4.3 - CVE-2007-0242

Executive Summary

Informations
Name	CVE-2007-0242	First vendor Publication	2007-04-03
Vendor	Cve	Last vendor Modification	2023-11-07

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score	4.3	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0242

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11510

Oval ID:	oval:org.mitre.oval:def:11510
Title:	The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
Description:	The UTF-8 decoder in codecs/qutfcodec.cpp in Qt 3.3.8 and 4.2.3 does not reject long UTF-8 sequences as required by the standard, which allows remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-0242	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
OS Section: RHEL3, CentOS3 RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND Configuration section qt-config is earlier than 1:3.1.2-17.RHEL3 AND qt is earlier than 1:3.1.2-17.RHEL3 AND qt-devel is earlier than 1:3.1.2-17.RHEL3 AND qt-MySQL is earlier than 1:3.1.2-17.RHEL3 AND qt-ODBC is earlier than 1:3.1.2-17.RHEL3 AND qt-designer is earlier than 1:3.1.2-17.RHEL3 OR OS Section: RHEL4, CentOS4, Oracle Linux 4 RHEL4, CentOS4 or Oracle Linux 4 The operating system installed on the system is Red Hat Enterprise Linux 4 AND CentOS Linux 4.x AND Oracle Linux 4.x AND Configuration section qt-config is earlier than 1:3.3.3-13.RHEL4 AND qt is earlier than 1:3.3.3-13.RHEL4 AND qt-MySQL is earlier than 1:3.3.3-13.RHEL4 AND qt-ODBC is earlier than 1:3.3.3-13.RHEL4 AND qt-designer is earlier than 1:3.3.3-13.RHEL4 AND qt-devel is earlier than 1:3.3.3-13.RHEL4 AND qt-PostgreSQL is earlier than 1:3.3.3-13.RHEL4 AND kdelibs is earlier than 6:3.3.1-9.el4 AND kdelibs-devel is earlier than 6:3.3.1-9.el4 OR OS Section: RHEL5, CentOS5, Oracle Linux 5 RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section qt-config is earlier than 1:3.3.6-23.el5 AND qt is earlier than 1:3.3.6-23.el5 AND qt-MySQL is earlier than 1:3.3.6-23.el5 AND kdelibs-apidocs is earlier than 6:3.5.4-13.el5 AND qt-ODBC is earlier than 1:3.3.6-23.el5 AND qt-designer is earlier than 1:3.3.6-23.el5 AND qt-devel is earlier than 1:3.3.6-23.el5 AND qt-PostgreSQL is earlier than 1:3.3.6-23.el5 AND kdelibs is earlier than 6:3.5.4-13.el5 AND qt-devel-docs is earlier than 1:3.3.6-23.el5 AND kdelibs-devel is earlier than 6:3.5.4-13.el5

Definition Id: oval:org.mitre.oval:def:18627

Oval ID:	oval:org.mitre.oval:def:18627
Title:	DSA-1292-1 qt4-x11
Description:	Andreas Nolden discovered a bug in the UTF8 decoding routines in qt4-x11, a C++ GUI library framework, that could allow remote attackers to conduct cross-site scripting (XSS) and directory traversal attacks via long sequences that decode to dangerous metacharacters.
Family:	unix	Class:	patch
Reference(s):	DSA-1292-1 CVE-2007-0242	Version:	7
Platform(s):	Debian GNU/Linux 4.0	Product(s):	qt4-x11
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. AND qt4-x11 DPKG is earlier than 4.2.1-2etch1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Qt cpe:2.3:a:qt:qt:4.2.3:::::::* cpe:2.3:a:qt:qt:3.3.8:::::::*	2

OpenVAS Exploits

Date	Description
2012-07-30	Name : CentOS Update for qt4 CESA-2011:1324 centos5 x86_64 File : nvt/gb_CESA-2011_1324_qt4_centos5_x86_64.nasl
2011-09-23	Name : CentOS Update for qt4 CESA-2011:1324 centos5 i386 File : nvt/gb_CESA-2011_1324_qt4_centos5_i386.nasl
2011-09-23	Name : RedHat Update for qt4 RHSA-2011:1324-01 File : nvt/gb_RHSA-2011_1324-01_qt4.nasl
2009-10-10	Name : SLES9: Security update for Qt3 File : nvt/sles9p5013213.nasl
2009-04-09	Name : Mandriva Update for qt3 MDKSA-2007:074 (qt3) File : nvt/gb_mandriva_MDKSA_2007_074.nasl
2009-04-09	Name : Mandriva Update for qt4 MDKSA-2007:075 (qt4) File : nvt/gb_mandriva_MDKSA_2007_075.nasl
2009-04-09	Name : Mandriva Update for qt4 MDKSA-2007:075-1 (qt4) File : nvt/gb_mandriva_MDKSA_2007_075_1.nasl
2009-04-09	Name : Mandriva Update for kdelibs MDKSA-2007:076 (kdelibs) File : nvt/gb_mandriva_MDKSA_2007_076.nasl
2009-03-23	Name : Ubuntu Update for kdelibs, qt-x11-free vulnerability USN-452-1 File : nvt/gb_ubuntu_USN_452_1.nasl
2009-02-27	Name : Fedora Update for qt FEDORA-2007-703 File : nvt/gb_fedora_2007_703_qt_fc6.nasl
0000-00-00	Name : Slackware Advisory SSA:2007-093-03 qt File : nvt/esoft_slk_ssa_2007_093_03.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
34679	Qt codecs/qutfcodec.cpp UTF-8 Decoder Long Sequence XSS

