The sun.plugin2.applet.Applet2ClassLoader class of Oracle Java does not properly validate whether the URL of a Java class file matches the "codebase" parameter while loading applets. This vulnerability allows an applet to execute arbitrary code outside the sandbox without restrictions, which can be exploited to install an agent on the target machine.
The default Java security properties configuration does not restrict access to certain objects in the com.sun.jmx.mbeanserver packages. This flaw allows an unprivileged Java applet to escape the sandbox and execute arbitrary code on the target machine with the privileges of the current user.
The Import Server component of Oracle WebCenter Capture is affected by a buffer overflow vulnerability. This could allow command execution when a user loads a web page that calls the SetAnnotationFont method of the BlackIceDevMode.ocx ActiveX control with an overly long string argument. This module runs a web server waiting for vulnerable clients (Internet Explorer 6 and 7 in Windows XP SP3) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
Oracle AutoVue Electro-Mechanical Professional is prone to a vulnerability that may allow the execution of any library file named dwmapi.dll, if this DLL is located in the same folder as a .DWG file. The attacker must entice a victim into opening a specially crafted .DWG file. This file and the associated binary may be delivered to a user through remote WebDAV shares. An attacker may exploit this issue to execute arbitrary code.
Oracle AutoVue ActiveX control can be exploited to create or overwrite arbitrary files in the context of the currently logged-on user.
A buffer overflow vulnerability exists in the AutoVue.ocx ActiveX control, caused by the strcpy function in the SetMarkupMode method when handling a specially crafted sMarkup argument. This module runs a web server waiting for vulnerable clients (Internet Explorer 6 and 7 without Java, and Internet Explorer 8 with Java 6 in Windows XP, and Internet Explorer 8 and 9 in Windows Vista/Seven with Java 6 installed) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
This module exploits an XSS vulnerability in the opera:historysearch page in Opera which leads to remote command injection. This module runs a web server waiting for vulnerable clients (Opera) to connect to it. When the client connects, it will try to install an agent by exploiting this vulnerability.
Opera Web Browser is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input before copying it to an insufficiently sized buffer.
OpenOffice is prone to an integer-based buffer-overflow vulnerability that occurs because it fails to perform adequate boundary checks on user-supplied data, via a crafted sprmTDefTable table property modified in a Word document. This module runs a malicious web server on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to it.
This module exploits a heap-based buffer overflow vulnerability in the OpenOffice software included in most Linux distributions. The vulnerability is caused by the prtdata tag with a length parameter inconsistency, which causes vtable entries to be overwritten. The exploit is triggered when an unsuspecting user opens a specially crafted file distributed via email.