3704 matches found
Microsoft Excel malformed parsing format file memory corruption vulnerability
Overview Microsoft Excel contains a memory corruption vulnerability. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. Description Microsoft Excel fails to properly validate parsing format files. When a file with a malformed parsing format files is...
Oracle Database Data Pump Metadata API SQL injection vulnerability
Overview Oracle Database Data Pump Metadata API is vulnerable to SQL injection, which could allow a remote attacker to execute arbitrary SQL commands on a vulnerable Oracle installation. Description The Oracle Database Data Pump Metadata API fails to properly filter user-supplied input. This may...
Oracle Reports arbitrary file reading vulnerability
Overview Oracle Reports fails to validate URI parameters, possibly allowing a remote attacker to read arbitrary files on the Reports Server. Description Oracle Reports is an enterprise reporting tool that extracts data from multiple sources and inserts it into a formatted report. It is a componen...
VMware NAT Service vulnerable to buffer overflow via FTP PORT/EPRT commands
Overview The VMware NAT Service used in multiple VMware products contains a buffer overflow in the way it handles FTP PORT and EPRT commands. An attacker could execute arbitrary code with the privileges of the NAT service or cause a denial of service. Description VMware virtualization software...
Apple Mac OS X Safari vulnerable to arbitrary command execution via URLs in PDF files
Overview Apple Mac OS X WebKit and Safari security controls may be bypassed, possibly allowing remote command execution. Description Mac OS X includes the Safari web browser, which can display Portable Document Format PDF files directly. This functionality is part of the WebKit system framework...
GNOME gedit contains format string vulnerability
Overview gedit has a format string vulnerability in some error dialogs that can occur when a file is opened for editing. Description gedit is the official text editor of the GNOME desktop environment. gedit 2.10.2 has a format string error in some some error dialogs that can occur when a file is...
Mozilla Firefox insecurely handles content from external applications
Overview Mozilla Firefox does not properly enforce domain restrictions on content sent by external applications, allowing a remote attacker to execute code on a vulnerable system. Description Mozilla Firefox can accept links from external applications, such as Flash and Quicktime. When such an...
Apple Terminal fails to properly sanitize input for "x-man-page" URI
Overview Apple Terminal on Mac OS X fails to sanitize x-man-page URIs, allowing an attacker to execute arbitrary commands. Description Mac OS X 10.3 includes a URI handler called x-man-page. It causes Apple Terminal to display a man page by using a URI of this form: x-man-page://command...
Mozilla may execute JavaScript with elevated privileges when defined in site icon tag
Overview Mozilla may execute JavaScript contained within a site icon tag with elevated privileges. This may allow an attacker to execute arbitrary commands on a vulnerable system. Description XPCOMXPCOM is a cross-platform component object model similar to Microsoft COM or CORBA. XPCOM provides t...
Microsoft Client Server Runtime System Vulnerability
Overview The Microsoft Client Server Runtime System CSRSS incorrectly validates certain messages potentially resulting in privilege elevation. Description CSRSS is the user-mode part of the Win32 subsystem. Win32.sys is the kernel-mode portion of the Win32 subsystem. The Win32 subsystem must be...
Microsoft font processing buffer overflow vulnerability
Overview A privilege elevation vulnerability exists in the way that Microsoft Windows processes certain fonts. This vulnerability could allow a logged on user to take complete control of the system. Description Due to an unchecked buffer in the processing of malicious fonts, a locally authenticat...
phpBB vulnerable to file disclosure
Overview The phpBB input validation methods may fail to sanitize user input resulting in a disclosure of arbitrary file data. Description phpBB is a customizable open source bulletin board package. It contains functionality that allows users to specify graphic files for use as "avatars." These...
OpenPGP vulnerable to chosen-ciphertext attacks in cipher feedback (CFB) mode
Overview A vulnerability in OpenPGP may allow attackers to recover partial plaintexts from OpenPGP messages that use symmetric encryption. Description A vulnerability in OpenPGP can be used by attackers to recover partial plaintexts from messages employing symmetric encryption. Researchers Serge...
Microsoft ASP.NET fails to perform proper canonicalization
Overview Microsoft ASP.NET contains a canonicalization vulnerability that may allow a remote unauthenticated attacker to gain access to secure contents. Description Microsoft ASP.NET is a programming framework for creating web applications. The canonicalization routine used by ASP.NET fails to...
Microsoft Internet Explorer contains a Channel Definition Format (CDF) cross-domain vulnerability
Overview Microsoft Internet Explorer contains a vulnerability that may allow unintended information disclosure or remote code execution due to a flaw in handling Channel Definition Format CDF files. Description From the Microsoft Channel Definition Format description:Channel Definition Format CDF...
Opera may insecurely execute binary data encoded in a URI
Overview The Opera web browser fails to validate data encoded using the RFC 2397 scheme. A remote attacker may be able to execute arbitrary code on a vulnerable system. Description The Opera web browser fails to properly handle binary data encoded following the RFC 2397 specification for sending...
Microsoft Windows kernel vulnerable to denial-of-service condition via animated cursor (.ani) rate number
Overview A vulnerability exists in the way the Microsoft Windows kernel processes animated cursor .ani files with a rate number set to zero. Exploitation of this vulnerability may allow a remote attacker to cause a denial-of-service condition. Description A vulnerability exists in the way the...
Microsoft Internet Explorer HTML Help control bypasses Local Machine Zone Lockdown
Overview The Microsoft Internet Explorer HTML Help ActiveX control is not restricted by the Local Machine Zone Lockdown feature. This can allow an attacker to execute script in the Local Machine Zone. Description Windows XP SP2 introduces a feature called Local Machine Zone Lockdown. This feature...
Mozilla status elements can be disabled via JavaScript
Overview Mozilla allows websites to disable various browser status elements. This allows websites to create spoofed dialogs using XUL. Description Certain Mozilla web browser status elements, such as the address bar, status bar, and navigation controls, can be disabled remotely by web sites using...
GdkPixbuf XPM parser contains a stack overflow vulnerability
Overview A stack overflow vulnerability exists in the XPM handling of GdkPixbuf. This vulnerability can lead to a denial-of-service condition or execution of arbitrary code. Description GdkPixbuf is a library used by GTK+ 2 for loading and rendering images. GTK+ is a multi-platform toolkit for...
Ethereal fails to properly handle malformed iSNS packets
Overview Ethereal contains a vulnerability in the way it processes Internet Storage Name Service iSNS packets. Description The Internet Storage Name Service iSNS protocol is used to automate the discovery, management, and configuration of iSCSI and Fibre Channel devices in an IP network. Ethereal...
isakmpd fails to handle ISAKMP packets with "Payload Length" of zero
Overview A vulnerability exists in the isakmpd that could allow a remote attacker to cause a denial of service. Description The OpenBSD isakmpd establishes security associations for encrypted and authenticated IPsec network traffic. It implements the Internet Security Association and Key Manageme...
Mozilla fails to validate the DN of X.509 certificates
Overview Mozilla fails to verify that the Distinguished Name DN of an X.509 certificate is unique when importing it. A denial of service occurs when Mozilla imports a specially crafted, self-signed certificate that has the same DN as an existing Certificate Authority CA root certificate...
Microsoft Internet Explorer contains an integer overflow in the processing of bitmap files
Overview A vulnerability in Microsoft Internet Explorer could allow a remote attacker to execute arbitrary code on a vulnerable system. Description Microsoft Internet Explorer IE is a web browser. An integer overflow vulnerability has been discovered in the way that Internet Explorer processes...
Apple Mac OS X help system may interpret inappropriate local script files
Overview A vulnerability has been reported in the default URI protocol handler in Apple's Mac OS X help system. Exploitation of this vulnerability may permit a remote attacker to execute arbitrary scripts on the local system. Description A vulnerability has been reported in Apple's Mac OS X...
Ethereal ISUP protocol dissector fails to properly decode ISUP packets
Overview Ethereal fails to properly decode ISDN User Part ISUP packets containing an overly long Interworking Function Address IWFA value. Description Ethereal is a network traffic analysis package. It includes the ability to decode packets containing ISUP data. There is a vulnerability in the wa...
Oracle Application Server Web Cache contains heap overflow vulnerability
Overview Oracle Application Server Web Cache contains a heap overflow vulnerability in the handling of client requests that could result in arbitrary code execution. Description The Oracle Web Cache acts as a reverse proxy, caching static and dynamic content generated from Oracle Application web...
Apple Mac OS X "cd9660.util" buffer overflow
Overview A component utility in Apple's Mac OS X operating system suffers from a buffer overflow vulnerability in its handling of command-line arguments. This vulnerability could allow a local attacker to gain elevated privileges on the vulnerable system. Description Apple's Mac OS X operating...
Red Hat Enterprise Linux kernel-2.4.21 does not perform adequate checking of eflags when in 32-bit ptrace emulation mode
Overview Red Hat Enterprise Linux kernel prior to version 2.4.21 does not perform adequate checking of eflags when in 32-bit ptrace emulation mode. This could allow a local user to gain elevated or root privileges. Description The Linux kernel handles the basic functionality of the operating...
Microsoft Authenticode mechanism installs ActiveX controls without prompting user
Overview A vulnerability in Microsoft's Authenticode could allow a remote attacker to install an untrusted ActiveX control on the victim's system. Description According to Microsoft Security Bulletin MS03-041:ActiveX is a technology that allows programmers to develop self-contained software modul...
Sun Solstice AdminSuite ships with insecure default configuration
Overview The sadmind service provided on many Solaris and SunOS systems ships with an insecure default configuration that allows remote users to execute arbitrary commands with superuser root privileges. Description The Sun Microsystems Solstice AdminSuite is a graphical tool that allows Solaris...
Linux NFS utils package "rpc.mountd" contains off-by-one buffer overflow in xlog() function
Overview A vulnerability in the Linux NFS network File System could permit an attacker to cause a denial of service, or potentially execute arbitrary code on the system. Description The Linux NFS network File System was developed to allow machines to mount a disk partition on a remote machine as ...
gtop daemon contains buffer overflow
Overview A buffer overflow exists in the gtop daemon. Description A buffer overflow in gtopd, specifically permitted, may allow a remote attacker to execute arbitrary code. For more detailed information, please see Flavio Veloso's analysis.gtop background information Many Unix systems allow only...
Postfix vulnerable to DoS by supplying a remote SMTP listener with a malformed envelope address
Overview A denial-of-service vulnerability exists in all versions of Postfix prior to 2.0. This vulnerability may allow a remote attacker to cause mail service interruption. Description Postfix is a very popular mail transfer agent MTA. Michal Zalewski has discovered a denial-of-service...
Microsoft Windows RPC service vulnerable to denial of service
Overview A vulnerability exists in Microsoft's Remote Procedure Call RPC implementation. A remote attacker could exploit this vulnerability to cause a denial of service. An exploit for this vulnerability is publicly available. Description Microsoft has released MS03-039 to address a vulnerability...
Microsoft SQL Server contains flaw in checking method for the named pipe
Overview A vulnerability in Microsoft SQL Server may allow an attacker to hijack a named pipe. An attacker may be able to leverage this vulnerability to gain elevated privileges. Description Microsoft describes a named pipe as, "a specifically named one-way or two-way channel for communication...
SSH Secure Shell for Servers fails to remove child process from master process group
Overview A locally exploitable privilege escalation vulnerability exists in SSH Secure Shell versions 2.0.13 - 3.2.1. Description Secure Shell for Servers, developed by SSH Communications Security, does not properly remove the child process from the master process group after non-interactive...
The default NTFS permissions are not applied to a converted boot partition on Microsoft Windows 2000 and Windows XP systems when CONVERT.EXE is used
Overview Several commercial desktops and laptops from OEM distributors ship with insecure permissions set on files and directories. It has been confirmed that this is due to the use of Microsoft's CONVERT.EXE utility. Description Microsoft's CONVERT.EXE program is used to convert FAT32 file syste...
EFTP does not adequately validate user input thereby allowing directory traversal
Overview Encrypted File Transfer Program EFTP does not properly validate CWD commands, allowing authenticated users to read arbitrary directories and files. Description Encrypted File Transfer Program EFTP is an implementation of the FTP protocol using 448-bit Blowfish encryption. EFTP allows...
Microsoft Windows Server Message Block (SMB) fails to properly handle SMB_COM_TRANSACTION packets requesting NetServerEnum2 transaction
Overview Microsoft Server Message Block SMB may crash when it receives a crafted SMBCOMTRANSACTION packet requesting a NetServerEnum2 transaction. Attackers can use this vulnerability to cause a denial of service. Description SMB is a protocol for sharing data and resources between computers. It ...
Novell Netware RCONAG6 fails to validate user password when "Secure IP" is used to establish connection
Overview Novell Netware RCONAG6 allows users to gain access to the server without a password. Description Novell Netware RCONAG6 allows users to remotely administer a Novell host. A vulnerability in RCONAG6 makes it possible for a remote user to connect to the server without supplying a password...
Microsoft Windows SQL Server allows arbitrary queries to be executed via "xp_execresultset" extended procedure
Overview MS SQL Server contains an extended stored procedure with inappropriate permission settings. Description Microsoft SQL Server 7.0 and Microsoft SQL Server 2000 contain an extended stored procedure, xpexecresultset , that permits an unprivileged user of a database to gain administrative...
Cisco CallManager contains memory leak
Overview The Cisco Call Manager contains a vulnerability that could permit an intruder to crash the Call Manager. Description The Cisco Call Manageris software to manage telephone calls in a mixed data and voice environment. Specifically the Cisco Call Manager "extends enterprise telephony featur...
Microsoft SQL Server contains buffer overflow in code used to process "BULK INSERT" queries
Overview The Microsoft SQL Server contains a buffer overflow vulnerability that may allow remote attackers to execute arbitrary code with system privileges. Description The Microsoft SQL Server contains a buffer overflow vulnerability in the code used to process "Bulk Insert" queries. Bulk Insert...
Yahoo! Messenger contains buffer overflow in "message" field
Overview Yahoo! Messenger is an instant messaging client. There is a remotely exploitable buffer overflow vulnerability in the "message" field of Yahoo! Messenger. Description A remotely exploitable buffer overflow exists in the "message" field that may permit a remote attacker to execute arbitra...
Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters
Overview Sun's NFS/RPC cachefs daemon cachefsd is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 SPARC and Intel architectures. Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow exists i...
Cisco IOS discloses fragments of previous packets when Express Forwarding is enabled
Overview A vulnerability exists in multiple versions of Cisco's Internetworking Operating System IOS software that allows an attacker to collect fragments of previously processed packets. Description Many networking devices running Cisco IOS with Cisco Express Forwarding CEF enabled contain a...
Microsoft Windows 2000 Telnet Service uses named pipes with predictable names
Overview The Microsoft Windows 2000 Telnet Service contains a vulnerability that allows unprivileged local users to execute arbitrary code with elevated privileges. Description The Microsoft Windows 2000 Telnet Service creates a named pipe to share information between the processes that handle ea...
Cisco IOS vulnerable to DoS via crafted PPTP packet sent to port 1723/tcp
Overview Cisco IOS contains a vulnerability that allows an intruder to crash the router. Description By sending a specially crafted PPTP packet to port 1723, an intruder can crash a device running a vulnerable version of IOS. Quoting from the Cisco Advisory: By sending a crafted PPTP packet to a...
RIT Research Labs The Bat! does not properly parse <CR> characters not followed by a <LF> character
Overview Due to a problem parsing carriage return/line feeds in RFC822 format mail messages, The Bat! mail client may permaturely detect the end of a mail message, causing an error to occur. This error may prevent the mail user from retrieving other mail messages until the message with the error ...