CVE List
| Id | CVE No. | Status | Description | Phase | Votes | Comments | Actions |
|---|---|---|---|---|---|---|---|
| 2966 | CVE-2001-0145 | Candidate | Buffer overflow in VCard handler in Outlook 2000 and 98, and Outlook Express 5.x, allows an attacker to execute arbitrary commands via a malformed vCard birthday field. | Proposed (20010404) | ACCEPT(4) Baker, Balinsky, Cole, Wall | MODIFY(1) Frech | REVIEWING(3) Bishop, Christey, Ziese | Christey> In a post to Bugtraq, Joel Moses notes that this is a | duplicate of CVE-2000-0756: | http://marc.theaimsgroup.com/?l=bugtraq&m=98322714210100&w=2 | | As of this writing, it is not certain which candidate | should be preferred: the candidate that has been publicly | known longer (i.e. CVE-2000-0756), or the more "official" | candidate, which has probably been publicized more (i.e. | CVE-2001-0145). | Balinsky> It seems that this is a more specific case of | CVE-2000-0756. The reference for 2000-0756 states that there is a | buffer overflow in the birthday AND the e-mail field, as well as other | suspected fields. As this current candidate only addresses the | birthday field, it seems that there are likely different lines of code | involved. | Microsoft is not specific about what specifically the patch | addresses. It is possible that the other overflows in 2000-0756 are | still vulnerable and that the @stake group just didn"t bother to test | them. | We will not know the answer until someone retests those other | fields to see if they are still vulnerable. | If they are, then 2000-0756 might deserve being split up. | Frech> XF:outlook-vcard-dos(5175) | Christey> Consider adding BID:2459 | View |
| 1738 | CVE-2000-0160 | Candidate | The Microsoft Active Setup ActiveX component in Internet Explorer 4.x and 5.x allows a remote attacker to install software components without prompting the user by stating that the software"s manufacturer is Microsoft. | Modified (20000321-01) | ACCEPT(4) Baker, LeBlanc, Levy, Wall | MODIFY(1) Frech | NOOP(1) Cole | REVIEWING(1) Christey | Christey> In a followup to Bugtraq, Juan Carlos Cuartango makes some | clarifications, specifically that the code that is executed | *must* be signed by Microsoft. | | See BUGTRAQ:20000222 MS signed softwrare privileges | | Microsoft sends some followups, including a statement that it | will include notification. | | The question is, does this belong in CVE? There is no known | means of exploitation; on the other hand, it is related | to privacy concerns. Several posts to the Bugtraq list | indicate that some people believe that unprompted installation | is a significant concern. | Frech> XF:win-active-setup | Levy> BID 999 | | I do consider this vulnerability as it allows a malicious web page | to install *old* and *vulnerable* components signed by microsoft. | LeBlanc> Fixed in MS00-042 | Christey> BID:999 | Also add XF:ie-active-setup-download ? | View |
| 5857 | CVE-2002-1473 | Candidate | Multiple buffer overflows in lp subsystem for HP-UX 10.20 through 11.11 (11i) allow local users to cause a denial of service and possibly execute arbitrary code. | Proposed (20030317) | ACCEPT(3) Armstrong, Cole, Green | NOOP(1) Cox | REVIEWING(1) Christey | Christey> In 2003, the "disable" command was reported to have a | vuln. that was fixed by the HP advisory in this candidate: | | BUGTRAQ:20030213 HPUX disable buffer overflow vulnerability | URL:http://www.securityfocus.com/archive/1/311791 | | BUGTRAQ:20030214 HPUX disable buffer overflow vulnerability | URL:http://www.securityfocus.com/archive/1/311915 | | Should CVE-2002-1473 be updated to include this later-reported | issue? Or should it gets its own ID? | View |
| 2519 | CVE-2000-0950 | Candidate | Format string vulnerability in x-gw in TIS Firewall Toolkit (FWTK) allows local users to execute arbitrary commands via a malformed display name. | Proposed (20001129) | ACCEPT(4) Baker, Cole, Frech, Mell | NOOP(1) Renaud | REVIEWING(1) Christey | Christey> I thought I saw some mailing list that questioned whether this | problem was only a DoS... | View |
| 4395 | CVE-2002-0001 | Candidate | Vulnerability in RFC822 address parser in mutt before 1.2.5.1 and mutt 1.3.x before 1.3.25 allows remote attackers to execute arbitrary commands via an improperly terminated comment or phrase in the address list. | Modified (20050707) | ACCEPT(4) Baker, Cole, Green, Wall | MODIFY(1) Frech | NOOP(2) Christey, Foat | Christey> I need to review this for accuracy; is it just a buffer | overflow? See Mark Cox" comments in his "Chinese Whisper" | article. | Frech> XF:mutt-address-handling-bo(7759) | Christey> See Caldera advisory for a good, short description of the | issue. | BID:3774 | URL:http://www.securityfocus.com/bid/3774 | SUSE:SuSE-SA:2002:001 | URL:http://www.suse.de/de/support/security/2002_001_mutt_txt.html | CONECTIVA:CLA-2002:449 | DEBIAN:DSA-096 | FREEBSD:FreeBSD-SA-02:04 | HP:HPSBTL0201-011 | URL:http://online.securityfocus.com/advisories/3778 | CALDERA:CSSA-2002-002.0 | URL:http://www.calderasystems.com/support/security/advisories/CSSA-2002-002.0.txt | View |
Page 305 of 20943, showing 5 records out of 104715 total, starting on record 1521, ending on 1525
