Brian Krebs’ website appears to be holding up, following what has been described as “one of the biggest web attacks ever seen”.
The post Krebs’ website remains online following massive DDoS attack appeared first on WeLiveSecurity.
Google’s long-rumored Android-Chrome hybrid operating system is expected to debut at the company’s upcoming hardware event on October 4.
The company has been working to merge the two OSes for roughly 3 years, with a release planned for 2017 but an “early version” to show off to the world in 2016.
Android + Chrome = Andromeda
The hybrid OS, currently nicknamed ‘
A command injection vulnerability exists in Realtek SDK. The vulnerability is due to lack of input sanitization on user-supplied data when processing the NewInternalClient requests to the miniigd SOAP service. By sending a crafted SOAP request to the affected service, a remote unauthenticated attacker can exploit this vulnerability to execute code with root privileges.
3DES is a widely supported stream cipher often preferred by TLS servers and other servers using encrypted sessions. Recent cryptanalysis results, one of which is SWEET32, exploit biases in the 3DES keystream to recover repeatedly encrypted plaintexts. As a result, 3DES can no longer be seen as providing a sufficient level of security for encrypted sessions.
A mail phishing attack has been reported, attempting to obtain the victim’s PayPal credentials. The attacker uses embedded redirection links in order to gain the victim’s account information.
A SQL injection vulnerability has been reported in Trend Micro Control Manager. The vulnerability is due to lack of validation on two parameters in the AdHocQuery_Processor.aspx script. A remote, authenticated attacker could exploit this vulnerability by sending a malicious HTTP request to the target system. Successful exploitation could lead to arbitrary code execution in the security context of the user.
A cross-site scripting vulnerability exists in the Filter API component of Mantis Bug Tracker. The vulnerability is due to insufficient input validation on the view_type parameter in view_all_bug_page.php. A remote attacker could exploit this vulnerability by enticing authenticated users to click on a crafted link. Successful exploitation could allow the attacker to execute malicious script code in the context of the victim’s browser.
When window.location.toString() is called, or when window.location is compared (which calls toString), an attacker can return arbitrary values. By overriding window.location.toString, an attacker can make the applet believe that it is embedded inside the hosting page. Hence, an attacker can call any method that the SWF exposes to same-domain JavaScript.
A vulnerability has been reported in Microsoft Works 7 and Microsoft Office 2003 and 2007. The vulnerability is due to a boundary error while handling an overly large argument. A remote attacker can exploit this issue by enticing a target victim to open a specially crafted web page that would pass the large crafted argument to the vulnerable method.
The vulnerability is due to improper parsing of XML Address Name attribute of LeviStudio project files. A remote attacker could exploit this vulnerability by enticing a user to open a crafted project. Successful exploitation could allow the attacker to execute arbitrary code under the security context of the user process.