[CLOSE] OSVDB ID : 91841 - Disclosed: 2013-03-28

Description:

v0pCr3w Web Shell is software designed to maintain remote access to a compromised host via a PHP-based web interface. While the software may be installed to a path that is difficult to find, or not public, it provides no authentication for the attacker who installed it. This means that anyone able to access the web shell can execute arbitrary commands on the host.

[CLOSE] OSVDB ID : 51101 - Disclosed: 2008-11-08

Description:

(Description Provided by CVE) : SQL injection vulnerability in V3 Chat - Profiles/Dating Script 3.0.2 allows remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields.

[CLOSE] OSVDB ID : 26724 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

[CLOSE] OSVDB ID : 26719 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

[CLOSE] OSVDB ID : 26715 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : V3 Chat allows remote attackers to obtain the installation path via (1) an invalid id parameter to mail/index.php or (2) membername parameter to messenger/online.php, which displays the path in an error page due to an incorrect SQL statement.

[CLOSE] OSVDB ID : 26717 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

[CLOSE] OSVDB ID : 26718 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

[CLOSE] OSVDB ID : 26726 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : mycontacts.php in V3 Chat allows remote authenticated users to gain privileges as other users via a modified membername parameter.

[CLOSE] OSVDB ID : 26716 - Disclosed: 2006-06-17

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 26720 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

[CLOSE] OSVDB ID : 26725 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

[CLOSE] OSVDB ID : 26722 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

[CLOSE] OSVDB ID : 26723 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

[CLOSE] OSVDB ID : 26721 - Disclosed: 2006-06-17

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in V3 Chat allow remote attackers to inject arbitrary web script or HTML via crafted HTML tags, as demonstrated by the IMG tag, in the (1) id parameter in (a) mail/index.php and (b) mail/reply.php; (2) login_id parameter in (c) members/is_online.php; (3) site_id parameter in (d) messenger/online.php, (e) messenger/search.php, and (f) messenger/profile.php; (4) contact_name parameter in messenger/search.php; (5) membername parameter in (g) messenger/profileview.php; (6) unspecified parameters used when "editing a profile"; and (7) cust_name parameter in (h) messenger/expire.php. NOTE: The vendor disputes the vectors involving files in the messenger directory, stating "... the referenced folder 'messenger' was never available to the general public...".

[CLOSE] OSVDB ID : 49675 - Disclosed: 2008-11-08

Description:

(Description Provided by CVE) : admin/index.php in V3 Chat Live Support 3.0.4 allows remote attackers to bypass authentication and gain administrative access by setting the admin cookie to 1.

[CLOSE] OSVDB ID : 70089 - Disclosed: 2010-12-17

Description:

V3 Internet Security contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when an error in the 'AhnRec2k.sys' kernel driver when processing IOCTLs occurs, allowing a local attacker to use a crafted 0x8101261C IOCTL to gain elevalted privileges.

[CLOSE] OSVDB ID : 35703 - Disclosed: 2007-05-02

Description:

(Description Provided by CVE) : SQL injection vulnerability in index.php in the v4bJournal module for PostNuke allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a journal_comment action.

[CLOSE] OSVDB ID : 75101 - Disclosed: 2011-02-25

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 89752 - Disclosed: 2013-01-30

Description:

Vaadin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via map argument keys to the JsonPaintTarget.addAttribute() method. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 76719 - Disclosed: 2011-09-28

Description:

Vaadin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'src' attribute upon submission to multiple UI components. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 76717 - Disclosed: 2011-09-28

Description:

Vaadin contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions involving separator characters for certain unspecified functions. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 76716 - Disclosed: 2011-09-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 70398 - Disclosed: 2011-01-12

Description:

Vaadin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 76718 - Disclosed: 2011-09-28

Description:

Vaadin contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 80948 - Disclosed: 2012-04-05

Description:

Vacation Rental Listing contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the creation of arbitrary administrative users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 47372 - Disclosed: 2008-08-10

Description:

Vacation Rental Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25789 - Disclosed: 2006-05-25

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in index.php in Vacation Rental Script 1.0 allows remote attackers to inject arbitrary web script or HTML via the obj parameter.

[CLOSE] OSVDB ID : 70019 - Disclosed: 2010-12-21

Description:

Vacation Rental Script contains a flaw related to the uploading of files with arbitrary extensions to a folder inside the webroot. This issue is triggered when a remote attacker to upload a PHP file with an image or gif content type. This may allow the execution of arbitrary code.

[CLOSE] OSVDB ID : 62296 - Disclosed: 2010-02-12

Description:

Vacation Rentals Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'rental_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 51160 - Disclosed: 2008-12-30

Description:

Vacation Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the properties_view.php script not properly sanitizing user-supplied input to the editid1 parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.