Vulnerability Summary for the Week of August 4, 2014

Released
Aug 11, 2014
Document ID
SB14-223

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
all_video_gallery_plugin_project -- all_video_gallery_pluginUnspecified vulnerability in the All Video Gallery (all-video-gallery) plugin before 1.2.0 for WordPress has unspecified impact and attack vectors.2014-08-067.5CVE-2012-6653
ayatana_project -- unityUnity before 7.2.3 and 7.3.x before 7.3.1, as used in Ubuntu, does not properly take focus of the keyboard when switching to the lock screen, which allows physically proximate attackers to bypass the lock screen by (1) leveraging a machine that had text selected when locking or (2) resuming from a suspension.2014-08-077.2CVE-2014-5195
CONFIRM
UBUNTU
ctdb_project -- ctdbctdb before 2.3 in OpenSUSE 12.3 and 13.1 does not create temporary files securely, which has unspecified impact related to "several temp file vulnerabilities" in (1) tcp/tcp_connect.c, (2) server/eventscript.c, (3) tools/ctdb_diagnostics, (4) config/gdb_backtrace, and (5) include/ctdb_private.h.2014-08-067.5CVE-2013-4159
CONFIRM
MLIST
MISC
lead_octopus -- lead_octopusSQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.2014-08-077.5CVE-2014-5189
BID
MISC
OSVDB
rocketsoftware -- rocket_servergraphDirectory traversal vulnerability in the Admin Center for Tivoli Storage Manager (TSM) in Rocket ServerGraph 1.2 allows remote attackers to (1) create arbitrary files via a .. (dot dot) in the query parameter in a writeDataFile action to the fileRequestor servlet, execute arbitrary files via a .. (dot dot) in the query parameter in a (2) run or (3) runClear action to the fileRequestor servlet, (4) read arbitrary files via a readDataFile action to the fileRequestor servlet, (5) execute arbitrary code via a save_server_groups action to the userRequest servlet, or (6) delete arbitrary files via a del action in the fileRequestServlet servlet.2014-08-0710.0CVE-2014-3914
MISC
MISC
MISC
MISC
MISC
EXPLOIT-DB
samba -- sambaNetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x before 4.1.11 allows remote attackers to execute arbitrary code via unspecified vectors that modify heap memory, involving a sizeof operation on an incorrect variable in the unstrcpy macro in string_wrappers.h.2014-08-067.9CVE-2014-3560
CONFIRM
UBUNTU
SECTRACK
sphider -- sphiderMultiple SQL injection vulnerabilities in admin/admin.php in Sphider 1.3.6 and earlier, Sphider Pro, and Spider-plus allow remote attackers to execute arbitrary SQL commands via the (1) site_id or (2) url parameter.2014-08-067.5CVE-2014-5082
MISC
sphider -- sphiderSQL injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to execute arbitrary SQL commands via the filter parameter.2014-08-077.5CVE-2014-5192
XF
EXPLOIT-DB
splunk -- splunkDirectory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitrary commands via a .. (dot dot) in the file parameter. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2013-7394 is for the issue in the "runshellscript echo.sh" script.2014-08-079.3CVE-2013-6771
MISC
splunk -- splunkThe "runshellscript echo.sh" script in Splunk before 5.0.5 allows remote authenticated users to execute arbitrary commands via a crafted string. NOTE: this issue was SPLIT from CVE-2013-6771 per ADT2 due to different vulnerability types.2014-08-079.0CVE-2013-7394
MISC
status2k -- status2kSQL injection vulnerability in admin/options/logs.php in Status2k allows remote authenticated administrators to execute arbitrary SQL commands via the log parameter.2014-08-067.5CVE-2014-5089
MISC
teampass -- teampassTeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php.2014-08-077.5CVE-2014-3771
MLIST
MLIST
teampass -- teampassTeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php.2014-08-077.5CVE-2014-3772
MLIST
MLIST
teampass -- teampassMultiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3) datatable.logs.php or (4) a file in source/datatable/; or iDisplayLength parameter to (5) datatable.logs.php or (6) a file in source/datatable/; or allow remote authenticated users to execute arbitrary SQL commands via a sSortDir_ parameter to (7) datatable.logs.php or (8) a file in source/datatable/.2014-08-077.5CVE-2014-3773
MLIST
MLIST
yealink -- sip-t38gcgi-bin/cgiServer.exx in Yealink VoIP Phone SIP-T38G allows remote authenticated users to execute arbitrary commands by calling the system method in the body of a request, as demonstrated by running unauthorized services, changing directory permissions, and modifying files.2014-08-039.0CVE-2013-5758
OSVDB
EXPLOIT-DB
EXPLOIT-DB
MISC
MISC

Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
all_video_gallery_plugin_project -- all-video-gallerySQL injection vulnerability in the All Video Gallery (all-video-gallery) plugin 1.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit action in the allvideogallery_videos page to wp-admin/admin.php.2014-08-066.5CVE-2014-5186
MISC
canonical -- reportbugreportbug before 6.4.4+deb7u1 and 6.5.x before 6.5.0+nmu1 allows remote attackers to execute arbitrary commands via vectors related to compare_versions and reportbug/checkversions.py.2014-08-066.8CVE-2014-0479
CONFIRM
BID
DEBIAN
ckeditor -- ckeditorCross-site scripting (XSS) vulnerability in the Preview plugin before 4.4.3 in CKEditor allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2014-08-074.3CVE-2014-5191
SECUNIA
efssoft -- easy_file_sharing_web_serverMultiple cross-site scripting (XSS) vulnerabilities in Easy File Sharing (EFS) Web Server 6.8 allow remote authenticated users to inject arbitrary web script or HTML via the content parameter when (1) creating a topic or (2) posting an answer. NOTE: some of these details are obtained from third party information.2014-08-064.3CVE-2014-5178
XF
BUGTRAQ
SECUNIA
MISC
embarcadero -- er/studio_data_architectStack-based buffer overflow in the loadExtensionFactory method in the TSVisualization ActiveX control in Embarcadero ER/Studio Data Architect allows remote attackers to execute arbitrary code via unspecified vectors.2014-08-076.8CVE-2014-4647
MISC
XF
BID
freelinking_for_case_tracker_project -- freelinking_for_case_trackerThe freelinking module for Drupal, as used in the Freelinking for Case Tracker module, does not properly check access permissions for (1) nodes or (2) users, which allows remote attackers to obtain sensitive information via a crafted link.2014-08-064.3CVE-2014-5179
XF
BID
hdwplayer -- hdw-player-video-player-video-gallerySQL injection vulnerability in the videos page in the HDW Player Plugin (hdw-player-video-player-video-gallery) 2.4.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the edit action to wp-admin/admin.php.2014-08-066.5CVE-2014-5180
MISC
ipython -- ipython_notebookIPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.2014-08-076.8CVE-2014-3429
CONFIRM
CONFIRM
XF
MLIST
MLIST
CONFIRM
last.fm_rotation_plugin_project -- lastfm-rotation_pluginDirectory traversal vulnerability in lastfm-proxy.php in the Last.fm Rotation (lastfm-rotation) plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the snode parameter.2014-08-065.0CVE-2014-5181
MISC
lyris -- list_managerCross-site scripting (XSS) vulnerability in doemailpassword.tml in Lyris ListManager (LM) 8.95a allows remote attackers to inject arbitrary web script or HTML via the EmailAddr parameter.2014-08-074.3CVE-2014-5188
MISC
BID
MISC
openstack -- computeapi/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.2014-08-074.3CVE-2014-3517
CONFIRM
ostenta -- yawppMultiple SQL injection vulnerabilities in the yawpp plugin 1.2 for WordPress allow remote authenticated users with Contributor privileges to execute arbitrary SQL commands via vectors related to (1) admin_functions.php or (2) admin_update.php, as demonstrated by the id parameter in the update action to wp-admin/admin.php.2014-08-066.0CVE-2014-5182
MISC
pyplate -- pyplatePyplate 0.08 does not include the HTTPOnly flag in a Set-Cookie header for the id cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.2014-08-075.0CVE-2014-3852
MLIST
MLIST
pyplate -- pyplatePyplate 0.08 does not set the secure flag for the id cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.2014-08-075.0CVE-2014-3853
MLIST
MLIST
pyplate -- pyplateCross-site request forgery (CSRF) vulnerability in admin/addScript.py in Pyplate 0.08 allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the title parameter.2014-08-076.8CVE-2014-3854
MLIST
MLIST
pyplate -- pyplateDirectory traversal vulnerability in download.py in Pyplate 0.08 allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter.2014-08-075.0CVE-2014-3855
MLIST
MLIST
quartz_plugin_project -- quartz_pluginSQL injection vulnerability in the Quartz plugin 1.01.1 for WordPress allows remote authenticated users with Contributor privileges to execute arbitrary SQL commands via the quote parameter in an edit action in the quartz/quote_form.php page to wp-admin/edit.php.2014-08-066.0CVE-2014-5185
MISC
si_captcha_anti-spam_project -- si_captcha_anti-spamCross-site scripting (XSS) vulnerability in captcha-secureimage/test/index.php in the SI CAPTCHA Anti-Spam plugin 2.7.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.2014-08-074.3CVE-2014-5190
BID
MISC
simple_retail_menus_plugin_project -- simple-retail-menusSQL injection vulnerability in includes/mode-edit.php in the Simple Retail Menus (simple-retail-menus) plugin before 4.1 for WordPress allows remote authenticated editors to execute arbitrary SQL commands via the targetmenu parameter in an edit action to wp-admin/admin.php.2014-08-066.5CVE-2014-5183
MISC
solarwinds -- network_configuration_managerHeap-based buffer overflow in SolarWinds Network Configuration Manager (NCM) before 7.3 allows remote attackers to execute arbitrary code via the PEstrarg1 property.2014-08-076.8CVE-2014-3459
MISC
sphider -- sphiderCross-site scripting (XSS) vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to inject arbitrary web script or HTML via the category parameter. NOTE: the url parameter vector is already covered by CVE-2014-5082.2014-08-074.3CVE-2014-5193
EXPLOIT-DB
sphider -- sphiderStatic code injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the _word_upper_bound parameter.2014-08-076.5CVE-2014-5194
EXPLOIT-DB
status2k -- status2kCross-site scripting (XSS) vulnerability in Status2k allows remote attackers to inject arbitrary web script or HTML via the username to login.php.2014-08-064.3CVE-2014-5088
MISC
status2k -- status2kadmin/options/logs.php in Status2k allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the Location field in Add Logs in the Admin Panel.2014-08-066.5CVE-2014-5090
MISC
stripshow_plugin_project -- stripshowSQL injection vulnerability in the stripshow-storylines page in the stripShow plugin 2.5.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the story parameter in an edit action to wp-admin/admin.php.2014-08-066.5CVE-2014-5184
MISC
symantec -- endpoint_protectionBuffer overflow in the sysplant driver in Symantec Endpoint Protection (SEP) Client 11.x and 12.x before 12.1 RU4 MP1b, and Small Business Edition before SEP 12.1, allows local users to execute arbitrary code via a long argument to a 0x00222084 IOCTL call.2014-08-066.9CVE-2014-3434
CERT-VN
BID
EXPLOIT-DB
teampass -- teampassMultiple cross-site scripting (XSS) vulnerabilities in items.php in TeamPass before 2.1.20 allow remote attackers to inject arbitrary web script or HTML via the group parameter, which is not properly handled in a (1) hid_cat or (2) open_folder form element, or (3) id parameter, which is not properly handled in the open_id form element.2014-08-074.3CVE-2014-3774
MLIST
MLIST
tom_m8te_plugin_project -- tom-m8te_pluginDirectory traversal vulnerability in the Tom M8te (tom-m8te) plugin 1.5.3 for WordPress allows remote attackers to read arbitrary files via the file parameter to tom-download-file.php.2014-08-065.0CVE-2014-5187
MISC
yealink -- sip-t38gDirectory traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a .. (dot dot) in the page parameter to cgi-bin/cgiServer.exx.2014-08-034.0CVE-2013-5756
EXPLOIT-DB
yealink -- sip-t38gAbsolute path traversal vulnerability in Yealink VoIP Phone SIP-T38G allows remote authenticated users to read arbitrary files via a full pathname in the dumpConfigFile function in the command parameter to cgi-bin/cgiServer.exx.2014-08-034.0CVE-2013-5757
EXPLOIT-DB

Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
pyplate -- pyplateusr/lib/cgi-bin/create_passwd_file.py in Pyplate 0.08 uses world-readable permissions for passwd.db, which allows local users to obtain the administrator password by reading this file.2014-08-072.1CVE-2014-3851
MLIST
MLIST
redhat -- enterprise_virtualizationlibvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virConnectCompareCPU or (2) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT per ADT3 due to different affected versions of some vectors. CVE-2014-5177 is used for other API methods.2014-08-031.9CVE-2014-0179
SUSE
SUSE
CONFIRM
redhat -- enterprise_virtualizationThe oVirt storage backend in Red Hat Enterprise Virtualization 3.4 does not wipe memory snapshots when deleting a VM, even when wipe-after-delete (WAD) is configured for the VM's disk, which allows remote authenticated users with certain credentials to read portions of the deleted VM's memory and obtain sensitive information via an uninitialized storage volume.2014-08-063.5CVE-2014-3559
redhat -- enterprise_virtualizationlibvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors.2014-08-031.2CVE-2014-5177
REDHAT
SUSE
SUSE
CONFIRM
xbmc -- xbmcXBMC 13.0 uses world-readable permissions for .xbmc/userdata/sources.xml, which allows local users to obtain user names and passwords by reading this file.2014-08-072.1CVE-2014-3800
MISC
MLIST
MLIST
MISC

Back to top

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.