3695 matches found

CERT
added 2004/07/27 12:00 a.m., 21 views

Multiple Cisco ONS control cards fail to properly handle malformed UDP packets

Overview A vulnerability exists in multiple control cards used by Cisco ONS devices. This vulnerability could allow a remote attacker to cause a denial-of-service condition. Description Cisco's Optical Networking product line consists of a series of devices designed to offer high-bandwidth data...

7.3 AI score
Exploits: 0, References: 4
CERT
added 2004/07/09 12:00 a.m., 21 views

Cisco Collaboration Server (CCS) ServletExec allows arbitrary file uploading

Overview There is a vulnerability in the ServletExec subcomponent of the Cisco Collaboration Server CCS that could allow an attacker to upload arbitrary files to the server. Description The Cisco Collaboration Server CCS is designed to provide interactive customer support web page sharing,...

7.4 AI score
Exploits: 0, References: 5
CERT
added 2004/06/28 12:00 a.m., 21 views

Sun Solaris vulnerable to DoS when the Basic Security Module (BSM) is configured to perform auditing of specific classes

Overview There is a vulnerability in Sun Solaris that could allow local users to cause a denial of service when the Basic Security Module BSM is configured to perform auditing of specific audit classes. Description Sun Microsystems describes the Basic Security Module BSM as a "security auditing...

6.7 AI score
Exploits: 0, References: 4
CERT
added 2004/06/02 12:00 a.m., 21 views

MIT Kerberos 5 krb5_aname_to_localname() contains several heap overflows

Overview MIT Kerberos 5 contains several heap buffer overflow vulnerabilities in code that translates Kerberos principal names to local UNIX account names. An authenticated, remote attacker could execute arbitrary code on a vulnerable system with root privileges. Description MIT Kerberos 5 contai...

7.9 AI score
Exploits: 0, References: 3
CERT
added 2004/05/06 12:00 a.m., 21 views

Gaim contains a buffer overflow vulnerability in the yahoo_packet_read() function

Overview There is a buffer overflow vulnerability in the Gaim yahoo_packet_read() function, which could allow an unauthenticated, remote attacker to execute arbitrary code. Description Gaim is a multi-protocol instant messenger available for a number of operating systems. It supports a variety of...

7.5 CVSS, 9.8 AI score, 0.07605 EPSS
Exploits: 0, References: 4
CERT
added 2004/05/06 12:00 a.m., 21 views

Gaim fails to properly parse cookies in Yahoo web connections

Overview There is a buffer overflow vulnerability in the way Gaim parses cookies for Yahoo web connections. Description Gaim is a multi-protocol instant messenger available for a number of operating systems. It supports a variety of instant messaging protocols, including the Yahoo Messenger YMSG...

7.5 CVSS, 9.8 AI score, 0.07605 EPSS
Exploits: 0, References: 4
CERT
added 2004/04/07 12:00 a.m., 21 views

Cisco WLSE and HSE devices contain hardcoded username and password

Overview A default account with a common username and password exists in two Cisco products. An attacker with knowledge of this account information can compromise any of these devices on the network. Description A default account with a known, fixed username and password combination exists in som...

6.9 AI score
Exploits: 0, References: 1
CERT
added 2004/02/25 12:00 a.m., 21 views

Apple Mac OS X Safari fails to properly display URLs in the status bar

Overview Apple Mac OS X Safari fails to properly display URLs in the status bar. Description Safari is a web browser for the Macintosh platform. There is an unspecified vulnerability in the way Safari displays URLs in the status bar. --- Impact The complete impact of this vulnerability is not yet...

5 CVSS, 5.9 AI score, 0.02068 EPSS
Exploits: 0, References: 2
CERT
added 2004/02/23 12:00 a.m., 21 views

Microsoft Windows Internet Naming Service (WINS) fails to properly validate the length of specially crafted packets

Overview Microsoft Windows Internet Naming Service WINS fails to properly validate the length of specially crafted packets which could allow an unauthenticated, remote attacker to cause a denial-of-service condition. Description The Windows Internet Naming Service WINS maps IP addresses to NETBIO...

9.3 CVSS, 6.7 AI score, 0.12099 EPSS
Exploits: 0, References: 2
CERT
added 2003/08/19 12:00 a.m., 21 views

Sun ONE/iPlanet Web Server vulnerable to DoS

Overview A vulnerability in the SunOne/iPlanet Web Server may allow a remote attacker to cause a denial of service. Description The SunOne/iPlanet Web Server contains a vulnerability which may allow a remote attacker to disrupt the normal operation of the web server. This vulnerability is only...

7.1 AI score
Exploits: 0, References: 3
CERT
added 2003/06/04 12:00 a.m., 21 views

SunOS versions of sendmail use popen to return undeliverable mail

Overview Older versions of sendmail circa 1995 incorrectly used popen to process certain arguments. Description There is a problem with the way that the older circa 1995 versions of Sun Microsystems, Inc. version of sendmail processes the -oR option. This problem has been verified as existing in...

7.4 AI score
Exploits: 0, References: 2
CERT
added 2003/05/14 12:00 a.m., 21 views

XMMS Remote input validation error

Overview There is an input validation error in the stand-alone SOAP server XMMS Remote which allows unauthorized remote command execution. Description XMMS Remote is a stand-alone XML/SOAP HTTP server implemented in PERL created by X2 Studios. It is used to monitor a running xmms media player...

7.7 AI score
Exploits: 0, References: 5
CERT
added 2002/11/20 12:00 a.m., 21 views

Alcatel Operating System (AOS) does not require a password for accessing the telnet server

Overview The OmniSwitch 7700/7800 running Alcatel Operating System AOS version 5.1.1 has TCP port 6778 listening as a telnet server. This gives anyone access to the OmniSwitch's Vx-Works operating system without requiring a password. Description During an NMAP audit of the AOS 5.1.1 code that run...

10 CVSS, 6.2 AI score, 0.05282 EPSS
Exploits: 0, References: 3
CERT
added 2002/10/01 12:00 a.m., 21 views

InvokeRegWizard (regwizc.dll) ActiveX control has a buffer overflow

Overview Microsoft Internet Explorer 4.01 and 5 ship with a series of ActiveX controls to aid in its functionality. Regwiz.dll is a safe-for-scripting ActiveX control that contains a remotely exploitable buffer overflow. Description InvokeRegWizard (regwizc.dll) is a control that ships with...

7.9 AI score
Exploits: 0, References: 2
CERT
added 2002/09/27 12:00 a.m., 21 views

Microsoft Windows Media Player buffer overflow in Active Stream Redirector (.asx) file parser

Overview There is a buffer overflow in the parsing of Active Stream Redirector .ASX files. This buffer overflow may allow a remote attacker to execute arbitrary code when a user views a malicious web page. Description There is a buffer overflow in the processing of Active Stream Redirector .ASX...

7.5 CVSS, 7.7 AI score, 0.1942 EPSS
Exploits: 1, References: 4
CERT
added 2002/09/26 12:00 a.m., 21 views

A1Stats multiple CGI scripts fail to adequately validate user input

Overview A1Stats does not properly validate user input, allowing directory traversal and overwriting of files. Description A1Stats is a CGI script that provides reports on web site traffic. A1Stats does not properly filter the CGI query string. An attacker may exploit this vulnerability to traver...

7.5 CVSS, 6.1 AI score, 0.1253 EPSS
Exploits: 1, References: 1
CERT
added 2002/09/26 12:00 a.m., 21 views

Allaire Forums does not verify user information stored in hidden form fields

Overview Allaire Forums does not verify user information submitted in hidden fields on a web form, allowing attackers to impersonate other users. Description Allaire Forums is a web-based bulletin board system that runs on Cold Fusion. When a user wishes to post a message, Allaire Forums...

7.5 CVSS, 6.3 AI score, 0.03283 EPSS
Exploits: 0, References: 1
CERT
added 2002/09/26 12:00 a.m., 21 views

TDForum does not adequately validate user input thereby allowing users to embed malicious script code in messages

Overview TDForum does not properly filter HTML scripting tags from user input, allowing users to post malicious scripts that may be executed unwittingly by other users. Description TDForum is a commercial software package providing dynamic web forum capabilities. Versions 1.2 and earlier of TDFor...

7.5 CVSS, 6 AI score, 0.02276 EPSS
Exploits: 0, References: 3
CERT
added 2002/08/01 12:00 a.m., 21 views

Directory-traversal vulnerability in Mike Spice's My Classifieds CGI script

Overview Some versions of My Classifieds contain a directory-traversal vulnerability that allows attackers to overwrite files. Description My Classifieds is a Perl CGI script, maintained by Mike Spice, that produces dynamic ad listings on a web server and allows users to edit their ads remotely...

6.7 AI score
Exploits: 0, References: 4
CERT
added 2002/07/25 12:00 a.m., 21 views

Microsoft SQL Server contains buffer overflows in several Database Consistency Checkers

Overview Microsoft SQL Server ships with several administrative tools that allow database users to elevate their administrative privileges from a single database to all databases on the server. Description Microsoft SQL Server ships with several utilities known as Database Consistency Checkers...

7.5 CVSS, 7.7 AI score, 0.01506 EPSS
Exploits: 1, References: 4
CERT
added 2002/05/23 12:00 a.m., 21 views

Taskpads ActiveX Control incorrectly marked safe-for-scripting

Overview The taskpads ActiveX control included with some resource kit products circa February 1999 was incorrectly marked safe-for-scripting. Description The taskpads ActiveX control included with the Microsoft Windows 98 resource kit, the Microsoft Windows 98 resource kit sampler, and the Back...

7.5 CVSS, 7 AI score, 0.05881 EPSS
Exploits: 0, References: 2
CERT
added 2002/03/01 12:00 a.m., 21 views

Oracle9i Application Server allows unauthenticated access to PL/SQL applications via alternate Database Access Descriptor

Overview A vulnerability exists in the Apache Procedural Language/Structured Query Language PL/SQL module used by Oracle9i Application Server iAS. By specifying the Database Access Descriptor DAD used to access a PL/SQL application, an attacker could gain unauthorized access to the application...

7 AI score
Exploits: 0, References: 2
CERT
added 2002/01/03 12:00 a.m., 21 views

Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via help page request

Overview A buffer overflow vulnerability exists in the Apache Procedural Language/Structured Query Language PL/SQL module used by Oracle9i Application Server iAS. This vulnerability could allow an unauthenticated remote attacker to cause a denial of service or execute arbitrary code on the system...

7.5 CVSS, 10 AI score, 0.08547 EPSS
Exploits: 0, References: 6
CERT
added 2001/12/07 12:00 a.m., 21 views

OpenSSH does not initialize PAM session thereby allowing PAM restrictions to be bypassed

Overview OpenSSH is an implementation of the Secure Shell SSH protocol. It can be configured to use Linux Pluggable Authentication Modules PAM for added authentication. A vulnerability exists in OpenSSH, and perhaps other implementations of SSH, which can allow to potentially bypass PAM...

7.1 AI score
Exploits: 0, References: 3
CERT
added 2001/11/15 12:00 a.m., 21 views

XMCD vulnerable to arbitrary file overwriting via symlink redirection of temporary file

Overview xmcd is an x11/motif CD playing utility, in the public domain. cda, the command line interface to xmcd, executes with system administrator privileges. It is vulnerable to a symbolic link attack that may allow a local user to obtain administrator privileges. Description cda, the command...

6.2 CVSS, 5.9 AI score, 0.00401 EPSS
Exploits: 0, References: 3
CERT
added 2001/10/01 12:00 a.m., 21 views

getty_ps creates temporary files insecurely

Overview getty_ps is an open-source software package designed to support logons to the console and terminals. Some implementations create temporary files insecurely with predictable names, leading to corruption of arbitrary files via symbolic link attack. Description Under certain circumstances,...

1.2 CVSS, 6.7 AI score, 0.00298 EPSS
Exploits: 0, References: 3
CERT
added 2001/08/09 12:00 a.m., 21 views

McAfee ASaP VirusScan service does not adequately validate input

Overview A vulnerability exists in McAfee ASaP VirusScan that permits intruders to access files outside of the web root. Description Quoting from the McAfee ASaP VirusScan FAQ, McAfee ASaP VirusScan is "a web-based, managed and updated anti-virus service for the entire desktop environment." McAfe...

5 CVSS, 6.2 AI score, 0.0581 EPSS
Exploits: 0, References: 3
CERT
added 2001/07/27 12:00 a.m., 21 views

Allaire JRun Java Application Server vulnerable to Cross-Site Scripting via passing of user input directly to default error page

Overview Web servers that use the Allaire JRun Java Servlet Container are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidated input from...

6 AI score
Exploits: 0, References: 7
CERT
added 2001/07/27 12:00 a.m., 21 views

Caucho Technologies Resin vulnerable to Cross-Site Scripting via passing of user input directly to default error page

Overview Web servers that use the Resin Java Servlet Container, versions 1.2.3 and earlier, are vulnerable to a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page based on unvalidat...

5.1 CVSS, 5.6 AI score, 0.02773 EPSS
Exploits: 1, References: 5
CERT
added 2001/07/17 12:00 a.m., 21 views

IBM SecureWay Directory is vulnerable to denial-of-service attacks via LDAP handling code

Overview The IBM SecureWay Directory contains vulnerabilities that may allow denial-of-service attacks, unauthorized privileged access, or both. These vulnerabilities were revealed using the PROTOS LDAPv3 test suite and are documented in CERT Advisory CA-2001-18. If your site uses this product, t...

7.5 AI score
Exploits: 0, References: 6
CERT
added 2001/07/12 12:00 a.m., 21 views

Lotus Domino vulnerable to DoS via many large connects sent to 63148/TCP

Overview The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service. Description A continuous stream of "connect" requests with a payload of 10K of data to TCP port 63148 DIIOP - CORBA will result in 100% CPU usage, the hard disk constantly being written to,...

7 AI score
Exploits: 0, References: 4
CERT
added 2001/06/13 12:00 a.m., 21 views

SSH1 may generate weak passphrase when using Secure RPC

Overview The secure-RPC feature of the SSH1 client in Solaris sometimes encrypts the SSH private key file with a weak passphrase, which can be determined by an attacker and used to recover the SSH private keys. Other versions of the SSH client running on non-Solaris platforms are not affected by...

3.6 CVSS, 5.9 AI score, 0.00842 EPSS
Exploits: 1, References: 4
CERT
added 2000/10/06 12:00 a.m., 21 views

ADK flaw in recent versions of PGP

Overview Additional Decryption Keys ADKs is a feature introduced into PGP Pretty Good Privacy versions 5.5.x through 6.5.3 that allows authorized extra decryption keys to be added to a user's public key certificate. However, an implementation flaw in PGP allows unsigned ADKs which have been...

5 CVSS, 5.4 AI score, 0.01496 EPSS
Exploits: 0, References: 4
CERT
added 2025/12/17 12:00 a.m., 20 views

Vulnerability in UEFI firmware modules prevents IOMMU initialization on some UEFI-based motherboards

Overview A newly identified vulnerability in some UEFI-supported motherboard models leaves systems vulnerable to early-boot DMA attacks across architectures that implement UEFI and IOMMU. Although the firmware indicates that DMA protection is active, it fails to correctly initialize the IOMMU...

7 CVSS, 7.1 AI score, 0.00314 EPSS
Exploits: 0, References: 7
CERT
added 2025/04/03 12:00 a.m., 20 views

Multiple deserialization vulnerabilities in PyTorch Lightning 2.4.0 and earlier versions

Overview PyTorch Lightning versions 2.4.0 and earlier do not use any verification mechanisms to ensure that model files are safe to load before loading them. Users of PyTorch Lightning should use caution when loading models from unknown or unmanaged sources. Description PyTorch Lightning, a...

7.9 AI score
Exploits: 0, References: 4
CERT
added 2020/03/30 12:00 a.m., 20 views

Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting

Overview The Versiant LYNX Customer Service Portal version 3.5.2 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript. Description The Versiant LYNX Customer Service Portal CSP is a "full-service customer portal that provide...

5.4 CVSS, 5.2 AI score, 0.0051 EPSS
Exploits: 0, References: 6
CERT
added 2018/12/20 12:00 a.m., 20 views

Microsoft Windows MsiAdvertiseProduct function vulnerable to privilege escalation via race condition

Overview The Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability, which can allow an authenticated attacker to elevate privileges to read protected files. Description The Microsoft Windows MsiAdvertiseProduct function allows a Windows installer product to...

6.9 AI score
Exploits: 0, References: 2
CERT
added 2015/08/17 12:00 a.m., 20 views

Cisco Prime Infrastructure contains SUID root binaries

Overview The Cisco Prime Infrastructure version 2.2 contains two binaries with SUID root world-executable privileges, allowing any local user to execute arbitrary commands as root. Description CWE-276: Incorrect Default Permissions Two binaries are included in Cisco Prime version 2.2 that run as...

8.2 AI score
Exploits: 0, References: 2
CERT
added 2014/07/14 12:00 a.m., 20 views

Kaseya's agent driver contains NULL pointer dereference

Overview Kaseya's agent driver, kapfa.sys, is vulnerable to a NULL pointer dereference. Description CWE-476: NULL Pointer Dereference Kaseya's agent driver, kapfa.sys, is vulnerable to a NULL pointer dereference. --- Impact A local authenticated attacker may be able to cause a denial-of-service...

1.7 CVSS, 6.7 AI score, 0.0033 EPSS
Exploits: 0, References: 2
CERT
added 2013/06/27 12:00 a.m., 20 views

Lookout Mobile Security contains a denial-of-service vulnerability

Overview Lookout Mobile Security version 8.14.1-7fe5f1, and possibly earlier versions, contains a denial-of-service vulnerability. Description Lookout Mobile Security version 8.14.1-7fe5f1 crashes if an intent is sent to com.lookout.security.ScanTell with no arguments. --- Impact A malicious...

4.3 CVSS, 6.2 AI score, 0.00975 EPSS
Exploits: 0, References: 1
CERT
added 2011/05/02 12:00 a.m., 20 views

Proofpoint Protection Server contains multiple vulnerabilities

Overview Proofpoint Protection Server contains multiple vulnerabilities including authentication bypass, insufficient authorization checks, command injection, SQL injection, and directory traversal. Description Clear Skies Security's advisory states:"Enduser Authentication Bypass User-level acces...

8.3 AI score
Exploits: 0, References: 2
CERT
added 2010/06/17 12:00 a.m., 20 views

Symantec AppStream and Workspace Streaming vulnerable to arbitrary code download and execution

Overview The Symantec AppStream and Workspace Streaming clients fail to properly validate downloads, which can allow a remote, unauthenticated attacker to download and execute arbitrary code on a vulnerable system. Description Symantec Workspace Streaming is a software distribution solution that...

9.3 CVSS, 7 AI score, 0.02477 EPSS
Exploits: 0, References: 4
CERT
added 2009/06/09 12:00 a.m., 20 views

eBay Enhanced Picture Uploader ActiveX control vulnerable to arbitrary command execution

Overview The eBay Enhanced Picture Uploader ActiveX control allows arbitrary commands to be executed. Description The eBay Enhanced Picture Uploader ActiveX control is used by the eBay web site to give Internet Explorer users additional functionality when uploading pictures to an auction. This...

9.3 CVSS, 6.7 AI score, 0.04065 EPSS
Exploits: 0, References: 3
CERT
added 2009/05/06 12:00 a.m., 20 views

NuPoint Messenger server transmits authentication credentials in plain text

Overview NuPoint Messenger is a unified communications product that connects to a Microsoft Exchange server. When communicating with the mail server, the NuPoint Messenger server transmits Exchange usernames and passwords in cleartext. Description The NuPoint Messenger server can connect to a...

7.2 AI score
Exploits: 0, References: 2
CERT
added 2009/02/23 12:00 a.m., 20 views

Intercepting proxy servers may incorrectly rely on HTTP headers to make connections

Overview Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections. Description HTTP Host headers are defined in RFC 2616 and are often used by web servers to allow multiple websit...

6.9 AI score
Exploits: 0, References: 8
CERT
added 2008/04/29 12:00 a.m., 20 views

Motorola Surfboard cable modem cross-site request forgery vulnerability

Overview Motorola Surfboard cable modems may contain a cross-site request forgery vulnerability that allows an attacker to cause an affected modem to reboot or reload its configuration. Description Cable modems are designed to deliver broadband Internet access via unused bandwidth on a cable...

7.4 AI score
Exploits: 0, References: 6
CERT
added 2008/04/04 12:00 a.m., 20 views

C compilers may silently discard some wraparound checks

Overview Some C compilers optimize away pointer arithmetic overflow tests that depend on undefined behavior without providing a diagnostic (a warning). Applications containing these tests may be vulnerable to buffer overflows if compiled with these compilers. Description In the C language, given th...

7.3 AI score
Exploits: 0, References: 2
CERT
added 2008/01/15 12:00 a.m., 20 views

UPnP enabled by default in multiple devices

Overview Multiple vendors ship devices with UPnP enabled by default. By convincing a user to open a malicious URL, an attacker may be able to remotely control or configure UPnP enabled devices. Description Universal Plug and Play UPnP is a collection of protocols maintained and distributed by the...

6.5 AI score
Exploits: 0, References: 11
CERT
added 2007/08/17 12:00 a.m., 20 views

Yahoo! Messenger webcam stream heap overflow

Overview Yahoo! Messenger fails to properly handle webcam streams, which may allow a remote attacker to execute arbitrary code. Description Yahoo! Messenger is an instant messaging application that is available for Windows, Mac, Unix, web, and mobile systems. Some versions of Yahoo! Messenger, suc...

9.3 CVSS, 7.6 AI score, 0.09314 EPSS
Exploits: 0, References: 6
CERT
added 2007/05/29 12:00 a.m., 20 views

British Telecommunications Business Connect webhelper ActiveX control buffer overflows

Overview The British Telecommunications Business Connect webhelper ActiveX control contains multiple buffer overflows, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description The registration process for British Telecommunications BT intern...

7.8 AI score
Exploits: 0, References: 2
Total number of security vulnerabilities: 3695