[CLOSE] OSVDB ID : 88648 - Disclosed: 2012-12-18

Description:

Novell NetIQ eDirectory contains an unspecified flaw that may allow a remote attacker to gain access to administrator cookie information via a specially crafted program. No further details have been provided.

[CLOSE] OSVDB ID : 88657 - Disclosed: 2012-12-18

Description:

Opera contains a flaw that is triggered when handling site requests. The issue is due to the browser not properly displaying the site URL when a hostile site rapidly requests for a page reload. This can lead the browser to display an arbitrary address, useful in phishing attacks.

[CLOSE] OSVDB ID : 88656 - Disclosed: 2012-12-18

Description:

Opera contains a flaw that is due to the program setting insecure permissions for the profile folder. This may allow a local attacker to overwrite arbitrary files or execute arbitrary commands.

[CLOSE] OSVDB ID : 90748 - Disclosed: 2012-12-18

Description:

BusyBox contains a flaw that is due to the program setting insecure permissions on nested directories that have been created using mdev. This may allow an attacker to more easily gain access to certain sub directories, and conduct attacks that rely on permission weaknesses.

[CLOSE] OSVDB ID : 88524 - Disclosed: 2012-12-18

Description:

JBoss Enterprise Application Platform contains a flaw in the processInvocation() method in org.jboss.as.ejb3.security.AuthorizationInterceptor. The issue is triggered during the handling of an empty allowed role list. This may allow a remote attacker to invoke arbitrary methods.

[CLOSE] OSVDB ID : 88523 - Disclosed: 2012-12-18

Description:

JBoss Enterprise Application Platform contains a flaw that is triggered when an error occurs during the handling of role-based authorization for Enterprise Java Beans (EJB) access. With a specially configured JACC authorization module, a remote attacker can bypass authorization.

[CLOSE] OSVDB ID : 88547 - Disclosed: 2012-12-18

Description:

Profile Xbox Live ID Plugin for MyBB contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'xli' parameter upon submission to the usercp.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 88550 - Disclosed: 2012-12-18

Description:

Transactions Plugin for MyBB contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the bank.php script not properly sanitizing user-supplied input to the 'transaction' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 88549 - Disclosed: 2012-12-18

Description:

IDA Pro contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed ELF file, resulting in a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).

[CLOSE] OSVDB ID : 88617 - Disclosed: 2012-12-18

Description:

Mozilla Firefox contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed HTML file, resulting in a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).

[CLOSE] OSVDB ID : 88616 - Disclosed: 2012-12-18

Description:

MyYoutube Plugin for MyBB contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the Youtube Video ID field upon submission to the youtube.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 88615 - Disclosed: 2012-12-18

Description:

IBM Rational Policy Tester and Security AppScan Enterprise contain a flaw that is due to the programs failing to properly validate SSL certificates when manually viewing or scanning HTTPS sites. This may allow a remote attacker to spoof a valid server via a Man-in-the-Middle attack.

[CLOSE] OSVDB ID : 88614 - Disclosed: 2012-12-18

Description:

IBM Rational Policy Tester and Security AppScan Enterprise contain a flaw that is due to the programs failing to properly validate SSL certificates during the exploration of HTTPS sites. This may allow a remote attacker to spoof a valid server via a Man-in-the-Middle attack.

[CLOSE] OSVDB ID : 88721 - Disclosed: 2012-12-18

Description:

ownCloud contains a flaw that is due to the application failing to properly verify permissions when settings.php is accessed. This may allow a remote attacker to bypass authentication and edit the configuration settings for user_webdavauth or user_ldap and login as an arbitrary user.

[CLOSE] OSVDB ID : 88720 - Disclosed: 2012-12-18

Description:

ownCloud contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate path data upon submission to the apps/bookmark/index.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 88492 - Disclosed: 2012-12-17

Description:

Squid contains a flaw in cachemgr.cgi in tools/cachemgr.cc that may allow a remote denial of service. The issue is triggered during the handling of a specially crafted request, which will result in a consumption of CPU resources. This will cause a loss of availability for the program.

[CLOSE] OSVDB ID : 88491 - Disclosed: 2012-12-17

Description:

IBM Intelligent Operations Center contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via event data before returning it to the user. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 88695 - Disclosed: 2012-12-17

Description:

Adobe Flash Player has been reported to contain a flaw that results in memory corruption and may allow for remote code execution. Based on the provided crash details and additional cursory testing by OSVDB, there is, however, no evidence to support the claims of memory corruption and the possibility of code execution. Instead, the flaw is triggering an out-of-bounds read access violation when parsing unspecified data. With a specially crafted FLV file, a context-dependent attacker can cause a crash, but not immediately execute arbitrary code.

[CLOSE] OSVDB ID : 88611 - Disclosed: 2012-12-17

Description:

WordPress contains a flaw related to session management. The issue is due to wp-login.php not properly terminating the session on a 'logout' action. This means the session identifier, if stolen by a third-party, can be used to access the application even after the user has logged out.

[CLOSE] OSVDB ID : 88467 - Disclosed: 2012-12-17

Description:

Samsung Galaxy devices contain a flaw that may allow any application or local user to gain increased privileges. The issue is due to the /dev/exynos-mem device being readable and writeable to all users on the system, giving them full access to all physical memory. This would allow an application (e.g. downloaded from the Play market) to dump the contents of memory to disclose sensitive information or inject code into the running system for privilege escalation.

[CLOSE] OSVDB ID : 88494 - Disclosed: 2012-12-17

Description:

phpwcms contains a flaw that is triggered when input passed via 'article_summary' parameter to the preg_replace() function in the /include/inc_front/front.func.inc.php script is not properly sanitized. This may allow a remote attacker to potentially execute arbitrary code.

[CLOSE] OSVDB ID : 88613 - Disclosed: 2012-12-17

Description:

Adobe Shockwave Player contains a flaw that is triggered during the handling of a specially crafted HTML document that calls Shockwave content via a compatibility parameter. This will force the program to downgrade to the insecure version 10.4.0.025 of Shockwave, which may allow a remote attacker to potentially execute arbitrary code.

[CLOSE] OSVDB ID : 88612 - Disclosed: 2012-12-17

Description:

Adobe Shockwave Player contains a flaw that may cause an installation of arbitrary signed Xtras during the handling of a specially crafted Shockwave movie that has an Xtra URL. This may potentially allow a remote attacker to more easily execute arbitrary code.

[CLOSE] OSVDB ID : 88489 - Disclosed: 2012-12-17

Description:

Aptdaemon contains a flaw when importing keys from the keyserver and the PPA GPG keys are not properly authenticated. This may allow a remote attacker to install arbitrary package repository GPG keys via a Man-in-the-Middle (MitM) attack.

[CLOSE] OSVDB ID : 88493 - Disclosed: 2012-12-17

Description:

phpwcms contains a flaw that is triggered when input passed via the 'article_summary' parameter to the preg_replace() function in the /include/inc_front/content.func.inc.php script is not properly sanitized. This may allow a remote attacker to potentially execute arbitrary code.

[CLOSE] OSVDB ID : 88658 - Disclosed: 2012-12-17

Description:

Inkscape contains an XXE (Xml eXternal Entity) injection flaw that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source during the rasterization of SVG files. By sending specially crafted XML data, a remote attacker can gain access to arbitrary files.

[CLOSE] OSVDB ID : 88719 - Disclosed: 2012-12-17

Description:

Novell iPrint Client contains an unspecified flaw in the 'op-client-interface-version' parameter that may allow a remote attacker to execute arbitrary code. No further details are currently available.

[CLOSE] OSVDB ID : 88843 - Disclosed: 2012-12-17

Description:

RSS Reader Extension for MediaWiki contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the RSS feed before returning it to the user. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 90191 - Disclosed: 2012-12-17

Description:

By default, Moxa EDR-G903 Series Routers install with a hardcoded default user credentials (username/password combination). The account and password may allow remote attackers to trivially access the program or system and gain privileged access.

[CLOSE] OSVDB ID : 90190 - Disclosed: 2012-12-17

Description:

Moxa EDR-G903 Series Routers contain a flaw that is due to the device having weak entropy when generating SSH and HTTPS keys. A remote attacker can calculate private authentication keys, allowing for a man-in-the-middle attack. This would potentially disclose information, and allow the attacker to send commands to the device.

[CLOSE] OSVDB ID : 91265 - Disclosed: 2012-12-17

Description:

Automatic Bug Reporting Tool (ABRT) contains a flaw as abrt-action-install-debuginfo creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against directories used to store crash information to cause the program to unexpectedly grant elevated privileges to the attacker.

[CLOSE] OSVDB ID : 91264 - Disclosed: 2012-12-17

Description:

Red Hat Enterprise Virtualization Manager contains a flaw in the domain management tool (rhevm-manage-domains) that may lead to unauthorized disclosure of sensitive information. The issue is due to the program logging the administrative password to a world-readable log file. This may allow a local attacker to gain access to password information.

[CLOSE] OSVDB ID : 91511 - Disclosed: 2012-12-17

Description:

AMD Catalyst Control Center contains a flaw that is due to the auto update utility insecurely validating new updates. This may allow a remote attacker to spoof a valid update via a Man-in-the-Middle attack.

[CLOSE] OSVDB ID : 88488 - Disclosed: 2012-12-16

Description:

User Profile Skype ID Plugin for MyBB contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'skype' parameter upon submission to the usercp.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 88610 - Disclosed: 2012-12-16

Description:

Totem Movie Player contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed AVI file, resulting in a divide-by-zero error. With a specially crafted AVI file, a context-dependent attacker can crash the application.

[CLOSE] OSVDB ID : 88813 - Disclosed: 2012-12-15

Description:

VLC Media Player contains an overflow condition in modules/codec/subsdec.c. The issue is triggered as user-supplied input is not properly validated when handling HTML subtitle files. This may allow a context-dependent attacker to cause a buffer overflow, resulting in a denial of service or potentially execution of arbitrary code.

[CLOSE] OSVDB ID : 88460 - Disclosed: 2012-12-15

Description:

TWiki contains a flaw in the Locale::Maketext CPAN module. The issue is triggered when input passed via MAKETEXT macros are not properly sanitized. This may allow a remote attacker to execute arbitrary shell commands by Perl backtick ('') operators.

[CLOSE] OSVDB ID : 89694 - Disclosed: 2012-12-15

Description:

SAP NetWeaver Web Application Server (WAS) contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is triggered when an unspecified error occurs in the AdapaterFramework servlet. This may allow a remote attacker to gain access to version and other sensitive information.

[CLOSE] OSVDB ID : 88459 - Disclosed: 2012-12-15

Description:

TWiki contains a flaw in twiki/lib/TWiki.pm that may allow a remote denial of service. The issue is triggered during the handling of a specially crafted MAKETEXT macro, which will result in excessive memory allocation, or possibly crash the software, leading to a loss of availability for the program.

[CLOSE] OSVDB ID : 88546 - Disclosed: 2012-12-15

Description:

Quenlig contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'comment' parameter when creating a comment for a question. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.