Research Lab

Positive Technologies Research Team and SecurityLab are willing to cooperate with independent researches in the analysis of the discovered vulnerabilities, in contacts with software vendors and CVE Number Reservation process. The vulnerabilities will be published in sections "Laboratory" and PT-advisory. The name of the researches will be preserved.

Our disclosure policy: en.securitylab.ru/lab/disclosure-policy.php

PT-2012-07 - TimThumb

Vulnerability status: Unpatched

Timeline:
16.05.12 - Vendor is notified
16.05.12 - Vendor gets vulnerability details

Severity: High (7.1)
(AV:N/AC:H/Au:S/C:C/I:C/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


1

Discovered by: Alexey Moskvin, Positive Research Center (Positive Technologies Company)


PT-2012-06 - nginx

Vulnerability status: Unpatched

Timeline:
15.05.2012 - Vendor is notified
15.05.2012 - Vendor gets vulnerability details

Severity: Medium (5.0)
(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


2

Discovered by: Vladimir Kochetkov, Positive Research Center (Positive Technologies Company)


PT-2012-05 - Quercus on Resin 4.x

Vulnerability status: Unpatched

Timeline:
23.03.2012 - Vendor is notified
23.03.2012 - Vendor gets vulnerability details
19.04.2012 - Vulnerability details were sent to CERT

Severity: High (10)
(AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


30
55

Discovered by: Sergey Scherbel, Positive Research Center (Positive Technologies Company)


PT-2012-04 - Cisco

Vulnerability status: Unpatched

Timeline:
13.01.2012 - Vendor is notified
13.01.2012 - Vendor gets vulnerability details

Severity: Medium (4.0)
(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
125

Discovered by: Kirill Mosolov, Maxim Tsoy, Positive Research Center (Positive Technologies Company)


PT-2012-03 - Cisco

Vulnerability status: Unpatched

Timeline:
13.01.2012 - Vendor is notified
13.01.2012 - Vendor gets vulnerability details

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
125

Discovered by: Kirill Mosolov, Maxim Tsoy, Positive Research Center (Positive Technologies Company)


PT-2012-02 - Cisco

Vulnerability status: Unpatched

Timeline:
13.01.2012 - Vendor is notified
13.01.2012 - Vendor gets vulnerability details

Severity: High (9.0)
(AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
125

Discovered by: Kirill Mosolov, Maxim Tsoy, Positive Research Center (Positive Technologies Company)


PT-2012-01 - Cisco

Vulnerability status: Unpatched

Timeline:
13.01.2012 - Vendor is notified
13.01.2012 - Vendor gets vulnerability details

Severity: High (7.1)
(AV:N/AC:M/Au:N/C:N/I:C/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
125

Discovered by: Kirill Mosolov, Maxim Tsoy, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-48

Vendor: AtMail

Product:
AtMail

Exploitation vector: Remote

Severity: High (9.0)
(AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 06 december, 2011

Fix issued: 26-03-2012



Discovered by: Sergey Scherbel, Positive Research Center (Positive Technologies Company)


PT-2011-47 - SAP

Vulnerability status: Patched

Timeline:
02.12.11 - Vendor is notified
02.12.11 - Vendor gets vulnerability details
08.05.12 - Vendor releases fixed version and details

Severity: Medium (7.8)
(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
167

Discovered by: Vladimir Zarichny, Positive Research Center (Positive Technologies Company)


PT-2011-46 - SAP

Vulnerability status: Unpatched

Timeline:
02.12.11 - Vendor is notified
02.12.11 - Vendor gets vulnerability details

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
167

Discovered by: Ilya Smith, Maxim Tsoy, Kirill Mosolov, Evgeny Ryzhov, Positive Research Center (Positive Technologies Company)


PT-2011-45 - SAP

Vulnerability status: Patched

Timeline:
02.12.11 - Vendor is notified
02.12.11 - Vendor gets vulnerability details
08.05.12 - Vendor releases fixed version and details

Severity: Medium (7.8)
(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
167

Discovered by: Vladimir Zarichny, Positive Research Center (Positive Technologies Company)


PT-2011-44 - SAP

Vulnerability status: Patched

Timeline:
02.12.11 - Vendor is notified
02.12.11 - Vendor gets vulnerability details
08.05.12 - Vendor releases fixed version and details

Severity: Medium (7.8)
(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
167

Discovered by: Vladimir Zarichny, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-43

Vendor: Kayako

Product:
Kayako Fusion

Exploitation vector: Remote

Severity: Medium (6.5)
(AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 25 november, 2011

Fix issued: 25-11-2011



Discovered by: Yuri Goltsev, Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


PT-2011-42 - Citrix

Vulnerability status: Unpatched

Timeline:
10.11.2011 - Vendor is notified
10.11.2011 - Vendor gets vulnerability details

Severity: High (7.1)
(AV:N/AC:M/Au:N/C:N/I:C/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
188

Discovered by: Kirill Mosolov, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-41

Vendor: Citrix

Product:
Citrix License Administration Console 11.9

Exploitation vector: Remote

Severity: Medium (4.9)
(AV:N/AC:H/Au:S/C:C/I:N/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 11 november, 2011

Fix issued: 13-03-2012



Discovered by: Maxim Tsoy, Kirill Mosolov, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-40

Vendor: Citrix

Product:
Citrix License Administration Console 11.9

Exploitation vector: Remote

Severity: High (7.1)
(AV:N/AC:M/Au:N/C:N/I:C/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 11 november, 2011

Fix issued: 13-03-2012



Discovered by: Maxim Tsoy, Kirill Mosolov, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-39

Vendor: Citrix

Product:
Citrix XenServer-6.0.0 WLB

Exploitation vector: Remote

Severity: High (7.8)
(AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 11 november, 2011

Fix issued: 13-03-2012



Discovered by: Kirill Mosolov, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-38

Vendor: Citrix

Product:
Citrix XenServer Virtual Switch Controller 6.0.x

Exploitation vector: Remote

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 11 november, 2011

Fix issued: 13-03-2012



Discovered by: Kirill Mosolov, Maxim Tsoy, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-37

Vendor: Citrix

Product:
Citrix XenServer Virtual Switch Controller 6.0.x

Exploitation vector: Remote

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 11 november, 2011

Fix issued: 13-03-2012



Discovered by: Maxim Tsoy, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-36

Vendor: Citrix

Product:
Citrix XenServer Virtual Switch Controller 6.0.x

Exploitation vector: Local

Severity: High (9.0)
(AV:N/AC:L/Au:S/C:C/I:C/A:C)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 11 november, 2011

Fix issued: 13-03-2012



Discovered by: Maxim Tsoy, Kirill Mosolov, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-35

Vendor: Citrix

Product:
Citrix XenServer Virtual Switch Controller 6.0.x

Exploitation vector: Remote

Severity: High (7.1)
(AV:N/AC:M/Au:N/C:N/I:C/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 11 november, 2011

Fix issued: 13-03-2012



Discovered by: Maxim Tsoy, Positive Research Center (Positive Technologies Company)


PT-2011-34 - Citrix

Vulnerability status: Unpatched

Timeline:
10.11.2011 - Vendor is notified
10.11.2011 - Vendor gets vulnerability details

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
188

Discovered by: Maxim Tsoy, Positive Research Center (Positive Technologies Company)


PT-2011-33 - Citrix

Vulnerability status: Unpatched

Timeline:
10.11.2011 - Vendor is notified
10.11.2011 - Vendor gets vulnerability details

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
188

Discovered by: Ilya Smith, Maxim Tsoy, Positive Research Center (Positive Technologies Company)


PT-2011-32 - Citrix

Vulnerability status: Unpatched

Timeline:
10.11.2011 - Vendor is notified
10.11.2011 - Vendor gets vulnerability details

Severity: Medium (4.9)
(AV:N/AC:H/Au:S/C:C/I:N/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
188

Discovered by: Kirill Mosolov, Positive Research Center (Positive Technologies Company)


PT-2011-31 - Citrix

Vulnerability status: Unpatched

Timeline:
10.11.2011 - Vendor is notified
10.11.2011 - Vendor gets vulnerability details

Severity: High (7.1)
(AV:N/AC:M/Au:N/C:N/I:C/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
188

Discovered by: Maxim Tsoy, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-30

Vendor: D-Link

Product:
D-Link DIR-300

Exploitation vector: Remote

Severity: Medium (6.8)
(AV:N/AC:L/Au:S/C:C/I:N/A:N)

CVE ID: CVE-2011-4723

Vulnerability status: Patched

Advisory published: 09 september, 2011

Fix issued: 19-09-2011



Discovered by: Sergey Scherbel, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-29

Vendor: D-Link

Product:
D-Link DIR-300

Exploitation vector: Remote

Severity: High (10.0)
(AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 09 september, 2011

Fix issued: 19-09-2011



Discovered by: Sergey Scherbel, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-27

Vendor: Cisco

Product:
Cisco Secure ACS 5.x

Exploitation vector: Remote

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2011-3317

Vulnerability status: Patched

Advisory published: 28 july, 2011

Fix issued: 13-02-2012



Discovered by: Maxim Tsoy, Yuriy Goltsev, Alexander Zaitsev and Evgeniy Tolmachev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-26

Vendor: Cisco

Product:
Cisco Secure ACS 5.x

Exploitation vector: Remote

Severity: Medium (6.8)
(AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE ID: CVE-2011-3293

Vulnerability status: Patched

Advisory published: 19 july, 2011

Fix issued: 13-02-2012



Discovered by: Maxim Tsoy, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-25

Vendor: Support Incident Tracker

Product:
Support Incident Tracker 3.x

Exploitation vector: Remote

Severity: High (6.5)
(AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 13 july, 2011

Fix issued: 17-07-2011



Discovered by: Yuri Goltsev, Positive Research Center (Positive Technologies Company)


PT-2011-24 - Arbor Networks

Vulnerability status: Unpatched

Timeline:
12.07.2011 - Vendor is notified
19.07.2011 - Vendor gets vulnerability details

Severity: High (6.8)
(AV:N/AC:L/Au:S/C:N/I:N/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
310

Discovered by: Dmitriy Gutsko, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-23

Vendor: GLPI

Product:
GLPI 0.x

Exploitation vector: Remote

Severity: Medium (6.5)
(AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 11 july, 2011

Fix issued: 21-07-2011



Discovered by: Yuri Goltsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-21

Vendor: OneOrZero

Product:
OneOrZero AIMS 2.x

Exploitation vector: Remote

Severity: High (7.5)
(AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE ID: N/A

Vulnerability status: Unpatched

Advisory published: 08 july, 2011



Discovered by: Yuri Goltsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-20

Vendor: OneOrZero

Product:
OneOrZero AIMS 2.x

Exploitation vector: Remote

Severity: High (7.5)
(AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE ID: N/A

Vulnerability status: Unpatched

Advisory published: 08 july, 2011



Discovered by: Yuri Goltsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-19

Vendor: Help Request System

Product:
Help Request System 1.x

Exploitation vector: Remote

Severity: High (7.5)
(AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 07 july, 2011

Fix issued: 16-07-2011



Discovered by: Yuri Goltsev, Positive Research Center (Positive Technologies Company)


PT-2011-18 - Arbor Networks

Vulnerability status: Unpatched

Timeline:
01.07.2011 - Vendor is notified
19.07.2011 - Vendor gets vulnerability details

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
321

Discovered by: Maxim Tsoy, Positive Research Center (Positive Technologies Company)


PT-2011-17 - Arbor Networks

Vulnerability status: Unpatched

Timeline:
01.07.2011 - Vendor is notified
19.07.2011 - Vendor gets vulnerability details

Severity: Medium (7.0)
(AV:N/AC:M/Au:S/C:C/I:P/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
321

Discovered by: Maxim Tsoy, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-16

Vendor: Mozilla

Product:
Mozilla Firefox 3.6.x
Mozilla Firefox 4.0.x
Mozilla Firefox 5.x
Mozilla Firefox 6.0.x
Mozilla Firefox 7.x

Exploitation vector: Remote

Severity: Low (5)
(AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: N/A

Vulnerability status: Unpatched

Advisory published: 29 june, 2011



Discovered by: Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


PT-2011-15 - BoonEx

Vulnerability status: Unpatched

Timeline:
29.06.2011 - Vendor is notified
01.07.2011 - Vendor gets vulnerability details
23.08.2011 - Vulnerability details were sent to CERT

Severity: High (7.1)
(AV:N/AC:H/Au:S/C:C/I:C/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
323

Discovered by: Yuri Goltsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-14

Vendor: BoonEx

Product:
Dolphin 6.x

Exploitation vector: Remote

Severity: High (7.5)
(AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE ID: N/A

Vulnerability status: Unpatched

Advisory published: 29 june, 2011



Discovered by: Yuri Goltsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-22

Vendor: Adobe Systems

Product:
Adobe Flash Player 10.x

Exploitation vector: Remote

Severity: High (10)
(AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVE ID: CVE-2011-2137

Vulnerability status: Patched

Advisory published: 28 june, 2011

Fix issued: 09-08-2011



Discovered by: Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-13

Vendor: ManageEngine ServiceDesk Plus 8.x

Product:
ManageEngine ServiceDesk Plus 8.x

Exploitation vector: Remote

Severity: Medium (6.5)
(AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 24 june, 2011

Fix issued: 29-03-2012



Discovered by: Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-12

Vendor: ManageEngine ServiceDesk Plus 8.x

Product:
ManageEngine ServiceDesk Plus 8.x

Exploitation vector: Remote

Severity: Medium (6.3)
(AV:N/AC:M/Au:S/C:C/I:N/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 24 june, 2011

Fix issued: 29-11-2011



Discovered by: Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


PT-2011-11 - ManageEngine ServiceDesk Plus 8.x

Vulnerability status: Patched

Timeline:
24.06.2011 - Vendor is notified
28.06.2011 - Vendor gets vulnerability details
13.10.2011 - Vendor releases fixed version and details

Severity: High (7.8)
(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
328

Discovered by: Dmitry Evteev, Positive Research Center (Positive Technologies Company)


PT-2011-10 - ManageEngine ServiceDesk Plus 8.x

Vulnerability status: Unpatched

Timeline:
24.06.2011 - Vendor is notified
28.06.2011 - Vendor gets vulnerability details

Severity: High (8.5)
(AV:N/AC:M/Au:S/C:C/I:C/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
328

Discovered by: Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-09

Vendor: ManageEngine ServiceDesk Plus 8.x

Product:
ManageEngine ServiceDesk Plus 8.x

Exploitation vector: Remote

Severity: High (8.5)
(AV:N/AC:M/Au:S/C:C/I:C/A:C)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 24 june, 2011

Fix issued: 29-03-2012



Discovered by: Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-08

Vendor: D-Link

Product:
D-Link DPH 150s IP Phone

Exploitation vector: Remote

Severity: High (9.7)
(AV:N/AC:L/Au:N/C:P/I:C/A:C)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 24 june, 2011

Fix issued: 20-07-2011



Discovered by: Alexander Zaitsev, Gleb Gritsai and Yuri Goltsev, Positive Research Center (Positive Technologies Company)


PT-2011-07 - Cisco

Vulnerability status: Unpatched

Timeline:
23.06.2011 - Vendor is notified
24.06.2011 - Vendor gets vulnerability details

Severity: Medium (5.0)
(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
329

Discovered by: Alexander Zaitsev and Gleb Gritsai, Positive Research Center (Positive Technologies Company)


PT-2011-06 - VMWare

Vulnerability status: Unpatched

Timeline:
20.06.2011 - Vendor is notified
24.06.2011 - Vendor gets vulnerability details

Severity: Medium (5.8)
(AV:N/AC:M/Au:N/C:N/I:P/A:P)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
332

Discovered by: Denis Baranov, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-05

Vendor: Koha Library Software

Product:
Koha 3.x

Exploitation vector: Remote

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 31 may, 2011

Fix issued: 19-06-2011



Discovered by: Yuriy Goltsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-04

Vendor: Kayako Web Solutions

Product:
Kayako SupportSuite 3.x

Exploitation vector: Remote

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 30 may, 2011

Fix issued: 25-08-2011



Discovered by: Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-03

Vendor: Kayako Web Solutions

Product:
Kayako SupportSuite 3.x

Exploitation vector: Remote

Severity: Low (5.0)
(AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 30 may, 2011

Fix issued: 25-08-2011



Discovered by: Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-02

Vendor: Kayako Web Solutions

Product:
Kayako SupportSuite 3.x

Exploitation vector: Remote

Severity: High (6.5)
(AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 30 may, 2011

Fix issued: 25-08-2011



Discovered by: Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


Identifier: PT-2011-01

Vendor: Kayako Web Solutions

Product:
Kayako SupportSuite 3.x

Exploitation vector: Remote

Severity: Medium (4.3)
(AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 30 may, 2011

Fix issued: 25-08-2011



Discovered by: Yuriy Goltsev, Positive Research Center (Positive Technologies Company)


PT-2010-11 - IrisvisiaCMS

Vulnerability status: Unpatched

Timeline:
11.09.2010 - Sent email to vendor

Severity: High (10.0)
(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
555

Discovered by: Yuri Goltsev, Positive Research


PT-2010-09 - Newton CMS

Vulnerability status: Unpatched

Timeline:
10.09.2010 - vendor notified
11.09.2010 - Status request sent

Severity: Medium (6.4)
(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
615

Discovered by: Yuri Goltsev, Positive Research


PT-2010-05 - OpenSSL Project

Vulnerability status: Unpatched

Timeline:
09/07/2010 - Vendor notified

Severity: Medium (6.4)
(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
618

Discovered by: Sergey Rublev, Positive Research


PT-2010-08 - Quantum Art

Vulnerability status: Unpatched

Timeline:
08.19.2010 - Vendor notified
11.09.2010 - Status request sent

Severity: Medium (6.4)
(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Exploitation vector: Remote


Days sinse vendor notification:


30
60
637

Discovered by: Dmitry Evteev, Positive Research


PT-2009-44: Multiple vulnerabilities in Kayako Support Suite - Kayako

Vulnerability status: Unpatched

Timeline:
10/12/2009 - Vendor notified
10/13/2009 - Vendor response

Severity: Medium (6.4)
AV:N/AC:H/Au:M/C:C/I:C/A:P

Exploitation vector: Remote


Days sinse vendor notification:


30
60
947

Discovered by: Timur Yunusov, Positive Research


Identifier: PT-2009-43

Vendor: Kayako

Product:
Kayako SupportSuite 3.x

Exploitation vector: Remote

Severity: Low (4.3)
AV:N/AC:M/Au:N/C:P/I:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 13 october, 2009

Fix issued: 12-03-2010



Discovered by: Timur Yunusov, Positive Research


Identifier: PT-2009-42

Vendor: Kayako

Product:
Kayako SupportSuite 3.x

Exploitation vector: Remote

Severity: Medium (7.0)
AV:N/AC:M/Au:S/C:C/I:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 13 october, 2009

Fix issued: 09-02-2010



Discovered by: Timur Yunusov, Positive Research


Identifier: PT-2009-41

Vendor: Kayako

Product:
Kayako SupportSuite 3.x

Exploitation vector: Remote

Severity: Low (6.4)
AV:N/AC:L/Au:N/C:P/I:N/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 13 october, 2009

Fix issued: 12-03-2010



Discovered by: Timur Yunusov, Positive Research


Identifier: PT-2009-40

Vendor: Atlassian

Product:
JIRA 3.13.4

Exploitation vector: Remote

Severity: Low (0.0)
(AV:N/AC:L/Au:N/C:N/I:N/A:N/E:P/RL:W/RC:C)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 02 june, 2009

Fix issued: 24-06-2009



Discovered by: Dmitry Evteev, Positive Research


PT-2009-39 - Avaya

Vulnerability status: Unpatched

Timeline:
04.08.2009 - Vendor notified 04.13.2009 - Vendor response 04.14.2009 - Sent detail information

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1133

Discovered by: Nikita Tarakanov, Positive Research


PT-2009-38 - Citrix

Vulnerability status: Unpatched

Timeline:
04.10.2009 - Vendor notified 04.16.2009 - Vendor response 04.16.2009 - Sent detail information

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1133

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-37 - Cisco

Vulnerability status: Unpatched

Timeline:
04.10.2009 - Vendor notified

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1133

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-36

Product:
Neo CMS

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 27 march, 2009

Fix issued: 27-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-32 Cross-Site Scripting Vulnerability - N/A

Vulnerability status: Unpatched

Timeline:
03/25/2009 - Vendor is notified
03/25/2009 - Vendor response

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitation vector: Remote


Days sinse vendor notification:


30
60
1149

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-35: SQL Injection Vulnerability - N/A

Vulnerability status: Unpatched

Timeline:
03/25/2009 - Vendor is notified
03/26/2009 - Vendor response

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days sinse vendor notification:


30
60
1149

Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-34

Product:
AKmedia CMS

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 25 march, 2009

Fix issued: 26-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-33

Product:
iNTERNET.cms

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 25 march, 2009

Fix issued: 18-05-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-29

Product:
Tribiq CMS 5.0.11

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 24 march, 2009

Fix issued: 29-09-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-28: SQL Injection Vulnerability - N/A

Vulnerability status: Unpatched

Timeline:
03/24/2009 - Vendor is notified
03/24/2009 - Vendor response

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days sinse vendor notification:


30
60
1150

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-27: Multiple Vulnerabilities - Huberspace

Vulnerability status: Unpatched

Timeline:
03/24/2009 - Vendor notified

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days sinse vendor notification:


30
60
1150

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-30: Multiple Vulnerabilities - N/A

Vulnerability status: Patched

Timeline:
03.12.2009 - Vendor notified
no response
03.24.2009 - Second notification

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days sinse vendor notification:


30
60
1162

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-31: Multiple Vulnerabilities - N/A

Vulnerability status: Unpatched

Timeline:
03.11.2009 - Vendor notified
no response
03.24.2009 - Second notification

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days sinse vendor notification:


30
60
1163

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-26 Cross-Site Scripting Vulnerability - Cupid Systems

Vulnerability status: Unpatched

Timeline:
03/11/2009 - Vendor is notified
03/11/2009 - Vendor response
03/24/2009 - Requested status update from vendor

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitation vector: Remote


Days sinse vendor notification:


30
60
1163

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-25: Multiple Vulnerabilities - N/A

Vulnerability status: Unpatched

Timeline:
03/11/2009 - Vendor notified
03/11/2009 - Vendor response
03/24/2009 - Requested status update from vendor

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days sinse vendor notification:


30
60
1163

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-19 - Cisco

Vulnerability status: Unpatched

Timeline:
03.10.2009 - Vendor notified

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1164

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-24

Product:
ELDORADO CMS 3.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 04 march, 2009

Fix issued: 13-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-13

Product:
TinX/cms 3.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: CVE-2009-0825

Vulnerability status: Patched

Advisory published: 04 march, 2009

Fix issued: 05-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-23: Multiple Vulnerabilities - N/A

Vulnerability status: Unpatched

Timeline:
03/04/2009 - Vendor notified
03/04/2009 - Vendor response
03/04/2009 - Requested status update from vendor
03/24/2009 - Second requested status update from vendor

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days sinse vendor notification:


30
60
1170

Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-16

Product:
Subrion CMS 1.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 04 march, 2009

Fix issued: 25-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-12

Vendor: Umisoft

Product:
UMI.CMS 2.x

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 04 march, 2009

Fix issued: 06-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-22

Product:
EXcms 2.x

Exploitation vector: Remote

Severity: Low (0.0)
AV:N/AC:L/Au:N/C:N/I:N/A:N

CVE ID: N/A

Vulnerability status: Unpatched

Advisory published: 03 march, 2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-15

Product:
Living CMS 1.x

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 03 march, 2009

Fix issued: 11-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-14

Product:
BLOG:CMS 4.x

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 03 march, 2009

Fix issued: 03-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-21

Product:
CMS.Pilot 1.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Unpatched

Advisory published: 02 march, 2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-20

Product:
A.CMS 1.x

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 02 march, 2009

Fix issued: 04-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-18

Product:
Cetera CMS

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 02 march, 2009

Fix issued: 24-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-17

Product:
ABO.CMS 5.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 02 march, 2009

Fix issued: 05-04-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-11

Vendor: SlySoft

Product:
AnyDVD 6.x
Virtual CloneDrive 5.x
CloneDVD 2.x
CloneCD 5.x

Exploitation vector: Local

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

CVE ID: CVE-2009-0824

Vulnerability status: Patched

Advisory published: 11 february, 2009

Fix issued: 06-03-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-09

Vendor: Trend Micro

Product:
Trend Micro Internet Security Pro 2009
Trend Micro Internet Security 2008
Trend Micro Internet Security Pro 2008

Exploitation vector: Local

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

CVE ID: CVE-2009-0686

Vulnerability status: Unpatched

Advisory published: 04 february, 2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-08 - Sunbelt Software

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
no response
02.12.2009 - Second notification
no response

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1198

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-07 - PC Tools

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.11.2009 - Vendor replied
02.24.2009 - Sent detailed information

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1198

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-06 - F-Secure

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.11.2009 - Vendor replied
02.16.2009 - Sent detailed information
02.16.2009 - Vendor replied

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1198

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-05

Vendor: Computer Associates (CA)

Product:
CA Internet Security Suite Plus 2009
CA Internet Security Suite Plus 2008
CA Internet Security Suite 2007

Exploitation vector: Local

Severity: Medium (4.9)
AV:L/AC:L/Au:N/C:N/I:N/A:C

CVE ID: CVE-2009-0682

Vulnerability status: Patched

Advisory published: 04 february, 2009

Fix issued: 18-08-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-04 - Tall Emu

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.04.2009 - Vendor replied
02.04.2009 - Sent detailed information

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1198

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-03 - Tall Emu

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.04.2009 - Vendor replied
02.04.2009 - Sent detailed information

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1198

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-02 - Tall Emu

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.04.2009 - Sent detailed information

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1198

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-01

Vendor: PGP

Product:
PGP Corporate Desktop 9.x

Exploitation vector: Local

Severity: Medium (6.2)
AV:L/AC:H/Au:N/C:C/I:C/A:C

CVE ID: CVE-2009-0681

Vulnerability status: Patched

Advisory published: 04 february, 2009

Fix issued: 02-04-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2008-09

Vendor: Microsoft

Product:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Storage Server 2003
Microsoft Windows Vista

Exploitation vector: Local

Severity: High (7.2)
AV:L/AC:M/Au:S/C:C/I:C/A:C

CVE ID: CVE-2009-1922

Vulnerability status: Patched

Advisory published: 19 november, 2008

Fix issued: 11-08-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2008-08 - Microsoft

Vulnerability status: Unpatched

Timeline:
11.19.2008 - Vendor notified
11.21.2008 - Vendor replied

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1275

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2008-07

Vendor: VMWare

Product:
VMware Workstation 6.x
VMWare Player 2.x
VMWare ACE 2.x
VMware Server 2.x

Exploitation vector: Local

Severity: Medium (4.4)
AV:L/AC:M/Au:S/C:N/I:N/A:C

CVE ID: CVE-2009-1146

Vulnerability status: Patched

Advisory published: 14 october, 2008

Fix issued: 31-03-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2008-06 VMware Multiple Products Denial of Service Vulnerability - VMWare

Vulnerability status: Patched

Timeline:
10.14.2008 - Vendor notified
10.16.2008 - Vendor replied
10.16.2008 - Sent detailed information
05.28.2009 - Vendor releases fixed version and details

Severity: Medium (4.4)
AV:L/AC:M/Au:S/C:N/I:N/A:C

Exploitation vector: Local


Days sinse vendor notification:


30
60
1311

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2008-05

Vendor: VMWare

Product:
VMware Workstation 6.x
VMWare Player 2.x
VMware Server 2.x
VMWare ACE 2.x

Exploitation vector: Local

Severity: Medium (6.6)
AV:L/AC:M/Au:S/C:C/I:C/A:C

CVE ID: CVE-2009-1147

Vulnerability status: Patched

Advisory published: 14 october, 2008

Fix issued: 03-04-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Cisco Security Advisory: Cisco Security Agent Remote Code Execution Vulnerabilities

Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to ...

27 october, 2011

Cisco Security Advisory: Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras

A denial of service (DoS) vulnerability exists in the Cisco Video Surveillance IP Cameras 24 ...

27 october, 2011

Cisco Security Advisory: Cisco Unified Contact Center Express Directory Traversal Vulnerability

Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive ...

27 october, 2011

MS12-035: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2693777)

This security update resolves two privately reported vulnerabilities in the .NET Framework.

09 may, 2012

MS12-034: Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578)

This security update resolves three publicly disclosed vulnerabilities and seven privately reported ...

08 may, 2012

MS12-033: Vulnerability in Windows Partition Manager Could Allow Elevation of Privilege (2690533)

This security update resolves a privately reported vulnerability in Microsoft Windows.

08 may, 2012

This Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product

This Sun Alert covers CVE-2010-0896 for the mail component of the Sun Convergence product.

14 april, 2010

This Alert Covers CVE-2010-0893 for the Mail Component of the Sun Convergence Product

This Alert covers CVE-2010-0893 for the mail component of the Sun Convergence product.

14 april, 2010

SunOS 5.10_x86: ucode driver patch

6905530 processor microcode code can panic when retrieving microcode revision.

02 february, 2010