[CLOSE] OSVDB ID : 74711 - Disclosed: 2011-08-19

Description:

U BuddyPress Forum Attachment for WordPress contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'fileurl' parameter. This directory traversal attack would allow the attacker to access arbitrary files.

[CLOSE] OSVDB ID : 74710 - Disclosed: 2011-08-21

Description:

U Extended Comment Plugin for WordPress contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the wp-content/plugins/u-extended-comment/includes/attachment.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'fileurl' parameter to the index.php script. This directory traversal attack would allow the attacker to access arbitrary files.

[CLOSE] OSVDB ID : 79752 - Disclosed: 2012-03-01

Description:

The U+Box 2.0 application for Android contains an unspecified flaw that may allow a remote attacker to have an unspecified impact. No further details have been provided.

[CLOSE] OSVDB ID : 79753 - Disclosed: 2012-03-01

Description:

The U+Box 2.0 Pad application for Android contains an unspecified flaw that may allow a remote attacker to have an unspecified impact. No further details have been provided.

[CLOSE] OSVDB ID : 64367 - Disclosed: 2010-01-12

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 49542 - Disclosed: 2008-10-30

Description:

(Description Provided by CVE) : webmail/modules/filesystem/edit.php in U-Mail Webmail server 4.91 allows remote attackers to overwrite arbitrary files via an absolute pathname in the path parameter and arbitrary content in the content parameter. NOTE: this can be leveraged for code execution by writing to a file under the web document root.

[CLOSE] OSVDB ID : 53371 - Disclosed: 2004-06-08

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 57533 - Disclosed: 1999-06-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 64996 - Disclosed: 2010-05-20

Description:

U.S. Robotics USR5463 Router contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'ddns_domainame' parameter upon submission to the 'cgi-bin/setup_ddns.exe' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 13046 - Disclosed: 2002-01-30

Description:

(Description Provided by CVE) : Infopop UBB.Threads 5.4 and Wired Community Software WWWThreads 5.0 through 5.0.9 allows remote attackers to upload arbitrary files by using a filename that contains an accepted extension, but ends in a different extension.

[CLOSE] OSVDB ID : 17521 - Disclosed: 2005-06-23

Description:

UBB.threads contains a flaw that allows a remote cross site request forgery attack. This flaw exists because the application does not validate input upon submission to the 'addaddress.php' script. This could allow a malicious user to create a specially crafted URL that would execute arbitrary code in a user's browser, with the permissions of the user viewing the URL, within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 17530 - Disclosed: 2005-06-23

Description:

UBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'addfav.php' script not properly sanitizing user-supplied input to the 'main' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25714 - Disclosed: 2006-05-22

Description:

UBB.threads contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to addpost_newpoll.php not properly sanitizing user input supplied to the 'thispath' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 32322 - Disclosed: 2006-09-29

Description:

(Description Provided by CVE) : Multiple direct static code injection vulnerabilities in Groupee UBB.threads 6.5.1.1 allow remote attackers to (1) inject PHP code via a theme[] array parameter to admin/doedittheme.php, which is injected into includes/theme.inc.php; (2) inject PHP code via a config[] array parameter to admin/doeditconfig.php, and then execute the code via includes/config.inc.php; and inject a reference to PHP code via a URL in the config[path] parameter, and then execute the code via (3) dorateuser.php, (4) calendar.php, and unspecified other scripts.

[CLOSE] OSVDB ID : 32321 - Disclosed: 2006-09-29

Description:

(Description Provided by CVE) : Multiple direct static code injection vulnerabilities in Groupee UBB.threads 6.5.1.1 allow remote attackers to (1) inject PHP code via a theme[] array parameter to admin/doedittheme.php, which is injected into includes/theme.inc.php; (2) inject PHP code via a config[] array parameter to admin/doeditconfig.php, and then execute the code via includes/config.inc.php; and inject a reference to PHP code via a URL in the config[path] parameter, and then execute the code via (3) dorateuser.php, (4) calendar.php, and unspecified other scripts.

[CLOSE] OSVDB ID : 12365 - Disclosed: 2004-12-13

Description:

UBB.threads contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'Cat' variables upon submission to the 'calendar.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 17526 - Disclosed: 2005-06-23

Description:

UBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'calendar.php' script not properly sanitizing user-supplied input to the 'year' or 'month' variables. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 17512 - Disclosed: 2005-06-23

Description:

UBB.threads contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to language preferences extracted from the cookie not properly sanitizing the 'language' parameter. This may allow an attacker to include an arbitrary file location, appended with a null byte (%00), that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 32320 - Disclosed: 2006-09-29

Description:

(Description Provided by CVE) : Groupee UBB.threads 6.5.1.1 allows remote attackers to obtain sensitive information via a direct request for cron/php/subscriptions.php, which reveals the path in an error message.

[CLOSE] OSVDB ID : 47954 - Disclosed: 2008-09-02

Description:

UBB.threads contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'dosearch.inc.php' script not properly sanitizing user-supplied input to the 'Forum[]' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 11050 - Disclosed: 2004-10-21

Description:

UBB.threads contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the Name variable in the dosearch.php module is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 17517 - Disclosed: 2005-06-23

Description:

UBB.thread contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Searchpage' variable upon submission to the 'dosearch.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 17525 - Disclosed: 2005-06-23

Description:

UBB.threads contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'download.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 14744 - Disclosed: 2005-03-11

Description:

UBB.threads contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'editpost.php' script not properly sanitizing user-supplied input to the 'Number' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 78192 - Disclosed: 2012-01-05

Description:

UBB.threads contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'Loginname' parameter upon submission to the forums/ubbthreads.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 17532 - Disclosed: 2005-06-23

Description:

UBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'grabnext.php' script not properly sanitizing user-supplied input to the 'posted' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 26122 - Disclosed: 2006-05-27

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 26120 - Disclosed: 2006-05-27

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in index.php in UBBThreads 5.x and earlier allows remote attackers to inject arbitrary web script or HTML via the debug parameter, as demonstrated by stealing MD5 hashes of passwords.

[CLOSE] OSVDB ID : 12366 - Disclosed: 2004-12-13

Description:

UBB.threads contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'Cat' variables upon submission to the 'login.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 17528 - Disclosed: 2005-06-23

Description:

UBB.threads contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'mailthread.php' script not properly sanitizing user-supplied input to the 'Number' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.