Thursday, 16 January 2020

Weekly Update: a new vulnerability is published on the National Vulnerability Database (32 items)

New vulnerabilities from the NVD: CVE-2013-3936 (opsview, opsview_core)

Multiple cross-site scripting (XSS) vulnerabilities in Opsview before 4.4.1 and Opsview Core before 20130522 allow remote attackers to inject arbitrary web script or HTML.
Published at: January 02, 2020 at 05:15PM

January 08, 2020 at 05:40PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-3941 (xnview)

Xjp2.dll in XnView before 2.13 allows remote attackers to execute arbitrary code via (1) the Csiz parameter in a SIZ marker, which triggers an incorrect memory allocation, or (2) the lqcd field in a QCD marker in a crafted JPEG2000 file, which leads to a heap-based buffer overflow.
Published at: January 02, 2020 at 10:15PM

January 08, 2020 at 11:40PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-3945 (mrsid)

The MrSID plugin (MrSID.dll) before 4.37 for IrfanView allows remote attackers to execute arbitrary code via a nband tag.
Published at: January 02, 2020 at 09:15PM

January 09, 2020 at 01:40AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-5266

Imperva SecureSphere Web Application Firewall (WAF) before 12-august-2010 allows SQL injection filter bypass.
Published at: January 09, 2020 at 01:15AM

January 09, 2020 at 03:40AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-5250

Snare for Linux before 1.7.0 has CSRF in the web interface.
Published at: January 09, 2020 at 01:15AM

January 09, 2020 at 03:40AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-5247

Snare for Linux before 1.7.0 has password disclosure because the rendered page contains the field RemotePassword.
Published at: January 09, 2020 at 01:15AM

January 09, 2020 at 03:40AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-5018

Koala Framework before 2011-11-21 has XSS via the request_uri parameter.
Published at: January 09, 2020 at 01:15AM

January 09, 2020 at 03:40AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-2724

The Simplenews module 6.x-1.x before 6.x-1.4, 6.x-2.x before 6.x-2.0-alpha4, and 7.x-1.x before 7.x-1.0-rc1 for Drupal reveals the email addresses of new mailing list subscribers when confirmation is required, which allows remote attackers to obtain sensitive information via the confirmation page.
Published at: January 09, 2020 at 10:15PM

January 10, 2020 at 12:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-2714

The BrowserID (Mozilla Persona) module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users via the audience identifier.
Published at: January 09, 2020 at 10:15PM

January 10, 2020 at 12:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1261

Cross-site scripting (XSS) vulnerability in cgi-bin/scrut_fa_exclusions.cgi in Plixer International Scrutinizer NetFlow and sFlow Analyzer 8.6.2.16204 and other versions before 9.0.1.19899 allows remote attackers to inject arbitrary web script or HTML via the standalone parameter.
Published at: January 09, 2020 at 10:15PM

January 10, 2020 at 12:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1260

Cross-site scripting (XSS) vulnerability in cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allows remote attackers to inject arbitrary web script or HTML via the newUser parameter. NOTE: this might not be a vulnerability, since an administrator might already have the privileges to create arbitrary script.
Published at: January 09, 2020 at 10:15PM

January 10, 2020 at 12:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1259

Multiple SQL injection vulnerabilities in Plixer International Scrutinizer NetFlow & sFlow Analyzer 8.6.2.16204, and possibly other versions before 9.0.1.19899, allow remote attackers to execute arbitrary SQL commands via the (1) addip parameter to cgi-bin/scrut_fa_exclusions.cgi, (2) getPermissionsAndPreferences parameter to cgi-bin/login.cgi, or (3) possibly certain parameters to d4d/alarms.php as demonstrated by the search_str parameter.
Published at: January 09, 2020 at 10:15PM

January 10, 2020 at 12:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1258

cgi-bin/userprefs.cgi in Plixer International Scrutinizer NetFlow & sFlow Analyzer before 9.0.1.19899 does not validate user permissions, which allows remote attackers to add user accounts with administrator privileges via the newuser, pwd, and selectedUserGroup parameters.
Published at: January 09, 2020 at 10:15PM

January 10, 2020 at 12:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-5558

Cross-site scripting (XSS) vulnerability in the Smiley module 6.x-1.x versions prior to 6.x-1.1 and Smileys module 6.x-1.x versions prior to 6.x-1.1 for Drupal allows remote authenticated users with the "administer smiley" permission to inject arbitrary web script or HTML via a smiley acronym.
Published at: January 09, 2020 at 11:15PM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-4434

fwknop before 2.0.3 allows remote authenticated users to cause a denial of service (server crash) or possibly execute arbitrary code.
Published at: January 09, 2020 at 11:15PM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3810

Samsung Kies before 2.5.0.12094_27_11 has registry modification.
Published at: January 10, 2020 at 12:15AM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3809

Samsung Kies before 2.5.0.12094_27_11 has arbitrary directory modification.
Published at: January 10, 2020 at 12:15AM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3808

Samsung Kies before 2.5.0.12094_27_11 has arbitrary file modification.
Published at: January 10, 2020 at 12:15AM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3807

Samsung Kies before 2.5.0.12094_27_11 has arbitrary file execution.
Published at: January 10, 2020 at 12:15AM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3806

Samsung Kies before 2.5.0.12094_27_11 contains a NULL pointer dereference vulnerability which could allow remote attackers to perform a denial of service.
Published at: January 10, 2020 at 12:15AM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3490

The (1) my_popenv_impl and (2) my_spawnv functions in src/condor_utils/my_popen.cpp and the (3) systemCommand function in condor_vm-gahp/vmgahp_common.cpp in Condor 7.6.x before 7.6.10 and 7.8.x before 7.8.4 do not properly check the return value of setuid calls, which might cause a subprocess to be created with root privileges and allow remote attackers to gain privileges via unspecified vectors.
Published at: January 09, 2020 at 11:15PM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-2950

Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information.
Published at: January 10, 2020 at 12:15AM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-2931

PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file.
Published at: January 09, 2020 at 11:15PM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-2226

Invision Power Board before 3.3.1 fails to sanitize user-supplied input which could allow remote attackers to obtain sensitive information or execute arbitrary code by uploading a malicious file.
Published at: January 09, 2020 at 11:15PM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-2142

The error function in Error.cc in poppler before 0.21.4 allows remote attackers to execute arbitrary commands via a PDF containing an escape sequence for a terminal emulator.
Published at: January 09, 2020 at 11:15PM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1915

EllisLab CodeIgniter 2.1.2 allows remote attackers to bypass the xss_clean() Filter and perform XSS attacks.
Published at: January 09, 2020 at 11:15PM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2010-3282

389 Directory Server before 1.2.7.1 (aka Red Hat Directory Server 8.2) and HP-UX Directory Server before B.08.10.03, when audit logging is enabled, logs the Directory Manager password (nsslapd-rootpw) in cleartext when changing cn=config:nsslapd-rootpw, which might allow local users to obtain sensitive information by reading the log.
Published at: January 09, 2020 at 11:15PM

January 10, 2020 at 02:14AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-4595

Pretty-Link WordPress plugin 1.5.2 has XSS.
Published at: January 10, 2020 at 04:15PM

January 10, 2020 at 06:14PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3824

In Arial Campaign Enterprise before 11.0.551, multiple pages are accessible without authentication or authorization.
Published at: January 10, 2020 at 07:15PM

January 10, 2020 at 10:14PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3823

Arial Campaign Enterprise before 11.0.551 stores passwords in clear text and these may be retrieved.
Published at: January 10, 2020 at 07:15PM

January 10, 2020 at 10:14PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-3822

Arial Campaign Enterprise before 11.0.551 has unauthorized access to the User-Edit.asp page, which allows remote attackers to enumerate users' credentials.
Published at: January 10, 2020 at 07:15PM

January 10, 2020 at 10:14PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-5020

An SQL Injection vulnerability exists in the ID parameter in Online TV Database 2011.
Published at: January 10, 2020 at 09:15PM

January 11, 2020 at 12:14AM

via National Vulnerability Database

