| OSVDB ID | Disclosure Date | Title |
|---|
|
51766
Description:
Active Bids contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'search.asp' script not properly sanitizing user-supplied input to the 'search' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
2009-01-16
|
Active Bids search.asp search Parameter SQL Injection
|
|
51767
Description:
Active Bids contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'auctionsended.asp' script not properly sanitizing user-supplied input to the 'SortDir' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
2009-01-16
|
Active Bids auctionsended.asp SortDir Parameter SQL Injection
|
|
51768
Description:
Active Bids contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'wishlist.asp' script not properly sanitizing user-supplied input to the 'catid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
2009-01-16
|
Active Bids wishlist.asp catid Parameter SQL Injection
|
|
52457
Description:
Unknown / Incomplete
|
2009-01-16
|
Sagem F@st 2404 restoreinfo.cgi Remote Reboot DoS
|
|
53254
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in SimpleCMMS before 0.1.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
|
2009-01-16
|
SimpleCMMS Multiple Unspecified SQL Injection
|
|
53300
Description:
Visuplay CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'news_article.php' script not properly sanitizing user-supplied input to the 'press_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
2009-01-16
|
Visuplay CMS content_page.php Unspecified SQL Injection
|
|
90043
Description:
By default, Heatmiser Netmonitor installs with default user credentials (username/password combination). The 'admin' account has a password of 'admin', which is publicly known and documented. This allows remote attackers to trivially access the program or system and gain privileged access.
|
2009-01-16
|
Heatmiser Netmonitor Default Admin Credentials
|
|
53457
Description:
(Description Provided by CVE) : Red Hat Certificate System 7.2 uses world-readable permissions for password.conf and unspecified other configuration files, which allows local users to discover passwords by reading these files.
|
2009-01-15
|
Red Hat Certificate System password.conf Permission Weakness Cleartext Password Disclosure
|
|
53458
Description:
(Description Provided by CVE) : Red Hat Certificate System 7.2 stores passwords in cleartext in the UserDirEnrollment log, the RA wizard installer log, and unspecified other debug log files, and uses weak permissions for these files, which allows local users to discover passwords by reading the files.
|
2009-01-15
|
Red Hat Certificate System Multiple Log File Cleartext Password Disclosure
|
|
51415
Description:
RD-Autos Component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the id parameter, when the option parameter is set to com_rdautos. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
2009-01-15
|
RD-Autos Component for Joomla! index.php id Parameter SQL Injection
|
|
53499
Description:
Unknown / Incomplete
|
2009-01-15
|
MKPortal /modules/blog/index.php upload_imm() Function File Upload Validation Bypass
|
|
53500
Description:
Unknown / Incomplete
|
2009-01-15
|
MKPortal /modules/Downloads/index.php add_file() Function Case Sensitivity File Upload Validation Bypass
|
|
53501
Description:
Unknown / Incomplete
|
2009-01-15
|
MKPortal Multiple Module File Upload Race Condition Arbitrary Code Execution
|
|
53502
Description:
Unknown / Incomplete
|
2009-01-15
|
MKPortal /modules/blog/index.php Home Template Textarea SQL Injection
|
|
53503
Description:
Unknown / Incomplete
|
2009-01-15
|
MKPortal /modules/rss/handler_image.php i Parameter XSS
|
|
53504
Description:
Unknown / Incomplete
|
2009-01-15
|
MKPortal Blog Template XSS
|
|
53505
Description:
Unknown / Incomplete
|
2009-01-15
|
MKPortal Reviews Module Comment Functionality XSS
|
|
53506
Description:
Unknown / Incomplete
|
2009-01-15
|
MKPortal News Module Comment Functionality XSS
|
|
53507
Description:
Unknown / Incomplete
|
2009-01-15
|
MKPortal Malformed index.php Request Path Disclosure
|
|
51380
Description:
Unknown / Incomplete
|
2009-01-15
|
Content Translation Module for Drupal Unspecified Access Restriction Bypass
|
|
51432
Description:
(Description Provided by CVE) : Unspecified vulnerability in IBM Hardware Management Console (HMC) 7 release 3.2.0 SP1 has unknown impact and attack vectors.
|
2009-01-15
|
IBM Hardware Management Console (HMC) Unspecified Issue
|
|
51372
Description:
phpList contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'admin/index.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the '_SERVER[ConfigFile]' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.
|
2009-01-15
|
phpList admin/index.php _SERVER[ConfigFile] Parameter Traversal Local File Inclusion
|
|
51377
Description:
AN Guestbook contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'country' parameter upon submission to the 'sign1.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2009-01-15
|
AN Guestbook sign1.php country Parameter XSS
|
|
51376
Description:
Eventing Component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'catid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
2009-01-15
|
Eventing Component for Joomla! index.php catid Parameter SQL Injection
|
|
51414
Description:
(Description Provided by CVE) : Directory traversal vulnerability in common.php in SIR GNUBoard 4.31.03 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the g4_path parameter. NOTE: in some environments, this can be leveraged for remote code execution via a data: URI or a UNC share pathname.
|
2009-01-15
|
GNUBoard common.php g4_path Parameter Traversal Local File Inclusion
|
|
51410
Description:
A code execution flaw exists in Appstream Client. The LaunchObj ActiveX control fails to validate data passed to the installAppMgr method. With a specially crafted website, a context-dependent attacker can cause arbitrary code execution resulting in a loss of integrity.
|
2009-01-15
|
Symantec AppStream Client LaunchObj ActiveX (launcher.dll) installAppMgr Method Arbitrary Code Execution
|
|
51409
Description:
(Description Provided by CVE) : Syslserve 1.058 and earlier, and probably 1.059, allows remote attackers to cause a denial of service (hang) via a crafted UDP Syslog packet.
|
2009-01-15
|
Syslserve Crafted UDP Syslog Request Handling Application Crash DoS
|
|
52474
Description:
Unknown / Incomplete
|
2009-01-15
|
Drupal Node Access API Unspecified SQL Injection
|
|
51486
Description:
(Description Provided by CVE) : Stack-based buffer overflow in PXEService.exe in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier allows remote attackers to execute arbitrary code via a large PXE protocol request in a UDP packet.
|
2009-01-15
|
SystemcastWizard Lite PXE Service UDP Packet Handling Overflow
|
|
51487
Description:
(Description Provided by CVE) : Directory traversal vulnerability in the TFTP service in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier allows remote attackers to read arbitrary files via directory traversal sequences in unspecified vectors.
|
2009-01-15
|
SystemcastWizard Lite TFTP Service Traversal Arbitrary File Download
|
|
51597
Description:
(Description Provided by CVE) : Buffer overflow in the Registry Setting Tool in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier has unknown impact and attack vectors.
|
2009-01-15
|
SystemcastWizard Lite Registry Setting Tool Unspecified Overflow
|
|
51763
Description:
LinksPro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'Default.asp' script not properly sanitizing user-supplied input to the 'OrderDirection' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
2009-01-15
|
LinksPro Default.asp OrderDirection Parameter SQL Injection
|
|
51769
Description:
Blue Eye CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'clanek' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
|
2009-01-15
|
Blue Eye CMS index.php clanek Parameter SQL Injection
|
|
55647
Description:
(Description Provided by CVE) : Unquoted Windows search path vulnerability in the scheduler (sched.exe) in Avira AntiVir, AntiVir Premium, Premium Security Suite, and AntiVir Professional might allow local users to gain privileges via a malicious antivir.exe file in the "C:\Program Files\avira\" directory.
|
2009-01-15
|
Avira Multiple Products sched.exe CreateProcess() API Local Privilege Escalation
|
|
56513
Description:
(Description Provided by CVE) : Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code by (1) inserting CD-ROM media, (2) inserting DVD media, (3) connecting a USB device, and (4) connecting a Firewire device; (5) allows user-assisted remote attackers to execute arbitrary code by mapping a network drive; and allows user-assisted attackers to execute arbitrary code by clicking on (6) an icon under My Computer\Devices with Removable Storage and (7) an option in an AutoPlay dialog, related to the Autorun.inf file. NOTE: vectors 1 and 3 on Vista are already covered by CVE-2008-0951.
|
2009-01-15
|
Microsoft Windows Autorun / NoDriveTypeAutoRun Registry Value Enforcement Weakness
|
|
51343
Description:
(Description Provided by CVE) : Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.1.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
|
2009-01-14
|
Oracle Secure Backup Administration Server login.php Arbitrary Command Execution
|
|
51332
Description:
(Description Provided by CVE) : Unspecified vulnerability in the OC4J component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality via unknown vectors.
|
2009-01-14
|
Oracle Application Server OC4J LDAP Encoded Traversal Arbitrary File Access
|
|
51344
Description:
(Description Provided by CVE) : Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
|
2009-01-14
|
Oracle Secure Backup Administration Server common.php Arbitrary Command Execution
|
|
51392
Description:
(Description Provided by CVE) : Cisco ONS 15310-CL, 15310-MA, 15327, 15454, 15454 SDH, and 15600 with software 7.0.2 through 7.0.6, 7.2.2, 8.0.x, 8.5.1, and 8.5.2 allows remote attackers to cause a denial of service (control-card reset) via a crafted TCP session.
|
2009-01-14
|
Cisco ONS Products Crafted TCP Stream Traffic Remote DoS
|
|
51395
Description:
(Description Provided by CVE) : PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to obtain the decryption key via unspecified vectors, related to a "logic error."
|
2009-01-14
|
Cisco IronPort Products Secure E-mail Message Decryption Key Remote Disclosure
|
