| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 64891 | 2009-12-31 | Simple:Press Plugin for WordPress TinyBrowser Restriction Bypass Arbitrary File Upload | Unknown / Incomplete |
| 64893 | 2009-12-31 | Simple:Press Plugin for WordPress Avatar Upload Handling Code Execution | Unknown / Incomplete |
| 61391 | 2009-12-31 | Avatar Studio Module for PHP-Fusion avatar_studio.php Multiple Parameter Traversal Local File Inclusion | Unknown / Incomplete |
| 61393 | 2009-12-31 | dB Masters Links Directory admin.php admin_log Cookie Manipulation Authentication Bypass | (Description Provided by CVE): admin.php in dB Masters Multimedia Links Directory 3.1.3 allows remote attackers to bypass authentication and gain administrative access via a certain value of the admin_log cookie. |
| 61402 | 2009-12-31 | Run Digital Download Component for Joomla! File Access Unspecified Issue | Unknown / Incomplete |
| 61392 | 2009-12-31 | FlashChat phpinfo.php Direct Request Information Disclosure | FlashChat contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the attacker views the [chat_dir]/phpinfo.php script, which will disclose the server's phpinfo information to a remote attacker. |
| 61394 | 2009-12-31 | iDevAffiliate signup.php payable Parameter XSS | iDevAffiliate contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'payable' parameter upon submission to the 'signup.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 61398 | 2009-12-31 | PicMe admin/banner.php URI XSS | PicMe contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the URL upon submission to the 'admin/banner.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 61396 | 2009-12-31 | UranyumSoft Listing Service database/db.mdb Direct Request Database Disclosure | UranyumSoft contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a malicious hacker requests the file "database/db.mdb" via browser, which will disclose the whole database to a remote attacker. |
| 61400 | 2009-12-31 | Wing FTP Server Unspecified XSS | Unknown / Incomplete |
| 61401 | 2009-12-31 | Wing FTP Server on Linux FTP Command Handling Remote DoS | Unknown / Incomplete |
| 61445 | 2009-12-31 | Weatimages index.php path Parameter Traversal Arbitrary Directory Access | Unknown / Incomplete |
| 61449 | 2009-12-31 | HLstatsX hlstats.php award Parameter SQL Injection | HLstatsX contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'hlstats.php' script not properly sanitizing user-supplied input to the 'award' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 61453 | 2009-12-31 | XOOPS modules/pm/readpmsg.php op Parameter XSS | XOOPS PM module contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'op' parameter upon submission to the 'modules/pm/readpmsg.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 61454 | 2009-12-31 | News Module for XOOPS include/notification_update.php not_list Parameter SQL Injection | XOOPS news module contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'include/notification_update.php' script not properly sanitizing user-supplied input to the 'not_list' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 82826 | 2009-12-31 | OpenConnect NetworkManager Authentication Dialog Use-after-free Remote DoS | OpenConnect contains a flaw related to the NetworkManager that may allow a remote denial of service. The issue is triggered when a use-after-free error occurs within the authentication dialog, and will result in loss of availability for the program. |
| 61459 | 2009-12-30 | PDF-XChange Viewer PDFXCview.exe PDF File Handling Memory Corruption | PDF-XChange Viewer contains a flaw that may allow an attacker to execute arbitrary code. The issue is triggered when PDFXCview.exe experiences an input validation error when processing a specially crafted PDF file. |
| 61388 | 2009-12-30 | Esinti Web Design Gold Defter data/defter.mdb Direct Request Database Disclosure | Unknown / Incomplete |
| 61389 | 2009-12-30 | phpAuction register.php Multiple Parameter XSS | phpAuction contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'TPL_name', 'TPL_nick', 'TPL_email', 'TPL_birthdate', 'TPL_address', 'TPL_city', 'TPL_prov', 'TPL_zip' and 'TPL_phone' parameters upon submission to the 'register.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 61385 | 2009-12-30 | Futility Forum message.mdb Direct Request Database Disclosure | Unknown / Incomplete |
| 61390 | 2009-12-30 | Despe FreeCell solitaire.php Multiple Parameter XSS | Despe FreeCell contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'col1', 'col2', 'col3', 'col4', 'col5', 'col6', 'col7', 'col8', 'as21', 'as22', 'as23', 'as24', 'res11', 'res12', 'res13', and 'res14' parameters upon submission to the 'solitaire.php' script when 'nbcoup' is set to a number between 1 and 9. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 61399 | 2009-12-30 | Autocomplete Widgets for CCK Text and Number Module for Drupal Access Restriction Bypass | Unknown / Incomplete |
| 61397 | 2009-12-30 | I-Escorts Directory country_escorts.php country_id Parameter SQL Injection | I-Escorts Directory contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'country_escorts.php' script not properly sanitizing user-supplied input to the 'country_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 61561 | 2009-12-30 | Artist avenue Component for Mambo / Joomla! index.php Itemid Parameter XSS | Artist avenue Component for Mambo / Joomla! contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'Itemid' parameter upon submission to the 'index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 61563 | 2009-12-30 | RoseOnlineCMS modules/admincp.php admin Parameter Traversal Local File Inclusion | RoseOnlineCMS contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'modules/admincp.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'admin' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server. |
| 61564 | 2009-12-30 | Dictionary Module for XOOPS detail.php id Parameter SQL Injection | Dictionary Module for XOOPS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'detail.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 61386 | 2009-12-29 | BigAnt Messenger AntServer Module (AntServer.exe) USV Request Handling Remote Overflow | Unknown / Incomplete |
| 61380 | 2009-12-29 | SenseSites CommonSense CMS search.php q Parameter XSS | CommonSense CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'q' parameter upon submission to the 'search.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 61424 | 2009-12-29 | AproxEngine index.php Multiple Parameter SQL Injection | AproxEngine contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'login', 'password', 'art', 'Referer', 'from', 'generator', 'author', 'description', 'keywords', 'mail' and 'betreff' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 61384 | 2009-12-29 | phpFK PHP Forum ohne search.php search Parameter XSS | phpFK PHP Forum ohne contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'search' parameter upon submission to the 'search.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 61387 | 2009-12-29 | MySimpleFileUploader upload.php File Upload Arbitrary PHP Code Execution | Unknown / Incomplete |
| 61381 | 2009-12-29 | Helpdesk Pilot knowledgebase.php article_id Parameter SQL Injection | Helpdesk Pilot contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'knowledgebase.php' script not properly sanitizing user-supplied input to the 'article_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 61395 | 2009-12-29 | DirectAdmin Admin Account Creation CSRF | Unknown / Incomplete |
| 61419 | 2009-12-29 | MyBB inc/functions_time.php Crafted Year Value Request Remote DoS | (Description Provided by CVE): inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and possibly other vectors. |
| 61425 | 2009-12-29 | AproxEngine index.php Multiple Parameter XSS | AproxEngine contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'login' and 'password' parameters upon submission to the 'index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 61426 | 2009-12-29 | AproxEngine engine/inc/galerie_unlink.php datei Parameter Arbitrary File Deletion | Unknown / Incomplete |
| 61427 | 2009-12-29 | AproxEngine engine/inc/galerie_del_verz.php del_verz Parameter Arbitrary Directory Deletion | Unknown / Incomplete |
| 61428 | 2009-12-29 | AproxEngine index.php from Parameter Admin Email Spoofing Weakness | Unknown / Incomplete |
| 61652 | 2009-12-29 | Visualization Library Unspecified Issue | (Description Provided by CVE): Multiple unspecified vulnerabilities in Visualization Library before 2009.08.812 have unknown impact and attack vectors. |
| 63881 | 2009-12-29 | FreeWebshop.org HTTP Header IP Spoofing Weakness | Unknown / Incomplete |