Description

The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447.

Remediation

References

CVE-2010-3433

Related Vulnerabilities

WordPress Plugin Banner Effect Header Cross-Site Request Forgery (1.2.6)

WordPress Plugin cformsII 'lib_ajax.php' Multiple Cross-Site Scripting Vulnerabilities (13.1)

Internet Information Services Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-1999-0349)

WordPress Plugin Yet Another Photoblog Unspecified Vulnerability (1.10.6)

WordPress Plugin Easy2Map Photos Cross-Site Scripting (2.0.6)

Severity

Medium

Classification

CVE-2010-3433 CWE-264

Tags

Missing Update Known Vulnerabilities