======================================================================== The Secunia Weekly Advisory Summary 2009-01-22 - 2009-01-29 This week: 152 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: Monthly Binary Analysis Update (December) A new month and year has begun and it is therefore time for me to wrap up the old year with a December update on our binary analysis shenanigans. Read more: http://secunia.com/blog/40/ -- The best new Windows program of 2008 Secunia Personal Software Inspector has been chosen as one of the best new Windows programs in 2008. Download.com, the world's largest download site, has chosen Secunia Personal Software Inspector as one of "The best new Windows programs of 2008". A total of six programs received this fine predicate which also included Google Chrome. Download.com also awarded Secunia PSI an editorial rating of five stars, which is their highest honors and a remarkable recognition. Read more: http://secunia.com/blog/41/ ======================================================================== 2) This Week in Brief: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. For more information, refer to: http://secunia.com/advisories/33632/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA33632] Apple QuickTime Multiple Vulnerabilities 2. [SA31883] Microsoft Windows SMB Packet Handling Vulnerabilities 3. [SA32270] Adobe Flash Player Multiple Security Issues and Vulnerabilities 4. [SA32991] Sun Java JDK / JRE Multiple Vulnerabilities 5. [SA33534] BlackBerry Products PDF Distiller Multiple Vulnerabilities 6. [SA33478] Winamp AIFF Processing Buffer Overflow Vulnerability 7. [SA29773] Adobe Acrobat/Reader Multiple Vulnerabilities 8. [SA31821] Apple QuickTime Multiple Vulnerabilities 9. [SA33616] Sony Ericsson Phones WAP Push Denial of Service Vulnerability 10. [SA33310] PGP Desktop PGPwded.sys Driver Denial of Service ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA33663] MW6 Technologies Barcode ActiveX "Supplement" Buffer Overflow [SA33645] Merak Media Player ToolTip Buffer Overflow Vulnerability [SA33642] Apple QuickTime MPEG-2 Playback Component Input Validation Vulnerability [SA33582] Symantec AppStream Client LaunchObj ActiveX Control Insecure Methods [SA33574] MetaProducts MetaTreeX ActiveX Control Insecure Methods [SA33673] VooDoo cIRCle OpenSSL DSA / ECDSA "EVP_VerifyFinal()" Vulnerability [SA33647] ClickAuction "txtEmail" and "txtPassword" SQL Injection Vulnerabilities [SA33629] Web-Calendar Lite Multiple SQL Injection Vulnerabilities [SA33604] cwRsync OpenSSL DSA / ECDSA "EVP_VerifyFinal()" Spoofing Vulnerability [SA33602] Digital Sales IPN Database Disclosure Vulnerability [SA33601] Blog Manager SQL Injection and Cross Site Scripting [SA33596] ActionCalendar "pass" SQL Injection Vulnerability [SA33594] Fujitsu SystemcastWizard Lite Multiple Vulnerabilities [SA33579] eFAQ "str_Login" and "str_Password" SQL Injection [SA33578] eReservations "Login" and "Password" SQL Injection [SA33575] Ping IP "txtUserName" and "txtPassword" SQL Injection [SA33572] BlogIt! Multiple Vulnerabilities [SA33633] Cisco Security Manager Security Bypass Vulnerability [SA33664] FlexCell Grid ActiveX Control "SaveFile()" and "ExportToXML()" Insecure Methods [SA33598] Microsoft Windows Mobile Bluetooth Stack OBEX Directory Traversal [SA33597] FTPShell Server License Key Buffer Overflow Vulnerability [SA33591] SmartVMD ActiveX Control Multiple Insecure Methods [SA33588] Cisco Unified Communications Manager CAPF Denial of Service [SA33566] Syslserve UDP Request Denial of Service Vulnerability [SA33609] Trend Micro OfficeScan Client Firewall Multiple Vulnerabilities UNIX/Linux: [SA33710] SUSE update for IBMJava5-JRE and java-1_5_0-ibm [SA33709] Ubuntu update for openjdk-6 [SA33696] Sun Solaris Samba "receive_smb_raw()" Buffer Overflow Vulnerability [SA33679] Debian update for typo3-src [SA33676] Ubuntu update for xine-lib [SA33640] Fedora update for amarok [SA33613] Debian update for git [SA33607] GIT "gitweb" Command Injection Vulnerabilities [SA33568] SUSE Update for Multiple Packages [SA33722] Sun Solaris "libxml2" XML Processing Vulnerability [SA33715] Avaya CMS Solaris "libxml2" XML Processing Vulnerability [SA33714] HP MPE/iX DNS Cache Poisoning Vulnerability [SA33702] Avaya CMS Solaris "libike" Library Denial of Service [SA33699] Debian update for rt2400, rt2500, and rt2570 [SA33689] Fedora update for vnc [SA33677] Fedora update for tor [SA33675] Ubuntu update for ktorrent [SA33659] SUSE update for openssl [SA33653] Debian update for ganglia-monitor-core [SA33644] Sun Solaris "libike" Library Denial of Service [SA33637] Fedora update for DevIL [SA33636] Ubuntu update for vim [SA33627] mod-auth-mysql SQL Injection Vulnerability [SA33621] rPath update for perl [SA33618] rPath update for openssl [SA33614] Gentoo update for pidgin [SA33608] SCMS Simple Content Management System "p" Local File Inclusion [SA33605] Sun Solaris IPv6 Denial of Service Vulnerability [SA33581] DKIM-MILTER "p" Revoked Keys Denial of Service [SA33723] Sun Solaris mod_perl Denial of Service Vulnerability [SA33720] Sun Solaris mod_perl Denial of Service Vulnerability [SA33716] Debian update for moin [SA33687] No-IP Dynamic Update Client Information Disclosure [SA33685] SAP NetWeaver Cross-Site Scripting Vulnerability [SA33683] Sun Solaris BIND "EVP_VerifyFinal()" and "DSA_do_verify()" Spoofing Vulnerability [SA33678] Fedora update for ntp [SA33674] Fedora update for kernel [SA33651] Web Help Desk Cross-Site Scripting Vulnerability [SA33648] Red Hat update for ntp [SA33641] SUSE update for kernel [SA33638] Fedora update for uw-imap [SA33624] Red Hat update for dovecot [SA33620] rPath update for bind [SA33619] rPath update for ntp [SA33615] SUSE update for kernel [SA33611] Red Hat update for squirrelmail [SA33610] Gentoo update for noip-updater [SA33600] SUSE update for bind [SA33631] Gentoo update for net-snmp [SA33706] Ubuntu update for kernel [SA33703] Fedora update for dia [SA33693] Red Hat Certificate Server Information Disclosure and Security Bypass [SA33672] Dia Insecure Python Module Search Path Vulnerability [SA33665] Sun Solaris "autofs" Kernel Module Denial of Service and Privilege Escalation [SA33630] Gentoo update for scilab [SA33586] Red Hat update for kernel [SA33567] Ubuntu update for tar [SA33628] Avaya CMS Solaris "rpc.metad" Denial of Service Vulnerability [SA33727] Sun Solaris IP-in-IP Processing Denial of Service Vulnerability [SA33708] Avaya CMS Solaris Pseudo-Terminal Driver Denial of Service [SA33705] Avaya CMS Solaris "lpadmin" and "ppdmgr" Denial of Service Vulnerabilities [SA33662] Sun Solaris Pseudo-Terminal Driver Denial of Service [SA33656] Linux Kernel dell_rbu Denial of Service Security Issues [SA33639] Fedora update for moodle [SA33623] Red Hat update for kernel [SA33569] Linux Kernel "keyctl_join_session_keyring()" Denial of Service Other: [SA33616] Sony Ericsson Phones WAP Push Denial of Service Vulnerability [SA33726] Sun Fire X2100 / X2200 Embedded Lights Out Manager Security Bypass [SA33585] Sun SPARC Enterprise M4000 / M5000 Server XSCFU Security Bypass [SA33603] AXIS 70U Network Document Server File Inclusion and Cross-Site Scripting Cross Platform: [SA33711] FFmpeg 4xm Processing Memory Corruption Vulnerability [SA33691] WB News "config[installdir]" Multiple File Inclusion Vulnerabilities [SA33650] GStreamer Good Plug-ins QuickTime Processing Vulnerabilities [SA33632] Apple QuickTime Multiple Vulnerabilities [SA33617] Typo3 Multiple Vulnerabilities [SA33564] GNUBoard "g4_path" File Inclusion Vulnerability [SA33719] IMP Cross-Site Scripting and Script Insertion Vulnerabilities [SA33701] SocialEngine "category_id" SQL Injection Vulnerability [SA33695] Horde / Horde Groupware Cross-Site Scripting and File Inclusion Vulnerability [SA33690] Pixie CMS Multiple Local File Inclusion Vulnerabilities [SA33686] Gazelle CMS "template" Local File Inclusion Vulnerability [SA33671] VirtueMart Multiple SQL Injection Vulnerabilities [SA33669] GameScript Cross-Site Scripting and SQL Injection [SA33666] ITLPoll "id" SQL Injection Vulnerability [SA33661] Script Toko Online "cat_id" SQL Injection Vulnerability [SA33660] SHOP-INET "grid" SQL Injection Vulnerability [SA33658] Max.Blog "username" SQL Injection Vulnerability [SA33654] Wazzum Dating Software "userid" SQL Injection Vulnerability [SA33652] KEEP Toolkit "patUser.php" SQL Injection Vulnerability [SA33649] GLinks "cat" SQL Injection Vulnerability [SA33646] Joomla Flash Magazine Deluxe Component "mag_id" SQL Injection [SA33643] Futomi's CGI Cafe Search CGI Password Reset Vulnerability [SA33635] Tor Unspecified Memory Corruption Vulnerability [SA33626] MemHT Portal Avatar File Upload Vulnerability [SA33625] Flax Article Manager "cat_id" SQL Injection Vulnerability [SA33622] RoundCube Webmail Script Insertion Vulnerability [SA33612] Joomla BazaarBuilder Shopping Cart Component "cid" SQL Injection [SA33606] FhImage PHP Code Execution Vulnerability [SA33595] Free Bible Search PHP Script SQL Injection Vulnerability [SA33592] Ralink Wireless Drivers Probe Request Processing Vulnerability [SA33590] Max.Blog Security Bypass and SQL Injection [SA33589] AJ Auction Pro "id" SQL Injection Vulnerability [SA33587] Dodo's Quiz Script "n" Local File Inclusion Vulnerability [SA33584] RCBlog "password.txt" Information Disclosure Security Issue [SA33583] AV Book Library Multiple SQL Injection Vulnerabilities [SA33580] PHPads Multiple Vulnerabilities [SA33573] Ninja Blog "cat" File Inclusion Vulnerability [SA33570] AJ Classifieds Multiple Products File Upload Vulnerability [SA33563] Joomla Eventing Component "catid" SQL Injection Vulnerability [SA33562] Joomla RD-Autos Component "id" SQL Injection Vulnerability [SA33667] EMC AutoStart Backbone Engine Code Execution Vulnerability [SA33713] HP Select Access Cross-Site Scripting Vulnerability [SA33698] Domain Technologie Control Multiple SQL Injection Vulnerabilities [SA33697] GraphicsMagick DIB and BMP Denial of Service Vulnerabilities [SA33684] ConPresso CMS Session Fixation and Cross-Site Scripting [SA33680] GLPI SQL Injection Vulnerabilities [SA33670] Simple Machines Forum "packages.xml" Cross-Site Scripting [SA33668] CA Cohesion Application Configuration Manager Apache Tomcat Multiple Vulnerabilities [SA33657] Piggydb Cross-Site Scripting Vulnerability [SA33655] htmLawed Unspecified Cross-Site Scripting Vulnerabilities [SA33599] Fedora update for drupal [SA33593] MoinMoin Multiple Cross Site Scripting Vulnerabilities [SA33577] Joomla! WebAmoeba Ticket System Component "catid" SQL Injection [SA33576] Apache Jackrabbit webapp Cross-Site Scripting Vulnerabilities [SA33565] LemonLDAP::NG User Enumeration and Cross-Site Scripting [SA33712] CA Anti-Virus Engine Archive Files Detection Bypass [SA33688] Sun Java System Access Manager User Enumeration Weakness ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA33663] MW6 Technologies Barcode ActiveX "Supplement" Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2009-01-27 Houssamix has discovered a vulnerability in the MW6 Technologies Barcode ActiveX control, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33663/ -- [SA33645] Merak Media Player ToolTip Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2009-01-26 Houssamix has discovered a vulnerability in Merak Media Player, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33645/ -- [SA33642] Apple QuickTime MPEG-2 Playback Component Input Validation Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2009-01-22 A vulnerability has been reported in the Apple QuickTime MPEG-2 Playback component, which can potentially be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33642/ -- [SA33582] Symantec AppStream Client LaunchObj ActiveX Control Insecure Methods Critical: Highly critical Where: From remote Impact: System access Released: 2009-01-16 A vulnerability has been reported in Symantec AppStream Client, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33582/ -- [SA33574] MetaProducts MetaTreeX ActiveX Control Insecure Methods Critical: Highly critical Where: From remote Impact: Manipulation of data, System access Released: 2009-01-19 Houssamix has discovered two vulnerabilities in MetaProducts MetaTreeX Control, which can be exploited by malicious people to overwrite arbitrary files and compromise a user's system. Full Advisory: http://secunia.com/advisories/33574/ -- [SA33673] VooDoo cIRCle OpenSSL DSA / ECDSA "EVP_VerifyFinal()" Vulnerability Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2009-01-26 A vulnerability has been reported in VooDoo cIRCle, which can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33673/ -- [SA33647] ClickAuction "txtEmail" and "txtPassword" SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-01-27 R3d D3v!L has reported some vulnerabilities in ClickAuction, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33647/ -- [SA33629] Web-Calendar Lite Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-01-26 ByALBAYX has reported some vulnerabilities in Web-Calendar Lite, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33629/ -- [SA33604] cwRsync OpenSSL DSA / ECDSA "EVP_VerifyFinal()" Spoofing Vulnerability Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2009-01-19 A vulnerability has been reported in cwRsync, which can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33604/ -- [SA33602] Digital Sales IPN Database Disclosure Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2009-01-19 Moudi has discovered a vulnerability in Digital Sales IPN, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33602/ -- [SA33601] Blog Manager SQL Injection and Cross Site Scripting Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2009-01-19 Pouya_Server has reported some vulnerabilities in Blog Manager, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33601/ -- [SA33596] ActionCalendar "pass" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-01-19 A vulnerability has been reported in ActionCalendar, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33596/ -- [SA33594] Fujitsu SystemcastWizard Lite Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2009-01-20 Some vulnerabilities have been reported in Fujitsu SystemcastWizard Lite, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33594/ -- [SA33579] eFAQ "str_Login" and "str_Password" SQL Injection Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-01-19 ByALBAYX has reported some vulnerabilities in eFAQ, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33579/ -- [SA33578] eReservations "Login" and "Password" SQL Injection Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-01-19 ByALBAYX has reported some vulnerabilities in eReservations, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33578/ -- [SA33575] Ping IP "txtUserName" and "txtPassword" SQL Injection Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-01-19 ByALBAYX has reported two vulnerabilities in Ping IP, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33575/ -- [SA33572] BlogIt! Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2009-01-19 Some vulnerabilities have been discovered in BlogIt!, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33572/ -- [SA33633] Cisco Security Manager Security Bypass Vulnerability Critical: Moderately critical Where: From local network Impact: Security Bypass, Manipulation of data Released: 2009-01-22 A vulnerability has been reported in Cisco Security Manager, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33633/ -- [SA33664] FlexCell Grid ActiveX Control "SaveFile()" and "ExportToXML()" Insecure Methods Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2009-01-27 Houssamix has discovered two vulnerabilities in the FlexCell Grid ActiveX control, which can be exploited by malicious people to overwrite arbitrary files. Full Advisory: http://secunia.com/advisories/33664/ -- [SA33598] Microsoft Windows Mobile Bluetooth Stack OBEX Directory Traversal Critical: Less critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information Released: 2009-01-27 Alberto Moreno Tablado has reported a vulnerability in Microsoft Windows Mobile, which can be exploited by malicious users to disclose sensitive information and bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33598/ -- [SA33597] FTPShell Server License Key Buffer Overflow Vulnerability Critical: Less critical Where: From remote Impact: System access Released: 2009-01-23 Gjoko 'LiquidWorm' Krstic has discovered a vulnerability in FTPShell Server, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33597/ -- [SA33591] SmartVMD ActiveX Control Multiple Insecure Methods Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2009-01-21 Houssamix has discovered two vulnerabilities in SmartVMD ActiveX Control, which can be exploited by malicious people to overwrite and delete arbitrary files. Full Advisory: http://secunia.com/advisories/33591/ -- [SA33588] Cisco Unified Communications Manager CAPF Denial of Service Critical: Less critical Where: From local network Impact: DoS Released: 2009-01-22 A vulnerability has been reported in Cisco Unified Communications Manager, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33588/ -- [SA33566] Syslserve UDP Request Denial of Service Vulnerability Critical: Less critical Where: From local network Impact: DoS Released: 2009-01-16 Rob Kraus has reported a vulnerability in Syslserve, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33566/ -- [SA33609] Trend Micro OfficeScan Client Firewall Multiple Vulnerabilities Critical: Less critical Where: Local system Impact: Security Bypass, Privilege escalation, DoS Released: 2009-01-20 Secunia Research has discovered some vulnerabilities in Trend Micro OfficeScan Client, which can be exploited by malicious, local users to cause a DoS (Denial of Service), bypass certain security features, and potentially gain escalated privileges. Full Advisory: http://secunia.com/advisories/33609/ UNIX/Linux:-- [SA33710] SUSE update for IBMJava5-JRE and java-1_5_0-ibm Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2009-01-29 SUSE has issued an update for IBMJava5-JRE and java-1_5_0-ibm. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of service), or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33710/ -- [SA33709] Ubuntu update for openjdk-6 Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2009-01-29 Ubuntu has issued an update for openjdk-6. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of service), or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33709/ -- [SA33696] Sun Solaris Samba "receive_smb_raw()" Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2009-01-29 Sun has acknowledged a vulnerability in Samba in Solaris, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33696/ -- [SA33679] Debian update for typo3-src Critical: Highly critical Where: From remote Impact: Hijacking, Security Bypass, Cross Site Scripting, System access Released: 2009-01-27 Debian has issued an update for typo3-src. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and session fixation attacks, and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33679/ -- [SA33676] Ubuntu update for xine-lib Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2009-01-27 Ubuntu has issued an update for xine-lib. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33676/ -- [SA33640] Fedora update for amarok Critical: Highly critical Where: From remote Impact: System access Released: 2009-01-22 Fedora has issued an update for amarok. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33640/ -- [SA33613] Debian update for git Critical: Highly critical Where: From remote Impact: Privilege escalation Released: 2009-01-20 Debian has issued an update for git. This fixes a security issue and some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges, and by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33613/ -- [SA33607] GIT "gitweb" Command Injection Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2009-01-20 Some vulnerabilities have been reported in GIT, which can be exploited by malicious people to potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33607/ -- [SA33568] SUSE Update for Multiple Packages Critical: Highly critical Where: From remote Impact: Security Bypass, Privilege escalation, DoS, System access Released: 2009-01-19 SUSE has issued an update for multiple packages. This fixes some vulnerabilities, which can be exploited by malicious, local users to potentially gain escalated privileges, bypass certain security restrictions, or cause a DoS (Denial of Service), and by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33568/ -- [SA33722] Sun Solaris "libxml2" XML Processing Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2009-01-29 Sun has acknowledged a vulnerability in libxml2 in Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. Full Advisory: http://secunia.com/advisories/33722/ -- [SA33715] Avaya CMS Solaris "libxml2" XML Processing Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2009-01-29 Avaya has acknowledged a vulnerability in Avaya CMS, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. Full Advisory: http://secunia.com/advisories/33715/ -- [SA33714] HP MPE/iX DNS Cache Poisoning Vulnerability Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2009-01-29 HP has acknowledged a vulnerability in MPE/iX, which can be exploited by malicious people to poison the DNS cache. Full Advisory: http://secunia.com/advisories/33714/ -- [SA33702] Avaya CMS Solaris "libike" Library Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2009-01-29 Avaya has acknowledged a vulnerability in Avaya CMS, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33702/ -- [SA33699] Debian update for rt2400, rt2500, and rt2570 Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2009-01-29 Debian has issued an update for rt2400, rt2500, and rt2570. This fixes a vulnerability, which can be exploited to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33699/ -- [SA33689] Fedora update for vnc Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2009-01-27 Fedora has issued an update for vnc. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33689/ -- [SA33677] Fedora update for tor Critical: Moderately critical Where: From remote Impact: Unknown Released: 2009-01-26 Fedora has issued an update for tor. This fixes a vulnerability with an unknown impact. Full Advisory: http://secunia.com/advisories/33677/ -- [SA33675] Ubuntu update for ktorrent Critical: Moderately critical Where: From remote Impact: Security Bypass, System access Released: 2009-01-27 Ubuntu has issued an update for ktorrent. This fixes some vulnerabilities, which can be exploited by malicious users to compromise a vulnerable system and malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33675/ -- [SA33659] SUSE update for openssl Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2009-01-26 SUSE has issued an update for openssl. This fixes a vulnerability, which can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33659/ -- [SA33653] Debian update for ganglia-monitor-core Critical: Moderately critical Where: From remote Impact: System access Released: 2009-01-26 Debian has issued an update for ganglia-monitor-core. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33653/ -- [SA33644] Sun Solaris "libike" Library Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2009-01-28 A vulnerability has been reported in Sun Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33644/ -- [SA33637] Fedora update for DevIL Critical: Moderately critical Where: From remote Impact: System access Released: 2009-01-22 Fedora has issued an update for DevIL. This fixes some vulnerabilities, which can be exploited by malicious people to compromise an application using the library. Full Advisory: http://secunia.com/advisories/33637/ -- [SA33636] Ubuntu update for vim Critical: Moderately critical Where: From remote Impact: System access Released: 2009-01-27 Ubuntu has issued an update for vim. This fixes a weakness and a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33636/ -- [SA33627] mod-auth-mysql SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-23 A vulnerability has been reported in mod-auth-mysql, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33627/ -- [SA33621] rPath update for perl Critical: Moderately critical Where: From remote Impact: Privilege escalation, DoS, System access Released: 2009-01-21 rPath has issued an update for perl. This fixes some vulnerabilities, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33621/ -- [SA33618] rPath update for openssl Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2009-01-21 rPath has issued an update for openssl. This fixes a vulnerability, which can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33618/ -- [SA33614] Gentoo update for pidgin Critical: Moderately critical Where: From remote Impact: Spoofing, DoS, System access Released: 2009-01-21 Gentoo has issued an update for pidgin. This fixes some vulnerabilities, which potentially can be exploited by malicious people to conduct spoofing attacks and compromise a user's system. Full Advisory: http://secunia.com/advisories/33614/ -- [SA33608] SCMS Simple Content Management System "p" Local File Inclusion Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2009-01-19 A vulnerability has been discovered in SCMS Simple Content Management System, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/33608/ -- [SA33605] Sun Solaris IPv6 Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2009-01-26 Kingcope has discovered a vulnerability in Sun Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33605/ -- [SA33581] DKIM-MILTER "p" Revoked Keys Denial of Service Critical: Moderately critical Where: From remote Impact: DoS Released: 2009-01-19 A vulnerability has been reported in DKIM-MILTER, which can be exploited by malicious people to conduct DoS (Denial of Service) attacks. Full Advisory: http://secunia.com/advisories/33581/ -- [SA33723] Sun Solaris mod_perl Denial of Service Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2009-01-29 Sun has acknowledged a vulnerability in Sun Solaris, which can potentially be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33723/ -- [SA33720] Sun Solaris mod_perl Denial of Service Vulnerability Critical: Less critical Where: From remote Impact: DoS Released: 2009-01-29 Sun has acknowledged a vulnerability in Sun Solaris, which can potentially be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33720/ -- [SA33716] Debian update for moin Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-29 Debian has issued an update for moin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33716/ -- [SA33687] No-IP Dynamic Update Client Information Disclosure Critical: Less critical Where: From remote Impact: Exposure of sensitive information Released: 2009-01-29 A security issue has been reported in No-IP Dynamic Update Client, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33687/ -- [SA33685] SAP NetWeaver Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-27 A vulnerability has been reported in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33685/ -- [SA33683] Sun Solaris BIND "EVP_VerifyFinal()" and "DSA_do_verify()" Spoofing Vulnerability Critical: Less critical Where: From remote Impact: Spoofing Released: 2009-01-28 Sun has acknowledged a vulnerability in Sun Solaris, which can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33683/ -- [SA33678] Fedora update for ntp Critical: Less critical Where: From remote Impact: Spoofing Released: 2009-01-26 Fedora has issued an update for ntp. This fixes a vulnerability, which can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33678/ -- [SA33674] Fedora update for kernel Critical: Less critical Where: From remote Impact: Privilege escalation, DoS Released: 2009-01-27 Fedora has issued an update for the kernel. This fixes a security issue, which can be exploited by malicious, local users to potentially cause a DoS (Denial of Service) or gain escalated privileges. Full Advisory: http://secunia.com/advisories/33674/ -- [SA33651] Web Help Desk Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-26 A vulnerability has been reported in Web Help Desk, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33651/ -- [SA33648] Red Hat update for ntp Critical: Less critical Where: From remote Impact: Spoofing Released: 2009-01-29 Red Hat has issued an update for ntp. This fixes a vulnerability, which can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33648/ -- [SA33641] SUSE update for kernel Critical: Less critical Where: From remote Impact: DoS Released: 2009-01-22 SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), and by malicious people to cause a DoS and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33641/ -- [SA33638] Fedora update for uw-imap Critical: Less critical Where: From remote Impact: DoS Released: 2009-01-22 Fedora has issued an update for uw-imap. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33638/ -- [SA33624] Red Hat update for dovecot Critical: Less critical Where: From remote Impact: Security Bypass Released: 2009-01-21 Red Hat has issued an update for dovecot. This fixes a security issue, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33624/ -- [SA33620] rPath update for bind Critical: Less critical Where: From remote Impact: Spoofing Released: 2009-01-21 rPath has issued an update for bind. This fixes a vulnerability, which can potentially be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33620/ -- [SA33619] rPath update for ntp Critical: Less critical Where: From remote Impact: Spoofing Released: 2009-01-21 rPath has issued an update for ntp. This fixes a vulnerability, which can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33619/ -- [SA33615] SUSE update for kernel Critical: Less critical Where: From remote Impact: Security Bypass, Privilege escalation, DoS, System access Released: 2009-01-21 SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), bypass certain security restrictions, and potentially gain escalated privileges, and by malicious people to cause a DoS and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33615/ -- [SA33611] Red Hat update for squirrelmail Critical: Less critical Where: From remote Impact: Hijacking Released: 2009-01-20 Red Hat has issued an update for squirrelmail. This fixes a vulnerability, which can be exploited by malicious people to conduct session fixation attacks. Full Advisory: http://secunia.com/advisories/33611/ -- [SA33610] Gentoo update for noip-updater Critical: Less critical Where: From remote Impact: System access Released: 2009-01-19 Gentoo has issued an update for noip-updater. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33610/ -- [SA33600] SUSE update for bind Critical: Less critical Where: From remote Impact: Spoofing Released: 2009-01-22 SUSE has issued an update for bind. This fixes a vulnerability, which potentially can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33600/ -- [SA33631] Gentoo update for net-snmp Critical: Less critical Where: From local network Impact: DoS Released: 2009-01-22 Gentoo has issued an update for net-snmp. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33631/ -- [SA33706] Ubuntu update for kernel Critical: Less critical Where: Local system Impact: DoS Released: 2009-01-29 Ubuntu has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users and malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33706/ -- [SA33703] Fedora update for dia Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2009-01-27 Fedora has issued an update for dia. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33703/ -- [SA33693] Red Hat Certificate Server Information Disclosure and Security Bypass Critical: Less critical Where: Local system Impact: Security Bypass, Exposure of sensitive information Released: 2009-01-29 Red Hat has acknowledged some security issues in Red Hat Certificate Server, which can be exploited by malicious, local users to bypass certain security restrictions and to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/33693/ -- [SA33672] Dia Insecure Python Module Search Path Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2009-01-27 A vulnerability has been reported in Dia, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33672/ -- [SA33665] Sun Solaris "autofs" Kernel Module Denial of Service and Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation, DoS Released: 2009-01-28 A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33665/ -- [SA33630] Gentoo update for scilab Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2009-01-22 Gentoo has issued an update for scilab. This fixes some security issues, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/33630/ -- [SA33586] Red Hat update for kernel Critical: Less critical Where: Local system Impact: Security Bypass, Exposure of sensitive information, Privilege escalation, DoS Released: 2009-01-22 Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information, bypass certain security restrictions, potentially gain escalated privileges, and cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33586/ -- [SA33567] Ubuntu update for tar Critical: Not critical Where: From remote Impact: DoS Released: 2009-01-16 Ubuntu has issued an update for tar. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33567/ -- [SA33628] Avaya CMS Solaris "rpc.metad" Denial of Service Vulnerability Critical: Not critical Where: From local network Impact: DoS Released: 2009-01-22 Avaya has acknowledged a vulnerability in Avaya CMS, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33628/ -- [SA33727] Sun Solaris IP-in-IP Processing Denial of Service Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2009-01-29 Sun has acknowledged a vulnerability in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33727/ -- [SA33708] Avaya CMS Solaris Pseudo-Terminal Driver Denial of Service Critical: Not critical Where: Local system Impact: DoS Released: 2009-01-29 Avaya has acknowledged a vulnerability in Avaya CMS, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33708/ -- [SA33705] Avaya CMS Solaris "lpadmin" and "ppdmgr" Denial of Service Vulnerabilities Critical: Not critical Where: Local system Impact: DoS Released: 2009-01-29 Avaya has acknowledged some vulnerabilities in Amaya CMS, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33705/ -- [SA33662] Sun Solaris Pseudo-Terminal Driver Denial of Service Critical: Not critical Where: Local system Impact: DoS Released: 2009-01-28 A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33662/ -- [SA33656] Linux Kernel dell_rbu Denial of Service Security Issues Critical: Not critical Where: Local system Impact: DoS Released: 2009-01-26 Two security issues have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33656/ -- [SA33639] Fedora update for moodle Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2009-01-22 Fedora has issued an update for moodle. This fixes some security issues, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/33639/ -- [SA33623] Red Hat update for kernel Critical: Not critical Where: Local system Impact: DoS Released: 2009-01-21 Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33623/ -- [SA33569] Linux Kernel "keyctl_join_session_keyring()" Denial of Service Critical: Not critical Where: Local system Impact: DoS Released: 2009-01-19 A vulnerability has been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33569/ Other:-- [SA33616] Sony Ericsson Phones WAP Push Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2009-01-29 A vulnerability has been reported in various Sony Ericsson phones, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33616/ -- [SA33726] Sun Fire X2100 / X2200 Embedded Lights Out Manager Security Bypass Critical: Moderately critical Where: From local network Impact: Security Bypass Released: 2009-01-29 A vulnerability has been reported in Sun Fire X2100 and X2200 M2 Server, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33726/ -- [SA33585] Sun SPARC Enterprise M4000 / M5000 Server XSCFU Security Bypass Critical: Moderately critical Where: From local network Impact: Security Bypass, System access Released: 2009-01-22 A vulnerability has been reported in Sun SPARC M4000 / M5000 Server, which can be exploited by malicious people to bypass certain security restrictions and potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33585/ -- [SA33603] AXIS 70U Network Document Server File Inclusion and Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting, Privilege escalation Released: 2009-01-22 Some vulnerabilities have been reported in AXIS 70U Network Document Server, which can be exploited by malicious users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33603/ Cross Platform:-- [SA33711] FFmpeg 4xm Processing Memory Corruption Vulnerability Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2009-01-29 Tobias Klein has reported a vulnerability in FFmpeg, which potentially can be exploited by malicious people to compromise an application using the library. Full Advisory: http://secunia.com/advisories/33711/ -- [SA33691] WB News "config[installdir]" Multiple File Inclusion Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2009-01-27 HACKERS PAL has discovered some vulnerabilities in WB News, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33691/ -- [SA33650] GStreamer Good Plug-ins QuickTime Processing Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2009-01-23 Tobias Klein has reported some vulnerabilities in GStreamer Good Plug-ins, which can potentially be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33650/ -- [SA33632] Apple QuickTime Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2009-01-22 Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33632/ -- [SA33617] Typo3 Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Hijacking, Security Bypass, Cross Site Scripting, System access Released: 2009-01-21 Some vulnerabilities have been reported in Typo3, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and session fixation attacks, and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33617/ -- [SA33564] GNUBoard "g4_path" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information, System access Released: 2009-01-16 flyh4t has discovered a vulnerability in GNUBoard, which can be exploited by malicious people to disclose sensitive information or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33564/ -- [SA33719] IMP Cross-Site Scripting and Script Insertion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-28 Some vulnerabilities have been reported in IMP, which can be exploited by malicious people to conduct cross-site scripting or script insertion attacks. Full Advisory: http://secunia.com/advisories/33719/ -- [SA33701] SocialEngine "category_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-29 Snakespc has discovered a vulnerability in SocialEngine, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33701/ -- [SA33695] Horde / Horde Groupware Cross-Site Scripting and File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2009-01-28 Some vulnerabilities have been reported in Horde and Horde Groupware, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/33695/ -- [SA33690] Pixie CMS Multiple Local File Inclusion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2009-01-28 DSecRG has discovered some vulnerabilities in Pixie CMS, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33690/ -- [SA33686] Gazelle CMS "template" Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2009-01-28 fuzion has discovered a vulnerability in Gazelle CMS, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33686/ -- [SA33671] VirtueMart Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-27 Some vulnerabilities have been discovered in VirtueMart, which can be exploited by malicious people and users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33671/ -- [SA33669] GameScript Cross-Site Scripting and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2009-01-28 Encrypt3d.M!nd has reported some vulnerabilities in GameScript, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. Full Advisory: http://secunia.com/advisories/33669/ -- [SA33666] ITLPoll "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-27 fuzion has discovered a vulnerability in ITLPoll, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33666/ -- [SA33661] Script Toko Online "cat_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-27 k1n9k0ng has reported a vulnerability in Script Toko Online, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33661/ -- [SA33660] SHOP-INET "grid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-27 A vulnerability has been reported in SHOP-INET, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33660/ -- [SA33658] Max.Blog "username" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-29 A vulnerability has been discovered in Max.Blog, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33658/ -- [SA33654] Wazzum Dating Software "userid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-27 nuclear has reported a vulnerability in Wazzum Dating Software, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33654/ -- [SA33652] KEEP Toolkit "patUser.php" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-26 A vulnerability has been reported in KEEP Toolkit, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33652/ -- [SA33649] GLinks "cat" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-27 nuclear has discovered a vulnerability in GLinks, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33649/ -- [SA33646] Joomla Flash Magazine Deluxe Component "mag_id" SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-27 TurkGuvenligi has reported a vulnerability in the Flash Magazine Deluxe component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33646/ -- [SA33643] Futomi's CGI Cafe Search CGI Password Reset Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2009-01-23 A vulnerability has been reported in Futomi's CGI Cafe Search CGI, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33643/ -- [SA33635] Tor Unspecified Memory Corruption Vulnerability Critical: Moderately critical Where: From remote Impact: Unknown Released: 2009-01-22 A vulnerability with an unknown impact has been reported in Tor. Full Advisory: http://secunia.com/advisories/33635/ -- [SA33626] MemHT Portal Avatar File Upload Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2009-01-26 A vulnerability has been discovered in MemHT Portal, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33626/ -- [SA33625] Flax Article Manager "cat_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-26 jiko has reported a vulnerability in Flax Article Manager, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33625/ -- [SA33622] RoundCube Webmail Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-21 Julien Cayssol has reported a vulnerability in RoundCube Webmail, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33622/ -- [SA33612] Joomla BazaarBuilder Shopping Cart Component "cid" SQL Injection Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-22 XaDoS has reported a vulnerability in the BazaarBuilder Shopping Cart component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33612/ -- [SA33606] FhImage PHP Code Execution Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2009-01-21 Osirys has discovered a vulnerability in FhImage, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33606/ -- [SA33595] Free Bible Search PHP Script SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-20 A vulnerability has been reported in Free Bible Search PHP Script, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33595/ -- [SA33592] Ralink Wireless Drivers Probe Request Processing Vulnerability Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2009-01-23 A vulnerability has been reported in Ralink Technology Wireless Drivers, which can be exploited to cause a DoS (Denial of Service) or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33592/ -- [SA33590] Max.Blog Security Bypass and SQL Injection Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-01-21 Some vulnerabilities have been discovered in Max.Blog, which can be exploited by malicious people to bypass certain security restrictions and conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33590/ -- [SA33589] AJ Auction Pro "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-21 Snakespc has reported a vulnerability in AJ Auction Pro, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33589/ -- [SA33587] Dodo's Quiz Script "n" Local File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2009-01-21 cOndemned has discovered a vulnerability in Dodo's Quiz Script, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33587/ -- [SA33584] RCBlog "password.txt" Information Disclosure Security Issue Critical: Moderately critical Where: From remote Impact: Privilege escalation Released: 2009-01-20 Danny Moules has discovered a security issue in RCBlog, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33584/ -- [SA33583] AV Book Library Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-19 Some vulnerabilities have been reported in AV Book Library, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33583/ -- [SA33580] PHPads Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information Released: 2009-01-20 Danny Moules has discovered a security issue and a vulnerability in PHPads, which can be exploited by malicious people to disclose sensitive information and by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33580/ -- [SA33573] Ninja Blog "cat" File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2009-01-20 Danny Moules has discovered a vulnerability in Ninja Blog, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33573/ -- [SA33570] AJ Classifieds Multiple Products File Upload Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2009-01-21 A vulnerability has been reported in multiple AJ Classifieds products, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33570/ -- [SA33563] Joomla Eventing Component "catid" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-16 Cyb3R-1st has reported a vulnerability in the Eventing component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33563/ -- [SA33562] Joomla RD-Autos Component "id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-01-16 H!tm_at_N has discovered a vulnerability in the RD-Autos component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33562/ -- [SA33667] EMC AutoStart Backbone Engine Code Execution Vulnerability Critical: Moderately critical Where: From local network Impact: System access Released: 2009-01-26 A vulnerability has been reported in EMC AutoStart, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33667/ -- [SA33713] HP Select Access Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-29 A vulnerability has been reported in HP Select Access, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33713/ -- [SA33698] Domain Technologie Control Multiple SQL Injection Vulnerabilities Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2009-01-28 Some vulnerabilities have been reported in Domain Technologie Control, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33698/ -- [SA33697] GraphicsMagick DIB and BMP Denial of Service Vulnerabilities Critical: Less critical Where: From remote Impact: DoS Released: 2009-01-28 Some vulnerabilities have been reported in GraphicsMagick, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33697/ -- [SA33684] ConPresso CMS Session Fixation and Cross-Site Scripting Critical: Less critical Where: From remote Impact: Hijacking, Cross Site Scripting Released: 2009-01-27 David Vieira-Kurz has discovered some vulnerabilities in ConPresso, which can be exploited by malicious people to conduct session fixation and script insertion attacks. Full Advisory: http://secunia.com/advisories/33684/ -- [SA33680] GLPI SQL Injection Vulnerabilities Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2009-01-27 Some vulnerabilities have been reported in GLPI, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33680/ -- [SA33670] Simple Machines Forum "packages.xml" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-28 Xianur0 has discovered a vulnerability in Simple Machines Forum, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33670/ -- [SA33668] CA Cohesion Application Configuration Manager Apache Tomcat Multiple Vulnerabilities Critical: Less critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS Released: 2009-01-26 CA has acknowledged some vulnerabilities in various CA Cohesion Application Configuration Manager, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33668/ -- [SA33657] Piggydb Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-27 A vulnerability has been reported in Piggydb, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33657/ -- [SA33655] htmLawed Unspecified Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-29 Some vulnerabilities have been reported in htmLawed, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33655/ -- [SA33599] Fedora update for drupal Critical: Less critical Where: From remote Impact: Security Bypass Released: 2009-01-19 Fedora has issued an update for drupal. This fixes a vulnerability, which can be exploited by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33599/ -- [SA33593] MoinMoin Multiple Cross Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-21 Some vulnerabilities have been reported in MoinMoin, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33593/ -- [SA33577] Joomla! WebAmoeba Ticket System Component "catid" SQL Injection Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2009-01-20 Cyb3R-1st has reported a vulnerability in the WebAmoeba Ticket System component for Joomla!, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33577/ -- [SA33576] Apache Jackrabbit webapp Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-20 Some vulnerabilities have been reported in Apache Jackrabbit, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33576/ -- [SA33565] LemonLDAP::NG User Enumeration and Cross-Site Scripting Critical: Less critical Where: From remote Impact: Exposure of system information, Cross Site Scripting Released: 2009-01-16 A weakness and a vulnerability have been reported in LemonLDAP::NG, which can be exploited by malicious people to identify valid user accounts and conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33565/ -- [SA33712] CA Anti-Virus Engine Archive Files Detection Bypass Critical: Not critical Where: From remote Impact: Security Bypass Released: 2009-01-28 Some weaknesses have been reported in various CA products, which can be exploited by malware to bypass the scanning functionality. Full Advisory: http://secunia.com/advisories/33712/ -- [SA33688] Sun Java System Access Manager User Enumeration Weakness Critical: Not critical Where: From remote Impact: Exposure of system information Released: 2009-01-28 A weakness has been reported in Sun Java System Access Manager, which can be exploited by malicious people to identify valid user accounts. Full Advisory: http://secunia.com/advisories/33688/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Subscribe: http://secunia.com/advisories/weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support_at_private Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 _______________________________________________ Best Selling Security Books & More! http://www.shopinfosecnews.org/Received on Fri Jan 30 2009 - 02:04:20 PST
This archive was generated by hypermail 2.2.0 : Fri Jan 30 2009 - 02:11:17 PST