| OSVDB ID | Disclosure Date | Title |
|
62724
Description:
Unknown / Incomplete
|
2009-12-16
|
Drupal Core Locale Module Languages Interface Multiple Parameter XSS
|
|
63027
Description:
(Description Provided by CVE) : Unspecified vulnerability in the ClickHeat plugin, as used in phpMyVisites before 2.4, has unknown impact and attack vectors. NOTE: due to lack of details from the vendor, it is not clear whether this is related to CVE-2008-5793.
|
2009-12-16
|
phpMyVisites ClickHeat Plugin Unspecified Issue
|
|
64510
Description:
Unknown / Incomplete
|
2009-12-16
|
QuickHeal AntiVirus Permission Weakness Local Privilege Escalation
|
|
61055
Description:
daloRADIUS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'error' parameter upon submission to the 'daloradius-users/login.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2009-12-15
|
daloRADIUS daloradius-users/login.php error Parameter XSS
|
|
61211
Description:
Unknown / Incomplete
|
2009-12-15
|
Trango Access5830 Subscriber Unit Synchronization SUID Prediction Authentication Weakness
|
|
67684
Description:
(Description Provided by CVE) : The Relational Data Services component in IBM DB2 9.5 before FP5 allows attackers to obtain the password argument from the SET ENCRYPTION PASSWORD statement via vectors involving the GET SNAPSHOT FOR DYNAMIC SQL command.
|
2009-12-15
|
IBM DB2 Universal Database Relational Data Services Component SET ENCRYPTION PASSWORD Statement Password Disclosure
|
|
61049
Description:
(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.
|
2009-12-15
|
VMware vCenter Lab Manager WebWorks Help Page wwhelp_entry.html XSS
|
|
61305
Description:
(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.
|
2009-12-15
|
VMware vCenter Lab Manager WebWorks Help Page wwhelp/wwhimpl/api.htm XSS
|
|
61306
Description:
(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.
|
2009-12-15
|
VMware vCenter Lab Manager WebWorks Help Page wwhelp/wwhimpl/common/html/frameset.htm XSS
|
|
61308
Description:
(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in WebWorks Help 2.0 through 5.0 in VMware vCenter 4.0 before Update 1 Build 208156; VMware Server 2.0.2; VMware ESX 4.0; VMware Lab Manager 2.x; VMware vCenter Lab Manager 3.x and 4.x before 4.0.1; VMware Stage Manager 1.x before 4.0.1; WebWorks Publisher 6.x through 8.x; WebWorks Publisher 2003; and WebWorks ePublisher 9.0.x through 9.3, 2008.1 through 2008.4, and 2009.x before 2009.3 allow remote attackers to inject arbitrary web script or HTML via (1) wwhelp_entry.html, reachable through index.html and wwhsec.htm, (2) wwhelp/wwhimpl/api.htm, (3) wwhelp/wwhimpl/common/html/frameset.htm, (4) wwhelp/wwhimpl/common/scripts/switch.js, or (5) the window.opener component in wwhelp/wwhimpl/common/html/bookmark.htm, related to (a) unspecified parameters and (b) messages used in topic links for the bookmarking functionality.
|
2009-12-15
|
VMware vCenter Lab Manager WebWorks Help Page wwhelp/wwhimpl/common/html/bookmark.htm XSS
|
|
67680
Description:
(Description Provided by CVE) : Unspecified vulnerability in the DRDA Services component in IBM DB2 9.5 before FP5 allows remote authenticated users to cause a denial of service (server trap) by calling a SQL stored procedure in unknown circumstances.
|
2009-12-15
|
IBM DB2 Universal Database DRDA Services Component SQL Stored Procedure Unspecified Remote DoS
|
|
67681
Description:
(Description Provided by CVE) : Unspecified vulnerability in the Engine Utilities component in IBM DB2 9.5 before FP5 allows remote authenticated users to cause a denial of service (segmentation fault) by modifying the db2ra data stream sent in a request from the Load Utility.
|
2009-12-15
|
IBM DB2 Universal Database Engine Utilities Component Load Utility db2ra Data Stream Manipulation Remote DoS
|
|
67682
Description:
(Description Provided by CVE) : Unspecified vulnerability in db2licm in the Engine Utilities component in IBM DB2 9.5 before FP5 has unknown impact and local attack vectors.
|
2009-12-15
|
IBM DB2 Universal Database Engine Utilities Component db2licm Unspecified Local Issue
|
|
67683
Description:
(Description Provided by CVE) : The Install component in IBM DB2 9.5 before FP5 and 9.7 before FP1 configures the High Availability (HA) scripts with incorrect file-permission and authorization settings, which has unknown impact and local attack vectors.
|
2009-12-15
|
IBM DB2 Universal Database Install Component High Availability (HA) Scripts Installation Permission Weakness Unspecified Local Issue
|
|
63325
Description:
IntelliCom NetBiterConfig utility versions 1.3.0 and earlier are prone to a stack-based overflow condition. The utility fails to bound the length of user-supplied input in the hostname field of an HICP-protocol request (a hostname of 0x60 bytes is enough to trigger the overflow). With a specially crafted HICP-protocol UDP packet, a remote attacker can potentially cause the affected application to crash or execute arbitrary code.
|
2009-12-15
|
Intellicom NetBiter webSCADA NetBiterConfig.exe hn Parameter Remote Overflow
|
|
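The NetBiterConfig entry above describes the classic shape of this bug: a length-unbounded copy of a network field into a fixed stack buffer. The following is an added example (not IntelliCom code and not the real HICP wire format; the key=value;key=value layout, the field name `hn`, and the buffer size `HN_BUFFER_SIZE` are assumptions) that models the unchecked copy, the bounds-and-charset guard that should sit in front of it, and a small detector that flags datagrams whose hostname field would overflow:

```python
import re
from typing import Dict, Optional, Tuple

# Assumed size of the fixed stack buffer that receives the hostname. The
# advisory only states that a 0x60-byte hostname overflows it, so any
# bound at or below that is consistent with the report.
HN_BUFFER_SIZE = 0x40

# Constructed, simplified field syntax. The real IntelliCom HICP wire format
# is not reproduced here; only the 'hn' (hostname) field matters.
FIELD_RE = re.compile(rb"([A-Za-z]+)=([^;]*)")
HOSTNAME_OK = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")


def parse_fields(payload: bytes) -> Dict[bytes, bytes]:
    """Split the datagram into lower-cased field name -> raw value."""
    return {k.lower(): v for k, v in FIELD_RE.findall(payload)}


def copy_hostname_unchecked(payload: bytes) -> Tuple[bytes, bool]:
    """Models the vulnerable path: an unbounded strcpy-style copy into a
    fixed buffer. Returns what fits in the buffer and whether the copy ran
    past its end (the terminating NUL needs one byte too, hence >=)."""
    hn = parse_fields(payload).get(b"hn", b"")
    return hn[:HN_BUFFER_SIZE], len(hn) >= HN_BUFFER_SIZE


def hostname_or_reject(payload: bytes) -> Optional[bytes]:
    """Hardened path: bound and character-check the field before any copy."""
    hn = parse_fields(payload).get(b"hn")
    if hn is None or len(hn) >= HN_BUFFER_SIZE:
        return None
    if not HOSTNAME_OK.fullmatch(hn):
        return None
    return hn


def build_probe(hostname_len: int, fill: bytes = b"A") -> bytes:
    """Constructed datagram with a hostname of the given length, e.g. the
    0x60-byte case the advisory cites."""
    return b"Protocol=HICP;HN=" + fill * hostname_len + b";"


def flag_oversized_hn(datagrams) -> list:
    """Detection helper: indexes of datagrams whose hn field would overflow
    the buffer, usable over captured UDP payloads."""
    return [i for i, d in enumerate(datagrams) if copy_hostname_unchecked(d)[1]]


if __name__ == "__main__":
    print(copy_hostname_unchecked(build_probe(0x60)))   # (b'AAAA...', True)
    print(hostname_or_reject(build_probe(0x60)))        # None
    print(hostname_or_reject(b"HN=netbiter-01;"))       # b'netbiter-01'
```

The guard rejects on length before the charset check so that an oversized field never reaches any parsing or copying code; the charset rule is the RFC-style hostname alphabet, which also removes the odd bytes a crafted packet would carry.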
60980
Description:
Acrobat and Reader contain a flaw that may allow an attacker to execute arbitrary code. The issue is triggered by a use-after-free condition in Doc.media.newPlayer when parsing a specially crafted PDF file.
|
2009-12-15
|
Adobe Reader / Acrobat Doc.media.newPlayer Use-After-Free Arbitrary Code Execution
|
|
61023
Description:
(Description Provided by CVE) : Unspecified vulnerability in the Watchdog (aba_watchdog) extension 2.0.2 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unknown attack vectors.
|
2009-12-15
|
Watchdog Extension for TYPO3 Unspecified Information Disclosure
|
|
61024
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the ListMan (nl_listman) extension 1.2.1 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
2009-12-15
|
ListMan Extension for TYPO3 Unspecified XSS
|
|
60984
Description:
(Description Provided by CVE) : Directory traversal vulnerability in Pforum.php in Rocomotion P forum before 1.28 allows remote attackers to read arbitrary files via directory traversal sequences in unspecified vectors.
|
2009-12-15
|
Rocomotion P Forum Pforum.php Unspecified Parameter Traversal Arbitrary File Access
|
|
61043
Description:
(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in the administration interface in Horde Application Framework before 3.3.6, Horde Groupware before 1.2.5, and Horde Groupware Webmail Edition before 1.2.5 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) phpshell.php, (2) cmdshell.php, or (3) sqlshell.php in admin/, related to the PHP_SELF variable.
|
2009-12-15
|
Horde Administration Interface admin/phpshell.php PATH_INFO Parameter XSS
|
|
61180
Description:
Unknown / Incomplete
|
2009-12-15
|
jCore Multiple Unspecified Issues (0.4)
|
|
61050
Description:
(Description Provided by CVE) : Multiple cross-site request forgery (CSRF) vulnerabilities in PyForum 1.0.3 and possibly earlier versions, and possibly zForum, allow remote attackers to hijack the authentication of victims for requests that change passwords, and other unspecified requests, via unknown vectors.
|
2009-12-15
|
PyForum User Credentials Modification CSRF
|
|
61053
Description:
Unknown / Incomplete
|
2009-12-15
|
iGaming CMS users.php User Account Creation CSRF
|
|
61054
Description:
Unknown / Incomplete
|
2009-12-15
|
Dubsite CMS Admin Account Creation CSRF
|
|
61057
Description:
Linkster contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'linkster.php' script not properly sanitizing user-supplied input to the 'CID' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2009-12-15
|
Linkster linkster.php CID Parameter SQL Injection
|
|
61051
Description:
(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in models.parser in PyForum 1.0.3 and possibly earlier versions, and possibly zForum, allow remote attackers to inject arbitrary web script or HTML via crafted BBcode (1) img or (2) url tags, which are not properly handled when a post is viewed.
|
2009-12-15
|
PyForum BBcode Tags Unspecified XSS
|
|
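The PyForum entry above is a stored XSS through a BBcode renderer that copies the contents of `[img]` and `[url=...]` tags into HTML attributes. The following is an added example (not PyForum or zForum code; the tag grammar, `render_naive`, `render_safe` and the test posts are constructed for illustration) showing the trusting renderer beside one that escapes all text and only emits an attribute when the URL scheme is on an allow-list:

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S | re.I)
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.S | re.I)
# Combined tokenizer for the safe renderer: group 1/2 = url tag, group 3 = img tag.
TOKEN = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]|\[img\](.*?)\[/img\]", re.S | re.I)


def render_naive(post: str) -> str:
    """Vulnerable pattern: tag contents are pasted straight into attributes,
    so javascript: URLs and quote-breaking values become live HTML."""
    out = URL_TAG.sub(r'<a href="\1">\2</a>', post)
    return IMG_TAG.sub(r'<img src="\1">', out)


def safe_url(raw: str) -> Optional[str]:
    """Return an attribute-safe URL, or None if the scheme is not allowed.
    urlsplit() strips the tab/newline tricks used to smuggle 'java\\nscript:'."""
    url = raw.strip()
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return html.escape(url, quote=True)


def render_safe(post: str) -> str:
    """Escape every run of plain text, then reintroduce only the markup we
    generate ourselves, with validated URLs and escaped link labels."""
    out, pos = [], 0
    for m in TOKEN.finditer(post):
        out.append(html.escape(post[pos:m.start()], quote=True))
        if m.group(1) is not None:                      # [url=...]label[/url]
            href = safe_url(m.group(1))
            label = html.escape(m.group(2), quote=True)
            out.append(f'<a href="{href}" rel="nofollow">{label}</a>' if href else label)
        else:                                           # [img]src[/img]
            src = safe_url(m.group(3))
            out.append(f'<img src="{src}" alt="">' if src else html.escape(m.group(3), quote=True))
        pos = m.end()
    out.append(html.escape(post[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    for post in ("[url=javascript:alert(1)]click[/url]",
                 '[img]x" onerror="alert(1)[/img]',
                 "[url=https://example.com/?a=1&b=2]site[/url]"):
        print(render_naive(post))
        print(render_safe(post))
```

Rejected URLs degrade to their escaped text rather than being silently dropped, which keeps the post readable for moderators while never producing an attribute from attacker-chosen bytes.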
61061
Description:
SitioOnline contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'lista_articulos.php' script not properly sanitizing user-supplied input to the 'id_categoria' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2009-12-15
|
SitioOnline lista_articulos.php id_categoria Parameter SQL Injection
|
|
61062
Description:
SitioOnline contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'detalle_articulo.php' script not properly sanitizing user-supplied input to the 'id_producto' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2009-12-15
|
SitioOnline detalle_articulo.php id_producto Parameter SQL Injection
|
|
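The Linkster (`CID`), SitioOnline `id_categoria` and SitioOnline `id_producto` entries above all describe the same defect: a numeric request parameter concatenated into a query. The following is an added example (not SitioOnline or Linkster code; the table and column names, the in-memory SQLite schema and the attack strings are constructed for illustration) showing how concatenation lets one parameter both bypass a filter and read a second table, beside the type-checked, parameterized form:

```python
import sqlite3
from typing import List

# Constructed in-memory schema standing in for the back-end database. Only
# the parameter names come from the advisories; everything else is assumed.
SCHEMA = """
CREATE TABLE articulos (id_producto INTEGER, id_categoria INTEGER, titulo TEXT, publicado INTEGER);
INSERT INTO articulos VALUES (1, 10, 'public item', 1),
                             (2, 10, 'hidden draft', 0),
                             (3, 20, 'other category', 1);
CREATE TABLE usuarios (usuario TEXT, clave TEXT);
INSERT INTO usuarios VALUES ('admin', 'hunter2');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def detalle_vulnerable(conn: sqlite3.Connection, id_producto: str) -> List[str]:
    """String concatenation: the parameter becomes SQL syntax, not data."""
    sql = ("SELECT titulo FROM articulos WHERE publicado = 1 AND id_producto = "
           + id_producto)
    return [row[0] for row in conn.execute(sql)]


def detalle_fixed(conn: sqlite3.Connection, id_producto: str) -> List[str]:
    """Type-check the input and bind it as a parameter; the query text is
    constant, so no value can change its structure."""
    try:
        pid = int(id_producto)
    except ValueError:
        return []
    sql = "SELECT titulo FROM articulos WHERE publicado = 1 AND id_producto = ?"
    return [row[0] for row in conn.execute(sql, (pid,))]


# Constructed attack values for a numeric parameter such as id_producto.
TAUTOLOGY = "1 OR 1=1"                               # manipulation: AND binds tighter, so the publicado filter is lost
UNION_LEAK = "0 UNION SELECT clave FROM usuarios"    # disclosure: appends rows from another table


if __name__ == "__main__":
    db = make_db()
    print(detalle_vulnerable(db, TAUTOLOGY))    # all three rows, including the unpublished draft
    print(detalle_vulnerable(db, UNION_LEAK))   # ['hunter2']
    print(detalle_fixed(db, TAUTOLOGY))         # []
    print(detalle_fixed(db, "1"))               # ['public item']
```

The integer conversion is a defence in depth on top of the bound parameter: a numeric ID should never reach the database as anything but an integer, and rejecting it early also keeps junk values out of error logs.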
61134
Description:
(Description Provided by CVE) : CQWeb (aka the web interface) in IBM Rational ClearQuest before 7.1.1 does not properly handle use of legacy URLs for automatic login, which might allow attackers to discover the passwords for user accounts via unspecified vectors.
|
2009-12-15
|
IBM Rational ClearQuest CQWeb Unspecified Password Disclosure
|
|
61115
Description:
Ez Faq Maker contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'sid' parameter upon submission to the 'index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2009-12-15
|
Ez Faq Maker index.php sid Parameter XSS
|
|
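The daloRADIUS (`error` parameter), Ez Faq Maker (`sid` parameter) and Horde (`PATH_INFO` via `PHP_SELF`) entries above are all reflected XSS in a page that echoes request data unescaped; the Horde case is the subtler one, because `$_SERVER['PHP_SELF']` silently includes the attacker-controlled path suffix. The following is an added example (not daloRADIUS, Ez Faq Maker or Horde code; the page functions, the sample query string and the sample `PATH_INFO` are constructed for illustration) that models both vectors in one login page and the corresponding fix:

```python
import html
from urllib.parse import parse_qs

# Constructed sample request pieces: a hostile 'error' query parameter and a
# hostile PATH_INFO suffix appended to a real-looking script path.
SAMPLE_QUERY = "error=<script>alert(1)</script>"
SAMPLE_SCRIPT_NAME = "/admin/phpshell.php"
SAMPLE_PATH_INFO = '/"><script>alert(2)</script>'


def php_self(script_name: str, path_info: str) -> str:
    """Mimic PHP's $_SERVER['PHP_SELF']: the script path plus the raw,
    client-controlled PATH_INFO suffix (the Horde vector)."""
    return script_name + path_info


def login_page_vulnerable(query: str, script_name: str, path_info: str) -> str:
    """Hypothetical vulnerable page: the error text lands in element content
    and PHP_SELF lands in an attribute, both unescaped."""
    error = parse_qs(query).get("error", [""])[0]
    action = php_self(script_name, path_info)
    return (f'<form action="{action}" method="post">'
            f'<p class="error">{error}</p></form>')


def login_page_fixed(query: str, script_name: str, path_info: str) -> str:
    """Hardened page: the form target is built from SCRIPT_NAME only (PATH_INFO
    is never echoed), and the reflected error is escaped with quote=True so
    it is inert in both element content and attribute values."""
    error = parse_qs(query).get("error", [""])[0]
    action = html.escape(script_name, quote=True)
    return (f'<form action="{action}" method="post">'
            f'<p class="error">{html.escape(error, quote=True)}</p></form>')


def reflects_script(rendered: str) -> bool:
    """Check used by the test: did a raw <script> tag survive into the HTML?"""
    return "<script>" in rendered


if __name__ == "__main__":
    print(login_page_vulnerable(SAMPLE_QUERY, SAMPLE_SCRIPT_NAME, SAMPLE_PATH_INFO))
    print(login_page_fixed(SAMPLE_QUERY, SAMPLE_SCRIPT_NAME, SAMPLE_PATH_INFO))
```

Escaping at the point of output is the rule that covers every parameter at once; per-parameter "validation" of `error` or `sid` would have left the `PHP_SELF` case untouched.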
61157
Description:
(Description Provided by CVE) : The D-Link DIR-615 with firmware 3.10NA does not require administrative authentication for apply.cgi, which allows remote attackers to (1) change the admin password via the admin_password parameter, (2) disable the security requirement for the Wi-Fi network via unspecified vectors, or (3) modify DNS settings via unspecified vectors.
|
2009-12-15
|
D-Link DIR-615 apply.cgi Crafted HTTP Request Admin Authentication Bypass
|
|
61143
Description:
Unknown / Incomplete
|
2009-12-15
|
Ez News Manager admin.php Admin Password Manipulation CSRF
|
|
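The D-Link DIR-615 entry (apply.cgi honours `admin_password` with no authentication at all) and the CSRF entries for PyForum, iGaming CMS, Dubsite CMS and Ez News Manager (authenticated, but a victim's browser can be made to send the request) are two failure modes of the same state-changing endpoint. The following is an added example (not D-Link firmware, PyForum or any of the CMS projects' code; the handler names, the session store, the `sid` cookie, the `csrf_token` form field and `CSRF_KEY` are assumptions) that models both vulnerable patterns and a handler that requires a valid session and a session-bound CSRF token before applying a password change:

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Assumed per-deployment secret; it would come from configuration, never from the request.
CSRF_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token bound to the session by HMAC. An attacker's page cannot read it,
    so a cross-site form cannot include it."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_apply_unauthenticated(cookies: Dict[str, str], form: Dict[str, str],
                                 sessions: Dict[str, str], users: Dict[str, str]) -> int:
    """Vulnerable pattern 1 (the DIR-615 apply.cgi case): no authentication,
    so any remote request carrying admin_password changes the password."""
    if "admin_password" in form:
        users["admin"] = form["admin_password"]
        return 200
    return 400


def handle_apply_session_only(cookies: Dict[str, str], form: Dict[str, str],
                              sessions: Dict[str, str], users: Dict[str, str]) -> int:
    """Vulnerable pattern 2 (the CSRF entries): a session is required, but the
    browser attaches the cookie automatically, so a forged request still works."""
    user = sessions.get(cookies.get("sid", ""))
    if user is None:
        return 401
    users[user] = form["admin_password"]
    return 200


def handle_apply_fixed(cookies: Dict[str, str], form: Dict[str, str],
                       sessions: Dict[str, str], users: Dict[str, str]) -> int:
    """Hardened: authenticate first, then require a token that only the
    application's own page could have embedded; compare in constant time."""
    sid = cookies.get("sid", "")
    user = sessions.get(sid)
    if user is None:
        return 401
    presented = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(presented, csrf_token(sid).encode()):
        return 403
    users[user] = form["admin_password"]
    return 200


if __name__ == "__main__":
    # Constructed state: one logged-in admin and the form a hostile page would submit.
    sessions = {"sess-admin-1": "admin"}
    forged = {"admin_password": "pwned"}
    for handler in (handle_apply_unauthenticated, handle_apply_session_only, handle_apply_fixed):
        users = {"admin": "old-password"}
        status = handler({"sid": "sess-admin-1"}, forged, sessions, users)
        print(handler.__name__, status, users["admin"])
```

The order of checks matters: authentication decides who is asking, the token decides whether the user actually meant to ask, and neither check can substitute for the other.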
61250
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the Diocese of Portsmouth Calendar (pd_calendar) extension 0.4.1 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
2009-12-15
|
Diocese of Portsmouth Calendar Extension for TYPO3 Unspecified XSS
|
|
61251
Description:
(Description Provided by CVE) : SQL injection vulnerability in the Diocese of Portsmouth Calendar (pd_calendar) extension 0.4.1 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors, a different issue than CVE-2008-6691.
|
2009-12-15
|
Diocese of Portsmouth Calendar Extension for TYPO3 Unspecified SQL Injection
|
|
61252
Description:
(Description Provided by CVE) : SQL injection vulnerability in the Flash SlideShow (slideshow) extension 0.2.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
|
2009-12-15
|
Flash SlideShow Extension for TYPO3 Unspecified SQL Injection
|
|
61253
Description:
(Description Provided by CVE) : SQL injection vulnerability in the Subscription (mf_subscription) extension 0.2.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
|
2009-12-15
|
Subscription Extension for TYPO3 Unspecified SQL Injection
|
|
61254
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the No indexed Search (no_indexed_search) extension 0.2.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
2009-12-15
|
No indexed Search Extension for TYPO3 Unspecified XSS
|
|
61255
Description:
(Description Provided by CVE) : SQL injection vulnerability in the No indexed Search (no_indexed_search) extension 0.2.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
|
2009-12-15
|
No indexed Search Extension for TYPO3 Unspecified SQL Injection
|
|
61256
Description:
(Description Provided by CVE) : SQL injection vulnerability in the Job Exchange (jobexchange) extension 0.0.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.
|
2009-12-15
|
Job Exchange Extension for TYPO3 Unspecified SQL Injection
|
|
61257
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the Training Company Database (trainincdb) extension 0.4.7 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
2009-12-15
|
Training Company Database Extension for TYPO3 Unspecified XSS
|