Wazi » Security Team

Kernel 2.6.9 [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Kernel 2.6.9 [Medium]

Description

The nfs_lock function in fs/nfs/file.c in the Linux kernel 2.6.9 does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on an NFS filesystem and then changing this file’s permissions, a related issue to CVE-2010-0727.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2007-6733
Severity: Medium

NIST National Vulnerabilities Database

Com Abbrev 1.1 and prior [High]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Com Abbrev 1.1 and prior [High]

Description

Directory traversal vulnerability in the Abbreviations Manager (com_abbrev) component 1.1 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0985
Severity: High

NIST National Vulnerabilities Database

Acidcat Cms 3.5.3 and prior [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Acidcat Cms 3.5.3 and prior [Medium]

Description

Acidcat CMS 3.5.3 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing credentials via a direct request for databases/acidcat_3.mdb.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0984
Severity: Medium

NIST National Vulnerabilities Database

Rezervi 3.0.2 [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Rezervi 3.0.2 [Medium]

Description

PHP remote file inclusion vulnerability in include/mail.inc.php in Rezervi 3.0.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the root parameter, a different vector than CVE-2007-2156.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0983
Severity: Medium

NIST National Vulnerabilities Database

Com Cartweberp 1.56.75 and prior [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Com Cartweberp 1.56.75 and prior [Medium]

Description

Directory traversal vulnerability in the CARTwebERP (com_cartweberp) component 1.56.75 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0982
Severity: Medium

NIST National Vulnerabilities Database

Com Tpjobs [High]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Com Tpjobs [High]

Description

SQL injection vulnerability in the TPJobs (com_tpjobs) component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id_c[] parameter in a resadvsearch action to index.php.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0981
Severity: High

NIST National Vulnerabilities Database

L4d Stats 1.1 [High]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

L4d Stats 1.1 [High]

Description

SQL injection vulnerability in player.php in Left 4 Dead (L4D) Stats 1.1 allows remote attackers to execute arbitrary SQL commands via the steamid parameter.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0980
Severity: High

NIST National Vulnerabilities Database

Image-gallery 1.1 [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Image-gallery 1.1 [Medium]

Description

Cross-site scripting (XSS) vulnerability in display.php in Obsession-Design Image-Gallery (ODIG) 1.1 allows remote attackers to inject arbitrary web script or HTML via the folder parameter.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0979
Severity: Medium

NIST National Vulnerabilities Database

Guestbook 1.0 [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Guestbook 1.0 [Medium]

Description

KMSoft Guestbook (aka GBook) 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/db.mdb.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0978
Severity: Medium

NIST National Vulnerabilities Database

Pd Portal 4.0 [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Pd Portal 4.0 [Medium]

Description

PD PORTAL 4.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for db/db.mdb.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0977
Severity: Medium

NIST National Vulnerabilities Database

Acidcat Cms 3.5.3 and prior [High]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Acidcat Cms 3.5.3 and prior [High]

Description

Acidcat CMS 3.5.x does not prevent access to install.asp after installation finishes, which might allow remote attackers to restart the installation process and have unspecified other impact via requests to install.asp and other install_*.asp scripts. NOTE: the final installation screen states “Important: you must now delete all files beginning with ‘install’ from the root directory.”

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0976
Severity: High

NIST National Vulnerabilities Database

Barnowl 1.5 and prior [High]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Barnowl 1.5 and prior [High]

Description

Buffer overflow in BarnOwl before 1.5.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted CC: header.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0793
Severity: High

NIST National Vulnerabilities Database

Enterprise Linux 4 [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Enterprise Linux 4 [Medium]

Description

A certain Red Hat patch for the Linux kernel in Red Hat Enterprise Linux (RHEL) 4 on the ia64 platform allows local users to use ptrace on an arbitrary process, and consequently gain privileges, via vectors related to a missing ptrace_check_attach call.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0729
Severity: Medium

NIST National Vulnerabilities Database

Kernel 6 and prior [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Kernel 6 and prior [Medium]

Description

The gfs2_lock function in the Linux kernel before 2.6.34-rc1-next-20100312, and the gfs_lock function in the Linux kernel on Red Hat Enterprise Linux (RHEL) 5 and 6, does not properly remove POSIX locks on files that are setgid without group-execute permission, which allows local users to cause a denial of service (BUG and system crash) by locking a file on a (1) GFS or (2) GFS2 filesystem, and then changing this file’s permissions.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0727
Severity: Medium

NIST National Vulnerabilities Database

Php 5.3.1 [Medium]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Php 5.3.1 [Medium]

Description

The xmlrpc extension in PHP 5.3.1 does not properly handle a missing methodName element in the first argument to the xmlrpc_decode_request function, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) and possibly have unspecified other impact via a crafted argument.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0397
Severity: Medium

NIST National Vulnerabilities Database

Phpcityportal [High]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Phpcityportal [High]

Description

PHP remote file inclusion vulnerability in external.php in PHPCityPortal allows remote attackers to execute arbitrary PHP code via a URL in the url parameter.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0975
Severity: High

NIST National Vulnerabilities Database

Phpcityportal [High]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Phpcityportal [High]

Description

Multiple SQL injection vulnerabilities in PHPCityPortal allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) video_show.php, (2) spotlight_detail.php, (3) real_estate_details.php, and (4) auto_details.php.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0974
Severity: High

NIST National Vulnerabilities Database

Domain Verkaus And Auktions Portal [High]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Domain Verkaus And Auktions Portal [High]

Description

SQL injection vulnerability in index.php in phppool media Domain Verkaus and Auktions Portal allows remote attackers to execute arbitrary SQL commands via the id parameter.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0973
Severity: High

NIST National Vulnerabilities Database

Com Gcalendar 2.1.5 and prior [High]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Com Gcalendar 2.1.5 and prior [High]

Description

Directory traversal vulnerability in the GCalendar (com_gcalendar) component 2.1.5 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0972
Severity: High

NIST National Vulnerabilities Database

Atutor 1.6.4 [Low]

Security Team — Tue, 30 Nov 1999 06:00:00 +0000

Affects:

Atutor 1.6.4 [Low]

Description

Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information.

If you have questions about this security warning or need to have it translated and you have an active technical support contract, please call 1-888-OPENLOGIC or email us at support@openlogic.com.

CVE Identifier: CVE-2010-0971
Severity: Low

NIST National Vulnerabilities Database