[CLOSE] OSVDB ID : 56353 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Cross-site request forgery (CSRF) vulnerability in index.php in WoltLab Burning Board (wBB) 3.0.1, and possibly other 3.x versions, allows remote attackers to hijack the authentication of users for requests that delete private messages via the pmID parameter in a delete action in a PM page, a different vulnerability than CVE-2008-0472.

[CLOSE] OSVDB ID : 40692 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in dms/policy/rep_request.php in F5 BIG-IP Application Security Manager (ASM) 9.4.3 allows remote attackers to inject arbitrary web script or HTML via the report_type parameter.

[CLOSE] OSVDB ID : 40818 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in forum.php in Gerd Tentler Simple Forum 3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) open and (2) date_show parameters.

[CLOSE] OSVDB ID : 40768 - Disclosed: 2008-01-26

Description:

ASPired2Protect contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the login.asp script not properly sanitizing user-supplied input to the 'username' or 'password' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 40819 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Directory traversal vulnerability in thumbnail.php in Gerd Tentler Simple Forum 3.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

[CLOSE] OSVDB ID : 41180 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in Bubbling Library 1.32 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) uri parameter to (a) yui-menu.tpl.php, (b) simple.tpl.php, and (c) advanced.tpl.php in dispatcher/framework/; and the (2) page parameter to (d) yui-menu.php, (e) simple.php, and (f) advanced.php in dispatcher/framework/, different vectors than CVE-2008-0521.

[CLOSE] OSVDB ID : 41181 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in Bubbling Library 1.32 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) uri parameter to (a) yui-menu.tpl.php, (b) simple.tpl.php, and (c) advanced.tpl.php in dispatcher/framework/; and the (2) page parameter to (d) yui-menu.php, (e) simple.php, and (f) advanced.php in dispatcher/framework/, different vectors than CVE-2008-0521.

[CLOSE] OSVDB ID : 41182 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in Bubbling Library 1.32 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) uri parameter to (a) yui-menu.tpl.php, (b) simple.tpl.php, and (c) advanced.tpl.php in dispatcher/framework/; and the (2) page parameter to (d) yui-menu.php, (e) simple.php, and (f) advanced.php in dispatcher/framework/, different vectors than CVE-2008-0521.

[CLOSE] OSVDB ID : 41183 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in Bubbling Library 1.32 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) uri parameter to (a) yui-menu.tpl.php, (b) simple.tpl.php, and (c) advanced.tpl.php in dispatcher/framework/; and the (2) page parameter to (d) yui-menu.php, (e) simple.php, and (f) advanced.php in dispatcher/framework/, different vectors than CVE-2008-0521.

[CLOSE] OSVDB ID : 41184 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in Bubbling Library 1.32 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) uri parameter to (a) yui-menu.tpl.php, (b) simple.tpl.php, and (c) advanced.tpl.php in dispatcher/framework/; and the (2) page parameter to (d) yui-menu.php, (e) simple.php, and (f) advanced.php in dispatcher/framework/, different vectors than CVE-2008-0521.

[CLOSE] OSVDB ID : 41185 - Disclosed: 2008-01-26

Description:

(Description Provided by CVE) : Multiple directory traversal vulnerabilities in Bubbling Library 1.32 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) uri parameter to (a) yui-menu.tpl.php, (b) simple.tpl.php, and (c) advanced.tpl.php in dispatcher/framework/; and the (2) page parameter to (d) yui-menu.php, (e) simple.php, and (f) advanced.php in dispatcher/framework/, different vectors than CVE-2008-0521.

[CLOSE] OSVDB ID : 50969 - Disclosed: 2008-01-26

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 42840 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : Stack-based buffer overflow in the ClientConnection::NegotiateProtocolVersion function in vncviewer/ClientConnection.cpp in vncviewer for UltraVNC 1.0.2 and 1.0.4 before 01252008, when in LISTENING mode or when using the DSM plugin, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a modified size value.

[CLOSE] OSVDB ID : 41153 - Disclosed: 2008-01-25

Description:

Patchlink contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system. The issue is due to the script creating temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly write to, or overwrite an attacker specified file.

[CLOSE] OSVDB ID : 42838 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email.

[CLOSE] OSVDB ID : 42839 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email.

[CLOSE] OSVDB ID : 42536 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : SQL injection vulnerability in Mambo LaiThai 4.5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

[CLOSE] OSVDB ID : 43227 - Disclosed: 2008-01-25

Description:

General Electric (GE) Proficy Real-Time Information Portal contains a flaw that may lead to an unauthorized password exposure. It is possible for a remote attacker to gain access to base64 encoded passwords when the Web servers are configured to use the Base64 encoded authentication scheme resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 40573 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : Unspecified vulnerability in metashell before 0.03 has unknown impact and attack vectors related to a "PATH execution security flaw," possibly an untrusted search path vulnerability.

[CLOSE] OSVDB ID : 40581 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in OpenWebMail before 2.53 (Stable) allow remote attackers to inject arbitrary web script or HTML via unknown vectors.

[CLOSE] OSVDB ID : 40697 - Disclosed: 2008-01-25

Description:

CandyPress Store contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ajax/ajax_getTiers.asp script not properly sanitizing user-supplied input to the 'idcust' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 40698 - Disclosed: 2008-01-25

Description:

CandyPress Store contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ajax/ajax_getCust.asp script not properly sanitizing user-supplied input to the 'idcust' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 40699 - Disclosed: 2008-01-25

Description:

CandyPress Store contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ajax/ajax_getBrands.asp script not properly sanitizing user-supplied input to the 'recid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 40700 - Disclosed: 2008-01-25

Description:

CandyPress Store contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ajax/ajax_tableFields.asp script not properly sanitizing user-supplied input to the 'tableName' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 40701 - Disclosed: 2008-01-25

Description:

CandyPress Store contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin/utilities_ConfigHelp.asp script not properly sanitizing user-supplied input to the 'helpfield' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 40702 - Disclosed: 2008-01-25

Description:

CandyPress Store contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin/SA_shipFedExMeter.asp script not properly sanitizing user-supplied input to the 'FedExAccount' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 40703 - Disclosed: 2008-01-25

Description:

CandyPress Store contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ajax/ajax_optInventory.asp script not properly sanitizing user-supplied input to the 'idProduct' and 'options' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 40704 - Disclosed: 2008-01-25

Description:

CandyPress Store contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'helpfield' variables upon submission to the admin/utilities_ConfigHelp.asp script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 40762 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : Stack-based buffer overflow in the Persits.XUpload.2 ActiveX control in XUpload.ocx 3.0.0.4 and earlier in Persits XUpload 3.0 allows remote attackers to execute arbitrary code via a long argument to the AddFile method. NOTE: some of these details are obtained from third party information.

[CLOSE] OSVDB ID : 41152 - Disclosed: 2008-01-25

Description:

Patchlink contains a flaw that may allow a malicious local user to overwrite arbitrary files on the system. The issue is due to the script creating temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly write to, or overwrite an attacker specified file.

[CLOSE] OSVDB ID : 40923 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : SQL injection vulnerability in category.php in Flinx 1.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

[CLOSE] OSVDB ID : 41168 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : The NamoInstaller.NamoInstall.1 ActiveX control in NamoInstaller.dll 3.0.0.1 and earlier in Namo Web Editor in Sejoong Namo ActiveSquare 6 allows remote attackers to execute arbitrary code via a URL in the argument to the Install method. NOTE: some of these details are obtained from third party information.

[CLOSE] OSVDB ID : 41559 - Disclosed: 2008-01-25

Description:

CandyPress contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when a malicious user supplies an invalid 'FedExAccount' variable to the admin/SA_shipFedExMeter.asp, which will disclose installation path information resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 74525 - Disclosed: 2008-01-25

Description:

(Description Provided by CVE) : Bugzilla 2.20.x before 2.20.5, 2.22.x before 2.22.3, and 3.0.x before 3.0.3 on Windows does not delete the temporary files associated with uploaded attachments, which allows local users to obtain sensitive information by reading these files, a different vulnerability than CVE-2011-2977.

[CLOSE] OSVDB ID : 53477 - Disclosed: 2008-01-24

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 42039 - Disclosed: 2008-01-24

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 8.1 build 8100 allow remote attackers to inject arbitrary web script or HTML via the (1) showlink parameter to jsp/DiscoveryProfiles.jsp; the (2) attributeIDs, (3) attributeToSelect, (4) redirectto, and (5) resourceid parameters to (a) jsp/ThresholdActionConfiguration.jsp; the (6) page and (7) redirect parameters to (b) jsp/UpdateGlobalSettings.jsp; and the (8) haid and (9) returnpath parameters to (c) showTile.do. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 42845 - Disclosed: 2008-01-24

Description:

(Description Provided by CVE) : ActivationHandler in Magnolia CE 3.5.x before 3.5.4 does not check permissions during importing, which allows remote attackers to have an unknown impact via activation of a new item, possibly involving addition of arbitrary new content.

[CLOSE] OSVDB ID : 41333 - Disclosed: 2008-01-24

Description:

(Description Provided by CVE) : Unrestricted file upload vulnerability in GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension to the main virtual directory.

[CLOSE] OSVDB ID : 53183 - Disclosed: 2008-01-24

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 42041 - Disclosed: 2008-01-24

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 8.1 build 8100 allow remote attackers to inject arbitrary web script or HTML via the (1) showlink parameter to jsp/DiscoveryProfiles.jsp; the (2) attributeIDs, (3) attributeToSelect, (4) redirectto, and (5) resourceid parameters to (a) jsp/ThresholdActionConfiguration.jsp; the (6) page and (7) redirect parameters to (b) jsp/UpdateGlobalSettings.jsp; and the (8) haid and (9) returnpath parameters to (c) showTile.do. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.