Eye of Gnome contains format string vulnerability in the file name handling of command line arguments
Overview Eye of Gnome contains a format string vulnerability that may allow remote attackers to execute arbitrary code with the privileges of the user running the application, typically an unprivileged system user. Description Eye of Gnome (EOG) is an image viewing application that is part of the...
HP Tru64 UNIX "su" command vulnerable to buffer overflow
Overview The Hewlett Packard Tru64 "su" command contains a locally exploitable buffer overflow. An exploit for this vulnerability is known to exist and may be circulating. Description The Hewlett Packard Tru64 operating system contains a command, known as "su," that allows users to assume the...
Automatic File Content Type Recognition Tool contains memory allocation problem
Overview A memory allocation problem exists in the "Automatic File Content Type Recognition Tool" versions of the file(1) package prior to 3.41. Description According to an OpenPKG advisory, a memory allocation problem exists in the "Automatic File Content Type Recognition Tool" (AFCTR) tool versions...
Buffer overflow in Microsoft Windows Shell
Overview A remotely exploitable buffer overflow exists in the Microsoft Windows Shell. This buffer overflow is present in all versions of Windows XP, but it is not present in other versions of Windows. Description There is a buffer overflow in the Microsoft Windows Shell. The Shell provides the...
Multiple IPsec implementations do not adequately validate authentication data
Overview IPsec implementations from multiple vendors do not adequately validate the authentication data in IPsec packets, exposing vulnerable systems to a denial of service. Description For background: RFC 2401 (Security Architecture for the Internet Protocol), RFC 2402 (IP Authentication Header), RFC...
Microsoft Java implementation JDBC functions do not properly validate parameters
Overview The Java Database Connectivity (JDBC) classes of Microsoft's Java virtual machine (VM) contain functions that do not properly validate parameters. A malicious Java applet can exploit this vulnerability to crash programs on the client system. Description Microsoft's Java VM is installed on...
SetupCtl 1.0 Type Library contains a buffer overflow
Overview SetupCtl 1.0 Type Library is a safe-for-scripting ActiveX control that contains a remotely exploitable buffer overflow. This control ships with Microsoft Internet Explorer 4.01 and 5. Description SetupCtl 1.0 Type Library is a safe-for-scripting ActiveX control that contains a remotely...
Talentsoft Web+ contains buffer overflow in "webpsvc.exe"
Overview Talentsoft's Web+ development platform contains a buffer overflow in a component that also installs by default into all web sites produced by Web+. Description Talentsoft Web+ is a set of tools for accelerated web site development. A component of Web+ named "webpsvc.exe" contains a buffe...
Microsoft SQL Server contains SQL injection vulnerability in replication stored procedures
Overview Microsoft SQL Server contains multiple SQL injection vulnerabilities that allow database users to leverage administrative privileges on a single database to execute SQL queries or operating system commands with greater privileges. Description Microsoft SQL Server provides a scripting...
Network Associates PGP Outlook Plug-in contains buffer overflow in decoding mechanism
Overview A remotely exploitable buffer overflow exists in the Network Associates PGP Outlook Plug-in. Description As reported in eEye Digital Security Advisory AD20020710, a remotely exploitable buffer overflow exists in the PGP Outlook Plug-in. By sending a specially crafted message to a victim,...
Chunked encoding post can consume excessive memory on IIS 4.0 webserver
Overview Microsoft IIS 4.0, circa March 2000, contained a vulnerability that allowed an intruder to consume unlimited memory on a vulnerable server. Description Older versions of IIS 4.0, circa March 2000, contained a vulnerability in the chunked-encoding transfer mechanism that permitted an...
Microsoft Exchange 2000 exhausts server resources while attempting to process malformed mail attributes
Overview Microsoft Exchange 2000 contains a vulnerability that allows remote attackers to conduct a denial-of-service attack that, once begun, cannot be stopped until the crafted message has been completely processed. Description Microsoft Exchange 2000 contains a vulnerability in its handling of...
Apache HTTP Server on Win32 systems does not securely handle input passed to CGI programs
Overview A vulnerability in the Apache HTTP Server running on Win32 systems (Windows 9x/Me, Windows NT/2000/XP) could allow an attacker to execute commands with the privileges of the web server process. Description The Apache HTTP Server is a freely available web server that runs on a variety of...
Lotus Notes does not adequately secure databases thereby permitting arbitrary user to extract file attachments via NSFDbReadObject function call
Overview Lotus Domino Servers 5.x, 4.6x, and 4.5x allow users to associate objects with documents in a database. While these objects appear to be a part of the document, they are actually stored as separate files. A vulnerability exists by which an intruder could view these objects regardless of t...
Oracle 9iAS contains cross-site scripting vulnerability in "htp.print"
Overview Oracle 9i Application Servers are vulnerable to a cross-site scripting vulnerability. The server may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from untrustworthy sources. This can be a...
Oracle 9iAS XSQL Servlet ignores file permissions allowing arbitrary users to view sensitive configuration files
Overview It is possible to read the sensitive configuration files from an Oracle 9i Application Server without any authorization. This can lead to an intruder gaining access to sensitive information about the server and potentially compromising it. Description Default installation of the Oracle 9...
Microsoft Internet Explorer download dialog may not display complete filenames
Overview There is a vulnerability in the download dialog box in Internet Explorer versions 5.5 and 6.0. The vulnerability allows an attacker to mislead users, causing them to inadvertently execute arbitrary code on the user's system. Description When downloading files included in web pages, users...
HP-UX vulnerable to buffer overflow in line printer daemon (rlpdaemon) via crafted print request
Overview The line printer daemon (rlpdaemon) on HP-UX systems enables various clients to share printers over a network. There exists a buffer overflow vulnerability in this daemon that permits remote execution of arbitrary commands with elevated privileges. Description A buffer overflow exists in...
Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2) module permits telnet access when no password has been set
Overview The Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2) module permits unauthenticated telnet access when no password has been set. Description The Access Concentrator Node Route Processor is a router blade for the Cisco 6400. Its purpose is to aggregate and terminate incoming...
FreeBSD can be compromised locally via signal handlers
Overview The FreeBSD operating system does not adequately clear signal handlers subsequent to a process calling exec on a setuid program. This vulnerability can allow a local attacker to execute arbitrary code as root. Description The UNIX fork function's purpose is to create a new process from a...
BSD Line Printer Daemon vulnerable to buffer overflow via crafted print request
Overview The line printer daemon enables various clients to share printers over a network. There exists a buffer overflow vulnerability in this daemon that permits remote execution of arbitrary commands with elevated privileges. Description There is a buffer overflow in several implementations of...
Lotus Domino vulnerable to DoS via crafted HTTP header requests
Overview The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service. Description HTTP requests with uniquely crafted headers using "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language" or "Content-Type" are not freed properly. This means that...
SGI IRIX Embedded Support Partner (ESP) service rpc.espd contains buffer overflow
Overview There is a remotely accessible buffer overflow in SGI IRIX systems running rpc.espd that may allow remote attackers to execute arbitrary code. The Embedded Support Partner daemon (rpc.espd) is enabled by default on all IRIX versions since 6.5.5. Description The Embedded Support Partner...
Sun Solaris sadmind buffer overflow in amsl_verify when requesting NETMGT_PROC_SERVICE
Overview The sadmind program can be used to perform distributed system administration operations remotely using RPC. A stack buffer overflow in sadmind may be exploited by a remote attacker to execute arbitrary instructions and gain root access. Description The sadmind program is installed by...
Seagate Crystal Reports exposes cleartext username/password pairs when embedded in URL or HTTP request
Overview The Seagate Crystal Reports product exposes passwords to back-end databases in certain configurations. In particular, the username and password are transmitted in plaintext from the client browser to the server as part of the URL when using technologies other than Active Server Pages (ASP)...
BSD-derived ftpd replydirname() in ftpd.c contains one-byte overflow
Overview There is an off-by-one vulnerability in several BSD-derived ftpd servers. Description The ftp server in several BSD distributions contains a defect which allows one byte of the program memory allocated within a stack frame to be overwritten with a NUL byte ('\0'). The byte in question is...
KTH Kerberos environment variables krb4proxy and KRBCONFDIR may be used insecurely
Overview The environment variables krb4proxy and KRBCONFDIR may be respected by client programs such as login or su, in such a way that local or remote intruders can cause the client program to accept authentication requests from a malicious KDC. The vulnerabilities may be exploited remotely by...
SGI IRIX df buffer overflow in directory argument
Overview Description The df program is used to display statistics about the amount of used and free disc space on a set of mounted file systems. Alternately, it can be used to check on the amount of space available on unmounted block devices which may be specified by some path. Due to insufficien...
LPRng can pass user-supplied input as a format string parameter to syslog() calls
Overview A popular replacement software package for the BSD lpd printing service, called LPRng, contains at least one software defect known as a "format string vulnerability" which may allow remote users to execute arbitrary code on vulnerable systems. The privileges of such code will probably be...
ISC BIND 8.2.2-P6 vulnerable to DoS via compressed zone transfer, aka the "zxfr bug"
Overview There is a denial-of-service vulnerability in several versions of the Internet Software Consortium's (ISC) BIND software. This vulnerability is referred to by the ISC as the "zxfr bug." It affects ISC BIND version 8.2.2, patch levels 1 through 6. Description Using this vulnerability,...
Format string vulnerability in libutil pw_error(3) function
Overview There is an input validation vulnerability in the OpenBSD libutil system library that allows local users to gain superuser access via the chpass utility. Description On June 30, 2000, the OpenBSD development team repaired an input validation vulnerability in the pw_error function of the...
Wang/Kodak Image Admin ActiveX Control
Overview Description The Image Admin control is incorrectly marked safe for scripting. This control is sometimes identified as from "Kodak" and other times as from "Wang". The Image Admin control is one of several controls used to provide image editing services through a web site. Because the...
Insecure Platform Key (PK) used in UEFI system firmware signature
Overview A vulnerability in the use of hard-coded Platform Keys (PK) within the UEFI framework, known as PKfail, has been discovered. This flaw allows attackers to bypass critical UEFI security mechanisms like Secure Boot, compromising the trust between the platform owner and firmware and enabling...
Adobe ColdFusion is vulnerable to privilege escalation due to weak ACLs
Overview Adobe ColdFusion fails to properly set ACLs, which can allow an unprivileged Windows user to be able to run arbitrary code with SYSTEM privileges. Description The Adobe ColdFusion installer fails to set a secure access-control list (ACL) on the default installation directory, such as...
Periscope BuySpeed is vulnerable to stored cross-site scripting
Overview Periscope BuySpeed version 14.5 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript. Description Periscope BuySpeed is a "tool to automate the full procure-to-pay process efficiently and intelligently". BuySpeed...
Aternity version 9 vulnerable to cross-site scripting and remote code execution
Overview The Aternity webserver, version 9 and prior, is reportedly vulnerable to cross-site scripting (XSS) on several web pages, and remote code execution via inclusion of untrusted functionality by default due to improper authentication before execution. Description CWE-80: Improper Neutralizati...
Dentsply Sirona CDR DICOM contains multiple hard-coded credentials
Overview The Dentsply Sirona (previously known as Schick Technologies) CDR DICOM is software for managing medical dental records. CDR DICOM contains several hard-coded credentials allowing administrative or root access. Description CWE-798: Use of Hard-coded Credentials - CVE-2016-6530 Dentsply...
