========================================================================

                  The Secunia Weekly Advisory Summary
                        2008-03-13 - 2008-03-20

                       This week: 58 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia invites you to join us at the biggest IT Expo event of the year,
the RSA Conference in the Moscone Center, San Francisco, California,
from 7 to 11 April 2008.

If you are interested in going to the expo exhibit and meeting us,
please contact your Secunia Account Executive for a FREE EXPO PASS!

========================================================================
2) This Week in Brief:

Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.

For more information, refer to:
http://secunia.com/advisories/29420/

--

Some vulnerabilities have been reported in Kerberos, which can be
exploited by malicious people to disclose potentially sensitive
information, cause a DoS (Denial of Service), or potentially compromise
a vulnerable system.

For more information, refer to:
http://secunia.com/advisories/29428/

--

Some vulnerabilities have been reported in WinRAR, which potentially
can be exploited by malicious people to compromise a vulnerable system.

For more information, refer to:
http://secunia.com/advisories/29407/

To find out if your home computer is vulnerable to these security
problems, scan using the free Personal Software Inspector. Check if a
vulnerable version is installed on computers in your corporate network
using the Network Software Inspector.

Download the Secunia PSI:
https://psi.secunia.com/

--

VIRUS ALERTS:

During the past week Secunia collected 221 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA29337] McAfee ePolicy Orchestrator Framework Service Format
              String Vulnerability
2.  [SA29378] Invision Power Board Nested BBCodes Script Insertion
3.  [SA29382] MDaemon IMAP Server "FETCH" Command Buffer Overflow
4.  [SA29339] Fully Modded phpBB "k" SQL Injection Vulnerability
5.  [SA29360] IBM WebSphere MQ for HP NonStop Missing Authentication
6.  [SA29368] Sun Solaris JDS XscreenSaver Authentication Bypass
7.  [SA29309] Gentoo update for sarg
8.  [SA29375] Fedora update for roundup
9.  [SA29372] EasyGallery SQL Injection and Cross-Site Scripting
10. [SA29329] Mapbender SQL and PHP Code Injection

========================================================================
4) Vulnerabilities Summary Listing

Windows:

[SA29437] BusinessObjects "RptViewerAX" ActiveX Control Buffer Overflow
Vulnerability
[SA29408] CA BrightStor ARCserve Backup "ListCtrl" ActiveX Control
Buffer Overflow
[SA29407] WinRAR Multiple Unspecified Vulnerabilities
[SA29433] KAPhotoservice "albumid" SQL Injection Vulnerability
[SA29419] Home FTP Server Passive Mode Denial of Service
[SA29382] MDaemon IMAP Server "FETCH" Command Buffer Overflow
[SA29404] BootManage TFTP Server Buffer Overflow Vulnerability

UNIX/Linux:

[SA29451] Red Hat update for krb5
[SA29450] Red Hat update for krb5
[SA29444] Gentoo update for moinmoin
[SA29438] Ubuntu update for krb5
[SA29435] Debian update for krb5
[SA29428] Kerberos Multiple Vulnerabilities
[SA29426] Asterisk Multiple Vulnerabilities
[SA29424] SUSE update for krb5
[SA29423] Red Hat update for krb5
[SA29420] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA29393] Apple Safari Multiple Vulnerabilities
[SA29440] Red Hat update for unzip
[SA29432] Debian update for unzip
[SA29427] Mandriva update for unzip
[SA29415] UnZip "inflate_dynamic()" Uninitialized Pointers Vulnerability
[SA29400] Debian update for horde3
[SA29396] Gentoo update for dovecot
[SA29385] Debian update for dovecot
[SA29379] Avaya CMS Solaris Firewall Security Bypass and Denial of
Service
[SA29448] SUSE update for cups
[SA29431] CUPS CGI Buffer Overflow Vulnerability
[SA29405] Debian update for smarty
[SA29403] Debian update for lighttpd
[SA29388] Ubuntu update for mailman
[SA29383] ZABBIX "vfs.file.cksum" Denial of Service Vulnerability
[SA29387] Red Hat update for kernel
[SA29442] HP StorageWorks Library and Tape Tools (LTT) on HP-UX
Security Bypass
[SA29425] Gentoo update for acroread
[SA29395] Debian update for ldapscripts
[SA29449] Asterisk Predictable HTTP Manager ID Weakness
[SA29418] Sun Solaris "rpc.metad" Denial of Service

Other:

[SA29394] CheckPoint VPN-1 IP Address Collision Security Issue
[SA29401] RaidSonic ICY BOX NAS-4220-B Insecure Storage of Encryption
Key

Cross Platform:

[SA29422] PHPauction GPL "include_path" File Inclusion Vulnerabilities
[SA29417] fuzzylime (cms) "admindir" File Inclusion Vulnerability
[SA29397] F-Secure Archives Handling Unspecified Vulnerabilities
[SA29430] Easy-Clanpage "id" SQL Injection Vulnerability
[SA29429] Joomla Acajoom PRO Component "mailingid" SQL Injection
[SA29421] MG-SOFT Net Inspector Multiple Vulnerabilities
[SA29411] phpBP "id" SQL Injection Vulnerability
[SA29398] Serendipity Security Bypass and Script Insertion
Vulnerabilities
[SA29390] eXV2 WebChat Module "roomid" SQL Injection
[SA29389] eXV2 Viso Module "kid" SQL Injection Vulnerability
[SA29384] eXV2 myannonces Module "lid" SQL Injection
[SA29441] ManageEngine SupportCenter Plus "searchText" Cross-Site
Scripting
[SA29416] Multiple Time Sheets "tab" Cross-Site Scripting
[SA29413] VMware Products Multiple Vulnerabilities
[SA29412] VMware Server Multiple Vulnerabilities
[SA29409] Novell GroupWise Windows Client API Security Bypass
[SA29380] eForum "busca.php" Cross-Site Scripting
[SA29378] Invision Power Board Nested BBCodes Script Insertion

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA29437] BusinessObjects "RptViewerAX" ActiveX Control Buffer Overflow
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-03-19

Will Dormann has reported a vulnerability in BusinessObjects, which can
be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29437/

--

[SA29408] CA BrightStor ARCserve Backup "ListCtrl" ActiveX Control
Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-03-17

Krystian Kloskowski has reported a vulnerability in CA BrightStor
ARCserve Backup for Laptops & Desktops, which can be exploited by
malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29408/

--

[SA29407] WinRAR Multiple Unspecified Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-03-19

Some vulnerabilities have been reported in WinRAR, which can potentially
be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29407/

--

[SA29433] KAPhotoservice "albumid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-03-19

JosS has reported a vulnerability in KAPhotoservice, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29433/

--

[SA29419] Home FTP Server Passive Mode Denial of Service

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-03-18

0in has discovered a vulnerability in Home FTP Server, which can be
exploited by malicious users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29419/

--

[SA29382] MDaemon IMAP Server "FETCH" Command Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-03-14

Matteo Memelli has discovered a vulnerability in MDaemon, which can be
exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29382/

--

[SA29404] BootManage TFTP Server Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2008-03-17

Luigi Auriemma has discovered a vulnerability in BootManage TFTP Server,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/29404/

UNIX/Linux:--

[SA29451] Red Hat update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2008-03-19

Red Hat has issued an update for krb5. This fixes some vulnerabilities,
which can be exploited by malicious people to disclose potentially
sensitive information, cause a DoS (Denial of Service), or potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29451/

--

[SA29450] Red Hat update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2008-03-19

Red Hat has issued an update for krb5. This fixes some vulnerabilities,
which can be exploited by malicious people to disclose potentially
sensitive information, cause a DoS (Denial of Service), or potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29450/

--

[SA29444] Gentoo update for moinmoin

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, DoS, System access
Released:    2008-03-19

Gentoo has issued an update for moinmoin. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks, bypass security restrictions, manipulate
certain data, or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29444/

--

[SA29438] Ubuntu update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2008-03-19

Ubuntu has issued an update for krb5. This fixes some vulnerabilities,
which can be exploited by malicious people to disclose potentially
sensitive information, cause a DoS (Denial of Service), or potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29438/

--

[SA29435] Debian update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2008-03-19

Debian has issued an update for krb5. This fixes some vulnerabilities,
which can be exploited by malicious people to disclose potentially
sensitive information, cause a DoS (Denial of Service), or potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29435/

--

[SA29428] Kerberos Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2008-03-19

Some vulnerabilities have been reported in Kerberos, which can be
exploited by malicious people to disclose potentially sensitive
information, cause a DoS (Denial of Service), or potentially compromise
a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29428/

--

[SA29426] Asterisk Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, DoS, System access
Released:    2008-03-19

Some vulnerabilities have been reported in Asterisk, which can be
exploited by malicious people to bypass certain security restrictions,
cause a DoS (Denial of Service), and potentially compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/29426/

--

[SA29424] SUSE update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      System access, DoS, Exposure of sensitive information
Released:    2008-03-19

SUSE has issued an update for krb5. This fixes some vulnerabilities,
which can be exploited by malicious people to disclose potentially
sensitive information, cause a DoS (Denial of Service), or potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29424/

--

[SA29423] Red Hat update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2008-03-19

Red Hat has issued an update for krb5. This fixes some vulnerabilities,
which can be exploited by malicious people to disclose potentially
sensitive information, cause a DoS (Denial of Service), or potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29423/

--

[SA29420] Mac OS X Security Update Fixes Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, Security Bypass, Cross Site Scripting, Spoofing,
             Exposure of sensitive information, Privilege escalation,
             DoS, System access
Released:    2008-03-19

Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities.

Full Advisory:
http://secunia.com/advisories/29420/

--

[SA29393] Apple Safari Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of
             sensitive information, System access
Released:    2008-03-19

Some vulnerabilities have been reported in Safari, which can be
exploited by malicious people to bypass certain security restrictions,
conduct cross-site scripting attacks, or to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/29393/

--

[SA29440] Red Hat update for unzip

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-03-19

Red Hat has issued an update for unzip. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/29440/

--

[SA29432] Debian update for unzip

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-03-18

Debian has issued an update for unzip. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/29432/

--

[SA29427] Mandriva update for unzip

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-03-19

Mandriva has issued an update for unzip. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/29427/

--

[SA29415] UnZip "inflate_dynamic()" Uninitialized Pointers Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-03-18

A vulnerability has been reported in UnZip, which potentially can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29415/

--

[SA29400] Debian update for horde3

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
             information, System access
Released:    2008-03-17

Debian has issued an update for horde3. This fixes a vulnerability,
which can be exploited by malicious users to disclose sensitive
information and potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29400/

--

[SA29396] Gentoo update for dovecot

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-03-18

Gentoo has issued an update for dovecot. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/29396/

--

[SA29385] Debian update for dovecot

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-03-17

Debian has issued an update for dovecot. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/29385/

--

[SA29379] Avaya CMS Solaris Firewall Security Bypass and Denial of
Service

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, DoS
Released:    2008-03-17

Avaya has acknowledged a vulnerability in Avaya CMS, which can be
exploited by malicious people to bypass certain security restrictions
and cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29379/

--

[SA29448] SUSE update for cups

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-03-19

SUSE has issued an update for cups. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of Service)
or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29448/

--

[SA29431] CUPS CGI Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-03-19

A vulnerability has been reported in CUPS, which can be exploited by
malicious people to cause a DoS (Denial of Service) or to potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29431/

--

[SA29405] Debian update for smarty

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-03-17

Debian has issued an update for smarty. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/29405/

--

[SA29403] Debian update for lighttpd

Critical:    Less critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
             information
Released:    2008-03-17

Debian has issued an update for lighttpd. This fixes a security issue,
which can be exploited by malicious people to disclose potentially
sensitive information.

Full Advisory:
http://secunia.com/advisories/29403/

--

[SA29388] Ubuntu update for mailman

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-03-17

Ubuntu has issued an update for mailman. This fixes a vulnerability,
which can be exploited by malicious users to conduct script insertion
attacks.

Full Advisory:
http://secunia.com/advisories/29388/

--

[SA29383] ZABBIX "vfs.file.cksum" Denial of Service Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      DoS
Released:    2008-03-14

Milen Rangelov has discovered a vulnerability in ZABBIX, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29383/

--

[SA29387] Red Hat update for kernel

Critical:    Less critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-03-14

Red Hat has issued an update for the kernel. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service) or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29387/

--

[SA29442] HP StorageWorks Library and Tape Tools (LTT) on HP-UX
Security Bypass

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2008-03-19

HP has acknowledged a vulnerability in HP StorageWorks Library and Tape
Tools (LTT), which can be exploited by malicious, local users to bypass
certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29442/

--

[SA29425] Gentoo update for acroread

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-03-19

Gentoo has issued an update for acroread. This fixes a security issue,
which can be exploited by malicious, local users to perform certain
actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/29425/

--

[SA29395] Debian update for ldapscripts

Critical:    Less critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2008-03-17

Debian has issued an update for ldapscripts. This fixes a security
issue, which can be exploited by malicious, local users to disclose
sensitive information.

Full Advisory:
http://secunia.com/advisories/29395/

--

[SA29449] Asterisk Predictable HTTP Manager ID Weakness

Critical:    Not critical
Where:       From local network
Impact:      Hijacking
Released:    2008-03-19

Dino A. Dai Zovi has reported a weakness in Asterisk, which can be
exploited by malicious people to hijack a user session.

Full Advisory:
http://secunia.com/advisories/29449/

--

[SA29418] Sun Solaris "rpc.metad" Denial of Service

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2008-03-18

Kingcope has reported a vulnerability in Solaris, which can be exploited
by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29418/

Other:--

[SA29394] CheckPoint VPN-1 IP Address Collision Security Issue

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information, DoS
Released:    2008-03-18

Robert Mitchell has reported a security issue in CheckPoint VPN-1, which
can lead to a DoS (Denial of Service) or disclosure of sensitive
information.

Full Advisory:
http://secunia.com/advisories/29394/

--

[SA29401] RaidSonic ICY BOX NAS-4220-B Insecure Storage of Encryption
Key

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2008-03-19

Collin Mulliner has reported a security issue in RaidSonic NAS-4220-B,
which can be exploited by malicious people with physical access to the
device to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/29401/

Cross Platform:--

[SA29422] PHPauction GPL "include_path" File Inclusion Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
             information, System access
Released:    2008-03-18

RoMaNcYxHaCkEr has discovered some vulnerabilities in PHPauction GPL,
which can be exploited by malicious people to disclose sensitive
information or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29422/

--

[SA29417] fuzzylime (cms) "admindir" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
             information, System access
Released:    2008-03-17

irk4z has discovered a vulnerability in fuzzylime (cms), which can be
exploited by malicious people to disclose sensitive information or to
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29417/

--

[SA29397] F-Secure Archives Handling Unspecified Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-03-17

Some vulnerabilities have been reported in various F-Secure products,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29397/

--

[SA29430] Easy-Clanpage "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-03-19

n3w7u has discovered a vulnerability in Easy-Clanpage, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29430/

--

[SA29429] Joomla Acajoom PRO Component "mailingid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-03-19

fataku has reported a vulnerability in the Acajoom PRO component for
Joomla!, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/29429/

--

[SA29421] MG-SOFT Net Inspector Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
             information, DoS, System access
Released:    2008-03-17

Luigi Auriemma has discovered some vulnerabilities in MG-SOFT Net
Inspector, which can be exploited by malicious people to disclose
sensitive information, cause a DoS (Denial of Service), or potentially
compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29421/

--

[SA29411] phpBP "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-03-17

irk4z has reported a vulnerability in phpBP, which can be exploited by
malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29411/

--

[SA29398] Serendipity Security Bypass and Script Insertion
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting
Released:    2008-03-18

Two vulnerabilities have been reported in Serendipity, which can be
exploited by malicious people to conduct script insertion attacks and
bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29398/

--

[SA29390] eXV2 WebChat Module "roomid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-03-17

S@BUN has discovered a vulnerability in the WebChat module for eXV2,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/29390/

--

[SA29389] eXV2 Viso Module "kid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-03-17

S@BUN has discovered a vulnerability in the Viso (Industry Book) module
for eXV2, which can be exploited by malicious people to conduct SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/29389/

--

[SA29384] eXV2 myannonces Module "lid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-03-17

S@BUN has discovered a vulnerability in the myannonces module for eXV2,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/29384/

--

[SA29441] ManageEngine SupportCenter Plus "searchText" Cross-Site
Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-03-19

Yogesh Kulkarni has reported a vulnerability in ManageEngine
SupportCenter Plus, which can be exploited by malicious people to
conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29441/

--

[SA29416] Multiple Time Sheets "tab" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-03-17

JosS has discovered a vulnerability in Multiple Time Sheets (MTS), which
can be exploited by malicious people to conduct cross-site scripting
attacks.

Full Advisory:
http://secunia.com/advisories/29416/

--

[SA29413] VMware Products Multiple Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Privilege escalation, DoS
Released:    2008-03-17

Some vulnerabilities have been reported in VMware products, which can be
exploited by malicious, local users to gain escalated privileges or to
cause a DoS (Denial of Service), and potentially by malicious people to
bypass certain security restrictions or to cause a DoS.

Full Advisory:
http://secunia.com/advisories/29413/

--

[SA29412] VMware Server Multiple Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Privilege escalation, DoS
Released:    2008-03-17

Some vulnerabilities have been reported in VMware Server, which can be
exploited by malicious, local users to gain escalated privileges or to
cause a DoS (Denial of Service), and potentially by malicious people to
bypass certain security restrictions or to cause a DoS.

Full Advisory:
http://secunia.com/advisories/29412/

--

[SA29409] Novell GroupWise Windows Client API Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2008-03-17

A vulnerability has been reported in Novell GroupWise, which can be
exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29409/

--

[SA29380] eForum "busca.php" Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-03-18

Omni has discovered two vulnerabilities in eForum, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29380/

--

[SA29378] Invision Power Board Nested BBCodes Script Insertion

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-03-14

A vulnerability has been reported in Invision Power Board, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29378/

========================================================================

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third-party patches; only
use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web    : http://secunia.com/
E-mail : support@private
Tel    : +45 70 20 51 44
Fax    : +45 70 20 51 45

___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
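Every entry in section 5 above uses the same fixed layout (a bracketed SA number and title, then Critical/Where/Impact/Released fields, then a "Full Advisory" link), which makes the digest easy to consume by machine. The following Python parser is an added example and is not Secunia's code: it extracts each entry into a record, ranks it on Secunia's five-level criticality scale (extremely, highly, moderately, less, not critical), lists the entries worth acting on first (highly critical and reachable from remote), collapses the per-distribution "update for" entries by package so that the six krb5 vendor updates this week, which carry the same description as SA29428, are not counted as six separate findings, and performs the check the footer asks for by confirming that each "Full Advisory" link is on secunia.com and names the same SA number as the title. SAMPLE is constructed from three abbreviated entries on this page; the regular expressions and function names are this example's own.

```python
"""Parse the fixed entry layout of section 5 (Vulnerabilities Content Listing)
and triage it. Added example, not Secunia code; SAMPLE is constructed here."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Secunia's five criticality levels, ranked so entries can be compared.
CRITICALITY = {"Extremely critical": 5, "Highly critical": 4,
               "Moderately critical": 3, "Less critical": 2, "Not critical": 1}

# Constructed sample: three entries abbreviated from this week's digest.
SAMPLE = """\
Windows:--
[SA29437] BusinessObjects "RptViewerAX" ActiveX Control Buffer Overflow
Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-03-19
Full Advisory: http://secunia.com/advisories/29437/

UNIX/Linux:--
[SA29438] Ubuntu update for krb5

Critical:    Highly critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS, System access
Released:    2008-03-19
Full Advisory: http://secunia.com/advisories/29438/

--

[SA29418] Sun Solaris "rpc.metad" Denial of Service

Critical:    Not critical
Where:       From local network
Impact:      DoS
Released:    2008-03-18
Full Advisory: http://secunia.com/advisories/29418/
"""

PLATFORM_RE = re.compile(r"^(Windows|UNIX/Linux|Other|Cross Platform):--[ \t]*$", re.M)
ENTRY_RE = re.compile(
    r"\[(?P<id>SA\d+)\][ \t]+(?P<title>.+?)\n\n"      # title may wrap to a 2nd line
    r"Critical:[ \t]*(?P<critical>[^\n]+)\n"
    r"Where:[ \t]*(?P<where>[^\n]+)\n"
    r"Impact:[ \t]*(?P<impact>[^\n]+)\n"
    r"Released:[ \t]*(?P<released>\d{4}-\d{2}-\d{2})"
    r".*?Full Advisory:\s*(?P<url>\S+)", re.S)
UPDATE_RE = re.compile(r"^(?P<vendor>.+?) update for (?P<pkg>\S+)$")


@dataclass
class Advisory:
    sa_id: str
    title: str
    platform: str
    critical: str
    where: str
    impact: List[str]
    released: str
    url: str

    def rank(self) -> int:
        return CRITICALITY.get(self.critical, 0)

    def link_is_consistent(self) -> bool:
        """The footer asks readers to verify advisories via the link: accept it
        only if it is on secunia.com and names the same SA number as the title."""
        u = urlparse(self.url)
        m = re.fullmatch(r"/advisories/(\d+)/?", u.path)
        return (u.scheme in ("http", "https") and u.hostname == "secunia.com"
                and m is not None and "SA" + m.group(1) == self.sa_id)


def parse_summary(text: str) -> List[Advisory]:
    """Split the listing at platform headers, then pull every entry in each."""
    heads = list(PLATFORM_RE.finditer(text))
    out: List[Advisory] = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        for m in ENTRY_RE.finditer(text, h.end(), end):
            out.append(Advisory(m["id"], " ".join(m["title"].split()), h.group(1),
                                m["critical"].strip(), m["where"].strip(),
                                [s.strip() for s in m["impact"].split(",")],
                                m["released"], m["url"]))
    return out


def triage(advisories, min_level="Highly critical", where="From remote"):
    """Entries at or above min_level that are exposed from `where`, most severe
    first, then by SA number."""
    floor = CRITICALITY[min_level]
    hits = [a for a in advisories if a.rank() >= floor and a.where == where]
    return sorted(hits, key=lambda a: (-a.rank(), a.sa_id))


def group_vendor_updates(advisories) -> Dict[str, List[str]]:
    """Collapse '<vendor> update for <pkg>' entries per package, so one upstream
    issue (six krb5 updates this week) is not counted as six findings."""
    groups: Dict[str, List[str]] = {}
    for a in advisories:
        m = UPDATE_RE.match(a.title)
        if m:
            groups.setdefault(m["pkg"], []).append(a.sa_id)
    return groups
```

Feeding the full section 5 text to parse_summary() gives 58 records; triage() with the defaults returns the "Highly critical / From remote" subset, and group_vendor_updates() shows at a glance that krb5 and unzip each have several distribution entries behind one upstream advisory. The link check is deliberately strict about the hostname so that a lookalike domain in a forged digest fails it.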
This archive was generated by hypermail 2.1.3 : Fri Mar 21 2008 - 00:21:35 PST