Microsoft RichEdit vulnerable to remote code execution via malformed embedded OLE object
Overview Microsoft's RichEdit contains a vulnerability that may allow an attacker to execute code. Description From Murray Sargent's MSDN blog: RichEdit 6.0 is a facility for getting plain/rich-text, single/multiline Unicode/ANSI edit controls and combo/list boxes in single world-wide binary that...
gzip contains a .bss buffer overflow in its LZH handling
Overview The gzip program contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code or create a denial-of-service condition. Description The gzip program is used to compress and decompress archived files. Some implementations of gzip include support for the LZH...
Microsoft Internet Explorer fails to properly interpret layout positioning
Overview Microsoft Internet Explorer fails to properly handle certain combinations of layout positioning. This can allow a remote attacker to execute arbitrary code on a vulnerable system. Description Microsoft Internet Explorer contains a vulnerability in the handling of certain combinations of...
Microsoft Server Service may disclose information used to store SMB traffic
Overview A vulnerability in the Microsoft Server service may allow an attacker to view fragments of memory used to store SMB traffic. Description Microsoft Server Service The Microsoft Server service supports file, print, and named-pipe sharing over the network. Server Message Block Server Messag...
Linux Kernel may fail to properly handle SNMP packets
Overview A memory freeing vulnerability in the Linux kernel module ip_nat_snmp_basic can be exploited to create a denial-of-service condition. Description ip_nat_snmp_basic The ip_nat_snmp_basic IP NAT module is intended for use with SNMP network discovery and monitoring applications where target networks...
Mozilla products vulnerable to memory corruption via large regular expression in JavaScript
Overview A vulnerability in the way the JavaScript engine of Mozilla products and derivative programs handles a large regular expression could allow a remote attacker to crash the application or execute arbitrary code on a vulnerable system. Description A regular expression is a special text stri...
RDS.Dataspace ActiveX control bypasses ActiveX security model
Overview The Microsoft RDS.Dataspace ActiveX control bypasses the ActiveX security model, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description ActiveX ActiveX is a technology that allows programmers to create reusable software components...
Sun Java Reflection API security bypass vulnerabilities
Overview Multiple vulnerabilities in the Sun Java Reflection API may allow an untrusted Java applet to bypass security restrictions and execute arbitrary code. Description The Sun Java Reflection API allows Java classes to determine information about other Java classes, such as public methods...
Oracle Database XML Database SQL Injection vulnerability
Overview Oracle Database XML Database XML DB is vulnerable to SQL injection, possibly allowing a remote attacker to execute arbitrary SQL commands on a vulnerable Oracle installation. Description According to Oracle: Oracle XML DB is a feature of the Oracle Database. It provides a high-performance...
VERITAS NetBackup Java Administration Console contains a format string vulnerability in "bpjava-msvc"
Overview The VERITAS NetBackup Java Administration Console contains a format string vulnerability, which may allow an unauthenticated, remote attacker to execute arbitrary code with root or SYSTEM privileges. Description The Java Administration Console is an alternative administrative interface f...
MIT Kerberos 5 ASN.1 decoding function krb5_rd_cred() insecurely deallocates memory (double-free)
Overview The krb5_rd_cred function in the MIT Kerberos 5 library does not securely deallocate heap memory when decoding ASN.1 structures, resulting in a double-free vulnerability. A remote, authenticated attacker could execute arbitrary code or cause a denial of service on any system running an...
MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not properly terminate loop
Overview The asn1buf_skiptail function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a Kerberos Distribution Center KDC, application server, or Kerberos client. Description As described on the MIT...
Microsoft contains a buffer overflow in the Local Troubleshooter ActiveX control (Tshoot.ocx)
Overview Microsoft Windows ships with a troubleshooting application to assist users with problems. A vulnerability in this application may permit a remote attacker to execute arbitrary code with the privileges of the current user. Description Microsoft Windows 2000 ships with an ActiveX control...
Microsoft Windows kernel contains stack overflow
Overview A stack overflow vulnerability exists in the Microsoft Windows kernel. Description The kernel is the core or "heart" of any operating system and is responsible for a variety of things, such as managing memory and allocating hardware resources. Entercept's Ricochet Team has discovered a...
MIT Kerberos vulnerable to ticket splicing when using Kerberos4 triple DES service tickets
Overview Several cryptographic vulnerabilities exist in the basic Kerberos version 4 protocol that could allow an attacker to impersonate any user in a Kerberos realm and gain any privilege authorized through that Kerberos realm. Description The MIT Kerberos Development team has discovered a...
Cached malformed SIG record buffer overflow
Overview A vulnerability in BIND allows remote attackers to execute code with the privileges of the process running named. This vulnerability is resolved in BIND versions 4.9.11, 8.2.7, 8.3.4, and BIND 9. Description A remotely exploitable buffer overflow exists in named. An attacker using...
Integer overflow in xdr_array() function when deserializing the XDR stream
Overview There is an integer overflow present in the xdr_array function distributed as part of the Sun Microsystems XDR library. This overflow has been shown to lead to remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library...
Microsoft SQL Server service account registry key has weak permissions that permit privilege escalation
Overview The Microsoft SQL Server contains a vulnerability that allows remote attackers to execute arbitrary commands with system privileges. Description The Microsoft SQL Server typically runs under a dedicated "service account" that is defined by system administrators at installation time. This...
Microsoft SQL Server contains buffer overflow in pwdencrypt() function
Overview The Microsoft SQL Server contains a buffer overflow vulnerability that may allow remote attackers to execute arbitrary code with system privileges. Description The Microsoft SQL Server provides multiple methods for users to authenticate to SQL databases. When SQL Server Authentication is...
Apache Web Server ap_log_rerror() function discloses full path to CGI script
Overview There is a vulnerability in Apache 2.0 through 2.035 that could disclose the real path to a CGI script or other file. Description A vulnerability in the Apache web server could disclose sensitive information. Quoting from the Apache Change Log: Security Added the APLOG_TOCLIENT flag to...
Apache web servers fail to handle chunks with a negative size
Overview There is a remotely exploitable vulnerability in the way that Apache web servers or other web servers based on their source code handle data encoded in chunks. This vulnerability is present by default in configurations of Apache web server versions 1.2.2 and above, 1.3 through 1.3.24, an...
Cisco IOS vulnerable to denial of service via Cisco Discovery Protocol
Overview The Cisco IOS contains a denial-of-service vulnerability that allows nearby remote attackers to crash or temporarily disable affected network devices. Description The Cisco Internetwork Operating System IOS contains a vulnerability in its processing of Cisco Discovery Protocol CDP packet...
Microsoft IIS vulnerable to DoS via invalid request for very long WebDAV requests
Overview Intruders can disrupt the normal operation of an IIS 5.0 server using a malicious Web Distributed Authoring and Versioning WebDAV request. Description WebDAV is an extension to HTTP used to manage content on web servers. Quoting from RFC 2518: WebDAV is an extension to the HTTP/1.1...
Microsoft FrontPage Server Remote Application Deployment (RAD) component vulnerable to buffer overflow via malformed packet sent to server component
Overview Microsoft FrontPage Server Remote Application Deployment RAD component contains an unchecked buffer which can allow an intruder to execute arbitrary code with the privileges of IUSR_machinename or system. Description A buffer overflow in the Microsoft FrontPage Server Remote Application...
Cisco IOS vulnerable to DoS via unrecognized transitive attribute in BGP UPDATE
Overview There is a denial-of-service vulnerability in several specific but common configurations of Cisco IOS. Description There is a problem involving BGP updates on Cisco routers with BGP4 Prefix Filtering and Inbound Route Maps enabled. A route update with an unrecognized transitive attribute...
Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models
Overview Lambda Layers in third party TensorFlow-based Keras models allow attackers to inject arbitrary code into versions built prior to Keras 2.13 that may then unsafely run with the same permissions as the running application. For example, an attacker could use this feature to trojanize a...
Portrait Displays SDK applications are vulnerable to arbitrary code execution and privilege escalation
Overview Applications developed using the Portrait Display SDK, versions 2.30 through 2.34, default to insecure configurations which allow arbitrary code execution. Description CWE-276: Incorrect Default Permissions - CVE-2017-3210 A number of applications developed using the Portrait Displays SDK...
Sungard eTRAKiT3 may be vulnerable to SQL injection
Overview According to the reporter, the Sungard eTRAKiT3 software version 3.2.1.17 may be vulnerable to SQL injection which may allow a remote unauthenticated attacker to run a subset of SQL commands against the back-end database. Description CWE-89: Improper Neutralization of Special Elements us...
iTrack Easy contains multiple vulnerabilities
Overview iTrack Easy contains multiple vulnerabilities including sensitive information exposure and missing authentication. Description CWE-200: Information Exposure - CVE-2016-6542 The iTrack device tracking ID number is the device's BLE MAC address. It can be obtained by being in range of the...
Intellian Satellite TV t-Series and v-Series firmware contains insecure default credentials
Overview Intellian Satellite TV antennas t-Series and v-Series, firmware version 1.07, uses default credentials. Description CWE-255: Credentials Management - CVE-2016-6551 Intellian Satellite TV antennas t-Series and v-Series, firmware version 1.07, uses non-random default credentials of: ftp/ftp ...
Flexera Software FlexNet Publisher lmgrd contains a buffer overflow vulnerability
Overview Flexera Software FlexNet Publisher, including all versions prior to 11.13.1.2, lmgrd and custom vendor daemon servers contain a buffer overflow vulnerability that may be leveraged to gain code execution. Description Flexera Software FlexNet Publisher is a software license manager that...
Adtrustmedia PrivDog fails to validate SSL certificates
Overview Adtrustmedia PrivDog fails to validate SSL certificates, making systems broadly vulnerable to HTTPS spoofing. Description Adtrustmedia PrivDog is a Windows application that advertises "... safer, faster and more private web browsing." PrivDog installs a Man-in-the-Middle MITM proxy as we...
IBM WebSphere Application Server contains multiple vulnerabilities
Overview IBM WebSphere Application Server, including the Hypervisor Edition, contains cross-site scripting and cross-site request forgery vulnerabilities. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' - CVE-2014-4770 IBM WebSphere Applicatio...
Cobham SATCOM products' web interface contains a weak password recovery vulnerability
Overview Some Cobham products have a web interface that contains a weak password recovery mechanism for the administrator account. Description CWE-640: Weak Password Recovery Mechanism for Forgotten Password IOActive has reported that Cobham SAILOR 900 VSAT, SAILOR FleetBroadBand 150/250/500,...
AVG Safeguard and Secure Search ActiveX controls provides insecure methods
Overview The AVG Secure Search toolbar, also known as AVG Safeguard includes an ActiveX control that provides a number of unsafe methods, which may allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user. Description AVG Secure Search is a toolbar add-on...
SpamTitan contains a reflected cross-site scripting (XSS) vulnerability
Overview SpamTitan contains a reflected cross-site scripting XSS vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' SpamTitan contains a reflected cross-site scripting vulnerability in the auth-settings-x.php page of the management...
IBM Notes and Domino on x86 Linux specify an executable stack
Overview IBM Notes and Domino on x86 Linux are incorrectly built requesting an executable stack. This can make it easier for attackers to exploit vulnerabilities in Notes, Domino, and any of the child processes that they may spawn. Description The build environment for the x86 Linux versions of I...
DELL SonicWALL GMS/Analyzer/UMA contains a cross-site scripting (XSS) vulnerability
Overview DELL SonicWALL GMS/Analyzer/UMA version 7.1, and possibly earlier versions, contains a cross-site scripting XSS vulnerability. CWE-79 Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' DELL SonicWALL GMS/Analyzer/UMA version 7.1 contain...
Real Media Player filename handler stack buffer overflow vulnerability
Overview Real Media Player fails to parse filenames correctly, which may allow a remote, unauthenticated attacker to execute arbitrary code in the context of the logged in user. Description CWE-121: Stack-based Buffer Overflow - CVE-2013-4973 Real Media Player versions prior to version 16.0.3.51 a...
Dell OpenManage Server Administrator version 7.1.0.1 DOM-based XSS vulnerability
Overview Dell OpenManage Server Administrator version 7.1.0.1 and earlier contains a DOM-based cross-site scripting vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' Dell OpenManage Server Administrator version 7.1.01 and earlier...
Erlang/OTP SSH library uses a weak random number generator
Overview The Erlang/OTP SSH library's random number generator is not cryptographically strong because it relies on predictable seed material. Description Geoff Cant's report states: The Erlang/OTP ssh library implements a number of cryptographic operations that depend on cryptographically strong...
Internet Explorer VBScript Windows Help arbitrary code execution
Overview Microsoft Internet Explorer is vulnerable to arbitrary code execution through the use of VBScript and Windows Help. Description Microsoft Internet Explorer supports the use of VBScript, in addition to the more widely-used JavaScript scripting language. Several VBScript commands allow a...
Wireshark Endace ERF unsigned integer wrap vulnerability
Overview Wireshark contains an unsigned integer wrap vulnerability that may occur when parsing Endace Extensible Record Format ERF files. Description Wireshark is a protocol analyzer that can open or import previously saved files. When processing an Endace ERF file an unsigned integer wrap...
Oracle JInitiator ActiveX control stack buffer overflows
Overview The Oracle JInitiator ActiveX control contains multiple stack buffer overflows, which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Oracle JInitiator allows users to run Oracle Developer Server applications within a web...
Microsoft XML Core Services XMLDOM substringData() buffer overflow
Overview Microsoft XML Core Services contains an unspecified memory corruption vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Microsoft XML Core Services MSXML allow developers who use JScript, Visual Basic Scripting...
ISC BIND generates cryptographically weak DNS query IDs
Overview ISC Internet Systems Consortium BIND generates cryptographically weak DNS query IDs which could allow a remote attacker to poison DNS caches. Description From the ISC BIND security page: The DNS query id generation is vulnerable to cryptographic analysis which provides a 1 in 8 chance of...
Apache Tomcat SendMailServlet example vulnerable to cross-site scripting via FROM field
Overview The example SendMailServlet page that comes with Apache Tomcat is vulnerable to cross-site scripting via the "From" field. Description Apache Tomcat is an implementation of the Java Servlet and JavaServer Page JSP technologies. Apache Tomcat includes a sample page called SendMailServlet,...
MIT Kerberos kadmind RPC library gssrpc__svcauth_gssapi() uninitialized pointer free vulnerability
Overview The MIT Kerberos administration daemon kadmind can free an uninitialized pointer, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service. Description The gssrpc__svcauth_gssapi function used by the Kerberos administration daemon can free an...
Microsoft Office drawing object vulnerability
Overview Microsoft Office fails to properly handle malformed drawing objects. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code. Description Microsoft Office fails to properly handle malformed drawing objects embedded within Office documents. By convincing ...
WordPress fails to properly sanitize input passed to the ix parameter in wp-includes/feed.php
Overview WordPress fails to properly sanitize input to the ix parameter in wp-includes/feed.php, which could allow a remote, unauthenticated attacker to execute arbitrary PHP code. Description WordPress is a blogging application that is written in PHP. WordPress 2.1.1 fails to properly sanitize...