| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 59422 | 2009-10-19 | Amiro.CMS _admin/blog.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59423 | 2009-10-19 | Amiro.CMS _admin/news.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59424 | 2009-10-19 | Amiro.CMS _admin/srv_updates.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59425 | 2009-10-19 | Amiro.CMS _admin/srv_backups.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59426 | 2009-10-19 | Amiro.CMS _admin/srv_twist_prevention.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59427 | 2009-10-19 | Amiro.CMS _admin/srv_tags.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59428 | 2009-10-19 | Amiro.CMS _admin/srv_tags_reindex.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59429 | 2009-10-19 | Amiro.CMS _admin/google_sitemap.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59430 | 2009-10-19 | Amiro.CMS _admin/sitemap_history.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59431 | 2009-10-19 | Amiro.CMS _admin/srv_options.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59432 | 2009-10-19 | Amiro.CMS _admin/locales.php status_message Parameter XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59433 | 2009-10-19 | Amiro.CMS Forum Message Body IMG BBcode Tag XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59434 | 2009-10-19 | Amiro.CMS Guestbook Message Body IMG BBcode Tag XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59435 | 2009-10-19 | Amiro.CMS Comment Message Body IMG BBcode Tag XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 59436 | 2009-10-19 | Amiro.CMS Avatar File Content IMG BBcode Tag XSS | Amiro.CMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'status_message' parameter upon submission to the '/news', '/comment', '/forum', '/blog', '/tags', '/_admin/forum.php', '/_admin/discussion.php', '/_admin/guestbook.php', '/_admin/blog.php', '/_admin/news.php', '/_admin/google_sitemap.php', '/_admin/sitemap_history.php', '/_admin/locales.php' and '/_admin/plugins_wizard.php' scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 60311 | 2009-10-19 | Linux Kernel drivers/scsi/gdth.c gdth_read_event() Function IOCTL Handling Local DoS | (Description Provided by CVE): Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. |
| 59051 | 2009-10-19 | Open Flash Chart ofc_upload_image.php Multiple Parameter File Upload Arbitrary Code Execution | Input passed via the "name" and "HTTP_RAW_POST_DATA" parameters to "ofc_upload_image.php" is not sanitized. This can be exploited to create arbitrary PHP files with the .php extension that can be remotely executed. |
| 59066 | 2009-10-19 | IBM Rational AppScan on Windows Help Pages Query String XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in the help pages in IBM Rational AppScan Enterprise Edition 5.5.0.2 allows remote attackers to inject arbitrary web script or HTML via the query string. |
| 59056 | 2009-10-19 | AjaxChat Component for Joomla! components/com_ajaxchat/tests/ajcuser.php mosConfig_absolute_path Parameter Remote File Inclusion | AjaxChat Component for Joomla! contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'components/com_ajaxchat/tests/ajcuser.php' script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 59137 | 2009-10-19 | Sahana Disaster Management System index.php mod Parameter Traversal Local File Inclusion | Sahana disaster management system contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'index.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'mod' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server. |
| 59210 | 2009-10-19 | Linux Kernel net/unix/af_unix.c AF_UNIX Socket Reconnect Local DoS | (Description Provided by CVE): net/unix/af_unix.c in the Linux kernel 2.6.31.4 and earlier allows local users to cause a denial of service (system hang) by creating an abstract-namespace AF_UNIX listening socket, performing a shutdown operation on this socket, and then performing a series of connect operations to this socket. |
| 59377 | 2009-10-19 | BookLibrary Component for Joomla! doc/releasenote.php mosConfig_absolute_path Parameter Remote File Inclusion | BookLibrary Component for Joomla! contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'doc/releasenote.php' script not properly sanitizing user input supplied to the 'mosConfig_absolute_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 62306 | 2009-10-19 | Google Chrome WebKit Mouse-click Event Handling Pop-up Blocker Restriction Bypass Weakness | Google Chrome contains a flaw in the pop-up blocking feature within WebKit when handling click events. With a specially crafted web page, a context-dependent attacker can bypass the pop-up blocking feature. |
| 63223 | 2009-10-19 | phpCMS download.php f Parameter Arbitrary File Access | Unknown / Incomplete |
| 62858 | 2009-10-18 | McKesson Horizon Clinical Infrastructure (HCI) Multiple Hardcoded Oracle Database Passwords | Unknown / Incomplete |
| 66230 | 2009-10-18 | 3Com OfficeConnect Router Multiple Default Accounts | By default, 3Com OfficeConnect Routers install with multiple default passwords. The following account:password combinations are publicly known and documented: support:support, user:5, nobody:admin, (no username)/PASSWORD. This allows attackers to trivially access the program or system. |
| 91396 | 2009-10-18 | FrontAccounting (FA) /admin/print_profiles.php Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /admin/print_profiles.php script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91395 | 2009-10-18 | FrontAccounting (FA) /admin/printers.php Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /admin/printers.php script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91394 | 2009-10-18 | FrontAccounting (FA) /admin/shipping_companies.php Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /admin/shipping_companies.php script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91393 | 2009-10-18 | FrontAccounting (FA) /admin/view_print_transaction.php Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /admin/view_print_transaction.php script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91392 | 2009-10-18 | FrontAccounting (FA) /admin/db/company_db.inc Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /admin/db/company_db.inc script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91391 | 2009-10-18 | FrontAccounting (FA) /admin/db/printers_db.inc Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /admin/db/printers_db.inc script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91390 | 2009-10-18 | FrontAccounting (FA) /admin/db/voiding_db.inc Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /admin/db/voiding_db.inc script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91389 | 2009-10-18 | FrontAccounting (FA) /admin/db/users_db.inc Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /admin/db/users_db.inc script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91388 | 2009-10-18 | FrontAccounting (FA) /dimensions/includes/dimensions_db.inc Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /dimensions/includes/dimensions_db.inc script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91387 | 2009-10-18 | FrontAccounting (FA) /dimensions/inquiry/search_dimensions.php Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /dimensions/inquiry/search_dimensions.php script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91386 | 2009-10-18 | FrontAccounting (FA) /gl/bank_account_reconcile.php Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /gl/bank_account_reconcile.php script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91385 | 2009-10-18 | FrontAccounting (FA) /gl/gl_budget.php Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /gl/gl_budget.php script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91384 | 2009-10-18 | FrontAccounting (FA) /gl/includes/db/gl_db_account_types.inc Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /gl/includes/db/gl_db_account_types.inc script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 91383 | 2009-10-18 | FrontAccounting (FA) /gl/includes/db/gl_db_accounts.inc Unspecified SQL Injection | FrontAccounting (FA) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /gl/includes/db/gl_db_accounts.inc script not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |