[CLOSE] OSVDB ID : 49548 - Disclosed: 2008-10-31

Description:

SFS EZ BIZ PRO contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'track.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49546 - Disclosed: 2008-10-31

Description:

SFS EZ Hotscripts-like Site contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'showcategory.php' script not properly sanitizing user-supplied input to the 'cid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49545 - Disclosed: 2008-10-31

Description:

SFS EZ Hotscripts-like Site contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'software-description.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49540 - Disclosed: 2008-10-31

Description:

SFS EZ Hot or Not contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the viewcomments.php script not properly sanitizing user-supplied input to the phid variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49539 - Disclosed: 2008-10-31

Description:

SFS EZ Top Sites contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'topsite.php' script not properly sanitizing user-supplied input to the 'ts' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 56520 - Disclosed: 2008-10-31

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 49455 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Cross-site request forgery (CSRF) vulnerability in Interact 2.4.1 allows remote attackers to hijack the authentication of super administrators for requests that create super administrator accounts.

[CLOSE] OSVDB ID : 49458 - Disclosed: 2008-10-31

Description:

Interact contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'spaces/emailuser.php' script not properly sanitizing user-supplied input to the 'email_user_key' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49465 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Multiple cross-site request forgery (CSRF) vulnerabilities in the management interface on the A-LINK WL54AP3 and WL54AP2 access points before firmware 1.4.2-eng1 allow remote attackers to hijack the authentication of administrators for requests that (1) modify the network configuration via certain parameters to goform/formWanTcpipSetup or (2) modify credentials via certain parameters to goform/formPasswordSetup.

[CLOSE] OSVDB ID : 49466 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Multiple cross-site request forgery (CSRF) vulnerabilities in the management interface on the A-LINK WL54AP3 and WL54AP2 access points before firmware 1.4.2-eng1 allow remote attackers to hijack the authentication of administrators for requests that (1) modify the network configuration via certain parameters to goform/formWanTcpipSetup or (2) modify credentials via certain parameters to goform/formPasswordSetup.

[CLOSE] OSVDB ID : 49484 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Multiple stack-based buffer overflows in (1) University of Washington IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine 2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain privileges by specifying a long folder extension argument on the command line to the tmail or dmail program; and (b) remote attackers to execute arbitrary code by sending e-mail to a destination mailbox name composed of a username and '+' character followed by a long string, processed by the tmail or possibly dmail program.

[CLOSE] OSVDB ID : 49485 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Multiple stack-based buffer overflows in (1) University of Washington IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine 2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain privileges by specifying a long folder extension argument on the command line to the tmail or dmail program; and (b) remote attackers to execute arbitrary code by sending e-mail to a destination mailbox name composed of a username and '+' character followed by a long string, processed by the tmail or possibly dmail program.

[CLOSE] OSVDB ID : 49486 - Disclosed: 2008-10-31

Description:

SFS EZ Career contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'content.php' script not properly sanitizing user-supplied input to the 'topic' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49512 - Disclosed: 2008-10-31

Description:

SFS EZ Webring contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'category.php' script not properly sanitizing user-supplied input to the 'cat' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49513 - Disclosed: 2008-10-31

Description:

SFS EZ Auction contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'viewfaqs.php' script not properly sanitizing user-supplied input to the 'cat' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49505 - Disclosed: 2008-10-31

Description:

Article Publisher Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'contact_author.php' script not properly sanitizing user-supplied input to the 'userid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49502 - Disclosed: 2008-10-31

Description:

Logz CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'fichiers/add_url.php' script not properly sanitizing user-supplied input to the 'art' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49495 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Directory traversal vulnerability in templates/mytribiqsite/tribal-GPL-1066/includes/header.inc.php in Tribiq CMS 5.0.10a, when register_globals is enabled and magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the template_path parameter. NOTE: it was later reported that this issue also affects 5.0.12c.

[CLOSE] OSVDB ID : 49496 - Disclosed: 2008-10-31

Description:

Tribiq CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'template_path' variables upon submission to the 'header.inc.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 49524 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats.

[CLOSE] OSVDB ID : 49503 - Disclosed: 2008-10-31

Description:

Logz CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'art' variables upon submission to the 'fichiers/add_url.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 49506 - Disclosed: 2008-10-31

Description:

Article Publisher Pro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/admin.php' script not properly sanitizing user-supplied input to the 'username' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 49518 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in autoinstall4imagesgalleryupgrade.php in the Fantastico De Luxe Module for cPanel allow remote attackers to inject arbitrary web script or HTML via the (1) localapp, (2) updatedir, (3) scriptpath_show, (4) domain_show, (5) thispage, (6) thisapp, and (7) currentversion parameters in an Upgrade action.

[CLOSE] OSVDB ID : 54418 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : ** DISPUTED ** Tribiq CMS 5.0.9a beta allows remote attackers to bypass authentication and gain administrative access by setting the COOKIE_LAST_ADMIN_USER and COOKIE_LAST_ADMIN_LANG cookies. NOTE: a third party reports that the vendor disputes the existence of this issue.

[CLOSE] OSVDB ID : 54894 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : The management interface on the A-LINK WL54AP3 and WL54AP2 access points has a blank default password for the admin account, which makes it easier for remote attackers to obtain access.

[CLOSE] OSVDB ID : 55864 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Xigla Software Absolute FAQ Manager.NET 6.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.

[CLOSE] OSVDB ID : 55880 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Xigla Software Absolute Live Support .NET 5.1 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.

[CLOSE] OSVDB ID : 55881 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Xigla Software Absolute Form Processor .NET 4.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.

[CLOSE] OSVDB ID : 55882 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Absolute Content Rotator 6.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.

[CLOSE] OSVDB ID : 55883 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Xigla Software Absolute Newsletter 6.0 and 6.1 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.

[CLOSE] OSVDB ID : 55913 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Xigla Software Absolute Control Panel XE 1.5 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.

[CLOSE] OSVDB ID : 55915 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Absolute Banner Manager .NET 4.0 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.

[CLOSE] OSVDB ID : 55916 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Xigla Software Absolute News Manager.NET 5.1 allows remote attackers to bypass authentication and gain administrative access by setting a cookie to a certain value.

[CLOSE] OSVDB ID : 55917 - Disclosed: 2008-10-31

Description:

(Description Provided by CVE) : Xigla Software Absolute News Feed 1.0 and possibly 1.5 allows remote attackers to bypass authentication and gain administrative access by setting a certain cookie.

[CLOSE] OSVDB ID : 56919 - Disclosed: 2008-10-31

Description:

Fantastico De Luxe Module for cPanel contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to the 'autoinstall4imagesgalleryupgrade.php' script not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied to the 'scriptpath_show' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands which will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In additin, this flaw can potentially be used to disclose the contents of any file on the system.

[CLOSE] OSVDB ID : 49798 - Disclosed: 2008-10-30

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the community title, (2) API input, and vectors related to the (3) Homepage, (4) Blogs, (5) Profiles, (6) Dogear, (7) Activities, and (8) Global Search components. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 49789 - Disclosed: 2008-10-30

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in IBM Lotus Connections 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via the sortField parameter to unspecified components. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 49788 - Disclosed: 2008-10-30

Description:

(Description Provided by CVE) : IBM Lotus Connections 2.x before 2.0.1 stores the password for the administrative user in the trace.log file, which allows local users to obtain sensitive information by reading this file. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 49787 - Disclosed: 2008-10-30

Description:

(Description Provided by CVE) : IBM Lotus Connections 2.x before 2.0.1 allows attackers to discover passwords via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 49786 - Disclosed: 2008-10-30

Description:

(Description Provided by CVE) : Multiple unspecified vulnerabilities in the Profiles search pages in IBM Lotus Connections 2.x before 2.0.1 have unknown impact and attack vectors related to "Active" content. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.