Vulnerability Summary for the Week of September 6, 2010
Released
Sep 13, 2010
Document ID
SB10-256
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe -- shockwave_player | Unspecified vulnerability in Adobe Shockwave Player before 11.5.8.612 allows remote attackers to execute arbitrary code via unknown vectors that trigger memory corruption. NOTE: due to conflicting information and use of the same CVE identifier by the vendor, ZDI, and TippingPoint, it is not clear whether this issue is related to use of an uninitialized pointer, an incorrect pointer offset calculation, or both. | 2010-09-07 | 9.3 | CVE-2010-2874 CONFIRM VUPEN SECTRACK |
| adobe -- acrobat | Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TTF font in a PDF document, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information. | 2010-09-09 | 9.3 | CVE-2010-2883 CONFIRM SECUNIA MISC |
| apple -- webkit | Double free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors related to the rendering of an inline element. | 2010-09-09 | 9.3 | CVE-2010-1781 CONFIRM APPLE |
| apple -- iphone_os | The Accessibility component in Apple iOS before 4.1 on the iPhone and iPod touch does not perform the expected VoiceOver announcement associated with the location services icon, which has unspecified impact and attack vectors. | 2010-09-09 | 10.0 | CVE-2010-1809 CONFIRM APPLE |
| apple -- imageio | ImageIO in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted TIFF file. | 2010-09-09 | 9.3 | CVE-2010-1811 CONFIRM APPLE |
| apple -- webkit | Use-after-free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving selections. | 2010-09-09 | 9.3 | CVE-2010-1812 CONFIRM APPLE |
| apple -- webkit | WebKit in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors involving HTML object outlines. | 2010-09-09 | 9.3 | CVE-2010-1813 CONFIRM APPLE |
| apple -- webkit | WebKit in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors involving form menus. | 2010-09-09 | 9.3 | CVE-2010-1814 CONFIRM APPLE |
| apple -- webkit | Use-after-free vulnerability in WebKit in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving scrollbars. | 2010-09-09 | 9.3 | CVE-2010-1815 CONFIRM APPLE |
| apple -- imageio | Buffer overflow in ImageIO in Apple iOS before 4.1 on the iPhone and iPod touch allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GIF file. | 2010-09-09 | 9.3 | CVE-2010-1817 CONFIRM APPLE |
| diy-cms -- diy-cms | Multiple PHP remote file inclusion vulnerabilities in DiY-CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) lang parameter to modules/guestbook/blocks/control.block.php, (2) main_module parameter to index.php, and (3) getFile parameter to includes/general.functions.php. | 2010-09-03 | 7.5 | CVE-2010-3206 XF EXPLOIT-DB MISC |
| gnome -- power_manager | gnome-power-manager 2.14.0 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. | 2010-09-07 | 7.2 | CVE-2006-7240 CONFIRM |
| gnome -- power_manager | gnome-power-manager 2.27.92 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. NOTE: this issue exists because of a regression that followed a gnome-power-manager fix a few years earlier. | 2010-09-07 | 7.2 | CVE-2009-4997 CONFIRM CONFIRM |
| google -- chrome | Google Chrome before 6.0.472.53 does not properly implement SVG filters, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors, related to a "stale pointer" issue. | 2010-09-07 | 9.3 | CVE-2010-3249 CONFIRM CONFIRM |
| google -- chrome | Use-after-free vulnerability in the Notifications presenter in Google Chrome before 6.0.472.53 allows attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2010-09-07 | 10.0 | CVE-2010-3252 CONFIRM CONFIRM |
| google -- chrome | The implementation of notification permissions in Google Chrome before 6.0.472.53 allows attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2010-09-07 | 10.0 | CVE-2010-3253 CONFIRM CONFIRM |
| google -- chrome | The WebSockets implementation in Google Chrome before 6.0.472.53 does not properly handle integer values, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2010-09-07 | 10.0 | CVE-2010-3254 CONFIRM CONFIRM CONFIRM |
