[CLOSE] OSVDB ID : 36458 - Disclosed: 2007-08-10

Description:

StoreSprite contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the next variable upon submission to the secure/addaddress.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 36459 - Disclosed: 2007-08-10

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in Storesprite 7 and earlier allow remote attackers to inject arbitrary web script or HTML via the next parameter to (1) addaddress.php, (2) editshipdetails.php, (3) register.php, or (4) login.php in secure/.

[CLOSE] OSVDB ID : 36460 - Disclosed: 2007-08-10

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in Storesprite 7 and earlier allow remote attackers to inject arbitrary web script or HTML via the next parameter to (1) addaddress.php, (2) editshipdetails.php, (3) register.php, or (4) login.php in secure/.

[CLOSE] OSVDB ID : 36461 - Disclosed: 2007-08-10

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in Storesprite 7 and earlier allow remote attackers to inject arbitrary web script or HTML via the next parameter to (1) addaddress.php, (2) editshipdetails.php, (3) register.php, or (4) login.php in secure/.

[CLOSE] OSVDB ID : 38720 - Disclosed: 2007-08-10

Description:

phpMyAdmin contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'unlim_num_rows', 'sql_query' and 'pos_parameter' variables upon submission to the tbl_export.php script, 'session_max_rows' and 'pos_parameter' variables upon submission to the sql.php script, 'username' variable upon submission to the server_privileges.php script and 'sql_query' variable upon submission to the main.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 36433 - Disclosed: 2007-08-07

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in VisionProject 3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) projectIssueId parameter in EditProjectIssue.do, the (2) projectId parameter in ProjectSelected.do, the (3) folderId parameter in ProjectDocuments.do and the (4) sortField parameter in ProjectIssues.do.

[CLOSE] OSVDB ID : 36434 - Disclosed: 2007-08-07

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in VisionProject 3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) projectIssueId parameter in EditProjectIssue.do, the (2) projectId parameter in ProjectSelected.do, the (3) folderId parameter in ProjectDocuments.do and the (4) sortField parameter in ProjectIssues.do.

[CLOSE] OSVDB ID : 36435 - Disclosed: 2007-08-07

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in VisionProject 3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) projectIssueId parameter in EditProjectIssue.do, the (2) projectId parameter in ProjectSelected.do, the (3) folderId parameter in ProjectDocuments.do and the (4) sortField parameter in ProjectIssues.do.

[CLOSE] OSVDB ID : 36436 - Disclosed: 2007-08-07

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in VisionProject 3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) projectIssueId parameter in EditProjectIssue.do, the (2) projectId parameter in ProjectSelected.do, the (3) folderId parameter in ProjectDocuments.do and the (4) sortField parameter in ProjectIssues.do.

[CLOSE] OSVDB ID : 36439 - Disclosed: 2007-08-01

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in index.php in WebDirector 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the deslocal parameter.

[CLOSE] OSVDB ID : 36332 - Disclosed: 2007-07-25

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in login.php in AdMan 1.0.20051202 FF 3 patch and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) user and (2) pwd parameters.

[CLOSE] OSVDB ID : 36339 - Disclosed: 2007-06-28

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in CMD_USER_STATS in DirectAdmin 1.30.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the domain parameter, a different vector than CVE-2007-1508.

[CLOSE] OSVDB ID : 36347 - Disclosed: 2007-06-27

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in search.asp in rwAuction Pro 5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) search, (2) show, (3) searchtype, (4) catid, and (5) searchtxt parameters, a different version and vectors than CVE-2005-4060.

[CLOSE] OSVDB ID : 37750 - Disclosed: 2007-06-22

Description:

access2asp contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'od' and 'search' variables upon submission to the suppliersList.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 37751 - Disclosed: 2007-06-22

Description:

access2asp contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'od' and 'search' variables upon submission to the contactsList.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 36384 - Disclosed: 2007-06-12

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in comments.cgi in Sporum Forum 3.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) view and (2) mode parameters.

[CLOSE] OSVDB ID : 36370 - Disclosed: 2007-05-02

Description:

(Description Provided by CVE) : SQL injection vulnerability in edit_image.asp in ClickGallery Server 5.1 and earlier allows remote attackers to execute arbitrary SQL commands via the image_id parameter.

[CLOSE] OSVDB ID : 36371 - Disclosed: 2007-05-02

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in edit_image.asp in ClickGallery Server 5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the from parameter.

[CLOSE] OSVDB ID : 31036 - Disclosed: 2006-07-24

Description:

MusicBox contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'type' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 27411 - Disclosed: 2006-07-20

Description:

IDevSpot PhpHostBot contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to order/index.php not properly sanitizing user input supplied to the 'page' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 27410 - Disclosed: 2006-07-20

Description:

PhpLinkExchange contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.php script not properly sanitizing user input supplied to the 'page' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 27099 - Disclosed: 2006-07-11

Description:

HiveMail contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.results.php script not properly sanitizing user-supplied input to the 'fields[]' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 27100 - Disclosed: 2006-07-11

Description:

HiveMail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "email", "cond", and "name" variables upon submission to the addressbook.view.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 27101 - Disclosed: 2006-07-11

Description:

HiveMail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'daysprune' variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 27102 - Disclosed: 2006-07-11

Description:

HiveMail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'date[to]' variable upon submission to the compose.email.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 27103 - Disclosed: 2006-07-11

Description:

HiveMail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'markas' variable upon submission to the read.markas.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 27104 - Disclosed: 2006-07-11

Description:

HiveMail contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker defines the "searchdate" and "folderids" variables in the search.results.php script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

[CLOSE] OSVDB ID : 26863 - Disclosed: 2006-06-27

Description:

H-Sphere contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'next_template', 'start', 'curr_menu_id' and 'arid' variables upon submission to the psoft.hsphere.CP script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26872 - Disclosed: 2006-06-27

Description:

Hostflow Help Desk contains a flaw that may allow a malicious user to gain unauthorized access. The issue is triggered when an attacker gains access to the URL used by an authenticated user, which contains all necessary authentication information. It is possible that the flaw may allow unauthorized access resulting in a loss of integrity.

[CLOSE] OSVDB ID : 27627 - Disclosed: 2006-06-27

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in HSPcomplete 3.2.2 and 3.3 Beta and earlier allow remote attackers to execute arbitrary SQL commands via the (1) type parameter in report.php and (2) level parameter in custom_buttons.php.

[CLOSE] OSVDB ID : 27628 - Disclosed: 2006-06-27

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in HSPcomplete 3.2.2 and 3.3 Beta and earlier allow remote attackers to execute arbitrary SQL commands via the (1) type parameter in report.php and (2) level parameter in custom_buttons.php.

[CLOSE] OSVDB ID : 43500 - Disclosed: 2006-06-27

Description:

(Description Provided by CVE) : Cross-domain vulnerability in MYweb4net Browser 3.8.8.0 allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object, a similar vulnerability to CVE-2006-3280.

[CLOSE] OSVDB ID : 27625 - Disclosed: 2006-06-26

Description:

(Description Provided by CVE) : SQL injection vulnerability in index.php in Zorum Forum 3.5 allows remote attackers to execute arbitrary SQL commands via the (1) offset, (2) tid, (3) fromid, (4) sortby, (5) fromfrommethod, and (6) fromfromlist parameters.

[CLOSE] OSVDB ID : 27626 - Disclosed: 2006-06-26

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in index.php in Zorum Forum 3.5 allows remote attackers to inject web script or HTML via the multiple unspecified parameters, including the (1) frommethod, (2) list, and (3) method, which are reflected in an error message. NOTE: some of these vectors might be resultant from SQL injection.

[CLOSE] OSVDB ID : 27623 - Disclosed: 2006-06-25

Description:

OpenForum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'ofdisp' and 'ofmsgid' variables upon submission to the 'openforum.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26848 - Disclosed: 2006-06-25

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in phpQLAdmin 2.2.7 and earlier allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) user_add.php or (2) unit_add.php.

[CLOSE] OSVDB ID : 26849 - Disclosed: 2006-06-25

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in phpQLAdmin 2.2.7 and earlier allow remote attackers to inject arbitrary web script or HTML via the domain parameter in (1) user_add.php or (2) unit_add.php.

[CLOSE] OSVDB ID : 26840 - Disclosed: 2006-06-25

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in pm.php in DeluxeBB 1.07 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) subject or (2) to parameters.

[CLOSE] OSVDB ID : 26804 - Disclosed: 2006-06-25

Description:

GL-SH Deaf Forum contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'sort', 'search', 'page', and 'action' variables upon submission to the show.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26798 - Disclosed: 2006-06-25

Description:

(Description Provided by CVE) : SQL injection vulnerability in index.php in Infinite Core Technologies (ICT) 1.0 Gold and earlier allows remote attackers to execute arbitrary SQL commands via the post parameter.