SB13-203: Vulnerability Summary for the Week of July 15, 2013

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Title: SB13-203: Vulnerability Summary for the Week of July 15, 2013

US Computer Emergency Readiness Team banner graphic

National Cyber Awareness System:

07/22/2013 08:55 AM EDT

Original release date: July 22, 2013

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities
Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
Back to top
apache -- struts Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. 2013-07-16 10.0 CVE-2013-2134
apache -- struts Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. 2013-07-16 10.0 CVE-2013-2135
blackberry -- qnx_momentics_tool_suite Stack-based buffer overflow in the bpe_decompress function in (1) BlackBerry QNX Neutrino RTOS through 6.5.0 SP1 and (2) QNX Momentics Tool Suite through 6.5.0 SP1 in the QNX Software Development Platform allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted packets to TCP port 4868. 2013-07-12 7.8 CVE-2013-2687
cisco -- asa_5500-x_series_ips_ssp_software Cisco Intrusion Prevention System (IPS) Software in ASA 5500-X IPS-SSP software modules before 7.1(7)sp1E4 allows remote attackers to cause a denial of service (Analysis Engine process hang or device reload) via fragmented (1) IPv4 or (2) IPv6 packets, aka Bug ID CSCue51272. 2013-07-18 7.8 CVE-2013-1218
cisco -- asa_5500-x_series_ips_ssp_software The IP stack in Cisco Intrusion Prevention System (IPS) Software in ASA 5500-X IPS-SSP software and hardware modules before 7.1(5)E4, IPS 4500 sensors before 7.1(6)E4, and IPS 4300 sensors before 7.1(5)E4 allows remote attackers to cause a denial of service (MainApp process hang) via malformed IPv4 packets, aka Bug ID CSCtx18596. 2013-07-18 7.8 CVE-2013-1243
cisco -- intrusion_prevention_system Cisco Intrusion Prevention System (IPS) Software on IPS NME devices before 7.0(9)E4 allows remote attackers to cause a denial of service (device reload) via malformed IPv4 packets that trigger incorrect memory allocation, aka Bug ID CSCua61977. 2013-07-18 7.8 CVE-2013-3410
cisco -- intrusion_prevention_system The IDSM-2 drivers in Cisco Intrusion Prevention System (IPS) Software on Cisco Catalyst 6500 devices with an IDSM-2 module allow remote attackers to cause a denial of service (device hang) via malformed IPv4 TCP packets, aka Bug ID CSCuh27460. 2013-07-18 7.8 CVE-2013-3411
emc -- avamar_server EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly determine authorization for calls to Java RMI methods, which allows remote authenticated users to execute arbitrary code via unspecified vectors. 2013-07-19 9.0 CVE-2013-3274
hp -- network_node_manager_i Unspecified vulnerability in HP Network Node Manager i (NNMi) 9.00, 9.1x, and 9.2x allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors. 2013-07-13 7.5 CVE-2013-2351
ibm -- aix Multiple unspecified vulnerabilities in the InfiniBand subsystem in IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02, allow local users to gain privileges via vectors involving (1) arp.ib or (2) ibstat. 2013-07-18 7.2 CVE-2013-4011
oracle -- oracle_and_sun_systems_product_suite Unspecified vulnerability in the Solaris Cluster component in Oracle and Sun Systems Products Suite 3.2, 3.3, and 4 prior to 4.1 SRU 3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Zone Cluster Infrastructure. 2013-07-17 7.2 CVE-2013-3746
oracle -- database_server Unspecified vulnerability in the XML Parser component in Oracle Database Server 11.2.0.2 and 11.2.0.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2013-07-17 9.0 CVE-2013-3751
oracle -- oracle_and_sun_systems_product_suite Unspecified vulnerability in the Solaris Cluster component in Oracle and Sun Systems Products Suite 3.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to HA for TimesTen. 2013-07-17 7.2 CVE-2013-3754
oracle -- database_server Unspecified vulnerability in the Oracle executable component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-3771. 2013-07-17 7.2 CVE-2013-3760
oracle -- database_server Unspecified vulnerability in the Oracle executable component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2013-3760. 2013-07-17 7.2 CVE-2013-3771
oracle -- database_server Unspecified vulnerability in the Network Layer component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. 2013-07-17 7.6 CVE-2013-3774
oracle -- virtualization Unspecified vulnerability in the Secure Global Desktop component in Oracle Virtualization All 4.6 releases including 4.63 and 4.7 prior to 4.71 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web UI. 2013-07-17 7.5 CVE-2013-3779
siemens -- openscape_session_border_controller core/getLog.php on the Siemens Enterprise OpenScape Branch appliance and OpenScape Session Border Controller (SBC) before 2 R0.32.0, and 7 before 7 R1.7.0, allows remote attackers to obtain sensitive server and statistics information via unspecified vectors. 2013-07-18 7.8 CVE-2013-4778
siemens -- openscape_session_border_controller core/getLog.php on the Siemens Enterprise OpenScape Branch appliance and OpenScape Session Border Controller (SBC) before 2 R0.32.0, and 7 before 7 R1.7.0, allows remote attackers to read arbitrary files via unspecified vectors. 2013-07-18 7.8 CVE-2013-4780
siemens -- openscape_session_border_controller core/getLog.php on the Siemens Enterprise OpenScape Branch appliance and OpenScape Session Border Controller (SBC) before 2 R0.32.0, and 7 before 7 R1.7.0, allows remote attackers to execute arbitrary commands via unspecified vectors. 2013-07-18 10.0 CVE-2013-4781
sun -- sunos Unspecified vulnerability in Oracle Solaris 11 allows remote attackers to affect availability via vectors related to Driver/IDM (iSCSI Data Mover). 2013-07-17 7.8 CVE-2013-3748
sun -- sunos Unspecified vulnerability in Oracle Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel/VM 2013-07-17 7.2 CVE-2013-3750
sun -- sunos Unspecified vulnerability in Oracle Solaris 11 allows remote attackers to affect availability via vectors related to Kernel/STREAMS framework. 2013-07-17 7.8 CVE-2013-3753
ubnt -- aircam Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allows remote attackers to execute arbitrary code via a long rtsp: URI in a DESCRIBE request. 2013-07-18 7.5 CVE-2013-1606
wave -- embassy_remote_administration_server SQL injection vulnerability in the Help Desk application in Wave EMBASSY Remote Administration Server (ERAS) allows remote attackers to execute arbitrary SQL commands via the ct100$4MainController$TextBoxSearchValue parameter (aka the search field). 2013-07-15 7.5 CVE-2013-3577
wave -- embassy_remote_administration_server SQL injection vulnerability in the Help Desk application in Wave EMBASSY Remote Administration Server (ERAS) allows remote authenticated users to execute arbitrary SQL commands via the ct100$4MainController$TextBoxSearchValue parameter (aka the search field), leading to execution of operating-system commands. 2013-07-15 9.0 CVE-2013-3578

Medium Vulnerabilities
Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
Back to top
acquia -- commons The Commons Group module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors. 2013-07-16 5.0 CVE-2013-1907
acquia -- commons The Commons Wikis module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors. 2013-07-16 5.0 CVE-2013-1908
anshul_sharma -- category-grid-view-gallery Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter. 2013-07-16 4.3 CVE-2013-4117
autodesk -- autocad Unspecified vulnerability in Autodesk AutoCAD through 2014, AutoCAD LT through 2014, and DWG TrueView through 2014 allows remote attackers to execute arbitrary code via a crafted DWG file. 2013-07-18 6.8 CVE-2013-3665
blackberry -- qnx_software_development_platform Buffer overflow in phrelay in BlackBerry QNX Neutrino RTOS through 6.5.0 SP1 in the QNX Software Development Platform allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted packets to TCP port 4868 that leverage improper handling of the /dev/photon device file. 2013-07-12 5.4 CVE-2013-2688
blackberry -- z10 BlackBerry 10 OS before 10.0.10.648 on BlackBerry Z10 smartphones uses weak permissions for a BlackBerry Protect object, which allows physically proximate attackers to bypass intended access restrictions by leveraging a user's BlackBerry Protect password-reset request and a user's installation of a crafted application. 2013-07-13 6.2 CVE-2013-3692
cisco -- unified_communications_manager An unspecified function in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) allows remote authenticated users to execute arbitrary commands via unknown vectors, aka Bug ID CSCuh73440. 2013-07-18 6.5 CVE-2013-3402
cisco -- unified_communications_manager Multiple untrusted search path vulnerabilities in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allow local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCuh73454. 2013-07-18 6.8 CVE-2013-3403
cisco -- unified_communications_manager SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, leading to discovery of encrypted credentials by leveraging metadata, aka Bug ID CSCuh01051. 2013-07-18 6.4 CVE-2013-3404
cisco -- unified_communications_manager SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuh81766. 2013-07-18 6.5 CVE-2013-3412
cisco -- identity_services_engine_software Cross-site request forgery (CSRF) vulnerability in the web framework on the Cisco Identity Services Engine (ISE) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuh25506. 2013-07-18 6.8 CVE-2013-3420
cisco -- secure_access_control_system Cross-site scripting (XSS) vulnerability in the Help index page in Cisco Secure Access Control System (ACS) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud75170. 2013-07-12 4.3 CVE-2013-3421
cisco -- secure_access_control_system Cross-site scripting (XSS) vulnerability in Administration pages in Cisco Secure Access Control System (ACS) allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCud75165. 2013-07-12 4.3 CVE-2013-3422
cisco -- secure_access_control_system Cross-site scripting (XSS) vulnerability in the web interface in Cisco Secure Access Control System (ACS) allows remote attackers to inject arbitrary web script or HTML via an unspecified field, aka Bug ID CSCud75174. 2013-07-12 4.3 CVE-2013-3423
cisco -- secure_access_control_system Cross-site request forgery (CSRF) vulnerability in Administration and View pages in Cisco Secure Access Control System (ACS) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCud75177. 2013-07-12 6.8 CVE-2013-3424
cisco -- unified_ip_phone_9951 The Serviceability servlet on Cisco 9900 IP phones does not properly restrict paths, which allows remote attackers to read arbitrary files by specifying a pathname in a file request, aka Bug ID CSCuh52810. 2013-07-18 5.0 CVE-2013-3426
cisco -- secure_access_control_system The web interface in Cisco Secure Access Control System (ACS) does not properly suppress error-condition details, which allows remote authenticated users to obtain sensitive information via an unspecified request that triggers an error, aka Bug ID CSCue65957. 2013-07-15 4.0 CVE-2013-3428
cisco -- unified_communications_manager Untrusted search path vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCui02276. 2013-07-18 6.8 CVE-2013-3433
cisco -- unified_communications_manager Untrusted search path vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCui02242. 2013-07-18 6.8 CVE-2013-3434
cisco -- ios The default configuration of the Group Encrypted Transport VPN (GET VPN) feature on Cisco IOS uses an improper mechanism for enabling Group Domain of Interpretation (GDOI) traffic flow, which allows remote attackers to bypass the encryption policy via certain uses of UDP port 848, aka Bug ID CSCui07698. 2013-07-19 5.0 CVE-2013-3436
drupal -- drupal The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors. 2013-07-16 4.3 CVE-2013-0246
emc -- avamar_server EMC Avamar Server and Avamar Virtual Edition before 7.0 on Data Store Gen3, Gen4, and Gen4s platforms do not properly restrict use of FRAME elements, which makes it easier for remote attackers to obtain sensitive information via a crafted web site, related to "cross frame scripting vulnerabilities." 2013-07-19 4.3 CVE-2013-3275
google -- glass Google Glass before XE6 does not properly restrict the processing of QR codes, which allows physically proximate attackers to modify the configuration or redirect users to arbitrary web sites via a crafted symbol, as demonstrated by selecting a Wi-Fi access point in order to conduct a man-in-the-middle attack. 2013-07-18 6.9 CVE-2013-4872
ibm -- lotus_notes Buffer overflow in the .mdb parser in Autonomy KeyView IDOL, as used in IBM Notes 8.5.x before 8.5.3 FP4, allows remote attackers to execute arbitrary code via a crafted file, aka SPR KLYH92XL3W. 2013-07-18 6.8 CVE-2012-6349
ibm -- api_management Unspecified vulnerability in IBM API Management 2.0 before 2.0.0.1 allows remote attackers to access tenant APIs, and consequently obtain sensitive information or modify data, via unknown vectors. 2013-07-19 6.4 CVE-2013-0559
linux -- linux_kernel The KVM subsystem in the Linux kernel before 3.0 does not check whether kernel addresses are specified during allocation of memory slots for use in a guest's physical address space, which allows local users to gain privileges or obtain sensitive information from kernel memory via a crafted application, related to arch/x86/kvm/paging_tmpl.h and virt/kvm/kvm_main.c. 2013-07-16 6.9 CVE-2013-1943
linux -- linux_kernel The fib6_add_rt2node function in net/ipv6/ip6_fib.c in the IPv6 stack in the Linux kernel through 3.10.1 does not properly handle Router Advertisement (RA) messages in certain circumstances involving three routes that initially qualified for membership in an ECMP route set until a change occurred for one of the first two routes, which allows remote attackers to cause a denial of service (system crash) via a crafted sequence of messages. 2013-07-15 5.4 CVE-2013-4125
mdolon -- sharebar Multiple cross-site request forgery (CSRF) vulnerabilities in the Sharebar plugin 1.2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) modify buttons, or (3) insert cross-site scripting (XSS) sequences. 2013-07-16 6.8 CVE-2013-3491
metin_saylan -- dropdown_menu_widget Cross-site request forgery (CSRF) vulnerability in the Dropdown Menu Widget plugin 1.9.1 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences. 2013-07-12 6.8 CVE-2013-2704
modsecurity -- modsecurity The ModSecurity module before 2.7.4 for the Apache HTTP Server allows remote attackers to cause a denial of service (NULL pointer dereference, process crash, and disk consumption) via a POST request with a large body and a crafted Content-Type header. 2013-07-15 4.3 CVE-2013-2765
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Parser. 2013-07-17 4.0 CVE-2013-3783
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language. 2013-07-17 4.0 CVE-2013-3793
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Partition. 2013-07-17 4.0 CVE-2013-3794
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options. 2013-07-17 5.0 CVE-2013-3801
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Full Text Search. 2013-07-17 4.0 CVE-2013-3802
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.69 and earlier, 5.5.31 and earlier, and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer. 2013-07-17 4.0 CVE-2013-3804
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.30 and earlier and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Prepared Statements. 2013-07-17 4.0 CVE-2013-3805
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.68 and earlier, 5.5.30 and earlier, and 5.6.10 allows remote authenticated users to affect availability via unknown vectors related to Server Options. 2013-07-17 4.0 CVE-2013-3808
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Audit Log. 2013-07-17 4.0 CVE-2013-3809
novell -- groupwise Cross-site scripting (XSS) vulnerability in the client in Novell GroupWise through 8.0.3 HP3, and 2012 through SP2, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML via the body of an e-mail message. 2013-07-15 4.3 CVE-2013-1087
oracle -- e-business_suite Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote authenticated users to affect confidentiality via unknown vectors related to Client System Analyzer. 2013-07-17 4.0 CVE-2013-3747
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5.0, 11.1.1.7.0, and 11.1.2.0.0 allows remote attackers to affect integrity via vectors related to SSO Engine. 2013-07-17 4.3 CVE-2013-3755
oracle -- e-business_suite Unspecified vulnerability in the Oracle Landed Cost Management component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Shipment Workbench. 2013-07-17 5.5 CVE-2013-3756
oracle -- enterprise_manager Unspecified vulnerability in the Enterprise Manager (EM) Base Platform 10.2.0.5 and 11.1.0.1; EM DB Control 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3; and EM Plugin for DB 12.1.0.2 and 12.1.0.3 in Oracle Enterprise Manager Grid Control allows remote attackers to affect integrity via unknown vectors related to Schema Management. 2013-07-17 4.3 CVE-2013-3758
oracle -- peoplesoft_enterprise_peopletools Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote attackers to affect integrity via vectors related to PIA Search Functionality. 2013-07-17 4.3 CVE-2013-3759
oracle -- peoplesoft_enterprise_peopletools Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products Portal 9.1 and PeopleTools 8.52 allows remote attackers to affect integrity via vectors related to PIA Core Technology. 2013-07-17 4.3 CVE-2013-3761
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 7.4.0 and 7.5.1.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2013-3764. 2013-07-17 5.5 CVE-2013-3763
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Endeca Server component in Oracle Fusion Middleware 7.4.0 and 7.5.1.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors, a different vulnerability than CVE-2013-3763. 2013-07-17 5.5 CVE-2013-3764
oracle -- e-business_suite_access_gate Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite Access Gate 1.2.1 allows remote attackers to affect integrity via unknown vectors. 2013-07-17 4.3 CVE-2013-3767
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect integrity via unknown vectors related to Rich Text Editor. 2013-07-17 4.3 CVE-2013-3768
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1, 11.1.1.6.0, and 11.1.1.7.0 allows remote attackers to affect integrity via unknown vectors related to Site Studio. 2013-07-17 4.3 CVE-2013-3769
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1, 11.1.1.6.0, and 11.1.1.7.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Content Server. 2013-07-17 5.5 CVE-2013-3770
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1, 11.1.1.6.0, and 11.1.1.7.0 allows remote attackers to affect integrity via unknown vectors related to Web Forms. 2013-07-17 4.3 CVE-2013-3772
oracle -- xcp Unspecified vulnerability in the SPARC Enterprise M Series Servers component in Oracle and Sun Systems Products Suite XCP 1114 and earlier allows remote attackers to affect availability via vectors related to XSCF Control Package (XCP). 2013-07-17 5.0 CVE-2013-3773
oracle -- ilearning Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 5.2.1 and 6.0 allows remote attackers to affect integrity via unknown vectors related to Learner Pages. 2013-07-17 4.3 CVE-2013-3775
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7, 8.4.0, and 8.4.1 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2013-3781. 2013-07-17 6.8 CVE-2013-3776
oracle -- e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Signon. 2013-07-17 4.3 CVE-2013-3777
oracle -- e-business_suite Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Help. 2013-07-17 4.3 CVE-2013-3778
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise Portal component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Saved Search. 2013-07-17 4.0 CVE-2013-3780
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7, 8.4.0, and 8.4.1 allows context-dependent to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2013-3776. 2013-07-17 6.8 CVE-2013-3781
oracle -- virtualization Unspecified vulnerability in the Secure Global Desktop component in Oracle Virtualization 4.6 prior to 4.63 and 4.7 prior to 4.71 allows remote attackers to affect integrity via unknown vectors related to Web UI. 2013-07-17 4.3 CVE-2013-3782
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors Time and Labor. 2013-07-17 5.5 CVE-2013-3784
oracle -- e-business_suite Unspecified vulnerability in the Oracle iSupplier Portal component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Supplier Management. 2013-07-17 4.3 CVE-2013-3788
oracle -- database_server Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2013-07-17 6.5 CVE-2013-3789
oracle -- enterprise_manager Unspecified vulnerability in Enterprise Manager (EM) Base Platform 10.2.0.5 and EM DB Control 11.1.0.7 in Oracle Enterprise Manager Grid Control allows remote attackers to affect integrity via unknown vectors related to User Interface Framework. 2013-07-17 4.3 CVE-2013-3791
oracle -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Data Manipulation Language. 2013-07-17 4.0 CVE-2013-3795
oracle -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer. 2013-07-17 4.0 CVE-2013-3796
oracle -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote attackers to affect integrity and availability via unknown vectors related to MemCached. 2013-07-17 5.8 CVE-2013-3798
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Business Interlinks. 2013-07-17 6.4 CVE-2013-3800
oracle -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-3811. 2013-07-17 4.0 CVE-2013-3806
oracle -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Server Privileges. 2013-07-17 4.0 CVE-2013-3807
oracle -- industry_applications Unspecified vulnerability in the Oracle Policy Automation component in Oracle Industry Applications 10.2.0, 10.3.0, 10.3.1, 10.4.0, 10.4.1, and 10.4.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Determinations Engine. 2013-07-17 4.0 CVE-2013-3816
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect integrity via unknown vectors related to Portal. 2013-07-17 4.3 CVE-2013-3818
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality and availability via unknown vectors related to Mobile Applications. 2013-07-17 6.4 CVE-2013-3819
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect availability via unknown vectors related to Business Interlink. 2013-07-17 5.0 CVE-2013-3820
