Race condition in the NPObjWrapper_NewResolve function in modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla Firefox 3 before 3.0.11 might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for memory associated with a destroyed Java object.

Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 use the HTTP Host header to determine the context of a document provided in a non-200 CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack.

Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate local documents with external domain names located after the file:// substring in a URL, which allows user-assisted remote attackers to read arbitrary cookies via a crafted HTML document, as demonstrated by a URL with file://example.com/C:/ at the beginning.

Visual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp in Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 allows remote attackers to spoof the location bar via an IDN with invalid Unicode characters that are displayed as whitespace, as demonstrated by the \u115A through \u115E characters.

The JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) js_LeaveSharpObject, (2) ParseXMLSource, and (3) a certain assertion in jsinterp.c; and other vectors.

Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors involving "double frame construction."

Unspecified vulnerability in the PCNFSD dissector in Wireshark 0.8.20 through 1.0.7 allows remote attackers to cause a denial of service (crash) via crafted PCNFSD packets.

Mozilla Firefox 3.0.10 allows remote attackers to cause a denial of service (infinite loop, application hang, and memory consumption) via a KEYGEN element in conjunction with (1) a META element specifying automatic page refresh or (2) a JavaScript onLoad event handler for a BODY element. NOTE: it was later reported that earlier versions are also affected.

The SVG component in Mozilla Firefox 3.0.4 allows remote attackers to cause a denial of service (application hang) via a large value in the r (aka Radius) attribute of a circle element, related to an "unclamped loop."

Unspecified vulnerability in the VMware Descheduled Time Accounting driver in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745, VMware Fusion 2.x before 2.0.2 build 147997, VMware ESXi 3.5, and VMware ESX 3.0.2, 3.0.3, and 3.5, when the Descheduled Time Accounting Service is not running, allows guest OS users on Windows to cause a denial of service via unknown vectors.

Heap-based buffer overflow in aiff_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an AIFF file with an invalid header value.

mod/server.mod/servmsg.c in Eggheads Eggdrop and Windrop 1.6.19 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PRIVMSG that causes an empty string to trigger a negative string length copy. NOTE: this issue exists because of an incorrect fix for CVE-2007-2807.

Heap-based buffer overflow in voc_read_header in libsndfile 1.0.15 through 1.0.19, as used in Winamp 5.552 and possibly other media programs, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a VOC file with an invalid header value.

The web interface in Open Computer and Software Inventory Next Generation (OCS Inventory NG) 1.01 generates different error messages depending on whether a username is valid, which allows remote attackers to enumerate valid usernames.

Directory traversal vulnerability in src/torrent_info.cpp in Rasterbar libtorrent before 0.14.4, as used in firetorrent, qBittorrent, deluge Torrent, and other applications, allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) and partial relative pathname in a Multiple File Mode list element in a .torrent file.

Stack-based buffer overflow in the btFiles::BuildFromMI function (trunk/btfiles.cpp) in Enhanced CTorrent (aka dTorrent) 3.3.2 and probably earlier, and CTorrent 1.3.4, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Torrent file containing a long path.

The hypervisor_callback function in Xen, possibly before 3.4.0, as applied to the Linux kernel 2.6.30-rc4, 2.6.18, and probably other versions allows guest user applications to cause a denial of service (kernel oops) of the guest OS by triggering a segmentation fault in "certain address ranges."

Cross-site request forgery (CSRF) vulnerability in Transmission 1.5 before 1.53 and 1.6 before 1.61 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

SLiM Simple Login Manager 1.3.0 places the X authority magic cookie (mcookie) on the command line when invoking xauth from (1) app.cpp and (2) switchuser.cpp, which allows local users to access the X session by listing the process and its arguments.

Off-by-one error in the packet_read_query_section function in packet.c in nsd 3.2.1, and process_query_section in query.c in nsd 2.3.7, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors that trigger a buffer overflow.