Top 10 Web Application Vulnerabilities November 2011

1) HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities

HP OpenView Network Node Manager is susceptible to multiple remote code execution vulnerabilities because of a lack of proper input validation on user-supplied data. Successful exploitation will give an attacker the means to execute arbitrary code with the privileges of the application user, possibly leading to a complete system compromise. Updates which resolve these vulnerabilities are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/50471

2) Cisco Small Business SRP500 Series Appliances Web Interface Remote Command Injection Vulnerability

Cisco Small Business SRP500 Series Appliances are susceptible to a remote command injection vulnerability. If successfully exploited, an attacker will be able to issue commands in the context of the root user, which may lead to a complete compromise of the appliance. Updates which resolve this issue are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50495

3) SAP Netweaver Multiple Security Vulnerabilities

SAP Netweaver is susceptible to multiple security vulnerabilities, including Cross-Site Request Forgery, Cross-Site Scripting, HTML Injection, Path Traversal, and Authentication Bypass. If exploited, these vulnerabilities could lead to the theft of confidential information and authentication credentials, execution of malicious scripts in the browsers of unsuspecting users, abuse of the trust a web application places in a user, or unintended access. Updates which resolve these issues are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/50680

4) Ruby on Rails Translate Helper Method Cross-Site Scripting Vulnerability

Ruby on Rails is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this issue are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/50722

5) IBM Rational Asset Manager Cross-Site Scripting Vulnerability

IBM Rational Asset Manager is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/50556

6) Oracle NoSQL 'log' Parameter Directory Traversal Vulnerability

Oracle NoSQL is susceptible to a Directory Traversal vulnerability. Successful exploitation would give an attacker the means to obtain arbitrary files in the context of the web server process. Information gained this way would likely lead to more damaging attacks. As of this writing, a fix has not been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50567

7) Apache Tomcat 'sort' and 'orderBy' Parameters Cross-Site Scripting Vulnerabilities

Apache Tomcat is susceptible to Cross-Site Scripting vulnerabilities. If these vulnerabilities are successfully exploited, arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/45015

8) GE Proficy Historian Web Administrator Cross-Site Scripting Vulnerability

The Historian Web Administrator component of Proficy Historian is susceptible to a Cross-Site Scripting vulnerability. If successfully exploited, Cross-Site Scripting can be used to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. As of this writing, a fix has not been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50473

9) Barracuda Link Balancer Multiple Cross-Site Scripting Vulnerabilities

Barracuda Link Balancer is susceptible to multiple instances of Cross-Site Scripting, which can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50554

10) Barracuda Message Archiver 'index.cgi' Multiple HTML Injection Vulnerabilities

Barracuda Message Archiver is susceptible to multiple HTML Injection vulnerabilities. HTML Injection is used to add content into a web server's response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in the context of the site, or simply alter how the site appears. Updates which resolve these issues are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/50535

Comments
Hp applications (anon) | 12-04-2011 01:18 AM

ok thanks for the information
