SB15-069: Vulnerability Summary for the Week of March 2, 2015

Original release date: March 10, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
clip-bucket — clipbucket SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) allows remote attackers to execute arbitrary SQL commands via the item parameter. 2015-02-27 7.5 CVE-2015-2102
EXPLOIT-DB
MISC
OSVDB
dns-sync_project — dns-sync The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function. 2015-02-27 10.0 CVE-2014-9682
CONFIRM
CONFIRM
MLIST
freebsd — freebsd Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10. 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory. 2015-02-27 7.8 CVE-2015-1414
FREEBSD
DEBIAN
iij — seil/b1 npppd in the PPP Access Concentrator (PPPAC) on SEIL SEIL/x86 Fuji routers 1.00 through 3.30, SEIL/X1 routers 3.50 through 4.70, SEIL/X2 routers 3.50 through 4.70, and SEIL/B1 routers 3.50 through 4.70 allows remote attackers to cause a denial of service (infinite loop and device hang) via a crafted SSTP packet. 2015-02-27 7.1 CVE-2015-0887
CONFIRM
JVNDB
JVN
kent-web — joyful_note KENT-WEB Joyful Note before 5.3 allows remote attackers to delete files or write to files, and consequently execute arbitrary code, via vectors involving an article. 2015-02-27 7.5 CVE-2015-0889
CONFIRM
JVNDB
JVN
ninjaforms — ninja_forms Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users. 2015-03-05 7.5 CVE-2014-9688
CONFIRM
photocati_media — photocrati SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter. 2015-03-05 7.5 CVE-2015-2216
MISC
symantec — netbackup_opscenter Symantec NetBackup OpsCenter 7.6.0.2 through 7.6.1 on Linux and UNIX allows remote attackers to execute arbitrary JavaScript code via unspecified vectors. 2015-03-05 10.0 CVE-2015-1483
CONFIRM
BID
web-dorado — spider_calendar SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php. 2015-03-03 7.5 CVE-2015-2196
EXPLOIT-DB

Back to top

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
beehive_forum — beehive_forum Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage_url, (2) pic_url, or (3) avatar_url parameter, which are not properly handled in an error message. 2015-03-03 4.3 CVE-2015-2198
EXPLOIT-DB
CONFIRM
bestwebsoft — captcha The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. 2015-03-03 5.0 CVE-2014-9283
CONFIRM
JVNDB
JVN
bestwebsoft — google_captcha The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. 2015-03-03 5.0 CVE-2015-0890
CONFIRM
JVNDB
JVN
canonical — ubuntu_linux The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction. 2015-03-02 4.7 CVE-2015-0239
CONFIRM
CONFIRM
UBUNTU
UBUNTU
UBUNTU
UBUNTU
MLIST
CONFIRM
MLIST
CONFIRM
checkpw_project — checkpw checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a — (dash dash) in a username. 2015-02-27 5.0 CVE-2015-0885
JVNDB
JVN
CONFIRM
CONFIRM
cisco — secure_access_control_system Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka Bug ID CSCuj83189. 2015-03-05 6.5 CVE-2014-2130
CISCO
cisco — ios The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693. 2015-03-05 6.8 CVE-2015-0598
CISCO
cisco — ios The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connection attempt with a blank password, aka Bug IDs CSCuo09400 and CSCun16016. 2015-03-05 4.3 CVE-2015-0607
SECTRACK
BID
CONFIRM
CISCO
cisco — unified_web_and_e-mail_interaction_manager Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184. 2015-02-27 4.3 CVE-2015-0655
CISCO
cisco — network_analysis_module_firmware Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269. 2015-03-03 4.3 CVE-2015-0656
CISCO
cisco — ios_xr Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192. 2015-03-05 5.0 CVE-2015-0657
CISCO
cisco — ios The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS allows remote attackers to trigger self-referential adjacencies via a crafted Autonomic Networking (AN) message, aka Bug ID CSCup62157. 2015-03-05 5.0 CVE-2015-0659
CISCO
cisco — ios_xr The SNMPv2 implementation in Cisco IOS XR allows remote authenticated users to cause a denial of service (snmpd daemon reload) via a malformed SNMP packet, aka Bug ID CSCur25858. 2015-03-05 4.0 CVE-2015-0661
CISCO
cosmoshop — cosmoshop Cross-site scripting (XSS) vulnerability in the admin-login panel (admin/index.cgi) in Cosmoshop allows remote attackers to inject arbitrary web script or HTML via the username field (u_name parameter). 2015-02-27 4.3 CVE-2015-2103
BUGTRAQ
MISC
dlguard — dlguard DLGuard 4.5 allows remote attackers to obtain the installation path via the c parameter to index.php. 2015-03-04 5.0 CVE-2015-2209
MISC
FULLDISC
ffmpeg — ffmpeg The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service (“invalid memory handler”) and possibly execute arbitrary code via a crafted video that triggers a use after free. 2015-02-27 6.8 CVE-2014-9676
MLIST
fortinet — fortimail Cross-site scripting (XSS) vulnerability in the Web Action Quarantine Release feature in the WebGUI in Fortinet FortiMail before 4.3.9, 5.0.x before 5.0.8, 5.1.x before 5.1.5, and 5.2.x before 5.2.3 allows remote attackers to inject arbitrary web script or HTML via the release parameter to module/releasecontrol. 2015-03-04 4.3 CVE-2014-8617
CONFIRM
FULLDISC
fusion_project — fusion Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for WordPress allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension in a fusion_save action, then accessing it via unspecified vectors. 2015-03-03 6.5 CVE-2015-2194
MISC
hp — xp7_global_link_manager_software Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before 7.6.1-06, and HP XP7 Global Link Manager Software (aka HGLM) 6.x through 8.x before 8.1.2-00, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-03-03 4.3 CVE-2014-7896
HP
ibm — notes_traveler_companion The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Window Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by conducting a phishing attack involving an encrypted e-mail message. 2015-03-01 4.3 CVE-2014-8921
CONFIRM
impliedbydesign — navigate Cross-site scripting (XSS) vulnerability in the Navigate bar in the Navigate module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-02-27 4.3 CVE-2015-2101
MISC
CONFIRM
CONFIRM
BID
kent-web — clip_board KENT-WEB Clip Board before 4.1 allows remote attackers to delete arbitrary files via unspecified vectors. 2015-02-27 6.4 CVE-2015-0888
CONFIRM
JVNDB
JVN
linux — linux_kernel net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers. 2015-03-02 5.0 CVE-2014-8160
CONFIRM
CONFIRM
UBUNTU
UBUNTU
UBUNTU
UBUNTU
MLIST
MLIST
CONFIRM
magic_hills — wonderplugin_audio_player Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) item[name] or (2) item[customcss] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or the itemid parameter in the (3) wonderplugin_audio_show_item or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php. 2015-03-05 4.3 CVE-2015-2218
MISC
EXPLOIT-DB
MISC
OSVDB
OSVDB
microsoft — windows_2003_server Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the “FREAK” issue. 2015-03-06 5.0 CVE-2015-1637
CONFIRM
mindrot — jbcrypt Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent. 2015-02-27 5.0 CVE-2015-0886
CONFIRM
CONFIRM
JVNDB
JVN
netcat — netcat NetCat 5.01 and earlier allows remote attackers to obtain the installation path via the redirect_url parameter to netshop/post.php. 2015-03-05 5.0 CVE-2015-2214
MISC
FULLDISC
MISC
ninjaforms — ninja_forms Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2) remote administrators to inject arbitrary web script or HTML via the fields[1] parameter to wp-admin/post.php. 2015-03-05 4.3 CVE-2015-2220
MISC
BUGTRAQ
MISC
sap — hana Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs or (2) xs/ide/editor/templates/trace/hanaTraceDetailService.xsjs, aka SAP Note 2069676. 2015-02-27 4.3 CVE-2015-2072
BID
BUGTRAQ
FULLDISC
MISC
sap — businessobjects_edge SAP BussinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396. 2015-02-27 5.0 CVE-2015-2075
BID
BUGTRAQ
FULLDISC
MISC
sap — businessobjects_edge The Auditing service in SAP BussinessObjects Edge 4.0 allows remote attackers to obtains sensitive information by reading an audit event, aka SAP Note 2011395. 2015-02-27 5.0 CVE-2015-2076
BID
BUGTRAQ
FULLDISC
MISC
services_single_sign-on_server_helper_project — services_single_sign-on_server_helper Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters. 2015-03-05 5.8 CVE-2015-2215
MISC
BID
sharelatex — sharelatex Common LaTeX Service Interface (CLSI) before 0.1.3, as used in ShareLaTeX before 0.1.3, allows remote authenticated users to execute arbitrary code via ` (backtick) characters in a filename. 2015-03-03 6.5 CVE-2015-0934
CERT-VN
tips_and_tricks_hq — all_in_one_wordpress_security_and_firewall SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 2015-03-06 6.0 CVE-2015-0894
CONFIRM
JVNDB
JVN
tisa — maroyaka_simple_board Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Simple Board allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-03-04 4.3 CVE-2015-0891
JVNDB
JVN
MISC
tisa — maroyaka_image_album Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Image Album allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-03-04 4.3 CVE-2015-0892
JVNDB
JVN
MISC
tisa — maroyaka_relay_novel Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Relay Novel allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-03-04 4.3 CVE-2015-0893
JVNDB
JVN
MISC
toshiba — bluetooth_stack Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character. 2015-02-27 6.9 CVE-2015-0884
CERT-VN
CONFIRM
CONFIRM
MISC
wonderplugin — audio_player Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow (1) remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or remote administrators to execute arbitrary SQL commands via the itemid parameter in the (2) wonderplugin_audio_show_item, (3) wonderplugin_audio_show_items, or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php. 2015-03-03 6.5 CVE-2015-2199
MISC
EXPLOIT-DB
MISC
OSVDB
OSVDB
wp_media_cleaner_project — wp_media_cleaner Multiple cross-site scripting (XSS) vulnerabilities in the WP Media Cleaner plugin 2.2.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) view, (2) paged, or (3) s parameter in the wp-media-cleaner page to wp-admin/upload.php. 2015-03-03 4.3 CVE-2015-2195
BUGTRAQ

Back to top

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
canonical — ubuntu_linux Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename. 2015-03-03 3.6 CVE-2014-9683
CONFIRM
CONFIRM
UBUNTU
UBUNTU
UBUNTU
UBUNTU
MLIST
CONFIRM
CONFIRM
entity_api_project — entity_api Cross-site scripting (XSS) vulnerability in the Entity API module before 7.x-1.6 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a field label in the Token API. 2015-03-03 3.5 CVE-2015-2197
MISC
CONFIRM
BID
linux — linux_kernel The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644. 2015-03-02 2.1 CVE-2013-7421
MISC
MLIST
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM
linux — linux_kernel The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421. 2015-03-02 2.1 CVE-2014-9644
MISC
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM
sharelatex — sharelatex Absolute path traversal vulnerability in ShareLaTeX 0.1.3 and earlier, when the paranoid openin_any setting is omitted, allows remote authenticated users to read arbitrary files via a include command. 2015-03-03 3.5 CVE-2015-0933
CERT-VN

Back to top


This product is provided subject to this Notification and this Privacy & Use policy.

Leave a Reply