[CLOSE] OSVDB ID : 52756 - Disclosed: 2009-02-25

Description:

(Description Provided by CVE) : Unspecified vulnerability in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote attackers to bypass authentication and obtain administrative access via a crafted URL.

[CLOSE] OSVDB ID : 52898 - Disclosed: 2009-02-25

Description:

(Description Provided by CVE) : Apple Safari 4 Beta build 528.16 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a feeds: URI beginning with a (1) % (percent), (2) { (open curly bracket), (3) } (close curly bracket), (4) ^ (caret), (5) ` (backquote), or (6) | (pipe) character, followed by an & (ampersand) character.

[CLOSE] OSVDB ID : 79148 - Disclosed: 2009-02-25

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 89365 - Disclosed: 2009-02-25

Description:

Foswiki contains a flaw that may allow a remote denial of service. The issue is triggered when handling malformed META tags. With a specially crafted tag, a remote attacker can cause a loss of availability for the program.

[CLOSE] OSVDB ID : 53319 - Disclosed: 2009-02-24

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 53877 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : The Python AI module in Wesnoth 1.4.x and 1.5 before 1.5.11 allows remote attackers to escape the sandbox and execute arbitrary code by using a whitelisted module that imports an unsafe module, then using a hierarchical module name to access the unsafe module through the whitelisted module.

[CLOSE] OSVDB ID : 52749 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Unspecified vulnerability in the Settings Manager in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87, and possibly other versions, allows remote attackers to trick a user into visiting an arbitrary URL via unknown vectors, related to "a potential Clickjacking issue variant."

[CLOSE] OSVDB ID : 52748 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Unspecified vulnerability in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 allows remote attackers to cause a denial of service (browser crash) or possibly execute arbitrary code via a crafted Shockwave Flash (aka .swf) file.

[CLOSE] OSVDB ID : 52747 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 does not properly remove references to destroyed objects during Shockwave Flash file processing, which allows remote attackers to execute arbitrary code via a crafted file, related to a "buffer overflow issue."

[CLOSE] OSVDB ID : 52746 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Untrusted search path vulnerability in Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 on Linux allows local users to obtain sensitive information or gain privileges via a crafted library in a directory contained in the RPATH.

[CLOSE] OSVDB ID : 52745 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Adobe Flash Player 9.x before 9.0.159.0 and 10.x before 10.0.22.87 on Windows allows remote attackers to trick a user into visiting an arbitrary URL via an unspecified manipulation of the "mouse pointer display," related to a "Clickjacking attack."

[CLOSE] OSVDB ID : 52744 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 and 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled when displaying the Help Errors log.

[CLOSE] OSVDB ID : 55800 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : The Web Editor in Dassault Systemes ENOVIA SmarTeam V5 before Release 18 Service Pack 8, and possibly CATIA and other products, allows remote authenticated users to read the profile card of an object in the document class via a link that is sent from the owner of the document object.

[CLOSE] OSVDB ID : 52743 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 6 and 7, and RoboHelp Server 6 and 7, allows remote attackers to inject arbitrary web script or HTML via vectors involving files produced by RoboHelp.

[CLOSE] OSVDB ID : 55788 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Use-after-free vulnerability in the GIFReadNextExtension function in lib/pngxtern/gif/gifread.c in OptiPNG 0.6.2 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a crafted GIF image that causes the realloc function to return a new pointer, which triggers memory corruption when the old pointer is accessed.

[CLOSE] OSVDB ID : 54081 - Disclosed: 2009-02-24

Description:

Magento contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the login[username] variable upon submission to the admin login page, which calls the app/code/core/Mage/Admin/Model/Session.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 54082 - Disclosed: 2009-02-24

Description:

Magento contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the email parameter upon submission to the app/code/core/Mage/Adminhtml/controllers/IndexController.php script from a request to the admin/index/forgotpassword/ page. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 54083 - Disclosed: 2009-02-24

Description:

Magento contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input sent as part of the URL upon submission to the downloader/index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 54084 - Disclosed: 2009-02-24

Description:

Magento contains a flaw that allows a remote Cross-Site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps and/or confirmation for sensitive transactions for unspecified function(s). By using a crafted URL (e.g. a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 56371 - Disclosed: 2009-02-24

Description:

Phlatine's Personal Information Manager (pPIM) contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when a malicious attacker makes a direct request for the 'Readme.txt' file, which will disclose version information to a remote attacker.

[CLOSE] OSVDB ID : 56372 - Disclosed: 2009-02-24

Description:

Phlatine's Personal Information Manager (pPIM) contains a flaw that may lead to an unauthorized password exposure. It is possible for a remote attacker to gain access to encrypted passwords when making a direct request for the 'password.dat' file.

[CLOSE] OSVDB ID : 56373 - Disclosed: 2009-02-24

Description:

Phlatline's Personal Information Manager (pPIM) contains a flaw that may allow an attacker to by authentication. The issue is triggered when a malicious attacker appends "login=1" to the desired script's URL.

[CLOSE] OSVDB ID : 56374 - Disclosed: 2009-02-24

Description:

Phlatline's Personal Information Manager (pPIM) contains a flaw that may allow an attacker to send email. The issue is triggered due to improper authentication measures on the 'sendmail.php' script.

[CLOSE] OSVDB ID : 56375 - Disclosed: 2009-02-24

Description:

Phlatline's Personal Information Manager (pPIM) contains a flaw that may allow an attacker to create and delete notes. The issue is triggered due to improper authentication measures on notes.php.

[CLOSE] OSVDB ID : 56376 - Disclosed: 2009-02-24

Description:

Phlatine's Personal Information Manager (pPIM) contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate unspecified parameter(s) upon submission to unspecified script(s). This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 56377 - Disclosed: 2009-02-24

Description:

Phlatine's Personal Information Manager (pPIM) contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when a malicious attacker makes a direct request for a .email file, which will disclose user credentials to a remote attacker.

[CLOSE] OSVDB ID : 56378 - Disclosed: 2009-02-24

Description:

Phlatline's Personal Information Manager (pPIM) contains a flaw that may allow an attacker to execute arbitrary code. The issue is triggered as the 'makegroup.php' script is not properly sanitised before being written to a link file

[CLOSE] OSVDB ID : 52496 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Unspecified vulnerability in OpenGoo before 1.2.1 allows remote authenticated users to modify their own permissions via unknown attack vectors.

[CLOSE] OSVDB ID : 52295 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Multiple CRLF injection vulnerabilities in webadmin in ZNC before 0.066 allow remote authenticated users to modify the znc.conf configuration file and gain privileges via CRLF sequences in the quit message and other vectors.

[CLOSE] OSVDB ID : 52830 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : Unspecified vulnerability in HP Virtual Rooms Client before 7.0.1, when running on Windows, allows remote attackers to execute arbitrary code via unknown vectors.

[CLOSE] OSVDB ID : 52357 - Disclosed: 2009-02-24

Description:

xGuestbook contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'login.php' script not properly sanitizing user-supplied input to the 'user' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 52364 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : The ext4_isize function in fs/ext4/ext4.h in the Linux kernel 2.6.27 before 2.6.27.19 and 2.6.28 before 2.6.28.7 uses the i_size_high structure member during operations on arbitrary types of files, which allows local users to cause a denial of service (CPU consumption and error-message flood) by attempting to mount a crafted ext4 filesystem.

[CLOSE] OSVDB ID : 56370 - Disclosed: 2009-02-24

Description:

(Description Provided by CVE) : The CICS listener in IBM TXSeries for Multiplatforms 6.2 GA waits for a forcepurge acknowledgement from the CICS Application Server (CICSAS) after an eci response timeout, which might allow remote authenticated users to cause a denial of service (forcepurge handling delay), or have unspecified other impact, via vectors involving slow or nonexistent acknowledgement.

[CLOSE] OSVDB ID : 52695 - Disclosed: 2009-02-23

Description:

(Description Provided by CVE) : Microsoft Office Excel 2000 SP3, 2002 SP3, 2003 SP3, and 2007 SP1; Excel Viewer 2003 Gold and SP3; Excel Viewer; Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac allow remote attackers to execute arbitrary code via a crafted Excel document that triggers an access attempt on an invalid object, as exploited in the wild in February 2009 by Trojan.Mdropper.AC.

[CLOSE] OSVDB ID : 52414 - Disclosed: 2009-02-23

Description:

EQDKP Plus contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'search' parameters upon submission to the 'itemsearch.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 56380 - Disclosed: 2009-02-23

Description:

(Description Provided by CVE) : HP Mercury Quality Center (QC) 9.2 and earlier, and possibly TestDirector, relies on cached client-side scripts to implement "workflow" and decisions about the "capability" of a user, which allows remote attackers to execute arbitrary code via crafted use of the Open Test Architecture (OTA) API, as demonstrated by modifying (1) common.tds, (2) defects.tds, (3) manrun.tds, (4) req.tds, (5) testlab.tds, or (6) testplan.tds in %tmp%\TD_80, and then setting the file's properties to read-only.

[CLOSE] OSVDB ID : 52412 - Disclosed: 2009-02-23

Description:

(Description Provided by CVE) : Ziproxy 2.6.0, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header.

[CLOSE] OSVDB ID : 52340 - Disclosed: 2009-02-23

Description:

Centreon contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'main.php' script not properly sanitizing user-supplied input to the 'p' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 52192 - Disclosed: 2009-02-23

Description:

My_eGallery Module for MDPro contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script (when "module" is set to "My_eGallery" and "do" is set to "showpic") not properly sanitizing user-supplied input to the pid parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 52229 - Disclosed: 2009-02-23

Description:

Professioneller Anzeigenmarkt contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the siteadmin/login.php script not properly sanitizing user-supplied input to the username1 and password1 parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database.