zlib "gzprintf()" function vulnerable to buffer overflow
Overview A buffer overflow exists in one of the functions included with the zlib compression library. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial of service. An exploit for this vulnerability is publicly available. Description The zlib website...
MIT Kerberos V5 ASN.1 decoder fails to perform bounds checking on data element length fields
Overview The MIT Kerberos V5 implementation contains an ASN.1 decoding flaw that may allow remote attackers to crash affected Kerberos applications. Description Kerberos V5 protocol messages are defined using Abstract Syntax Notation One (ASN.1), a formal language that allows protocol specification...
MIT Kerberos V5 KDC logging routines use unsafe format strings
Overview Early releases of the MIT Kerberos V5 KDC contain format string vulnerabilities that can be used by unauthenticated remote attackers to conduct denial of service attacks on KDC servers. Description Logging routines in some unspecified versions of the MIT Kerberos V5 Key Distribution Cent...
Microsoft Internet Explorer contains cross-site scripting vulnerabilities in local HTML resources
Overview Microsoft Internet Explorer (IE) includes several local HTML resources that contain cross-site scripting vulnerabilities. These resources use the dialogArguments property of dialog frames insecurely, allowing an attacker to execute arbitrary script in the Local Machine Zone. Description...
Microsoft SQLXML ISAPI filter vulnerable to buffer overflow via contenttype parameter
Overview A buffer overflow vulnerability exists in the Microsoft SQLXML Internet Services Application Programming Interface (ISAPI) extension for Internet Information Server (IIS). This vulnerability could allow a remote attacker to cause a denial of service or execute arbitrary code with LocalSystem...
Microsoft Internet Information Server (IIS) contains remote buffer overflow in chunked encoding data transfer mechanism for HTR
Overview A buffer overflow vulnerability in IIS 4.0 and 5.0 could allow an intruder to execute arbitrary code on an IIS server with the privileges of the HTR ISAPI extension. Description Chunked encoding is a means to transfer variable-sized units of data called chunks from a web client to a web...
Sun Solaris cachefsd vulnerable to stack overflow in fscache_setup() function
Overview Sun's NFS/RPC cachefs daemon cachefsd is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. An exploitable stack overflow exists in...
HP-UX kernel specifies incorrect arguments for setrlimit()
Overview A problem exists in some versions of the HP-UX kernel allowing an intruder to cause kernel panics. Description Certain versions of the HP-UX setrlimit() system call contain a vulnerability that permits an intruder to cause kernel panics or compromise the system. Quoting from HP Security Bullet...
OpenSSH contains a one-off overflow of an array in the channel handling code
Overview OpenSSH is a program used to provide secure connections and communications between clients and servers. Channels are used to segregate differing traffic between the client and the server. Description OpenSSH versions 2.0 - 3.0.2 contain a one-off overflow of an array in the code that handl...
Oracle9i Application Server Apache PL/SQL module does not properly handle HTTP Authorization header
Overview A vulnerability exists in the way the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS) handles HTTP Authorization headers. This vulnerability could allow an unauthenticated remote attacker to crash the Apache service. Description...
Oracle9i Application Server Apache PL/SQL module does not properly decode URL
Overview A vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS) in which the module does not properly decode double URL encoded strings. This vulnerability could allow an intruder to read files outside the web...
IBM AIX digest buffer overflow in filename argument to command
Overview There is a buffer overflow in the digest command that may allow a local attacker to gain root privileges. Description The digest command is intended to be run by the qdaemon to generate a binary version of the queue configuration daemon information stored in /etc/qconfig. The digest...
Debian glibc 2 symlink issue could allow arbitrary file overwriting
Overview Some versions of ld.so, the loader for shared libraries in UNIX/LINUX, do not properly clear risky environment variables, allowing a symlink attack to overwrite arbitrary files. Description LD_DEBUG_OUTPUT specifies a directory in which ld.so creates a file with a predictable name based on...
Various shells create temporary files insecurely when using << operator
Overview sh uses /tmp files of a predictable name in creating files for input redirection using the << operator. Description When performing the "<<" redirection, /bin/sh creates a temporary file in /tmp with a name based on the process id, writes subsequent input out to that file, and then closes the...
tcpdump vulnerable to buffer overflow via parsing of AFS ACL packets
Overview Tcpdump version 3.5 contains a buffer overflow vulnerability permitting unauthorized remote root access. Description Tcpdump version 3.5 added support for handling AFS packets. Unfortunately the code responsible for printing AFS access control lists contains an unchecked buffer that can ...
phf CGI Script fails to guard against newline characters
Overview This document describes a vulnerability in a CGI script known as phf which was widely exploited in 1996 and 1997. Description The phf CGI script constructs a partial command line consisting of the ph command and appropriate arguments, and completes the command line based on the input fro...
Netscape Java Security Manager fails to prevent URLConnections through netscape.net.URLConnection Class
Overview Netscape Communicator and Navigator ship with Java classes that allow an unsigned Java applet to access local and remote resources in violation of the security policies for applets. Description Failures in the netscape.net package permit a Java applet to read files from the local file...
telnet and rlogin URLs disclose sensitive information, including Environment variables
Overview Some telnet clients may disclose sensitive information in environment variables. Description Web browsers can be configured to respond to certain protocol types through the use of a helper application. In this case, web browsers can respond to telnet: URLs with the use of a helper...
Various GPT services are vulnerable to two systemic jailbreaks, allows for bypass of safety guardrails
Overview Two systemic jailbreaks, affecting a number of generative AI services, were discovered. These jailbreaks can result in the bypass of safety protocols and allow an attacker to instruct the corresponding LLM to provide illicit or dangerous content. The first jailbreak, called “Inception,” ...
CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions
Overview A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution has been discovered. CPU hardware that utilizes speculative execution and is vulnerable to Spectre v1 is likely affected. An unauthenticated attacker can exploit this...
EpubCheck 4.0.1 contains an XML external entity processing vulnerability
Overview EpubCheck 4.0.1 is vulnerable to external XML entity processing attacks. Description EpubCheck is a tool to validate that EPUB files follow the proper format. It can be used as a stand-alone command line utility, or included in a project, most commonly an EPUB reader, as a...
IPSwitch WhatsUp Gold does not validate commands when deserializing XML objects
Overview IPSwitch WhatsUp Gold version 16.3 does not properly validate data when deserializing XML objects sent over SOAP requests. Description CWE-502: Deserialization of Untrusted Data - CVE-2015-8261 WhatsUp Gold version 16.3 contains a SOAP request handler named DroneDeleteOldMeasurements...
EPSON Network Utility installs EpsonBidirectionalService with insecure permissions
Overview EPSON Network Utility contains a local privilege escalation vulnerability, which allows a local attacker to execute arbitrary code with SYSTEM privileges. Description CWE-276: Incorrect Default Permissions - CVE-2015-6034 EPSON Network Utility v4.10 is an application that checks the print...
HP ArcSight Logger contains multiple vulnerabilities
Overview HP ArcSight Logger contains multiple vulnerabilities, allowing authentication bypass and privilege escalation in certain scenarios. Description CWE-285: Improper Authorization - CVE-2015-2136 A remote authenticated user without Logger Search permissions may be able to bypass authorization...
Retrospect Backup Client uses weak password hashing
Overview Retrospect Backup Client is a client to a network-based backup utility. This client stores passwords in a hashed format that is weak and susceptible to collision, allowing an attacker to generate a password hash collision and gain access to the target's backup files. Description CWE-916:...
SerVision HVG Video Gateway web interface contains multiple vulnerabilities
Overview SerVision HVG Video Gateway web interface contains multiple vulnerabilities affecting multiple firmware versions. Description CWE-288: Authentication Bypass Using an Alternate Path or Channel, and CWE-284: Improper Access Control - CVE-2015-0929 By visiting time.htm, a user is issued a...
Tianocore UEFI implementation reclaim function vulnerable to buffer overflow
Overview The reclaim function in the Tianocore open source implementation of UEFI contains a buffer overflow vulnerability. Description The open source Tianocore project provides a reference implementation of the Unified Extensible Firmware Interface (UEFI). Some commercial UEFI implementations...
Symantec Endpoint Protection Client contains a kernel pool overflow vulnerability
Overview Symantec Endpoint Protection Client 11.x and 12.x contains a kernel pool overflow vulnerability. Description CWE-788: Access of Memory Location After End of Buffer An attacker logged into a Windows XP, Vista, 7, or 8 system as an unprivileged user is able to cause a kernel pool overflow ...
Caldera 9.20 contains multiple vulnerabilities
Overview Caldera 9.20, and possibly earlier versions, contains multiple vulnerabilities. Description CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2014-2933 Caldera 9.20 and possibly earlier versions contains a path traversal vulnerability due to the...
libpng 1.6.1 through 1.6.7 contain a null-pointer dereference vulnerability
Overview libpng versions 1.6.1 through 1.6.7 fail to reject colormapped images with empty palettes, leading to a null-pointer dereference crash in png_do_expand_palette. Description The PNG Development Group has reported that "libpng versions 1.6.1 through 1.6.7 fail to reject colormapped images wit...
CA ARCserve Backup authentication service denial-of-service vulnerability
Overview The CA ARCserve Backup authentication service, caauthd.exe, is susceptible to a denial-of-service vulnerability. CA ARCserve Backup r16 SP1 was reported to be vulnerable. Description The Offensive Security advisory states: By specifying an invalid field size for the encrypted username or...
Symantec Web Gateway contains multiple vulnerabilities
Overview The Symantec Web Gateway management console is vulnerable to remote command execution, local file inclusion, arbitrary password changes, and SQL injection. Description The Symantec SYM12-011 advisory states: "Symantec's Web Gateway management console is susceptible to multiple security...
HP ArcSight Connector Appliance XSS vulnerability
Overview ArcSight Connector Appliance v6.0.0.60023.2, and possibly previous versions, contains a module which is vulnerable to cross-site scripting (XSS). Description Windows Event Log SmartConnector, a component of ArcSight Connector Appliance v6.0.0.60023.2, does not sanitize all input fields. As ...
Samsung Data Management Server vulnerable to SQL injection
Overview The Samsung Integrated Management System (DMS) is used to manage several air conditioning units. The DMS contains a built-in web server that is susceptible to SQL injection attacks. Description The DMS application's authentication form can be bypassed with SQL injection attacks. Versions...
Invensys Wonderware InBatch and Foxboro I/A Series Batch database lock manager service (lm_tcp) buffer overflow vulnerability
Overview The lm_tcp service in Invensys Wonderware InBatch and Foxboro I/A Series Batch contains a buffer overflow vulnerability when copying string data into a buffer in a fixed structure. Description From the Invensys Wonderware website: "InBatch is powerful software that can be used in the most...
Snare Agent web interface cross-site request forgery vulnerabilities
Overview The Snare Agent web interface is susceptible to cross-site request forgery attacks. Description The web interface allows the administrator to manage several agent settings, including changing the listening port and password. These HTTP requests do not perform proper validity checks and a...
IntelliCom NetBiter devices have default HICP passwords
Overview IntelliCom NetBiter devices ship with default passwords for the HICP network configuration service. An attacker with network access could change network settings and prevent legitimate users from accessing the HICP service. Description IntelliCom NetBiter products use the proprietary HIC...
Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method
Overview The Doc.media.newPlayer method in Adobe Acrobat and Reader contains a use-after-free vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Adobe Reader and the Adobe Acrobat family of software are designed to creat...
Clientless SSL VPN products break web browser domain-based security models
Overview Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms. An attacker could use these devices to bypass authentication or conduct other web-based attacks. Description Web browsers enforce the same origin policy to prevent one...
Microsoft Office PowerPoint code execution vulnerability
Overview Microsoft PowerPoint contains a vulnerability. If exploited, this vulnerability could allow an attacker to execute code. Description Microsoft PowerPoint is a component of Microsoft Office. Per Microsoft Security Advisory 969136: The vulnerability is caused when Microsoft Office PowerPoi...
HP Online Support Services ActiveX GetFileTime() buffer overflow
Overview HP Online Support Services contains the function GetFileTime, which can be exploited to cause a buffer overflow. This may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description HP Services provides online product support services including ...
inet_network() off-by-one buffer overflow
Overview The inet_network() resolver function contains an off-by-one buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description The inet_network() function takes a character string representation for an internet address and returns...
Apple Safari code execution vulnerability
Overview The Apple Safari web browser contains a vulnerability that may allow an attacker to execute arbitrary code. Description Per Apple Security Update 2007-009: A memory corruption issue exists in Safari's handling of feed: URLs. By enticing a user to access a maliciously crafted URL, an...
Microsoft GDI Windows Metafile AttemptWrite integer overflow
Overview Microsoft Windows GDI contains an integer overflow in the handling of Windows metafiles, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Microsoft Windows GDI (Graphics Device Interface) enables applications to use graphics a...
Microsoft Windows Active Directory fails to properly validate client sent LDAP requests
Overview Microsoft Windows Active Directory fails to properly validate client-sent LDAP requests and may result in a denial of service condition. Description Microsoft Windows Active Directory contains a vulnerability in the way that the LDAP service validates the number of convertible attributes...
Apple Mac OS X mDNSResponder buffer overflow vulnerability
Overview Apple Mac OS X mDNSResponder contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code. Description mDNS uses IP multicast with DNS to provide the functionality of a DNS server for service discovery in networks that do not have a DNS server...
IncrediMail IMMenuShellExt ActiveX control stack buffer overflow vulnerability
Overview The IncrediMail IMMenuShellExt ActiveX control contains a stack buffer overflow, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description IncrediMail is an email application that includes animations and 1000's of emoticons...
Linux Kernel vulnerable to DoS via the ipv6_getsockopt_sticky() function
Overview The Linux Kernel contains a vulnerability that may allow a remote attacker to create a denial-of-service condition. Description Internet Protocol version 6 (IPv6) is an IP standard that is designed to replace Internet Protocol version 4 (IPv4). The Linux kernel provides IPv6 support, and...
Apple QuickTime 3GP integer overflow
Overview A vulnerability in the way Apple QuickTime processes 3GP files may allow execution of arbitrary code. Description A vulnerability exists in the way Apple QuickTime handles specially crafted 3GP files. According to Apple QuickTime 7.1.5 security document 305149: An integer overflow exists i...
Microsoft HTML Help ActiveX control fails to properly validate input
Overview The Microsoft HTML Help ActiveX control fails to properly validate input, which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description The HTML Help Control (HHCtrl Object) is a Windows ActiveX control that provides the ability to view...