SCO : Security Vulnerabilities, CVEs, CVSS score between 4 and 4.99

Directory traversal vulnerability in (1) pkgadd and (2) pkgrm in SCO UnixWare 7.1.4 allows local users to gain privileges via unknown vectors.

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

UnixWare pis and mkpis commands allow local users to gain privileges via a symlink attack.

Some packaging commands in SCO UnixWare 7.1.0 have insecure privileges, which allows local users to add or remove software packages.

Buffer overflow in lpshut in SCO OpenServer 5.0.6 can allow a local attacker to gain additional privileges via a long first argument to lpshut.

lpusers as included with SCO OpenServer 5.0 through 5.0.6 allows a local attacker to gain additional privileges via a buffer overflow attack in the '-u' command line parameter.

Buffer overflow in lpforms in SCO OpenServer 5.0-5.0.6 can allow a local attacker to gain additional privileges via a long first argument to the lpforms command.

sendmail 8.9.3, as included with the MMDF 2.43.3b package in SCO OpenServer 5.0.6, can allow a local attacker to gain additional privileges via a buffer overflow in the first argument to the command.

Multiple buffer overflows in programs used by scoadmin and sysadmsh in SCO OpenServer 5.0.6a and earlier allow local users to gain privileges via a long TERM environment variable to (1) atcronsh, (2) auditsh, (3) authsh, (4) backupsh, (5) lpsh, (6) sysadm.menu, or (7) termsh.

Buffer overflow in lpstat in SCO OpenServer 5.0 through 5.0.6a allows local users to execute arbitrary code as group bin via a long command line argument.

Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls.

SCO UnixWare 7.1.1, 7.1.3, and Open UNIX 8.0.0 allows local users to bypass protections for the "as" address space file for a process ID (PID) by obtaining a procfs file descriptor for the file and calling execve() on a setuid or setgid program, which leaves the descriptor open to the user.

Unknown vulnerability in chroot on SCO UnixWare 7.1.1 through 7.1.4 allows local users to escape the chroot jail and conduct unauthorized activities.

The X server in SCO UnixWare 7.1.1, 7.1.3, and 7.1.4 does not properly create socket directories in /tmp, which could allow attackers to hijack local sockets.

Buffer overflow in (1) termsh, (2) atcronsh, and (3) auditsh in SCO OpenServer 5.0.6 and 5.0.7 might allow local users to execute arbitrary code via a long HOME environment variable.

Buffer overflow in nwprint in SCO OpenServer 5.0.7 allows local users to execute arbitrary code via a long command line argument.

Stack-based buffer overflow in (1) backupsh and (2) authsh in SCO Openserver 5.0.7 allows local users to execute arbitrary code via a long HOME environment variable.

Buffer overflow in uidadmin in SCO Unixware 7.1.3 and 7.1.4 allows local users to execute arbitrary code via a -S (scheme) argument that specifies a large file, a different vulnerability than CVE-2001-1063.

Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value.

ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value.