[CLOSE] OSVDB ID : 46475 - Disclosed: 2008-06-22

Description:

EXP Shop component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'catid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 46482 - Disclosed: 2008-06-22

Description:

RSS-aggregator contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'display.php' script not properly sanitizing user input supplied to the 'path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 46480 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Directory traversal vulnerability in includes/header.php in Hedgehog-CMS 1.21 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the c_temp_path parameter. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.

[CLOSE] OSVDB ID : 46487 - Disclosed: 2008-06-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 46476 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : SQL injection vulnerability in cgi-bin/igsuite in IGSuite 3.2.4 allows remote attackers to execute arbitrary SQL commands via the formid parameter.

[CLOSE] OSVDB ID : 46486 - Disclosed: 2008-06-22

Description:

ODARS contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'resource_categories_view.php' script not properly sanitizing user input supplied to the 'CLASSES_ROOT' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 46488 - Disclosed: 2008-06-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 46533 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : World in Conflict (WIC) 1.008 and earlier allows remote attackers to cause a denial of service (access violation and crash) via a zero-byte data block to TCP port 48000, which triggers a NULL pointer dereference.

[CLOSE] OSVDB ID : 46797 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : sHibby sHop 2.2 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request to Db/urun.mdb.

[CLOSE] OSVDB ID : 46819 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : SQL injection vulnerability in index.php in PageSquid CMS 0.3 Beta allows remote attackers to execute arbitrary SQL commands via the page parameter.

[CLOSE] OSVDB ID : 46828 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in view/index.php in CMS Mini 0.2.2 allow remote attackers to read arbitrary local files via a .. (dot dot) in the (1) path and (2) p parameter.

[CLOSE] OSVDB ID : 46864 - Disclosed: 2008-06-22

Description:

HomePH Design contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'admin/templates/template_thumbnail.php' script not properly sanitizing user input supplied to the 'thumb_template' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 46866 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in backend/umleitung.php in CMReams CMS 1.3.1.1 Beta 2 allows remote attackers to inject arbitrary web script or HTML via the lang[be_red_text] parameter.

[CLOSE] OSVDB ID : 46868 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Directory traversal vulnerability in load_language.php in CMReams CMS 1.3.1.1 Beta 2, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the page_language parameter.

[CLOSE] OSVDB ID : 46869 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in phpDMCA 1.0.0 allow remote attackers to execute arbitrary PHP code via a URL in the ourlinux_root_path parameter to (1) adodb-errorpear.inc.php and (2) adodb-pear.inc.php in adodb/.

[CLOSE] OSVDB ID : 46870 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple PHP remote file inclusion vulnerabilities in phpDMCA 1.0.0 allow remote attackers to execute arbitrary PHP code via a URL in the ourlinux_root_path parameter to (1) adodb-errorpear.inc.php and (2) adodb-pear.inc.php in adodb/.

[CLOSE] OSVDB ID : 46891 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in HomePH Design 2.10 RC2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) thumb_template parameter to (a) admin/templates/template_thumbnail.php, and the (2) language parameter to (b) account/account.php, (c) downloads/downloads.php, (d) forum/forum.php, (e) fotogalerie/delete.php, and (f) fotogalerie/fotogalerie.php in admin/features/.

[CLOSE] OSVDB ID : 46892 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in HomePH Design 2.10 RC2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) thumb_template parameter to (a) admin/templates/template_thumbnail.php, and the (2) language parameter to (b) account/account.php, (c) downloads/downloads.php, (d) forum/forum.php, (e) fotogalerie/delete.php, and (f) fotogalerie/fotogalerie.php in admin/features/.

[CLOSE] OSVDB ID : 46893 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in HomePH Design 2.10 RC2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) thumb_template parameter to (a) admin/templates/template_thumbnail.php, and the (2) language parameter to (b) account/account.php, (c) downloads/downloads.php, (d) forum/forum.php, (e) fotogalerie/delete.php, and (f) fotogalerie/fotogalerie.php in admin/features/.

[CLOSE] OSVDB ID : 46894 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in HomePH Design 2.10 RC2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) thumb_template parameter to (a) admin/templates/template_thumbnail.php, and the (2) language parameter to (b) account/account.php, (c) downloads/downloads.php, (d) forum/forum.php, (e) fotogalerie/delete.php, and (f) fotogalerie/fotogalerie.php in admin/features/.

[CLOSE] OSVDB ID : 46895 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in HomePH Design 2.10 RC2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) thumb_template parameter to (a) admin/templates/template_thumbnail.php, and the (2) language parameter to (b) account/account.php, (c) downloads/downloads.php, (d) forum/forum.php, (e) fotogalerie/delete.php, and (f) fotogalerie/fotogalerie.php in admin/features/.

[CLOSE] OSVDB ID : 46896 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in HomePH Design 2.10 RC2, when register_globals is enabled, allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the (1) thumb_template parameter to (a) admin/templates/template_thumbnail.php, and the (2) language parameter to (b) account/account.php, (c) downloads/downloads.php, (d) forum/forum.php, (e) fotogalerie/delete.php, and (f) fotogalerie/fotogalerie.php in admin/features/.

[CLOSE] OSVDB ID : 46897 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in HomePH Design 2.10 RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) error_meldung parameter to admin/features/register/register.php, the (2) feature_language[ueberschrift] parameter to admin/features/memberlist/memberlist.php, the (3) language_array[ueberschrift] parameter to admin/features/lostpassword/lostpassword.php, the (4) language_feature[titel] parameter to admin/features/kalender/eingabe.php, and the (5) language_feature[bildmenu] parameter to admin/features/fotogalerie/eingabe.php.

[CLOSE] OSVDB ID : 46898 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in HomePH Design 2.10 RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) error_meldung parameter to admin/features/register/register.php, the (2) feature_language[ueberschrift] parameter to admin/features/memberlist/memberlist.php, the (3) language_array[ueberschrift] parameter to admin/features/lostpassword/lostpassword.php, the (4) language_feature[titel] parameter to admin/features/kalender/eingabe.php, and the (5) language_feature[bildmenu] parameter to admin/features/fotogalerie/eingabe.php.

[CLOSE] OSVDB ID : 46899 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in HomePH Design 2.10 RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) error_meldung parameter to admin/features/register/register.php, the (2) feature_language[ueberschrift] parameter to admin/features/memberlist/memberlist.php, the (3) language_array[ueberschrift] parameter to admin/features/lostpassword/lostpassword.php, the (4) language_feature[titel] parameter to admin/features/kalender/eingabe.php, and the (5) language_feature[bildmenu] parameter to admin/features/fotogalerie/eingabe.php.

[CLOSE] OSVDB ID : 46900 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in HomePH Design 2.10 RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) error_meldung parameter to admin/features/register/register.php, the (2) feature_language[ueberschrift] parameter to admin/features/memberlist/memberlist.php, the (3) language_array[ueberschrift] parameter to admin/features/lostpassword/lostpassword.php, the (4) language_feature[titel] parameter to admin/features/kalender/eingabe.php, and the (5) language_feature[bildmenu] parameter to admin/features/fotogalerie/eingabe.php.

[CLOSE] OSVDB ID : 46901 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in HomePH Design 2.10 RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) error_meldung parameter to admin/features/register/register.php, the (2) feature_language[ueberschrift] parameter to admin/features/memberlist/memberlist.php, the (3) language_array[ueberschrift] parameter to admin/features/lostpassword/lostpassword.php, the (4) language_feature[titel] parameter to admin/features/kalender/eingabe.php, and the (5) language_feature[bildmenu] parameter to admin/features/fotogalerie/eingabe.php.

[CLOSE] OSVDB ID : 47086 - Disclosed: 2008-06-22

Description:

(Description Provided by CVE) : upgrade.asp in sHibby sHop 2.2 and earlier does not require administrative authentication, which allows remote attackers to update a file or have unspecified other impact via a direct request.

[CLOSE] OSVDB ID : 53905 - Disclosed: 2008-06-22

Description:

HoMaP-CMS contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'html/admin/modules/plugin_admin.php' script not properly sanitizing user input supplied to the '_settings[pluginpath]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 46471 - Disclosed: 2008-06-21

Description:

CCLeague Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin.php script not properly sanitizing user-supplied input to the 'u' cookie variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 46470 - Disclosed: 2008-06-21

Description:

CCLeague Pro contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a user manipulates cookie data and sets the 'type' field to 'admin'. This flaw may lead to a loss of integrity.

[CLOSE] OSVDB ID : 46474 - Disclosed: 2008-06-21

Description:

AJ HYIP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the news.php script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 46498 - Disclosed: 2008-06-21

Description:

(Description Provided by CVE) : admin/upload.php in le.cms 1.4 and earlier allows remote attackers to bypass administrative authentication, and upload and execute arbitrary files in images/, via a nonzero value for the submit0 parameter in conjunction with filenames in the filename and upload parameters.

[CLOSE] OSVDB ID : 46483 - Disclosed: 2008-06-21

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in Online Fantasy Football League (OFFL) 0.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fflteam_id parameter to teams.php, the (2) league_id parameter to leagues.php, and the (3) player_id parameter to players.php.

[CLOSE] OSVDB ID : 46477 - Disclosed: 2008-06-21

Description:

Jamroom contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'purchase.php' script not properly sanitizing user input supplied to the 'jamroom[jm_dir] parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 46478 - Disclosed: 2008-06-21

Description:

Jamroom contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'payment.php' script not properly sanitizing user input supplied to the 'jamroom[jm_dir]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 46479 - Disclosed: 2008-06-21

Description:

(Description Provided by CVE) : Directory traversal vulnerability in index.php in AproxEngine 5.1.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.

[CLOSE] OSVDB ID : 46484 - Disclosed: 2008-06-21

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in Online Fantasy Football League (OFFL) 0.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fflteam_id parameter to teams.php, the (2) league_id parameter to leagues.php, and the (3) player_id parameter to players.php.

[CLOSE] OSVDB ID : 46485 - Disclosed: 2008-06-21

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in Online Fantasy Football League (OFFL) 0.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fflteam_id parameter to teams.php, the (2) league_id parameter to leagues.php, and the (3) player_id parameter to players.php.

[CLOSE] OSVDB ID : 46499 - Disclosed: 2008-06-21

Description:

(Description Provided by CVE) : SQL injection vulnerability in projects.php in Scientific Image DataBase 0.41 allows remote attackers to execute arbitrary SQL commands via the id parameter.