4.2 20060503224300 Red Hat Linux 9 Mutt Jay Beale INTERIM Jay Beale ACCEPTED Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. CVE-2003-0140 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED 'The Exchange 2003 Exadmin virtual directory uses only Integrated Windows Authentication.' 2.1.6 ACCEPTED 1 Corresponds to item 2.1.6 in the Exchange 2003 Benchmark Red Hat Linux 9 CUPS Jay Beale INTERIM Jay Beale ACCEPTED CUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out. CVE-2003-0195 ACCEPTED 1 Sun Solaris 8 kcms_configure David Proulx kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. CVE-2001-0594 ACCEPTED 1 Sun Solaris 8 libnsl David Proulx Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. CVE-2002-0391 ACCEPTED 1 Sun Solaris 8 xlock David Proulx Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. CVE-2001-0652 ACCEPTED 1 Sun Solaris 8 snmpdx David Proulx Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0796 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 David Proulx Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. CVE-2002-0026 ACCEPTED 3 Sun Solaris 8 Xsun David Proulx Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument. CVE-2002-0158 ACCEPTED 1 Sun Solaris 8 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. CVE-2002-0677 ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code. CVE-2002-0079 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 4 Microsoft Windows NT Windows Shell Matthew Burton Matthew Burton DRAFT INTERIM Matthew Burton ACCEPTED Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled. CVE-2002-0070 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Christine Walzer INTERIM ACCEPTED Cross-site scripting vulnerability in Internet Explorer 6.0 allows remote attackers to execute scripts in the Local Computer zone via a URL that exploits a local HTML resource file, aka the "Cross-Site Scripting in Local HTML Resource" vulnerability. CVE-2002-0189 ACCEPTED 4 Microsoft Windows 2000 Distributed Component Object Model (DCOM) interface Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. CVE-2003-0715 ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Andrew Buttner ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." CVE-2002-0147 ACCEPTED 4 Microsoft Windows 2000 Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1 David Proulx Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. CVE-2002-0026 ACCEPTED 3 Microsoft Windows NT FTP Tiffany Bergeron The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. CVE-2002-0073 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in Internet Information Server (IIS) 4.0 and 5.0 Active Server Pages allows attackers to cause a denial of service or execute arbitrary code. CVE-2002-0079 ACCEPTED 3 Microsoft Windows 2000 Network Connection Manager (NCM) Christine Walzer Christine Walzer INTERIM ACCEPTED A handler routine for the Network Connection Manager (NCM) in Windows 2000 allows local users to gain privileges via a complex attack that causes the handler to run in the LocalSystem context with user-specified code. CVE-2002-0720 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.01 Tiffany Bergeron Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. CVE-2002-0193 ACCEPTED 3 Red Hat Linux 9 skk Jay Beale INTERIM Jay Beale ACCEPTED skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files. CVE-2003-0539 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise." CVE-2002-0364 ACCEPTED 4 Microsoft Windows 2000 SMTP Tiffany Bergeron Andrew Buttner SMTP service in Microsoft Windows 2000, Windows XP Professional, and Exchange 2000 to cause a denial of service via a command with a malformed data transfer (BDAT) request. CVE-2002-0055 ACCEPTED 3 Sun Solaris 8 cachefsd David Proulx Brian Soby INTERIM ACCEPTED Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. CVE-2002-0033 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx Christine Walzer INTERIM ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to bypass restrictions for executing scripts via an object that processes asynchronous events after the initial security checks have been made. CVE-2002-0026 ACCEPTED 4 Sun Solaris 7 Xsun David Proulx Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument. CVE-2002-0158 ACCEPTED 1 Sun Solaris 7 whodo David Proulx Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable. CVE-2001-1076 ACCEPTED 1 Microsoft Windows 2000 FTP Tiffany Bergeron The FTP service in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows attackers who have established an FTP session to cause a denial of service via a specially crafted status request containing glob characters. CVE-2002-0073 ACCEPTED 4 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CVE-2001-0333 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Christine Walzer INTERIM ACCEPTED Windows 2000 allows local users to prevent the application of new group policy settings by opening Group Policy files with exclusive-read access. CVE-2002-0051 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values. CVE-2002-0150 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Sun Solaris 7 rpc.rwalld David Proulx Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed. CVE-2002-0573 ACCEPTED 1 Sun Solaris 7 libnsl David Proulx Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. CVE-2002-0391 ACCEPTED 1 Sun Solaris 7 cachefsd David Proulx Brian Soby INTERIM ACCEPTED Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. CVE-2002-0084 ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron IIS 4.0 and 5.0 allows remote attackers to read documents outside of the web root, and possibly execute arbitrary commands, via malformed URLs that contain UNICODE encoded characters, aka the "Web Server Folder Traversal" vulnerability. CVE-2000-0884 ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. CVE-2002-0071 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Cross-site scripting vulnerability in Help File search facility for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to embed scripts into another user's session. CVE-2002-0074 ACCEPTED 2 Sun Solaris 8 whodo David Proulx Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable. CVE-2001-1076 ACCEPTED 1 Sun Solaris 7 admintool David Proulx Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. CVE-2002-0088 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.01 David Proulx Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1326 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1, or Internet Explorer 5.01 Service Pack 2 David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Red Hat Linux 9 EOG Jay Beale INTERIM Jay Beale ACCEPTED Format string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display. CVE-2003-0165 ACCEPTED 1 Red Hat Linux 9 Ethereal Jay Beale INTERIM Jay Beale ACCEPTED Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers. CVE-2003-0081 ACCEPTED 1 Red Hat Linux 9 Ethereal Jay Beale INTERIM Jay Beale ACCEPTED Heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2003-0159 ACCEPTED 1 Sun Solaris 8 rpc.yppasswdd David Proulx Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. CVE-2001-0779 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx Christine Walzer INTERIM ACCEPTED The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality." CVE-2003-1328 ACCEPTED 3 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message. CVE-2002-0075 ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron Christine Walzer INTERIM ACCEPTED The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference. CVE-2002-1561 ACCEPTED 2 Sun Solaris 8 admintool David Proulx Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. CVE-2002-0088 ACCEPTED 1 Microsoft Windows NT Remote Access Service (RAS) Tiffany Bergeron Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. CVE-2002-0366 ACCEPTED 1 Sun Solaris 7 mibiisa David Proulx Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0797 ACCEPTED 1 Microsoft Windows 2000 Remote Access Service (RAS) Tiffany Bergeron Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. CVE-2002-0366 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain. CVE-2002-0018 ACCEPTED 4 Sun Solaris 7 kcms_configure David Proulx kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. CVE-2001-0594 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 David Proulx Christine Walzer INTERIM ACCEPTED Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message. CVE-2003-0223 ACCEPTED 2 Sun Solaris 8 admintool David Proulx Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. CVE-2002-0089 ACCEPTED 1 Sun Solaris 7 admintool David Proulx Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. CVE-2002-0089 ACCEPTED 1 Red Hat Linux 9 Ethereal Jay Beale INTERIM Jay Beale ACCEPTED Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions. CVE-2003-0356 ACCEPTED 1 Sun Solaris 8 dtspcd David Proulx Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands CVE-2001-0803 ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Yi-Fang Koh ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account. CVE-2001-0344 ACCEPTED 2 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." CVE-2002-0147 ACCEPTED 3 Red Hat Linux 9 Ethereal Jay Beale INTERIM Jay Beale ACCEPTED Multiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors. CVE-2003-0357 ACCEPTED 1 Sun Solaris 7 dtspcd David Proulx Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands CVE-2001-0803 ACCEPTED 1 Red Hat Linux 9 Ethereal Jay Beale INTERIM Jay Beale ACCEPTED Unknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string. CVE-2003-0428 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit. CVE-2002-0367 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1 David Proulx Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. CVE-2002-0023 ACCEPTED 3 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CVE-2001-0333 ACCEPTED 3 Sun Solaris 8 rpc.rwalld David Proulx Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed. CVE-2002-0573 ACCEPTED 1 Sun Solaris 7 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. CVE-2002-0678 ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. CVE-2002-0148 ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Tiffany Bergeron Jonathan Baker INTERIM Ingrid Skoog ACCEPTED Christine Walzer INTERIM ACCEPTED Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs. CVE-2001-0509 ACCEPTED 3 Microsoft Windows 2000 Microsoft SQL Server Yi-Fang Koh Ingrid Skoog INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CVE-2001-0879. CVE-2001-0542 ACCEPTED 3 Red Hat Linux 9 Ethereal Jay Beale INTERIM Jay Beale ACCEPTED The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. CVE-2003-0429 ACCEPTED 1 Sun Solaris 8 lbxproxy David Proulx Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. CVE-2002-0090 ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0013 ACCEPTED 1 Red Hat Linux 9 Ethereal Jay Beale INTERIM Jay Beale ACCEPTED The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. CVE-2003-0430 ACCEPTED 1 Microsoft Windows 2000 Multiple UNC Provider (MUP) Tiffany Bergeron Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. CVE-2002-0151 ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron INTERIM Ingrid Skoog ACCEPTED IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. CVE-2001-0151 ACCEPTED 3 Sun Solaris 7 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. CVE-2002-0677 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Harvey Rubinovitz Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. CVE-2002-0148 ACCEPTED 1 Sun Solaris 8 mibiisa David Proulx Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0797 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. CVE-2002-0149 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability. CVE-2002-0078 ACCEPTED 5 Sun Solaris 8 cachefsd David Proulx Brian Soby Brian Soby INTERIM ACCEPTED Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. CVE-2002-0084 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 David Proulx Christine Walzer INTERIM ACCEPTED Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response. CVE-2002-0371 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. CVE-2002-0193 ACCEPTED 5 Red Hat Linux 9 Ethereal Jay Beale INTERIM Jay Beale ACCEPTED The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences. CVE-2003-0431 ACCEPTED 1 Sun Solaris 7 rpc.yppasswdd David Proulx Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. CVE-2001-0779 ACCEPTED 1 Microsoft Windows NT Locator service Tiffany Bergeron Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information. CVE-2003-0003 ACCEPTED 1 Red Hat Linux 9 Ethereal Jay Beale INTERIM Jay Beale ACCEPTED Ethereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors. CVE-2003-0432 ACCEPTED 1 Red Hat Linux 9 Ximian Evolution Jay Beale INTERIM Jay Beale ACCEPTED The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow. CVE-2003-0128 ACCEPTED 1 Red Hat Linux 9 Ximian Evolution Jay Beale INTERIM Jay Beale ACCEPTED Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times. CVE-2003-0129 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0. CVE-2003-0109 ACCEPTED 2 Red Hat Linux 9 Ximian Evolution Jay Beale INTERIM Jay Beale ACCEPTED The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image. CVE-2003-0130 ACCEPTED 1 Red Hat Linux 9 GDM Jay Beale INTERIM ACCEPTED GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file. CVE-2003-0547 ACCEPTED 1 Red Hat Linux 9 GDM Jay Beale INTERIM ACCEPTED The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549. CVE-2003-0548 ACCEPTED 1 Sun Solaris 7 snmpdx David Proulx Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0796 ACCEPTED 1 Microsoft Windows 2000 ISA Server 2000 Tiffany Bergeron ACCEPTED Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found." CVE-2003-0526 ACCEPTED 1 Microsoft Windows 2000 SMB (Server Message Block) Tiffany Bergeron ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. CVE-2003-0345 ACCEPTED 1 Sun Solaris 7 kcms_server David Proulx Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. CVE-2003-0027 ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Buffer overflows in extended stored procedures for Microsoft SQL Server 7.0 and 2000 allow remote attackers to cause a denial of service or execute arbitrary code via a database query with certain long arguments. CVE-2002-0154 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page. CVE-2003-0809 ACCEPTED 2 Sun Solaris 7 cachefsd David Proulx Brian Soby INTERIM ACCEPTED Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. CVE-2002-0033 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 Andrew Buttner Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1326 ACCEPTED 3 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715. CVE-2003-0528 ACCEPTED 1 Red Hat Linux 9 GDM Jay Beale INTERIM ACCEPTED The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name. CVE-2003-0549 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0 and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names. CVE-2002-0071 ACCEPTED 3 Sun Solaris 7 xlock David Proulx Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. CVE-2001-0652 ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. CVE-2002-0149 ACCEPTED 3 Red Hat Linux 9 GNU Ghostscript Jay Beale INTERIM Jay Beale ACCEPTED Unknown vulnerability in GNU Ghostscript before 7.07 allows attackers to execute arbitrary commands, even when -dSAFER is enabled, via a PostScript file that causes the commands to be executed from a malicious print job. CVE-2003-0354 ACCEPTED 1 Microsoft Windows 2000 Windows Script Engine for Jscript DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. CVE-2003-0010 ACCEPTED 2 Red Hat Linux 9 GnuPG Jay Beale INTERIM Jay Beale ACCEPTED The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path. CVE-2003-0255 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Virtual Machine (VM) Tiffany Bergeron INTERIM ACCEPTED The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise." CVE-2003-0111 ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to spoof the safety check for HTTP headers and cause a denial of service or execute arbitrary code via HTTP header field values. CVE-2002-0150 ACCEPTED 3 Red Hat Linux 9 GtkHTML Jay Beale INTERIM ACCEPTED GtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages. CVE-2003-0133 ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Matt Busby INTERIM ACCEPTED The default permissions for the SNMP Parameters registry key in Windows NT 4.0 allows remote attackers to read and possibly modify the SNMP community strings to obtain sensitive information or modify network configuration, aka one of the "Registry Permissions" vulnerabilities. CVE-2001-0046 ACCEPTED 1 Microsoft Windows NT Microsoft Transaction Server (MTS) Matt Busby INTERIM ACCEPTED The default permissions for the MTS Package Administration registry key in Windows NT 4.0 allows local users to install or modify arbitrary Microsoft Transaction Server (MTS) packages and gain privileges, aka one of the "Registry Permissions" vulnerabilities. CVE-2001-0047 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1 Tiffany Bergeron Andrew Buttner ACCEPTED HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly. CVE-2001-0154 ACCEPTED 2 Microsoft Windows NT Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CVE-2003-0112 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure." CVE-2002-1186 ACCEPTED 2 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Harvey Rubinovitz Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0012 ACCEPTED 1 Microsoft Windows NT Multiple UNC Provider (MUP) Tiffany Bergeron Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. CVE-2002-0151 ACCEPTED 1 Microsoft Windows NT SMB (Server Message Block) Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. CVE-2003-0345 ACCEPTED 2 Microsoft Windows 2000 Windows Shell Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Shell (used as the Windows Desktop) allows local and possibly remote attackers to execute arbitrary code via a custom URL handler that has not been removed for an application that has been improperly uninstalled. CVE-2002-0070 ACCEPTED 2 Red Hat Linux 9 GtkHTML Jay Beale INTERIM Jay Beale ACCEPTED gtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference. CVE-2003-0541 ACCEPTED 1 Sun Solaris 8 fs.auto, xfs David Proulx Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query. CVE-2002-1317 ACCEPTED 2 Red Hat Linux 9 Apache Jay Beale INTERIM Jay Beale ACCEPTED Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. CVE-2003-0020 ACCEPTED 1 Red Hat Linux 9 Apache Jay Beale INTERIM Jay Beale ACCEPTED Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020. CVE-2003-0083 ACCEPTED 1 Sun Solaris 7 fs.auto, xfs David Proulx Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query. CVE-2002-1317 ACCEPTED 2 Red Hat Linux 9 Apache Jay Beale INTERIM Jay Beale ACCEPTED A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. CVE-2003-0132 ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit. CVE-2002-0367 ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which could allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain. CVE-2002-0018 ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Harvey Rubinovitz Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0012 ACCEPTED 1 Red Hat Enterprise Linux 3 OpenSSL Jay Beale DRAFT INTERIM ACCEPTED The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. CVE-2004-0975 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Outlook Express Ingrid Skoog DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. CVE-2005-1213 ACCEPTED 1 Red Hat Linux 9 Apache Jay Beale INTERIM Jay Beale ACCEPTED Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite. CVE-2003-0192 ACCEPTED 1 Red Hat Linux 9 Apache Jay Beale INTERIM Jay Beale ACCEPTED The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service. CVE-2003-0253 ACCEPTED 1 Sun Solaris 8 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. CVE-2002-0678 ACCEPTED 1 Sun Solaris 7 CDE David Proulx Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure. CVE-2002-0679 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Andrew Buttner Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." CVE-2003-1326 ACCEPTED 2 Sun Solaris 7 lbxproxy David Proulx Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. CVE-2002-0090 ACCEPTED 1 Microsoft Windows NT Internet Information Server 4.0 Tiffany Bergeron ACCEPTED Buffer overflow in the chunked encoding transfer mechanism in IIS 4.0 and 5.0 allows attackers to execute arbitrary code via the processing of HTR request sessions, aka "Heap Overrun in HTR Chunked Encoding Could Enable Web Server Compromise." CVE-2002-0364 ACCEPTED 3 Red Hat Linux 9 Apache Jay Beale INTERIM Jay Beale ACCEPTED Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket. CVE-2003-0254 ACCEPTED 1 Microsoft Windows XP Authenticode Tiffany Bergeron Andrew Buttner Andrew Buttner ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval. CVE-2003-0660 ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2000 Christine Walzer Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document. CVE-2003-0664 ACCEPTED 2 Microsoft Windows 2000 SMB (Server Message Block) Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in SMB (Server Message Block) protocol in Microsoft Windows NT, Windows 2000, and Windows XP allows attackers to cause a denial of service (crash) via a SMB_COM_TRANSACTION packet with a request for the (1) NetShareEnum, (2) NetServerEnum2, or (3) NetServerEnum3, aka "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service". CVE-2002-0724 ACCEPTED 2 Microsoft Windows 2000 Certificate Enrollment Control Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the Certificate Enrollment ActiveX Control in Microsoft Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000, and Windows XP allow remote attackers to delete digital certificates on a user's system via HTML. CVE-2002-0699 ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron IIS 5.0 allows remote attackers to execute arbitrary commands via a malformed request for an executable file whose name is appended with operating system commands, aka the "Web Server File Request Parsing" vulnerability. CVE-2000-0886 ACCEPTED 3 Sun Solaris 8 CDE David Proulx Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure. CVE-2002-0679 ACCEPTED 1 Red Hat Linux 9 KDM Jay Beale INTERIM ACCEPTED KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module. CVE-2003-0690 ACCEPTED 1 Microsoft Windows NT Remote Procedure Call (RPC) Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. CVE-2003-0352 ACCEPTED 3 Sun Solaris 8 kcms_server David Proulx Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. CVE-2003-0027 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Tiffany Bergeron ACCEPTED Buffer overflow in ISAPI extension (idq.dll) in Index Server 2.0 and Indexing Service 2000 in IIS 6.0 beta and earlier allows remote attackers to execute arbitrary commands via a long argument to Internet Data Administration (.ida) and Internet Data Query (.idq) files such as default.ida, as commonly exploited by Code Red. CVE-2001-0500 ACCEPTED 3 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Tiffany Bergeron ACCEPTED The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval. CVE-2003-0660 ACCEPTED 1 Microsoft Windows 2000 Remote Data Protocol (RDP) Tiffany Bergeron Christine Walzer INTERIM ACCEPTED Remote Data Protocol (RDP) version 5.0 in Microsoft Windows 2000 and RDP 5.1 in Windows XP does not encrypt the checksums of plaintext session data, which could allow a remote attacker to determine the contents of encrypted sessions via sniffing, aka "Weak Encryption in RDP Protocol." CVE-2002-0863 ACCEPTED 3 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Windows Script Engine for JScript v5.6 Tiffany Bergeron David Proulx David Proulx ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. CVE-2003-0010 ACCEPTED 3 Microsoft Windows XP Windows XP Tiffany Bergeron Andrew Buttner ACCEPTED Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM INTERIM ACCEPTED Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application. CVE-2003-0659 ACCEPTED 3 Microsoft Windows 2000 Microsoft Word 2000 Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word and Excel allow remote attackers to steal sensitive information via certain field codes that insert the information when the document is returned to the attacker, as demonstrated in Word using (1) INCLUDETEXT or (2) INCLUDEPICTURE, aka "Flaw in Word Fields and Excel External Updates Could Lead to Information Disclosure." CVE-2002-1143 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Cross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource. CVE-2002-1187 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Andrew Buttner ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer allows remote attackers to bypass zone restrictions to inject and execute arbitrary programs by creating a popup window and inserting ActiveX object code with a "data" tag pointing to the malicious code, which Internet Explorer treats as HTML or Javascript, but later executes as an HTA application, a different vulnerability than CVE-2003-0532, and as exploited using the QHosts Trojan horse (aka Trojan.Qhosts, QHosts-1, VBS.QHOSTS, or aolfix.exe). CVE-2003-0838 ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2000 Ingrid Skoog Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to. CVE-2002-1056 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Tiffany Bergeron DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. CVE-2004-0549 ACCEPTED 3 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Tiffany Bergeron Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available. CVE-2002-0053 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Harvey Rubinovitz Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message. CVE-2002-0075 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 1 Microsoft Windows 2000 Messenger Service Christine Walzer ACCEPTED Andrew Buttner ACCEPTED The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0717 ACCEPTED 2 Red Hat Linux 9 KDM Jay Beale INTERIM ACCEPTED KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session. CVE-2003-0692 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Ingrid Skoog DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 2 Microsoft Windows 2000 Help and Support Center (HSC) Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL. CVE-2003-0711 ACCEPTED 3 Microsoft Windows NT DirectX Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow. CVE-2003-0346 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz ACCEPTED Cross-site scripting vulnerability (XSS) in Internet Explorer 5.01 through 6.0 allows remote attackers to read and execute files on the local system via web pages using the <frame> or <iframe> element and javascript, aka "Frames Cross Site Scripting," as demonstrated using the PrivacyPolicy.dlg resource. CVE-2002-1187 ACCEPTED 1 Red Hat Linux 9 krb5 Jay Beale INTERIM Jay Beale ACCEPTED Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391. CVE-2003-0028 ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server Tiffany Bergeron Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM Ingrid Skoog ACCEPTED Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED The xp_displayparamstmt function in SQL Server and Microsoft SQL Server Desktop Engine (MSDE) does not properly restrict the length of a buffer before calling the srv_paraminfo function in the SQL Server API for Extended Stored Procedures (XP), which allows an attacker to cause a denial of service or execute arbitrary commands, aka the "Extended Stored Procedure Parameter Parsing" vulnerability. CVE-2000-1081 ACCEPTED 3 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Jonathan Baker INTERIM ACCEPTED INTERIM Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Microsoft SQL Server 7, 2000, and MSDE allows local users go gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability. CVE-2003-0230 ACCEPTED 4 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron Andrew Buttner ACCEPTED Buffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Microsoft Windows 2000 SP4 and earlier allows remote attackers to execute arbitrary code via an HTML document with a long argument to the RunQuery2 method. CVE-2003-0662 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Tiffany Bergeron DRAFT INTERIM ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. CVE-2004-0549 ACCEPTED 1 Red Hat Linux 9 krb5 Jay Beale INTERIM Jay Beale ACCEPTED The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). CVE-2003-0082 ACCEPTED 1 Microsoft Windows Server 2003 Network News Transport Protocol (NNTP) Christine Walzer DRAFT INTERIM ACCEPTED The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. CVE-2004-0574 ACCEPTED 1 Red Hat Linux 9 krb5 Jay Beale INTERIM Jay Beale ACCEPTED Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack. CVE-2003-0138 ACCEPTED 1 Red Hat Linux 9 krb5 Jay Beale INTERIM Jay Beale ACCEPTED Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing." CVE-2003-0139 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Yi-Fang Koh Format string vulnerability in the C runtime functions in SQL Server 7.0 and 2000 allows attackers to cause a denial of service. CVE-2001-0879 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel. CVE-2003-0127 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. CVE-2005-1211 ACCEPTED 1 Microsoft Windows Server 2003 SMB (Server Message Block) Jonathan Baker DRAFT INTERIM ACCEPTED Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability." CVE-2005-1206 ACCEPTED 1 Red Hat Linux 9 Netfilter Jay Beale INTERIM Jay Beale ACCEPTED The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts. CVE-2003-0187 ACCEPTED 1 Red Hat Linux 9 Netfilter Jay Beale INTERIM Jay Beale ACCEPTED The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions. CVE-2003-0244 ACCEPTED 1 Microsoft Windows 2000 Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CVE-2003-0112 ACCEPTED 2 Red Hat Enterprise Linux 3 Gaim Jay Beale DRAFT INTERIM ACCEPTED Gaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error. CVE-2005-1934 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. CVE-2003-0715 ACCEPTED 1 Microsoft Windows XP Client Server Runtime System (CSRSS) Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value. CVE-2005-0551 ACCEPTED 1 Microsoft Windows XP Windows XP Tiffany Bergeron Andrew Buttner ACCEPTED Christine Walzer INTERIM ACCEPTED The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0717 ACCEPTED 2 Microsoft Windows 2000 Microsoft SQL Server 2000 Yi-Fang Koh Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in SQL Server 7.0 and 2000 allows remote attackers to execute arbitrary code via a long OLE DB provider name to (1) OpenDataSource or (2) OpenRowset in an ad hoc connection. CVE-2002-0056 ACCEPTED 3 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions. CVE-2002-1217 ACCEPTED 2 Microsoft Windows 2000 SMB Signing (Server Message Block) Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED The SMB signing capability in the Server Message Block (SMB) protocol in Microsoft Windows 2000 and Windows XP allows attackers to disable the digital signing settings in an SMB session to force the data to be sent unsigned, then inject data into the session without detection, e.g. by modifying group policy information sent from a domain controller. CVE-2002-1256 ACCEPTED 2 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports. CVE-2003-0246 ACCEPTED 1 Microsoft Windows XP Windows Media Player for Windows XP Tiffany Bergeron ACCEPTED Microsoft Windows Media Player versions 6.4 and 7.1 and Media Player for Windows XP allow remote attackers to bypass Internet Explorer's (IE) security mechanisms and run code via an executable .wma media file with a license installation requirement stored in the IE cache, aka the "Cache Path Disclosure via Windows Media Player". CVE-2002-0372 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops"). CVE-2003-0247 ACCEPTED 1 Microsoft Windows XP Windows Media Player for Windows XP Tiffany Bergeron ACCEPTED Buffer overflow in Microsoft Windows Media Player 6.4 allows remote attackers to execute arbitrary code via a malformed Advanced Streaming Format (ASF) file. CVE-2001-0719 ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the password encryption function of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows remote attackers to gain control of the database and execute arbitrary code via SQL Server Authentication, aka "Unchecked Buffer in Password Encryption Procedure." CVE-2002-0624 ACCEPTED 2 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address. CVE-2003-0248 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 MDAC 2.6 Ingrid Skoog DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub. CVE-2002-1142 ACCEPTED 2 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions. CVE-2003-0364 ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron ACCEPTED Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. CVE-2003-0352 ACCEPTED 1 Microsoft Windows 2000 Simple Network Management Protocol (SNMP) Harvey Rubinovitz Harvey Rubinovitz INTERIM ACCEPTED Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0013 ACCEPTED 2 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Jonathan Baker INTERIM ACCEPTED Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe. CVE-2003-0231 ACCEPTED 4 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Jonathan Baker INTERIM ACCEPTED Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Microsoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow. CVE-2003-0232 ACCEPTED 4 Red Hat Linux 9 /proc/tty/driver/serial Jay Beale INTERIM Jay Beale ACCEPTED /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. CVE-2003-0461 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Ingrid Skoog DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 1 Microsoft Windows 2000 Microsoft FrontPage Server Extensions 2000 Tiffany Bergeron Tiffany Bergeron INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0824 ACCEPTED 2 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash). CVE-2003-0462 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd. CVE-2003-0464 ACCEPTED 1 Microsoft Windows 2000 SQL Server 2000 Yi-Fang Koh Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Buffer overflow in bulk insert procedure of Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, allows attackers with database administration privileges to execute arbitrary code via a long filename in the BULK INSERT query. CVE-2002-0641 ACCEPTED 2 Microsoft Windows NT Windows NT 4.0 Tiffany Bergeron INTERIM ACCEPTED The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method. CVE-2003-0525 ACCEPTED 2 Microsoft Windows XP Windows Media Player for Windows XP Tiffany Bergeron ACCEPTED Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location. CVE-2003-0228 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Ingrid Skoog DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors. CVE-2003-0476 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries. CVE-2003-0501 ACCEPTED 1 Microsoft Windows XP Microsoft Color Management Module Christine Walzer DRAFT INTERIM ACCEPTED Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. CVE-2005-1219 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Workstation Service Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. CVE-2003-0812 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz ACCEPTED Cross-Frame scripting vulnerability in the WebBrowser control as used in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code, read arbitrary files, or conduct other unauthorized activities via script that accesses the Document property, which bypasses <frame> and <iframe> domain restrictions. CVE-2002-1217 ACCEPTED 1 Microsoft Windows 2000 Network News Transport Protocol (NNTP) Christine Walzer ACCEPTED Memory leak in NNTP service in Windows NT 4.0 and Windows 2000 allows remote attackers to cause a denial of service (memory exhaustion) via a large number of malformed posts. CVE-2001-0543 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2000 Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0820 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Tiffany Bergeron ACCEPTED Christine Walzer INTERIM ACCEPTED INTERIM Christine Walzer INTERIM ACCEPTED Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application. CVE-2003-0659 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 1 Red Hat Enterprise Linux 3 php Jay Beale DRAFT INTERIM ACCEPTED Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759. CVE-2005-1751 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 2 Red Hat Enterprise Linux 3 php Jay Beale DRAFT INTERIM ACCEPTED Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement. CVE-2005-1921 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 1 Red Hat Enterprise Linux 3 cpio Jay Beale DRAFT INTERIM ACCEPTED Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete. CVE-2005-1111 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Microsoft Windows XP Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. CVE-2003-0822 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. CVE-2003-0822 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft SharePoint Team Services Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. CVE-2003-0822 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 1 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron Christine Walzer INTERIM ACCEPTED The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allow remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page. CVE-2003-0225 ACCEPTED 2 Microsoft Windows 2000 HTML Help ActiveX Control Christine Walzer Andrew Buttner ACCEPTED Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function. CVE-2002-0693 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology. CVE-2003-0550 ACCEPTED 1 Microsoft Windows Server 2003 HTML Help Facility Andrew Buttner DRAFT INTERIM ACCEPTED Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer. CVE-2005-1208 ACCEPTED 1 Red Hat Enterprise Linux 3 gzip Jay Beale DRAFT INTERIM ACCEPTED Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file. CVE-2005-1228 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service. CVE-2003-0551 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target. CVE-2003-0552 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call. CVE-2003-0619 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0700. CVE-2003-0699 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods." CVE-2002-1254 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability". CVE-2005-1988 ACCEPTED 2 Microsoft Windows XP Microsoft Internet Explorer 6 Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. CVE-2003-0814 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure." CVE-2002-1185 ACCEPTED 2 Red Hat Linux 9 Linux kernel Jay Beale INTERIM Jay Beale ACCEPTED The C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user function to access userspace in certain conditions, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0699. CVE-2003-0700 ACCEPTED 1 Microsoft Windows NT Simple Network Management Protocol (SNMP) Matt Busby Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in SNMP agent service in Windows 95/98/98SE, Windows NT 4.0, Windows 2000, and Windows XP allows remote attackers to cause a denial of service or execute arbitrary code via a malformed management request. NOTE: this candidate may be split or merged with other candidates. This and other PROTOS-related candidates, especially CVE-2002-0012 and CVE-2002-0013, will be updated when more accurate information is available. CVE-2002-0053 ACCEPTED 1 Microsoft Windows 2000 HTML Help Facility Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED The HTML Help facility in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP uses the Local Computer Security Zone when opening .chm files from the Temporary Internet Files folder, which allows remote attackers to execute arbitrary code via HTML mail that references or inserts a malicious .chm file containing shortcuts that can be executed, aka "Code Execution via Compiled HTML Help File." CVE-2002-0694 ACCEPTED 2 Microsoft Windows 2000 ISA Server 2000 Tiffany Bergeron ACCEPTED The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745. CVE-2003-0110 ACCEPTED 0 Microsoft Windows Server 2003 Windows Shell Harvey Rubinovitz DRAFT INTERIM ACCEPTED The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. CVE-2005-0063 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model and access information on the local system or in other domains, and possibly execute code, via cached methods and objects, aka "Cross Domain Verification via Cached Methods." CVE-2002-1254 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Red Hat Linux 9 Konqueror Jay Beale INTERIM ACCEPTED KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites. CVE-2003-0459 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 1 Red Hat Enterprise Linux 4 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string. CVE-2005-2265 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2003 Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values. CVE-2004-0963 ACCEPTED 1 Red Hat Linux 9 LPRng Jay Beale INTERIM Jay Beale ACCEPTED psbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file. CVE-2003-0136 ACCEPTED 1 Microsoft Windows 2000 Telnet protocol Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in telnet server in Windows 2000 and Interix 2.2 allows remote attackers to execute arbitrary code via malformed protocol options. CVE-2002-0020 ACCEPTED 2 Microsoft Windows 2000 Microsoft Word 2002 Ingrid Skoog DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to. CVE-2002-1056 ACCEPTED 2 Red Hat Linux 9 lv Jay Beale INTERIM Jay Beale ACCEPTED lv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories. CVE-2003-0188 ACCEPTED 1 Red Hat Linux 9 Mutt Jay Beale INTERIM ACCEPTED Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. CVE-2003-0140 ACCEPTED 1 Red Hat Linux 9 MySQL Jay Beale INTERIM Jay Beale ACCEPTED Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user. CVE-2003-0073 ACCEPTED 1 Microsoft Windows XP Microsoft Color Management Module Christine Walzer DRAFT INTERIM ACCEPTED Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. CVE-2005-1219 ACCEPTED 1 Red Hat Linux 9 MySQL Jay Beale INTERIM Jay Beale ACCEPTED MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf. CVE-2003-0150 ACCEPTED 1 Red Hat Linux 9 nfs-utils Jay Beale INTERIM Jay Beale ACCEPTED Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines. CVE-2003-0252 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading." CVE-2002-1188 ACCEPTED 2 Red Hat Linux 9 OpenSSH Jay Beale INTERIM Jay Beale ACCEPTED OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. CVE-2003-0190 ACCEPTED 1 Red Hat Linux 9 OpenSSH Jay Beale INTERIM Jay Beale ACCEPTED "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695. CVE-2003-0682 ACCEPTED 1 Red Hat Linux 9 OpenSSH Jay Beale INTERIM Jay Beale ACCEPTED A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. CVE-2003-0693 ACCEPTED 1 Sun Solaris 9 Bind Brian Soby DRAFT INTERIM ACCEPTED BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size. CVE-2002-1220 ACCEPTED 1 Microsoft Windows XP Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." CVE-2004-0893 ACCEPTED 1 Microsoft Windows 2000 Utilities Manager/Windows Messaging Christine Walzer ACCEPTED Christine Walzer INTERIM ACCEPTED The control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function. CVE-2003-0350 ACCEPTED 2 Red Hat Linux 9 OpenSSH Jay Beale INTERIM Jay Beale ACCEPTED Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693. CVE-2003-0695 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 2 Red Hat Linux 9 OpenSSL Jay Beale INTERIM Jay Beale Jay Beale ACCEPTED The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." CVE-2003-0131 ACCEPTED 1 Microsoft Windows 2000 HTML Help Facility Andrew Buttner DRAFT INTERIM ACCEPTED Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer. CVE-2005-1208 ACCEPTED 1 Red Hat Linux 9 OpenSSL Jay Beale INTERIM Jay Beale Jay Beale ACCEPTED OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). CVE-2003-0147 ACCEPTED 1 Microsoft Windows 2000 Small Business Server 2000 Jonathan Baker DRAFT INTERIM ACCEPTED Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability." CVE-2005-1206 ACCEPTED 1 Microsoft Windows 2000 ISA Server 2000 Christine Walzer DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Microsoft ISA Server 2000 allows remote attackers to connect to services utilizing the NetBIOS protocol via a NetBIOS connection with an ISA Server that uses the NetBIOS (all) predefined packet filter. CVE-2005-1216 ACCEPTED 2 Red Hat Linux 9 pam_smb Jay Beale INTERIM Jay Beale ACCEPTED Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code. CVE-2003-0686 ACCEPTED 1 Red Hat Linux 9 CGI.pm Jay Beale INTERIM ACCEPTED Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter. CVE-2003-0615 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.01 Harvey Rubinovitz ACCEPTED Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure." CVE-2002-1186 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. CVE-2003-0815 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Andrew Buttner INTERIM ACCEPTED Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 6.0, e.g. when SharePoint Services 2.0 is installed. CVE-2003-0904 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Internet Security and Acceleration Server 2000 David Proulx INTERIM ACCEPTED Buffer overflow in the H.323 filter of Microsoft Internet Security and Acceleration Server 2000 allows remote attackers to execute arbitrary code in the Microsoft Firewall Service via certain H.323 traffic, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CVE-2003-0819 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Microsoft Internet Explorer 6 Service Pack 1 Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. CVE-2003-0816 ACCEPTED 2 Microsoft Windows 2000 Internet Information Server 5.0 Tiffany Bergeron ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun." CVE-2003-0224 ACCEPTED 2 Microsoft Windows 2000 Microsoft SQL Server 2000 Matthew Burton Matthew Burton Matthew Burton DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension." CVE-2002-0186 ACCEPTED 2 Red Hat Linux 9 php Jay Beale INTERIM Jay Beale ACCEPTED Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter. CVE-2003-0442 ACCEPTED 1 Microsoft Windows 2000 Microsoft SQL Server 2000 Matthew Burton Matthew Burton DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the SQLXML ISAPI extension of Microsoft SQL Server 2000 allows remote attackers to execute arbitrary code via data queries with a long content-type parameter, aka "Unchecked Buffer in SQLXML ISAPI Extension." CVE-2002-0186 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows 2000 Remote Procedure Call (RPC) Tiffany Bergeron ACCEPTED The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. CVE-2003-0605 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz ACCEPTED Internet Explorer 5.01 through 6.0 does not properly perform security checks on certain encoded characters within a URL, which allows a remote attacker to steal potentially sensitive information from a user by redirecting the user to another site that has that information, aka "Encoded Characters Information Disclosure." CVE-2002-1186 ACCEPTED 1 Red Hat Linux 9 pine Jay Beale INTERIM Jay Beale ACCEPTED Buffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type. CVE-2003-0720 ACCEPTED 1 Microsoft Windows NT Remote Access Service (RAS) Matt Busby INTERIM ACCEPTED The default permissions for the RAS Administration key in Windows NT 4.0 allows local users to execute arbitrary commands by changing the value to point to a malicious DLL, aka one of the "Registry Permissions" vulnerabilities. CVE-2001-0045 ACCEPTED 1 Red Hat Linux 9 pine Jay Beale INTERIM Jay Beale ACCEPTED Integer signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number. CVE-2003-0721 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Ingrid Skoog DRAFT INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Ingrid Skoog DRAFT INTERIM ACCEPTED Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. CVE-2004-0566 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 3 Microsoft Windows XP Microsoft Internet Explorer 6 Tiffany Bergeron DRAFT INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. CVE-2004-0549 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Red Hat Linux 9 Postfix Jay Beale INTERIM ACCEPTED Postfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port. CVE-2003-0468 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Compnents 2.5 Christine Walzer INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. CVE-2003-0903 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." CVE-2003-1025 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 2 Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. CVE-2004-0901 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz ACCEPTED Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure." CVE-2002-1185 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Microsoft Internet Explorer 6 Service Pack 1 Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 2 Red Hat Linux 9 Postfix Jay Beale INTERIM ACCEPTED The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up. CVE-2003-0540 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Red Hat Enterprise Linux 4 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object. CVE-2005-2270 ACCEPTED 1 Microsoft Windows 2000 MSDTC Robert L. Hollis DRAFT INTERIM ACCEPTED The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer. CVE-2005-2119 ACCEPTED 2 Red Hat Linux 9 smbd Jay Beale INTERIM Jay Beale ACCEPTED Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code. CVE-2003-0085 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Compnents 2.6 Christine Walzer INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. CVE-2003-0903 ACCEPTED 1 Red Hat Linux 9 Samba Jay Beale INTERIM Jay Beale ACCEPTED The code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown. CVE-2003-0086 ACCEPTED 1 Sun Solaris 7 Xsun Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable. CVE-2001-0422 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 1 Red Hat Linux 9 Samba Jay Beale INTERIM Jay Beale ACCEPTED Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201. CVE-2003-0196 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. CVE-2003-0817 ACCEPTED 2 Red Hat Linux 9 Samba, Samba-TNG Jay Beale INTERIM Jay Beale ACCEPTED Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. CVE-2003-0201 ACCEPTED 1 Red Hat Linux 9 semi MIME library Jay Beale INTERIM Jay Beale ACCEPTED The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files. CVE-2003-0440 ACCEPTED 1 Red Hat Linux 9 Sendmail Jay Beale INTERIM Jay Beale ACCEPTED The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. CVE-2003-0694 ACCEPTED 1 Microsoft Windows XP Windows Shell Harvey Rubinovitz DRAFT INTERIM ACCEPTED The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. CVE-2005-0063 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Workstation Service Tiffany Bergeron ACCEPTED Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. CVE-2003-0812 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. CVE-2005-1978 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. CVE-2005-1987 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Virtual Machine (VM) Tiffany Bergeron INTERIM ACCEPTED Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error. CVE-2002-1258 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec. CVE-2005-2871 ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 97 Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Ingrid Skoog Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0820 INTERIM 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 98 Andrew Buttner INTERIM ACCEPTED Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0820 ACCEPTED 1 Microsoft Windows Server 2003 Windows Shell Harvey Rubinovitz DRAFT INTERIM ACCEPTED The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. CVE-2005-0063 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 2 Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0824 ACCEPTED 2 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Licence Logging Service Brian Soby DRAFT INTERIM ACCEPTED Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code. CVE-2004-1351 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP MSN Messenger Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis ACCEPTED Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. CVE-2004-0597 ACCEPTED 3 Red Hat Linux 9 Sendmail Jay Beale INTERIM Jay Beale ACCEPTED A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences. CVE-2003-0681 ACCEPTED 1 Red Hat Linux 9 Sendmail Jay Beale INTERIM Jay Beale ACCEPTED The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. CVE-2003-0688 ACCEPTED 1 HP-UX 11 remshd Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors. CVE-2005-3779 ACCEPTED 5 Red Hat Linux 9 Sendmail Jay Beale INTERIM Jay Beale ACCEPTED The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. CVE-2003-0694 ACCEPTED 1 Microsoft Windows Server 2003 Services for UNIX Jonathan Baker DRAFT INTERIM ACCEPTED The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. CVE-2005-1205 ACCEPTED 1 Microsoft Windows XP Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0824 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Internet Explorer 6.0 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. CVE-2002-0648 ACCEPTED 1 Red Hat Linux 9 SquirrelMail Jay Beale INTERIM Jay Beale ACCEPTED Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser. CVE-2003-0160 ACCEPTED 1 Red Hat Linux 9 unzip Jay Beale INTERIM Jay Beale ACCEPTED Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. CVE-2003-0282 ACCEPTED 1 Red Hat Enterprise Linux 3 sysreport Jay Beale DRAFT INTERIM ACCEPTED sysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges. CVE-2005-1760 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. CVE-2006-0002 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0824 INTERIM 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." CVE-2003-1027 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 2 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1026 ACCEPTED 2 Red Hat Linux 9 up2date Jay Beale INTERIM Jay Beale ACCEPTED up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised. CVE-2003-0546 ACCEPTED 1 Red Hat Linux 9 vsftpd Jay Beale INTERIM Jay Beale ACCEPTED vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended. CVE-2003-0135 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. CVE-2003-0821 ACCEPTED 2 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. CVE-2005-1937 ACCEPTED 1 HP-UX 11 Samba Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow. CVE-2004-1154 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1026 ACCEPTED 2 Microsoft Windows NT MDAC 2.8 Ingrid Skoog DRAFT INTERIM ACCEPTED The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability." CVE-2005-0050 ACCEPTED 1 Red Hat Enterprise Linux 3 mikmod Jay Beale DRAFT INTERIM ACCEPTED Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename. CVE-2003-0427 ACCEPTED 1 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. CVE-2004-0148 ACCEPTED 1 Microsoft Windows 2000 Microsoft ASN.1 Library Andrew Buttner INTERIM ACCEPTED Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. CVE-2003-0818 ACCEPTED 1 Red Hat Linux 9 xinetd Jay Beale INTERIM Jay Beale Jay Beale ACCEPTED Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections. CVE-2003-0211 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors. CVE-2006-0227 ACCEPTED 1 Red Hat Linux 9 xpdf Jay Beale INTERIM ACCEPTED Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink. CVE-2003-0434 ACCEPTED 1 Red Hat Linux 9 ypserv Jay Beale INTERIM Jay Beale ACCEPTED ypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block. CVE-2003-0251 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2002 Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2003-0820 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. CVE-2006-0292 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability." CVE-2005-0803 ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 97 Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. CVE-2003-0821 INTERIM 1 Red Hat Enterprise Linux 3 postgresql Jay Beale DRAFT INTERIM ACCEPTED PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability." CVE-2005-1409 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED The XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read. CVE-2006-0298 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability." CVE-2006-0021 ACCEPTED 1 Microsoft Windows NT NetDDE Agent Ingrid Skoog DRAFT INTERIM ACCEPTED NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation." CVE-2002-1230 ACCEPTED 1 Microsoft Windows 2000 Microsoft Agent Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. CVE-2005-1214 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. CVE-2006-0013 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Review blocked recipient list 1.2.7 ACCEPTED 1 Corresponds to item 1.2.7 in the Exchange 2003 Benchmark Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM Jonathan Baker Ingrid Skoog ACCEPTED Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. CVE-2004-0571 ACCEPTED 1 Microsoft Windows Server 2003 TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality. CVE-2005-1979 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1026 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Review the global accept and deny lists. 1.2.1 ACCEPTED 1 Corresponds to item 1.2.1 in the Exchange 2003 Benchmark Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1026 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 5.5 Harvey Rubinovitz ACCEPTED Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading." CVE-2002-1188 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2002 Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. CVE-2003-0821 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". CVE-2005-1989 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. CVE-2006-0010 ACCEPTED 1 Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. CVE-2003-0822 ACCEPTED 2 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord. CVE-2005-2123 ACCEPTED 2 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver. CVE-2006-0190 ACCEPTED 1 Microsoft Windows 2000 Windows Internet Naming Service (WINS) Andrew Buttner INTERIM ACCEPTED The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. CVE-2003-0825 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. CVE-2005-2122 ACCEPTED 2 Microsoft Windows XP Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability." CVE-2005-0055 ACCEPTED 2 Red Hat Enterprise Linux 3 ImageMagick Jay Beale DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value. CVE-2005-1275 ACCEPTED 1 Microsoft Windows NT Windows Animated Cursor Christine Walzer DRAFT INTERIM ACCEPTED The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. CVE-2004-1305 ACCEPTED 1 Microsoft Windows 2000 Hyperlink Object Library Christine Walzer DRAFT INTERIM ACCEPTED The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow. CVE-2005-0057 ACCEPTED 1 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. CVE-2006-0010 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. CVE-2006-0013 ACCEPTED 1 Red Hat Enterprise Linux 3 gftp Jay Beale DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. CVE-2005-0372 ACCEPTED 2 Microsoft Windows Server 2003 Web Client Service Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters. CVE-2005-1207 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." CVE-2005-1790 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box. CVE-2006-0008 ACCEPTED 1 Red Hat Enterprise Linux 4 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). CVE-2005-2269 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Microsoft Internet Explorer 6 Service Pack 1 Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. CVE-2003-0823 ACCEPTED 2 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. CVE-2005-2491 ACCEPTED 3 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. CVE-2005-2260 ACCEPTED 1 Microsoft Windows 2000 Microsoft FrontPage Server Extensions 2000 Tiffany Bergeron Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. CVE-2003-0822 ACCEPTED 2 Red Hat Enterprise Linux 3 Gaim Jay Beale DRAFT INTERIM ACCEPTED Gaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name. CVE-2005-1269 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1026 ACCEPTED 2 Red Hat Enterprise Linux 3 bzip2 Jay Beale DRAFT INTERIM ACCEPTED bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb"). CVE-2005-1260 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Data Access Compnents 2.7 Christine Walzer INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. CVE-2003-0903 ACCEPTED 1 Red Hat Enterprise Linux 4 mozilla Jay Beale DRAFT INTERIM ACCEPTED A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. CVE-2005-1937 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. CVE-2005-2728 ACCEPTED 3 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft SharePoint Team Services Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. CVE-2003-0824 INTERIM 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption. CVE-2006-0031 ACCEPTED 1 HP-UX 11 remshd Robert L. Hollis DRAFT INTERIM ACCEPTED Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors. CVE-2005-3565 ACCEPTED 5 HP-UX 10 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. CVE-2005-3296 ACCEPTED 5 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Review whether anonymous HTTP access is allowed 2.1.2 ACCEPTED 1 Corresponds to item 2.1.2 in the Exchange 2003 Benchmark Microsoft Windows Server 2003 Microsoft Color Management Module Christine Walzer DRAFT INTERIM ACCEPTED Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. CVE-2005-1219 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. CVE-2005-1211 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED 'A security flaw in some versions of the HP-UX usermod command can result in recursively changing the ownership of all directories and files under a user\'s home directory. Specifically, executing # usermod -d <old home dir> -u <new gid> -m <username> or # usermod -d <old home dir> -u <new or old gid> -m <username> incorrectly changes ownership recursively to <username>. If the home directory is \'/\', this action will render the system inoperable.' http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00614838 ACCEPTED 1 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents. CVE-2005-2266 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1026 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Data Access Compnents 2.8 Christine Walzer INTERIM ACCEPTED Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. CVE-2003-0903 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. CVE-2002-0648 ACCEPTED 1 Microsoft Windows 2000 Client Server Runtime System (CSRSS) Ingrid Skoog DRAFT INTERIM Christine Walzer Andrew Buttner ACCEPTED Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value. CVE-2005-0551 ACCEPTED 1 Microsoft Windows 2000 Local Security Authority Subsystem Service (LSASS) Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. CVE-2004-0894 ACCEPTED 2 Microsoft Windows XP Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CVE-2003-0112 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Word 2003 Matthew Burton DRAFT INTERIM ACCEPTED Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. CVE-2004-1060 ACCEPTED 1 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string. CVE-2005-2265 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. CVE-2005-1211 ACCEPTED 1 Microsoft Windows 2000 Services for UNIX Jonathan Baker DRAFT INTERIM ACCEPTED The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. CVE-2005-1205 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED A security flaw in some versions of the HP-UX usermod command can result in recursively changing the ownership of all directories and files under a user's home directory. Specifically, executing # usermod -d <old home dir> -u <new gid> -m <username> or # usermod -d <old home dir> -u <new or old gid> -m <username> incorrectly changes ownership recursively to <username>. If the home directory is '/', this action will render the system inoperable. http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00614838 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function. CVE-2005-2307 ACCEPTED 2 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption. CVE-2006-1185 INTERIM 0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability." CVE-2005-0554 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". CVE-2005-1989 ACCEPTED 2 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption. CVE-2006-1186 INTERIM 0 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability." CVE-2006-1189 INTERIM 0 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem. CVE-2005-2087 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.1 Tiffany Bergeron David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. CVE-2003-0010 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.5 Tiffany Bergeron David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. CVE-2003-0010 ACCEPTED 2 Microsoft Windows NT Microsoft ASN.1 Library Andrew Buttner INTERIM ACCEPTED Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. CVE-2003-0818 ACCEPTED 1 Microsoft Windows XP Microsoft ASN.1 Library Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. CVE-2003-0818 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-complicit attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field. CVE-2006-0009 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft ASN.1 Library Andrew Buttner INTERIM ACCEPTED Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. CVE-2003-0818 ACCEPTED 1 Microsoft Windows NT Windows Internet Naming Service (WINS) Andrew Buttner INTERIM ACCEPTED The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. CVE-2003-0825 ACCEPTED 1 Microsoft Windows NT Windows Internet Naming Service (WINS) Andrew Buttner INTERIM ACCEPTED The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. CVE-2003-0825 ACCEPTED 1 Microsoft Windows Server 2003 Windows Internet Naming Service (WINS) Andrew Buttner INTERIM ACCEPTED The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. CVE-2003-0825 ACCEPTED 1 Red Hat Linux 9 PWLib Jay Beale Matt Busby ACCEPTED Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CVE-2004-0097 ACCEPTED 1 Red Hat Linux 9 netpbm Jay Beale Matt Busby ACCEPTED netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. CVE-2003-0924 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." CVE-2003-1026 ACCEPTED 3 Red Hat Linux 9 XFree86 Jay Beale Matt Busby ACCEPTED Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. CVE-2004-0083 ACCEPTED 1 Red Hat Linux 9 XFree86 Jay Beale Matt Busby ACCEPTED Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. CVE-2004-0084 ACCEPTED 1 Red Hat Enterprise Linux 4 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection. CVE-2005-2261 ACCEPTED 1 Red Hat Linux 9 XFree86 Jay Beale Matt Busby ACCEPTED Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. CVE-2004-0106 ACCEPTED 1 Red Hat Enterprise Linux 3 netpbm Jay Beale Matt Busby ACCEPTED netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. CVE-2003-0924 ACCEPTED 1 Red Hat Linux 9 Mutt Jay Beale ACCEPTED Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. CVE-2004-0078 ACCEPTED 1 Microsoft Windows 2000 Outlook Express Robert L. Hollis DRAFT INTERIM Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. CVE-2006-0014 INTERIM 0 Red Hat Linux 9 Mailman Jay Beale ACCEPTED Cross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities. CVE-2003-0965 ACCEPTED 1 Red Hat Linux 9 Mailman Jay Beale ACCEPTED Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users. CVE-2003-0992 ACCEPTED 1 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. CVE-2005-1978 ACCEPTED 2 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object. CVE-2005-2270 ACCEPTED 1 Red Hat Linux 9 Gaim Jay Beale ACCEPTED Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. CVE-2004-0006 ACCEPTED 1 Red Hat Linux 9 Gaim Jay Beale ACCEPTED Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2004-0007 ACCEPTED 1 Red Hat Linux 9 Gaim Jay Beale ACCEPTED Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. CVE-2004-0008 ACCEPTED 1 Red Hat Linux 9 slocate Jay Beale Matt Busby ACCEPTED Heap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used. CVE-2003-0848 ACCEPTED 1 Red Hat Linux 9 Midnight Commander Jay Beale Matt Busby ACCEPTED Stack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion. CVE-2003-1023 ACCEPTED 1 Red Hat Linux 9 KDE Jay Beale INTERIM ACCEPTED Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. CVE-2003-0592 ACCEPTED 1 Red Hat Enterprise Linux 3 mremap Jay Beale Matt Busby ACCEPTED The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. CVE-2004-0077 ACCEPTED 1 Red Hat Enterprise Linux 3 PWLib Jay Beale Matt Busby ACCEPTED Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. CVE-2004-0097 ACCEPTED 1 Red Hat Enterprise Linux 3 Samba 3.0.0 and 3.0.1 Jay Beale Matt Busby ACCEPTED The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. CVE-2004-0082 ACCEPTED 1 Red Hat Linux 9 mod_python Jay Beale Matt Busby ACCEPTED Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. CVE-2003-0973 ACCEPTED 1 Red Hat Enterprise Linux 3 XFree86 Jay Beale Matt Busby Matt Busby ACCEPTED Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. CVE-2004-0083 ACCEPTED 1 Red Hat Enterprise Linux 3 XFree86 Jay Beale Matt Busby Matt Busby ACCEPTED Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. CVE-2004-0084 ACCEPTED 1 Red Hat Enterprise Linux 3 XFree86 Jay Beale Matt Busby ACCEPTED Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. CVE-2004-0106 ACCEPTED 1 Red Hat Enterprise Linux 3 XMLSoft Libxml2 Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. CVE-2004-0110 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale Matt Busby ACCEPTED Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." CVE-2004-0003 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale Matt Busby ACCEPTED Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. CVE-2004-0010 ACCEPTED 1 Red Hat Linux 9 Vicam USB driver Jay Beale Matt Busby ACCEPTED The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. CVE-2004-0075 ACCEPTED 1 Red Hat Linux 9 mremap Jay Beale Matt Busby ACCEPTED The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. CVE-2004-0077 ACCEPTED 1 Red Hat Enterprise Linux 3 Mutt Jay Beale ACCEPTED Matt Busby Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. CVE-2004-0078 ACCEPTED 1 Red Hat Linux 9 mod_python Jay Beale Matt Busby ACCEPTED Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. CVE-2003-0973 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." CVE-2005-2088 ACCEPTED 3 Microsoft Windows 2000 Windows Media Services Tiffany Bergeron INTERIM Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets. CVE-2003-0905 INTERIM 0 Microsoft Windows 95 Microsoft Outlook Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. CVE-2004-0121 ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 MSN Messenger Christine Walzer INTERIM Andrew Buttner ACCEPTED Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. CVE-2004-0122 ACCEPTED 1 Red Hat Enterprise Linux 3 gdk-pixbuf Jay Beale INTERIM Matt Busby ACCEPTED gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. CVE-2004-0111 ACCEPTED 1 Red Hat Linux 9 gdk-pixbuf Jay Beale INTERIM Matt Busby ACCEPTED gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. CVE-2004-0111 ACCEPTED 1 Red Hat Linux 9 tcpdump Jay Beale ACCEPTED tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. CVE-2003-0989 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. CVE-2005-1987 ACCEPTED 2 Red Hat Linux 9 sysstat Jay Beale Matt Busby INTERIM ACCEPTED The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. CVE-2004-0107 ACCEPTED 1 Red Hat Linux 9 tcpdump Jay Beale ACCEPTED The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. CVE-2004-0055 ACCEPTED 1 Red Hat Linux 9 tcpdump Jay Beale ACCEPTED The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. CVE-2004-0057 ACCEPTED 1 Red Hat Enterprise Linux 3 tcpdump Jay Beale ACCEPTED tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. CVE-2003-0989 ACCEPTED 1 Red Hat Enterprise Linux 3 tcpdump Jay Beale ACCEPTED The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. CVE-2004-0055 ACCEPTED 1 Red Hat Enterprise Linux 3 tcpdump Jay Beale ACCEPTED Matt Busby The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. CVE-2004-0057 ACCEPTED 1 Red Hat Linux 9 CVS server Jay Beale Matt Busby ACCEPTED CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. CVE-2003-0977 ACCEPTED 1 Red Hat Linux 9 Ethereal Jay Beale Matt Busby ACCEPTED The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. CVE-2003-1012 ACCEPTED 1 Red Hat Linux 9 Tethereal Jay Beale Matt Busby ACCEPTED The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. CVE-2003-1013 ACCEPTED 1 Red Hat Linux 9 KDE Personal Information Management (kdepim) Jay Beale ACCEPTED Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. CVE-2003-0988 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale Matt Busby ACCEPTED Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. CVE-2003-0984 ACCEPTED 1 Red Hat Linux 9 Linux kernel Jay Beale Matt Busby ACCEPTED The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21 does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. CVE-2003-0985 ACCEPTED 1 Red Hat Enterprise Linux 3 nfs-utils packages Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name. CVE-2004-0154 ACCEPTED 1 Red Hat Enterprise Linux 3 Sysstat Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. CVE-2004-0107 ACCEPTED 1 Red Hat Linux 9 httpd Jay Beale Matt Busby INTERIM ACCEPTED Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. CVE-2003-0542 ACCEPTED 1 Red Hat Enterprise Linux 3 Apache Jay Beale Matt Busby INTERIM ACCEPTED Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. CVE-2003-0542 ACCEPTED 1 Red Hat Enterprise Linux 3 KDE Personal Information Management (kdepim) Jay Beale INTERIM Matt Busby ACCEPTED Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. CVE-2003-0988 ACCEPTED 1 Red Hat Enterprise Linux 3 CVS server Jay Beale Matt Busby INTERIM ACCEPTED CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. CVE-2003-0977 ACCEPTED 1 Red Hat Enterprise Linux 3 Linux kernel Matt Busby Matt Busby INTERIM ACCEPTED The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21 does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. CVE-2003-0985 ACCEPTED 1 Red Hat Enterprise Linux 3 Linux kernel Matt Busby Matt Busby INTERIM ACCEPTED Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. CVE-2004-0001 ACCEPTED 1 Red Hat Enterprise Linux 3 Net-SNMP Matt Busby Matt Busby INTERIM ACCEPTED Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed. CVE-2003-0935 ACCEPTED 1 Red Hat Enterprise Linux 3 OpenSSL Matt Busby Matt Busby Matt Busby INTERIM ACCEPTED The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. CVE-2004-0079 ACCEPTED 1 Red Hat Enterprise Linux 3 OpenSSL Matt Busby Matt Busby Matt Busby INTERIM ACCEPTED OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. CVE-2004-0081 ACCEPTED 1 Red Hat Linux 9 mozilla Jay Beale INTERIM ACCEPTED Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. CVE-2003-0564 ACCEPTED 1 Red Hat Linux 9 mozilla Jay Beale INTERIM ACCEPTED Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. CVE-2003-0594 ACCEPTED 1 Red Hat Linux 9 mozilla Jay Beale INTERIM ACCEPTED Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. CVE-2004-0191 ACCEPTED 1 Red Hat Enterprise Linux 3 libxml2 Jay Beale Jay Beale INTERIM ACCEPTED Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. CVE-2004-0110 ACCEPTED 1 Red Hat Enterprise Linux 3 httpd Jay Beale Jay Beale INTERIM ACCEPTED Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. CVE-2004-0113 ACCEPTED 1 Red Hat Linux 9 Red Hat 9 Jay Beale INTERIM ACCEPTED The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. CVE-2004-0189 ACCEPTED 1 Red Hat Linux 9 Red Hat 9 Jay Beale Jay Beale INTERIM ACCEPTED Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. CVE-2004-0176 ACCEPTED 1 Red Hat Linux 9 Red Hat 9 Jay Beale Jay Beale INTERIM ACCEPTED The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. CVE-2004-0365 ACCEPTED 1 Red Hat Linux 9 Red Hat 9 Jay Beale Jay Beale INTERIM ACCEPTED Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. CVE-2004-0367 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files. CVE-2006-1780 DRAFT 0 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Outlook Express Andrew Buttner INTERIM ACCEPTED The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." CVE-2004-0380 ACCEPTED 1 Microsoft Windows 2000 Local Security Authority Subsystem Service (LSASS) Tiffany Bergeron INTERIM ACCEPTED Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. CVE-2003-0533 ACCEPTED 1 Microsoft Windows Server 2003 Secure Sockets Layer (SSL) David Proulx INTERIM ACCEPTED The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. CVE-2004-0120 ACCEPTED 1 Microsoft Windows XP Secure Sockets Layer (SSL) David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. CVE-2004-0120 ACCEPTED 2 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. CVE-2004-0176 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". CVE-2005-1989 ACCEPTED 2 Microsoft Windows XP Private Communications Transport (PCT) Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. CVE-2003-0719 ACCEPTED 2 Microsoft Windows 2000 Local Descriptor Table (LDT) Jonathan Baker INTERIM ACCEPTED The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. CVE-2003-0910 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. CVE-2004-0365 ACCEPTED 1 Microsoft Windows 2000 Secure Sockets Layer (SSL) David Proulx INTERIM ACCEPTED The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. CVE-2004-0120 ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Christine Walzer INTERIM ACCEPTED A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. CVE-2003-0813 ACCEPTED 1 Microsoft Windows Server 2003 Remote Procedure Call (RPC) Christine Walzer A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. CVE-2003-0813 DRAFT 0 Microsoft Windows NT Windows logon process (winlogon) Andrew Buttner INTERIM ACCEPTED Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. CVE-2003-0806 ACCEPTED 1 Microsoft Windows 2000 Windows logon process (winlogon) Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. CVE-2003-0806 ACCEPTED 2 Microsoft Windows NT Enhanced Metafile (EMF) Windows Metafile (WMF) Andrew Buttner INTERIM ACCEPTED Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. CVE-2003-0906 ACCEPTED 1 Microsoft Windows XP Local Security Authority Subsystem Service (LSASS) Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. CVE-2003-0533 ACCEPTED 2 Microsoft Windows XP Remote Procedure Call (RPC) Christine Walzer INTERIM ACCEPTED A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. CVE-2003-0813 ACCEPTED 1 Microsoft Windows Server 2003 COM Internet Services Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability." CVE-2005-0047 ACCEPTED 1 Red Hat Linux 9 OpenSSL Matt Busby Matt Busby INTERIM ACCEPTED OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. CVE-2004-0081 ACCEPTED 1 Microsoft Windows NT Private Communications Transport (PCT) Andrew Buttner INTERIM ACCEPTED Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. CVE-2003-0719 ACCEPTED 1 Microsoft Windows Server 2003 Help and Support Center (HSC) Harvey Rubinovitz Harvey Rubinovitz INTERIM ACCEPTED Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe. CVE-2003-0907 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. CVE-2004-0367 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Agent Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. CVE-2005-1214 ACCEPTED 1 Microsoft Windows 2000 H.323 Jonathan Baker INTERIM ACCEPTED Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. CVE-2004-0117 ACCEPTED 1 Microsoft Windows NT IIS 4.0 Christine Walzer INTERIM ACCEPTED IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. CVE-2001-0507 ACCEPTED 1 Microsoft Windows Server 2003 NetWare Robert L. Hollis DRAFT INTERIM ACCEPTED The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. CVE-2005-1985 ACCEPTED 2 Microsoft Windows NT Local Descriptor Table (LDT) Jonathan Baker INTERIM ACCEPTED The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. CVE-2003-0910 ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. CVE-2001-0507 ACCEPTED 2 Microsoft Windows NT IIS 4.0 Christine Walzer INTERIM ACCEPTED In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. CVE-1999-0278 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM Jay Beale ACCEPTED Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. CVE-2003-0564 ACCEPTED 1 Microsoft Windows NT IIS 4.0 Christine Walzer INTERIM ACCEPTED Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. CVE-1999-0874 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED IIS HTTP service uses Integrated Windows authentication. 2.1.4 ACCEPTED 1 Corresponds to item 2.1.4 in the Exchange 2003 Benchmark Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM Jay Beale ACCEPTED Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. CVE-2003-0594 ACCEPTED 1 Microsoft Windows Server 2003 Local Security Authority Subsystem Service (LSASS) Andrew Buttner INTERIM ACCEPTED Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. CVE-2003-0533 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5, Internet Explorer 5.5 Service Pack 1 Tiffany Bergeron INTERIM ACCEPTED Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs. CVE-2001-0002 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability." CVE-2001-0727 ACCEPTED 3 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page. CVE-2003-0344 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability. CVE-2002-0190 ACCEPTED 3 Microsoft Windows Server 2003 Microsoft ASN.1 Library David Proulx INTERIM ACCEPTED Double-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2004-0123 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated. CVE-2002-0022 ACCEPTED 3 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer 5.5 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields. CVE-2003-0113 ACCEPTED 2 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. CVE-2000-0778 ACCEPTED 1 Red Hat Enterprise Linux 3 OpenSSL Matt Busby Matt Busby INTERIM ACCEPTED The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. CVE-2004-0112 ACCEPTED 1 Microsoft Windows NT IIS 4.0 Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." CVE-2002-0869 ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." CVE-2002-0869 ACCEPTED 2 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability." CVE-2002-1180 ACCEPTED 2 Microsoft Windows NT IIS 4.0 Christine Walzer INTERIM ACCEPTED The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. CVE-1999-0736 ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled. CVE-2003-0226 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Review block-list Exception list entries 1.2.3 ACCEPTED 1 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. CVE-2005-1192 ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. CVE-2003-0227 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM Jay Beale ACCEPTED Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. CVE-2004-0191 ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll. CVE-2003-0349 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option. CVE-2004-0424 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x , allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry. CVE-2004-0109 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. CVE-2004-0189 ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. CVE-2002-1181 ACCEPTED 2 Microsoft Windows NT IIS 4.0 Christine Walzer INTERIM ACCEPTED Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. CVE-2002-1181 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate. CVE-2004-0155 ACCEPTED 1 Microsoft Windows Server 2003 H.323 Jonathan Baker INTERIM ACCEPTED Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. CVE-2004-0117 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. CVE-2004-0164 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability." CVE-2003-0309 ACCEPTED 2 Microsoft Windows 2000 Private Communications Transport (PCT) Andrew Buttner INTERIM ACCEPTED Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. CVE-2003-0719 ACCEPTED 1 Microsoft Windows NT SNMP Christine Walzer INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. CVE-1999-0815 ACCEPTED 2 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. CVE-2004-0411 ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Christine Walzer INTERIM ACCEPTED An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. CVE-2004-0116 ACCEPTED 1 Microsoft Windows NT HTML Help Facility Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. CVE-2003-1041 ACCEPTED 1 Microsoft Windows Server 2003 Remote Procedure Call (RPC) Christine Walzer Christine Walzer An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. CVE-2004-0116 DRAFT 0 Microsoft Windows XP Remote Procedure Call (RPC) Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. CVE-2004-0116 ACCEPTED 2 Microsoft Windows 2000 Enhanced Metafile (EMF) Windows Metafile (WMF) Andrew Buttner INTERIM ACCEPTED Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. CVE-2003-0906 ACCEPTED 1 Red Hat Enterprise Linux 3 ImageMagick Jay Beale DRAFT INTERIM ACCEPTED The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask. CVE-2005-1739 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 MDAC 2.5 Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. CVE-2003-0353 ACCEPTED 2 Microsoft Windows XP Microsoft Data Access Components 2.6 Christine Walzer INTERIM ACCEPTED Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. CVE-2003-0353 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer 5.5 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. CVE-2003-0114 ACCEPTED 2 Microsoft Windows XP H.323 Jonathan Baker INTERIM ACCEPTED Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. CVE-2004-0117 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. CVE-2006-1190 INTERIM 0 Microsoft Windows NT IIS 4.0 Christine Walzer INTERIM ACCEPTED The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. CVE-2003-0227 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. CVE-2004-0426 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Jet Database Engine Andrew Buttner INTERIM ACCEPTED Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. CVE-2004-0197 ACCEPTED 1 Microsoft Windows NT COM Internet Services Christine Walzer INTERIM ACCEPTED Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. CVE-2003-0807 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines. CVE-2004-0396 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. CVE-2004-0421 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. CVE-2004-0183 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874. CVE-2002-0027 ACCEPTED 3 Red Hat Linux 9 OpenSSL Matt Busby Matt Busby INTERIM ACCEPTED The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. CVE-2004-0079 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. CVE-2004-0184 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. CVE-2004-0234 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). CVE-2004-0235 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. CVE-2004-0233 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). CVE-2004-0541 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. CVE-2004-0504 ACCEPTED 1 Microsoft Windows XP IIS 5.1 Christine Walzer INTERIM ACCEPTED Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." CVE-2002-0869 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. CVE-2004-0403 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. CVE-2006-1359 INTERIM 0 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. CVE-2004-0505 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. CVE-2004-0506 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2004-0507 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express Ingrid Skoog DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. CVE-2005-1213 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express Andrew Buttner INTERIM ACCEPTED The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." CVE-2004-0380 ACCEPTED 1 Red Hat Enterprise Linux 3 MIT Kerberos 5 (krb5) Jay Beale INTERIM ACCEPTED Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. CVE-2004-0523 ACCEPTED 1 HP-UX 11 Operating System Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED Unspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows local users to cause a denial of service due to a "specific stack size." CVE-2005-3295 ACCEPTED 1 Red Hat Enterprise Linux 3 CVS Jay Beale INTERIM ACCEPTED CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. CVE-2004-0414 ACCEPTED 1 Red Hat Enterprise Linux 3 CVS Jay Beale INTERIM ACCEPTED Double-free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. CVE-2004-0416 ACCEPTED 1 Microsoft Windows 2000 COM Internet Services Christine Walzer INTERIM ACCEPTED Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. CVE-2003-0807 ACCEPTED 1 Microsoft Windows 98 File and Print Sharing Tiffany Bergeron INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability. CVE-2000-0979 ACCEPTED 2 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM INTERIM ACCEPTED /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. CVE-2003-0461 ACCEPTED 1 Sun Solaris 9 Sun Solaris 10 X Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in XFree86 before 4.3.0 allow user-complicit attackers to execute arbitrary code via a crafted pixmap image. CVE-2005-2495 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Review blocked sender list 1.2.8 ACCEPTED 1 Corresponds to item 1.2.8 in the Exchange 2003 Benchmark Microsoft Windows XP Help and Support Center (HSC) Harvey Rubinovitz Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe. CVE-2003-0907 ACCEPTED 2 Red Hat Enterprise Linux 3 CVS Jay Beale INTERIM ACCEPTED Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space. CVE-2004-0417 ACCEPTED 1 Red Hat Enterprise Linux 3 CVS Jay Beale INTERIM ACCEPTED serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data. CVE-2004-0418 ACCEPTED 1 Microsoft Windows XP Windows XP Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Windows XP allows local users to execute arbitrary programs by creating a task at an elevated privilege level through the eventtriggers.exe command-line tool or the Task Scheduler service, aka "Windows Management Vulnerability." CVE-2003-0909 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability." CVE-2005-0055 ACCEPTED 2 Red Hat Enterprise Linux 3 SquirrelMail Jay Beale INTERIM ACCEPTED Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. CVE-2004-0519 ACCEPTED 0 Microsoft Windows XP Microsoft ASN.1 Library David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Double-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2004-0123 ACCEPTED 2 Microsoft Windows XP Help and Support Center (HSC) Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm). CVE-2004-0199 ACCEPTED 2 Microsoft Windows XP IIS 5.1 Christine Walzer INTERIM ACCEPTED IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned. CVE-2002-1182 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express Andrew Buttner INTERIM ACCEPTED The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." CVE-2004-0380 ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED IIS 5.0 and 5.1 allows remote attackers to cause a denial of service (crash) via malformed WebDAV requests that cause a large amount of memory to be assigned. CVE-2002-1182 ACCEPTED 2 Red Hat Enterprise Linux 3 SquirrelMail Jay Beale INTERIM ACCEPTED Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. CVE-2004-0520 ACCEPTED 0 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. CVE-2003-0984 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.5 and 6.0 allows remote attackers to cause the File Download dialogue box to misrepresent the name of the file in the dialogue in a way that could fool users into thinking that the file type is safe to download. CVE-2001-0875 ACCEPTED 3 Microsoft Windows XP Internet Explorer 5.01, Internet Explorer 5.01 Service Pack 1, or Internet Explorer 5.01 Service Pack 2 Internet Explorer 5.5 Service Pack 2 Internet Explorer 6.0 Internet Explorer 5.5 or Internet Explorer 5.5 Service Pack 1 Internet Explorer 6 SP1 Matthew Burton DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability." CVE-2005-0053 ACCEPTED 2 Microsoft Windows 2000 Lightweight Directory Access Protocol (LDAP) Tiffany Bergeron INTERIM ACCEPTED Unknown vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows 2000 domain controllers allows remote attackers to cause a denial of service via a crafted LDAP message. CVE-2003-0663 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." CVE-2004-0003 ACCEPTED 1 Microsoft Windows NT IIS 4.0 Christine Walzer INTERIM ACCEPTED Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CVE-2001-0333 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability." CVE-2006-1189 INTERIM 0 Microsoft Windows NT Microsoft Windows NT Tiffany Bergeron INTERIM ACCEPTED The Remote Registry server in Windows NT 4.0 allows local authenticated users to cause a denial of service via a malformed request, which causes the winlogon process to fail, aka the "Remote Registry Access Authentication" vulnerability. CVE-2000-0377 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Exchange 2000 Tiffany Bergeron INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Exchange Server 2000 System Attendant gives "Everyone" group privileges to the WinReg key, which could allow remote attackers to read or modify registry keys. CVE-2002-0049 ACCEPTED 2 Microsoft Windows NT Microsoft Windows NT Tiffany Bergeron INTERIM ACCEPTED The registry in Windows NT can be accessed remotely by users who are not administrators. CVE-1999-0562 ACCEPTED 1 Microsoft Windows 2000 NetBIOS Tiffany Bergeron INTERIM ACCEPTED A component service related to NETBIOS is running. CVE-1999-0621 ACCEPTED 1 Microsoft Windows NT SQL Server 2000 Tiffany Bergeron INTERIM ACCEPTED Jonathan Baker INTERIM INTERIM ACCEPTED Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED The registry key containing the SQL Server service account information in Microsoft SQL Server 2000, including Microsoft SQL Server Desktop Engine (MSDE) 2000, has insecure permissions, which allows local users to gain privileges, aka "Incorrect Permission on SQL Server Service Account Registry Key." CVE-2002-0642 ACCEPTED 3 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. CVE-2002-0648 ACCEPTED 1 Microsoft Windows 2000 Microsoft DirectPlay Tiffany Bergeron INTERIM ACCEPTED IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVE-2004-0202 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Outlook Express Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." CVE-2004-0380 ACCEPTED 2 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. CVE-2005-3296 ACCEPTED 5 Microsoft Windows Server 2003 COM Internet Services Christine Walzer INTERIM ACCEPTED Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. CVE-2003-0807 ACCEPTED 1 Microsoft Windows Server 2003 Help and Support Center (HSC) Harvey Rubinovitz INTERIM ACCEPTED Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm). CVE-2004-0199 ACCEPTED 1 Red Hat Enterprise Linux 3 SquirrelMail Jay Beale INTERIM ACCEPTED SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. CVE-2004-0521 ACCEPTED 0 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. CVE-2004-0010 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Veritas Backup Exec 8.5 Tiffany Bergeron INTERIM Ingrid Skoog Veritas Backup Exec 8.5 and earlier requires that the "RestrictAnonymous" registry key for Microsoft Exchange 2000 must be set to 0, which enables anonymous listing of the SAM database and shares. CVE-2002-1117 INTERIM 0 Red Hat Enterprise Linux 3 fetchmail Jay Beale DRAFT INTERIM ACCEPTED Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier. CVE-2005-2335 ACCEPTED 1 Microsoft Windows XP Microsoft Data Access Components 2.7 Christine Walzer Christine Walzer INTERIM ACCEPTED Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. CVE-2003-0353 ACCEPTED 3 Microsoft Windows NT Remote Procedure Call (RPC) Christine Walzer INTERIM ACCEPTED The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability." CVE-2004-0124 ACCEPTED 1 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405. CVE-2004-0180 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 X Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in XFree86 before 4.3.0 allow user-complicit attackers to execute arbitrary code via a crafted pixmap image. CVE-2005-2495 ACCEPTED 1 Microsoft Windows 2000 Print Spooler Service Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message. CVE-2005-1984 ACCEPTED 1 Microsoft Windows 2000 Utility Manager Harvey Rubinovitz INTERIM ACCEPTED The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213. CVE-2003-0908 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 snmpdx Brian Soby DRAFT INTERIM ACCEPTED Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0012 ACCEPTED 1 Red Hat Linux 9 OpenSSL Matt Busby Matt Busby INTERIM ACCEPTED The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. CVE-2004-0112 ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. CVE-2001-0333 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Rockliffe MailSite Express Rahul Mohandas DRAFT INTERIM ACCEPTED Cross-site scripting (XSS) vulnerability in Rockliffe MailSite Express before 6.1.22 allows remote attackers to inject arbitrary web script or HTML via a message body. CVE-2005-3428 ACCEPTED 1 Microsoft Windows XP Compressed Folders David Proulx DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation. CVE-2004-0575 ACCEPTED 3 Microsoft Windows XP Windows logon process (winlogon) Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. CVE-2003-0806 ACCEPTED 2 Microsoft Windows XP CertGetCertificateChain, CertVerifyCertificateChainPolicy, and WinVerifyTrust APIs Christine Walzer Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS. CVE-2002-0862 ACCEPTED 2 Microsoft Windows XP HTML Help Facility Andrew Buttner DRAFT INTERIM ACCEPTED Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer. CVE-2005-1208 ACCEPTED 1 Microsoft Windows NT Certificate Validation Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862). CVE-2002-1183 ACCEPTED 2 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. CVE-2004-0405 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087. CVE-2005-1990 ACCEPTED 2 Microsoft Windows 2000 Remote Procedure Call (RPC) Christine Walzer INTERIM ACCEPTED The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability." CVE-2004-0124 ACCEPTED 1 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord. CVE-2005-2123 ACCEPTED 2 Microsoft Windows XP Enhanced Metafile (EMF) Windows Metafile (WMF) Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. CVE-2003-0906 ACCEPTED 2 Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Jay Beale INTERIM ACCEPTED Matthew Wojcik Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code. CVE-2004-0179 ACCEPTED 2 Microsoft Windows Server 2003 Remote Procedure Call (RPC) Christine Walzer INTERIM ACCEPTED The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability." CVE-2004-0124 ACCEPTED 1 Microsoft Windows 2000 IIS 5.0 Christine Walzer INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0. CVE-2001-0241 ACCEPTED 2 Microsoft Windows XP MSDTC Robert L. Hollis DRAFT INTERIM ACCEPTED The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer. CVE-2005-2119 ACCEPTED 2 Microsoft Windows XP Remote Procedure Call (RPC) Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability." CVE-2004-0124 ACCEPTED 2 Red Hat Enterprise Linux 4 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL. CVE-2005-2267 ACCEPTED 1 Sun Solaris 10 Perl Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications. CVE-2005-3962 ACCEPTED 1 Microsoft Windows XP Telephony Service Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message. CVE-2005-0058 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft ASN.1 Library David Proulx INTERIM ACCEPTED Double-free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. CVE-2004-0123 ACCEPTED 1 Microsoft Windows NT SQL Server 2000 Tiffany Bergeron INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Multiple buffer overflows in SQL Server 2000 Resolution Service allow remote attackers to cause a denial of service or execute arbitrary code via UDP packets to port 1434 in which (1) a 0x04 byte causes the SQL Monitor thread to generate a long registry key name, or (2) a 0x08 byte with a long string causes heap corruption. CVE-2002-0649 ACCEPTED 3 Microsoft Windows 2000 NetBIOS Tiffany Bergeron INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Interactions between the CIFS Browser Protocol and NetBIOS as implemented in Microsoft Windows 95, 98, NT, and 2000 allow remote attackers to modify dynamic NetBIOS name cache entries via a spoofed Browse Frame Request in a unicast or UDP broadcast datagram. CVE-2000-1079 ACCEPTED 2 Red Hat Enterprise Linux 3 zgrep Jay Beale DRAFT INTERIM ACCEPTED zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. CVE-2005-0758 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. CVE-2006-0002 ACCEPTED 1 Red Hat Enterprise Linux 3 postgresql Jay Beale DRAFT INTERIM ACCEPTED The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments. CVE-2005-1410 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Outlook Express Ingrid Skoog DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. CVE-2005-1213 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to modify HTTP headers of XML HTTP requests via XMLHttpRequest, and possibly use the client to exploit vulnerabilities in servers or proxies. CVE-2005-2703 ACCEPTED 2 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." CVE-2005-1790 ACCEPTED 1 Microsoft Windows Server 2003 Private Communications Transport (PCT) Andrew Buttner INTERIM ACCEPTED Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. CVE-2003-0719 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer 5.5 Service Pack 2 Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Heap-based buffer overflow in plugin.ocx for Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via the Load() method, a different vulnerability than CVE-2003-0115. CVE-2003-0233 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows 2000 DirectX Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow. CVE-2003-0346 ACCEPTED 3 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5, Internet Explorer 5.5 Service Pack 1 Tiffany Bergeron INTERIM ACCEPTED Internet Explorer 5.5 and earlier allows remote attackers to display a URL in the address bar that is different than the URL that is actually being displayed, which could be used in web site spoofing attacks, aka the "Web page spoofing vulnerability." CVE-2001-0339 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." CVE-2005-2830 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED A security flaw in some versions of the HP-UX usermod command can result in recursively changing the ownership of all directories and files under a user's home directory. Specifically, executing # usermod -d <old home dir> -u <new gid> -m <username> or # usermod -d <old home dir> -u <new or old gid> -m <username> incorrectly changes ownership recursively to <username>. If the home directory is '/', this action will render the system inoperable. http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00614838 ACCEPTED 1 Sun Solaris 9 CDE Brian Soby DRAFT INTERIM ACCEPTED Brian Soby Brian Soby INTERIM ACCEPTED CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. CVE-2002-0677 ACCEPTED 2 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." CVE-2005-2830 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 DirectX Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow. CVE-2003-0346 ACCEPTED 3 Microsoft Windows XP Microsoft Windows Server 2003 GDI+ Ingrid Skoog DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 2 Microsoft Windows XP NetWare Robert L. Hollis DRAFT INTERIM ACCEPTED The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. CVE-2005-1985 ACCEPTED 2 Red Hat Enterprise Linux 3 gzip Jay Beale DRAFT INTERIM ACCEPTED zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. CVE-2005-0758 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Solaris Enterprise Authentication Mechanism (SEAM) Brian Soby DRAFT INTERIM ACCEPTED MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference. CVE-2003-0058 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer 6.0 Jonathan Baker DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. CVE-2004-1319 ACCEPTED 2 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. CVE-2005-1211 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-complicit attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122. CVE-2005-2118 ACCEPTED 2 Red Hat Enterprise Linux 3 Linux kernel Jay Beale DRAFT INTERIM ACCEPTED The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit. CVE-2004-0491 ACCEPTED 1 Microsoft Windows 2000 Remote Procedure Call (RPC) Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. CVE-2003-0605 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability." CVE-2005-0803 ACCEPTED 2 Red Hat Enterprise Linux 3 Linux kernel Jay Beale DRAFT INTERIM ACCEPTED The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow. CVE-2005-1263 ACCEPTED 1 Red Hat Enterprise Linux 4 fetchmail Jay Beale DRAFT INTERIM ACCEPTED Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier. CVE-2005-2335 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Color Management Module Christine Walzer DRAFT INTERIM ACCEPTED Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. CVE-2005-1219 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. CVE-2006-0010 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 uucp Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM ACCEPTED Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user. CVE-2004-1359 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. CVE-2005-1987 ACCEPTED 2 Microsoft Windows XP Services for UNIX Jonathan Baker DRAFT INTERIM ACCEPTED The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. CVE-2005-1205 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Tiffany Bergeron DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. CVE-2004-0549 ACCEPTED 2 Microsoft Windows XP TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality. CVE-2005-1979 ACCEPTED 2 Microsoft Windows Server 2003 TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." CVE-2005-1980 ACCEPTED 2 Red Hat Enterprise Linux 3 telnet Jay Beale DRAFT INTERIM ACCEPTED Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. CVE-2005-0488 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability". CVE-2005-1988 ACCEPTED 1 Microsoft Windows XP SMB (Server Message Block) Jonathan Baker DRAFT INTERIM ACCEPTED Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability." CVE-2005-1206 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." CVE-2005-2830 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption. CVE-2006-1188 INTERIM 0 Microsoft Windows 2000 ISA Server 2000 Christine Walzer DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Microsoft ISA Server 2000 allows remote attackers to poison the ISA cache or bypass content restriction policies via a malformed HTTP request packet containing multiple Content-Length headers. CVE-2005-1215 ACCEPTED 2 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-complicit, remote FTP servers to overwrite files in arbitrary locations via crafted filenames. CVE-2005-2126 ACCEPTED 2 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. CVE-2004-0148 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. CVE-2002-0648 ACCEPTED 1 Microsoft Windows Server 2003 DirectX Robert L. Hollis DRAFT INTERIM ACCEPTED QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value. CVE-2005-2128 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via Unicode sequences with "zero-width non-joiner" characters. CVE-2005-2702 ACCEPTED 3 HP-UX 11 remshd Robert L. Hollis DRAFT INTERIM ACCEPTED Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors. CVE-2005-3565 ACCEPTED 5 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability." CVE-2005-0803 ACCEPTED 2 Red Hat Enterprise Linux 3 bzip2 Jay Beale DRAFT INTERIM ACCEPTED Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. CVE-2005-0953 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability." CVE-2005-2127 ACCEPTED 2 Microsoft Windows 2000 Crystal Enterprise Crystal Reports Andrew Buttner Jonathan Baker Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx. CVE-2004-0204 DRAFT 0 Microsoft Windows 2000 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers. CVE-2006-0028 ACCEPTED 1 Microsoft Windows 2000 COM Internet Services Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability." CVE-2005-0047 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. CVE-2006-0002 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. CVE-2004-0571 ACCEPTED 2 Red Hat Enterprise Linux 3 gzip Jay Beale DRAFT INTERIM ACCEPTED Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. CVE-2005-0988 ACCEPTED 1 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL. CVE-2005-2267 ACCEPTED 1 Red Hat Enterprise Linux 3 libxml2 Jay Beale DRAFT INTERIM ACCEPTED Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost. CVE-2004-0989 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord. CVE-2005-2123 ACCEPTED 2 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. CVE-2006-1359 INTERIM 0 Microsoft Windows XP Windows Media Player 9 Christine Walzer DRAFT INTERIM ACCEPTED The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability." CVE-2005-0044 ACCEPTED 1 Microsoft Windows XP TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." CVE-2005-1980 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. CVE-2006-0010 ACCEPTED 1 Microsoft Windows XP HTML Help Facility Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. CVE-2003-1041 ACCEPTED 1 Microsoft Windows XP Microsoft Office XP SP3 Christine Walzer DRAFT INTERIM Jonathan Baker ACCEPTED Robert L. Hollis ACCEPTED Stack-based buffer overflow in Microsoft Word 2000 and Word 2002, and Microsoft Works Suites 2000 through 2004, might allow remote attackers to execute arbitrary code via a .doc file with long font information. CVE-2005-0564 ACCEPTED 2 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability." CVE-2006-0012 INTERIM 0 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-complicit attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122. CVE-2005-2118 ACCEPTED 2 Microsoft Windows XP Microsoft Agent Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. CVE-2005-1214 ACCEPTED 1 Red Hat Enterprise Linux 3 libgd Jay Beale DRAFT INTERIM ACCEPTED Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990. CVE-2004-0941 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability." CVE-2005-0554 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to spawn windows without user interface components such as the address and status bar, which could be used to conduct spoofing or phishing attacks. CVE-2005-2707 ACCEPTED 2 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. CVE-2005-1987 ACCEPTED 2 Microsoft Windows Server 2003 Distributed Component Object Model (DCOM) interface Christine Walzer DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. CVE-2003-0715 ACCEPTED 1 Microsoft Windows XP TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." CVE-2005-1980 ACCEPTED 2 Microsoft Windows XP MDAC Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors. CVE-2006-0003 INTERIM 0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. CVE-2002-0648 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-complicit attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability." CVE-2005-2829 ACCEPTED 1 Microsoft Windows XP NetWare Robert L. Hollis DRAFT INTERIM ACCEPTED The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. CVE-2005-1985 ACCEPTED 2 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. CVE-2005-3296 ACCEPTED 5 Microsoft Windows 2000 Telephony Service Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message. CVE-2005-0058 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability." CVE-2005-0803 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Internet Explorer 6.0 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability". CVE-2005-1988 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. CVE-2006-0013 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6.0 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087. CVE-2005-1990 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Interactive Training Ingrid Skoog DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Step-by-Step Interactive Training (orun32.exe) allows remote attackers to execute arbitrary code via a bookmark link file (.cbo, cbl, or .cbm extension) with a long User field. CVE-2005-1212 ACCEPTED 1 Red Hat Enterprise Linux 3 Linux kernel Jay Beale DRAFT INTERIM ACCEPTED The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released. CVE-2005-0176 ACCEPTED 1 Red Hat Enterprise Linux 4 mozilla Jay Beale DRAFT INTERIM ACCEPTED The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. CVE-2005-2260 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI. CVE-2004-0760 ACCEPTED 1 Microsoft Windows XP DirectX Robert L. Hollis DRAFT INTERIM ACCEPTED QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value. CVE-2005-2128 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087. CVE-2005-1990 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2003 Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document. CVE-2005-0558 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED 'An undisclosed vulnerability has been identified in Apache HTTP server versions prior to Apache 1.3.34 that may allow HTTP Request Splitting/Spoofing attacks, resulting in remote unauthorized access.' http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00612828 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. CVE-2005-1211 ACCEPTED 1 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability." CVE-2005-0803 ACCEPTED 2 Microsoft Windows 2000 Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. CVE-2004-0901 ACCEPTED 3 Red Hat Enterprise Linux 3 sudo Jay Beale DRAFT INTERIM ACCEPTED Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack. CVE-2005-1993 ACCEPTED 1 It appears that we can't parse the vulnerable configuration condition (an ALL in the second field of a line after a line that has no ALL in the second field) with our existing regexp. Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call. CVE-2005-2120 ACCEPTED 2 Red Hat Enterprise Linux 3 gedit Jay Beale DRAFT INTERIM ACCEPTED Format string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries. CVE-2005-1686 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. CVE-2005-2728 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function. CVE-2005-2307 ACCEPTED 2 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 does not always correctly identify the domain that is associated with a browser window, which allows remote attackers to obtain sensitive cross-domain information and spoof sites by running script after the user has navigated to another site. CVE-2006-1191 INTERIM 0 Microsoft Windows 2000 TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." CVE-2005-1980 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function. CVE-2005-2307 ACCEPTED 2 Microsoft Windows XP Web Client Service Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters. CVE-2005-1207 ACCEPTED 1 Microsoft Windows XP Windows Media Player Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 200 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data. CVE-2006-0006 ACCEPTED 1 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). CVE-2005-2269 ACCEPTED 1 Red Hat Enterprise Linux 3 libgd Jay Beale DRAFT INTERIM ACCEPTED Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941. CVE-2004-0990 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. CVE-2005-1978 ACCEPTED 2 HP-UX 11 SecureShell Robert L. Hollis DRAFT INTERIM ACCEPTED zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file. CVE-2005-2096 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord. CVE-2005-2123 ACCEPTED 2 Microsoft Windows XP Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CVE-2003-0112 ACCEPTED 2 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM The wu_fnmatch function in wu_fnmatch.c for wu-fptd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir copmmand. CVE-2005-0256 INTERIM 0 Microsoft Windows 2000 DirectX Robert L. Hollis DRAFT INTERIM ACCEPTED QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value. CVE-2005-2128 ACCEPTED 2 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." CVE-2005-2268 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. CVE-2005-1978 ACCEPTED 2 Microsoft Windows Server 2003 Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability". CVE-2005-0550 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to spoof DOM objects via an XBL control that implements an internal XPCOM interface. CVE-2005-2704 ACCEPTED 3 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sadmin Brian Soby Brian Soby DRAFT INTERIM ACCEPTED The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets. CVE-2003-0722 ACCEPTED 1 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. CVE-2005-3296 ACCEPTED 5 Microsoft Windows 98 Program Group Converter Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0572 ACCEPTED 1 Microsoft Windows 2000 Microsoft Color Management Module Christine Walzer DRAFT INTERIM ACCEPTED Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. CVE-2005-1219 ACCEPTED 1 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation. CVE-2005-2263 ACCEPTED 1 Microsoft Windows XP TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality. CVE-2005-1979 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-complicit, remote FTP servers to overwrite files in arbitrary locations via crafted filenames. CVE-2005-2126 ACCEPTED 2 HP-UX 11 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec. CVE-2005-2871 ACCEPTED 3 Microsoft Windows 2000 Windows 2000 Matthew Burton DRAFT INTERIM ACCEPTED Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016). CVE-2005-0688 ACCEPTED 1 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function. CVE-2005-2307 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption. CVE-2006-1188 INTERIM 0 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Web View in Windows Explorer on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 does not properly handle certain HTML characters in preview fields, which allows remote user-complicit attackers to execute arbitrary code. CVE-2005-2117 ACCEPTED 2 Microsoft Windows 98 Internet Explorer 6 Internet Explorer 6 SP1 Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability." CVE-2004-1050 ACCEPTED 3 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption. CVE-2006-1188 INTERIM 0 Microsoft Windows Server 2003 Telephony Service Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message. CVE-2005-0058 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." CVE-2005-1790 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." CVE-2005-1790 ACCEPTED 1 Microsoft Windows XP Windows Animated Cursor Christine Walzer DRAFT INTERIM ACCEPTED The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. CVE-2004-1305 ACCEPTED 1 Microsoft Windows XP Windows Media Player 9 Christine Walzer DRAFT Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability." CVE-2004-1244 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in the JavaScript engine in Firefox before 1.0.7 and Mozilla Suite before 1.7.12 might allow remote attackers to execute arbitrary code. CVE-2005-2705 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability." CVE-2005-0054 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability." CVE-2006-0021 ACCEPTED 1 Red Hat Enterprise Linux 4 Jay Beale DRAFT INTERIM ACCEPTED The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation. CVE-2005-2263 ACCEPTED 1 Red Hat Enterprise Linux 4 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." CVE-2005-2268 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. CVE-2006-0002 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." CVE-2005-2830 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". CVE-2005-1989 ACCEPTED 2 Microsoft Windows NT Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." CVE-2004-0893 ACCEPTED 1 Microsoft Windows Server 2003 MDAC Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors. CVE-2006-0003 INTERIM 0 Microsoft Windows XP TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." CVE-2005-1980 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer Harvey Rubinovitz DRAFT Jonathan Baker INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem. CVE-2005-2087 ACCEPTED 2 Microsoft Windows 2000 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption. CVE-2006-0031 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call. CVE-2005-2120 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. CVE-2005-2122 ACCEPTED 2 Microsoft Windows 2000 IIS 5.0 Jonathan Baker DRAFT INTERIM ACCEPTED The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes. CVE-2003-0718 ACCEPTED 1 Microsoft Windows 2000 Microsoft Office 2000 SP3 Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Stack-based buffer overflow in Microsoft Word 2000 and Word 2002, and Microsoft Works Suites 2000 through 2004, might allow remote attackers to execute arbitrary code via a .doc file with long font information. CVE-2005-0564 ACCEPTED 2 Microsoft Windows 2000 Certificate Validation Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS. CVE-2002-0862 ACCEPTED 2 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM The wu_fnmatch function in wu_fnmatch.c for wu-fptd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir copmmand. CVE-2005-0256 INTERIM 0 Microsoft Windows Server 2003 Microsoft Internet Explorer 6.0 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz Harvey Rubinovitz Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability." CVE-2005-0053 ACCEPTED 2 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability". CVE-2005-1988 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. CVE-2006-1192 INTERIM 0 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087. CVE-2005-1990 ACCEPTED 2 Microsoft Windows 2000 TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality. CVE-2005-1979 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the (1) EscapeAttributeValue in jsxml.c for E4X, (2) nsSVGCairoSurface::Init in SVG, and (3) nsCanvasRenderingContext2D.cpp in Canvas. CVE-2006-0297 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-complicit attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability." CVE-2005-2829 ACCEPTED 1 Microsoft Windows NT Internet Explorer 6 Tiffany Bergeron INTERIM ACCEPTED Andrew Buttner Christine Walzer INTERIM ACCEPTED Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share. CVE-2004-0212 ACCEPTED 1 HP-UX 11 SecureShell Robert L. Hollis DRAFT INTERIM ACCEPTED sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts. CVE-2005-2798 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. CVE-2005-1268 ACCEPTED 3 Red Hat Enterprise Linux 3 FreeRADIUS Jay Beale DRAFT INTERIM ACCEPTED FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet. CVE-2004-0938 ACCEPTED 1 Red Hat Enterprise Linux 3 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection. CVE-2005-2261 ACCEPTED 1 Microsoft Windows Server 2003 HTML Help ActiveX Control Matthew Burton DRAFT INTERIM ACCEPTED Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability." CVE-2004-1043 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disallow execute permissions to the Exchange HTTP virtual directory ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should only allow digest or integrated windows authentication (NTLM) to connect to the Exchange HTTP virtual directories ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disallow all access to Exchange HTTP virtual directories ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should Display the routing groups in the Exchange System Manager ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should Display the administrative groups in the Exchange System Manager ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should enable forms based authentication ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should only allow digest or integrated windows authentication (NTLM) to connect to the Public HTTP virtual directories ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disallow execute permissions to the Public HTTP virtual directory ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disallow all access to Public HTTP virtual directories ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should zero out deleted database pages ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disable all automated message generation ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should only allow basic authentication with TSL encryption to connect to the IMAP4 service ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should use SSL when downloading meeting requests ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should use the default TCP ports for the the IMAP4 services ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should archive all messages received by mailboxes on this store ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should have clients support S/MIME ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should not delete mailboxes without waiting for the store to be backed up ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should subscribe to a block list to block spam ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should limit the size of messages to and from the server to 30MB ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should limit the number of recipients in outbound messages to 5000 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disable the filtering of recipients who are not in Active Directory ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Charles Schmidt INTERIM ACCEPTED Microsoft Exchange Server 2003 should archive filtered messages 1.2.9 ACCEPTED 2 Corresponds to item 1.2.9 in the Exchange 2003 Benchmark Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should filter messages with a blank sender ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should drop connections if the address matches filters ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should accept messages without notifying the sender of filtering ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disable Outlook Mobile Access ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disable ActiveSync ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should only allow basic authentication with TSL encryption to connect to the POP3 service ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should use SSL when downloading meeting requests ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should use TCP ports 143 and 995 for the POP3 service ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should have mailbox store clients support S/MIME signatures ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should enable subject logging and display ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should enable message tracking ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disable automatic log removal ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should not disable all monitoring on this server ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should change state to critical when any service stops ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should limit any connector scope to the routing group ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should disallow unauthenticated entities to relay through this SMTP connector ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should force outbound connections to use basic authentication with TLS encryption ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should have any SMTP connectors use a smart host ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should only allow basic authentication with TSL encryption to connect to the SMTP server ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should not resolve anonymous email ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should only allow explicitly listed hosts to relay messages through this sever ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should use a smart host to relay SMTP messages ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should not perform reverse DNS lookups on incoming messages ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should use port 25 for outbound SMTP connections ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should use only basic authentication with TLS encryption for outbound SMTP connections ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should enable logging of connections between SMTP hosts ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should use port 25 for inbound SMTP connections ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Charles Schmidt DRAFT INTERIM ACCEPTED Microsoft Exchange Server 2003 should apply sender, recipient, and connection filters ACCEPTED 1 Microsoft Windows 2000 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption. CVE-2006-0030 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Winamp Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Nullsoft Winamp 5.12 allows remote attackers to execute arbitrary code via a playlist (pls) file with a long file name (File1 field). CVE-2006-0476 ACCEPTED 1 Microsoft Windows Server 2003 Print Spooler Service Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message. CVE-2005-1984 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. CVE-2005-1987 ACCEPTED 2 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. CVE-2005-1192 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Solaris Management Console Robert L. Hollis DRAFT INTERIM ACCEPTED The (1) slsmgr and (2) slsadmin programs in Sun Solaris PC NetLink 2.0 create temporary files insecurely, which allows local users to gain privileges. CVE-2005-4552 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers. CVE-2006-0028 ACCEPTED 1 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM 'An undisclosed vulnerability has been identified in /sbin/passwd which could be exploited to create a Denial of Service condition..' http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00619550 INTERIM 0 Microsoft Windows Server 2003 TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." CVE-2005-1980 ACCEPTED 2 Red Hat Enterprise Linux 4 mozilla Jay Beale DRAFT INTERIM ACCEPTED Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents. CVE-2005-2266 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-complicit, remote FTP servers to overwrite files in arbitrary locations via crafted filenames. CVE-2005-2126 ACCEPTED 2 Microsoft Windows NT Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. CVE-2004-0571 ACCEPTED 2 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. CVE-2005-1987 ACCEPTED 2 Microsoft Windows Server 2003 DirectX Robert L. Hollis DRAFT INTERIM ACCEPTED QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value. CVE-2005-2128 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability." CVE-2006-0021 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127. CVE-2005-2831 ACCEPTED 1 Microsoft Windows XP IIS 5.1 Jonathan Baker DRAFT INTERIM ACCEPTED The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes. CVE-2003-0718 ACCEPTED 1 HP-UX 11 envd Robert L. Hollis DRAFT INTERIM ACCEPTED envd daemon in HP-UX B.11.00 through B.11.11 allows local users to obtain privileges via unknown attack vectors. CVE-2005-3564 ACCEPTED 5 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com. CVE-2005-4560 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com. CVE-2005-4560 ACCEPTED 1 Microsoft Windows XP DirectX Robert L. Hollis DRAFT INTERIM ACCEPTED QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value. CVE-2005-2128 ACCEPTED 2 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." CVE-2005-2830 ACCEPTED 1 Sun Solaris 7 CDE Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Double-free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet. CVE-2004-0368 ACCEPTED 1 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. CVE-2005-3296 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Firefox before 1.0.7 and Mozilla before Suite 1.7.12 allows remote attackers to execute Javascript with chrome privileges via an about: page such as about:mozilla. CVE-2005-2706 ACCEPTED 2 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Solaris Management Console Robert L. Hollis DRAFT INTERIM ACCEPTED The default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers. CVE-2005-3398 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption. CVE-2006-1186 INTERIM 0 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability." CVE-2006-0012 INTERIM 0 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability." CVE-2006-1245 INTERIM 0 Microsoft Windows Server 2003 MSDTC Robert L. Hollis DRAFT INTERIM ACCEPTED The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer. CVE-2005-2119 ACCEPTED 2 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors. CVE-2006-0436 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability." CVE-2005-2127 ACCEPTED 2 Microsoft Windows NT Certificate Validation Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862). CVE-2002-1183 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. CVE-2006-0002 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-complicit attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability." CVE-2005-2829 ACCEPTED 1 HP-UX 11 Samba Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow. CVE-2004-1154 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com. CVE-2005-4560 ACCEPTED 1 HP-UX 11 Operating System Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED Unspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors. CVE-2005-3779 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. CVE-2006-0010 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability." CVE-2005-2127 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. CVE-2005-1978 ACCEPTED 2 Sun Solaris 9 Samba Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string. CVE-2002-1318 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability." CVE-2005-2127 ACCEPTED 2 Sun Solaris 8 Sun Solaris 9 Operating System Robert L. Hollis DRAFT INTERIM 'An unspecified vulnerability in the \"/usr/ucb/ps\" command could allow unprivileged local users to see environment settings for processes of other users. When the \'e\' flag is used, a low-privileged user can see environment variables and values for processes that belong to root and any other system users. NOTE: \"/usr/bin/ps\" is the default \'ps\' command for most users per the command search path and is not affected by this vulnerability' http://sunsolve9.sun.com/search/document.do?assetkey=1-26-102215-1&amp;searchclause= INTERIM 0 HP-UX 10 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. CVE-2005-3296 ACCEPTED 5 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127. CVE-2005-2831 ACCEPTED 1 Sun Solaris 7 libpng Brian Soby DRAFT INTERIM ACCEPTED Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image. CVE-2004-0599 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to execute arbitrary code via an XBM image file that ends in a large number of spaces instead of the expected end tag. CVE-2005-2701 ACCEPTED 2 Sun Solaris 8 Sun Solaris 9 Solaris Management Console (SMC) Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM ACCEPTED The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inacessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack. CVE-2004-1354 ACCEPTED 2 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with double-byte characters, aka the "Double Byte Character Parsing Memory Corruption Vulnerability." CVE-2006-1189 INTERIM 0 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. CVE-2006-0002 ACCEPTED 1 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. CVE-2005-2122 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." CVE-2005-1790 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-complicit attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability." CVE-2005-2829 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. CVE-2006-0010 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com. CVE-2005-4560 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file. CVE-2006-0296 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED The function allocation code (js_NewFunction in jsfun.c) in Firefox 1.5 allows attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via user-defined methods that trigger garbage collection in a way that operates on freed objects. CVE-2006-0293 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. CVE-2005-2491 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED 'mozilla.org has launched and delivered SeaMonkey, a community effort to deliver production-quality releases of code derived from the \"Mozilla Application Suite\". This equates to a cessation in software and security patches for that baseline. Using an unsupported software represents a high security risk because no fixes or patches will be made available in response to new vulnerabilities.' http://www.mozilla.org/projects/seamonkey/ ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. CVE-2006-1192 INTERIM 0 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. CVE-2005-1978 ACCEPTED 2 Microsoft Windows 2000 HTML Help Facility Andrew Buttner INTERIM ACCEPTED Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041. CVE-2004-0201 ACCEPTED 0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-complicit attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field. CVE-2006-0009 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-complicit attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability." CVE-2005-2829 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem. CVE-2005-2087 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-complicit attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability." CVE-2005-2829 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." CVE-2005-1790 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers. CVE-2006-0028 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption. CVE-2006-0030 ACCEPTED 1 Microsoft Windows XP MDAC Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors. CVE-2006-0003 INTERIM 0 Microsoft Windows NT VDM Ingrid Skoog Ingrid Skoog ACCEPTED The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code. CVE-2004-0118 ACCEPTED 2 Microsoft Windows XP TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality. CVE-2005-1979 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 allow remote attackers to execute arbitrary code by changing an element's style from position:relative to position:static, which causes Gecko to operate on freed memory. CVE-2006-0294 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. CVE-2005-1987 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. CVE-2005-2122 ACCEPTED 2 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem. CVE-2005-2087 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call. CVE-2005-2120 ACCEPTED 2 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127. CVE-2005-2831 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability." CVE-2005-2830 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption. CVE-2006-0029 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED 'As Service Packs released by Microsft mature, earlier versions and releases become unspported. This equates to a cessation in software and security patches for that baseline. Using an unsupported version of Windows represents a severe security risk.' http://www.microsoft.com/sp ACCEPTED 3 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption. CVE-2006-0031 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." CVE-2005-2088 ACCEPTED 1 Sun Solaris 8 tcsh Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges. CVE-2003-1024 ACCEPTED 2 Microsoft Windows XP HTML Help Facility Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041. CVE-2004-0201 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function. CVE-2005-2307 ACCEPTED 2 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. CVE-2005-1192 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Operating System Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780. CVE-2006-0161 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability." CVE-2005-2127 ACCEPTED 2 Microsoft Windows 2000 NetWare Robert L. Hollis DRAFT INTERIM ACCEPTED The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. CVE-2005-1985 ACCEPTED 4 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. CVE-2005-2122 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability." CVE-2005-2127 ACCEPTED 3 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. CVE-2006-1190 INTERIM 0 HP-UX 11 SecureShell Robert L. Hollis DRAFT INTERIM ACCEPTED zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file. CVE-2005-2096 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127. CVE-2005-2831 ACCEPTED 1 Microsoft Windows Server 2003 NetWare Robert L. Hollis DRAFT INTERIM ACCEPTED The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. CVE-2005-1985 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord. CVE-2005-2123 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. CVE-2006-0013 ACCEPTED 1 Microsoft Windows Server 2003 Windows Internet Naming Service (WINS) Matthew Burton DRAFT INTERIM ACCEPTED The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." CVE-2004-1080 ACCEPTED 1 Microsoft Windows Server 2003 TIP Robert L. Hollis DRAFT INTERIM ACCEPTED Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality. CVE-2005-1979 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. CVE-2005-2122 ACCEPTED 2 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. CVE-2005-1192 ACCEPTED 1 Microsoft Windows 2000 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-complicit attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field. CVE-2006-0009 ACCEPTED 1 Microsoft Windows 2000 PowerPoint Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft PowerPoint 2000 in Office 2000 SP3 has an interaction with Internet Explorer that allows remote attackers to obtain sensitive information via a PowerPoint presentation that attempts to access objects in the Temporary Internet Files Folder (TIFF). CVE-2006-0004 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127. CVE-2005-2831 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Windows Media Player Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute. CVE-2006-0005 ACCEPTED 1 Microsoft Windows 2000 Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." CVE-2004-0893 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED Mozilla Firefox 1.5, Thunderbird 1.5 if Javascript is enabled in mail, and SeaMonkey before 1.0 might allow remote attackers to execute arbitrary code via the QueryInterface method of the built-in Location and Navigator objects, which leads to memory corruption. CVE-2006-0295 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 SP1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". CVE-2004-0839 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com. CVE-2005-4560 ACCEPTED 1 HP-UX 11 SecureShell Robert L. Hollis DRAFT INTERIM ACCEPTED sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled, allows GSSAPI credentials to be delegated to clients who log in using non-GSSAPI methods, which could cause those credentials to be exposed to untrusted users or hosts. CVE-2005-2798 ACCEPTED 1 Microsoft Windows Server 2003 Windows Media Player 9 Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability." CVE-2004-1244 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability." CVE-2006-1245 INTERIM 0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption. CVE-2006-0029 ACCEPTED 1 HP-UX 11 envd Robert L. Hollis DRAFT INTERIM ACCEPTED envd daemon in HP-UX B.11.00 through B.11.11 allows local users to obtain privileges via unknown attack vectors. CVE-2005-3564 ACCEPTED 5 HP-UX 11 remshd Robert L. Hollis DRAFT INTERIM ACCEPTED Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors. CVE-2005-3565 ACCEPTED 5 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors. CVE-2006-0436 ACCEPTED 1 Microsoft Windows 2000 Windows Media Player Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 200 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data. CVE-2006-0006 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption. CVE-2006-0029 ACCEPTED 1 Sun Solaris 10 X Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in in.rexecd in Solaris 10 allows local users to gain privileges on Kerberos systems via unknown attack vectors. CVE-2006-0769 ACCEPTED 1 Microsoft Windows XP Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." CVE-2004-0893 ACCEPTED 1 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unknown vulnerability in the login page for HP Systems Insight Manager (SIM) 4.0 and 4.1, when accessed by Microsoft Internet Explorer with the MS04-025 patch, leads to a denial of service (browser hang). NOTE: although the advisory is vague, this issue does not appear to involve an attacker at all. If not, then this issue is not a vulnerability. CVE-2005-3983 ACCEPTED 1 Microsoft Windows 2000 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The thread termination routine in the kernel for Windows NT 4.0 and 2000 (NTOSKRNL.EXE) allows local users to modify kernel memory and execution flow via steps in which a terminating thread causes Asynchronous Procedure Call (APC) entries to free the wrong data, aka the "Windows Kernel Vulnerability." CVE-2005-2827 ACCEPTED 1 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in HP HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain privileges via unknown attack vectors. CVE-2006-0436 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption. CVE-2006-1186 INTERIM 0 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors. CVE-2006-1388 INTERIM 0 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box. CVE-2006-0008 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, aka a variant of the "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2127. CVE-2005-2831 ACCEPTED 1 Microsoft Windows XP Windows Media Player Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 200 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data. CVE-2006-0006 ACCEPTED 1 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability." CVE-2006-1245 INTERIM 0 Microsoft Windows ME Windows Shell Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. CVE-2004-0214 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. CVE-2006-0013 ACCEPTED 1 Microsoft Windows XP HyperTerminal Harvey Rubinovitz DRAFT Harvey Rubinovitz Harvey Rubinovitz INTERIM Christine Walzer David Proulx ACCEPTED HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. CVE-2004-0568 ACCEPTED 1 Microsoft Windows XP SMB (Server Message Block) Christine Walzer DRAFT INTERIM ACCEPTED The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields. CVE-2005-0045 ACCEPTED 1 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. CVE-2005-1192 ACCEPTED 1 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250. CVE-2006-0191 ACCEPTED 1 Microsoft Windows 2000 Outlook Express Robert L. Hollis DRAFT INTERIM Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. CVE-2006-0014 INTERIM 0 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on unionseek.com. CVE-2005-4560 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687). CVE-2004-0782 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED 'An undisclosed vulnerability in the pagedata subsystem in /proc may allow a local unprivileged user to cause significant performance degradation and even panic the system.' http://sunsolve9.sun.com/search/document.do?assetkey=1-26-102159-1&amp;searchclause= ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis DRAFT Matthew Wojcik Matthew Wojcik Robert L. Hollis INTERIM ACCEPTED Mozilla Firefox 1.5, Netscape 8.0.4 and 7.2, and K-Meleon before 0.9.12 allows remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. NOTE: despite initial reports, the Mozilla vendor does not believe that this issue can be used to trigger a crash or buffer overflow in Firefox. Also, it has been independently reported that Netscape 8.1 does not have this issue. CVE-2005-4134 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis DRAFT INTERIM ACCEPTED The E4X implementation in Mozilla Firefox before 1.5.0.1, Thunderbird 1.5 if running Javascript in mail, and SeaMonkey before 1.0 exposes the internal "AnyName" object to external interfaces, which allows multiple cooperating domains to exchange information in violation of the same origin restrictions. CVE-2006-0299 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in the hsfs filesystem in Solaris 8, 9, and 10 allows unspecified attackers to cause a denial of service (panic) or execute arbitrary code. CVE-2006-0901 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." CVE-2005-2088 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption. CVE-2006-0030 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability." CVE-2006-1245 INTERIM 0 Microsoft Windows 2000 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed description, which leads to memory corruption. CVE-2006-0029 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via a BIFF parsing format file containing malformed BOOLERR records that lead to memory corruption, probably involving invalid pointers. CVE-2006-0028 ACCEPTED 1 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. CVE-2004-0148 ACCEPTED 1 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM ACCEPTED wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. CVE-2004-0148 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM ACCEPTED An unspecified Microsoft WMF parsing application, as used in Internet Explorer 5.01 SP4 on Windows 2000 SP4, and 5.5 SP2 on Windows Millennium, and possibly other versions, allows attackers to cause a denial of service (crash) and possibly execute code via a crafted WMF file with a manipulated WMF header size, possibly involving an integer overflow, a different vulnerability than CVE-2005-4560, and aka "WMF Image Parsing Memory Corruption Vulnerability." CVE-2006-0020 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors. CVE-2006-1388 INTERIM 0 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. CVE-2006-1192 INTERIM 0 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability." CVE-2006-0021 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box. CVE-2006-0008 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption. CVE-2006-1186 INTERIM 0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-complicit attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field. CVE-2006-0009 ACCEPTED 1 Sun Solaris 8 Licence Logging Service Brian Soby DRAFT INTERIM ACCEPTED gzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files. CVE-2004-1349 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. CVE-2004-0901 ACCEPTED 2 Microsoft Windows XP Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests. CVE-2005-0061 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. CVE-2006-1359 INTERIM 0 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. CVE-2005-2491 ACCEPTED 1 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM An undisclosed vulnerability has been identified in /sbin/passwd which could be exploited to create a Denial of Service condition.. http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00619550 INTERIM 0 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Windows Media Player Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the bitmap processing routine in Microsoft Windows Media Player 7.1 on Windows 2000 SP4, Media Player 9 on Windows 200 SP4 and XP SP1, and Media Player 10 on XP SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted bitmap (.BMP) file that specifies a size of 0 but contains additional data. CVE-2006-0006 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via certain malformed IGMP packets, aka the "IGMP v3 DoS Vulnerability." CVE-2006-0021 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box. CVE-2006-0008 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Unspecified vulnerability in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed graphic, which leads to memory corruption. CVE-2006-0030 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit. CVE-2006-0023 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors. CVE-2006-1388 INTERIM 0 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption. CVE-2006-1185 INTERIM 0 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. CVE-2006-1359 INTERIM 0 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability." CVE-2006-0012 INTERIM 0 Microsoft Windows 2000 Outlook Express Robert L. Hollis DRAFT INTERIM Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. CVE-2006-0014 INTERIM 0 Sun Solaris 8 Sun Solaris 9 sendfilev() Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors. CVE-2004-1356 ACCEPTED 2 Microsoft Windows XP Windows XP Matthew Burton DRAFT INTERIM ACCEPTED Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016). CVE-2005-0688 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box. CVE-2006-0008 ACCEPTED 1 Red Hat Linux 9 Red Hat Enterprise Linux 3 Red Hat Enterprise Linux 4 Sendmail Robert L. Hollis DRAFT INTERIM Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations. CVE-2006-0058 INTERIM 0 HP-UX 11 Operating System Robert L. Hollis DRAFT INTERIM An undisclosed vulnerability has been identified in /sbin/passwd which could be exploited to create a Denial of Service condition.. http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00619550 INTERIM 0 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability". CVE-2005-0553 ACCEPTED 1 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit. CVE-2006-0023 ACCEPTED 1 Sun Solaris 10 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile. CVE-2006-0745 ACCEPTED 1 Microsoft Windows XP Internet Explorer 6.0 Jonathan Baker DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. CVE-2004-1319 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. CVE-2006-1359 INTERIM 0 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption. CVE-2006-1186 INTERIM 0 HP-UX 10 HP-UX 11 HP-UX 11i Sendmail Robert L. Hollis DRAFT INTERIM Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations. CVE-2006-0058 INTERIM 0 Sun Solaris 8 Sun Enterprise Storage Manager (ESM) Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 does not always correctly identify the domain that is associated with a browser window, which allows remote attackers to obtain sensitive cross-domain information and spoof sites by running script after the user has navigated to another site. CVE-2006-1191 INTERIM 0 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption. CVE-2006-1185 INTERIM 0 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. CVE-2005-1268 ACCEPTED 1 Microsoft Windows NT VDM Ingrid Skoog ACCEPTED The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code. CVE-2004-0118 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Visual Studio .NET 2003 Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 2 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors. CVE-2006-1388 INTERIM 0 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. CVE-2006-1192 INTERIM 0 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. CVE-2005-2728 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 /usr/lib/print/conv_fix Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files. CVE-2004-1360 ACCEPTED 2 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. CVE-2006-1190 INTERIM 0 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability." CVE-2005-0054 ACCEPTED 2 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to conduct phishing attacks by spoofing the address bar and other parts of the trust UI via unknown methods that allow "window content to persist" after the user has navigated to another site, aka the "Address Bar Spoofing Vulnerability." NOTE: this is a different vulnerability than CVE-2006-1626. CVE-2006-1192 INTERIM 0 Microsoft Windows XP Microsoft Windows Server 2003 MDAC Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors. CVE-2006-0003 INTERIM 0 Microsoft Windows XP Operating System Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability." CVE-2006-0012 INTERIM 0 Microsoft Windows XP Windows XP Matthew Burton DRAFT INTERIM ACCEPTED Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability." CVE-2005-0048 ACCEPTED 1 HP-UX 11 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. CVE-2005-1268 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP FrontPage Server Extensions Robert L. Hollis DRAFT Cross-site scripting (XSS) vulnerability in _vti_bin/_vti_adm/fpadmdll.dll in Microsoft FrontPage Server Extensions 2002 and SharePoint Team Services allows remote attackers to inject arbitrary web script or HTML, then leverage the attack to execute arbitrary programs or create new accounts, via the (1) operation, (2) command, and (3) name parameters. CVE-2006-0015 DRAFT 0 Microsoft Windows NT Windows Shell Andrew Buttner DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. CVE-2004-0214 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Robert L. Hollis DRAFT INTERIM ACCEPTED Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-complicit attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption. CVE-2006-0031 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Server 2003 VDM Ingrid Skoog Ingrid Skoog DRAFT INTERIM ACCEPTED The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. CVE-2004-0208 ACCEPTED 1 HP-UX 11 LDAP Robert L. Hollis DRAFT INTERIM 'An undisclosed vulnerability has been identified in su when used with LDAP. The potential vulnerability could be exploited by a local authorized user to gain unauthorized access.' http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=c00637553 INTERIM 0 Microsoft Windows Server 2003 Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests. CVE-2005-0061 ACCEPTED 1 HP-UX 11 ftpd Robert L. Hollis DRAFT INTERIM The wu_fnmatch function in wu_fnmatch.c for wu-fptd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir copmmand. CVE-2005-0256 INTERIM 0 Microsoft Windows Server 2003 Operating System Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Windows Explorer in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via attack vectors involving COM objects and "crafted files and directories," aka the "Windows Shell Vulnerability." CVE-2006-0012 INTERIM 0 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Buffer overflow in mshtml.dll in Microsoft Internet Explorer 6.0.2900.2180, and probably other versions, allows remote attackers to execute arbitrary code via an HTML tag with a large number of script action handlers such as onload and onmouseover, as demonstrated using onclick, aka the "Multiple Event Handler Memory Corruption Vulnerability." CVE-2006-1245 INTERIM 0 Microsoft Windows 2000 Outlook Express Robert L. Hollis DRAFT INTERIM Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. CVE-2006-0014 INTERIM 0 Microsoft Windows 2000 Outlook Express Robert L. Hollis DRAFT INTERIM Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. CVE-2006-0014 INTERIM 0 Microsoft Windows XP Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via HTML elements with a certain crafted tag, which leads to memory corruption. CVE-2006-1188 INTERIM 0 Microsoft Windows 2000 Internet Explorer Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to execute HTA files via unknown vectors. CVE-2006-1388 INTERIM 0 Microsoft Windows 2000 MDAC Robert L. Hollis DRAFT INTERIM Unspecified vulnerability in the RDS.Dataspace ActiveX control, which is contained in ActiveX Data Objects (ADO) and distributed in Microsoft Data Access Components (MDAC) 2.7 and 2.8, allows remote attackers to execute arbitrary code via unknown attack vectors. CVE-2006-0003 INTERIM 0 Microsoft Windows 2000 Outlook Express Robert L. Hollis DRAFT INTERIM Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. CVE-2006-0014 INTERIM 0 Microsoft Windows XP Task Scheduler Tiffany Bergeron INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share. CVE-2004-0212 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis DRAFT INTERIM Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. CVE-2006-1190 INTERIM 0 Sun Solaris 8 Sun Solaris 9 Operating System Robert L. Hollis DRAFT INTERIM ACCEPTED Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688). CVE-2004-0783 ACCEPTED 1 Microsoft Windows 2000 Outlook Express Robert L. Hollis DRAFT INTERIM Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. CVE-2006-0014 INTERIM 0 Microsoft Windows XP Microsoft Internet Explorer 6 Andrew Buttner DRAFT INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Samba Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values. CVE-2004-0963 ACCEPTED 1 Microsoft Windows 2000 Negotiate SSP interface Ingrid Skoog INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection. CVE-2004-0119 ACCEPTED 2 Microsoft Windows XP Distributed Component Object Model (DCOM) interface Christine Walzer DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. CVE-2003-0715 ACCEPTED 1 Microsoft Windows Server 2003 Client Server Runtime System (CSRSS) Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value. CVE-2005-0551 ACCEPTED 1 Microsoft Windows XP Program Group Converter Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0572 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 LDAP Robert L. Hollis DRAFT Unspecified vulnerability in Solaris 8 and 9 allows local users to obtain the LDAP Directory Server root Distinguished Name (rootDN) password when a privileged user (1) runs idsconfig; or "insecurely" runs LDAP2 commands with the -w option, including (2) ldapadd, (3) ldapdelete, (4) ldapmodify, (5) ldapmodrdn, and (6) ldapsearch. CVE-2006-1782 DRAFT 0 Microsoft Windows XP Program Group Converter Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0572 ACCEPTED 1 Sun Solaris 7 NIS Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code. CVE-2001-1328 ACCEPTED 1 Microsoft Windows Server 2003 SMB (Server Message Block) Christine Walzer DRAFT INTERIM ACCEPTED The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields. CVE-2005-0045 ACCEPTED 1 Microsoft Windows NT NetDDE Jonathan Baker DRAFT INTERIM ACCEPTED Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. CVE-2004-0206 ACCEPTED 1 Microsoft Windows XP Enhanced Metafile (EMF) Ingrid Skoog DRAFT INTERIM ACCEPTED Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer." CVE-2004-0209 ACCEPTED 1 Sun Solaris 7 dtspcd Brian Soby DRAFT INTERIM ACCEPTED The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack. CVE-1999-0689 ACCEPTED 1 Microsoft Windows XP Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." CVE-2004-0893 ACCEPTED 2 Microsoft Windows Server 2003 Local Security Authority Subsystem Service (LSASS) Christine Walzer DRAFT INTERIM ACCEPTED LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. CVE-2004-0894 ACCEPTED 1 Microsoft Windows XP SMB (Server Message Block) Christine Walzer DRAFT INTERIM ACCEPTED The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields. CVE-2005-0045 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 CDE Brian Soby DRAFT INTERIM ACCEPTED Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable. CVE-2003-0092 ACCEPTED 1 Microsoft Windows XP Windows XP Matthew Burton DRAFT INTERIM ACCEPTED Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. CVE-2004-0790 ACCEPTED 1 Microsoft Windows 2000 HTML Help Facility Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. CVE-2003-1041 ACCEPTED 0 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express Jonathan Baker DRAFT INTERIM ACCEPTED Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header. CVE-2004-0215 ACCEPTED 1 Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. CVE-2004-0571 ACCEPTED 3 Microsoft Windows Server 2003 Negotiate Security Software Provider Ingrid Skoog INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection. CVE-2004-0119 ACCEPTED 2 Microsoft Windows XP Windows XP Matthew Burton DRAFT INTERIM ACCEPTED Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability." CVE-2004-1043 ACCEPTED 1 Microsoft Windows XP Task Scheduler Tiffany Bergeron Tiffany Bergeron INTERIM ACCEPTED Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share. CVE-2004-0212 ACCEPTED 0 Sun Solaris 9 Solaris Management Console (SMC) Brian Soby DRAFT INTERIM ACCEPTED Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. CVE-2003-0466 ACCEPTED 1 Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. CVE-2004-0571 ACCEPTED 2 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." CVE-2004-0174 ACCEPTED 1 Microsoft Windows XP Negotiate SSP interface Ingrid Skoog Ingrid Skoog Ingrid Skoog ACCEPTED Christine Walzer INTERIM ACCEPTED The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection. CVE-2004-0119 ACCEPTED 1 Sun Solaris 7 Solaris Enterprise Authentication Mechanism (SEAM) Brian Soby DRAFT Brian Soby INTERIM ACCEPTED Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. CVE-2004-0523 ACCEPTED 1 Microsoft Windows XP Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." CVE-2004-0893 ACCEPTED 2 Sun Solaris 7 Bind Brian Soby DRAFT INTERIM ACCEPTED Brian Soby Brian Soby INTERIM ACCEPTED ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value. CVE-2003-0914 ACCEPTED 2 Microsoft Windows NT Outlook Web Access Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query. CVE-2004-0203 ACCEPTED 2 Microsoft Windows NT Windows kernel Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CVE-2003-0112 ACCEPTED 1 Sun Solaris 7 login Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin. CVE-2001-0797 ACCEPTED 1 Microsoft Windows XP Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability". CVE-2005-0550 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Matthew Burton DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability." CVE-2005-0053 ACCEPTED 2 Microsoft Windows XP Local Security Authority Subsystem Service (LSASS) Christine Walzer DRAFT INTERIM ACCEPTED LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. CVE-2004-0894 ACCEPTED 1 Sun Solaris 9 pam_krb5 Brian Soby DRAFT Brian Soby INTERIM ACCEPTED Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files. CVE-2004-0653 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". CVE-2004-0839 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability." CVE-2005-0555 ACCEPTED 1 Sun Solaris 7 Bind Brian Soby DRAFT INTERIM ACCEPTED BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference. CVE-2002-1221 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer 5.5 Service Pack 2 Andrew Buttner DRAFT INTERIM ACCEPTED Double-free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. CVE-2003-1048 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2002 Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values. CVE-2004-0963 ACCEPTED 1 Microsoft Windows NT Certificate Validation Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Windows 98 and Windows NT 4.0 do not properly verify the Basic Constraints of digital certificates, allowing remote attackers to execute code, aka "New Variant of Certificate Validation Flaw Could Enable Identity Spoofing" (CAN-2002-0862). CVE-2002-1183 ACCEPTED 1 Microsoft Windows 2000 Enhanced Metafile (EMF) Ingrid Skoog DRAFT INTERIM ACCEPTED Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer." CVE-2004-0209 ACCEPTED 1 Microsoft Windows Server 2003 Indexing Service Harvey Rubinovitz DRAFT INTERIM ACCEPTED The Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2004-0897 ACCEPTED 1 Microsoft Windows 2000 Microsoft Outlook Express Jonathan Baker DRAFT INTERIM ACCEPTED Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header. CVE-2004-0215 ACCEPTED 1 Sun Solaris 9 Kerberos5 Brian Soby DRAFT Brian Soby INTERIM ACCEPTED The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding. CVE-2004-0644 ACCEPTED 1 Microsoft Windows Server 2003 HTML Help Facility Andrew Buttner INTERIM ACCEPTED Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041. CVE-2004-0201 ACCEPTED 0 Sun Solaris 9 Samba Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. CVE-2003-0201 ACCEPTED 1 Microsoft Windows NT POSIX Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow. CVE-2004-0210 ACCEPTED 0 Sun Solaris 9 Sendmail Brian Soby DRAFT Brian Soby INTERIM ACCEPTED Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malicious DNS server. CVE-2002-0906 ACCEPTED 1 Microsoft Windows XP Windows Shell Harvey Rubinovitz DRAFT INTERIM ACCEPTED The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. CVE-2005-0063 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Matthew Burton DRAFT INTERIM ACCEPTED Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. CVE-2004-1060 ACCEPTED 1 Microsoft Windows XP DirectX Tiffany Bergeron Tiffany Bergeron Tiffany Bergeron Tiffany Bergeron INTERIM ACCEPTED IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVE-2004-0202 ACCEPTED 1 Microsoft Windows NT IIS 4.0 David Proulx INTERIM ACCEPTED Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function. CVE-2004-0205 ACCEPTED 0 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2000 Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values. CVE-2004-0963 ACCEPTED 1 Microsoft Windows XP Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. CVE-2004-0845 ACCEPTED 2 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sendmail Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c. CVE-2002-1337 ACCEPTED 1 Microsoft Windows XP Operating System Christine Walzer INTERIM ACCEPTED INTERIM ACCEPTED Robert L. Hollis ACCEPTED The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. CVE-2004-0420 ACCEPTED 2 Sun Solaris 7 libc Brian Soby DRAFT INTERIM ACCEPTED The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang). CVE-2002-1265 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability." CVE-2005-0554 ACCEPTED 1 Microsoft Windows NT Windows kernel Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CVE-2003-0112 ACCEPTED 1 Microsoft Windows 2000 MDAC 2.8 Christine Walzer DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. CVE-2004-0597 ACCEPTED 2 Microsoft Windows NT DHCP Ingrid Skoog DRAFT Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability." CVE-2004-0899 ACCEPTED 1 Microsoft Windows XP Jonathan Baker DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability." CVE-2005-0051 ACCEPTED 2 Microsoft Windows Server 2003 SMTP Christine Walzer DRAFT Christine Walzer INTERIM ACCEPTED The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated. CVE-2004-0840 ACCEPTED 1 Microsoft Windows XP Distributed Component Object Model (DCOM) interface Christine Walzer DRAFT INTERIM ACCEPTED Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. CVE-2003-0352 ACCEPTED 1 This bulletin has been superceded by MS03-039. Definition reflects updated information. Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Project Professional 2002 Ingrid Skoog DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames. CVE-2004-0848 ACCEPTED 1 Microsoft Windows XP COM Internet Services Christine Walzer DRAFT INTERIM ACCEPTED Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability." CVE-2005-0047 ACCEPTED 1 Sun Solaris 7 libpng Brian Soby DRAFT INTERIM ACCEPTED Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. CVE-2004-0597 ACCEPTED 1 Microsoft Windows 2000 Windows Media Player 9 Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability." CVE-2004-1244 ACCEPTED 1 Microsoft Windows Server 2003 Operating System Christine Walzer INTERIM ACCEPTED Robert L. Hollis ACCEPTED The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. CVE-2004-0420 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability." CVE-2005-0056 ACCEPTED 2 Microsoft Windows NT NetDDE Jonathan Baker DRAFT INTERIM ACCEPTED Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. CVE-2004-0206 ACCEPTED 1 Microsoft Windows XP DirectX Tiffany Bergeron Tiffany Bergeron Tiffany Bergeron INTERIM ACCEPTED Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVE-2004-0202 ACCEPTED 2 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2002 Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document. CVE-2005-0558 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. CVE-2004-0764 ACCEPTED 1 Sun Solaris 7 NIS Brian Soby DRAFT INTERIM ACCEPTED The getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments. CVE-2002-1199 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Basic Security Module Brian Soby DRAFT Unknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic). CVE-2004-0654 DRAFT 0 Microsoft Windows XP Microsoft Windows Server 2003 Enhanced Metafile (EMF) Ingrid Skoog Ingrid Skoog DRAFT INTERIM ACCEPTED Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer." CVE-2004-0209 ACCEPTED 1 Microsoft Windows XP Indexing Service Harvey Rubinovitz DRAFT INTERIM ACCEPTED The Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. CVE-2004-0897 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability." CVE-2004-0844 ACCEPTED 2 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." CVE-2004-0843 ACCEPTED 2 Microsoft Windows 2000 Utility Manager Jonathan Baker INTERIM ACCEPTED Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908. CVE-2004-0213 ACCEPTED 0 Microsoft Windows NT Remote Procedure Call (RPC) Matthew Burton DRAFT INTERIM ACCEPTED The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values. CVE-2004-0569 ACCEPTED 1 Microsoft Windows Server 2003 DirectX Tiffany Bergeron Tiffany Bergeron Tiffany Bergeron INTERIM ACCEPTED IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVE-2004-0202 ACCEPTED 1 Sun Solaris 8 Kerberos5 Brian Soby DRAFT INTERIM ACCEPTED The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). CVE-2003-0082 ACCEPTED 1 Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers Solaris kerberos Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." CVE-2004-0843 ACCEPTED 1 Sun Solaris 7 Bind Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR). CVE-2002-1219 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Matthew Burton DRAFT INTERIM ACCEPTED The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." CVE-2004-1080 ACCEPTED 1 Microsoft Windows XP HyperTerminal Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer David Proulx INTERIM ACCEPTED HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. CVE-2004-0568 ACCEPTED 2 Microsoft Windows Server 2003 Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability." CVE-2005-0554 ACCEPTED 2 Microsoft Windows 2000 Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer Andrew Buttner ACCEPTED Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application. CVE-2005-0060 ACCEPTED 1 Microsoft Windows 2000 MDAC 2.8 Ingrid Skoog DRAFT INTERIM ACCEPTED The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability." CVE-2005-0050 ACCEPTED 1 Microsoft Windows XP Hyperlink Object Library Andrew Buttner DRAFT INTERIM ACCEPTED The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow. CVE-2005-0057 ACCEPTED 1 Sun Solaris 7 libpng Brian Soby DRAFT INTERIM ACCEPTED The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference. CVE-2004-0598 ACCEPTED 1 Microsoft Windows Server 2003 Windows Animated Cursor Christine Walzer DRAFT INTERIM ACCEPTED The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. CVE-2004-1305 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Cluster Brian Soby DRAFT INTERIM ACCEPTED Double-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. CVE-2003-0545 ACCEPTED 1 Sun Solaris 7 kcms_server Brian Soby DRAFT INTERIM ACCEPTED Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. CVE-2003-0027 ACCEPTED 1 Microsoft Windows XP Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." CVE-2004-0841 ACCEPTED 2 Sun Solaris 8 Sun Crypto Accelerator 4000 Brian Soby DRAFT INTERIM ACCEPTED The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. CVE-2004-0079 ACCEPTED 1 Microsoft Windows 98 Windows Shell Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. CVE-2004-0214 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Outlook Express Jonathan Baker DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header. CVE-2004-0215 ACCEPTED 2 Sun Solaris 7 Sun Am7990 Ethernet Driver Brian Soby DRAFT Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. CVE-2003-0001 DRAFT 0 Microsoft Windows 2000 Microsoft Office 2000 SP3 Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website. CVE-2004-0573 ACCEPTED 2 Microsoft Windows 2000 Certificate Validation Christine Walzer Christine Walzer Christine Walzer Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS. CVE-2002-0862 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Matthew Burton DRAFT INTERIM ACCEPTED Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated. CVE-2004-0846 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2000 Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document. CVE-2005-0558 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Word 2003 Matthew Burton DRAFT INTERIM ACCEPTED TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. CVE-2004-0230 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability." CVE-2005-0055 ACCEPTED 2 Microsoft Windows XP Microsoft Windows Server 2003 DirectX Tiffany Bergeron Tiffany Bergeron Tiffany Bergeron INTERIM ACCEPTED IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet. CVE-2004-0202 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Office 2003 Ingrid Skoog Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 3 Sun Solaris 9 OpenSSH Brian Soby DRAFT INTERIM ACCEPTED A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. CVE-2003-0693 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 MDAC 2.5 Ingrid Skoog DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub. CVE-2002-1142 ACCEPTED 2 Microsoft Windows Server 2003 Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application. CVE-2005-0060 ACCEPTED 1 Microsoft Windows NT Windows Internet Naming Service (WINS) Matthew Burton DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." CVE-2004-1080 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Visio Professional 2002 Ingrid Skoog DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames. CVE-2004-0848 ACCEPTED 1 Microsoft Windows 2000 Program Group Converter Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0572 ACCEPTED 1 Sun Solaris 9 CDE Brian Soby DRAFT INTERIM ACCEPTED Brian Soby Brian Soby INTERIM ACCEPTED CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. CVE-2002-0678 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability." CVE-2005-0555 ACCEPTED 1 Sun Solaris 9 fs.auto, xfs Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query. CVE-2002-1317 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6.0 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz Harvey Rubinovitz Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability." CVE-2005-0056 ACCEPTED 2 Red Hat Enterprise Linux 3 Linux kernel Jay Beale DRAFT INTERIM ACCEPTED The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call. CVE-2004-0427 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Matthew Burton DRAFT Matthew Burton Matthew Burton INTERIM ACCEPTED Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability." CVE-2004-1043 ACCEPTED 1 Microsoft Windows 2000 POSIX Ingrid Skoog INTERIM ACCEPTED The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow. CVE-2004-0210 ACCEPTED 0 Microsoft Windows XP Distributed Component Object Model (DCOM) interface Christine Walzer DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715. CVE-2003-0528 ACCEPTED 1 Microsoft Windows XP COM Internet Services Christine Walzer DRAFT INTERIM ACCEPTED Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability." CVE-2005-0047 ACCEPTED 1 Microsoft Windows XP Operating System Christine Walzer INTERIM ACCEPTED Robert L. Hollis ACCEPTED The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. CVE-2004-0420 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." CVE-2004-0842 ACCEPTED 1 Red Hat Enterprise Linux 3 Linux kernel Jay Beale DRAFT INTERIM ACCEPTED Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program. CVE-2004-0554 ACCEPTED 1 Microsoft Windows 2000 Windows Media Player 9 Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability." CVE-2005-0044 ACCEPTED 2 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Adobe Acrobat Reader Matthew Wojcik DRAFT INTERIM ACCEPTED Format string vulnerability in Adobe Acrobat Reader 6.0.0 through 6.0.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an .ETD document containing format string specifiers in (1) title or (2) baseurl fields. CVE-2004-1153 ACCEPTED 1 iDEFENSE reports that deleting eBook.api from the plug_ins directory is a workaround. See http://www.idefense.com/application/poi/display?id=163&type=vulnerabilities Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability." CVE-2005-0053 ACCEPTED 2 Microsoft Windows XP Cursor and Icon Formatting Christine Walzer DRAFT INTERIM ACCEPTED Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." CVE-2004-1049 ACCEPTED 1 Red Hat Enterprise Linux 3 Linux kernel Jay Beale DRAFT INTERIM ACCEPTED Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool. CVE-2004-0495 ACCEPTED 1 Microsoft Windows XP Distributed Component Object Model (DCOM) interface Christine Walzer DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715. CVE-2003-0528 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 TCP/IP Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors. CVE-2004-1355 ACCEPTED 2 Sun Solaris 7 Sendmail Brian Soby DRAFT INTERIM ACCEPTED The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. CVE-2003-0694 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability." CVE-2005-0053 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Project Professional 2002 Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 3 Microsoft Windows XP Jonathan Baker DRAFT INTERIM ACCEPTED The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability." CVE-2005-0051 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz Harvey Rubinovitz Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability." CVE-2005-0054 ACCEPTED 2 Microsoft Windows NT Program Group Converter Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0572 ACCEPTED 1 Sun Solaris 7 CDE Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name. CVE-1999-0691 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Visio Professional 2002 Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 3 Microsoft Windows XP Explorer.exe Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED Buffer overflow in EXPLORER.EXE on Windows XP allows attackers to execute arbitrary code as the XP user via a desktop.ini file with a long .ShellClassInfo parameter. CVE-2003-0306 ACCEPTED 0 Microsoft Windows NT Cursor and Icon Formatting Christine Walzer DRAFT INTERIM ACCEPTED Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." CVE-2004-1049 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability". CVE-2005-0553 ACCEPTED 2 Microsoft Windows 2000 NetDDE Jonathan Baker DRAFT INTERIM ACCEPTED Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. CVE-2004-0206 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Mozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid. CVE-2004-0758 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6.0 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz Harvey Rubinovitz Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability." CVE-2005-0055 ACCEPTED 2 Microsoft Windows Server 2003 HyperTerminal Harvey Rubinovitz DRAFT Harvey Rubinovitz Harvey Rubinovitz INTERIM ACCEPTED HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. CVE-2004-0568 ACCEPTED 1 Microsoft Windows 2000 Windows kernel Christine Walzer Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. CVE-2003-0112 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability." CVE-2005-0555 ACCEPTED 1 Microsoft Windows XP VDM Ingrid Skoog DRAFT INTERIM ACCEPTED The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. CVE-2004-0208 ACCEPTED 1 Microsoft Windows NT HTML Help Facility Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041. CVE-2004-0201 ACCEPTED 1 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability." CVE-2005-0054 ACCEPTED 2 Microsoft Windows Server 2003 Hyperlink Object Library Christine Walzer DRAFT INTERIM ACCEPTED The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow. CVE-2005-0057 ACCEPTED 1 Microsoft Windows 2000 Windows Animated Cursor Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. CVE-2004-1305 ACCEPTED 2 Microsoft Windows Server 2003 Cursor and Icon Formatting Christine Walzer DRAFT INTERIM ACCEPTED Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." CVE-2004-1049 ACCEPTED 1 Microsoft Windows XP NetDDE Jonathan Baker DRAFT INTERIM ACCEPTED Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. CVE-2004-0206 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code. CVE-2004-0757 ACCEPTED 1 Microsoft Windows NT Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. CVE-2004-0901 ACCEPTED 2 Microsoft Windows XP Microsoft Office 2003 Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website. CVE-2004-0573 ACCEPTED 3 Microsoft Windows XP Local Security Authority Subsystem Service (LSASS) Ingrid Skoog DRAFT INTERIM ACCEPTED LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. CVE-2004-0894 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability." CVE-2005-0056 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Visio Professional 2003 Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 3 Sun Solaris 9 Kerberos5 Brian Soby DRAFT Brian Soby INTERIM ACCEPTED Double-free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code. CVE-2004-0643 ACCEPTED 1 Microsoft Windows XP Local Security Authority Subsystem Service (LSASS) Christine Walzer DRAFT INTERIM ACCEPTED LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. CVE-2004-0894 ACCEPTED 1 Microsoft Windows XP Microsoft Office XP SP3 Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website. CVE-2004-0573 ACCEPTED 2 Microsoft Windows NT Cursor and Icon Formatting Christine Walzer DRAFT INTERIM ACCEPTED Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." CVE-2004-1049 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." CVE-2004-0842 ACCEPTED 2 Microsoft Windows XP Microsoft Outlook Express Jonathan Baker DRAFT INTERIM Christine Walzer ACCEPTED Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header. CVE-2004-0215 ACCEPTED 1 Microsoft Windows 2000 Operating System Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. CVE-2004-0420 ACCEPTED 2 Microsoft Windows XP SMB (Server Message Block) Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. CVE-2003-0345 ACCEPTED 0 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Licence Logging Service Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code. CVE-2004-1352 ACCEPTED 1 Microsoft Windows 2000 Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. CVE-2004-0571 ACCEPTED 3 Microsoft Windows 2000 Task Scheduler Tiffany Bergeron INTERIM ACCEPTED Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share. CVE-2004-0212 ACCEPTED 0 Microsoft Windows XP Windows Shell Harvey Rubinovitz DRAFT INTERIM ACCEPTED The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. CVE-2005-0063 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Matthew Burton DRAFT INTERIM ACCEPTED Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. CVE-2004-0790 ACCEPTED 1 Microsoft Windows Server 2003 SMTP Christine Walzer DRAFT INTERIM ACCEPTED The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated. CVE-2004-0840 ACCEPTED 1 Microsoft Windows XP Internet Explorer 6.0 Jonathan Baker DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. CVE-2004-1319 ACCEPTED 2 Sun Solaris 9 Solaris Volume Manager (SVM) Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users to cause a denial of service (kernel panic) via a malformed probe request to the SVM. CVE-2004-1346 ACCEPTED 2 Microsoft Windows XP NetBT Name Service Ingrid Skoog Ingrid Skoog Ingrid Skoog INTERIM ACCEPTED The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information. CVE-2003-0661 ACCEPTED 0 Microsoft Windows NT HTML Help ActiveX Control Matthew Burton DRAFT INTERIM ACCEPTED Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability." CVE-2004-1043 ACCEPTED 1 Sun Solaris 9 sshd Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED The Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities. CVE-2004-1357 ACCEPTED 2 Microsoft Windows XP Windows XP Matthew Burton DRAFT INTERIM ACCEPTED TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. CVE-2004-0230 ACCEPTED 1 Microsoft Windows Server 2003 HTML Help Facility Andrew Buttner INTERIM ACCEPTED Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. CVE-2003-1041 ACCEPTED 0 Microsoft Windows XP Operating System Christine Walzer INTERIM ACCEPTED Robert L. Hollis ACCEPTED INTERIM The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. CVE-2004-0420 INTERIM 1 Microsoft Windows XP Client Server Runtime System (CSRSS) Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value. CVE-2005-0551 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Server 2003 MDAC 2.7 Matthew Burton DRAFT INTERIM ACCEPTED The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability." CVE-2004-0847 ACCEPTED 1 Sun Solaris 9 Basic Security Module Brian Soby DRAFT INTERIM ACCEPTED The patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged. CVE-2004-1358 ACCEPTED 1 Microsoft Windows Server 2003 OLE Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability." CVE-2005-0044 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows NT MDAC 2.1 Ingrid Skoog DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Heap-based buffer overflow in the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) 2.1 through 2.6, and Internet Explorer 5.01 through 6.0, allows remote attackers to execute code via a malformed HTTP request to the Data Stub. CVE-2002-1142 ACCEPTED 2 Microsoft Windows NT DHCP Ingrid Skoog DRAFT INTERIM ACCEPTED The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability." CVE-2004-0900 ACCEPTED 1 Microsoft Windows Server 2003 MDAC 2.8 Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability." CVE-2005-0050 ACCEPTED 2 Microsoft Windows 2000 Windows Explorer Ingrid Skoog DRAFT Andrew Buttner INTERIM ACCEPTED The Web View DLL (webvw.dll), as used in Windows Explorer on Windows 2000 systems, does not properly filter an apostrophe ("'") in the author name in a document, which allows attackers to execute arbitrary script via extra attributes when Web View constructs a mailto: link for the preview pane when the user selects the file. CVE-2005-1191 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 SP1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability." CVE-2005-0054 ACCEPTED 2 Sun Solaris 7 Solaris Runtime Linker Brian Soby DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable. CVE-2003-0609 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted. CVE-2004-0761 ACCEPTED 1 Microsoft Windows NT Internet Explorer 6 Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. CVE-2004-0420 ACCEPTED 2 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sendmail Brian Soby DRAFT A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences. CVE-2003-0681 DRAFT 0 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 priocntl() Brian Soby DRAFT INTERIM ACCEPTED Directory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module. CVE-2002-1296 ACCEPTED 1 Red Hat Enterprise Linux 3 libpng Jay Beale DRAFT INTERIM ACCEPTED Portable Network Graphics (PNG) library libpng 1.2.5 and earlier does not correctly calculate offsets, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a buffer overflow attack on the row buffers. CVE-2002-1363 ACCEPTED 1 Microsoft Windows Server 2003 Windows Internet Naming Service (WINS) Matthew Burton DRAFT INTERIM ACCEPTED The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." CVE-2004-1080 ACCEPTED 1 Microsoft Windows XP Help and Support Center (HSC) Christine Walzer DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL. CVE-2003-0711 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. CVE-2004-0571 ACCEPTED 2 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability". CVE-2005-0553 ACCEPTED 1 Microsoft Windows ME Program Group Converter Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0572 ACCEPTED 1 Microsoft Windows ME Internet Explorer 5.5 Service Pack 2 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". CVE-2004-0839 ACCEPTED 2 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby DRAFT INTERIM ACCEPTED Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. CVE-2003-0542 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Project Professional 2003 Ingrid Skoog DRAFT Ingrid Skoog INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 3 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability." CVE-2005-0554 ACCEPTED 1 Microsoft Windows XP Windows Shell Andrew Buttner DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0572 ACCEPTED 2 Microsoft Windows 2000 Windows 2000 Matthew Burton DRAFT INTERIM ACCEPTED Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability." CVE-2005-0048 ACCEPTED 1 Microsoft Windows XP Windows XP Matthew Burton DRAFT INTERIM ACCEPTED Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. CVE-2004-1060 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 sendfilev() Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument. CVE-2001-0414 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6.0 Jonathan Baker DRAFT INTERIM ACCEPTED Christine Walzer INTERIM Andrew Buttner ACCEPTED The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. CVE-2004-1319 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. CVE-2004-0845 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Office XP SP2 Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 3 Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. CVE-2004-0901 ACCEPTED 2 Microsoft Windows XP Windows Help and Support Center Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL. CVE-2003-0711 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability." CVE-2005-0055 ACCEPTED 2 Microsoft Windows Server 2003 Compressed Folders David Proulx DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation. CVE-2004-0575 ACCEPTED 3 Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer 6 Service Pack 1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability." CVE-2005-0555 ACCEPTED 1 Microsoft Windows XP Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application. CVE-2005-0060 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." CVE-2004-0843 ACCEPTED 1 Microsoft Windows NT VDM Ingrid Skoog DRAFT INTERIM ACCEPTED The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. CVE-2004-0208 ACCEPTED 1 Microsoft Windows NT Windows Animated Cursor Christine Walzer DRAFT INTERIM ACCEPTED The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. CVE-2004-1305 ACCEPTED 1 Sun Solaris 8 Bind Brian Soby DRAFT INTERIM ACCEPTED Unknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash). CVE-2004-1348 ACCEPTED 1 Microsoft Windows Server 2003 Distributed Component Object Model (DCOM) interface Christine Walzer DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715. CVE-2003-0528 ACCEPTED 1 Microsoft Windows NT HyperTerminal Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. CVE-2004-0568 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method. CVE-2004-0763 ACCEPTED 1 Microsoft Windows XP Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests. CVE-2005-0061 ACCEPTED 1 Microsoft Windows XP GDI+ Ingrid Skoog DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 2 Microsoft Windows XP Microsoft Office XP SP2 Ingrid Skoog DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website. CVE-2004-0573 ACCEPTED 2 Microsoft Windows NT Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." CVE-2004-0893 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office XP SP3 Ingrid Skoog Ingrid Skoog Ingrid Skoog DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames. CVE-2004-0848 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 DtMail Brian Soby DRAFT INTERIM ACCEPTED Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value. CVE-2004-0800 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows Server 2003 Microsoft Exchange Server 2003 Christine Walzer DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the SvrAppendReceivedChunk function in xlsasink.dll in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted X-LINK2STATE extended verb request to the SMTP port. CVE-2005-0560 ACCEPTED 1 Microsoft Windows 2000 SMB (Server Message Block) Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields. CVE-2005-0045 ACCEPTED 2 Sun Solaris 7 bash, tcsh, cash, sh, ksh Brian Soby DRAFT INTERIM ACCEPTED Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack. CVE-2000-1134 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. CVE-2004-0901 ACCEPTED 2 Microsoft Windows XP Microsoft Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability." CVE-2005-0056 ACCEPTED 2 Sun Solaris 7 lpstat, libprint Brian Soby DRAFT INTERIM ACCEPTED Unknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files. CVE-2003-0999 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. CVE-2003-0020 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". CVE-2004-0839 ACCEPTED 1 Microsoft Windows XP Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." CVE-2004-0842 ACCEPTED 2 Sun Solaris 7 Bind Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers. CVE-2002-0651 ACCEPTED 1 Microsoft Windows 2000 Internet Explorer 6 SP1 Ingrid Skoog DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 2 Microsoft Windows XP Distributed Component Object Model (DCOM) interface Christine Walzer DRAFT INTERIM ACCEPTED Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. CVE-2003-0715 ACCEPTED 1 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2002 Matthew Burton DRAFT Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated. CVE-2004-0846 DRAFT 0 Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Samba Matthew Burton DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document. CVE-2005-0558 ACCEPTED 1 Microsoft Windows Server 2003 Program Group Converter Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0572 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Cluster Brian Soby DRAFT INTERIM ACCEPTED Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. CVE-2003-0543 ACCEPTED 1 Microsoft Windows 2000 ISA Server 2000 Christine Walzer DRAFT INTERIM ACCEPTED Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results. CVE-2004-0892 ACCEPTED 1 Microsoft Windows Server 2003 Compressed Folders David Proulx DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation. CVE-2004-0575 ACCEPTED 3 Microsoft Windows NT DHCP Ingrid Skoog DRAFT INTERIM ACCEPTED The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability." CVE-2004-0899 ACCEPTED 1 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Visual Studio .NET 2002 Ingrid Skoog DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. CVE-2004-0200 ACCEPTED 2 Microsoft Windows 2000 VDM Ingrid Skoog DRAFT INTERIM ACCEPTED The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. CVE-2004-0208 ACCEPTED 1 Microsoft Windows NT Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. CVE-2004-0571 ACCEPTED 2 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 cachefsd Brian Soby DRAFT INTERIM ACCEPTED cachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a denial of service (crash) via an invalid procedure call in an RPC request. CVE-2002-0085 ACCEPTED 1 Microsoft Windows 2000 Windows Shell Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. CVE-2004-0214 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." CVE-2004-0841 ACCEPTED 1 Microsoft Windows XP Local Security Authority Subsystem Service (LSASS) Christine Walzer DRAFT INTERIM ACCEPTED LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. CVE-2004-0894 ACCEPTED 1 Microsoft Windows NT Windows Internet Naming Service (WINS) Matthew Burton DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." CVE-2004-1080 ACCEPTED 2 Sun Solaris 7 CDE Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges. CVE-1999-0693 ACCEPTED 1 Sun Solaris 7 lpstat Brian Soby DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege. CVE-2003-0091 ACCEPTED 1 Microsoft Windows XP Message Queuing Ingrid Skoog DRAFT INTERIM ACCEPTED Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message. CVE-2005-0059 ACCEPTED 1 Microsoft Windows Server 2003 Network News Transport Protocol (NNTP) Christine Walzer DRAFT INTERIM ACCEPTED The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. CVE-2004-0574 ACCEPTED 1 Microsoft Windows XP Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability". CVE-2005-0550 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. CVE-2004-0762 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret. CVE-2003-0987 ACCEPTED 1 Sun Solaris 7 Solaris Enterprise Authentication Mechanism (SEAM) Brian Soby DRAFT INTERIM ACCEPTED The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). CVE-2003-0082 ACCEPTED 1 Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers SEAM Microsoft Windows Server 2003 Windows kernel Christine Walzer DRAFT INTERIM ACCEPTED The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." CVE-2004-0893 ACCEPTED 1 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Adobe Acrobat Reader Matthew Wojcik DRAFT INTERIM ACCEPTED Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. CVE-2004-0597 ACCEPTED 1 Microsoft Windows Server 2003 Program Group Converter Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. CVE-2004-0572 ACCEPTED 1 Microsoft Windows XP unknown Christine Walzer DRAFT INTERIM ACCEPTED The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability." CVE-2005-0044 ACCEPTED 1 Microsoft Windows NT HyperTerminal Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. CVE-2004-0568 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Word 2003 Matthew Burton DRAFT INTERIM ACCEPTED Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability." CVE-2005-0048 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 kernel Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users. CVE-2003-0669 ACCEPTED 2 Sun Solaris 8 Sun Solaris 9 Sun Cluster Brian Soby DRAFT INTERIM ACCEPTED OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. CVE-2003-0544 ACCEPTED 1 Microsoft Windows NT Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. CVE-2004-0901 ACCEPTED 2 Microsoft Windows Server 2003 NetDDE Jonathan Baker DRAFT INTERIM ACCEPTED Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. CVE-2004-0206 ACCEPTED 1 Microsoft Windows 2000 Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer Andrew Buttner ACCEPTED The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests. CVE-2005-0061 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Integer overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code. CVE-2004-0722 ACCEPTED 1 Sun Solaris 9 Kerberos5 Brian Soby DRAFT INTERIM ACCEPTED Double-free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code. CVE-2004-0772 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions. CVE-2003-0993 ACCEPTED 1 Microsoft Windows 2000 Cursor and Icon Formatting Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." CVE-2004-1049 ACCEPTED 2 Microsoft Windows Server 2003 Internet Explorer 6.0 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability." CVE-2005-0555 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." CVE-2004-0727 ACCEPTED 1 Microsoft Windows Server 2003 Help and Support Center (HSC) Christine Walzer DRAFT INTERIM ACCEPTED Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL. CVE-2003-0711 ACCEPTED 1 Microsoft Windows 2000 Windows Shell Harvey Rubinovitz DRAFT INTERIM Andrew Buttner ACCEPTED The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. CVE-2005-0063 ACCEPTED 1 Microsoft Windows Server 2003 Windows Messenger Matthew Burton DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability." CVE-2005-0053 ACCEPTED 2 Sun Solaris 7 Sun RPC Brian Soby DRAFT INTERIM ACCEPTED Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. CVE-2002-0391 ACCEPTED 1 Specific applications using this library are not tested for because Suns advisory only provides a sample of known vulnerable applications and states that they are still investigating. Microsoft Windows 2000 HyperTerminal Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. CVE-2004-0568 ACCEPTED 1 Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Christine Walzer DRAFT INTERIM ACCEPTED Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. CVE-2004-0901 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. CVE-2004-0718 ACCEPTED 1 Microsoft Windows Server 2003 Internet Explorer 6.0 Jonathan Baker DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. CVE-2004-1319 ACCEPTED 2 Microsoft Windows NT VDM Ingrid Skoog DRAFT INTERIM ACCEPTED The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. CVE-2004-0208 ACCEPTED 1 Microsoft Windows Server 2003 IIS 6.0 Jonathan Baker DRAFT INTERIM ACCEPTED The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes. CVE-2003-0718 ACCEPTED 1 Microsoft Windows NT MDAC 2.8 Ingrid Skoog DRAFT INTERIM ACCEPTED The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability." CVE-2005-0050 ACCEPTED 1 Microsoft Windows 2000 Windows 2000 Matthew Burton DRAFT INTERIM ACCEPTED TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. CVE-2004-0230 ACCEPTED 1 Microsoft Windows XP Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer ACCEPTED Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application. CVE-2005-0060 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Word 2003 Matthew Burton DRAFT INTERIM ACCEPTED Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. CVE-2004-0790 ACCEPTED 1 Microsoft Windows NT Windows NT 4.0 Matthew Burton DRAFT INTERIM ACCEPTED The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." CVE-2004-1080 ACCEPTED 1 Microsoft Windows 2000 Windows kernel Ingrid Skoog DRAFT INTERIM Christine Walzer Andrew Buttner ACCEPTED Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability". CVE-2005-0550 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 LDAP Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges. CVE-2004-1353 ACCEPTED 2 Microsoft Windows NT DHCP Ingrid Skoog DRAFT INTERIM ACCEPTED The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability." CVE-2004-0900 ACCEPTED 1 Microsoft Windows NT Proxy Server 2.0 SP1 Christine Walzer DRAFT INTERIM Christine Walzer Ingrid Skoog ACCEPTED Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results. CVE-2004-0892 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. CVE-2004-0492 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability." CVE-2005-0053 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability". CVE-2005-0553 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Server 2003 Windows kernel Ingrid Skoog Ingrid Skoog DRAFT INTERIM ACCEPTED The kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program. CVE-2004-0211 ACCEPTED 1 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 MSN Messenger Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis ACCEPTED GIF file validation error in MSN Messenger 6.2 allows remote attackers in a user's contact list to execute arbitrary code via a GIF image with an improper height and width. CVE-2005-0562 ACCEPTED 3 Sun Solaris 9 Kerberos5 Brian Soby DRAFT Brian Soby INTERIM ACCEPTED Double-free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code. CVE-2004-0642 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability." CVE-2005-0056 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Word 2003 Matthew Burton DRAFT INTERIM ACCEPTED Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016). CVE-2005-0688 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability". CVE-2005-0553 ACCEPTED 1 Microsoft Windows XP Microsoft Windows Server 2003 MDAC 2.7 Matthew Burton DRAFT INTERIM ACCEPTED The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability." CVE-2004-0847 ACCEPTED 1 Microsoft Windows 2000 Message Queuing Ingrid Skoog DRAFT INTERIM Christine Walzer Andrew Buttner ACCEPTED Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message. CVE-2005-0059 ACCEPTED 1 Microsoft Windows Server 2003 Network News Transport Protocol (NNTP) Christine Walzer DRAFT INTERIM ACCEPTED Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website. CVE-2004-0573 ACCEPTED 1 Microsoft Windows NT Network News Transport Protocol (NNTP) Christine Walzer DRAFT INTERIM ACCEPTED The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. CVE-2004-0574 ACCEPTED 1 Microsoft Windows XP NetDDE Jonathan Baker DRAFT INTERIM ACCEPTED Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. CVE-2004-0206 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 CDE Brian Soby DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME. CVE-2003-0834 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. CVE-2004-0845 ACCEPTED 1 Microsoft Windows NT Remote Procedure Call (RPC) Matthew Burton DRAFT INTERIM ACCEPTED Matthew Burton INTERIM ACCEPTED The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values. CVE-2004-0569 ACCEPTED 2 Microsoft Windows XP Windows Shell Andrew Buttner DRAFT INTERIM ACCEPTED Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. CVE-2004-0214 ACCEPTED 1 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. CVE-2004-0216 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 SP1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. CVE-2004-0216 ACCEPTED 2 Microsoft Windows Server 2003 SMTP Christine Walzer DRAFT INTERIM ACCEPTED The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated. CVE-2004-0840 ACCEPTED 1 Microsoft Windows ME Internet Explorer 5.5 Service Pack 2 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. CVE-2004-0845 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." CVE-2004-0842 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." CVE-2004-0841 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 SP1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. CVE-2004-0845 ACCEPTED 2 Microsoft Windows 2000 Network News Transport Protocol (NNTP) Christine Walzer DRAFT INTERIM ACCEPTED The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. CVE-2004-0574 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." CVE-2004-0841 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." CVE-2004-0841 ACCEPTED 1 Microsoft Windows ME Internet Explorer 5.5 Service Pack 2 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. CVE-2004-0216 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". CVE-2004-0839 ACCEPTED 2 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." CVE-2004-0843 ACCEPTED 2 Microsoft Windows XP Compressed Folders David Proulx DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation. CVE-2004-0575 ACCEPTED 3 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 SP1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." CVE-2004-0842 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 4 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. CVE-2004-0216 ACCEPTED 1 Microsoft Windows Server 2003 NetDDE Jonathan Baker DRAFT INTERIM ACCEPTED Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. CVE-2004-0206 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows XP Internet Explorer 6 SP1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." CVE-2004-0727 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." CVE-2004-0727 ACCEPTED 1 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Internet Explorer 5.5 Service Pack 2 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." CVE-2004-0843 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 SP1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." CVE-2004-0843 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 5.5 Service Pack 2 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Harvey Rubinovitz Matthew Wojcik INTERIM ACCEPTED Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." CVE-2004-0727 ACCEPTED 3 Microsoft Windows Server 2003 Microsoft Internet Explorer 6 Service Pack 1 for Windows Server 2003 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." CVE-2004-0727 ACCEPTED 1 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. CVE-2004-0845 ACCEPTED 1 Microsoft Windows XP Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. CVE-2004-0216 ACCEPTED 2 Microsoft Windows XP Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". CVE-2004-0839 ACCEPTED 2 Microsoft Windows 2000 Microsoft Internet Explorer 5.01 Service Pack 3 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. CVE-2004-0216 ACCEPTED 1 Microsoft Windows XP Internet Explorer 6 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." CVE-2004-0727 ACCEPTED 2 Microsoft Windows ME Internet Explorer 6 SP1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." CVE-2004-0841 ACCEPTED 2 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Internet Explorer 6 SP1 Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability." CVE-2004-0844 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis Jonathan Baker INTERIM Matthew Wojcik ACCEPTED The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site. CVE-2005-1477 ACCEPTED 3 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis Jonathan Baker INTERIM Matthew Wojcik ACCEPTED Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution when combined with CVE-2005-1477. CVE-2005-1476 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object. CVE-2005-2270 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). CVE-2005-2269 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis Christine Walzer Jonathan Baker Matthew Wojcik INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." CVE-2005-2268 ACCEPTED 6 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis Christine Walzer Jonathan Baker INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL. CVE-2005-2267 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis Jonathan Baker Christine Walzer INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. CVE-2005-1937 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string. CVE-2005-2265 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.5 allows remote attackers to steal sensitive information by opening a malicious link in the Firefox sidebar using the _search target, then injecting script into other pages via a data: URL. CVE-2005-2264 ACCEPTED 6 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis Christine Walzer INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation. CVE-2005-2263 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis INTERIM Matthew Wojcik Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers to execute arbitrary code by tricking the user into using the "Set As Wallpaper" (in Firefox) or "Set as Background" (in Netscape) context menu on an image URL that is really a javascript: URL with an eval statement, aka "Firewalling." CVE-2005-2262 ACCEPTED 6 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Thunderbird Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection. CVE-2005-2261 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. CVE-2005-2260 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis Jonathan Baker INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CVE-2005-1160. CVE-2005-1532 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis Jonathan Baker INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly implement certain security checks for script injection, which allows remote attackers to execute script via "Wrapped" javascript: URLs, as demonstrated using (1) a javascript: URL in a view-source: URL, (2) a javascript: URL in a jar: URL, or (3) "a nested variant." CVE-2005-1531 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis Christine Walzer Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation. CVE-2005-2263 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM Matthew Wojcik Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to gain privileges by overriding certain properties or methods of DOM nodes, as demonstrated using multiple attacks involving the eval function or the Script object. CVE-2005-1160 ACCEPTED 6 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The native implementations of InstallTrigger and other functions in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 do not properly verify the types of objects being accessed, which causes the Javascript interpreter to continue execution at the wrong memory address, which may allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code by passing objects of the wrong type. CVE-2005-1159 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Multiple "missing security checks" in Firefox before 1.0.3 allow remote attackers to inject arbitrary Javascript into privileged pages using the _search target of the Firefox sidebar. CVE-2005-1158 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to execute arbitrary script and code via a new search plugin using sidebar.addSearchEngine, aka "Firesearching 1." CVE-2005-1156 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The favicon functionality in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary code via a <LINK rel="icon"> tag with a javascript: URL in the href attribute, aka "Firelinking." CVE-2005-1155 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary script in other domains via a setter function for a variable in the target domain, which is executed when the user visits that domain, aka "Cross-site scripting through global scope pollution." CVE-2005-1154 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM Matthew Wojcik Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option. CVE-2005-1153 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The Plugin Finder Service (PFS) in Firefox before 1.0.3 allows remote attackers to execute arbitrary code via a javascript: URL in the PLUGINSPAGE attribute of an EMBED tag. CVE-2005-0752 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM Matthew Wojcik ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The find_replen function in jsstr.c in the the Javascript engine for Mozilla Suite 1.7.6, Firefox 1.0.1 and 1.0.2, and Netscape 7.2 allows remote attackers to read portions of heap memory in a Javascript string via the lambda replace method. CVE-2005-0989 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED FireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all attack vectors for loading chrome files and hijacking drag and drop events, which allows remote attackers to execute arbitrary XUL code by tricking a user into dragging a scrollbar, a variant of CVE-2005-0527, aka "Firescrolling 2." CVE-2005-0401 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.2 allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page. CVE-2005-0402 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Thunderbird Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Heap-based buffer overflow in GIF2.cpp in Firefox before 1.0.2, Mozilla before to 1.7.6, and Thunderbird before 1.0.2, and possibly other applications that use the same library, allows remote attackers to execute arbitrary code via a GIF image with a crafted Netscape extension 2 block and buffer size. CVE-2005-0399 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis Christine Walzer INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. CVE-2005-0233 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox 1.0 allows remote attackers to execute arbitrary code via plugins that load "privileged content" into frames, as demonstrated using certain XUL events when a user drags a scrollbar two times, aka "Firescrolling." CVE-2005-0527 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing." CVE-2005-0231 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Thunderbird Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox 1.0 does not prevent the user from dragging an executable file to the desktop when it has an image/gif content type but has a dangerous extension such as .bat or .exe, which allows remote attackers to bypass the intended restriction and execute arbitrary commands via malformed GIF files that can still be parsed by the Windows batch file parser, aka "firedragging." CVE-2005-0230 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks. CVE-2005-0584 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks. CVE-2005-0585 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header, which could be used to trick users into downloading dangerous content. CVE-2005-0586 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Thunderbird Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file. CVE-2005-0587 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.1 and Mozilla before 1.7.6 does not restrict xsl:include and xsl:import tags in XSLT stylesheets to the current domain, which allows remote attackers to determine the existence of files on the local system. CVE-2005-0588 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The Form Fill feature in Firefox before 1.0.1 allows remote attackers to steal potentially sensitive information via an input control that monitors the values that are generated by the autocomplete capability. CVE-2005-0589 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Thunderbird Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED String handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service and possibly execute arbitrary code by forcing an out-of-memory state that causes a reallocation to fail and return a pointer to a fixed address, which leads to heap corruption. CVE-2005-0255 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Thunderbird Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED The installation confirmation dialog in Firefox before 1.0.1, Thunderbird before 1.0.1, and Mozilla before 1.7.6 allows remote attackers to use InstallTrigger to spoof the hostname of the host performing the installation via a long "user:pass" sequence in the URL, which appears before the real hostname. CVE-2005-0590 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.1 allows remote attackers to spoof the (1) security and (2) download modal dialog boxes, which could be used to trick users into executing script or downloading and executing a file, aka "Firespoofing." CVE-2005-0591 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Thunderbird Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Heap-based buffer overflow in the UTF8ToNewUnicode function for Firefox before 1.0.1 and Mozilla before 1.7.6 might allow remote attackers to cause a denial of service (crash) or execute arbitrary code via invalid sequences in a UTF8 encoded string that result in a zero length value. CVE-2005-0592 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshake is completed, or (3) a URL that generates an HTTP 204 error, which updates the icon and location information but does not change the display of the original site. CVE-2005-0593 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Mozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. CVE-2004-1156 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0 allows the user to store a (1) javascript: or (2) data: URLs as a Livefeed bookmark, then executes it in the security context of the currently loaded page when the user later accesses the bookmark, which could allow remote attackers to execute arbitrary code. CVE-2005-0150 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers bypass the user's intended privacy and security policy by using cookies in e-mail messages. CVE-2005-0149 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Thunderbird Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Thunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system. NOTE: since the invocation between multiple products is a common practice, and the vulnerabilities inherent in multi-product interactions are not easily enumerable, this issue might be REJECTED in the future. CVE-2005-0148 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0 and Mozilla before 1.7.5, when configured to use a proxy, respond to 407 proxy auth requests from arbitrary servers, which allows remote attackers to steal NTLM or SPNEGO credentials. CVE-2005-0147 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (background) tabs to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows and facilitate phishing attacks, aka the "Dialog Box Spoofing Vulnerability." CVE-2004-1380 ACCEPTED 4 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature. CVE-2005-0145 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Thunderbird Robert L. Hollis Christine Walzer INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being NULL terminated. CVE-2004-1316 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being entered in the active tab, as originally reported using form fields, which allows remote attackers to steal sensitive data that is intended for other sites, which could facilitate phishing attacks. CVE-2004-1381 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks. CVE-2005-0144 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Firefox Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks. CVE-2005-0143 ACCEPTED 5 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis Jonathan Baker INTERIM ACCEPTED INTERIM ACCEPTED Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF. CVE-2005-0142 ACCEPTED 4 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis INTERIM ACCEPTED INTERIM ACCEPTED Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab. CVE-2005-0141 ACCEPTED 4 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm. CVE-2005-1983 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message. CVE-2005-1984 ACCEPTED 2 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". CVE-2005-1989 ACCEPTED 3 Microsoft Windows Server 2003 Internet Explorer Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". CVE-2005-1989 ACCEPTED 3 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message. CVE-2005-0058 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message. CVE-2005-0058 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message. CVE-2005-0058 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis INTERIM ACCEPTED Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message. CVE-2005-0058 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests. CVE-2005-1218 ACCEPTED 2 Microsoft Windows 2000 Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message. CVE-2005-1981 ACCEPTED 2 Microsoft Windows 2000 Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used. CVE-2005-1982 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message. CVE-2005-1981 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used. CVE-2005-1982 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message. CVE-2005-1981 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used. CVE-2005-1982 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message. CVE-2005-1981 ACCEPTED 2 Microsoft Windows XP Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used. CVE-2005-1982 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message. CVE-2005-1981 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used. CVE-2005-1982 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message. CVE-2005-1981 ACCEPTED 2 Microsoft Windows Server 2003 Operating System Robert L. Hollis INTERIM ACCEPTED Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used. CVE-2005-1982 ACCEPTED 2 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Robert L. Hollis Christine Walzer Jonathan Baker INTERIM ACCEPTED Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents. CVE-2005-2266 ACCEPTED 4 Sun Solaris 8 Sun Solaris 9 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret. CVE-2003-0987 ACCEPTED 5 Sun Solaris 8 Sun Solaris 9 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. CVE-2003-0020 ACCEPTED 5 Sun Solaris 8 Sun Solaris 9 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." CVE-2004-0174 ACCEPTED 5 Sun Solaris 8 Sun Solaris 9 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions. CVE-2003-0993 ACCEPTED 5 Sun Solaris 8 Sun Solaris 9 Apache Robert L. Hollis DRAFT INTERIM ACCEPTED Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. CVE-2004-0492 ACCEPTED 5 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 XDM Robert L. Hollis Christine Walzer DRAFT INTERIM ACCEPTED X Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request. CVE-2004-1347 ACCEPTED 5 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 libtiff Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. CVE-2004-0803 ACCEPTED 5 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 libtiff Robert L. Hollis DRAFT INTERIM ACCEPTED Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452. CVE-2004-0804 ACCEPTED 5 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 libtiff Robert L. Hollis DRAFT INTERIM ACCEPTED Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. CVE-2004-0886 ACCEPTED 5 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 libtiff Robert L. Hollis DRAFT INTERIM ACCEPTED Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow. CVE-2004-1308 ACCEPTED 5 01 01 11 11 10 10 02 02 27 38 03 03 04 05 02 02 5 2 3790 347 5 2 3790 2464 5 1 2600 2698 5 1 2600 1701 5 0 2195 7053 5 2 3790 2465 5 2 3790 2483 5 1 2600 2716 5 1 2600 1715 6 0 3790 2491 5 1 2600 1699 5 2 3790 2477 Mozilla Thunderbird \(0\.[6-8]\) 0\.[6-8]($|\s).* Mozilla Firefox \(0\.9.*\) 0\.9($|\s).* Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-4]\)) [0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-4]($|\s).* Mozilla Thunderbird \(0\.[0-8]\) 0\.[0-8]($|\s).* Mozilla (\(1\.7\)|\(1\.[0-7]\.[0-3]\)) 1\.7($|\s).*|1\.7\.[0-3]($|\s).* Mozilla Thunderbird \(0\.[6-9]\) 0\.[6-9]($|\s).* Mozilla Firefox \(0\.[0-9].*\) 0\.[0-9]($|\s).* Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)) [0-1]\.0($|\s).* Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-5]\)) [0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-5]($|\s).* Mozilla Thunderbird (\(0\.[0-9]\)|\(1\.0\)) [0-1]\.0($|\s).* Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-1]\)) [0-1]\.0($|\s).*|[0-1]\.0\.[0-1]($|\s).* Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-6]\)) [0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-6]($|\s).* Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-7]\)) Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-3]\)) Mozilla Thunderbird (\(0\.[0-9]\)|\(1\.0\)|\(1\.0\.[0-2]\)) [0-1]\.0($|\s).*|[0-1]\.0\.[0-2]($|\s).* Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-2]\)) [0-1]\.0($|\s).*|[0-1]\.0\.[0-2]($|\s).* Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-8]\)) [0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-8]($|\s).* Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-4]\)) [0-1]\.0($|\s).*|[0-1]\.0\.[0-4]($|\s).* [0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-7]($|\s).* [0-1]\.0($|\s).*|[0-1]\.0\.[0-3]($|\s).* 1 6 0 2900 2524 6 0 2900 2523 6.00.2900.2180 5 2 3790 193 5 2 3790 193 6 0 2800 1584 1 5 0 2195 6972 6 0 2750 166 4 0 1381 33578 01 08 03 5 1 2600 158 5 1 2600 149 1 5 5 1877 79 5 0 0 799 1 1 0 3705 6021 1,0,3705,3 1,0,3705,2 1 0 3705 556 1 2 6.2.0208 1 2 0 390 16 17 38 4 0 1381 7329 4 0 1381 7345 6 0 3790 212 4 0 1381 33566 6 1 0 9231 5 0 2195 7000 02 01 06 6 0 3790 241 5 0 3900 7032 5 2 3790 184 5 2 3790 173 05 19 25 4 0 1381 842 5 2 3790 205 01 04 07 04 1 1 5 1 0 1044 12 05 5 0 3900 6970 5 0 2195 6946 4 0 1381 33587 6 0 3790 198 KB888258 3 0 1200 408 5 2 3790 205 Service Pack 2 or less for Windows Office XP needs regex involving strings and less than 6 0 2800 1411 02 09 06 02 07 13 03 02 01 02 04 03 5 0 2195 7023 6 5 6981 3 06 07 10.0.6626.0 4 0 1381 33591 5 1 2600 1363 4 0 1381 7323 The presence of /etc/named.conf indicates that system system is probably configured as a DNS server 16 4 0 1381 7270 6 0 3790 198 10.0.4330.0 04 04 6 0 2800 1580 6 0 2800 1580 11.0.5614.0 03 5 50 4945 2800 earlier earlier earlier earlier 04 18 11 11 egrep "^[Srecipient=2|S2]|^[^#]*\$>2|^[^#]*\$>recipient|^[^#]*\$>4|^[^#]*\$>final" /etc/mail/sendmail.cf True if any lines returned 4 72 3841 1100 09 07 14 1 5 0 3900 7036 5 2 3790 242 2 12 5118 0 ^2\.1.*$ 10 08 1 1 1 4322 1085 1 1 1 4322 2037 1,0,4322,0 5 1 2600 1634 6 0 2600 151 05 1 5 1 2600 1243 5 1 2600 117 1 1 13 6 1 0 9232 1 4 71 2195 6920 03 02 01 5 1 2600 1193 5 1 2600 112 5 0 3900 6922 6 0 2742 200 6 0 3264 0 11.0.3216.5614 Installed 4 0 1381 7312 5 1 2600 1555 5 1 2600 1555 5 1 2600 1567 5 1 2600 1567 5 0 2195 7017 5 2 3790 227 srv03_qfe 5 2 3790 225 srv03_qfe 5 0 2195 6159 5 2 3790 233 5 0 2195 6922 5 0 2195 6952 4 0 1381 33630 6 0 2600 115 6 0 2800 1233 1 01 4 0 1381 33577 4 0 1381 7286 5 1 2600 1613 10 0 6714 0 05 10 10 03 01 3 6 5 1 2600 1619 5 0 2195 6929 earlier earlier earlier 02 5 0 2195 6966 1 10.2.5110 4 0 1381 33618 2 53 6202 0 04 6 0 3264 0 11.0.6252.7 ^5\.[1-2]$ 9.00.9327 9.00.9327 Installed 2003 1100 6252 0 01 02 02 6 0 3790 185 6 0 3790 181 04 02 03 01 01 01 02 02 5 2 3790 245 5 0 2195 7021 6 0 3790 279 5 1 2600 2563 5 0 2195 7005 1 5 0 3534 2800 10 02 03 03 08 09 SUNWkrbu - 32bit, SUNWkrbux - 64bit 5 2 3790 163 1 4 0 1381 7299 1 0 0 5 5 0 2195 6928 1 6 0 3790 219 5 1 2600 1596 egrep ^flags:.*a[sd] /etc/security/audit_control True if any lines returned grep c2audit /etc/system True if "set c2audit:audit_load = 1" or similiar 12 18 33 01 03 24 Package which contains /usr/lib/netsvc/yp/ypxfrd 5 2 3790 163 4 0 1381 7280 4 0 1381 7268 6 0 3790 168 1.1 10.0.8326.0 10 0 6735 0 10.0.8326.0 5 1 2600 109 1 6 0 3790 211 1 5 1 2600 2577 1 4 0 1381 7304 5 1 0 639 5.1.0639 4 0 1381 33545 1 5 0 3826 2400 CVE-2002-1265 01 CVE-2002-1265 01 CVE-2002-1265 01 CVE-2002-1265 01 CVE-2002-1265 01 CVE-2002-1265 01 CVE-2002-1265 03 CVE-2002-1265 03 CVE-2002-1265 09 CVE-2002-1265 14 CVE-2002-1265 01 CVE-2002-1265 01 CVE-2002-1265 01 6 0 2800 1556 03 08 08 1 1 6 0 2745 2800 9 0 0 8929 16384 HttpRedirect ^http:*,PERMANENT,* 4 2 788 1 1 5 1 2600 1517 1 ^4\.08\.01.*$ 5 1 2600 148 1 ^4\.09.*$ 5 3 0 903 1 ^4\.08\.02.*$ 5 2 3677 144 6 0 2800 1643 01 4 0 1381 7269 4 0 1381 33567 1 02 15 5 50 4942 400 5 2 3790 220 5 0 2195 6945 10 0 6754 0 10 07 1 5 0 3821 2800 12 13 5 1 2600 1597 5 0 3900 7009 02 01 2 5 5 2558 10 SUNWcsu = 32bit, SUNWcsxu = 64bit 06 13 08 09 11 05 16 5 1 2600 1364 5 1 2600 137 05 01 02 5 1 2600 1564 5 1 2600 155 5 2 3790 1280 5 2 3790 142 5 1 2600 1606 0 1 6 0 2800 1441 01 19 12 5 1 2600 1620 5 1 2600 1605 01 5 1 2600 1560 1 4 0 1381 33574 4 0 1381 33565 5 2 3790 252 01 02 5 1 2600 166 01 02 51 14 01 02 51 14 5 1 2600 1580 5 1 2600 1580 5 1 2600 1254 5 0 2195 6902 11 0 6502 0 1 5 1 2600 1555 5 50 4963 1700 5\.50\..* 2 81 1124 0 ^2\.81.*$ 2 80 1062 0000 2 71 9053 0 2 53 6306 0 ^2\.53.*$ 6 0 3790 504 6 0 3790 2663 6 0 3790 503 B\.11\.11\.(00.*|01\.00[0-7]) 5 2 3790 198 1 4 0 1381 3356 4 0 1381 7267 4 72 3843 3100 1 10 0 6790 0 6 0 3790 2662 2 82 2644 0 5 0 3528 700 05 09 14 5 1 3102 1355 4 0 1381 33563 4 0 1381 7265 01

\s*version\.c\s+8\.13\.[0-5]\D.*

\s*version\.c\s+8\.12\.([0-9]|10)\D.*

\s*version\.c\s+([0-7]|8\.([0-9]|1[01]))\D.*

6 1 0 9232 17 14 6 0 2900 2627 8\.13\.[0-5] 8\.12\.([0-9]|10) ([0-7]|8\.([0-9]|1[01])) 5 1 2600 2685 5 1 2600 1693 12 27 6 0 2800 1807 6 0 2800 1816 6 1 2600 3 5 1 2600 1792 9 0 0 3344 9.0.* 02 6 1 3790 1 5 0 3837 1200 B.11.22 03 01 06 03 03 06 29 22 33 29 22 33 01 04 03 04 03 03 03 5 2 3790 462 6 0 2900 2869 24 1 5 1 2600 2598 C:\Program Files\Windows NT\hypertrm.exe /t %1 5 1 2600 1609 5 1 2600 2821 Windows ME 10 0 0 3990 10\.0\.* 6 2 2551 0 5 0 2195 7071 C.04.01.00.00 C.04.00.00.00 5 2 3790 220 02 02 7 10 0 3077 7.1.* B.11.23 B.11.11 B.11.11 1.1 5 1 2600 1789 1 6 0 2800 1476 5 0 2195 6992 3 0 2 629 9 0 0 8936 9 0 0 8938 .*-OEM-.* 6 0 3790 2534 1 5 2 3790 239 5 2 3790 453 5 2 3790 386 A(\.0[0-3]\..*|\.04\.[0-1].*|\.04\.20\.00[0-3]) 6 0 2800 1523 6 0 2800 1522 6 0 3790 413 5 0 2195 7065 5 0 3833 200 02 03 04 04 5 1 2600 2743 02 11 0 8012 0 5 1 2600 2744 6 0 2900 2763 6 2 4 0 5 0 2195 6902 2 71 9053 0 11 0 8012 0 .* 5 1 2600 1762 5 1 2600 1762 5 0 3835 2200 5 5 3201 0 .*OFFICE9.* Solaris Management Console web interface 01 02 B.10.20 B.10.20 HP-UX B.10.20 01 05 01 05 6 0 2900 2769 01 5 2 3790 2606 A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3]) A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3]) A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3]) A\.01\.(0.*|10.*|11[^\.]|11\.0[0-3]) 11 0 6566 0 .*OFFICE11.* 6 0 3790 418 6 0 2900 2869 5 0 3839 2200 5\.0\..* 01 01 02 02 03 03 31 09 21 6 4 2600 1738 6 4 2600 0 5 1 2600 2818 5 0 2195 7073 B.11.00 B.11.00 6 0 2600 165 6 0 2600 1579 5 1 2600 2827 6 4 3790 399 6 4 3790 0 6 1 3940 42 4 0 1381 33598 6 0 2800 1724 5 2 3790 374 5 2 3790 374 01 A\.0[12]\..* A\.([01].*|2\.00\.00) 6 1 1002 0 5 2 3790 346 ^Service Pack [1-9]|\d{2,}$ 5 1 2 275 ADSTYPE_PRINTABLE_STRING .+ ADSTYPE_PRINTABLE_STRING \:3$ ADSTYPE_INTEGER 25 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 268 ADSTYPE_INTEGER 25 ADSTYPE_INTEGER 1 ADSTYPE_PRINTABLE_STRING .+ ADSTYPE_INTEGER 0 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 131072 ADSTYPE_INTEGER 2 ADSTYPE_PRINTABLE_STRING .+ ADSTYPE_INTEGER 270 ADSTYPE_INTEGER 4096 ADSTYPE_PRINTABLE_STRING ^local\: ADSTYPE_PRINTABLE_STRING ^\d+\:1\: ADSTYPE_INTEGER 0 ADSTYPE_INTEGER 0 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 262144 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 995 ADSTYPE_INTEGER 110 ADSTYPE_PRINTABLE_STRING ^https\:\/\/ ADSTYPE_INTEGER 4 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 2 ADSTYPE_INTEGER 4 ADSTYPE_INTEGER 2 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 8 ADSTYPE_INTEGER 2 ADSTYPE_PRINTABLE_STRING Filter ADSTYPE_INTEGER 5000 ADSTYPE_INTEGER 30720 ADSTYPE_INTEGER 30720 ADSTYPE_INTEGER 2 ADSTYPE_INTEGER 0 ADSTYPE_DN_STRING .+ ADSTYPE_INTEGER 993 ADSTYPE_INTEGER 143 ADSTYPE_PRINTABLE_STRING ^https\:\/\/ ADSTYPE_INTEGER 4 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 2 ADSTYPE_INTEGER 0 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 2147483648 ADSTYPE_INTEGER 16 ADSTYPE_INTEGER 2 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 512 ADSTYPE_INTEGER 4 ADSTYPE_INTEGER 64 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 2147483648 ADSTYPE_INTEGER 16 ADSTYPE_INTEGER 2 ADSTYPE_INTEGER 1 ADSTYPE_INTEGER 4 ADSTYPE_INTEGER 512 5 2 3790 233 1 1812 udp earlier 1 4 71 1979 1 1 6 0 3790 259 B\.11\.11\.(00.*|01\.00[0-5]) 5 0 1558 6608 9 0 0 8930 1 5 0 2195 6958 5 1 2600 1734 2 80 1062 0 4 0 1381 7268 5 0 1462 22 5 0 1460 9 5 2 3790 468 5 0 3825 700 1.1 9 0 0 3250 9.00.00.2980 5 1 2600 1617 6 0 2900 2802 5 2 3790 366 1 1 5 0 2195 7061 5 0 2195 7035 ((1\.7\.12\..*)|(1\.(([8-9])|(\d{2,}))\..*)|(1\.7\.((1[3-9])|([2-9]\d+))\..*)) HP-UX B.11.22 6 0 3790 383 5 0 2195 7054 -S 2 01 01 02 5 2 3790 280 6 1 9 732 6 1 9 726 5 1 2600 1151 A(\.0[0-3]\..*|\.04\.[0-1].*|\.04\.20\.00[0-4]) 8 0 0 4495 8\.0\.* 5 2 3790 1673 5 1 2600 1733 5 2 3790 396 1 1 1 earlier 5 0 2195 7069 1 earlier 5 0 2195 6991 A.02.00 A.02.10 A.04.50 A.04.50 A.04.60 A.04.60 A.04.70 A.04.70 6 5 2600 2749 6 5 2600 0 02 02 3 5 0 117 As stated in the iDefense security advisory, if this key exists and contains a value, then the system has Interactive Training installed, and it will process .cbo files. 5 0 2195 7057 HP-UX B.10.24 5 1 2600 2736 2 81 1124 0 5 2 3790 76 6 0 6617 86 1 5 0 3539 2400 earlier earlier 5 0 3900 7071 5 0 3900 7078 10 00 6764 0 5 2 3790 2549 5 2 3790 2549 5 1 2600 2595 6 0 3790 507 earlier earlier 2004 10 25 0 1 10 0 6772 0 .*OFFICE10.* 5 0 2195 7021 9 0 0 8938 4 9 1 9800 9 6 0 3790 2541 5 1 2600 1331 5 1 2600 1755 B.11.11 B.11.11 ^4\.[0]*9\..* 6 3 1 889 6 5 3790 2519 6 5 3790 0 B\.11\.00\.(00.*|01\.00[0-3]) 5 50 4956 500 6 0 3790 2666 5 1 2600 2673 5 1 2600 1683 1 1 1 1 earlier 5 1 2600 2726 5 1 2600 2726 5 1 2600 1684 6 5 6749 0 02 03 04 5 2 3790 426 5 2 3790 426 5 2 3790 359 earlier 5 1 2600 2770 earlier earlier earlier 6 0 2800 1751 6 0 2900 2668 1 6 1 0 9231 Rough translation of the Sun recommended test of: % grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___ default_realm = EXAMPLE.COM 07 07 04 02 1 1 1 5 1 2600 1727 5 2 3790 121 ^4\.[0]*9\.[0]+\.[0]*901 ^4\.[0]*9\.[0]+\.[0]*900 6 0 3790 2577 02 5 50 4701 2400 5 50 4616 200 1 ^4\.[0]*8\..* 1 1 6 0 3790 449 6\..* 5 50 4952 2800 regular earlier 6 0 6617 47 6 0 6603 0 1 1 1 2 4 ^Windows.* 2000 80 636 0 2000 80 636 0 5 0 2195 6905 4 1 5 2 3790 2483 5 1 2600 2716 5 1 2600 1715 01 02 2001 12 4414 53 5 1 2600 1720 5 1 2600 1720 5 0 2195 2956 2001 12 4720 130 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 earlier 5 1 2600 1331 5 1 2600 132 5 0 2195 6898 5 0 2195 7069 2000 2 3511 0 5 0 1558 6072 5 2 3790 2453 1 5 131 2600 1123 5 1 2600 1343 5 1 2600 128 .*zipfldr\.dll.* 1 6 0 2800 1584 6 0 2750 167 ^([1-5]\.[0-9].*|6\.(0.*|1|1\.([0-9]($|\..*)|[0-1][0-9]($|\..*)|20($|\..*)|21($|\..*))))$ 5 0 2195 3649 15 18 1 0 0 4 1 5 0 2195 7059 ^Service Pack [0-4]$ 08 41 83 08 52 94 earlier 4 0 1381 33562 4 0 1381 7263 ^2\.7.* 2000 81 9041 40 2000 81 9001 40 1 1 1 earlier 0 8.5 We think, but are not sure that the affected version of bkupexec.exe is 3.60.1.298 The file should be found in C:\Program Files\VERITAS\Backup Exec\NT\bkupexec.exe 5 2 3790 161 5 2 3790 141 srv03_qfe 5 2 3790 137 srv03_qfe HP-UX B.11.04 B.11.04 B.11.04 B.11.04 1 6 00 3790 137 1 5 3 0 903 ^4\.09\.00.* 1 5 2 3677 144 ^4\.08\.02.* 1 5 1 2600 891 ^4\.08\.01.* 1 5 0 2258 410 ^4\.08\.00.* 1 5 0 2195 6927 ^4\.07.* 2000 80 628 0 2000 80 606 0 2000 80 606 0 2000 80 606 0 2000 80 606 0 2000 80 606 0 2000 80 650 0 0 0 0 6 0 5700 21 Microsoft Exchange 2000 1 4 0 1381 7058 4 2 764 1 earlier 3 6 0 2900 2578 ^Service Pack [0-2]$ 6 00 2800 1409 1 5 1 2600 1515 5 1 2600 137 5 1 2600 1362 5 1 2600 137 earlier 6 0 2800 1492 6 0 2800 1491 5 1 2600 1363 5 1 2600 136 5 1 2600 1340 5 1 2600 128 Non-perjoritive check .* 09 02 1 1 1 1 earlier 1 4 10 2001 0 Windows 98 5 0 2195 6904 earlier B.11.23 earlier 6 00 2739 300 6,0,2600,0000 6 0 2800 1506 6,0,2800,1106 5 1 2600 1125 1 earlier earlier earlier 1 1 1 1 earlier 1 1 1 earlier 1 1 1 earlier earlier earlier earlier earlier 1 1 1 earlier Y 4 0 1381 33559 4 0 1381 7255 1 4 0 8618 0 4 0 8618 0 earlier 4 1 0 3861 5 1 2600 1348 5 1 2600 134 2000 80 746 0 ^2\.6.* 1 3 70 11 40 The ImageMagick-* RPMs all require that the main ImageMagick RPM have the same version and release number. earlier 5 0 2195 6898 5 1 2600 1361 5 1 2600 135 5 2 3790 142 1 5 2 3790 185 5 0 2195 6906 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 earlier 4 0 1381 133 5 2 3790 132 UDP earlier earlier 1 1 earlier earlier earlier 4 1 0 3932 1 1 4 1 0 3931 Non-perjoritive test .* 1 5 0 2195 6672 1 4 0 1381 279 5 0 2195 5807 4 2 780 1 5 50 4927 2100 3 6 0 2713 1100 5 2 3790 139 6 0 2716 2200 5 50 4926 2500 3 1 1 1 1 6 0 2712 0300 1 1 5 50 4613 1700 5.50.4522.1800 5.50.4134.0600 5.50.4134.0100 5 2 3790 134 earlier ^Service Pack [6-9]|\d{2,}$ 4 0 1381 164 5 0 2195 3649 5 131 1880 14 5 2 3790 2506 4 2 769 1 5 0 2195 6901 5 2 3790 1241 5 2 3790 125 4 87 1964 1880 earlier earlier earlier earlier earlier 1 5 2 3790 250 5 1 2600 1361 5 1 2600 135 5 1 2600 1361 5 1 2600 134 4 0 1381 33562 4 0 1381 7263 5 0 2195 6895 2 4 0 1381 33559 4 0 1381 7255 1 5 0 2195 6904 5 1 2195 6899 5 131 2195 6824 1 earlier earlier 5 1 2600 1347 5 1 2600 136 5 2 3790 132 1 5 0 2195 6902 1 5 50 4939 300 5,50,4807,1700 01 03 09 01 03 09 1 1 1 1 1 1 1 1 1 earlier earlier earlier earlier 1 1 1 earlier earlier earlier earlier earlier earlier earlier earlier x86_64 earlier earlier earlier earlier earlier earlier earlier earlier earlier earlier earlier earlier 1 1 1 earlier 1 1 1 1 1 1 1 1 1 earlier earlier 1 earlier earlier earlier 1 1 1 earlier earlier earlier earlier earlier earlier earlier 6 1 0 211 6 0 0 0 10.0.6626.0 10.0.4333.0 10 00 5709 0000 4 4 1 4 1 0 3934 4 1 0 3934 4.1 earlier earlier earlier earlier earlier earlier earlier earlier TCP earlier earlier earlier earlier earlier earlier earlier 1 1 1 earlier 1 1 earlier 1 1 1 earlier TCP earlier 6 0 3790 2663 6\.0\..* earlier earlier earlier earlier 1 1 1 earlier 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 earlier earlier earlier 1720 earlier 5 2 3790 99 4 0 1381 33554 4 0 1381 7255 5 2 3790 88 10 0 6775 0 .*-OEM-.* 5 1 2600 1274 5 1 2600 119 5 0 2195 6824 6 0 2900 2722 6 0 2800 1543 6\..* 6 0 3790 2491 6 0 3790 373 6 0 2800 1499 6 0 2800 1498 6 0 2900 2873 5 2 3790 2516 8 0 1969 33 3.5 7 0 1701 44 3.0 2.2 5 3000 2073 13 0 1 5 2 3790 336 5 1 2600 160 1 5 0 2195 6987 5 0 2195 7035 5 0 3828 2700 1 2000 85 1025 0 2000 85 1025 0 ^2\.8.*$ 6 0 2800 1506 6 0 2800 1505 5 2 3790 2476 Non-pejorative check HP-UX B.10.10 HP-UX B.10.01 B.10.10 B.10.10 B.10.01 B.10.01 B.11.00 B.11.00 10 0 6789 0 .* Installed 2000 81 9042 0 2000 81 9042 0 ^2\.71.*$ 2000 81 9002 0 2000 81 9002 0 1 1 1 earlier (((A|B)\.2\.0\.55\.\d+)|((A|B)\.[3-9]\..*)|((A|B)\.[1-9]\d+\..*)|((A|B)\.2\.[1-9]\d*\..*)|((A|B)\.2\.\d+\.[6-9]\d+\..*)|((A|B)\.2\.\d+\.5[6-9]\d*\..*)|((A|B)\.2\.\d+\.\d{3,}\..*)) 7 0 8002 0 6 0 2800 1528 1 5 2 3790 316 1 1 1 earlier 5 2 3790 2591 5 0 2195 7073 5 0 2195 7071 1 5 2 3790 227 4 0 1381 7342 The ImageMagick-devel, ImageMagick-c++-devel, and ImageMagick-c++ RPMs all require that the exact same version of the ImageMagick RPM is present. As such, we can test for a vulnerable version of the former alone, rather than testing for the presence of each of these RPMs in particular. earlier 6 0 2900 2604 6.0.2900.2180 6 0 3790 2521 4 1 5 0 2195 6870 ^.*ServerNT.*$ 24 19 16 12 11 5 2 3790 2542 5 1 2600 2777 5 1 2600 2777 6 0 2800 1516 6 0 2800 1515 10 0 5815 0 Non-perjorative test .* Non-perjorative test .* 1 10 0 803 2 Non-pejorative test .* 5 1 2600 1790 1 2 0 0 3423 1 4 0 1381 7207 4 0 1381 7202 4 0 1381 7177 4 0 1381 7177 5 2 3790 2617 earlier 8 00 01 9904 5 2 3790 419 .* 1\.0[ab].* SeaMonkey \(1\.0[ab]\) Mozilla \(.*\) .* 1\.5($|\s).* Mozilla Firefox \(1\.5\) (0\..*|1\.0\..*) Mozilla Firefox \((0\..*|1\.0\..*\)) 1 8 20060 11112 (0\..*|1\.0\..*) Mozilla Thunderbird \((0\..*|1\.0\..*\)) 10 0 5815 0 earlier 1 1 1 earlier 03 03 SunOS 5.10 17 16 17 ^i.*86 17 [Ss][Pp][Aa][Rr][Cc] earlier 1 5 0 2195 6823 B.11.23 1 1 1 earlier 4 4 0 1381 33632 1 A.02.01 A.02.01 A.02.01 A.02.01 Multiple RPMs were updated in this release, but all but mozilla-nspr have mozilla-with-their-same-version as an installation dependency. So, if mozilla is up to date, mozilla-chat, mozilla-devel, ... , mozilla-js-debugger are all up to date. Mozilla itself requires that mozilla-nspr and mozilla-nss be installed with the same version as itself. This closes the loop -- if mozilla is up to date, so are the other mozilla-FOO RPMs. earlier ^.*3.S 9 0 0 8216 TCP earlier earlier 5 5 2658 34 2653 For "/tmp is readable by non-root users," use a compound test. 1 earlier 1 1 1 earlier earlier 6 0 3790 2440 6 0 3790 327 1 5 2 3790 2442 5 2 3790 329 HP-UX B.11.23 HP-UX B.11.00 \d+/8\d+ HP-UX HP-UX B.11.11 \d+/7\d+ HP-UX earlier earlier 6\.2\.020[5-9] MSN Messenger 6.2 01 01 01 6 0 3790 274 8 0 0 9716 8 0 0 9315 We think, but are not sure that the affected version of bkupexec.exe is 3.60.1.298 The file should be found in C:Program Files\VERITAS\Backup Exec\NT\bkupexec.exe Mozilla Firefox (\(0\.[0-9].*\)|\(1\.0\)|\(1\.0\.[0-6]\)) (0\.[0-9].*|1\.0($|\s).*|1\.0\.[1-6]($|\s).*) ([0-1]\.[0-7]($|\s).*|[0-1]\.[0-7]\.[0-8]($|\s).*|1\.7\.10($|\s).*) Mozilla (\([0-1]\.[0-7]\)|\([0-1]\.[0-7]\.[0-9]\)|\(1\.7\.10\)) 5 0 3809 0 6 5 6756 0 5 2 3790 2492 5 2 3790 2492 1 5 00 2195 6862 6 0 2900 2620 TCP 1 1 1 1 earlier 1 1 1 1 1 1 earlier earlier earlier 30 25 2000 80 747 0 2000 80 747 0 TCP earlier 5 0 2195 7059 5 0 2195 7059 ^Service Pack 4 5 2 3790 224 1 6 0 3790 118 1 3 70 11 46 3 70 11 46 ^2\.5.*$ earlier 6 0 2800 1400 6 0 2737 800 5 50 4937 800 5 0 3813 800 6 0 2743 600 1 1 1 earlier 1 5 0 3526 800 ^2\.70.*$ 8.00.194 earlier 2000 80 760 0 2000 80 309 0 5 0 2195 6624 4 1 1 3 0 1200 291 0 6 5 6980 57 5 0 3510 1100 earlier earlier KB899753 3 0 1200 430 Microsoft ISA Server 2000 Updates 5 0 2195 7044 5 2 3790 309 earlier earlier earlier earlier earlier 1 1 0 0 3 5 0 2195 6713 1 5 1 2600 2525 03 earlier earlier earlier 5 1 2600 1710 earlier 1 1 1 earlier earlier 10 0 2609 0 4 1 5 0 33668 1 1 earlier 11 0 6506 0 1 1 1 Multiple RPMs were updated in this release, but all but mozilla-nspr have mozilla-with-their-same-version as an installation dependency. So, if mozilla is up to date, mozilla-chat, mozilla-devel, ... , mozilla-js-debugger are all up to date. Mozilla itself requires that mozilla-nspr and mozilla-nss be installed with the same version as itself. This closes the loop -- if mozilla is up to date, so are the other mozilla-FOO RPMs. earlier ^.*4.S 1 1 1 earlier 6 0 3790 280 2 331066 3 0 1200 257 3 0 1200 257 6 0 2734 1600 5 0 3831 1800 1 1 1 1 1 1 earlier 1 5 2 3790 2435 5 2 3790 2427 5 2 3790 315 1 5 2 3644 0 5 2 3644 0 5 2 3644 0 5 2 3669 0 10 00 4205 0000 10 00 4205 0000 4 00 02 7523 4 0 02 7523 1 earlier 1 6 0 3790 94 earlier 6 0 2800 1276 5 50 4934 1600 5 0 3810 1700 5 0 2195 6799 9 0 0 8216 5 0 3523 1700 1 5 0 2195 3881 4 1 5 1 2600 2709 1 8 0 0 4490 1 4 0 1381 7224 WinNT 2000 80 650 0 1 1 4 00 02 7523 earlier 2000 80 765 0 2000 80 765 0 2000 80 765 0 2000 80 818 0 5 0 2195 6753 1 2 62 9119 1 ^2\.6.*$ 2000 80 650 0 1 6 4 9 1121 earlier 1 8 0 0 4482 8 0 0 4482 6 4 9 1124 6 4 9 1121 8.0.0.4477 1 1 5 0 2195 6110 2000 80 561 0 2000 80 578 0 5 1 2600 1301 5 1 2600 120 5 1 2600 1301 5 1 2600 120 1 5 1 2600 2622 1 1 1 earlier 5 0 2195 6011 earlier 1 x64 5 2 3790 2437 5 2 3790 324 ia64 x86 CoPNGFilter Class 1 5 0 3541 2700 2.4.20-6 NULL 6 2.4.20 1 earlier earlier 4 1 6 0 3790 206 5.2 5 50 4943 400 1 1 0 1 2125 6 0 2800 1458 2000 80 765 0 2000 80 765 0 2000 80 798 0 2000 80 765 0 2000 80 778 0 2000 80 800 0 2000 80 816 0 2000 80 818 0 2000 80 818 0 2000 80 818 0 2000 80 818 0 2000 80 765 0 2000 80 811 0 2000 80 818 0 2000 80 818 0 2000 80 223 0 2000 80 223 0 2000 80 223 0 2000 80 223 0 earlier 5 50 4922 900 1 6 1 5 132 ^Service Pack [5-9]|\d{2,}$ 1 5 2 3790 80 5 0 3819 300 5.00.3700.1000 4 1 5 0 2195 6861 5 0 2195 6861 1 6 0 3790 191 6.00.3790.0000 1 5 0 3532 300 9 0 0 6328 9 0 0 6926 4 1 1 5 1 2600 1255 5 1 2600 118 3 3 4 1 5 0 2195 5880 5.0 5 131 2195 6758 ^.*idq\.dll.*$ 1 5 0 2195 3645 4 0 1381 7224 1 1 1 1 earlier 10 5 0 2195 2784 0 1 5 131 3659 0 2 1 5 0 2195 5971 9 0 0 7924 ^Service Pack [2-9]|\d{2,}$ 5.1 3 3 1 5 131 2600 1243 Service Pack 1 5 131 2600 117 1 4 2 776 1 10 5 50 4923 2500 20 earlier 1 6 0 3790 326 6,0,3790,0 1 earlier earlier earlier earlier ^3.S 4 0 1381 7092 4 0 1381 7152 6 earlier 1 1 1 3 1 1 1 earlier 5 0 3502 4718 4 0 1381 7214 1 1 4 0 1381 7125 5 0 2195 4919 6 0 2722 900 1 4 0 1381 7203 1 3 3 1 1 5 0 3214 2000 4 1 4 0 1381 7097 4 0 1381 7064 earlier 5 0 3810 0 1 1 earlier 5,5,0,8513 5,1,0,8513 5,6,0,8513 5 6 0 8513 5 5 0 8513 5 1 0 8513 1 1 1 earlier 30 Y 5 0 2195 6802 .hta 3 3 6 0 2800 1264 6.00.2800.1106 2000 80 628 0 2000 80 606 0 2000 80 606 0 2000 80 606 0 2000 80 606 0 2000 80 606 0 2000 80 608 0 1 1 1 1 5 0 2195 6699 816456 3 earlier 1 5 0 2195 6685 earlier 4 1 4 0 1381 7202 2 gopher:// 6 0 2719 2200 02 3 3 3 3 1 6 0 2715 400 1 1 0 9 3940 20 1 5 0 2195 5080 4 1 4 0 1381 7134 1 1 51 2000 80 428 0 2000 80 384 0 2000 80 213 0 2000 80 213 0 19 1 5 0 2195 3407 1 5 0 2195 5695 4 2 2000 80 296 0 8.00.194 1 1 1 7 earlier earlier 2 1 5 0 2195 6672 2 1 5 0 893 1105 5 0 2195 4983 19 4 1 4 0 1381 7140 RASPHONE.PBK 1 1 5 0 2195 6106 6 0 2723 2500 2 earlier 1 1 1 earlier 5 0 3502 4856 1 5 0 3513 900 5.00.3502.1000 1 1 1 Service Pack 2 1 1 1 5 0 2195 2103 02 6 22 1 1 1 1 1 5 0 2195 4980 ^.*LanmanNT.*$ 1 1 1 4 2 764 1 1 1 1 38 SunOS 5.7 1 1 1 01 SunOS 5.9 2 4 1 5 0 2195 4905 ^.*ism\.dll.*$ 1 5 0 2195 5671 earlier earlier 5 0 3504 2500 5.00.3315.1000 5.00.3314.2101 5.00.3105.0106 5.00.3103.1000 5.00.2920.0000 5.00.2919.6307 5.00.2919.3800 5.00.2919.800 1 5 0 2195 5974 ^Service Pack [4-9]|\d{2,}$ 4 5 50 4725 2100 5.50.4522.1800 5.50.4134.0600 5.50.4134.0100 ^Service Pack [3-9]|\d{2,}$ 5 0 2195 5269 5 1 5 0 2195 6810 ^Service Pack [4-9]|\d{2,}$ 5.0 6 0 2716 2200 1 4 0 1381 7116 4.0 ^6\.0+\.2600\.0+$ 6 0 2713 1100 ^.*asp\.dll.*$ 1 1 1 4 2 775 1 Terminal Server 0 4 1 1 1 9 1 1 52 1 1 1 1 1 1 1 1 1 1 1 1 5 50 4913 1100 5.50.4807.2300 16 1 1 38 1 1 1 root 6 30 1 1 1 SunOS 5.8 earlier 4 65 1 1 1 earlier ^i.*86 9