========================================================================

The Secunia Weekly Advisory Summary
2006-12-14 - 2006-12-21

This week: 58 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.

Be sure to check your own system:
http://secunia.com/software_inspector/

Feature Overview - The Secunia Software Inspector:

* Detects insecure versions of applications installed
* Verifies that all Microsoft patches are applied
* Assists you in updating your system and applications
* Runs through your browser. No installation or download is required.

Read more in our blog:
http://secunia.com/blog/4/
http://secunia.com/blog/3/

========================================================================
2) This Week in Brief:

Yahoo! reported a vulnerability in its instant messaging client for
versions obtained prior to November 2, 2006. The vulnerability is caused
by an unspecified error in Yahoo! Messenger's ActiveX control, which
potentially can be exploited by malicious people to compromise a user's
system.

Users are advised to upgrade to the latest version of Yahoo! Messenger.

Please refer to the Secunia advisory for more information:
http://secunia.com/advisories/23401/

You can also use the Secunia Software Inspector to check if your
version of Yahoo! Messenger is secure:
http://secunia.com/software_inspector/

--

Nine vulnerabilities were reported in Mozilla Firefox 1.x and 2.x this
week, with impacts ranging from exposure of sensitive information to
system access.

Users are advised to upgrade to either version 1.5.0.9 or 2.0.0.1 to
avoid falling victim to any of these vulnerabilities.

Please refer to the following Secunia advisory for more information:
http://secunia.com/advisories/23282/

You can also use the Secunia Software Inspector to check if your
version of Firefox is secure:
http://secunia.com/software_inspector/

--

Three vulnerabilities were reported in IBM Websphere Application Server
this week, one affecting version 5.x, and the others affecting version
6.x.

IBM Websphere Application Server 5.x has an unspecified error in the
Websphere Utility class. No further information is available. This
vulnerability was reported by the vendor, and can be fixed by applying
Cumulative Fix 13 (5.1.1.13).

IBM Websphere Application Server 6.x has an unspecified vulnerability in
the Servlet Engine / Web Container that can potentially be used to
disclose JSP source code. An unspecified error in a General component
amounts to another vulnerability. No other information is available.
This vulnerability was also reported by the vendor, and can be fixed by
updating to version 6.0.2 Fix Pack 17.

Please refer to the following Secunia advisories for more information:
http://secunia.com/advisories/23414/
http://secunia.com/advisories/23386/

--

VIRUS ALERTS:

During the past week Secunia collected 212 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.
========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA23282] Mozilla Firefox Multiple Vulnerabilities
2.  [SA23401] Yahoo! Messenger Unspecified ActiveX Control Buffer Overflow
3.  [SA23232] Microsoft Word Memory Corruption Vulnerabilities
4.  [SA20807] Internet Explorer Script Error Handling Memory Corruption Vulnerability
5.  [SA22477] Internet Explorer 7 "mhtml:" Redirection Information Disclosure
6.  [SA23205] Microsoft Word Unspecified Code Execution Vulnerability
7.  [SA23386] IBM WebSphere Application Server Unspecified Vulnerability
8.  [SA23402] torrentflux-b4rt "path" Directory Traversal Vulnerability
9.  [SA23378] CA Anti-Virus Drivers Denial of Service Vulnerabilities
10. [SA23400] Avaya CMS / IR Sun Solaris libXfont Integer Overflow Vulnerability

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA23401] Yahoo! Messenger Unspecified ActiveX Control Buffer Overflow
[SA23447] Burak Yilmaz Download Portal "id" SQL Injection Vulnerability
[SA23412] WinFtp Server Data Handling Denial of Service Vulnerability
[SA23403] Nortel CallPilot Server Unspecified Vulnerability
[SA23426] CA Portal Technology Session Handling Vulnerability
[SA23393] Mandiant First Response Multiple Vulnerabilities
[SA23391] Microsoft Project Server Information Disclosure Security Issue

UNIX/Linux:
[SA23458] TextSend "ROOT_PATH" File Inclusion Vulnerability
[SA23441] Gentoo update for imlib2
[SA23440] Red Hat update for firefox
[SA23439] Red Hat update for thunderbird
[SA23434] cwmVote "abs" File Inclusion Vulnerability
[SA23433] Red Hat update for seamonkey
[SA23423] phpProfiles Multiple File Inclusion Vulnerabilities
[SA23419] Debian update for sql-ledger
[SA23416] Azucar CMS "_VIEW" File Inclusion Vulnerability
[SA23409] SUSE Update for Multiple Packages
[SA23407] PHP-Update blog.php Multiple Vulnerabilities
[SA23394] MxBB Portal mx_meeting Module "module_root_path" File Inclusion
[SA23443] Red Hat update for tar
[SA23429] Gentoo vlnx Insecure DT_RPATH Vulnerability
[SA23417] Trustix update for clamav
[SA23411] SUSE update for clamav
[SA23404] Gentoo update for clamav
[SA23400] Avaya CMS / IR Sun Solaris libXfont Integer Overflow Vulnerability
[SA23395] Debian update for kernel-source-2.4.27
[SA23389] Gentoo update for links
[SA23454] Gentoo update for ruby
[SA23449] Mini Web Shop "catname" Cross-Site Scripting
[SA23438] Apple Mac OS X Quicktime/Quartz Composer Information Disclosure
[SA23428] Gentoo update for pam_ldap
[SA23427] Linux Kernel Bluetooth CAPI Messages Denial of Service
[SA23413] HyperVM "frm_action" Cross-Site Scripting Vulnerability
[SA23408] Linux Kernel Bluetooth CAPI Messages Denial of Service
[SA23402] torrentflux-b4rt "path" Directory Traversal Vulnerability
[SA23385] Ubuntu update for gdm
[SA23387] GNOME Foundation Display Manager "gdmchooser" Vulnerability
[SA23430] NeoScale Systems CryptoStor 700 Series Security Bypass Weakness
[SA23436] Linux Kernel "mincore()" Deadlock Denial of Service
[SA23392] Mandriva update for proftpd
[SA23390] Mandriva update for dbus

Other:
[SA23406] Novell NetWare Welcome web-app Cross-Site Scripting Vulnerability
[SA23396] HP FTP Print Server LIST Denial of Service Vulnerability

Cross Platform:
[SA23445] Sun Java JRE Multiple Vulnerabilities
[SA23442] cwmCounter "path" File Inclusion Vulnerability
[SA23425] CuteNews AJ-Fork "cutepath" File Inclusion Vulnerability
[SA23422] Mozilla SeaMonkey Multiple Vulnerabilities
[SA23420] Mozilla Thunderbird Multiple Vulnerabilities
[SA23415] BitDefender AntiVirus Engine PE File Parsing Buffer Overflow
[SA23388] eyeOS File Upload Vulnerability
[SA23418] VerliAdmin "q" File Inclusion Vulnerability
[SA23414] IBM WebSphere Application Server Multiple Vulnerabilities
[SA23398] Sun Java JRE Applet Security Bypass
[SA23386] IBM WebSphere Application Server Unspecified Vulnerability
[SA23421] Hitachi Directory Server LDAP Multiple Vulnerabilities
[SA23410] Drupal Project / Project issue tracking Module Script Insertion
[SA23405] Drupal MySite Module "Title" Script Insertion Vulnerability
[SA23397] DB2 Universal Database Denial of Service Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--
[SA23401] Yahoo! Messenger Unspecified ActiveX Control Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-15

A vulnerability has been reported in Yahoo! Messenger, which potentially
can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23401/

--
[SA23447] Burak Yilmaz Download Portal "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-20

ShaFuck31 has discovered a vulnerability in Burak Yilmaz Download Portal,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/23447/

--
[SA23412] WinFtp Server Data Handling Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-20

shinnai has discovered a vulnerability in WinFtp Server, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23412/

--
[SA23403] Nortel CallPilot Server Unspecified Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-12-19

A vulnerability with unknown impact has been reported in Nortel
CallPilot.
Full Advisory:
http://secunia.com/advisories/23403/

--
[SA23426] CA Portal Technology Session Handling Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-12-20

A vulnerability has been reported in CA's Portal technology, which
potentially can be exploited by malicious users to bypass certain
security restrictions.

Full Advisory:
http://secunia.com/advisories/23426/

--
[SA23393] Mandiant First Response Multiple Vulnerabilities

Critical:    Less critical
Where:       From local network
Impact:      Hijacking, DoS
Released:    2006-12-19

Some vulnerabilities have been reported in Mandiant First Response,
which can be exploited by malicious, local users to cause a DoS (Denial
of Service) and manipulate data, and by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/23393/

--
[SA23391] Microsoft Project Server Information Disclosure Security Issue

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2006-12-18

Brett Moore has reported a security issue in Microsoft Project Server,
which can be exploited by malicious users to gain knowledge of sensitive
information.

Full Advisory:
http://secunia.com/advisories/23391/

UNIX/Linux:
--
[SA23458] TextSend "ROOT_PATH" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-21

nuffsaid has discovered a vulnerability in TextSend, which can be
exploited by malicious people to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23458/

--
[SA23441] Gentoo update for imlib2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-12-21

Gentoo has issued an update for imlib2. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise an application using the library.
Full Advisory:
http://secunia.com/advisories/23441/

--
[SA23440] Red Hat update for firefox

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, System access
Released:    2006-12-20

Red Hat has issued an update for firefox. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23440/

--
[SA23439] Red Hat update for thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-12-20

Red Hat has issued an update for thunderbird. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23439/

--
[SA23434] cwmVote "abs" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-20

bd0rk has discovered a vulnerability in cwmVote, which can be exploited
by malicious people to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23434/

--
[SA23433] Red Hat update for seamonkey

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-12-20

Red Hat has issued an update for seamonkey. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23433/

--
[SA23423] phpProfiles Multiple File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-20

nuffsaid has discovered several vulnerabilities in phpProfiles, which
can be exploited by malicious people to compromise vulnerable systems.
Full Advisory:
http://secunia.com/advisories/23423/

--
[SA23419] Debian update for sql-ledger

Critical:    Highly critical
Where:       From remote
Impact:      Hijacking, System access
Released:    2006-12-18

Debian has issued an update for sql-ledger. This fixes some
vulnerabilities, which can be exploited by malicious people to hijack
user sessions and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23419/

--
[SA23416] Azucar CMS "_VIEW" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-19

nuffsaid has reported a vulnerability in Azucar CMS, which can be
exploited by malicious people to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23416/

--
[SA23409] SUSE Update for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Privilege escalation,
             System access
Released:    2006-12-20

SUSE has issued an update for multiple packages. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
gain escalated privileges and by malicious people to conduct cross-site
scripting and script insertion attacks, bypass certain security
restrictions, and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23409/

--
[SA23407] PHP-Update blog.php Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, System access
Released:    2006-12-20

rgod has discovered some vulnerabilities in PHP-Update, which can be
exploited by malicious people to bypass certain security restrictions
and by malicious users to compromise vulnerable systems and manipulate
data.
Full Advisory:
http://secunia.com/advisories/23407/

--
[SA23394] MxBB Portal mx_meeting Module "module_root_path" File Inclusion

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-18

ajann has discovered a vulnerability in the mx_meeting module for MxBB
Portal, which can be exploited by malicious people to compromise
vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23394/

--
[SA23443] Red Hat update for tar

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2006-12-20

Red Hat has issued an update for tar. This fixes a weakness, which can
be exploited by malicious people to overwrite arbitrary files.

Full Advisory:
http://secunia.com/advisories/23443/

--
[SA23429] Gentoo vlnx Insecure DT_RPATH Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2006-12-18

Gentoo has acknowledged a vulnerability, which can be exploited by
malicious, local users to gain escalated privileges or by malicious
people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23429/

--
[SA23417] Trustix update for clamav

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-18

Trustix has issued an update for clamav. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23417/

--
[SA23411] SUSE update for clamav

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-18

SUSE has issued an update for clamav. This fixes some vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23411/

--
[SA23404] Gentoo update for clamav

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2006-12-19

Gentoo has issued an update for clamav. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23404/

--
[SA23400] Avaya CMS / IR Sun Solaris libXfont Integer Overflow Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2006-12-15

Avaya has acknowledged a vulnerability in Avaya CMS / IR, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23400/

--
[SA23395] Debian update for kernel-source-2.4.27

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2006-12-18

Debian has issued an update for kernel-source-2.4.27. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
gain knowledge of potentially sensitive information or cause a DoS
(Denial of Service), and by malicious people to cause a DoS.

Full Advisory:
http://secunia.com/advisories/23395/

--
[SA23389] Gentoo update for links

Critical:    Moderately critical
Where:       From local network
Impact:      Manipulation of data, Exposure of system information,
             Exposure of sensitive information
Released:    2006-12-15

Gentoo has issued an update for links. This fixes a vulnerability, which
can be exploited by malicious people to expose sensitive information and
manipulate data.

Full Advisory:
http://secunia.com/advisories/23389/

--
[SA23454] Gentoo update for ruby

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-12-21

Gentoo has issued an update for ruby. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/23454/

--
[SA23449] Mini Web Shop "catname" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-20

Linux_Drox has discovered a vulnerability in Mini Web Shop, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/23449/

--
[SA23438] Apple Mac OS X Quicktime/Quartz Composer Information Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2006-12-20

A vulnerability has been reported in Mac OS X, which can be exploited by
malicious people to gain knowledge of sensitive information.

Full Advisory:
http://secunia.com/advisories/23438/

--
[SA23428] Gentoo update for pam_ldap

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-12-21

Gentoo has issued an update for pam_ldap. This fixes a security issue,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/23428/

--
[SA23427] Linux Kernel Bluetooth CAPI Messages Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-12-18

A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23427/

--
[SA23413] HyperVM "frm_action" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-19

Aria Security has reported a vulnerability in HyperVM, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/23413/

--
[SA23408] Linux Kernel Bluetooth CAPI Messages Denial of Service

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2006-12-18

A vulnerability has been reported in the Linux Kernel, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/23408/

--
[SA23402] torrentflux-b4rt "path" Directory Traversal Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
             information
Released:    2006-12-15

r0ut3r has discovered a vulnerability in torrentflux-b4rt, which can be
exploited by malicious users to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/23402/

--
[SA23385] Ubuntu update for gdm

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation
Released:    2006-12-15

Ubuntu has issued an update for gdm. This fixes a vulnerability, which
can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/23385/

--
[SA23387] GNOME Foundation Display Manager "gdmchooser" Vulnerability

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-12-15

A vulnerability has been reported in the gdmchooser application of the
GNOME Display Manager, which can be exploited by malicious, local users
to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/23387/

--
[SA23430] NeoScale Systems CryptoStor 700 Series Security Bypass Weakness

Critical:    Not critical
Where:       From local network
Impact:      Security Bypass
Released:    2006-12-19

A weakness has been reported in NeoScale Systems CryptoStor 700 Series,
which can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/23430/

--
[SA23436] Linux Kernel "mincore()" Deadlock Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-12-20

Doug Chapman has reported a vulnerability in the Linux Kernel, which can
be exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23436/

--
[SA23392] Mandriva update for proftpd

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2006-12-19

Mandriva has issued an update for proftpd. This fixes a vulnerability,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/23392/

--
[SA23390] Mandriva update for dbus

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2006-12-19

Mandriva has issued an update for dbus. This fixes a weakness, which can
be exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/23390/

Other:
--
[SA23406] Novell NetWare Welcome web-app Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-20

A vulnerability has been reported in Novell NetWare, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/23406/

--
[SA23396] HP FTP Print Server LIST Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-12-20

Joxean Koret has reported a vulnerability in HP FTP Print Server, which
can be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/23396/

Cross Platform:
--
[SA23445] Sun Java JRE Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2006-12-20

Some vulnerabilities have been reported in Sun Java JRE (Java Runtime
Environment), which can be exploited by malicious people to compromise
a user's system.

Full Advisory:
http://secunia.com/advisories/23445/

--
[SA23442] cwmCounter "path" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-21

bd0rk has discovered a vulnerability in cwmCounter, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23442/

--
[SA23425] CuteNews AJ-Fork "cutepath" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-18

DeltahackingTEAM have discovered a vulnerability in CuteNews AJ-Fork,
which can be exploited by malicious people to compromise vulnerable
systems.

Full Advisory:
http://secunia.com/advisories/23425/

--
[SA23422] Mozilla SeaMonkey Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-12-19

Multiple vulnerabilities have been reported in Mozilla SeaMonkey, which
can be exploited by malicious people to conduct cross-site scripting
attacks and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/23422/

--
[SA23420] Mozilla Thunderbird Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2006-12-19

Multiple vulnerabilities have been reported in Mozilla Thunderbird,
which can be exploited by malicious people to conduct cross-site
scripting attacks and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/23420/

--
[SA23415] BitDefender AntiVirus Engine PE File Parsing Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-18

Sergio Alvarez has reported a vulnerability in BitDefender Anti-Virus,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/23415/

--
[SA23388] eyeOS File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2006-12-18

A vulnerability has been discovered in eyeOS, which can be exploited by
malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23388/

--
[SA23418] VerliAdmin "q" File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2006-12-19

Kacper has discovered a vulnerability in VerliAdmin, which can be
exploited by malicious users to compromise vulnerable systems.

Full Advisory:
http://secunia.com/advisories/23418/

--
[SA23414] IBM WebSphere Application Server Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, Exposure of system information, Exposure of
             sensitive information
Released:    2006-12-18

Some vulnerabilities have been reported in IBM WebSphere Application
Server, where some have unknown impacts and others can potentially be
exploited to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/23414/

--
[SA23398] Sun Java JRE Applet Security Bypass

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2006-12-20

Two vulnerabilities have been reported in Sun Java JRE (Java Runtime
Environment), which can be exploited by malicious people to bypass
certain security restrictions.
Full Advisory:
http://secunia.com/advisories/23398/

--
[SA23386] IBM WebSphere Application Server Unspecified Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown
Released:    2006-12-15

A vulnerability with unknown impact has been reported in IBM WebSphere
Application Server.

Full Advisory:
http://secunia.com/advisories/23386/

--
[SA23421] Hitachi Directory Server LDAP Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2006-12-21

Some vulnerabilities have been reported in Hitachi Directory Server,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/23421/

--
[SA23410] Drupal Project / Project issue tracking Module Script Insertion

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-18

Some vulnerabilities have been reported in the Project and Project issue
tracking modules for Drupal, which can be exploited by malicious users
to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/23410/

--
[SA23405] Drupal MySite Module "Title" Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2006-12-18

A vulnerability has been reported in the MySite module for Drupal, which
can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/23405/

--
[SA23397] DB2 Universal Database Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2006-12-17

Vivek Rathod has reported a vulnerability in DB2, which can be exploited
by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/23397/

========================================================================

Secunia recommends that you verify all advisories you receive, by
clicking the link. Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@private
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn