[CLOSE] OSVDB ID : 26277 - Disclosed: 2006-06-09

Description:

KAPhotoservice contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'New Category' field and the 'apage' variable upon submission to the edtalbum.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26416 - Disclosed: 2006-06-09

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in ClickGallery 5.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gallery_id parameter in gallery.asp and (2) parentcurrentpage parameter in view_gallery.asp.

[CLOSE] OSVDB ID : 26417 - Disclosed: 2006-06-09

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in ClickGallery 5.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gallery_id parameter in gallery.asp and (2) parentcurrentpage parameter in view_gallery.asp.

[CLOSE] OSVDB ID : 26411 - Disclosed: 2006-06-09

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in BlueCollar i-Gallery 4.1 PLUS and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) n and (2) d parameters in (a) login.asp and the d parameter in (b) igallery.asp.

[CLOSE] OSVDB ID : 26412 - Disclosed: 2006-06-09

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in BlueCollar i-Gallery 4.1 PLUS and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) n and (2) d parameters in (a) login.asp and the d parameter in (b) igallery.asp.

[CLOSE] OSVDB ID : 26365 - Disclosed: 2006-06-09

Description:

ePhotos contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the subphotos.asp script not properly sanitizing user-supplied input to the 'CAT_ID' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 26366 - Disclosed: 2006-06-09

Description:

ePhotos contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the photos.asp script not properly sanitizing user-supplied input to the 'AL_ID' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 26367 - Disclosed: 2006-06-09

Description:

ePhotos contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the subLevel2.asp script not properly sanitizing user-supplied input to the "CAT_ID" and "SUB_ID" variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 26198 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'tf_lang' variable upon submission to the publication_index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26199 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'tf_name' or 'tf_user' variables upon submission to the group_index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26200 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'tf_lastname' variable upon submission to the user_index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26201 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'tf_name' or 'tf_contact' variables upon submission to the list_index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26202 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'tf_datebefore' or 'tf_dateafter' variables upon submission to the company_index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26203 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the an unspecified script (likely index.php) not properly sanitizing user-supplied input to the 'new_order' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 26204 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the group_index.php script not properly sanitizing user-supplied input to the 'new_order', 'tf_user' and 'order_dir' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 26205 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the user_index.php script not properly sanitizing user-supplied input to the 'order_dir' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 26206 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the list_index.php script not properly sanitizing user-supplied input to the 'order_dir' and 'new_order' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 26207 - Disclosed: 2006-06-06

Description:

Open Business Management (OBM) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the company_index.php script not properly sanitizing user-supplied input to the 'entity', 'order_dir', 'new_order' and 'tf_dateafter' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 26179 - Disclosed: 2006-06-06

Description:

KnowledgeTree Open Source contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'fDocumentId' variable upon submission to the view.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26180 - Disclosed: 2006-06-06

Description:

KnowledgeTree Open Source contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'fSearchableText' variable upon submission to the search/simpleSearch.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26297 - Disclosed: 2006-06-06

Description:

KnowledgeTree Open Source contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker provides a crafted 'fDocumentId' variable to the view.php script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

[CLOSE] OSVDB ID : 25976 - Disclosed: 2006-06-05

Description:

Particle Wiki contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'version' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25953 - Disclosed: 2006-06-05

Description:

Particle gallery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the viewimage.php script not properly sanitizing user-supplied input to the imageid variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25963 - Disclosed: 2006-06-05

Description:

LabWiki contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'help' variable upon submission to the recentchanges.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 26009 - Disclosed: 2006-05-27

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in EVA-Web 2.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) debut_image parameter in (a) article-album.php3, (2) date parameter in (b) rubrique.php3, and the (3) perso and (4) aide parameters to (c) an unknown script, probably index.php.

[CLOSE] OSVDB ID : 26010 - Disclosed: 2006-05-27

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in EVA-Web 2.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) debut_image parameter in (a) article-album.php3, (2) date parameter in (b) rubrique.php3, and the (3) perso and (4) aide parameters to (c) an unknown script, probably index.php.

[CLOSE] OSVDB ID : 26011 - Disclosed: 2006-05-27

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in EVA-Web 2.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) debut_image parameter in (a) article-album.php3, (2) date parameter in (b) rubrique.php3, and the (3) perso and (4) aide parameters to (c) an unknown script, probably index.php.

[CLOSE] OSVDB ID : 26012 - Disclosed: 2006-05-27

Description:

(Description Provided by CVE) : An unspecified script in EVA-Web 2.1.2 and earlier, probably index.php, allows remote attackers to obtain the full path of the web server via invalid (1) perso or (2) aide parameters.

[CLOSE] OSVDB ID : 25504 - Disclosed: 2006-05-13

Description:

FlexChat contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'username' and 'CFTOKEN' variables upon submission to the index.cfm script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 25505 - Disclosed: 2006-05-13

Description:

FlexChat contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "CFTOKEN" and "CFID" variables upon submission to the chat.cfm script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 25307 - Disclosed: 2006-05-08

Description:

Creative Community Portal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ArticleView.php script not properly sanitizing user-supplied input to the 'article_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25308 - Disclosed: 2006-05-08

Description:

Creative Community Portal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the DiscView.php script not properly sanitizing user-supplied input to the 'forum_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25309 - Disclosed: 2006-05-08

Description:

Creative Community Portal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the Discussion.php script not properly sanitizing user-supplied input to the 'forum_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25310 - Disclosed: 2006-05-08

Description:

Creative Community Portal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the EventView.php script not properly sanitizing user-supplied input to the 'event_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25311 - Disclosed: 2006-05-08

Description:

Creative Community Portal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the PollResults.php script not properly sanitizing user-supplied input to the 'AddVote' or 'answer_id' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25312 - Disclosed: 2006-05-08

Description:

Creative Community Portal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the DiscReply.php script not properly sanitizing user-supplied input to the 'mid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25239 - Disclosed: 2006-05-03

Description:

Albinator contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'eday.php' not properly sanitizing user input supplied to the 'Config_rootdir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 25240 - Disclosed: 2006-05-03

Description:

Albinator contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'eshow.php' script not properly sanitizing user input supplied to the 'Config_rootdir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 25241 - Disclosed: 2006-05-03

Description:

Albinator contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'forgot.php' script not properly sanitizing user input supplied to the 'Config_rootdir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 25242 - Disclosed: 2006-05-03

Description:

Albinator contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'cid' variable upon submission to the 'dlisting.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.