Vulnerability Summary for the Week of November 26, 2012
Released
Dec 03, 2012
Document ID
SB12-338
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Vulnerability Severity:
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| emc -- it_operations_intelligence | The default configuration of EMC Smarts Network Configuration Manager (NCM) before 9.1 does not require authentication for database access, which allows remote attackers to have an unspecified impact via a network session. | 2012-11-27 | 9.3 | CVE-2012-4614 |
| gajim -- gajim | SQL injection vulnerability in the get_last_conversation_lines function in common/logger.py in Gajim before 0.15 allows remote attackers to execute arbitrary SQL commands via the jig parameter. | 2012-11-23 | 7.5 | CVE-2012-2086 |
| google -- android | diagchar_core.c in the Qualcomm Innovation Center (QuIC) Diagnostics (aka DIAG) kernel-mode driver for Android 2.3 through 4.2 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect pointer dereference) via an application that uses crafted arguments in a diagchar_ioctl call. | 2012-11-30 | 7.5 | CVE-2012-4220 |
| google -- android | Integer overflow in diagchar_core.c in the Qualcomm Innovation Center (QuIC) Diagnostics (aka DIAG) kernel-mode driver for Android 2.3 through 4.2 allows remote attackers to execute arbitrary code or cause a denial of service via an application that uses crafted arguments in a diagchar_ioctl call. | 2012-11-30 | 7.5 | CVE-2012-4221 |
| google -- chrome | Google Chrome before 23.0.1271.91 on Mac OS X does not properly mitigate improper rendering behavior in the Intel GPU driver, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2012-11-27 | 7.5 | CVE-2012-5131 |
| google -- chrome | Use-after-free vulnerability in Google Chrome before 23.0.1271.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to SVG filters. | 2012-11-27 | 7.5 | CVE-2012-5133 |
| google -- chrome | Use-after-free vulnerability in Google Chrome before 23.0.1271.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to printing. | 2012-11-27 | 7.5 | CVE-2012-5135 |
| hp -- integrated_lights-out_3_firmware | Unspecified vulnerability on the HP Integrated Lights-Out 3 (aka iLO3) with firmware before 1.50 and Integrated Lights-Out 4 (aka iLO4) with firmware before 1.13 allows remote attackers to obtain sensitive information via unknown vectors. | 2012-11-29 | 9.3 | CVE-2012-3271 |
| ibm -- websphere_datapower_xc10_appliance | The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2 does not require authentication for an unspecified interface, which allows remote attackers to cause a denial of service (process exit) via unknown vectors. | 2012-11-23 | 7.8 | CVE-2012-5758 |
| joobi -- com_jstore | Directory traversal vulnerability in Jstore (com_jstore) component for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. | 2012-11-26 | 10.0 | CVE-2010-5286 |
| joomla-cbe -- com_cbe | Directory traversal vulnerability in the Community Builder Enhanced (CBE) (com_cbe) component 1.4.8, 1.4.9, and 1.4.10 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tabname parameter in a userProfile action to index.php. NOTE: this can be leveraged to execute arbitrary code by using the file upload feature. | 2012-11-26 | 7.5 | CVE-2010-5280 |
| kyocera -- ah-k3001v | The KYOCERA AH-K3001V, AH-K3002V, WX300K, WX310K, WX320K, and WX320KR devices allow remote attackers to cause a denial of service (persistent reboot) via an e-mail message in an invalid format. | 2012-11-30 | 7.8 | CVE-2012-5174 |
| openvas -- openvas_manager | The send_to_sourcefire function in manage_sql.c in OpenVAS Manager 3.x before 3.0.4 allows remote attackers to execute arbitrary commands via the (1) IP address or (2) port number field in an OMP request. | 2012-11-26 | 7.5 | CVE-2012-5520 |
| phpenter -- php_enter | Static code injection vulnerability in admin/banners.php in PHP Enter allows remote attackers to inject arbitrary PHP code into horad.php via the code parameter. | 2012-11-26 | 10.0 | CVE-2012-6046 |
| ps_project_management_team -- unity-firefox-extension | Unity integration extension (unity-firefox-extension) before 2.4.1 for Firefox does not properly handle callbacks, which allows remote attackers to cause a denial of service (Firefox crash) and possibly execute arbitrary code via a crafted request. | 2012-11-24 | 7.5 | CVE-2012-0960 |
