[CLOSE] OSVDB ID : 31438 - Disclosed: 2006-04-30

Description:

(Description Provided by CVE) : SQL injection vulnerability in index.php in BoonEx Barracuda 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) link_dir_target and (2) link_id_target parameter, possibly involving the link_edit functionality.

[CLOSE] OSVDB ID : 25131 - Disclosed: 2006-04-30

Description:

TrueCrypt contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is caused by the unsafe use of the 'execvp()' function to execute external commands without sanitising the user's current PATH settings. This flaw may lead to a loss of integrity.

[CLOSE] OSVDB ID : 25158 - Disclosed: 2006-04-30

Description:

Aardvark Topsites PHP contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to sources/lostpw.php not properly sanitizing user input supplied to the 'CONFIG[path]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 25150 - Disclosed: 2006-04-30

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart 3.33 and earlier allows remote attackers to inject arbitrary web script or HTML via the setbackurl parameter.

[CLOSE] OSVDB ID : 25144 - Disclosed: 2006-04-30

Description:

CPS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'pos' variable upon submission to the 'popup_image' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Additionally, the error output will disclose the software's installation path and other system information. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

[CLOSE] OSVDB ID : 25141 - Disclosed: 2006-04-30

Description:

OrbitHYIP contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'referral' variable upon submission to the signup.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 25142 - Disclosed: 2006-04-30

Description:

OrbitHYIP contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'id' variable upon submission to the members.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 25189 - Disclosed: 2006-04-30

Description:

(Description Provided by CVE) : Multiple buffer overflows in client.c in CGI:IRC (CGIIRC) before 0.5.8 might allow remote attackers to execute arbitrary code via (1) cookies or (2) the query string.

[CLOSE] OSVDB ID : 25491 - Disclosed: 2006-04-30

Description:

(Description Provided by CVE) : RT: Request Tracker 3.5.HEAD allows remote attackers to obtain sensitive information via the Rows parameter in Dist/Display.html, which reveals the installation path in an error message.

[CLOSE] OSVDB ID : 25132 - Disclosed: 2006-04-30

Description:

PHP Newsfeed contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the deltables.php script not properly sanitizing user-supplied input to the 'name' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25133 - Disclosed: 2006-04-30

Description:

PHP Newsfeed contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the manualsubmit.php script not properly sanitizing user-supplied input to the 'select', 'header', 'url', 'source' or 'time' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25134 - Disclosed: 2006-04-30

Description:

PHP Newsfeed contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the delete.php script not properly sanitizing user-supplied input to the 'num' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25135 - Disclosed: 2006-04-30

Description:

PHP Newsfeed contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the searchnews.php script not properly sanitizing user-supplied input to the 'tablename' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25122 - Disclosed: 2006-04-30

Description:

MaxTrade contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the pocategories.php script not properly sanitizing user-supplied input to the "categori" and "stranica" variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25121 - Disclosed: 2006-04-30

Description:

(Description Provided by CVE) : resmgrd in resmgr for SUSE Linux and other distributions does not properly handle when access to a USB device is granted by using "usb:<bus>,<dev>" notation, which grants access to all USB devices and allows local users to bypass intended restrictions. NOTE: this is a different vulnerability than CVE-2005-4788.

[CLOSE] OSVDB ID : 25124 - Disclosed: 2006-04-30

Description:

PHP Pro Publish contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/login.php' script not properly sanitizing user-supplied input to the 'email' or 'password' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25125 - Disclosed: 2006-04-30

Description:

PHP Pro Publish contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'cat.php' script not properly sanitizing user-supplied input to the 'catid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25126 - Disclosed: 2006-04-30

Description:

PHP Pro Publish contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'search.php' script not properly sanitizing user-supplied input to the 'find_str' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25127 - Disclosed: 2006-04-30

Description:

PHP Pro Publish contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'art.php' script not properly sanitizing user-supplied input to the 'artid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25128 - Disclosed: 2006-04-30

Description:

PHP Pro Publish contains a flaw that may allow a malicious user to run arbitrary code. The issue is triggered due to 'set_inc.php' not properly sanitizing settings made by administrative users. That way, arbitrary PHP code may be injected, which will be executed when the file is included, resulting in a loss of integrity.

[CLOSE] OSVDB ID : 37337 - Disclosed: 2006-04-30

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in sources/join.php in Aardvark Topsites PHP 4.2.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the CONFIG[path] parameter, a different vector than CVE-2006-2149.

[CLOSE] OSVDB ID : 27780 - Disclosed: 2006-04-29

Description:

Mac OS X contains a flaw that may allow a remote denial of service. The issue is triggered when an OS X application is directed to open a malformed EXR file, and will result in loss of availability for the application.

[CLOSE] OSVDB ID : 26968 - Disclosed: 2006-04-29

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 25163 - Disclosed: 2006-04-29

Description:

HB-NS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the "topic" and "id" variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 25164 - Disclosed: 2006-04-29

Description:

HB-NS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "poster_name", "poster_email", "poster_homepage", and "message" variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 25157 - Disclosed: 2006-04-29

Description:

(Description Provided by CVE) : SQL injection vulnerability in news.php in AZNEWS allows remote attackers to execute arbitrary SQL commands via the ID parameter.

[CLOSE] OSVDB ID : 25155 - Disclosed: 2006-04-29

Description:

WEBInsta Limbo contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to sql.php not properly sanitizing user input supplied to the 'classes_dir' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 25140 - Disclosed: 2006-04-29

Description:

OpenPHPNuke contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to master.php not properly sanitizing user input supplied to the 'root_path' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 26774 - Disclosed: 2006-04-29

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in Project EROS bbsengine before bbsengine-20060429-1550-jam allow remote attackers to execute arbitrary SQL commands via (1) unspecified parameters in the php/comment.php and (2) the getpartialmatches method in php/aolbonics.php.

[CLOSE] OSVDB ID : 25262 - Disclosed: 2006-04-29

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in /includes/kb_constants.php in Knowledge Base Mod for PHPbb 2.0.2 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the module_root_path parameter.

[CLOSE] OSVDB ID : 25166 - Disclosed: 2006-04-29

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in Thyme 1.3 allows remote attackers to inject arbitrary web script or HTML via the search page.

[CLOSE] OSVDB ID : 25123 - Disclosed: 2006-04-29

Description:

TextFileBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the '[color]', '[size]', and '[url]' BBcode upon submission to an unknown or unspecified script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 41174 - Disclosed: 2006-04-29

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 25295 - Disclosed: 2006-04-29

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in w-Agora (aka Web-Agora) 4.2.0 allows remote attackers to inject arbitrary web script or HTML via a post with a BBCode tag that contains a JavaScript event name followed by whitespace before the '=' (equals) character, which bypasses a restrictive regular expression that attempts to remove onmouseover and other events.

[CLOSE] OSVDB ID : 25607 - Disclosed: 2006-04-29

Description:

(Description Provided by CVE) : SQL injection vulnerability in weblog_posting.php in Blog Mod 0.2.x allows remote attackers to execute arbitrary SQL commands via the r parameter.

[CLOSE] OSVDB ID : 25606 - Disclosed: 2006-04-29

Description:

(Description Provided by CVE) : Multiple format string vulnerabilities in xiTK (xitk/main.c) in xine 0.99.4 might allow attackers to cause a denial of service via format string specifiers in an MP3 filename specified on the command line. NOTE: this is a different vulnerability than CVE-2006-1905. In addition, if the only attack vectors involve a user-assisted, local command line argument of a non-setuid program, this issue might not be a vulnerability.

[CLOSE] OSVDB ID : 67621 - Disclosed: 2006-04-29

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 67890 - Disclosed: 2006-04-29

Description:

(Description Provided by CVE) : gnome-power-manager 2.14.0 does not properly implement the lock_on_suspend and lock_on_hibernate settings for locking the screen when the suspend or hibernate button is pressed, which might make it easier for physically proximate attackers to access an unattended laptop via a resume action, a related issue to CVE-2010-2532.

[CLOSE] OSVDB ID : 33794 - Disclosed: 2006-04-28

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in the registration form in Casinosoft Casino Script (Masvet) 3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) surname field.

[CLOSE] OSVDB ID : 25582 - Disclosed: 2006-04-28

Description:

(Description Provided by CVE) : PHP remote file include vulnerability in admin/config_settings.tpl.php in I-RATER Platinum allows remote attackers to execute arbitrary code via a URL in the include_path parameter. NOTE: this is a different vector, and possibly a different vulnerability, than CVE-2006-1929.