MEDHOST Perioperative Information Management System contains hard-coded database credentials
Overview MEDHOST Perioperative Information Management System (PIMS) versions prior to 2015R1 contain hard-coded credentials that are used for customer database access. Description CWE-798: Use of Hard-coded Credentials - CVE-2016-4328 MEDHOST PIMS, previously branded as VPIMS, contains hard-coded...
Allround Automations PL/SQL Developer v11 performs updates over HTTP
Overview Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code. Description CWE-345: Insufficient Verification of Data Authenticity - CVE-2016-2346 According to the...
Dovestones Software AD Self Password Reset fails to properly restrict password reset request to authorized users
Overview Dovestones Software AD Self Password Reset, version 3.0.3.0 and earlier, fails to properly validate users, which enables an unauthenticated attacker to reset passwords for arbitrary accounts. Description CWE-284: Improper Access Control - CVE-2015-8267 Dovestones Software AD Self Password...
Up.time agent for Windows contains multiple vulnerabilities
Overview The Up.time client for Windows is vulnerable to a format string attack as well as a buffer overflow, and may allow unauthenticated users to perform certain commands. Description CWE-134: Uncontrolled Format String - CVE-2015-2894 For version 6.0 and 7.2, an unauthenticated attacker on th...
Cookies set via HTTP requests may be used to bypass HTTPS and reveal private information
Overview RFC 6265 (previously RFC 2965) established HTTP State Management, also known as "cookies". In most web browser implementations of RFC 6265, cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information. Description HTTP cookies have long...
Dedicated Micros DVR products use plaintext protocols and require no password by default
Overview Dedicated Micros DVR products, including the DV-IP Express, SD Advanced, SD, EcoSense, and DS2, by default use plaintext protocols and require no password. Description CWE-311: Missing Encryption of Sensitive Data. Dedicated Micros DVR products by default use HTTP, telnet, and FTP rather...
Honeywell Tuxedo Touch Controller contains multiple vulnerabilities
Overview All versions of Honeywell Tuxedo Touch Controller are vulnerable to authentication bypass and cross-site request forgery (CSRF). Description CWE-603: Use of Client-Side Authentication - CVE-2015-2847 The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client...
Barracuda Web Filter insecurely performs SSL inspection
Overview Barracuda Web Filter prior to version 8.1.0.005 does not properly check upstream certificate validity when performing SSL inspection, and delivers one of three default root CA certificates across multiple machines for SSL inspection. Description According to Barracuda Networks, the...
Blue Coat Malware Analysis appliance contains a cross-site scripting (XSS) vulnerability and information disclosure
Overview The Blue Coat Malware Analysis appliance is vulnerable to cross-site scripting (XSS) and information disclosure. Description The Blue Coat Malware Analysis appliance is a sandboxed appliance that scans for threats in files and downloads on the network. A cross-site scripting vulnerability...
QPR Portal contains multiple vulnerabilities
Overview QPR Portal versions 2014.1.1 and older contain reflected and stored cross-site scripting vulnerabilities, and versions 2012.2.0 and older contain an insecure direct object reference vulnerability. Description CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site...
Multiple Android applications fail to properly validate SSL certificates
Overview Multiple Android applications fail to properly validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack. Description When communicating via HTTPS, an application should validate the SSL chain to be sure that the...
Cobham Sailor satellite terminals contain hardcoded credentials
Overview Cobham Sailor 900 and 6000 series satellite terminals contain hardcoded credentials. Description CWE-798: Use of Hard-coded Credentials. IOActive reports that Cobham Sailor 900 and 6000 series satellite communication terminals running firmware version 1.08 MFHF / 2.11 VHF contain hardcod...
Iridium Pilot and OpenPort contain multiple vulnerabilities
Overview Broadband satellite terminals using Iridium Pilot and OpenPort have been found to contain undocumented hardcoded login credentials (CWE-798). Additionally, these broadband satellite terminals utilize an insecure proprietary communications protocol that allows unauthenticated users to perfo...