[CLOSE] OSVDB ID : 51584 - Disclosed: 2009-01-25

Description:

WB News contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'comments.php' script not properly sanitizing user input supplied to the 'config[insalldir]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 22523 - Disclosed: 2006-01-17

Description:

(Description Provided by CVE) : Cross-site scripting vulnerability in WBNews 1.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the Name field.

[CLOSE] OSVDB ID : 51585 - Disclosed: 2009-01-25

Description:

WB News contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'news.php' script not properly sanitizing user input supplied to the 'config[installdir]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 51591 - Disclosed: 2009-01-25

Description:

WB News contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'search.php' script not properly sanitizing user input supplied to the 'config[installdir]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 63973 - Disclosed: 2010-04-17

Description:

WB News contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'message' and 'name' parameters upon submission to the comments.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 53822 - Disclosed: 2009-04-20

Description:

(Description Provided by CVE) : WB News 2.1.2 allows remote attackers to bypass authentication and gain administrative access via a modified WBNEWS cookie, as demonstrated by setting this cookie to 1.

[CLOSE] OSVDB ID : 38304 - Disclosed: 2007-08-27

Description:

(Description Provided by CVE) : SQL injection vulnerability in acrotxt.php in WBB2-Addon: Acrotxt 1 allows remote attackers to execute arbitrary SQL commands via the show parameter.

[CLOSE] OSVDB ID : 34182 - Disclosed: 2007-03-15

Description:

WBBlog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'e_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 34183 - Disclosed: 2007-03-15

Description:

WBBlog contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'e_id' parameter upon submission to the 'index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 38886 - Disclosed: 2007-09-19

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/ddns in the web management panel for the WBR3404TX broadband router with firmware R1.94p0vTIG allow remote attackers to inject arbitrary web script or HTML via the (1) DD or (2) DU parameter.

[CLOSE] OSVDB ID : 51579 - Disclosed: 2008-12-04

Description:

(Description Provided by CVE) : Wbstreet (aka PHPSTREET Webboard) 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain database credentials via a direct request to connect.inc.

[CLOSE] OSVDB ID : 51575 - Disclosed: 2008-12-04

Description:

Wbstreet contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'show.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 12105 - Disclosed: 2004-11-20

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 12107 - Disclosed: 2004-11-20

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 12106 - Disclosed: 2004-11-20

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 33539 - Disclosed: 2007-01-14

Description:

(Description Provided by CVE) : wcSimple Poll stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password hashes via a direct request for password.txt.

[CLOSE] OSVDB ID : 15103 - Disclosed: 2005-03-24

Description:

(Description Provided by CVE) : Webmasters-Debutants WD Guestbook 2.8 allows remote attackers to bypass authentication and perform certain administrator actions via a direct HTTP POST request to (1) ajout_admin2.php or (2) suppr.php.

[CLOSE] OSVDB ID : 15104 - Disclosed: 2005-03-24

Description:

(Description Provided by CVE) : Webmasters-Debutants WD Guestbook 2.8 allows remote attackers to bypass authentication and perform certain administrator actions via a direct HTTP POST request to (1) ajout_admin2.php or (2) suppr.php.

[CLOSE] OSVDB ID : 34661 - Disclosed: 2007-01-18

Description:

(Description Provided by CVE) : ** DISPUTED ** WDaemon 9.5.4 allows remote attackers to access the /WorldClient.dll URI on TCP port 3000, which has unknown impact. NOTE: The researcher reports that the vendor response was "this is not a security bug."

[CLOSE] OSVDB ID : 72771 - Disclosed: 2011-03-01

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 38136 - Disclosed: 2007-10-22

Description:

(Description Provided by CVE) : Directory traversal vulnerability in index.php in InstaGuide Weather (aka Weather for PHP) 1.0, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the PageName parameter.

[CLOSE] OSVDB ID : 34807 - Disclosed: 2007-04-10

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in index.php in Weatimages 1.7.1 and earlier, when weatimages.ini is missing, allows remote attackers to execute arbitrary PHP code via a URL in the ini[langpack] parameter.

[CLOSE] OSVDB ID : 61445 - Disclosed: 2009-12-31

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65440 - Disclosed: 2010-04-28

Description:

(Description Provided by CVE) : Web Application Finger Printer (WAFP) 0.01-26c3 uses fixed pathnames under /tmp for temporary files and directories, which (1) allows local users to cause a denial of service (application outage) by creating a file with a pathname that the product expects is available for its own internal use, (2) allows local users to overwrite arbitrary files via symlink attacks on certain files in /tmp, (3) might allow local users to delete arbitrary files and directories via a symlink attack on a directory under /tmp, and (4) might make it easier for local users to obtain sensitive information by reading files in a directory under /tmp, related to (a) lib/wafp_pidify.rb, (b) utils/generate_wafp_fingerprint.sh, (c) utils/online_update.sh, and (d) utils/extract_from_db.sh.

[CLOSE] OSVDB ID : 3088 - Disclosed: 2003-12-16

Description:

WebArtFactory CMS contains a flaw that may allow a malicious user unauthorized access to all management webpages. The issue is due to an undisclosed vulnerability in the authentication mechanism for the management subsystem.

[CLOSE] OSVDB ID : 23387 - Disclosed: 2006-01-12

Description:

(Description Provided by CVE) : SQL injection vulnerability in dropbase.php in MitriDAT Web Calendar Pro allows remote attackers to modify internal SQL queries and cause a denial of service (inaccessible database) via the tabls parameter.

[CLOSE] OSVDB ID : 44536 - Disclosed: 2008-04-22

Description:

(Description Provided by CVE) : SQL injection vulnerability in one_day.php in Web Calendar Pro 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the user_id parameter.

[CLOSE] OSVDB ID : 36950 - Disclosed: 2006-08-25

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in CliServ Web Community 0.65 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cl_headers parameter to (1) menu.php3 and (2) login.php3.

[CLOSE] OSVDB ID : 36949 - Disclosed: 2006-08-25

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in CliServ Web Community 0.65 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the cl_headers parameter to (1) menu.php3 and (2) login.php3.

[CLOSE] OSVDB ID : 54635 - Disclosed: 2009-05-22

Description:

Web Conference Room Free contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified variables upon submission to an unspecified script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.