[CLOSE] OSVDB ID : 28461 - Disclosed: 2006-08-29

Description:

vtiger CRM contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'solution' variables upon submission to the 'HelpDesk' module. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 28462 - Disclosed: 2006-08-29

Description:

vtiger CRM contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered because access controls are not applied when files are requested directly, enabling users without administrative privileges to access modules which are restricted to administrators. This flaw may lead to a loss of integrity.

[CLOSE] OSVDB ID : 30714 - Disclosed: 2006-08-29

Description:

(Description Provided by CVE) : Gonafish.com LinksCaffe 2.0 and 3.0 do not properly restrict access to administrator functions, which allows remote attackers to gain full administration rights via a direct request to Admin/admin1953.php.

[CLOSE] OSVDB ID : 30804 - Disclosed: 2006-08-29

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 30712 - Disclosed: 2006-08-29

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in index.php in phpECard 2.1.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the include_path parameter. NOTE: the provenance of this information is unknown; the details are obtained from third party information.

[CLOSE] OSVDB ID : 58789 - Disclosed: 2006-08-29

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 31297 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : The KDE PAM configuration shipped with Fedora Core 5 causes KDM passwords to be cached, which allows attackers to login without a password by attempting to log in multiple times.

[CLOSE] OSVDB ID : 28319 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'subgroupname' variable upon submission to the loginreq2.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 28320 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the headeruserdata.php script not properly sanitizing user-supplied input to the 'groupname' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 28321 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the event_list.php script not properly sanitizing user input supplied to the 'GLOBALS[admin_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28322 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the calendar.php script not properly sanitizing user input supplied to the 'GLOBALS[language_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28323 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the gallery_summary.php script not properly sanitizing user input supplied to the 'GLOBALS[admin_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28324 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the showguestbook.php script not properly sanitizing user input supplied to the 'GLOBALS[admin_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28325 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the showlinks.php script not properly sanitizing user input supplied to the 'GLOBALS[admin_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28326 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the shownews.php script not properly sanitizing user input supplied to the 'GLOBALS[language_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28327 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the showpoll.php script not properly sanitizing user input supplied to the 'GLOBALS[language_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28328 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the review_summary.php script not properly sanitizing user input supplied to the 'GLOBALS[admin_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28329 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the search.php script not properly sanitizing user input supplied to the 'GLOBALS[language_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28330 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the toprated.php script not properly sanitizing user input supplied to the 'GLOBALS[language_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28331 - Disclosed: 2006-08-28

Description:

ezContents contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the whatsnew.php script not properly sanitizing user input supplied to the 'GLOBALS[language_home]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28359 - Disclosed: 2006-08-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 28360 - Disclosed: 2006-08-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 28248 - Disclosed: 2006-08-28

Description:

Web3news contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to _class.security.php not properly sanitizing user input supplied to the 'PHPSECURITYADMIN_PATH' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 28339 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to unvalidated input, allow attackers to have an unknown impact via unspecified vectors involving the (1) mosMail, (2) JosIsValidEmail, and (3) josSpoofValue functions; (4) the lack of inclusion of globals.php in administrator/index.php; (5) the Admin User Manager; and (6) the poll module.

[CLOSE] OSVDB ID : 28340 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to unvalidated input, allow attackers to have an unknown impact via unspecified vectors involving the (1) mosMail, (2) JosIsValidEmail, and (3) josSpoofValue functions; (4) the lack of inclusion of globals.php in administrator/index.php; (5) the Admin User Manager; and (6) the poll module.

[CLOSE] OSVDB ID : 28341 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Unspecified vulnerability in PEAR.php in Joomla! before 1.0.11 allows remote attackers to perform "remote execution," related to "Injection Flaws."

[CLOSE] OSVDB ID : 28342 - Disclosed: 2006-08-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 28343 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to unvalidated input, allow attackers to have an unknown impact via unspecified vectors involving the (1) mosMail, (2) JosIsValidEmail, and (3) josSpoofValue functions; (4) the lack of inclusion of globals.php in administrator/index.php; (5) the Admin User Manager; and (6) the poll module.

[CLOSE] OSVDB ID : 28344 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Joomla! before 1.0.11 omits some checks for whether _VALID_MOS is defined, which allows attackers to have an unknown impact, possibly resulting in PHP remote file inclusion.

[CLOSE] OSVDB ID : 28345 - Disclosed: 2006-08-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 28346 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Joomla! before 1.0.11 allow attackers to bypass user authentication via unknown vectors involving the (1) do_pdf command and the (2) emailform com_content task.

[CLOSE] OSVDB ID : 28347 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Joomla! before 1.0.11 allow attackers to bypass user authentication via unknown vectors involving the (1) do_pdf command and the (2) emailform com_content task.

[CLOSE] OSVDB ID : 28348 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.11 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in (1) Admin Module Manager, (2) Admin Help, and (3) Search.

[CLOSE] OSVDB ID : 28349 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.11 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in (1) Admin Module Manager, (2) Admin Help, and (3) Search.

[CLOSE] OSVDB ID : 28350 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.0.11 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in (1) Admin Module Manager, (2) Admin Help, and (3) Search.

[CLOSE] OSVDB ID : 28351 - Disclosed: 2006-08-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 28352 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to "Injection Flaws," allow attackers to have an unknown impact via (1) globals.php, which uses include_once() instead of require(); (2) the $options variable; (3) Admin Upload Image; (4) ->load(); (5) content submissions when frontpage is selected; (6) the mosPageNav constructor; (7) saveOrder functions; (8) the absence of "exploit blocking rules" in htaccess; and (9) the ACL.

[CLOSE] OSVDB ID : 28353 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : The Admin Upload Image functionality in Joomla! before 1.0.11 allows remote authenticated users to upload files outside of the /images/stories/ directory via unspecified vectors.

[CLOSE] OSVDB ID : 28354 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to "Injection Flaws," allow attackers to have an unknown impact via (1) globals.php, which uses include_once() instead of require(); (2) the $options variable; (3) Admin Upload Image; (4) ->load(); (5) content submissions when frontpage is selected; (6) the mosPageNav constructor; (7) saveOrder functions; (8) the absence of "exploit blocking rules" in htaccess; and (9) the ACL.

[CLOSE] OSVDB ID : 28355 - Disclosed: 2006-08-28

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to "Injection Flaws," allow attackers to have an unknown impact via (1) globals.php, which uses include_once() instead of require(); (2) the $options variable; (3) Admin Upload Image; (4) ->load(); (5) content submissions when frontpage is selected; (6) the mosPageNav constructor; (7) saveOrder functions; (8) the absence of "exploit blocking rules" in htaccess; and (9) the ACL.