CVE-2009-3596
published 2009-10-08CVE-2009-3596: JoxTechnology Ajox Poll does not properly restrict access to admin/managepoll.php, which allows remote attackers to bypass authentication and gain…
PriorityP352high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
2.33%
81.4th percentile
JoxTechnology Ajox Poll does not properly restrict access to admin/managepoll.php, which allows remote attackers to bypass authentication and gain administrative access via a direct request.
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Bugzilla
CVE-2010-0277 pidgin MSN protocol plugin memory corruption
bugzilla·2010-01-11·CVSS 7.5
CVE-2010-0277 [HIGH] CVE-2010-0277 pidgin MSN protocol plugin memory corruption
CVE-2010-0277 pidgin MSN protocol plugin memory corruption
slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and
Adium 1.3.8 allows remote attackers to cause a denial of service
(memory corruption) or possibly have unspecified other impact via
unknown vectors, a different issue than CVE-2010-0013.
Reference: URL:http://www.openwall.com/lists/oss-security/2010/01/07/2
Reference: MISC:http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
Discussion:
http://pidgin.im/news/security/?id=43
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2010:0115 https://rhn.redhat.com/errata/RHSA-2010-0115.html
---
pidgin-2.6.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.
Bugzilla
CVE-2010-0013 pidgin/libpurple: MSN custom smiley request directory traversal file disclosure
bugzilla·2010-01-05·CVSS 7.5
CVE-2010-0013 [HIGH] CVE-2010-0013 pidgin/libpurple: MSN custom smiley request directory traversal file disclosure
CVE-2010-0013 pidgin/libpurple: MSN custom smiley request directory traversal file disclosure
On 26C3, Fabian Yamaguchi presented a directory traversal flaw in libpurple MSN protocol implementation. The flaw can be used by the remote attacker to download arbitrary file readable by the user running instant messenger using libpurple (such as pidgin) from the victim's computer via MSN emoticon / smiley download request. More details in Fabian's presentation:
http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
http://events.ccc.de/congress/2009/Fahrplan/attachments/1483_26c3_ipv4_fuckups.pdf
(slides 10-22)
Upstream fix:
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
which depends on the other two commits:
http://d.pidgin.im/viewmtn/revision/in
Bugzilla
CVE-2009-4377 wireshark: invalid pointer dereference in SMB/SMB2 dissectors
bugzilla·2009-12-22·CVSS 9.3
CVE-2009-4377 [CRITICAL] CVE-2009-4377 wireshark: invalid pointer dereference in SMB/SMB2 dissectors
CVE-2009-4377 wireshark: invalid pointer dereference in SMB/SMB2 dissectors
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4377 to
the following vulnerability:
Name: CVE-2009-4377
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4377
Assigned: 20091221
Reference: CONFIRM: http://www.wireshark.org/security/wnpa-sec-2009-09.html
Reference: CONFIRM: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4301
Reference: BID:37407
Reference: URL: http://www.securityfocus.com/bid/37407
Reference: OSVDB:61178
Reference: URL: http://osvdb.org/61178
Reference: SECTRACK:1023374
Reference: URL: http://www.securitytracker.com/id?1023374
Reference: SECUNIA:37842
Reference: URL: http://secunia.com/advisories/37842
Reference: VUPEN:ADV-2009-3596
Reference: URL: http://www.
2009-10-08
Published