stef-guest at alioth.debian.org
2007-May-16 20:35 UTC
[Secure-testing-commits] r5850 - data/CVE
Author: stef-guest Date: 2007-05-16 20:35:35 +0000 (Wed, 16 May 2007) New Revision: 5850 Modified: data/CVE/list Log: CVE-2007-1401: new php4 issue add some info about possible javascript hijacking vulns NFUs Modified: data/CVE/list ==================================================================--- data/CVE/list 2007-05-16 19:48:50 UTC (rev 5849) +++ data/CVE/list 2007-05-16 20:35:35 UTC (rev 5850) @@ -437,15 +437,34 @@ RESERVED CVE-2007-2385 (The Yahoo! UI framework exchanges data using JavaScript Object ...) TODO: check yui - TODO: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf + NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf + NOTE: This allows to steal data from affected websites. Therefore web applications should + NOTE: only be considered vunerabile if they process confidential data. + NOTE: The frameworks should be fixed in any case. CVE-2007-2384 (The Script.aculo.us framework exchanges data using JavaScript Object ...) TODO: check glpi knowledgeroot mt-daapd op-panel python-webhelpers qwik rails wordpress + NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf + NOTE: This allows to steal data from affected websites. Therefore web applications should + NOTE: only be considered vunerabile if they process confidential data. + NOTE: The frameworks should be fixed in any case. CVE-2007-2383 (The Prototype (prototypejs) framework exchanges data using JavaScript ...) TODO: check glpi hobix knowledgeroot libbio-ruby1.8 mt-daapd op-panel poker-web python-webhelpers qwik rails wordpress + NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf + NOTE: This allows to steal data from affected websites. Therefore web applications should + NOTE: only be considered vunerabile if they process confidential data. + NOTE: The frameworks should be fixed in any case. CVE-2007-2382 (The Moo.fx framework exchanges data using JavaScript Object Notation ...) - NOT-FOR-US: MochiKit framework + TODO: check + NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf + NOTE: This allows to steal data from affected websites. Therefore web applications should + NOTE: only be considered vunerabile if they process confidential data. + NOTE: The frameworks should be fixed in any case. CVE-2007-2381 (The MochiKit framework exchanges data using JavaScript Object Notation ...) TODO: check python-paste + NOTE: see http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf + NOTE: This allows to steal data from affected websites. Therefore web applications should + NOTE: only be considered vunerabile if they process confidential data. + NOTE: The frameworks should be fixed in any case. CVE-2007-2380 (The Microsoft Atlas framework exchanges data using JavaScript Object ...) NOT-FOR-US: Microsoft Atlas CVE-2007-2379 (The jQuery framework exchanges data using JavaScript Object Notation ...) @@ -2701,7 +2720,8 @@ CVE-2007-1402 (The Rediff Toolbar 2.0 ActiveX control in redifftoolbar.dll allows ...) NOT-FOR-US: Rediff Toolbar ActiveX control CVE-2007-1401 (Buffer overflow in the crack extension (CrackLib), as bundled with PHP ...) - TODO: check + - php4 <unfixed> + TODO: check php5 CVE-2007-1400 (Plash permits sandboxed processes to open /dev/tty, which allows local ...) NOT-FOR-US: Plash CVE-2007-1399 (Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP ...) @@ -5661,7 +5681,7 @@ CVE-2007-0324 (Multiple buffer overflows in the LizardTech DjVu Browser Plug-in ...) NOT-FOR-US: LizardTech DjVu Browser Plug-in CVE-2007-0323 (Buffer overflow in the SetLanguage function in Research In Motion ...) - TODO: check + NOT-FOR-US: Research In Motion (RIM) TeamOn Import Object ActiveX control CVE-2007-0322 RESERVED CVE-2007-0321 (Buffer overflow in the Update Service Agent ActiveX Control in ...) @@ -5903,9 +5923,9 @@ CVE-2007-0222 (Directory traversal vulnerability in the EmChartBean server side ...) NOT-FOR-US: Oracle Application Server CVE-2007-0221 (IMAP support in Microsoft Exchange Server 2000 SP3 allows remote ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2007-0220 (Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2007-0219 (Microsoft Internet Explorer 5.01, 6, and 7 uses certain COM objects ...) NOT-FOR-US: Microsoft CVE-2007-0218 @@ -5919,7 +5939,7 @@ CVE-2007-0214 (The HTML Help ActiveX control (Hhctrl.ocx) in Microsoft Windows 2000 ...) NOT-FOR-US: Microsoft CVE-2007-0213 (Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2007-0212 RESERVED CVE-2007-0211 (The hardware detection functionality in the Windows Shell in Microsoft ...) @@ -6504,7 +6524,7 @@ CVE-2007-0040 RESERVED CVE-2007-0039 (The Exchange Collaboration Data Objects (EXCDO) functionality in ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2007-0038 (Stack-based buffer overflow in the animated cursor code in Microsoft ...) NOT-FOR-US: Microsoft CVE-2007-0037