| qemu -- qemu | Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space." | 2012-11-23 | 7.2 | CVE-2012-3515 |
| redhat -- jboss_enterprise_application_platform | The (1) JNDI service, (2) HA-JNDI service, and (3) HAJNDIFactory invoker servlet in JBoss Enterprise Application Platform 4.3.0 CP10 and 5.1.2, Web Platform 5.1.2, SOA Platform 4.2.0.CP05 and 4.3.0.CP05, Portal Platform 4.3 CP07 and 5.2.x before 5.2.2, and BRMS Platform before 5.3.0 do not properly restrict write access, which allows remote attackers to add, delete, or modify items in a JNDI tree via unspecified vectors. | 2012-11-23 | 7.5 | CVE-2011-4605 |
| samsung -- printer_firmware | The Samsung printer firmware before 20121031 has a hardcoded read-write SNMP community, which makes it easier for remote attackers to obtain administrative access via an SNMP request. | 2012-11-27 | 7.5 | CVE-2012-4964 |
| sinapsitech -- esolar_duo_photovoltaic_system_monitor | Multiple SQL injection vulnerabilities on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allow remote attackers to execute arbitrary SQL commands via (1) the inverterselect parameter in a primo action to dettagliinverter.php or (2) the lingua parameter to changelanguagesession.php. | 2012-11-23 | 7.5 | CVE-2012-5861 |
| sinapsitech -- esolar_duo_photovoltaic_system_monitor | login.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 establishes multiple hardcoded accounts, which makes it easier for remote attackers to obtain administrative access by leveraging a (1) cleartext password or (2) password hash contained in this script, as demonstrated by a password of astridservice or 36e44c9b64. | 2012-11-23 | 10.0 | CVE-2012-5862 |
| sinapsitech -- esolar_duo_photovoltaic_system_monitor | ping.php on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 allows remote attackers to execute arbitrary commands via shell metacharacters in the ip_dominio parameter. | 2012-11-23 | 10.0 | CVE-2012-5863 |
| sinapsitech -- esolar_duo_photovoltaic_system_monitor | The management web pages on the Sinapsi eSolar Light Photovoltaic System Monitor (aka Schneider Electric Ezylog photovoltaic SCADA management server), Sinapsi eSolar, and Sinapsi eSolar DUO with firmware before 2.0.2870_2.2.12 do not require authentication, which allows remote attackers to obtain administrative access via a direct request, as demonstrated by a request to ping.php. | 2012-11-23 | 10.0 | CVE-2012-5864 |
| xen -- xen | The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (host crash) and possibly have other unspecified impacts via unspecified vectors related to "broken locking checks" in an "error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. | 2012-11-23 | 7.2 | CVE-2012-6030 |
| yabsoft -- advanced_image_hosting_script | SQL injection vulnerability in view_comments.php in YABSoft Advanced Image Hosting (AIH) Script, possibly 2.3, allows remote attackers to execute arbitrary SQL commands via the gal parameter. | 2012-11-26 | 7.5 | CVE-2012-6039 |
Medium Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| awcm-cms -- ar_web_content_manager | cookie_gen.php in ar web content manager (AWCM) 2.2 does not require authentication, which allows remote attackers to generate arbitrary cookies via the name parameter in conjunction with the content parameter. | 2012-11-26 | 5.0 | CVE-2012-2437 |
| awcm-cms -- ar_web_content_manager | ar web content manager (AWCM) 2.2 does not restrict the number of comment records that can be submitted through HTTP requests, which allows remote attackers to cause a denial of service (disk consumption) via the coment parameter to (1) show_video.php or (2) topic.php. | 2012-11-26 | 5.0 | CVE-2012-2438 |
| bigace -- bigace | Session fixation vulnerability in BIGACE before 2.7.8 allows remote attackers to hijack web sessions via unspecified vectors. | 2012-11-23 | 6.8 | CVE-2012-5173 |
| citrix -- xenserver | The physdev_get_free_pirq hypercall in arch/x86/physdev.c in Xen 4.1.x and Citrix XenServer 6.0.2 and earlier uses the return value of the get_free_pirq function as an array index without checking that the return value indicates an error, which allows guest OS users to cause a denial of service (invalid memory write and host crash) and possibly gain privileges via unspecified vectors. | 2012-11-23 | 6.1 | CVE-2012-3495 |
