Research Lab

Positive Technologies Research Team and SecurityLab are willing to cooperate with independent researchers in analyzing discovered vulnerabilities, contacting software vendors, and handling the CVE number reservation process. The vulnerabilities will be published in the "Laboratory" and PT-advisory sections. The researchers' names will be preserved.

Our disclosure policy: en.securitylab.ru/lab/disclosure-policy.php

PT-2009-44: Multiple vulnerabilities in Kayako Support Suite - Kayako

Vulnerability status: Unpatched

Timeline:
10/12/2009 - Vendor notified
10/13/2009 - Vendor response

Severity: Medium (6.4)
AV:N/AC:H/Au:M/C:C/I:C/A:P

Exploitation vector: Remote


Days since vendor notification: 153

Discovered by: Timur Yunusov, Positive Technologies Research Team


PT-2009-43: Session predictability in Kayako Support Suite - Kayako

Vulnerability status: Unpatched

Timeline:
10/12/2009 - Vendor notified
10/13/2009 - Vendor response

Severity: Low (4.3)
AV:N/AC:M/Au:N/C:P/I

Exploitation vector: Remote


Days since vendor notification: 153

Discovered by: Timur Yunusov, Positive Technologies Research Team


PT-2009-42: Cross-Site Request Forgery in Kayako Support Suite - Kayako

Vulnerability status: Unpatched

Timeline:
10/12/2009 - Vendor notified
10/13/2009 - Vendor response

Severity: Medium (7.0)
AV:N/AC:M/Au:S/C:C/I:P

Exploitation vector: Remote


Days since vendor notification: 153

Discovered by: Timur Yunusov, Positive Technologies Research Team


PT-2009-41: Multiple vulnerabilities in Kayako Support Suite - Kayako

Vulnerability status: Unpatched

Timeline:
10/12/2009 - Vendor notified
10/13/2009 - Vendor response

Severity: Low (6.4)
AV:N/AC:L/Au:N/C:P/I:N/A:P

Exploitation vector: Remote


Days since vendor notification: 153

Discovered by: Timur Yunusov, Positive Technologies Research Team


Identifier: PT-2009-40

Vendor: Atlassian

Product:
JIRA 3.13.4

Exploitation vector: Remote

Severity: Low (0.0)
(AV:N/AC:L/Au:N/C:N/I:N/A:N/E:P/RL:W/RC:C)

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 02 June, 2009

Fix issued: 24-06-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-39 - Avaya

Vulnerability status: Unpatched

Timeline:
04.08.2009 - Vendor notified
04.13.2009 - Vendor response
04.14.2009 - Sent detailed information

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitation vector: Local


Days since vendor notification: 339

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-38 - Citrix

Vulnerability status: Unpatched

Timeline:
04.10.2009 - Vendor notified
04.16.2009 - Vendor response
04.16.2009 - Sent detailed information

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days since vendor notification: 339

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-37 - Cisco

Vulnerability status: Unpatched

Timeline:
04.10.2009 - Vendor notified

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitation vector: Local


Days since vendor notification: 339

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-36

Product:
Neo CMS

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 27 March, 2009

Fix issued: 27-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-32 Cross-Site Scripting Vulnerability - N/A

Vulnerability status: Unpatched

Timeline:
03/25/2009 - Vendor is notified
03/25/2009 - Vendor response

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitation vector: Remote


Days since vendor notification: 355

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-35: SQL Injection Vulnerability - N/A

Vulnerability status: Unpatched

Timeline:
03/25/2009 - Vendor is notified
03/26/2009 - Vendor response

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days since vendor notification: 355

Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-34

Product:
AKmedia CMS

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 25 March, 2009

Fix issued: 26-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-33

Product:
iNTERNET.cms

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 25 March, 2009

Fix issued: 18-05-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-29

Product:
Tribiq CMS 5.0.11

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 24 March, 2009

Fix issued: 29-09-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-28: SQL Injection Vulnerability - N/A

Vulnerability status: Unpatched

Timeline:
03/24/2009 - Vendor is notified
03/24/2009 - Vendor response

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days since vendor notification: 356

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-27: Multiple Vulnerabilities - Huberspace

Vulnerability status: Unpatched

Timeline:
03/24/2009 - Vendor notified

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days since vendor notification: 356

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-30: Multiple Vulnerabilities - N/A

Vulnerability status: Patched

Timeline:
03.12.2009 - Vendor notified
no response
03.24.2009 - Second notification

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days since vendor notification: 368

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-31: Multiple Vulnerabilities - N/A

Vulnerability status: Unpatched

Timeline:
03.11.2009 - Vendor notified
no response
03.24.2009 - Second notification

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days since vendor notification: 369

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-26 Cross-Site Scripting Vulnerability - Cupid Systems

Vulnerability status: Unpatched

Timeline:
03/11/2009 - Vendor is notified
03/11/2009 - Vendor response
03/24/2009 - Requested status update from vendor

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitation vector: Remote


Days since vendor notification: 369

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-25: Multiple Vulnerabilities - N/A

Vulnerability status: Unpatched

Timeline:
03/11/2009 - Vendor notified
03/11/2009 - Vendor response
03/24/2009 - Requested status update from vendor

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days since vendor notification: 369

Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-19 - Cisco

Vulnerability status: Unpatched

Timeline:
03.10.2009 - Vendor notified

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitation vector: Local


Days since vendor notification: 370

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-24

Product:
ELDORADO CMS 3.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 04 March, 2009

Fix issued: 13-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-13

Product:
TinX/cms 3.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: CVE-2009-0825

Vulnerability status: Patched

Advisory published: 04 March, 2009

Fix issued: 05-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


PT-2009-23: Multiple Vulnerabilities - N/A

Vulnerability status: Unpatched

Timeline:
03/04/2009 - Vendor notified
03/04/2009 - Vendor response
03/04/2009 - Requested status update from vendor
03/24/2009 - Second requested status update from vendor

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation vector: Remote


Days since vendor notification: 376

Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-16

Product:
Subrion CMS 1.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 04 March, 2009

Fix issued: 25-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-12

Vendor: Umisoft

Product:
UMI.CMS 2.x

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 04 March, 2009

Fix issued: 06-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-22

Product:
EXcms 2.x

Exploitation vector: Remote

Severity: Low (0.0)
AV:N/AC:L/Au:N/C:N/I:N/A:N

CVE ID: N/A

Vulnerability status: Unpatched

Advisory published: 03 March, 2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-15

Product:
Living CMS 1.x

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 03 March, 2009

Fix issued: 11-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-14

Product:
BLOG:CMS 4.x

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 03 March, 2009

Fix issued: 03-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-21

Product:
CMS.Pilot 1.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Unpatched

Advisory published: 02 March, 2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-20

Product:
A.CMS 1.x

Exploitation vector: Remote

Severity: Medium (4.3)
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 02 March, 2009

Fix issued: 04-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-18

Product:
Cetera CMS

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 02 March, 2009

Fix issued: 24-03-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-17

Product:
ABO.CMS 5.x

Exploitation vector: Remote

Severity: High (7.5)
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVE ID: N/A

Vulnerability status: Patched

Advisory published: 02 March, 2009

Fix issued: 05-04-2009



Discovered by: Dmitry Evteev, Positive Technologies Research Team


Identifier: PT-2009-11

Vendor: SlySoft

Product:
AnyDVD 6.x
Virtual CloneDrive 5.x
CloneDVD 2.x
CloneCD 5.x

Exploitation vector: Local

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

CVE ID: CVE-2009-0824

Vulnerability status: Patched

Advisory published: 11 February, 2009

Fix issued: 06-03-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-09

Vendor: Trend Micro

Product:
Trend Micro Internet Security Pro 2009
Trend Micro Internet Security 2008
Trend Micro Internet Security Pro 2008

Exploitation vector: Local

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

CVE ID: CVE-2009-0686

Vulnerability status: Unpatched

Advisory published: 04 February, 2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-08 - Sunbelt Software

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
no response
02.12.2009 - Second notification
no response

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days since vendor notification: 404

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-07 - PC Tools

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.11.2009 - Vendor replied
02.24.2009 - Sent detailed information

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days since vendor notification: 404

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-06 - F-Secure

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.11.2009 - Vendor replied
02.16.2009 - Sent detailed information
02.16.2009 - Vendor replied

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days since vendor notification: 404

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-05

Vendor: Computer Associates (CA)

Product:
CA Internet Security Suite Plus 2009
CA Internet Security Suite Plus 2008
CA Internet Security Suite 2007

Exploitation vector: Local

Severity: Medium (4.9)
AV:L/AC:L/Au:N/C:N/I:N/A:C

CVE ID: CVE-2009-0682

Vulnerability status: Patched

Advisory published: 04 February, 2009

Fix issued: 18-08-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-04 - Tall Emu

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.04.2009 - Vendor replied
02.04.2009 - Sent detailed information

Severity: Medium (6.9)
AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitation vector: Local


Days since vendor notification: 404

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-03 - Tall Emu

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.04.2009 - Vendor replied
02.04.2009 - Sent detailed information

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days since vendor notification: 404

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2009-02 - Tall Emu

Vulnerability status: Unpatched

Timeline:
02.04.2009 - Vendor notified
02.04.2009 - Sent detailed information

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days since vendor notification: 404

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2009-01

Vendor: PGP

Product:
PGP Corporate Desktop 9.x

Exploitation vector: Local

Severity: Medium (6.2)
AV:L/AC:H/Au:N/C:C/I:C/A:C

CVE ID: CVE-2009-0681

Vulnerability status: Patched

Advisory published: 04 February, 2009

Fix issued: 02-04-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2008-09

Vendor: Microsoft

Product:
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Storage Server 2003
Microsoft Windows Vista

Exploitation vector: Local

Severity: High (7.2)
AV:L/AC:M/Au:S/C:C/I:C/A:C

CVE ID: CVE-2009-1922

Vulnerability status: Patched

Advisory published: 19 November, 2008

Fix issued: 11-08-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2008-08 - Microsoft

Vulnerability status: Unpatched

Timeline:
11.19.2008 - Vendor notified
11.21.2008 - Vendor replied

Severity: Medium (4.7)
AV:L/AC:M/Au:N/C:N/I:N/A:C

Exploitation vector: Local


Days since vendor notification: 481

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2008-07

Vendor: VMware

Product:
VMware Workstation 6.x
VMware Player 2.x
VMware ACE 2.x
VMware Server 2.x

Exploitation vector: Local

Severity: Medium (4.4)
AV:L/AC:M/Au:S/C:N/I:N/A:C

CVE ID: CVE-2009-1146

Vulnerability status: Patched

Advisory published: 14 October, 2008

Fix issued: 31-03-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


PT-2008-06 VMware Multiple Products Denial of Service Vulnerability - VMware

Vulnerability status: Patched

Timeline:
10.14.2008 - Vendor notified
10.16.2008 - Vendor replied
10.16.2008 - Sent detailed information
05.28.2009 - Vendor releases fixed version and details

Severity: Medium (4.4)
AV:L/AC:M/Au:S/C:N/I:N/A:C

Exploitation vector: Local


Days since vendor notification: 517

Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Identifier: PT-2008-05

Vendor: VMware

Product:
VMware Workstation 6.x
VMware Player 2.x
VMware Server 2.x
VMware ACE 2.x

Exploitation vector: Local

Severity: Medium (6.6)
AV:L/AC:M/Au:S/C:C/I:C/A:C

CVE ID: CVE-2009-1147

Vulnerability status: Patched

Advisory published: 14 October, 2008

Fix issued: 03-04-2009



Discovered by: Nikita Tarakanov, Positive Technologies Research Team


Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance

Cisco IronPort Encryption Appliance devices contain two vulnerabilities that allow remote, unauthent ...

11 February, 2010

Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) Pla ...

18 December, 2009

Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that co ...

23 November, 2009

MS10-017: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)

This security update resolves seven privately reported vulnerabilities in Microsoft Office Excel.

09 March, 2010

MS10-016: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)

This security update addresses a privately reported vulnerability in Windows Movie Maker and Microso ...

09 March, 2010

MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)

This security update resolves one publicly disclosed and one privately reported vulnerability in Mic ...

10 February, 2010

SunOS 5.10_x86: ucode driver patch

6905530 processor microcode code can panic when retrieving microcode revision.

02 February, 2010

Security Vulnerabilities in PostgreSQL Shipped With Solaris May Allow Escalation of Privileges or Man-in-the-Middle on SSL Connections

Multiple security vulnerabilities have been identified in the PostgreSQL software shipped with Solar ...

31 December, 2009

Directory Proxy Server Provided with Directory Server Enterprise Edition 6 is Subject to Denial of Service (DoS) and May Allow Unauthorized Access to Certain Data

Directory Proxy Server Provided with Directory Server Enterprise Edition 6 is Subject to Denial of S ...

31 December, 2009