| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 27358 | 2006-07-17 | Zoho Virtual Office HTML Message XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in Zoho Virtual Office 3.2 Build 3210 allows remote attackers to execute arbitrary web script or HTML via an HTML message. |
| 39550 | 2007-08-14 | Zoidcom JOIN Packet Double-free Remote DoS | (Description Provided by CVE): Zoidcom 0.6.7 and earlier allows remote attackers to cause a denial of service (application crash) via a JOIN packet (aka connection packet) containing 0x69 in the ninth byte, which triggers a "double-delete" of trace data, a different vulnerability than CVE-2005-1643. |
| 16495 | 2005-05-10 | Zoidcom ZCom_BitStream::Deserialize Function Remote Overflow DoS | A remote overflow exists in Zoidcom. The ZCom_Bitstream::Deserialize function fails to validate packet size data, resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service, resulting in a loss of availability. |
| 59047 | 2009-10-14 | ZoIPer Crafted SIP INVITE Request Remote DoS | (Description Provided by CVE): ZoIPer 2.22, and possibly other versions before 2.24 Library 5324, allows remote attackers to cause a denial of service (crash) via a SIP INVITE request with an empty Call-Info header. |
| 55104 | 2009-06-15 | Zoki Catalog system/application/controllers/catalog.php search_text Parameter SQL Injection | Zoki Catalog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'system/application/controllers/catalog.php' script not properly sanitizing user-supplied input to the 'search_text' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 64507 | 2010-05-06 | Zolsoft Office Server User Password Manipulation CSRF | Zolsoft Office Server contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the manipulation of a user's password. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. |
| 83854 | 1999-11-02 | Zom-Mail File Attachment Name Handling Remote Overflow | Zom-Mail is prone to an overflow condition. The program fails to properly sanitize user-supplied input, resulting in a buffer overflow. With an overly long name of a file attachment, a remote attacker can potentially execute arbitrary code. |
| 71318 | 2010-10-27 | Zomplog /admin/editor_pages.php id Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'id' parameter upon submission to the /admin/editor_pages.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71317 | 2010-10-27 | Zomplog /admin/settings.php weblog_subtitle Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'weblog_subtitle' parameter upon submission to the /admin/settings.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71319 | 2010-10-27 | Zomplog /admin/settings_menu.php about Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'about' parameter upon submission to the /admin/settings_menu.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71320 | 2010-10-27 | Zomplog /admin/users.php Arbitrary User Creation CSRF | Zomplog contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the /admin/users.php script does not require multiple steps or explicit confirmation for sensitive transactions for the creation of users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. |
| 44808 | 2008-05-02 | Zomplog admin/category.php catname Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'catname' parameter upon submission to the 'admin/category.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 41410 | 2007-09-28 | Zomplog admin/upload_files.php Crafted MIME Type Arbitrary File Upload | (Description Provided by CVE): Unrestricted file upload vulnerability in admin/upload_files.php in Zomplog 3.8.1 and earlier allows remote authenticated administrators to upload and execute arbitrary .php files by sending a modified MIME type. NOTE: this can be exploited by unauthenticated attackers by leveraging CVE-2007-5230. |
| 41409 | 2007-09-28 | Zomplog admin/upload_files.php Direct Request Administrator Credential Bypass | (Description Provided by CVE): admin/upload_files.php in Zomplog 3.8.1 and earlier does not check for administrative credentials, which allows remote attackers to perform administrative actions via a direct request. NOTE: this can be leveraged for code execution by exploiting CVE-2007-5231. |
| 67214 | 2010-08-15 | Zomplog category.php message Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'message' parameter upon submission to the 'category.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67221 | 2010-08-15 | Zomplog changeclothes.php message Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'message' parameter upon submission to the 'changeclothes.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67217 | 2010-08-15 | Zomplog comments.php message Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'message' parameter upon submission to the 'comments.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 20250 | 2005-10-20 | Zomplog detail.php id Parameter SQL Injection | Zomplog contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'detail.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database. |
| 20253 | 2005-10-20 | Zomplog detail.php name Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'name' variable upon submission to the 'detail.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 41411 | 2007-09-28 | Zomplog Direct Request Uploaded File Access | (Description Provided by CVE): Zomplog 3.8.1 and earlier stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to download files that were uploaded by users, as demonstrated by obtaining a directory listing via a direct request to /upload and then retrieving individual files. NOTE: in a non-default configuration, the directory listing is denied, but filenames may be predictable. |
| 67215 | 2010-08-15 | Zomplog entry.php message Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'message' parameter upon submission to the 'entry.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 20251 | 2005-10-20 | Zomplog get.php catid Parameter SQL Injection | Zomplog contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'get.php' script not properly sanitizing user-supplied input to the 'catid' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database. |
| 20254 | 2005-10-20 | Zomplog get.php username Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'get.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 20252 | 2005-10-20 | Zomplog index.php catid Parameter SQL Injection | Zomplog contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'catid' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database. |
| 20255 | 2005-10-20 | Zomplog index.php search Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'search' variable upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 45513 | 2008-05-16 | Zomplog install/newuser.php admin Variable Direct Request Authentication Bypass | (Description Provided by CVE): Zomplog 3.8.2 and earlier allows remote attackers to gain administrative access by creating an admin account via a direct request to install/newuser.php with the admin parameter set to 1. |
| 35017 | 2007-05-20 | Zomplog mp3playlist.php speler Parameter SQL Injection | (Description Provided by CVE): SQL injection vulnerability in plugins/mp3playlist/mp3playlist.php in Zomplog 3.8 and earlier allows remote attackers to execute arbitrary SQL commands via the speler parameter. |
| 67225 | 2010-08-15 | Zomplog Multiple Admin Functions CSRF | Zomplog contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions such as adding an administrative user or changing an administrator's password. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. |
| 67216 | 2010-08-15 | Zomplog newentry.php message Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'message' parameter upon submission to the 'newentry.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 67218 | 2010-08-15 | Zomplog newpage.php message Parameter XSS | Zomplog contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'message' parameter upon submission to the 'newpage.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |