Sebastian Apelt

**Name of the Vulnerable Software and Affected Versions** Foxit Reader (affected versions not specified) **Description** This issue allows remote attackers to execute arbitrary code on vulnerable installations. User interaction is required, where the target must visit a malicious page or open a malicious file. The flaw exists within the XFA remerge method due to the lack of validating the existence of an object prior to performing operations on it. An attacker can leverage this to execute code in the context of the current process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Adobe Acrobat Reader versions 15.020.20042 and earlier Adobe Acrobat Reader versions 15.006.30244 and earlier Adobe Acrobat Reader version 11.0.18 and earlier Adobe Acrobat versions prior to the fixed version **Description** The issue is related to a use-after-free vulnerability in the XFA engine, specifically tied to validation functionality. This could allow for arbitrary code execution if successfully exploited. The vulnerability is also related to memory use after it has been freed, which can be exploited by a remote attacker to execute arbitrary code, potentially related to checking functionality. **Recommendations** For Adobe Acrobat Reader versions 15.020.20042 and earlier, update to a version later than 15.020.20042 to resolve the issue. For Adobe Acrobat Reader versions 15.006.30244 and earlier, update to a version later than 15.006.30244 to resolve the issue. For Adobe Acrobat Reader version 11.0.18 and earlier, update to a version later than 11.0.18 to resolve the issue. For Adobe Acrobat, update to the fixed version to resolve the issue. As a temporary workaround, consider disabling the XFA engine functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Adobe Reader versions (affected versions not specified) Adobe Reader Document Cloud versions (affected versions not specified) Adobe Acrobat Document Cloud versions (affected versions not specified) Adobe Acrobat versions (affected versions not specified) **Description** The issue is caused by a buffer overflow, allowing a remote attacker to execute arbitrary code or cause a denial of service (memory corruption). A memory corruption vulnerability in Adobe Acrobat and Reader enables attackers to execute code. **Recommendations** For Adobe Reader, update to a version that fixes the buffer overflow issue. For Adobe Reader Document Cloud, update to a version that fixes the buffer overflow issue. For Adobe Acrobat Document Cloud, update to a version that fixes the buffer overflow issue. For Adobe Acrobat, update to a version that fixes the buffer overflow issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Adobe Reader versions (affected versions not specified) Adobe Acrobat versions (affected versions not specified) **Description** The issue is caused by a buffer overflow, allowing a remote attacker to execute arbitrary code or cause a denial of service (memory corruption). A memory corruption vulnerability in Adobe Acrobat and Reader enables attackers to execute code. **Recommendations** For Adobe Reader, update to a version that fixes the buffer overflow issue. For Adobe Acrobat, update to a version that fixes the memory corruption vulnerability. As a temporary workaround, consider restricting the use of Adobe Reader and Adobe Acrobat until a patch is available.

**Name of the Vulnerable Software and Affected Versions** EMC AutoStart versions 5.3.x through 5.4.x before 5.4.1 **Description** The issue is related to multiple buffer overflows that can be triggered by sending crafted messages over TCP, potentially allowing remote attackers to cause a denial of service or execute arbitrary code. **Recommendations** For versions 5.3.x through 5.4.x before 5.4.1, update to version 5.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CA ETrust Secure Content Manager version 8.0 CA Gateway Security version 8.1 **Description** The issue allows remote attackers to cause a denial of service and execute arbitrary code via a crafted request to port 1882. This involves an incorrect integer calculation and a heap-based buffer overflow in the eCS component. **Recommendations** For CA ETrust Secure Content Manager version 8.0, consider restricting access to port 1882 to minimize the risk of exploitation. For CA Gateway Security version 8.1, avoid using the vulnerable eCS component until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions 11.0 through 11.1 RealPlayer SP versions 1.0 through 1.1.5 RealPlayer Enterprise versions 2.1.2 and 2.1.3 Linux RealPlayer version 11.0.2.1744 HelixPlayer version 1.0.6 **Description** The issue is related to a heap-based buffer overflow that allows remote attackers to execute arbitrary code via crafted ImageMap data in a RealMedia file. This is due to certain improper integer calculations. **Recommendations** For RealPlayer versions 11.0 through 11.1, update to a version that fixes the improper integer calculations issue. For RealPlayer SP versions 1.0 through 1.1.5, update to a version that fixes the improper integer calculations issue. For RealPlayer Enterprise versions 2.1.2 and 2.1.3, update to a version that fixes the improper integer calculations issue. For Linux RealPlayer version 11.0.2.1744, update to a version that fixes the improper integer calculations issue. For HelixPlayer version 1.0.6, update to a version that fixes the improper integer calculations issue.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions 11.0 through 11.1 RealPlayer SP versions 1.0 through 1.1.5 RealPlayer Enterprise versions 2.1.2 and 2.1.3 **Description** The issue is related to a heap-based buffer overflow that allows remote attackers to execute arbitrary code. This is achieved by providing a crafted value in an unspecified header field in an RMX file. **Recommendations** For RealPlayer versions 11.0 through 11.1, update to a version that contains a fix for this issue. For RealPlayer SP versions 1.0 through 1.1.5, update to a version that contains a fix for this issue. For RealPlayer Enterprise versions 2.1.2 and 2.1.3, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to RMX files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM Informix Dynamic Server (IDS) versions 7.x through 7.31.xD10 IBM Informix Dynamic Server (IDS) versions 9.x through 9.40.xC9 IBM Informix Dynamic Server (IDS) versions 10.00 through 10.00.xC7 IBM Informix Dynamic Server (IDS) versions 11.10 through 11.10.xC1 **Description** The issue is caused by an integer overflow in librpc.dll in portmap.exe, allowing remote attackers to execute arbitrary code or cause a denial of service via a crafted parameter size. This can result in heap memory corruption. **Recommendations** For IBM Informix Dynamic Server (IDS) versions 7.x through 7.31.xD10, update to version 7.31.xD11 or later. For IBM Informix Dynamic Server (IDS) versions 9.x through 9.40.xC9, update to version 9.40.xC10 or later. For IBM Informix Dynamic Server (IDS) versions 10.00 through 10.00.xC7, update to version 10.00.xC8 or later. For IBM Informix Dynamic Server (IDS) versions 11.10 through 11.10.xC1, update to version 11.10.xC2 or later.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions 11.0 through 11.1 RealPlayer SP versions 1.0 through 1.1.4 RealPlayer Enterprise version 2.1.2 **Description** The issue arises from the improper validation of file contents by the rjrmrpln.dll in RealPlayer, allowing remote attackers to execute arbitrary code. This can be achieved through crafted Name Value Property (NVP) elements in logical streams in a media file. **Recommendations** For RealPlayer versions 11.0 through 11.1, update to a version that properly validates file contents to prevent remote code execution. For RealPlayer SP versions 1.0 through 1.1.4, update to a version that properly validates file contents to prevent remote code execution. For RealPlayer Enterprise version 2.1.2, update to a version that properly validates file contents to prevent remote code execution.

**Name of the Vulnerable Software and Affected Versions** Microsoft Windows XP versions SP2 through SP3 Microsoft Windows Server 2003 version SP2 **Description** The issue arises from improper memory allocation during font parsing in the OpenType Font (OTF) format driver. This allows local users to gain privileges via a crafted application. An elevation of privilege vulnerability exists due to the improper parsing of specially crafted OpenType fonts, which could enable an attacker to run arbitrary code in kernel mode. This could lead to the installation of programs, viewing, changing, or deleting data, or creating new accounts with full user rights. **Recommendations** For Microsoft Windows XP versions SP2 through SP3, update to a version that properly allocates memory during font parsing to prevent privilege escalation. For Microsoft Windows Server 2003 version SP2, ensure that the OpenType Font format driver is updated to correctly parse OpenType fonts and prevent arbitrary code execution in kernel mode.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Storage Manager (TSM) FastBack versions 5.5.0.0 through 5.5.6.0 IBM Tivoli Storage Manager (TSM) FastBack versions 6.1.0.0 through 6.1.0.1 **Description** The issue is related to the ` CalcHashValueWithLength` function in FastBackServer.exe, which does not properly validate an unspecified length value. This allows remote attackers to cause a denial of service by sending data over TCP, resulting in a daemon crash. **Recommendations** For versions 5.5.0.0 through 5.5.6.0, consider disabling the ` CalcHashValueWithLength` function as a temporary workaround until a patch is available. For versions 6.1.0.0 through 6.1.0.1, restrict access to the FastBackServer.exe to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Storage Manager (TSM) FastBack versions 5.5.0.0 through 5.5.6.0 IBM Tivoli Storage Manager (TSM) FastBack versions 6.1.0.0 through 6.1.0.1 **Description** The issue allows remote attackers to execute arbitrary code via multiple requests, by writing a certain value to a memory location specified by a UDP packet field in the FastBackMount.exe of the Mount service. **Recommendations** For versions 5.5.0.0 through 5.5.6.0, update to a version outside of this range to resolve the issue. For versions 6.1.0.0 through 6.1.0.1, update to a version outside of this range to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Storage Manager (TSM) FastBack versions 5.5.0.0 through 5.5.6.0 IBM Tivoli Storage Manager (TSM) FastBack versions 6.1.0.0 through 6.1.0.1 **Description** The issue involves multiple stack-based buffer overflows in FastBackServer.exe, allowing remote attackers to execute arbitrary code. This can be achieved through various vectors, including the `AGI SendToLog` function, the `group`, `workgroup`, or `domain` name field to the `USER S AddADGroup` function, the `user path` variable to the `FXCLI checkIndexDBLocation` function, or the ` AGI S ActivateLTScriptReply` function. **Recommendations** For versions 5.5.0.0 through 5.5.6.0, consider disabling the `AGI SendToLog` function and restricting access to the `USER S AddADGroup` function until a patch is available. For versions 6.1.0.0 through 6.1.0.1, avoid using the `user path` variable in the `FXCLI checkIndexDBLocation` function and restrict access to the ` AGI S ActivateLTScriptReply` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Storage Manager (TSM) FastBack versions 5.5.0.0 through 5.5.6.0 IBM Tivoli Storage Manager (TSM) FastBack versions 6.1.0.0 through 6.1.0.1 **Description** The issue allows remote attackers to execute arbitrary code via a crafted packet. This is due to the FXCLI OraBR Exec Command function in FastBackServer.exe using values of packet fields to determine the content and length of data copied to memory. **Recommendations** For versions 5.5.0.0 through 5.5.6.0, consider disabling the FXCLI OraBR Exec Command function until a patch is available. For versions 6.1.0.0 through 6.1.0.1, consider disabling the FXCLI OraBR Exec Command function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Storage Manager (TSM) FastBack versions 5.5.0.0 through 5.5.6.0 IBM Tivoli Storage Manager (TSM) FastBack versions 6.1.0.0 through 6.1.0.1 **Description** The issue allows remote attackers to cause a denial of service, resulting in a NULL pointer dereference and daemon crash, via data in a TCP packet. This is related to the DAS ReadBlockReply function in FastBackServer.exe. **Recommendations** For versions 5.5.0.0 through 5.5.6.0, consider disabling the DAS ReadBlockReply function as a temporary workaround until a patch is available. For versions 6.1.0.0 through 6.1.0.1, consider disabling the DAS ReadBlockReply function as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Storage Manager (TSM) FastBack versions 5.5.0.0 through 5.5.6.0 IBM Tivoli Storage Manager (TSM) FastBack versions 6.1.0.0 through 6.1.0.1 **Description** The issue allows remote attackers to execute arbitrary code via format string specifiers located after a | (pipe) character in a string, specifically in the Eventlog function in FastBackServer.exe. **Recommendations** For versions 5.5.0.0 through 5.5.6.0, consider restricting access to the Eventlog function in FastBackServer.exe until a patch is available. For versions 6.1.0.0 through 6.1.0.1, consider restricting access to the Eventlog function in FastBackServer.exe until a patch is available. As a temporary workaround, avoid using format string specifiers located after a | (pipe) character in a string in the affected function.

**Name of the Vulnerable Software and Affected Versions** RealPlayer versions 11.0 through 11.1 RealPlayer SP versions 1.0 through 1.1.4 **Description** The issue is related to multiple integer overflows in the ParseKnownType function, allowing remote attackers to execute arbitrary code via crafted data in an FLV file, specifically through `HX FLV META AMF TYPE MIXEDARRAY` or `HX FLV META AMF TYPE ARRAY` data. **Recommendations** For RealPlayer versions 11.0 through 11.1, update to a version that fixes the integer overflows in the ParseKnownType function. For RealPlayer SP versions 1.0 through 1.1.4, update to a version that fixes the integer overflows in the ParseKnownType function. As a temporary workaround, consider avoiding the use of FLV files from untrusted sources until a patch is available.

**Name of the Vulnerable Software and Affected Versions** IBM Informix Dynamic Server (IDS) versions 10.x prior to 10.00.TC9 IBM Informix Dynamic Server (IDS) versions 11.x prior to 11.10.TC3 **Description** The issue concerns multiple buffer overflows in the authentication functionality of the Informix Storage Manager (ISM) Portmapper service, specifically within the librpc.dll component. This allows remote attackers to execute arbitrary code by providing a crafted parameter size. **Recommendations** For IBM Informix Dynamic Server (IDS) versions 10.x prior to 10.00.TC9, update to version 10.00.TC9 or later. For IBM Informix Dynamic Server (IDS) versions 11.x prior to 11.10.TC3, update to version 11.10.TC3 or later.

**Name of the Vulnerable Software and Affected Versions** IBM Informix Dynamic Server (IDS) versions 10.00.TC8 and earlier IBM Informix Dynamic Server (IDS) versions 11.10.TC2 and earlier **Description** The issue is related to an integer signedness error in the authentication functionality of the librpc.dll component, used in the Informix Storage Manager (ISM) Portmapper service. This error can be exploited by remote attackers to execute arbitrary code via a crafted parameter size, triggering a stack-based buffer overflow. **Recommendations** For IBM Informix Dynamic Server (IDS) versions 10.00.TC8 and earlier, update to version 10.00.TC9 or later. For IBM Informix Dynamic Server (IDS) versions 11.10.TC2 and earlier, update to version 11.10.TC3 or later.