[CLOSE] OSVDB ID : 68408 - Disclosed: 2010-05-25

Description:

(Description Provided by CVE) : The Security component in IBM DB2 UDB 9.5 before FP6a logs AUDIT events by using a USERID and an AUTHID value corresponding to the instance owner, instead of a USERID and an AUTHID value corresponding to the logged-in user account, which makes it easier for remote authenticated users to execute Audit administration commands without discovery.

[CLOSE] OSVDB ID : 76027 - Disclosed: 2010-05-25

Description:

WebAsyst Shop-Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'blog_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 64963 - Disclosed: 2010-05-25

Description:

(Description Provided by CVE) : Buffer overflow in Webby Webserver 1.01 allows remote attackers to execute arbitrary code via a long HTTP GET request.

[CLOSE] OSVDB ID : 65066 - Disclosed: 2010-05-25

Description:

(Description Provided by CVE) : The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.

[CLOSE] OSVDB ID : 65120 - Disclosed: 2010-05-25

Description:

NITRO Web Gallery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'PictureId' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65286 - Disclosed: 2010-05-25

Description:

RuubikCMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'description' parameter upon submission to the 'index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 65355 - Disclosed: 2010-05-25

Description:

360 Web Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the webpages-form-led-edit.php script not properly sanitizing user-supplied input to the 'IDFM' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65354 - Disclosed: 2010-05-25

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65350 - Disclosed: 2010-05-25

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 69922 - Disclosed: 2010-05-25

Description:

IBM Lotus Notes Traveler contains a flaw that may allow a remote denial of service. The issue is triggered when a context-dependent attacker uses a malformed document to cause a denial of service via a sync failure.

[CLOSE] OSVDB ID : 64849 - Disclosed: 2010-05-24

Description:

(Description Provided by CVE) : Multiple integer overflows in src/image.c in Ziproxy before 3.0.1 allow remote attackers to execute arbitrary code via (1) a large JPG image, related to the jpg2bitmap function or (2) a large PNG image, related to the png2bitmap function, leading to heap-based buffer overflows.

[CLOSE] OSVDB ID : 64850 - Disclosed: 2010-05-24

Description:

(Description Provided by CVE) : Multiple integer overflows in src/image.c in Ziproxy before 3.0.1 allow remote attackers to execute arbitrary code via (1) a large JPG image, related to the jpg2bitmap function or (2) a large PNG image, related to the png2bitmap function, leading to heap-based buffer overflows.

[CLOSE] OSVDB ID : 64919 - Disclosed: 2010-05-24

Description:

razorCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/index.php' script not properly sanitizing user-supplied input to the 'content' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 64832 - Disclosed: 2010-05-24

Description:

McAfee Email Gateway contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered by direct access to admin/systemWebAdminConfig.do, allowing a remote attacker to gain administrative privileges.

[CLOSE] OSVDB ID : 64854 - Disclosed: 2010-05-24

Description:

ECShop contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'search.php' script not properly sanitizing user-supplied input to the 'encode' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 64941 - Disclosed: 2010-05-24

Description:

(Description Provided by CVE) : Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allow remote attackers to hijack the authentication of administrators for requests that (1) reset the modem, (2) erase the firmware, (3) change the administrative password, (4) install modified firmware, or (5) change the access level, as demonstrated by a request to goform/_aslvl.

[CLOSE] OSVDB ID : 64942 - Disclosed: 2010-05-24

Description:

(Description Provided by CVE) : The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 allows remote attackers to bypass authentication, and reset the modem or replace the firmware, via a direct request to an unspecified page.

[CLOSE] OSVDB ID : 64943 - Disclosed: 2010-05-24

Description:

(Description Provided by CVE) : The web interface on the Cisco Scientific Atlanta WebSTAR DPC2100R2 cable modem with firmware 2.0.2r1256-060303 has a default administrative password (aka SAPassword) of W2402, which makes it easier for remote attackers to obtain privileged access.

[CLOSE] OSVDB ID : 65343 - Disclosed: 2010-05-24

Description:

Microsoft Internet Explorer contains a flaw related to ICMFilter. in the CSS filter property. This may allow a remote attacker to access arbitrary UNC files and disclose local passwords.

[CLOSE] OSVDB ID : 65276 - Disclosed: 2010-05-24

Description:

Zabbix contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the events.php script not properly sanitizing user-supplied input to the 'nav_time' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 90276 - Disclosed: 2010-05-24

Description:

Apache Axis2 contains a flaw that may lead to unauthorized disclosure of potentially sensitive information. The issue is due to the program storing password information in plaintext in the axis2.xml file, which may allow a local attacker to gain access to such information.

[CLOSE] OSVDB ID : 64833 - Disclosed: 2010-05-23

Description:

KAVSafe.sys 2010.4.14.609 and earlier, as used in Kingsoft Webshield 3.5.1.2 and earlier contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when an error in the KAVSafe.sys driver occurs, allowing a local attacker to corrupt kernel memory and allow the attacker to gain system privileges in order to execute arbitrary code via a specially crafted 830020D4h IOCTL.

[CLOSE] OSVDB ID : 65258 - Disclosed: 2010-05-23

Description:

odCMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'Page' parameter upon submission to the '_main/index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 65259 - Disclosed: 2010-05-23

Description:

odCMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'Page' parameter upon submission to the '_members/index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 65260 - Disclosed: 2010-05-23

Description:

odCMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'Page' parameter upon submission to the '_forum/index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 65261 - Disclosed: 2010-05-23

Description:

odCMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'Page' parameter upon submission to the '_docs/index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 65262 - Disclosed: 2010-05-23

Description:

odCMS contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'Page' parameter upon submission to the '_announcements/index.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 65263 - Disclosed: 2010-05-23

Description:

odCMS contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the admin password manipulation. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 65292 - Disclosed: 2010-05-23

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65359 - Disclosed: 2010-05-23

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 91751 - Disclosed: 2010-05-23

Description:

Wicd contains a flaw that is due to wicd-daemon.py resetting /etc/resolv.conf to insecure permissions when the program is restarted. This may allow a local attacker to change the content of the file, allowing them to control the server used for DNS resolution. This can greatly assist attacks that require DNS tampering.

[CLOSE] OSVDB ID : 64841 - Disclosed: 2010-05-22

Description:

ScriptsFeed Recipes contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'control/admin_login.php' script not properly sanitizing user-supplied input to the 'loginid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65119 - Disclosed: 2010-05-22

Description:

Cyberhost contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'default.asp' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 65384 - Disclosed: 2010-05-22

Description:

BigAce contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the user-defined input upon submission to the create category module URI. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 65353 - Disclosed: 2010-05-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65360 - Disclosed: 2010-05-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65358 - Disclosed: 2010-05-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65357 - Disclosed: 2010-05-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65356 - Disclosed: 2010-05-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 65385 - Disclosed: 2010-05-22

Description:

BigAce contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the user-defined input upon submission to the create style sheet module URI. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.