- VU#807665: Washington Courts web site vulnerable to SQL injection and cross-site scripting
- VU#204055: Blackboard Transact database credentials disclosure
- VU#707943: Microsoft Windows based applications may insecurely load dynamic libraries
- VU#278785: DevonIT weak authentication and buffer overflow in /usr/bin/tm-console-bin
- VU#644319: Ghostscript Heap Corruption in TrueType bytecode interpreter
US-CERT publishes information on a wide variety of vulnerabilities. Descriptions of these vulnerabilities are available from this web page in a searchable database format, and are published as "US-CERT Vulnerability Notes". The notes are very similar to alerts, but they may have less complete information. In particular, solutions may not be available for all the vulnerabilities in this database.
Updated: 37 min ago
VU#807665: Washington Courts web site vulnerable to SQL injection and cross-site scripting
The Washington Courts web site(http://www.courts.wa.gov/)is vulnerable to SQL injection and cross-site scripting. An attacker could gain access to information stored on the site or manipulate the site's appearance to victims that browse to an attacker-supplied URL.
Categories: US-CERT
VU#204055: Blackboard Transact database credentials disclosure
The Blackboard Transact application contains two vulnerabilities that allow an unauthorized user to access the database credentials.
Categories: US-CERT
VU#707943: Microsoft Windows based applications may insecurely load dynamic libraries
Some applications for Microsoft Windows may use unsafe methods for determining how to load DLLs. As a result,these applications can be forced to load a DLL from an attacker-controlled source rather than a trusted location.
Categories: US-CERT
VU#278785: DevonIT weak authentication and buffer overflow in /usr/bin/tm-console-bin
The DevonIT management tool for thin clients uses a shared secret that is transmitted over the network in the clear. The/usr/bin/tm-console-bin application contains a buffer overflow,which may allow an attacker to execute arbitrary code.
Categories: US-CERT
VU#644319: Ghostscript Heap Corruption in TrueType bytecode interpreter
The TrueType bytecode interpreter which is a part of Ghostscript is prone to heap corruption.
Categories: US-CERT
VU#320233: Wyse ThinOS LPD service buffer overflow vulnerability
Wyse ThinOS HF 4.4.079i has a buffer overflow vulnerability in the LPD service(515/tcp).
Categories: US-CERT
VU#660993: Adobe Flash 10.1 ActionScript AVM1 ActionPush vulnerability
Adobe Flash contains a vulnerability in the handling of the ActionScript,AVM1 ActionPush command,which can allow a remote,unauthenticated attacker to execute arbitrary code.
Categories: US-CERT
VU#275247: FreeType 2 CFF font stack corruption vulnerability
FreeType 2 contains a vulnerability in the processing of CFF fonts,which may allow a remote,unauthenticated attacker to execute arbitrary code on a vulnerable system.
Categories: US-CERT
VU#174089: Oracle Siebel Option Pack for IE ActiveX control memory initialization vulnerability
The Oracle Siebel Option Pack for IE ActiveX control fails to properly initialize memory,which may allow a remote,unauthenticated attacker to execute arbitrary code on a vulnerable system.
Categories: US-CERT
VU#703189: Invensys Wonderware Archestra ConfigurationAccessComponent ActiveX control stack buffer overflow
The Invensys Wonderware Archestra ConfigurationAccessComponent ActiveX control contains a stack buffer overflow that could allow a remote attacker to execute arbitrary code on an affected system
Categories: US-CERT
VU#840249: Wind River Systems VxWorks weak default hashing algorithm in standard authentication API (loginLib)
The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password.
Categories: US-CERT
VU#362332: Wind River Systems VxWorks debug service enabled by default
Some products based on VxWorks have the WDB target agent debug service enabled by default. This service provides read/write access to the device's memory and allows functions to be called.
Categories: US-CERT
VU#940193: Microsoft Windows automatically executes code specified in shortcut files
Microsoft Windows automatically executes code specified in shortcut(LNK and PIF)files.
Categories: US-CERT
VU#541921: ISC DHCP server fails to handle zero-length client identifier
A vulnerability in ISC DHCP could allow a remote attacker to cause the DHCP server to exit,resulting in a denial of service.
Categories: US-CERT
VU#732671: Cisco Industrial Ethernet 3000 Series switches have hardcoded SNMP community strings
Cisco Industrial Ethernet 3000(IE 3000)Series switches running Cisco IOS Software releases 12.2(52)SE or 12.2(52)SE1,contain well-known,hard-coded read and write SNMP community strings. An remote attacker could take full control of a vulnerable device.
Categories: US-CERT
VU#643615: libpng fails to limit number of rows in header
Libpng contains a vulnerability in the way it handles images containing an extra row of image data beyond the height reported in the image header.
Categories: US-CERT
VU#173009: Snare Agent web interface cross-site request forgery vulnerabilities
The Snare Agent web interface is susceptible to cross-site request forgery attacks.
Categories: US-CERT
VU#251133: S2 NetBox allows unauthenticated HTTP access to node logs, backups, and employee photographs
S2 NetBox and related products do not adequately restrict access to node logs,backups,and employee photographs. A remote,unauthenticated attacker could use information obtained from a vulnerable system to aid in further attacks.
Categories: US-CERT
VU#221257: Symantec AppStream and Workspace Streaming vulnerable to arbitrary code download and execution
The Symantec AppStream and Workspace Streaming clients fail to properly validate downloads,which can allow a remote,unauthenticated attacker to download and execute arbitrary code on a vulnerable system.
Categories: US-CERT
VU#578319: Microsoft Windows Help and Support Center URI processing vulnerability
The Microsoft Windows Help and Support Center application fails to properly sanitize hcp://URIs,which can allow a remote,unauthenticated attacker to execute arbitrary commands.
Categories: US-CERT
