[CLOSE] OSVDB ID : 52808 - Disclosed: 2008-11-06

Description:

SoftComplex PHP Image Gallery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'ctg' and 'Admin' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 53224 - Disclosed: 2008-11-06

Description:

Nice PHP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the FAQ script not properly sanitizing user-supplied input to the 'Password' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 53672 - Disclosed: 2008-11-06

Description:

DeltaScripts PHP Links contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/adm_login.php' script not properly sanitizing user-supplied input to the 'admin_username' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 53700 - Disclosed: 2008-11-06

Description:

Pre ADS Portal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'msg' parameters upon submission to the 'x' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 53701 - Disclosed: 2008-11-06

Description:

Pre ADS Portal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'msg' parameters upon submission to the 'x' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 50306 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.8 RC1 allow remote attackers to inject arbitrary web script or HTML via (1) Testproject Names and (2) Testplan Names in planEdit.php, and possibly (3) Testcaseprefixes in projectview.tpl.

[CLOSE] OSVDB ID : 50307 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in TestLink before 1.8 RC1 allow remote attackers to inject arbitrary web script or HTML via (1) Testproject Names and (2) Testplan Names in planEdit.php, and possibly (3) Testcaseprefixes in projectview.tpl.

[CLOSE] OSVDB ID : 49695 - Disclosed: 2008-11-05

Description:

Mole Group Taxi Google API Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'login.php' script not properly sanitizing user-supplied input to the 'user name' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49694 - Disclosed: 2008-11-05

Description:

Mole Group Airline Ticket Sale Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'info.php' script not properly sanitizing user-supplied input to the 'flight' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49735 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : The SPARC hypervisor in Sun System Firmware 6.6.3 through 6.6.5 and 7.1.3 through 7.1.3.e on UltraSPARC T1, T2, and T2+ processors allows logical domain users to access memory in other logical domains via unknown vectors.

[CLOSE] OSVDB ID : 49588 - Disclosed: 2008-11-05

Description:

Pre Podcast Portal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'Tour.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 50070 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Directory traversal vulnerability in index.php in Simple Machines Forum (SMF) 1.0 before 1.0.15 and 1.1 before 1.1.7 allows remote authenticated administrators to install packages from arbitrary directories via a .. (dot dot) in the package parameter during an install2 action, as demonstrated by a predictable package filename in attachments/ that was uploaded through a post2 action to index.php.

[CLOSE] OSVDB ID : 49809 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.

[CLOSE] OSVDB ID : 50037 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : system-tools-backends before 2.6.0-1ubuntu1.1 in Ubuntu 8.10, as used by "Users and Groups" in GNOME System Tools, hashes account passwords with 3DES and consequently limits effective password lengths to eight characters, which makes it easier for context-dependent attackers to successfully conduct brute-force password attacks.

[CLOSE] OSVDB ID : 49579 - Disclosed: 2008-11-05

Description:

PHP Auto Listings contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'moreinfo.php' script not properly sanitizing user-supplied input to the 'itemno' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49571 - Disclosed: 2008-11-05

Description:

Drinks Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'recid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49737 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Novell Access Manager 3 SP4 does not properly expire X.509 certificate sessions, which allows physically proximate attackers to obtain a logged-in session by using a victim's web-browser process that continues to send the original and valid SSL sessionID, related to inability of Apache Tomcat to clear entries from its SSL cache.

[CLOSE] OSVDB ID : 49808 - Disclosed: 2008-11-05

Description:

A remote overflow exists in VideoLAN VLC Media Player. The media player fails to properly bounds check CUE Demuxer images resulting in a stack overflow. With a specially crafted image, an attacker can cause arbitrary code execution resulting in a loss of integrity.

[CLOSE] OSVDB ID : 49572 - Disclosed: 2008-11-05

Description:

Dada Mail Manager Component for Joomla! contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'config.dadamail.php' script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 49573 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Pre Classified Listing PHP allows remote attackers to bypass authentication and gain administrative access by setting the (1) adminname and the (2) adminid cookies to "admin".

[CLOSE] OSVDB ID : 49574 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : The get_file_type function in lib/file_content.php in DFLabs PTK 0.1, 0.2, and 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters after an arg1= sequence in a filename within a forensic image.

[CLOSE] OSVDB ID : 49580 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the administrative interface in Drupal Content Construction Kit (CCK) 5.x before 5.x-1.10 and 6.x before 6.x-2.0, a module for Drupal, allows remote authenticated users with "administer content" permissions to inject arbitrary web script or HTML via (1) field labels and (2) content-type names.

[CLOSE] OSVDB ID : 49601 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Unspecified vulnerability in the VLAN Trunking Protocol (VTP) implementation on Cisco IOS and CatOS, when the VTP operating mode is not transparent, allows remote attackers to cause a denial of service (device reload or hang) via a crafted VTP packet sent to a switch interface configured as a trunk port.

[CLOSE] OSVDB ID : 49709 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Unspecified vulnerability in Adobe ColdFusion 8 and 8.0.1 and ColdFusion MX 7.0.2 allows local users to bypass sandbox restrictions, and obtain sensitive information or possibly gain privileges, via unknown vectors.

[CLOSE] OSVDB ID : 49636 - Disclosed: 2008-11-05

Description:

hMailServer PHPWebAdmin contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'index.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'page' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 49637 - Disclosed: 2008-11-05

Description:

hMailServer PHPWebAdmin contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'initialize.php' script not properly sanitizing user input supplied to the 'hmail_config[includepath]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 49662 - Disclosed: 2008-11-05

Description:

Pre Simple CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'siteadmin/loginsucess.php' script not properly sanitizing user-supplied input to the 'user' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49716 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Unspecified vulnerability in the AdvFS showfile command in HP Tru64 UNIX 5.1B-3 and 5.1B-4 allows local users to gain privileges via unspecified vectors.

[CLOSE] OSVDB ID : 49753 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in Adobe Flash Player 9.0.124.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving HTTP response headers.

[CLOSE] OSVDB ID : 49780 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Unspecified vulnerability in Adobe Flash Player 9.0.124.0 and earlier makes it easier for remote attackers to conduct DNS rebinding attacks via unknown vectors.

[CLOSE] OSVDB ID : 49781 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Unspecified vulnerability in the Flash Player ActiveX control in Adobe Flash Player 9.0.124.0 and earlier on Windows allows attackers to obtain sensitive information via unknown vectors.

[CLOSE] OSVDB ID : 49783 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Adobe Flash Player 9.0.124.0 and earlier, when a Mozilla browser is used, does not properly interpret jar: URLs, which allows attackers to obtain sensitive information via unknown vectors.

[CLOSE] OSVDB ID : 49785 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Adobe Flash Player 9.0.124.0 and earlier does not properly interpret policy files, which allows remote attackers to bypass a non-root domain policy.

[CLOSE] OSVDB ID : 49790 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in Adobe Flash Player 9.0.124.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to loose interpretation of an ActionScript attribute.

[CLOSE] OSVDB ID : 49821 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Heap-based buffer overflow in the cddb_read_disc_data function in cddb.c in libcdaudio 0.99.12p2 allows remote CDDB servers to execute arbitrary code via long CDDB data.

[CLOSE] OSVDB ID : 49840 - Disclosed: 2008-11-05

Description:

Small ShoutBox Module for phpBB contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'shoutbox_view.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 52280 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Pre Multi-Vendor Shopping Malls allows remote attackers to bypass authentication and gain administrative access by setting the (1) adminname and the (2) adminid cookies to "admin".

[CLOSE] OSVDB ID : 52281 - Disclosed: 2008-11-05

Description:

Pre Multi-Vendor Shopping Malls contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the buyer_detail.php script not properly sanitizing user-supplied input to the 'sid' and 'cid' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 53709 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : homeadmin/adminhome.php in Pre ADS Portal 2.0 and earlier does not require administrative authentication, which allows remote attackers to have an unspecified impact via a direct request.

[CLOSE] OSVDB ID : 54276 - Disclosed: 2008-11-05

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in login.php in Pre Projects Pre Real Estate Listings allow remote attackers to execute arbitrary SQL commands via (1) the us parameter (aka the Username field) or (2) the ps parameter (aka the Password field).