1) Ruby on Rails Form Helpers Unicode String Handling Cross-Site Scripting Vulnerability
Ruby on Rails is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which address this issue have been released. Contact the vendor for additional information.
http://www.securityfocus.com/bid/36278
2) IBM Lotus Domino Web Access Cross-Site Scripting Vulnerability
IBM Lotus Domino Web Access (iNotes) is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which address this issue have been released. Contact the vendor for further details.
http://www.securityfocus.com/bid/36292
3) Mozilla Bugzilla Multiple Remote Vulnerabilities
Bugzilla is susceptible to several remote vulnerabilities including multiple instances of SQL Injection and a password disclosure vulnerability. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. The information disclosure vulnerability can be leveraged to steal user passwords. Fixes which address these issues have been released. Contact the vendor for more information.
http://www.securityfocus.com/bid/36373 (‘Bug.create()’ WebService Function SQL Injection Vulnerability)
http://www.securityfocus.com/bid/36372 (URL Password Information Disclosure Vulnerability)
http://www.securityfocus.com/bid/36371 (‘Bug.search()’ WebService Function SQL Injection Vulnerability)
4) IBM Lotus Notes RSS Reader Widget HTML Injection Vulnerability
IBM Lotus Notes is susceptible to an HTML Injection vulnerability. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in the context of the site, or simply alter how the site appears. This issue has reportedly been resolved in a hotfix. Contact the vendor for more details.
http://www.securityfocus.com/bid/36305
5) DotNetNuke Multiple Cross-Site Scripting Vulnerabilities
DotNetNuke is susceptible to multiple Cross-Site Scripting vulnerabilities. These vulnerabilities can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these issues are available. Contact the vendor for additional information.
http://www.securityfocus.com/bid/36274
Posted 09-14-2009 7:54 PM by mark.painter