Computer Security
[EN] securityvulns.ru no-pyccku


Apache Tomcat crossite scripting
Published:24.11.2010
Source:
SecurityVulns ID:11269
Type:remote
Threat Level:
5/10
Description:Crossite srcripting in Manager application.
Affected:APACHE : Tomcat 6.0
 APACHE : Tomcat 7.0
CVE:CVE-2010-4172 (Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.)
Original documentdocumentAPACHE, [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability (24.11.2010)

Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:24.11.2010
Source:
SecurityVulns ID:11266
Type:remote
Threat Level:
5/10
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.
Affected:VBULLETIN : vBulletin 4.0
 SIMPLISTIC : SimpLISTic 2.0
 MCGGUESTBOOK : MCG GuestBook 1.0
 HOTLINKSLITE : Hot Links Lite 1.0
 HOTLINKSSQL : Hot Links SQL 3.2
 AXSCRIPTS : AxsLinks 0.3
 CHCOUNTER : chCounter 3.1
 COMPACTCMS : CompactCMS 1.4
 VTIGER : vTiger CRM 5.2
 FREESIMPLESOFT : Free Simple Software 1.0
CVE:CVE-2010-4298 (SQL injection vulnerability in the download module in Free Simple Software 1.0 allows remote attackers to execute arbitrary SQL commands via the downloads_id parameter in a download_now action to index.php.)
Original documentdocumentMark Stanislav, 'Free Simple Software' SQL Injection Vulnerability (CVE-2010-4298) (24.11.2010)
 documentadvisories_(at)_intern0t.net, vBulletin 4.0.8 PL1 - XSS Filter Bypass within Profile Customization (24.11.2010)
 documentascii, Vtiger CRM 5.2.0 Multiple Vulnerabilities (24.11.2010)
 documentHigh-Tech Bridge Security Research, XSS in CompactCMS (24.11.2010)
 documentHigh-Tech Bridge Security Research, XSS in CompactCMS (24.11.2010)
 documentSoporte CERT, Multiple vulnerabilities in chCounter <= 3.1.3 (24.11.2010)
 documentAliaksandr Hartsuyeu, [eVuln.com] Cookie Auth Bypass in Hot Links SQL (24.11.2010)
 documentAliaksandr Hartsuyeu, [eVuln.com] URL and Title XSS in AxsLinks (24.11.2010)
 documentAliaksandr Hartsuyeu, [eVuln.com] report.cgi SQL inj in Hot Links SQL (CGI version) (24.11.2010)
 documentAliaksandr Hartsuyeu, [eVuln.com] url XSS in Hot Links Lite (24.11.2010)
 documentAliaksandr Hartsuyeu, [eVuln.com] sitename XSS in Hot Links Lite (24.11.2010)
 documentAliaksandr Hartsuyeu, [eVuln.com] Multiple XSS in MCG GuestBook (24.11.2010)
 documentAliaksandr Hartsuyeu, [eVuln.com] email XSS in SimpLISTic (24.11.2010)

Juniper VPN client unauthorized access
Published:24.11.2010
Source:
SecurityVulns ID:11267
Type:remote
Threat Level:
7/10
Description:It's possible to execute Internet Explorer with System rights before authentication via remote session.
Original documentdocumentniekt0, Juniper VPN client rdesktop clickhack (24.11.2010)

ZyXEL P-660R-T1 crossite scripting
Published:24.11.2010
Source:
SecurityVulns ID:11268
Type:remote
Threat Level:
5/10
Description:Crossite scripting via Web interface.
Affected:ZYXEL : ZyXEL P-660R-T1
Original documentdocumentusman, ZyXEL P-660R-T1 V2 XSS (24.11.2010)

PHP multiple security vulnerabilities
updated since 02.11.2010
Published:24.11.2010
Source:
SecurityVulns ID:11225
Type:library
Threat Level:
5/10
Description:DoS, base_dir protection bypass, crossite scripting.
Affected:PHP : PHP 5.2
 PHP : PHP 5.3
CVE:CVE-2010-4150 (Double free vulnerability in the imap_do_open function in the IMAP extension (ext/imap/php_imap.c) in PHP 5.2 before 5.2.15 and 5.3 before 5.3.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors.)
 CVE-2010-3870 (The utf8_decode function in PHP before 5.3.4 does not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which makes it easier for remote attackers to bypass cross-site scripting (XSS) and SQL injection protection mechanisms via a crafted string.)
 CVE-2010-3710 (Stack consumption vulnerability in the filter_var function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3, when FILTER_VALIDATE_EMAIL mode is used, allows remote attackers to cause a denial of service (memory consumption and application crash) via a long e-mail address string.)
 CVE-2010-3709 (The ZipArchive::getArchiveComment function in PHP 5.2.x through 5.2.14 and 5.3.x through 5.3.3 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted ZIP archive.)
 CVE-2010-3436 (fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.)
Original documentdocumentMANDRIVA, [ MDVSA-2010:239 ] php (24.11.2010)
 documentMANDRIVA, [ MDVSA-2010:224 ] php (10.11.2010)
 documentMANDRIVA, [ MDVSA-2010:218 ] php (02.11.2010)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod