mobility management implementation in Telephony in Apple iOS before 4.2 on the iPhone and iPad allows remote attackers to execute arbitrary code on the baseband processor via a crafted Temporary Mobile Subscriber Identity (TMSI) field. | 2010-11-26 | 6.8 | CVE-2010-3832 (CONFIRM, APPLE)
awstats -- awstats | Open redirect vulnerability in awredir.pl in AWStats before 6.95 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2010-12-02 | 5.8 | CVE-2009-5020 (CONFIRM)
awstats -- awstats | Directory traversal vulnerability in AWStats before 7.0 allows remote attackers to have an unspecified impact via a crafted LoadPlugin directory. | 2010-12-02 | 6.4 | CVE-2010-4369 (CONFIRM)
boka -- siteengine | The phpinfo function in SiteEngine 5.x allows remote attackers to obtain system information by setting the action parameter to php_info in misc.php. | 2010-12-01 | 5.0 | CVE-2008-7268 (XF, BUGTRAQ, MILW0RM, SECUNIA)
boka -- siteengine | Open redirect vulnerability in api.php in SiteEngine 5.x allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter in a logout action. | 2010-12-01 | 5.8 | CVE-2008-7269 (BID, BUGTRAQ, MILW0RM)
cisco -- asa_5500 | The remote-access IPSec VPN implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices, PIX Security Appliances 500 series devices, and VPN Concentrators 3000 series devices responds to an Aggressive Mode IKE Phase I message only when the group name is configured on the device, which allows remote attackers to enumerate valid group names via a series of IKE negotiation attempts, aka Bug ID CSCtj96108, a different vulnerability than CVE-2005-2025. | 2010-11-30 | 5.0 | CVE-2010-4354 (CISCO)
dadabik -- dadabik | DaDaBIK 4.3 beta3, when running in a case-sensitive environment, does not include the htmLawed library, which allows remote attackers to bypass the protection mechanism for CVE-2010-4355 and conduct cross-site scripting (XSS) attacks via the (1) html content and (2) rich_editor fields. NOTE: some of these details are obtained from third party information. | 2010-12-01 | 4.3 | CVE-2010-4364 (XF, BID, CONFIRM, SECUNIA, OSVDB)
dustincowell -- free_simple_software | Free Simple Software 1.0 stores passwords in cleartext, which allows context-dependent attackers to obtain sensitive information. | 2010-11-26 | 5.0 | CVE-2010-4311 (MISC, BUGTRAQ)
freetype -- freetype | Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font. | 2010-11-26 | 6.8 | CVE-2010-3814 (CONFIRM, CONFIRM, APPLE, CONFIRM, CONFIRM)
freetype -- freetype | Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font. | 2010-11-26 | 6.8 | CVE-2010-3855 (CONFIRM, CONFIRM, CONFIRM)
ifdefined -- bugtracker.net | Multiple SQL injection vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the qu_id parameter to bugs.aspx, (2) the row_id parameter to delete_query.aspx, the (3) new_project or (4) us_id parameter to edit_bug.aspx, or (5) the bug_list parameter to massedit.aspx. NOTE: some of these details are obtained from third party information. | 2010-12-02 | 6.5 | CVE-2010-3267 (MISC, SECUNIA, CONFIRM)
jurpo -- jurpopage | Cross-site scripting (XSS) vulnerability in url-gateway.php in Jurpopage 0.2.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-12-01 | 4.3 | CVE-2010-4361 (BID, SECUNIA)
linux -- kernel | drivers/media/video/v4l2-compat-ioctl32.c in the Video4Linux (V4L) implementation in the Linux kernel before 2.6.36 on 64-bit platforms does not validate the destination of a memory copy operation, which allows local users to write to arbitrary kernel memory locations, and consequently gain privileges, via a VIDIOCSTUNER ioctl call on a /dev/video device, followed by a VIDIOCSMICROCODE ioctl call on this device. | 2010-11-26 | 6.2 | CVE-2010-2963 (CONFIRM, CONFIRM, MISC, CONFIRM)
linux -- kernel | The KVM implementation in the Linux kernel before 2.6.36 does not properly reload the FS and GS segment registers, which allows host OS users to cause a denial of service (host OS crash) via a KVM_RUN ioctl call in conjunction with a modified Local Descriptor Table (LDT). | 2010-11-26 | 4.6 | CVE-2010-3698 (CONFIRM, CONFIRM, CONFIRM)
linux -- kernel | The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets. | 2010-11-29 | 4.9 | CVE-2010-4249 (CONFIRM, MLIST, CONFIRM, MLIST, MLIST, CONFIRM, BID, MLIST, EXPLOIT-DB, MLIST, MLIST)
linux -- kernel | The setup_arg_pages function in fs/exec.c in the Linux kernel before 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict the stack memory consumption of the (1) arguments and (2) environment for a 32-bit application on a 64-bit platform, which allows local users to cause a denial of service (system crash) via a crafted exec system call, a related issue to CVE-2010-2240. | 2010-11-30 | 4.9 | CVE-2010-3858 (CONFIRM, MLIST, MLIST, CONFIRM, BID, CONFIRM, EXPLOIT-DB, MISC)
linux -- kernel | Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c. | 2010-11-30 | 4.7 | CVE-2010-4248 (CONFIRM, MLIST, MLIST, CONFIRM, BID, CONFIRM)
mit -- kerberos | MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key. | 2010-12-02 | 4.3 | CVE-2010-1324 (BUGTRAQ, CONFIRM)
mrcgiguy -- guestbook | Multiple cross-site scripting (XSS) vulnerabilities in gb.cgi in MRCGIGUY (MCG) Guestbook 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) email, (3) website, and (4) message parameters. | 2010-12-01 | 4.3 | CVE-2010-4358 (BID, BUGTRAQ, SECUNIA, MISC, MISC)
mrcgiguy -- freeticket | Multiple SQL injection vulnerabilities in contact.php in MRCGIGUY (MCG) FreeTicket 1.0.0, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) email parameters in a showtickets action. | 2010-12-01 | 6.8 | CVE-2010-4363 (BID, BUGTRAQ, OSVDB, SECUNIA, MISC, MISC)
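This bulletin lists a dozen SQL injection entries (Pandora FMS, SiteEngine, Jurpopage, BugTracker.NET and others above, FreeTicket here), and the FreeTicket entry is qualified with "when magic_quotes_gpc is disabled". The following added example is not code from any of those products; it uses an in-memory SQLite table with constructed ticket rows to show the string-concatenated query the entries describe, why quote-escaping of the magic_quotes kind does nothing for an unquoted numeric parameter, and the parameterised form that treats both payloads as data. The addslashes helper reproduces the PHP escaping rule for illustration only; SQLite itself escapes quotes differently from MySQL, which is one more reason escaping is a fragile defence.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data, not taken from any product in the bulletin.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, email TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [
            (1, "alice@example.test", "printer jammed"),
            (2, "bob@example.test", "vpn down"),
            (3, "carol@example.test", "password reset"),
        ],
    )
    return conn


def addslashes(value: str) -> str:
    # What PHP's magic_quotes_gpc applied to every request parameter.
    return (
        value.replace("\\", "\\\\")
        .replace("'", "\\'")
        .replace('"', '\\"')
        .replace("\x00", "\\0")
    )


def vulnerable_show_tickets(conn, ticket_id: str, email: str, magic_quotes: bool) -> list:
    if magic_quotes:
        ticket_id, email = addslashes(ticket_id), addslashes(email)
    # String-built query; the numeric id is interpolated unquoted, as is usual.
    sql = f"SELECT id, email FROM tickets WHERE id = {ticket_id} AND email = '{email}'"
    return conn.execute(sql).fetchall()


def hardened_show_tickets(conn, ticket_id: str, email: str) -> list:
    # Validate the type, then bind both values; neither can alter the statement.
    if not ticket_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT id, email FROM tickets WHERE id = ? AND email = ?"
    return conn.execute(sql, (int(ticket_id), email)).fetchall()


def demo() -> dict:
    conn = build_db()
    out = {}
    out["legit"] = vulnerable_show_tickets(conn, "2", "bob@example.test", magic_quotes=False)
    # 1. Quote-based injection through the string parameter, escaping off.
    out["string_inject"] = len(vulnerable_show_tickets(conn, "2", "x' OR '1'='1", magic_quotes=False))
    # 2. Numeric parameter: the payload has no quote, so addslashes() leaves it
    #    untouched and the comment hides the rest of the WHERE clause.
    out["numeric_inject_with_magic_quotes"] = len(
        vulnerable_show_tickets(conn, "0 OR 1=1 --", "x", magic_quotes=True)
    )
    # 3. Parameterised version: the same payloads are inert.
    out["hardened_string_payload"] = hardened_show_tickets(conn, "2", "x' OR '1'='1")
    try:
        hardened_show_tickets(conn, "0 OR 1=1 --", "x")
        out["hardened_numeric_payload"] = "executed"
    except ValueError:
        out["hardened_numeric_payload"] = "rejected"
    out["hardened_legit"] = hardened_show_tickets(conn, "2", "bob@example.test")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "when magic_quotes_gpc is disabled" qualifier in an advisory therefore describes the condition under which the string vector works, not a configuration that makes the application safe: an integer column injected with "0 OR 1=1 --" dumps the table with magic quotes on or off.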
novo-ws -- orbis_cms | Unrestricted file upload vulnerability in fileman_file_upload.php in Orbis CMS 1.0.2 allows remote authenticated users to execute arbitrary code by uploading a .php file, and then accessing it via a direct request to the file in uploads/. | 2010-12-02 | 6.0 | CVE-2010-4313 (MISC, BID, BUGTRAQ, EXPLOIT-DB)
nullsoft -- winamp | The in_mp4 plugin in Winamp before 5.6 allows remote attackers to cause a denial of service (application crash) via crafted (1) metadata or (2) albumart in an invalid MP4 file. | 2010-12-02 | 4.3 | CVE-2010-4373 (CONFIRM, CONFIRM)
nullsoft -- winamp | The in_mkv plugin in Winamp before 5.6 allows remote attackers to cause a denial of service (application crash) via a Matroska Video (MKV) file containing a string with a crafted length. | 2010-12-02 | 4.3 | CVE-2010-4374 (CONFIRM, CONFIRM)
phpmyadmin -- phpmyadmin | Cross-site scripting (XSS) vulnerability in the PMA_linkOrButton function in libraries/common.lib.php in the database (db) search script in phpMyAdmin 2.11.x before 2.11.11.1 and 3.x before 3.3.8.1 allows remote attackers to inject arbitrary web script or HTML via a crafted request. | 2010-12-02 | 4.3 | CVE-2010-4329 (CONFIRM, CONFIRM, CONFIRM, VUPEN, BID, OSVDB, SECUNIA)
rsa -- adaptive_authentication | Cross-site scripting (XSS) vulnerability in an unspecified Shockwave Flash file in RSA Adaptive Authentication 2.x and 5.7.x allows remote attackers to inject arbitrary web script or HTML via unknown vectors. | 2010-11-26 | 4.3 | CVE-2008-7266 (CONFIRM, VUPEN, SECTRACK, BUGTRAQ, SECUNIA)
vtiger -- vtiger_crm | Incomplete blacklist vulnerability in config.template.php in vtiger CRM before 5.2.1 allows remote authenticated users to execute arbitrary code by using the draft save feature in the Compose Mail component to upload a file with a .phtml extension, and then accessing this file via a direct request to the file in the storage/ directory tree. | 2010-11-26 | 6.0 | CVE-2010-3909 (MISC, BUGTRAQ, MISC, MISC, SECUNIA)
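The vtiger CRM entry above and the Orbis CMS upload entry before it fail in the same way: an uploaded file keeps a name the attacker chose, a short list of forbidden extensions is consulted (or none at all), and the file lands in a web-served directory. The following added example is not code from either product. It puts a denylist of the kind the .phtml bypass defeats next to a naming routine that allows only known extensions, strips directory components and lowercases the extension; the extension sets are assumptions for the demonstration.

```python
import os
import re

# The kind of short denylist that a .phtml (or .php5, .phar) upload walks past.
BLOCKED_EXTENSIONS = {".php"}

# Assumed allowlist for a mail-attachment or file-manager upload.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}


def vulnerable_upload_allowed(filename: str) -> bool:
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLOCKED_EXTENSIONS


def hardened_upload_name(filename: str) -> str:
    """Return the name to store the upload under, or raise ValueError."""
    # Drop any path the client supplied, whichever separator it used.
    base = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    # Remove remaining dots and oddities so "shell.php.jpg" cannot be picked
    # up by a server that maps handlers on the first extension it recognises.
    safe_root = re.sub(r"[^A-Za-z0-9_-]", "_", root)[:64] or "file"
    return safe_root + ext


def hardened_upload_allowed(filename: str) -> bool:
    try:
        hardened_upload_name(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed file names, not from any advisory.
    for name in ["report.PDF", "shell.php", "shell.phtml", "shell.php5", "shell.php.jpg", "../../x.png"]:
        print(f"{name!r}: denylist={vulnerable_upload_allowed(name)} allowlist={hardened_upload_allowed(name)}")
```

Naming is only half of the fix the two entries call for; the other half is that the storage/ and uploads/ directories are reachable by a direct request. Storing uploads outside the document root, or serving them through a handler that sets Content-Disposition and never executes them, removes the code-execution outcome even if a bad extension slips through.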
vtiger -- vtiger_crm | Multiple directory traversal vulnerabilities in the return_application_language function in include/utils/utils.php in vtiger CRM before 5.2.1 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the lang_crm parameter to phprint.php or (2) the current_language parameter in an Accounts Import action to graph.php. | 2010-11-26 | 6.8 | CVE-2010-3910 (MISC, BUGTRAQ, MISC, MISC, SECUNIA)
vtiger -- vtiger_crm | Multiple cross-site scripting (XSS) vulnerabilities in vtiger CRM before 5.2.1 allow remote attackers to inject arbitrary web script or HTML via (1) the username (aka default_user_name) field or (2) the password field in a Users Login action to index.php, or (3) the label parameter in a Settings GetFieldInfo action to index.php, related to modules/Settings/GetFieldInfo.php. | 2010-11-26 | 4.3 | CVE-2010-3911 (MISC, BUGTRAQ, MISC, MISC, SECUNIA)
webwiz -- web_wiz_newspad | Web Wiz NewsPad stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for database/NewsPad.mdb. | 2010-12-01 | 5.0 | CVE-2009-5019 (XF, EXPLOIT-DB, EXPLOIT-DB, MISC)
wireshark -- wireshark | Stack consumption vulnerability in the dissect_ber_unknown function in epan/dissectors/packet-ber.c in the BER dissector in Wireshark 1.4.x before 1.4.1 and 1.2.x before 1.2.12 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a long string in an unknown ASN.1/BER encoded packet, as demonstrated using SNMP. | 2010-11-26 | 5.0 | CVE-2010-3445 (CONFIRM, CONFIRM, MISC, MLIST, MLIST, MANDRIVA, BUGTRAQ)
wireshark -- wireshark | epan/dissectors/packet-zbee-zcl.c in the ZigBee ZCL dissector in Wireshark 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted ZCL packet, related to Discover Attributes. | 2010-11-26 | 5.0 | CVE-2010-4301 (CONFIRM, MISC, CONFIRM, VUPEN, SECUNIA, OSVDB)



Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
dadabik -- dadabik | Cross-site scripting (XSS) vulnerability in DaDaBIK before 4.3 beta2, when the insert or edit feature is enabled, allows remote authenticated users to inject arbitrary web script or HTML via the select_single parameter. | 2010-12-01 | 3.5 | CVE-2010-4355 (XF, BID, CONFIRM, SECUNIA)
ifdefined -- bugtracker.net | Multiple cross-site scripting (XSS) vulnerabilities in BugTracker.NET before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via (1) the pcd parameter to edit_bug.aspx, (2) the bug_id parameter to edit_comment.aspx, (3) the id parameter to edit_user_permissions2.aspx, or (4) the default_name parameter to edit_customfield.aspx. NOTE: some of these details are obtained from third party information. | 2010-12-02 | 3.5 | CVE-2010-3266 (MISC, SECUNIA, CONFIRM)
linux -- kernel | The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the "old shm interface." | 2010-11-29 | 1.9 | CVE-2010-4072 (MLIST, CONFIRM, CONFIRM, MLIST, MLIST, CONFIRM)
linux -- kernel | The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c. | 2010-11-29 | 1.9 | CVE-2010-4073 (CONFIRM, MLIST, MLIST, MLIST, CONFIRM, CONFIRM)
linux -- kernel | The USB subsystem in the Linux kernel before 2.6.36-rc5 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to TIOCGICOUNT ioctl calls, and the (1) mos7720_ioctl function in drivers/usb/serial/mos7720.c and (2) mos7840_ioctl function in drivers/usb/serial/mos7840.c. | 2010-11-29 | 1.9 | CVE-2010-4074 (CONFIRM, MLIST, MLIST, MLIST, MLIST, CONFIRM, MLIST, CONFIRM)
linux -- kernel | The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. | 2010-11-29 | 1.9 | CVE-2010-4075 (CONFIRM, MLIST, MLIST, MLIST, CONFIRM, MLIST, CONFIRM, MLIST)
linux -- kernel | The rs_ioctl function in drivers/char/amiserial.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. | 2010-11-29 | 1.9 | CVE-2010-4076 (CONFIRM, MLIST, MLIST, MLIST, MLIST, MISC, MLIST)
linux -- kernel | The ntty_ioctl_tiocgicount function in drivers/char/nozomi.c in the Linux kernel 2.6.36.1 and earlier does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call. | 2010-11-29 | 1.9 | CVE-2010-4077 (CONFIRM, MLIST, MLIST, MLIST, MISC, MLIST, MLIST)
linux -- kernel | The sisfb_ioctl function in drivers/video/sis/sis_main.c in the Linux kernel before 2.6.36-rc6 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call. | 2010-11-29 | 1.9 | CVE-2010-4078 (CONFIRM, MLIST, MLIST, MLIST, CONFIRM, MLIST, CONFIRM)
linux -- kernel | The ivtvfb_ioctl function in drivers/media/video/ivtv/ivtvfb.c in the Linux kernel before 2.6.36-rc8 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FBIOGET_VBLANK ioctl call. | 2010-11-29 | 1.9 | CVE-2010-4079 (CONFIRM, MLIST, MLIST, MLIST, MLIST, CONFIRM, MLIST, CONFIRM)
linux -- kernel | The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call. | 2010-11-30 | 1.9 | CVE-2010-4080 (CONFIRM, MLIST, MLIST, MLIST, MLIST, CONFIRM, MLIST, CONFIRM)
linux -- kernel | The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call. | 2010-11-30 | 1.9 | CVE-2010-4081 (CONFIRM, MLIST, MLIST, MLIST, MLIST, CONFIRM, MLIST, CONFIRM)
linux -- kernel | The viafb_ioctl_get_viafb_info function in drivers/video/via/ioctl.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a VIAFB_GET_INFO ioctl call. | 2010-11-30 | 1.9 | CVE-2010-4082 (CONFIRM, MLIST, MLIST, MLIST, CONFIRM, MLIST, MLIST, CONFIRM)
linux -- kernel | The copy_semid_to_user function in ipc/sem.c in the Linux kernel before 2.6.36 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via a (1) IPC_INFO, (2) SEM_INFO, (3) IPC_STAT, or (4) SEM_STAT command in a semctl system call. | 2010-11-30 | 1.9 | CVE-2010-4083 (CONFIRM, MLIST, MLIST, MLIST, MLIST, CONFIRM, MLIST, CONFIRM)
mit -- kerberos | MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys. | 2010-12-02 | 2.6 | CVE-2010-1323 (BUGTRAQ, CONFIRM)
mit -- kerberos | MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations. | 2010-12-02 | 3.5 | CVE-2010-4020 (BUGTRAQ, CONFIRM)
mit -- kerberos | The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a "KrbFastReq forgery issue." | 2010-12-02 | 2.1 | CVE-2010-4021 (BUGTRAQ, CONFIRM)
