Software Vulnerability
Main
Software Alerts
Software and Script Bug ExploitsSoftware Vulnerability
Random Feeds
Archives
| Jan 2012 | Dec 2011 | Nov 2011 | Oct 2011 | Sep 2011 | Aug 2011 | Jul 2011 | Jun 2011 | May 2011 | Apr 2011 | Mar 2011 | Feb 2011 | Jan 2011 | Dec 2010 | Nov 2010 | Oct 2010 | Sep 2010 | Aug 2010 | Jul 2010 | Jun 2010 | May 2010 | Apr 2010 | Mar 2010 | Feb 2010 | Jan 2010 | Dec 2009 | Nov 2009 | Oct 2009 | Sep 2009 | Aug 2009 | Jul 2009 | Jun 2009 | May 2009 | Apr 2009 | Mar 2009 | Feb 2009 | Jan 2009 | Dec 2008 | Nov 2008 | Oct 2008 | Sep 2008 | Aug 2008 | Jul 2008 | Jun 2008 | May 2008 | Apr 2008 | Mar 2008 | Feb 2008 | Jan 2008 | Dec 2007 | Nov 2007 |Thu, 23 Sep 10
CVE-2010-3332 (.net_framework)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3332
Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack.
Thu, 23 Sep 10
egroupware
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3314
Cross-site scripting (XSS) vulnerability in login.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
Thu, 23 Sep 10
egroupware
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3313
phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters.
Thu, 23 Sep 10
kernel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3301
The IA32 system call emulation functionality in arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.36-rc4-git2 on the x86_64 platform does not zero extend the %eax register after the 32-bit entry path to ptrace is used, which allows local users to gain privileges by triggering an out-of-bounds access to the system call table using the %rax register. NOTE: this vulnerability exists because of a CVE-2007-4573 regression.
Thu, 23 Sep 10
kernel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3477
The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel memory via vectors involving a dump operation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2942.
Thu, 23 Sep 10
drupal
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3094
Multiple cross-site scripting (XSS) vulnerabilities in Drupal 6.x before 6.18 allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via (1) an action description, (2) an action message, (3) a node, or (4) a taxonomy term, related to the actions feature and the trigger module.
Thu, 23 Sep 10
drupal
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3093
The comment module in Drupal 5.x before 5.23 and 6.x before 6.18 allows remote authenticated users with certain privileges to bypass intended access restrictions and reinstate removed comments via a crafted URL, related to an "unpublishing bypass" issue.
Thu, 23 Sep 10
drupal
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3092
The upload module in Drupal 5.x before 5.23 and 6.x before 6.18 does not properly support case-insensitive filename handling in a database configuration, which allows remote authenticated users to bypass the intended restrictions on downloading a file by uploading a different file with a similar name.
Thu, 23 Sep 10
mac_os_x, mac_os_x_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1820
Apple Filing Protocol (AFP) Server in Apple Mac OS X 10.6.x through 10.6.4 does not properly handle errors, which allows remote attackers to bypass the password requirement for shared-folder access by leveraging knowledge of a valid account name.
Thu, 23 Sep 10
websphere_application_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0781
Unspecified vulnerability in the administrative console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.33 allows remote authenticated users to cause a denial of service (CPU consumption) via a crafted URL.
Thu, 23 Sep 10
kernel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3080
Double free vulnerability in the snd_seq_oss_open function in sound/core/seq/oss/seq_oss_init.c in the Linux kernel before 2.6.36-rc4 might allow local users to cause a denial of service or possibly have unspecified other impact via an unsuccessful attempt to open the /dev/sequencer device.
Thu, 23 Sep 10
kernel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3078
The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel before 2.6.36-rc4 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an ioctl call.
Thu, 23 Sep 10
kernel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3067
Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.
Thu, 23 Sep 10
kernel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2942
The actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc2 does not properly initialize certain structure members when performing dump operations, which allows local users to obtain potentially sensitive information from kernel memory via vectors related to (1) the tcf_gact_dump function in net/sched/act_gact.c, (2) the tcf_mirred_dump function in net/sched/act_mirred.c, (3) the tcf_nat_dump function in net/sched/act_nat.c, (4) the tcf_simp_dump fun...
Thu, 23 Sep 10
otrs
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3476
Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attackers to cause a denial of service (CPU consumption) via a large message, a different vulnerability than CVE-2010-2080.
Thu, 23 Sep 10
db2
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3475
IBM DB2 9.7 before FP3 does not properly enforce privilege requirements for execution of entries in the dynamic SQL cache, which allows remote authenticated users to bypass intended access restrictions by leveraging the cache to execute an UPDATE statement contained in a compiled compound SQL statement.
Thu, 23 Sep 10
db2
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3474
IBM DB2 9.7 before FP3 does not perform the expected drops or invalidations of dependent functions upon a loss of privileges by the functions' owners, which allows remote authenticated users to bypass intended access restrictions via calls to these functions, a different vulnerability than CVE-2009-3471.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3473
Open redirect vulnerability in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-021 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3472
Multiple cross-site scripting (XSS) vulnerabilities in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-021 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3471
Session fixation vulnerability in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 4.0.2.x before 4.0.2.7-P8AE-FP007 allows remote attackers to hijack web sessions via unspecified vectors.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3470
Multiple cross-site scripting (XSS) vulnerabilities in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-021 and 4.0.2.x before 4.0.2.7-P8AE-FP007 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5002
The Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 4.0.2.x before 4.0.2.1-P8AE-FP001 does not record Get Content Failure Audit events, which might allow remote attackers to attempt content access without detection.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5001
The Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 4.0.2.x before 4.0.2.2-P8AE-FP002 grants a document's Creator-Owner full control over an annotation object, even if the default instance security has changed, which might allow remote authenticated users to bypass intended access restrictions in opportunistic circumstances.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5000
Multiple cross-site scripting (XSS) vulnerabilities in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 4.0.2.x before 4.0.2.3-P8AE-FP003 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to .jsp pages.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4999
Cross-site scripting (XSS) vulnerability in the Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-016 allows remote attackers to inject arbitrary web script or HTML via the Name field.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4998
The Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-019 and 4.0.2.x before 4.0.2.7-P8AE-FP007, in certain FileTracker configurations, does not apply a security policy to the first document added during a session, which might allow remote attackers to bypass intended access restrictions via unspecified vectors.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-7261
The Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-010 records DEBUG messages containing user credentials in the log4j.xml file, which might allow local users to obtain sensitive information by reading this file.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7242
The Workplace (aka WP) component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-001 does not ensure that the AE Administrator role is present for Site Preferences modifications, which allows remote authenticated users to bypass intended access restrictions via unspecified vectors.
Thu, 23 Sep 10
filenet_p8_application_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7241
The Image Viewer component in IBM FileNet P8 Application Engine (P8AE) 3.5.1 before 3.5.1-002 removes a user from an ACL when the user is denied all permissions for an annotation, which might allow remote authenticated users to bypass intended access restrictions in opportunistic circumstances.
Thu, 23 Sep 10
flock
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3262
Cross-site scripting (XSS) vulnerability in Flock Browser 3.x before 3.0.0.4114 allows remote attackers to inject arbitrary web script or HTML via a crafted RSS feed.
Thu, 23 Sep 10
word
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3200
MSO.dll in Microsoft Word 2003 SP3 11.8326.11.8324 allows remote attackers to cause a denial of service (NULL pointer dereference and multiple-instance application crash) via a crafted buffer in a Word document, as demonstrated by word_crash_11.8326.8324_poc.doc.
Thu, 23 Sep 10
squid
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3072
The string-comparison functions in String.cci in Squid 3.x before 3.1.8 and 3.2.x before 3.2.0.2 allow remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request.
Thu, 23 Sep 10
otrs
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2080
Multiple cross-site scripting (XSS) vulnerabilities in Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Wed, 1 Sep 10
moobbs2
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2365
Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs2 before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Wed, 1 Sep 10
moobbs
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2364
Cross-site scripting (XSS) vulnerability in Free CGI Moo moobbs before 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.