| OSVDB ID | Disclosure Date | Title |
|---|
|
10663
Description:
DUclassmate contains a flaw in the 'account.asp' script that may lead to an unauthorized password exposure. It is possible to change other users passwords by altering the 'MM-recordId' value on the 'My Account' page, which may lead to a loss of integrity.
|
2004-10-12
|
DUclassmate account.asp MM-recordId Parameter Arbitrary Password Modification
|
|
10662
Description:
Sticker contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a remote user with access to a public key posts messages to a group secured with the corresponding private key. This flaw may lead to a loss of integrity.
|
2004-10-12
|
Sticker Secure Messaging Private Group Posting Restriction Bypass
|
|
10713
Description:
Micronet SP916BM routers contain a flaw that may allow a local attacker gain access. When the device is powered off, the password for the account "admin" is reset to its default, "admin". It is possible to power cycle the device and then log into the web management interface (which is only accessible via the same subnet as the router, unless the administrator has explicitly enabled logins from other subnets) with administrative privileges.
|
2004-10-12
|
Micronet SP916BM Router Admin Password Reset
|
|
10752
Description:
FuseTalk contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the search string sent to the searchresults.cfm script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2004-10-12
|
FuseTalk searchresults.cfm Search String XSS
|
|
10753
Description:
FuseTalk contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the ProfileID variable upon submission to the tombstone.cfm script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2004-10-12
|
FuseTalk tombstone.cfm ProfileID Parameter XSS
|
|
10855
Description:
Coppermine Photo Gallery contains a flaw that may allow a remote attacker to arbitrary manipulate votings. The issue is triggered due the gallery relying on browser cookies to restrict voting. If cookies are turned on and a user votes, they will not be able to vote a second time. However, if the user disables cookies in their browser, Coppermine will allow them to vote as many times as they want.
|
2004-10-12
|
Coppermine Photo Gallery Voting Restriction Bypass
|
|
66484
Description:
wxWidgets contains an unspecified flaw related to wxSingleInstanceChecker. No further details have been provided.
|
2004-10-11
|
wxWidgets on Unix wxSingleInstanceChecker Unspecified Issue
|
|
19198
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in DUware DUclassified 4.0 allows remote attackers to inject arbitrary web script or HTML via the message text.
|
2004-10-11
|
DUware DUclassified Message Text XSS
|
|
10676
Description:
ZanfiCmsLite contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the index.php script not properly sanitizing input to the "inc" variable. An attacker may use this to include an arbitrary file from a remote server which will be processed and any commands executed.
|
2004-10-11
|
Zanfi CMS Lite index.php inc Variable Arbitrary Command Execution
|
|
10659
Description:
MySQL contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker uses multiple threads to ALTER the same or different MERGE tables in order to change the UNION., and will result in loss of availability for the server.
|
2004-10-11
|
MySQL ALTER MERGE Tables to Change the UNION DoS
|
|
10660
Description:
MySQL ALTER TABLE/RENAME contains a flaw that may allow a malicious user to force old permission checks. The issue is triggered when an error in ALTER TABLE/RENAME operation forces old permission checks on tables. It is possible that the flaw may allow an attacker to bypass permissions resulting in a loss of confidentiality and/or integrity.
|
2004-10-11
|
MySQL ALTER TABLE/RENAME Forces Old Permission Checks
|
|
10684
Description:
ASN.1 Compiler contains a flaw related to the CHOICE code spin. No further details have been provided.
|
2004-10-11
|
ASN.1 Compiler CHOICE Code Spin Unspecified Issue
|
|
10685
Description:
ASN.1 Compiler contains a flaw related to the "ANY Type encoding/decoding" feature which has an undisclosed impact. No further details have been provided.
|
2004-10-11
|
ASN.1 Compiler ANY Type Encoding/Decoding Unspecified Issue
|
|
10640
Description:
CJOverkill contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user supplied input to remove HTML code upon submission to the trade.php. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2004-10-11
|
CJOverkill trade.php Multiple Method XSS
|
|
10638
Description:
Turbo Traffic Trader Nitro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate "msg" array and "siteurl" variables upon submission to the ttt-webmaster.php. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2004-10-11
|
Turbo Traffic Trader Nitro ttt-webmaster.php Multiple Method XSS
|
|
10639
Description:
Turbo Traffic Trader Nitro contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the "ttt_admin" variable in settings.php is not verified properly and will allow an attacker to inject or manipulate SQL queries.
|
2004-10-11
|
Turbo Traffic Trader Nitro settings.php SQL Injection
|
|
10637
Description:
Apache mod_ssl SSL CipherSuite contains a flaw that may allow a malicious user to bypass SSL CipherSuite access restrictions. The issue is triggered when the SSL CipherSuite directive is used with a directory context to require a restricted set of cipher suites. An attacker can use an alternate ciphersuite possibly allowing them to bypass access restrictions resulting in a loss of confidentiality and/or integrity.
|
2004-10-11
|
Apache HTTP Server mod_ssl SSLCipherSuite Access Restriction Bypass
|
|
10677
Description:
Zanfi Cms Lite contains a flaw within adm_pages.php that may lead to an unauthorized information disclosure. The issue is triggered when a user sends a request for the script without arguments, which will disclose path information resulting in a loss of confidentiality.
|
2004-10-11
|
ZanfiCmsLite adm_pages.php Path Disclosure
|
|
10678
Description:
Zanfi Cms Lite contains a flaw within corr_pages that may lead to an unauthorized information disclosure. The issue is triggered when an attacker sends a request for the script without arguments, which will disclose path information resulting in a loss of confidentiality.
|
2004-10-11
|
ZanfiCmsLite corr_pages.php Path Disclosure
|
|
10679
Description:
Zanfi Cms Lite contains a flaw within del_block.php that may lead to an unauthorized information disclosure. The issue is triggered when an attacker sends a request for the script without arguments, which will disclose path information resulting in a loss of confidentiality.
|
2004-10-11
|
ZanfiCmsLite del_block.php Path Disclosure
|
|
10680
Description:
Zanfi Cms Lite contains a flaw within del_page.php that may lead to an unauthorized information disclosure. The issue is triggered when an attacker sends a request for the script without arguments, which will disclose path information resulting in a loss of confidentiality.
|
2004-10-11
|
ZanfiCmsLite del_page.php Path Disclosure
|
|
10681
Description:
Zanfi Cms Lite contains a flaw within footer.php that may lead to an unauthorized information disclosure. The issue is triggered when an attacker sends a request for the script without arguments, which will disclose path information resulting in a loss of confidentiality.
|
2004-10-11
|
ZanfiCmsLite footer.php Path Disclosure
|
|
10682
Description:
Zanfi Cms Lite contains a flaw within home.php that may lead to an unauthorized information disclosure. The issue is triggered when an attacker sends a request for the script without arguments, which will disclose path information resulting in a loss of confidentiality.
|
2004-10-11
|
ZanfiCmsLite home.php Path Disclosure
|
|
10673
Description:
Web Mail contains a flaw related to the view.html. No further details have been provided.
|
2004-10-11
|
IceWarp WebMail view.html File View Unspecified Issue
|
|
10674
Description:
Ice Warp Web Mail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2004-10-11
|
IceWarp WebMail Multiple Unspecified XSS
|
|
10760
Description:
Ideal BB contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that input variables in the SQL statements are not verified properly and will allow an attacker to inject or manipulate SQL queries.
|
2004-10-11
|
IdealBB Unspecified SQL Injection
|
|
10761
Description:
IdealBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate input variables upon submission. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2004-10-11
|
IdealBB Multiple Unspecified XSS
|
|
10762
Description:
IdealBB contains a flaw that allows a HTTP splitting attack.This could allow a user to create a specially crafted URL that would cause the target server to return a split response. This could allow the attacker to spoof content on the target server, leading to a loss of integrity.
|
2004-10-11
|
IdealBB Unspecified HTTP Splitting
|
|
10646
Description:
GNU gettext contains a flaw that may allow a malicious local user to overwrite arbitrary files. The issue is due to temporary files being created insecurely. It is possible that the flaw may allow a malicious user to overwrite arbitrary files resulting in a loss of integrity.
|
2004-10-11
|
GNU gettext Multiple Script Temporary File Symlink Arbitrary File Overwrite
|
|
10897
Description:
ClientExec contains a flaw that may lead to an unauthorized information disclosure. The issue is caused by a flaw in the default configuration which installs phpinfo.php in the main ClientExec directory. This could be exploited to disclose PHP and system configuration information resulting in a loss of confidentiality.
|
2004-10-11
|
ClientExec phpinfo.php Information Disclosure
|
|
11010
Description:
It has been reported that the Distributed Link tracking Server Service and Internet Connection Firewall Service DACL's on Windows 2003 have insecure default permissions allowing 'everyone' access to manipulate or disable the services. Subsequent posts have revealed that the default permissions are acceptable and the original poster did not fully understand the DACL permission scheme.
|
2004-10-11
|
Windows 2003 Multiple DACL Insecure Permissions
|
|
10664
Description:
DUforum contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the password in the login form is not verified properly and will allow an attacker to inject or manipulate SQL queries.
|
2004-10-11
|
DUforum Login Form Password Parameter SQL Injection
|
|
10665
Description:
DUforum contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the FOR_ID variable in the messages.asp script is not verified properly and will allow an attacker to inject or manipulate SQL queries.
|
2004-10-11
|
DUforum messages.asp FOR_ID Parameter SQL Injection
|
|
10666
Description:
DUforum contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the MSG_ID variable in the messageDetail.asp script is not verified properly and will allow an attacker to inject or manipulate SQL queries.
|
2004-10-11
|
DUforum messageDetail.asp MSG_ID Parameter SQL Injection
|
|
10667
Description:
DUforum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate data sent as a private message. This could allow a user to create a specially crafted message that would execute arbitrary code in the recipient's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
|
2004-10-11
|
DUforum Private Message XSS
|
|
11393
Description:
Unknown / Incomplete
|
2004-10-10
|
Gbook MX common.php SQL Injection
|
|
10596
Description:
BNC contains a flaw related to the handling of the backspace character that may allow an attacker to execute arbitrary BNC commands. No further details have been provided.
|
2004-10-09
|
BNC IRC Proxy Unspecified Backspace Issue
|
|
10759
Description:
NatterChat contains a flaw that will allow a remote attacker to inject arbitrary SQL code. No further details have been provided.
|
2004-10-09
|
NatterChat Unspecified SQL Injection
|
|
10671
Description:
Yeemp contains a flaw that may allow a remote attacker to overwrite arbitrary files and potentially take advantage of additional attack vectors. The issue is due to the program not properly recognizing and displaying file transfer encryption status. With a carefully crafted transfer request, an attacker could overwrite arbitrary media fils for contacts on a user's list. Additionally, this may allow an attacker to gain additional attack vectors against the netpbm and ogg123 invocations.
|
2004-10-08
|
Yeemp Unencrypted File Send Arbitrary Code Execution
|
|
10683
Description:
Unknown / Incomplete
|
2004-10-08
|
yeemp Unencrypted Key Exchange Spoofing Weakness
|
