Vulnerability Summary for the Week of August 23, 2010

Released: Aug 30, 2010
Document ID: SB10-242

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
3dftp -- 3d-ftp_client | Directory traversal vulnerability in SiteDesigner Technologies, Inc. 3D-FTP Client 9.0 build 2, and probably earlier versions, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename. | 2010-08-20 | 9.3 | CVE-2010-3102, MISC
adobe -- photoshop | Untrusted search path vulnerability in Adobe PhotoShop CS2 through CS5 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll or Wintab32.dll that is located in the same folder as a PSD or other file that is processed by PhotoShop. NOTE: some of these details are obtained from third party information. | 2010-08-26 | 9.3 | CVE-2010-3127, VUPEN, SECUNIA, MISC
adobe -- dreamweaver | Untrusted search path vulnerability in Adobe Dreamweaver CS5 11.0 build 4916, build 4909, and probably other versions, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) mfc90loc.dll or (2) dwmapi.dll that is located in the same folder as a CSS, PHP, ASP, or other file that automatically launches Dreamweaver. | 2010-08-26 | 9.3 | CVE-2010-3132, VUPEN, EXPLOIT-DB, SECUNIA
adobe -- shockwave_player | Adobe Shockwave Player before 11.5.8.612 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. | 2010-08-26 | 10.0 | CVE-2010-2863, CONFIRM
adobe -- shockwave_player | IML32.dll in Adobe Shockwave Player before 11.5.8.612 does not properly parse .dir files, which allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a malformed file containing an invalid value, as demonstrated by a value at position 0x24C6 of a certain file. | 2010-08-26 | 9.3 | CVE-2010-2864, CONFIRM, BUGTRAQ
adobe -- shockwave_player | Integer signedness error in the DIRAPI module in Adobe Shockwave Player before 11.5.8.612 allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a count value associated with an "undocumented structure" and the tSAC chunk in a Director movie. | 2010-08-26 | 9.3 | CVE-2010-2866, CONFIRM, BUGTRAQ, MISC
adobe -- shockwave_player | DIRAPIX.dll in Adobe Shockwave Player before 11.5.8.612 does not properly handle a certain return value associated with the rcsL chunk in a Director movie, which allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted movie, related to a "pointer offset vulnerability." | 2010-08-26 | 9.3 | CVE-2010-2867, CONFIRM, BUGTRAQ, MISC
adobe -- shockwave_player | IML32.dll in Adobe Shockwave Player before 11.5.8.612 does not properly parse .dir files, which allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a malformed file containing an invalid value, as demonstrated by a value at position 0x320D of a certain file. | 2010-08-26 | 9.3 | CVE-2010-2868, CONFIRM, BUGTRAQ
adobe -- shockwave_player | IML32.dll in Adobe Shockwave Player before 11.5.8.612 does not properly parse .dir files, which allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a malformed file containing an invalid value, as demonstrated by a value at position 0x3712 of a certain file. | 2010-08-26 | 9.3 | CVE-2010-2869, CONFIRM, BUGTRAQ
adobe -- shockwave_player | DIRAPIX.dll in Adobe Shockwave Player before 11.5.8.612 does not properly validate a certain chunk size in the mmap chunk in a Director movie, which allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted movie. | 2010-08-26 | 9.3 | CVE-2010-2870, CONFIRM, BUGTRAQ, MISC
adobe -- shockwave_player | Integer overflow in the 3D object functionality in Adobe Shockwave Player before 11.5.8.612 allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted size value in a 0xFFFFFF45 RIFF record in a Director movie. | 2010-08-26 | 9.3 | CVE-2010-2871, CONFIRM, MISC, BUGTRAQ
adobe -- shockwave_player | Adobe Shockwave Player before 11.5.8.612 does not properly validate an offset value in the pami RIFF chunk in a Director movie, which allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted movie. | 2010-08-26 | 9.3 | CVE-2010-2872, CONFIRM, MISC, BUGTRAQ
adobe -- shockwave_player | Adobe Shockwave Player before 11.5.8.612 does not properly validate offset values in the rcsL RIFF chunks of (1) .DIR and (2) .DCR Director movies, which allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted movie. | 2010-08-26 | 9.3 | CVE-2010-2873, CONFIRM, MISC, BUGTRAQ
adobe -- shockwave_player | Integer signedness error in Adobe Shockwave Player before 11.5.8.612 allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a length value associated with the tSAC chunk in a Director movie. | 2010-08-26 | 9.3 | CVE-2010-2875, CONFIRM, IDEFENSE
adobe -- shockwave_player | Adobe Shockwave Player before 11.5.8.612 does not properly validate values associated with buffer-size calculation for a 0xFFFFFFF8 record in a (1) .dir or (2) .dcr Director movie, which allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted movie. | 2010-08-26 | 9.3 | CVE-2010-2876, CONFIRM, MISC, BUGTRAQ
adobe -- shockwave_player | Adobe Shockwave Player before 11.5.8.612 does not properly validate a count value in a Director movie, which allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted movie, related to IML32X.dll and DIRAPIX.dll. | 2010-08-26 | 9.3 | CVE-2010-2877, CONFIRM, BUGTRAQ, MISC
adobe -- shockwave_player | DIRAPIX.dll in Adobe Shockwave Player before 11.5.8.612 does not properly validate a value associated with a buffer seek for a Director movie, which allows remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted movie. | 2010-08-26 | 9.3 | CVE-2010-2878, CONFIRM, BUGTRAQ, MISC
adobe -- shockwave_player | Multiple integer overflows in the allocator in the TextXtra.x32 module in Adobe Shockwave Player before 11.5.8.612 allow remote attackers to cause a denial of service (heap memory corruption) or execute arbitrary code via a crafted (1) element count or (2) element size value in a file. | 2010-08-26 | 9.3 | CVE-2010-2879, CONFIRM, BUGTRAQ, MISC
adobe -- shockwave_player | DIRAPI.dll in Adobe Shockwave Player before 11.5.8.612 does not properly parse .dir files, which allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a malformed file containing an invalid value, as demonstrated by a value at position 0x47 of a certain file. | 2010-08-26 | 9.3 | CVE-2010-2880, CONFIRM, BUGTRAQ
adobe -- shockwave_player | IML32.dll in Adobe Shockwave Player before 11.5.8.612 does not properly parse .dir files, which allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a malformed file containing an invalid value, as demonstrated by a value at position 0x24C0 of a certain file. | 2010-08-26 | 9.3 | CVE-2010-2881, CONFIRM, BUGTRAQ
adobe -- shockwave_player | DIRAPI.dll in Adobe Shockwave Player before 11.5.8.612 does not properly parse .dir files, which allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a malformed file containing an invalid value, as demonstrated by a value at position 0x3812 of a certain file. | 2010-08-26 | 9.3 | CVE-2010-2882, CONFIRM, BUGTRAQ
apple -- itunes | Untrusted search path vulnerability in Apple iTunes before 9.1, when running on Windows 7, Vista, and XP, allows local users and possibly remote attackers to gain privileges via a Trojan horse DLL in the current working directory. | 2010-08-20 | 9.3 | CVE-2010-1795, XF, BID, BUGTRAQ, MISC, CONFIRM
artifex -- afpl_ghostscript | Off-by-one error in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document. | 2010-08-26 | 9.3 | CVE-2009-3743, MISC, CERT-VN
avast -- avast_antivirus_free | Untrusted search path vulnerability in avast! Free Antivirus version 5.0.594 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse mfc90loc.dll that is located in the same folder as an avast license (.avastlic) file. | 2010-08-26 | 9.3 | CVE-2010-3126, VUPEN, EXPLOIT-DB, SECUNIA
cisco -- packet_tracer | Untrusted search path vulnerability in Cisco Packet Tracer 5.2 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll that is located in the same folder as a .pkt or .pkz file. | 2010-08-26 | 9.3 | CVE-2010-3135, EXPLOIT-DB
cisco -- unified_communications_manager | The SIPStationInit implementation in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.1SU before 6.1(5)SU1, 7.0SU before 7.0(2a)SU3, 7.1SU before 7.1(3b)SU2, 7.1 before 7.1(5), and 8.0 before 8.0(1) allows remote attackers to cause a denial of service (process failure) via a malformed SIP message, aka Bug ID CSCtd17310. | 2010-08-26 | 7.8 | CVE-2010-2837, CISCO
cisco -- unified_communications_manager | The SendCombinedStatusInfo implementation in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 7.0SU before 7.0(2a)SU3, 7.1 before 7.1(5), and 8.0 before 8.0(3) allows remote attackers to cause a denial of service (process failure) via a malformed SIP REGISTER message, aka Bug ID CSCtf66305. | 2010-08-26 | 7.8 | CVE-2010-2838, CISCO
cisco -- unified_presence_server | SIPD in Cisco Unified Presence 6.x before 6.0(7) and 7.x before 7.0(8) allows remote attackers to cause a denial of service (stack memory corruption and process failure) via a malformed SIP message, aka Bug ID CSCtd14474. | 2010-08-26 | 7.8 | CVE-2010-2839, CISCO
cisco -- unified_presence_server | The Presence Engine (PE) service in Cisco Unified Presence 6.x before 6.0(7) and 7.x before 7.0(8) does not properly handle an erroneous Contact field in the header of a SIP SUBSCRIBE message, which allows remote attackers to cause a denial of service (process failure) via a malformed message, aka Bug ID CSCtd39629. | 2010-08-26 | 7.8 | CVE-2010-2840, CISCO
deskshare -- auto_ftp_manager | Directory traversal vulnerability in DeskShare AutoFTP Manager 4.31, and probably earlier versions, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename. | 2010-08-20 | 9.3 | CVE-2010-3104, MISC
devonit -- thin-client_management_tool | Buffer overflow in tm-console-bin in the DevonIT thin-client management tool might allow remote attackers to execute arbitrary code via unspecified vectors. | 2010-08-25 | 7.5 | CVE-2010-3121, CERT-VN
ftpgetter -- ftpgetter | Directory traversal vulnerability in FTPGetter Team FTPGetter 3.51.0.05, and probably earlier versions, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename. | 2010-08-20 | 9.3 | CVE-2010-3103, MISC
ftprush -- ftprush | Directory traversal vulnerability in IoRush Software FTP Rush 1.1.3 and possibly earlier allows remote FTP servers to overwrite arbitrary files via a "..\" (dot dot backslash) in a filename. | 2010-08-20 | 9.3 | CVE-2010-3098, MISC, SECUNIA
ftpx -- ftp_explorer | Directory traversal vulnerability in FTPx Corp FTP Explorer 10.5.19.1 for Windows, and probably earlier versions, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename. | 2010-08-20 | 9.3 | CVE-2010-3101, MISC, SECUNIA
google -- chrome | Google Chrome before 5.0.375.127 does not properly mitigate an unspecified flaw in the Windows kernel, which has unknown impact and attack vectors, a different vulnerability than CVE-2010-2897. | 2010-08-24 | 10.0 | CVE-2010-3111, CONFIRM, CONFIRM
google -- chrome | Google Chrome before 5.0.375.127 does not properly implement file dialogs, which allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2010-08-24 | 10.0 | CVE-2010-3112, CONFIRM, CONFIRM
google -- chrome | Google Chrome before 5.0.375.127 does not properly handle SVG documents, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2010-08-24 | 10.0 | CVE-2010-3113, CONFIRM, CONFIRM
google -- chrome | The text-editing implementation in Google Chrome before 5.0.375.127 does not properly perform casts, which has unspecified impact and attack vectors. | 2010-08-24 | 10.0 | CVE-2010-3114, CONFIRM, CONFIRM
google -- chrome | Google Chrome before 5.0.375.127 does not properly implement the history feature, which might allow remote attackers to spoof the address bar via unspecified vectors. | 2010-08-24 | 10.0 | CVE-2010-3115, CONFIRM, CONFIRM
google -- chrome | Google Chrome before 5.0.375.127 does not properly process MIME types, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2010-08-24 | 10.0 | CVE-2010-3116, CONFIRM, CONFIRM, CONFIRM
google -- chrome | Google Chrome before 5.0.375.127 does not properly implement the notifications feature, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via unknown vectors. | 2010-08-24 | 10.0 | CVE-2010-3117, CONFIRM, CONFIRM
google -- chrome | Google Chrome before 5.0.375.127 does not properly support the Ruby language, which allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2010-08-24 | 10.0 | CVE-2010-3119, CONFIRM, CONFIRM
google -- chrome | Google Chrome before 5.0.375.127 does not properly implement the Geolocation feature, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2010-08-24 | 10.0 | CVE-2010-3120, CONFIRM, CONFIRM
google -- earth | Untrusted search path vulnerability in Google Earth 5.1.3535.3218 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse quserex.dll that is located in the same folder as a .kmz file. | 2010-08-26 | 9.3 | CVE-2010-3134, EXPLOIT-DB
hp -- openview_network_node_manager | Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unknown vectors. | 2010-08-20 | 10.0 | CVE-2010-2710, HP
ibm -- tivoli_storage_manager_fastback | The Mount service in IBM Tivoli Storage Manager (TSM) FastBack 5.x.x before 5.5.7, and 6.1.0.0, establishes an open UDP port, which might allow remote attackers to overwrite memory locations and execute arbitrary code, or cause a denial of service (application hang), via unspecified vectors. | 2010-08-20 | 7.5 | CVE-2010-3058, BID, CONFIRM, SECUNIA
ibm -- tivoli_storage_manager_fastback | Buffer overflow in the message-protocol implementation in the Server in IBM Tivoli Storage Manager (TSM) FastBack 5.x.x before 5.5.7, and 6.1.0.0, allows remote attackers to read and modify data, and possibly have other impact, via an unspecified command. | 2010-08-20 | 7.5 | CVE-2010-3059, BID, CONFIRM, SECUNIA
isamu_kaneko -- winny | Multiple buffer overflows in Winny 2.0b7.1 and earlier might allow remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2006-2007. | 2010-08-25 | 7.5 | CVE-2010-2360, XF, XF, JVNDB, JVNDB, JVN, JVN
jan_engelhardt -- libhx | Heap-based buffer overflow in the HX_split function in string.c in libHX before 3.6 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a string that is inconsistent with the expected number of fields. | 2010-08-24 | 10.0 | CVE-2010-2947, CONFIRM, BID, MLIST, MLIST, CONFIRM
jens_vagelpohl -- zope-ldapuserfolder | The authenticate function in LDAPUserFolder/LDAPUserFolder.py in zope-ldapuserfolder 2.9-1 does not verify the password for the emergency account, which allows remote attackers to gain privileges. | 2010-08-20 | 7.5 | CVE-2010-2944, CONFIRM, MLIST, MLIST, SECUNIA
keil-software -- photokorn_gallery | Multiple SQL injection vulnerabilities in search.php in Photokorn Gallery 1.81 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) where[], (2) sort, (3) order, and (4) Match parameters. | 2010-08-25 | 7.5 | CVE-2009-4979, BID, SECUNIA, MISC
mozilla -- firefox | Untrusted search path vulnerability in Mozilla Firefox 3.6.8 and earlier, and Thunderbird 3.1.2, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .htm, .html, .jtx, .mfp, or .eml file. | 2010-08-26 | 9.3 | CVE-2010-3131, VUPEN, BUGTRAQ, EXPLOIT-DB, SECUNIA
novell -- iprint | Stack-based buffer overflow in Novell iPrint Client before 5.44 allows remote attackers to execute arbitrary code via a long call-back-url parameter in an op-client-interface-version action. | 2010-08-23 | 9.3 | CVE-2010-1527, XF, BID, CONFIRM, MISC, SECUNIA
novell -- iprint | The PluginGetDriverFile function in Novell iPrint Client before 5.44 interprets an uninitialized memory location as a pointer value, which allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-08-23 | 9.3 | CVE-2010-3105, BID, SECUNIA
novell -- iprint | The ienipp.ocx ActiveX control in the browser plugin in Novell iPrint Client before 5.42 does not properly validate the debug parameter, which allows remote attackers to execute arbitrary code or cause a denial of service (stack memory corruption) via a parameter value with a crafted length, related to the ExecuteRequest method. | 2010-08-23 | 9.3 | CVE-2010-3106, MISC, CONFIRM
novell -- iprint | A certain ActiveX control in ienipp.ocx in the browser plugin in Novell iPrint Client before 5.42 does not properly restrict the set of files to be deleted, which allows remote attackers to cause a denial of service (recursive file deletion) via unspecified vectors related to a "logic flaw" in the CleanUploadFiles method in the nipplib.dll module. | 2010-08-23 | 7.1 | CVE-2010-3107, MISC, CONFIRM
novell -- iprint | Buffer overflow in the browser plugin in Novell iPrint Client before 5.42 allows remote attackers to execute arbitrary code by using EMBED elements to pass parameters with long names. | 2010-08-23 | 9.3 | CVE-2010-3108, MISC, CONFIRM
novell -- iprint | Stack-based buffer overflow in the browser plugin in Novell iPrint Client before 5.42 allows remote attackers to execute arbitrary code via a long operation parameter. | 2010-08-23 | 9.3 | CVE-2010-3109, MISC, CONFIRM
nullsoft -- winamp | Untrusted search path vulnerability in Nullsoft Winamp 5.581, and probably other versions, allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wnaspi32.dll that is located in the same folder as a .669, .aac, .aiff, .amf, .au, .avr, .b4s, .caf or .cda file. | 2010-08-26 | 9.3 | CVE-2010-3137, EXPLOIT-DB
openoffice -- openoffice.org | simpress.bin in the Impress module in OpenOffice.org (OOo) 3.2.1 on Windows does not properly handle integer values associated with dictionary property items, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PowerPoint document that triggers a heap-based buffer overflow, related to an "integer truncation error." | 2010-08-25 | 9.3 | CVE-2010-2935, CONFIRM, VUPEN, VUPEN, REDHAT, MLIST, MLIST, MLIST, MISC, SECUNIA, SECUNIA
openoffice -- openoffice.org | Integer overflow in simpress.bin in the Impress module in OpenOffice.org (OOo) 3.2.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted polygons in a PowerPoint document that triggers a heap-based buffer overflow. | 2010-08-25 | 9.3 | CVE-2010-2936, CONFIRM, CONFIRM, VUPEN, VUPEN, REDHAT, MLIST, MLIST, MLIST, MISC, SECUNIA, SECUNIA
phpmyadmin -- phpmyadmin | The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10.1 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. | 2010-08-24 | 7.5 | CVE-2010-3055, BID, CONFIRM, CONFIRM, CONFIRM, SECUNIA
portaplus -- porta+_ftp_client | Directory traversal vulnerability in Porta+ FTP Client 4.1, and possibly other versions, allows remote FTP servers to overwrite arbitrary files via directory traversal sequences in a filename. | 2010-08-20 | 9.3 | CVE-2010-3100, OSVDB, SECUNIA
sap -- business_one_2005-a | Stack-based buffer overflow in NT_Naming_Service.exe in SAP Business One 2005 A 6.80.123 and 6.80.320 allows remote attackers to execute arbitrary code via a long GIOP request to TCP port 30000. | 2010-08-25 | 10.0 | CVE-2009-4988, XF, VUPEN, SECTRACK, BID, BUGTRAQ, SECUNIA
script-shop24 -- lm_starmail_paidmail | SQL injection vulnerability in paidbanner.php in LM Starmail Paidmail 2.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. | 2010-08-25 | 7.5 | CVE-2009-4992, MILW0RM
script-shop24 -- lm_starmail_paidmail | PHP remote file inclusion vulnerability in home.php in LM Starmail Paidmail 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter. | 2010-08-25 | 7.5 | CVE-2009-4993, MILW0RM
scripteen -- free_image_hosting_script | admin/header.php in Scripteen Free Image Hosting Script 2.3 allows remote attackers to bypass authentication and gain administrative access by setting the cookgid cookie value to 1, a different vector than CVE-2008-3211. | 2010-08-25 | 7.5 | CVE-2009-4987, XF, BID, OSVDB, SECUNIA
skype -- skype | Untrusted search path vulnerability in Skype 4.2.0.169 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wab32.dll that is located in the same folder as a .skype file. | 2010-08-26 | 9.3 | CVE-2010-3136, EXPLOIT-DB
smartftp -- smartftp | Directory traversal vulnerability in SmartSoft Ltd SmartFTP Client 4.0.1124.0, and possibly other versions before 4.0 Build 1133, allows remote FTP servers to overwrite arbitrary files via a "..\" (dot dot backslash) in a filename. NOTE: some of these details are obtained from third party information. | 2010-08-20 | 9.3 | CVE-2010-3099, MISC, MISC, SECUNIA
softx -- ftp_client | Directory traversal vulnerability in SoftX FTP Client 3.3 and possibly earlier allows remote FTP servers to write arbitrary files via "..\" (dot dot backslash) sequences in a filename. | 2010-08-20 | 9.3 | CVE-2010-3096, BUGTRAQ, MISC, SECUNIA
strongswan -- strongswan | The IKE daemon in strongSwan 4.3.x before 4.3.7 and 4.4.x before 4.4.1 does not properly check the return values of snprintf calls, which allows remote attackers to execute arbitrary code via crafted (1) certificate or (2) identity data that triggers buffer overflows. | 2010-08-20 | 7.5 | CVE-2010-2628, MLIST, VUPEN, BID, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, VUPEN, SECTRACK, CONFIRM, SECUNIA, MLIST
teamviewer -- teamviewer | Untrusted search path vulnerability in TeamViewer 5.0.8703 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .tvs or .tvc file. | 2010-08-26 | 9.3 | CVE-2010-3128, VUPEN, BUGTRAQ, EXPLOIT-DB, SECUNIA
techsmith -- snagit | Untrusted search path vulnerability in TechSmith Snagit 10 (Build 788) allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a snag, snagcc, or snagprof file. | 2010-08-26 | 9.3 | CVE-2010-3130, EXPLOIT-DB, SECUNIA
utorrent -- utorrent | Untrusted search path vulnerability in uTorrent 2.0.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse plugin_dll.dll that is located in the same folder as a .torrent or .btsearch file. | 2010-08-26 | 9.3 | CVE-2010-3129, VUPEN, EXPLOIT-DB, SECUNIA
videolan -- vlc_media_player | Untrusted search path vulnerability in bin/winvlc.c in VLC Media Player 1.1.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll that is located in the same folder as a .mp3 file. | 2010-08-26 | 9.3 | CVE-2010-3124, MLIST, CONFIRM, VUPEN, MLIST, EXPLOIT-DB, SECUNIA
websitesrus -- accessories_me_php_affiliate_script | SQL injection vulnerability in browse.php in Accessories Me PHP Affiliate Script 1.4 allows remote attackers to execute arbitrary SQL commands via the Go parameter. | 2010-08-25 | 7.5 | CVE-2009-4985, MILW0RM
winfrigate -- frigate_3 | Directory traversal vulnerability in WinFrigate Frigate 3 FTP client 3.36 and earlier allows remote FTP servers to overwrite arbitrary files via a "..\" (dot dot backslash) in a filename. | 2010-08-20 | 9.3 | CVE-2010-3097, MISC, SECUNIA
winny -- winny | Winny 2.0b7.1 and earlier does not properly process BBS information, which has unspecified impact and remote attack vectors that might lead to use of the product's host for DDoS attacks. | 2010-08-25 | 10.0 | CVE-2010-2361, XF, JVNDB, JVN
winny -- winny | Winny 2.0b7.1 and earlier does not properly process node information, which has unspecified impact and remote attack vectors that might lead to use of the product's host for DDoS attacks. | 2010-08-25 | 10.0 | CVE-2010-2362, XF, JVNDB, JVN
wireshark -- wireshark | Untrusted search path vulnerability in Wireshark 1.2.10 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse airpcap.dll, and possibly other DLLs, that is located in the same folder as a file that automatically launches Wireshark. | 2010-08-26 | 9.3 | CVE-2010-3133, VUPEN, EXPLOIT-DB, SECUNIA
wolterskluwer -- teammate_audit_management_software_suite | Untrusted search path vulnerability in TeamMate Audit Management Software Suite 8.0 patch 2 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse mfc71enu.dll that is located in the same folder as a .tmx file. | 2010-08-26 | 9.3 | CVE-2010-3125, EXPLOIT-DB



Medium Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
adobe -- shockwave_player | Unspecified vulnerability in Adobe Shockwave Player before 11.5.8.612 allows attackers to cause a denial of service via unknown vectors. | 2010-08-26 | 5.0 | CVE-2010-2865, CONFIRM
ajsquare -- aj_auction_pro-oopd | Cross-site scripting (XSS) vulnerability in index.php in AJ Auction Pro OOPD 3.0 allows remote attackers to inject arbitrary web script or HTML via the txtkeyword parameter in a search action. | 2010-08-25 | 4.3 | CVE-2009-4989, BID, SECUNIA, MISC
apple -- itunes | Unspecified vulnerability in Apple iTunes before 9.1 allows local users to gain console privileges via vectors related to log files, "insecure file operation," and syncing an iPhone, iPad, or iPod touch. | 2010-08-20 | 6.9 | CVE-2010-1768, XF, BID, CONFIRM
apple -- cfnetwork | CFNetwork in Apple Mac OS X 10.6.3 and 10.6.4 supports anonymous SSL and TLS connections, which allows man-in-the-middle attackers to redirect a connection and obtain sensitive information via crafted responses. | 2010-08-25 | 5.0 | CVE-2010-1800, CONFIRM, SECTRACK, APPLE
apple -- coregraphics | Heap-based buffer overflow in CoreGraphics in Apple Mac OS X 10.5.8 and 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF file. | 2010-08-25 | 6.8 | CVE-2010-1801, CONFIRM, SECTRACK, APPLE
apple -- libsecurity | libsecurity in Apple Mac OS X 10.5.8 and 10.6.4 does not properly perform comparisons to domain-name strings in X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a certificate associated with a similar domain name, as demonstrated by use of a www.example.con certificate to spoof www.example.com. | 2010-08-25 | 6.4 | CVE-2010-1802, CONFIRM, SECTRACK, APPLE
apple -- apple_type_services | Stack-based buffer overflow in Apple Type Services (ATS) in Apple Mac OS X 10.5.8 and 10.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted embedded font in a document. | 2010-08-25 | 6.8 | CVE-2010-1808, CONFIRM, SECTRACK, APPLE
cacti -- cacti | Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) hostname or (2) description parameter to host.php, or (3) the host_id parameter to data_sources.php. | 2010-08-23 | 4.3 | CVE-2010-1644, VUPEN, REDHAT, CONFIRM, BID, BUGTRAQ, CONFIRM, CONFIRM, SECUNIA
cacti -- cacti | Cacti before 0.8.7f, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in (1) the FQDN field of a Device or (2) the Vertical Label field of a Graph Template. | 2010-08-23 | 6.5 | CVE-2010-1645, REDHAT, CONFIRM, CONFIRM, MISC, CONFIRM, CONFIRM, CONFIRM, SECUNIA
cacti -- cacti | Cross-site scripting (XSS) vulnerability in include/top_graph_header.php in Cacti before 0.8.7g allows remote attackers to inject arbitrary web script or HTML via the graph_start parameter to graph.php. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-4032.2.b. | 2010-08-23 | 4.3 | CVE-2010-2543, CONFIRM, CONFIRM, CONFIRM, MLIST, MLIST, CONFIRM
cacti -- cacti | Cross-site scripting (XSS) vulnerability in utilities.php in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allows remote attackers to inject arbitrary web script or HTML via the filter parameter. | 2010-08-23 | 4.3 | CVE-2010-2544, REDHAT, CONFIRM, XF, BID, CONFIRM, CONFIRM, SECUNIA, MLIST, MLIST, CONFIRM
cacti -- cacti | Multiple cross-site scripting (XSS) vulnerabilities in Cacti before 0.8.7g, as used in Red Hat High Performance Computing (HPC) Solution and other products, allow remote attackers to inject arbitrary web script or HTML via (1) the name element in an XML template to templates_import.php; and allow remote authenticated administrators to inject arbitrary web script or HTML via vectors related to (2) cdef.php, (3) data_input.php, (4) data_queries.php, (5) data_sources.php, (6) data_templates.php, (7) gprint_presets.php, (8) graph.php, (9) graphs_new.php, (10) graphs.php, (11) graph_templates_inputs.php, (12) graph_templates_items.php, (13) graph_templates.php, (14) graph_view.php, (15) host.php, (16) host_templates.php, (17) lib/functions.php, (18) lib/html_form.php, (19) lib/html_form_template.php, (20) lib/html.php, (21) lib/html_tree.php, (22) lib/rrd.php, (23) rra.php, (24) tree.php, and (25) user_admin.php. | 2010-08-23 | 4.3 | CVE-2010-2545, REDHAT, CONFIRM, BID, CONFIRM, CONFIRM, CONFIRM, CONFIRM, SECUNIA, MLIST, MLIST, CONFIRM
devonit -- thin-client_management_tool | The DevonIT thin-client management tool relies on a shared secret for authentication but transmits the secret in cleartext, which makes it easier for remote attackers to discover the secret value, and consequently obtain administrative control over client machines, by sniffing the network. | 2010-08-25 | 5.0 | CVE-2010-3122
CERT-VN
google -- chrome | The autosuggest feature in the Omnibox implementation in Google Chrome before 5.0.375.127 does not anticipate entry of passwords, which might allow remote attackers to obtain sensitive information by reading the network traffic generated by this feature. | 2010-08-24 | 5.0 | CVE-2010-3118
CONFIRM
CONFIRM
hp -- magcloud | Unspecified vulnerability in the HP MagCloud app before 1.0.5 for the iPad allows remote attackers to read and modify MagCloud application data via unknown vectors. | 2010-08-25 | 6.4 | CVE-2010-2711
XF
SECTRACK
SECUNIA
HP
HP
ibm -- tivoli_storage_manager_fastback | Unspecified vulnerability in the message-protocol implementation in the Server in IBM Tivoli Storage Manager (TSM) FastBack 5.x.x before 5.5.7, and 6.1.0.0, allows remote attackers to cause a denial of service (daemon outage) via unknown vectors. | 2010-08-20 | 5.0 | CVE-2010-3060
BID
CONFIRM
SECUNIA
ibm -- tivoli_storage_manager_fastback | Unspecified vulnerability in the message-protocol implementation in the Mount service in IBM Tivoli Storage Manager (TSM) FastBack 5.x.x before 5.5.7, and 6.1.0.0, allows remote attackers to cause a denial of service (recovery failure), and possibly trigger loss of data, via unknown vectors. | 2010-08-20 | 5.0 | CVE-2010-3061
BID
CONFIRM
AIXAPAR
SECUNIA
in-portal -- in-portal | Directory traversal vulnerability in index.php in In-Portal 4.3.1, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the env parameter. | 2010-08-25 | 6.8 | CVE-2009-4986
VUPEN
SECUNIA
irokez -- irokez_cms | SQL injection vulnerability in the select function in Irokez CMS 0.7.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to the default URI. | 2010-08-25 | 6.8 | CVE-2009-4982
VUPEN
BID
SECUNIA
jrbcs -- webform_report | Cross-site scripting (XSS) vulnerability in the Webform report module 5.x and 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via a submission. | 2010-08-25 | 4.3 | CVE-2009-4990
BID
SECUNIA
CONFIRM
keil-software -- photokorn_gallery | Multiple cross-site scripting (XSS) vulnerabilities in Photokorn Gallery 1.81 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) where[] parameter to search.php and (2) qc parameter to admin.php. | 2010-08-25 | 4.3 | CVE-2009-4980
BID
SECUNIA
MISC
keil-software -- photokorn_gallery | Multiple cross-site request forgery (CSRF) vulnerabilities in Photokorn Gallery 1.81 allow remote attackers to hijack the authentication of administrators. | 2010-08-25 | 6.8 | CVE-2009-4981
SECUNIA
MISC
linux -- kernel | Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation. | 2010-08-20 | 4.7 | CVE-2010-3015
MLIST
CONFIRM
CONFIRM
XF
BID
CONFIRM
MLIST
MLIST
lynx -- lynx | Heap-based buffer overflow in the convert_to_idna function in WWW/Library/Implementation/HTParse.c in Lynx 2.8.8dev.1 through 2.8.8dev.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed URL containing a % (percent) character in the domain name. | 2010-08-20 | 6.8 | CVE-2010-2810
CONFIRM
XF
VUPEN
MLIST
MLIST
mono-project -- libgdiplus | Multiple integer overflows in libgdiplus 2.6.7, as used in Mono, allow attackers to execute arbitrary code via (1) a crafted TIFF file, related to the gdip_load_tiff_image function in tiffcodec.c; (2) a crafted JPEG file, related to the gdip_load_jpeg_image_internal function in jpegcodec.c; or (3) a crafted BMP file, related to the gdip_read_bmp_image function in bmpcodec.c, leading to heap-based buffer overflows. | 2010-08-24 | 6.8 | CVE-2010-1526
MISC
SECUNIA
omnistaretools -- omnistar_recruiting | Cross-site scripting (XSS) vulnerability in users/resume_register.php in Omnistar Recruiting allows remote attackers to inject arbitrary web script or HTML via the job2 parameter. | 2010-08-25 | 4.3 | CVE-2009-4991
SECUNIA
MISC
php -- php | mysqlnd_wireprotocol.c in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows remote attackers to (1) read sensitive memory via a modified length value, which is not properly handled by the php_mysqlnd_ok_read function; or (2) trigger a heap-based buffer overflow via a modified length value, which is not properly handled by the php_mysqlnd_rset_header_read function. | 2010-08-20 | 5.0 | CVE-2010-3062
CONFIRM
CONFIRM
MISC
MISC
php -- php | The php_mysqlnd_read_error_from_line function in the Mysqlnd extension in PHP 5.3 through 5.3.2 does not properly calculate a buffer length, which allows context-dependent attackers to trigger a heap-based buffer overflow via crafted inputs that cause a negative length value to be used. | 2010-08-20 | 5.0 | CVE-2010-3063
CONFIRM
CONFIRM
MISC
php -- php | Stack-based buffer overflow in the php_mysqlnd_auth_write function in the Mysqlnd extension in PHP 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) username or (2) database name argument to the (a) mysql_connect or (b) mysqli_connect function. | 2010-08-20 | 6.8 | CVE-2010-3064
CONFIRM
CONFIRM
MISC
php -- php | The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name. | 2010-08-20 | 5.0 | CVE-2010-3065
DEBIAN
MISC
php -- php | The strrchr function in PHP 5.2 before 5.2.14 allows context-dependent attackers to obtain sensitive information (memory contents) or trigger memory corruption by causing a userspace interruption of an internal function or handler. | 2010-08-20 | 5.0 | CVE-2010-2484
CONFIRM
CONFIRM
php -- php | The var_export function in PHP 5.2 before 5.2.14 and 5.3 before 5.3.3 flushes the output buffer to the user when certain fatal errors occur, even if display_errors is off, which allows remote attackers to obtain sensitive information by causing the application to exceed limits for memory, execution time, or recursion. | 2010-08-20 | 4.3 | CVE-2010-2531
CONFIRM
CONFIRM
CONFIRM
MLIST
MLIST
CONFIRM
phpmyadmin -- phpmyadmin | Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.11.x before 2.11.10.1 and 3.x before 3.3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) db_search.php, (2) db_sql.php, (3) db_structure.php, (4) js/messages.php, (5) libraries/common.lib.php, (6) libraries/database_interface.lib.php, (7) libraries/dbi/mysql.dbi.lib.php, (8) libraries/dbi/mysqli.dbi.lib.php, (9) libraries/db_info.inc.php, (10) libraries/sanitizing.lib.php, (11) libraries/sqlparser.lib.php, (12) server_databases.php, (13) server_privileges.php, (14) setup/config.php, (15) sql.php, (16) tbl_replace.php, and (17) tbl_sql.php. | 2010-08-24 | 4.3 | CVE-2010-3056
BID
CONFIRM
CONFIRM
MISC
SECUNIA
FEDORA
FEDORA
redhat -- enterprise_virtualization | libspice, as used in QEMU-KVM in the Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2 and qspice 0.3.0, does not properly validate guest QXL driver pointers, which allows guest OS users to cause a denial of service (invalid pointer dereference and guest OS crash) or possibly gain privileges via unspecified vectors. | 2010-08-24 | 6.6 | CVE-2010-0428
REDHAT
REDHAT
CONFIRM
redhat -- enterprise_virtualization | libspice, as used in QEMU-KVM in the Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2 and qspice 0.3.0, does not properly restrict the addresses upon which memory-management actions are performed, which allows guest OS users to cause a denial of service (guest OS crash) or possibly gain privileges via unspecified vectors. | 2010-08-24 | 6.6 | CVE-2010-0429
REDHAT
REDHAT
CONFIRM
redhat -- enterprise_virtualization | QEMU-KVM, as used in the Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2 and KVM 83, does not properly validate guest QXL driver pointers, which allows guest OS users to cause a denial of service (invalid pointer dereference and guest OS crash) or possibly gain privileges via unspecified vectors. | 2010-08-24 | 6.6 | CVE-2010-0431
REDHAT
CONFIRM
REDHAT
redhat -- enterprise_virtualization | The Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2, and KVM 83, when the Intel VT-x extension is enabled, allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) via vectors related to instruction emulation. | 2010-08-24 | 4.6 | CVE-2010-0435
REDHAT
REDHAT
CONFIRM
redhat -- enterprise_virtualization | The subpage MMIO initialization functionality in the subpage_register function in exec.c in QEMU-KVM, as used in the Hypervisor (aka rhev-hypervisor) in Red Hat Enterprise Virtualization (RHEV) 2.2 and KVM 83, does not properly select the index for access to the callback array, which allows guest OS users to cause a denial of service (guest OS crash) or possibly gain privileges via unspecified vectors. | 2010-08-24 | 6.6 | CVE-2010-2784
REDHAT
REDHAT
CONFIRM
MLIST
redhat -- enterprise_virtualization | Virtual Desktop Server Manager (VDSM) in Red Hat Enterprise Virtualization (RHEV) 2.2 does not properly accept TCP connections for SSL sessions, which allows remote attackers to cause a denial of service (daemon outage) via crafted SSL traffic. | 2010-08-24 | 5.7 | CVE-2010-2811
REDHAT
REDHAT
CONFIRM
BID
SECTRACK
smartertools -- smartertrack | Cross-site scripting (XSS) vulnerability in frmKBSearch.aspx in SmarterTools SmarterTrack before 4.0.3504 allows remote attackers to inject arbitrary web script or HTML via the search parameter. | 2010-08-25 | 4.3 | CVE-2009-4994
CONFIRM
SECUNIA
MISC
smartertools -- smartertrack | Cross-site scripting (XSS) vulnerability in frmTickets.aspx in SmarterTools SmarterTrack before 4.0.3504 allows remote attackers to inject arbitrary web script or HTML via the email address field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2010-08-25 | 4.3 | CVE-2009-4995
SECUNIA
snowhall -- silurus_system | Multiple cross-site scripting (XSS) vulnerabilities in Silurus Classifieds 1.0 allow remote attackers to inject arbitrary web script or HTML via the ID parameter to (1) category.php and (2) wcategory.php, and the (3) keywords parameter to search.php. | 2010-08-25 | 4.3 | CVE-2009-4983
SECUNIA
MISC
tufat -- mybackup | PHP remote file inclusion vulnerability in index.php in MyBackup 1.4.0 allows remote authenticated users to execute arbitrary PHP code via a URL in the main_content parameter. | 2010-08-25 | 6.5 | CVE-2009-4977
VUPEN
SECUNIA
tufat -- mybackup | Directory traversal vulnerability in down.php in MyBackup 1.4.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter. | 2010-08-25 | 5.0 | CVE-2009-4978
VUPEN
SECUNIA
videolan -- vlc_media_player | The ReadMetaFromId3v2 function in taglib.cpp in the TagLib plugin in VideoLAN VLC media player 0.9.0 through 1.1.2 does not properly process ID3v2 tags, which allows remote attackers to cause a denial of service (application crash) via a crafted media file. | 2010-08-20 | 5.0 | CVE-2010-2937
VUPEN
CONFIRM
BID
CONFIRM
CONFIRM
websitesrus -- accessories_me_php_affiliate_script | Multiple cross-site scripting (XSS) vulnerabilities in Accessories Me PHP Affiliate Script 1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) Keywords parameter to search.php and (2) SearchIndex parameter to browse.php. | 2010-08-25 | 4.3 | CVE-2009-4984
SECUNIA



Low Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
anibal_monsalve_salaz -- ssmtp | ** DISPUTED ** The standardise function in Anibal Monsalve Salazar sSMTP 2.61 and 2.62 allows local users to cause a denial of service (application exit) via an e-mail message containing a long line that begins with a . (dot) character. NOTE: CVE disputes this issue because it is solely a usability problem for senders of messages with certain long lines, and has no security impact. | 2010-08-20 | 2.1 | CVE-2008-7258
CONFIRM
MISC
CONFIRM
CONFIRM
BID
MLIST
SECUNIA
MLIST
MLIST
MLIST
FEDORA
FEDORA
freebsd -- freebsd | The Coda filesystem kernel module, as used in NetBSD and FreeBSD, when Coda is loaded and Venus is running with /coda mounted, allows local users to read sensitive heap memory via a large out_size value in a ViceIoctl struct to a Coda ioctl, which triggers a buffer over-read. | 2010-08-20 | 1.2 | CVE-2010-3014
CONFIRM
CONFIRM
MISC
BUGTRAQ
freedesktop -- dbus-glib | DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services. | 2010-08-20 | 3.6 | CVE-2010-1172
CONFIRM
XF
VUPEN
REDHAT
SECUNIA
SECUNIA
CONFIRM
