| OSVDB ID | Disclosure Date | Title |
|---|
|
59870
Description:
Super Serious Stats contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'user.php' script not properly sanitizing user-supplied input to the 'uid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2009-10-31
|
Super Serious Stats user.php uid Parameter SQL Injection
|
|
59965
Description:
(Description Provided by CVE) : Panda Global Protection 2010, Internet Security 2010, and Antivirus Pro 2010 use weak permissions (Everyone: Full Control) for the product files, which allows local users to gain privileges by replacing executables with Trojan horse programs.
|
2009-10-31
|
Panda Multiple Products Default Directory Permissions Weakness Local Privilege Escalation
|
|
60074
Description:
(Description Provided by CVE) : The activation resend function in the Profiles module in XOOPS before 2.4.1 sends activation codes in response to arbitrary activation requests, which allows remote attackers to bypass administrative approval via a request involving activate.php.
|
2009-10-31
|
XOOPS Profiles Module New User Activation Permission Verification Bypass
|
|
73532
Description:
(Description Provided by CVE) : Memory leak in the ldap_explode_dn function in IBM Tivoli Directory Server (TDS) 6.0 before 6.0.0.61 (aka 6.0.0.8-TIV-ITDS-IF0003) allows remote authenticated users to cause a denial of service (memory consumption) via an empty string argument.
|
2009-10-31
|
IBM Tivoli Directory Server ldap_explode_dn Empty String Argument Remote DoS
|
|
59721
Description:
Unknown / Incomplete
|
2009-10-30
|
Intel Desktop Boards DQ Series Bitmap Processing Local Overflow
|
|
59635
Description:
Unknown / Incomplete
|
2009-10-30
|
My Remote File Server on Windows Permission Weakness Local Privilege Escalation
|
|
59465
Description:
Unknown / Incomplete
|
2009-10-30
|
Jumi Component for Joomla! Trojaned Distribution
|
|
59576
Description:
Mura CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'go/default/blog/blog-post-with-flash-video/' script not properly sanitizing user-supplied input to the 'txtName' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2009-10-30
|
Mura CMS go/default/blog/blog-post-with-flash-video/ txtName Parameter SQL Injection
|
|
59577
Description:
Mura CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'txtName' and 'txtUrl' parameters upon submission to the 'go/default/blog/blog-post-with-flash-video/' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2009-10-30
|
Mura CMS go/default/blog/blog-post-with-flash-video/ Multiple Parameter XSS
|
|
59578
Description:
Mura CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'link' parameter upon submission to the 'default/includes/display_objects/sendtofriend/index.cfm' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2009-10-30
|
Mura CMS default/includes/display_objects/sendtofriend/index.cfm link Parameter XSS
|
|
59579
Description:
Mura CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'returnURL' parameter upon submission to the 'go/default/blog/index.cfm' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2009-10-30
|
Mura CMS go/default/blog/index.cfm returnURL Parameter XSS
|
|
59583
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the resume blocktype in Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
2009-10-30
|
Mahara Resume Blocktype XSS
|
|
59584
Description:
(Description Provided by CVE) : Mahara before 1.0.13, and 1.1.x before 1.1.7, allows remote authenticated institution administrators to reset a site administrator password via unspecified vectors.
|
2009-10-30
|
Mahara Site Admin Password Reset Remote Privilege Escalation
|
|
59660
Description:
SoftRemote is prone to an overflow condition. spdedit.exe fails to properly sanitize user-supplied input resulting in a stack overflow. With a specially crafted SPD file, a context-dependent attacker can potentially cause arbitrary code execution.
|
2009-10-30
|
SafeNet SoftRemote spdedit.exe SPD Policy File Handling Overflow
|
|
59724
Description:
(Description Provided by CVE) : Stack-based buffer overflow in SafeNet SoftRemote 10.8.5 (Build 2) and 10.3.5 (Build 6), and possibly other versions before 10.8.9, allows local users to execute arbitrary code via a long string in a (1) TREENAME or (2) GROUPNAME Policy file (spd).
|
2009-10-30
|
SafeNet SoftRemote Multiple Policy File Local Overflow
|
|
63224
Description:
PSAtr contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the news.asp script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2009-10-30
|
PSAtr news.asp id Parameter SQL Injection
|
|
63296
Description:
Unknown / Incomplete
|
2009-10-30
|
Windows Media Player Error Message Remote File Enumeration
|
|
65079
Description:
(Description Provided by CVE) : Integer overflow in the __vstrfmon_l function in stdlib/strfmon_l.c in the strfmon implementation in the GNU C Library (aka glibc or libc6) before 2.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a crafted format string, as demonstrated by the %99999999999999999999n string, a related issue to CVE-2008-1391.
|
2009-10-30
|
GNU C Library stdlib/strfmon_l.c __vstrfmon_l Function Format String Overflow DoS
|
|
59704
Description:
Runtimes for Java Technology contains a flaw related to the XML component XML4J update that may allow an attacker to perform unspecified impact. No further details have been provided.
|
2009-10-29
|
IBM Runtimes for Java Technology XML Component XML4J Update Unspecified Issue
|
|
59586
Description:
Oscailt CMS contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'index.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'obj_id' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.
|
2009-10-29
|
Oscailt CMS index.php obj_id Parameter Traversal Local File Inclusion
|
|
59703
Description:
Solaris contains a flaw that may allow an attacker to bypass security controls. The issue is triggered when trusted extensions prevents the operation of the xscreensaver-demo command for the XScreenSaver application.
|
2009-10-29
|
Solaris Trusted Extensions XScreenSaver xscreensaver-demo Command Restart Daemon Security Control Bypass
|
|
59696
Description:
CubeCart contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when a remote attacker sends an HTTP request with empty "X_CLUSTER_CLIENT_IP" and "User-Agent" headers and the "ccAdmin" cookie set to "+", allowing a remote attacker to gain administrative privileges.
|
2009-10-29
|
CubeCart classes/session/cc_admin_session.php Multiple HTTP Header ccAdmin Cookie Manipulation Admin Authentication Bypass
|
|
60075
Description:
SemanticScuttle contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'sort' parameter upon submission to the 'index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2009-10-29
|
SemanticScuttle index.php sort Parameter XSS
|
|
60243
Description:
(Description Provided by CVE) : The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot) via a %0d%0a sequence in the page parameter to the xslt program on TCP port 50001, a related issue to CVE-2006-4523.
|
2009-10-29
|
2Wire Gateway Multiple Products Management Interface xslt page Parameter Remote DoS
|
|
60425
Description:
(Description Provided by CVE) : The nsGIFDecoder2::GifWrite function in decoders/gif/nsGIFDecoder2.cpp in libpr0n in Mozilla Firefox before 3.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an animated GIF file with a large image size, a different vulnerability than CVE-2009-3373.
|
2009-10-29
|
Mozilla Firefox libpr0n decoders/gif/nsGIFDecoder2.cpp nsGIFDecoder2::GifWrite Function Remote DoS
|
|
60473
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) gl/manage/bank_accounts.php Unspecified Parameter SQL Injection
|
|
60474
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) gl/manage/currencies.php Unspecified Parameter SQL Injection
|
|
60475
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) gl/manage/exchange_rates.php Unspecified Parameter SQL Injection
|
|
60476
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) gl/manage/gl_account_types.php Unspecified Parameter SQL Injection
|
|
60477
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) gl/manage/gl_accounts.php Unspecified Parameter SQL Injection
|
|
60478
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) includes/db/audit_trail_db.inc Unspecified Parameter SQL Injection
|
|
60479
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) includes/db/comments_db.inc Unspecified Parameter SQL Injection
|
|
60480
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) includes/db/inventory_db.inc Unspecified Parameter SQL Injection
|
|
60481
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) includes/db/manufacturing_db.inc Unspecified Parameter SQL Injection
|
|
60482
Description:
(Description Provided by CVE) : Multiple SQL injection vulnerabilities in FrontAccounting (FA) 2.2.x before 2.2 RC allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) bank_accounts.php, (2) currencies.php, (3) exchange_rates.php, (4) gl_account_types.php, and (5) gl_accounts.php in gl/manage/; and (6) audit_trail_db.inc, (7) comments_db.inc, (8) inventory_db.inc, (9) manufacturing_db.inc, and (10) references_db.inc in includes/db/.
|
2009-10-29
|
FrontAccounting (FA) includes/db/references_db.inc Unspecified Parameter SQL Injection
|
|
75714
Description:
(Description Provided by CVE) : ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
|
2009-10-29
|
Linux Kernel AuerswaldPBX/System Telephone USB Driver Privilege Escalation
|
|
59355
Description:
Unknown / Incomplete
|
2009-10-28
|
Rising Multiple Products Default Directory Permission Weakness Local Privilege Escalation
|
|
59357
Description:
(Description Provided by CVE) : Opera before 10.01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted domain name.
|
2009-10-28
|
Opera Crafted Domain Name Handling Memory Corruption Arbitrary Code Execution
|
|
59358
Description:
Unknown / Incomplete
|
2009-10-28
|
Opera Feed Subscription Page Script Execution Feed Manipulation
|
|
59359
Description:
(Description Provided by CVE) : Opera before 10.01 on Windows does not prevent use of Web fonts in rendering the product's own user interface, which allows remote attackers to spoof the address field via a crafted web site.
|
2009-10-28
|
Opera Web Font Handling Address Bar Spoofing
|
