[CLOSE] OSVDB ID : 79230 - Disclosed: 2012-02-14

Description:

Oracle Java SE contains a flaw related to the COMPONENT component that may allow a remote attacker to cause a denial of service and gain unauthorized access to manipulate some unspecified data and read certain unspecified information. No further details have been provided.

[CLOSE] OSVDB ID : 79231 - Disclosed: 2012-02-14

Description:

Oracle Java SE contains a flaw related to the Install component that may allow a remote attacker to execute arbitrary code. No further details have been provided.

[CLOSE] OSVDB ID : 79232 - Disclosed: 2012-02-14

Description:

Oracle Java SE contains a flaw related to the Serialization component that may allow a remote attacker to cause a denial of service and gain unauthorized access to read certain unspecified information, and affect integrity in an unspecified fashion. No further details have been provided.

[CLOSE] OSVDB ID : 79254 - Disclosed: 2012-02-14

Description:

A memory corruption flaw exists in Microsoft Visio Viewer. The program fails to sanitize certain unspecified user-supplied input, resulting in memory corruption. With a specially crafted Viso file, a context-dependent attacker can execute arbitrary code.

[CLOSE] OSVDB ID : 79255 - Disclosed: 2012-02-14

Description:

A memory corruption flaw exists in Microsoft Visio Viewer. The program fails to sanitize certain unspecified user-supplied input, resulting in memory corruption. With a specially crafted Viso file, a context-dependent attacker can execute arbitrary code.

[CLOSE] OSVDB ID : 79256 - Disclosed: 2012-02-14

Description:

A memory corruption flaw exists in Microsoft Visio Viewer. The program fails to sanitize certain unspecified user-supplied input, resulting in memory corruption. With a specially crafted Viso file, a context-dependent attacker can execute arbitrary code.

[CLOSE] OSVDB ID : 79257 - Disclosed: 2012-02-14

Description:

A memory corruption flaw exists in Microsoft Visio Viewer. The program fails to sanitize certain unspecified user-supplied input, resulting in memory corruption. With a specially crafted Viso file, a context-dependent attacker can execute arbitrary code.

[CLOSE] OSVDB ID : 79258 - Disclosed: 2012-02-14

Description:

A memory corruption flaw exists in Microsoft Visio Viewer. The program fails to sanitize certain unspecified user-supplied input, resulting in memory corruption. With a specially crafted Viso file, a context-dependent attacker can execute arbitrary code.

[CLOSE] OSVDB ID : 79264 - Disclosed: 2012-02-14

Description:

Microsoft SharePoint contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'skey' parameter upon submission to the wizardlist.aspx script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 79593 - Disclosed: 2012-02-14

Description:

Fork CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'highlight' parameter upon submission to the backend/core/engine/base.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 84148 - Disclosed: 2012-02-14

Description:

WebKit contains a use-after-free error in the 'NavigationScheduler::schedule' function in WebCore/loader/NavigationScheduler.cpp when a redirect is scheduled during a load. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.

[CLOSE] OSVDB ID : 84155 - Disclosed: 2012-02-14

Description:

WebKit contains a use-after-free error in the 'CompositeEditCommand::deleteInsignificantText' function in WebCore/editing/CompositeEditCommand.cpp when deleting nodes. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.

[CLOSE] OSVDB ID : 84202 - Disclosed: 2012-02-14

Description:

WebKit contains a use-after-free error in the 'RenderBlock::LineBreaker::nextLineBreak' function in WebCore/rendering/RenderBlockLineLayout.cpp when handling line break iterators in counter content. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.

[CLOSE] OSVDB ID : 88425 - Disclosed: 2012-02-14

Description:

International Components for Unicode for C/C++ (ICU4C) contains an overflow condition in the _getKeywords function in uloc.c. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or potentially execution of arbitrary code.

[CLOSE] OSVDB ID : 81634 - Disclosed: 2012-02-13

Description:

Storage Manager Server contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the LoginServlet not properly sanitizing user-supplied input to the 'loginName' parameter. This may allow an attacker to manipulate an SQL query that will result in bypassing authentication. Once authenticated, the attacker will have access to the application with the same privileges as the account used during the authentication bypass. In addition, this may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 79246 - Disclosed: 2012-02-13

Description:

Horde, Horde Groupware, and Horde Groupware Webmail Edition contain a flaw related to the integrity of the source code packages that contain several trojan backdoors, which may allow a remote attacker to execute arbitrary PHP code.

[CLOSE] OSVDB ID : 79281 - Disclosed: 2012-02-13

Description:

Sonexis ConferenceManager contains a flaw related to the backup functionality. The issue is due to the upload.asp script not providing authentication. This may allow an attacker to upload arbitrary databases to the system.

[CLOSE] OSVDB ID : 86525 - Disclosed: 2012-02-13

Description:

A memory corruption flaw exists in Mozilla Firefox. The program fails to sanitize user-supplied input when an error related to RegExpGuard occurs, which will result in memory corruption. This may potentially allow a remote attacker to execute arbitrary code.

[CLOSE] OSVDB ID : 79215 - Disclosed: 2012-02-13

Description:

ALFTP is prone to a flaw in the way it loads dynamic-link libraries (DLL). The program uses a fixed path to look for specific files or libraries. This path includes directories that may not be trusted or under user control. By placing a custom version of the file or library in the path, the program will load it before the legitimate version. This allows an attacker to inject custom code that will be run with the privilege of the program or user executing the program. This can be done by tricking a user into opening a file from the local file system or a USB drive in some cases.

[CLOSE] OSVDB ID : 79247 - Disclosed: 2012-02-13

Description:

The Linux Kernel contains a flaw that may lead to an unauthorized information disclosure. The issue is due to the Overlayfs filesystem not performing validation of extended permissions, which will disclose sensitive files to a local attacker.

[CLOSE] OSVDB ID : 79270 - Disclosed: 2012-02-13

Description:

CardDavMATE contains an unspecified flaw related to the cleanup of globalAccountSettings of the logout functionality that may allow an attacker to perform actions with an unknown impact. No further details have been provided.

[CLOSE] OSVDB ID : 79279 - Disclosed: 2012-02-13

Description:

Sonexis ConferenceManager contains a flaw related to the backup functionality. The issue is due to the admin/backup/settings.asp script not providing authentication. This may allow an attacker to arbitrary manipulate user credentials.

[CLOSE] OSVDB ID : 79280 - Disclosed: 2012-02-13

Description:

Sonexis ConferenceManager contains a flaw that may lead to an unauthorized information disclosure. The issue is due to the download.asp script not providing authentication, which will disclose database information to a remote attacker.

[CLOSE] OSVDB ID : 79328 - Disclosed: 2012-02-13

Description:

Cisco IronPort Encryption Appliance contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'header' parameter upon submission to the default URI after the admin/ script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 79274 - Disclosed: 2012-02-13

Description:

Fork CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'report' parameter upon submission to the 'private/en/blog/settings' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 79795 - Disclosed: 2012-02-13

Description:

WebKit contains a typecasting flaw that is triggered when creating line boxes. With a specially crafted web page, a context-dependent attacker can corrupt memory to cause a denial of service or potentially execute arbitrary code.

[CLOSE] OSVDB ID : 84139 - Disclosed: 2012-02-13

Description:

WebKit contains a use-after-free error in the 'RenderBlock::containingColumnsBlock' and 'RenderBlock::columnsBlockForSpanningElement' functions in WebCore/rendering/RenderBlock.cpp when handling a button in a multi-column layout. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.

[CLOSE] OSVDB ID : 87730 - Disclosed: 2012-02-13

Description:

Serv-U FTP Server contains a flaw that may allow a remote denial of service. The issue is triggered during the handling of a saturation of specially crafted POST requests, which will result in a loss of availability for the server.

[CLOSE] OSVDB ID : 87729 - Disclosed: 2012-02-13

Description:

Serv-U FTP Server contains an unspecified flaw related to UNC path comparison. No further details have been provided.

[CLOSE] OSVDB ID : 79218 - Disclosed: 2012-02-12

Description:

PBBoard contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the manipulation of an administrator's password. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 79273 - Disclosed: 2012-02-12

Description:

Fork CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'report' parameter upon submission to the 'private/en/settings' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 79249 - Disclosed: 2012-02-12

Description:

PHP contains a flaw that may allow a remote denial of service. The issue is due to the 'SimpleXMLRPCRequestHandler.do_POST()' method not properly handling an EOF when processing POST requests, which causes high CPU consumption and will result in a loss of availability for the service.

[CLOSE] OSVDB ID : 79592 - Disclosed: 2012-02-12

Description:

Fork CMS contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the 'frontend/core/engine/javascript.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'module' parameter to the 'frontend/js.php' script. This directory traversal attack would allow the attacker to read arbitrary files.

[CLOSE] OSVDB ID : 79217 - Disclosed: 2012-02-12

Description:

Zero Install contains a flaw related to SSL server certificates. The issue is due to the application not validating the 'Common Name' field. This may allow an attacker to spoof arbitrary certificates and perform Man-in-the-Middle (MitM) attacks.

[CLOSE] OSVDB ID : 79351 - Disclosed: 2012-02-12

Description:

Ultimix contains a flaw related to the sape::sape_common_api package that may allow an attacker to perform actions with an unknown impact. No further details have been provided.

[CLOSE] OSVDB ID : 79596 - Disclosed: 2012-02-12

Description:

Zimbra Web Client contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'view' parameter upon submission to the zimbra/h/calendar script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 79555 - Disclosed: 2012-02-12

Description:

Nova CMS contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the administrator/modules/moduleslist.php script not properly sanitizing user input supplied to the 'id' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 79272 - Disclosed: 2012-02-11

Description:

Fork CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the execute() function in the backend/core/engine/base.php script does not validate the 'error' parameter upon submission to the private/en/users/index script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 79141 - Disclosed: 2012-02-11

Description:

CubeCart contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the 'goto' parameter upon submission to the admin/login.php script. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

[CLOSE] OSVDB ID : 79140 - Disclosed: 2012-02-11

Description:

CubeCart contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the 'r' parameter upon submission to the switch.php script. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.