[CLOSE] OSVDB ID : 62613 - Disclosed: 2010-02-28

Description:

The Foursquare mobile application contains a flaw that may lead to an unauthorized information disclosure. The issue is due to the device using HTTP Basic authentication for users to authenticate to the device. When this authentication method is used without the protection of SSL/TLS, the credentials are sent over the network in cleartext. An attacker with access to traffic between the device and user could intercept this information.

[CLOSE] OSVDB ID : 68279 - Disclosed: 2010-02-28

Description:

webSPELL contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'asearch.php' script not properly sanitizing user-supplied input to the 'search' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 62629 - Disclosed: 2010-02-28

Description:

Uiga FanClub contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 62628 - Disclosed: 2010-02-28

Description:

Uiga Personal Portal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 62630 - Disclosed: 2010-02-28

Description:

Uiga FanClub contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the "admin_name" and "admin_password" parameters upon submission to the 'admin/admin_login.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 62667 - Disclosed: 2010-02-28

Description:

Oracle Siebel CRM contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URI upon submission to the 'htim_enu/start.swe' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 62710 - Disclosed: 2010-02-28

Description:

Comptel Provisioning and Activation contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'error_msg_parameter' parameter upon submission to the 'index.jsp' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 62751 - Disclosed: 2010-02-28

Description:

(Description Provided by CVE) : cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 in Apple Safari 4.0.3 and 4.0.4 on Windows, allows remote attackers to cause a denial of service (application crash) via a long string in the BACKGROUND attribute of a BODY element.

[CLOSE] OSVDB ID : 63632 - Disclosed: 2010-02-28

Description:

(Description Provided by CVE) : The ULE decapsulation functionality in drivers/media/dvb/dvb-core/dvb_net.c in dvb-core in Linux kernel 2.6.33 and earlier allows attackers to cause a denial of service (infinite loop) via a crafted MPEG2-TS frame, related to an invalid Payload Pointer ULE.

[CLOSE] OSVDB ID : 65129 - Disclosed: 2010-02-28

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in login.php in HazelPress Lite 0.0.4 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) password fields.

[CLOSE] OSVDB ID : 65132 - Disclosed: 2010-02-28

Description:

Open Education System (OES) contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'forum/admin.php' script not properly sanitizing user input supplied to the 'CONF_INCLUDE_PATH' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 65133 - Disclosed: 2010-02-28

Description:

Open Education System (OES) contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'plotgraph/index.php' script not properly sanitizing user input supplied to the 'CONF_INCLUDE_PATH' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 65134 - Disclosed: 2010-02-28

Description:

Open Education System (OES) contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'admin_user/mod_admuser.php' script not properly sanitizing user input supplied to the 'CONF_INCLUDE_PATH' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 65135 - Disclosed: 2010-02-28

Description:

Open Education System (OES) contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'ogroup/mod_group.php' script not properly sanitizing user input supplied to the 'CONF_INCLUDE_PATH' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 68280 - Disclosed: 2010-02-28

Description:

webSPELL contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'clanwars_details.php' script not properly sanitizing user-supplied input to the 'cwID' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 68281 - Disclosed: 2010-02-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 68282 - Disclosed: 2010-02-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 62622 - Disclosed: 2010-02-27

Description:

(Description Provided by CVE) : include/userlogin.class.php in DeDeCMS 5.5 GBK, when session.auto_start is enabled, allows remote attackers to bypass authentication and gain administrative access via a value of 1 for the _SESSION[dede_admin_id] parameter, as demonstrated by a request to uploads/include/dialog/select_soft_post.php.

[CLOSE] OSVDB ID : 62670 - Disclosed: 2010-02-27

Description:

libpng contains a flaw in the decompression of PNG files that may allow a remote denial of service. The issue is triggered when the 'png_decompress_chunk()' function in pngrutil.c fails to properly decompress certain highly compressed ancillary-chunk data. With a specially crafted PNG file, a context-dependent attacker can cause the system to exhaust the CPU and memory.

[CLOSE] OSVDB ID : 62664 - Disclosed: 2010-02-27

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 62626 - Disclosed: 2010-02-27

Description:

ScriptsFeed Business Directory Software contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'login.php' script not properly sanitizing user-supplied input to the 'us' and 'ps' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 63199 - Disclosed: 2010-02-27

Description:

phpMySite contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'name', 'city', 'email', 'state' and 'message' parameters upon submission to the 'contact.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 63200 - Disclosed: 2010-02-27

Description:

phpMySite contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'action' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 63734 - Disclosed: 2010-02-27

Description:

Uiga FanClub contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the admin/admin_login.php script not properly sanitizing user-supplied input to the 'admin_name' and 'admin_password' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 64105 - Disclosed: 2010-02-27

Description:

phpCDB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'firstvisit.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'lang_global' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 64106 - Disclosed: 2010-02-27

Description:

phpCDB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'newfolder.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'lang_global' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 64107 - Disclosed: 2010-02-27

Description:

phpCDB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'showfolders.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'lang_global' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 64108 - Disclosed: 2010-02-27

Description:

phpCDB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'newlang.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'lang_global' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 64109 - Disclosed: 2010-02-27

Description:

phpCDB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'showinnerfolder.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'lang_global' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 64110 - Disclosed: 2010-02-27

Description:

phpCDB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'writecode.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'lang_global' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 64111 - Disclosed: 2010-02-27

Description:

phpCDB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'showcode.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'lang_global' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 64112 - Disclosed: 2010-02-27

Description:

phpRAINCHECK contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'print_raincheck.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 64783 - Disclosed: 2010-02-27

Description:

(Description Provided by CVE) : Unspecified vulnerability in Dovecot 1.2.x before 1.2.11 allows remote attackers to cause a denial of service (CPU consumption) via long headers in an e-mail message.

[CLOSE] OSVDB ID : 65121 - Disclosed: 2010-02-27

Description:

ProMan contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'elisttasks.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the '_SESSION[userLang]' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 65122 - Disclosed: 2010-02-27

Description:

ProMan contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'managepmanagers.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the '_SESSION[userLang]' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 65123 - Disclosed: 2010-02-27

Description:

ProMan contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'manageusers.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the '_SESSION[userLang]' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 65124 - Disclosed: 2010-02-27

Description:

ProMan contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'helpfunc.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the '_SESSION[userLang]' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 65125 - Disclosed: 2010-02-27

Description:

ProMan contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'managegroups.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the '_SESSION[userLang]' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 65126 - Disclosed: 2010-02-27

Description:

ProMan contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'manageprocess.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the '_SESSION[userLang]' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 65127 - Disclosed: 2010-02-27

Description:

ProMan contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'manageusersgroups.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the '_SESSION[userLang]' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.