Today's NIST CVE Issuances For Vulnerabilities In AgileBits 1Password, Cisco Unified IP Phone 7900 series devices (aka TNP phones) with software, SimpleInvoices, Apache HTTP Server, Open Constructor And IBM Security AppScan Enterprise | BOT24

Click on the underlined CVE for additional vulnerability-specific information.


CVE-2012-6369
Summary: Cross-site scripting (XSS) vulnerability in the Troubleshooting Reporting System feature in AgileBits 1Password 3.9.9 might allow remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header that is not properly handled in a View Troubleshooting Report action.
Published: 12/28/2012
CVE-2012-5445
Summary: The kernel in Cisco Native Unix (CNU) on Cisco Unified IP Phone 7900 series devices (aka TNP phones) with software before 9.3.1-ES10 does not properly validate unspecified system calls, which allows attackers to execute arbitrary code or cause a denial of service (memory overwrite) via a crafted binary.
Published: 12/28/2012
CVSS Severity: 10.0 (HIGH)
CVE-2012-4932
Summary: Multiple cross-site scripting (XSS) vulnerabilities in SimpleInvoices before stable-2012-1-CIS3000 allow remote attackers to inject arbitrary web script or HTML via (1) the having parameter in a manage action to index.php; (2) the Email field in an Add User action; (3) the Customer Name field in an Add Customer action; the (4) Street address, (5) Street address 2, (6) City, (7) Zip code, (8) State, (9) Country, (10) Mobile Phone, (11) Phone, (12) Fax, (13) Email, (14) PayPal business name, (15) PayPal notify url, (16) PayPal return url, (17) Eway customer ID, (18) Custom field 1, (19) Custom field 2, (20) Custom field 3, or (21) Custom field 4 field in an Add Biller action; (22) the Customer field in an Add Invoice action; the (23) Invoice or (24) Notes field in a Process Payment action; (25) the Payment type description field in a Payment Types action; (26) the Description field in an Invoice Preferences action; (27) the Description field in a Manage Products action; or (28) the Description field in a Tax Rates action.
Published: 12/28/2012
CVSS Severity: 4.3 (MEDIUM)
CVE-2012-4528
Summary: The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data.
Published: 12/28/2012
CVSS Severity: 5.0 (MEDIUM)
CVE-2012-3873
Summary: Multiple SQL injection vulnerabilities in Open Constructor 3.12.0 allow remote authenticated users to execute arbitrary SQL commands via the id parameter to (1) data/gallery/edit.php, (2) data/guestbook/edit.php, (3) data/file/edit.php, (4) data/htmltext/edit.php, (5) data/publication/edit.php, or (6) data/event/edit.php.
Published: 12/28/2012
CVSS Severity: 6.5 (MEDIUM)
CVE-2012-3872
Summary: Multiple cross-site scripting (XSS) vulnerabilities in Open Constructor 3.12.0 allow remote attackers to inject arbitrary web script or HTML via (1) the result parameter to data/file/edit.php, (2) the q parameter to confirm.php, or (3) the keyword parameter to users/users.php.
Published: 12/28/2012
CVSS Severity: 4.3 (MEDIUM)
CVE-2012-3871
Summary: Cross-site scripting (XSS) vulnerability in data/hybrid/i_hybrid.php in Open Constructor 3.12.0 allows remote authenticated users to inject arbitrary web script or HTML via the header parameter.
Published: 12/28/2012
CVSS Severity: 3.5 (LOW)
CVE-2012-3870
Summary: Multiple cross-site scripting (XSS) vulnerabilities in objects/createobject.php in Open Constructor 3.12.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) name or (2) description parameter.
Published: 12/28/2012
CVSS Severity: 3.5 (LOW)
CVE-2012-0741
Summary: IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tester before 8.5.0.3 do not validate X.509 certificates during use of the Manual Explore Proxy feature, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary certificate.
Published: 12/28/2012
CVSS Severity: 5.8 (MEDIUM)
CVE-2012-0738
Summary: IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tester before 8.5.0.3 do not validate X.509 certificates during scanning, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary certificate.
Published: 12/28/2012
CVSS Severity: 5.8 (MEDIUM)
About Bradley Susser