Vulnerability Summary for the Week of June 6, 2011
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
cmsmadesimple -- cms_made_simple | Unspecified vulnerability in the News module in CMS Made Simple (CMSMS) before 1.9.1 has unknown impact and attack vectors. | 2011-06-08 | 10.0 | CVE-2010-4663 |
creloaded -- cre_loaded | CRE Loaded before 6.2.14, and possibly other versions before 6.3.x, allows remote attackers to bypass authentication and gain administrator privileges via a request with (1) login.php or (2) password_forgotten.php appended as the PATH_INFO, which bypasses a check that uses PHP_SELF, which is not properly handled by (a) includes/application_top.php and (b) admin/includes/application_top.php, as exploited in the wild in 2009. | 2011-06-08 | 7.5 | CVE-2009-5076 |
creloaded -- cre_loaded | CRE Loaded before 6.2.14 allows remote attackers to bypass authentication and gain administrator privileges via vectors related to a modified PHP_SELF variable, which is not properly handled by (1) includes/application_top.php and (2) admin/includes/application_top.php. | 2011-06-08 | 7.5 | CVE-2009-5077 |
google -- chrome | Use-after-free vulnerability in Google Chrome before 12.0.742.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to incorrect integer calculations during float handling. | 2011-06-09 | 7.5 | CVE-2011-1808 |
google -- chrome | Google Chrome before 12.0.742.91 allows remote attackers to bypass intended access restrictions via vectors related to extensions. | 2011-06-09 | 7.5 | CVE-2011-1812 |
google -- chrome | Google Chrome before 12.0.742.91 does not properly implement the framework for extensions, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." | 2011-06-09 | 7.5 | CVE-2011-1813 |
google -- chrome | Use-after-free vulnerability in the image loader in Google Chrome before 12.0.742.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2011-06-09 | 7.5 | CVE-2011-1818 |
google -- android | The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak. | 2011-06-09 | 7.2 | CVE-2011-1823 |
google -- chrome | Google V8, as used in Google Chrome before 12.0.742.91, allows remote attackers to bypass the Same Origin Policy via unspecified vectors. | 2011-06-09 | 7.5 | CVE-2011-2332 |
google -- chrome | The DOM implementation in Google Chrome before 12.0.742.91 allows remote attackers to bypass the Same Origin Policy via unspecified vectors. | 2011-06-09 | 7.5 | CVE-2011-2342 |
oprofile -- oprofile | utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to conduct eval injection attacks and gain privileges via shell metacharacters in the -e argument. | 2011-06-09 | 7.2 | CVE-2011-1760 |
oprofile -- oprofile | utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to gain privileges via shell metacharacters in the (1) --vmlinux, (2) --session-dir, or (3) --xen argument, related to the daemonrc file and the do_save_setup and do_load_setup functions, a different vulnerability than CVE-2011-1760. | 2011-06-09 | 7.2 | CVE-2011-2471 |
oprofile -- oprofile | Directory traversal vulnerability in utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to overwrite arbitrary files via a .. (dot dot) in the --save argument, related to the --session-dir argument, a different vulnerability than CVE-2011-1760. | 2011-06-09 | 7.2 | CVE-2011-2472 |
sybase -- onebridge_mobile_data_suite | Format string vulnerability in ECTrace.dll in the iMailGateway service in the Internet Mail Gateway in OneBridge Server and DMZ Proxy in Sybase OneBridge Mobile Data Suite 5.5 and 5.6 allows remote attackers to execute arbitrary code via format string specifiers in unspecified string fields, related to authentication logging. | 2011-06-09 | 10.0 | CVE-2011-2475 |
tomsawyer -- get_extension_factory | Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document. | 2011-06-06 | 9.3 | CVE-2011-2217 |
visiwave -- site_survey | VisiWaveReport.exe in AZO Technologies, Inc. VisiWave Site Survey before 2.1.9 allows user-assisted remote attackers to execute arbitrary code via a (1) vws and (2) vwr file with an invalid Type property, which triggers an untrusted pointer dereference. | 2011-06-08 | 9.3 | CVE-2011-2386 |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
adobe -- acrobat | Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.181.22 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.22 and earlier on Android, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "universal cross-site scripting vulnerability." | 2011-06-08 | 4.3 | CVE-2011-2107 |
anymacro -- anymacro_mail_system | Directory traversal vulnerability in the web interface in AnyMacro Mail System G4X allows remote attackers to read arbitrary files via directory traversal sequences in a request. | 2011-06-08 | 5.0 | CVE-2011-2468 |
apache -- http_server | The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.17, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request for a baselined WebDAV resource, as exploited in the wild in May 2011. | 2011-06-06 | 5.0 | CVE-2011-1752 |
apache -- http_server | The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data. | 2011-06-06 | 4.3 | CVE-2011-1783 |
apache -- subversion | The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is disabled, does not properly enforce permissions for files that had been publicly readable in the past, which allows remote attackers to obtain sensitive information via a replay REPORT operation. | 2011-06-06 | 4.3 | CVE-2011-1921 |
cisco -- ios | The Neighbor Discovery (ND) protocol implementation in Cisco IOS on unspecified switches allows remote attackers to bypass the Router Advertisement Guarding functionality via a fragmented IPv6 packet in which the Router Advertisement (RA) message is contained in the second fragment, as demonstrated by (1) a packet in which the first fragment contains a long Destination Options extension header or (2) a packet in which the first fragment contains an ICMPv6 Echo Request message. | 2011-06-08 | 5.0 | CVE-2011-2395 |
digium -- asterisk | reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.4.2 does not initialize certain strings, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed Contact header. | 2011-06-06 | 5.0 | CVE-2011-2216 |
dotclear -- dotclear | The updateFile function in inc/core/class.dc.media.php in the Media Manager in Dotclear before 2.2.3 does not properly restrict pathnames, which allows remote authenticated users to upload and execute arbitrary PHP code via the media_path or media_file parameter. NOTE: some of these details are obtained from third party information. | 2011-06-08 | 6.5 | CVE-2011-1584 |
gnu -- gimp | Multiple integer overflows in the load_image function in file-pcx.c in the Personal Computer Exchange (PCX) plugin in GIMP 2.6.x and earlier allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PCX image that triggers a heap-based buffer overflow. | 2011-06-06 | 6.8 | CVE-2011-1178 |
google -- android | The Android browser in Android before 2.3.4 allows remote attackers to obtain SD card contents via crafted content:// URIs, related to (1) BrowserActivity.java and (2) BrowserSettings.java in com/android/browser/. | 2011-06-09 | 4.3 | CVE-2010-4804 |
google -- chrome | Use-after-free vulnerability in the accessibility feature in Google Chrome before 12.0.742.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2011-06-09 | 5.0 | CVE-2011-1809 |
google -- chrome | The Cascading Style Sheets (CSS) implementation in Google Chrome before 12.0.742.91 does not properly restrict access to the visit history, which allows remote attackers to obtain sensitive information via unspecified vectors. | 2011-06-09 | 5.0 | CVE-2011-1810 |
google -- chrome | Google Chrome before 12.0.742.91 does not properly handle a large number of form submissions, which allows remote attackers to cause a denial of service (application crash) via unspecified vectors. | 2011-06-09 | 5.0 | CVE-2011-1811 |
google -- chrome | Google Chrome before 12.0.742.91 attempts to read data from an uninitialized pointer, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2011-06-09 | 5.0 | CVE-2011-1814 |
google -- chrome | Google Chrome before 12.0.742.91 allows remote attackers to inject script into a tab page via vectors related to extensions. | 2011-06-09 | 5.0 | CVE-2011-1815 |
google -- chrome | Use-after-free vulnerability in the developer tools in Google Chrome before 12.0.742.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2011-06-09 | 5.0 | CVE-2011-1816 |
google -- chrome | Google Chrome before 12.0.742.91 does not properly implement history deletion, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2011-06-09 | 5.0 | CVE-2011-1817 |
google -- chrome | Google Chrome before 12.0.742.91 allows remote attackers to perform unspecified injection into a chrome:// page via vectors related to extensions. | 2011-06-09 | 5.0 | CVE-2011-1819 |
imperva -- securesphere_web_application_firewall | Cross-site scripting (XSS) vulnerability in the management GUI in the MX Management Server in Imperva SecureSphere Web Application Firewall 6.2, 7.x, and 8.x allows remote attackers to inject arbitrary web script or HTML via an HTTP request to a firewalled server, aka Bug ID 31759. | 2011-06-06 | 4.3 | CVE-2011-0767 |
microsoft -- ie | Microsoft Internet Explorer 8 and earlier, and Internet Explorer 9 beta, does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue. | 2011-06-03 | 4.3 | CVE-2011-2382 |
microsoft -- ie | Microsoft Internet Explorer 9 and earlier does not properly restrict cross-zone drag-and-drop actions, which allows user-assisted remote attackers to read cookie files via vectors involving an IFRAME element with a SRC attribute containing an http: URL that redirects to a file: URL, as demonstrated by a Facebook game, related to a "cookiejacking" issue. NOTE: this vulnerability exists because of an incomplete fix in the Internet Explorer 9 release. | 2011-06-03 | 4.3 | CVE-2011-2383 |
mozilla -- firefox | The X.509 certificate validation functionality in Mozilla Firefox 4.0.x through 4.0.1 does not properly implement single-session security exceptions, which might make it easier for user-assisted remote attackers to spoof an SSL server via an untrusted certificate that triggers potentially unwanted local caching of documents from that server. | 2011-06-06 | 4.3 | CVE-2011-0082 |
novell -- iprint | Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted uri parameter in a printer-url. | 2011-06-09 | 6.8 | CVE-2011-1699 |
novell -- iprint | Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted profile-time parameter in a printer-url. | 2011-06-09 | 6.8 | CVE-2011-1700 |
novell -- iprint | Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted profile-name parameter in a printer-url. | 2011-06-09 | 6.8 | CVE-2011-1701 |
novell -- iprint | Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted file-date-time parameter in a printer-url. | 2011-06-09 | 6.8 | CVE-2011-1702 |
novell -- iprint | Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted driver-version parameter in a printer-url. | 2011-06-09 | 6.8 | CVE-2011-1703 |
novell -- iprint | Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted core-package parameter in a printer-url. | 2011-06-09 | 6.8 | CVE-2011-1704 |
novell -- iprint | Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted client-file-name parameter in a printer-url. | 2011-06-09 | 6.8 | CVE-2011-1705 |
novell -- iprint | Stack-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted iprint-client-config-info parameter in a printer-url. | 2011-06-09 | 6.8 | CVE-2011-1706 |
novell -- iprint | Stack-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted op-printer-list-all-jobs parameter in a printer-url. | 2011-06-09 | 6.8 | CVE-2011-1707 |
novell -- iprint | Stack-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted op-printer-list-all-jobs cookie. | 2011-06-09 | 6.8 | CVE-2011-1708 |
novell -- data_synchronizer | Unspecified vulnerability in the Mobility Pack 1.1.2 and earlier in Novell Data Synchronizer 1.0.x, and 1.1.x through 1.1.1 build 428, allows remote authenticated users to access the accounts of other users via unknown vectors. | 2011-06-08 | 5.5 | CVE-2011-1711 |
oprofile -- oprofile | The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to create or overwrite arbitrary files via a crafted --session-dir argument in conjunction with a symlink attack on the opd_pipe file, a different vulnerability than CVE-2011-1760. | 2011-06-09 | 6.9 | CVE-2011-2473 |
plone -- plone | Cross-site scripting (XSS) vulnerability in Plone 4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 2011-06-06 | 4.3 | CVE-2011-1948 |
plone -- plone | plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011. | 2011-06-06 | 5.5 | CVE-2011-1950 |
postrev -- post_revolution | common.php in Post Revolution before 0.8.0c-2 allows remote attackers to cause a denial of service (infinite loop) via malformed HTML markup, as demonstrated by an a< sequence. | 2011-06-06 | 5.0 | CVE-2011-1952 |
postrev -- post_revolution | Multiple cross-site scripting (XSS) vulnerabilities in common.php in Post Revolution before 0.8.0c-2 allow remote attackers to inject arbitrary web script or HTML via an attribute of a (1) P, a (2) STRONG, a (3) A, a (4) EM, a (5) I, a (6) IMG, a (7) LI, an (8) OL, a (9) VIDEO, or a (10) BLOCKQUOTE element. | 2011-06-06 | 4.3 | CVE-2011-1953 |
postrev -- post_revolution | Multiple cross-site request forgery (CSRF) vulnerabilities in Post Revolution 0.8.0c-2 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests to (1) ajax-weblog-guardar.php, (2) verpost.php, (3) comments.php, or (4) perfil.php. | 2011-06-06 | 6.8 | CVE-2011-1954 |
sybase -- easerver | Directory traversal vulnerability in the HTTP Server in Sybase EAServer 6.3.1 Developer Edition allows remote attackers to read arbitrary files via a /.../../ sequence in a path. | 2011-06-09 | 5.0 | CVE-2011-2474 |
vmware -- esx | Race condition in mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 though 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to gain privileges on the guest OS by mounting a filesystem on top of an arbitrary directory. | 2011-06-06 | 6.9 | CVE-2011-1787 |
vmware -- esx | mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 though 4.1, and VMware ESX 3.0.3 through 4.1, when a Solaris or FreeBSD guest OS is used, allows guest OS users to modify arbitrary guest OS files via unspecified vectors, related to a "procedural error." | 2011-06-06 | 6.3 | CVE-2011-2145 |
wireshark -- wireshark | The bytes_repr_len function in Wireshark 1.4.5 uses an incorrect pointer argument, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via arbitrary TCP traffic. | 2011-06-06 | 4.3 | CVE-2011-1956 |
wireshark -- wireshark | The dissect_dcm_main function in epan/dissectors/packet-dcm.c in the DICOM dissector in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (infinite loop) via an invalid PDU length. | 2011-06-06 | 4.3 | CVE-2011-1957 |
wireshark -- wireshark | Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Diameter dictionary file. | 2011-06-06 | 4.3 | CVE-2011-1958 |
wireshark -- wireshark | The snoop_read function in wiretap/snoop.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 does not properly handle certain virtualizable buffers, which allows remote attackers to cause a denial of service (application crash) via a large length value in a snoop file that triggers a stack-based buffer over-read. | 2011-06-06 | 4.3 | CVE-2011-1959 |
wireshark -- wireshark | Double free vulnerability in the tvb_uncompress function in epan/tvbuff.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a packet with malformed data that uses zlib compression. | 2011-06-06 | 4.3 | CVE-2011-2174 |
wireshark -- wireshark | Integer underflow in the visual_read function in wiretap/visual.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a malformed Visual Networks file that triggers a heap-based buffer over-read. | 2011-06-06 | 4.3 | CVE-2011-2175 |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
plone -- plone | Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422. | 2011-06-06 | 3.5 | CVE-2011-1949 |
vmware -- esx | mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 though 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to determine the existence of host OS files and directories via unspecified vectors. | 2011-06-06 | 2.1 | CVE-2011-2146 |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.