======================================================================== The Secunia Weekly Advisory Summary 2008-12-18 - 2008-12-25 This week: 66 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Secunia PSI: Habla espaol! The Secunia PSI 1.0 - now available in Spanish! Remember; installing the latest security patches for your programs is just as important as having an anti-virus program and being behind a firewall. Read more: http://secunia.com/blog/39/ -- Internet Explorer Data Binding 0-Day Clarifications As everyone using Internet Explorer hopefully are aware of, then there's a new 0-day circulating. There has been a lot of confusion as to both the problem cause and the browser versions affected, but in this blog, I should be able to sort it all out. Basically, this vulnerability was initially reported by everyone (including ourselves) as an XML processing vulnerability in Internet Explorer 7. PoCs and working exploits were immediately made publicly available by various sources and security vendors were quick to report that their products were successfully detecting attacks. But were they really? Read more: http://secunia.com/blog/38/ ======================================================================== 2) This Week in Brief: Secunia Research has discovered a vulnerability in Trend Micro HouseCall, which can be exploited by malicious people to compromise a user's system. For more information, refer to: http://secunia.com/advisories/31583/ -- Secunia Research has discovered a vulnerability in Trend Micro HouseCall, which can be exploited by malicious people to compromise a user's system. For more information, refer to: http://secunia.com/advisories/31337/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA33089] Internet Explorer Data Binding Memory Corruption Vulnerability 2. [SA33203] Mozilla Firefox 3 Multiple Vulnerabilities 3. [SA32991] Sun Java JDK / JRE Multiple Vulnerabilities 4. [SA32270] Adobe Flash Player Multiple Security Issues and Vulnerabilities 5. [SA31583] Trend Micro HouseCall ActiveX Control "notifyOnLoadNative()" Vulnerability 6. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability 7. [SA33034] Microsoft SQL Server "sp_replwritetovarbin()" Buffer Overflow 8. [SA31610] LibTIFF LZW Decoder Buffer Underflow Vulnerability 9. [SA33240] BitDefender Antivirus Scanner for Unices PE File Parsing Integer Overflows 10. [SA29773] Adobe Acrobat/Reader Multiple Vulnerabilities ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA33257] webcamXP Directory Traversal Vulnerability [SA33245] Emefa Guestbook Database Disclosure [SA33281] Hitachi GroupMax Workflow Development Kit Cross-Site Scripting Vulnerability [SA33249] PowerStrip "pstrip.sys" IOCTL Handling Privilege Escalation [SA33310] PGP Desktop PGPwded.sys Driver Denial of Service UNIX/Linux: [SA33323] Gentoo update for imlib2 [SA33315] Gentoo update for vlc [SA33297] Fedora update for firefox and xulrunner [SA33294] SUSE update for flash-player [SA33291] Fedora update for moodle [SA33285] Fedora update for firefox [SA33284] Fedora update for seamonkey [SA33267] Red Hat update for flash-plugin [SA33241] Ubuntu update for imlib2 [SA33240] BitDefender Antivirus Scanner for Unices PE File Parsing Integer Overflows [SA33238] Red Hat update for java-1.6.0-bea [SA33237] Red Hat update for java-1.5.0-bea [SA33236] Red Hat update for java-1.4.2-bea [SA33317] Gentoo update for clamav [SA33314] Ubuntu update for perl [SA33290] Fedora update for roundcubemail [SA33287] Fedora update for rsyslog [SA33286] Fedora update for phpPgAdmin [SA33264] Gentoo update for pdns [SA33259] Debian update for courier-authlib [SA33258] Gentoo phpCollab Multiple Vulnerabilities [SA33243] Ubuntu update for blender [SA33235] Courier Authentication Library Postgres SQL Injection Vulnerability [SA33260] rPath update for cups [SA33320] Ubuntu update for nagios2 [SA33299] rPath update for dovecot [SA33275] UW-imapd c-client Library Off-by-one Vulnerability [SA33261] Debian update for proftpd-dfsg [SA33242] Avaya CMS / IR Java JRE Zip Archive Parsing Vulnerability [SA33239] Debian update for moodle [SA33234] Ubuntu update for nagios3 [SA33288] Fedora update for openvpn [SA33279] Debian update for avahi [SA33292] Fedora update for libvirt [SA33282] Fedora update for git [SA33278] PDFjam Insecure Temporary Files [SA33270] GIT "gitweb" Privilege Escalation Security Issue [SA33316] Gentoo update for ampache [SA33303] KVM VNC "protocol_client_msg()" Denial of Service Other: Cross Platform: [SA33272] Yourplace Security Issue and Multiple Vulnerabilities [SA33247] ReVou Twitter Clone Multiple Vulnerabilities [SA33302] TYPO3 WEBERkommunal Facilities Extension SQL Injection [SA33301] TYPO3 Simple File Browser Extension Information Disclosure [SA33277] KnowledgeTree Cross-Site Scripting and Privilege Escalation [SA33276] Text Lines Rearrange Script "filename" File Disclosure Vulnerability [SA33274] Wordpress Page Flip Image Gallery Plugin "book_id" File Disclosure [SA33271] Joomla Volunteer Management System Component "job_id" SQL Injection [SA33269] SolarCMS Forum Component "cat" SQL Injection Vulnerability [SA33266] MySQL Calendar "username" SQL Injection Vulnerability [SA33255] Emetrix Multiple Products "filename" File Disclosure [SA33254] TYPO3 WEC Discussion Forum Extension Multiple Vulnerabilities [SA33253] myPHPscripts Login Session Cross-Site Scripting and Information Disclosure [SA33252] FreeLyrics "p" File Disclosure Security Issue [SA33250] Constructr CMS "show_page" SQL Injection Vulnerability [SA33248] REDPEACH CMS "zv" SQL Injection Vulnerabilities [SA33246] TYPO3 phpMyAdmin Extension Cross-Site Request Forgery [SA33311] Psi File Transfer Service Packet Parsing Vulnerabilities [SA33289] Fedora update for drupal-views [SA33262] TYPO3 Vox populi Extension Cross-Site Scripting [SA33256] TYPO3 DR Wiki Extension Cross-Site Scripting [SA33293] QEMU VNC "protocol_client_msg()" Denial of Service ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA33257] webcamXP Directory Traversal Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-12-22 nicx0 has discovered a vulnerability in webcamXP, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33257/ -- [SA33245] Emefa Guestbook Database Disclosure Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2008-12-22 Cyber.Zer0 has discovered a security issue in Emefa Guestbook, which cab be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33245/ -- [SA33281] Hitachi GroupMax Workflow Development Kit Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-12-22 A vulnerability has been reported in Groupmax Web Workflow SDK Set for Active Server Pages and Groupmax Workflow Development Kit for Active Server Pages, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33281/ -- [SA33249] PowerStrip "pstrip.sys" IOCTL Handling Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2008-12-22 alex has discovered a vulnerability in PowerStrip, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33249/ -- [SA33310] PGP Desktop PGPwded.sys Driver Denial of Service Critical: Not critical Where: Local system Impact: DoS Released: 2008-12-24 A vulnerability has been discovered in PGP Desktop, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33310/ UNIX/Linux:-- [SA33323] Gentoo update for imlib2 Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2008-12-24 Gentoo has issued an update for imlib2. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise an application using the library. Full Advisory: http://secunia.com/advisories/33323/ -- [SA33315] Gentoo update for vlc Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2008-12-24 Gentoo has issued an update for vlc. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33315/ -- [SA33297] Fedora update for firefox and xulrunner Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access Released: 2008-12-22 Fedora has issued an update for firefox and xulrunner. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/33297/ -- [SA33294] SUSE update for flash-player Critical: Highly critical Where: From remote Impact: System access Released: 2008-12-22 SUSE has issued an update for flash-player. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33294/ -- [SA33291] Fedora update for moodle Critical: Highly critical Where: From remote Impact: System access Released: 2008-12-22 Fedora has issued an update for moodle. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33291/ -- [SA33285] Fedora update for firefox Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access Released: 2008-12-22 Fedora has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/33285/ -- [SA33284] Fedora update for seamonkey Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access Released: 2008-12-22 Fedora has issued an update for seamonkey. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/33284/ -- [SA33267] Red Hat update for flash-plugin Critical: Highly critical Where: From remote Impact: System access Released: 2008-12-22 Red Hat has issued an update for flash-plugin. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33267/ -- [SA33241] Ubuntu update for imlib2 Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2008-12-22 Ubuntu has issued an update for imlib2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library. Full Advisory: http://secunia.com/advisories/33241/ -- [SA33240] BitDefender Antivirus Scanner for Unices PE File Parsing Integer Overflows Critical: Highly critical Where: From remote Impact: System access Released: 2008-12-19 Some vulnerabilities have been reported in BitDefender, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33240/ -- [SA33238] Red Hat update for java-1.6.0-bea Critical: Highly critical Where: From remote Impact: System access, DoS, Exposure of sensitive information, Exposure of system information, Security Bypass Released: 2008-12-19 Red Hat has issued an update for java-1.6.0-bea. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, disclose system information or potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33238/ -- [SA33237] Red Hat update for java-1.5.0-bea Critical: Highly critical Where: From remote Impact: Security Bypass, DoS, System access Released: 2008-12-19 Red Hat has issued an update for java-1.5.0-bea. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33237/ -- [SA33236] Red Hat update for java-1.4.2-bea Critical: Highly critical Where: From remote Impact: Security Bypass, System access Released: 2008-12-19 Red Hat has issued an update for java-1.4.2-bea. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33236/ -- [SA33317] Gentoo update for clamav Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2008-12-24 Gentoo has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33317/ -- [SA33314] Ubuntu update for perl Critical: Moderately critical Where: From remote Impact: Privilege escalation, DoS, System access Released: 2008-12-24 Ubuntu has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33314/ -- [SA33290] Fedora update for roundcubemail Critical: Moderately critical Where: From remote Impact: DoS Released: 2008-12-22 Fedora has issued an update for roundcubemail. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33290/ -- [SA33287] Fedora update for rsyslog Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2008-12-22 Fedora has issued an update for rsyslog. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33287/ -- [SA33286] Fedora update for phpPgAdmin Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-12-22 Fedora has issued an update for phpPgAdmin. This fixes a vulnerability, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33286/ -- [SA33264] Gentoo update for pdns Critical: Moderately critical Where: From remote Impact: Spoofing, DoS Released: 2008-12-22 Gentoo has issued an update for pdns. This fixes a weakness and a vulnerability, which can be exploited by malicious people to conduct spoofing attacks or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33264/ -- [SA33259] Debian update for courier-authlib Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-12-22 Debian has issued an update for courier-authlib. This fixes some vulnerabilities, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33259/ -- [SA33258] Gentoo phpCollab Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-12-22 Gentoo has acknowledged some vulnerabilities in phpCollab, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33258/ -- [SA33243] Ubuntu update for blender Critical: Moderately critical Where: From remote Impact: Privilege escalation, System access Released: 2008-12-22 Ubuntu has issued an update for blender. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33243/ -- [SA33235] Courier Authentication Library Postgres SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-12-19 A vulnerability has been reported in the Courier Authentication Library, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33235/ -- [SA33260] rPath update for cups Critical: Moderately critical Where: From local network Impact: DoS, System access Released: 2008-12-22 rPath has issued an update for cups. This fixes some vulnerabilities, which can potentially be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33260/ -- [SA33320] Ubuntu update for nagios2 Critical: Less critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2008-12-24 Ubuntu has issued an update for nagios2. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions or by malicious people to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33320/ -- [SA33299] rPath update for dovecot Critical: Less critical Where: From remote Impact: Security Bypass Released: 2008-12-23 rPath has issued an update for dovecot. This fixes a security issue, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33299/ -- [SA33275] UW-imapd c-client Library Off-by-one Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2008-12-22 A vulnerability has been reported in UW-imapd, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33275/ -- [SA33261] Debian update for proftpd-dfsg Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-12-22 Debian has issued an update for proftpd-dfsg. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33261/ -- [SA33242] Avaya CMS / IR Java JRE Zip Archive Parsing Vulnerability Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2008-12-22 Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33242/ -- [SA33239] Debian update for moodle Critical: Less critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2008-12-22 Debian has issued an update for moodle. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks, and by malicious people to bypass certain security restrictions or conduct cross-site request forgery and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33239/ -- [SA33234] Ubuntu update for nagios3 Critical: Less critical Where: From remote Impact: Security Bypass, Cross Site Scripting Released: 2008-12-23 Ubuntu has issued an update for nagios3. This fixes some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions or by malicious people to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33234/ -- [SA33288] Fedora update for openvpn Critical: Less critical Where: From local network Impact: System access Released: 2008-12-22 Fedora has issued an update for openvpn. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33288/ -- [SA33279] Debian update for avahi Critical: Less critical Where: From local network Impact: DoS Released: 2008-12-22 Debian has issued an update for avahi. This fixes a security issue and a vulnerability, which can be exploited by malicious, local users and by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33279/ -- [SA33292] Fedora update for libvirt Critical: Less critical Where: Local system Impact: Security Bypass Released: 2008-12-22 Fedora has issued an update for libvirt. This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33292/ -- [SA33282] Fedora update for git Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2008-12-22 Fedora has issued an update for git. This fixes a security issue, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33282/ -- [SA33278] PDFjam Insecure Temporary Files Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2008-12-22 Some security issues have been reported in PDFjam, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/33278/ -- [SA33270] GIT "gitweb" Privilege Escalation Security Issue Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2008-12-22 A security issue has been reported in GIT, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33270/ -- [SA33316] Gentoo update for ampache Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2008-12-24 Gentoo has issued an update for ampache. This fixes a security issue, which can be exploited by malicious local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/33316/ -- [SA33303] KVM VNC "protocol_client_msg()" Denial of Service Critical: Not critical Where: Local system Impact: DoS Released: 2008-12-23 A security issue has been reported in KVM, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33303/ Other: Cross Platform:-- [SA33272] Yourplace Security Issue and Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of sensitive information, DoS, System access Released: 2008-12-23 Some vulnerabilities and a security issue have been discovered in Yourplace, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33272/ -- [SA33247] ReVou Twitter Clone Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, System access Released: 2008-12-22 Some vulnerabilities have been reported in ReVou Twitter Clone, which can be exploited by malicious people to bypass certain security restrictions and by malicious users to potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33247/ -- [SA33302] TYPO3 WEBERkommunal Facilities Extension SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-12-23 A vulnerability has been reported in the WEBERkommunal Facilities (wes_facilities) extension for TYPO3, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33302/ -- [SA33301] TYPO3 Simple File Browser Extension Information Disclosure Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2008-12-23 A vulnerability has been reported in the Simple File Browser (simplefilebrowser) extension for TYPO3, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33301/ -- [SA33277] KnowledgeTree Cross-Site Scripting and Privilege Escalation Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Privilege escalation Released: 2008-12-22 Some vulnerabilities have been reported in KnowledgeTree, which can be exploited by malicious users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33277/ -- [SA33276] Text Lines Rearrange Script "filename" File Disclosure Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-12-23 SirGod has discovered a vulnerability in Text Lines Rearrange Script, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33276/ -- [SA33274] Wordpress Page Flip Image Gallery Plugin "book_id" File Disclosure Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-12-23 GoLd_M has discovered a vulnerability in the Page Flip Image Gallery plugin for Wordpress, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33274/ -- [SA33271] Joomla Volunteer Management System Component "job_id" SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-12-23 boom3rang has reported a vulnerability in the Volunteer Management System component for Joomla, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33271/ -- [SA33269] SolarCMS Forum Component "cat" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-12-23 athos has discovered a vulnerability in the Forum component for SolarCMS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33269/ -- [SA33266] MySQL Calendar "username" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2008-12-23 StAkeR has discovered a vulnerability in MySQL Calendar, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33266/ -- [SA33255] Emetrix Multiple Products "filename" File Disclosure Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-12-22 Cold z3ro has reported a vulnerability in multiple Emetrix products, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33255/ -- [SA33254] TYPO3 WEC Discussion Forum Extension Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2008-12-23 Some vulnerabilities have been reported in the WEC Discussion Forum (wec_discussion) extension for TYPO3, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33254/ -- [SA33253] myPHPscripts Login Session Cross-Site Scripting and Information Disclosure Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2008-12-22 Osirys has discovered a security issue and some vulnerabilities in myPHPscripts Login Session, which can be exploited by malicious people to conduct cross-site scripting attacks or disclose sensitive information. Full Advisory: http://secunia.com/advisories/33253/ -- [SA33252] FreeLyrics "p" File Disclosure Security Issue Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2008-12-22 Piker has discovered a security issue in FreeLyrics, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33252/ -- [SA33250] Constructr CMS "show_page" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-12-22 A vulnerability has been discovered in Constructr CMS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33250/ -- [SA33248] REDPEACH CMS "zv" SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2008-12-23 Lidloses_Auge has reported some vulnerabilities in REDPEACH CMS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33248/ -- [SA33246] TYPO3 phpMyAdmin Extension Cross-Site Request Forgery Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2008-12-23 A vulnerability has been reported in the phpMyAdmin (phpmyadmin) extension for TYPO3, which can be exploited by malicious people to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33246/ -- [SA33311] Psi File Transfer Service Packet Parsing Vulnerabilities Critical: Less critical Where: From remote Impact: DoS Released: 2008-12-24 sha0 has discovered some vulnerabilities in Psi, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33311/ -- [SA33289] Fedora update for drupal-views Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2008-12-22 Fedora has issued an update for drupal-views. This fixes some vulnerabilities, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33289/ -- [SA33262] TYPO3 Vox populi Extension Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-12-23 A vulnerability has been reported in the Vox populi (mv_vox_populi) extension for TYPO3, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33262/ -- [SA33256] TYPO3 DR Wiki Extension Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2008-12-23 A vulnerability has been reported in the DR Wiki (dr_wiki) extension for TYPO3, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33256/ -- [SA33293] QEMU VNC "protocol_client_msg()" Denial of Service Critical: Not critical Where: From local network Impact: DoS Released: 2008-12-23 A security issue has been reported in QEMU, which can be exploited by malicious users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33293/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Subscribe: http://secunia.com/advisories/weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support_at_private Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 _______________________________________________ Please help InfoSecNews.org with a donation! http://www.infosecnews.org/donate.htmlReceived on Mon Dec 29 2008 - 00:36:19 PST
This archive was generated by hypermail 2.2.0 : Mon Dec 29 2008 - 00:46:28 PST