[CLOSE] OSVDB ID : 74418 - Disclosed: 2011-08-06

Description:

AChecker contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'myown_patch_id' parameter upon submission to the updater/patch_edit.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. Additionally, the program may disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

[CLOSE] OSVDB ID : 74414 - Disclosed: 2011-08-06

Description:

AChecker contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the user/user_create_edit.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 74419 - Disclosed: 2011-08-06

Description:

AChecker contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'id' parameter upon submission to the user/user_create_edit.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. Additionally, the program may disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

[CLOSE] OSVDB ID : 41527 - Disclosed: 2006-03-14

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 41524 - Disclosed: 2005-10-25

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 41526 - Disclosed: 2005-12-02

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 41528 - Disclosed: 2007-06-12

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 41525 - Disclosed: 2005-10-27

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 37445 - Disclosed: 2007-08-30

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 41523 - Disclosed: 2004-05-03

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 54886 - Disclosed: 2009-05-28

Description:

Achievo contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate parameters upon submission to the makeHiddenPostvars() function in the atk/atktools.inc script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 14538 - Disclosed: 2002-08-22

Description:

Achievo contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to class.atkdateattribute.js.php not properly sanitizing user input supplied to the 'config_atkroot' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 25811 - Disclosed: 2006-05-29

Description:

Achievo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the class.employee.inc script not properly sanitizing user-supplied input to the 'atkselector' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 59048 - Disclosed: 2009-10-14

Description:

Achievo contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'debugger.php' script not properly sanitizing user input supplied to the 'config_atkroot' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 88184 - Disclosed: 2012-12-05

Description:

Achievo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the dispatch.php script not properly sanitizing user-supplied input to the 'activityid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 87012 - Disclosed: 2012-11-01

Description:

Achievo contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the dispatch.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'atknodetype' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 60689 - Disclosed: 2009-12-03

Description:

Achievo contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'description' parameter upon submission to the 'dispatch.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 60690 - Disclosed: 2009-12-03

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 82186 - Disclosed: 2012-01-30

Description:

Achievo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the dispatch.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 78883 - Disclosed: 2012-01-30

Description:

Achievo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'action_vcard()' function in modules/person/class.person.inc not properly sanitizing user-supplied input passed via the 'id' parameter to the 'dispatch.php' script. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 75071 - Disclosed: 2011-03-23

Description:

Achievo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the dispatch.php script not properly sanitizing user-supplied input to the 'atkselector', 'viewuser', 'startdate' and 'enddate' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 48485 - Disclosed: 2008-09-23

Description:

Achievo contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'atkaction' and 'atknodetype' parameters upon submission to the 'dispatch.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 80826 - Disclosed: 2011-11-28

Description:

Achievo contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'atklevel', 'atknodetype', 'atkaction' and 'atkstackid' parameters upon submission to the dispatch.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 87013 - Disclosed: 2012-11-01

Description:

Achievo contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'atkselector' and 'atkfilter' parameters upon submission to the dispatch.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75065 - Disclosed: 2011-03-23

Description:

Achievo contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'searchstring' parameter upon submission to the dispatch.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 58935 - Disclosed: 2009-08-25

Description:

Achievo contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'title' parameter upon submission to the dispatch.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 58936 - Disclosed: 2009-08-20

Description:

Achievo contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'dispatch.php' script not properly sanitizing user-supplied input to the 'userid' parameter. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 75070 - Disclosed: 2011-03-23

Description:

Achievo contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the graph.php script not properly sanitizing user-supplied input to the 'viewstart' and 'viewend' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 75069 - Disclosed: 2011-03-23

Description:

Achievo contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the graph.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'plotter' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 75066 - Disclosed: 2011-03-23

Description:

Achievo contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the atk/popups/colorpicker.inc script does not validate the 'field' and 'usercol' parameters upon submission to the include.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.