========================================================================

                  The Secunia Weekly Advisory Summary
                        2008-11-20 - 2008-11-27

                       This week: 60 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia PSI 1.0 (Final) has been released

The first official version of the Secunia PSI v1.0!

The PSI has been a long time in the making and it has been revamped
quite a bit compared to the first beta version released on a hot summer
day some 17 months ago.

Though the PSI so far has been in beta, it has received a great deal of
praise, such as these words from ZDNet in a review of 10 essential
security tools:

"Number one is the Secunia Personal Software Inspector, quite possibly
the most useful and important free application you can have running on
your Windows machine".

Click here to learn more:
http://secunia.com/blog/35/

========================================================================
2) This Week in Brief:

ProTeuS has discovered a vulnerability in BitDefender Antivirus, which
can be exploited by malicious people to cause a DoS (Denial of Service)
or to potentially compromise a vulnerable system.
For more information, refer to:
http://secunia.com/advisories/32789/

--

Some weaknesses, security issues, and vulnerabilities have been reported
in Apple iPhone and iPod touch, which can be exploited by malicious
people to bypass certain security restrictions, disclose potentially
sensitive information, conduct spoofing attacks, cause a DoS (Denial of
Service), or potentially compromise a user's system.

For more information, refer to:
http://secunia.com/advisories/32756/

========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA31010] Sun Java JDK / JRE Multiple Vulnerabilities
2.  [SA32270] Adobe Flash Player Multiple Security Issues and
              Vulnerabilities
3.  [SA32756] Apple iPhone / iPod touch Multiple Vulnerabilities
4.  [SA32713] Mozilla Firefox 3 Multiple Vulnerabilities
5.  [SA32772] Adobe AIR Multiple Vulnerabilities
6.  [SA29773] Adobe Acrobat/Reader Multiple Vulnerabilities
7.  [SA32789] BitDefender Antivirus PDF Processing Memory Corruption
              Vulnerability
8.  [SA31821] Apple QuickTime Multiple Vulnerabilities
9.  [SA32728] Checkpoint VPN-1 Information Disclosure Vulnerability
10. [SA32810] Symantec Backup Exec for Windows Servers Multiple
              Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA32881] K-Lite Codec Pack ffdshow URL Processing Buffer Overflow
[SA32850] Nero ShowTime M3U Processing Buffer Overflow Vulnerability
[SA32846] ffdshow URL Processing Buffer Overflow Vulnerability
[SA32829] FlexCell Grid ActiveX Control "HttpDownloadFile()" Arbitrary
          File Overwrite
[SA32823] Quicksilver Forums "lang" File Inclusion Vulnerability
[SA32852] iPhone Configuration Web Utility for Windows Directory
          Traversal

UNIX/Linux:
[SA32878] Ubuntu update for thunderbird
[SA32876] SUSE Update for Mozilla Products
[SA32872] SUSE Update for Multiple Packages
[SA32860] Ubuntu update for webkit
[SA32856] Ubuntu update for openoffice.org
[SA32853] Debian update for iceweasel
[SA32845] Debian update for xulrunner
[SA32843] Fedora update for imlib2
[SA32835] Slackware update for mozilla-thunderbird
[SA32884] HP Secure Web Server/Internet Express for Tru64 UNIX PHP
          Vulnerability
[SA32879] Ubuntu update for GnuTLS
[SA32864] Red Hat update for vim
[SA32863] Red Hat update for vim
[SA32861] Ubuntu update for gaim
[SA32859] Ubuntu update for pidgin
[SA32858] Red Hat update for vim
[SA32854] Debian update for enscript
[SA32839] rPath update for vim, vim-minimal, and gvim
[SA32834] SUSE update for phpMyAdmin and lighttpd
[SA32871] FreeBSD "arc4random()" Insufficient Entropy Sources Security
          Issue
[SA32838] rPath update for httpd
[SA32862] Red Hat update for tog-pegasus
[SA32916] IBM AIX Multiple Privilege Escalation Vulnerabilities
[SA32855] Debian update for hf
[SA32832] SUSE update for yast2-backup
[SA32831] hf "hfkernel" Privilege Escalation Security Issue
[SA32875] Fedora update for geda-gnetlist
[SA32851] VirtualBox "AcquireDaemonLock()" Insecure Temporary Files

Other:
[SA32827] Siemens C450IP / C475IP Denial of Service Vulnerability
[SA32836] I-O DATA HDL-F Series Cross-Site Request Forgery

Cross Platform:
[SA32848] Amaya Two Buffer Overflow Vulnerabilities
[SA32825] LoveCMS Download Manager Module File Upload Vulnerability
[SA32824] MODx CMS "reflect_base" File Inclusion Vulnerability
[SA32887] Star Articles "subcatid" and "artid" SQL Injection
          Vulnerabilities
[SA32874] WebStudio eHotel "pageid" SQL Injection Vulnerability
[SA32873] WebStudio eCatalogue "pageid" SQL Injection Vulnerability
[SA32868] FAQ Manager SQL Injection and File Inclusion Vulnerabilities
[SA32866] Clean CMS "id" Cross-Site Scripting and SQL Injection
[SA32865] fuzzylime (cms) "p" File Inclusion Vulnerability
[SA32844] Cars Portal "id" SQL Injection Vulnerability
[SA32841] PG Multiple Products "login_lg" SQL Injection Vulnerability
[SA32840] Wireshark SMTP Processing Denial of Service Vulnerability
[SA32837] PG Job Site Pro "poll_view_id" SQL Injection Vulnerability
[SA32830] xt:Commerce SQL Injection Vulnerability
[SA32826] Red Hat update for java-1.4.2-ibm
[SA32822] Easyedit CMS Multiple SQL Injection Vulnerabilities
[SA32905] Drupal Comment Mail Module Cross-Site Request Forgery
[SA32904] Drupal User Karma Module Cross-Site Scripting and SQL
          Injection
[SA32898] Post Affiliate Pro "umprof_status" SQL Injection Vulnerability
[SA32882] WordPress "Host" Header RSS Feed Script Insertion
          Vulnerability
[SA32880] MyBB "Referer" Header "my_post_key" Token Disclosure
[SA32867] COMS "q" Cross-Site Scripting Vulnerability
[SA32828] Softbiz Classifieds Script "msg" Cross-Site Scripting
          Vulnerability
[SA32833] Attachmate Products SSH CBC Mode Plaintext Recovery
          Vulnerability

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA32881] K-Lite Codec Pack ffdshow URL Processing Buffer Overflow

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-11-26

A vulnerability has been reported in K-Lite Codec Pack, which
potentially can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/32881/

--

[SA32850] Nero ShowTime M3U Processing Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-11-27

Gjoko 'LiquidWorm' Krstic has reported a vulnerability in Nero ShowTime,
which potentially can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/32850/

--

[SA32846] ffdshow URL Processing Buffer Overflow Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-11-24

A vulnerability has been reported in ffdshow, which potentially can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32846/

--

[SA32829] FlexCell Grid ActiveX Control "HttpDownloadFile()" Arbitrary
File Overwrite

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-24

Alfons Luja has discovered a vulnerability in the FlexCell Grid ActiveX
control, which can be exploited by malicious people to compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/32829/

--

[SA32823] Quicksilver Forums "lang" File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, Exposure of system
             information
Released:    2008-11-25

__GiReX__ has reported a vulnerability in Quicksilver Forums, which can
be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/32823/

--

[SA32852] iPhone Configuration Web Utility for Windows Directory
Traversal

Critical:    Less critical
Where:       From local network
Impact:      Exposure of system information, Exposure of sensitive
             information
Released:    2008-11-24

A vulnerability has been discovered in iPhone Configuration Web Utility
for Windows, which can be exploited by malicious people to disclose
sensitive information.
Full Advisory:
http://secunia.com/advisories/32852/

UNIX/Linux:
--

[SA32878] Ubuntu update for thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
             of sensitive information, System access
Released:    2008-11-26

Ubuntu has issued an update for mozilla-thunderbird and thunderbird.
This fixes some vulnerabilities, which can be exploited by malicious
people to disclose sensitive information, bypass certain security
restrictions, or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32878/

--

[SA32876] SUSE Update for Mozilla Products

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
             of sensitive information, System access
Released:    2008-11-26

