Tuesday, February 25, 2020

Weekly Update: a new vulnerability is published on the National Vulnerability Database (45 items)

New vulnerabilities from the NVD: CVE-2013-3738

A File Inclusion vulnerability exists in Zabbix 2.0.6 due to inadequate sanitization of request strings in CGI scripts, which could let a remote malicious user execute arbitrary code.
Published at: February 17, 2020 at 06:15PM

February 17, 2020 at 08:14PM

via National Vulnerability Database


New vulnerabilities from the NVD: CVE-2013-3722

A Denial of Service (infinite loop) exists in OpenSIPS before 1.10 in lookup.c.
Published at: February 17, 2020 at 07:15PM

February 17, 2020 at 09:49PM


New vulnerabilities from the NVD: CVE-2012-2412

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-4531. Reason: This candidate is a duplicate of CVE-2012-4531. Notes: All CVE users should reference CVE-2012-4531 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Published at: February 18, 2020 at 12:15AM

February 18, 2020 at 01:49AM


New vulnerabilities from the NVD: CVE-2013-5594

Mozilla Firefox before 25 allows modification of anonymous content of pluginProblem.xml binding
Published at: February 18, 2020 at 03:15PM

February 18, 2020 at 05:49PM


New vulnerabilities from the NVD: CVE-2013-4454

WordPress Portable phpMyAdmin Plugin 1.4.1 has Multiple Security Bypass Vulnerabilities
Published at: February 18, 2020 at 04:15PM

February 18, 2020 at 05:49PM


New vulnerabilities from the NVD: CVE-2013-4227

Cross-site request forgery (CSRF) vulnerability in the persona_xsrf_token function in persona.module in the Mozilla Persona module 7.x-1.x before 7.x-1.11 for Drupal allows remote attackers to hijack the authentication of arbitrary users via a security token that is not a string data type.
Published at: February 18, 2020 at 05:15PM

February 18, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2013-6295

PrestaShop 1.5.5 vulnerable to privilege escalation via a Salesman account via upload module
Published at: February 18, 2020 at 07:15PM

February 18, 2020 at 09:49PM


New vulnerabilities from the NVD: CVE-2013-3323

A Privilege Escalation Vulnerability exists in IBM Maximo Asset Management 7.5, 7.1, and 6.2, when WebSeal with Basic Authentication is used, due to a failure to invalidate the authentication session, which could let a malicious user obtain unauthorized access.
Published at: February 18, 2020 at 07:15PM

February 18, 2020 at 09:49PM


New vulnerabilities from the NVD: CVE-2013-2679

Multiple cross-site scripting (XSS) vulnerabilities in Cisco Linksys E4200 router with firmware 1.0.05 build 7 allow remote attackers to inject arbitrary web script or HTML via the (1) log_type, (2) ping_ip, (3) ping_size, (4) submit_type, or (5) traceroute_ip parameter to apply.cgi or (6) new_workgroup or (7) submit_button parameter to storage/apply.cgi.
Published at: February 18, 2020 at 07:15PM

February 18, 2020 at 09:49PM


New vulnerabilities from the NVD: CVE-2012-0718

IBM Tivoli Endpoint Manager 8 does not set the HttpOnly flag on cookies.
Published at: February 18, 2020 at 08:15PM

February 18, 2020 at 09:49PM


New vulnerabilities from the NVD: CVE-2009-5146

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: February 18, 2020 at 07:15PM

February 18, 2020 at 09:49PM


New vulnerabilities from the NVD: CVE-2013-4228

The OG access fields (visibility fields) implementation in Organic Groups (OG) module 7.x-2.x before 7.x-2.3 for Drupal does not properly restrict access to private groups, which allows remote authenticated users to guess node IDs, subscribe to, and read the content of arbitrary private groups via unspecified vectors.
Published at: February 18, 2020 at 09:15PM

February 18, 2020 at 11:49PM


New vulnerabilities from the NVD: CVE-2013-4226

The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination as the superuser to obtain sensitive information via the cached pages of the superuser.
Published at: February 18, 2020 at 09:15PM

February 18, 2020 at 11:49PM


New vulnerabilities from the NVD: CVE-2015-0749

A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerability is due to improper input validation of certain parameters passed to the affected software. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.
Published at: February 19, 2020 at 05:15AM

February 19, 2020 at 08:49AM


New vulnerabilities from the NVD: CVE-2011-2054

A vulnerability in the Cisco ASA that could allow a remote attacker to successfully authenticate using the Cisco AnyConnect VPN client if the Secondary Authentication type is LDAP and the password is left blank, providing the primary credentials are correct. The vulnerability is due to improper input validation of certain parameters passed to the affected software. An attacker must have the correct primary credentials in order to successfully exploit this vulnerability.
Published at: February 19, 2020 at 05:15AM

February 19, 2020 at 08:49AM


New vulnerabilities from the NVD: CVE-2014-3622

Use-after-free vulnerability in the add_post_var function in the Posthandler component in PHP 5.6.x before 5.6.1 might allow remote attackers to execute arbitrary code by leveraging a third-party filter extension that accesses a certain ksep value.
Published at: February 19, 2020 at 03:15PM

February 19, 2020 at 05:49PM


New vulnerabilities from the NVD: CVE-2014-2727

The STARTTLS implementation in MailMarshal before 7.2 allows plaintext command injection.
Published at: February 19, 2020 at 04:15PM

February 19, 2020 at 05:49PM


New vulnerabilities from the NVD: CVE-2014-2228

The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages.
Published at: February 19, 2020 at 04:15PM

February 19, 2020 at 05:49PM


New vulnerabilities from the NVD: CVE-2013-5581

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: February 19, 2020 at 05:15PM

February 19, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2012-6685

Nokogiri before 1.5.4 is vulnerable to XXE attacks
Published at: February 19, 2020 at 05:15PM

February 19, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2012-6614

D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password.
Published at: February 19, 2020 at 05:15PM

February 19, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2012-1932

A cross-site scripting (XSS) vulnerability in Wolf CMS 0.75 and earlier allows remote attackers to inject arbitrary web script or HTML via the setting[admin_email] parameter to admin/setting.
Published at: February 19, 2020 at 05:15PM

February 19, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2012-0055

OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.
Published at: February 19, 2020 at 08:15PM

February 19, 2020 at 09:49PM


New vulnerabilities from the NVD: CVE-2013-2018

Multiple SQL injection vulnerabilities in BOINC allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
Published at: February 20, 2020 at 02:15AM

February 20, 2020 at 03:49AM


New vulnerabilities from the NVD: CVE-2014-3484

Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid name length in a DNS response, related to an infinite loop with no output.
Published at: February 20, 2020 at 06:15AM

February 20, 2020 at 08:49AM


New vulnerabilities from the NVD: CVE-2012-2629

Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) conduct cross-site scripting (XSS) attacks via the page_title parameter to admin/content_pages_edit.php; the (3) category_name[] parameter to admin/products_category.php; the (4) site_name, (5) seo_title, or (6) meta_keywords parameter to admin/settings_siteinfo.php; the (7) company_name, (8) address1, (9) address2, (10) city, (11) state, (12) country, (13) author_first_name, (14) author_last_name, (15) author_email, (16) contact_first_name, (17) contact_last_name, (18) contact_email, (19) general_email, (20) general_phone, (21) general_fax, (22) sales_email, (23) sales_phone, (24) support_email, or (25) support_phone parameter to admin/settings_company.php; or the (26) system_email, (27) sender_name, (28) smtp_server, (29) smtp_username, (30) smtp_password, or (31) order_notice_email parameter to admin/settings_email.php.
Published at: February 20, 2020 at 06:15AM

February 20, 2020 at 08:49AM


New vulnerabilities from the NVD: CVE-2011-2498

The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.
Published at: February 20, 2020 at 06:15AM

February 20, 2020 at 08:49AM


New vulnerabilities from the NVD: CVE-2012-5366

The IPv6 implementation in Apple Mac OS X (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Router Advertisement packets containing multiple Routing entries.
Published at: February 20, 2020 at 05:15PM

February 20, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2012-5365

The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Router Advertisement packets containing multiple Routing entries.
Published at: February 20, 2020 at 05:15PM

February 20, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2012-5364

The IPv6 implementation in Microsoft Windows 7 and earlier allows remote attackers to cause a denial of service via a flood of ICMPv6 Router Advertisement packets containing multiple Routing entries.
Published at: February 20, 2020 at 05:15PM

February 20, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2012-5363

The IPv6 implementation in FreeBSD and NetBSD (unknown versions, year 2012 and earlier) allows remote attackers to cause a denial of service via a flood of ICMPv6 Neighbor Solicitation messages, a different vulnerability than CVE-2011-2393.
Published at: February 20, 2020 at 05:15PM

February 20, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2012-5362

The IPv6 implementation in Microsoft Windows 7 and earlier allows remote attackers to cause a denial of service via a flood of ICMPv6 Neighbor Solicitation messages, a different vulnerability than CVE-2010-4669.
Published at: February 20, 2020 at 05:15PM

February 20, 2020 at 07:49PM


New vulnerabilities from the NVD: CVE-2012-3351

Multiple cross-site scripting (XSS) vulnerabilities in LongTail Video JW Player through 5.10.2295 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) logo.link, or (3) aboutlink parameter, or a nested URI scheme name for (4) javascript, (5) asfunction, or (6) vbscript.
Published at: February 20, 2020 at 08:15PM

February 20, 2020 at 09:46PM


New vulnerabilities from the NVD: CVE-2012-2599

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-3835. Reason: This issue was MERGED into CVE-2012-3835 in accordance with CVE content decisions, because it is the same type of vulnerability and affects the same versions. Notes: All CVE users should reference CVE-2012-3835 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
Published at: February 20, 2020 at 08:15PM

February 20, 2020 at 09:46PM


New vulnerabilities from the NVD: CVE-2011-4915

fs/proc/base.c in the Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /proc/interrupts.
Published at: February 20, 2020 at 08:15PM

February 20, 2020 at 09:46PM


New vulnerabilities from the NVD: CVE-2011-0699

Integer signedness error in the btrfs_ioctl_space_info function in the Linux kernel 2.6.37 allows local users to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted slot value.
Published at: February 20, 2020 at 08:15PM

February 20, 2020 at 09:46PM


New vulnerabilities from the NVD: CVE-2012-5236

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Published at: February 20, 2020 at 09:15PM

February 20, 2020 at 11:46PM


New vulnerabilities from the NVD: CVE-2013-4088

Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.
Published at: February 21, 2020 at 06:15PM

February 21, 2020 at 07:46PM


New vulnerabilities from the NVD: CVE-2013-3551

Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket split mechanism.
Published at: February 21, 2020 at 06:15PM

February 21, 2020 at 07:46PM


New vulnerabilities from the NVD: CVE-2012-0063

Insecure plugin update mechanism in tucan through 0.3.10 could allow remote attackers to perform man-in-the-middle attacks and execute arbitrary code with the permissions of the user running tucan.
Published at: February 21, 2020 at 06:15PM

February 21, 2020 at 07:46PM


New vulnerabilities from the NVD: CVE-2013-3587

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
Published at: February 21, 2020 at 08:15PM

February 21, 2020 at 09:46PM


New vulnerabilities from the NVD: CVE-2012-6277

Multiple unspecified vulnerabilities in Autonomy KeyView IDOL before 10.16, as used in Symantec Mail Security for Microsoft Exchange before 6.5.8, Symantec Mail Security for Domino before 8.1.1, Symantec Messaging Gateway before 10.0.1, Symantec Data Loss Prevention (DLP) before 11.6.1, IBM Notes 8.5.x, IBM Lotus Domino 8.5.x before 8.5.3 FP4, and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, related to "a number of underlying issues" in which "some of these cases demonstrated memory corruption with attacker-controlled input and could be exploited to run arbitrary code."
Published at: February 21, 2020 at 07:15PM

February 21, 2020 at 09:46PM


New vulnerabilities from the NVD: CVE-2012-0844

Information-disclosure vulnerability in Netsurf through 2.8 due to a world-readable cookie jar.
Published at: February 21, 2020 at 08:15PM

February 21, 2020 at 09:46PM


New vulnerabilities from the NVD: CVE-2012-0828

Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BMP).
Published at: February 21, 2020 at 08:15PM

February 21, 2020 at 09:46PM


New vulnerabilities from the NVD: CVE-2012-1093

The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.
Published at: February 21, 2020 at 09:15PM

February 21, 2020 at 11:46PM

