ID SECURITYVULNS:VULN:12819
Type securityvulns
Reporter
Modified 2013-01-10T00:00:00
Description
PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.
{"id": "SECURITYVULNS:VULN:12819", "bulletinFamily": "software", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "published": "2013-01-10T00:00:00", "modified": "2013-01-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12819", "reporter": " ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:28944", "https://vulners.com/securityvulns/securityvulns:doc:28934", "https://vulners.com/securityvulns/securityvulns:doc:28935", "https://vulners.com/securityvulns/securityvulns:doc:28937", "https://vulners.com/securityvulns/securityvulns:doc:28936"], "cvelist": ["CVE-2012-6497", "CVE-2012-6430", "CVE-2012-5534", "CVE-2012-6496", "CVE-2011-1428", "CVE-2012-5657", "CVE-2012-5664"], "type": "securityvulns", "lastseen": "2018-08-31T11:09:50", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "cb9452378b5fcf142b3a0c594604809b"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "54973fe7f35f5419fc889270b90a0e26"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "c61e5d59aa5c4e535b518cca44e00a6f"}, {"key": "href", "hash": "18c21ce42db30cca210b4e6f14766542"}, {"key": "modified", "hash": "27c882e649d50f41ad692f5bdcec3402"}, {"key": "published", "hash": "27c882e649d50f41ad692f5bdcec3402"}, {"key": "references", "hash": "930a5bd76f06af87d22240036f051a8c"}, {"key": "reporter", "hash": "7215ee9c7d9dc229d2921a40e899ec5f"}, {"key": "title", "hash": "9caff91e9ebcf551c6d0d9d96b286138"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "ebf0ee1533726d5cc3cbb468fe93307affd4a6f0e7a93b8314f43f0ef6055047", "viewCount": 1, "enchantments": {"score": {"value": 4.3, "vector": "NONE", "modified": "2018-08-31T11:09:50"}, "vulnersScore": 4.3}, "objectVersion": "1.3", "affectedSoftware": [{"name": "Quick.Cart", "operator": "eq", "version": "6.0"}, {"name": "Quick.Cms", "operator": "eq", "version": "5.0"}, {"name": "TomatoCart", "operator": "eq", "version": "1.1"}, {"name": "Ruby on Rails", "operator": "eq", "version": "3.2"}, {"name": "Ruby on Rails", "operator": "eq", "version": "3.0"}, {"name": "WeeChat", "operator": "eq", "version": "0.3"}, {"name": "Ruby on Rails", "operator": "eq", "version": "3.1"}, {"name": "Zend", "operator": "eq", "version": "1.11"}]}
{"cve": [{"lastseen": "2016-09-03T17:17:53", "references": ["http://openwall.com/lists/oss-security/2012/12/20/2", "http://openwall.com/lists/oss-security/2012/12/20/4", "http://www.mandriva.com/security/advisories?name=MDVSA-2013:115", "http://www.debian.org/security/2012/dsa-2602", "http://framework.zend.com/security/advisory/ZF2012-05"], "edition": 1, "description": "The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.", "reporter": "NVD", "published": "2013-05-02T10:55:05", "title": "CVE-2012-5657", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-5657"], "scanner": [], "modified": "2013-05-03T00:00:00", "cpe": ["cpe:/a:zend:zend_framework:1.11.3", "cpe:/a:zend:zend_framework:1.11.2", "cpe:/a:zend:zend_framework:1.11.13", "cpe:/a:zend:zend_framework:1.11.12", "cpe:/a:zend:zend_framework:1.11.9", "cpe:/a:zend:zend_framework:1.11.7", "cpe:/a:zend:zend_framework:1.11.6", "cpe:/a:zend:zend_framework:1.11.4", "cpe:/a:zend:zend_framework:1.11.11", "cpe:/a:zend:zend_framework:1.11.10", "cpe:/a:zend:zend_framework:1.11.8", "cpe:/a:zend:zend_framework:1.11.0", "cpe:/a:zend:zend_framework:1.11.5", "cpe:/a:zend:zend_framework:1.11.1", "cpe:/a:zend:zend_framework:1.12.0"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5657", "id": "CVE-2012-5657", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-04-18T15:53:35", "references": ["https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain", "http://www.securityfocus.com/bid/57084", "http://security.gentoo.org/glsa/glsa-201401-22.xml", "https://bugzilla.redhat.com/show_bug.cgi?id=889649", "http://rhn.redhat.com/errata/RHSA-2013-0220.html", "http://rhn.redhat.com/errata/RHSA-2013-0155.html", "http://rhn.redhat.com/errata/RHSA-2013-0154.html", "http://rhn.redhat.com/errata/RHSA-2013-0544.html", "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/"], "edition": 2, "description": "SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.", "reporter": "NVD", "published": "2013-01-03T23:46:02", "title": "CVE-2012-6496", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-6496"], "scanner": [], "modified": "2016-12-07T22:02:49", "cpe": ["cpe:/a:rubyonrails:ruby_on_rails:3.1.2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.4:rc", "cpe:/a:rubyonrails:ruby_on_rails:3.0.12:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.17", "cpe:/a:rubyonrails:ruby_on_rails:3.0.6", "cpe:/a:rubyonrails:ruby_on_rails:3.1.8", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc3", "cpe:/a:rubyonrails:ruby_on_rails:3.2.1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.10:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.5:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.6:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.1.4:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.10", "cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.6:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.7", "cpe:/a:rubyonrails:ruby_on_rails:3.2.2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9", "cpe:/a:rubyonrails:ruby_on_rails:3.2.5", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8", "cpe:/a:rubyonrails:ruby_on_rails:3.1.5", "cpe:/a:rubyonrails:ruby_on_rails:3.1.1", "cpe:/a:rubyonrails:ruby_on_rails:3.2.4:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.5", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:beta1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.13:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.2.8", "cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.7:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc8", "cpe:/a:rubyonrails:ruby_on_rails:3.0.4", "cpe:/a:rubyonrails:ruby_on_rails:3.2.4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.16", "cpe:/a:rubyonrails:ruby_on_rails:3.2.6", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc6", "cpe:/a:rubyonrails:ruby_on_rails:3.2.2:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc3", "cpe:/a:rubyonrails:ruby_on_rails:3.1.7", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:rc", "cpe:/a:rubyonrails:ruby_on_rails:3.0.4:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.14", "cpe:/a:rubyonrails:ruby_on_rails:3.0.12", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta3", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc5", "cpe:/a:rubyonrails:ruby_on_rails:3.0.13", "cpe:/a:rubyonrails:ruby_on_rails:3.1.6", "cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc5", "cpe:/a:rubyonrails:ruby_on_rails:3.0.2:pre", "cpe:/a:rubyonrails:ruby_on_rails:3.1.3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.11", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0", "cpe:/a:rubyonrails:ruby_on_rails:3.0.1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta2", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc7", "cpe:/a:rubyonrails:ruby_on_rails:3.2.9", "cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.2.3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.7:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.2.0", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.5:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.1:pre", "cpe:/a:rubyonrails:ruby_on_rails:3.2.7"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6496", "id": "CVE-2012-6496", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-03T17:16:31", "references": ["http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093495.html", "http://weechat.org/security/", "http://lists.opensuse.org/opensuse-updates/2012-11/msg00087.html", "http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commitdiff_plain;h=efb795c74fe954b9544074aafcebb1be4452b03a", "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00018.html", "http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093516.html", "https://savannah.nongnu.org/bugs/?37764", "http://www.securityfocus.com/bid/56584", "http://www.mandriva.com/security/advisories?name=MDVSA-2013:136", "http://lists.fedoraproject.org/pipermail/package-announce/2012-November/093260.html", "http://www.openwall.com/lists/oss-security/2012/11/19/4", "https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0347"], "edition": 1, "description": "The hook_process function in the plugin API for WeeChat 0.3.0 through 0.3.9.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a command from a plugin, related to \"shell expansion.\"", "reporter": "NVD", "published": "2012-12-03T16:55:01", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "cve", "title": "CVE-2012-5534", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-5534"], "scanner": [], "modified": "2014-02-06T23:43:30", "cpe": ["cpe:/a:flashtux:weechat:0.3.8", "cpe:/a:flashtux:weechat:0.3.2", "cpe:/a:flashtux:weechat:0.3.4", "cpe:/a:flashtux:weechat:0.3.1.1", "cpe:/a:flashtux:weechat:0.3.9", "cpe:/a:flashtux:weechat:0.3.7", "cpe:/a:flashtux:weechat:0.3.9.1", "cpe:/a:flashtux:weechat:0.3.6", "cpe:/a:flashtux:weechat:0.3.0", "cpe:/a:flashtux:weechat:0.3.1", "cpe:/a:flashtux:weechat:0.3.3"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5534", "id": "CVE-2012-5534", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-18T15:53:35", "references": ["http://www.securityfocus.com/bid/57084", "http://openwall.com/lists/oss-security/2013/01/03/12", "http://phenoelit.org/blog/archives/2012/12/21/let_me_github_that_for_you/index.html", "http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/"], "edition": 2, "description": "The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.", "reporter": "NVD", "published": "2013-01-03T23:46:02", "title": "CVE-2012-6497", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-6497"], "scanner": [], "modified": "2016-12-07T22:02:50", "cpe": ["cpe:/a:rubyonrails:ruby_on_rails:3.1.2", "cpe:/a:rubyonrails:ruby_on_rails:1.1.4", "cpe:/a:rubyonrails:ruby_on_rails:2.0.2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.4:rc", "cpe:/a:rubyonrails:ruby_on_rails:0.5.7", "cpe:/a:rubyonrails:ruby_on_rails:3.0.12:rc1", "cpe:/a:rubyonrails:ruby_on_rails:2.0.1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.17", "cpe:/a:rubyonrails:ruby_on_rails:3.0.6", "cpe:/a:rubyonrails:ruby_on_rails:1.1.2", "cpe:/a:rubyonrails:ruby_on_rails:3.1.8", "cpe:/a:rubyonrails:ruby_on_rails:2.2.0", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc3", "cpe:/a:rubyonrails:ruby_on_rails:3.2.1", "cpe:/a:rubyonrails:ruby_on_rails:0.8.0", "cpe:/a:rubyonrails:ruby_on_rails:0.6.0", "cpe:/a:rubyonrails:ruby_on_rails:3.0.3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.10:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.5:rc1", "cpe:/a:rubyonrails:ruby_on_rails:1.2.6", "cpe:/a:rubyonrails:ruby_on_rails:0.5.5", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc2", "cpe:/a:rubyonrails:ruby_on_rails:1.2.3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.6:rc2", "cpe:/a:rubyonrails:ruby_on_rails:0.14.1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0", "cpe:/a:rubyonrails:ruby_on_rails:2.1", "cpe:/a:rubyonrails:ruby_on_rails:2.0.0:rc1", "cpe:/a:rubyonrails:ruby_on_rails:0.8.5", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:rc2", "cpe:/a:rubyonrails:ruby_on_rails:1.1.0", "cpe:/a:rubyonrails:ruby_on_rails:3.1.4:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.10", "cpe:/a:rubyonrails:ruby_on_rails:0.9.0", "cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc2", "cpe:/a:rubyonrails:ruby_on_rails:2.0.0", "cpe:/a:rubyonrails:ruby_on_rails:0.6.5", "cpe:/a:rubyonrails:ruby_on_rails:3.0.6:rc1", "cpe:/a:rubyonrails:ruby_on_rails:0.7.0", "cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.7", "cpe:/a:rubyonrails:ruby_on_rails:3.2.2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9", "cpe:/a:rubyonrails:ruby_on_rails:0.14.4", "cpe:/a:rubyonrails:ruby_on_rails:2.3.11", "cpe:/a:rubyonrails:ruby_on_rails:3.2.5", "cpe:/a:rubyonrails:ruby_on_rails:0.13.1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8", "cpe:/a:rubyonrails:ruby_on_rails:1.2.1", "cpe:/a:rubyonrails:ruby_on_rails:1.1.6", "cpe:/a:rubyonrails:ruby_on_rails:0.12.1", "cpe:/a:rubyonrails:ruby_on_rails:0.10.0", "cpe:/a:rubyonrails:ruby_on_rails:1.0.0", "cpe:/a:rubyonrails:ruby_on_rails:0.9.3", "cpe:/a:rubyonrails:ruby_on_rails:3.1.5", "cpe:/a:rubyonrails:ruby_on_rails:3.1.1", "cpe:/a:rubyonrails:ruby_on_rails:2.2.2", "cpe:/a:rubyonrails:ruby_on_rails:2.3.10", "cpe:/a:rubyonrails:ruby_on_rails:3.2.4:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.5", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:beta1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc3", "cpe:/a:rubyonrails:ruby_on_rails:2.0.0:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.13:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.2.8", "cpe:/a:rubyonrails:ruby_on_rails:1.2.4", "cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.2", "cpe:/a:rubyonrails:ruby_on_rails:0.14.3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.7:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc8", "cpe:/a:rubyonrails:ruby_on_rails:3.0.4", "cpe:/a:rubyonrails:ruby_on_rails:3.2.4", "cpe:/a:rubyonrails:ruby_on_rails:1.1.3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.16", "cpe:/a:rubyonrails:ruby_on_rails:3.2.6", "cpe:/a:rubyonrails:ruby_on_rails:0.9.4.1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc6", "cpe:/a:rubyonrails:ruby_on_rails:3.2.2:rc1", "cpe:/a:rubyonrails:ruby_on_rails:3.1.4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc3", "cpe:/a:rubyonrails:ruby_on_rails:3.1.7", "cpe:/a:rubyonrails:ruby_on_rails:1.9.5", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:rc", "cpe:/a:rubyonrails:ruby_on_rails:3.0.4:rc1", "cpe:/a:rubyonrails:ruby_on_rails:0.14.2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.8:rc4", "cpe:/a:rubyonrails:ruby_on_rails:0.10.1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.14", "cpe:/a:rubyonrails:ruby_on_rails:2.3.2", "cpe:/a:rubyonrails:ruby_on_rails:3.0.12", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta3", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc5", "cpe:/a:rubyonrails:ruby_on_rails:3.0.13", "cpe:/a:rubyonrails:ruby_on_rails:3.1.6", "cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc1", "cpe:/a:rubyonrails:ruby_on_rails:2.1.2", "cpe:/a:rubyonrails:ruby_on_rails:2.1.1", "cpe:/a:rubyonrails:ruby_on_rails:3.2.3:rc2", "cpe:/a:rubyonrails:ruby_on_rails:1.2.2", "cpe:/a:rubyonrails:ruby_on_rails:0.11.0", "cpe:/a:rubyonrails:ruby_on_rails:3.2.0:rc2", "cpe:/a:rubyonrails:ruby_on_rails:0.12.0", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc5", "cpe:/a:rubyonrails:ruby_on_rails:2.3.3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.2:pre", "cpe:/a:rubyonrails:ruby_on_rails:3.1.3", "cpe:/a:rubyonrails:ruby_on_rails:1.2.5", "cpe:/a:rubyonrails:ruby_on_rails:1.1.5", "cpe:/a:rubyonrails:ruby_on_rails:2.3.12", "cpe:/a:rubyonrails:ruby_on_rails:3.0.11", "cpe:/a:rubyonrails:ruby_on_rails:1.2.0", "cpe:/a:rubyonrails:ruby_on_rails:2.1.0", "cpe:/a:rubyonrails:ruby_on_rails:2.2.1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0", "cpe:/a:rubyonrails:ruby_on_rails:1.1.1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.1", "cpe:/a:rubyonrails:ruby_on_rails:2.3.4", "cpe:/a:rubyonrails:ruby_on_rails:0.11.1", "cpe:/a:rubyonrails:ruby_on_rails:3.0.0:beta2", "cpe:/a:rubyonrails:ruby_on_rails:3.1.0:rc7", "cpe:/a:rubyonrails:ruby_on_rails:0.5.6", "cpe:/a:rubyonrails:ruby_on_rails:3.2.9", "cpe:/a:rubyonrails:ruby_on_rails:0.5.0", "cpe:/a:rubyonrails:ruby_on_rails:3.1.1:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.2.3", "cpe:/a:rubyonrails:ruby_on_rails:3.0.7:rc2", "cpe:/a:rubyonrails:ruby_on_rails:3.2.0", "cpe:/a:rubyonrails:ruby_on_rails:3.0.9:rc1", "cpe:/a:rubyonrails:ruby_on_rails:0.13.0", "cpe:/a:rubyonrails:ruby_on_rails:0.9.4", "cpe:/a:rubyonrails:ruby_on_rails:2.3.9", "cpe:/a:rubyonrails:ruby_on_rails:3.1.5:rc1", "cpe:/a:rubyonrails:ruby_on_rails:0.9.2", "cpe:/a:rubyonrails:ruby_on_rails:3.1.2:rc2", "cpe:/a:rubyonrails:ruby_on_rails:0.9.1", "cpe:/a:rubyonrails:ruby_on_rails:2.0.4", "cpe:/a:rubyonrails:ruby_on_rails:3.0.1:pre", "cpe:/a:rubyonrails:ruby_on_rails:3.2.7"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6497", "id": "CVE-2012-6497", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-09-03T17:18:01", "references": [], "edition": 1, "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-6496, CVE-2012-6497. Reason: this candidate was intended for one issue, but the candidate was publicly used to label concerns about multiple products. Notes: All CVE users should consult CVE-2012-6496 and CVE-2012-6497 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.", "reporter": "NVD", "published": "2012-12-26T15:55:01", "title": "CVE-2012-5664", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-5664"], "scanner": [], "modified": "2013-01-08T00:08:45", "cpe": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5664", "id": "CVE-2012-5664", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-08-29T12:17:54", "references": ["https://www.htbridge.com/advisory/HTB23135", "http://archives.neohapsis.com/archives/bugtraq/2013-01/0035.html", "https://exchange.xforce.ibmcloud.com/vulnerabilities/81169", "http://packetstormsecurity.com/files/119422/Quick.Cms-5.0-Quick.Cart-6.0-Cross-Site-Scripting.html"], "edition": 2, "description": "Cross-site scripting (XSS) vulnerability in Open Solution Quick.Cms 5.0 and Quick.Cart 6.0, possibly as downloaded before December 19, 2012, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to admin.php. NOTE: this might be a duplicate of CVE-2008-4140.", "reporter": "NVD", "published": "2014-03-24T12:43:01", "title": "CVE-2012-6430", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-6430"], "scanner": [], "cpe": ["cpe:/a:opensolution:quick_cms:5.0", "cpe:/a:opensolution:quick_cart:6.0"], "modified": "2017-08-28T21:32:56", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6430", "id": "CVE-2012-6430", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-03T15:12:52", "references": ["http://www.securityfocus.com/bid/46612", "http://savannah.nongnu.org/patch/index.php?7459", "http://git.savannah.gnu.org/gitweb/?p=weechat.git;a=commit;h=c265cad1c95b84abfd4e8d861f25926ef13b5d91", "http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0671.html"], "edition": 1, "description": "Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate, related to incorrect use of the GnuTLS API.", "reporter": "NVD", "published": "2011-03-16T18:55:04", "title": "CVE-2011-1428", "type": "cve", "enchantments": {"score": {"modified": "2016-09-03T15:12:52", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2011-1428"], "scanner": [], "modified": "2011-03-22T00:00:00", "cpe": ["cpe:/a:flashtux:weechat:0.0.4", "cpe:/a:flashtux:weechat:0.0.5", "cpe:/a:flashtux:weechat:0.1.1", "cpe:/a:flashtux:weechat:0.3.2", "cpe:/a:flashtux:weechat:0.3.4", "cpe:/a:flashtux:weechat:0.1.0", "cpe:/a:flashtux:weechat:0.3.1.1", "cpe:/a:flashtux:weechat:0.0.1", "cpe:/a:flashtux:weechat:0.2.2", "cpe:/a:flashtux:weechat:0.2.0", "cpe:/a:flashtux:weechat:0.0.9", "cpe:/a:flashtux:weechat:0.1.6", "cpe:/a:flashtux:weechat:0.1.8", "cpe:/a:flashtux:weechat:0.1.5", "cpe:/a:flashtux:weechat:0.2.4", "cpe:/a:flashtux:weechat:0.1.4", "cpe:/a:flashtux:weechat:0.0.8", "cpe:/a:flashtux:weechat:0.1.3", "cpe:/a:flashtux:weechat:0.2.6.3", "cpe:/a:flashtux:weechat:0.3.0", "cpe:/a:flashtux:weechat:0.2.3", "cpe:/a:flashtux:weechat:0.2.6.1", "cpe:/a:flashtux:weechat:0.2.5", "cpe:/a:flashtux:weechat:0.3.1", "cpe:/a:flashtux:weechat:0.0.3", "cpe:/a:flashtux:weechat:0.2.6.2", "cpe:/a:flashtux:weechat:0.2.6", "cpe:/a:flashtux:weechat:0.0.7", "cpe:/a:flashtux:weechat:0.1.7", "cpe:/a:flashtux:weechat:0.2.1", "cpe:/a:flashtux:weechat:0.1.2", "cpe:/a:flashtux:weechat:0.1.9", "cpe:/a:flashtux:weechat:0.3.3", "cpe:/a:flashtux:weechat:0.0.2", "cpe:/a:flashtux:weechat:0.0.6"], "id": "CVE-2011-1428", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1428", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-09-01T23:57:05", "references": ["http://www.debian.org/security/2013/dsa-2598.html"], "pluginID": "1361412562310892598", "description": "Two security issues have been discovered in WeeChat, a fast, light and\nextensible chat client:\n\nCVE-2011-1428 \nX.509 certificates were incorrectly validated.\n\nCVE-2012-5534 \nThe hook_process function in the plugin API allowed the execution\nof arbitrary shell commands.", "edition": 3, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "published": "2013-01-05T00:00:00", "title": "Debian Security Advisory DSA 2598-1 (weechat - several vulnerabilities)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5534", "CVE-2011-1428"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310892598", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892598", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2598.nasl 9353 2018-04-06 07:14:20Z cfischer $\n# Auto-generated from advisory DSA 2598-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"weechat on Debian Linux\";\ntag_insight = \"WeeChat (Wee Enhanced Environment for Chat) is a fast and light chat client\nfor many operating systems. Everything can be done with a keyboard.\nIt is customizable and extensible with plugins/scripts, and includes:\n\n- nicklist\n- smart hotlist\n- infobar with highlight notification\n- horizontal and vertical split\n- double charset support (decode/encode)\n- FIFO pipe for remote control\n- and much more!\";\ntag_solution = \"For the stable distribution (squeeze), these problems have been fixed in\nversion 0.3.2-1+squeeze1.\n\nFor the testing distribution (wheezy), these problems have been fixed in\nversion 0.3.8-1+deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 0.3.9.2-1.\n\nWe recommend that you upgrade your weechat packages.\";\ntag_summary = \"Two security issues have been discovered in WeeChat, a fast, light and\nextensible chat client:\n\nCVE-2011-1428 \nX.509 certificates were incorrectly validated.\n\nCVE-2012-5534 \nThe hook_process function in the plugin API allowed the execution\nof arbitrary shell commands.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892598\");\n script_version(\"$Revision: 9353 $\");\n script_cve_id(\"CVE-2011-1428\", \"CVE-2012-5534\");\n script_name(\"Debian Security Advisory DSA 2598-1 (weechat - several vulnerabilities)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name: \"creation_date\", value:\"2013-01-05 00:00:00 +0100 (Sat, 05 Jan 2013)\");\n script_tag(name: \"cvss_base\", value:\"7.5\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2598.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"weechat\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-core\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-curses\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-dbg\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-dev\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-doc\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-plugins\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-core\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-curses\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-dbg\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-dev\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-doc\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-plugins\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:51:32", "references": ["http://www.debian.org/security/2013/dsa-2598.html"], "pluginID": "892598", "description": "Two security issues have been discovered in WeeChat, a fast, light and\nextensible chat client:\n\nCVE-2011-1428 \nX.509 certificates were incorrectly validated.\n\nCVE-2012-5534 \nThe hook_process function in the plugin API allowed the execution\nof arbitrary shell commands.", "edition": 2, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "published": "2013-01-05T00:00:00", "title": "Debian Security Advisory DSA 2598-1 (weechat - several vulnerabilities)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5534", "CVE-2011-1428"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=892598", "id": "OPENVAS:892598", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2598.nasl 6611 2017-07-07 12:07:20Z cfischer $\n# Auto-generated from advisory DSA 2598-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"weechat on Debian Linux\";\ntag_insight = \"WeeChat (Wee Enhanced Environment for Chat) is a fast and light chat client\nfor many operating systems. Everything can be done with a keyboard.\nIt is customizable and extensible with plugins/scripts, and includes:\n\n- nicklist\n- smart hotlist\n- infobar with highlight notification\n- horizontal and vertical split\n- double charset support (decode/encode)\n- FIFO pipe for remote control\n- and much more!\";\ntag_solution = \"For the stable distribution (squeeze), these problems have been fixed in\nversion 0.3.2-1+squeeze1.\n\nFor the testing distribution (wheezy), these problems have been fixed in\nversion 0.3.8-1+deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 0.3.9.2-1.\n\nWe recommend that you upgrade your weechat packages.\";\ntag_summary = \"Two security issues have been discovered in WeeChat, a fast, light and\nextensible chat client:\n\nCVE-2011-1428 \nX.509 certificates were incorrectly validated.\n\nCVE-2012-5534 \nThe hook_process function in the plugin API allowed the execution\nof arbitrary shell commands.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892598);\n script_version(\"$Revision: 6611 $\");\n script_cve_id(\"CVE-2011-1428\", \"CVE-2012-5534\");\n script_name(\"Debian Security Advisory DSA 2598-1 (weechat - several vulnerabilities)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-07 14:07:20 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-01-05 00:00:00 +0100 (Sat, 05 Jan 2013)\");\n script_tag(name: \"cvss_base\", value:\"7.5\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2598.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"weechat\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-core\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-curses\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-dbg\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-dev\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-doc\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-plugins\", ver:\"0.3.2-1+squeeze1\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-core\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-curses\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-dbg\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-dev\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-doc\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"weechat-plugins\", ver:\"0.3.8-1+deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:56:25", "references": ["http://www.debian.org/security/2013/dsa-2597.html"], "pluginID": "1361412562310892597", "description": "joernchen of Phenoelit discovered that rails, an MVC ruby based framework\ngeared for web application development, is not properly treating\nuser-supplied input to find_by_* \nmethods. Depending on how the\nruby on rails application is using these methods, this allows an attacker\nto perform SQL injection attacks, e.g., to bypass authentication if\nAuthlogic is used and the session secret token is known.", "edition": 3, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "published": "2013-01-04T00:00:00", "title": "Debian Security Advisory DSA 2597-1 (rails - input validation error)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6497", "CVE-2012-6496"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310892597", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892597", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2597.nasl 9353 2018-04-06 07:14:20Z cfischer $\n# Auto-generated from advisory DSA 2597-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rails on Debian Linux\";\ntag_insight = \"Rails is a full-stack, open-source web framework in Ruby for writing\nreal-world applications.\";\ntag_solution = \"For the stable distribution (squeeze), this problem has been fixed in\nversion 2.3.5-1.2+squeeze4.\n\nFor the testing distribution (wheezy), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nruby-activerecord-2.3 version 2.3.14-3.\n\nWe recommend that you upgrade your rails/ruby-activerecord-2.3 packages.\";\ntag_summary = \"joernchen of Phenoelit discovered that rails, an MVC ruby based framework\ngeared for web application development, is not properly treating\nuser-supplied input to find_by_* \nmethods. Depending on how the\nruby on rails application is using these methods, this allows an attacker\nto perform SQL injection attacks, e.g., to bypass authentication if\nAuthlogic is used and the session secret token is known.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892597\");\n script_version(\"$Revision: 9353 $\");\n script_cve_id(\"CVE-2012-6497\", \"CVE-2012-6496\");\n script_name(\"Debian Security Advisory DSA 2597-1 (rails - input validation error)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name: \"creation_date\", value:\"2013-01-04 00:00:00 +0100 (Fri, 04 Jan 2013)\");\n script_tag(name: \"cvss_base\", value:\"7.5\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2597.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libactionmailer-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactionmailer-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactionpack-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactionpack-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiverecord-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiverecord-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiverecord-ruby1.9.1\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiveresource-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiveresource-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactivesupport-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactivesupport-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactivesupport-ruby1.9.1\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"rails\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"rails-doc\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"rails-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:51:45", "references": ["http://www.debian.org/security/2013/dsa-2597.html"], "pluginID": "892597", "description": "joernchen of Phenoelit discovered that rails, an MVC ruby based framework\ngeared for web application development, is not properly treating\nuser-supplied input to find_by_* \nmethods. Depending on how the\nruby on rails application is using these methods, this allows an attacker\nto perform SQL injection attacks, e.g., to bypass authentication if\nAuthlogic is used and the session secret token is known.", "edition": 2, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "published": "2013-01-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Debian Security Advisory DSA 2597-1 (rails - input validation error)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6497", "CVE-2012-6496"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=892597", "id": "OPENVAS:892597", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2597.nasl 6611 2017-07-07 12:07:20Z cfischer $\n# Auto-generated from advisory DSA 2597-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rails on Debian Linux\";\ntag_insight = \"Rails is a full-stack, open-source web framework in Ruby for writing\nreal-world applications.\";\ntag_solution = \"For the stable distribution (squeeze), this problem has been fixed in\nversion 2.3.5-1.2+squeeze4.\n\nFor the testing distribution (wheezy), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nruby-activerecord-2.3 version 2.3.14-3.\n\nWe recommend that you upgrade your rails/ruby-activerecord-2.3 packages.\";\ntag_summary = \"joernchen of Phenoelit discovered that rails, an MVC ruby based framework\ngeared for web application development, is not properly treating\nuser-supplied input to find_by_* \nmethods. Depending on how the\nruby on rails application is using these methods, this allows an attacker\nto perform SQL injection attacks, e.g., to bypass authentication if\nAuthlogic is used and the session secret token is known.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892597);\n script_version(\"$Revision: 6611 $\");\n script_cve_id(\"CVE-2012-6497\", \"CVE-2012-6496\");\n script_name(\"Debian Security Advisory DSA 2597-1 (rails - input validation error)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-07 14:07:20 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-01-04 00:00:00 +0100 (Fri, 04 Jan 2013)\");\n script_tag(name: \"cvss_base\", value:\"7.5\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2597.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libactionmailer-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactionmailer-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactionpack-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactionpack-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiverecord-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiverecord-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiverecord-ruby1.9.1\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiveresource-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactiveresource-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactivesupport-ruby\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactivesupport-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libactivesupport-ruby1.9.1\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"rails\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"rails-doc\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"rails-ruby1.8\", ver:\"2.3.5-1.2+squeeze4\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:56:14", "references": ["2013-0057", "http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097136.html"], "pluginID": "1361412562310865042", "description": "Check for the Version of php-ZendFramework", "edition": 4, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "published": "2013-01-21T00:00:00", "title": "Fedora Update for php-ZendFramework FEDORA-2013-0057", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310865042", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865042", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework FEDORA-2013-0057\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"php-ZendFramework on Fedora 17\";\ntag_insight = \"Extending the art & spirit of PHP, Zend Framework is based on simplicity,\n object-oriented best practices, corporate friendly licensing, and a rigorously\n tested agile code base. Zend Framework is focused on building more secure,\n reliable, and modern Web 2.0 applications & web services, and consuming widely\n available APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as\n well as API providers and catalogers like StrikeIron and ProgrammableWeb.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097136.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865042\");\n script_version(\"$Revision: 9372 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:56:37 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:26:36 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2012-5657\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-0057\");\n script_name(\"Fedora Update for php-ZendFramework FEDORA-2013-0057\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of php-ZendFramework\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.1~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:56:02", "references": ["http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097117.html", "2013-0063"], "pluginID": "1361412562310865036", "description": "Check for the Version of php-ZendFramework", "edition": 4, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "published": "2013-01-21T00:00:00", "title": "Fedora Update for php-ZendFramework FEDORA-2013-0063", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310865036", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865036", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework FEDORA-2013-0063\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"php-ZendFramework on Fedora 18\";\ntag_insight = \"Extending the art & spirit of PHP, Zend Framework is based on simplicity,\n object-oriented best practices, corporate friendly licensing, and a rigorously\n tested agile code base. Zend Framework is focused on building more secure,\n reliable, and modern Web 2.0 applications & web services, and consuming widely\n available APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as\n well as API providers and catalogers like StrikeIron and ProgrammableWeb.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097117.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865036\");\n script_version(\"$Revision: 9372 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:56:37 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:26:26 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2012-5657\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-0063\");\n script_name(\"Fedora Update for php-ZendFramework FEDORA-2013-0063\");\n\n script_tag(name:\"summary\", value:\"Check for the Version of php-ZendFramework\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.1~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-10-02T14:33:30", "references": ["https://alas.aws.amazon.com/ALAS-2013-153.html"], "pluginID": "1361412562310120231", "description": "Amazon Linux Local Security Checks", "edition": 5, "reporter": "Eero Volotinen", "published": "2015-09-08T00:00:00", "title": "Amazon Linux Local Check: ALAS-2013-153", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2018-10-01T00:00:00", "id": "OPENVAS:1361412562310120231", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120231", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2013-153.nasl 6577 2017-07-06 13:43:46Z cfischer$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120231\");\n script_version(\"$Revision: 11703 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-08 13:20:58 +0200 (Tue, 08 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 10:05:31 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: ALAS-2013-153\");\n script_tag(name:\"insight\", value:\"The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.\");\n script_tag(name:\"solution\", value:\"Run yum update php-ZendFramework to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2013-153.html\");\n script_cve_id(\"CVE-2012-5657\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Serializer-Adapter-Igbinary\", rpm:\"php-ZendFramework-Serializer-Adapter-Igbinary~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Pdo-Mysql\", rpm:\"php-ZendFramework-Db-Adapter-Pdo-Mysql~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-demos\", rpm:\"php-ZendFramework-demos~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Cache-Backend-Memcached\", rpm:\"php-ZendFramework-Cache-Backend-Memcached~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Search-Lucene\", rpm:\"php-ZendFramework-Search-Lucene~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Pdf\", rpm:\"php-ZendFramework-Pdf~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Captcha\", rpm:\"php-ZendFramework-Captcha~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Services\", rpm:\"php-ZendFramework-Services~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Ldap\", rpm:\"php-ZendFramework-Ldap~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Cache-Backend-Apc\", rpm:\"php-ZendFramework-Cache-Backend-Apc~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Auth-Adapter-Ldap\", rpm:\"php-ZendFramework-Auth-Adapter-Ldap~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-extras\", rpm:\"php-ZendFramework-extras~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Feed\", rpm:\"php-ZendFramework-Feed~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Pdo-Pgsql\", rpm:\"php-ZendFramework-Db-Adapter-Pdo-Pgsql~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Soap\", rpm:\"php-ZendFramework-Soap~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-full\", rpm:\"php-ZendFramework-full~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Dojo\", rpm:\"php-ZendFramework-Dojo~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Mysqli\", rpm:\"php-ZendFramework-Db-Adapter-Mysqli~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Cache-Backend-Libmemcached\", rpm:\"php-ZendFramework-Cache-Backend-Libmemcached~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Pdo-Mssql\", rpm:\"php-ZendFramework-Db-Adapter-Pdo-Mssql~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework-Db-Adapter-Pdo\", rpm:\"php-ZendFramework-Db-Adapter-Pdo~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.1~1.6.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-23T13:09:55", "references": ["2013-0061", "http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097131.html"], "pluginID": "865017", "description": "Check for the Version of php-ZendFramework", "edition": 3, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "published": "2013-01-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for php-ZendFramework FEDORA-2013-0061", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2018-01-23T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=865017", "id": "OPENVAS:865017", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework FEDORA-2013-0061\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"php-ZendFramework on Fedora 16\";\ntag_insight = \"Extending the art & spirit of PHP, Zend Framework is based on simplicity,\n object-oriented best practices, corporate friendly licensing, and a rigorously\n tested agile code base. Zend Framework is focused on building more secure,\n reliable, and modern Web 2.0 applications & web services, and consuming widely\n available APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as\n well as API providers and catalogers like StrikeIron and ProgrammableWeb.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097131.html\");\n script_id(865017);\n script_version(\"$Revision: 8494 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-23 07:57:55 +0100 (Tue, 23 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:25:52 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2012-5657\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-0061\");\n script_name(\"Fedora Update for php-ZendFramework FEDORA-2013-0061\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of php-ZendFramework\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.1~1.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:52:13", "references": ["http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097117.html", "2013-0063"], "pluginID": "865036", "description": "Check for the Version of php-ZendFramework", "edition": 2, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "published": "2013-01-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for php-ZendFramework FEDORA-2013-0063", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2017-07-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=865036", "id": "OPENVAS:865036", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for php-ZendFramework FEDORA-2013-0063\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"php-ZendFramework on Fedora 18\";\ntag_insight = \"Extending the art & spirit of PHP, Zend Framework is based on simplicity,\n object-oriented best practices, corporate friendly licensing, and a rigorously\n tested agile code base. Zend Framework is focused on building more secure,\n reliable, and modern Web 2.0 applications & web services, and consuming widely\n available APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as\n well as API providers and catalogers like StrikeIron and ProgrammableWeb.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/097117.html\");\n script_id(865036);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-21 09:26:26 +0530 (Mon, 21 Jan 2013)\");\n script_cve_id(\"CVE-2012-5657\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-0063\");\n script_name(\"Fedora Update for php-ZendFramework FEDORA-2013-0063\");\n\n script_summary(\"Check for the Version of php-ZendFramework\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-ZendFramework\", rpm:\"php-ZendFramework~1.12.1~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-24T12:51:31", "references": ["http://www.debian.org/security/2013/dsa-2602.html"], "pluginID": "892602", "description": "Yury Dyachenko discovered that Zend Framework uses the PHP XML parser\nin an insecure way, allowing attackers to open files and trigger HTTP\nrequests, potentially accessing restricted information.", "edition": 2, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "published": "2013-01-08T00:00:00", "title": "Debian Security Advisory DSA 2602-1 (zendframework - XML external entity inclusion)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=892602", "id": "OPENVAS:892602", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2602.nasl 6611 2017-07-07 12:07:20Z cfischer $\n# Auto-generated from advisory DSA 2602-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"zendframework on Debian Linux\";\ntag_insight = \"Extending the art & spirit of PHP, Zend Framework is based on simplicity,\nobject-oriented best practices, corporate friendly licensing, and a rigorously\ntested agile codebase. Zend Framework is focused on building more secure,\nreliable, and modern Web 2.0 applications & web services, and consuming widely\navailable APIs from leading vendors like Google, Amazon, Yahoo!, Flickr, as\nwell as API providers and cataloguers like StrikeIron and ProgrammableWeb.\";\ntag_solution = \"For the stable distribution (squeeze), this problem has been fixed in\nversion 1.10.6-1squeeze2.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1.11.13-1.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.11.13-1.1.\n\nWe recommend that you upgrade your zendframework packages.\";\ntag_summary = \"Yury Dyachenko discovered that Zend Framework uses the PHP XML parser\nin an insecure way, allowing attackers to open files and trigger HTTP\nrequests, potentially accessing restricted information.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892602);\n script_version(\"$Revision: 6611 $\");\n script_cve_id(\"CVE-2012-5657\");\n script_name(\"Debian Security Advisory DSA 2602-1 (zendframework - XML external entity inclusion)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-07 14:07:20 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-01-08 00:00:00 +0100 (Tue, 08 Jan 2013)\");\n script_tag(name: \"cvss_base\", value:\"5.0\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2602.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"zendframework\", ver:\"1.10.6-1squeeze2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"zendframework-bin\", ver:\"1.10.6-1squeeze2\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"zendframework\", ver:\"1.11.13-1.1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"zendframework-bin\", ver:\"1.11.13-1.1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"zendframework-resources\", ver:\"1.11.13-1.1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "debian": [{"lastseen": "2018-10-16T22:12:56", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "0.3.2-1+squeeze1", "arch": "all", "packageFilename": "weechat-dev_0.3.2-1+squeeze1_all.deb", "packageName": "weechat-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "0.3.2-1+squeeze1", "arch": "all", "packageFilename": "weechat-dbg_0.3.2-1+squeeze1_all.deb", "packageName": "weechat-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "0.3.2-1+squeeze1", "arch": "all", "packageFilename": "weechat_0.3.2-1+squeeze1_all.deb", "packageName": "weechat", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "0.3.2-1+squeeze1", "arch": "all", "packageFilename": "weechat-doc_0.3.2-1+squeeze1_all.deb", "packageName": "weechat-doc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "0.3.2-1+squeeze1", "arch": "all", "packageFilename": "weechat-core_0.3.2-1+squeeze1_all.deb", "packageName": "weechat-core", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "0.3.2-1+squeeze1", "arch": "all", "packageFilename": "weechat-curses_0.3.2-1+squeeze1_all.deb", "packageName": "weechat-curses", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "0.3.2-1+squeeze1", "arch": "all", "packageFilename": "weechat-plugins_0.3.2-1+squeeze1_all.deb", "packageName": "weechat-plugins", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2598-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nJanuary 05, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : weechat\nVulnerability : several\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2011-1428 CVE-2012-5534\n\nTwo security issues have been discovered in Weechat a, fast, light and \nextensible chat client:\n\nCVE-2011-1428\n\n X.509 certificates were incorrectly validated.\n\nCVE-2012-5534\n\n The hook_process function in the plugin API allowed the execution\n of arbitrary shell commands.\n\nFor the stable distribution (squeeze), these problems have been fixed in\nversion 0.3.2-1+squeeze1.\n\nFor the testing distribution (wheezy), these problems have been fixed in\nversion 0.3.8-1+deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 0.3.9.2-1.\n\nWe recommend that you upgrade your weechat packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "reporter": "Debian", "published": "2013-01-05T12:40:34", "title": "[SECURITY] [DSA 2598-1] weechat security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:12:56", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-5534", "CVE-2011-1428"], "modified": "2013-01-05T12:40:34", "id": "DEBIAN:DSA-2598-1:5B348", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00001.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-16T22:13:12", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "1.10.6-1squeeze2", "arch": "all", "packageFilename": "zendframework_1.10.6-1squeeze2_all.deb", "packageName": "zendframework", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.10.6-1squeeze2", "arch": "all", "packageFilename": "zendframework-bin_1.10.6-1squeeze2_all.deb", "packageName": "zendframework-bin", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2602-1 security@debian.org\nhttp://www.debian.org/security/ Florian Weimer\nJanuary 08, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : zendframework\nVulnerability : XML external entity inclusion\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-5657\nDebian Bug : 696483\n\nYury Dyachenko discovered that Zend Framework uses the PHP XML parser\nin an insecure way, allowing attackers to open files and trigger HTTP\nrequests, potentially accessing restricted information.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.10.6-1squeeze2.\n\nFor the testing distribution (wheezy), this problem has been fixed in\nversion 1.11.13-1.1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.11.13-1.1.\n\nWe recommend that you upgrade your zendframework packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "reporter": "Debian", "published": "2013-01-08T18:23:26", "title": "[SECURITY] [DSA 2602-1] zendframework security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:13:12", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-5657"], "modified": "2013-01-08T18:23:26", "id": "DEBIAN:DSA-2602-1:CCA6F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00005.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-10-16T22:13:26", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "rails_2.3.5-1.2+squeeze4_all.deb", "packageName": "rails", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "rails-ruby1.8_2.3.5-1.2+squeeze4_all.deb", "packageName": "rails-ruby1.8", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "rails-doc_2.3.5-1.2+squeeze4_all.deb", "packageName": "rails-doc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactionpack-ruby1.8_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactionpack-ruby1.8", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactiverecord-ruby1.8_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactiverecord-ruby1.8", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactionmailer-ruby_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactionmailer-ruby", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactionmailer-ruby1.8_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactionmailer-ruby1.8", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactiveresource-ruby_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactiveresource-ruby", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactionpack-ruby_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactionpack-ruby", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactivesupport-ruby1.9.1", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactiverecord-ruby_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactiverecord-ruby", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactiveresource-ruby1.8_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactiveresource-ruby1.8", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactivesupport-ruby_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactivesupport-ruby", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactivesupport-ruby1.8_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactivesupport-ruby1.8", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "2.3.5-1.2+squeeze4", "arch": "all", "packageFilename": "libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze4_all.deb", "packageName": "libactiverecord-ruby1.9.1", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2597-1 security@debian.org\nhttp://www.debian.org/security/ Nico Golde\nJanuary 04, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : rails\nVulnerability : input validation error\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-5664\n\njoernchen of Phenoelit discovered that rails, an MVC ruby based framework\ngeared for web application development, is not properly treating\nuser-supplied input to "find_by_*" methods. Depending on how the ruby\non rails application is using these methods, this allows an attacker\nto perform SQL injection attacks, e.g., to bypass authentication if\nAuthlogic is used and the session secret token is known.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.3.5-1.2+squeeze4.\n\nFor the testing distribution (wheezy), this problem will be fixed soon.\n\nFor the unstable distribution (sid), this problem has been fixed in\nruby-activerecord-2.3 version 2.3.14-3.\n\n\nWe recommend that you upgrade your rails/ruby-activerecord-2.3 packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n\n", "edition": 1, "reporter": "Debian", "published": "2013-01-04T22:17:32", "title": "[SECURITY] [DSA 2597-1] rails security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:13:26", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-5664"], "modified": "2013-01-04T22:17:32", "id": "DEBIAN:DSA-2597-1:BA1DE", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00000.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-16T22:13:04", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "1.10.6-1squeeze4", "arch": "all", "packageFilename": "zendframework_1.10.6-1squeeze4_all.deb", "packageName": "zendframework", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.10.6-1squeeze4", "arch": "all", "packageFilename": "zendframework-bin_1.10.6-1squeeze4_all.deb", "packageName": "zendframework-bin", "operator": "lt"}], "description": "Package : zendframework\nVersion : 1.10.6-1squeeze4\nCVE ID : CVE-2012-6531 CVE-2012-6532 CVE-2014-2681 CVE-2014-2682\n CVE-2014-2683 CVE-2014-2684 CVE-2014-2685 CVE-2014-4914\n CVE-2014-8088 CVE-2014-8089 CVE-2015-3154\nDebian Bug : 743175 754201\n\nThe previous zendframework upload incorrectly fixes CVE-2015-3154,\ncausing a regression. This update corrects this problem. Thanks to\n\u0415\u0432\u0433\u0435\u043d\u0438\u0439 \u0421\u043c\u043e\u043b\u0438\u043d (Evgeny Smolin) <esmolin@inbox.ru>.\n\nCVE-2012-6531\n\n P\u00e1draic Brady identified a weakness to handle the SimpleXMLElement\n zendframework class, allowing to remote attackers to read arbitrary\n files or create TCP connections via an XML external entity (XXE)\n injection attack.\n\nCVE-2012-6532\n\n P\u00e1draic Brady found that remote attackers could cause a denial of\n service by CPU consumption, via recursive or circular references\n through an XML entity expansion (XEE) attack.\n\nCVE-2014-2681\n\n Lukas Reschke reported a lack of protection against XML External\n Entity injection attacks in some functions. This fix extends the\n incomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among threads in the\n PHP-FPM case. This fix extends the incomplete one from\n CVE-2012-5657.\n\nCVE-2014-2683\n\n Lukas Reschke reported a lack of protection against XML Entity\n Expansion attacks in some functions. This fix extends the incomplete\n one from CVE-2012-6532.\n\nCVE-2014-2684\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported an error in the consumer's verify method that lead\n to acceptance of wrongly sourced tokens.\n\nCVE-2014-2685\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported a specification violation in which signing of a\n single parameter is incorrectly considered sufficient.\n\nCVE-2014-4914\n\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\n BY SQL statement in Zend_Db_Select contains a potential SQL\n injection when the query string passed contains parentheses.\n\nCVE-2014-8088\n\n Yury Dyachenko at Positive Research Center identified potential XML\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\n extension.\n\nCVE-2014-8089\n\n Jonas Sandstr\u00f6m discovered an SQL injection vector when manually\n quoting value for sqlsrv extension, using null byte.\n\nCVE-2015-3154\n\n Filippo Tessarotto and Maks3w reported potential CRLF injection\n attacks in mail and HTTP headers.\n", "edition": 1, "reporter": "Debian", "published": "2015-06-23T20:27:21", "title": "[SECURITY] [DLA 251-2] zendframework regression update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:13:04", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-3154", "CVE-2014-8088", "CVE-2012-6532", "CVE-2014-2685", "CVE-2014-2682", "CVE-2012-6531", "CVE-2014-8089", "CVE-2014-2684", "CVE-2014-4914", "CVE-2012-5657", "CVE-2014-2683", "CVE-2014-2681"], "modified": "2015-06-23T20:27:21", "id": "DEBIAN:DLA-251-2:CDAD6", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201506/msg00019.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-18T13:49:25", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "1.11.13-1.1+deb7u2", "arch": "all", "packageFilename": "zendframework_1.11.13-1.1+deb7u2_all.deb", "packageName": "zendframework", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.12.9+dfsg-2+deb8u2", "arch": "all", "packageFilename": "zendframework-resources_1.12.9+dfsg-2+deb8u2_all.deb", "packageName": "zendframework-resources", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.12.9+dfsg-2+deb8u2", "arch": "all", "packageFilename": "zendframework-bin_1.12.9+dfsg-2+deb8u2_all.deb", "packageName": "zendframework-bin", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.12.9+dfsg-2+deb8u2", "arch": "all", "packageFilename": "zendframework_1.12.9+dfsg-2+deb8u2_all.deb", "packageName": "zendframework", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3265-2 security@debian.org\nhttp://www.debian.org/security/ Alessandro Ghedini\nMay 24, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : zendframework\n\nThe update for zendframework issued as DSA-3265-1 introduced a regression\npreventing the use of non-string or non-stringable objects as header\nvalues. A fix for this problem is now applied, along with the final patch\nfor CVE-2015-3154. For reference the original advisory text follows.\n\nMultiple vulnerabilities were discovered in Zend Framework, a PHP\nframework. Except for CVE-2015-3154, all these issues were already fixed\nin the version initially shipped with Jessie.\n\nCVE-2014-2681\n\n Lukas Reschke reported a lack of protection against XML External\n Entity injection attacks in some functions. This fix extends the\n incomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among threads in the\n PHP-FPM case. This fix extends the incomplete one from\n CVE-2012-5657.\n\nCVE-2014-2683\n\n Lukas Reschke reported a lack of protection against XML Entity\n Expansion attacks in some functions. This fix extends the incomplete\n one from CVE-2012-6532.\n\nCVE-2014-2684\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported an error in the consumer's verify method that lead\n to acceptance of wrongly sourced tokens.\n\nCVE-2014-2685\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported a specification violation in which signing of a\n single parameter is incorrectly considered sufficient.\n\nCVE-2014-4914\n\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\n BY SQL statement in Zend_Db_Select contains a potential SQL\n injection when the query string passed contains parentheses.\n\nCVE-2014-8088\n\n Yury Dyachenko at Positive Research Center identified potential XML\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\n extension.\n\nCVE-2014-8089\n\n Jonas Sandstr\u00c3\u00b6m discovered an SQL injection vector when manually\n quoting value for sqlsrv extension, using null byte.\n\nCVE-2015-3154\n\n Filippo Tessarotto and Maks3w reported potential CRLF injection\n attacks in mail and HTTP headers.\n\nFor the oldstable distribution (wheezy), this problem has been fixed\nin version 1.11.13-1.1+deb7u2.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.12.9+dfsg-2+deb8u2.\n\nFor the testing distribution (stretch), this problem has been fixed\nin version 1.12.13+dfsg-1.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 1.12.13+dfsg-1.\n\nWe recommend that you upgrade your zendframework packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2015-05-24T11:55:45", "title": "[SECURITY] [DSA 3265-2] zendframework regression update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:49:25", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-3154", "CVE-2014-8088", "CVE-2012-6532", "CVE-2014-2685", "CVE-2014-2682", "CVE-2014-8089", "CVE-2014-2684", "CVE-2014-4914", "CVE-2012-5657", "CVE-2014-2683", "CVE-2014-2681"], "modified": "2015-05-24T11:55:45", "id": "DEBIAN:DSA-3265-2:03C60", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00164.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-16T22:14:52", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "1.10.6-1squeeze3", "arch": "all", "packageFilename": "zendframework-bin_1.10.6-1squeeze3_all.deb", "packageName": "zendframework-bin", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "1.10.6-1squeeze3", "arch": "all", "packageFilename": "zendframework_1.10.6-1squeeze3_all.deb", "packageName": "zendframework", "operator": "lt"}], "description": "Package : zendframework\nVersion : 1.10.6-1squeeze3\nCVE ID : CVE-2012-6531 CVE-2012-6532 CVE-2014-2681 CVE-2014-2682\n CVE-2014-2683 CVE-2014-2684 CVE-2014-2685 CVE-2014-4914\n CVE-2014-8088 CVE-2014-8089 CVE-2015-3154\nDebian Bug : 743175 754201\n\nSeveral vulnerabilities were found in the Zend PHP framework:\n\nCVE-2012-6531\n\n P\u00e1draic Brady identified a weakness to handle the SimpleXMLElement\n zendframework class, allowing to remote attackers to read arbitrary\n files or create TCP connections via an XML external entity (XXE)\n injection attack.\n\nCVE-2012-6532\n\n P\u00e1draic Brady found that remote attackers could cause a denial of\n service by CPU consumption, via recursive or circular references\n through an XML entity expansion (XEE) attack.\n\nCVE-2014-2681\n\n Lukas Reschke reported a lack of protection against XML External\n Entity injection attacks in some functions. This fix extends the\n incomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among threads in the\n PHP-FPM case. This fix extends the incomplete one from\n CVE-2012-5657.\n\nCVE-2014-2683\n\n Lukas Reschke reported a lack of protection against XML Entity\n Expansion attacks in some functions. This fix extends the incomplete\n one from CVE-2012-6532.\n\nCVE-2014-2684\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported an error in the consumer's verify method that lead\n to acceptance of wrongly sourced tokens.\n\nCVE-2014-2685\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported a specification violation in which signing of a\n single parameter is incorrectly considered sufficient.\n\nCVE-2014-4914\n\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\n BY SQL statement in Zend_Db_Select contains a potential SQL\n injection when the query string passed contains parentheses.\n\nCVE-2014-8088\n\n Yury Dyachenko at Positive Research Center identified potential XML\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\n extension.\n\nCVE-2014-8089\n\n Jonas Sandstr\u00f6m discovered an SQL injection vector when manually\n quoting value for sqlsrv extension, using null byte.\n\nCVE-2015-3154\n\n Filippo Tessarotto and Maks3w reported potential CRLF injection\n attacks in mail and HTTP headers.\n\nFor Debian 6 "Squeeze", these issues have been fixed in zendframework\nversion 1.10.6-1squeeze3.\n", "edition": 1, "reporter": "Debian", "published": "2015-06-20T18:41:19", "title": "[SECURITY] [DLA 251-1] zendframework security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:14:52", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-3154", "CVE-2014-8088", "CVE-2012-6532", "CVE-2014-2685", "CVE-2014-2682", "CVE-2012-6531", "CVE-2014-8089", "CVE-2014-2684", "CVE-2014-4914", "CVE-2012-5657", "CVE-2014-2683", "CVE-2014-2681"], "modified": "2015-06-20T18:41:19", "id": "DEBIAN:DLA-251-1:7D839", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201506/msg00017.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-18T13:49:38", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "1.11.13-1.1+deb7u1", "arch": "all", "packageFilename": "zendframework_1.11.13-1.1+deb7u1_all.deb", "packageName": "zendframework", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3265-1 security@debian.org\nhttp://www.debian.org/security/ David Pr\u00c3\u00a9vot\nMay 20, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : zendframework\nCVE ID : CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 CVE-2014-2684 \n CVE-2014-2685 CVE-2014-4914 CVE-2014-8088 CVE-2014-8089 \n CVE-2015-3154\nDebian Bug : 743175 754201\n\nMultiple vulnerabilities were discovered in Zend Framework, a PHP\nframework. Except for CVE-2015-3154, all these issues were already fixed\nin the version initially shipped with Jessie.\n\nCVE-2014-2681\n\n Lukas Reschke reported a lack of protection against XML External\n Entity injection attacks in some functions. This fix extends the\n incomplete one from CVE-2012-5657.\n\nCVE-2014-2682\n\n Lukas Reschke reported a failure to consider that the\n libxml_disable_entity_loader setting is shared among threads in the\n PHP-FPM case. This fix extends the incomplete one from\n CVE-2012-5657.\n\nCVE-2014-2683\n\n Lukas Reschke reported a lack of protection against XML Entity\n Expansion attacks in some functions. This fix extends the incomplete\n one from CVE-2012-6532.\n\nCVE-2014-2684\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported an error in the consumer's verify method that lead\n to acceptance of wrongly sourced tokens.\n\nCVE-2014-2685\n\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\n Bochum reported a specification violation in which signing of a\n single parameter is incorrectly considered sufficient.\n\nCVE-2014-4914\n\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\n BY SQL statement in Zend_Db_Select contains a potential SQL\n injection when the query string passed contains parentheses.\n\nCVE-2014-8088\n\n Yury Dyachenko at Positive Research Center identified potential XML\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\n extension.\n\nCVE-2014-8089\n\n Jonas Sandstr\u00c3\u00b6m discovered an SQL injection vector when manually\n quoting value for sqlsrv extension, using null byte.\n\nCVE-2015-3154\n\n Filippo Tessarotto and Maks3w reported potential CRLF injection\n attacks in mail and HTTP headers.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1.11.13-1.1+deb7u1.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.12.9+dfsg-2+deb8u1.\n\nFor the testing distribution (stretch), these problems will be fixed\nin version 1.12.12+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1.12.12+dfsg-1.\n\nWe recommend that you upgrade your zendframework packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2015-05-20T09:37:45", "title": "[SECURITY] [DSA 3265-1] zendframework security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:49:38", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-3154", "CVE-2014-8088", "CVE-2012-6532", "CVE-2014-2685", "CVE-2014-2682", "CVE-2014-8089", "CVE-2014-2684", "CVE-2014-4914", "CVE-2012-5657", "CVE-2014-2683", "CVE-2014-2681"], "modified": "2015-05-20T09:37:45", "id": "DEBIAN:DSA-3265-1:1C648", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00155.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T17:47:12", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "CVE ID:CVE-2012-6496\r\n\r\nRuby on Rails\u662f\u4e00\u6b3eWeb\u5e94\u7528\u7a0b\u5e8f\u6846\u67b6\uff0c\u6784\u5efa\u5728Ruby\u8bed\u8a00\u4e4b\u4e0a\u3002\r\nRuby on Rails Active Record\u7ec4\u4ef6\u5b58\u5728\u4e00\u4e2aSQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u5229\u7528"find_by_*"\u65b9\u6cd5\u8fdb\u884cSQL\u6ce8\u5165\u653b\u51fb\uff0c\u53ef\u83b7\u5f97\u654f\u611f\u4fe1\u606f\u6216\u63a7\u5236\u5e94\u7528\u7cfb\u7edf\u3002\r\n0\r\nRuby on Rails 3.0.x\r\nRuby on Rails 3.1.x\r\nRuby on Rails 3.2.x\r\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\r\nRuby on Rails 3.0.18\uff0c3.1.9\u548c3.2.10\u5df2\u7ecf\u4fee\u590d\u6b64\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.ruby-lang.org", "reporter": "Root", "published": "2013-01-05T00:00:00", "title": "Ruby on Rails Active Record\u7ec4\u4ef6SQL\u6ce8\u5165\u6f0f\u6d1e(CVE-2012-6496)", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6496"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2013-01-05T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60557", "id": "SSV:60557", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "", "status": "cve,details"}, {"lastseen": "2017-11-19T17:47:22", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "CVE ID: CVE-2012-5664\r\n\r\nRuby on Rails\u662f\u4e00\u6b3eWeb\u5e94\u7528\u7a0b\u5e8f\u6846\u67b6\uff0c\u6784\u5efa\u5728Ruby\u8bed\u8a00\u4e4b\u4e0a\r\n\r\nAuthLogic gem\u5b9e\u73b0\u5b58\u5728\u4e00\u4e2aSQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u5982\u679cRuby on Rails\u5e94\u7528\u4f7f\u7528AuthLogic gem\u8fdb\u884c\u9a8c\u8bc1\uff0c\u5e76\u4e14\u653b\u51fb\u8005\u5728\u80fd\u8bbf\u95eeRails\u5e94\u7528\u7684\u79c1\u94a5\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u8fdb\u884c\u672a\u6388\u6743\u8bbf\u95ee\r\n0\r\nRuby on Rails\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nRuby on Rails\r\n----------\r\n\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u89e3\u51b3\u65b9\u6848\u63d0\u4f9b\uff1a\r\nhttp://rubygems.org/gems/authlogic", "reporter": "Root", "published": "2012-12-28T00:00:00", "title": "Ruby on Rails Authlogic gem SQL\u6ce8\u5165\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5664"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2012-12-28T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60546", "id": "SSV:60546", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "", "status": "cve,details"}], "nessus": [{"lastseen": "2018-11-11T13:08:15", "references": ["https://packages.debian.org/source/squeeze/weechat", "https://security-tracker.debian.org/tracker/CVE-2012-5534", "https://security-tracker.debian.org/tracker/CVE-2011-1428", "https://www.debian.org/security/2013/dsa-2598"], "pluginID": "63383", "description": "Two security issues have been discovered in WeeChat, a fast, light and extensible chat client :\n\n - CVE-2011-1428 X.509 certificates were incorrectly validated.\n\n - CVE-2012-5534 The hook_process function in the plugin API allowed the execution of arbitrary shell commands.", "edition": 7, "reporter": "Tenable", "published": "2013-01-07T00:00:00", "title": "Debian DSA-2598-1 : weechat - several vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5534", "CVE-2011-1428"], "modified": "2018-11-10T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:weechat"], "id": "DEBIAN_DSA-2598.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63383", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2598. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63383);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/10 11:49:35\");\n\n script_cve_id(\"CVE-2011-1428\", \"CVE-2012-5534\");\n script_bugtraq_id(46612, 56584);\n script_xref(name:\"DSA\", value:\"2598\");\n\n script_name(english:\"Debian DSA-2598-1 : weechat - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two security issues have been discovered in WeeChat, a fast, light and\nextensible chat client :\n\n - CVE-2011-1428\n X.509 certificates were incorrectly validated.\n\n - CVE-2012-5534\n The hook_process function in the plugin API allowed the\n execution of arbitrary shell commands.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2011-1428\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2012-5534\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/weechat\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2013/dsa-2598\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the weechat packages.\n\nFor the stable distribution (squeeze), these problems have been fixed\nin version 0.3.2-1+squeeze1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:weechat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"weechat\", reference:\"0.3.2-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"weechat-core\", reference:\"0.3.2-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"weechat-curses\", reference:\"0.3.2-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"weechat-dbg\", reference:\"0.3.2-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"weechat-dev\", reference:\"0.3.2-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"weechat-doc\", reference:\"0.3.2-1+squeeze1\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"weechat-plugins\", reference:\"0.3.2-1+squeeze1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-11T12:47:09", "references": ["https://packages.debian.org/source/squeeze/rails", "https://www.debian.org/security/2013/dsa-2597"], "pluginID": "63382", "description": "joernchen of Phenoelit discovered that rails, an MVC ruby based framework geared for web application development, is not properly treating user-supplied input to 'find_by_*' methods. Depending on how the ruby on rails application is using these methods, this allows an attacker to perform SQL injection attacks, e.g., to bypass authentication if Authlogic is used and the session secret token is known.", "edition": 7, "reporter": "Tenable", "published": "2013-01-07T00:00:00", "title": "Debian DSA-2597-1 : rails - input validation error", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-6497", "CVE-2012-6496"], "modified": "2018-11-10T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:rails"], "id": "DEBIAN_DSA-2597.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63382", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2597. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63382);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/10 11:49:35\");\n\n script_cve_id(\"CVE-2012-6496\", \"CVE-2012-6497\");\n script_bugtraq_id(57084);\n script_xref(name:\"DSA\", value:\"2597\");\n\n script_name(english:\"Debian DSA-2597-1 : rails - input validation error\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"joernchen of Phenoelit discovered that rails, an MVC ruby based\nframework geared for web application development, is not properly\ntreating user-supplied input to 'find_by_*' methods. Depending on how\nthe ruby on rails application is using these methods, this allows an\nattacker to perform SQL injection attacks, e.g., to bypass\nauthentication if Authlogic is used and the session secret token is\nknown.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/rails\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2013/dsa-2597\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the rails/ruby-activerecord-2.3 packages.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 2.3.5-1.2+squeeze4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:rails\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libactionmailer-ruby\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactionmailer-ruby1.8\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactionpack-ruby\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactionpack-ruby1.8\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactiverecord-ruby\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactiverecord-ruby1.8\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactiverecord-ruby1.9.1\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactiveresource-ruby\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactiveresource-ruby1.8\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactivesupport-ruby\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactivesupport-ruby1.8\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libactivesupport-ruby1.9.1\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"rails\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"rails-doc\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"rails-ruby1.8\", reference:\"2.3.5-1.2+squeeze4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-29T19:32:49", "references": ["http://www.nessus.org/u?47b96b2d", "https://bugzilla.redhat.com/show_bug.cgi?id=878025"], "pluginID": "63086", "description": "Fix arbitrary code execution due to call of shell when executing command within hook_process\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2012-11-29T00:00:00", "title": "Fedora 17 : weechat-0.3.8-4.fc17 (2012-18526)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5534"], "modified": "2018-11-28T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:weechat"], "id": "FEDORA_2012-18526.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63086", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-18526.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63086);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/28 22:47:44\");\n\n script_cve_id(\"CVE-2012-5534\");\n script_bugtraq_id(56584);\n script_xref(name:\"FEDORA\", value:\"2012-18526\");\n\n script_name(english:\"Fedora 17 : weechat-0.3.8-4.fc17 (2012-18526)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix arbitrary code execution due to call of shell when executing\ncommand within hook_process\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=878025\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-November/093495.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?47b96b2d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected weechat package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:weechat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/11/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/11/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"weechat-0.3.8-4.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"weechat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-29T19:30:48", "references": ["http://www.nessus.org/u?fa45376d", "https://bugzilla.redhat.com/show_bug.cgi?id=878025"], "pluginID": "63052", "description": "Fix arbitrary code execution due to call of shell when executing command within hook_process\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2012-11-27T00:00:00", "title": "Fedora 18 : weechat-0.3.8-4.fc18 (2012-18494)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5534"], "modified": "2018-11-28T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:weechat"], "id": "FEDORA_2012-18494.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63052", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-18494.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63052);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/28 22:47:44\");\n\n script_cve_id(\"CVE-2012-5534\");\n script_bugtraq_id(56584);\n script_xref(name:\"FEDORA\", value:\"2012-18494\");\n\n script_name(english:\"Fedora 18 : weechat-0.3.8-4.fc18 (2012-18494)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix arbitrary code execution due to call of shell when executing\ncommand within hook_process\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=878025\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-November/093260.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fa45376d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected weechat package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:weechat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/11/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"weechat-0.3.8-4.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"weechat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:32:52", "references": ["https://alas.aws.amazon.com/ALAS-2013-153.html"], "pluginID": "69712", "description": "The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.", "edition": 5, "reporter": "Tenable", "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : php-ZendFramework (ALAS-2013-153)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Libmemcached", "p-cpe:/a:amazon:linux:php-ZendFramework-extras", "p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Pgsql", "p-cpe:/a:amazon:linux:php-ZendFramework-Pdf", "p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Memcached", "p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mssql", "p-cpe:/a:amazon:linux:php-ZendFramework-demos", "p-cpe:/a:amazon:linux:php-ZendFramework-Ldap", "p-cpe:/a:amazon:linux:php-ZendFramework-Auth-Adapter-Ldap", "p-cpe:/a:amazon:linux:php-ZendFramework-Search-Lucene", "p-cpe:/a:amazon:linux:php-ZendFramework-Soap", "p-cpe:/a:amazon:linux:php-ZendFramework-Captcha", "p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Apc", "p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Mysqli", "p-cpe:/a:amazon:linux:php-ZendFramework-Services", "p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mysql", "p-cpe:/a:amazon:linux:php-ZendFramework-full", "p-cpe:/a:amazon:linux:php-ZendFramework-Serializer-Adapter-Igbinary", "p-cpe:/a:amazon:linux:php-ZendFramework", "p-cpe:/a:amazon:linux:php-ZendFramework-Dojo", "p-cpe:/a:amazon:linux:php-ZendFramework-Feed", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo"], "id": "ALA_ALAS-2013-153.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69712", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-153.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69712);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/04/18 15:09:34\");\n\n script_cve_id(\"CVE-2012-5657\");\n script_xref(name:\"ALAS\", value:\"2013-153\");\n\n script_name(english:\"Amazon Linux AMI : php-ZendFramework (ALAS-2013-153)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in\nZend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow\nremote attackers to read arbitrary files, send HTTP requests to\nintranet servers, and possibly cause a denial of service (CPU and\nmemory consumption) via an XML External Entity (XXE) attack.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2013-153.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update php-ZendFramework' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Auth-Adapter-Ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Apc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Libmemcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Cache-Backend-Memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Captcha\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Mysqli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mssql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Db-Adapter-Pdo-Pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Dojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Feed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Search-Lucene\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Serializer-Adapter-Igbinary\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-Soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-demos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-extras\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ZendFramework-full\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Auth-Adapter-Ldap-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Cache-Backend-Apc-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Cache-Backend-Libmemcached-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Captcha-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Mysqli-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Pdo-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Dojo-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Feed-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Ldap-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Pdf-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Search-Lucene-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Serializer-Adapter-Igbinary-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Services-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-Soap-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-demos-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-extras-1.12.1-1.6.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"php-ZendFramework-full-1.12.1-1.6.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework / php-ZendFramework-Auth-Adapter-Ldap / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:08:27", "references": ["http://www.nessus.org/u?2b8eb4d2", "https://bugzilla.redhat.com/show_bug.cgi?id=889037"], "pluginID": "63629", "description": "Fixes for security relevant issue CVE-2012-5657\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2013-01-21T00:00:00", "title": "Fedora 18 : php-ZendFramework-1.12.1-1.fc18 (2013-0063)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:php-ZendFramework"], "id": "FEDORA_2013-0063.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63629", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0063.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63629);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2015/10/19 21:02:55 $\");\n\n script_cve_id(\"CVE-2012-5657\");\n script_xref(name:\"FEDORA\", value:\"2013-0063\");\n\n script_name(english:\"Fedora 18 : php-ZendFramework-1.12.1-1.fc18 (2013-0063)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for security relevant issue CVE-2012-5657\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=889037\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097117.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2b8eb4d2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"php-ZendFramework-1.12.1-1.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:55:37", "references": ["http://www.nessus.org/u?d8b54d4d", "https://bugzilla.redhat.com/show_bug.cgi?id=889037"], "pluginID": "63627", "description": "Fixes for security relevant issue CVE-2012-5657\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2013-01-21T00:00:00", "title": "Fedora 17 : php-ZendFramework-1.12.1-1.fc17 (2013-0057)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:php-ZendFramework"], "id": "FEDORA_2013-0057.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63627", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0057.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63627);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2015/10/19 21:02:55 $\");\n\n script_cve_id(\"CVE-2012-5657\");\n script_xref(name:\"FEDORA\", value:\"2013-0057\");\n\n script_name(english:\"Fedora 17 : php-ZendFramework-1.12.1-1.fc17 (2013-0057)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for security relevant issue CVE-2012-5657\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=889037\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097136.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d8b54d4d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"php-ZendFramework-1.12.1-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-01T23:54:29", "references": ["http://www.nessus.org/u?a74a61b9", "https://bugzilla.redhat.com/show_bug.cgi?id=889037"], "pluginID": "63628", "description": "Fixes for security relevant issue CVE-2012-5657\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2013-01-21T00:00:00", "title": "Fedora 16 : php-ZendFramework-1.12.1-1.fc16 (2013-0061)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2015-10-19T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-ZendFramework", "cpe:/o:fedoraproject:fedora:16"], "id": "FEDORA_2013-0061.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63628", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-0061.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63628);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2015/10/19 21:02:55 $\");\n\n script_cve_id(\"CVE-2012-5657\");\n script_xref(name:\"FEDORA\", value:\"2013-0061\");\n\n script_name(english:\"Fedora 16 : php-ZendFramework-1.12.1-1.fc16 (2013-0061)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fixes for security relevant issue CVE-2012-5657\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=889037\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/097131.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a74a61b9\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-ZendFramework package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"php-ZendFramework-1.12.1-1.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-ZendFramework\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-09-02T00:02:44", "references": [], "pluginID": "66127", "description": "Updated php-ZendFramework packages fix security vulnerabilities :\n\nZend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc in Zend Framework before 1.11.13 and 1.12.0 are vulnerable to XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement (ZF2012-02).\n\nA vulnerability was reported in Zend Framework versions prior to 1.11.15 and 1.12.1, which can be exploited to disclose certain sensitive information. This flaw is caused due to an error in the Zend_Feed_Rss and Zend_Feed_Atom classes of the Zend_Feed component, when processing XML data. It can be used to disclose the contents of certain local files by sending specially crafted XML data including external entity references (CVE-2012-5657, ZF2012-05).", "edition": 5, "reporter": "Tenable", "published": "2013-04-20T00:00:00", "title": "Mandriva Linux Security Advisory : php-ZendFramework (MDVSA-2013:115)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2018-07-19T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:php-ZendFramework-Captcha", "p-cpe:/a:mandriva:linux:php-ZendFramework-demos", "p-cpe:/a:mandriva:linux:php-ZendFramework-Services", "p-cpe:/a:mandriva:linux:php-ZendFramework-Pdf", "p-cpe:/a:mandriva:linux:php-ZendFramework-Search-Lucene", "p-cpe:/a:mandriva:linux:php-ZendFramework-Cache-Backend-Apc", "p-cpe:/a:mandriva:linux:php-ZendFramework", "p-cpe:/a:mandriva:linux:php-ZendFramework-Cache-Backend-Memcached", "p-cpe:/a:mandriva:linux:php-ZendFramework-Dojo", "p-cpe:/a:mandriva:linux:php-ZendFramework-Gdata", "p-cpe:/a:mandriva:linux:php-ZendFramework-Feed", "p-cpe:/a:mandriva:linux:php-ZendFramework-tests", "p-cpe:/a:mandriva:linux:php-ZendFramework-extras"], "id": "MANDRIVA_MDVSA-2013-115.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=66127", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:115. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66127);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2018/07/19 20:59:18\");\n\n script_cve_id(\"CVE-2012-5657\");\n script_bugtraq_id(56982);\n script_xref(name:\"MDVSA\", value:\"2013:115\");\n script_xref(name:\"MGASA\", value:\"2012-0367\");\n\n script_name(english:\"Mandriva Linux Security Advisory : php-ZendFramework (MDVSA-2013:115)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated php-ZendFramework packages fix security vulnerabilities :\n\nZend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc in Zend Framework\nbefore 1.11.13 and 1.12.0 are vulnerable to XML Entity Expansion (XEE)\nvectors, leading to Denial of Service vectors. XEE attacks occur when\nthe XML DOCTYPE declaration includes XML entity definitions that\ncontain either recursive or circular references; this leads to CPU and\nmemory consumption, making Denial of Service exploits trivial to\nimplement (ZF2012-02).\n\nA vulnerability was reported in Zend Framework versions prior to\n1.11.15 and 1.12.1, which can be exploited to disclose certain\nsensitive information. This flaw is caused due to an error in the\nZend_Feed_Rss and Zend_Feed_Atom classes of the Zend_Feed component,\nwhen processing XML data. It can be used to disclose the contents of\ncertain local files by sending specially crafted XML data including\nexternal entity references (CVE-2012-5657, ZF2012-05).\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Cache-Backend-Apc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Cache-Backend-Memcached\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Captcha\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Dojo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Feed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Gdata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Pdf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Search-Lucene\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-Services\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-demos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-extras\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:php-ZendFramework-tests\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Cache-Backend-Apc-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Captcha-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Dojo-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Feed-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Gdata-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Pdf-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Search-Lucene-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-Services-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-demos-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-extras-1.12.1-1.1.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", reference:\"php-ZendFramework-tests-1.12.1-1.1.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-11-11T12:43:54", "references": ["https://www.debian.org/security/2013/dsa-2602", "https://packages.debian.org/source/squeeze/zendframework", "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696483"], "pluginID": "63433", "description": "Yury Dyachenko discovered that Zend Framework uses the PHP XML parser in an insecure way, allowing attackers to open files and trigger HTTP requests, potentially accessing restricted information.", "edition": 7, "reporter": "Tenable", "published": "2013-01-09T00:00:00", "title": "Debian DSA-2602-1 : zendframework - XML external entity inclusion", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5657"], "modified": "2018-11-10T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:zendframework"], "id": "DEBIAN_DSA-2602.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=63433", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2602. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(63433);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/10 11:49:35\");\n\n script_cve_id(\"CVE-2012-5657\");\n script_bugtraq_id(56982);\n script_xref(name:\"DSA\", value:\"2602\");\n\n script_name(english:\"Debian DSA-2602-1 : zendframework - XML external entity inclusion\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Yury Dyachenko discovered that Zend Framework uses the PHP XML parser\nin an insecure way, allowing attackers to open files and trigger HTTP\nrequests, potentially accessing restricted information.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696483\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/zendframework\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2013/dsa-2602\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the zendframework packages.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 1.10.6-1squeeze2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:zendframework\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"zendframework\", reference:\"1.10.6-1squeeze2\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"zendframework-bin\", reference:\"1.10.6-1squeeze2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:46", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-2602-1 security@debian.org\r\nhttp://www.debian.org/security/ Florian Weimer\r\nJanuary 08, 2013 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : zendframework\r\nVulnerability : XML external entity inclusion\r\nProblem type : remote\r\nDebian-specific: no\r\nCVE ID : CVE-2012-5657\r\nDebian Bug : 696483\r\n\r\nYury Dyachenko discovered that Zend Framework uses the PHP XML parser\r\nin an insecure way, allowing attackers to open files and trigger HTTP\r\nrequests, potentially accessing restricted information.\r\n\r\nFor the stable distribution (squeeze), this problem has been fixed in\r\nversion 1.10.6-1squeeze2.\r\n\r\nFor the testing distribution (wheezy), this problem has been fixed in\r\nversion 1.11.13-1.1.\r\n\r\nFor the unstable distribution (sid), this problem has been fixed in\r\nversion 1.11.13-1.1.\r\n\r\nWe recommend that you upgrade your zendframework packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: http://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niQEcBAEBAgAGBQJQ7Gb6AAoJEL97/wQC1SS+4U0H/2jTQI7RX2qiMTouR63726zq\r\napXl7/MH+DkXGxTzm+0gHAE5oPGv9xoSNw+TN9QS9ltGOnSJywEphDc5B3IthbSd\r\naD4lHXlFdu4EZqKTUrCKcWcxFQxoPbHdCkt/yCujkUF+KljHVLdx5mm7/+416NBV\r\nKrZHr7ni9Cekp6wWMj3zYE+mSGeBhgElvBBWAdDudMbtS7RlpqMqO3UhSdbM1mXz\r\n6sOzXCBWDEtCwrJM7LgCNZyJT8ZZPv/8A3l23r0uhA5Nw2sUs3k9GSUMd6aylJTe\r\nBgBKYYUiZRGoMxgBWyCgogTMh27G37A535haUUZGv93M0GyivlBVTkezZKwvzQs=\r\n=I6pV\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2013-01-10T00:00:00", "title": "[SECURITY] [DSA 2602-1] zendframework security update", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:46", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2012-5657"], "modified": "2013-01-10T00:00:00", "id": "SECURITYVULNS:DOC:28944", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28944", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:46", "references": [], "description": "\r\n\r\nAdvisory ID: HTB23135\r\nProduct: Quick.Cms, Quick.Cart\r\nVendor: OpenSolution team\r\nVulnerable Version(s): Quick.Cms 5.0, Quick.Cart 6.0 and probably prior\r\nTested Version: Quick.Cms 5.0, Quick.Cart 6.0\r\nVendor Notification: December 19, 2012 \r\nVendor Patch: December 20, 2012 \r\nPublic Disclosure: January 9, 2013 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2012-6430\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: Medium \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered XSS vulnerability in Quick.Cms and Quick.Cart - two products developed by OpenSolution team, which can be exploited to perform cross-site scripting attacks.\r\n\r\n\r\n1. Cross-Site Scripting (XSS) vulnerability in Quick.Cms and Quick.Cart: CVE-2012-6430\r\n\r\nThe vulnerability exists due to insufficient filtration of user-supplied data in URI in the "admin.php" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the "alert()" JavaScript function to display administrator's cookies: \r\n\r\n\r\nhttp://[host]/admin.php/')"></select><script>alert(document.cookie);</script>/\r\n\r\n\r\nNevertheless, a remote attacker can create an exploit for this vulnerability to bypass application's CSRF protection mechanism based on the HTTP Referer header and get access to privileged functions of the application. To do so he have to trick a logged-in administrator to click on a malicious link with XSS exploit.\r\n\r\nPoC (Prof-of-Concept) code below will change administrator's password to "password":\r\n\r\nhttp://[host]/admin.php/')"></select><form action="http://[host]/admin.php%3fp=tools-config" method="post"><input type="hidden" name="login" value="login"><input type="hidden" name="pass" value="password"><input type="submit" id="btn" name="sOption"></form><script>document.getElementById('btn').click();</script>/\r\n\r\nSuccessful exploitation of the vulnerability requires that Apache directive "AcceptPathInfo" is set to "on" or "default" (default value is "default").\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nVendor fixed the vulnerabilities without adding information to Changelog. \r\nUpgrade to Quick.Cms 5.0 and Quick.Cart 6.0 released after December 19, 2012\r\n\r\nMore Information:\r\nhttp://opensolution.org/download,en,18.html?sDir=Quick.Cart\r\nhttp://opensolution.org/download,en,18.html?sDir=Quick.Cms\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23135 - https://www.htbridge.com/advisory/HTB23135 - Cross-Site Scripting (XSS) vulnerability in Quick.Cms and Quick.Cart.\r\n[2] Quick.Cms and Quick.Cart - http://opensolution.org/ - Simple and easy to use or modify content management system (CMS) and shopping cart.\r\n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2013-01-10T00:00:00", "title": "Cross-Site Scripting (XSS) vulnerability in Quick.Cms and Quick.Cart", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:46", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2012-6430"], "modified": "2013-01-10T00:00:00", "id": "SECURITYVULNS:DOC:28937", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28937", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:59", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3265-1 security@debian.org\r\nhttp://www.debian.org/security/ David PrA\u00a9vot\r\nMay 20, 2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : zendframework\r\nCVE ID : CVE-2014-2681 CVE-2014-2682 CVE-2014-2683 CVE-2014-2684 \r\n CVE-2014-2685 CVE-2014-4914 CVE-2014-8088 CVE-2014-8089 \r\n CVE-2015-3154\r\nDebian Bug : 743175 754201\r\n\r\nMultiple vulnerabilities were discovered in Zend Framework, a PHP\r\nframework. Except for CVE-2015-3154, all these issues were already fixed\r\nin the version initially shipped with Jessie.\r\n\r\nCVE-2014-2681\r\n\r\n Lukas Reschke reported a lack of protection against XML External\r\n Entity injection attacks in some functions. This fix extends the\r\n incomplete one from CVE-2012-5657.\r\n\r\nCVE-2014-2682\r\n\r\n Lukas Reschke reported a failure to consider that the\r\n libxml_disable_entity_loader setting is shared among threads in the\r\n PHP-FPM case. This fix extends the incomplete one from\r\n CVE-2012-5657.\r\n\r\nCVE-2014-2683\r\n\r\n Lukas Reschke reported a lack of protection against XML Entity\r\n Expansion attacks in some functions. This fix extends the incomplete\r\n one from CVE-2012-6532.\r\n\r\nCVE-2014-2684\r\n\r\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\r\n Bochum reported an error in the consumer's verify method that lead\r\n to acceptance of wrongly sourced tokens.\r\n\r\nCVE-2014-2685\r\n\r\n Christian Mainka and Vladislav Mladenov from the Ruhr-University\r\n Bochum reported a specification violation in which signing of a\r\n single parameter is incorrectly considered sufficient.\r\n\r\nCVE-2014-4914\r\n\r\n Cassiano Dal Pizzol discovered that the implementation of the ORDER\r\n BY SQL statement in Zend_Db_Select contains a potential SQL\r\n injection when the query string passed contains parentheses.\r\n\r\nCVE-2014-8088\r\n\r\n Yury Dyachenko at Positive Research Center identified potential XML\r\n eXternal Entity injection vectors due to insecure usage of PHP's DOM\r\n extension.\r\n\r\nCVE-2014-8089\r\n\r\n Jonas SandstrA\u00b6m discovered an SQL injection vector when manually\r\n quoting value for sqlsrv extension, using null byte.\r\n\r\nCVE-2015-3154\r\n\r\n Filippo Tessarotto and Maks3w reported potential CRLF injection\r\n attacks in mail and HTTP headers.\r\n\r\nFor the oldstable distribution (wheezy), these problems have been fixed\r\nin version 1.11.13-1.1+deb7u1.\r\n\r\nFor the stable distribution (jessie), these problems have been fixed in\r\nversion 1.12.9+dfsg-2+deb8u1.\r\n\r\nFor the testing distribution (stretch), these problems will be fixed\r\nin version 1.12.12+dfsg-1.\r\n\r\nFor the unstable distribution (sid), these problems have been fixed in\r\nversion 1.12.12+dfsg-1.\r\n\r\nWe recommend that you upgrade your zendframework packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBCgAGBQJVXFXVAAoJEK+lG9bN5XPLIDIP/1ebw6gwJq+uzc/FNeGben3Q\r\nZqbp2akoh4wVVaLBUUWlUSohzpoW48GgTje2eRxBAIasneZHmOwcwjzdpgAdwFhe\r\nh0Xj3Pi0PMvdo9jQIBLWD/GQe8bD9YXlaEvq1D6OayEE0h27k6mrplfG7rwWsmdS\r\nG1o7P8Tnh27PifkVCzSyB43bHTgInRGfmrjoid9AWmOOYnTjuq47oexOaqgE/mQh\r\nXKKKtxlv6ru4ac+XRv06aUJmYQG4LQZJpL3wJ+d0CqIlCsSVP7pDP2X/1/Pqmdms\r\nWLBX4C4N/AM7+C/7P54rPn6uHBemhLBwJLH78cM+3kcEJ6wDuuWk7NYovv4hzXkz\r\n7CDC6nGgi5+YUaUzaiWM+VuwMWDckFAzGIg22wP/moJzSeqG/GfwVpA5AAD0XosV\r\nWW7iPgwnJFj/WWr5doBZ7LVBj/Pd56eAUJY9q4aY7GeDIFf65VD2Zd2jMIleVjSW\r\nq4I/hCElJgMiBza/066ToIfa7TB+Cutj/Fofpdq+Um7mP2GCdYPsMcxPzz6QRbt8\r\nBqcNWVKgktp/9T/yaTkPKkSWn9o1lSSV1urVWCNPg7pgrh9OVC8Ov0fqD0qOvnd4\r\nN4xAuKWnOtyn7Zwbz+vDwBzc47cbAlhx/y1M0v10D2Kf32kXdgC3C0PzK8wUcYvY\r\nXBGbffEaDb86ez3TbNmy\r\n=T2BR\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-06-08T00:00:00", "title": "[SECURITY] [DSA 3265-1] zendframework security update", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:59", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-3154", "CVE-2014-8088", "CVE-2012-6532", "CVE-2014-2685", "CVE-2014-2682", "CVE-2014-8089", "CVE-2014-2684", "CVE-2014-4914", "CVE-2012-5657", "CVE-2014-2683", "CVE-2014-2681"], "modified": "2015-06-08T00:00:00", "id": "SECURITYVULNS:DOC:32176", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32176", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:09", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Dojo-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Dojo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Ldap-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Ldap", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Cache-Backend-Apc-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Cache-Backend-Apc", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Search-Lucene-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Search-Lucene", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Pdf-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Pdf", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Db-Adapter-Mysqli-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Db-Adapter-Mysqli", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-extras-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-extras", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Db-Adapter-Pdo-Mysql", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Cache-Backend-Libmemcached-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Cache-Backend-Libmemcached", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-demos-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-demos", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Db-Adapter-Pdo-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Db-Adapter-Pdo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Services-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Services", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-full-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-full", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Soap-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Soap", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Cache-Backend-Memcached", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "src", "packageFilename": "php-ZendFramework-1.12.1-1.6.amzn1.src.rpm", "packageName": "php-ZendFramework", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Feed-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Feed", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Serializer-Adapter-Igbinary-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Serializer-Adapter-Igbinary", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Db-Adapter-Pdo-Mssql", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Captcha-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Captcha", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Auth-Adapter-Ldap-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Auth-Adapter-Ldap", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.12.1-1.6.amzn1", "arch": "noarch", "packageFilename": "php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.1-1.6.amzn1.noarch.rpm", "packageName": "php-ZendFramework-Db-Adapter-Pdo-Pgsql", "operator": "lt"}], "description": "**Issue Overview:**\n\nThe (1) Zend_Feed_Rss and (2) Zend_Feed_Atom classes in Zend_Feed in Zend Framework 1.11.x before 1.11.15 and 1.12.x before 1.12.1 allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service (CPU and memory consumption) via an XML External Entity (XXE) attack.\n\n \n**Affected Packages:** \n\n\nphp-ZendFramework\n\n \n**Issue Correction:** \nRun _yum update php-ZendFramework_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n noarch: \n php-ZendFramework-Serializer-Adapter-Igbinary-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-demos-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Cache-Backend-Memcached-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Search-Lucene-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Pdf-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Captcha-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Services-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Ldap-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Cache-Backend-Apc-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Auth-Adapter-Ldap-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-extras-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Feed-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Soap-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-full-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Dojo-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Db-Adapter-Mysqli-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Cache-Backend-Libmemcached-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.1-1.6.amzn1.noarch \n php-ZendFramework-Db-Adapter-Pdo-1.12.1-1.6.amzn1.noarch \n \n src: \n php-ZendFramework-1.12.1-1.6.amzn1.src \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2014-09-15T22:24:00", "title": "Medium: php-ZendFramework", "type": "amazon", "enchantments": {"score": {"modified": "2018-10-02T16:55:09", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-5657"], "modified": "2014-09-15T22:24:00", "id": "ALAS-2013-153", "href": "https://alas.aws.amazon.com/ALAS-2013-153.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-04T07:33:47", "osvdbidlist": ["89120"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Quick.Cms/Quick.Cart Cross Site Scripting Vulnerability. CVE-2012-6430. Webapps exploit for php platform", "reporter": "High-Tech Bridge", "published": "2013-01-09T00:00:00", "type": "exploitdb", "title": "Quick.Cms/Quick.Cart Cross Site Scripting Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6430"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2013-01-09T00:00:00", "id": "EDB-ID:38207", "href": "https://www.exploit-db.com/exploits/38207/", "sourceData": "source: http://www.securityfocus.com/bid/57254/info\r\n\r\nQuick.Cms and Quick.Cart are prone to a cross-site scripting vulnerability because they fail to sanitize user-supplied input.\r\n\r\nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.\r\n\r\nThe following products are vulnerable:\r\n\r\nQuick.Cms 5.0\r\nQuick.Cart 6.0 \r\n\r\nhttp://www.example.com/admin.php/')\"></select><script>alert(document.cookie);</script>/ ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/38207/"}], "gentoo": [{"lastseen": "2016-09-06T19:46:00", "references": ["https://bugs.gentoo.org/show_bug.cgi?id=449826", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6496"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "2.3.14-r1", "packageName": "dev-ruby/activerecord", "packageFilename": "UNKNOWN", "arch": "all", "operator": "lt"}], "description": "### Background\n\nActive Record is a Ruby gem that allows database entries to be manipulated as objects. \n\n### Description\n\nAn Active Record method parameter can mistakenly be used as a scope.\n\n### Impact\n\nA remote attacker could use specially crafted input to execute arbitrary SQL statements. \n\n### Workaround\n\nThe vulnerability may be mitigated by converting the input to an expected value. This is accomplished by changing instances of \u2018Post.find_by_id(params[:id])\u2019 in code using Active Record to \u2018Post.find_by_id(params[:id].to_s)\u2019 \n\n### Resolution\n\nAll Active Record users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-ruby/activerecord-2.3.14-r1\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2014-01-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "Active Record: SQL injection", "bulletinFamily": "unix", "cvelist": ["CVE-2012-6496"], "modified": "2014-01-21T00:00:00", "id": "GLSA-201401-22", "href": "https://security.gentoo.org/glsa/201401-22", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-06T19:46:58", "references": ["https://bugs.gentoo.org/show_bug.cgi?id=442600", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5534", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5854"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "0.3.9.2", "packageName": "net-irc/weechat", "packageFilename": "UNKNOWN", "arch": "all", "operator": "lt"}], "description": "### Background\n\nWee Enhanced Environment for Chat (WeeChat) is a light and extensible console IRC client. \n\n### Description\n\nTwo vulnerabilities have been discovered in WeeChat:\n\n * The hook_process() function does not properly handle shell expansions (CVE-2012-5534). \n * WeeChat does not properly decode colors which could cause a heap-based buffer overflow (CVE-2012-5854). \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted script or send messages with specially crafted colors, possibly resulting in execution of arbitrary code with the privileges of the process, or a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll WeeChat users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-irc/weechat-0.3.9.2\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2014-05-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "WeeChat: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5854", "CVE-2012-5534"], "modified": "2014-05-03T00:00:00", "id": "GLSA-201405-03", "href": "https://security.gentoo.org/glsa/201405-03", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-01-10T11:18:55", "references": [], "edition": 2, "description": "Quick.Cms version 5.0 and Quick.Cart version 6.0 suffer from a cross site scripting vulnerability.", "reporter": "High-Tech Bridge", "published": "2013-01-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "zdt", "title": "Quick.Cms 5.0 / Quick.Cart 6.0 Cross Site Scripting Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6430"], "modified": "2013-01-10T00:00:00", "id": "1337DAY-ID-20141", "href": "https://0day.today/exploit/description/20141", "sourceData": "Product: Quick.Cms, Quick.Cart\r\nVendor: OpenSolution team\r\nVulnerable Version(s): Quick.Cms 5.0, Quick.Cart 6.0 and probably prior\r\nTested Version: Quick.Cms 5.0, Quick.Cart 6.0\r\nVendor Notification: December 19, 2012 \r\nVendor Patch: December 20, 2012 \r\nPublic Disclosure: January 9, 2013 \r\nVulnerability Type: Cross-Site Scripting [CWE-79]\r\nCVE Reference: CVE-2012-6430\r\nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)\r\nSolution Status: Fixed by Vendor\r\nRisk Level: Medium \r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered XSS vulnerability in Quick.Cms and Quick.Cart - two products developed by OpenSolution team, which can be exploited to perform cross-site scripting attacks.\r\n\r\n\r\n1. Cross-Site Scripting (XSS) vulnerability in Quick.Cms and Quick.Cart: CVE-2012-6430\r\n\r\nThe vulnerability exists due to insufficient filtration of user-supplied data in URI in the \"admin.php\" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.\r\n\r\nThe exploitation example below uses the \"alert()\" JavaScript function to display administrator's cookies: \r\n\r\n\r\nhttp://[host]/admin.php/')\"></select><script>alert(document.cookie);</script>/\r\n\r\n\r\nNevertheless, a remote attacker can create an exploit for this vulnerability to bypass application's CSRF protection mechanism based on the HTTP Referer header and get access to privileged functions of the application. To do so he have to trick a logged-in administrator to click on a malicious link with XSS exploit.\r\n\r\nPoC (Prof-of-Concept) code below will change administrator's password to \"password\":\r\n\r\nhttp://[host]/admin.php/')\"></select><form action=\"http://[host]/admin.php%3fp=tools-config\" method=\"post\"><input type=\"hidden\" name=\"login\" value=\"login\"><input type=\"hidden\" name=\"pass\" value=\"password\"><input type=\"submit\" id=\"btn\" name=\"sOption\"></form><script>document.getElementById('btn').click();</script>/\r\n\r\nSuccessful exploitation of the vulnerability requires that Apache directive \"AcceptPathInfo\" is set to \"on\" or \"default\" (default value is \"default\").\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nVendor fixed the vulnerabilities without adding information to Changelog. \r\nUpgrade to Quick.Cms 5.0 and Quick.Cart 6.0 released after December 19, 2012\r\n\r\nMore Information:\r\nhttp://opensolution.org/download,en,18.html?sDir=Quick.Cart\r\nhttp://opensolution.org/download,en,18.html?sDir=Quick.Cms\r\n\r\n-----------------------------------------------------------------------------------------------\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/20141"}], "freebsd": [{"lastseen": "2016-09-26T17:24:33", "references": ["https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "3.2.10", "packageName": "rubygem-rails", "arch": "noarch", "packageFilename": "UNKNOWN", "operator": "lt"}], "edition": 1, "description": "\nRuby on Rails team reports:\n\nThere is a SQL injection vulnerability in Active Record in ALL\n\t versions. Due to the way dynamic finders in Active Record extract\n\t options from method parameters, a method parameter can mistakenly\n\t be used as a scope. Carefully crafted requests can use the scope\n\t to inject arbitrary SQL.\n\n", "reporter": "FreeBSD", "published": "2013-01-02T00:00:00", "title": "rubygem-rails -- SQL injection vulnerability", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-5664"], "modified": "2013-01-02T00:00:00", "href": "https://vuxml.freebsd.org/freebsd/b4051b52-58fa-11e2-853b-00262d5ed8ee.html", "id": "B4051B52-58FA-11E2-853B-00262D5ED8EE", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:56", "references": [], "edition": 1, "description": "", "reporter": "High-Tech Bridge SA", "published": "2013-01-10T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "type": "packetstorm", "title": "Quick.Cms 5.0 / Quick.Cart 6.0 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-6430"], "modified": "2013-01-10T00:00:00", "href": "https://packetstormsecurity.com/files/119422/Quick.Cms-5.0-Quick.Cart-6.0-Cross-Site-Scripting.html", "id": "PACKETSTORM:119422", "sourceData": "`Advisory ID: HTB23135 \nProduct: Quick.Cms, Quick.Cart \nVendor: OpenSolution team \nVulnerable Version(s): Quick.Cms 5.0, Quick.Cart 6.0 and probably prior \nTested Version: Quick.Cms 5.0, Quick.Cart 6.0 \nVendor Notification: December 19, 2012 \nVendor Patch: December 20, 2012 \nPublic Disclosure: January 9, 2013 \nVulnerability Type: Cross-Site Scripting [CWE-79] \nCVE Reference: CVE-2012-6430 \nCVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \nSolution Status: Fixed by Vendor \nRisk Level: Medium \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered XSS vulnerability in Quick.Cms and Quick.Cart - two products developed by OpenSolution team, which can be exploited to perform cross-site scripting attacks. \n \n \n1. Cross-Site Scripting (XSS) vulnerability in Quick.Cms and Quick.Cart: CVE-2012-6430 \n \nThe vulnerability exists due to insufficient filtration of user-supplied data in URI in the \"admin.php\" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \n \nThe exploitation example below uses the \"alert()\" JavaScript function to display administrator's cookies: \n \n \nhttp://[host]/admin.php/')\"></select><script>alert(document.cookie);</script>/ \n \n \nNevertheless, a remote attacker can create an exploit for this vulnerability to bypass application's CSRF protection mechanism based on the HTTP Referer header and get access to privileged functions of the application. To do so he have to trick a logged-in administrator to click on a malicious link with XSS exploit. \n \nPoC (Prof-of-Concept) code below will change administrator's password to \"password\": \n \nhttp://[host]/admin.php/')\"></select><form action=\"http://[host]/admin.php%3fp=tools-config\" method=\"post\"><input type=\"hidden\" name=\"login\" value=\"login\"><input type=\"hidden\" name=\"pass\" value=\"password\"><input type=\"submit\" id=\"btn\" name=\"sOption\"></form><script>document.getElementById('btn').click();</script>/ \n \nSuccessful exploitation of the vulnerability requires that Apache directive \"AcceptPathInfo\" is set to \"on\" or \"default\" (default value is \"default\"). \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nVendor fixed the vulnerabilities without adding information to Changelog. \nUpgrade to Quick.Cms 5.0 and Quick.Cart 6.0 released after December 19, 2012 \n \nMore Information: \nhttp://opensolution.org/download,en,18.html?sDir=Quick.Cart \nhttp://opensolution.org/download,en,18.html?sDir=Quick.Cms \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23135 - https://www.htbridge.com/advisory/HTB23135 - Cross-Site Scripting (XSS) vulnerability in Quick.Cms and Quick.Cart. \n[2] Quick.Cms and Quick.Cart - http://opensolution.org/ - Simple and easy to use or modify content management system (CMS) and shopping cart. \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/119422/quickcmscart-xss.txt", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "htbridge": [{"lastseen": "2017-06-23T23:08:16", "_object_types": ["robots.models.base.Bulletin", "robots.models.htbridge.HTBridgeBulletin"], "references": [], "description": "High-Tech Bridge Security Research Lab discovered XSS vulnerability in Quick.Cms and Quick.Cart - two products developed by OpenSolution team, which can be exploited to perform cross-site scripting attacks. \n \n1\\. Cross-Site Scripting (XSS) vulnerability in Quick.Cms and Quick.Cart: CVE-2012-6430 \nThe vulnerability exists due to insufficient filtration of user-supplied data in URI in the \"admin.php\" script. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website. \nThe exploitation example below uses the \"alert()\" JavaScript function to display administrator's cookies: \nhttp://[host]/admin.php/')\"></select><script>alert(document.cookie);</script >/ \nNevertheless, a remote attacker can create an exploit for this vulnerability to bypass application's CSRF protection mechanism based on the HTTP Referer header and get access to privileged functions of the application. To do so he have to trick a logged-in administrator to click on a malicious link with XSS exploit. \nPoC (Prof-of-Concept) code below will change administrator's password to \"password\": \nhttp://[host]/admin.php/')\"></select><form action=\"http://[host]/admin.php%3fp=tools-config\" method=\"post\"><input type=\"hidden\" name=\"login\" value=\"login\"><input type=\"hidden\" name=\"pass\" value=\"password\"><input type=\"submit\" id=\"btn\" name=\"sOption\"></form><script>document.getElementById('btn').click();</scrip t>/ \nSuccessful exploitation of the vulnerability requires that Apache directive \"AcceptPathInfo\" is set to \"on\" or \"default\" (default value is \"default\").\n", "reporter": "High-Tech Bridge", "published": "2012-12-19T00:00:00", "type": "htbridge", "title": "Cross-Site Scripting (XSS) vulnerability in Quick.Cms and Quick.Cart", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Quick.Cms, Quick.Cart", "version": "6.0", "operator": "le"}, {"name": "Quick.Cms, Quick.Cart", "version": "5.0", "operator": "le"}], "cvelist": ["CVE-2012-6430"], "_object_type": "robots.models.htbridge.HTBridgeBulletin", "modified": "2012-12-20T00:00:00", "id": "HTB23135", "href": "https://www.htbridge.com/advisory/HTB23135", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N/"}}], "suse": [{"lastseen": "2016-09-04T11:28:41", "references": ["https://bugzilla.novell.com/789146", "https://bugzilla.novell.com/790217"], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat", "packageFilename": "weechat-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-debuginfo", "packageFilename": "weechat-debuginfo-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-python-debuginfo", "packageFilename": "weechat-python-debuginfo-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-aspell", "packageFilename": "weechat-aspell-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-perl-debuginfo", "packageFilename": "weechat-perl-debuginfo-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-lang", "packageFilename": "weechat-lang-0.3.3-7.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-perl", "packageFilename": "weechat-perl-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat", "packageFilename": "weechat-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-python-debuginfo", "packageFilename": "weechat-python-debuginfo-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-ruby-debuginfo", "packageFilename": "weechat-ruby-debuginfo-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-aspell-debuginfo", "packageFilename": "weechat-aspell-debuginfo-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-perl-debuginfo", "packageFilename": "weechat-perl-debuginfo-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-devel", "packageFilename": "weechat-devel-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-perl", "packageFilename": "weechat-perl-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-ruby", "packageFilename": "weechat-ruby-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-aspell-debuginfo", "packageFilename": "weechat-aspell-debuginfo-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-tcl", "packageFilename": "weechat-tcl-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-lua", "packageFilename": "weechat-lua-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-ruby-debuginfo", "packageFilename": "weechat-ruby-debuginfo-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-tcl", "packageFilename": "weechat-tcl-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-ruby", "packageFilename": "weechat-ruby-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-lua-debuginfo", "packageFilename": "weechat-lua-debuginfo-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-debugsource", "packageFilename": "weechat-debugsource-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-aspell", "packageFilename": "weechat-aspell-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-devel", "packageFilename": "weechat-devel-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-tcl-debuginfo", "packageFilename": "weechat-tcl-debuginfo-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-python", "packageFilename": "weechat-python-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-debugsource", "packageFilename": "weechat-debugsource-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-python", "packageFilename": "weechat-python-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-tcl-debuginfo", "packageFilename": "weechat-tcl-debuginfo-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-lua-debuginfo", "packageFilename": "weechat-lua-debuginfo-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-debuginfo", "packageFilename": "weechat-debuginfo-0.3.3-7.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "0.3.3-7.1", "packageName": "weechat-lua", "packageFilename": "weechat-lua-0.3.3-7.1.i586.rpm", "arch": "i586", "operator": "lt"}], "description": "- added weechat-fix-hook_process-shell-injection.patch\n which fixes a shell injection vulnerability in the\n hook_process function (bnc#790217, CVE-2012-5534)\n - added\n weechat-fix-buffer-overflow-in-irc-color-decoding.patch\n which fixes a heap-based overflow when decoding IRC\n colors in strings (bnc#789146, CVE-2012-5854)\n\n", "edition": 1, "reporter": "Suse", "published": "2013-01-23T14:05:56", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "title": "weechat (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2012-5854", "CVE-2012-5534"], "modified": "2013-01-23T14:05:56", "id": "OPENSUSE-SU-2013:0150-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00018.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:47:49", "references": ["https://bugzilla.novell.com/800320", "https://bugzilla.novell.com/766792", "https://bugzilla.novell.com/775653", "https://bugzilla.novell.com/796712", "https://bugzilla.novell.com/797449", "https://bugzilla.novell.com/797452", "https://bugzilla.novell.com/775649", "https://bugzilla.novell.com/798458", "https://bugzilla.novell.com/798452"], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activeresource-2_3-testsuite", "packageFilename": "rubygem-activeresource-2_3-testsuite-2.3.16-0.16.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.16-0.16.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.19.1", "packageName": "rubygem-activerecord-2_3-testsuite", "packageFilename": "rubygem-activerecord-2_3-testsuite-2.3.16-0.19.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.23.1", "packageName": "rubygem-actionpack-2_3-doc", "packageFilename": "rubygem-actionpack-2_3-doc-2.3.16-0.23.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.6.1", "packageName": "rubygem-activesupport", "packageFilename": "rubygem-activesupport-2.3.16-0.6.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activeresource-2_3-doc", "packageFilename": "rubygem-activeresource-2_3-doc-2.3.16-0.16.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.6.1", "packageName": "rubygem-rails", "packageFilename": "rubygem-rails-2.3.16-0.6.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.19.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.16-0.19.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-actionmailer-2_3-doc", "packageFilename": "rubygem-actionmailer-2_3-doc-2.3.16-0.16.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.6.1", "packageName": "rubygem-actionmailer", "packageFilename": "rubygem-actionmailer-2.3.16-0.6.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.16-0.16.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.16-0.16.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.23.1", "packageName": "rubygem-actionpack-2_3-testsuite", "packageFilename": "rubygem-actionpack-2_3-testsuite-2.3.16-0.23.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-actionmailer-2_3-doc", "packageFilename": "rubygem-actionmailer-2_3-doc-2.3.16-0.16.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.6.1", "packageName": "rubygem-actionpack", "packageFilename": "rubygem-actionpack-2.3.16-0.6.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.12.1", "packageName": "rubygem-rails-2_3-doc", "packageFilename": "rubygem-rails-2_3-doc-2.3.16-0.12.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.12.1", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.16-0.12.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.19.1", "packageName": "rubygem-activerecord-2_3-testsuite", "packageFilename": "rubygem-activerecord-2_3-testsuite-2.3.16-0.19.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-actionmailer-2_3-testsuite", "packageFilename": "rubygem-actionmailer-2_3-testsuite-2.3.16-0.16.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activesupport-2_3-doc", "packageFilename": "rubygem-activesupport-2_3-doc-2.3.16-0.16.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.16-0.16.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.19.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.16-0.19.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-actionmailer-2_3-testsuite", "packageFilename": "rubygem-actionmailer-2_3-testsuite-2.3.16-0.16.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.16-0.16.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.19.1", "packageName": "rubygem-activerecord-2_3-doc", "packageFilename": "rubygem-activerecord-2_3-doc-2.3.16-0.19.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "1.1.5-0.8.1", "packageName": "rubygem-rack", "packageFilename": "rubygem-rack-1.1.5-0.8.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activeresource-2_3-testsuite", "packageFilename": "rubygem-activeresource-2_3-testsuite-2.3.16-0.16.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activeresource-2_3-doc", "packageFilename": "rubygem-activeresource-2_3-doc-2.3.16-0.16.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.12.1", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.16-0.12.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.23.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.16-0.23.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.12.1", "packageName": "rubygem-rails-2_3-doc", "packageFilename": "rubygem-rails-2_3-doc-2.3.16-0.12.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.23.1", "packageName": "rubygem-actionpack-2_3-testsuite", "packageFilename": "rubygem-actionpack-2_3-testsuite-2.3.16-0.23.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.16-0.16.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.6.1", "packageName": "rubygem-activerecord", "packageFilename": "rubygem-activerecord-2.3.16-0.6.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.23.1", "packageName": "rubygem-actionpack-2_3-doc", "packageFilename": "rubygem-actionpack-2_3-doc-2.3.16-0.23.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "1.1.5-0.8.1", "packageName": "rubygem-rack", "packageFilename": "rubygem-rack-1.1.5-0.8.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.16.1", "packageName": "rubygem-activesupport-2_3-doc", "packageFilename": "rubygem-activesupport-2_3-doc-2.3.16-0.16.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.19.1", "packageName": "rubygem-activerecord-2_3-doc", "packageFilename": "rubygem-activerecord-2_3-doc-2.3.16-0.19.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.6.1", "packageName": "rubygem-activeresource", "packageFilename": "rubygem-activeresource-2.3.16-0.6.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "11.4", "packageVersion": "2.3.16-0.23.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.16-0.23.1.i586.rpm", "arch": "i586", "operator": "lt"}], "description": "This update updates the RubyOnRails 2.3 stack to 2.3.16.\n\n Security and bugfixes were done, foremost: CVE-2013-0333: A\n JSON sql/code injection problem was fixed. CVE-2012-5664: A\n SQL Injection Vulnerability in Active Record was fixed.\n CVE-2012-2695: A SQL injection via nested hashes in\n conditions was fixed. CVE-2013-0155: Unsafe Query\n Generation Risk in Ruby on Rails was fixed. CVE-2013-0156:\n Multiple vulnerabilities in parameter parsing in Action\n Pack were fixed. CVE-2012-5664: options hashes should only\n be extracted if there are extra parameters CVE-2012-2695:\n Fix SQL injection via nested hashes in conditions\n CVE-2013-0156: Hash.from_xml raises when it encounters\n type="symbol" or type="yaml". Use Hash.from_trusted_xml to\n parse this XM\n\n", "edition": 1, "reporter": "Suse", "published": "2013-02-12T11:04:29", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "title": "ruby on rails to 2.3.16 (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2013-0156", "CVE-2013-0155", "CVE-2013-0333", "CVE-2012-5664"], "modified": "2013-02-12T11:04:29", "id": "OPENSUSE-SU-2013:0280-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00005.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:59:55", "references": ["https://bugzilla.novell.com/800320", "https://bugzilla.novell.com/766792", "https://bugzilla.novell.com/775653", "https://bugzilla.novell.com/796712", "https://bugzilla.novell.com/797449", "https://bugzilla.novell.com/797452", "https://bugzilla.novell.com/775649", "https://bugzilla.novell.com/798458", "https://bugzilla.novell.com/798452"], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.3", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-2_3-2.3.16-3.9.3.x86_64.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.1.5-6.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_1-1.1.5-6.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_1", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-railties-3_2-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-railties-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-activerecord-3_2-doc-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-activerecord-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-2.7.1", "arch": "noarch", "packageFilename": "rubygem-rails-2.3.16-2.7.1.noarch.rpm", "packageName": "rubygem-rails", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-activesupport-3_2-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-activesupport-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-activeresource-3_2-doc-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-activeresource-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.16.2", "arch": "x86_64", "packageFilename": "rubygem-actionpack-2_3-2.3.16-3.16.2.x86_64.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.4.1-2.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_4-testsuite-1.4.1-2.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_4-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-2.7.1", "arch": "noarch", "packageFilename": "rubygem-actionpack-2.3.16-2.7.1.noarch.rpm", "packageName": "rubygem-actionpack", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.9.1", "arch": "i586", "packageFilename": "rubygem-activesupport-2_3-2.3.16-3.9.1.i586.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.4.1-2.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_4-1.4.1-2.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "1.1.5-3.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_1-doc-1.1.5-3.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_1-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-3.9.4", "arch": "x86_64", "packageFilename": "rubygem-actionpack-3_2-doc-3.2.11-3.9.4.x86_64.rpm", "packageName": "rubygem-actionpack-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.3", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-2_3-doc-2.3.16-3.9.3.x86_64.rpm", "packageName": "rubygem-actionmailer-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.12.2", "arch": "x86_64", "packageFilename": "rubygem-activerecord-2_3-doc-2.3.16-3.12.2.x86_64.rpm", "packageName": "rubygem-activerecord-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-rails-3_2-doc-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-rails-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-activesupport-3_2-doc-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-activesupport-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.5", "arch": "i586", "packageFilename": "rubygem-actionmailer-3_2-3.2.11-2.9.5.i586.rpm", "packageName": "rubygem-actionmailer-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.3", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-2_3-testsuite-2.3.16-2.5.3.x86_64.rpm", "packageName": "rubygem-actionmailer-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-2.7.1", "arch": "noarch", "packageFilename": "rubygem-activerecord-2.3.16-2.7.1.noarch.rpm", "packageName": "rubygem-activerecord", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.2", "arch": "x86_64", "packageFilename": "rubygem-activeresource-2_3-testsuite-2.3.16-2.5.2.x86_64.rpm", "packageName": "rubygem-activeresource-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.1.5-6.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_1-testsuite-1.1.5-6.5.1.i586.rpm", "packageName": "rubygem-rack-1_1-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.9.2", "arch": "x86_64", "packageFilename": "rubygem-activerecord-2_3-testsuite-2.3.16-2.9.2.x86_64.rpm", "packageName": "rubygem-activerecord-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-activeresource-3_2-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-activeresource-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "1.1.5-3.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_1-doc-1.1.5-3.5.1.i586.rpm", "packageName": "rubygem-rack-1_1-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.2", "arch": "x86_64", "packageFilename": "rubygem-activeresource-2_3-2.3.16-2.5.2.x86_64.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.5.1", "arch": "x86_64", "packageFilename": "rubygem-rails-2_3-doc-2.3.16-3.5.1.x86_64.rpm", "packageName": "rubygem-rails-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.13.3", "arch": "i586", "packageFilename": "rubygem-actionpack-2_3-doc-2.3.16-2.13.3.i586.rpm", "packageName": "rubygem-actionpack-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.9.2", "arch": "i586", "packageFilename": "rubygem-activerecord-2_3-doc-2.3.16-2.9.2.i586.rpm", "packageName": "rubygem-activerecord-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-activeresource-3_2-doc-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-activeresource-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.2", "arch": "x86_64", "packageFilename": "rubygem-activeresource-2_3-2.3.16-3.9.2.x86_64.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.13.1", "arch": "i586", "packageFilename": "rubygem-activesupport-2_3-doc-2.3.16-3.13.1.i586.rpm", "packageName": "rubygem-activesupport-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.5.1", "arch": "x86_64", "packageFilename": "rubygem-rails-2_3-2.3.16-3.5.1.x86_64.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.2", "arch": "x86_64", "packageFilename": "rubygem-activeresource-2_3-doc-2.3.16-2.5.2.x86_64.rpm", "packageName": "rubygem-activeresource-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.3", "arch": "i586", "packageFilename": "rubygem-actionmailer-2_3-testsuite-2.3.16-2.5.3.i586.rpm", "packageName": "rubygem-actionmailer-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.1.5-6.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_1-testsuite-1.1.5-6.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_1-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.5.1", "arch": "noarch", "packageFilename": "rubygem-activeresource-2.3.16-3.5.1.noarch.rpm", "packageName": "rubygem-activeresource", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.2", "arch": "x86_64", "packageFilename": "rubygem-activemodel-3_2-3.2.11-2.9.2.x86_64.rpm", "packageName": "rubygem-activemodel-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.9.2", "arch": "x86_64", "packageFilename": "rubygem-activerecord-2_3-doc-2.3.16-2.9.2.x86_64.rpm", "packageName": "rubygem-activerecord-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.13.1", "arch": "i586", "packageFilename": "rubygem-activesupport-2_3-2.3.16-3.13.1.i586.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.3.9-2.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_3-doc-1.3.9-2.5.1.i586.rpm", "packageName": "rubygem-rack-1_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-2.7.1", "arch": "noarch", "packageFilename": "rubygem-actionmailer-2.3.16-2.7.1.noarch.rpm", "packageName": "rubygem-actionmailer", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.5.1", "arch": "i586", "packageFilename": "rubygem-rails-2_3-doc-2.3.16-3.5.1.i586.rpm", "packageName": "rubygem-rails-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.9.1", "arch": "x86_64", "packageFilename": "rubygem-activesupport-2_3-2.3.16-3.9.1.x86_64.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-activesupport-3_2-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-activesupport-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.5", "arch": "i586", "packageFilename": "rubygem-actionmailer-3_2-doc-3.2.11-2.9.5.i586.rpm", "packageName": "rubygem-actionmailer-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-railties-3_2-doc-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-railties-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.2", "arch": "x86_64", "packageFilename": "rubygem-activeresource-2_3-doc-2.3.16-3.9.2.x86_64.rpm", "packageName": "rubygem-activeresource-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-railties-3_2-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-railties-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.12.2", "arch": "x86_64", "packageFilename": "rubygem-activerecord-2_3-2.3.16-3.12.2.x86_64.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.16.2", "arch": "i586", "packageFilename": "rubygem-actionpack-2_3-testsuite-2.3.16-3.16.2.i586.rpm", "packageName": "rubygem-actionpack-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.2.7-2.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_2-doc-1.2.7-2.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.16.2", "arch": "i586", "packageFilename": "rubygem-actionpack-2_3-2.3.16-3.16.2.i586.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.4.1-2.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_4-testsuite-1.4.1-2.5.1.i586.rpm", "packageName": "rubygem-rack-1_4-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.16.2", "arch": "x86_64", "packageFilename": "rubygem-actionpack-2_3-doc-2.3.16-3.16.2.x86_64.rpm", "packageName": "rubygem-actionpack-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.13.3", "arch": "i586", "packageFilename": "rubygem-actionpack-2_3-2.3.16-2.13.3.i586.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.3", "arch": "i586", "packageFilename": "rubygem-actionmailer-2_3-2.3.16-2.5.3.i586.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.5", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-3_2-doc-3.2.11-2.9.5.x86_64.rpm", "packageName": "rubygem-actionmailer-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.2.2-2.2", "arch": "x86_64", "packageFilename": "rubygem-sprockets-2_2-2.2.2-2.2.x86_64.rpm", "packageName": "rubygem-sprockets-2_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "1.1.5-3.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_1-1.1.5-3.5.1.i586.rpm", "packageName": "rubygem-rack-1_1", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-activeresource-3_2-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-activeresource-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.2", "arch": "x86_64", "packageFilename": "rubygem-activemodel-3_2-doc-3.2.11-2.9.2.x86_64.rpm", "packageName": "rubygem-activemodel-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-3.9.4", "arch": "i586", "packageFilename": "rubygem-actionpack-3_2-3.2.11-3.9.4.i586.rpm", "packageName": "rubygem-actionpack-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.9.1", "arch": "x86_64", "packageFilename": "rubygem-activesupport-2_3-doc-2.3.16-3.9.1.x86_64.rpm", "packageName": "rubygem-activesupport-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.2.7-2.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_2-1.2.7-2.5.1.i586.rpm", "packageName": "rubygem-rack-1_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.2", "arch": "i586", "packageFilename": "rubygem-activemodel-3_2-doc-3.2.11-2.9.2.i586.rpm", "packageName": "rubygem-activemodel-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.13.3", "arch": "x86_64", "packageFilename": "rubygem-actionpack-2_3-testsuite-2.3.16-2.13.3.x86_64.rpm", "packageName": "rubygem-actionpack-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.1.5-6.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_1-doc-1.1.5-6.5.1.i586.rpm", "packageName": "rubygem-rack-1_1-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.5.1", "arch": "i586", "packageFilename": "rubygem-rails-2_3-2.3.16-3.5.1.i586.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.3", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-2_3-2.3.16-2.5.3.x86_64.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-3.9.4", "arch": "x86_64", "packageFilename": "rubygem-actionpack-3_2-3.2.11-3.9.4.x86_64.rpm", "packageName": "rubygem-actionpack-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.4.1-2.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_4-doc-1.4.1-2.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_4-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.3", "arch": "i586", "packageFilename": "rubygem-actionmailer-2_3-doc-2.3.16-3.9.3.i586.rpm", "packageName": "rubygem-actionmailer-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.2.7-2.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_2-doc-1.2.7-2.5.1.i586.rpm", "packageName": "rubygem-rack-1_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.2", "arch": "i586", "packageFilename": "rubygem-activeresource-2_3-testsuite-2.3.16-2.5.2.i586.rpm", "packageName": "rubygem-activeresource-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.13.3", "arch": "i586", "packageFilename": "rubygem-actionpack-2_3-testsuite-2.3.16-2.13.3.i586.rpm", "packageName": "rubygem-actionpack-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.2", "arch": "i586", "packageFilename": "rubygem-activemodel-3_2-3.2.11-2.9.2.i586.rpm", "packageName": "rubygem-activemodel-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.1.5-6.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_1-doc-1.1.5-6.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_1-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-rails-3_2-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-rails-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.5.1", "arch": "noarch", "packageFilename": "rubygem-activesupport-2.3.16-3.5.1.noarch.rpm", "packageName": "rubygem-activesupport", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.3.9-2.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_3-doc-1.3.9-2.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-activesupport-3_2-doc-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-activesupport-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.3", "arch": "i586", "packageFilename": "rubygem-actionmailer-2_3-testsuite-2.3.16-3.9.3.i586.rpm", "packageName": "rubygem-actionmailer-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.2.7-2.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_2-testsuite-1.2.7-2.5.1.i586.rpm", "packageName": "rubygem-rack-1_2-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.9.2", "arch": "i586", "packageFilename": "rubygem-activerecord-2_3-2.3.16-2.9.2.i586.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.9.2", "arch": "x86_64", "packageFilename": "rubygem-activerecord-2_3-2.3.16-2.9.2.x86_64.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.1", "arch": "noarch", "packageFilename": "rubygem-actionpack-2.3.16-2.5.1.noarch.rpm", "packageName": "rubygem-actionpack", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.3", "arch": "i586", "packageFilename": "rubygem-actionmailer-2_3-2.3.16-3.9.3.i586.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.5.1", "arch": "noarch", "packageFilename": "rubygem-rails-2.3.16-3.5.1.noarch.rpm", "packageName": "rubygem-rails", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-activerecord-3_2-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-activerecord-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.1", "arch": "x86_64", "packageFilename": "rubygem-rails-2_3-2.3.16-3.9.1.x86_64.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.13.1", "arch": "x86_64", "packageFilename": "rubygem-activesupport-2_3-doc-2.3.16-3.13.1.x86_64.rpm", "packageName": "rubygem-activesupport-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.2", "arch": "i586", "packageFilename": "rubygem-activeresource-2_3-testsuite-2.3.16-3.9.2.i586.rpm", "packageName": "rubygem-activeresource-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.4.1-2.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_4-doc-1.4.1-2.5.1.i586.rpm", "packageName": "rubygem-rack-1_4-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-2.7.1", "arch": "noarch", "packageFilename": "rubygem-activesupport-2.3.16-2.7.1.noarch.rpm", "packageName": "rubygem-activesupport", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.16.2", "arch": "x86_64", "packageFilename": "rubygem-actionpack-2_3-testsuite-2.3.16-3.16.2.x86_64.rpm", "packageName": "rubygem-actionpack-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-3.9.4", "arch": "i586", "packageFilename": "rubygem-actionpack-3_2-doc-3.2.11-3.9.4.i586.rpm", "packageName": "rubygem-actionpack-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.9.2", "arch": "i586", "packageFilename": "rubygem-activerecord-2_3-testsuite-2.3.16-2.9.2.i586.rpm", "packageName": "rubygem-activerecord-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-rails-3_2-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-rails-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.16.2", "arch": "i586", "packageFilename": "rubygem-actionpack-2_3-doc-2.3.16-3.16.2.i586.rpm", "packageName": "rubygem-actionpack-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.2.2-2.2", "arch": "x86_64", "packageFilename": "rubygem-sprockets-2_2-doc-2.2.2-2.2.x86_64.rpm", "packageName": "rubygem-sprockets-2_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-activerecord-3_2-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-activerecord-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.3.9-2.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_3-testsuite-1.3.9-2.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.2", "arch": "i586", "packageFilename": "rubygem-activeresource-2_3-doc-2.3.16-2.5.2.i586.rpm", "packageName": "rubygem-activeresource-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.13.3", "arch": "x86_64", "packageFilename": "rubygem-actionpack-2_3-doc-2.3.16-2.13.3.x86_64.rpm", "packageName": "rubygem-actionpack-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.3", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-2_3-testsuite-2.3.16-3.9.3.x86_64.rpm", "packageName": "rubygem-actionmailer-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "1.1.5-3.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_1-testsuite-1.1.5-3.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_1-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.12.2", "arch": "i586", "packageFilename": "rubygem-activerecord-2_3-2.3.16-3.12.2.i586.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.2", "arch": "i586", "packageFilename": "rubygem-activeresource-2_3-2.3.16-3.9.2.i586.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.3.9-2.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_3-1.3.9-2.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-railties-3_2-doc-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-railties-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "1.1.5-3.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_1-testsuite-1.1.5-3.5.1.i586.rpm", "packageName": "rubygem-rack-1_1-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.3.9-2.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_3-testsuite-1.3.9-2.5.1.i586.rpm", "packageName": "rubygem-rack-1_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.13.3", "arch": "x86_64", "packageFilename": "rubygem-actionpack-2_3-2.3.16-2.13.3.x86_64.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.12.2", "arch": "i586", "packageFilename": "rubygem-activerecord-2_3-testsuite-2.3.16-3.12.2.i586.rpm", "packageName": "rubygem-activerecord-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.1", "arch": "i586", "packageFilename": "rubygem-rails-2_3-2.3.16-3.9.1.i586.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.3.9-2.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_3-1.3.9-2.5.1.i586.rpm", "packageName": "rubygem-rack-1_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.2", "arch": "x86_64", "packageFilename": "rubygem-activeresource-2_3-testsuite-2.3.16-3.9.2.x86_64.rpm", "packageName": "rubygem-activeresource-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.5", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-3_2-3.2.11-2.9.5.x86_64.rpm", "packageName": "rubygem-actionmailer-3_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "i586", "packageFilename": "rubygem-rails-3_2-doc-3.2.11-2.9.1.i586.rpm", "packageName": "rubygem-rails-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.3", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-2_3-doc-2.3.16-2.5.3.x86_64.rpm", "packageName": "rubygem-actionmailer-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.2.7-2.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_2-1.2.7-2.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.2.2-2.2", "arch": "i586", "packageFilename": "rubygem-sprockets-2_2-2.2.2-2.2.i586.rpm", "packageName": "rubygem-sprockets-2_2", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.1.5-6.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_1-1.1.5-6.5.1.i586.rpm", "packageName": "rubygem-rack-1_1", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.4.1-2.5.1", "arch": "i586", "packageFilename": "rubygem-rack-1_4-1.4.1-2.5.1.i586.rpm", "packageName": "rubygem-rack-1_4", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "1.2.7-2.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_2-testsuite-1.2.7-2.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_2-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.12.2", "arch": "i586", "packageFilename": "rubygem-activerecord-2_3-doc-2.3.16-3.12.2.i586.rpm", "packageName": "rubygem-activerecord-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.12.2", "arch": "x86_64", "packageFilename": "rubygem-activerecord-2_3-testsuite-2.3.16-3.12.2.x86_64.rpm", "packageName": "rubygem-activerecord-2_3-testsuite", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.3", "arch": "i586", "packageFilename": "rubygem-actionmailer-2_3-doc-2.3.16-2.5.3.i586.rpm", "packageName": "rubygem-actionmailer-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.13.1", "arch": "x86_64", "packageFilename": "rubygem-activesupport-2_3-2.3.16-3.13.1.x86_64.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "3.2.11-2.9.1", "arch": "x86_64", "packageFilename": "rubygem-activerecord-3_2-doc-3.2.11-2.9.1.x86_64.rpm", "packageName": "rubygem-activerecord-3_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-2.7.1", "arch": "noarch", "packageFilename": "rubygem-activeresource-2.3.16-2.7.1.noarch.rpm", "packageName": "rubygem-activeresource", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.1", "arch": "x86_64", "packageFilename": "rubygem-rails-2_3-doc-2.3.16-3.9.1.x86_64.rpm", "packageName": "rubygem-rails-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "1.1.5-3.5.1", "arch": "x86_64", "packageFilename": "rubygem-rack-1_1-1.1.5-3.5.1.x86_64.rpm", "packageName": "rubygem-rack-1_1", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.5.1", "arch": "noarch", "packageFilename": "rubygem-activerecord-2.3.16-3.5.1.noarch.rpm", "packageName": "rubygem-activerecord", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.1", "arch": "noarch", "packageFilename": "rubygem-actionmailer-2.3.16-2.5.1.noarch.rpm", "packageName": "rubygem-actionmailer", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.2.2-2.2", "arch": "i586", "packageFilename": "rubygem-sprockets-2_2-doc-2.2.2-2.2.i586.rpm", "packageName": "rubygem-sprockets-2_2-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-2.5.2", "arch": "i586", "packageFilename": "rubygem-activeresource-2_3-2.3.16-2.5.2.i586.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.1", "arch": "i586", "packageFilename": "rubygem-rails-2_3-doc-2.3.16-3.9.1.i586.rpm", "packageName": "rubygem-rails-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.2", "packageVersion": "2.3.16-3.9.1", "arch": "i586", "packageFilename": "rubygem-activesupport-2_3-doc-2.3.16-3.9.1.i586.rpm", "packageName": "rubygem-activesupport-2_3-doc", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "12.1", "packageVersion": "2.3.16-3.9.2", "arch": "i586", "packageFilename": "rubygem-activeresource-2_3-doc-2.3.16-3.9.2.i586.rpm", "packageName": "rubygem-activeresource-2_3-doc", "operator": "lt"}], "description": "This update updates the RubyOnRails 2.3 stack to 2.3.16,\n also this update updates the RubyOnRails 3.2 stack to\n 3.2.11.\n\n Security and bugfixes were done, foremost: CVE-2013-0333: A\n JSON sql/code injection problem was fixed. CVE-2012-5664: A\n SQL Injection Vulnerability in Active Record was fixed.\n CVE-2012-2695: A SQL injection via nested hashes in\n conditions was fixed. CVE-2013-0155: Unsafe Query\n Generation Risk in Ruby on Rails was fixed. CVE-2013-0156:\n Multiple vulnerabilities in parameter parsing in Action\n Pack were fixed.\n\n", "edition": 1, "reporter": "Suse", "published": "2013-02-12T10:10:39", "title": "ruby on rails to 2.3.16 (important)", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2013-0156", "CVE-2013-0155", "CVE-2013-0333", "CVE-2012-5664"], "modified": "2013-02-12T10:10:39", "id": "OPENSUSE-SU-2013:0278-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00003.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:13:40", "references": ["https://bugzilla.novell.com/803339", "https://bugzilla.novell.com/800320", "http://download.novell.com/patch/finder/?keywords=262e345a7ecb482ffca687eedd6b610a", "https://bugzilla.novell.com/796712", "https://bugzilla.novell.com/797449", "https://bugzilla.novell.com/797452", "https://bugzilla.novell.com/803336"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ppc64", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.9.1.ppc64.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ppc64", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.9.1.ppc64.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "s390x", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.9.1.s390x.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "SUSE Cloud", "OSVersion": "1.0", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-rails-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "s390x", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.9.1.s390x.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ia64", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.9.1.ia64.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ppc64", "packageFilename": "rubygem-rails-2_3-2.3.17-0.9.1.ppc64.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "SUSE Cloud", "OSVersion": "1.0", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ia64", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.9.1.ia64.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ia64", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.9.1.ia64.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "s390x", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.9.1.s390x.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ppc64", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.9.1.ppc64.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "SUSE Cloud", "OSVersion": "1.0", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-rails-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.8.1", "arch": "noarch", "packageFilename": "rubygem-rails-2.3.17-0.8.1.noarch.rpm", "packageName": "rubygem-rails", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "s390x", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.9.1.s390x.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "SUSE Cloud", "OSVersion": "1.0", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "i586", "packageFilename": "rubygem-rails-2_3-2.3.17-0.9.1.i586.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ppc64", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.9.1.ppc64.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "i586", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.9.1.i586.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "i586", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.9.1.i586.rpm", "packageName": "rubygem-activerecord-2_3", "operator": "lt"}, {"OS": "SUSE Cloud", "OSVersion": "1.0", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}, {"OS": "SUSE Cloud", "OSVersion": "1.0", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "s390x", "packageFilename": "rubygem-rails-2_3-2.3.17-0.9.1.s390x.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "s390x", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.9.1.s390x.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "x86_64", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.9.1.x86_64.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ia64", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.9.1.ia64.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "i586", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.9.1.i586.rpm", "packageName": "rubygem-actionpack-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ppc64", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.9.1.ppc64.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ia64", "packageFilename": "rubygem-rails-2_3-2.3.17-0.9.1.ia64.rpm", "packageName": "rubygem-rails-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "ia64", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.9.1.ia64.rpm", "packageName": "rubygem-activeresource-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "i586", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.9.1.i586.rpm", "packageName": "rubygem-actionmailer-2_3", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.2", "packageVersion": "2.3.17-0.9.1", "arch": "i586", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.9.1.i586.rpm", "packageName": "rubygem-activesupport-2_3", "operator": "lt"}], "description": "The Ruby on Rails stack has been updated to 2.3.17 to fix\n various security issues and bugs.\n\n The rails gems have been updated to fix:\n\n * Unsafe Query Generation Risk in Ruby on Rails\n (CVE-2013-0155)\n * Multiple vulnerabilities in parameter parsing in\n Action Pack (CVE-2013-0156)\n * activerecord: SQL Injection (CVE-2012-5664)\n * rails: Vulnerability in JSON Parser in Ruby on Rails\n 3.0 and 2.3 (CVE-2013-0333)\n * activerecord: Circumvention of attr_protected\n (CVE-2013-0276)\n * activerecord: Serialized Attributes YAML\n Vulnerability with Rails 2.3 and 3.0 (CVE-2013-0277)\n", "edition": 1, "reporter": "Suse", "published": "2013-03-19T18:04:46", "title": "Security update for Ruby On Rails (important)", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0276", "CVE-2013-0156", "CVE-2013-0277", "CVE-2013-0155", "CVE-2013-0333", "CVE-2012-5664"], "modified": "2013-03-19T18:04:46", "id": "SUSE-SU-2013:0486-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00035.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:49:16", "references": ["https://bugzilla.novell.com/803339", "https://bugzilla.novell.com/800320", "https://bugzilla.novell.com/796712", "https://bugzilla.novell.com/797449", "http://download.novell.com/patch/finder/?keywords=dfb687aafb848ceb562a7f371bb1ccf7", "https://bugzilla.novell.com/797452", "https://bugzilla.novell.com/803336"], "affectedPackage": [{"OS": "SUSE Studio Extension for System z", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Studio Extension for System z", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.6.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.2", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.17-0.6.2.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.6.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.6.1.ppc64.rpm", "arch": "ppc64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Studio Extension for System z", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Studio Standard Edition", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Studio Onsite", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.6.1.ppc64.rpm", "arch": "ppc64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.6.1.ppc64.rpm", "arch": "ppc64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Studio Extension for System z", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Studio Onsite", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.6.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Studio Onsite", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.2", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.17-0.6.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.6.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.2", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.17-0.6.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.6.1.ppc64.rpm", "arch": "ppc64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.6.1.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Studio Extension for System z", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Studio Standard Edition", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Studio Onsite", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Studio Standard Edition", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Studio Standard Edition", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Studio Standard Edition", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.2", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.17-0.6.2.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.2", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.17-0.6.2.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Studio Standard Edition", "OSVersion": "1.2", "packageVersion": "2.3.17-0.4.6.1", "packageName": "rubygem-rails", "packageFilename": "rubygem-rails-2.3.17-0.4.6.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "SUSE Studio Extension for System z", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.2", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.17-0.6.2.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.2", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.17-0.6.2.ppc64.rpm", "arch": "ppc64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.6.1.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Studio Onsite", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activesupport-2_3", "packageFilename": "rubygem-activesupport-2_3-2.3.17-0.6.1.ppc64.rpm", "arch": "ppc64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activerecord-2_3", "packageFilename": "rubygem-activerecord-2_3-2.3.17-0.6.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Studio Standard Edition", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.2", "packageName": "rubygem-rails-2_3", "packageFilename": "rubygem-rails-2_3-2.3.17-0.6.2.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.6.1.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-activeresource-2_3", "packageFilename": "rubygem-activeresource-2_3-2.3.17-0.6.1.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "SUSE Studio Onsite", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionmailer-2_3", "packageFilename": "rubygem-actionmailer-2_3-2.3.17-0.6.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.6.1.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "WebYaST", "OSVersion": "1.2", "packageVersion": "2.3.17-0.6.1", "packageName": "rubygem-actionpack-2_3", "packageFilename": "rubygem-actionpack-2_3-2.3.17-0.6.1.s390x.rpm", "arch": "s390x", "operator": "lt"}], "description": "The Ruby on Rails stack has been updated to 2.3.17 to fix\n various security issues and bugs.\n\n The rails gems were updated to fix:\n\n * Unsafe Query Generation Risk in Ruby on Rails\n (CVE-2013-0155)\n * Multiple vulnerabilities in parameter parsing in\n Action Pack (CVE-2013-0156)\n * SQL Injection Vulnerability in Active Record\n (CVE-2012-5664)\n * rails: Vulnerability in JSON Parser in Ruby on Rails\n 3.0 and 2.3 (CVE-2013-0333)\n * activerecord: Circumvention of attr_protected\n (CVE-2013-0276)\n * activerecord: Serialized Attributes YAML\n Vulnerability with Rails 2.3 and 3.0 (CVE-2013-0277)\n", "edition": 1, "reporter": "Suse", "published": "2013-04-03T20:06:19", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "title": "Security update for Ruby on Rails (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0276", "CVE-2013-0156", "CVE-2013-0277", "CVE-2013-0155", "CVE-2013-0333", "CVE-2012-5664"], "modified": "2013-04-03T20:06:19", "id": "SUSE-SU-2013:0606-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00000.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:31:56", "references": ["http://download.novell.com/patch/finder/?keywords=fe3baf16da4284805596caf983f71fcc", "https://bugzilla.novell.com/805759"], "affectedPackage": [{"OS": "SUSE Cloud", "OSVersion": "1.0", "packageVersion": "1.1.3-0.9.1", "packageFilename": "rubygem-merb-core-1.1.3-0.9.1.x86_64.rpm", "packageName": "rubygem-merb-core", "arch": "x86_64", "operator": "lt"}], "description": "rubygem-merb-core has been updated to change the rack\n version dependency. Now any rack 1.1 version is accepted.\n\n This update needs to be installed in parallel with the\n 2.3.17 rails update.\n", "edition": 1, "reporter": "Suse", "published": "2013-03-20T17:04:42", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Security update for rubygem-merb-core (important)", "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2012-6109", "CVE-2013-0156", "CVE-2013-0183", "CVE-2013-0155", "CVE-2013-0184", "CVE-2012-5664"], "modified": "2013-03-20T17:04:42", "id": "SUSE-SU-2013:0508-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00040.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-12-11T19:43:24", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.0.2-6.el6op", "arch": "x86_64", "packageName": "mongodb-debuginfo", "packageFilename": "mongodb-debuginfo-2.0.2-6.el6op.x86_64.rpm", "operator": "lt"}], "description": "Red Hat OpenShift Enterprise is a cloud computing Platform-as-a-Service\n(PaaS) solution designed for on-premise or private cloud deployments.\n\nRefer to the Red Hat OpenShift Enterprise 1.1 Release Notes for information\nabout the changes in this release. The Release Notes will be available\nshortly from https://access.redhat.com/knowledge/docs/\n\nThis update also fixes the following security issues:\n\nIt was found that the master cryptographic key of Jenkins could be\nretrieved via the HTTP server that is hosting Jenkins. A remote attacker\ncould use this flaw to access the server and execute arbitrary code with\nthe privileges of the user running Jenkins. Note that this issue only\naffected Jenkins instances that had slaves attached and that also allowed\nanonymous read access (not the default configuration). Manual action is\nalso required to correct this issue. Refer to \"Jenkins Security Advisory\n2013-01-04\", linked to in the References, for further information.\n(CVE-2013-0158)\n\nWhen the rhc-chk script was run in debug mode, its output included\nsensitive information, such as database passwords, in plain text. As this\nscript is commonly used when troubleshooting, this flaw could lead to users\nunintentionally exposing sensitive information in support channels (for\nexample, a Bugzilla report). This update removes the rhc-chk script.\n(CVE-2012-5658)\n\nMultiple flaws in the Jenkins web interface could allow a remote attacker\nto perform HTTP response splitting and cross-site scripting (XSS) attacks,\nas well as redirecting a victim to an arbitrary page by utilizing an open\nredirect flaw. (CVE-2012-6072, CVE-2012-6074, CVE-2012-6073)\n\nA flaw was found in the way rubygem-activerecord dynamic finders extracted\noptions from method parameters. A remote attacker could possibly use this\nflaw to perform SQL injection attacks against applications using the Active\nRecord dynamic finder methods. (CVE-2012-6496)\n\nThe openshift-port-proxy-cfg program created a temporary file in an\ninsecure way. A local attacker could use this flaw to perform a symbolic\nlink attack, overwriting an arbitrary file accessible to the root user with\na \"0\" or a \"1\", which could lead to a denial of service. By default,\nOpenShift uses polyinstantiation (per user) for the /tmp/ directory,\nminimizing the risk of exploitation by local attackers. (CVE-2013-0164)\n\nThe CVE-2013-0164 issue was discovered by Michael Scherer of the Red Hat\nRegional IT team.\n\nUsers of Red Hat OpenShift Enterprise 1.0 are advised to upgrade to Red Hat\nOpenShift Enterprise 1.1.\n", "reporter": "RedHat", "published": "2013-01-31T05:00:00", "type": "redhat", "title": "(RHSA-2013:0220) Important: Red Hat OpenShift Enterprise 1.1 update", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-5658", "CVE-2012-6072", "CVE-2012-6073", "CVE-2012-6074", "CVE-2012-6496", "CVE-2013-0158", "CVE-2013-0164"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-09T14:17:11", "id": "RHSA-2013:0220", "href": "https://access.redhat.com/errata/RHSA-2013:0220", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-11T19:42:20", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "3.0.10-8.el6cf", "arch": "noarch", "packageName": "rubygem-activerecord", "packageFilename": "rubygem-activerecord-3.0.10-8.el6cf.noarch.rpm", "operator": "lt"}], "description": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Action Pack implements the controller and the view\ncomponents. Active Record implements object-relational mapping for\naccessing database entries using objects. Active Support provides support\nand utility classes used by the Ruby on Rails framework.\n\nMultiple flaws were found in the way Ruby on Rails performed XML parameter\nparsing in HTTP requests. A remote attacker could use these flaws to\nexecute arbitrary code with the privileges of a Ruby on Rails application,\nperform SQL injection attacks, or bypass the authentication using a\nspecially-created HTTP request. (CVE-2013-0156)\n\nRed Hat is aware that a public exploit for the CVE-2013-0156 issues is\navailable that allows remote code execution in applications using Ruby on\nRails.\n\nMultiple input validation vulnerabilities were discovered in\nrubygem-activerecord. A remote attacker could possibly use these flaws to\nperform an SQL injection attack against an application using\nrubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2012-6496,\nCVE-2013-0155)\n\nMultiple input validation vulnerabilities were discovered in\nrubygem-actionpack. A remote attacker could possibly use these flaws to\nperform an SQL injection attack against an application using\nrubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)\n\nMultiple cross-site scripting (XSS) flaws were found in rubygem-actionpack.\nA remote attacker could use these flaws to conduct XSS attacks against\nusers of an application using rubygem-actionpack. (CVE-2012-3463,\nCVE-2012-3464, CVE-2012-3465)\n\nA flaw was found in the HTTP digest authentication implementation in\nrubygem-actionpack. A remote attacker could use this flaw to cause a\ndenial of service of an application using rubygem-actionpack and digest\nauthentication. (CVE-2012-3424)\n\nUsers are advised to upgrade to these updated rubygem-actionpack,\nrubygem-activesupport, and rubygem-activerecord packages, which resolve\nthese issues. Katello must be restarted (\"service katello restart\") for\nthis update to take effect.", "reporter": "RedHat", "published": "2013-01-11T01:37:00", "type": "redhat", "title": "(RHSA-2013:0154) Critical: Ruby on Rails security update", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2012-2660", "CVE-2012-2661", "CVE-2012-2694", "CVE-2012-2695", "CVE-2012-3424", "CVE-2012-3463", "CVE-2012-3464", "CVE-2012-3465", "CVE-2012-6496", "CVE-2013-0155", "CVE-2013-0156"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T09:00:59", "id": "RHSA-2013:0154", "href": "https://access.redhat.com/errata/RHSA-2013:0154", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
