[CLOSE] OSVDB ID : 65001 - Disclosed: 2010-05-29

Description:

BF Quiz Component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'catid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65004 - Disclosed: 2010-05-29

Description:

NP_Gallery Plugin for Nucleu contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'nucleus/plugins/NP_gallery.php' script not properly sanitizing user input supplied to the 'DIR_NUCLEUS' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 65005 - Disclosed: 2010-05-29

Description:

NP_Gallery Plugin for Nucleus contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65007 - Disclosed: 2010-05-29

Description:

NP_Twitter Plugin for Nucleus contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'nucleus/plugins/NP_Twitter.php' script not properly sanitizing user input supplied to the 'DIR_PLUGINS' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 65295 - Disclosed: 2010-05-29

Description:

GR Board contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'page.php' script not properly sanitizing user input supplied to the 'theme' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 65208 - Disclosed: 2010-05-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 64994 - Disclosed: 2010-05-28

Description:

ImpressPages CMS contains a flaw that may allow an attacker to carry out SQL injection attacks. The issue is due to the 'admin.php' script not properly sanitizing user-supplied input to the 'page_size[]','sort_field[]' and 'road[]' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65148 - Disclosed: 2010-05-28

Description:

(Description Provided by CVE) : IBM DB2 9.7 before FP2, when AUTO_REVAL is IMMEDIATE, allows remote authenticated users to cause a denial of service (loss of privileges) to a view owner by defining a dependent view.

[CLOSE] OSVDB ID : 65149 - Disclosed: 2010-05-28

Description:

(Description Provided by CVE) : IBM DB2 9.7 before FP2 does not perform the expected access control on the monitor administrative views in the SYSIBMADM schema, which allows remote attackers to obtain sensitive information via unspecified vectors.

[CLOSE] OSVDB ID : 76877 - Disclosed: 2010-05-28

Description:

Groone's Simple Contact Form contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the contact/contact.php script not properly sanitizing user input supplied to the 'abspath' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 64982 - Disclosed: 2010-05-28

Description:

MediaWiki contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the CSS input. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 64983 - Disclosed: 2010-05-28

Description:

MediaWiki contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions such as create arbitrary users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 65000 - Disclosed: 2010-05-28

Description:

My Car Component for Joomla! contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'modveh' parameter upon submission to the 'index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 65039 - Disclosed: 2010-05-28

Description:

Visitor Web Stats Module for osCommerce contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing input passed via the 'Accept-Language' HTTP header. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65011 - Disclosed: 2010-05-28

Description:

Joomla! contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'search' parameter upon submission to the 'administrator/index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 64999 - Disclosed: 2010-05-28

Description:

My Car Component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'pagina' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65271 - Disclosed: 2010-05-28

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65348 - Disclosed: 2010-05-28

Description:

Groones Simple Contact Form contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'contact.php' script not properly sanitizing user input supplied to the 'abspath' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 65351 - Disclosed: 2010-05-28

Description:

ArtDesign CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the news.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 64949 - Disclosed: 2010-05-27

Description:

(Description Provided by CVE) : Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd.

[CLOSE] OSVDB ID : 65279 - Disclosed: 2010-05-27

Description:

Cisco Network Building Mediator contains an unspecified flaw that may allow a remote attacker to use a XML RPC or XML RPC over HTTPS request to arbitrarily read and modify device configuration settings, allowing them to escalate their privileges.

[CLOSE] OSVDB ID : 64936 - Disclosed: 2010-05-27

Description:

MultiShop CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'pages.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65042 - Disclosed: 2010-05-27

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 64937 - Disclosed: 2010-05-27

Description:

MultiShop CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'itemdetail.php' script not properly sanitizing user-supplied input to the 'itemid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 64969 - Disclosed: 2010-05-27

Description:

Medi-QnA Component for Joomla! contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'index.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'controller' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

[CLOSE] OSVDB ID : 64985 - Disclosed: 2010-05-27

Description:

Core FTP Server contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., .../) supplied via the CWD command. This directory traversal attack would allow the attacker to access arbitrary files on the file system.

[CLOSE] OSVDB ID : 64987 - Disclosed: 2010-05-27

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65152 - Disclosed: 2010-05-27

Description:

(Description Provided by CVE) : jail.c in jail in FreeBSD 8.0 and 8.1-PRERELEASE, when the "-l -U root" options are omitted, does not properly restrict access to the current working directory, which might allow local users to read, modify, or create arbitrary files via standard filesystem operations.

[CLOSE] OSVDB ID : 65036 - Disclosed: 2010-05-27

Description:

(Description Provided by CVE) : sys/nfsclient/nfs_vfsops.c in the NFS client in the kernel in FreeBSD 7.2 through 8.1-PRERELEASE, when vfs.usermount is enabled, does not validate the length of a certain fhsize parameter, which allows local users to gain privileges via a crafted mount request.

[CLOSE] OSVDB ID : 65112 - Disclosed: 2010-05-27

Description:

Chrome contains a flaw that may allow a remote denial of service. The issue is triggered when processing a web page containing a large number of invalid NNTP elements, and will result in loss of availability for the application.

[CLOSE] OSVDB ID : 65109 - Disclosed: 2010-05-27

Description:

Firefox contains a flaw that may allow a remote denial of service. The issue is triggered when processing a web page containing a large number of invalid NNTP elements, and will result in loss of availability for the application.

[CLOSE] OSVDB ID : 65110 - Disclosed: 2010-05-27

Description:

Internet Explorer contains a flaw that may allow a remote denial of service. The issue is triggered when processing a web page with a large number of invalid NNTP elements, and will result in loss of availability for the application.

[CLOSE] OSVDB ID : 65111 - Disclosed: 2010-05-27

Description:

Opera contains a flaw that may allow a remote denial of service. The issue is triggered when processing a web page with a large number of invalid NNTP elements, and will result in loss of availability for the application.

[CLOSE] OSVDB ID : 65116 - Disclosed: 2010-05-27

Description:

ClearSite contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'docs.php' script not properly sanitizing user input supplied to the 'cs_base_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 65117 - Disclosed: 2010-05-27

Description:

ClearSite contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'include/admin/device_admin.php' script not properly sanitizing user input supplied to the 'cs_base_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 73981 - Disclosed: 2010-05-27

Description:

(Description Provided by CVE) : dexdump in Android SDK before 2.3 does not properly perform structural verification, which allows user-assisted remote attackers to cause a denial of service (dexdump crash) and possibly execute arbitrary code via a malformed APK or dex file that calls a method using more arguments than the number of register that have been declared for that method.

[CLOSE] OSVDB ID : 89818 - Disclosed: 2010-05-27

Description:

By default, Dataprobe iBoot-G2 Power Switch installs with default user credentials (username/password combination) for the web interface. The 'admin' account has a password of 'admin' and the 'user' account has a password of 'user', which are publicly known and documented. These allows remote attackers to trivially access the program or system and gain privileged access.

[CLOSE] OSVDB ID : 65280 - Disclosed: 2010-05-26

Description:

(Description Provided by CVE) : Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt HTTP sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83631.

[CLOSE] OSVDB ID : 65281 - Disclosed: 2010-05-26

Description:

(Description Provided by CVE) : Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not encrypt XML RPC sessions from operator workstations, which allows remote attackers to discover Administrator credentials by sniffing the network, aka Bug ID CSCtb83505.

[CLOSE] OSVDB ID : 65282 - Disclosed: 2010-05-26

Description:

(Description Provided by CVE) : Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Network Building Mediator NBM-2400 and NBM-4800 and the Richards-Zeta Mediator 2500 does not properly restrict network access to an unspecified configuration file, which allows remote attackers to read passwords and unspecified other account details via a (1) XML RPC or (2) XML RPC over HTTPS session, aka Bug ID CSCtb83512.