Computer Security
[EN] securityvulns.ru no-pyccku


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
updated since 11.05.2010
Published:13.05.2010
Source:
SecurityVulns ID:10817
Type:remote
Threat Level:
5/10
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.
Affected:CACTI : cacti 0.8
 CLANTIGER : ClanTiger 1.1
 FAMILICMS : Family Connections 2.2
 ADVANCEDPOLL : Advanced Poll 2.08
 ORANGEHRM : OrangeHRM 2.5
 CMSMADESIMPLE : CMS Made Simple 1.7
 JAWS : jaws 0.8
 ECSHOP : ECShop 2.7
 SOURCEFABRIC : Campsite 3.3
 CLANSPHERE : ClanSphere 2009.0
 DELUXEBB : DeluxeBB 1.3
 EFRONTLEARNING : Efront 3.6
 S9Y : Serendipity 1.5
 XINHA : Xinha 0.96
 REZERVI : REZERVI 3.0
CVE:CVE-2010-1482 (Cross-site scripting (XSS) vulnerability in admin/editprefs.php in the backend in CMS Made Simple (CMSMS) before 1.7.1 might allow remote attackers to inject arbitrary web script or HTML via the date_format_string parameter.)
 CVE-2010-1481 (Cross-site scripting (XSS) vulnerability in the table feature in PmWiki 2.2.15 allows remote authenticated users to inject arbitrary web script or HTML via the width attribute.)
 CVE-2010-1431 (SQL injection vulnerability in templates_export.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via the export_item_id parameter.)
Original documentdocumentMustLive, Vulnerability in tagcloud for Kasseler CMS (13.05.2010)
 documentVUPEN Security Research, VUPEN Security Research - Adobe Shockwave 3D Blocks Field Code Execution Vulnerability (CVE-2010-1283) (13.05.2010)
 documentVUPEN Security Research, VUPEN Security Research - Adobe Shockwave DIRAPI Multiple Code Execution Vulnerabilities (CVE-2010-1280) (13.05.2010)
 documentVUPEN Security Research, VUPEN Security Research - Adobe Shockwave 3D Two Remote Code Execution Vulnerabilities (CVE-2010-1284) (13.05.2010)
 documentVUPEN Security Research, VUPEN Security Research - Adobe Shockwave IML32 Multiple Code Execution Vulnerabilities (CVE-2010-0129) (13.05.2010)
 documentSECUNIA, Secunia Research: Adobe Shockwave Player Font Processing Buffer Overflow (13.05.2010)
 documentSECUNIA, Secunia Research: Adobe Shockwave Player Asset Entry Parsing Vulnerability (13.05.2010)
 documentSECUNIA, Secunia Research: Adobe Shockwave Player Integer Overflow Vulnerability (13.05.2010)
 documenteidelweiss, 29o3 CMS (LibDir) Multiple Remote File Inclusion Vulnerability (11.05.2010)
 documentHigh-Tech Bridge Security Research, XSS in Saurus CMS (11.05.2010)
 documentHigh-Tech Bridge Security Research, XSS in DynamiXgate Affiliate Store Builder (11.05.2010)
 documentMustLive, Vulnerability in widget Cumulus for BlogEngine.NET (11.05.2010)
 documentMANDRIVA, [ MDVSA-2010:092 ] cacti (11.05.2010)
 documenteidelweiss, REZERVI (root) Remote Command Execution Vulnerability (11.05.2010)
 documentPHP-SECURITY, MOPS-2010-002: Campsite TinyMCE Article Attachment SQL Injection Vulnerability (11.05.2010)
 documentPHP-SECURITY, MOPS-2010-004: ClanSphere Captcha Generator Blind SQL Injection Vulnerability (11.05.2010)
 documentPHP-SECURITY, MOPS-2010-005: ClanSphere MySQL Driver Generic SQL Injection Vulnerability (11.05.2010)
 documentPHP-SECURITY, ClanTiger Shoutbox Module s_email SQL Injection vulnerability (11.05.2010)
 documentPHP-SECURITY, MOPS-2010-011: DeluxeBB newthread SQL Injection Vulnerability (11.05.2010)
 documentPHP-SECURITY, MOPS-2010-018: EFront ask_chat chatrooms_ID SQL Injection Vulnerability (11.05.2010)
 documentPHP-SECURITY, MOPS-2010-019: Serendipity WYSIWYG Editor Plugin Configuration Injection Vulnerability (11.05.2010)
 documentPHP-SECURITY, MOPS-2010-020: Xinha WYSIWYG Plugin Configuration Injection Vulnerability (11.05.2010)
 documentStefan Esser, Month of PHP Security - Summary - 1st May - 10th May (11.05.2010)
 documentvulns_(at)_wintercore.com, [Wintercore Research] Consona Products - Multiple vulnerabilities (11.05.2010)
 documentlis cker, Injection of ECShop apps. (11.05.2010)
 documentHigh-Tech Bridge Security Research, XSS vulnerability in Jaws (11.05.2010)
 documentHanno Bock, pmwiki: persistent cross site scripting (XSS), CVE-2010-1481 (11.05.2010)
 documentHanno Bock, CMS Made Simple: backend cross site scripting (XSS), CVE-2010-1482 (11.05.2010)
 documentZakar Miklуs, SA00001-2010 (11.05.2010)
 documentHigh-Tech Bridge Security Research, XSS vulnerability in EasyPublish CMS (11.05.2010)
 documentHigh-Tech Bridge Security Research, XSS vulnerability in Advanced Poll (11.05.2010)
 documentHigh-Tech Bridge Security Research, XSS vulnerability in EasyPublish CMS (11.05.2010)
 documentBUGTRAQ, XSS vulnerability in Advanced Poll (11.05.2010)
 documentSalvatore "drosophila" Fresta, Family Connections 2.2.3 Multiple Remote Vulnerabilities (11.05.2010)
 documentmd.r00t.defacer_(at)_gmail.com, Turnkey Innovations SQL Injection Vulnerability (11.05.2010)

HP Performance Center Agent / HP Load Runner Agent code execution
Published:13.05.2010
Source:
SecurityVulns ID:10830
Type:remote
Threat Level:
5/10
Description:Code execution via TCP/54345 service.
CVE:CVE-2010-1549 (Unspecified vulnerability in the Agent in HP LoadRunner before 9.50 and HP Performance Center before 9.50 allows remote attackers to execute arbitrary code via unknown vectors.)
Original documentdocumentHP, [security bulletin] HPSBMA02201 SSRT071328 rev.1 - HP LoadRunner Agent on Windows, Remote Unauthenticated Arbitrary Code Execution (13.05.2010)
 documentZDI, ZDI-10-080: HP Mercury LoadRunner Agent Trusted Input Remote Code Execution Vulnerability (13.05.2010)
 documentHP, [security bulletin] HPSBMA02528 SSRT100106 rev.1 - HP Performance Center Agent on Windows, Remote Unauthenticated Arbitrary Code Execution (13.05.2010)

IrfanView buffer overflow
Published:13.05.2010
Source:
SecurityVulns ID:10832
Type:client
Threat Level:
5/10
Description:Buffer overflow and integer overflow on PSD parsing.
Affected:IRFANVIEW : IrfanView 4.25
CVE:CVE-2010-1510 (Heap-based buffer overflow in IrfanView before 4.27 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PSD image with RLE compression.)
 CVE-2010-1509 (IrfanView before 4.27 does not properly handle an unspecified integer variable during processing of PSD images, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow, related to a "sign-extension error.")
Original documentdocumentSECUNIA, Secunia Research: IrfanView PSD RLE Decompression Buffer Overflow (13.05.2010)
 documentSECUNIA, Secunia Research: IrfanView PSD Image Parsing Sign-Extension Vulnerability (13.05.2010)

Cisco PGW Softswitch multiple security vulnerabilities
Published:13.05.2010
Source:
SecurityVulns ID:10833
Type:remote
Threat Level:
5/10
Description:Multiple DoS conditions.
Affected:CISCO : Cisco PGW 2200
CVE:CVE-2010-1567 (The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.8(1)S5 allows remote attackers to cause a denial of service (device crash) via a malformed header, aka Bug ID CSCsz13590.)
 CVE-2010-1565 (Unspecified vulnerability in the SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S9 and 9.7(3)P before 9.7(3)P9 allows remote attackers to cause a denial of service (TCP socket exhaustion) via unknown vectors, aka Bug ID CSCsk13561.)
 CVE-2010-1563 (The SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S9 and 9.7(3)P before 9.7(3)P9 allows remote attackers to cause a denial of service (device crash) via a malformed header, aka Bug ID CSCsk04588.)
 CVE-2010-1562 (The SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S9 and 9.7(3)P before 9.7(3)P9 allows remote attackers to cause a denial of service (device crash) via a malformed Contact header, aka Bug ID CSCsj98521.)
 CVE-2010-1561 (The SIP implementation on the Cisco PGW 2200 Softswitch with software 9.7(3)S before 9.7(3)S11 and 9.7(3)P before 9.7(3)P11 allows remote attackers to cause a denial of service (device crash) via a long message, aka Bug ID CSCsk44115.)
 CVE-2010-0604 (Unspecified vulnerability in the SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S10 allows remote attackers to cause a denial of service (device crash) via unknown SIP traffic, as demonstrated by "SIP testing," aka Bug ID CSCsk38165.)
 CVE-2010-0603 (The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S10 allows remote attackers to cause a denial of service (device crash) via a malformed session attribute, aka Bug ID CSCsk40030.)
 CVE-2010-0602 (The SIP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S11 allows remote attackers to cause a denial of service (device crash) via a malformed packet, aka Bug ID CSCsk32606.)
 CVE-2010-0601 (The MGCP implementation on the Cisco PGW 2200 Softswitch with software before 9.7(3)S11 allows remote attackers to cause a denial of service (device crash) via a malformed packet, aka Bug ID CSCsl39126.)
Original documentdocumentCISCO, Cisco Security Advisory: Multiple vulnerabilities in Cisco PGW Softswitch (13.05.2010)

Linux iSCSI DoS
Published:13.05.2010
Source:
SecurityVulns ID:10834
Type:remote
Threat Level:
5/10
Description:ietd daemon DoS via iSNS request.
Affected:ISCSITARGET : iscsitarget 0.4
CVE:CVE-2010-0743 (Multiple format string vulnerabilities in isns.c in (1) Linux SCSI target framework (aka tgt or scsi-target-utils) 1.0.3, 0.9.5, and earlier and (2) iSCSI Enterprise Target (aka iscsitarget) 0.4.16 allow remote attackers to cause a denial of service (tgtd daemon crash) or possibly have unspecified other impact via vectors that involve the isns_attr_query and qry_rsp_handle functions, and are related to (a) client appearance and (b) client disappearance messages.)
Original documentdocumentDEBIAN, [SECURITY] [DSA 2042-1] New iscsitarget packages fix arbitrary code execution (13.05.2010)

BaoFeng Storm media player buffer overflow
Published:13.05.2010
Source:
SecurityVulns ID:10835
Type:local
Threat Level:
5/10
Description:Buffer overflow on .m3u playlists parsing.
Affected:BAOFENG : Storm2012 3.10
Original documentdocumentlilf, BaoFeng Storm M3U File Processing Buffer Overflow Vulnerability (13.05.2010)

VMware View crossite scripting
Published:13.05.2010
Source:
SecurityVulns ID:10836
Type:remote
Threat Level:
5/10
Affected:VMWARE : VMware View 3.1
CVE:CVE-2010-1143 (Cross-site scripting (XSS) vulnerability in VMware View (formerly Virtual Desktop Manager or VDM) 3.1.x before 3.1.3 build 252693 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Original documentdocumentVMWARE, VMSA-2010-0008 VMware View 3.1.3 addresses an important cross-site scripting vulnerability (13.05.2010)

HP Insight Control Server Migration crossite scripting
Published:13.05.2010
Source:
SecurityVulns ID:10837
Type:remote
Threat Level:
5/10
Affected:HP : Insight Control server migration 6.0
CVE:CVE-2010-1557 (Multiple cross-site scripting (XSS) vulnerabilities in HP Insight Control Server Migration before 6.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
Original documentdocumentHP, [security bulletin] HPSBMA02522 SSRT100086 rev.1 - HP Insight Control Server Migration for Windows, Remote Cross Site Scripting (XSS) (13.05.2010)

HP Systems Insight Manager crossite scripting
Published:13.05.2010
Source:
SecurityVulns ID:10838
Type:remote
Threat Level:
5/10
Affected:HP : Systems Insight Manager 5.3
 HP : Systems Insight Manager 6.0
CVE:CVE-2010-1556 (Unspecified vulnerability in HP Systems Insight Manager (SIM) 5.3, 5.3 Update 1, and 6.0 allows remote attackers to obtain sensitive information and modify data via unknown vectors.)
Original documentdocumentHP, [security bulletin] HPSBMA02520 SSRT100071 rev.1 - HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Unauthorized Access to Data (13.05.2010)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod