[CLOSE] OSVDB ID : 22191 - Disclosed: 2006-01-02

Description:

B-net Software contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'title' and 'message' variables upon submission to the guestbook.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 22190 - Disclosed: 2006-01-02

Description:

B-net Software contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'name' and 'shout' variables upon submission to the shout.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 36291 - Disclosed: 2007-06-25

Description:

b1gBB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'footer.inc.php' script not properly sanitizing user input supplied to the 'tfooter' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 38951 - Disclosed: 2007-06-28

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in b1gbb 2.24.0 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) showthread.php or (2) showboard.php.

[CLOSE] OSVDB ID : 38950 - Disclosed: 2007-06-28

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in b1gbb 2.24.0 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) showthread.php or (2) showboard.php.

[CLOSE] OSVDB ID : 38937 - Disclosed: 2007-06-28

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in visitenkarte.php in b1gBB 2.24.0 allows remote attackers to inject arbitrary web script or HTML via the user parameter.

[CLOSE] OSVDB ID : 37102 - Disclosed: 2007-09-17

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in hilfe.php in b1gMail 6.3.1 allows remote attackers to inject arbitrary web script or HTML via the chapter parameter.

[CLOSE] OSVDB ID : 35715 - Disclosed: 2006-12-23

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in b2verifauth.php in b2 Blog 0.5 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the index parameter.

[CLOSE] OSVDB ID : 70668 - Disclosed: 2011-01-24

Description:

B2 Portfolio Component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' not properly sanitizing user-supplied input to the 'c' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 34495 - Disclosed: 2007-03-26

Description:

(Description Provided by CVE) : CRLF injection vulnerability in BSMTP.DLL in B21Soft BASP21 2003.0211, and BASP21 Pro 1.0.702.27 and earlier, allows remote attackers to inject arbitrary headers into e-mail messages via CRLF sequences in Subject lines.

[CLOSE] OSVDB ID : 42792 - Disclosed: 2008-03-06

Description:

(Description Provided by CVE) : Buffer overflow in the BFup ActiveX control (BFup.dll) in B21Soft BFup before 1.0.802.29 allows remote attackers to execute arbitrary code via a long FilePath parameter.

[CLOSE] OSVDB ID : 54303 - Disclosed: 2009-02-27

Description:

B2B Forward Auction Creator contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin.asp script not properly sanitizing user-supplied input to the 'User ID' and 'Password' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 64212 - Disclosed: 2010-04-30

Description:

B2B Gold Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'product.html' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 54308 - Disclosed: 2009-02-27

Description:

B2B Horizontal Marketplace Creator contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin.asp script not properly sanitizing user-supplied input to the 'User ID' and 'Password' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 54306 - Disclosed: 2009-02-27

Description:

B2B Online Shop Creator contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin.asp' script not properly sanitizing user-supplied input to the 'User ID' and 'Password' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 54304 - Disclosed: 2009-02-27

Description:

B2B Reverse Auction Creator contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin.asp script not properly sanitizing user-supplied input to the 'User ID' and 'Password' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 47957 - Disclosed: 2008-09-07

Description:

B2B Trading Marketplace Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the listings.php script not properly sanitizing user-supplied input to the 'cid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 54309 - Disclosed: 2009-02-27

Description:

B2C StoreBuilder Designer contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin.asp script not properly sanitizing user-supplied input to the 'User ID' and 'Password' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 30778 - Disclosed: 2006-11-28

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in b2evolution 1.8.2 through 1.9 beta allow remote attackers to inject arbitrary web script or HTML via the (1) app_name parameter in (a) _404_not_found.page.php, (b) _410_stats_gone.page.php, and (c) _referer_spam.page.php in inc/VIEW/errors/; the (2) baseurl parameter in (d) inc/VIEW/errors/_404_not_found.page.php; and the (3) ReqURI parameter in (e) inc/VIEW/errors/_referer_spam.page.php.

[CLOSE] OSVDB ID : 30779 - Disclosed: 2006-11-28

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in b2evolution 1.8.2 through 1.9 beta allow remote attackers to inject arbitrary web script or HTML via the (1) app_name parameter in (a) _404_not_found.page.php, (b) _410_stats_gone.page.php, and (c) _referer_spam.page.php in inc/VIEW/errors/; the (2) baseurl parameter in (d) inc/VIEW/errors/_404_not_found.page.php; and the (3) ReqURI parameter in (e) inc/VIEW/errors/_referer_spam.page.php.

[CLOSE] OSVDB ID : 30780 - Disclosed: 2006-11-28

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in b2evolution 1.8.2 through 1.9 beta allow remote attackers to inject arbitrary web script or HTML via the (1) app_name parameter in (a) _404_not_found.page.php, (b) _410_stats_gone.page.php, and (c) _referer_spam.page.php in inc/VIEW/errors/; the (2) baseurl parameter in (d) inc/VIEW/errors/_404_not_found.page.php; and the (3) ReqURI parameter in (e) inc/VIEW/errors/_referer_spam.page.php.

[CLOSE] OSVDB ID : 66143 - Disclosed: 2010-07-09

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 71192 - Disclosed: 2011-03-15

Description:

b2evolution contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'p' parameter upon submission to the blogs/htsrv/comment_post.php script when commenting on a blog. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 34152 - Disclosed: 2007-04-14

Description:

b2evolution has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue was supposedly due to 'blogs/index.php' not properly sanitizing user input supplied to the 'core_subdir' variable. However, third-party research indicates that file inclusions are not possible because the software uses a hard-coded value from a configuration script for this variable, which is therefore restricted from being called directly.

[CLOSE] OSVDB ID : 32027 - Disclosed: 2007-01-09

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter.

[CLOSE] OSVDB ID : 32026 - Disclosed: 2006-11-28

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in inc/CONTROL/import/import-mt.php in b2evolution 1.8.5 through 1.9 beta allows remote attackers to execute arbitrary PHP code via a URL in the inc_path parameter.

[CLOSE] OSVDB ID : 12717 - Disclosed: 2005-01-06

Description:

b2evolution contains a flaw that will allow a remote attacker to inject arbitrary SQL code. The problem is that the 'title' parameter in the 'index.php' script is not verified properly and will allow an attacker to inject or manipulate SQL queries.

[CLOSE] OSVDB ID : 75746 - Disclosed: 2011-01-18

Description:

(Description Provided by CVE) : b2evolution 3.3.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by locales/ru_RU/ru-RU.locale.php and certain other files.

[CLOSE] OSVDB ID : 29850 - Disclosed: 2006-08-29

Description:

b2evolution has been reported to contain a flaw that may allow a remote attacker to execute arbitrary commands. The issue is supposedly due to multiple scripts not properly sanitizing user input supplied to the 'path' related variables. However, subsequent examination indicates that an attacker can not manipulate the data before being processed.

[CLOSE] OSVDB ID : 35609 - Disclosed: 2007-04-27

Description:

(Description Provided by CVE) : ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in b2evolution allow remote attackers to execute arbitrary PHP code via a URL in the (1) inc_path parameter to (a) a_noskin.php, (b) a_stub.php, (c) admin.php, (d) contact.php, (e) default.php, (f) index.php, and (g) multiblogs.php in blogs/; the (2) view_path and (3) control_path parameters to blogs/admin.php; and the (4) skins_path parameter to (h) blogs/contact.php and (i) blogs/multiblogs.php. NOTE: this issue is disputed by CVE, since the inc_path, view_path, control_path, and skins_path variables are all initialized in conf/_advanced.php before they are used.