This installment of Security Bytes focuses on flaws in three different programs that have since been patched.
The Mozilla Foundation has fixed a variety of flaws in Bugzilla, a popular Web-based system that software developers use to find and track vulnerabilities in their programs. Digital miscreants could exploit the flaws to disclose sensitive information, insert malicious script or conduct cross-site scripting attacks.
According to Mozilla's advisory, the problems are:
Mozilla said Bugzilla users should update to versions 2.18.6, 2.20.3, 2.22.1, or 2.23.3.
Cisco Wireless Location Appliance fixes
Cisco Systems has offered a fix and workarounds for a flaw in its 2700 Series Wireless Location Appliances (WLA). Specifically, the flaw affects versions prior to 188.8.131.52.
Cisco noted in its advisory that WLA software contains a default password for the "root" administrative account. A user who logs in using this username has complete control of the device. Cisco said the password is the same in all installations of the product prior to version 184.108.40.206 when shipped as part of a new product purchase, and that the vulnerability still exists on upgraded installations unless explicit steps are taken to change the password after the initial installation of the product.
Cisco has fixed the flaw in versions 220.127.116.11 and later when shipped on new devices for initial installation of the WLA software, the vendor said.
Meanwhile, Cisco said the flaw can be eliminated by logging in to the affected WLA and changing the default password for the administrative root account to a strong password chosen by the user. A reboot is not required for the new password to take effect, so network operations will not be disrupted, Cisco said.
Clam AntiVirus fixes
Clam AntiVirus users should upgrade to version 0.88.5 to correct a flaw attackers could exploit to cause a denial of service or a heap-based buffer overflow and launch malicious code. The problems are:
An attacker who successfully exploits these issues could launch malicious code on the victim's computer system.