Initial Publication Date: Advisory Status: Advisory Severity: CVSS Base Score:Legacy ID
2 Dec 2011 Closed High CVSS v2: 7.5 SA65
ProxyAV uses a version of libpng that is vulnerable to a buffer overflow attack. This vulnerability could allow a remote attacker to read and modify ProxyAV data.
All versions of ProxyAV prior to 220.127.116.11 are vulnerable.
ProxyAV 3.4 - a fix is available in 18.104.22.168.
ProxyAV 3.3 - a fix is avialable in 22.214.171.124.
ProxyAV 3.2 and earlier - please upgrade to a later version.
CVE-2010-1205 - CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ProxyAV uses libpng version 1.2.8 to generate statistical graphs in PNG format. This version of libpng is vulnerable to a buffer overflow attack. It is possible that a remote attacker could execute arbitrary code on ProxyAV through this library that would run with escalated privileges.
ProxyAV 126.96.36.199 contains an upgrade to libpng version 1.2.46 fixing this CVE.
Deploying ProxyAV behind a firewall and adding constraints on what IP addresses can be used to connect to ProxyAV will greatly limit the ability to attack a ProxyAV installation.