| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 78104 | 2011-12-31 | Whois Search Plugin for WordPress index.php domain Parameter XSS | Whois Search Plugin for WordPress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the wp-content/plugins/wordpress-whois-search/vendors/samswhois/samswhois.inc.php script does not validate the 'domain' parameter upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 78718 | 2011-12-31 | Bugzilla UTF-8 Encoded Character Email Address Handling Arbitrary User Spoofing | (Description Provided by CVE): Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address. |
| 78096 | 2011-12-31 | TheCartPress Plugin for WordPress admin/OptionsPostsList.php tcp_name_post_1 Parameter XSS | TheCartPress Plugin for WordPress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'tcp_name_post_1' parameter upon submission to the admin/OptionsPostsList.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 78139 | 2011-12-31 | Mozilla Firefox Drag and Drop Handling XSS Weakness | Unknown / Incomplete |
| 78231 | 2011-12-31 | dl Download Ticket Service Internal Authorization Header Parsing Authentication Bypass | (Description Provided by CVE): Dl Download Ticket Service 0.3 through 0.9 allows remote attackers to login as an arbitrary user by supplying an authorization header. |
| 78222 | 2011-12-31 | ZNC bouncedcc Module modules/bouncedcc.cpp CBounceDCCMod::OnPrivCTCP() Function DCC Command Parsing Remote DoS | (Description Provided by CVE): ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. |
| 78596 | 2011-12-31 | Kaixin001 (com.kaixin001.activity) Application for Android Unspecified User Data Manipulation | Kaixin001 Application for Android contains a flaw that may allow a remote attacker to access and manipulate data relating to a user's account, plaintext password, personal information or contacts. |
| 78898 | 2011-12-31 | OCaml Hash Collision CPU Consumption Remote DoS | OCaml contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends multiple crafted parameters which trigger hash collisions, and will result in loss of availability for the program via CPU consumption. |
| 78110 | 2011-12-30 | MaraDNS Hash Collision Form Parameter Parsing Remote DoS | MaraDNS contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends multiple crafted parameters which trigger hash collisions, and will result in loss of availability for the program via CPU consumption. |
| 78679 | 2011-12-30 | RESTEasy XML Entity Reference Parsing Remote Information Disclosure | (Description Provided by CVE): RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack. |
| 81781 | 2011-12-30 | Cisco Unified MeetingPlace Unspecified Traversal Folder Enumeration | Cisco Unified MeetingPlace contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing unspecified user input against directory traversal style sequences (e.g., ../../). This directory traversal attack would allow the attacker to enumerate arbitrary folders. |
| 82506 | 2011-12-30 | DedeCMS list.php id Parameter SQL Injection | DedeCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the list.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 82507 | 2011-12-30 | DedeCMS members.php id Parameter SQL Injection | DedeCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the members.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 82508 | 2011-12-30 | DedeCMS book.php id Parameter SQL Injection | DedeCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the book.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 78054 | 2011-12-30 | Microsoft .NET Framework Forms Authentication Return URL Handling Arbitrary Site Redirect | Microsoft .NET Framework contains a flaw that allows a remote cross-site redirection attack. This flaw exists due to an error in forms authentication when handling a return URL. This could allow a user to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful because the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs. |
| 78055 | 2011-12-30 | Microsoft .NET Framework ASP.NET Username Parsing Authentication Bypass | Microsoft .NET Framework contains a flaw that is triggered by the way ASP.NET improperly parses usernames. This may allow an attacker to bypass authentication. |
| 78686 | 2011-12-30 | Kayako SupportSuite Tickets Module staff/index.php title Parameter XSS | Kayako contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Tickets Module does not validate the 'title' parameter upon submission to the staff/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 81783 | 2011-12-30 | Cisco Unified MeetingPlace MP Web Unspecified XSS | Cisco Unified MeetingPlace contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain input in MP Web before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 78117 | 2011-12-30 | Jetty Hash Collision Form Parameter Parsing Remote DoS | Jetty contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends multiple crafted parameters which trigger hash collisions, and will result in loss of availability for the program via CPU consumption. |
| 78115 | 2011-12-30 | PHP Hash Collision Form Parameter Parsing Remote DoS | PHP contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends multiple crafted parameters which trigger hash collisions, and will result in loss of availability for the program via CPU consumption. |
| 78682 | 2011-12-30 | Kayako SupportSuite Troubleshooter Module staff/index.php description Parameter XSS | Kayako contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Troubleshooter Module does not validate the 'description' parameter upon submission to the staff/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 78683 | 2011-12-30 | Kayako SupportSuite Downloads Module staff/index.php title Parameter XSS | Kayako contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Downloads Module does not validate the 'title' parameter upon submission to the staff/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 78684 | 2011-12-30 | Kayako SupportSuite Teamwork Module staff/index.php Multiple Parameter XSS | Kayako contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Teamwork Module does not validate the 'fullname', 'jobtitle', 'email1address', 'email2address', 'email3address', 'customerid' and 'mobiletelephonenumber' parameters upon submission to the staff/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 78685 | 2011-12-30 | Kayako SupportSuite Livesupport Module staff/index.php Multiple Parameter XSS | Kayako contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Livesupport Module does not validate the 'redirecturl' and 'title' parameters upon submission to the staff/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 81782 | 2011-12-30 | Cisco Unified MeetingPlace Account Page Unspecified XSS | Cisco Unified MeetingPlace contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain input on the account page before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 84170 | 2011-12-30 | WebKit Inline Positioned Element Handling Use-after-free Issue | WebKit contains a use-after-free error that is triggered when handling inline positioned elements. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. |
| 78069 | 2011-12-29 | Akiva WebBoard /WB/Default.asp name Parameter SQL Injection Authentication Bypass | Akiva WebBoard contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /WB/Default.asp script not properly sanitizing user-supplied input to the 'name' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 78056 | 2011-12-29 | Microsoft .NET Framework Forms Authentication Sliding Expiry Cached Content Parsing Remote Code Execution | Microsoft .NET Framework contains a flaw that is triggered due to the way the program performs forms authentication. When parsing sliding expiry cached content, a remote attacker may potentially be able to execute arbitrary code. |
| 78681 | 2011-12-29 | Kayako SupportSuite News Module staff/index.php subject Parameter XSS | Kayako contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the News Module does not validate the 'subject' parameter upon submission to the staff/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 78280 | 2011-12-29 | MaraDNS Hash Collision Zone File Record Parsing Local DoS | (Description Provided by CVE): The authoritative server in MaraDNS through 2.0.04 computes hash values for DNS data without restricting the ability to trigger hash collisions predictably, which might allow local users to cause a denial of service (CPU consumption) via crafted records in zone files, a different vulnerability than CVE-2012-0024. |
| 78460 | 2011-12-29 | Kayako SupportSuite staff/index.php resultdata Parameter XSS | Kayako contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'resultdata' parameter upon submission to the staff/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 78461 | 2011-12-29 | Kayako SupportSuite Template Editing PHP Code Execution | Unknown / Incomplete |
| 78068 | 2011-12-29 | Neturf eCommerce Shopping Cart search.php SearchFor Parameter XSS | Neturf eCommerce Shopping Cart contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'SearchFor' parameter upon submission to the search.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 78114 | 2011-12-29 | Oracle GlassFish Server Hash Collision Form Parameter Parsing Remote DoS | Oracle GlassFish Server contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends multiple crafted parameters which trigger hash collisions, and will result in loss of availability for the program via CPU consumption. |
| 78080 | 2011-12-29 | Blog Module for DiY-CMS list.php Multiple Parameter SQL Injection | Blog Module for DiY-CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the list.php script not properly sanitizing user-supplied input to the 'start', 'month' and 'year' parameters when called by the mod.php script. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 78081 | 2011-12-29 | Blog Module for DiY-CMS index.php Multiple Parameter SQL Injection | Blog Module for DiY-CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'start', 'month' and 'year' parameters when called by the mod.php script. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 78082 | 2011-12-29 | Blog Module for DiY-CMS main_index.php Multiple Parameter SQL Injection | Blog Module for DiY-CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the main_index.php script not properly sanitizing user-supplied input to the 'start', 'month' and 'year' parameters when called by the mod.php script. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 78083 | 2011-12-29 | Blog Module for DiY-CMS viewpost.php Multiple Parameter SQL Injection | Blog Module for DiY-CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the viewpost.php script not properly sanitizing user-supplied input to the 'start', 'month' and 'year' parameters when called by the mod.php script. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 78459 | 2011-12-29 | Kayako SupportSuite staff/index.php Multiple Parameter Empty Value Path Disclosure | Unknown / Incomplete |
| 78462 | 2011-12-29 | Kayako SupportSuite LiveSupport Module Subject Parameter XSS | Unknown / Incomplete |