======================================================================== The Secunia Weekly Advisory Summary 2009-01-29 - 2009-02-05 This week: 94 advisories ======================================================================== Table of Contents: 1.....................................................Word From Secunia 2....................................................This Week In Brief 3...............................This Weeks Top Ten Most Read Advisories 4.......................................Vulnerabilities Summary Listing 5.......................................Vulnerabilities Content Listing ======================================================================== 1) Word From Secunia: The best new Windows program of 2008 Secunia Personal Software Inspector has been chosen as one of the best new Windows programs in 2008. Download.com, the world's largest download site, has chosen Secunia Personal Software Inspector as one of "The best new Windows programs of 2008". A total of six programs received this fine predicate which also included Google Chrome. Download.com also awarded Secunia PSI an editorial rating of five stars, which is their highest honors and a remarkable recognition. Read more: http://secunia.com/blog/41/ ======================================================================== 2) This Week in Brief: Some vulnerabilities have been reported in Mozilla Firefox, which potentially can be exploited to compromise a user's system. For more information, refer to: http://secunia.com/advisories/33799/ ======================================================================== 3) This Weeks Top Ten Most Read Advisories: 1. [SA33799] Mozilla Firefox Multiple Vulnerabilities 2. [SA33632] Apple QuickTime Multiple Vulnerabilities 3. [SA32991] Sun Java JDK / JRE Multiple Vulnerabilities 4. [SA32270] Adobe Flash Player Multiple Security Issues and Vulnerabilities 5. [SA33089] Internet Explorer Data Binding Memory Corruption Vulnerability 6. [SA33729] WebSphere Application Server Unspecified Information Disclosure 7. [SA33773] IBM AIX "rmsock" and "rmsock64" Log File Privilege Escalation 8. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability 9. [SA33754] Google Chrome Cross-Site Scripting and Information Disclosure 10. [SA33765] Sun Solaris OpenSSL "EVP_VerifyFinal()" Spoofing Vulnerability ======================================================================== 4) Vulnerabilities Summary Listing Windows: [SA33817] Euphonics Audio Player PLS Parsing Buffer Overflow Vulnerability [SA33796] Nokia PC Suite Multimedia Player Playlist Processing Buffer Overflow [SA33791] MultiMedia Soft Various Components AdjMmsEng.dll PLS Parsing Vulnerability [SA33766] NaviCOPA Script Source Disclosure and Buffer Overflow Vulnerabilities [SA33742] Elecard AVC HD Player Playlist Processing Buffer Overflow [SA33728] Synactis ALL In-The-Box ActiveX Control "SaveDoc()" Arbitrary File Overwrite [SA33851] QIP Message Processing Denial of Service Vulnerability [SA33839] Team Board "team.mdb" Database Disclosure [SA33794] UltraVNC "ClientConnection" Signedness Vulnerabilities [SA33774] ClickCart "txtEmail" and "txtPassword" SQL Injection [SA33771] MyDesign Sayac "user" and "pass" SQL Injection Vulnerabilities [SA33754] Google Chrome Cross-Site Scripting and Information Disclosure [SA33743] SalesCart "name" and "code" SQL Injection Vulnerabilities [SA33788] Kaspersky Products klim5.sys Privilege Escalation Vulnerability UNIX/Linux: [SA33819] SUSE update for amarok [SA33816] Red Hat update for seamonkey [SA33809] Red Hat update for firefox [SA33755] Ubuntu update for moinmoin [SA33827] Fedora update for roundcubemail [SA33822] SUSE update for moodle and phpMyAdmin [SA33820] SUSE update for xterm [SA33801] Debian update for devil [SA33797] HP-UX update for Apache [SA33792] Sun Solaris libxml2 Two Integer Overflow Vulnerabilities [SA33786] HP NonStop Server DNS Cache Poisoning Vulnerability [SA33784] SUSE update for audiofile [SA33765] Sun Solaris OpenSSL "EVP_VerifyFinal()" Spoofing Vulnerability [SA33752] OpenBSD BGP UPDATE Message Denial of Service Vulnerability [SA33746] VMware ESX Server update for net-snmp and libxml2 [SA33745] Debian update for vnc4 [SA33733] 4Site CMS Multiple SQL Injection Vulnerabilities [SA33854] Red Hat update for kernel [SA33828] Fedora update for boinc-client [SA33826] Fedora update for nss [SA33824] Fedora update for libcdaudio [SA33821] SUSE update for net-snmp [SA33818] SUSE update for sudo and avahi [SA33787] HP-UX IPv6 Neighbor Discovery Protocol Neighbor Solicitation Vulnerability [SA33823] Fedora update for gnumeric [SA33773] IBM AIX "rmsock" and "rmsock64" Log File Privilege Escalation [SA33769] Fedora update for gedit [SA33759] GNOME gedit Insecure Python Module Search Path Vulnerability [SA33776] VMware ESX / ESXi VMDK Delta Disk Denial of Service Weakness [SA33825] Fedora update for gpsdrive [SA33795] sblim-sfcb "genSslCert.sh" Insecure Temporary Files [SA33785] Linux Kernel Denial of Service Vulnerabilities [SA33756] Ubuntu update for linux [SA33753] Sudo Privilege Escalation Security Issue [SA33751] Sun Solaris IP Minor Numbers Denial of Service Vulnerability Other: [SA33729] WebSphere Application Server Unspecified Information Disclosure [SA33770] Xerox WorkCentre Web Server Unspecified Command Injection [SA33739] Profense Web Application Firewall Cross-Site Scripting and Cross-Site Request Forgery [SA33738] D-Link DVG-2001S Cross-Site Scripting and Cross-Site Request Forgery [SA33779] HP LaserJet / Digital Sender Directory Traversal Vulnerability [SA33749] Cisco Products Denial of Service and Security Bypass Vulnerabilities Cross Platform: [SA33812] GRBoard Multiple File Inclusion Vulnerabilities [SA33808] Mozilla SeaMonkey Multiple Vulnerabilities [SA33802] Mozilla Thunderbird Memory Corruption Vulnerabilities [SA33799] Mozilla Firefox Multiple Vulnerabilities [SA33768] GBook "abspath" File Inclusion Vulnerability [SA33748] Coppermine Photo Gallery Variable Overwrite Vulnerability [SA33744] Novell GroupWise Multiple Vulnerabilities [SA33732] TECHNOTE "shop_this_skin_path" File Inclusion Vulnerability [SA33836] Drupal Views Bulk Operations Module Script Insertion [SA33813] Mahara Unspecified Script Insertion Vulnerability [SA33811] PHPbbBook "l" File Inclusion Vulnerability [SA33807] TightVNC "ClientConnection" Signedness Vulnerabilities [SA33804] ScriptsEz Ez PHP Comment "name" Script Insertion Vulnerability [SA33781] Bugzilla Multiple Vulnerabilities [SA33780] GR Blog Security Bypass Security Issue [SA33778] CMS from Scratch File Upload Vulnerability [SA33777] Whole Hog Software Multiple Products SQL Injection and Security Bypass [SA33775] Moodle Multiple Vulnerabilities [SA33772] PerlSoft Gstebuch "loginname1" Code Execution Vulnerability [SA33767] Online Grades SQL Injection and Information Disclosure [SA33757] Drupal ImageField Module File Upload and Script Insertion [SA33741] ReVou Twitter Clone Script Insertion and SQL Injection [SA33735] AJA "currentlang" and "module_name" Local File Inclusion Vulnerabilities [SA33734] BPAutoSales SQL Injection and Cross-Site Scripting [SA33731] Squid HTTP Version Number Parsing Denial of Service Vulnerability [SA33730] DreamPics Builder "exhibition_id" SQL Injection Vulnerability [SA33834] htmLawed Unspecified Cross-Site Scripting Vulnerability [SA33806] BOINC "RSA_public_decrypt()" Spoofing Vulnerability [SA33790] Simple Machines Forum "[url]" Script Insertion Vulnerability [SA33789] Bugzilla Script Insertion and Cross-Site Request Forgery [SA33782] Bugzilla Cross-Site Request Forgery Vulnerability [SA33764] E-Php B2B Trading Marketplace Script "errmsg" Cross-Site Scripting [SA33763] SMA-DB "startpage.php" Cross-Site Scripting Vulnerability [SA33762] Oracle Forms Cross-Site Scripting Vulnerabilities [SA33761] Oracle Application Server Cross-Site Scripting Vulnerabilities [SA33760] Fedora update for glpi [SA33747] FlatnuX CMS "Job" Script Insertion Vulnerability [SA33740] ManageEngine Firewall Analyzer Cross-Site Request Forgery Vulnerability [SA33805] ESET Remote Administrator Script Insertion Vulnerability ======================================================================== 5) Vulnerabilities Content Listing Windows:-- [SA33817] Euphonics Audio Player PLS Parsing Buffer Overflow Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2009-02-04 A vulnerability has been discovered in Euphonics Audio Player, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33817/ -- [SA33796] Nokia PC Suite Multimedia Player Playlist Processing Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2009-02-04 0in has discovered a vulnerability in Nokia PC Suite, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33796/ -- [SA33791] MultiMedia Soft Various Components AdjMmsEng.dll PLS Parsing Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2009-02-04 A vulnerability has been discovered in various MultiMedia Soft components for .NET, which potentially can be exploited by malicious people to compromise an application using these components. Full Advisory: http://secunia.com/advisories/33791/ -- [SA33766] NaviCOPA Script Source Disclosure and Buffer Overflow Vulnerabilities Critical: Highly critical Where: From remote Impact: Exposure of sensitive information, DoS, System access Released: 2009-02-04 e.wiZz! has discovered two vulnerabilities in NaviCOPA, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33766/ -- [SA33742] Elecard AVC HD Player Playlist Processing Buffer Overflow Critical: Highly critical Where: From remote Impact: System access Released: 2009-02-03 AlpHaNiX has discovered a vulnerability in Elecard AVC HD Player, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33742/ -- [SA33728] Synactis ALL In-The-Box ActiveX Control "SaveDoc()" Arbitrary File Overwrite Critical: Highly critical Where: From remote Impact: System access Released: 2009-02-02 A vulnerability has been discovered in the Synactis ALL In-The-Box ActiveX control, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33728/ -- [SA33851] QIP Message Processing Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2009-02-05 Maxim Kulakov has discovered a vulnerability in QIP, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33851/ -- [SA33839] Team Board "team.mdb" Database Disclosure Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2009-02-05 Pouya_Server has reported a security issue in Team Board, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33839/ -- [SA33794] UltraVNC "ClientConnection" Signedness Vulnerabilities Critical: Moderately critical Where: From remote Impact: System access Released: 2009-02-04 Some vulnerabilities have been reported in UltraVNC, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33794/ -- [SA33774] ClickCart "txtEmail" and "txtPassword" SQL Injection Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-02-03 R3d D3v!L has reported some vulnerabilities in ClickCart, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33774/ -- [SA33771] MyDesign Sayac "user" and "pass" SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-02-04 Kacak has discovered two vulnerabilities in MyDesign Sayac, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33771/ -- [SA33754] Google Chrome Cross-Site Scripting and Information Disclosure Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2009-02-02 Two vulnerabilities have been reported in Google Chrome, which can be exploited by malicious people to conduct cross-site scripting attacks or to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33754/ -- [SA33743] SalesCart "name" and "code" SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-02-02 ByALBAYX has reported some vulnerabilities in SalesCart, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33743/ -- [SA33788] Kaspersky Products klim5.sys Privilege Escalation Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation, DoS Released: 2009-02-03 Ruben Santamarta has reported a vulnerability in multiple Kaspersky products, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges. Full Advisory: http://secunia.com/advisories/33788/ UNIX/Linux:-- [SA33819] SUSE update for amarok Critical: Highly critical Where: From remote Impact: System access Released: 2009-02-04 SUSE has issued an update for amarok. This fixes some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33819/ -- [SA33816] Red Hat update for seamonkey Critical: Highly critical Where: From remote Impact: Security Bypass, Exposure of system information, Exposure of sensitive information, System access Released: 2009-02-04 Red Hat has issued an update for seamonkey. This fixes some vulnerabilities, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/33816/ -- [SA33809] Red Hat update for firefox Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access Released: 2009-02-04 Red Hat has issued an update for firefox. This fixes some vulnerabilities, which can be exploited by malicious, local users to potentially disclose sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, disclose sensitive information, or potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/33809/ -- [SA33755] Ubuntu update for moinmoin Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, DoS, System access Released: 2009-01-30 Ubuntu has issued an update for moinmoin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass security restrictions, manipulate certain data, or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33755/ -- [SA33827] Fedora update for roundcubemail Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-05 Fedora has issued an update for roundcubemail. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33827/ -- [SA33822] SUSE update for moodle and phpMyAdmin Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data, Exposure of sensitive information, System access Released: 2009-02-04 SUSE has issued an update for moodle and phpMyAdmin. This fixes some vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information, conduct cross-site scripting attacks, and compromise a vulnerable system, and malicious people to conduct SQL injection, cross-site scripting, and cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33822/ -- [SA33820] SUSE update for xterm Critical: Moderately critical Where: From remote Impact: System access Released: 2009-02-04 SUSE has issued an update for xterm. This fixes a vulnerability, which can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33820/ -- [SA33801] Debian update for devil Critical: Moderately critical Where: From remote Impact: System access Released: 2009-02-05 Debian has issued an update devil. This fixes some vulnerabilities, which can be exploited by malicious people to compromise an application using the library. Full Advisory: http://secunia.com/advisories/33801/ -- [SA33797] HP-UX update for Apache Critical: Moderately critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, DoS, System access Released: 2009-02-04 HP has issued an update for Apache. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33797/ -- [SA33792] Sun Solaris libxml2 Two Integer Overflow Vulnerabilities Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2009-02-04 Sun has acknowledged two vulnerabilities in libxml2 in Solaris, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise an application using the library. Full Advisory: http://secunia.com/advisories/33792/ -- [SA33786] HP NonStop Server DNS Cache Poisoning Vulnerability Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2009-02-03 HP has acknowledged a vulnerability in HP NonStop Server, which can be exploited by malicious people to poison the DNS cache. Full Advisory: http://secunia.com/advisories/33786/ -- [SA33784] SUSE update for audiofile Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2009-02-04 SUSE has issued an update for audiofile. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise an application using the library. Full Advisory: http://secunia.com/advisories/33784/ -- [SA33765] Sun Solaris OpenSSL "EVP_VerifyFinal()" Spoofing Vulnerability Critical: Moderately critical Where: From remote Impact: Spoofing Released: 2009-01-30 Sun has acknowledged a vulnerability in Sun Solaris, which can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33765/ -- [SA33752] OpenBSD BGP UPDATE Message Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2009-02-02 A vulnerability has been reported in OpenBSD, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33752/ -- [SA33746] VMware ESX Server update for net-snmp and libxml2 Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2009-02-02 VMware has issued an update for VMware ESX Server. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33746/ -- [SA33745] Debian update for vnc4 Critical: Moderately critical Where: From remote Impact: DoS, System access Released: 2009-02-02 Debian has issued an update for vnc4. This fixes a vulnerability, which can be exploited by malicious people to potentially compromise a user's system. Full Advisory: http://secunia.com/advisories/33745/ -- [SA33733] 4Site CMS Multiple SQL Injection Vulnerabilities Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-02-05 D.Mortalov has reported some vulnerabilities in 4Site CMS, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33733/ -- [SA33854] Red Hat update for kernel Critical: Less critical Where: From remote Impact: DoS Released: 2009-02-05 Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), and by malicious people to potentially cause a DoS. Full Advisory: http://secunia.com/advisories/33854/ -- [SA33828] Fedora update for boinc-client Critical: Less critical Where: From remote Impact: Spoofing Released: 2009-02-05 Fedora has issued an update for boinc-client. This fixes a vulnerability, which can potentially be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33828/ -- [SA33826] Fedora update for nss Critical: Less critical Where: From remote Impact: Spoofing Released: 2009-02-05 Fedora has issued an update for nss. This fixes a security issue, which potentially can be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33826/ -- [SA33824] Fedora update for libcdaudio Critical: Less critical Where: From remote Impact: System access Released: 2009-02-05 Fedora has issued an update for libcdaudio. This fixes a vulnerability, which potentially can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33824/ -- [SA33821] SUSE update for net-snmp Critical: Less critical Where: From local network Impact: DoS Released: 2009-02-04 SUSE has issued an update for net-snmp. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33821/ -- [SA33818] SUSE update for sudo and avahi Critical: Less critical Where: From local network Impact: Privilege escalation, DoS Released: 2009-02-04 SUSE has issued an update for sudo and avahi. This fixes a security issue and a vulnerability, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33818/ -- [SA33787] HP-UX IPv6 Neighbor Discovery Protocol Neighbor Solicitation Vulnerability Critical: Less critical Where: From local network Impact: Spoofing, Exposure of sensitive information, DoS Released: 2009-02-03 A vulnerability has been reported in HP-UX, which can be exploited by malicious people to conduct spoofing attacks, disclose potentially sensitive information, or to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33787/ -- [SA33823] Fedora update for gnumeric Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2009-02-05 Fedora has issued an update for gnumeric. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33823/ -- [SA33773] IBM AIX "rmsock" and "rmsock64" Log File Privilege Escalation Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2009-01-30 IBM has acknowledged a security issue in IBM AIX, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/33773/ -- [SA33769] Fedora update for gedit Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2009-01-30 Fedora has issued an update for gedit. This fixes a vulnerability, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33769/ -- [SA33759] GNOME gedit Insecure Python Module Search Path Vulnerability Critical: Less critical Where: Local system Impact: Privilege escalation Released: 2009-01-30 A vulnerability has been reported in gedit, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33759/ -- [SA33776] VMware ESX / ESXi VMDK Delta Disk Denial of Service Weakness Critical: Not critical Where: From remote Impact: DoS Released: 2009-02-02 A weakness has been reported in VMware ESX / ESXi, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33776/ -- [SA33825] Fedora update for gpsdrive Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2009-02-05 Fedora has issued an update for gpsdrive. This fixes some security issues, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/33825/ -- [SA33795] sblim-sfcb "genSslCert.sh" Insecure Temporary Files Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2009-02-05 A security issue has been reported in sblim-sfcb, which can be exploited by malicious, local users to perform certain actions with escalated privileges. Full Advisory: http://secunia.com/advisories/33795/ -- [SA33785] Linux Kernel Denial of Service Vulnerabilities Critical: Not critical Where: Local system Impact: DoS Released: 2009-02-04 Some vulnerabilities have been reported in the Linux Kernel, which potentially can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33785/ -- [SA33756] Ubuntu update for linux Critical: Not critical Where: Local system Impact: DoS Released: 2009-01-30 Ubuntu has issued an update for linux. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33756/ -- [SA33753] Sudo Privilege Escalation Security Issue Critical: Not critical Where: Local system Impact: Privilege escalation Released: 2009-02-04 A security issue has been reported in sudo, which can be exploited by malicious, local users to gain escalated privileges. Full Advisory: http://secunia.com/advisories/33753/ -- [SA33751] Sun Solaris IP Minor Numbers Denial of Service Vulnerability Critical: Not critical Where: Local system Impact: DoS Released: 2009-02-02 Sun has acknowledged a vulnerability in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33751/ Other:-- [SA33729] WebSphere Application Server Unspecified Information Disclosure Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2009-01-30 A vulnerability has been reported in WebSphere Application Server, which can potentially be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33729/ -- [SA33770] Xerox WorkCentre Web Server Unspecified Command Injection Critical: Moderately critical Where: From local network Impact: System access Released: 2009-02-02 A vulnerability has been reported in Xerox WorkCentre, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33770/ -- [SA33739] Profense Web Application Firewall Cross-Site Scripting and Cross-Site Request Forgery Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-30 Michael Brooks has discovered some vulnerabilities in Profense Web Application Firewall, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33739/ -- [SA33738] D-Link DVG-2001S Cross-Site Scripting and Cross-Site Request Forgery Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-03 Some vulnerabilities have been reported in D-Link DVG-2001S, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33738/ -- [SA33779] HP LaserJet / Digital Sender Directory Traversal Vulnerability Critical: Less critical Where: From local network Impact: Exposure of system information, Exposure of sensitive information Released: 2009-02-05 A vulnerability has been reported in HP LaserJet and Digital Sender products, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33779/ -- [SA33749] Cisco Products Denial of Service and Security Bypass Vulnerabilities Critical: Less critical Where: From local network Impact: Security Bypass, DoS Released: 2009-02-05 Some vulnerabilities have been reported in multiple Cisco Products, which can be exploited by malicious people to cause a DoS (Denial of Service) and by malicious users to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33749/ Cross Platform:-- [SA33812] GRBoard Multiple File Inclusion Vulnerabilities Critical: Highly critical Where: From remote Impact: System access Released: 2009-02-04 make0day has discovered some vulnerabilities in GRBoard, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33812/ -- [SA33808] Mozilla SeaMonkey Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access, Security Bypass Released: 2009-02-04 Some vulnerabilities have been reported in Mozilla SeaMonkey, which can be exploited by malicious people to bypass certain security restrictions or potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/33808/ -- [SA33802] Mozilla Thunderbird Memory Corruption Vulnerabilities Critical: Highly critical Where: From remote Impact: DoS, System access Released: 2009-02-04 Some vulnerabilities have been reported in Mozilla Thunderbird, which can potentially be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33802/ -- [SA33799] Mozilla Firefox Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access Released: 2009-02-04 Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious, local users to potentially disclose sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, disclose sensitive information, or potentially to compromise a user's system. Full Advisory: http://secunia.com/advisories/33799/ -- [SA33768] GBook "abspath" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2009-02-03 A vulnerability has been discovered in GBook, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33768/ -- [SA33748] Coppermine Photo Gallery Variable Overwrite Vulnerability Critical: Highly critical Where: From remote Impact: Security Bypass, System access Released: 2009-01-30 Michael Brooks has discovered a vulnerability in Coppermine Photo Gallery, which can be exploited by malicious people to bypass certain security restrictions and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33748/ -- [SA33744] Novell GroupWise Multiple Vulnerabilities Critical: Highly critical Where: From remote Impact: Security Bypass, Cross Site Scripting, DoS, System access Released: 2009-02-02 Some vulnerabilities have been reported in Novell GroupWise, which can be exploited by malicious people to conduct cross-site scripting, cross-site request forgery, and script insertion attacks, bypass certain security restrictions, or compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33744/ -- [SA33732] TECHNOTE "shop_this_skin_path" File Inclusion Vulnerability Critical: Highly critical Where: From remote Impact: System access Released: 2009-02-04 make0day has reported a vulnerability in TECHNOTE, which can be exploited by malicious people to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33732/ -- [SA33836] Drupal Views Bulk Operations Module Script Insertion Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-05 A vulnerability has been reported in the Views Bulk Operations module for Drupal, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33836/ -- [SA33813] Mahara Unspecified Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-05 A vulnerability has been reported in Mahara, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33813/ -- [SA33811] PHPbbBook "l" File Inclusion Vulnerability Critical: Moderately critical Where: From remote Impact: Exposure of system information, Exposure of sensitive information Released: 2009-02-04 Osirys has discovered a vulnerability in PHPbbBook, which can be exploited by malicious people to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33811/ -- [SA33807] TightVNC "ClientConnection" Signedness Vulnerabilities Critical: Moderately critical Where: From remote Impact: System access Released: 2009-02-04 Some vulnerabilities have been reported in TightVNC, which potentially can be exploited by malicious people to compromise a user's system. Full Advisory: http://secunia.com/advisories/33807/ -- [SA33804] ScriptsEz Ez PHP Comment "name" Script Insertion Vulnerability Critical: Moderately critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-04 Cru3l.b0y has reported a vulnerability in ScriptsEz Ez PHP Comment, which can be exploited by malicious people to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33804/ -- [SA33781] Bugzilla Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information Released: 2009-02-03 Some vulnerabilities and a security issue have been reported in Bugzilla, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to potentially disclose sensitive information or to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33781/ -- [SA33780] GR Blog Security Bypass Security Issue Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2009-02-05 JosS has discovered a security issue in GR Blog, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33780/ -- [SA33778] CMS from Scratch File Upload Vulnerability Critical: Moderately critical Where: From remote Impact: Security Bypass Released: 2009-02-03 StAkeR has discovered a vulnerability in CMS from Scratch, which can be exploited by malicious people to bypass certain security restrictions. Full Advisory: http://secunia.com/advisories/33778/ -- [SA33777] Whole Hog Software Multiple Products SQL Injection and Security Bypass Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data Released: 2009-02-03 Some vulnerabilities have been reported in multiple Whole Hog Software products, which can be exploited by malicious people to bypass certain security restrictions and conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33777/ -- [SA33775] Moodle Multiple Vulnerabilities Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Exposure of sensitive information, Privilege escalation, System access Released: 2009-02-04 Some vulnerabilities have been reported in Moodle, which can potentially be exploited by malicious, local users to perform certain actions with escalated privileges, by malicious users to conduct script insertion attacks or to compromise a vulnerable system, and by malicious people to conduct cross-site scripting attacks or to disclose sensitive information. Full Advisory: http://secunia.com/advisories/33775/ -- [SA33772] PerlSoft Gstebuch "loginname1" Code Execution Vulnerability Critical: Moderately critical Where: From remote Impact: System access Released: 2009-02-02 Perforin has reported a vulnerability in PerlSoft Gstebuch, which can be exploited by malicious users to compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33772/ -- [SA33767] Online Grades SQL Injection and Information Disclosure Critical: Moderately critical Where: From remote Impact: Security Bypass, Manipulation of data, Exposure of system information Released: 2009-02-03 Some vulnerabilities and a security issue have been discovered in Online Grades, which can be exploited by malicious people to conduct SQL injection attacks and disclose sensitive information. Full Advisory: http://secunia.com/advisories/33767/ -- [SA33757] Drupal ImageField Module File Upload and Script Insertion Critical: Moderately critical Where: From remote Impact: System access Released: 2009-02-02 Some vulnerabilities have been discovered in the ImageField module for Drupal, which can be exploited by malicious users to conduct script insertion attacks and compromise a vulnerable system. Full Advisory: http://secunia.com/advisories/33757/ -- [SA33741] ReVou Twitter Clone Script Insertion and SQL Injection Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2009-02-02 nuclear has reported some vulnerabilities in ReVou Twitter Clone, which can be exploited by malicious people to conduct SQL injection attacks and malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33741/ -- [SA33735] AJA "currentlang" and "module_name" Local File Inclusion Vulnerabilities Critical: Moderately critical Where: From remote Impact: Exposure of sensitive information Released: 2009-02-03 Some vulnerabilities have been discovered in AJA, which can be exploited by malicious people to disclose potentially sensitive information. Full Advisory: http://secunia.com/advisories/33735/ -- [SA33734] BPAutoSales SQL Injection and Cross-Site Scripting Critical: Moderately critical Where: From remote Impact: Cross Site Scripting, Manipulation of data Released: 2009-02-02 xoron has reported some vulnerabilities in BPAutoSales, which can be exploited by malicious people to conduct SQL injection and cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33734/ -- [SA33731] Squid HTTP Version Number Parsing Denial of Service Vulnerability Critical: Moderately critical Where: From remote Impact: DoS Released: 2009-02-04 A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service). Full Advisory: http://secunia.com/advisories/33731/ -- [SA33730] DreamPics Builder "exhibition_id" SQL Injection Vulnerability Critical: Moderately critical Where: From remote Impact: Manipulation of data Released: 2009-02-04 xoron has reported a vulnerability DreamPics Builder, which can be exploited by malicious people to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33730/ -- [SA33834] htmLawed Unspecified Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-05 A vulnerability has been reported in htmLawed, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33834/ -- [SA33806] BOINC "RSA_public_decrypt()" Spoofing Vulnerability Critical: Less critical Where: From remote Impact: Spoofing Released: 2009-02-05 A vulnerability has been reported in BOINC, which can potentially be exploited by malicious people to conduct spoofing attacks. Full Advisory: http://secunia.com/advisories/33806/ -- [SA33790] Simple Machines Forum "[url]" Script Insertion Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-04 Xianur0 has discovered a vulnerability in Simple Machines Forum, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33790/ -- [SA33789] Bugzilla Script Insertion and Cross-Site Request Forgery Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-03 Some vulnerabilities have been reported in Bugzilla, which can be exploited by malicious users to conduct script insertion attacks and malicious people to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33789/ -- [SA33782] Bugzilla Cross-Site Request Forgery Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-03 A vulnerability has been reported in Bugzilla, which can be exploited by malicious people to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33782/ -- [SA33764] E-Php B2B Trading Marketplace Script "errmsg" Cross-Site Scripting Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-02 SaiedHacker has reported two vulnerabilities in E-Php B2B Trading Marketplace Script, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33764/ -- [SA33763] SMA-DB "startpage.php" Cross-Site Scripting Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-03 A vulnerability has been discovered in SMA-DB, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33763/ -- [SA33762] Oracle Forms Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-02 Some vulnerabilities have been reported in Oracle Forms, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33762/ -- [SA33761] Oracle Application Server Cross-Site Scripting Vulnerabilities Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-02 Some vulnerabilities have been reported in Oracle Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks. Full Advisory: http://secunia.com/advisories/33761/ -- [SA33760] Fedora update for glpi Critical: Less critical Where: From remote Impact: Manipulation of data Released: 2009-01-30 Fedora has issued an update for glpi. This fixes some vulnerabilities, which can be exploited by malicious users to conduct SQL injection attacks. Full Advisory: http://secunia.com/advisories/33760/ -- [SA33747] FlatnuX CMS "Job" Script Insertion Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-02-03 A vulnerability has been discovered in FlatnuX CMS, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33747/ -- [SA33740] ManageEngine Firewall Analyzer Cross-Site Request Forgery Vulnerability Critical: Less critical Where: From remote Impact: Cross Site Scripting Released: 2009-01-30 A vulnerability has been discovered in ManageEngine Firewall Analyzer, which can be exploited by malicious people to conduct cross-site request forgery attacks. Full Advisory: http://secunia.com/advisories/33740/ -- [SA33805] ESET Remote Administrator Script Insertion Vulnerability Critical: Less critical Where: From local network Impact: Cross Site Scripting Released: 2009-02-05 A vulnerability has been reported in ESET Remote Administrator, which can be exploited by malicious users to conduct script insertion attacks. Full Advisory: http://secunia.com/advisories/33805/ ======================================================================== Secunia recommends that you verify all advisories you receive, by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Subscribe: http://secunia.com/advisories/weekly_summary/ Contact details: Web : http://secunia.com/ E-mail : support_at_private Tel : +45 70 20 51 44 Fax : +45 70 20 51 45 _______________________________________________ Best Selling Security Books & More! http://www.shopinfosecnews.org/Received on Fri Feb 06 2009 - 01:29:42 PST
This archive was generated by hypermail 2.2.0 : Fri Feb 06 2009 - 01:44:36 PST