The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

vulnerability note CVE-2012-4201 CVE-2012-4202 CVE-2012-4207

Thunderbird 10: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Thunderbird can be used by an attacker to execute code on victim's computer.
Impacted products: Debian, Thunderbird, openSUSE, RHEL.
Severity: 4/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 21/11/2012.
Identifiers: BID-56607, BID-56611, BID-56612, BID-56614, BID-56618, BID-56628, BID-56629, BID-56630, BID-56631, BID-56632, BID-56633, BID-56634, BID-56635, BID-56636, BID-56637, BID-56638, BID-56639, BID-56640, BID-56641, BID-56642, BID-56643, BID-56644, CERTA-2012-AVI-681, CVE-2012-4201, CVE-2012-4202, CVE-2012-4207, CVE-2012-4209, CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838, CVE-2012-5839, CVE-2012-5840, CVE-2012-5841, CVE-2012-5842, CVE-2012-5843, DSA-2588-1, MFSA 2012-100, MFSA 2012-101, MFSA 2012-103, MFSA 2012-105, MFSA 2012-106, MFSA 2012-91, MFSA 2012-92, MFSA 2012-93, openSUSE-SU-2012:1586-1, RHSA-2012:1483-01, VIGILANCE-VUL-12174.

Description of the vulnerability

Several vulnerabilities were announced in Thunderbird.

An attacker can generate several memory corruptions, in order to execute code. [severity:4/4; BID-56611, BID-56612, CVE-2012-5842, CVE-2012-5843, MFSA 2012-91]

An attacker can use a malicious GIF image, in order to generate a buffer overflow, leading to code execution. [severity:4/4; BID-56614, CVE-2012-4202, MFSA 2012-92]

An attacker can use the evalInSandbox() function, in order to obtain the contents of a file. [severity:3/4; BID-56618, CVE-2012-4201, MFSA 2012-93]

An attacker can wait before changing an object, in order to create a Cross Site Scripting. [severity:3/4; BID-56631, CVE-2012-5841, MFSA 2012-100]

An attacker can generate a Cross Site Scripting in pages encoded with the HZ-GB-2312 charset. [severity:2/4; BID-56632, CVE-2012-4207, MFSA 2012-101]

An attacker can use "top.location" and a plugin, in order to generate a Cross Site Scripting. [severity:3/4; BID-56629, CVE-2012-4209, MFSA 2012-103]

An attacker can use several vulnerabilities of the Address Sanitizer, in order to execute code. [severity:4/4; BID-56628, BID-56630, BID-56633, BID-56634, BID-56635, BID-56636, BID-56637, BID-56638, BID-56639, BID-56640, CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829, CVE-2012-5839, CVE-2012-5840, MFSA 2012-105]

An attacker can use several vulnerabilities of the Address Sanitizer, in order to execute code. [severity:4/4; BID-56641, BID-56642, BID-56643, BID-56644, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838, MFSA 2012-106]
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2012-4201 CVE-2012-4202 CVE-2012-4203

Firefox 11-16: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox can be used by an attacker to execute code on victim's computer.
Impacted products: Fedora, Firefox, openSUSE, Slackware.
Severity: 4/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 15.
Creation date: 21/11/2012.
Identifiers: BID-56607, BID-56611, BID-56612, BID-56613, BID-56614, BID-56616, BID-56618, BID-56621, BID-56623, BID-56625, BID-56627, BID-56628, BID-56629, BID-56630, BID-56631, BID-56632, BID-56633, BID-56634, BID-56635, BID-56636, BID-56637, BID-56638, BID-56639, BID-56640, BID-56641, BID-56642, BID-56643, BID-56644, BID-56646, CERTA-2012-AVI-682, CVE-2012-4201, CVE-2012-4202, CVE-2012-4203, CVE-2012-4204, CVE-2012-4205, CVE-2012-4206, CVE-2012-4207, CVE-2012-4208, CVE-2012-4209, CVE-2012-4210, CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5836, CVE-2012-5838, CVE-2012-5839, CVE-2012-5840, CVE-2012-5841, CVE-2012-5842, CVE-2012-5843, FEDORA-2012-18661, FEDORA-2012-18683, MFSA 2012-100, MFSA 2012-101, MFSA 2012-103, MFSA 2012-104, MFSA 2012-105, MFSA 2012-106, MFSA 2012-91, MFSA 2012-92, MFSA 2012-93, MFSA 2012-94, MFSA 2012-95, MFSA 2012-96, MFSA 2012-97, MFSA 2012-98, MFSA 2012-99, openSUSE-SU-2012:1583-1, openSUSE-SU-2012:1586-1, openSUSE-SU-2013:0131-1, openSUSE-SU-2013:0149-1, openSUSE-SU-2013:0175-1, openSUSE-SU-2014:1100-1, SSA:2012-326-02, VIGILANCE-VUL-12173.

Description of the vulnerability

Several vulnerabilities were announced in Firefox.

An attacker can generate several memory corruptions, in order to execute code. [severity:4/4; BID-56611, BID-56612, CVE-2012-5842, CVE-2012-5843, MFSA 2012-91]

An attacker can use a malicious GIF image, in order to generate a buffer overflow, leading to code execution. [severity:4/4; BID-56614, CVE-2012-4202, MFSA 2012-92]

An attacker can use the evalInSandbox() function, in order to obtain the contents of a file. [severity:3/4; BID-56618, CVE-2012-4201, MFSA 2012-93]

An attacker can use a SVG text, and CSS properties, in order to corrupt the memory. [severity:4/4; BID-56616, CVE-2012-5836, MFSA 2012-94]

An attacker can use a "javascript:" url in a new tab, in order to execute code. [severity:2/4; BID-56623, CVE-2012-4203, MFSA 2012-95]

An attacker can generate a memory corruption in str_unescape(), in order to execute code. [severity:3/4; BID-56613, CVE-2012-4204, MFSA 2012-96]

An attacker can use a XMLHttpRequest object from the sandbox, in order to obtain information. [severity:3/4; BID-56621, CVE-2012-4205, MFSA 2012-97]

An attacker can invite the victim to load Firefox from a directory containing a malicious DLL, in order to execute code. [severity:3/4; BID-56625, CVE-2012-4206, MFSA 2012-98]

An attacker can use XrayWrappers, in order to access to object properties. [severity:3/4; BID-56627, CVE-2012-4208, MFSA 2012-99]

An attacker can wait before changing an object, in order to create a Cross Site Scripting. [severity:3/4; BID-56631, CVE-2012-5841, MFSA 2012-100]

An attacker can generate a Cross Site Scripting in pages encoded with the HZ-GB-2312 charset. [severity:2/4; BID-56632, CVE-2012-4207, MFSA 2012-101]

An attacker can use "top.location" and a plugin, in order to generate a Cross Site Scripting. [severity:3/4; BID-56629, CVE-2012-4209, MFSA 2012-103]

An attacker can use Style Inspector, in order to inject HTML/CSS code. [severity:4/4; BID-56646, CVE-2012-4210, MFSA 2012-104]

An attacker can use several vulnerabilities of the Address Sanitizer, in order to execute code. [severity:4/4; BID-56628, BID-56630, BID-56633, BID-56634, BID-56635, BID-56636, BID-56637, BID-56638, BID-56639, BID-56640, CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829, CVE-2012-5839, CVE-2012-5840, MFSA 2012-105]

An attacker can use several vulnerabilities of the Address Sanitizer, in order to execute code. [severity:4/4; BID-56641, BID-56642, BID-56643, BID-56644, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838, MFSA 2012-106]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2012-4201 CVE-2012-4202 CVE-2012-4206

Firefox 10: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Firefox can be used by an attacker to execute code on victim's computer.
Impacted products: Debian, Firefox, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 4/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 10.
Creation date: 21/11/2012.
Identifiers: BID-56607, BID-56611, BID-56612, BID-56614, BID-56618, BID-56625, BID-56628, BID-56629, BID-56630, BID-56631, BID-56632, BID-56633, BID-56634, BID-56635, BID-56636, BID-56637, BID-56638, BID-56639, BID-56640, BID-56641, BID-56642, BID-56643, BID-56644, BID-56646, CERTA-2012-AVI-681, CVE-2012-4201, CVE-2012-4202, CVE-2012-4206, CVE-2012-4207, CVE-2012-4209, CVE-2012-4210, CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838, CVE-2012-5839, CVE-2012-5840, CVE-2012-5841, CVE-2012-5842, CVE-2012-5843, DSA-2583-1, MDVSA-2012:173, MFSA 2012-100, MFSA 2012-101, MFSA 2012-103, MFSA 2012-104, MFSA 2012-105, MFSA 2012-106, MFSA 2012-91, MFSA 2012-92, MFSA 2012-93, MFSA 2012-98, openSUSE-SU-2012:1586-1, openSUSE-SU-2014:1100-1, RHSA-2012:1482-01, SUSE-SU-2012:1592-1, VIGILANCE-VUL-12172.

Description of the vulnerability

Several vulnerabilities were announced in Firefox.

An attacker can generate several memory corruptions, in order to execute code. [severity:4/4; BID-56611, BID-56612, CVE-2012-5842, CVE-2012-5843, MFSA 2012-91]

An attacker can use a malicious GIF image, in order to generate a buffer overflow, leading to code execution. [severity:4/4; BID-56614, CVE-2012-4202, MFSA 2012-92]

An attacker can use the evalInSandbox() function, in order to obtain the contents of a file. [severity:3/4; BID-56618, CVE-2012-4201, MFSA 2012-93]

An attacker can invite the victim to load Firefox from a directory containing a malicious DLL, in order to execute code. [severity:3/4; BID-56625, CVE-2012-4206, MFSA 2012-98]

An attacker can wait before changing an object, in order to create a Cross Site Scripting. [severity:3/4; BID-56631, CVE-2012-5841, MFSA 2012-100]

An attacker can generate a Cross Site Scripting in pages encoded with the HZ-GB-2312 charset. [severity:2/4; BID-56632, CVE-2012-4207, MFSA 2012-101]

An attacker can use "top.location" and a plugin, in order to generate a Cross Site Scripting. [severity:3/4; BID-56629, CVE-2012-4209, MFSA 2012-103]

An attacker can use Style Inspector, in order to inject HTML/CSS code. [severity:4/4; BID-56646, CVE-2012-4210, MFSA 2012-104]

An attacker can use several vulnerabilities of the Address Sanitizer, in order to execute code. [severity:4/4; BID-56628, BID-56630, BID-56633, BID-56634, BID-56635, BID-56636, BID-56637, BID-56638, BID-56639, BID-56640, CVE-2012-4212, CVE-2012-4213, CVE-2012-4214, CVE-2012-4215, CVE-2012-4216, CVE-2012-4217, CVE-2012-4218, CVE-2012-5829, CVE-2012-5839, CVE-2012-5840, MFSA 2012-105]

An attacker can use several vulnerabilities of the Address Sanitizer, in order to execute code. [severity:4/4; BID-56641, BID-56642, BID-56643, BID-56644, CVE-2012-5830, CVE-2012-5833, CVE-2012-5835, CVE-2012-5838, MFSA 2012-106]
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2012-6468 CVE-2012-6469

Opera: two vulnerabilities

Synthesis of the vulnerability

An attacker can invite the victim to display a malicious site with Opera, in order to obtain information, or to execute code.
Impacted products: openSUSE, Opera.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 20/11/2012.
Identifiers: BID-56594, CERTA-2012-AVI-669, CVE-2012-6468, CVE-2012-6469, openSUSE-SU-2013:0148-1, VIGILANCE-VUL-12171.

Description of the vulnerability

Two vulnerabilities were announced in Opera.

The memory buffer reserved for HTTP response headers may overflow, which leads to code execution. [severity:3/4; CVE-2012-6468]

JavaScript code in an HTTP error page allows an attacker to check the existence of local paths. [severity:1/4; CVE-2012-6469]
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2012-4856

IBM Power 5 Systems: bypassing the IP filtering of Service Processor

Synthesis of the vulnerability

When an IBM Power 5 Systems server contains a Service Processor extension device, all IP addresses of which are dynamically assigned, an attacker can access to administration functions.
Impacted products: AIX.
Severity: 3/4.
Consequences: administrator access/rights.
Provenance: intranet client.
Creation date: 20/11/2012.
Identifiers: CVE-2012-4856, VIGILANCE-VUL-12170, VU#194604.

Description of the vulnerability

Service Processor is an extension device for IBM Power 5 Systems servers.

This device provides administration functions. Access to these functions is restricted by IP filtering. However, when all IP addresses of the extension device are assigned dynamically, for instance with DHCP, the IP filter is not enabled.

When an IBM Power 5 Systems server contains a Service Processor extension device, all IP addresses of which are dynamically assigned, an attacker can therefore access to administration functions.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note 12169

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Windows (platform) ~ not comprehensive, Java OpenJDK, Java Oracle, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: document.
Creation date: 19/11/2012.
Identifiers: SE-2012-01, VIGILANCE-VUL-12169.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK.

Some of these vulnerabilities are duplicates of VIGILANCE-VUL-12150 and VIGILANCE-VUL-12072, but the exact match is unknown.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin 12168

ArcGIS: information leak about database tables

Synthesis of the vulnerability

An attacker who causes a server side error, can get information about the database schema.
Impacted products: ArcGIS ArcView, ArcGIS for Desktop, ArcGIS for Server.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 16/11/2012.
Identifiers: NIM085361, VIGILANCE-VUL-12168.

Description of the vulnerability

ArcGIS uses a relational database.

An attacker who causes a server side error, can get information about the database schema.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2012-5526

Perl CGI.pm: HTTP header injection via header

Synthesis of the vulnerability

An attacker who controls an application based on the Perl CGI.pm module, can inject headers in HTTP responses.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, AIX, Mandriva Linux, openSUSE, Solaris, Perl Module ~ not comprehensive, RHEL.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet server.
Creation date: 16/11/2012.
Identifiers: BID-56562, CERTA-2013-AVI-387, CERTA-2013-AVI-543, CERTA-2013-AVI-590, CERTA-2013-AVI-593, CERTFR-2014-AVI-112, CERTFR-2014-AVI-244, CVE-2012-5526, DSA-2586-1, DSA-2587-1, FEDORA-2012-18318, FEDORA-2012-18330, FEDORA-2012-19282, IV43973, IV46765, K15867, MDVSA-2012:180, openSUSE-SU-2013:0497-1, openSUSE-SU-2013:0502-1, RHSA-2013:0685-01, SOL15867, VIGILANCE-VUL-12167.

Description of the vulnerability

The Perl module CGI.pm from the standard library facilitates the development of Web applications based on the CGI interface, which specifies the communication protocol between the application and the HTTP server.

The module defines a routine header(), which generates headers of HTTP responses. The header value should not include end of line characters. However, the routine header() does not reject values containing line ends for headers Set-Cookie and P3P, which leads to the injection of headers in the response from the HTTP server.

An attacker who controls an application based on the Perl CGI.pm module, can therefore inject headers in HTTP responses.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2012-5703

VMware ESX, ESXi: denial of service via vSphere API

Synthesis of the vulnerability

An unauthenticated attacker can send a malicious query to the API of VMware ESX or ESXi, in order to stop the management service.
Impacted products: ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 16/11/2012.
Identifiers: BID-56571, CERTA-2012-AVI-663, CVE-2012-5703, ESX410-201211001, ESX410-201211401-SG, ESX410-201211402-SG, ESX410-201211405-SG, ESX410-201211407-SG, ESXi410-201211001, ESXi410-201211401-SG, ESXi410-201211402-BG, VIGILANCE-VUL-12166, VMSA-2012-0016.

Description of the vulnerability

The VMware ESX and ESXi products use the vSphere API to be interfaced with various tools.

However, one API function does not check its parameters, so a fatal error occurs, and stops the daemon.

An unauthenticated attacker can therefore send a malicious query to the API of VMware ESX or ESXi, in order to stop the management service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2012-5565 CVE-2012-5567 CVE-2012-6640

Horde: three Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger three Cross Site Scripting in Horde components, in order to execute JavaScript code in the context of the web site.
Impacted products: openSUSE, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 15/11/2012.
Identifiers: BID-56541, BID-56666, CERTA-2012-AVI-660, CVE-2012-5565, CVE-2012-5567, CVE-2012-6640, openSUSE-SU-2012:1625-1, openSUSE-SU-2012:1626-1, openSUSE-SU-2013:0176-1, VIGILANCE-VUL-12165.

Description of the vulnerability

Three Cross Site Scripting were announced in Horde components.

An attacker can trigger a Cross Site Scripting in the portal. [severity:2/4; CVE-2012-5567]

An attacker can trigger a Cross Site Scripting by sending a message that includes a SVG file. [severity:2/4; CVE-2012-6640]

An attacker can trigger a Cross Site Scripting with the attachment feature. [severity:2/4; BID-56666, CVE-2012-5565]

An attacker can therefore trigger three Cross Site Scripting in Horde components, in order to execute JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

Previous page   Next page

Direct access to page 1 21 41 61 81 101 121 141 161 181 201 221 241 261 281 301 321 341 361 381 401 421 441 461 481 501 521 541 561 581 601 621 641 661 681 701 721 741 761 781 801 821 841 861 881 901 921 941 961 981 1001 1021 1041 1061 1081 1101 1121 1141 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1181 1201 1221 1241 1261 1281 1301 1321 1341 1361 1381 1401 1421 1441 1461 1481 1501 1521 1541 1561 1581 1601 1621 1641 1661 1681 1701 1721 1741 1761 1781 1801 1821 1841 1861 1881 1901 1921 1941 1961 1981 2001 2021 2041 2061 2081 2101 2121 2141 2161 2181 2201 2221 2241 2261 2281 2301 2321 2341 2361 2381 2401 2421 2441 2461 2481 2501 2521 2541 2561 2581 2601 2621 2641 2661 2681 2701 2721 2741 2761 2781 2801 2821 2841 2846