======================================================================== The Secunia Weekly Advisory Summary 2008-10-02 - 2008-10-09 This week: 75 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Do you need accurate and reliable IDS / IPS / AV detection rules? Get in-depth vulnerability details: http://secunia.com/binary_analysis/sample_analysis/ ======================================================================== 2) This Week in Brief: Some vulnerabilities have been reported in Opera, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, or potentially compromise a user's system. For more information, refer to: http://secunia.com/advisories/32177/ -- Some vulnerabilities and a security issue have been reported in Cisco Unity, which can be exploited by malicious, local users to disclose potentially sensitive information, and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service). For more information, refer to: http://secunia.com/advisories/32187/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA32124] Linux Kernel "vmi_write_ldt_entry()" Privilege Escalation 2. [SA32163] Adobe Flash Player "Clickjacking" Security Bypass Vulnerability 3. [SA17295] phpBB Avatar Script Insertion Vulnerability 4. [SA32177] Opera Multiple Vulnerabilities 5. [SA14362] phpBB Avatar Functions Information Disclosure and Deletion 6. [SA32111] Novell eDirectory Multiple Vulnerabilities 7. [SA13769] Zeroboard Multiple Vulnerabilities 8. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability 9. [SA32097] Trend Micro OfficeScan Multiple Vulnerabilities 10. [SA32180] VMware ESX Server Sun Java JDK / JRE Multiple Vulnerabilities ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA32140] iseemedia LPViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities [SA32206] Avaya IP Softphone H.323 Denial of Service Vulnerability [SA32205] Avaya one-X Desktop Edition SIP Denial of Service Vulnerability [SA32154] WinZip GDI+ Multiple Vulnerabilities [SA32150] Serv-U File Renaming Vulnerabilities and STOU Denial of Service [SA32156] Kontiki Delivery Management System "action" Cross-Site Scripting [SA32187] Cisco Unity Multiple Vulnerabilities [SA32207] Cisco Unity Script Insertion Vulnerability UNIX/Linux: [SA32196] SUSE update for MozillaFirefox, MozillaThunderbird, seamonkey, and mozilla [SA32185] Debian update for iceweasel [SA32180] VMware ESX Server Sun Java JDK / JRE Multiple Vulnerabilities [SA32153] Debian update for mplayer [SA32144] SUSE update for MozillaFirefox [SA32204] Avaya Communication Manager Arbitrary Command Execution Vulnerabilities [SA32193] Red Hat update for condor [SA32190] Red Hat update for kernel [SA32189] Condor Multiple Vulnerabilities [SA32188] Avaya Products Wireshark Multiple Denial of Service Vulnerabilities [SA32184] Gentoo update for wordnet [SA32181] SUSE update for openssh [SA32175] Fedora update for libxml2 [SA32151] SUSE update for dovecot and graphicsmagic [SA32148] Debian update for php5 [SA32136] Avaya AES LibTIFF LZW Decoder Buffer Underflow Vulnerability [SA32132] Debian update for lighttpd [SA32130] Libxml2 Predefined Entities Denial of Service Vulnerability [SA32120] Red Hat update for tomcat [SA32182] SUSE update for mercurial [SA32168] AmpJuke "special" SQL Injection Vulnerability [SA32164] Dovecot ACL Plugin Security Bypass Security Issues [SA32128] Fedora update for mediawiki [SA32161] HP-UX NFS/ONCplus Denial of Service Vulnerability [SA32133] OpenBSD IPv6 Neighbor Discovery Protocol Neighbor Solicitation Vulnerability [SA32174] Fedora update for pam_krb5 [SA32170] FreeRADIUS "dialup_admin" Insecure Temporary Files [SA32155] Debian update for feta [SA32135] Red Hat update for pam_krb5 [SA32124] Linux Kernel "vmi_write_ldt_entry()" Privilege Escalation [SA32119] pam_krb5 Credential Cache "exisiting_ticket" Security Bypass [SA32127] D-Bus "_dbus_validate_signature_with_reason()" Denial of Service [SA32125] Avaya CMS Solaris ACL for UFS File Systems Local Denial of Service Other: [SA32121] Apple TV Multiple Vulnerabilities [SA32122] Blue Coat SGOS ICAP Patience Page Cross-Site Scripting Vulnerability [SA32203] Nortel Multimedia Communication Server 5100 Multiple Vulnerabilities Cross Platform: [SA32179] VMware VirtualCenter Multiple Vulnerabilities [SA32177] Opera Multiple Vulnerabilities [SA32198] Drupal Attach File Security Bypass Vulnerability [SA32195] Drupal Multiple Modules Security Bypass Vulnerability [SA32194] Drupal EveryBlog Module Multiple Vulnerabilities [SA32191] Drupal SIOC Module Security Bypass Vulnerability [SA32186] Graphviz "push_subg" Buffer Overflow Vulnerability [SA32171] AdaptCMS "user_name" SQL Injection Vulnerability [SA32169] CMME Information Disclosure Security Issues [SA32162] Hispah Text Links Ads "idcat" / "idtl" SQL Injection Vulnerabilities [SA32160] AdMan "campaignId" SQL Injection Vulnerability [SA32159] YaCy Unspecified Vulnerabilities [SA32158] WebBiscuits FAQ Support "download" File Disclosure Vulnerability [SA32149] PHP Realtor "v_cat" SQL Injection Vulnerability [SA32147] PHP Auto Dealer "v_cat" SQL Injection Vulnerability [SA32145] Kwalbum "UploaditemsPage.php" File Upload Vulnerability [SA32141] JMweb MP3 Script "src" File Inclusion Vulnerabilities [SA32139] PHP Autos "catid" SQL Injection Vulnerability [SA32126] Fastpublish CMS Multiple Vulnerabilities [SA32201] Drupal User and BlogAPI Security Bypass Vulnerabilities [SA32200] Drupal Upload and Node Module API Security Bypass [SA32199] HP System Management Homepage Unspecified Cross Site Scripting Vulnerability [SA32176] Website Directory "keyword" Cross-Site Scripting Vulnerability [SA32172] WOW Raid Manager Unspecified Cross-Site Scripting Vulnerability [SA32167] vbDrupal Multiple Security Bypass Vulnerabilities [SA32163] Adobe Flash Player "Clickjacking" Security Bypass Vulnerability [SA32146] ModSecurity "SecCacheTransformations" Vulnerability [SA32134] XAMPP adodb.php Cross-Site Scripting Vulnerabilities [SA32131] MediaWiki "useskin" Cross-Site Scripting Vulnerability [SA32123] Nucleus EUC-JP Cross-Site Scripting Vulnerability [SA32157] VMware ESX / ESXi "JMP" Privilege Escalation Vulnerability ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA32140] iseemedia LPViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2008-10-07 Will Dormann has reported some vulnerabilities in the iseemedia LPViewer ActiveX control, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/32140/ -- [SA32206] Avaya IP Softphone H.323 Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-10-09 A vulnerability has been reported in Avaya IP Softphone, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32206/ -- [SA32205] Avaya one-X Desktop Edition SIP Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-10-09 A vulnerability has been reported in Avaya one-X Desktop Edition, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32205/ -- [SA32154] WinZip GDI+ Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2008-10-09 Some vulnerabilities have been reported in WinZip, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/32154/ -- [SA32150] Serv-U File Renaming Vulnerabilities and STOU Denial of Service Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2008-10-06 Some vulnerabilities have been reported in Serv-U, which can be exploited by malicious users to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/32150/ -- [SA32156] Kontiki Delivery Management System "action" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-10-06 A vulnerability has been reported in Kontiki Delivery Management System, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/32156/ -- [SA32187] Cisco Unity Multiple Vulnerabilities Critical: Less critical Where: From local network Impact: Security Bypass, Exposure of sensitive information, DoS Released: 2008-10-09 Some vulnerabilities and a security issue have been reported in Cisco Unity, which can be exploited by malicious, local users to disclose potentially sensitive information, and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32187/ -- [SA32207] Cisco Unity Script Insertion Vulnerability Critical: Not critical Where: From local network Impact: Cross Site Scripting Released: 2008-10-09 A vulnerability has been reported in Cisco Unity, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/32207/ UNIX/Linux:-- [SA32196] SUSE update for MozillaFirefox, MozillaThunderbird, seamonkey, and mozilla Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2008-10-09 SUSE has issued an update for MozillaFirefox, MozillaThunderbird, seamonkey, and mozilla. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, to disclose sensitive information, or to potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/32196/ -- [SA32185] Debian update for iceweasel Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2008-10-09 Debian has issued an update for iceweasel. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, to disclose sensitive information, or to potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/32185/ -- [SA32180] VMware ESX Server Sun Java JDK / JRE Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2008-10-06 VMware has acknowledged some vulnerabilities in VMware ESX Server, which can be exploited by malicious people to bypass certain security restrictions, disclose system information or potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/32180/ -- [SA32153] Debian update for mplayer Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2008-10-06 Debian has issued an update for mplayer. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/32153/ -- [SA32144] SUSE update for MozillaFirefox Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2008-10-07 SUSE has issued an update for MozillaFirefox. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, to disclose sensitive information, or to potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/32144/ -- [SA32204] Avaya Communication Manager Arbitrary Command Execution Vulnerabilities Critical: Moderately critical Where: From remote Impact: System access Released: 2008-10-09 Two vulnerabilities have been reported in Avaya Communication Manager, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/32204/ -- [SA32193] Red Hat update for condor Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS, System access Released: 2008-10-08 Red Hat has issued an update for condor. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system, and by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32193/ -- [SA32190] Red Hat update for kernel Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information, DoS Released: 2008-10-08 Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information and cause a DoS (Denial of Service) and malicious people to cause a DoS.. Full Advisory: http://secunia.com/advisories/32190/ -- [SA32189] Condor Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS, System access Released: 2008-10-08 Some vulnerabilities have been reported Condor, which can be exploited by malicious users to bypass certain security restrictions, cause a DoS (Denial of Service), and potentially compromise a vulnerable system, and by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32189/ -- [SA32188] Avaya Products Wireshark Multiple Denial of Service Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-10-09 Avaya has acknowledged some vulnerabilities in various Avaya products, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32188/ -- [SA32184] Gentoo update for wordnet Critical: Moderately critical Where: From remote Impact: Privilege escalation, DoS, System access Released: 2008-10-08 Gentoo has issued an update for wordnet. This fixes some vulnerabilities, which can potentially be exploited by malicious, local users to gain escalated privileges, and by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/32184/ -- [SA32181] SUSE update for openssh Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-10-07 SUSE has issued an update for openssh. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32181/ -- [SA32175] Fedora update for libxml2 Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-10-06 Fedora has issued an update for libxml2. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32175/ -- [SA32151] SUSE update for dovecot and graphicsmagic Critical: Moderately critical Where: From remote Impact: Security Bypass, DoS Released: 2008-10-07 SUSE has issued an update for dovecot and graphicsmagic. This fixes a security issue and some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32151/ -- [SA32148] Debian update for php5 Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2008-10-07 Debian has issued an update for php5. This fixes some vulnerabilities, which can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/32148/ -- [SA32136] Avaya AES LibTIFF LZW Decoder Buffer Underflow Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2008-10-09 Avaya has acknowledged a vulnerability in Avaya Application Enablement Services (AES), which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/32136/ -- [SA32132] Debian update for lighttpd Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, DoS Released: 2008-10-07 Debian has issued an update for lighttpd. This fixes a weakness and some vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32132/ -- [SA32130] Libxml2 Predefined Entities Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-10-03 A vulnerability has been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32130/ -- [SA32120] Red Hat update for tomcat Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information Released: 2008-10-03 Red Hat has issued an update for tomcat. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions, malicious users to disclose potentially sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, or disclose sensitive information. Full Advisory: http://secunia.com/advisories/32120/ -- [SA32182] SUSE update for mercurial Critical: Less critical Where: From remote Impact: Security Bypass Released: 2008-10-07 SUSE has issued an update for mercurial. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32182/ -- [SA32168] AmpJuke "special" SQL Injection Vulnerability Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2008-10-06 S_DLA_S has discovered a vulnerability in AmpJuke, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/32168/ -- [SA32164] Dovecot ACL Plugin Security Bypass Security Issues Critical: Less critical Where: From remote Impact: Security Bypass Released: 2008-10-06 Two security issues have been reported in Dovecot, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32164/ -- [SA32128] Fedora update for mediawiki Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-10-07 Fedora has issued an update for mediawiki. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/32128/ -- [SA32161] HP-UX NFS/ONCplus Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2008-10-07 A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32161/ -- [SA32133] OpenBSD IPv6 Neighbor Discovery Protocol Neighbor Solicitation Vulnerability Critical: Less critical Where: From local network Impact: Spoofing, Exposure of sensitive information, DoS Released: 2008-10-03 A vulnerability has been reported in OpenBSD, which can be exploited by malicious people to conduct spoofing attacks, disclose potentially sensitive information, or to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32133/ -- [SA32174] Fedora update for pam_krb5 Critical: Less critical Where: Local system Impact: Security Bypass Released: 2008-10-06 Fedora has issued an update for pam_krb5. This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32174/ -- [SA32170] FreeRADIUS "dialup_admin" Insecure Temporary Files Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2008-10-08 Some vulnerabilities have been reported in FreeRADIUS, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/32170/ -- [SA32155] Debian update for feta Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2008-10-06 Debian has issued an update for feta. This fixes a security issue, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/32155/ -- [SA32135] Red Hat update for pam_krb5 Critical: Less critical Where: Local system Impact: Security Bypass Released: 2008-10-03 Red Hat has issued an update for pam_krb5. This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32135/ -- [SA32124] Linux Kernel "vmi_write_ldt_entry()" Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation, DoS Released: 2008-10-03 Eugene Teo has reported a vulnerability in the Linux Kernel, which can be exploited by malicious, local users in a VMI guest to cause a DoS (Denial of Service) and potentially gain escalated privileges. Full Advisory: http://secunia.com/advisories/32124/ -- [SA32119] pam_krb5 Credential Cache "exisiting_ticket" Security Bypass Critical: Less critical Where: Local system Impact: Security Bypass Released: 2008-10-03 A security issue has been reported in pam_krb5, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32119/ -- [SA32127] D-Bus "_dbus_validate_signature_with_reason()" Denial of Service Critical: Not critical Where: Local system Impact: DoS Released: 2008-10-07 A weakness has been reported in D-Bus, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32127/ -- [SA32125] Avaya CMS Solaris ACL for UFS File Systems Local Denial of Service Critical: Not critical Where: Local system Impact: DoS Released: 2008-10-03 Avaya has acknowledged a vulnerability in Avaya CMS, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32125/ Other:-- [SA32121] Apple TV Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2008-10-03 Some vulnerabilities have been reported in Apple TV, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/32121/ -- [SA32122] Blue Coat SGOS ICAP Patience Page Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-10-03 Juan Pablo Lopez Yacubian has reported a vulnerability in Blue Coat Security Gateway OS (SGOS), which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/32122/ -- [SA32203] Nortel Multimedia Communication Server 5100 Multiple Vulnerabilities Critical: Less critical Where: From local network Impact: Security Bypass, Spoofing, DoS Released: 2008-10-09 Some vulnerabilities have been reported in Nortel Multimedia Communication Server 5100, which can be exploited by malicious people to bypass certain security restrictions, conduct spoofing attacks, or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/32203/ Cross Platform:-- [SA32179] VMware VirtualCenter Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2008-10-06 VMware has acknowledged a weakness and some vulnerabilities in VMware VirtualCenter, which can be exploited by malicious, local users to disclose sensitive information, and by malicious people to bypass certain security restrictions, disclose system information or potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/32179/ -- [SA32177] Opera Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2008-10-08 Some vulnerabilities have been reported in Opera, which can be exploited by malicious people to bypass certain security restrictions, disclose potentially sensitive information, or potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/32177/ -- [SA32198] Drupal Attach File Security Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2008-10-09 A vulnerability has been reported in Drupal, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32198/ -- [SA32195] Drupal Multiple Modules Security Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2008-10-09 A vulnerability has been reported in various modules for Drupal, which can be exploited by malicious people to bypass certain security restrictions or disclose sensitive information. Full Advisory: http://secunia.com/advisories/32195/ -- [SA32194] Drupal EveryBlog Module Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Privilege escalation Released: 2008-10-09 Some vulnerabilities have been reported in the EveryBlog module for Drupal, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, bypass certain security restrictions, and gain escalated privileges. Full Advisory: http://secunia.com/advisories/32194/ -- [SA32191] Drupal SIOC Module Security Bypass Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2008-10-09 A vulnerability has been reported in the SIOC (Semantically-Interconnected Online Communities) module for Drupal, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information. Full Advisory: http://secunia.com/advisories/32191/ -- [SA32186] Graphviz "push_subg" Buffer Overflow Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2008-10-09 Roee Hay has discovered a vulnerability in Graphviz, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/32186/ -- [SA32171] AdaptCMS "user_name" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-10-06 A vulnerability has been reported in AdaptCMS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/32171/ -- [SA32169] CMME Information Disclosure Security Issues Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2008-10-07 AmnPardaz Security Research & Penetration Testing Group has discovered some security issues in CMME, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/32169/ -- [SA32162] Hispah Text Links Ads "idcat" / "idtl" SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2008-10-09 Some vulnerabilities have been reported in Hispah Text Links Ads, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/32162/ -- [SA32160] AdMan "campaignId" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2008-10-09 SuB-ZeRo has reported a vulnerability in AdMan, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/32160/ -- [SA32159] YaCy Unspecified Vulnerabilities Critical: Moderately critical Where: From remote Impact: Unknown Released: 2008-10-09 Some vulnerabilities with unknown impacts have been reported in YaCy. Full Advisory: http://secunia.com/advisories/32159/ -- [SA32158] WebBiscuits FAQ Support "download" File Disclosure Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2008-10-09 Gold_M has discovered a vulnerability in WebBiscuits FAQ Support, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/32158/ -- [SA32149] PHP Realtor "v_cat" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2008-10-08 Mr.SQL has discovered a vulnerability in PHP Realtor, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/32149/ -- [SA32147] PHP Auto Dealer "v_cat" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2008-10-08 Mr.SQL has reported a vulnerability in PHP Auto Dealer, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/32147/ -- [SA32145] Kwalbum "UploaditemsPage.php" File Upload Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2008-10-07 A vulnerability has been discovered in Kwalbum, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/32145/ -- [SA32141] JMweb MP3 Script "src" File Inclusion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2008-10-06 SirGod has discovered some vulnerabilities in JMweb MP3 Music Audio Search and Download Script, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/32141/ -- [SA32139] PHP Autos "catid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2008-10-08 Mr.SQL has reported a vulnerability in PHP Autos, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/32139/ -- [SA32126] Fastpublish CMS Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data, Exposure of sensitive information Released: 2008-10-06 Multiple vulnerabilities have been discovered in Fastpublish CMS, which can be exploited by malicious people to conduct SQL injection attacks and gain knowledge of sensitive information. Full Advisory: http://secunia.com/advisories/32126/ -- [SA32201] Drupal User and BlogAPI Security Bypass Vulnerabilities Critical: Less critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2008-10-09 Two vulnerabilities have been reported in Drupal, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32201/ -- [SA32200] Drupal Upload and Node Module API Security Bypass Critical: Less critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2008-10-09 Two vulnerabilities have been reported in Drupal, which can be exploited by malicious people and users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32200/ -- [SA32199] HP System Management Homepage Unspecified Cross Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-10-09 A vulnerability has been reported in HP System Management Homepage (SMH), which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/32199/ -- [SA32176] Website Directory "keyword" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-10-06 Ghost Hacker has reported a vulnerability in Website Directory, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/32176/ -- [SA32172] WOW Raid Manager Unspecified Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-10-09 A vulnerability has been reported in WOW Raid Manager, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/32172/ -- [SA32167] vbDrupal Multiple Security Bypass Vulnerabilities Critical: Less critical Where: From remote Impact: Security Bypass, Manipulation of data, Exposure of sensitive information Released: 2008-10-09 Some vulnerabilities have been reported in vbDrupal, which can be exploited by malicious people and users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32167/ -- [SA32163] Adobe Flash Player "Clickjacking" Security Bypass Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass, Exposure of sensitive information Released: 2008-10-08 A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/32163/ -- [SA32146] ModSecurity "SecCacheTransformations" Vulnerability Critical: Less critical Where: From remote Impact: Security Bypass Released: 2008-10-09 A vulnerability has been reported in ModSecurity, which potentially can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/32146/ -- [SA32134] XAMPP adodb.php Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-10-03 Jaykishan Nirmal has discovered some vulnerabilities in XAMPP, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/32134/ -- [SA32131] MediaWiki "useskin" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-10-03 A vulnerability has been reported in MediaWiki, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/32131/ -- [SA32123] Nucleus EUC-JP Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-10-06 A vulnerability has been reported in Nucleus EUC-JP, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/32123/ -- [SA32157] VMware ESX / ESXi "JMP" Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2008-10-06 A vulnerability has been reported in VMware ESX / ESXi, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/32157/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Subscribe: http://secunia.com/advisories/weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support_at_private Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 __________________________________________________ Register now for HITBSecConf2008 - Malaysia! With a new triple-track conference featuring 4 keynote speakers and over 35 international experts, this is the largest network security event in Asia and the Middle East! http://conference.hackinthebox.org/hitbsecconf2008kl/Received on Fri Oct 10 2008 - 01:37:45 PDT
This archive was generated by hypermail 2.2.0 : Fri Oct 10 2008 - 01:44:30 PDT