[CLOSE] OSVDB ID : 77183 - Disclosed: 2011-11-13

Description:

V-CMS contains a flaw that allows a remote user to execute arbitrary PHP code. This flaw exists because the inline_image_upload.php script does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the user to execute the script with the privileges of the web server.

[CLOSE] OSVDB ID : 77181 - Disclosed: 2011-11-13

Description:

V-CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the includes/TrueColorPicker/class.TrueColorPicker.php script does not validate the 'box' parameter upon submission to the includes/TrueColorPicker/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 77182 - Disclosed: 2011-11-13

Description:

V-CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the process.php script not properly sanitizing user-supplied input to the 'user' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 77180 - Disclosed: 2011-11-13

Description:

V-CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'p' parameter upon submission to the redirect.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 87384 - Disclosed: 2012-06-03

Description:

V-CMS contains a flaw that allows a remote user to execute arbitrary PHP code. This flaw exists because the uploadify.php script does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the user to execute the script, and therefore their own code.

[CLOSE] OSVDB ID : 24304 - Disclosed: 2006-03-30

Description:

v-creator contains a flaw that may allow a malicious user to execute arbitrary shell commands. The issue is triggered due to an input validation error in the 'enrypt()' and 'decrypt()' functions in VCEngine.php. It is possible that the flaw may allow arbitrary command execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 74279 - Disclosed: 2010-12-10

Description:

(Description Provided by CVE) : Passlogix v-GO Self-Service Password Reset (SSPR) and OEM before 7.0A allows physically proximate attackers to execute arbitrary programs without authentication by triggering use of an invalid SSL certificate and using the Internet Explorer interface to navigate through the filesystem via a "Save As" dialog that is reachable from the "Certificate Export" wizard.

[CLOSE] OSVDB ID : 55495 - Disclosed: 2009-06-30

Description:

V-SpacePal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login.asp script not properly sanitizing user-supplied input to the password parameter. This may allow an attacker to bypass authentication

[CLOSE] OSVDB ID : 26085 - Disclosed: 2006-05-25

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'core.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 23261 - Disclosed: 2006-02-17

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands in the target's web browser. The issue is due to 'frameset.php' not properly sanitizing user input supplied to the 'rframe' variable. This may allow an attacker to include a file from a remote host that contains arbitrary scripting commands which will be executed by the browser.

[CLOSE] OSVDB ID : 23262 - Disclosed: 2006-02-17

Description:

V-webmail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when invalid parameters are passed to the 'help.php' script, which will disclose file system path information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 55581 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/cachedConfig.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55583 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/email.list.search.php' script not properly sanitizing user input supplied to the 'CONFIG[includes]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55573 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/pear/Console/Getopt.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55578 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/pear/File.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55576 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/pear/Log.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55572 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/pear/Mail/mimeDecode.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55568 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/pear/Mail/RFC822.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55569 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/pear/Net/Socket.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55574 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/pear/System.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55570 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/pear/XML/Parser.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55571 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/pear/XML/Tree.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55582 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/prepend.php' script not properly sanitizing user input supplied to the 'CONFIG[includes]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 55579 - Disclosed: 2008-07-10

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'includes/prepend.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from an arbitrary remote host that contains commands which will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 48793 - Disclosed: 2008-10-05

Description:

V-webmail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides unexpected input to the login page, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

[CLOSE] OSVDB ID : 48795 - Disclosed: 2008-10-05

Description:

V-webmail contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login.php script not properly sanitizing user-supplied input to the 'username' field. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 48794 - Disclosed: 2008-10-05

Description:

V-webmail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides malformed session data, which will disclose the software's configured temporary directory resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

[CLOSE] OSVDB ID : 26086 - Disclosed: 2006-05-25

Description:

V-webmail contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'pop3.php' script not properly sanitizing user input supplied to the 'CONFIG[pear_dir]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 23260 - Disclosed: 2006-02-17

Description:

V-webmail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'newid' variable upon submission to the 'preferences.personal.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 48796 - Disclosed: 2008-10-05

Description:

V-webmail contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the "to" variable upon submission to the redirect.php script. This could allow a user to create a specially crafted URL that would allow malicious redirection in a user's browser to an arbitrary web site, without user interaction.