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51, 8.52, and 8.53 allows remote attackers to affect confidentiality and availability via unknown vectors related to Integration Broker. 2013-07-17 6.4 CVE-2013-3821
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.1 allows remote attackers to affect integrity via unknown vectors related to Web Client (CS). 2013-07-17 4.3 CVE-2013-3822
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. 2013-07-17 4.0 CVE-2013-3823
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Agile Collaboration Framework component in Oracle Supply Chain Products Suite 9.3.1 allows remote authenticated users to affect integrity via unknown vectors related to Manufacturing/Mfg Parts. 2013-07-17 4.0 CVE-2013-3824
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Agile Product Collaboration component in Oracle Supply Chain Products Suite 9.3.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Folders & Files Attachment. 2013-07-17 4.0 CVE-2013-3825
paolo_bacchilega -- file_roller Directory traversal vulnerability in File Roller 3.6.x before 3.6.4, 3.8.x before 3.8.3, and 3.9.x before 3.9.3, when libarchive is used, allows remote attackers to create arbitrary files via a crafted archive that is not properly handled in a "Keep directory structure" action, related to fr-archive-libarchive.c and fr-window.c. 2013-07-18 5.0 CVE-2013-4668
parallels -- parallels_plesk_panel The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823. 2013-07-18 6.8 CVE-2013-4878
php -- php ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function. 2013-07-13 6.8 CVE-2013-4113
quade -- edit_limit The Edit Limit module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict access to comments, which allows remote authenticated users with the "edit comments" permission to edit arbitrary comments of other users via unspecified vectors. 2013-07-16 5.0 CVE-2013-2122
redhat -- enterprise_linux A certain Red Hat patch to the KVM subsystem in the kernel package before 2.6.32-358.11.1.el6 on Red Hat Enterprise Linux (RHEL) 6 does not properly implement the PV EOI feature, which allows guest OS users to cause a denial of service (host OS crash) by leveraging a time window during which interrupts are disabled but copy_to_user function calls are possible. 2013-07-16 5.7 CVE-2013-1935
redhat -- enterprise_linux A certain Red Hat patch to the do_filp_open function in fs/namei.c in the kernel package before 2.6.32-358.11.1.el6 on Red Hat Enterprise Linux (RHEL) 6 does not properly handle failure to obtain write permissions, which allows local users to cause a denial of service (system crash) by leveraging access to a filesystem that is mounted read-only. 2013-07-16 4.7 CVE-2013-2188
sharp -- aquos_hn-pp150 The Sharp AQUOS PhotoPlayer HN-PP150 with firmware before 1.04.00.04 allows remote attackers to cause a denial of service (networking outage) via crafted packet data. 2013-07-12 5.0 CVE-2013-3655
siemens -- openscape_session_border_controller Cross-site scripting (XSS) vulnerability in core/handleTw.php on the Siemens Enterprise OpenScape Branch appliance and OpenScape Session Border Controller (SBC) before 2 R0.32.0, and 7 before 7 R1.7.0, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2013-07-18 4.3 CVE-2013-4779
sun -- sunos Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows remote attackers to affect confidentiality via unknown vectors related to Utility/Remote Execution Server (in.rexecd). 2013-07-17 5.0 CVE-2013-0398
sun -- sunos Unspecified vulnerability in Oracle Solaris 11 allows remote attackers to affect integrity via vectors related to Service Management Facility (SMF). 2013-07-17 4.3 CVE-2013-3752
sun -- sunos Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows remote attackers to affect integrity and availability via vectors related to SMF/File Locking Services. 2013-07-17 6.4 CVE-2013-3757
sun -- sunos Unspecified vulnerability in Oracle Solaris 11 allows local users to affect availability via unknown vectors related to Kernel/VM. 2013-07-17 4.9 CVE-2013-3765
sun -- sunos Unspecified vulnerability in Oracle Solaris 9, 10, and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel. 2013-07-17 6.0 CVE-2013-3786
sun -- sunos Unspecified vulnerability in Oracle Solaris 10 and 11 allows remote attackers to affect availability via unknown vectors related to Kernel. 2013-07-17 4.3 CVE-2013-3787
sun -- sunos Unspecified vulnerability in Oracle Solaris 11 allows local users to affect availability via unknown vectors related to Filesystem/DevFS. 2013-07-17 4.7 CVE-2013-3797
sun -- sunos Unspecified vulnerability in Oracle Solaris 10 and 11, when running on AMD64, allows local users to affect availability via unknown vectors related to Kernel. 2013-07-17 4.9 CVE-2013-3799
sun -- sunos Unspecified vulnerability in Oracle Solaris 10 allows remote attackers to affect confidentiality and integrity via vectors related to Libraries/PAM-Unix. 2013-07-17 5.8 CVE-2013-3813
swfupload_project -- swfupload Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. 2013-07-19 4.3 CVE-2012-3414
verizon -- wireless_network_extender The Uboot bootloader on the Verizon Wireless Network Extender SCS-26UC4 allows physically proximate attackers to obtain root access by connecting a crafted HDMI cable and using a sys session to modify the ramboot environment variable. 2013-07-18 6.2 CVE-2013-4874
verizon -- wireless_network_extender The Uboot bootloader on the Verizon Wireless Network Extender SCS-2U01 allows physically proximate attackers to bypass the intended boot process and obtain a login prompt by connecting a crafted HDMI cable and sending a SysReq interrupt. 2013-07-18 6.2 CVE-2013-4875
verizon -- wireless_network_extender The Verizon Wireless Network Extender SCS-2U01 has a hardcoded password for the root account, which makes it easier for physically proximate attackers to obtain administrative access by leveraging a login prompt. 2013-07-18 6.2 CVE-2013-4876
yahoo -- tumblr The Yahoo! Tumblr app before 3.4.1 for iOS sends cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. 2013-07-18 5.0 CVE-2013-4873

Low Vulnerabilities
Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
Back to top
N/A -- N/A Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) and the IM & Presence Service in Cisco Unified Presence Server through 9.1(2) use the same CTI and database-encryption key across different customers' installations, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of this key, aka Bug IDs CSCsc69187 and CSCui01756. NOTE: the vendor has provided a statement that the "hard-coded static encryption key is considered a hardening issue rather than a vulnerability, and as such, has a CVSS score of 0/0." 2013-07-18 0.0 CVE-2013-4869
angrydonuts -- ctools The Chaos Tool Suite (ctools) module 7.x-1.x before 7.x-1.3 for Drupal does not properly restrict node access, which allows remote authenticated users with the "access content" permission to read restricted node titles via an autocomplete list. 2013-07-16 3.5 CVE-2013-1925
drupal -- drupal The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to node that are part of a book outline, which allows remote authenticated users with the "access printer-friendly version" permission to read node titles and possibly node content via unspecified vectors. 2013-07-16 2.1 CVE-2013-0245
mysql -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.31 and earlier and 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Replication. 2013-07-17 3.5 CVE-2013-3812
oracle -- e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.3 allows remote authenticated users to affect confidentiality via unknown vectors related to Logging. 2013-07-17 3.5 CVE-2013-3749
oracle -- database_server Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect integrity via unknown vectors related to Privileged Account. 2013-07-17 2.1 CVE-2013-3790
oracle -- hyperion Unspecified vulnerability in the Hyperion BI+ component in Oracle Hyperion 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, and 11.1.2.2.305 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Intelligence Service. 2013-07-17 3.5 CVE-2013-3803
oracle -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to XA Transactions. 2013-07-17 3.5 CVE-2013-3810
oracle -- mysql Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2013-3806. 2013-07-17 3.5 CVE-2013-3811
sun -- sunos Unspecified vulnerability in Oracle Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Libraries/Libc. 2013-07-17 2.1 CVE-2013-3745
verizon -- wireless_network_extender The Verizon Wireless Network Extender SCS-26UC4 and SCS-2U01 does not use CAVE authentication, which makes it easier for remote attackers to obtain ESN and MIN values from arbitrary phones, and conduct cloning attacks, by sniffing the network for registration packets. 2013-07-18 2.6 CVE-2013-4877

 


This product is provided subject to this Notification and this Privacy & Use policy.


This email was sent to linux-security@xxxxxxxxxxx using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110 Powered by GovDelivery

[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux