Vulnerability Summary for the Week of September 24, 2007

Released: Oct 01, 2007
Document ID: SB07-274

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.

High Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Adam Scheinberg -- Flip
account.php in Adam Scheinberg Flip 3.0 and earlier allows remote attackers to create administrative accounts via the un parameter in a register action.
unknown
2007-09-24
7.5
CVE-2007-5062
MILW0RM
BID
XF
ADOdb Lite -- ADOdb Lite
CMS Made Simple -- CMS Made Simple
Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple 1.1.2, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter.
unknown
2007-09-24
7.5
CVE-2007-5056
MILW0RM
VIM
Alexander Palmo -- Simple PHP Blog
Incomplete blacklist vulnerability in upload_img_cgi.php in Simple PHP Blog before 0.5.1 allows remote attackers to upload dangerous files, as demonstrated by a .htaccess file, a different vector than CVE-2005-2733. NOTE: the vulnerability was also present in a 0.5.1 download available in the early morning of 20070923. NOTE: the original 20070920 disclosure provided an incorrect filename, img_upload_cgi.php.
unknown
2007-09-24
7.5
CVE-2007-5071
BUGTRAQ
OTHER-REF
OTHER-REF
BID
Alexander Palmo -- Simple PHP Blog
Unspecified vulnerability in Simple PHP Blog before 0.5.1 has unknown impact and attack vectors, related to "the way themes get their color definitions from the configuration files," aka the user_colors issue, a different vulnerability than CVE-2007-????.
unknown
2007-09-24
7.5
CVE-2007-5072
OTHER-REF
OTHER-REF
Apple -- iPhone
Apple iPhone 1.1.1, with Bluetooth enabled, allows physically proximate attackers to cause a denial of service (application termination) and execute arbitrary code via crafted Service Discovery Protocol (SDP) packets, related to insufficient input validation.
unknown
2007-09-27
7.5
CVE-2007-3753
APPLE
Apple -- Safari
Safari in Apple iPhone 1.1.1, when requested to disable Javascript, does not disable it until Safari is restarted, which might leave Safari open to attacks that the user does not expect.
unknown
2007-09-27
7.5
CVE-2007-3759
APPLE
ask.com -- Ask Toolbar
Stack-based buffer overflow in the AskJeevesToolBar.SettingsPlugin.1 ActiveX control in askBar.dll in IAC Search & Media ask.com Ask Toolbar 4.0.2.53 and earlier allows remote attackers to execute arbitrary code via a long ShortFormat property value. NOTE: some of these details are obtained from third party information.
unknown
2007-09-26
9.3
CVE-2007-5107
BUGTRAQ
MILW0RM
BID
FRSIRT
SECUNIA
ask.com -- Ask Toolbar
Unspecified vulnerability in IAC Search & Media ask.com toolbar has unknown impact and remote attack vectors. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine. NOTE: this might be the same issue as CVE-2007-5107.
unknown
2007-09-26
10.0
CVE-2007-5108
BUGTRAQ
OTHER-REF
bcoos -- bcoos
SQL injection vulnerability in index.php in the Arcade module in bcoos 1.0.10 allows remote attackers to execute arbitrary SQL commands via the gid parameter in a play_game action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
unknown
2007-09-26
7.5
CVE-2007-5104
SECUNIA
Clansphere -- Clansphere
SQL injection vulnerability in mods/banners/navlist.php in Clansphere 2007.4 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to index.php in a banners action.
unknown
2007-09-24
7.5
CVE-2007-5061
MILW0RM
BID
David Watters -- Helplink
PHP remote file inclusion vulnerability in show.php in David Watters Helplink 0.1.0 allows remote attackers to execute arbitrary PHP code via a URL in the file parameter.
unknown
2007-09-26
7.5
CVE-2007-5099
MILW0RM
SECUNIA
Dibbler -- Dibbler
Dibbler 0.6.0 on Linux uses weak world-writable permissions for unspecified files in /var/lib/dibbler, which has unknown impact and local attack vectors.
unknown
2007-09-21
7.5
CVE-2007-5028
OTHER-REF
EB Design Pty Ltd -- ebCrypt
Absolute path traversal vulnerability in the EbCrypt.eb_c_PRNGenerator.1 ActiveX control in EBCRYPT.DLL 2.0.0.2087 and earlier in EB Design ebCrypt allows remote attackers to create or overwrite arbitrary files via a full pathname in the argument to the SaveToFile method. NOTE: some of these details are obtained from third party information.
unknown
2007-09-26
7.5
CVE-2007-5110
MILW0RM
OTHER-REF
BID
SECUNIA
Ekke Doerre -- Mods 4 Xoops Contenido eZ publish
Multiple PHP remote file inclusion vulnerabilities in Ekke Doerre Contenido 42VariablVersion (42VV10) in contenido_hacks in Mods 4 Xoops Contenido eZ publish (pdf4cms) allow remote attackers to execute arbitrary PHP code via a URL in the cfgPathInc parameter to (1) main_upl.php, (2) main_con_editside.php, (3) main_news_rcp.php, (4) main_mod.php, (5) main_tplinput_edit.php, (6) main_con.php, (7) main_tpl.php, (8) main_con_sidelist.php, (9) main_str.php, (10) main_news.php, (11) main_tplinput.php, (12) main_lang.php, (13) main_mod_edit.php, (14) main_lay.php, (15) main_lay_edit.php, (16) main_news_send.php, (17) main_con_edittpl.php, (18) main_stat.php, (19) main_tpl_edit.php, (20) main_news_edit.php, or (21) inc/upl_show_uploads.inc.php; the (a) cfgPathContenido or (b) cfgPathTpl parameter to (22) con_show_sidelist.inc.php, (23) mod_show_modules.inc.php, (24) con_edit_form.inc.php, (25) lay_show_layouts.inc.php, (26) con_show_tree.inc.php, (27) news_show_newsletters.inc.php, (28) str_show_tree.inc.php, (29) tpl_show_templates.inc.php, (30) stat_show_tree.inc.php, (31) con_editcontent.inc.php, or (32) news_show_recipients.inc.php in inc/; or the cfgPathTpl parameter to (33) main_user_md5.php3, or (34) actions_mod.php, (35) actions_lay.php, (36) actions_upl.php, (37) actions_stat.php, (38) actions_news.php, (39) actions_str.php, (40) header.php, (41) actions_con_sidelist.php, (42) main_top.inc.php, (43) actions_tpl.php, or (44) actions_con.php in tpl/. NOTE: vectors 21, 24, 26, 27, 32, 34, 35, 36, 37, 38, 39, 40, 41, 43, and 44 are disputed by CVE because PHP encounters a fatal function-call error on a direct request for the file, before reaching the include statement.
unknown
2007-09-26
7.5
CVE-2007-5115
OTHER-REF
furquim -- ChironFS
ChironFS before 1.0 RC7 sets user/group ownership to the mounter account instead of the creator account when files are created, which allows local users to gain privileges.
unknown
2007-09-26
7.2
CVE-2007-5101
OTHER-REF
OTHER-REF
SECUNIA
guanxiCRM -- guanxiCRM Business Solution
PHP remote file inclusion vulnerability in modules/webmail2/inc/rfc822.php in guanxiCRM Business Solution 0.9.1 allows remote attackers to execute arbitrary PHP code via a URL in the webmail2_inc_dir parameter.
unknown
2007-09-26
7.5
CVE-2007-5096
OTHER-REF
IBM -- Tivoli Storage Manager Client
Buffer overflow in the Client Acceptor Daemon (CAD), dsmcad.exe, in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2 allows remote attackers to execute arbitrary code via crafted HTTP headers, aka IC52905.
unknown
2007-09-27
10.0
CVE-2007-4880
BUGTRAQ
OTHER-REF
OTHER-REF
AIXAPAR
BID
FRSIRT
SECTRACK
SECUNIA
XF
IBM -- Tivoli Storage Manager Client
Buffer overflow in the Client Acceptor Daemon (CAD) in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2 allows remote attackers to execute arbitrary code via unspecified vectors, aka IC52905.
unknown
2007-09-21
10.0
CVE-2007-5021
OTHER-REF
AIXAPAR
BID
FRSIRT
SECUNIA
XF
IBM -- DB2
Microsoft -- SQL Server
IBM -- Rational ClearQuest
Unspecified vulnerability in IBM Rational ClearQuest (CQ), when a Microsoft SQL Server or an IBM DB2 database is used, allows attackers to corrupt data via unspecified vectors.
unknown
2007-09-26
7.5
CVE-2007-5090
OTHER-REF
FRSIRT
SECUNIA
ImageMagick -- ImageMagick
Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow.
unknown
2007-09-24
7.5
CVE-2007-4986
IDEFENSE
MLIST
BID
ImageMagick -- ImageMagick
Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address.
unknown
2007-09-24
9.3
CVE-2007-4987
IDEFENSE
MLIST
BID
Imatix -- Xitami
Multiple buffer overflows in iMatix Xitami Web Server 2.5c2 allow remote attackers to execute arbitrary code via a long If-Modified-Since header to (1) xigui32.exe or (2) xitami.exe.
unknown
2007-09-24
7.5
CVE-2007-5067
MILW0RM
BID
SECUNIA
Interspire -- ActiveKB
SQL injection vulnerability in index.php in Interspire ActiveKB NX 2.x allows remote attackers to execute arbitrary SQL commands via the catId parameter in a browse action.
unknown
2007-09-27
7.5
CVE-2007-5131
MILW0RM
BID
Ipswitch -- IMail
Heap-based buffer overflow in iaspam.dll in the SMTP Server in Ipswitch IMail Server 8.01 through 8.11 allows remote attackers to execute arbitrary code via a set of four different e-mail messages with a long boundary parameter in a certain malformed Content-Type header line, the string "MIME" by itself on a line in the header, and a long Content-Transfer-Encoding header line.
unknown
2007-09-26
7.5
CVE-2007-5094
MILW0RM
OTHER-REF
BID
iziContents -- iziContents
Multiple incomplete blacklist vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in (1) the admin_home parameter to modules/poll/poll_summary.php or (2) the rootdp parameter to include/db.php; or a URL in the language_home parameter to (3) search/search.php, (4) poll/inlinepoll.php, (5) poll/showpoll.php, (6) links/showlinks.php, or (7) links/submit_links.php in modules/; related to missing checks in (a) modules/moduleSec.php and (b) include/includeSec.php for inclusion of certain URLs, as demonstrated by an ftps:// URL.
unknown
2007-09-24
7.5
CVE-2007-5053
MILW0RM
iziContents -- iziContents
Multiple PHP remote file inclusion vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the gsLanguage parameter to (1) search/search.php, (2) poll/inlinepoll.php, (3) poll/showpoll.php, (4) links/showlinks.php, or (5) links/submit_links.php in modules/.
unknown
2007-09-24
7.5
CVE-2007-5054
MILW0RM
iziContents -- iziContents
Multiple directory traversal vulnerabilities in iziContents 1 RC6 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in (1) the admin_home parameter to modules/poll/poll_summary.php or (2) the rootdp parameter to include/db.php.
unknown
2007-09-24
7.5
CVE-2007-5055
MILW0RM
Lhaplus -- Lhaplus
Heap-based buffer overflow in Lhaplus before 1.55 allows remote attackers to execute arbitrary code via a long filename in an ARJ archive.
unknown
2007-09-23
7.5
CVE-2007-5048
OTHER-REF
OTHER-REF
OTHER-REF
BID
SECUNIA
Linux -- Kernel
The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register.
unknown
2007-09-24
7.2
CVE-2007-4573
FULLDISC
MLIST
MLIST
OTHER-REF
Microsoft -- Windows Media Player
Microsoft Windows Media Player (WMP) 9 on Windows XP SP2 invokes Internet Explorer to render HTML documents contained inside some media files, regardless of what default web browser is configured, which might allow remote attackers to exploit vulnerabilities in software that the user does not expect to run, as demonstrated by the HTMLView parameter in an .asx file.
unknown
2007-09-26
7.5
CVE-2007-5095
BUGTRAQ
BUGTRAQ
BUGTRAQ
BUGTRAQ
OTHER-REF
Microsoft -- windows-nt
3ware -- 3DM Disk Management Software
Microsoft Windows Explorer (explorer.exe) allows user-assisted remote attackers to cause a denial of service (CPU consumption) via a certain PNG file with a large tEXt chunk that possibly triggers an integer overflow in PNG chunk size handling, as demonstrated by badlycrafted.png.
unknown
2007-09-27
7.1
CVE-2007-5133
BUGTRAQ
BUGTRAQ
BID
Mozilla -- Bugzilla
The offer_account_by_email function in User.pm in the WebService for Bugzilla before 3.0.2, and 3.1.x before 3.1.2, does not check the value of the createemailregexp parameter, which allows remote attackers to bypass intended restrictions on account creation.
unknown
2007-09-23
7.5
CVE-2007-5038
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
Mozilla -- Firefox
Apple -- Quicktime
Argument injection vulnerability in Apple QuickTime 7.1.5 and earlier, when running on systems with Mozilla Firefox before 2.0.0.7 installed, allows remote attackers to execute arbitrary commands via a QuickTime Media Link (QTL) file with an embed XML element and a qtnext parameter containing the Firefox "-chrome" argument. NOTE: this is a related issue to CVE-2006-4965 and the result of an incomplete fix for CVE-2007-3670.
unknown
2007-09-23
9.3
CVE-2007-5045
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
NetSupport -- NetSupport Manager Client
NetSupport Manager Client before 10.20.0004 allows remote attackers to bypass the (1) basic and (2) authentication schemes by spoofing the NetSupport Manager.
unknown
2007-09-24
10.0
CVE-2007-5057
BUGTRAQ
OTHER-REF
BID
Neuron News -- Neuron News
Directory traversal vulnerability in index.php in Neuron News 1.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the q parameter.
unknown
2007-09-23
7.5
CVE-2007-5050
MILW0RM
NukeScripts -- NukeSentinel
SQL injection vulnerability in includes/nsbypass.php in NukeSentinel 2.5.11 allows remote attackers to execute arbitrary SQL commands via base64-encoded data in an admin cookie.
unknown
2007-09-27
7.5
CVE-2007-5125
BUGTRAQ
OTHER-REF
BID
Online Fantasy Football League -- OFFL
** DISPUTED ** PHP remote file inclusion vulnerability in lib/classes/offl_nflteam.php in Online Fantasy Football League (OFFL) 0.2.6 allows remote attackers to execute arbitrary PHP code via a URL in the DOC_ROOT parameter. NOTE: this issue is disputed by CVE because a __FILE__ test protects offl_nflteam.php against direct requests.
unknown
2007-09-26
7.5
CVE-2007-5097
OTHER-REF
openEngine -- openEngine
** DISPUTED ** PHP remote file inclusion vulnerability in html/modules/extranet_profile/main.php in openEngine 1.9 beta1 allows remote attackers to execute arbitrary PHP code via a URL in the this_module_path parameter. NOTE: this issue is disputed by CVE because PHP encounters a fatal function-call error on a direct request for the file, before reaching the include statement.
unknown
2007-09-23
7.5
CVE-2007-5035
OTHER-REF
BID
OpenSSL Project -- OpenSSL
Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7l and 0.9.8d might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow.
unknown
2007-09-27
7.5
CVE-2007-5135
BUGTRAQ
PHP-Nuke -- Mobile Entertainment module
Directory traversal vulnerability in data/compatible.php in the Nuke Mobile Entertainment 1 addon for PHP-Nuke allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module_name parameter.
unknown
2007-09-24
7.5
CVE-2007-5069
MILW0RM
phpFullAnnu -- phpFullAnnu
SQL injection vulnerability in index.php in phpFullAnnu (PFA) 6.0 allows remote attackers to execute arbitrary SQL commands via the mod parameter.
unknown
2007-09-24
7.5
CVE-2007-5068
MILW0RM
Quiksoft -- EasyMail MessagePrinter Object
Heap-based buffer overflow in the EasyMailMessagePrinter ActiveX control in emprint.DLL 6.0.1.0 in the Quiksoft EasyMail MessagePrinter Object allows remote attackers to execute arbitrary code via a long string in the first argument to the SetFont method.
unknown
2007-09-24
10.0
CVE-2007-5070
MILW0RM
redhat -- linux
Red Hat Enterprise Linux 4 does not properly compile and link gdm with tcp_wrappers on x86_64 platforms, which might allow remote attackers to bypass intended access restrictions.
unknown
2007-09-24
10.0
CVE-2007-5079
OTHER-REF
sk.log -- sk.log
PHP remote file inclusion vulnerability in php-inc/log.inc.php in sk.log 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the SKIN_URL parameter.
unknown
2007-09-26
7.5
CVE-2007-5089
BUGTRAQ
VIM
MILW0RM
BID
FRSIRT
softbizscripts -- classifieds plus script
SQL injection vulnerability in store_info.php in SoftBiz Classifieds PLUS allows remote attackers to execute arbitrary SQL commands via the id parameter.
unknown
2007-09-27
7.5
CVE-2007-5122
MILW0RM
Solidweb -- Novus
SQL injection vulnerability in notas.asp in Novus 1.0 allows remote attackers to execute arbitrary SQL commands via the nota_id parameter.
unknown
2007-09-27
7.5
CVE-2007-5123
MILW0RM
BID
Symantec -- Norton Internet Security
Norton Internet Security 2008 15.0.0.60 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the NtOpenSection kernel SSDT hook. NOTE: the NtCreateMutant and NtOpenEvent function hooks are already covered by CVE-2007-1793.
unknown
2007-09-23
7.2
CVE-2007-5047
BUGTRAQ
OTHER-REF
OTHER-REF
Symantec -- Veritas Backup Exec
Unspecified vulnerability in the client in Symantec Veritas Backup Exec for Windows Servers 11d has unknown impact and remote attack vectors. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine.
unknown
2007-09-27
10.0
CVE-2007-5126
OTHER-REF
BID
VMWare -- VMWare Player
VMWare -- ACE
VMWare -- ACE 2
VMWare -- VMware Server
VMWare -- VMWare Player 2
VMWare -- VMWare Workstation
The DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed packet that triggers "corrupt stack memory."