| citrix -- xenserver | XENMEM_populate_physmap in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when translating paging mode is not used, allows local PV OS guest kernels to cause a denial of service (BUG triggered and host crash) via invalid flags such as MEMF_populate_on_demand. | 2012-11-23 | 4.7 | CVE-2012-3496 |
| citrix -- xenserver | PHYSDEVOP_map_pirq in Xen 4.1 and 4.2 and Citrix XenServer 6.0.2 and earlier allows local HVM guest OS kernels to cause a denial of service (host crash) and possibly read hypervisor or guest memory via vectors related to a missing range check of map->index. | 2012-11-23 | 5.6 | CVE-2012-3498 |
| citrix -- xenserver | The GNTTABOP_swap_grant_ref sub-operation in the grant table hypercall in Xen 4.2 and Citrix XenServer 6.0.2 allows local guest kernels or administrators to cause a denial of service (host crash) and possibly gain privileges via a crafted grant reference that triggers a write to an arbitrary hypervisor memory location. | 2012-11-23 | 6.9 | CVE-2012-3516 |
| convergine -- file_king_advanced_file_management | Cross-site scripting (XSS) vulnerability in users.php in File King Advanced File Management 1.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter. | 2012-11-26 | 4.3 | CVE-2012-6040 |
| debian -- trousers | tcsd in TrouSerS before 0.3.10 allows remote attackers to cause a denial of service (daemon crash) via a crafted type_offset value in a TCP packet to port 30003. | 2012-11-26 | 5.0 | CVE-2012-0698 |
| emc -- rsa_adaptive_authentication_on-premise | Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Adaptive Authentication On-Premise (AAOP) before 7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2012-11-27 | 4.3 | CVE-2012-4611 |
| geopainting -- gpsmapedit | GPSMapEdit 1.1.73.2 allows user-assisted remote attackers to cause a denial of service (crash) via a long string in a lst file. | 2012-11-26 | 4.3 | CVE-2012-6042 |
| google -- android | drivers/gpu/msm/kgsl.c in the Qualcomm Innovation Center (QuIC) Graphics KGSL kernel-mode driver for Android 2.3 through 4.2 allows remote attackers to cause a denial of service (NULL pointer dereference) via an application that uses crafted arguments in a kgsl_ioctl call. | 2012-11-30 | 5.0 | CVE-2012-4222 |
| google -- chrome | Skia, as used in Google Chrome before 23.0.1271.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. | 2012-11-27 | 5.0 | CVE-2012-5130 |
| google -- chrome | Google Chrome before 23.0.1271.91 allows remote attackers to cause a denial of service (application crash) via a response with chunked transfer coding. | 2012-11-27 | 5.0 | CVE-2012-5132 |
| google -- chrome | Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document. | 2012-11-27 | 6.8 | CVE-2012-5134 |
| google -- chrome | Google Chrome before 23.0.1271.91 does not properly perform a cast of an unspecified variable during handling of the INPUT element, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted HTML document. | 2012-11-27 | 6.8 | CVE-2012-5136 |
| google -- cityhash | Google CityHash computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack. | 2012-11-28 | 5.0 | CVE-2012-6051 |
| guitar-pro -- guitar_pro | Guitar Pro 6.1.1 r10791 allows remote attackers to cause a denial of service (crash) via a long string in a gpx file. | 2012-11-26 | 5.0 | CVE-2012-6048 |
| ibm -- tivoli_endpoint_manager | Unspecified vulnerability in Tivoli Endpoint Manager for Remote Control Broker 8.2 before 8.2.1-TIV-TEMRC821-IF0002 allows remote attackers to cause a denial of service (resource consumption) via unknown vectors. | 2012-11-29 | 5.0 | CVE-2012-4841 |
| ibm -- websphere_datapower_xc10_appliance | The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2, when a collective configuration is enabled, has a single secret key that is shared across different customers' installations, which allows remote attackers to spoof a container server by (1) sniffing the network to locate a cleartext transmission of this key or (2) leveraging knowledge of this key from another installation. | 2012-11-23 | 4.3 | CVE-2012-5756 |
| jruby -- jruby | The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string. | 2012-11-23 | 4.3 | CVE-2010-1330 |
| jruby -- jruby | JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838. | 2012-11-28 | 5.0 | CVE-2012-5370 |
| lighttpd -- lighttpd | The http_request_split_value function in request.c in lighttpd 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header. | 2012-11-24 | 5.0 | CVE-2012-5533 |
| mahara -- mahara | Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php. | 2012-11-24 | 6.4 | CVE-2012-2239 |
| mahara -- mahara | Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML by uploading an XML file with the xhtml extension, which is rendered inline as script. NOTE: this can be leveraged with CVE-2012-2244 to execute arbitrary code without authentication, as demonstrated by modifying the clamav path. | 2012-11-24 | 4.3 | CVE-2012-2243 |
| mahara -- mahara | Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote authenticated administrators to execute arbitrary programs by modifying the path to clamav. NOTE: this can be exploited without authentication by leveraging CVE-2012-2243. | 2012-11-24 | 6.0 | CVE-2012-2244 |
| mahara -- mahara | Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to conduct clickjacking attacks to delete arbitrary users and bypass CSRF protection via account/delete.php. | 2012-11-24 | 6.8 | CVE-2012-2246 |
| mahara -- mahara | Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to artefact/file/ and a crafted SVG file. | 2012-11-24 | 4.3 | CVE-2012-2247 |
| mahara -- mahara | Cross-site scripting (XSS) vulnerability in group/members.php in Mahara 1.5.x before 1.5.7 and 1.6.x before 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. | 2012-11-24 | 4.3 | CVE-2012-2253 |
| mahara -- mahara | Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4, and other versions including 1.2, allow remote attackers to inject arbitrary web script or HTML via a CSV header with "unknown fields," which are not properly handled in error messages in the (1) bulk user, (2) group, and (3) group member upload capabilities. NOTE: this issue was originally part of CVE-2012-2243, but that ID was SPLIT due to different issues by different researchers. | 2012-11-24 | 4.3 | CVE-2012-6037 |
| mikrotik -- routeros | The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consumption), read the router version, and possibly have other impacts via a request to download the router's DLLs or plugins, as demonstrated by roteros.dll. | 2012-11-26 | 6.4 | CVE-2012-6050 |
| mjsware -- m-player | M-Player 0.4 allows remote attackers to cause a denial of service (crash) via a crafted MP3 file. | 2012-11-26 | 4.3 | CVE-2012-6044 |
| morequick -- greenbrowser | Double free vulnerability in GreenBrowser before 6.0.1002, when the keyword search bar (F6) is activated, allows remote attackers to execute arbitrary code via a crafted iframe. | 2012-11-26 | 6.8 | CVE-2012-6041 |
| net4visions -- ibrowser | Directory traversal vulnerability in ibrowser.php in the CMScout 2.09 IBrowser TinyMCE Plugin 1.4.1, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter. NOTE: some of these details are obtained from third party information. | 2012-11-26 | 6.8 | CVE-2010-5281 |
| o-dyn -- collabtive | Multiple cross-site scripting (XSS) vulnerabilities in Collabtive 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) User parameter in the edit user profile feature to manageuser.php, (2) y parameter in a newcal action to manageajax.php, and the (3) pic parameter to thumb.php. | 2012-11-26 | 4.3 | CVE-2010-5284 |
| o-dyn -- collabtive | Cross-site request forgery (CSRF) vulnerability in admin.php in Collabtive 0.6.5 allows remote attackers to hijack the authentication of administrators for requests that add administrative users via the edituser action. | 2012-11-26 | 6.8 | CVE-2010-5285 |
| opensolution -- quick.cart | Open Solution Quick.Cart 5.0 allows remote attackers to obtain sensitive information via (1) a long string or (2) invalid characters in a cookie, which reveals the installation path in an error message. | 2012-11-26 | 5.0 | CVE-2012-6049 |
| opentext -- livelink_ecm | Multiple cross-site scripting (XSS) vulnerabilities in OpenText ECM (formerly Livelink ECM) 9.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) viewType and (2) sort parameters in a browse action to livelink/livelink; and the (3) nodeid, (4) setctx, and (5) support parameters to livelinkdav/nodes/OOB_DAVWindow.html. | 2012-11-26 | 4.3 | CVE-2010-5282 |
| opentext -- livelink_ecm | Cross-site request forgery (CSRF) vulnerability in OpenText ECM (formerly Livelink ECM) 9.7.1 allows remote attackers to hijack the authentication of administrators for requests that change folder and resource permissions. | 2012-11-26 | 6.8 | CVE-2010-5283 |
| oracle -- jdk | Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 and 8 before build 39, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. | 2012-11-28 | 5.0 | CVE-2012-2739 |
| oracle -- jdk | Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash3 algorithm, a different vulnerability than CVE-2012-2739. | 2012-11-28 | 5.0 | CVE-2012-5373 |
| php-fusion -- php-fusion | Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. | 2012-11-26 | 4.3 | CVE-2012-6043 |
| ramui -- ramui_forum | Cross-site scripting (XSS) vulnerability in gb/user/index.php in Ramui Forum, possibly 1.0 Beta, allows remote attackers to inject arbitrary web script or HTML via the query parameter. | 2012-11-26 | 4.3 | CVE-2012-6045 |
| razorcms -- razorcms | admin/core/admin_func.php in razorCMS before 1.2.1 does not properly restrict access to certain administrator directories and files, which allows remote authenticated users to read, edit, rename, move, copy and delete files via the (1) dir parameter in a fileman or (2) filemanview action. NOTE: this issue has been referred to as a "path traversal." | 2012-11-26 | 6.5 | CVE-2012-6038 |
| redhat -- jboss_enterprise_portal_platform | The W3C XML Encryption Standard, as used in the JBoss Web Services (JBossWS) component in JBoss Enterprise Portal Platform before 5.2.2 and other products, when using block ciphers in cipher-block chaining (CBC) mode, allows remote attackers to obtain plaintext data via a chosen-ciphertext attack on SOAP responses, aka "character encoding pattern attack." | 2012-11-23 | 5.0 | CVE-2011-1096 |
| redhat -- jboss_enterprise_brms_platform | Cross-site request forgery (CSRF) vulnerability in the JMX Console (jmx-console) in JBoss Enterprise Portal Platform before 5.2.2, BRMS Platform 5.3.0 before roll up patch1, and SOA Platform 5.3.0 allows remote authenticated users to hijack the authentication of arbitrary users for requests that perform operations on MBeans and possibly execute arbitrary code via unspecified vectors. | 2012-11-23 | 6.0 | CVE-2011-2908 |
| redhat -- jboss_enterprise_application_platform | The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. | 2012-11-23 | 6.8 | CVE-2011-4085 |
| redhat -- resteasy | The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818. | 2012-11-23 | 5.0 | CVE-2011-5245 |
| redhat -- resteasy | RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack. | 2012-11-23 | 5.0 | CVE-2012-0818 |
| redhat -- jboss_enterprise_application_platform | The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications. | 2012-11-23 | 4.6 | CVE-2012-1167 |
| redhat -- jboss_enterprise_data_services_platform | The Teiid Java Database Connectivity (JDBC) socket, as used in JBoss Enterprise Data Services Platform before 5.3.0, does not encrypt login messages by default contrary to documentation and specification, which allows remote attackers to obtain login credentials via a man-in-the-middle (MITM) attack. | 2012-11-23 | 4.3 | CVE-2012-3431 |
| rubinius -- rubinius | Rubinius computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash3 algorithm. | 2012-11-28 | 5.0 | CVE-2012-5372 |
| ruby-lang -- ruby | The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path. | 2012-11-24 | 5.0 | CVE-2012-4522 |
| ruby-lang -- ruby | Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815. | 2012-11-28 | 5.0 | CVE-2012-5371 |
| tecnick -- tcexam | Multiple SQL injection vulnerabilities in Nicola Asuni TCExam before 11.3.009 allow remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands via the (1) user_groups[] parameter to admin/code/tce_edit_test.php or (2) subject_id parameter to admin/code/tce_show_all_questions.php. | 2012-11-23 | 6.0 | CVE-2012-4601 |
| tecnick -- tcexam | Multiple cross-site scripting (XSS) vulnerabilities in admin/code/tce_select_users_popup.php in Nicola Asuni TCExam before 11.3.009 allow remote attackers to inject arbitrary web script or HTML via the (1) cid or (2) uids parameter. | 2012-11-23 | 4.3 | CVE-2012-4602 |
| x7_group -- x7_chat | Cross-site request forgery (CSRF) vulnerability in X7 Chat 2.0.5.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that add a user to an arbitrary group via the users page in an adminpanel action to index.php. | 2012-11-26 | 6.8 | CVE-2012-6047 |
| xen -- xen | Xen 4.0 and 4.1 allows local HVM guest OS kernels to cause a denial of service (domain 0 VCPU hang and kernel panic) by modifying the physical address space in a way that triggers excessive shared page search time during the p2m teardown. | 2012-11-24 | 4.9 | CVE-2012-3433 |
| xen -- xen | (1) TMEMC_SAVE_GET_CLIENT_WEIGHT, (2) TMEMC_SAVE_GET_CLIENT_CAP, (3) TMEMC_SAVE_GET_CLIENT_FLAGS and (4) TMEMC_SAVE_END in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (NULL pointer dereference or memory corruption and host crash) or possibly have other unspecified impacts via a NULL client id. | 2012-11-23 | 6.9 | CVE-2012-3497 |
| xen -- xen | The graphical console in Xen 4.0, 4.1 and 4.2 allows local OS guest administrators to obtain sensitive host resource information via the qemu monitor. NOTE: this might be a duplicate of CVE-2007-0998. | 2012-11-23 | 4.6 | CVE-2012-4411 |
| xen -- xen | The HVMOP_pagetable_dying hypercall in Xen 4.0, 4.1, and 4.2 does not properly check the pagetable state when running on shadow pagetables, which allows a local HVM guest OS to cause a denial of service (hypervisor crash) via unspecified vectors. | 2012-11-24 | 4.9 | CVE-2012-4538 |
| xen -- xen | The do_tmem_get function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (CPU hang and host crash) via unspecified vectors related to a spinlock being held in the "bad_copy error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. | 2012-11-23 | 4.7 | CVE-2012-6031 |
| xen -- xen | Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh_copy_to_client functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (memory corruption and host crash) via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. | 2012-11-23 | 4.9 | CVE-2012-6032 |
| xen -- xen | The do_tmem_control function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly check privileges, which allows local guest OS users to access control stack operations via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. | 2012-11-23 | 4.4 | CVE-2012-6033 |
| xen -- xen | The do_tmem_destroy_pool function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly validate pool ids, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. | 2012-11-23 | 6.9 | CVE-2012-6035 |
| xen -- xen | The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3) tmemc_restore_flush_page functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 do not check for negative id pools, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or possibly execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. | 2012-11-23 | 4.4 | CVE-2012-6036 |
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| citrix -- xenserver | The set_debugreg hypercall in include/asm-x86/debugreg.h in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when running on x86-64 systems, allows local OS guest users to cause a denial of service (host crash) by writing to the reserved bits of the DR7 debug control register. | 2012-11-23 | 2.1 | CVE-2012-3494 |
| emc -- it_operations_intelligence | EMC Smarts Network Configuration Manager (NCM) before 9.1 uses a hardcoded encryption key for the storage of credentials, which allows local users to obtain sensitive information via unspecified vectors. | 2012-11-27 | 2.1 | CVE-2012-4615 |
| redhat -- jboss_enterprise_brms_platform | JGroups diagnostics service in JBoss Enterprise Portal Platform before 5.2.2, SOA Platform before 5.3.0, and BRMS Platform before 5.3.0, is enabled without authentication when started by the JGroups channel, which allows remote attackers in adjacent networks to read diagnostics information via a crafted IP multicast. | 2012-11-23 | 3.3 | CVE-2012-2377 |
| remote_login_service_hackers -- remote_login_service | Remote Login Service (RLS) 1.0.0 does not properly clear account information when switching users, which might allow physically proximate users to obtain login credentials. | 2012-11-24 | 2.1 | CVE-2012-0959 |
| sgi -- performance_co-pilot | The (1) pcmd and (2) pmlogger init scripts in Performance Co-Pilot (PCP) before 3.6.10 allow local users to overwrite arbitrary files via a symlink attack on a /var/tmp/##### temporary file. | 2012-11-29 | 2.1 | CVE-2012-5530 |
| xen -- xen | The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv functions and the (3) TMEMC_SAVE_GET_POOL_UUID sub-operation in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 "do not check incoming guest output buffer pointers," which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. | 2012-11-23 | 0.0 | CVE-2012-6034 |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.