SUSE has issued an update for MozillaFirefox, MozillaThunderbird, and
seamonkey. This fixes some vulnerabilities, which can be exploited by
malicious people to disclose sensitive information, bypass certain
security restrictions, or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32876/

--

[SA32872] SUSE Update for Multiple Packages

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, DoS, System access
Released:    2008-11-25

SUSE has issued an update for multiple packages. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
gain escalated privileges or by malicious people to cause a DoS (Denial
of Service) and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32872/

--

[SA32860] Ubuntu update for webkit

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-11-25

Ubuntu has issued an update for webkit. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.
Full Advisory:
http://secunia.com/advisories/32860/

--

[SA32856] Ubuntu update for openoffice.org

Critical:    Highly critical
Where:       From remote
Impact:      Privilege escalation, System access
Released:    2008-11-25

Ubuntu has issued an update for openoffice.org and openoffice.org-amd64.
This fixes some vulnerabilities and a security issue, which potentially
can be exploited by malicious people to compromise a user's system, and
by malicious, local users to perform certain actions with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/32856/

--

[SA32853] Debian update for iceweasel

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
             of sensitive information, System access
Released:    2008-11-25

Debian has issued an update for iceweasel. This fixes some
vulnerabilities, which can be exploited by malicious people to disclose
sensitive information, bypass certain security restrictions, or
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32853/

--

[SA32845] Debian update for xulrunner

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
             of sensitive information, DoS, System access
Released:    2008-11-24

Debian has issued an update for xulrunner. This fixes some
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions, to disclose sensitive information, or to
potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32845/

--

[SA32843] Fedora update for imlib2

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-11-26

Fedora has issued an update for imlib2. This fixes a vulnerability,
which can be exploited by malicious people to potentially compromise an
application using the library.
Full Advisory:
http://secunia.com/advisories/32843/

--

[SA32835] Slackware update for mozilla-thunderbird

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
             of sensitive information, System access
Released:    2008-11-24

Slackware has issued an update for mozilla-thunderbird. This fixes some
vulnerabilities, which can be exploited by malicious people to disclose
sensitive information, bypass certain security restrictions, or
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32835/

--

[SA32884] HP Secure Web Server/Internet Express for Tru64 UNIX PHP
Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-11-26

HP has acknowledged a vulnerability in Secure Web Server for Tru64 UNIX
and Internet Express for Tru64 UNIX, which can be exploited by malicious
people to cause a DoS (Denial of Service) or to potentially compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/32884/

--

[SA32879] Ubuntu update for GnuTLS

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Spoofing
Released:    2008-11-26

Ubuntu has issued an update for gnutls12, gnutls13, and gnutls26. This
fixes a vulnerability, which can be exploited by malicious people to
bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/32879/

--

[SA32864] Red Hat update for vim

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-11-25

Red Hat has issued an update for vim. This fixes some vulnerabilities,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/32864/

--

[SA32863] Red Hat update for vim

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-11-25

Red Hat has issued an update for vim.
This fixes some vulnerabilities, which can be exploited by malicious
people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32863/

--

[SA32861] Ubuntu update for gaim

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-11-25

Ubuntu has issued an update for gaim. This fixes some vulnerabilities,
which can be exploited by malicious people to potentially compromise a
user's system.

Full Advisory:
http://secunia.com/advisories/32861/

--

[SA32859] Ubuntu update for pidgin

Critical:    Moderately critical
Where:       From remote
Impact:      Spoofing, DoS, System access
Released:    2008-11-25

Ubuntu has issued an update for pidgin. This fixes some vulnerabilities,
which can be exploited by malicious people to conduct spoofing attacks
and potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32859/

--

[SA32858] Red Hat update for vim

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-11-25

Red Hat has issued an update for vim. This fixes some vulnerabilities,
which can be exploited by malicious people to compromise a user's
system.

Full Advisory:
http://secunia.com/advisories/32858/

--

[SA32854] Debian update for enscript

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-11-25

Debian has issued an update for enscript. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/32854/

--

[SA32839] rPath update for vim, vim-minimal, and gvim

Critical:    Moderately critical
Where:       From remote
Impact:      System access
Released:    2008-11-25

rPath has issued an update for vim, vim-minimal, and gvim. This fixes
some vulnerabilities, which can be exploited by malicious people to
compromise a user's system.
Full Advisory:
http://secunia.com/advisories/32839/

--

[SA32834] SUSE update for phpMyAdmin and lighttpd

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Spoofing, Manipulation of data,
             Exposure of system information, Exposure of sensitive
             information, DoS
Released:    2008-11-25

SUSE has issued an update for phpMyAdmin and lighttpd. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
conduct cross-site scripting attacks, by malicious users to disclose
system and potentially sensitive information, and by malicious people
to conduct spoofing attacks, conduct SQL injection attacks, disclose
system and potentially sensitive information, and cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/32834/

--

[SA32871] FreeBSD "arc4random()" Insufficient Entropy Sources Security
Issue

Critical:    Less critical
Where:       From remote
Impact:      Brute force
Released:    2008-11-25

FreeBSD has acknowledged a security issue, which can be exploited by
malicious people to conduct brute force attacks.

Full Advisory:
http://secunia.com/advisories/32871/

--

[SA32838] rPath update for httpd

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, DoS
Released:    2008-11-24

rPath has issued an update for httpd. This fixes some vulnerabilities,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service) or conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/32838/

--

[SA32862] Red Hat update for tog-pegasus

Critical:    Less critical
Where:       From local network
Impact:      Security Bypass, Brute force
Released:    2008-11-25

Red Hat has issued an update for tog-pegasus. This fixes a security
issue and a weakness, which can be exploited by malicious people to
conduct brute force attacks and by malicious users to bypass certain
security restrictions.
Full Advisory:
http://secunia.com/advisories/32862/

--

[SA32916] IBM AIX Multiple Privilege Escalation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-11-27

Some vulnerabilities have been reported in IBM AIX, which can be
exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/32916/

--

[SA32855] Debian update for hf

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-11-24

Debian has issued an update for hf. This fixes a security issue, which
can be exploited by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/32855/

--

[SA32832] SUSE update for yast2-backup

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-11-25

SUSE has issued an update for yast2-backup. This fixes a security issue,
which can be exploited by malicious, local users to gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/32832/

--

[SA32831] hf "hfkernel" Privilege Escalation Security Issue

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-11-24

Steve Kemp has reported a security issue in hf, which can be exploited
by malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/32831/

--

[SA32875] Fedora update for geda-gnetlist

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-11-25

Fedora has issued an update for geda-gnetlist. This fixes a security
issue, which can be exploited by malicious, local users to perform
certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/32875/

--

[SA32851] VirtualBox "AcquireDaemonLock()" Insecure Temporary Files

Critical:    Not critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-11-25

A security issue has been reported in VirtualBox, which can be exploited
by malicious, local users to perform certain actions with escalated
privileges.

Full Advisory:
http://secunia.com/advisories/32851/

Other:
--

[SA32827] Siemens C450IP / C475IP Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-11-27

A vulnerability has been reported in Siemens C450IP / C475IP, which can
be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/32827/

--

[SA32836] I-O DATA HDL-F Series Cross-Site Request Forgery

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-26

A vulnerability has been reported in I-O DATA HDL-F series, which can be
exploited by malicious people to conduct cross-site request forgery
attacks.

Full Advisory:
http://secunia.com/advisories/32836/

Cross Platform:
--

[SA32848] Amaya Two Buffer Overflow Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-25

r0ut3r has discovered two vulnerabilities in Amaya, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/32848/

--

[SA32825] LoveCMS Download Manager Module File Upload Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-26

cOndemned has discovered a vulnerability in the Download Manager module
for LoveCMS, which can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/32825/

--

[SA32824] MODx CMS "reflect_base" File Inclusion Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-11-24

RoMaNcYxHaCkEr has discovered a vulnerability in MODx CMS, which can be
exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/32824/

--

[SA32887] Star Articles "subcatid" and "artid" SQL Injection
Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-27

b3hz4d has reported some vulnerabilities in Star Articles, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32887/

--

[SA32874] WebStudio eHotel "pageid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-26

Hussin X has reported a vulnerability in WebStudio eHotel, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32874/

--

[SA32873] WebStudio eCatalogue "pageid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-26

Hussin X has reported a vulnerability in WebStudio eCatalogue, which can
be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32873/

--

[SA32868] FAQ Manager SQL Injection and File Inclusion Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of system information,
             Exposure of sensitive information
Released:    2008-11-26

Some vulnerabilities have been discovered in FAQ Manager, which can be
exploited by malicious people to disclose sensitive information and
conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/32868/

--

[SA32866] Clean CMS "id" Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2008-11-26

ZoRLu has discovered a vulnerability in Clean CMS, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.

Full Advisory:
http://secunia.com/advisories/32866/

--

[SA32865] fuzzylime (cms) "p" File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive
             information
Released:    2008-11-26

Alfons Luja has discovered a vulnerability in Fuzzylime CMS, which can
be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/32865/

--

[SA32844] Cars Portal "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-26

Snakespc has reported a vulnerability in Cars Portal, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32844/

--

[SA32841] PG Multiple Products "login_lg" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data
Released:    2008-11-24

ZoRLu has reported a vulnerability in multiple PG products, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32841/

--

[SA32840] Wireshark SMTP Processing Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-11-24

A vulnerability has been reported in Wireshark, which can be exploited
by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/32840/

--

[SA32837] PG Job Site Pro "poll_view_id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-24

ZoRLu has reported a vulnerability in PG Job Site Pro, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32837/

--

[SA32830] xt:Commerce SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-21

A vulnerability has been reported in xt:Commerce, which can be exploited
by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32830/

--

[SA32826] Red Hat update for java-1.4.2-ibm

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Exposure of system information, Exposure
             of sensitive information
Released:    2008-11-25

Red Hat has issued an update for java-1.4.2-ibm. This fixes some
vulnerabilities, which can be exploited by malicious people to disclose
system and potentially sensitive information and bypass certain security
restrictions.

Full Advisory:
http://secunia.com/advisories/32826/

--

[SA32822] Easyedit CMS Multiple SQL Injection Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-21

d3v1l has reported some vulnerabilities in Easyedit CMS, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32822/

--

[SA32905] Drupal Comment Mail Module Cross-Site Request Forgery

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-27

A vulnerability has been reported in the Comment Mail module for Drupal,
which can be exploited by malicious people to conduct cross-site request
forgery attacks.
Full Advisory:
http://secunia.com/advisories/32905/

--

[SA32904] Drupal User Karma Module Cross-Site Scripting and SQL
Injection

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2008-11-27

Some vulnerabilities have been reported in the User Karma module for
Drupal, which can be exploited by malicious users to conduct SQL
injection attacks and by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/32904/

--

[SA32898] Post Affiliate Pro "umprof_status" SQL Injection Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-11-27

XaDoS has reported a vulnerability in Post Affiliate Pro, which can be
exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/32898/

--

[SA32882] WordPress "Host" Header RSS Feed Script Insertion
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-26

Jeremias Reith has reported a vulnerability in WordPress, which can be
exploited by malicious people to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/32882/

--

[SA32880] MyBB "Referer" Header "my_post_key" Token Disclosure

Critical:    Less critical
Where:       From remote
Impact:      Hijacking, Cross Site Scripting, Exposure of sensitive
             information
Released:    2008-11-26

NBBN has discovered some vulnerabilities in MyBB, which can be exploited
by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/32880/

--

[SA32867] COMS "q" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-25

Pouya_Server has reported a vulnerability in COMS, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/32867/

--

[SA32828] Softbiz Classifieds Script "msg" Cross-Site Scripting
Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-11-21

Vahid Ezraeil has reported a vulnerability in Softbiz Classifieds
Script, which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/32828/

--

[SA32833] Attachmate Products SSH CBC Mode Plaintext Recovery
Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      Exposure of sensitive information
Released:    2008-11-24

A vulnerability has been reported in various Attachmate products, which
potentially can be exploited by malicious people to disclose sensitive
information.

Full Advisory:
http://secunia.com/advisories/32833/

========================================================================

Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only to
use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Subscribe:
http://secunia.com/advisories/weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support_at_private
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45

_______________________________________________
Help InfoSecNews.org with a donation!
http://www.infosecnews.org/donate.html

Received on Mon Dec 01 2008 - 01:08:49 PST