| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 55554 | 2009-07-02 | Zoph People Page Unspecified XSS | Zoph contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input upon submission to the 'people.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 54845 | 2009-06-02 | Online Grades & Attendance index.php GLOBALS[SKIN] Parameter Traversal Local File Inclusion | Online Grades & Attendance contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the index.php script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied to the SKIN parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands which will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system. |
| 54843 | 2009-06-01 | Online Grades parents/parents.php Multiple Parameter SQL Injection | Online Grades contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the parents/parents.php script not properly sanitizing user-supplied input to the ADD parameter (when the func parameter is set to mailto), and the cc parameter (when the func parameter is set to showteachermemo). This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 54844 | 2009-06-01 | Online Grades index.php key Parameter SQL Injection | Online Grades contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the key parameter (when 'action' is set to 'resetpass'). This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 54846 | 2009-06-01 | Online Grades & Attendance admin/admin.php skin Parameter Traversal Local File Inclusion | Online Grades & Attendance contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the admin/admin.php script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied to the skin parameter. This may allow an attacker with a valid Admin account to include a file from the targeted host that contains arbitrary commands which will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system. |
| 54407 | 2009-05-12 | BIGACE New User Registration username Parameter SQL Injection | BIGACE contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the New User Registration function not properly sanitizing user-supplied input to the 'username' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 54602 | 2009-05-07 | myGesuad common/login.php formUser Parameter SQL Injection Authentication Bypass | myGesuad contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the common/login.php script not properly sanitizing user-supplied input to the formUser parameter. This may allow an attacker to bypass authentication. |
| 54604 | 2009-05-07 | myGesuad modules/kategorie.php ID Parameter SQL Injection | myGesuad contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/kategorie.php script not properly sanitizing user-supplied input to the ID parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 54605 | 2009-05-07 | myGesuad modules/budget.php ID Parameter SQL Injection | myGesuad contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/budget.php script not properly sanitizing user-supplied input to the ID parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 54606 | 2009-05-07 | myGesuad modules/zahlung.php ID Parameter SQL Injection | myGesuad contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/zahlung.php script not properly sanitizing user-supplied input to the ID parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 54603 | 2009-05-07 | myGesuad modules/adresse.php ID Parameter SQL Injection | myGesuad contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/adresse.php script not properly sanitizing user-supplied input to the ID parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |