Информационная безопасность
[RU] switch to English


Межсайтовый скриптинг в Microsoft Report Viewer
дополнено с 10 августа 2011 г.
Опубликовано:30 августа 2011 г.
Источник:
SecurityVulns ID:11844
Тип:клиент
Уровень опасности:
5/10
Описание:Межсайтовый скриптинг через ActiveX.
Затронутые продукты:MICROSOFT : Visual Studio 2005
 MICROSOFT : Report Viewer 2005
CVE:CVE-2011-1976 (Cross-site scripting (XSS) vulnerability in the Report Viewer Control in Microsoft Visual Studio 2005 SP1 and Report Viewer 2005 SP1 allows remote attackers to inject arbitrary web script or HTML via a parameter in a data source, aka "Report Viewer Controls XSS Vulnerability.")
Оригинальный текстdocumentinfo_(at)_gdssecurity.com, Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls (30.08.2011)
Файлы:Microsoft Security Bulletin MS11-067 - Important Vulnerability in Microsoft Report Viewer Could Allow Information Disclosure (2578230)

Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)
Опубликовано:30 августа 2011 г.
Источник:
SecurityVulns ID:11881
Тип:удаленная
Уровень опасности:
5/10
Описание:Инъекции PHP, инъекции SQL, обратный путь в каталогах, межсайтовый скриптинг, модификация файлов, утечка информации и т.д.
Затронутые продукты:JOOMLA : JCE Joomla Extension 2.0
 LIFESIZEROOM : LifeSize Room 3.5
 LIFESIZEROOM : LifeSize Room 4.7
 AXWAY : SecureTransport 4.8
 IBM : IBM Open Admin Tool 2.27
CVE:CVE-2011-2763 (The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) and 4.7.18 allows remote attackers to execute arbitrary commands via a modified request to the LSRoom_Remoting.doCommand function in gateway.php.)
 CVE-2011-2762 (The web interface on the LifeSize Room appliance LS_RM1_3.5.3 (11) allows remote attackers to bypass authentication via unspecified data associated with a "true" authentication status, related to AMF data and the LSRoom_Remoting.authenticate function in gateway.php.)
Оригинальный текстdocumentEhsan_Hp200_(at)_hotmail.com, webyuss (prodotto.php?id) (quadri.php?id) Remote SQL injection Vulnerability (30.08.2011)
 documentsk, XSS in IBM Open Admin Tool (30.08.2011)
 documentEhsan_Hp200_(at)_hotmail.com, bizConsulting (prodotto.php?id) Remote SQL injection Vulnerability (30.08.2011)
 documentJose Carlos de Arriba, [Foreground Security 2011-001]: Casper Suite (JSS 8.1) Cross-Site Scripting (30.08.2011)
 documentEhsan_Hp200_(at)_hotmail.com, phpWebSite (publisher) Remote SQL injection Vulnerability (30.08.2011)
 documentEhsan_Hp200_(at)_hotmail.com, Fabio Rispoli (prodotto.php?id) Remote SQL injection Vulnerability (30.08.2011)
 documentEhsan_Hp200_(at)_hotmail.com, Marketing & Development (prodotto.php?cat) Remote SQL injection Vulnerability (30.08.2011)
 documentEhsan_Hp200_(at)_hotmail.com, Datriks Solutions (prodotto.php?id) (dettaglio_socio.php?id) Remote SQL injection Vulnerability (30.08.2011)
 documentEhsan_Hp200_(at)_hotmail.com, Multimedia Creative (prodotto.php?id) Remote SQL injection Vulnerability (30.08.2011)
 documentddivulnalert_(at)_ddifrontline.com, DDIVRT-2011-32 Axway SecureTransport '/icons/' Directory Traversal (30.08.2011)
 documentsmcintyre_(at)_securestate.net, LifeSize Room Vulnerabilities (30.08.2011)
 documentadmin_(at)_bugreport.ir, JCE Joomla Extension <=2.0.10 Multiple Vulnerabilities (30.08.2011)

Утечка информации в Cisco Unified Communications Manager / Cisco Unified Presence Server
Опубликовано:30 августа 2011 г.
Источник:
SecurityVulns ID:11883
Тип:удаленная
Уровень опасности:
6/10
Описание:Утечка информации через OpenQuery.
Затронутые продукты:CISCO : Unified Communications Manager 8.5
 CISCO : Unified Presence Server 8.5
CVE:CVE-2011-1643 (Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x, 7.x before 7.1(5b)su4, 8.0, and 8.5 before 8.5(1)su2 and Cisco Unified Presence Server 6.x, 7.x, 8.0, and 8.5 before 8.5xnr allow remote attackers to read database data by connecting to a query interface through an SSL session, aka Bug IDs CSCti81574, CSCto63060, CSCto72183, and CSCto73833.)
Оригинальный текстdocumentCISCO, Cisco Security Advisory: Open Query Interface in Cisco Unified Communications Manager and Cisco Unified Presence Server (30.08.2011)

Выполнение кода в Pidgin
Опубликовано:30 августа 2011 г.
Источник:
SecurityVulns ID:11884
Тип:удаленная
Уровень опасности:
6/10
Описание:Возможно выполнение кода через URL file://
Затронутые продукты:PIDGIN : Pidgin 2.9
CVE:CVE-2011-3185 (gtkutils.c in Pidgin before 2.10.0 on Windows allows user-assisted remote attackers to execute arbitrary programs via a file: URL in a message.)
 CVE-2011-3184 (The msn_httpconn_parse_data function in httpconn.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.0 does not properly handle HTTP 100 responses, which allows remote attackers to cause a denial of service (incorrect memory access and application crash) via vectors involving a crafted server message.)
 CVE-2011-2943 (The irc_msg_who function in msgs.c in the IRC protocol plugin in libpurple 2.8.0 through 2.9.0 in Pidgin before 2.10.0 does not properly validate characters in nicknames, which allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted nickname that is not properly handled in a WHO response.)
Оригинальный текстdocumentInsomnia Security, Insomnia : ISVA-110822.1 - Pidgin IM Insecure URL Handling Remote Code Execution (30.08.2011)

Уязвимости безопасности в EMC RSA enVision
Опубликовано:30 августа 2011 г.
Источник:
SecurityVulns ID:11885
Тип:удаленная
Уровень опасности:
6/10
Описание:Утечка информации, несанкционированный доступ.
Затронутые продукты:EMC : RSA enVision 4
CVE:CVE-2011-2737 (RSA enVision 3.x and 4.x before 4 SP4 P3 allows remote attackers to read arbitrary files via unspecified vectors, related to an "arbitrary file retrieval vulnerability.")
 CVE-2011-2736 (RSA enVision 4.x before 4 SP4 P3 places cleartext administrative credentials in Task Escalation e-mail messages, which allows remote attackers to obtain sensitive information by sniffing the network or leveraging access to a recipient mailbox.)
Оригинальный текстdocumentEMC, ESA-2011-030: RSA, The Security Division of EMC, announces security fixes for RSA enVision (30.08.2011)

Утечка информации в NetSaro
Опубликовано:30 августа 2011 г.
Источник:
SecurityVulns ID:11886
Тип:удаленная
Уровень опасности:
5/10
Описание:Доступ к исходным кодам скриптов через административный веб-интерфейс.
Затронутые продукты:NETSARO : NetSaro Enterprise Messenger Server 2.0
Оригинальный текстdocumentrobkraus_(at)_soutionary.com, NetSaro Enterprise Messenger Server Administration Console Source Code Disclosure (30.08.2011)

DoS против ядра Linux
Опубликовано:30 августа 2011 г.
Источник:
SecurityVulns ID:11887
Тип:локальная
Уровень опасности:
4/10
Описание:Отказ при разборе файловой системы BeFS.
Затронутые продукты:LINUX : kernel 2.6
 LINUX : kernel 3.0
CVE:CVE-2011-2928 (The befs_follow_link function in fs/befs/linuxvfs.c in the Linux kernel before 3.1-rc3 does not validate the length attribute of long symlinks, which allows local users to cause a denial of service (incorrect pointer dereference and OOPS) by accessing a long symlink on a malformed Be filesystem.)
Оригинальный текстdocumentTimo Warns, [PRE-SA-2011-06] Linux kernel: ZERO_SIZE_PTR dereference for long symlinks in Be FS (30.08.2011)

Несанционированный доступ и утечка информации в Apache Tomcat
Опубликовано:30 августа 2011 г.
Источник:
SecurityVulns ID:11888
Тип:удаленная
Уровень опасности:
7/10
Описание:Часть содержимого сообщения AJP может быть воспринята как новое сообщение.
CVE:CVE-2011-3190 (Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.)
Оригинальный текстdocumentAPACHE, [SECURITY] CVE-2011-3190 Apache Tomcat Authentication bypass and information disclosure (30.08.2011)

DoS против Cisco Unified Communications Manager / Cisco Intercompany Media Engine Cisco TelePresence Codecs
дополнено с 30 августа 2011 г.
Опубликовано:20 сентября 2011 г.
Источник:
SecurityVulns ID:11882
Тип:удаленная
Уровень опасности:
6/10
Описание:Отказ при разборе пакета Service Advertisement Framework (SAF), отказ при разборе SIP, DoS через флуд соединениями.
Затронутые продукты:CISCO : Unified Communications Manager 6.1
 CISCO : Unified Communications Manager 7.0
 CISCO : Unified Communications Manager 8.5
 CISCO : Intercompany Media Engine 8.0
 CISCO : TelePresence C40
 CISCO : TelePresence C60
 CISCO : TelePresence C90
 CISCO : TelePresence E20
 CISCO : TelePresence EX60
 CISCO : TelePresence EX90
 CISCO : TelePresence 6000 MXP
 CISCO : TelePresence 9000 MXP
CVE:CVE-2011-2577 (Unspecified vulnerability in Cisco TelePresence C Series Endpoints, E/EX Personal Video units, and MXP Series Codecs, when using software versions before TC 4.0.0 or F9.1, allows remote attackers to cause a denial of service (crash) via a crafted SIP packet to port 5060 or 5061, aka Bug ID CSCtq46500.)
 CVE-2011-2564 (Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth19417.)
 CVE-2011-2563 (Unspecified vulnerability in the Service Advertisement Framework (SAF) in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 8.x before 8.5(1) and Cisco Intercompany Media Engine 8.x before 8.5(1) allows remote attackers to cause a denial of service (device reload) via crafted SAF packets, aka Bug ID CSCth26669.)
 CVE-2011-2562 (Unspecified vulnerability in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 6.x before 6.1(5)su2, 7.x before 7.1(5b)su3, 8.x before 8.0(3a)su1, and 8.5 before 8.5(1) allows remote attackers to cause a denial of service (service outage) via a SIP INVITE message, aka Bug ID CSCth43256.)
 CVE-2011-2561 (The SIP process in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 7.x before 7.1(5b)su4 and 8.x before 8.0(1) does not properly handle SDP data within a SIP call in certain situations related to use of the g729ar8 codec for a Media Termination Point (MTP), which allows remote attackers to cause a denial of service (service outage) via a crafted call, aka Bug ID CSCtc61990.)
 CVE-2011-2560 (The Packet Capture Service in Cisco Unified Communications Manager (aka CUCM, formerly CallManager) 4.x does not properly handle idle TCP connections, which allows remote attackers to cause a denial of service (memory consumption and restart) by making many connections, aka Bug ID CSCtf97162.)
 CVE-2011-2544 (Cross-site scripting (XSS) vulnerability in the web interface in Cisco TelePresence System MXP Series F9.1 and earlier allows remote authenticated users to inject arbitrary web script or HTML via a crafted Call ID, as demonstrated by resultant cross-site request forgery (CSRF) attacks that change passwords or cause a denial of service, aka Bug ID CSCtq46488.)
 CVE-2011-2543 (Buffer overflow in the cuil component in Cisco Telepresence System Integrator C Series 4.x before TC4.2.0 allows remote authenticated users to cause a denial of service (endpoint reboot or process crash) or possibly execute arbitrary code via a long location parameter to the getxml program, aka Bug ID CSCtq46496.)
Оригинальный текстdocumentlists_(at)_senseofsecurity.com, Cisco TelePresence Multiple Vulnerabilities - SOS-11-010 (20.09.2011)
 documentCISCO, Cisco Security Advisory: Denial of Service Vulnerability in Cisco TelePresence Codecs (05.09.2011)
 documentCISCO, Cisco Security Advisory: Denial of Service Vulnerabilities in Cisco Intercompany Media Engine (30.08.2011)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород