This page presents a list of vulnerabilities with the longest "time to patch". This is calculated by looking at the vendor informed date and the vendor solution date. In short, once the vendor became aware of the vulnerability, how long did it take them to patch? This timeframe can be used to gauge the maturity of a vendor's security patch response time. Vendors with exceptionally long patch times should evaluate their procedures while customers should remind the vendors that security is important.
| ID |
Disc Date |
Time to Patch |
Title |
|
34395
|
2007-05-08
|
2280 days |
Microsoft Excel Filter Record Handling Remote Code Execution
|
|
A context-dependent memory corruption flaw exists in Excel. It fails to validate filter records resulting in memory corruption. With a specially crafted file, an attacker can cause arbitrary code execution resulting in a loss of integrity.
|
|
62740
|
2010-03-04
|
2225 days |
CA SiteMinder WebWorks Help wwhelp/wwhimpl/common/html/frameset.htm Unspecified Parameter XSS
|
|
Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable ...<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3731" target="_blank">CVE</a>)</span> :
|
|
33567
|
2004-06-17
|
1423 days |
XMB U2U Instant Messenger memcp.php recipient Field XSS
|
|
Cross-site scripting (XSS) vulnerability in memcp.php in XMB U2U Instant Messenger allows remote authenticated users to inject arbitrary web script or HTML via the recipient field.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0519" target="_blank">CVE</a>)</span> :
|
|
66388
|
2010-07-15
|
1416 days |
XMB Admin Password Manipulation CSRF
|
|
|
|
78670
|
2011-12-13
|
1352 days |
Oracle Java SE / Java for Business java:compiler Malformed .java Handling DoS
|
|
|
|
81500
|
2011-08-01
|
1308 days |
OpenSSH gss-serv.c ssh_gssapi_parse_ename Function Field Length Value Parsing Remote DoS
|
|
The ssh_gssapi_parse_ename function in gss-serv.c in OpenSSH 5.8 and earlier, when gssapi-with-mic authentication is enabled, allows remote authenticated users to cause a denial of service (memory consumption) via a large value in a certain length field. NOTE: there may be limited scenarios in which this issue is relevant.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-5000" target="_blank">CVE</a>)</span> :
|
|
68706
|
2010-10-18
|
1245 days |
IBM Informix Dynamic Server portmap.exe librpc.dll Crafted RPC Packet Remote Overflow
|
|
IBM Informix Dynamic Server is prone to an overflow condition. 'librpc.dll' in 'portmap.exe' fails to properly sanitize user-supplied input resulting in an integer overflow. With a specially crafted RPC packet with a crafted parameter size sent to TCP port 36890, a remote attacker can potentially execute arbitrary code.
|
|
32912
|
2007-01-17
|
1222 days |
Oracle Database XMLDB Unspecified XSS
|
|
Unspecified vulnerability in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and attack vectors related to XMLDB, aka DB06. NOTE: as of 20070123, Oracle has not disputed claims by a reliable researcher that DB06 is for multiple cross-site scripting (XSS) vulnerabilities.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0273" target="_blank">CVE</a>)</span> :
|
|
48328
|
2008-07-28
|
1221 days |
Apple iTunes Update Authenticity Verification Weakness
|
|
Apple iTunes before 10.5.1 does not properly verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a Trojan horse update, as demonstrated by evilgrade and DNS cache poisoning.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3434" target="_blank">CVE</a>)</span> :
|
|
61205
|
2009-12-17
|
1173 days |
HP Storage OpenView Data Protector Cell Manager _rm32.rm_getMem() Function Remote Overflow
|
|
Integer overflow in the _ncp32._NtrpTCPReceiveMsg function in rds.exe in the Cell Manager Database Service in the Application Recovery Manager component in HP OpenView Storage Data Protector 5.50 and 6.0 allows remote attackers to execute arbitrary code via a large value in the size parameter.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2281" target="_blank">CVE</a>)</span> :
|
|
61206
|
2009-12-16
|
1163 days |
HP Storage OpenView Data Protector Backup Client Service MSG_PROTOCOL Command Remote Overflow
|
|
Stack-based buffer overflow in OmniInet.exe (aka the backup client service daemon) in the Application Recovery Manager component in HP OpenView Storage Data Protector 5.50 and 6.0 allows remote attackers to execute arbitrary code via an MSG_PROTOCOL command with long arguments, a different vulnerability than CVE-2009-3844.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2280" target="_blank">CVE</a>)</span> :
|
|
64437
|
2010-05-05
|
1144 days |
HP Mercury LoadRunner Agent magentproc.exe Remote Arbitrary Code Execution
|
|
Unspecified vulnerability in the Agent in HP LoadRunner before 9.50 and HP Performance Center before 9.50 allows remote attackers to execute arbitrary code via unknown vectors.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1549" target="_blank">CVE</a>)</span> :
|
|
33130
|
2007-02-08
|
1072 days |
HP Network Node Manager (NNM) Remote Console Directory Permission Weakness Privilege Escalation
|
|
HP Network Node Manager (NNM) Remote Console 7.50, 7.51, and 7.53 assigns Everyone Full Control permission for the %PROGRAMFILES%\HP OpenView directory tree, which allows local users to gain privileges via a Trojan horse executable file or ActiveX component, or a modified bin\ovtrcsvc.exe for the HP Open View Shared Trace Service.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0819" target="_blank">CVE</a>)</span> :
|
|
71952
|
2011-04-19
|
1012 days |
Oracle Multiple Products Oracle Help help/topics/iastop_cs/iastop_cs_farm_page.html locale Parameter XSS
|
|
Multiple Oracle products contain a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'locale' parameter upon submission to the help/topics/iastop_cs/iastop_cs_farm_page.html page. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
|
71953
|
2011-04-19
|
1012 days |
Oracle Multiple Products Application Service Level Management /em/console/target/svclvl/slrule targetType Parameter SQL Injection
|
|
Unspecified vulnerability in the Application Service Level Management component in Oracle Database Server 11.1.0.7 and Enterprise Manager Grid Control allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Service Level Agreements.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0787" target="_blank">CVE</a>)</span> :
|
|
12368
|
2004-12-09
|
1011 days |
UseModWiki wiki.pl XSS
|
|
UseModWiki contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the user-submitted content upon submission to the 'wiki.pl' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
|
68705
|
2010-10-18
|
984 days |
IBM Informix Dynamic Server oninit.exe Logging Function Remote Overflow
|
|
IBM Informix Dynamic Server is prone to an overflow condition. An unspecified logging function in 'oninit.exe' fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted EXPLAIN directive, a remote attacker can potentially execute arbitrary code.
|
|
40401
|
2007-08-14
|
963 days |
IBM AIX cfgcon swcons -p Argument Symlink Local Privilege Escalation
|
|
cfgcon in IBM AIX 5.2 and 5.3 does not properly validate the argument to the "-p" option to swcons, which allows local users in the system group to create an arbitrary file, and enable world writability of this file, via a symlink attack involving use of the file's name as the argument. NOTE: this issue is due to an incomplete fix for CVE-2007-5804.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5805" target="_blank">CVE</a>)</span> :
|
|
81267
|
2012-04-17
|
914 days |
Oracle Database Server / Enterprise Manager Database Grid Control /em/console/ecm/config/compareWizard/compareWizFirstConfig fConfigGuid Parameter SQL Injection
|
|
Oracle Database Server and Oracle Enterprise Manager Grid Control contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /em/console/ecm/config/compareWizard/compareWizFirstConfig script not properly sanitizing user-supplied input to the 'fConfigGuid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
|
72558
|
2011-02-04
|
905 days |
IBM Lotus Domino IMAP/POP3 mail from Command Non-Printable Character Expansion Remote Code Execution
|
|
Multiple stack-based buffer overflows in the (1) POP3 and (2) IMAP services in IBM Lotus Domino allow remote attackers to execute arbitrary code via non-printable characters in an envelope sender address, aka SPR KLYH87LLVJ.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0919" target="_blank">CVE</a>)</span> :
|
|
72559
|
2011-02-04
|
905 days |
IBM Lotus Domino NRouter Service Calendar Request Attachment Name Parsing Remote Code Execution
|
|
Stack-based buffer overflow in the NRouter (aka Router) service in IBM Lotus Domino allows remote attackers to execute arbitrary code via long filenames associated with Content-ID and ATTACH:CID headers in attachments in malformed calendar-request e-mail messages, aka SPR KLYH87LKRE.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0918" target="_blank">CVE</a>)</span> :
|
|
72560
|
2011-02-04
|
905 days |
IBM Lotus Domino iCalendar nrouter.exe Meeting Request Content-Type Header Parsing Remote Code Execution
|
|
|
|
72561
|
2011-02-04
|
905 days |
IBM Lotus Domino SMTP Service Multiple Filename Arguments Remote Code Execution
|
|
|
|
66830
|
2010-08-03
|
895 days |
Citrix Multiple Product ICA Connection Graphics Packet Handling Remote Code Execution
|
|
Citrix Online Plug-in for Windows for XenApp & XenDesktop before 11.2, Citrix Online Plug-in for Mac for XenApp & XenDesktop before 11.0, Citrix ICA Client for Linux before 11.100, Citrix ICA Client for Solaris before 8.63, and Citrix Receiver for Windows Mobile before 11.5 allow remote attackers to execute arbitrary code via (1) a crafted HTML document, (2) a crafted .ICA file, or (3) a crafted type field in an ICA graphics packet, related to a "heap offset overflow" issue.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2990" target="_blank">CVE</a>)</span> :
|
|
70838
|
2011-02-07
|
890 days |
Novell eDirectory for Linux NCP FileSetLock Request Handling Remote DoS
|
|
Novell eDirectory for Linux contains a flaw that may allow a remote denial of service. The issue is triggered when an error in the NCP implementation is exploited via a crafted FileSetLock NCP request, and will result in a loss of availability.
|
|
22582
|
2006-01-17
|
877 days |
Oracle Application Server Reports Developer rwservlet customize Variable Arbitrary XML File Portion Disclosure
|
|
Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP04. NOTE: Oracle has not disputed reliable researcher claims that this issue is related to directory traversal that allows reading of portions of arbitrary XML files via the customize parameter.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0275" target="_blank">CVE</a>)</span> :
|
|
55806
|
2009-07-13
|
876 days |
Microsoft Office Web Components OWC10.Spreadsheet ActiveX msDataSourceObject() Method Memory Corruption
|
|
A memory corruption flaw exists in Office Web Components. The OWC10.Spreadsheet ActiveX control fails to validate calls to the msDataSourceObject method resulting in memory corruption. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.
|
|
56914
|
2009-08-11
|
866 days |
Microsoft Office Web Components OWC10 ActiveX Loading/Unloading Memory Allocation Arbitrary Code Execution
|
|
The Office Web Components ActiveX Control in Microsoft Office XP SP3, Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 SP1, and Office Small Business Accounting 2006 does not properly allocate memory, which allows remote attackers to execute arbitrary code via unspecified vectors that trigger "system state" corruption, aka "Office Web Components Memory Allocation Vulnerability."<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0562" target="_blank">CVE</a>)</span> :
|
|
27852
|
2006-08-08
|
834 days |
Microsoft IE Uninitialized COM Object Memory Corruption
|
|
Microsoft Internet Explorer contains a flaw that may allow a malicious user to execute code on a user's machine. The issue is triggered when user accesses a malicious web page that contains instructions to instantiate an activeX control. It is possible that the flaw may allow execute code resulting in a loss of integrity.
|
|
72714
|
2011-06-01
|
827 days |
Cisco AnyConnect Secure Mobility Client ActiveX IObjectSafety Headend Server Spoofing Remote Code Execution
|
|
The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.185 on Windows, and on Windows Mobile, downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a certain ActiveX control in vpnweb.ocx, aka Bug ID CSCsy00904.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2039" target="_blank">CVE</a>)</span> :
|
|
70599
|
2011-01-20
|
814 days |
Iconfidant SSL Server Key Exchange Client Master Key Packet Overflow
|
|
Iconfidant SSL Server is prone to an overflow condition. The key exchange functionality fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted client master key packet whose specific length field sums exceed 0x4000, a remote attacker can potentially execute arbitrary code.
|
|
61965
|
2010-01-19
|
804 days |
RealNetworks Multiple Products Invalid ASMRuleBook Structure Overflow
|
|
Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to execute arbitrary code via a file with invalid ASMRuleBook structures that trigger heap memory corruption.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4241" target="_blank">CVE</a>)</span> :
|
|
56435
|
2008-11-18
|
790 days |
WebKit WebCore xml/XMLHttpRequest.cpp Set-Cookie HTTP Response Header Restriction Weakness
|
|
xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-6059" target="_blank">CVE</a>)</span> :
|
|
68707
|
2010-10-18
|
783 days |
IBM Informix Dynamic Server DBINFO Keyword SQL Query Remote Overflow
|
|
IBM Informix Dynamic Server is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With specially crafted lengthy DBINFO keyword arguments in an SQL statement, a remote attacker can potentially execute arbitrary code.
|
|
61966
|
2010-01-19
|
770 days |
RealNetworks Multiple Products Crafted GIF File Chunk Size Overflow
|
|
Heap-based buffer overflow in the CGIFCodec::GetPacketBuffer function in datatype/image/gif/common/gifcodec.cpp in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via a GIF file with crafted chunk sizes that trigger improper memory allocation.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4242" target="_blank">CVE</a>)</span> :
|
|
14238
|
2005-02-25
|
757 days |
BadBlue ext.dll mfcisapicommand Parameter Remote Overflow
|
|
A REMOTE overflow exists in BadBlue http Server. The BadBlue http Server fails to validate the mfcisapicommand parameter resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.
|
|
65507
|
2010-03-01
|
753 days |
EMC Networker portmap.exe librpc.dll Authentication Functionality Multiple Overflows
|
|
Multiple buffer overflows in the authentication functionality in librpc.dll in the Informix Storage Manager (ISM) Portmapper service (aka portmap.exe), as used in IBM Informix Dynamic Server (IDS) 10.x before 10.00.TC9 and 11.x before 11.10.TC3, allow remote attackers to execute arbitrary code via a crafted parameter size.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2753" target="_blank">CVE</a>)</span> :
|
|
62783
|
2010-03-01
|
753 days |
IBM Informix Dynamic Server portmap.exe librpc.dll Authentication Functionality Multiple Overflows
|
|
Multiple buffer overflows in the authentication functionality in librpc.dll in the Informix Storage Manager (ISM) Portmapper service (aka portmap.exe), as used in IBM Informix Dynamic Server (IDS) 10.x before 10.00.TC9 and 11.x before 11.10.TC3, allow remote attackers to execute arbitrary code via a crafted parameter size.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2753" target="_blank">CVE</a>)</span> :
|
|
68040
|
2010-09-14
|
749 days |
IBM Lotus Domino nnotes.dll MailCheck821Address Function iCalendar Email Address ORGANIZER:mailto Header Remote Overflow
|
|
Stack-based buffer overflow in the MailCheck821Address function in nnotes.dll in the nrouter.exe service in the server in IBM Lotus Domino 8.0.x before 8.0.2 FP5 and 8.5.x before 8.5.1 FP2 allows remote attackers to execute arbitrary code via a long e-mail address in an ORGANIZER:mailto header in an iCalendar calendar-invitation e-mail message, aka SPR NRBY7ZPJ9V.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3407" target="_blank">CVE</a>)</span> :
|
|
61967
|
2010-01-21
|
741 days |
RealNetworks Multiple Products Crafted Media File HTTP Chunked Transfer Overflow
|
|
RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allow remote attackers to have an unspecified impact via a crafted media file that uses HTTP chunked transfer coding, related to an "overflow."<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4243" target="_blank">CVE</a>)</span> :
|
|
61972
|
2010-01-19
|
739 days |
RealNetworks Multiple Products CMediumBlockAllocator::Alloc Method Crafted RTSP SET_PARAMETER Handling Overflow
|
|
Buffer overflow in the RTSPProtocol::HandleSetParameterRequest function in client/core/rtspprotocol.cpp in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted RTSP SET_PARAMETER request.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4248" target="_blank">CVE</a>)</span> :
|
|
15537
|
2005-04-18
|
738 days |
PayProCart usrauthstamp.php IP Disclosure
|
|
PayProCart contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker uses a cross-site scripting style attack to include the usrauthstamp.php script, which will disclose arbitrary user's IP addresses resulting in a loss of confidentiality.
|
|
61973
|
2010-01-19
|
712 days |
RealNetworks Multiple Products smlrender.dll SMIL File Handling Overflow
|
|
Heap-based buffer overflow in datatype/smil/common/smlpkt.cpp in smlrender.dll in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10 and 11.0.0, and Helix Player 10.x and 11.0.0 allows remote attackers to execute arbitrary code via an SMIL file with crafted string lengths.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4257" target="_blank">CVE</a>)</span> :
|
|
56834
|
2009-08-06
|
692 days |
CA Multiple Products Data Transport Services Library (dtscore.dll) Token Searching Routine Remote Overflow
|
|
Stack-based buffer overflow in a token searching function in the dtscore library in Data Transport Services in CA Software Delivery r11.2 C1, C2, C3, and SP4; Unicenter Software Delivery 4.0 C3; CA Advantage Data Transport 3.0 C1; and CA IT Client Manager r12 allows remote attackers to execute arbitrary code via crafted data.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2026" target="_blank">CVE</a>)</span> :
|
|
59966
|
2009-11-10
|
689 days |
Cisco Linksys WAP4400N Association Request Unspecified Remote DoS
|
|
Multiple buffer overflows in the Marvell wireless driver, as used in Linksys WAP4400N Wi-Fi access point with firmware 1.2.17 on the Marvell 88W8361P-BEM1 chipset, and other products, allow remote 802.11-authenticated users to cause a denial of service (wireless access point crash) and possibly execute arbitrary code via an association request with long (1) rates, (2) extended rates, and unspecified other information elements.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5475" target="_blank">CVE</a>)</span> :
|
|
58865
|
2009-10-13
|
665 days |
Microsoft Multiple Products GDI+ TIFF Image Handling Overflow
|
|
Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web ...<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2502" target="_blank">CVE</a>)</span> :
|
|
57241
|
2007-10-04
|
657 days |
vtiger CRM include/utils/ListViewUtils.php Disabled Field Restriction Weakness
|
|
include/utils/ListViewUtils.php in vtiger CRM before 5.1.0 allows remote authenticated users to bypass intended access restrictions and read the (1) visibility, (2) location, and (3) recurrence fields of a calendar via a custom view.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3251" target="_blank">CVE</a>)</span> :
|
|
69845
|
2010-12-10
|
654 days |
RealPlayer Multiple Products RealMedia File MDPR Header Array Index Error Arbitrary Code Execution
|
|
A memory corruption flaw exists in RealPlayer. The program fails to sanitize user-supplied input containing a malformed Media Properties Header (MDPR) resulting in memory corruption. With a specially crafted MDPR in a RealMedia file, a context-dependent attacker can execute arbitrary code.
|
|
37923
|
2007-07-11
|
653 days |
SquirrelMail G/PGP (GPG) Plugin gpg_keyring.php deleteKey Function Arbitrary Command Execution
|
|
The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1924" target="_blank">CVE</a>)</span> :
|
|
37924
|
2007-07-11
|
653 days |
SquirrelMail G/PGP (GPG) Plugin gpg_key_functions.php gpg_recv_key Function Arbitrary Command Execution
|
|
The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1924" target="_blank">CVE</a>)</span> :
|
|
57243
|
2007-10-09
|
652 days |
vtiger CRM Unspecified Attachment / Report / Filter Manipulation
|
|
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via unspecified vectors.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3258" target="_blank">CVE</a>)</span> :
|
|
47397
|
2008-08-12
|
644 days |
Microsoft Office WPGIMP32.FLT Filter WordPerfect Graphics (WPG) File Handling Arbitrary Code Execution
|
|
WPGIMP32.FLT in Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack; and Works 8 does not properly parse the length of a WordPerfect Graphics (WPG) file, which allows remote attackers to execute arbitrary code via a crafted WPG file, aka the "WPG Image File Heap Corruption Vulnerability."<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3460" target="_blank">CVE</a>)</span> :
|
|
61968
|
2010-01-19
|
617 days |
RealNetworks Multiple Products SIPR Codec Field Handling Overflow
|
|
Heap-based buffer overflow in RealNetworks RealPlayer 10; RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741; RealPlayer 11 11.0.0 through 11.0.4; RealPlayer Enterprise; Mac RealPlayer 10, 10.1, and 11.0; Linux RealPlayer 10; and Helix Player 10.x allows remote attackers to execute arbitrary code via an SIPR codec field with a small length value that triggers incorrect memory allocation.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4244" target="_blank">CVE</a>)</span> :
|
|
61969
|
2010-01-19
|
616 days |
RealNetworks Multiple Products Compressed GIF File Handling Overflow
|
|
Heap-based buffer overflow in RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741, RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10 and 10.1, Linux RealPlayer 10, and Helix Player 10.x allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a compressed GIF file, related to gifcodec.cpp and gifimage.cpp.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4245" target="_blank">CVE</a>)</span> :
|
|
45367
|
2008-05-19
|
615 days |
CA Multiple Product caloggerd Log Daemon Traversal Arbitrary File Manipulation
|
|
Directory traversal vulnerability in caloggerd in CA BrightStor ARCServe Backup 11.0, 11.1, and 11.5 allows remote attackers to append arbitrary data to arbitrary files via directory traversal sequences in unspecified input fields, which are used in log messages. NOTE: this can be leveraged for code execution in many installation environments by writing to a startup file or configuration file.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2241" target="_blank">CVE</a>)</span> :
|
|
58866
|
2009-10-13
|
614 days |
Microsoft Multiple Products GDI+ TIFF Image Handling Memory Corruption Arbitrary Code Execution
|
|
GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Windows Server 2003 SP2, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression ...<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2503" target="_blank">CVE</a>)</span> :
|
|
60855
|
2009-12-08
|
610 days |
Microsoft Windows Intel Indeo41 Codec IV41 movi Record Handling Overflow
|
|
Heap-based buffer overflow in the Intel Indeo41 codec for Windows Media Player in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 allows remote attackers to execute arbitrary code via a large size value in a movi record in an IV41 stream in a media file, as demonstrated by an AVI file.<span style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4309" target="_blank">CVE</a>)</span> :
|
|
56915
|
2009-08-11
|
609 days |
Microsoft Office Web Components OWC10.Spreadsheet ActiveX BorderAround() Method Heap Corruption Arbitrary Code Execution
|
|
A heap based buffer overflow exists in Microsoft Office Web Components. With a specially crafted web page, an attacker can cause code execution resulting in a loss of confidentiality and/or availability.
|
|
77086
|
2008-09-08
|
608 days |
Atlassian Confluence Username XSS
|
|
|
|
69836
|
2010-12-10
|
604 days |
RealPlayer Multiple Products Audio Stream Multi-rate Data Remote Overflow
|
|
RealPlayer is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted multi-rate audio stream, a context-dependent attacker can potentially execute arbitrary code.
|
|
53734
|
2009-04-15
|
602 days |
Oracle Database Workspace Manager LT.ROLLBACKWORKSPACE SQL Injection
|
|
Oracle Database contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to Workspace Manager not properly sanitizing user-supplied input to the LT.ROLLBACKWORKSPACE procedure. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
|
35505
|
2007-04-27
|
597 days |
VMware Workstation Shared Folders Feature Host System Arbitrary File Write
|
|
Directory traversal vulnerability in the Shared Folders feature for VMware Workstation before 5.5.4, when a folder is shared, allows users on the guest system to write to arbitrary files on the host system via the "Backdoor I/O Port" interface. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1744)
|
|
70058
|
2010-10-13
|
589 days |
Oracle Fusion Middleware BI Publisher Unspecified Response Splitting
|
|
Oracle Fusion Middleware contains a flaw related to the BI Publisher component. The component suffers from a response splitting vulnerability in the '/xmlpserver' script, with the vulnerable parameter '_xuil'. This may allow a remote attacker to conduct cross-site scripting attacks or to phish user credentials using a fake response from the server.
|
|
60437
|
2009-11-19
|
588 days |
PHP on Windows popen Invalid Mode Handling DoS
|
|
|
|
63316
|
2010-03-26
|
577 days |
Novell NetWare NWFTPD.nlm Multiple FTP Command Handling Overflow
|
|
Stack-based buffer overflow in NWFTPD.nlm before 5.10.01 in the FTP server in Novell NetWare 5.1 through 6.5 SP8 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long (1) MKD, (2) RMD, (3) RNFR, or (4) DELE command. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0625)
|
|
70056
|
2010-10-13
|
574 days |
Oracle Fusion Middleware BPEL Console BPELCONSOLE/DEFAULT/processLog.jsp processName Parameter XSS
|
|
The BPEL Console component in Oracle Fusion Middleware contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'processName' parameter upon submission to the BPELCONSOLE/DEFAULT/processLog.jsp script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
|
74931
|
2011-04-20
|
572 days |
Fail2ban Multiple Temporary File Symlink Arbitrary File Append
|
|
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-5023)
|
|
76001
|
2011-09-30
|
570 days |
Adobe Photoshop Elements Brush (ABR) File Handling Overflow
|
|
Multiple buffer overflows in Adobe Photoshop Elements 8.0 and earlier allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted (1) .grd or (2) .abr file, a related issue to CVE-2010-1296. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2443)
|
|
76002
|
2011-09-30
|
570 days |
Adobe Photoshop Elements Gradient (GRD) File Handling Overflow
|
|
Multiple buffer overflows in Adobe Photoshop Elements 8.0 and earlier allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted (1) .grd or (2) .abr file, a related issue to CVE-2010-1296. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2443)
|
|
67982
|
2010-09-14
|
567 days |
Microsoft Outlook E-mail Content Parsing Remote Overflow
|
|
Microsoft Outlook contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to an integer underflow error when parsing certain content and can be exploited to cause a heap-based buffer overflow via e.g. a specially crafted e-mail message. It may allow execution of arbitrary code, but requires that Outlook is connected to an Exchange server with Online Mode.
|
|
54159
|
2009-04-28
|
567 days |
Symantec Multiple Products Intel Alert Originator Service (IAO.EXE) MsgSys.exe Process Overflow
|
|
Multiple stack-based buffer overflows in IAO.EXE in the Intel Alert Originator Service in Symantec Alert Management System 2 (AMS2), as used in Symantec System Center (SSS); Symantec AntiVirus Server; Symantec AntiVirus Central Quarantine Server; Symantec AntiVirus (SAV) Corporate Edition 9 before 9.0 MR7, 10.0 and 10.1 before 10.1 MR8, and 10.2 before 10.2 MR2; Symantec Client Security (SCS) 2 before 2.0 MR7 and 3 before 3.1 MR8; and Symantec Endpoint Protection (SEP) before 11.0 MR3, allow remote attackers to execute ... (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1430)
|
|
28932
|
2008-05-09
|
558 days |
Tumbleweed Integrated Messaging Exchange (IME) Default Configuration Password Weakness
|
|
By default, the Tumbleweed IME Server places weak restrictions on the password complexity. User passwords are only required to be 7 characters long and contain a minimum of one number and one alphanumeric character. Any user passwords that meet but do not exceed these criteria would be more susceptible to brute force attacks.
|
|
28933
|
2008-05-09
|
558 days |
Tumbleweed Integrated Messaging Exchange (IME) Cookie Password Weak Encoding
|
|
The TW_AUTHENTICATE_SESSION cookie, for the IME application, contains the base64 value of the username and password. If an unauthenticated user checks the "Remember my password" checkbox on the login page, the authenticated user's username and password will be stored in the TW_AUTHENTICATE_SESSION cookie. This cookie is stored in the authenticated user's browser cache until the "Logout" button is clicked or until the cookie expires. The cookie's expiration time is approximately one month from the day the cookie was originally set. ...
|
|
28722
|
2008-05-09
|
558 days |
Tumbleweed Email Firewall (EMF) Administration Module statusView.do Multiple Parameter XSS
|
|
Tumbleweed EMF administration module contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'sort' and 'lineId' variables upon submission to the /emfadmin/statusView.do action. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
|
28735
|
2008-05-09
|
558 days |
Tumbleweed Email Firewall (EMF) GET Request JSESSIONID Session ID Disclosure
|
|
When connecting to the EMF administrative interface, the system will set a JSESSIONID token for session management. If cookies are disabled or the cookie is deleted at any point, the system will begin transmitting the session token via GET request, potentially exposing the session token via the URL. Since the information is stored in the URL, if a page refers the administrator to a resource on a different machine, this information may show up in the logs on an untrusted ...
|
|
28736
|
2008-05-09
|
558 days |
Tumbleweed Email Firewall (EMF) JSESSIONID Session Fixation
|
|
When an initial connection is made to the Tumbleweed administrative web application, the system sets the JSESSIONID token prior to authentication and does not change it after successful authentication. By establishing a connection to the system in order to obtain a new session identifier, an attacker could use this in a crafted URL to potentially fixate an administrative session.
|
|
28737
|
2008-05-09
|
558 days |
Tumbleweed Email Firewall (EMF) Session Concurrency
|
|
Once a session is established and authentication credentials are supplied, the EMF will allow multiple users to connect using the same session identifier without having to re-authenticate. The EMF does not check to ensure the sessions originate from the same IP address. This session concurrency (aka session piggybacking) will last as long as the authenticated session is maintained. The session is only terminated, for all connections, when the logout function is initiated, regardless of which connection makes the request. When ...
|
|
28759
|
2008-05-09
|
553 days |
Tumbleweed Email Firewall (EMF) /emfadmin/logon.do Malformed password Variable Information Disclosure
|
|
The Tumbleweed Email Firewall (EMF) administrative interface login script (logon.do) fails to properly sanitize input to the 'password' variable. By supplying invalid characters such as "&{(.", "&[[{(" or "&{(]}", an attacker can force a servlet exception that will leak the underlying web server and version. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
|
|
51342
|
2009-01-14
|
550 days |
Oracle Secure Backup login.php rbtool Parameter Arbitrary Command Execution
|
|
Oracle Secure Backup contains a flaw that may allow an attacker to execute arbitrary commands. The issue is triggered when the exec_qr() function in the login.php script receives malformed data in the '$rbtool' parameter, which is later passed to the popen() function, resulting in arbitrary command execution.
|
|
58844
|
2009-10-13
|
545 days |
Microsoft Windows Media Player ASF Runtime Voice Sample Rate Handling Arbitrary Code Execution
|
|
Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager (ACM), does not properly process Advanced Systems Format (ASF) files, which allows remote attackers to execute arbitrary code via a crafted audio file that uses the Windows Media Speech codec, aka "Windows Media Runtime Voice Sample Rate Vulnerability." (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0555)
|
|
71614
|
2011-02-15
|
544 days |
Oracle Java SE / Java for Business Deployment Java Runtime WWW-Authenticate Request Remote NTLM Hash Disclosure
|
|
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Windows, Solaris, and Linux; 5.0 Update 27 and earlier for Windows; and 1.4.2_29 and earlier for Windows allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4466)
|
|
58869
|
2009-10-13
|
536 days |
Microsoft Office Malformed Object Handling Memory Corruption Arbitrary Code Execution
|
|
GDI+ in Microsoft Office XP SP3 does not properly handle malformed objects in Office Art Property Tables, which allows remote attackers to execute arbitrary code via a crafted Office document that triggers memory corruption, aka "Memory Corruption Vulnerability." (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2528)
|
|
69856
|
2010-12-10
|
533 days |
RealPlayer Multiple Products pnen3260.dll Module AAC File TIT2 Atom Overflow
|
|
RealPlayer is prone to an overflow condition. The pnen3260.dll module fails to properly parse the TIT2 atom within AAC files resulting in an integer overflow. With a specially crafted TIT2 atom within an AAC file, a context-dependent attacker can potentially execute arbitrary code.
|
|
69834
|
2010-12-10
|
533 days |
RealPlayer Multiple Products ICY SHOUTcast Stream StreamTitle Tag Use-after-free Arbitrary Code Execution
|
|
A memory corruption flaw exists in RealPlayer. An error in the processing of the "StreamTitle" tag in a SHOUTcast stream using the ICY protocol may be exploited to cause memory corruption. With a specially crafted StreamTitle tag in an ICY SHOUTcast stream, a context-dependent attacker can execute arbitrary code.
|
|
69837
|
2010-12-10
|
533 days |
RealPlayer Multiple Products RTSP Stream GIF87a File Screen Descriptor Header Remote Overflow
|
|
RealPlayer is prone to an overflow condition. The program fails to properly parse large Screen Width values in the Screen Descriptor headers of GIF87a files, resulting in a heap-based buffer overflow. With a specially crafted GIF87a file, a context-dependent attacker can potentially execute arbitrary code.
|
|
69838
|
2010-12-10
|
533 days |
RealPlayer Multiple Products Real Audio File Cook Codec Multiple Subbands Overflow
|
|
RealPlayer is prone to an overflow condition. The program fails to properly parse large numbers of subbands in cook audio codec information encapsulated in a Real Audio media file, resulting in a heap-based buffer overflow. With a specially crafted Real Audio file, a context-dependent attacker can potentially execute arbitrary code.
|
|
57242
|
2008-02-06
|
532 days |
vtiger CRM Account Billing / Shipping Address Overwrite
|
|
vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3257)
|
|
62612
|
2010-03-01
|
529 days |
IBM Lotus Domino Web Access ActiveX Unspecified Overflow
|
|
Stack-based buffer overflow in the Lotus Domino Web Access ActiveX control in IBM Lotus iNotes (aka Domino Web Access or DWA) 6.5, 7.0 before 7.0.4, 8.0, 8.0.2, and before 229.281 for Domino 8.0.2 FP4 allows remote attackers to execute arbitrary code via a long URL argument to an unspecified method, aka PRAD7JTNHJ. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0919)
|
|
63919
|
2010-04-15
|
528 days |
AgentX++ AgentX::receive_agentx() Function Remote Overflow
|
|
Stack-based buffer overflow in the AgentX::receive_agentx function in AgentX++ 1.4.16, as used in RealNetworks Helix Server and Helix Mobile Server 11.x through 13.x and other products, allows remote attackers to execute arbitrary code via unspecified vectors. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1318)
|
|
63920
|
2010-04-15
|
528 days |
AgentX++ AgentX::receive_agentx() Function Integer Overflow
|
|
Integer overflow in the AgentX::receive_agentx function in AgentX++ 1.4.16, as used in RealNetworks Helix Server and Helix Mobile Server 11.x through 13.x and other products, allows remote attackers to execute arbitrary code via a request with a crafted payload length. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1319)
|
|
76518
|
2011-10-18
|
526 days |
Oracle Database Vault DV_ACCTMGR CIPasswordChange API Password Manipulation
|
|
Unspecified vulnerability in the Database Vault component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, and 11.2.0.2 allows remote authenticated users to affect integrity and availability via unknown vectors related to Privileged Account. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3511)
|
|
76519
|
2011-10-18
|
526 days |
Oracle Database Vault SYSDBA CIPasswordChange API Password Manipulation
|
|
Unspecified vulnerability in the Database Vault component in Oracle Database Server 11.1.0.7 allows remote authenticated users to affect integrity and availability, related to SYSDBA. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2322)
|
|
53741
|
2009-04-15
|
525 days |
Oracle Application Server Oracle Process Manager and Notification (opmn) Daemon POST URI Handling Remote Format String
|
|
Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0993)
|
|
69806
|
2010-12-14
|
523 days |
Microsoft Office TIFF Image Converter Endian Conversion Buffer Overflow
|
|
Microsoft Office is prone to an overflow condition. The TIFF Import/Export Graphic Filter, after having encountered a specific error, fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted TIFF image, a context-dependent attacker can potentially execute arbitrary code.
|
|
69807
|
2010-12-14
|
523 days |
Microsoft Office Document Imaging Endian Conversion TIFF Image Handling Memory Corruption
|
|
A memory corruption flaw exists in Microsoft Office. The TIFF Import/Export Graphic Filter fails to sanitize user-supplied input when converting the endianness of certain data resulting in memory corruption. With a specially crafted TIFF image, a context-dependent attacker can execute arbitrary code.
|
|
69874
|
2010-09-30
|
520 days |
Novell eDirectory Server Malformed Index Handling Remote DoS
|
|
Novell eDirectory contains a flaw that may allow a remote denial of service. The issue is triggered when the NCP implementation handles a malformed request. It explicitly trusts a field while translating it to an index. If the index is too large, it will result in a loss of availability.
|
|
22304
|
2006-01-10
|
517 days |
Solaris uustat -S Parameter Local Overflow
|
|
Buffer overflow in uustat in Sun Solaris 8 and 9 allows local users to execute arbitrary code via a long -S command line argument. (Description Provided by CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0780)
|
|
56916
|
2009-08-11
|
512 days |
Microsoft Office Web Components HTMLURL Parameter ActiveX Spreadsheet Object Handling Overflow
|
|
Office Web Components is prone to an overflow condition. The ActiveX control fails to properly sanitize user-supplied input via the HTMLURL parameter resulting in a buffer overflow. With a specially crafted website, a context-dependent attacker can potentially cause arbitrary code execution.
|
|
29982
|
2008-05-09
|
509 days |
Tumbleweed Integrated Messaging Exchange (IME) TW_TxnAccDeliveryPageEntry.tpl tsi Variable Malformed Input DoS
|
|
Tumbleweed Integrated Messaging Exchange (IME) Server is prone to an input validation weakness that may allow a remote authenticated user to crash the IME Server as well as the Microsoft IIS server. Such an attack would require an administrator to restart the services as the watchdog IIS process is unable to gracefully restart the server. The /ime facility in Tumbleweed Integrated Messaging Exchange (IME) does not properly handle malformed input. The fprintf function in the TW_TxnAccDeliveryPageEntry.tpl script, as reached by ...
|
|
29983
|
2008-05-09
|
509 days |
Tumbleweed Integrated Messaging Exchange (IME) TW_TxnAccMaillistEditEntryStart.tpl lii Variable Malformed Input DoS
|
|
Tumbleweed Integrated Messaging Exchange (IME) Server is prone to an input validation weakness that may allow a remote authenticated user to crash the IME Server as well as the Microsoft IIS server. Such an attack would require an administrator to restart the services as the watchdog IIS process is unable to gracefully restart the server. The /ime facility in Tumbleweed Integrated Messaging Exchange (IME) does not properly handle malformed input. The fprintf function in the TW_TxnAccMaillistEditEntryStart.tpl script, as reached by ...
|