| google -- chrome | Google Chrome before 6.0.472.53 does not properly handle counter nodes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2010-09-07 | 9.3 | CVE-2010-3255 CONFIRM CONFIRM |
| google -- chrome | Google Chrome before 6.0.472.53 does not properly perform focus handling, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors, related to a "stale pointer" issue. | 2010-09-07 | 9.3 | CVE-2010-3257 CONFIRM CONFIRM |
| google -- chrome | The sandbox implementation in Google Chrome before 6.0.472.53 does not properly deserialize parameters, which has unspecified impact and remote attack vectors. | 2010-09-07 | 9.3 | CVE-2010-3258 CONFIRM CONFIRM |
| hp -- operations_agent | Unspecified vulnerability in HP Operations Agent 7.36 and 8.6 on Windows allows remote attackers to execute arbitrary code via unknown vectors. | 2010-09-08 | 7.5 | CVE-2010-3004 SECUNIA HP HP |
| hp -- data_protector_express | Unspecified vulnerability in HP Data Protector Express, and Data Protector Express Single Server Edition (SSE), 3.x before build 56936 and 4.x before build 56906 allows local users to gain privileges or cause a denial of service via unknown vectors. | 2010-09-09 | 7.2 | CVE-2010-3007 HP HP |
| jextn -- com_jefaqpro | Multiple SQL injection vulnerabilities in the JE FAQ Pro (com_jefaqpro) component 1.5.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via category categorylist operations with (1) the catid parameter or (2) the catid parameter in a lists action. | 2010-09-03 | 7.5 | CVE-2010-3211 XF EXPLOIT-DB SECUNIA |
| linux -- kernel | The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server. | 2010-09-03 | 7.2 | CVE-2010-2240 REDHAT CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM MISC SECTRACK CONFIRM |
| linux -- kernel | fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions. | 2010-09-07 | 7.8 | CVE-2010-2248 BID REDHAT CONFIRM MLIST MLIST CONFIRM SECTRACK CONFIRM |
| linux -- kernel | Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions. | 2010-09-07 | 10.0 | CVE-2010-2521 REDHAT CONFIRM BID MLIST MLIST CONFIRM SECTRACK CONFIRM |
| linux -- kernel | The pppol2tp_xmit function in drivers/net/pppol2tp.c in the L2TP implementation in the Linux kernel before 2.6.34 does not properly validate certain values associated with an interface, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via vectors related to a routing change. | 2010-09-08 | 10.0 | CVE-2010-2495 CONFIRM MLIST MLIST MLIST MLIST CONFIRM CONFIRM |
| linux -- kernel | The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c. | 2010-09-08 | 7.2 | CVE-2010-2798 CONFIRM CONFIRM BID MLIST MLIST CONFIRM SECTRACK |
| linux -- kernel | Integer overflow in net/can/bcm.c in the Controller Area Network (CAN) implementation in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows attackers to execute arbitrary code or cause a denial of service (system crash) via crafted CAN traffic. | 2010-09-08 | 7.2 | CVE-2010-2959 CONFIRM CONFIRM BID MLIST CONFIRM CONFIRM CONFIRM CONFIRM MISC |
| linux -- kernel | The keyctl_session_to_parent function in security/keys/keyctl.c in the Linux kernel 2.6.35.4 and earlier expects that a certain parent session keyring exists, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function. | 2010-09-08 | 7.2 | CVE-2010-2960 CONFIRM XF BID MLIST MISC SECTRACK SECUNIA |
| martin_lee -- multi-lingual_e-commerce_system | Multiple PHP remote file inclusion vulnerabilities in Multi-lingual E-Commerce System 0.2 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) checkout2-CYM.php, (2) checkout2-EN.php, (3) checkout2-FR.php, (4) cat-FR.php, (5) cat-EN.php, (6) cat-CYM.php, (7) checkout1-CYM.php, (8) checkout1-EN.php, (9) checkout1-FR.php, (10) prod-CYM.php, (11) prod-EN.php, and (12) prod-FR.php in inc/. | 2010-09-03 | 7.5 | CVE-2010-3210 XF EXPLOIT-DB MISC |
| microsoft -- windows_2003_server | Buffer overflow in the CreateDIBPalette function in win32k.sys in Microsoft Windows XP SP3, Server 2003 R2 Enterprise SP2, Vista Business SP1, Windows 7, and Server 2008 SP2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code by performing a clipboard operation (GetClipboardData API function) with a crafted bitmap with a palette that contains a large number of colors. | 2010-09-07 | 7.2 | CVE-2010-2739 VUPEN MISC SECUNIA CONFIRM |
| mozilla -- firefox | Use-after-free vulnerability in the nsTreeSelection function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 might allow remote attackers to execute arbitrary code via vectors involving a XUL tree selection, related to a "dangling pointer vulnerability." NOTE: this issue exists because of an incomplete fix for CVE-2010-2753. | 2010-09-09 | 9.3 | CVE-2010-2760 CONFIRM CONFIRM |
| mozilla -- firefox | Integer overflow in the FRAMESET element implementation in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 might allow remote attackers to execute arbitrary code via a large number of values in the cols (aka columns) attribute, leading to a heap-based buffer overflow. | 2010-09-09 | 9.3 | CVE-2010-2765 CONFIRM CONFIRM |
| mozilla -- firefox | The normalizeDocument function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle the removal of DOM nodes during normalization, which might allow remote attackers to execute arbitrary code via vectors involving access to a deleted object. | 2010-09-09 | 9.3 | CVE-2010-2766 CONFIRM CONFIRM |
| mozilla -- firefox | The navigator.plugins implementation in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle destruction of the DOM plugin array, which might allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via crafted access to the navigator object, related to a "dangling pointer vulnerability." | 2010-09-09 | 9.3 | CVE-2010-2767 CONFIRM CONFIRM |
| mozilla -- firefox | Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 on Mac OS X allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted font in a data: URL. | 2010-09-09 | 9.3 | CVE-2010-2770 CONFIRM CONFIRM |
| mozilla -- firefox | Heap-based buffer overflow in the nsTextFrameUtils::TransformText function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 might allow remote attackers to execute arbitrary code via a bidirectional text run. | 2010-09-09 | 9.3 | CVE-2010-3166 CONFIRM CONFIRM |
| mozilla -- firefox | The nsTreeContentView function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly handle node removal in XUL trees, which allows remote attackers to execute arbitrary code via vectors involving access to deleted memory, related to a "dangling pointer vulnerability." | 2010-09-09 | 9.3 | CVE-2010-3167 CONFIRM CONFIRM |
| mozilla -- firefox | Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict the role of property changes in triggering XUL tree removal, which allows remote attackers to cause a denial of service (deleted memory access and application crash) or possibly execute arbitrary code by setting unspecified properties. | 2010-09-09 | 9.3 | CVE-2010-3168 CONFIRM CONFIRM |
| mozilla -- firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2010-09-09 | 9.3 | CVE-2010-3169 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| novell -- opensuse | ** DISPUTED ** lxsession-logout in lxsession in LXDE, as used on SUSE openSUSE 11.3 and other platforms, does not lock the screen when the Suspend or Hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action. NOTE: there is no general agreement that this is a vulnerability, because separate control over locking can be an equally secure, or more secure, behavior in some threat environments. | 2010-09-03 | 7.2 | CVE-2010-2532 CONFIRM MISC CONFIRM MLIST MLIST SUSE |
| pecio-cms -- pecio_cms | Multiple PHP remote file inclusion vulnerabilities in Pecio CMS 2.0.5 allow remote attackers to execute arbitrary PHP code via a URL in the template parameter to (1) post.php, (2) article.php, (3) blog.php, or (4) home.php in pec_templates/nova-blue/. | 2010-09-03 | 7.5 | CVE-2010-3204 XF EXPLOIT-DB MISC MISC |
| seagullproject.org -- seagull | Multiple PHP remote file inclusion vulnerabilities in Seagull 0.6.7 allow remote attackers to execute arbitrary PHP code via a URL in the includeFile parameter to (1) Config/Container.php and (2) HTML/QuickForm.php in fog/lib/pear/, the (3) driverpath parameter to fog/lib/pear/DB/NestedSet.php, and the (4) path parameter to fog/lib/pear/DB/NestedSet/Output.php. | 2010-09-03 | 7.5 | CVE-2010-3209 XF EXPLOIT-DB MISC |
| seagullproject.org -- seagull | SQL injection vulnerability in index.php in Seagull 0.6.7 and earlier allows remote attackers to execute arbitrary SQL commands via the frmQuestion parameter in a retrieve action, in conjunction with a user/password PATH_INFO. | 2010-09-03 | 7.5 | CVE-2010-3212 XF EXPLOIT-DB SECUNIA MISC OSVDB |
| textpattern -- textpattern | PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter. | 2010-09-03 | 7.5 | CVE-2010-3205 XF EXPLOIT-DB MISC |
| xfce -- xfce | ** DISPUTED ** Xfce4-session 4.5.91 in Xfce does not lock the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532. NOTE: there is no general agreement that this is a vulnerability, because separate control over locking can be an equally secure, or more secure, behavior in some threat environments. | 2010-09-07 | 7.2 | CVE-2009-4996 MISC MISC MISC MISC |
Medium Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apple -- iphone_os | FaceTime in Apple iOS before 4.1 on the iPhone and iPod touch does not properly handle invalid X.509 certificates, which allows man-in-the-middle attackers to redirect calls via a crafted certificate. | 2010-09-09 | 5.8 | CVE-2010-1810 CONFIRM APPLE |
| blackboard -- transact_suite | BbtsConnection_Edit.exe in Blackboard Transact Suite (formerly Blackboard Commerce Suite) before 3.6.0.2 relies on field names when determining whether it is appropriate to decrypt a connection.xml field value, which allows local users to discover the database password via a modified connection.xml file that contains an encrypted password in the <Server> field. | 2010-09-07 | 4.6 | CVE-2010-3244 CERT-VN MISC |
| galeriashqip -- galeriashqip | SQL injection vulnerability in index.php in GaleriaSHQIP 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the album_id parameter. NOTE: some of these details are obtained from third party information. | 2010-09-03 | 6.8 | CVE-2010-3207 XF MISC EXPLOIT-DB SECUNIA MISC OSVDB |
| google -- chrome | Google Chrome before 6.0.472.53 does not properly handle the _blank value for the target attribute of unspecified elements, which allows remote attackers to bypass the pop-up blocker via unknown vectors. | 2010-09-07 | 4.3 | CVE-2010-3246 CONFIRM CONFIRM |
| google -- chrome | Google Chrome before 6.0.472.53 does not properly restrict the characters in URLs, which allows remote attackers to spoof the appearance of the URL bar via homographic sequences. | 2010-09-07 | 4.3 | CVE-2010-3247 CONFIRM CONFIRM |
| google -- chrome | Google Chrome before 6.0.472.53 does not properly restrict copying to the clipboard, which has unspecified impact and attack vectors. | 2010-09-07 | 5.0 | CVE-2010-3248 CONFIRM CONFIRM |
| google -- chrome | Unspecified vulnerability in Google Chrome before 6.0.472.53 allows remote attackers to enumerate the set of installed extensions via unknown vectors. | 2010-09-07 | 5.0 | CVE-2010-3250 CONFIRM CONFIRM |
| google -- chrome | The WebSockets implementation in Google Chrome before 6.0.472.53 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors. | 2010-09-07 | 4.3 | CVE-2010-3251 CONFIRM CONFIRM CONFIRM |
| google -- chrome | Google Chrome before 6.0.472.53 does not properly restrict read access to images, which allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive information via unspecified vectors. | 2010-09-07 | 4.3 | CVE-2010-3259 CONFIRM CONFIRM |
| hp -- operations_agent | Unspecified vulnerability in HP Operations Agent 7.36 and 8.6 on Windows allows local users to gain privileges via unknown vectors. | 2010-09-08 | 6.8 | CVE-2010-3005 SECUNIA HP HP |
| linux -- kernel | The irda_bind function in net/irda/af_irda.c in the Linux kernel before 2.6.36-rc3-next-20100901 does not properly handle failure of the irda_open_tsap function, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via multiple unsuccessful calls to bind on an AF_IRDA (aka PF_IRDA) socket. | 2010-09-03 | 4.9 | CVE-2010-2954 CONFIRM XF VUPEN MLIST CONFIRM MISC SECUNIA MLIST CONFIRM |
| linux -- kernel | Race condition in the tty_fasync function in drivers/char/tty_io.c in the Linux kernel before 2.6.32.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via unknown vectors, related to the put_tty_queue and __f_setown functions. NOTE: the vulnerability was addressed in a different way in 2.6.32.9. | 2010-09-08 | 4.7 | CVE-2009-4895 CONFIRM CONFIRM MLIST MLIST MLIST MLIST CONFIRM CONFIRM |
| linux -- kernel | Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors. | 2010-09-08 | 4.9 | CVE-2010-2492 CONFIRM CONFIRM CONFIRM |
| linux -- kernel | The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals. | 2010-09-08 | 4.4 | CVE-2010-2524 CONFIRM CONFIRM CONFIRM MLIST MLIST MLIST |
| microsoft -- outlook_web_access | Cross-site request forgery (CSRF) vulnerability in Microsoft Outlook Web Access (owa/ev.owa) 2007 through SP2 allows remote attackers to hijack the authentication of e-mail users for requests that perform Outlook requests, as demonstrated by setting the auto-forward rule. | 2010-09-07 | 6.8 | CVE-2010-3213 XF BID EXPLOIT-DB MISC |
| mozilla -- firefox | The XPCSafeJSObjectWrapper class in the SafeJSObjectWrapper (aka SJOW) implementation in Mozilla Firefox 3.6.x before 3.6.9 and Thunderbird 3.1.x before 3.1.3 does not properly restrict objects at the end of scope chains, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via vectors related to a chrome privileged object and a chain ending in an outer object. | 2010-09-09 | 6.8 | CVE-2010-2762 CONFIRM CONFIRM |
| mozilla -- firefox | The XPCSafeJSObjectWrapper class in the SafeJSObjectWrapper (aka SJOW) implementation in Mozilla Firefox before 3.5.12, Thunderbird before 3.0.7, and SeaMonkey before 2.0.7 does not properly restrict scripted functions, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted function. | 2010-09-09 | 4.3 | CVE-2010-2763 CONFIRM CONFIRM |
| mozilla -- firefox | Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict read access to the statusText property of XMLHttpRequest objects, which allows remote attackers to discover the existence of intranet web servers via cross-origin requests. | 2010-09-09 | 4.3 | CVE-2010-2764 CONFIRM CONFIRM |
| mozilla -- firefox | Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a document's charset, which allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms via UTF-7 encoding. | 2010-09-09 | 4.3 | CVE-2010-2768 CONFIRM CONFIRM |
| mozilla -- firefox | Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 allows user-assisted remote attackers to inject arbitrary web script or HTML via a selection that is added to a document in which the designMode property is enabled. | 2010-09-09 | 4.3 | CVE-2010-2769 CONFIRM CONFIRM |
| novell -- suse_lifecycle_management_server | Cross-site request forgery (CSRF) vulnerability in the apache2-slms package in SUSE Lifecycle Management Server (SLMS) 1.0 on SUSE Linux Enterprise (SLE) 11 allows remote attackers to hijack the authentication of unspecified victims via vectors related to improper parameter quoting. NOTE: some sources report that this is a vulnerability in a product named "Apache SLMS," but that is incorrect. | 2010-09-03 | 4.3 | CVE-2010-1325 CONFIRM XF BID CONFIRM SUSE |
| novell -- suse_linux | WebYaST in yast2-webclient in SUSE Linux Enterprise (SLE) 11 on the WebYaST appliance uses a fixed secret key that is embedded in the appliance's image, which allows remote attackers to spoof session cookies by leveraging knowledge of this key. | 2010-09-03 | 5.0 | CVE-2010-1507 CONFIRM CONFIRM BID CONFIRM SUSE |
| phpmyadmin -- phpmyadmin | Cross-site scripting (XSS) vulnerability in libraries/Error.class.php in phpMyAdmin 3.x before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via vectors related to a PHP backtrace and error messages (aka debugging messages), a different vulnerability than CVE-2010-3056. | 2010-09-08 | 4.3 | CVE-2010-2958 VUPEN CONFIRM CONFIRM MLIST SECUNIA |
| rsa -- access_manager_agent | Unspecified vulnerability in RSA Access Manager Agent 4.7.1 before 4.7.1.7, when RSA Adaptive Authentication Integration is enabled, allows remote attackers to bypass authentication and obtain sensitive information via unknown vectors. | 2010-09-09 | 5.7 | CVE-2010-3017 BUGTRAQ |
| rsa -- access_manager_server | RSA Access Manager Server 5.5.3 before 5.5.3.172, 6.0.4 before 6.0.4.53, and 6.1 before 6.1.2.01 does not properly perform cache updates, which allows remote attackers to obtain sensitive information via unspecified vectors. | 2010-09-09 | 4.3 | CVE-2010-3018 BUGTRAQ |
| twiki -- twiki | Cross-site request forgery (CSRF) vulnerability in TWiki before 4.3.2 allows remote attackers to hijack the authentication of arbitrary users for requests that update pages, as demonstrated by a URL for a save script in the ACTION attribute of a FORM element, in conjunction with a call to the submit method in the onload attribute of a BODY element. NOTE: this issue exists because of an insufficient fix for CVE-2009-1339. | 2010-09-07 | 6.8 | CVE-2009-4898 MLIST MLIST CONFIRM |
| wiccle -- wiccle_web_builder | Cross-site scripting (XSS) vulnerability in ajax.php in Wiccle Web Builder (WWB) 1.00 and 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the post_text parameter in a site custom_search action to index.php. NOTE: some of these details are obtained from third party information. | 2010-09-03 | 4.3 | CVE-2010-3208 XF MISC SECUNIA OSVDB |
| xmlswf -- com_picsell | Directory traversal vulnerability in the PicSell (com_picsell) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the dflink parameter in a prevsell dwnfree action to index.php. | 2010-09-03 | 5.0 | CVE-2010-3203 EXPLOIT-DB SECUNIA |
| zope -- zope | ZServer in Zope 2.10.x before 2.10.12 and 2.11.x before 2.11.7 allows remote attackers to cause a denial of service (crash of worker threads) via vectors that trigger uncaught exceptions. | 2010-09-08 | 4.3 | CVE-2010-3198 MLIST CONFIRM CONFIRM CONFIRM VUPEN BID |
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| blackboard -- transact_suite | The automated-backup functionality in Blackboard Transact Suite (formerly Blackboard Commerce Suite) stores the (1) database username and (2) database password in cleartext in (a) script and (b) batch (.bat) files, which allows local users to obtain sensitive information by reading a file. | 2010-09-07 | 2.1 | CVE-2010-3245 CERT-VN MISC |
| google -- chrome | Google Chrome before 6.0.472.53 does not properly limit the number of stored autocomplete entries, which has unspecified impact and attack vectors. | 2010-09-07 | 2.6 | CVE-2010-3256 CONFIRM CONFIRM |
| linux -- kernel | The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file. | 2010-09-03 | 1.9 | CVE-2010-2226 CONFIRM BID CONFIRM MLIST MLIST CONFIRM MLIST MLIST |
| linux -- kernel | The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor. | 2010-09-08 | 1.9 | CVE-2010-2066 CONFIRM MLIST MLIST CONFIRM CONFIRM |
| linux -- kernel | The drm_ioctl function in drivers/gpu/drm/drm_drv.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 2.6.27.53, 2.6.32.x before 2.6.32.21, 2.6.34.x before 2.6.34.6, and 2.6.35.x before 2.6.35.4 allows local users to obtain potentially sensitive information from kernel memory by requesting a large memory-allocation amount. | 2010-09-08 | 1.9 | CVE-2010-2803 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| linux -- kernel | The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size. | 2010-09-08 | 3.3 | CVE-2010-2955 CONFIRM MISC CONFIRM MLIST SECUNIA MLIST MLIST MLIST MLIST CONFIRM MISC |
| mantisbt -- mantisbt | Cross-site scripting (XSS) vulnerability in MantisBT before 1.2.2 allows remote authenticated users to inject arbitrary web script or HTML via an HTML document with a .gif filename extension, related to inline attachments. | 2010-09-07 | 3.5 | CVE-2010-2802 CONFIRM CONFIRM MLIST MLIST CONFIRM |
| novell -- identity_manager | The engine installer in Novell Identity Manager (aka IDM) 3.6.1 stores admin tree credentials in /tmp/idmInstall.log, which allows local users to obtain sensitive information by reading this file. | 2010-09-08 | 2.1 | CVE-2010-3264 VUPEN CONFIRM SECUNIA |
| s9y -- serendipity | Cross-site scripting (XSS) vulnerability in Serendipity before 1.5.4, when "Remember me" logins are enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2010-09-10 | 2.6 | CVE-2010-2957 CONFIRM MLIST MLIST MISC |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.