unknown
2007-09-21
10.0
CVE-2007-0061
ISS
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
XF
VMWare -- VMWare Workstation
VMWare -- ACE
VMWare -- VMware Server
VMWare -- Player
Integer overflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.
unknown
2007-09-21
10.0
CVE-2007-0062
ISS
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
XF
VMWare -- VMWare Player
VMWare -- ESX Server
VMWare -- ACE
VMWare -- ACE 2
VMWare -- VMware Server
VMWare -- VMWare Player 2
VMWare -- VMWare Workstation
Integer underflow in the DHCP server in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows remote attackers to execute arbitrary code via a malformed DHCP packet that triggers a stack-based buffer overflow.
unknown
2007-09-21
10.0
CVE-2007-0063
ISS
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
XF
VMWare -- ACE
Unspecified vulnerability in EMC VMware ACE before 1.0.3 Build 54075 allows attackers to have an unknown impact via an unspecified manipulation of "images stored in virtual machines downloaded by the user."
unknown
2007-09-21
9.3
CVE-2007-5025
OTHER-REF
webmaster-tips -- Flash Slide Show
Joomla -- Joomla
PHP remote file inclusion vulnerability in admin.slideshow1.php in the Flash Slide Show (com_slideshow) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
unknown
2007-09-24
7.5
CVE-2007-5065
MILW0RM
BID
Xpdf -- Xpdf
Stack-based buffer overflow in the StreamPredictor::getNextLine function in xpdf, as used in (1) poppler before 0.5.91, (2) gpdf, (3) kpdf, (4) kdegraphics, (5) CUPS, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file, a different vulnerability than CVE-2007-3387.
unknown
2007-09-23
7.5
CVE-2007-5049
GENTOO
FRSIRT


Medium Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
Adam Scheinberg -- Flip
Adam Scheinberg Flip 3.0 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a file containing login credentials via a direct request for var/users.txt.
unknown
2007-09-24
5.0
CVE-2007-5063
MILW0RM
Adobe -- Acrobat
Adobe -- Reader
Unspecified vulnerability in Adobe Acrobat and Reader 8.1 on Windows allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: this information is based upon a vague pre-advisory by a reliable researcher.
unknown
2007-09-21
6.8
CVE-2007-5020
BUGTRAQ
OTHER-REF
Agnitum -- Outpost Firewall
Outpost Firewall Pro 4.0.1025.7828 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtDeleteFile, (3) NtLoadDriver, (4) NtOpenProcess, (5) NtOpenSection, (6) NtOpenThread, and (7) NtUnloadDriver kernel SSDT hooks, a partial regression of CVE-2006-7160.
unknown
2007-09-23
4.6
CVE-2007-5042
BUGTRAQ
OTHER-REF
OTHER-REF
AirDefense -- Airsensor
Multiple buffer overflows in the AirDefense Airsensor M520 with firmware 4.3.1.1 and 4.4.1.4 allow remote authenticated users to cause a denial of service (HTTPS service outage) via a crafted query string in an HTTPS request to (1) adLog.cgi, (2) post.cgi, or (3) ad.cgi, related to the "files filter."
unknown
2007-09-23
5.0
CVE-2007-5036
MILW0RM
OTHER-REF
BID
SECUNIA
AOL -- Instant Messenger
The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.5.3.12 and earlier allows remote attackers to execute arbitrary code via unspecified web script or HTML in an instant message, related to AIM's filtering of "specific tags and attributes" and the lack of Local Machine Zone lockdown. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-4901.
unknown
2007-09-27
6.8
CVE-2007-5124
BUGTRAQ
OTHER-REF
Apache Software Foundation -- Geronimo
Unspecified vulnerability in the management EJB (MEJB) in Apache Geronimo before 2.0.2 allows remote attackers to bypass authentication and obtain "access to Geronimo internals" via unspecified vectors.
unknown
2007-09-26
5.0
CVE-2007-5085
OTHER-REF
OTHER-REF
SECUNIA
Apple -- iPhone
Mail in Apple iPhone 1.1.1, when using SSL, does not warn the user when the mail server changes or is not trusted, which might allow remote attackers to steal credentials and read email via a man-in-the-middle (MITM) attack.
unknown
2007-09-27
4.3
CVE-2007-3754
APPLE
Apple -- iPhone
Mail in Apple iPhone 1.1.1 allows remote user-assisted attackers to force the iPhone user to make calls to arbitrary telephone numbers via a "tel:" link, which does not prompt the user before dialing the number.
unknown
2007-09-27
4.3
CVE-2007-3755
APPLE
Apple -- Safari
Safari in Apple iPhone 1.1.1 allows remote attackers to obtain sensitive information via a crafted web page that identifies the URL of the parent window, even when the parent window is in a different domain.
unknown
2007-09-27
4.3
CVE-2007-3756
APPLE
Apple -- Safari
Safari in Apple iPhone 1.1.1 allows remote user-assisted attackers to trick the iPhone user into making calls to arbitrary telephone numbers via a crafted "tel:" link that causes iPhone to display a different number than the number that will be dialed.
unknown
2007-09-27
4.3
CVE-2007-3757
APPLE
Apple -- Safari
Safari in Apple iPhone 1.1.1 allows remote attackers to set Javascript window properties for web pages that are in a different domain, which can be leveraged to conduct cross-site scripting (XSS) attacks.
unknown
2007-09-27
4.3
CVE-2007-3758
APPLE
Apple -- Safari
Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to inject arbitrary web script or HTML via frame tags.
unknown
2007-09-27
4.3
CVE-2007-3760
APPLE
Apple -- Safari
Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to inject arbitrary web script or HTML by causing Javascript events to be applied to a frame in another domain.
unknown
2007-09-27
4.3
CVE-2007-3761
APPLE
Apple -- Safari
Unspecified vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to "alter or access" HTTPS content via an HTTP session with a crafted web page that causes Javascript to be applied to HTTPS pages from the same domain.
unknown
2007-09-27
6.8
CVE-2007-4671
APPLE
Barracuda Networks -- Barracuda Spam Firewall
Cross-site scripting (XSS) vulnerability in the Monitor Web Syslog screen in the Web administration interface in Barracuda Spam Firewall before firmware 3.5.10.016 allows remote attackers to inject arbitrary web script or HTML via the username field in a login attempt, related to the Monitor Web Syslog component.
unknown
2007-09-24
4.3
CVE-2007-5058
BUGTRAQ
OTHER-REF
BID
XF
boesch-it -- SimpNews
Multiple cross-site scripting (XSS) vulnerabilities in SimpNews 2.41.03 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to admin/layout2b.php, and the (2) backurl parameter to comment.php.
unknown
2007-09-26
4.3
CVE-2007-4874
BUGTRAQ
OTHER-REF
OTHER-REF
boesch-it -- SimpNews
PHP -- PHP
SimpNews 2.41.03 on Windows, when PHP before 5.0.0 is used, allows remote attackers to obtain sensitive information via a certain link_date parameter to events.php, which reveals the path in an error message due to an unsupported argument type for the mktime function on Windows.
unknown
2007-09-27
5.0
CVE-2007-5128
BUGTRAQ
OTHER-REF
OTHER-REF
boesch-it -- SimpGB
SimpGB 1.46.02 stores sensitive information under the web root with insufficient access control, which allows remote attackers to (1) obtain sensitive configuration information via a direct request for admin/cfginfo.php; and (2) download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc.
unknown
2007-09-27
6.4
CVE-2007-5129
BUGTRAQ
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
SECUNIA
XF
XF
boesch-it -- SimpGB
SimpGB 1.46.02 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php or (2) a direct request to admin/trailer.php, which reveals the path in various error messages.
unknown
2007-09-27
5.0
CVE-2007-5130
BUGTRAQ
OTHER-REF
OTHER-REF
XF
Cisco -- Catalyst 7600
Cisco -- Catalyst 6500
Cisco Catalyst 6500 and Cisco 7600 series devices use 127/8 IP addresses for Ethernet Out-of-Band Channel (EOBC) internal communication, which might allow remote attackers to send packets to an interface for which network exposure was unintended.
unknown
2007-09-27
5.0
CVE-2007-5134
FULLDISC
CISCO
BID
SECTRACK
dBlog -- dBlog CMS
dBlog CMS, probably 2.0, stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing an admin password hash via a direct request for dblog.mdb.
unknown
2007-09-21
5.0
CVE-2007-5026
BUGTRAQ
OTHER-REF
Dibbler -- Dibbler
Dibbler 0.6.0 does not verify that certain length parameters are appropriate for buffer sizes, which allows remote attackers to trigger a buffer over-read and cause a denial of service (daemon crash), as demonstrated by incorrect behavior of the TSrvMsg constructor in SrvMessages/SrvMsg.cpp when (1) reading the option code and option length and (2) parsing options.
unknown
2007-09-21
5.0
CVE-2007-5029
FULLDISC
OTHER-REF
BID
SECUNIA
Dibbler -- Dibbler
Multiple integer overflows in Dibbler 0.6.0 allow remote attackers to cause a denial of service (daemon crash) via packets containing options with large lengths, which trigger attempts at excessive memory allocation, as demonstrated by (1) the TSrvMsg constructor in SrvMessages/SrvMsg.cpp; the (2) TClntMsg, (3) TClntOptIAAddress, (4) TClntOptIAPrefix, (5) TOptVendorSpecInfo, and (6) TOptOptionRequest constructors; and the (7) TRelIfaceMgr::decodeRelayRepl, (8) TRelMsg::decodeOpts, and (9) TSrvIfaceMgr::decodeRelayForw methods.
unknown
2007-09-21
5.0
CVE-2007-5030
FULLDISC
OTHER-REF
BID
SECUNIA
Dibbler -- Dibbler
The TSrvOptIA_NA::rebind method in SrvOptions/SrvOptIA_NA.cpp in Dibbler 0.6.0 allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via an invalid IA_NA option in a REBIND message.
unknown
2007-09-21
5.0
CVE-2007-5031
FULLDISC
OTHER-REF
BID
SECUNIA
dragonfrugal -- DFD Cart
Multiple PHP remote file inclusion vulnerabilities in DFD Cart 1.1.4 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the set_depth parameter to (1) app.lib/product.control/core.php/product.control.config.php, or (2) customer.browse.list.php or (3) customer.browse.search.php in app.lib/product.control/core.php/customer.area/.
unknown
2007-09-26
6.8
CVE-2007-5098
MILW0RM
SECUNIA
EB Design Pty Ltd -- ebCrypt
A certain ActiveX control in EBCRYPT.DLL 2.0 in EB Design ebCrypt allows remote attackers to cause a denial of service (crash) via a string argument to the AddString method.
unknown
2007-09-26
4.3
CVE-2007-5111
MILW0RM
OTHER-REF
BID
eGroupWare -- eGroupWare
Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.4.001 allow remote attackers to inject arbitrary web script or HTML via the cat_data[color] parameter to (1) preferences/inc/class.uicategories.inc.php and (2) admin/inc/class.uicategories.inc.php.
unknown
2007-09-26
4.3
CVE-2007-5091
OTHER-REF
OTHER-REF
OTHER-REF
SECUNIA
Elinks -- Elinks
ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to sniff sensitive data that would have been protected by TLS. NOTE: this issue only occurs when a proxy is defined for https.
unknown
2007-09-21
4.3
CVE-2007-5034
OTHER-REF
OTHER-REF
FlatNuke -- FlatNuke
Cross-site request forgery (CSRF) vulnerability in index.php in FlatNuke 2.6, and possibly 3, allows remote attackers to change the password and privilege level of arbitrary accounts via the user parameter and modified (1) regpass and (2) level parameters in a none_Login action, as demonstrated by using a Flash object to automatically make the request.
unknown
2007-09-26
4.3
CVE-2007-5109
BUGTRAQ
Francisco Burzi -- PHP-Nuke
Cross-site request forgery (CSRF) vulnerability in admin.php in Francisco Burzi PHP-Nuke allows remote attackers to add administrative accounts via an AddAuthor action with modified add_name and add_radminsuper parameters.
unknown
2007-09-21
5.1
CVE-2007-5032
BUGTRAQ
FrontAccounting -- FrontAccounting
Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.13., when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/login.php and (2) includes/lang/language.php, different vectors than CVE-2007-4279.
unknown
2007-09-27
6.8
CVE-2007-5117
MILW0RM
BID
SECUNIA
gdata -- InternetSecurity 2007
G DATA InternetSecurity 2007 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey and (2) NtOpenProcess kernel SSDT hooks.
unknown
2007-09-23
4.6
CVE-2007-5041
BUGTRAQ
OTHER-REF
OTHER-REF
GreenSQL -- GreenSQL
Multiple cross-site scripting (XSS) vulnerabilities in GreenSQL allow remote attackers to inject arbitrary web script or HTML via several vectors, as demonstrated by the (1) uname and (2) pass parameters in a login form, and (3) an unspecified "url value," leading to storage of XSS sequences in the database and display of these sequences in the alert section of the admin panel.
unknown
2007-09-24
4.3
CVE-2007-5059
BUGTRAQ
BID
IBM -- Tivoli Storage Manager Client
Unspecified vulnerability in certain IBM Tivoli Storage Manager (TSM) clients 5.1 before 5.1.8.1, 5.2 before 5.2.5.2, 5.3 before 5.3.5.3, and 5.4 before 5.4.1.2, when using "server-initiated prompted scheduling," allows remote attackers to read a client's data, aka IC53616.
unknown
2007-09-21
5.0
CVE-2007-5022
OTHER-REF
AIXAPAR
BID
FRSIRT
SECUNIA
XF
IceWarp -- Merak Mail Server
Cross-site scripting (XSS) vulnerability in the Webmail interface for IceWarp Merak Mail Server before 9.0.0 allows remote attackers to inject arbitrary JavaScript via a javascript: URI in an attribute of an element in an email message body, as demonstrated by the onload attribute in a BODY element.
unknown
2007-09-23
4.3
CVE-2007-5046
OTHER-REF
BID
SECUNIA
ImageMagick -- ImageMagick
ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls.
unknown
2007-09-24
4.3
CVE-2007-4985
IDEFENSE
MLIST
BID
ImageMagick -- ImageMagick
Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.
unknown
2007-09-24
6.8
CVE-2007-4988
IDEFENSE
MLIST
BID
Inotify -- Inotify-tools
Buffer overflow in the inotifytools_snprintf function in src/inotifytools.c in the inotify-tools library before 3.11 allows context-dependent attackers to execute arbitrary code via a long filename.
unknown
2007-09-23
6.8
CVE-2007-5037
OTHER-REF
SECUNIA
JSPWiki -- JSPWiki
JSPWiki 2.4.103 and 2.5.139-beta allows remote attackers to obtain sensitive information (full path) via an invalid integer in the version parameter to the default URI under attach/Main/.
unknown
2007-09-27
4.3
CVE-2007-5119
BUGTRAQ
FULLDISC
OTHER-REF
SECUNIA
XF
JSPWiki -- JSPWiki
Multiple cross-site scripting (XSS) vulnerabilities in JSPWiki 2.4.103 and 2.5.139-beta allow remote attackers to inject arbitrary web script or HTML via the (1) group and (2) members parameters in (a) NewGroup.jsp; the (3) edittime parameter in (b) Edit.jsp; the (4) edittime, (5) author, and (6) link parameters in (c) Comment.jsp; the (7) loginname, (8) wikiname, (9) fullname, and (10) email parameters in (d) UserPreferences.jsp and (e) Login.jsp; the (11) r1 and (12) r2 parameters in (f) Diff.jsp; and the (13) changenote parameter in (g) PageInfo.jsp.
unknown
2007-09-27
4.3
CVE-2007-5120
BUGTRAQ
FULLDISC
OTHER-REF
BID
SECUNIA
XF
JSPWiki -- JSPWiki
Cross-site scripting (XSS) vulnerability in JSPWiki 2.5.139-beta allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to wiki-3/Login.jsp and unspecified other components.
unknown
2007-09-27
4.3
CVE-2007-5121
BUGTRAQ
FULLDISC
OTHER-REF
BID
SECUNIA
XF
Kaspersky Lab -- Kaspersky Internet Security
Kaspersky Internet Security 7.0.0.125 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to (1) cause a denial of service (crash) and possibly gain privileges via the NtCreateSection kernel SSDT hook or (2) cause a denial of service (avp.exe service outage) via the NtLoadDriver kernel SSDT hook. NOTE: this issue may partially overlap CVE-2006-3074.
unknown
2007-09-23
4.4
CVE-2007-5043
BUGTRAQ
OTHER-REF
OTHER-REF
KDE -- KDE
backend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is configured and "shutdown with password" is enabled, allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors.
unknown
2007-09-21
6.8
CVE-2007-4569
OTHER-REF
BID
Level One -- WBR3404TX
Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/ddns in the web management panel for the WBR3404TX broadband router with firmware R1.94p0vTIG allow remote attackers to inject arbitrary web script or HTML via the (1) DD or (2) DU parameter.
unknown
2007-09-21
4.3
CVE-2007-5027
BUGTRAQ
Linux -- Kernel
The ATM module in the Linux kernel before 2.4.35.3, when CLIP support is enabled, allows local users to cause a denial of service (kernel panic) by reading /proc/net/atm/arp before the CLIP module has been loaded.
unknown
2007-09-26
4.9
CVE-2007-5087
OTHER-REF
OTHER-REF
OTHER-REF
FRSIRT
Linux -- Kernel
The disconnect method in the Philips USB Webcam (pwc) driver in Linux kernel 2.6.x before 2.6.22.6 "relies on user space to close the device," which allows user-assisted local attackers to cause a denial of service (USB subsystem hang and CPU consumption in khubd) by not closing the device after the disconnect is invoked. NOTE: this rarely crosses privilege boundaries, unless the attacker can convince the victim to unplug the affected device.
unknown
2007-09-26
4.0
CVE-2007-5093
MLIST
MLIST
OTHER-REF
BID
Microsoft -- ISA Server
The SOCKS4 Proxy in Microsoft Internet Security and Acceleration (ISA) Server 2004 SP1 and SP2 allows remote attackers to obtain potentially sensitive information (the destination IP address of another user's session) via an empty packet.
unknown
2007-09-21
5.0
CVE-2007-4991
OTHER-REF
BID
multimedia -- Dance Music module for phpNuke
Directory traversal vulnerability in index.php in the Dance Music module for phpNuke, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in an ACCEPT_FILE array parameter to modules.php.
unknown
2007-09-26
6.8
CVE-2007-5092
BUGTRAQ
OTHER-REF
phpBB -- phpBB Plus
Multiple PHP remote file inclusion vulnerabilities in phpBB Plus 1.53, and 1.53a before 20070922, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the phpbb_root_path parameter to (1) language/lang_german/lang_admin_album.php, (2) language/lang_english/lang_main_album.php, and (3) language/lang_english/lang_admin_album.php, different vectors than CVE-2007-5009.
unknown
2007-09-26
6.8
CVE-2007-5100
OTHER-REF
FRSIRT
SECUNIA
phpBB XS -- phpBB XS
Cross-site scripting (XSS) vulnerability in profile.php in phpBB XS 2 allows remote attackers to inject arbitrary web script or HTML via the selfdes parameter in a profile_info editprofile action.
unknown
2007-09-21
6.8
CVE-2007-5033
BUGTRAQ
BID
XF
phpMyProfiler -- phpMyProfiler
** DISPUTED ** PHP remote file inclusion vulnerability in include/plugin/block.t.php in Peter Schmidt phpmyProfiler 0.9.6b allows remote attackers to execute arbitrary PHP code via a URL in the pmp_rel_path parameter. NOTE: this issue is disputed by CVE because the applicable require_once is in a function that is not called on a direct request.
unknown
2007-09-26
6.8
CVE-2007-5114
OTHER-REF
ROI Revolution -- Urchin
Cross-site scripting (XSS) vulnerability in session.cgi (aka the login page) in Google Urchin 5 5.7.03 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string, a different vulnerability than CVE-2007-4713. NOTE: this can be leveraged to capture login credentials in some browsers that support remembered (auto-completed) passwords.
unknown
2007-09-26
4.3
CVE-2007-5112
BUGTRAQ
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
ROI Revolution -- Urchin
report.cgi in Google Urchin allows remote attackers to bypass authentication and obtain sensitive information (web server logs) via certain modified query parameters, as demonstrated using the profile, rid, prefs, n, vid, bd, ed, dt, and gtype parameters, a different vulnerability than CVE-2007-5112.
unknown
2007-09-26
5.0
CVE-2007-5113
OTHER-REF
OTHER-REF
SimpGB -- SimpGB
Multiple cross-site scripting (XSS) vulnerabilities in SimpGB 1.46.02 allow remote attackers to inject arbitrary web script or HTML via (1) the l_username parameter to the default URI under admin/ or (2) the l_emoticonlist parameter to admin/emoticonlist.php.
unknown
2007-09-27
4.3
CVE-2007-5127
BUGTRAQ
OTHER-REF
OTHER-REF
BID
SECUNIA
XF
SimpleNews -- SimpleNews
SimpNews 2.41.03 allows remote attackers to obtain sensitive information via (1) an invalid lang parameter to admin/index.php; or a direct request to (2) admin/dbg_infos.php, (3) admin/heading.php, or (4) evsearch.php; which reveals the path in various error messages.
unknown
2007-09-27
5.0
CVE-2007-4872
BUGTRAQ
OTHER-REF
OTHER-REF
SimpleNews -- SimpleNews
SimpNews 2.41.03 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download arbitrary .inc files via a direct request, as demonstrated by admin/includes/dbtables.inc.
unknown
2007-09-27
5.0
CVE-2007-4873
BUGTRAQ
OTHER-REF
OTHER-REF
sisd -- Freeside
Cross-site scripting (XSS) vulnerability in search/cust_bill_event.cgi in Freeside 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the failed parameter.
unknown
2007-09-26
4.3
CVE-2007-5088
OTHER-REF
Sun -- Solaris
Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors related to "the handling of thread contexts."
unknown
2007-09-27
4.9
CVE-2007-5132
SUNALERT
BID
VMWare -- VMWare Player
VMWare -- ESX Server
VMWare -- ACE
VMWare -- ACE 2
VMWare -- VMware Server
VMWare -- VMWare Player 2
VMWare -- VMWare Workstation
Unspecified vulnerability in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows authenticated users with administrative privileges on a guest operating system to corrupt memory and possibly execute arbitrary code on the host operating system via unspecified vectors.
unknown
2007-09-21
6.5
CVE-2007-4496
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
VMWare -- VMWare Player
VMWare -- ESX Server
VMWare -- ACE
VMWare -- ACE 2
VMWare -- VMware Server
VMWare -- VMWare Player 2
VMWare -- VMWare Workstation
Unspecified vulnerability in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075 and ACE 2 before 2.0.1 Build 55017, and Server before 1.0.4 Build 56528 allows users with login access to a guest operating system to cause a denial of service (guest outage and host process crash or hang) via unspecified vectors.
unknown
2007-09-21
5.5
CVE-2007-4497
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
VMWare -- VMWare Player
VMWare -- ACE
VMWare -- ACE 2
VMWare -- VMware Server
VMWare -- VMWare Player 2
VMWare -- VMWare Workstation
Unquoted Windows search path vulnerability in EMC VMware Workstation before 5.5.5 Build 56455 and 6.x before 6.0.1 Build 55017, Player before 1.0.5 Build 56455 and Player 2 before 2.0.1 Build 55017, ACE before 1.0.3 Build 54075, and Server before 1.0.4 Build 56528 allows local users to gain privileges via unspecified vectors, possibly involving a malicious "program.exe" file in the C: folder.
unknown
2007-09-21
6.9
CVE-2007-5023
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
BID
Webmin -- Webmin
Unspecified vulnerability in Webmin before 1.370 on Windows allows remote authenticated users to execute arbitrary commands via a crafted URL.
unknown
2007-09-24
6.5
CVE-2007-5066
OTHER-REF
FRSIRT
SECUNIA
WordPress -- WordPress
Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 and 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the user_email parameter.
unknown
2007-09-26
4.3
CVE-2007-5105
BUGTRAQ
OTHER-REF
BID
WordPress -- WordPress
Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML via the user_login parameter.
unknown
2007-09-26
4.3
CVE-2007-5106
BUGTRAQ
OTHER-REF
BID
Wordsmith -- Wordsmith
PHP remote file inclusion vulnerability in config.inc.php in Wordsmith 1.0 RC1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the _path parameter.
unknown
2007-09-26
6.8
CVE-2007-5102
MILW0RM
SECUNIA
Wordsmith -- Wordsmith
Directory traversal vulnerability in config.inc.php in Wordsmith 1.0 RC1, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the _path parameter.
unknown
2007-09-26
6.8
CVE-2007-5103
MILW0RM
SECUNIA
xcms -- xcms
Cross-site request forgery (CSRF) vulnerability in the cpass functionality in an admin action in index.php in XCMS allows remote attackers to change arbitrary passwords via certain password_ and rpassword_ parameters, possibly related to timestamp values.
unknown
2007-09-24
4.3
CVE-2007-5060
BUGTRAQ
XenSource Inc -- Xen
pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements.
unknown
2007-09-27
4.4
CVE-2007-4993
OTHER-REF
SECUNIA
Xiph.Org -- libvorbis
lib/vorbisfile.c in libvorbisfile in Xiph.Org libvorbis before 1.2.0 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted OGG file, aka trac Changeset 13217.
unknown
2007-09-21
4.3
CVE-2007-4065
OTHER-REF
OTHER-REF
OTHER-REF
REDHAT
SECTRACK
SECUNIA
Xiph.Org -- libvorbis
Multiple buffer overflows in Xiph.Org libvorbis before 1.2.0 allow context-dependent attackers to cause a denial of service or have other unspecified impact via a crafted OGG file, aka trac Changesets 13162, 13168, 13169, 13170, 13172, 13211, and 13215, as demonstrated by an overflow in oggenc.exe related to the _psy_noiseguards_8 array.
unknown
2007-09-21
4.3
CVE-2007-4066
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
OTHER-REF
REDHAT
SECTRACK
SECUNIA
Xunlei -- Web Thunder
Buffer overflow in a certain ActiveX control in Xunlei Web Thunder 5.6.9.344 allows remote attackers to execute arbitrary code via a long first argument to the DownURL2 method. NOTE: some of these details are obtained from third party information.
unknown
2007-09-24
6.8
CVE-2007-5064
OTHER-REF
BID
Zone Labs -- ZoneAlarm Pro
ZoneAlarm Pro 7.0.362.000 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreatePort and (2) NtDeleteFile kernel SSDT hooks, a partial regression of CVE-2007-2083.
unknown
2007-09-23
6.9
CVE-2007-5044
BUGTRAQ
OTHER-REF
OTHER-REF


Low Vulnerabilities
Primary Vendor -- Product
Description
Discovered
Published
CVSS Score
Source & Patch Info
EMC -- VMware Server
EMC VMware Server before 1.0.4 Build 56528 writes passwords in cleartext to unspecified log files, which allows local users to obtain sensitive information by reading these files, a different vulnerability than CVE-2005-3620.
unknown
2007-09-21
2.1
CVE-2007-5024
OTHER-REF
ghostsecurity -- Ghost Security Suite
Ghost Security Suite beta 1.110 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtDeleteValueKey, (3) NtQueryValueKey, (4) NtSetSystemInformation, and (5) NtSetValueKey kernel SSDT hooks.
unknown
2007-09-23
2.1
CVE-2007-5039
BUGTRAQ
OTHER-REF
OTHER-REF
ghostsecurity -- Ghost Security Suite
Ghost Security Suite alpha 1.200 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to cause a denial of service (crash) and possibly gain privileges via the (1) NtCreateKey, (2) NtCreateThread, (3) NtDeleteValueKey, (4) NtQueryValueKey, (5) NtSetSystemInformation, and (6) NtSetValueKey kernel SSDT hooks.
unknown
2007-09-23
2.1
CVE-2007-5040
BUGTRAQ
OTHER-REF
OTHER-REF
Kaspersky Lab -- Kaspersky Internet Security
Kaspersky Lab -- Kaspersky Anti-Virus
Kaspersky Anti-Virus (KAV) and Internet Security 7.0 build 125 do not properly validate certain parameters to System Service Descriptor Table (SSDT) and Shadow SSDT function handlers, which allows local users to cause a denial of service (crash) via the (1) NtUserSendInput, (2) LoadLibraryA, (3) NtOpenProcess, (4) NtOpenThread, (5) NtTerminateProcess, (6) NtUserFindWindowEx, and (7) NtUserBuildHwndList kernel SSDT hooks in kylif.sys; the (8) NtDuplicateObject (DuplicateHandle) kernel SSDT hook; and possibly other kernel SSDT hooks. NOTE: the NtCreateSection vector is covered by CVE-2007-5043.1. NOTE: the vendor disputes that the DuplicateHandle vector is a vulnerability in their code, stating that "it is not an error in our code, but an obscure method for manipulating standard Windows routines to circumvent our self-defense mechanisms."
unknown
2007-09-26
2.1
CVE-2007-5086
OTHER-REF
OTHER-REF
FRSIRT
SECUNIA
Linux -- Kernel
The snd_mem_proc_read function in sound/core/memalloc.c in the Advanced Linux Sound Architecture (ALSA) in the Linux kernel before 2.6.22.8 does not return the correct write size, which allows local users to obtain sensitive information (kernel memory contents) via a small count argument, as demonstrated by multiple reads of /proc/driver/snd-page-alloc.
unknown
2007-09-26
2.1
CVE-2007-4571
IDEFENSE
OTHER-REF
OTHER-REF
SKK Openlab -- SKK Tools
The main function in skkdic-expr.c in SKK Tools 1.2 allows local users to overwrite or delete arbitrary files via a symlink attack on an unspecified temporary file. NOTE: some of these details are obtained from third party information.
unknown
2007-09-23
1.2
CVE-2007-3916
OTHER-REF
SECUNIA
Sun -- Solaris
Unspecified vulnerability in the HID (Human Interface Device) class driver in Sun Solaris 8, 9, and 10 before 20070925 allows local users to cause a denial of service (panic) via unspecified vectors.
unknown
2007-09-27
1.9
CVE-2007-5118
SUNALERT
SECUNIA
