| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 25347 | 2006-05-08 | Ocean12 Calendar Manager Pro admin/main.asp date Parameter XSS | Ocean12 Calendar Manager Pro contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'date' variable upon submission to the 'admin/main.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 25345 | 2006-05-08 | Ocean12 Calendar Manager Pro admin/view.asp SearchFor Parameter SQL Injection | Ocean12 Calendar Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/view.asp' script not properly sanitizing user-supplied input to the 'SearchFor' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 50317 | 2008-11-27 | Ocean12 Contact Manager Pro default.asp DisplayFormat Parameter XSS | Ocean12 Contact Manager Pro contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the DisplayFormat parameter upon submission to the default.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 50316 | 2008-11-27 | Ocean12 Contact Manager Pro default.asp Sort Parameter SQL Injection | Ocean12 Contact Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'default.asp' script not properly sanitizing user-supplied input to the 'Sort' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 57360 | 2008-11-27 | Ocean12 FAQ Manager Pro admin/o12faq.mdb Direct Request Database Disclosure | Ocean12 FAQ Manager Pro contains a flaw that may allow a malicious user to download a database. The issue is triggered when the malicious user directly accesses the database via admin/o12faq.mdb, resulting in a loss of confidentiality. |
| 50387 | 2008-11-28 | Ocean12 FAQ Manager Pro default.asp ID Parameter SQL Injection | Ocean12 FAQ Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'default.asp' script not properly sanitizing user-supplied input to the 'ID' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 50395 | 2008-12-02 | Ocean12 Mailing List Manager Gold default.asp Email Parameter SQL Injection | Ocean12 Mailing List Manager Gold contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'default.asp' script not properly sanitizing user-supplied input to the 'Email' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 50397 | 2008-12-02 | Ocean12 Mailing List Manager Gold default.asp Email Parameter XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in default.asp in Ocean12 Mailing List Manager Gold allows remote attackers to inject arbitrary web script or HTML via the Email parameter. |
| 50396 | 2008-12-02 | Ocean12 Mailing List Manager Gold o12mail.mdb Direct Request Database Disclosure | (Description Provided by CVE): Ocean12 Mailing List Manager Gold stores sensitive data under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for o12mail.mdb. |
| 50398 | 2008-12-02 | Ocean12 Mailing List Manager Gold s_edit.asp Email Parameter SQL Injection | Ocean12 Mailing List Manager Gold contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 's_edit.asp' script not properly sanitizing user-supplied input to the 'Email' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 15959 | 2005-04-28 | Ocean12 Mailing List Manager Pro Login Panel SQL Injection | Mailing List Manager Pro contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the Admin_id and Admin_Password variables in the Login Panel script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries. Furthermore, the flaw allows anyone to log in as admin, resulting in a loss of confidentiality and integrity. |
| 15306 | 2005-04-04 | Ocean12 Membership Manager main.asp page Parameter XSS | Ocean12 Membership Manager contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'page' variable upon submission to the main.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 15307 | 2005-04-04 | Ocean12 Membership Manager main.asp UserID Parameter SQL Injection | Ocean12 Membership Manager contains a flaw that may allow an attacker to inject arbitrary SQL queries. The issue is due to the 'UserID' variable in the main.asp script not being properly sanitized and may allow an attacker to inject or manipulate SQL queries. |
| 50318 | 2008-11-27 | Ocean12 Membership Manager Pro login.asp Multiple Parameter SQL Injection | Ocean12 Membership Manager Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login.asp script not properly sanitizing user-supplied input to the Username and Password parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 49433 | 2008-10-28 | Ocean12 Multiple Products Direct Request Multiple Database Disclosure | (Description Provided by CVE): Ocean12 Contact Manager Pro 1.02 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12con.mdb. |
| 52725 | 2008-09-20 | Oceandir show_vote.php id Parameter SQL Injection | Oceandir contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'show_vote.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 68808 | 2010-09-30 | OCF Resource Agents Multiple Scripts LD_LIBRARY_PATH Zero-length Directory Name Path Subversion Local Privilege Escalation | (Description Provided by CVE): The (1) SAPDatabase and (2) SAPInstance scripts in OCF Resource Agents (aka resource-agents or cluster-agents) 1.0.3 in Linux-HA place a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. |
| 75515 | 2011-04-18 | Ocomon Multiple Unspecified SQL Injection | Unknown / Incomplete |
| 20751 | 2005-11-07 | OcoMon Unspecified SQL Injection | OcoMon contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to unspecified scripts not properly sanitizing user-supplied input. This may allow an attacker to inject or manipulate SQL queries in the back-end database. No further details have been provided. |
| 22645 | 2005-11-11 | OcoMon Unspecified XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in OcoMon 1.20, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. |
| 88069 | 2012-08-19 | ocPortal /adminzone/index.php Admin User Creation CSRF | ocPortal contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions in the /adminzone/index.php script. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into creating an administrative user in the context of their session with the application, without further prompting or verification. |
| 80651 | 2012-03-21 | ocPortal code_editor.php Multiple Parameter XSS | ocPortal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'path' and 'line' parameters upon submission to the code_editor.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 64632 | 2010-05-14 | ocPortal index.php Admin User Creation CSRF | ocPortal contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions such as creating administrative users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. |
| 71870 | 2010-12-29 | ocPortal index.php Malformed page[] Parameter Path Disclosure | ocPortal contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker passes a malformed 'page[]' parameter to the index.php script, which discloses the software's installation path, resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 85977 | 2012-03-21 | ocPortal index.php redirect Parameter Arbitrary Site Redirect | ocPortal contains a flaw that allows a remote cross-site redirection attack. This flaw exists because the application does not validate the 'redirect' parameter upon submission to the index.php script. This could allow a user to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs. |
| 10712 | 2004-10-13 | ocPortal index.php req_path Parameter Remote File Inclusion | ocPortal contains a flaw that may allow a malicious user to execute arbitrary commands. The issue is due to a lack of sanitization on input provided to the req_path variable as part of the index.php script before it uses the input to include files. This allows a remote attacker to specify a custom PHP file on any server and have the commands be executed by the ocPortal system. |
| 88068 | 2012-08-19 | ocPortal Session ID Brute Force Weakness | ocPortal contains a flaw that is due to the program generating a predictable seven digit session ID. This may allow a remote attacker to more easily compromise a user's session via a brute force attack. |
| 80652 | 2012-03-21 | ocPortal site/catalogue_file.php file Parameter Traversal Arbitrary File Access | ocPortal contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the site/catalogue_file.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'file' parameter. This directory traversal attack would allow the attacker to read arbitrary files. |
| 70618 | 2010-09-26 | ocrodjvu on Debian GNU / Linux Cuneiform Temporary File Symlink Arbitrary File Overwrite | ocrodjvu on Debian GNU / Linux contains a flaw while using Cuneiform as the OCR engine. The issue is triggered when a local attacker uses a symlink attack on temporary files generated upon invocation of Cuneiform. This may allow an attacker to modify arbitrary files. |
| 76135 | 2011-10-07 | OCS Inventory NG /ocsinventory POST Request XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |