| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 77102 | 2011-11-14 | Optima PLC APIFTPServer.exe Packet Parsing Infinite Loop Remote DoS | (Description Provided by CVE): APIFTP Server in Optimalog Optima PLC 1.5.2 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
| 77161 | 2011-11-14 | IBM AIX Multiple System Call Parsing Local DoS | (Description Provided by CVE): IBM AIX 6.1 and 7.1 does not restrict the wpar_limits_config and wpar_limits_modify system calls, which allows local users to cause a denial of service (system crash) via a crafted call. |
| 77174 | 2011-11-14 | IBM WebSphere MQ Control Command Local Access Restriction Bypass | (Description Provided by CVE): IBM WebSphere MQ 6.0 on OpenVMS, when the default rights of the MQM group are established, does not properly verify User Authorization File (UAF) data, which allows local users to kill listener processes and the command server via a control command. |
| 77177 | 2011-11-14 | Seraphim Tech Advanced Upload and Email PHP Script uploadurl.php File Upload Arbitrary PHP Code Execution | Unknown / Incomplete |
| 87718 | 2011-11-14 | CodeIgniter Security Library Unspecified Parameter Injection Issue | CodeIgniter contains a flaw that may allow a remote attacker to inject an unspecified parameter into the security library. No further details have been provided. |
| 87717 | 2011-11-14 | CodeIgniter Common Functions Unspecified XSS | CodeIgniter contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input passed via common functions before returning it to the user. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 87716 | 2011-11-14 | CodeIgniter Database Driver Unspecified Injection Issue | CodeIgniter contains a flaw that may allow a remote attacker to inject unspecified input to the database driver. No further details have been provided. |
| 89940 | 2011-11-14 | Delta Controls ENTELITOUCH Default User Credentials | By default, Delta Controls ENTELITOUCH installs with default user credentials (username/password combination). The 'DELTA' account has a password of 'LOGIN', which is publicly known and documented. This allows remote attackers to trivially access the program or system and gain privileged access. |
| 77183 | 2011-11-13 | V-CMS includes/inline_image_upload.php File Upload Arbitrary PHP Code Execution | (Description Provided by CVE): Unrestricted file upload vulnerability in includes/inline_image_upload.php in AutoSec Tools V-CMS 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in temp/. |
| 86003 | 2011-11-13 | BBShop bbshop/admin/admin.php _shop_path Parameter Remote File Inclusion | BBShop contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the bbshop/admin/admin.php script not properly sanitizing user input supplied to the '_shop_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 86002 | 2011-11-13 | BBShop bbshop/admin/index.php _shop_path Parameter Remote File Inclusion | BBShop contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the bbshop/admin/index.php script not properly sanitizing user input supplied to the '_shop_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 77091 | 2011-11-13 | Zingiri Web Shop Plugin for WordPress /tiny_mce/plugins/ajaxfilemanager/ajax_file_cut.php selectedDoc[] Parameter Remote PHP Code Execution | Unknown / Incomplete |
| 77095 | 2011-11-13 | Search Plugin for Hotaru CMS index.php Multiple Parameter XSS | Search Plugin for Hotaru CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'return' and 'search' parameters upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 77180 | 2011-11-13 | V-CMS redirect.php p Parameter XSS | V-CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'p' parameter upon submission to the redirect.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 77181 | 2011-11-13 | V-CMS includes/TrueColorPicker/index.php box Parameter XSS | V-CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the includes/TrueColorPicker/class.TrueColorPicker.php script does not validate the 'box' parameter upon submission to the includes/TrueColorPicker/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 77182 | 2011-11-13 | V-CMS process.php user Parameter SQL Injection | V-CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the process.php script not properly sanitizing user-supplied input to the 'user' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 77680 | 2011-11-13 | Search Plugin for Hotaru CMS admin_index.php SITE_NAME Parameter XSS | Search Plugin for Hotaru CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'SITE_NAME' parameter upon submission to the admin_index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 86001 | 2011-11-13 | BBShop bbshop/shop/index.php _shop_path Parameter Remote File Inclusion | BBShop contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the bbshop/shop/index.php script not properly sanitizing user input supplied to the '_shop_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 86000 | 2011-11-13 | BBShop bbshop/shop/main.php _shop_path Parameter Remote File Inclusion | BBShop contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the bbshop/shop/main.php script not properly sanitizing user input supplied to the '_shop_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 77156 | 2011-11-11 | Tiki Wiki CMS/Groupware tiki-admin_system.php URI XSS | Tiki Wiki CMS/Groupware contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the templates/tiki-admin_system.tpl script does not validate input passed via the URL upon submission to the tiki-admin_system.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 77167 | 2011-11-11 | SAP NetWeaver /SAP/BW/DOC/METADATA page Parameter XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in SAP/BW/DOC/METADATA in SAP NetWeaver allows remote attackers to inject arbitrary web script or HTML via the page parameter. |
| 80827 | 2011-11-11 | Tiki Wiki CMS tiki-remind_password.php URI XSS | Tiki contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the input passed via the URL upon submission to the tiki-remind_password.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 80828 | 2011-11-11 | Tiki Wiki CMS tiki-index.php URI XSS | Tiki contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the tiki-index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 80829 | 2011-11-11 | Tiki Wiki CMS tiki-login_scr.php URI XSS | Tiki contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the tiki-login_scr.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 80830 | 2011-11-11 | Tiki Wiki CMS tiki-removepage.php URI XSS | Tiki contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the tiki-removepage.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 80831 | 2011-11-11 | Tiki Wiki CMS tiki-rename_page.php URI XSS | Tiki contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the tiki-rename_page.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 84875 | 2011-11-11 | HP Virtual SAN Appliance HP SAN/iQ hydra.exe Hardcoded Default Credentials | By default, HP Virtual SAN Appliance HP SAN/iQ installs with a default password. The global$agent account has a password of L0CAlu53R, which is publicly known and documented. This allows attackers to trivially access hydra.exe and gain privileged access. |
| 77099 | 2011-11-11 | DLGuard index.php searchCart Parameter XSS | DLGuard contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'searchCart' parameter upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 77155 | 2011-11-11 | Tiki Wiki CMS/Groupware tiki-pagehistory.php URI XSS | Tiki Wiki CMS/Groupware contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the lib/smarty_tiki/function.query.php script does not validate input passed via the URL upon submission to the tiki-pagehistory.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 77166 | 2011-11-11 | SAP NetWeaver BAPI Explorer Unspecified XSS | SAP NetWeaver contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the program does not validate certain unspecified input upon submission to BAPI explorer. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 77165 | 2011-11-11 | SAP NetWeaver VsiTestScan instname Parameter XSS | SAP NetWeaver contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'instname' parameter upon submission to the VsiTestScan servlet. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 77168 | 2011-11-11 | SAP NetWeaver RSTXSCRP report sa38 Transaction File Name Field UNC Path Insertion | Unknown / Incomplete |
| 77169 | 2011-11-11 | SAP NetWeaver TH_GREP Report <STRING> Parameter SOAP Request Parsing Remote Shell Command Execution | Unknown / Incomplete |
| 77170 | 2011-11-11 | SAP NetWeaver SPML Service User Creation CSRF | SAP NetWeaver contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the SPML Service does not require multiple steps or explicit confirmation for sensitive transactions for the addition of new users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. |
| 77171 | 2011-11-11 | SAP NetWeaver CTC Service OS Command Authentication Bypass | Unknown / Incomplete |
| 77164 | 2011-11-11 | SAP NetWeaver VsiTestServlet name Parameter XSS | SAP NetWeaver contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'name' parameter upon submission to the VsiTestServlet servlet. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 77372 | 2011-11-11 | Gitblit Repository Clone Authentication Bypass | Unknown / Incomplete |
| 82087 | 2011-11-11 | HP StorageWorks P4000 Virtual SAN Appliance Software Management Service Authentication Bypass Remote Command Execution | HP StorageWorks P4000 Virtual SAN Appliance Software contains a flaw that is related to hard-coded credentials in the management service on TCP port 13838, which may allow a remote attacker to bypass authentication and execute arbitrary commands. |
| 83318 | 2011-11-11 | Kool Media Converter Malformed OGG File Handling DoS | Kool Media Converter contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed OGG file, resulting in a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share). |
| 84543 | 2011-11-11 | wxBitcoin / bitcoind encrypt wallet Feature BSDDB Interface Bypass Private Key Disclosure | wxBitcoin and bitcoind contain a flaw that is triggered when the encrypt wallet feature fails to properly communicate with the deletion functionality of BSDDB. This may allow a context-dependent attacker to bypass the BSDDB interface and gain access to potentially sensitive private key information. |