Initial Publication Date: Advisory Status: Advisory Severity: CVSS Base Score:Legacy ID
2 Dec 2011 Closed High CVSS v2: 7.5 SA65
ProxyAV uses a version of libpng that is vulnerable to a buffer overflow attack. This vulnerability could allow a remote attacker to read and modify ProxyAV data.
All versions of ProxyAV prior to 188.8.131.52 are vulnerable.
ProxyAV 3.4 - a fix is available in 184.108.40.206.
ProxyAV 3.3 - a fix is avialable in 220.127.116.11.
ProxyAV 3.2 and earlier - please upgrade to a later version.
CVE-2010-1205 - CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ProxyAV uses libpng version 1.2.8 to generate statistical graphs in PNG format. This version of libpng is vulnerable to a buffer overflow attack. It is possible that a remote attacker could execute arbitrary code on ProxyAV through this library that would run with escalated privileges.
ProxyAV 18.104.22.168 contains an upgrade to libpng version 1.2.46 fixing this CVE.
Deploying ProxyAV behind a firewall and adding constraints on what IP addresses can be used to connect to ProxyAV will greatly limit the ability to attack a ProxyAV installation.