Vulnerability Summary for the Week of January 2, 2012
Released
Jan 09, 2012
Document ID
SB12-009
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| hitcode -- hitappoint | SQL injection vulnerability in hitCode hitAppoint 4.5.17 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the username parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2011-12-30 | 7.5 | CVE-2011-5038 |
| infoproject -- biznis_heroj | Multiple SQL injection vulnerabilities in Infoproject Biznis Heroj allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters to login.php, (3) the filter parameter to widget.dokumenti_lista.php, and (4) the fin_nalog_id parameter to nalozi_naslov.php. | 2011-12-30 | 7.5 | CVE-2011-5039 |
| microsoft -- windows_7 | win32k.sys in the kernel-mode drivers in Microsoft Windows 7 Professional 64-bit, when using Apple Safari, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via a large height attribute in an IFRAME. | 2011-12-30 | 9.3 | CVE-2011-5046 |
| mysql -- mysql | MySQL 5.5.8, when running on Windows, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted packet to TCP port 3306. | 2012-01-04 | 7.8 | CVE-2011-5049 |
| novell -- xtier_framework | Multiple integer overflows in the HTTP server in the Novell XTier framework 3.1.8 allow remote attackers to cause a denial of service (service crash) or possibly execute arbitrary code via crafted header length variables. | 2011-12-30 | 7.5 | CVE-2011-1710 |
| openssl -- openssl | Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check. | 2012-01-05 | 9.3 | CVE-2011-4109 |
| pfsense -- pfsense | etc/inc/certs.inc in the PKI implementation in pfSense before 2.0.1 creates each X.509 certificate with a true value for the CA basic constraint, which allows remote attackers to create sub-certificates for arbitrary subjects by leveraging the private key. | 2012-01-03 | 7.5 | CVE-2011-4197 |
| sopcast -- sopcast | SopCast 3.4.7.45585 uses weak permissions (Everyone:Full Control) for Diagnose.exe, which allows local users to execute arbitrary code by replacing Diagnose.exe with a Trojan horse program. | 2011-12-30 | 7.2 | CVE-2011-5044 |
| splunk -- splunk | Splunk 4.2.5 and earlier, when free mode is used, does not perform authentication, which allows remote attackers to (1) read arbitrary files via a management-console session that leverages the ability to create crafted data sources, or (2) execute restricted commands via an HTTP request. | 2012-01-03 | 9.3 | CVE-2011-4644 |
| steve_j_baker -- plib | Buffer overflow in the ulSetError function in util/ulError.cxx in PLIB 1.8.5, as used in TORCS 1.3.1 and other products, allows user-assisted remote attackers to execute arbitrary code via vectors involving a long error message, as demonstrated by a crafted acc file for TORCS. NOTE: some of these details are obtained from third party information. | 2011-12-30 | 9.3 | CVE-2011-4620 |
| wpsymposium -- wp_symposium | Multiple unrestricted file upload vulnerabilities in the WP Symposium plugin before 11.12.24 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension using (1) uploadify/upload_admin_avatar.php or (2) uploadify/upload_profile_avatar.php, then accessing it via a direct request to the file in an unspecified directory inside the webroot. | 2012-01-04 | 7.5 | CVE-2011-5051 |
Medium Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apache -- tomcat | Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. | 2012-01-05 | 5.0 | CVE-2011-4858 |
| apache -- activemq | Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or hang) by sending many openwire failover:tcp:// connection requests. | 2012-01-05 | 5.0 | CVE-2011-4905 |
| cocsoft -- stream_down | Stack-based buffer overflow in CoCSoft Stream Down 6.8.0 allows remote web servers to execute arbitrary code via a long response to a download request. | 2012-01-04 | 6.8 | CVE-2011-5052 |
| cpan -- html-template-pro | Cross-site scripting (XSS) vulnerability in the HTML-Template-Pro module before 0.9507 for Perl allows remote attackers to inject arbitrary web script or HTML via template parameters, related to improper handling of > (greater than) and < (less than) characters. | 2012-01-05 | 4.3 | CVE-2011-4616 |
| e107 -- e107 | Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.26, and other versions before 1.0.0, allow remote attackers to inject arbitrary web script or HTML via the URL to (1) e107_images/thumb.php or (2) rate.php, (3) resend_name parameter to e107_admin/users.php, and (4) link BBCode in user signatures. | 2012-01-04 | 4.3 | CVE-2011-4920 |
| e107 -- e107 | SQL injection vulnerability in usersettings.php in e107 0.7.26, and possibly other versions before 1.0.0, allows remote attackers to execute arbitrary SQL commands via the username parameter. | 2012-01-04 | 5.1 | CVE-2011-4921 |
| eeye -- digital_security_audits | eEye Audit ID 2499 in eEye Digital Security Audits 2406 through 2423 for eEye Retina Network Security Scanner on HP-UX, IRIX, and Solaris allows local users to gain privileges via a Trojan horse gauntlet program in an arbitrary directory under /usr/local/. | 2012-01-03 | 6.9 | CVE-2011-3337 |
| elitecore -- cyberoam_unified_threat_management | SQL injection vulnerability in corporate/Controller in Elitecore Technologies Cyberoam UTM before 10.01.2 build 059 allows remote authenticated administrators to execute arbitrary SQL commands via the tableid parameter. NOTE: some of these details are obtained from third party information. | 2012-01-04 | 6.0 | CVE-2011-5050 |
| gnu -- gnutls | The DTLS implementation in GnuTLS 3.0.10 and earlier executes certain error-handling code only if there is a specific relationship between a padding length and the ciphertext size, which makes it easier for remote attackers to recover partial plaintext via a timing side-channel attack, a related issue to CVE-2011-4108. | 2012-01-05 | 4.3 | CVE-2012-0390 |
| gphemsley -- sasha | Cross-site scripting (XSS) vulnerability in inc/lib/lib.base.php in SASHA 0.2.0 allows remote attackers to inject arbitrary web script or HTML via the instructors parameter. NOTE: the original disclosure also mentions the section_title parameter, but this was disputed by the vendor and retracted by the original researcher. | 2011-12-30 | 4.3 | CVE-2011-5042 |
| h-fj -- mailform_plugin | Cross-site scripting (XSS) vulnerability in the MailForm plugin before 1.20 for Movable Type allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2012-01-04 | 4.3 | CVE-2007-6751 |
| ibm -- invscout.rte | The (1) bin/invscoutClient_VPD_Survey and (2) sbin/invscout_lsvpd programs in invscout.rte before 2.2.0.19 on IBM AIX 7.1, 6.1, 5.3, and earlier allow local users to delete arbitrary files, or trigger inventory scout operations on arbitrary files, via a symlink attack on an unspecified file. | 2012-01-03 | 4.0 | CVE-2011-1384 |
| ibm -- tivoli_federated_identity_manager | IBM Tivoli Federated Identity Manager (TFIM) and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.1.1, 6.2.0, and 6.2.1 do not properly handle signature validations based on SAML 1.0, 1.1, and 2.0, which allows remote attackers to bypass intended authentication or authorization requirements via a non-conforming SAML signature. | 2012-01-03 | 4.3 | CVE-2011-1386 |
| ibm -- web_experience_factory | Multiple cross-site scripting (XSS) vulnerabilities in IBM Web Experience Factory (aka WEF, formerly WebSphere Portlet Factory) 7.0 and 7.0.1 allow remote attackers to inject arbitrary web script or HTML via a (1) text INPUT element or (2) TEXTAREA element, related to an interaction between Smart Refresh and Dojo. | 2012-01-03 | 4.3 | CVE-2011-5048 |
| infoproject -- biznis_heroj | Multiple cross-site scripting (XSS) vulnerabilities in Infoproject Biznis Heroj allow remote attackers to inject arbitrary web script or HTML via the config parameter to (1) nalozi_naslov.php and (2) widget.dokumenti_lista.php. | 2011-12-30 | 4.3 | CVE-2011-5040 |
| jjwdesign -- php_booking_calendar | Cross-site scripting (XSS) vulnerability in details_view.php in PHP Booking Calendar 10e allows remote attackers to inject arbitrary web script or HTML via the page_info_message parameter. | 2011-12-30 | 4.3 | CVE-2011-5045 |
| mozilla -- bugzilla | Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2.x and 3.x before 3.4.13; 3.5.x and 3.6.x before 3.6.7; 3.7.x and 4.0.x before 4.0.3; and 4.1.x through 4.1.3, when debug mode is used, allow remote attackers to inject arbitrary web script or HTML via vectors involving a (1) tabular report, (2) graphical report, or (3) new chart. | 2012-01-02 | 4.3 | CVE-2011-3657 |
| mozilla -- bugzilla | The User.offer_account_by_email WebService method in Bugzilla 2.x and 3.x before 3.4.13; 3.5.x and 3.6.x before 3.6.7; 3.7.x and 4.0.x before 4.0.3; and 4.1.x through 4.1.3, when createemailregexp is not empty, does not properly handle user_can_create_account settings, which allows remote attackers to create user accounts by leveraging a token contained in an e-mail message. | 2012-01-02 | 6.8 | CVE-2011-3667 |
| mozilla -- bugzilla | Cross-site request forgery (CSRF) vulnerability in post_bug.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that create bug reports. | 2012-01-02 | 6.8 | CVE-2011-3668 |
| mozilla -- bugzilla | Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.x before 4.2rc1 allows remote attackers to hijack the authentication of arbitrary users for requests that upload attachments. | 2012-01-02 | 6.8 | CVE-2011-3669 |
| openssl -- openssl | The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack. | 2012-01-05 | 4.3 | CVE-2011-4108 |
| openssl -- openssl | The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. | 2012-01-05 | 5.0 | CVE-2011-4576 |
| openssl -- openssl | OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers. | 2012-01-05 | 4.3 | CVE-2011-4577 |
| openssl -- openssl | The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors. | 2012-01-05 | 5.0 | CVE-2011-4619 |
| openssl -- openssl | The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client. | 2012-01-05 | 5.0 | CVE-2012-0027 |
| pfsense -- pfsense | Cross-site scripting (XSS) vulnerability in status_rrd_graph.php in pfSense before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via the style parameter. | 2012-01-03 | 4.3 | CVE-2011-5047 |
| pulsecms -- pulse_cms | Multiple cross-site scripting (XSS) vulnerabilities in Pulse Pro CMS 1.7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) d parameter in a blocks action and (2) post_id parameter in an edit-post action to index.php. | 2011-12-30 | 4.3 | CVE-2011-5041 |
| splunk -- splunk | mappy.py in Splunk Web in Splunk 4.2.x before 4.2.5 does not properly restrict use of the mappy command to access Python classes, which allows remote authenticated administrators to execute arbitrary code by leveraging the sys module in a request to the search application, as demonstrated by a cross-site request forgery (CSRF) attack, aka SPL-45172. | 2012-01-03 | 4.6 | CVE-2011-4642 |
| splunk -- splunk | Multiple directory traversal vulnerabilities in Splunk 4.x before 4.2.5 allow remote authenticated users to read arbitrary files via a .. (dot dot) in a URI to (1) Splunk Web or (2) the Splunkd HTTP Server, aka SPL-45243. | 2012-01-03 | 4.0 | CVE-2011-4643 |
| splunk -- splunk | Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 4.2.x before 4.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka SPL-44614. | 2012-01-03 | 4.3 | CVE-2011-4778 |
| textpattern -- textpattern | Cross-site scripting (XSS) vulnerability in setup/index.php in Textpattern CMS 4.4.1, when the product is incompletely installed, allows remote attackers to inject arbitrary web script or HTML via the ddb parameter. | 2012-01-05 | 4.3 | CVE-2011-5019 |
| tomatosoft -- free_mp3_player | TomatoSoft Free Mp3 Player 1.0 allows remote attackers to cause a denial of service (application crash) via a long string in an MP3 file, possibly a buffer overflow. | 2011-12-30 | 4.3 | CVE-2011-5043 |
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| python -- virtualenv | virtualenv.py in virtualenv before 1.5 allows local users to overwrite arbitrary files via a symlink attack on a certain file in /tmp/. | 2011-12-30 | 1.2 | CVE-2011-4617 |
| wordpress -- wordpress | Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature. | 2012-01-05 | 2.6 | CVE-2012-0287 |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.