SB15-069: Vulnerability Summary for the Week of March 2, 2015

"US-CERT" <US-CERT@xxxxxxxxxxxxxxxx> · Tue, 10 Mar 2015 20:16:22 -0500

Title:     SB15-069: Vulnerability Summary for the Week of March 2, 2015

  National Cyber Awareness System:

SB15-069: Vulnerability Summary for the Week of March 2, 2015
03/10/2015 07:56 PM EDT

Original release date: March 10, 2015 

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
 Vendor -- Product Description Published CVSS Score Source & Patch Info

clip-bucket -- clipbucket
SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) allows remote attackers to execute arbitrary SQL commands via the item parameter.
2015-02-27
7.5
CVE-2015-2102
EXPLOIT-DB
MISC
OSVDB

dns-sync_project -- dns-sync
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.
2015-02-27
10.0
CVE-2014-9682
CONFIRM
CONFIRM
MLIST

freebsd -- freebsd
Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory.
2015-02-27
7.8
CVE-2015-1414
FREEBSD
DEBIAN

iij -- seil/b1
npppd in the PPP Access Concentrator (PPPAC) on SEIL SEIL/x86 Fuji routers 1.00 through 3.30, SEIL/X1 routers 3.50 through 4.70, SEIL/X2 routers 3.50 through 4.70, and SEIL/B1 routers 3.50 through 4.70 allows remote attackers to cause a denial of service (infinite loop and device hang) via a crafted SSTP packet.
2015-02-27
7.1
CVE-2015-0887
CONFIRM
JVNDB
JVN

kent-web -- joyful_note
KENT-WEB Joyful Note before 5.3 allows remote attackers to delete files or write to files, and consequently execute arbitrary code, via vectors involving an article.
2015-02-27
7.5
CVE-2015-0889
CONFIRM
JVNDB
JVN

ninjaforms -- ninja_forms
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.
2015-03-05
7.5
CVE-2014-9688
CONFIRM

photocati_media -- photocrati
SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter.
2015-03-05
7.5
CVE-2015-2216
MISC

symantec -- netbackup_opscenter
Symantec NetBackup OpsCenter 7.6.0.2 through 7.6.1 on Linux and UNIX allows remote attackers to execute arbitrary _javascript_ code via unspecified vectors.
2015-03-05
10.0
CVE-2015-1483
CONFIRM
BID

web-dorado -- spider_calendar
SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php.
2015-03-03
7.5
CVE-2015-2196
EXPLOIT-DB

Back to top

Medium Vulnerabilities

Primary
 Vendor -- Product Description Published CVSS Score Source & Patch Info

beehive_forum -- beehive_forum
Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage_url, (2) pic_url, or (3) avatar_url parameter, which are not properly handled in an error message.
2015-03-03
4.3
CVE-2015-2198
EXPLOIT-DB
CONFIRM

bestwebsoft -- captcha
The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.
2015-03-03
5.0
CVE-2014-9283
CONFIRM
JVNDB
JVN

bestwebsoft -- google_captcha
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors.
2015-03-03
5.0
CVE-2015-0890
CONFIRM
JVNDB
JVN

canonical -- ubuntu_linux
The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction.
2015-03-02
4.7
CVE-2015-0239
CONFIRM
CONFIRM
UBUNTU
UBUNTU
UBUNTU
UBUNTU
MLIST
CONFIRM
MLIST
CONFIRM

checkpw_project -- checkpw
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.
2015-02-27
5.0
CVE-2015-0885
JVNDB
JVN
CONFIRM
CONFIRM

cisco -- secure_access_control_system
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka Bug ID CSCuj83189.
2015-03-05
6.5
CVE-2014-2130
CISCO

cisco -- ios
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.
2015-03-05
6.8
CVE-2015-0598
CISCO

cisco -- ios
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connection attempt with a blank password, aka Bug IDs CSCuo09400 and CSCun16016.
2015-03-05
4.3
CVE-2015-0607
SECTRACK
BID
CONFIRM
CISCO

cisco -- unified_web_and_e-mail_interaction_manager
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.
2015-02-27
4.3
CVE-2015-0655
CISCO

cisco -- network_analysis_module_firmware
Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269.
2015-03-03
4.3
CVE-2015-0656
CISCO

cisco -- ios_xr
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192.
2015-03-05
5.0
CVE-2015-0657
CISCO

cisco -- ios
The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS allows remote attackers to trigger self-referential adjacencies via a crafted Autonomic Networking (AN) message, aka Bug ID CSCup62157.
2015-03-05
5.0
CVE-2015-0659
CISCO

cisco -- ios_xr
The SNMPv2 implementation in Cisco IOS XR allows remote authenticated users to cause a denial of service (snmpd daemon reload) via a malformed SNMP packet, aka Bug ID CSCur25858.
2015-03-05
4.0
CVE-2015-0661
CISCO

cosmoshop -- cosmoshop
Cross-site scripting (XSS) vulnerability in the admin-login panel (admin/index.cgi) in Cosmoshop allows remote attackers to inject arbitrary web script or HTML via the username field (u_name parameter).
2015-02-27
4.3
CVE-2015-2103
BUGTRAQ
MISC

dlguard -- dlguard
DLGuard 4.5 allows remote attackers to obtain the installation path via the c parameter to index.php.
2015-03-04
5.0
CVE-2015-2209
MISC
FULLDISC

ffmpeg -- ffmpeg
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.
2015-02-27
6.8
CVE-2014-9676
MLIST

fortinet -- fortimail
Cross-site scripting (XSS) vulnerability in the Web Action Quarantine Release feature in the WebGUI in Fortinet FortiMail before 4.3.9, 5.0.x before 5.0.8, 5.1.x before 5.1.5, and 5.2.x before 5.2.3 allows remote attackers to inject arbitrary web script or HTML via the release parameter to module/releasecontrol.
2015-03-04
4.3
CVE-2014-8617
CONFIRM
FULLDISC

fusion_project -- fusion
Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordpress allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension in a fusion_save action, then accessing it via unspecified vectors.
2015-03-03
6.5
CVE-2015-2194
MISC

hp -- xp7_global_link_manager_software
Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before 7.6.1-06, and HP XP7 Global Link Manager Software (aka HGLM) 6.x through 8.x before 8.1.2-00, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2015-03-03
4.3
CVE-2014-7896
HP

ibm -- notes_traveler_companion
The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Window Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by conducting a phishing attack involving an encrypted e-mail message.
2015-03-01
4.3
CVE-2014-8921
CONFIRM

impliedbydesign -- navigate
Cross-site scripting (XSS) vulnerability in the Navigate bar in the Navigate module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2015-02-27
4.3
CVE-2015-2101
MISC
CONFIRM
CONFIRM
BID

kent-web -- clip_board
KENT-WEB Clip Board before 4.1 allows remote attackers to delete arbitrary files via unspecified vectors.
2015-02-27
6.4
CVE-2015-0888
CONFIRM
JVNDB
JVN

linux -- linux_kernel
net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers.
2015-03-02
5.0
CVE-2014-8160
CONFIRM
CONFIRM
UBUNTU
UBUNTU
UBUNTU
UBUNTU
MLIST
MLIST
CONFIRM

magic_hills -- wonderplugin_audio_player
Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) item[name] or (2) item[customcss] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or the itemid parameter in the (3) wonderplugin_audio_show_item or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php.
2015-03-05
4.3
CVE-2015-2218
MISC
EXPLOIT-DB
MISC
OSVDB
OSVDB

microsoft -- windows_2003_server
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue.
2015-03-06
5.0
CVE-2015-1637
CONFIRM

mindrot -- jbcrypt
Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent.
2015-02-27
5.0
CVE-2015-0886
CONFIRM
CONFIRM
JVNDB
JVN

netcat -- netcat
NetCat 5.01 and earlier allows remote attackers to obtain the installation path via the redirect_url parameter to netshop/post.php.
2015-03-05
5.0
CVE-2015-2214
MISC
FULLDISC
MISC

ninjaforms -- ninja_forms
Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2) remote administrators to inject arbitrary web script or HTML via the fields[1] parameter to wp-admin/post.php.
2015-03-05
4.3
CVE-2015-2220
MISC
BUGTRAQ
MISC

sap -- hana
Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs or (2) xs/ide/editor/templates/trace/hanaTraceDetailService.xsjs, aka SAP Note 2069676.
2015-02-27
4.3
CVE-2015-2072
BID
BUGTRAQ
FULLDISC
MISC

sap -- businessobjects_edge
SAP BussinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396.
2015-02-27
5.0
CVE-2015-2075
BID
BUGTRAQ
FULLDISC
MISC

sap -- businessobjects_edge
The Auditing service in SAP BussinessObjects Edge 4.0 allows remote attackers to obtains sensitive information by reading an audit event, aka SAP Note 2011395.
2015-02-27
5.0
CVE-2015-2076
BID
BUGTRAQ
FULLDISC
MISC

services_single_sign-on_server_helper_project -- services_single_sign-on_server_helper
Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.
2015-03-05
5.8
CVE-2015-2215
MISC
BID

sharelatex -- sharelatex
Common LaTeX Service Interface (CLSI) before 0.1.3, as used in ShareLaTeX before 0.1.3, allows remote authenticated users to execute arbitrary code via ` (backtick) characters in a filename.
2015-03-03
6.5
CVE-2015-0934
CERT-VN

tips_and_tricks_hq -- all_in_one_wordpress_security_and_firewall
SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
2015-03-06
6.0
CVE-2015-0894
CONFIRM
JVNDB
JVN

tisa -- maroyaka_simple_board
Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Simple Board allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2015-03-04
4.3
CVE-2015-0891
JVNDB
JVN
MISC

tisa -- maroyaka_image_album
Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Image Album allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2015-03-04
4.3
CVE-2015-0892
JVNDB
JVN
MISC

tisa -- maroyaka_relay_novel
Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Relay Novel allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2015-03-04
4.3
CVE-2015-0893
JVNDB
JVN
MISC

toshiba -- bluetooth_stack
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.
2015-02-27
6.9
CVE-2015-0884
CERT-VN
CONFIRM
CONFIRM
MISC

wonderplugin -- audio_player
Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow (1) remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or remote administrators to execute arbitrary SQL commands via the itemid parameter in the (2) wonderplugin_audio_show_item, (3) wonderplugin_audio_show_items, or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php.
2015-03-03
6.5
CVE-2015-2199
MISC
EXPLOIT-DB
MISC
OSVDB
OSVDB

wp_media_cleaner_project -- wp_media_cleaner
Multiple cross-site scripting (XSS) vulnerabilities in the WP Media Cleaner plugin 2.2.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) view, (2) paged, or (3) s parameter in the wp-media-cleaner page to wp-admin/upload.php.
2015-03-03
4.3
CVE-2015-2195
BUGTRAQ

Back to top

Low Vulnerabilities

Primary
 Vendor -- Product Description Published CVSS Score Source & Patch Info

canonical -- ubuntu_linux
Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.
2015-03-03
3.6
CVE-2014-9683
CONFIRM
CONFIRM
UBUNTU
UBUNTU
UBUNTU
UBUNTU
MLIST
CONFIRM
CONFIRM

entity_api_project -- entity_api
Cross-site scripting (XSS) vulnerability in the Entity API module before 7.x-1.6 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a field label in the Token API.
2015-03-03
3.5
CVE-2015-2197
MISC
CONFIRM
BID

linux -- linux_kernel
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644.
2015-03-02
2.1
CVE-2013-7421
MISC
MLIST
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM

linux -- linux_kernel
The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template _expression_ in the salg_name field, as demonstrated by the vfat(aes) _expression_, a different vulnerability than CVE-2013-7421.
2015-03-02
2.1
CVE-2014-9644
MISC
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM

sharelatex -- sharelatex
Absolute path traversal vulnerability in ShareLaTeX 0.1.3 and earlier, when the paranoid openin_any setting is omitted, allows remote authenticated users to read arbitrary files via a \include command.
2015-03-03
3.5
CVE-2015-0933
CERT-VN

Back to top

This product is provided subject to this Notification and this Privacy & Use policy.

OTHER RESOURCES:

Contact Us | Security Publications | Alerts and Tips | Related Resources

STAY CONNECTED:

SUBSCRIBER SERVICES:
Manage Preferences  |  Unsubscribe  |  Help

This email was sent to linux-security@xxxxxxxxxxx using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870