[CLOSE] OSVDB ID : 43982 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Directory traversal vulnerability in the PXE TFTP Service (PXEMTFTP.exe) in LANDesk Management Suite (LDMS) 8.7 SP5 and earlier and 8.8 allows remote attackers to read arbitrary files via unspecified vectors.

[CLOSE] OSVDB ID : 43915 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Stack-based buffer overflow in XnView 1.92 and 1.92.1 allows user-assisted remote attackers to execute arbitrary code via a long FontName parameter in a slideshow (.sld) file, a different vector than CVE-2008-1461.

[CLOSE] OSVDB ID : 43894 - Disclosed: 2008-03-31

Description:

JV2 Folder Gallery contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "image" variable upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 43909 - Disclosed: 2008-03-31

Description:

JV2 Quick Gallery contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the "f" variable upon submission. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 44024 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5) editmailinglist_step1.php, and (6) showtemplates.php in pages/.

[CLOSE] OSVDB ID : 43920 - Disclosed: 2008-03-31

Description:

WP-Download Plugin for WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'wp-download.php' script not properly sanitizing user-supplied input to the 'dl_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 43956 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : The Macrovision InstallShield InstallScript One-Click Install (OCI) ActiveX control 12.0 before SP2 does not validate the DLL files that are named as parameters to the control, which allows remote attackers to download arbitrary library code onto a client machine.

[CLOSE] OSVDB ID : 43965 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Directory traversal vulnerability in admin/login.php in EasyNews 4.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.

[CLOSE] OSVDB ID : 43966 - Disclosed: 2008-03-31

Description:

EasyNews contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'dynamicpages/index.php' script not properly sanitizing user-supplied input to the 'read' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 43967 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in staticpages/easypublish/index.php in EasyNews 4.0 allows remote attackers to inject arbitrary web script or HTML via the read parameter in an edp_pupublish action.

[CLOSE] OSVDB ID : 44023 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5) editmailinglist_step1.php, and (6) showtemplates.php in pages/.

[CLOSE] OSVDB ID : 44019 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5) editmailinglist_step1.php, and (6) showtemplates.php in pages/.

[CLOSE] OSVDB ID : 44020 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5) editmailinglist_step1.php, and (6) showtemplates.php in pages/.

[CLOSE] OSVDB ID : 44021 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5) editmailinglist_step1.php, and (6) showtemplates.php in pages/.

[CLOSE] OSVDB ID : 44022 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in CuteFlow 1.5.0 and 2.10.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) page/showcirculation.php; and (2) edittemplate_step2.php, (3) showfields.php, (4) showuser.php, (5) editmailinglist_step1.php, and (6) showtemplates.php in pages/.

[CLOSE] OSVDB ID : 44025 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : SQL injection vulnerability in login.php in CuteFlow 1.5.0 and 2.10.0 allows remote attackers to execute arbitrary SQL commands via the UserId parameter, related to the login form field in index.php.

[CLOSE] OSVDB ID : 44026 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in CuteFlow 2.10.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) listid parameter to pages/editmailinglist_step1.php, the (2) userid parameter to pages/edituser.php, the (3) fieldid parameter to pages/editfield.php, and the (4) templateid to pages/edittemplate_step1.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 44027 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in CuteFlow 2.10.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) listid parameter to pages/editmailinglist_step1.php, the (2) userid parameter to pages/edituser.php, the (3) fieldid parameter to pages/editfield.php, and the (4) templateid to pages/edittemplate_step1.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 44028 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in CuteFlow 2.10.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) listid parameter to pages/editmailinglist_step1.php, the (2) userid parameter to pages/edituser.php, the (3) fieldid parameter to pages/editfield.php, and the (4) templateid to pages/edittemplate_step1.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 44029 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in CuteFlow 2.10.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) listid parameter to pages/editmailinglist_step1.php, the (2) userid parameter to pages/edituser.php, the (3) fieldid parameter to pages/editfield.php, and the (4) templateid to pages/edittemplate_step1.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 44187 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : The SOAP interface in OTRS 2.1.x before 2.1.8 and 2.2.x before 2.2.6 allows remote attackers to "read and modify objects" via SOAP requests, related to "Missing security checks."

[CLOSE] OSVDB ID : 44207 - Disclosed: 2008-03-31

Description:

Neat weblog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'articleId' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 44209 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Directory traversal vulnerability in body.php in phpSpamManager (phpSM) 0.53 beta allows remote attackers to read arbitrary local files via a .. (dot dot) in the filename parameter.

[CLOSE] OSVDB ID : 44241 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : SQL injection vulnerability in jgs_treffen.php in the JGS-XA JGS-Treffen 2.0.2 and earlier addon for Woltlab Burning Board (wBB) allows remote attackers to execute arbitrary SQL commands via the view_id parameter in an ansicht action.

[CLOSE] OSVDB ID : 52805 - Disclosed: 2008-03-31

Description:

PHPGKit contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'connexion.php' not properly sanitizing user input supplied to the 'DOCUMENT_ROOT' parameter. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 57623 - Disclosed: 2008-03-31

Description:

@lex Poll contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'language_setup' parameters upon submission to the 'setup.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 57624 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in @lex Guestbook 4.0.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) language_setup parameter to setup.php or (2) test parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: a third party has been reported that the test parameter is not used in @lex Guestbook.

[CLOSE] OSVDB ID : 57625 - Disclosed: 2008-03-31

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in @lex Guestbook 4.0.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) language_setup parameter to setup.php or (2) test parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: a third party has been reported that the test parameter is not used in @lex Guestbook.

[CLOSE] OSVDB ID : 43922 - Disclosed: 2008-03-30

Description:

(Description Provided by CVE) : aavmker4.sys in avast! Home and Professional 4.7 for Windows does not properly validate input to IOCTL 0xb2d60030, which allows local users to gain privileges via certain IOCTL requests.

[CLOSE] OSVDB ID : 43993 - Disclosed: 2008-03-30

Description:

(Description Provided by CVE) : suPHP before 0.6.3 allows local users to gain privileges via (1) a race condition that involves multiple symlink changes to point a file owned by a different user, or (2) a symlink to the directory of a different user, which is used to determine privileges.

[CLOSE] OSVDB ID : 43994 - Disclosed: 2008-03-30

Description:

(Description Provided by CVE) : suPHP before 0.6.3 allows local users to gain privileges via (1) a race condition that involves multiple symlink changes to point a file owned by a different user, or (2) a symlink to the directory of a different user, which is used to determine privileges.

[CLOSE] OSVDB ID : 43912 - Disclosed: 2008-03-30

Description:

(Description Provided by CVE) : Stack-based buffer overflow in the audit_log_user_command function in lib/audit_logging.c in Linux Audit before 1.7 might allow remote attackers to execute arbitrary code via a long command argument. NOTE: some of these details are obtained from third party information.

[CLOSE] OSVDB ID : 43905 - Disclosed: 2008-03-30

Description:

(Description Provided by CVE) : PowerDNS Recursor before 3.1.5 uses insufficient randomness to calculate (1) TRXID values and (2) UDP source port numbers, which makes it easier for remote attackers to poison a DNS cache, related to (a) algorithmic deficiencies in rand and random functions in external libraries, (b) use of a 32-bit seed value, and (c) choice of the time of day as the sole seeding information.

[CLOSE] OSVDB ID : 44142 - Disclosed: 2008-03-30

Description:

(Description Provided by CVE) : ** DISPUTED ** gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999).

[CLOSE] OSVDB ID : 48861 - Disclosed: 2008-03-30

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 43910 - Disclosed: 2008-03-30

Description:

Smoothflash contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin_view_image.php' script not properly sanitizing user-supplied input to the 'cid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 44201 - Disclosed: 2008-03-30

Description:

(Description Provided by CVE) : Directory traversal vulnerability in v2demo/page.php in Jshop Server 1.x through 2.x allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the xPage parameter.

[CLOSE] OSVDB ID : 44240 - Disclosed: 2008-03-30

Description:

(Description Provided by CVE) : Directory traversal vulnerability in view_private.php in Keep It Simple Guest Book (KISGB) 5.0.0 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the tmp_theme parameter. NOTE: 5.1.1 is also reportedly affected.

[CLOSE] OSVDB ID : 44396 - Disclosed: 2008-03-30

Description:

mxbBB mx_blogs contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'includes/functions_weblog.php' script not properly sanitizing user input supplied to the ' mx_root_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 51111 - Disclosed: 2008-03-30

Description:

Unknown / Incomplete