Nessus® Vulnerability Scanner

Date	Description
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-1324.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0883.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0909.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110921_qt4_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20071008_kdelibs_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20070913_qt_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2011-09-22	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-1324.nasl - Type : ACT_GATHER_INFO
2011-09-22	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-1324.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-074.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-075.nasl - Type : ACT_GATHER_INFO
2007-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_qt-3047.nasl - Type : ACT_GATHER_INFO
2007-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_qt3-3052.nasl - Type : ACT_GATHER_INFO
2007-11-10	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-452-1.nasl - Type : ACT_GATHER_INFO
2007-10-17	Name : The remote openSUSE host is missing a security update. File : suse_qt3-3048.nasl - Type : ACT_GATHER_INFO
2007-10-17	Name : The remote openSUSE host is missing a security update. File : suse_qt-3050.nasl - Type : ACT_GATHER_INFO
2007-10-17	Name : The remote openSUSE host is missing a security update. File : suse_libqt4-3056.nasl - Type : ACT_GATHER_INFO
2007-10-12	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0909.nasl - Type : ACT_GATHER_INFO
2007-10-09	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0909.nasl - Type : ACT_GATHER_INFO
2007-09-24	Name : The remote Fedora Core host is missing a security update. File : fedora_2007-703.nasl - Type : ACT_GATHER_INFO
2007-09-14	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0883.nasl - Type : ACT_GATHER_INFO
2007-09-14	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0883.nasl - Type : ACT_GATHER_INFO
2007-05-16	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1292.nasl - Type : ACT_GATHER_INFO
2007-04-05	Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2007-093-03.nasl - Type : ACT_GATHER_INFO
2007-04-05	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-076.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

http://www.nabble.com/Bug-417390:-CVE-2007-0242%2C--Qt-UTF-8-overlong-sequenc...

Source	Url
BID	http://www.securityfocus.com/bid/23269
CONFIRM	http://support.avaya.com/elmodocs2/security/ASA-2007-424.htm http://support.novell.com/techcenter/psdb/39ea4b325a7da742cb8b6995fa585b14.html http://support.novell.com/techcenter/psdb/fc79b7f48d739f9c803a24ddad933384.html http://www.trolltech.com/company/newsroom/announcements/press.2007-03-30.9172... https://issues.rpath.com/browse/RPL-1202
DEBIAN	http://www.debian.org/security/2007/dsa-1292
FEDORA	http://fedoranews.org/updates/FEDORA-2007-703.shtml
MANDRIVA	http://www.mandriva.com/security/advisories?name=MDKSA-2007:074 http://www.mandriva.com/security/advisories?name=MDKSA-2007:075 http://www.mandriva.com/security/advisories?name=MDKSA-2007:076
OVAL	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
REDHAT	http://rhn.redhat.com/errata/RHSA-2011-1324.html http://www.redhat.com/support/errata/RHSA-2007-0883.html http://www.redhat.com/support/errata/RHSA-2007-0909.html
SECUNIA	http://secunia.com/advisories/24699 http://secunia.com/advisories/24705 http://secunia.com/advisories/24726 http://secunia.com/advisories/24727 http://secunia.com/advisories/24759 http://secunia.com/advisories/24797 http://secunia.com/advisories/24847 http://secunia.com/advisories/24889 http://secunia.com/advisories/25263 http://secunia.com/advisories/26804 http://secunia.com/advisories/26857 http://secunia.com/advisories/27108 http://secunia.com/advisories/27275 http://secunia.com/advisories/46117
SGI	ftp://patches.sgi.com/support/free/security/advisories/20070901-01-P.asc
SLACKWARE	http://slackware.com/security/viewer.php?l=slackware-security&y=2007&...
SUSE	http://www.novell.com/linux/security/advisories/2007_6_sr.html
UBUNTU	http://www.ubuntu.com/usn/usn-452-1
VUPEN	http://www.vupen.com/english/advisories/2007/1212
XF	https://exchange.xforce.ibmcloud.com/vulnerabilities/33397

Alert History

If you want to see full details history, please login or register.

Date	Informations
2023-11-07 21:47:58	Multiple Updates
2021-05-04 12:05:14	Multiple Updates
2021-04-22 01:05:49	Multiple Updates
2020-05-23 00:19:07	Multiple Updates
2017-10-11 09:23:50	Multiple Updates
2017-07-29 12:01:57	Multiple Updates
2016-04-26 15:37:55	Multiple Updates
2014-02-17 10:38:38	Multiple Updates
2013-05-11 00:40:33	Multiple Updates

Global Informations

Type	Count
Oval ID(s)	2
CPE ID(s)	2
Sources(s)	36
osvdb(s)	1
Openvas Exploit(s)	11
Nessus® Exploit(s)	24

	Related
9.3	RHSA-2011:1324
7.5	RHSA-2007:0883
6.8	RHSA-2007:0909
4.3	USN-452-1
4.3	DSA-1292
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 5 more Alert(s)

4.3 - CVE-2007-0242

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Nessus® Vulnerability Scanner

Sources (Detail)

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU