| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 21189 | 2005-11-25 | DRZES HMS /customers/pass_dirs.php Multiple Parameter SQL Injection | drzes HMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /customers/pass_dirs.php script not properly sanitizing user-supplied input to the 'plan_id' or 'domain' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21190 | 2005-11-25 | DRZES HMS /customers/zone_files.php Multiple Parameter SQL Injection | drzes HMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /customers/zone_files.php script not properly sanitizing user-supplied input to the 'plan_id' or 'domain' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21191 | 2005-11-25 | DRZES HMS /customers/htaccess.php Multiple Parameter SQL Injection | drzes HMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /customers/htaccess.php script not properly sanitizing user-supplied input to the 'plan_id' or 'domain' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21192 | 2005-11-25 | DRZES HMS /customers/software.php Multiple Parameter SQL Injection | drzes HMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /customers/software.php script not properly sanitizing user-supplied input to the 'plan_id' or 'domain' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21193 | 2005-11-25 | DRZES HMS /customers/register_domain.php Domain Availability Field XSS | drzes HMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Domain Availability' field upon submission to the /customers/register_domain.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 21165 | 2005-11-25 | DMANews index.php Multiple Parameter SQL Injection | DMANews contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'id', 'sortorder' and 'display_num' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21163 | 2005-11-25 | ClientExec index.php Multiple Parameter SQL Injection | Clientexec contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'billshowid', 'billdetailid', 'fuse' and 'frmClientID' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21162 | 2005-11-25 | Fantastic News news.php category Parameter SQL Injection | Fantastic News contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'news.php' script not properly sanitizing user-supplied input to the 'category' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 48707 | 2005-11-25 | eFiction on Unspecified Environment install.php / upgrade.php Unauthorized Operations | (Description Provided by CVE) : eFiction 1.0, 1.1, and 2.0, in unspecified environments, might allow remote attackers to conduct unauthorized operations by directly accessing (1) install.php or (2) upgrade.php. NOTE: it is unclear whether this is a vulnerability in eFiction itself or the result of incorrect system administration practices, e.g. by not removing utility scripts once they have been used. |
| 22830 | 2005-11-25 | unicode-msearch Unspecified XSS | (Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the Unicode version of msearch (unicode-msearch) 1.51(U1)-beta1, 1.51(U1), and 1.52(U1) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 21313 | 2005-11-25 | Kayako SupportSuite index.php Path Disclosure | Unknown / Incomplete |
| 21314 | 2005-11-25 | SMBCMS Search Query SQL Injection | SMBCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search feature not properly sanitizing user-supplied input to one or more unspecified variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21320 | 2005-11-25 | Systems Panel /knowledgebase/index.php cid Parameter SQL Injection | Systems Panel contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /knowledgebase/index.php script not properly sanitizing user-supplied input to the 'cid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21321 | 2005-11-25 | Systems Panel /knowledgebase/view.php aid Parameter SQL Injection | Systems Panel contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /knowledgebase/view.php script not properly sanitizing user-supplied input to the 'aid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21322 | 2005-11-25 | Systems Panel /contact/update.php cid Parameter SQL Injection | Sysbotz contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /contact/update.php script not properly sanitizing user-supplied input to the 'cid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21323 | 2005-11-25 | Systems Panel /links/index.php letter Parameter SQL Injection | Systems Panel contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /links/index.php script not properly sanitizing user-supplied input to the 'letter' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21324 | 2005-11-25 | Systems Panel /messageboard/view.php mid Parameter SQL Injection | Systems Panel contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /messageboard/view.php script not properly sanitizing user-supplied input to the 'mid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21325 | 2005-11-25 | Systems Panel /tickets/view.php tid Parameter SQL Injection | Systems Panel contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /tickets/view.php script not properly sanitizing user-supplied input to the 'tid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21315 | 2005-11-25 | DapperDesk news.php page Parameter SQL Injection | DapperDesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'news.php' script not properly sanitizing user-supplied input to the 'page' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21316 | 2005-11-25 | cSupport tickets.php pg Parameter SQL Injection | cSupport contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'tickets.php' script not properly sanitizing user-supplied input to the 'pg' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21317 | 2005-11-25 | iSupport index.php include_file Parameter SQL Injection | iSupport contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'include_file' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21368 | 2005-11-25 | LogicBill helpdesk.php Multiple Parameter SQL Injection | LogicBill contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'helpdesk.php' script not properly sanitizing user-supplied input to the '__mode' and '__id' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21369 | 2005-11-25 | EZ Invoice Inc invoices.php i Parameter SQL Injection | EZI contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'invoices.php' script not properly sanitizing user-supplied input to the 'i' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21370 | 2005-11-25 | CS-Cart index.php Multiple Parameter SQL Injection | CS-Cart contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'sort_by' and 'sort_order' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 24606 | 2005-11-25 | Virtual War (Vwar) functions_admin.php Remote File Inclusion | (Description Provided by CVE) : PHP remote file include vulnerability in functions_admin.php in Virtual War (VWar) 1.5.0 R10 allows remote attackers to include and execute arbitrary PHP code via unspecified attack vectors. NOTE: this issue has been referred to as XSS, but it is clear from the vendor description that it is a file inclusion problem. |
| 21100 | 2005-11-24 | DeskLance index.php main Parameter Remote File Inclusion | (Description Provided by CVE) : PHP remote file inclusion vulnerability in support/index.php in DeskLance 2.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the main parameter. |
| 24118 | 2005-11-24 | DeskLance index.php announce Parameter SQL Injection | (Description Provided by CVE) : SQL injection vulnerability in DeskLance 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the announce parameter. |
| 21096 | 2005-11-24 | ActiveCampaign KnowledgeBuilder index.php article Parameter SQL Injection | KnowledgeBuilder contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'article' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21097 | 2005-11-24 | ActiveCampaign KnowledgeBuilder index.php category Variable Path Disclosure | KnowledgeBuilder contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker passes crafted input to the 'category' parameter of the 'index.php' script, which discloses the software's installation path, resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 21098 | 2005-11-24 | ActiveCampaign KnowledgeBuilder index.php category Variable DoS | KnowledgeBuilder contains a flaw that may allow a remote denial of service. The issue is triggered when a large number of SQL queries are sent via the 'category' parameter of the 'index.php' script, resulting in a loss of availability for the service. |
| 21094 | 2005-11-24 | OKBSYS Lite search.asp q Parameter XSS | OKBSYS Lite contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'q' variable upon submission to the 'search.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 21102 | 2005-11-24 | IsolSoft Support Center search.php Multiple Parameter SQL Injection | Support Center contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'lorder', 'Priority', 'Status', 'Category', 'searchvalue', and 'field' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21117 | 2005-11-24 | Nicecoder iDesk faq.php cat_id Parameter SQL Injection | iDesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the faq.php script not properly sanitizing user-supplied input to the 'cat_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21085 | 2005-11-24 | Orca Forum forum.php msg Parameter SQL Injection | Orca Forum contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'forum.php' script not properly sanitizing user-supplied input to the 'msg' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21073 | 2005-11-24 | SpeedProject Multiple Products ZIP/UUE Archive File Pathname Overflow | A local overflow exists in SpeedCommander, Squeez, and ZipStar. The products fail to safely use the "lstrcat()" function in the "CxZIP60.dll", "CxZIP60u.dll", "CxUux60.dll" and "CxUux60u.dll" modules while processing filename pathnames, resulting in a stack-based overflow. With a specially crafted archive, an attacker can cause the execution of arbitrary code, resulting in a loss of integrity. |
| 21223 | 2005-11-24 | vtiger CRM Logging Function Arbitrary PHP Code Injection | Unknown / Incomplete |
| 21224 | 2005-11-24 | vtiger CRM Multiple Parameter Traversal Local File Inclusion | (Description Provided by CVE) : Multiple directory traversal vulnerabilities in index.php in vTiger CRM 4.2 and earlier allow remote attackers to read or include arbitrary files, and ultimately execute arbitrary PHP code, via .. (dot dot) and null byte ("%00") sequences in the (1) module parameter and (2) action parameter in the Leads module, as also demonstrated by injecting PHP code into log messages and accessing the log file. |
| 21225 | 2005-11-24 | vtiger CRM HelpDesk Module index.php Multiple Parameter SQL Injection | vTiger CRM contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'date' or 'user_name' variables. This may allow a logged-in attacker to inject or manipulate SQL queries in the back-end database. |
| 21226 | 2005-11-24 | vtiger CRM Login username Field SQL Injection | vTiger CRM contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login script not properly sanitizing user-supplied input to the username variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 21227 | 2005-11-24 | vtiger CRM RSS Aggregation Module Feed XSS | vTiger CRM contains a flaw that allows a remote cross site scripting attack. This flaw exists because the program does not validate RSS feeds upon submission to the RSS aggregation module script. This could allow a malicious blog or news site to create a specially crafted feed that would execute arbitrary script in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
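Most entries above share one root cause: a request parameter such as 'plan_id', 'cid' or 'category' is interpolated straight into a query string. The following is an added example, not code from OSVDB, from any listed vendor or from the advisories; it models a hosting-plan lookup keyed by 'plan_id' and 'domain' (the parameter names in the DRZES HMS entries) and shows the vulnerable query beside a parameterised one. The SQLite schema, sample rows, probe strings and all function names are constructed for this example.

```python
"""Added example (not OSVDB or vendor code): the SQL-injection pattern that
most entries above describe, as a vulnerable lookup beside a hardened one.

Schema, rows, payloads and function names are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two hosting plans plus one credential row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE plans (plan_id INTEGER, domain TEXT, quota_mb INTEGER);
        INSERT INTO plans VALUES (1, 'alice.example', 500);
        INSERT INTO plans VALUES (2, 'bob.example', 1000);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, plan_id: str, domain: str) -> list:
    """Interpolates request parameters into the query text: the flaw the
    'not properly sanitizing user-supplied input' entries describe."""
    sql = (
        "SELECT domain, quota_mb FROM plans "
        f"WHERE plan_id = {plan_id} AND domain = '{domain}'"
    )
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, plan_id: str, domain: str) -> list:
    """Same query with both values bound as parameters; plan_id is also
    type-checked, since the 'id'-style parameters on this page are integers."""
    if not plan_id.isdecimal():
        raise ValueError("plan_id must be a decimal integer")
    sql = "SELECT domain, quota_mb FROM plans WHERE plan_id = ? AND domain = ?"
    return conn.execute(sql, (int(plan_id), domain)).fetchall()


# Constructed probe values, in the two shapes a tester tries first.
BOOLEAN_PLAN_ID = "1 OR 1=1 --"   # '--' comments out the rest of the WHERE clause
UNION_DOMAIN = "x' UNION SELECT username, password_hash FROM users -- "


def sqli_demo() -> dict:
    """Runs both lookups against the same probes and returns the outcomes."""
    conn = make_db()
    out = {
        "legit": lookup_vulnerable(conn, "1", "alice.example"),
        # Row filter commented out: every plan comes back.
        "boolean_vuln": lookup_vulnerable(conn, BOOLEAN_PLAN_ID, "alice.example"),
        # Second SELECT appended: a row from an unrelated table comes back.
        "union_vuln": lookup_vulnerable(conn, "1", UNION_DOMAIN),
        # Bound parameter: the payload is compared as a literal domain name.
        "union_hardened": lookup_hardened(conn, "1", UNION_DOMAIN),
    }
    try:
        lookup_hardened(conn, BOOLEAN_PLAN_ID, "alice.example")
        out["boolean_hardened"] = "accepted"
    except ValueError as exc:
        out["boolean_hardened"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, result in sqli_demo().items():
        print(f"{name:16s} {result}")
```

The UNION probe is the one to keep in mind when triaging "may allow an attacker to inject or manipulate SQL queries": it turns a read-only lookup into a read of any table the application account can see, which is why a disclosure-only rating understates these entries.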
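OSVDB 21224 describes the other pattern on this page: a 'module' or 'action' parameter is turned into a file path, so dot-dot segments walk out of the application tree and an encoded NUL ("%00") cuts off the ".php" suffix the script appends. The following is an added example, not vtiger CRM code and not taken from the CVE; it models that resolution in Python, emulating the NUL truncation that a C-string consumer such as an older PHP include() performed, and adds the allowlist and containment check that close it. The modules directory, the function names and the probe string are assumed; 'Leads' is the module name the entry cites.

```python
"""Added example (not vtiger or CVE code): traversal plus NUL-byte file
inclusion as described in OSVDB 21224, with the check that closes it.

MODULE_DIR, the function names and the probe string are constructed.
"""
import posixpath
import re
import urllib.parse

MODULE_DIR = "/var/www/vtigercrm/modules"   # assumed install layout


def resolve_vulnerable(module_param: str) -> str:
    """Concatenates the decoded parameter into a path and returns the file a
    C-string consumer would actually open."""
    module = urllib.parse.unquote(module_param)
    path = posixpath.join(MODULE_DIR, module + ".php")
    # Emulate NUL truncation: everything after the first NUL, including the
    # appended ".php", is dropped by a C-level open().
    path = path.split("\x00", 1)[0]
    return posixpath.normpath(path)


MODULE_NAME = re.compile(r"[A-Za-z0-9_]+")


def resolve_hardened(module_param: str) -> str:
    """Allowlists the module name, then confirms the normalised path is still
    inside MODULE_DIR.  Either check alone stops this probe; both are kept so
    the containment check survives a later loosening of the regex."""
    module = urllib.parse.unquote(module_param)
    if "\x00" in module:
        raise ValueError("NUL byte in module name")
    if not MODULE_NAME.fullmatch(module):
        raise ValueError("module name outside [A-Za-z0-9_]")
    path = posixpath.normpath(posixpath.join(MODULE_DIR, module + ".php"))
    if posixpath.commonpath([MODULE_DIR, path]) != MODULE_DIR:
        raise ValueError("path escapes module directory")
    return path


# Constructed probe in the shape the CVE text describes: dot-dot segments
# followed by an encoded NUL so the ".php" suffix is cut off.
TRAVERSAL_PROBE = "../../../../etc/passwd%00"


def lfi_demo() -> dict:
    """Resolves a legitimate module and the probe through both functions."""
    out = {
        "legit_vulnerable": resolve_vulnerable("Leads"),
        "probe_vulnerable": resolve_vulnerable(TRAVERSAL_PROBE),
        "legit_hardened": resolve_hardened("Leads"),
    }
    try:
        resolve_hardened(TRAVERSAL_PROBE)
        out["probe_hardened"] = "accepted"
    except ValueError as exc:
        out["probe_hardened"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, result in lfi_demo().items():
        print(f"{name:18s} {result}")
```

The containment check uses normpath rather than a filesystem lookup so the example runs offline; in a real handler, resolve the path with realpath() as well, so that symlinks inside the modules directory cannot point back out of it.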