Monday, January 20, 2020

Weekly Update: a new vulnerability is published on the National Vulnerability Database (30 items)

New vulnerabilities from the NVD: CVE-2011-2670

Mozilla Firefox before 3.6 is vulnerable to XSS via the rendering of Cascading Style Sheets.
Published at: January 13, 2020 at 04:15PM

January 13, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-5018 (koala_framework)

Koala Framework before 2011-11-21 has XSS via the request_uri parameter.
Published at: January 09, 2020 at 01:15AM

January 14, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-3203

A Code Execution vulnerability exists in the attachment parameter to index.php in Jcow CMS 4.x to 4.2 and 5.2 to 5.2.
Published at: January 14, 2020 at 10:15PM

January 14, 2020 at 11:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-3202

A Cross-Site Scripting (XSS) vulnerability exists in the g parameter to index.php in Jcow CMS 4.2 and earlier.
Published at: January 14, 2020 at 11:15PM

January 15, 2020 at 01:56AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-3183

A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.
Published at: January 14, 2020 at 11:15PM

January 15, 2020 at 01:56AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-2934

A Cross Site Request Forgery (CSRF) vulnerability exists in the administrator functions in WebsiteBaker 2.8.1 and earlier due to inadequate confirmation for sensitive transactions.
Published at: January 14, 2020 at 11:15PM

January 15, 2020 at 01:56AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-2933

An Arbitrary File Upload vulnerability exists in admin/media/upload.php in WebsiteBaker 2.8.1 and earlier due to a failure to restrict uploaded files with .htaccess, .php4, .php5, and .phtl extensions.
Published at: January 14, 2020 at 11:15PM

January 15, 2020 at 01:56AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-2715

An SQL Injection vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table names or column names.
Published at: January 15, 2020 at 12:15AM

January 15, 2020 at 01:56AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-2714

A Cross-Site Scripting vulnerability exists in Drupal 6.20 with Data 6.x-1.0-alpha14 due to insufficient sanitization of table descriptions, field names, or labels before display.
Published at: January 15, 2020 at 12:15AM

January 15, 2020 at 01:56AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-2706

A Cross-Site Scripting (XSS) vulnerability exists in the reorder administrator functions in sNews 1.71.
Published at: January 14, 2020 at 11:15PM

January 15, 2020 at 01:56AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1563

Joomla! before 2.5.3 allows Admin Account Creation.
Published at: January 15, 2020 at 03:15PM

January 15, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1562

Joomla! core before 2.5.3 allows unauthorized password change.
Published at: January 15, 2020 at 03:15PM

January 15, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1326

Cisco IronPort Web Security Appliance up to and including 7.5 does not validate the basic constraints of the certificate authority, which could lead to MITM attacks.
Published at: January 15, 2020 at 04:15PM

January 15, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-1316

Cisco IronPort Web Security Appliance does not check for certificate revocation, which could lead to MITM attacks.
Published at: January 15, 2020 at 04:15PM

January 15, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-0945

whoopsie-daisy before 0.1.26: Root user can remove arbitrary files
Published at: January 15, 2020 at 03:15PM

January 15, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-0334

Cisco IronPort Web Security Appliance AsyncOS software prior to 7.5 has an SSL Certificate Caching vulnerability, which could allow man-in-the-middle attacks.
Published at: January 15, 2020 at 03:15PM

January 15, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2012-0070

spamdyke prior to 4.2.1: STARTTLS reveals plaintext
Published at: January 15, 2020 at 04:15PM

January 15, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-4907

Joomla! 1.5x through 1.5.12: Missing JEXEC Check
Published at: January 15, 2020 at 04:15PM

January 15, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-4336

Tiki Wiki CMS Groupware 7.0 has XSS via the GET "ajax" parameter to snarf_ajax.php.
Published at: January 15, 2020 at 04:15PM

January 15, 2020 at 05:56PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-5250 (snare)

Snare for Linux before 1.7.0 has CSRF in the web interface.
Published at: January 09, 2020 at 01:15AM

January 15, 2020 at 10:27PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2009-1120

EMC RepliStor Server Service before ESA-09-003 has a DoASOCommand Remote Code Execution Vulnerability. The flaw exists within the DoRcvRpcCall RPC function (exposed via the rep_srv.exe process), where the vulnerability is caused by an error when rep_srv.exe handles a specially crafted packet sent by an unauthenticated attacker.
Published at: January 15, 2020 at 08:15PM

January 15, 2020 at 10:27PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2007-4774

The Linux kernel before 2.4.36-rc1 has a race condition. It was possible to bypass systrace policies by flooding the ptraced process with SIGCONT signals, which can wake up a PTRACED process.
Published at: January 15, 2020 at 07:15PM

January 15, 2020 at 10:27PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2007-4773

Systrace before 1.6.0 has insufficient escape policy enforcement.
Published at: January 15, 2020 at 07:15PM

January 15, 2020 at 10:27PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2005-4891

Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL statements.
Published at: January 15, 2020 at 07:15PM

January 15, 2020 at 10:27PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2011-5266 (securesphere_web_application_firewall)

Imperva SecureSphere Web Application Firewall (WAF) before 12-august-2010 allows SQL injection filter bypass.
Published at: January 09, 2020 at 01:15AM

January 16, 2020 at 12:27AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2009-5068

There is a file disclosure vulnerability in SMF (Simple Machines Forum) affecting versions through v2.0.3. On some configurations an SMF deployment is shared by several "co-admins" who are not trusted beyond the SMF deployment. This vulnerability allows them to read arbitrary files on the filesystem and therefore gain new privileges by reading settings.php, which contains the database passwords.
Published at: January 15, 2020 at 11:15PM

January 16, 2020 at 02:27AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2009-5025

A backdoor (aka BMSA-2009-07) was found in PyForum v1.0.3 where an attacker who knows a valid user email could force a password reset on behalf of that user.
Published at: January 15, 2020 at 11:15PM

January 16, 2020 at 02:27AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2009-3724

python-markdown2 before 1.0.1.14 has multiple cross-site scripting (XSS) issues.
Published at: January 15, 2020 at 11:15PM

January 16, 2020 at 02:27AM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2010-3048

Cisco Unified Personal Communicator 7.0 (1.13056) does not free allocated memory for received data and does not perform validation if memory allocation is successful, causing a remote denial of service condition.
Published at: January 16, 2020 at 08:15PM

January 16, 2020 at 09:27PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2007-6070

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Published at: January 17, 2020 at 09:15PM

January 18, 2020 at 12:27AM

via National Vulnerability Database

