Adrian Pastor

**Name of the Vulnerable Software and Affected Versions** CUPS versions prior to 1.4.4 Mac OS X 10.5.8 Mac OS X 10.6 versions prior to 10.6.4 **Description** A cross-site request forgery (CSRF) issue exists in the web interface, allowing remote attackers to hijack the authentication of administrators for requests that change settings. **Recommendations** For CUPS versions prior to 1.4.4, update to version 1.4.4 or later to resolve the issue. For Mac OS X 10.5.8, consider upgrading to a newer version of Mac OS X that includes the fix. For Mac OS X 10.6 versions prior to 10.6.4, update to Mac OS X 10.6.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Cisco IOS versions 11.0 through 12.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the query string to the ping program or other aspects of the URI, due to an input sanitization error in the embedded HTTP server. This could enable an unauthenticated, remote attacker to execute arbitrary HTML and script code in the user's browser session by convincing a user to follow a malicious link. **Recommendations** For Cisco IOS versions 11.0 through 12.4, update to the latest software version that includes the fix for this issue. As a temporary workaround, consider disabling the embedded HTTP server when it is not in use to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Proxim Wireless Tsunami MP.11 2411 version 3.0.3 **Description** The issue allows remote attackers to easily obtain sensitive information or modify variables due to the default SNMP read/write community being set to public. **Recommendations** For version 3.0.3, change the default SNMP read/write community string from public to a secure string to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** SonicWALL SonicOS Enhanced versions prior to 4.0.1.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML into arbitrary web sites via a URL to a site that is blocked based on content filtering. This occurs because the content filtering system's block page does not properly handle the input, leading to a cross-site scripting (XSS) vulnerability. This can be used for "universal website hijacking." **Recommendations** For versions prior to 4.0.1.1, update to version 4.0.1.1 or later to resolve the issue.

Cross-site scripting (XSS) vulnerability in WebID/IISWebAgentIF.dll in RSA Authentication Agent 5.3.0.258, and other versions before 5.3.3.378, allows remote attackers to inject arbitrary web script or HTML via a URL-encoded postdata parameter. NOTE: this is different than CVE-2005-1118, but it might be the same as CVE-2008-1470.

**Name of the Vulnerable Software and Affected Versions** Plone CMS versions prior to 3.0.6 Plone CMS versions 3.0.5 and earlier **Description** The issue allows remote attackers to obtain administrative privileges by sniffing the network, as a base64 encoded form of the `username` and `password` is placed in the " ac" cookie for the admin account. **Recommendations** For Plone CMS versions prior to 3.0.6, update to version 3.0.6 or later to resolve the issue. For Plone CMS versions 3.0.5 and earlier, update to version 3.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin account until a patch is available. Avoid using the ` ac` cookie in the affected Plone CMS versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Plone CMS versions 3.x through 3.1.x **Description** The issue allows remote attackers to gain permanent access to an account by sniffing the network, due to the use of invariant data when calculating an HMAC-SHA1 value for an authentication cookie. This makes it easier for attackers to exploit the system. **Recommendations** For Plone CMS versions 3.x through 3.1.x, consider updating the authentication mechanism to use more secure and variable data when calculating the HMAC-SHA1 value for authentication cookies, to prevent remote attackers from gaining permanent access to accounts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plone CMS (affected versions not specified) **Description** The issue concerns the handling of user authentication states. Specifically, it does not record users' authentication states and implements the logout feature solely on the client side. This makes it easier for context-dependent attackers to reuse a logged-out session. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plone CMS versions 3.0.5 through 3.0.6 Plone CMS versions prior to 3.1 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to perform certain actions without the victim's consent. Specifically, attackers can (1) add arbitrary accounts via the "join form" page and (2) change the privileges of arbitrary groups via the "prefs groups overview" page. **Recommendations** For Plone CMS versions 3.0.5 and 3.0.6, update to version 3.1 or later to resolve the issue. For Plone CMS versions prior to 3.1, update to version 3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "join form" and "prefs groups overview" pages until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Plone CMS versions prior to 3 **Description** The issue allows remote attackers to obtain access by sniffing the network, as a base64 encoded form of the `username` and `password` is placed in the ` ac` cookie for all user accounts. **Recommendations** For versions prior to 3, consider disabling the use of the ` ac` cookie or restricting access to sensitive areas of the CMS until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** F5 FirePass 4100 SSL VPN versions 5.4.1 through 5.5.2 F5 FirePass 4100 SSL VPN versions 6.0 through 6.0.1 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the query string to specific API endpoints, such as "my.activation.php3" and "my.logon.php3", when pre-logon sequences are enabled. **Recommendations** For F5 FirePass 4100 SSL VPN versions 5.4.1 through 5.5.2, update to a version outside of this range to resolve the issue. For F5 FirePass 4100 SSL VPN versions 6.0 through 6.0.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the "my.activation.php3" and "my.logon.php3" endpoints until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Sun Java System Identity Manager versions 6.0 SP1 through 7.1 **Description** The issue allows remote attackers to inject frames from arbitrary web sites and conduct phishing attacks via the `helpUrl` parameter. This is related to the `/idm/help/index.jsp` endpoint. **Recommendations** For Sun Java System Identity Manager versions 6.0 SP1 through 7.1, consider restricting access to the `/idm/help/index.jsp` endpoint to minimize the risk of exploitation. Avoid using the `helpUrl` parameter in this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Sun Java System Identity Manager versions 6.0 SP1 through 7.1 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved via a URL in the `nextPage` parameter in the /idm/user/login.jsp endpoint. **Recommendations** For Sun Java System Identity Manager versions 6.0 SP1 through 7.1, consider restricting access to the /idm/user/login.jsp endpoint until a fix is available, and avoid using the `nextPage` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Absolute News Manager.NET version 5.1 **Description** The issue allows remote attackers to obtain sensitive information. This is achieved via a direct request to "getpath.aspx", which reveals the installation path in an error message. **Recommendations** For Absolute News Manager.NET version 5.1, consider restricting access to the "getpath.aspx" page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** F5 Firepass 4100 SSL VPN versions 5.4 through 5.5.2 F5 Firepass 4100 SSL VPN versions 6.0 through 6.0.1 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `backurl` parameter in the download plugin.php3 file. **Recommendations** For versions 5.4 through 5.5.2, avoid using the `backurl` parameter in the download plugin.php3 file until a fix is available. For versions 6.0 through 6.0.1, restrict access to the download plugin.php3 file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Thomson/Alcatel SpeedTouch 7G router versions 6.2.6.B and earlier Description: The issue allows remote attackers on an intranet to bypass authentication and gain administrative access. This can be achieved via vectors including a '/' (slash) character at the end of the PATH INFO to `cgi/b`. Additionally, remote attackers outside the intranet can exploit this by leveraging a separate CSRF vulnerability. Recommendations: For versions 6.2.6.B and earlier, as a temporary workaround, consider restricting access to the `cgi/b` endpoint to minimize the risk of exploitation. Avoid using the '/' character at the end of the PATH INFO to prevent bypassing authentication. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Thomson/Alcatel SpeedTouch 7G router versions 6.2.6.B and earlier Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Recommendations: For versions 6.2.6.B and earlier, update to a version later than 6.2.6.B to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Thomson/Alcatel SpeedTouch 7G router versions 6.2.6.B and earlier BT Home Hub version 6.2.6.B and earlier SpeedTouch 780 (affected versions not specified) Description: The issue allows remote attackers to perform actions as administrators via unspecified POST requests. This can be demonstrated by enabling an inbound remote-assistance HTTPS session on TCP port 51003. An authentication bypass can be leveraged to exploit this issue in the absence of an existing administrative session. Recommendations: For Thomson/Alcatel SpeedTouch 7G router versions 6.2.6.B and earlier, consider restricting access to administrative functions until a fix is available. For BT Home Hub version 6.2.6.B and earlier, restrict inbound remote-assistance HTTPS sessions on TCP port 51003 to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft ASP .NET Framework version 2.0.50727.42 **Description** The issue allows remote attackers to bypass request filtering, which can lead to cross-site scripting (XSS) attacks or cause a denial of service. This can be achieved by exploiting the improper handling of comment enclosures, for example, via an xss:expression STYLE attribute in a closing XSS HTML tag. **Recommendations** For Microsoft ASP .NET Framework version 2.0.50727.42, consider updating to a newer version that properly handles comment enclosures to prevent request filtering bypass and subsequent attacks. As a temporary workaround, restrict access to potentially vulnerable endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Centrality Communications (aka Aredfox) PA168 chipset and firmware versions 1.54 and earlier **Description** The issue concerns the admin web console, which does not require passwords or authentication tokens when using HTTP. This allows remote attackers to connect to existing superuser sessions, potentially obtaining sensitive information such as passwords and configuration data. **Recommendations** For firmware versions 1.54 and earlier, consider disabling HTTP access to the admin web console until a patch is available. Restrict access to the admin web console to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.