Information Security News mailing list archives
Secunia Weekly Summary - Issue: 2008-8
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 22 Feb 2008 05:27:48 -0600 (CST)
========================================================================

The Secunia Weekly Advisory Summary
2008-02-14 - 2008-02-21

This week: 60 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia invites you to join us in the biggest IT Expo event of the year - the RSA Conference in the Moscone Center, San Francisco, California from 7 to 11 April 2008.

If you are interested in going to the expo exhibit and meeting us, please contact your Secunia Account Executive for a FREE EXPO PASS!

========================================================================
2) This Week in Brief:

Some vulnerabilities have been reported in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, or bypass certain security restrictions.

A security issue caused by a design error when handling input to file form fields can potentially be exploited to trick a user into uploading arbitrary files. This is related to a previously reported issue in Mozilla Firefox.

An error within the handling of custom comments in image properties can be exploited to execute arbitrary script code in the wrong security context when comments of a malicious image are displayed.

An error in the handling of attribute values when importing XML into a document can be exploited to bypass filters and conduct cross-site scripting attacks if these values are used as document content.
The vendor has released Opera version 9.26 to fix these issues. Users are urged to download the secure version as soon as possible.

For more information, refer to:
http://secunia.com/advisories/29029/

To find out if your home computer is vulnerable to any of these security problems, scan using the free Personal Software Inspector:
https://psi.secunia.com/

Check if a vulnerable version is installed on computers in your corporate network, using the Network Software Inspector:
http://secunia.com/network_software_inspector/

--

Some vulnerabilities, security issues, and a weakness have been reported in various BEA WebLogic products, which can be exploited by malicious users to conduct script insertion attacks, and by malicious people to conduct session fixation, cross-site scripting, or brute force attacks, disclose sensitive information, or to bypass certain security restrictions.

Some of the vulnerabilities are related to previously-known issues in prior versions of various BEA products.

The vulnerabilities are reported in various versions of BEA WebLogic Express, WebLogic Portal, WebLogic Server, and Workshop for WebLogic.

The vendor has released updates for all issues.

For more information, refer to:
http://secunia.com/advisories/29041/

--

A highly critical vulnerability has been reported in IBM Lotus Notes, which can be exploited by malicious people to compromise a user's system.

The vulnerability is due to an issue in Java, and is related to a vulnerability in Sun Java, which has been known since 2004.

Successful exploitation requires that the "Enable Java access from JavaScript" option is enabled.

The vulnerability is reported in versions 6.5.6 and 7.0, and has reportedly been fixed in version 7.0.2.

For more information, refer to:
http://secunia.com/advisories/29035/

--

VIRUS ALERTS:

During the past week Secunia collected 163 virus descriptions from the Antivirus vendors. However, none were deemed MEDIUM risk or higher according to the Secunia assessment scale.
========================================================================
3) This Week's Top Ten Most Read Advisories:

1.  [SA28935] Cisco Unified IP Phone Multiple Vulnerabilities
2.  [SA28980] Joomla! Quiz Component "tid" SQL Injection
3.  [SA28940] Joomla! McQuiz Component "tid" SQL Injection
4.  [SA28962] Joomla! mediaslide Component "albumnum" SQL Injection
5.  [SA28972] freePHPgallery "lang" Local File Inclusion
6.  [SA28835] Linux Kernel "vmsplice()" System Call Vulnerabilities
7.  [SA28923] PCRE Character Class Buffer Overflow
8.  [SA28979] FreeBSD update for ipsec
9.  [SA28928] FreeBSD "sendfile" Information Disclosure Security Issue
10. [SA28903] Microsoft Internet Explorer Multiple Vulnerabilities

========================================================================
4) Vulnerabilities Summary Listing

Windows:

[SA29035] IBM Lotus Notes Java Plug-in Sandbox Security Bypass
[SA29003] Now SMS/MMS Gateway HTTP/SMPP Handling Buffer Overflows
[SA29024] SmarterMail Subject Script Insertion Vulnerability
[SA29021] Kerio MailServer Multiple Vulnerabilities
[SA29007] webcamXP Denial of Service and Information Disclosure
[SA29002] freeSSHd SSH Server Denial of Service Vulnerability
[SA29011] EMC RepliStor Data Decompression Buffer Overflows
[SA29031] IBM Lotus Notes Java Applet Signature Execution Control List Security Bypass
[SA28984] StatCounteX "admin.asp" Security Bypass
[SA29033] Symantec Veritas Storage Foundation Scheduler Service Denial of Service
[SA29030] Hitachi EUR Print Manager Unspecified Denial of Service Vulnerability
[SA29005] DESlock+ DLMFDISK.sys/DLMFENC.sys Privilege Escalation Vulnerabilities

UNIX/Linux:

[SA29026] Kolab Server ClamAV Multiple Vulnerabilities
[SA29012] SWORD diatheke.pl Shell Command Injection Vulnerability
[SA29001] SUSE update for clamav
[SA28989] Mandriva update for xine-lib
[SA28983] SUSE update for acroread
[SA29017] LightBlog "username" Local File Inclusion
[SA28996] Fedora update for pcre
[SA28993] HP Tru64 UNIX Perl Regular Expressions Vulnerability
[SA28985] GNOME GLib PCRE Character Class Buffer Overflow
[SA28994] CUPS "process_browse_data()" Double Free Vulnerability
[SA29004] Lotus Quickr Unspecified Cross-Site Scripting Vulnerability
[SA28987] Fedora update for moin
[SA28982] Multiple Horde Products Security Bypass
[SA29028] Hitachi SEWB3/PLATFORM Unspecified Denial of Service
[SA29009] wyrd Insecure Temporary File
[SA28995] Linux Kernel Multiple Vulnerabilities
[SA28981] Fedora update for scponly
[SA28997] Avaya CMS Solaris X Window System Information Disclosure
[SA28990] Sun Solaris vuidmice STREAMS Modules Local Denial of Service

Other:

Cross Platform:

[SA29049] Netscape Multiple Vulnerabilities
[SA29047] Globsy "globsy_edit.php" Vulnerability
[SA29042] BEA JRockit Multiple Vulnerabilities
[SA29010] MoinMoin Multiple Vulnerabilities
[SA29044] Joomla hwdVideoShare Component "cat_id" SQL Injection
[SA29041] BEA WebLogic Products Multiple Vulnerabilities
[SA29034] Schoolwires Academic Portal browse.asp Cross-Site Scripting and SQL Injection
[SA29029] Opera Multiple Vulnerabilities
[SA29022] IBM DB2 Multiple Vulnerabilities
[SA29018] iScripts MultiCart "productid" SQL Injection Vulnerability
[SA29008] Joomla astatsPRO Component "id" SQL Injection Vulnerability
[SA29006] XPWeb "Download.php" Arbitrary File Download
[SA28998] Joomla! jooget Component "id" SQL Injection
[SA28992] BanPro-DMS "action" Local File Inclusion Vulnerability
[SA28991] BEA Products Information Disclosure Vulnerability
[SA28988] WordPress WP Photo Album Plugin "photo" SQL Injection
[SA28986] Joomla! Quran Component "surano" SQL Injection
[SA28980] Joomla! Quiz Component "tid" SQL Injection
[SA29050] Symantec Veritas Storage Foundation Administrator Service Buffer Overflow
[SA29045] Sybase SQL Anywhere MobiLink Buffer Overflow Vulnerability
[SA29055] Invision Power Board BBCodes Script Insertion Vulnerability
[SA29043] PunBB Password Change and Cross-Site Scripting
[SA29040] BEA Products "name" Cross-Site Scripting Vulnerability
[SA29039] Tor World CGI Scripts Multiple Unspecified Cross-Site Scripting Vulnerabilities
[SA29023] Jinzora Multiple Vulnerabilities
[SA29020] WoltLab Burning Board "sortOrder" SQL Injection
[SA29019] Lyris ListManager Security Bypass Vulnerabilities
[SA29016] ProjectPier Multiple Vulnerabilities
[SA29015] ATutor Script Insertion Vulnerabilities

========================================================================
5) Vulnerabilities Content Listing

Windows:
--

[SA29035] IBM Lotus Notes Java Plug-in Sandbox Security Bypass

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-20

A vulnerability has been reported in IBM Lotus Notes, which can be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29035/

--

[SA29003] Now SMS/MMS Gateway HTTP/SMPP Handling Buffer Overflows

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-20

Luigi Auriemma has discovered some vulnerabilities in Now SMS/MMS Gateway, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29003/

--

[SA29024] SmarterMail Subject Script Insertion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-20

Juan Pablo Lopez Yacubian has discovered a vulnerability in SmarterMail, which can be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/29024/

--

[SA29021] Kerio MailServer Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-19

Some vulnerabilities have been reported in Kerio MailServer, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29021/

--

[SA29007] webcamXP Denial of Service and Information Disclosure

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information, DoS
Released:    2008-02-19

Luigi Auriemma has discovered a vulnerability in webcamXP, which can be exploited by malicious people to cause a DoS (Denial of Service) or to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/29007/

--

[SA29002] freeSSHd SSH Server Denial of Service Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS
Released:    2008-02-18

Luigi Auriemma has discovered a vulnerability in freeSSHd, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29002/

--

[SA29011] EMC RepliStor Data Decompression Buffer Overflows

Critical:    Moderately critical
Where:       From local network
Impact:      System access
Released:    2008-02-21

Some vulnerabilities have been reported in EMC RepliStor, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29011/

--

[SA29031] IBM Lotus Notes Java Applet Signature Execution Control List Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-02-20

A security issue has been reported in IBM Lotus Notes, which can be exploited by malicious people to bypass certain security mechanisms.

Full Advisory:
http://secunia.com/advisories/29031/

--

[SA28984] StatCounteX "admin.asp" Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass, Exposure of sensitive information
Released:    2008-02-18

SekoMirza has discovered a security issue in StatCounteX, which can be exploited by malicious people to bypass certain security restrictions and to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/28984/

--

[SA29033] Symantec Veritas Storage Foundation Scheduler Service Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-02-21

A vulnerability has been reported in Symantec Veritas Storage Foundation, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29033/

--

[SA29030] Hitachi EUR Print Manager Unspecified Denial of Service Vulnerability

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-02-20

A vulnerability has been reported in Hitachi EUR Print Manager, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29030/

--

[SA29005] DESlock+ DLMFDISK.sys/DLMFENC.sys Privilege Escalation Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2008-02-19

mu-b has reported some vulnerabilities in DESlock+, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/29005/

UNIX/Linux:
--

[SA29026] Kolab Server ClamAV Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-19

Some vulnerabilities have been reported in Kolab Server, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29026/

--

[SA29012] SWORD diatheke.pl Shell Command Injection Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-19

A vulnerability has been discovered in SWORD, which can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29012/

--

[SA29001] SUSE update for clamav

Critical:    Highly critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-18

SUSE has issued an update for clamav. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29001/

--

[SA28989] Mandriva update for xine-lib

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-18

Mandriva has issued an update for xine-lib. This fixes a vulnerability, which can potentially be exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28989/

--

[SA28983] SUSE update for acroread

Critical:    Highly critical
Where:       From remote
Impact:      Unknown, DoS, System access
Released:    2008-02-19

SUSE has issued an update for acroread. This fixes some vulnerabilities, some of which have unknown impacts while others can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

Full Advisory:
http://secunia.com/advisories/28983/

--

[SA29017] LightBlog "username" Local File Inclusion

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2008-02-19

muuratsalo has discovered a vulnerability in LightBlog, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/29017/

--

[SA28996] Fedora update for pcre

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-19

Fedora has issued an update for pcre. This fixes a vulnerability, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28996/

--

[SA28993] HP Tru64 UNIX Perl Regular Expressions Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-21

HP has acknowledged a vulnerability in HP Tru64 UNIX, which potentially can be exploited by malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28993/

--

[SA28985] GNOME GLib PCRE Character Class Buffer Overflow

Critical:    Moderately critical
Where:       From remote
Impact:      DoS, System access
Released:    2008-02-18

A vulnerability has been reported in GNOME GLib, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/28985/

--

[SA28994] CUPS "process_browse_data()" Double Free Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-02-20

A vulnerability has been discovered in CUPS, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/28994/

--

[SA29004] Lotus Quickr Unspecified Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-18

A vulnerability has been reported in Lotus Quickr, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29004/

--

[SA28987] Fedora update for moin

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-21

Fedora has issued an update for moin. This fixes some vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/28987/

--

[SA28982] Multiple Horde Products Security Bypass

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-02-18

A security issue has been reported in multiple Horde products, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/28982/

--

[SA29028] Hitachi SEWB3/PLATFORM Unspecified Denial of Service

Critical:    Less critical
Where:       From local network
Impact:      DoS
Released:    2008-02-20

A vulnerability has been reported in Hitachi SEWB3/PLATFORM, which can be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29028/

--

[SA29009] wyrd Insecure Temporary File

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation
Released:    2008-02-18

A vulnerability has been discovered in wyrd, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/29009/

--

[SA28995] Linux Kernel Multiple Vulnerabilities

Critical:    Less critical
Where:       Local system
Impact:      Privilege escalation, DoS
Released:    2008-02-19

Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/28995/

--

[SA28981] Fedora update for scponly

Critical:    Less critical
Where:       Local system
Impact:      Security Bypass
Released:    2008-02-18

Fedora has issued an update for scponly.
This fixes a security issue, which can be exploited by malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/28981/

--

[SA28997] Avaya CMS Solaris X Window System Information Disclosure

Critical:    Not critical
Where:       Local system
Impact:      Exposure of sensitive information
Released:    2008-02-19

Avaya has acknowledged a vulnerability in Avaya CMS, which can be exploited by malicious, local users to disclose potentially sensitive information.

Full Advisory:
http://secunia.com/advisories/28997/

--

[SA28990] Sun Solaris vuidmice STREAMS Modules Local Denial of Service

Critical:    Not critical
Where:       Local system
Impact:      DoS
Released:    2008-02-18

A vulnerability has been reported in Sun Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/28990/

Other:

Cross Platform:
--

[SA29049] Netscape Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive information, DoS, System access
Released:    2008-02-21

Netscape has acknowledged some weaknesses, a security issue, and some vulnerabilities in Netscape Navigator, which can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, conduct spoofing attacks, or to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/29049/

--

[SA29047] Globsy "globsy_edit.php" Vulnerability

Critical:    Highly critical
Where:       From remote
Impact:      System access
Released:    2008-02-21

A vulnerability has been discovered in Globsy, which can be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/29047/

--

[SA29042] BEA JRockit Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, System access
Released:    2008-02-20

Some vulnerabilities have been reported in BEA JRockit, which can be exploited by malicious people to bypass certain security restrictions, manipulate data, disclose sensitive/system information, or potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29042/

--

[SA29010] MoinMoin Multiple Vulnerabilities

Critical:    Highly critical
Where:       From remote
Impact:      Cross Site Scripting, DoS, System access
Released:    2008-02-20

Some vulnerabilities have been reported in MoinMoin, which can be exploited by malicious people to conduct cross-site scripting attacks, to manipulate certain data, or potentially to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29010/

--

[SA29044] Joomla hwdVideoShare Component "cat_id" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-02-21

S@BUN has discovered a vulnerability in the hwdVideoShare component for Joomla, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29044/

--

[SA29041] BEA WebLogic Products Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Hijacking, Security Bypass, Cross Site Scripting, Brute force, Exposure of system information, Exposure of sensitive information
Released:    2008-02-20

Some vulnerabilities, security issues, and a weakness have been reported in various BEA WebLogic products, which can be exploited by malicious users to conduct script insertion attacks, and by malicious people to conduct session fixation, cross-site scripting, or brute force attacks, disclose sensitive information, or to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29041/

--

[SA29034] Schoolwires Academic Portal browse.asp Cross-Site Scripting and SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data
Released:    2008-02-20

Russ McRee has reported two vulnerabilities in Schoolwires Academic Portal, which can be exploited by malicious people to conduct cross-site scripting or SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29034/

--

[SA29029] Opera Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Security Bypass, Cross Site Scripting, Exposure of sensitive information
Released:    2008-02-20

Some vulnerabilities have been reported in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, or to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29029/

--

[SA29022] IBM DB2 Multiple Vulnerabilities

Critical:    Moderately critical
Where:       From remote
Impact:      Unknown, DoS
Released:    2008-02-19

Some vulnerabilities have been reported in IBM DB2, some of which have unknown impacts, while one can potentially be exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/29022/

--

[SA29018] iScripts MultiCart "productid" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-02-21

t0pP8uZz and xprog have reported a vulnerability in iScripts MultiCart, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29018/

--

[SA29008] Joomla astatsPRO Component "id" SQL Injection Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Cross Site Scripting
Released:    2008-02-21

A vulnerability has been reported in the astatsPRO component for Joomla, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29008/

--

[SA29006] XPWeb "Download.php" Arbitrary File Download

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2008-02-18

GoLd_M has discovered a vulnerability in XPWeb, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/29006/

--

[SA28998] Joomla! jooget Component "id" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-02-18

S@BUN has discovered a vulnerability in the jooget component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/28998/

--

[SA28992] BanPro-DMS "action" Local File Inclusion Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of system information, Exposure of sensitive information
Released:    2008-02-18

muuratsalo has discovered a vulnerability in BanPro-DMS, which can be exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/28992/

--

[SA28991] BEA Products Information Disclosure Vulnerability

Critical:    Moderately critical
Where:       From remote
Impact:      Exposure of sensitive information
Released:    2008-02-20

A vulnerability has been reported in BEA Plumtree Collaboration and BEA AquaLogic Interaction, which can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/28991/

--

[SA28988] WordPress WP Photo Album Plugin "photo" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-02-20

A vulnerability has been reported in the WP Photo Album (WPPA) plugin for WordPress, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/28988/

--

[SA28986] Joomla! Quran Component "surano" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-02-18

breaker_unit and Don have discovered a vulnerability in the Quran component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/28986/

--

[SA28980] Joomla! Quiz Component "tid" SQL Injection

Critical:    Moderately critical
Where:       From remote
Impact:      Manipulation of data, Exposure of sensitive information
Released:    2008-02-15

S@BUN has discovered a vulnerability in the Quiz component for Joomla!, which can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/28980/

--

[SA29050] Symantec Veritas Storage Foundation Administrator Service Buffer Overflow

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-02-21

A vulnerability has been reported in Symantec Veritas Storage Foundation, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29050/

--

[SA29045] Sybase SQL Anywhere MobiLink Buffer Overflow Vulnerability

Critical:    Moderately critical
Where:       From local network
Impact:      DoS, System access
Released:    2008-02-21

Luigi Auriemma has discovered a vulnerability in Sybase MobiLink, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/29045/

--

[SA29055] Invision Power Board BBCodes Script Insertion Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-21

A vulnerability has been reported in Invision Power Board, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29055/

--

[SA29043] PunBB Password Change and Cross-Site Scripting

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting, Manipulation of data, Brute force
Released:    2008-02-21

A vulnerability and a weakness have been discovered in PunBB, which can be exploited by malicious users to manipulate data and by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29043/

--

[SA29040] BEA Products "name" Cross-Site Scripting Vulnerability

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-20

Jan Fry and Adrian Pastor have reported a vulnerability in BEA AquaLogic Interaction and BEA Plumtree Foundation, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29040/

--

[SA29039] Tor World CGI Scripts Multiple Unspecified Cross-Site Scripting Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-21

Some vulnerabilities have been reported in various Tor World CGI Scripts, which can be exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/29039/

--

[SA29023] Jinzora Multiple Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-20

Alexandr Polyakov and Stas Svistunovich have discovered some vulnerabilities in Jinzora, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29023/

--

[SA29020] WoltLab Burning Board "sortOrder" SQL Injection

Critical:    Less critical
Where:       From remote
Impact:      Manipulation of data
Released:    2008-02-20

NBBN has reported a vulnerability in WoltLab Burning Board, which can be exploited by malicious users to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/29020/

--

[SA29019] Lyris ListManager Security Bypass Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Security Bypass
Released:    2008-02-20

Tyler Shields has reported some vulnerabilities in Lyris ListManager, which can be exploited by malicious users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/29019/

--

[SA29016] ProjectPier Multiple Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-19

L4teral has reported some vulnerabilities in ProjectPier, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks, and by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29016/

--

[SA29015] ATutor Script Insertion Vulnerabilities

Critical:    Less critical
Where:       From remote
Impact:      Cross Site Scripting
Released:    2008-02-19

L4teral has discovered some vulnerabilities in ATutor, which can be exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/29015/

========================================================================

Secunia recommends that you verify all advisories you receive by clicking the link.

Secunia NEVER sends attached files with advisories.

Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Subscribe:
http://secunia.com/secunia_weekly_summary/

Contact details:
Web     : http://secunia.com/
E-mail  : support () secunia com
Tel     : +45 70 20 51 44
Fax     : +45 70 20 51 45

___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn