This page presents a list of vulnerabilities with the longest "time to patch". This is calculated by looking at the vendor informed date and the vendor solution date. In short, once the vendor became aware of the vulnerability, how long did it take them to patch? This timeframe can be used to gauge the maturity of a vendor's security patch response time. Vendors with exceptionally long patch times should evaluate their procedures while customers should remind the vendors that security is important.
| ID |
Disc Date |
Time to Patch |
Title |
|
90171
|
2003-09-02
|
3367 days |
GNU C Library (glibc) printf() Incomplete Multibyte Sequence Handling Infinite Loop DoS
|
|
GNU C Library (glibc) contains a flaw in the printf() function that may allow a denial of service. The issue is triggered during the handling of an incomplete multibyte sequence. This may allow a context-dependent attack to cause an infinite loop.
|
|
88592
|
2005-01-16
|
2888 days |
phpGiftReq index.php Multiple Parameter SQL Injection
|
|
phpGiftReq contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'messagid', 'shopper', and 'shopfor' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
|
88591
|
2005-01-16
|
2888 days |
phpGiftReq item.php itemid Parameter SQL Injection
|
|
phpGiftReq contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the item.php script not properly sanitizing user-supplied input to the 'itemid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
|
34395
|
2007-05-08
|
2280 days |
Microsoft Excel Filter Record Handling Remote Code Execution
|
|
A context-dependent memory corruption flaw exists in Excel. It fails to validate filter records resulting in memory corruption. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.
|
|
62740
|
2010-03-04
|
2225 days |
CA SiteMinder WebWorks Help wwhelp/wwhimpl/common/html/frameset.htm Unspecified Parameter XSS
|
|
Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable ...<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3731" target="_blank">CVE</a>)</span> :
|
|
91769
|
2005-05-07
|
2216 days |
Newscoop Frontend PHP Tag Injection Remote Code Execution
|
|
Newscoop contains a flaw that allows the injection of PHP tags in to fields that are displayed on the frontend. This may allow a remote attacker to execute arbitrary PHP code.
|
|
91635
|
2005-05-30
|
1537 days |
Libxslt libxslt/extensions.c Concurrent XSLT Stylesheet Loading Missing Thread Safety Arbitrary Code Execution
|
|
Libxslt contains a flaw in libxslt/extensions.c related to handling of xmlHashTable structures that is triggered when a stylesheet is concurrently loaded by multiple threads. This allows an attacker to crash an application linked against the library or potentially execute arbitrary code.
|
|
33567
|
2004-06-17
|
1423 days |
XMB U2U Instant Messenger memcp.php recipient Field XSS
|
|
Cross-site scripting (XSS) vulnerability in memcp.php in XMB U2U Instant Messenger allows remote authenticated users to inject arbitrary web script or HTML via the recipient field.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0519" target="_blank">CVE</a>)</span> :
|
|
66388
|
2010-07-15
|
1416 days |
XMB Admin Password Manipulation CSRF
|
|
|
|
91766
|
2003-08-26
|
1407 days |
dpkg Tar Archive Extraction Incorrect File Permissions Setting Weakness
|
|
dpkg contains a flaw that is due to the program setting permissions based on the program rather than the user during the extraction of .tar archives. This may allow a context-dependent attacker to write files to a system with arbitrary an arbitrary UID.
|
|
78670
|
2011-12-13
|
1352 days |
Oracle Java SE / Java for Business java:compiler Malformed .java Handling DoS
|
|
|
|
81500
|
2011-08-01
|
1308 days |
OpenSSH gss-serv.c ssh_gssapi_parse_ename Function Field Length Value Parsing Remote DoS
|
|
OpenSSH contains a flaw in the ssh_gssapi_parse_ename function in gss-serv.c that may allow a remote denial of service. The issue is triggered during the parsing of an overly large value in a certain length field, which will result in memory corruption. This may allow a remote attacker to cause a loss of availability for the program.
|
|
68706
|
2010-10-18
|
1245 days |
IBM Informix Dynamic Server portmap.exe librpc.dll Crafted RPC Packet Remote Overflow
|
|
IBM Informix Dynamic Server is prone to an overflow condition. 'librpc.dll' in 'portmap.exe' fails to properly sanitize user-supplied input resulting in an integer overflow. With a specially crafted RPC packet with a crafted parameter size sent to TCP port 36890, a remote attacker can potentially execute arbitrary code.
|
|
32912
|
2007-01-17
|
1222 days |
Oracle Database XMLDB Unspecified XSS
|
|
Unspecified vulnerability in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to XMLDB, aka DB06. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that DB06 is for multiple cross-site scripting (XSS) vulnerabilities.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0273" target="_blank">CVE</a>)</span> :
|
|
48328
|
2008-07-28
|
1221 days |
Apple iTunes Update Authenticity Verification Weakness
|
|
Apple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3434" target="_blank">CVE</a>)</span> :
|
|
71515
|
2010-10-28
|
1209 days |
WebKit Nested first-letter Pseudo Element Non-layout Style Change Handling Memory Corruption
|
|
WebKit contains a flaw that is triggered when handling nested first-letter pseudo elements during non-layout style changes. With a specially crafted web page, a context-dependent attacker can corrupt memory to cause a denial of service or potentially execute arbitrary code.
|
|
86373
|
2012-10-16
|
1208 days |
Oracle Business Intelligence Enterprise Edition /em/console/help/webapp/HELP_10.1.3_NT_060914.0911.178/ohw_jslibs/vt_chrome.js URI XSS
|
|
Oracle Business Intelligence Enterprise Edition contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the /em/console/help/webapp/HELP_10.1.3_NT_060914.0911.178/ohw_jslibs/vt_chrome.js script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
|
61205
|
2009-12-17
|
1173 days |
HP Storage OpenView Data Protector Cell Manager _rm32.rm_getMem() Function Remote Overflow
|
|
Integer overflow in the _ncp32._NtrpTCPReceiveMsg function in rds.exe in the Cell Manager Database Service in the Application Recovery Manager component in HP OpenView Storage Data Protector 5.50 and 6.0 allows remote attackers to execute arbitrary code via a large value in the size parameter.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2281" target="_blank">CVE</a>)</span> :
|
|
89939
|
2013-02-07
|
1164 days |
Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
|
|
Rack contains a flaw that is due to an error in the Rack::Session::Cookie function. Users of the Marshal session cookie encoding (the default), are subject to a timing attack that may lead an attacker to execute arbitrary code. This attack is more practical against 'cloud' users as intra-cloud latencies are sufficiently low to make the attack viable.
|
|
61206
|
2009-12-16
|
1163 days |
HP Storage OpenView Data Protector Backup Client Service MSG_PROTOCOL Command Remote Overflow
|
|
Stack-based buffer overflow in OmniInet.exe (aka the backup client service daemon) in the Application Recovery Manager component in HP OpenView Storage Data Protector 5.50 and 6.0 allows remote attackers to execute arbitrary code via an MSG_PROTOCOL command with long arguments, a different vulnerability than CVE-2009-3844.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2280" target="_blank">CVE</a>)</span> :
|
|
64437
|
2010-05-05
|
1144 days |
HP Mercury LoadRunner Agent magentproc.exe Remote Arbitrary Code Execution
|
|
Unspecified vulnerability in the Agent in HP LoadRunner before 9.50 and HP Performance Center before 9.50 allows remote attackers to execute arbitrary code via unknown vectors.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1549" target="_blank">CVE</a>)</span> :
|
|
73563
|
2008-02-01
|
1117 days |
Universal Feed Parser (feedparser) feedparser.py DOCTYPE Declaration DoS
|
|
Universal Feed Parser (feedparser) contains a flaw in the handling of DOCTYPE declarations that may allow a denial of service. The issue is due to an error when handling malformed DOCTYPE declarations. With a specially crafted file, a context-dependent attacker can cause the application to crash.
|
|
91765
|
2003-01-28
|
1111 days |
dpkg dpkg-source -b Argument Symlink Arbitrary File Overwrite
|
|
dpkg contains a flaw when handling the -b argument as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the dpkg-source file to cause the program to unexpectedly overwrite an arbitrary file.
|
|
33130
|
2007-02-08
|
1072 days |
HP Network Node Manager (NNM) Remote Console Directory Permission Weakness Privilege Escalation
|
|
HP Network Node Manager (NNM) Remote Console 7.50, 7.51, and 7.53 assigns Everyone Full Control permission for the %PROGRAMFILES%\HP OpenView directory tree, which allows local users to gain privileges via a Trojan horse executable file or ActiveX component, or a modified bin\ovtrcsvc.exe for the HP Open View Shared Trace Service.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0819" target="_blank">CVE</a>)</span> :
|
|
70851
|
2011-02-08
|
1057 days |
IBM Lotus Domino SMTP Service Filename Parameter Unspecified Overflow
|
|
IBM Lotus Domino is prone to an overflow condition. The SMTP service fails to properly sanitize user-supplied input resulting in a buffer overflow. With a specially crafted e-mail message containing multiple 'filename' parameters, a remote attacker can potentially execute arbitrary code.
|
|
71952
|
2011-04-19
|
1012 days |
Oracle Multiple Products Oracle Help help/topics/iastop_cs/iastop_cs_farm_page.html locale Parameter XSS
|
|
Multiple Oracle products contain a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'locale' parameter upon submission to the help/topics/iastop_cs/iastop_cs_farm_page.html page. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
|
71953
|
2011-04-19
|
1012 days |
Oracle Multiple Products Application Service Level Management /em/console/target/svclvl/slrule targetType Parameter SQL Injection
|
|
Unspecified vulnerability in the Application Service Level Management component in Oracle Database Server 11.1.0.7 and Enterprise Manager Grid Control allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Service Level Agreements.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0787" target="_blank">CVE</a>)</span> :
|
|
12368
|
2004-12-09
|
1011 days |
UseModWiki wiki.pl XSS
|
|
UseModWiki contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the user-submitted content upon submission to the 'wiki.pl' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
|
68705
|
2010-10-18
|
984 days |
IBM Informix Dynamic Server oninit.exe Logging Function Remote Overflow
|
|
IBM Informix Dynamic Server is prone to an overflow condition. An unspecified logging function in 'oninit.exe' fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted EXPLAIN directive, a remote attacker can potentially execute arbitrary code.
|
|
40401
|
2007-08-14
|
963 days |
IBM AIX cfgcon swcons -p Argument Symlink Local Privilege Escalation
|
|
cfgcon in IBM AIX 5.2 and 5.3 does not properly validate the argument to the "-p" option to swcons, which allows local users in the system group to create an arbitrary file, and enable world writability of this file, via a symlink attack involving use of the file's name as the argument. NOTE: this issue is due to an incomplete fix for CVE-2007-5804.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5805" target="_blank">CVE</a>)</span> :
|
|
90797
|
2008-05-27
|
963 days |
Cerberus Helpdesk Arbitrary Group Custom Fields Disclosure
|
|
Cerberus Helpdesk contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is due to an error in the 'customize' ticket worklist that may allow a remote attacker to gain access to custom fields in arbitrary groups.
|
|
92701
|
2012-06-17
|
958 days |
SAP NetWeaver Portal /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping systemid Parameter XSS
|
|
SAP NetWeaver Portal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'systemid' parameter upon submission to the /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
|
81267
|
2012-04-17
|
914 days |
Oracle Database Server / Enterprise Manager Database Grid Control /em/console/ecm/config/compareWizard/compareWizFirstConfig fConfigGuid Parameter SQL Injection
|
|
Oracle Database Server and Oracle Enterprise Manager Grid Control contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /em/console/ecm/config/compareWizard/compareWizFirstConfig script not properly sanitizing user-supplied input to the 'fConfigGuid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
|
85863
|
2012-09-21
|
909 days |
Oracle Database Authentication Protocol Arbitrary User Session Key / Salt Remote Disclosure
|
|
Oracle Database contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an error occurs in the authentication protocol, which may allow a remote attacker to gain access to session key and salt information for arbitrary users. This may make it easier for the attacker to conduct a brute force guessing attack due to cryptographic hash information being leaked.
|
|
72558
|
2011-02-05
|
905 days |
IBM Lotus Domino IMAP/POP3 mail from Command Non-Printable Character Expansion Remote Code Execution
|
|
Multiple stack-based buffer overflows in the (1) POP3 and (2) IMAP services in IBM Lotus Domino allow remote attackers to execute arbitrary code via non-printable characters in an envelope sender address, aka SPR KLYH87LLVJ.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0919" target="_blank">CVE</a>)</span> :
|
|
72559
|
2011-02-05
|
905 days |
IBM Lotus Domino NRouter Service Calendar Request Attachment Name Parsing Remote Code Execution
|
|
Stack-based buffer overflow in the NRouter (aka Router) service in IBM Lotus Domino allows remote attackers to execute arbitrary code via long filenames associated with Content-ID and ATTACH:CID headers in attachments in malformed calendar-request e-mail messages, aka SPR KLYH87LKRE.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0918" target="_blank">CVE</a>)</span> :
|
|
66830
|
2010-08-03
|
895 days |
Citrix Multiple Product ICA Connection Graphics Packet Handling Remote Code Execution
|
|
Citrix Online Plug-in for Windows for XenApp & XenDesktop before 11.2, Citrix Online Plug-in for Mac for XenApp & XenDesktop before 11.0, Citrix ICA Client for Linux before 11.100, Citrix ICA Client for Solaris before 8.63, and Citrix Receiver for Windows Mobile before 11.5 allow remote attackers to execute arbitrary code via (1) a crafted HTML document, (2) a crafted .ICA file, or (3) a crafted type field in an ICA graphics packet, related to a "heap offset overflow" issue.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2990" target="_blank">CVE</a>)</span> :
|
|
70838
|
2011-02-07
|
890 days |
Novell eDirectory for Linux NCP FileSetLock Request Handling Remote DoS
|
|
Novell eDirectory for Linux contains a flaw that may allow a remote denial of service. The issue is triggered when an error in the NCP implementation is exploited via a crafted FileSetLock NCP request, and will result in a loss of availability.
|
|
22582
|
2006-01-17
|
877 days |
Oracle Application Server Reports Developer rwservlet customize Variable Arbitrary XML File Portion Disclosure
|
|
Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP04. NOTE: Oracle has not disputed reliable researcher claims that this issue is related to directory traversal that allows reading of portions of arbitrary XML files via the customize parameter.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0275" target="_blank">CVE</a>)</span> :
|
|
55806
|
2009-07-13
|
876 days |
Microsoft Office Web Components OWC10.Spreadsheet ActiveX msDataSourceObject() Method Memory Corruption
|
|
A memory corruption flaw exists in Office Web Components. The OWC10.Spreadsheet ActiveX control fails to validate calls to the msDataSourceObject method resulting in memory corruption. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.
|
|
88476
|
2005-02-08
|
871 days |
International Components for Unicode for C/C++ (ICU4C) TextCache Infinite Loop DoS
|
|
International Components for Unicode for C/C++ (ICU4C) contains a flaw in the TextCache that may allow a remote denial of service. The issue is triggered when handling 1,679,616 transliterators, which will cause an infinite loop. This will result in a loss of availability for the program.
|
|
56914
|
2009-08-11
|
866 days |
Microsoft Office Web Components OWC10 ActiveX Loading/Unloading Memory Allocation Arbitrary Code Execution
|
|
The Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 does not properly allocate memory, which allows remote attackers to execute arbitrary code via unspecified vectors that trigger "system state" corruption, aka "Office Web Components Memory Allocation Vulnerability."<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0562" target="_blank">CVE</a>)</span> :
|
|
63300
|
2009-10-14
|
849 days |
gif2png gif2png.c Command Line Argument Overflow
|
|
gif2png contains an overflow condition in the handling of command-line arguments. The issue is due to an error within gif2png.c resulting in improper validation of user-supplied input. With a specially crafted request containing an overly long command-line argument, a context-dependent attacker can cause a stack-based buffer overflow, resulting in a denial of service or potentially execution of arbitrary code.
|
|
27852
|
2006-08-08
|
834 days |
Microsoft IE Uninitialized COM Object Memory Corruption
|
|
Microsoft Internet Explorer contains a flaw that may allow a malicious user to execute code on a user's machine. The issue is triggered when user accesses a malicious web page that contains instructions to instantiate an activeX control. It is possible that the flaw may allow execute code resulting in a loss of integrity.
|
|
72714
|
2011-06-01
|
827 days |
Cisco AnyConnect Secure Mobility Client ActiveX IObjectSafety Headend Server Spoofing Remote Code Execution
|
|
The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.185 on Windows, and on Windows Mobile, downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a certain ActiveX control in vpnweb.ocx, aka Bug ID CSCsy00904.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2039" target="_blank">CVE</a>)</span> :
|
|
70599
|
2011-01-20
|
814 days |
Iconfidant SSL Server Key Exchange Client Master Key Packet Overflow
|
|
Iconfidant SSL Server is prone to an overflow condition. The key exchange functionality fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted client master key packet whose specific length field sums exceed 0x4000, a remote attacker can potentially execute arbitrary code.
|
|
61965
|
2010-01-19
|
804 days |
RealNetworks Multiple Products Invalid ASMRuleBook Structure Overflow
|
|
Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to execute arbitrary code via a file with invalid ASMRuleBook structures that trigger heap memory corruption.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4241" target="_blank">CVE</a>)</span> :
|
|
66083
|
2009-02-03
|
795 days |
LibTIFF td_stripbytecount Field Handling Weakness Crafted TIFF File DoS
|
|
LibTIFF 3.9.4 and earlier does not properly handle an invalid td_stripbytecount field, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted TIFF file, a different vulnerability than CVE-2010-2443.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2482" target="_blank">CVE</a>)</span> :
|
|
56435
|
2008-11-18
|
790 days |
WebKit WebCore xml/XMLHttpRequest.cpp Set-Cookie HTTP Response Header Restriction Weakness
|
|
xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-6059" target="_blank">CVE</a>)</span> :
|
|
72260
|
2009-02-09
|
789 days |
LibTIFF OJPEG Decoder tif_ojpeg.c Crafted TIFF File Handling Overflow
|
|
LibTIFF is prone to an overflow condition. The OJPEGReadHeaderInfoSecStreamSof() function fails to properly sanitize user-supplied input resulting in a buffer overflow. With a specially crafted TIFF file, a context-dependent attacker can potentially cause arbitrary code execution.
|
|
68707
|
2010-10-18
|
783 days |
IBM Informix Dynamic Server DBINFO Keyword SQL Query Remote Overflow
|
|
IBM Informix Dynamic Server is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With specially crafted lengthy DBINFO keyword arguments in an SQL statement, a remote attacker can potentially execute arbitrary code.
|
|
61966
|
2010-01-19
|
770 days |
RealNetworks Multiple Products Crafted GIF File Chunk Size Overflow
|
|
Heap-based buffer overflow in the CGIFCodec::GetPacketBuffer function in datatype/image/gif/common/gifcodec.cpp in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via a GIF file with crafted chunk sizes that trigger improper memory allocation.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4242" target="_blank">CVE</a>)</span> :
|
|
14238
|
2005-02-25
|
757 days |
BadBlue ext.dll mfcisapicommand Parameter Remote Overflow
|
|
A REMOTE overflow exists in BadBlue http Server. The BadBlue http Server fails to validate the mfcisapicommand parameter resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.
|
|
65507
|
2010-03-01
|
753 days |
EMC Networker portmap.exe librpc.dll Authentication Functionality Multiple Overflows
|
|
Multiple buffer overflows in the authentication functionality in librpc.dll in the Informix Storage Manager (ISM) Portmapper service (aka portmap.exe), as used in IBM Informix Dynamic Server (IDS) 10.x before 10.00.TC9 and 11.x before 11.10.TC3, allow remote attackers to execute arbitrary code via a crafted parameter size.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2753" target="_blank">CVE</a>)</span> :
|
|
62783
|
2010-03-01
|
753 days |
IBM Informix Dynamic Server portmap.exe librpc.dll Authentication Functionality Multiple Overflows
|
|
Multiple buffer overflows in the authentication functionality in librpc.dll in the Informix Storage Manager (ISM) Portmapper service (aka portmap.exe), as used in IBM Informix Dynamic Server (IDS) 10.x before 10.00.TC9 and 11.x before 11.10.TC3, allow remote attackers to execute arbitrary code via a crafted parameter size.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2753" target="_blank">CVE</a>)</span> :
|
|
68040
|
2010-09-14
|
749 days |
IBM Lotus Domino nnotes.dll MailCheck821Address Function iCalendar Email Address ORGANIZER:mailto Header Remote Overflow
|
|
Stack-based buffer overflow in the MailCheck821Address function in nnotes.dll in the nrouter.exe service in the server in IBM Lotus Domino 8.0.x before 8.0.2 FP5 and 8.5.x before 8.5.1 FP2 allows remote attackers to execute arbitrary code via a long e-mail address in an ORGANIZER:mailto header in an iCalendar calendar-invitation e-mail message, aka SPR NRBY7ZPJ9V.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3407" target="_blank">CVE</a>)</span> :
|
|
61967
|
2010-01-21
|
741 days |
RealNetworks Multiple Products Crafted Media File HTTP Chunked Transfer Overflow
|
|
RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allow remote attackers to have an unspecified impact via a crafted media file that uses HTTP chunked transfer coding, related to an "overflow."<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4243" target="_blank">CVE</a>)</span> :
|
|
61972
|
2010-01-19
|
739 days |
RealNetworks Multiple Products CMediumBlockAllocator::Alloc Method Crafted RTSP SET_PARAMETER Handling Overflow
|
|
Buffer overflow in the RTSPProtocol::HandleSetParameterRequest function in client/core/rtspprotocol.cpp in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted RTSP SET_PARAMETER request.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4248" target="_blank">CVE</a>)</span> :
|
|
15537
|
2005-04-18
|
738 days |
PayProCart usrauthstamp.php IP Disclosure
|
|
PayProCart contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker uses a cross-site scripting style attack to include the usrauthstamp.php script, which will disclose arbitrary user's IP addresses resulting in a loss of confidentiality.
|
|
61973
|
2010-01-19
|
712 days |
RealNetworks Multiple Products smlrender.dll SMIL File Handling Overflow
|
|
Heap-based buffer overflow in datatype/smil/common/smlpkt.cpp in smlrender.dll in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10 and 11.0.0, and Helix Player 10.x and 11.0.0 allows remote attackers to execute arbitrary code via an SMIL file with crafted string lengths.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4257" target="_blank">CVE</a>)</span> :
|
|
90276
|
2010-05-24
|
712 days |
Apache Axis2 axis2.xml Plaintext Password Local Disclosure
|
|
Apache Axis2 contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is due to the program storing password information in plaintext in the axis2.xml file, which may allow a local attacker to gain access to such information.
|
|
89368
|
2009-07-09
|
703 days |
Jenkins Update Center Cleartext Proxy Password Disclosure
|
|
Jenkins contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is due to the update center transmitting the proxy password in cleartext. This may allow a remote attacker to gain access to password information when sniffing a user's network traffic.
|
|
56834
|
2009-08-06
|
692 days |
CA Multiple Products Data Transport Services Library (dtscore.dll) Token Searching Routine Remote Overflow
|
|
Stack-based buffer overflow in a token searching function in the dtscore library in Data Transport Services in CA Software Delivery r11.2 C1, C2, C3, and SP4; Unicenter Software Delivery 4.0 C3; CA Advantage Data Transport 3.0 C1; and CA IT Client Manager r12 allows remote attackers to execute arbitrary code via crafted data. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2026)
|
|
59966
|
2009-11-10
|
689 days |
Cisco Linksys WAP4400N Association Request Unspecified Remote DoS
|
|
Multiple buffer overflows in the Marvell wireless driver, as used in Linksys WAP4400N Wi-Fi access point with firmware 1.2.17 on the Marvell 88W8361P-BEM1 chipset, and other products, allow remote 802.11-authenticated users to cause a denial of service (wireless access point crash) and possibly execute arbitrary code via an association request with long (1) rates, (2) extended rates, and unspecified other information elements. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5475)
|
|
58865
|
2009-10-13
|
665 days |
Microsoft Multiple Products GDI+ TIFF Image Handling Overflow
|
|
Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web ... (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2502)
|
|
57241
|
2007-10-04
|
657 days |
vtiger CRM include/utils/ListViewUtils.php Disabled Field Restriction Weakness
|
|
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3251)
|
|
69845
|
2010-12-10
|
654 days |
RealPlayer Multiple Products RealMedia File MDPR Header Array Index Error Arbitrary Code Execution
|
|
A memory corruption flaw exists in RealPlayer. The program fails to sanitize user-supplied input containing a malformed Media Properties Header (MDPR) resulting in memory corruption. With a specially crafted MDPR in a RealMedia file, a context-dependent attacker can execute arbitrary code.
|
|
37923
|
2007-07-11
|
653 days |
SquirrelMail G/PGP (GPG) Plugin gpg_keyring.php deleteKey Function Arbitrary Command Execution
|
|
The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1924)
|
|
37924
|
2007-07-11
|
653 days |
SquirrelMail G/PGP (GPG) Plugin gpg_key_functions.php gpg_recv_key Function Arbitrary Command Execution
|
|
The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1924)
|
|
57243
|
2007-10-09
|
652 days |
vtiger CRM Unspecified Attachment / Report / Filter Manipulation
|
|
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3258)
|
|
47397
|
2008-08-12
|
644 days |
Microsoft Office WPGIMP32.FLT Filter WordPerfect Graphics (WPG) File Handling Arbitrary Code Execution
|
|
WPGIMP32.FLT in Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack; and Works 8 does not properly parse the length of a WordPerfect Graphics (WPG) file, which allows remote attackers to execute arbitrary code via a crafted WPG file, aka the "WPG Image File Heap Corruption Vulnerability." (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3460)
|
|
61968
|
2010-01-19
|
617 days |
RealNetworks Multiple Products SIPR Codec Field Handling Overflow
|
|
Heap-based buffer overflow in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via an SIPR codec field with a small length value that triggers incorrect memory allocation. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4244)
|
|
61969
|
2010-01-19
|
616 days |
RealNetworks Multiple Products Compressed GIF File Handling Overflow
|
|
Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a compressed GIF file, related to gifcodec.cpp and gifimage.cpp. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4245)
|
|
45367
|
2008-05-19
|
615 days |
CA Multiple Product caloggerd Log Daemon Traversal Arbitrary File Manipulation
|
|
Directory traversal vulnerability in caloggerd in CA BrightStor ARCServe Backup 11.0, 11.1, and 11.5 allows remote attackers to append arbitrary data to arbitrary files via directory traversal sequences in unspecified input fields, which are used in log messages. NOTE: this can be leveraged for code execution in many installation environments by writing to a startup file or configuration file. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2241)
|
|
58866
|
2009-10-13
|
614 days |
Microsoft Multiple Products GDI+ TIFF Image Handling Memory Corruption Arbitrary Code Execution
|
|
GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression ... (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2503)
|
|
60855
|
2009-12-08
|
610 days |
Microsoft Windows Intel Indeo41 Codec IV41 movi Record Handling Overflow
|
|
Heap-based buffer overflow in the Intel Indeo41 codec for Windows Media Player in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 allows remote attackers to execute arbitrary code via a large size value in a movi record in an IV41 stream in a media file, as demonstrated by an AVI file. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4309)
|
|
56915
|
2009-08-11
|
609 days |
Microsoft Office Web Components OWC10.Spreadsheet ActiveX BorderAround() Method Heap Corruption Arbitrary Code Execution
|
|
A heap-based buffer overflow exists in Microsoft Office Web Components. With a specially crafted web page, an attacker can cause code execution resulting in a loss of confidentiality and/or availability.
|
|
77086
|
2008-09-08
|
608 days |
Atlassian Confluence Username XSS
|
|
|
|
47265
|
2008-07-31
|
607 days |
Blue Coat K9 Web Protection Filter Service (k9filter.exe) Referer Header Handling Buffer Overflow
|
|
Blue Coat K9 Web Protection is prone to an overflow condition. The Filter Service (k9filter.exe) fails to properly sanitize user-supplied input in requests to the web-based K9 Web Protection Administration interface. With a specially crafted HTTP request containing an overly long "Referer" header, a context-dependent attacker can cause a stack-based buffer overflow and execute arbitrary code on a user's system.
|
|
69836
|
2010-12-10
|
604 days |
RealPlayer Multiple Products Audio Stream Multi-rate Data Remote Overflow
|
|
RealPlayer is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted multi-rate audio stream, a context-dependent attacker can potentially execute arbitrary code.
|
|
53734
|
2009-04-15
|
602 days |
Oracle Database Workspace Manager LT.ROLLBACKWORKSPACE SQL Injection
|
|
Oracle Database contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to Workspace Manager not properly sanitizing user-supplied input to the LT.ROLLBACKWORKSPACE procedure. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
|
47264
|
2008-07-31
|
601 days |
Blue Coat K9 Web Protection Filter Service (k9filter.exe) HTTP Version Response Handling Remote Overflows
|
|
Blue Coat K9 Web Protection is prone to overflow conditions. The Filter Service (k9filter.exe) fails to properly sanitize user-supplied input in HTTP responses from a centralized server, resulting in stack-based buffer overflows. With a specially crafted HTTP response containing overly long version information, a context-dependent attacker can execute arbitrary code on a user's system.
|
|
35505
|
2007-04-27
|
597 days |
VMware Workstation Shared Folders Feature Host System Arbitrary File Write
|
|
Directory traversal vulnerability in the Shared Folders feature for VMware Workstation before 5.5.4, when a folder is shared, allows users on the guest system to write to arbitrary files on the host system via the "Backdoor I/O Port" interface. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1744)
|
|
70058
|
2010-10-13
|
589 days |
Oracle Fusion Middleware BI Publisher Unspecified Response Splitting
|
|
Oracle Fusion Middleware contains a flaw related to the BI Publisher component. The component suffers from a response splitting vulnerability in the '/xmlpserver' script, with the vulnerable parameter '_xuil'. This may allow a remote attacker to conduct cross-site scripting attacks or to phish user credentials using a fake response from the server.
|
|
60437
|
2009-11-19
|
588 days |
PHP on Windows popen Invalid Mode Handling DoS
|
|
|
|
63316
|
2010-03-26
|
577 days |
Novell NetWare NWFTPD.nlm Multiple FTP Command Handling Overflow
|
|
Stack-based buffer overflow in NWFTPD.nlm before 5.10.01 in the FTP server in Novell NetWare 5.1 through 6.5 SP8 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long (1) MKD, (2) RMD, (3) RNFR, or (4) DELE command. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0625)
|
|
70056
|
2010-10-13
|
574 days |
Oracle Fusion Middleware BPEL Console BPELCONSOLE/DEFAULT/processLog.jsp processName Parameter XSS
|
|
The BPEL Console component in Oracle Fusion Middleware contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'processName' parameter upon submission to the BPELCONSOLE/DEFAULT/processLog.jsp script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
|
74931
|
2011-04-20
|
572 days |
Fail2ban Multiple Temporary File Symlink Arbitrary File Append
|
|
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-5023)
|
|
76001
|
2011-09-30
|
570 days |
Adobe Photoshop Elements Brush (ABR) File Handling Overflow
|
|
Adobe Photoshop Elements is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted ABR brush file, a context-dependent attacker can potentially execute arbitrary code.
|
|
76002
|
2011-09-30
|
570 days |
Adobe Photoshop Elements Gradient (GRD) File Handling Overflow
|
|
Adobe Photoshop Elements is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted GRD gradient file, a context-dependent attacker can potentially execute arbitrary code.
|
|
67982
|
2010-09-14
|
567 days |
Microsoft Outlook E-mail Content Parsing Remote Overflow
|
|
Microsoft Outlook contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to an integer underflow error when parsing certain content and can be exploited to cause a heap-based buffer overflow via, for example, a specially crafted e-mail message. It may allow execution of arbitrary code, but requires that Outlook is connected to an Exchange server with Online Mode.
|
|
54159
|
2009-04-28
|
567 days |
Symantec Multiple Products Intel Alert Originator Service (IAO.EXE) MsgSys.exe Process Overflow
|
|
Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Originator Service in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allow remote attackers to execute ... (Description provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1430)
|
|
91131
|
2013-03-05
|
566 days |
Disk Pool Manager Multiple dpm_*() Function SQL Injection
|
|
Disk Pool Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the program not properly sanitizing user-supplied input to multiple dpm_*() functions. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
|
28932
|
2008-05-09
|
558 days |
Tumbleweed Integrated Messaging Exchange (IME) Default Configuration Password Weakness
|
|
By default, the Tumbleweed IME Server places weak restrictions on the password complexity. User passwords are only required to be 7 characters long and contain a minimum of one number and one alphanumeric character. Any user passwords that meet but do not exceed these criteria would be more susceptible to brute force attacks.
|
|
28933
|
2008-05-09
|
558 days |
Tumbleweed Integrated Messaging Exchange (IME) Cookie Password Weak Encoding
|
|
The TW_AUTHENTICATE_SESSION cookie, for the IME application, contains the base64 value of the username and password. If an unauthenticated user checks the "Remember my password" checkbox on the login page, the authenticated user's username and password will be stored in the TW_AUTHENTICATE_SESSION cookie. This cookie is stored in the authenticated user's browser cache until the "Logout" button is clicked or until the cookie expires. The cookie's expiration time is approximately one month from the day the cookie was originally set. ...
|
|
28722
|
2008-05-09
|
558 days |
Tumbleweed Email Firewall (EMF) Administration Module statusView.do Multiple Parameter XSS
|
|
The Tumbleweed EMF administration module contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'sort' and 'lineId' variables upon submission to the /emfadmin/statusView.do action. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
|
28735
|
2008-05-09
|
558 days |
Tumbleweed Email Firewall (EMF) GET Request JSESSIONID Session ID Disclosure
|
|
When connecting to the EMF administrative interface, the system will set a JSESSIONID token for session management. If cookies are disabled or the cookie is deleted at any point, the system will begin transmitting the session token via GET request, potentially exposing the session token via the URL. Since the information is stored in the URL, if a page refers the administrator to a resource on a different machine, this information may show up in the logs on an untrusted ...
|
|
28736
|
2008-05-09
|
558 days |
Tumbleweed Email Firewall (EMF) JSESSIONID Session Fixation
|
|
When an initial connection is made to the Tumbleweed administrative web application, the system sets the JSESSIONID token prior to authentication and does not change it after successful authentication. By establishing a connection to the system in order to obtain a new session identifier, an attacker could use this in a crafted URL to potentially fixate an administrative session.
|
|
28737
|
2008-05-09
|
558 days |
Tumbleweed Email Firewall (EMF) Session Concurrency
|
|
Once a session is established and authentication credentials are supplied, the EMF will allow multiple users to connect using the same session identifier without having to re-authenticate. The EMF does not check to ensure the sessions originate from the same IP address. This session concurrency (aka session piggybacking) will last as long as the authenticated session is maintained. The session is only terminated, for all connections, when the logout function is initiated, regardless of which connection makes the request. When ...
|
|
28759
|
2008-05-09
|
553 days |
Tumbleweed Email Firewall (EMF) /emfadmin/logon.do Malformed password Variable Information Disclosure
|
|
The Tumbleweed Email Firewall (EMF) administrative interface login script (logon.do) fails to properly sanitize input to the 'password' variable. By supplying invalid characters such as "&{(.", "&[[{(" or "&{(]}", an attacker can force a servlet exception that will leak the underlying web server and version. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
|