Top Ten Web Application Vulnerabilities 2/22/2011 - 3/13/2011

1) Alcatel-Lucent OmniPCX Enterprise Remote Stack Buffer Overflow Vulnerability

 

Alcatel-Lucent OmniPCX Enterprise is susceptible to a remote stack buffer overflow because the application fails to properly perform boundary checks on user-supplied data. Successful exploitation would give an attacker the means to execute arbitrary code in context of the application, with failed attempts likely creating denial-of-service conditions. Fixes which resolve this vulnerability have been released. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/46640

 

2) Cisco Secure Desktop ActiveX Control Executable File Arbitrary File Download Vulnerability

 

Cisco Secure Desktop is susceptible to an arbitrary file download vulnerability that can give an attacker the means to download and save malicious files on the affected system, allowing for execution of arbitrary code in context of the current authenticated user.  A fix has not yet been released of this writing. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/46536

 

3) IBM WebSphere Application Server Multiple Security Vulnerabilities

 

IBM WebSphere Application Server versions prior to 7.0.0.15 is susceptible to multiple vulnerabilities including Cross-Site Scripting and security-bypass issues.  If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. The security bypass issues can be exploited to gain unauthorized access to sensitive information.  Updates which resolve these vulnerabilities are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/46736

 

4) IBM Lotus Sametime Server 'stcenter.nsf' Cross-Site Scripting Vulnerability

 

IBM Lotus Sametime Server is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. As of this writing a fix has not yet been released. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/46481

 

5) HP Power Manager Unspecified Cross-Site Scripting Vulnerability

 

HP Power Manager is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited.  Updates which resolve this vulnerability are available. Contact the vender for further details.

 

http://www.securityfocus.com/bid/46830

 

6) Kodak InSite Multiple Cross-Site Scripting Vulnerabilities

 

Kodack  InSite is susceptible to multiple instances of Cross-Site Scripting. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks.  As of this writing a fix has not yet been released. Contact the vendor for additional information. 

 

http://www.securityfocus.com/bid/46762

 

7) Alcatel-Lucent OmniVista 4760 Network Management System 'lang' Directory Traversal Vulnerability

 

Alcatel-Lucent OmniVista 4760 Network Management System is susceptible to a directory traversal vulnerability. Successful exploitation will give an attacker the ability to retrieve files arbitrary files from the affected system, likely leading to more damaging attacks. Fixes which resolve this issue have been released. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/46624

 

8) Red Hat Network Satellite Server Multiple Security Bypass Vulnerabilities

 

Red Hat Network Satellite Server is susceptible to multiple vulnerabilities including session fixation and brute-force password guessing attacks. Victims who are enticed into visiting a malicious URI can have their session hijacked and give an attacker unauthorized access to the application, while the brute-force password attack can be leveraged to gain unauthorized access. Updates which resolve these vulnerabilities are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/46528

 

9) WordPress cdnvote 'cdnvote-post.php' Multiple SQL Injection Vulnerabilities

 

WordPress is susceptible to multiple instances of SQL Injection. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database. As of this writing a fix has not yet been released. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/46483

 

10) Joomla!  Multiple Security Vulnerabilities

 

Joomla! versions prior to 1.6.1 is susceptible to multiple vulnerabilities including SQL Injection, Cross-Site Scripting, URI redirection, Cross-Site Request Forgery, information disclosure, and denial-of-service attacks.  Successful exploitation could give an attacker the means to steal cookie-based authentication credentials, redirect users to malicious sites, steal potentially sensitive information, deny service to legitimate users, access or modify backend database content, or perform other unauthorized actions.  A patch which resolves these vulnerabilities has been released. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/46787

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
About the Author


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation