| OSVDB ID | Disclosure Date | Title |
|---|
|
65315
Description:
WebKit contains a flaw that allows a universal cross-site scripting (UXSS) attack, as script tags and attributes are allowed to be copied and pasted from one page to another. This may allow an attacker to create a specially crafted web page that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2010-01-18
|
WebKit Script Tags / Attributes Copy-Pasting XSS
|
|
87721
Description:
IBM WebSphere Application Server (WAS) contains a flaw related to the EJB feature pack that may lead to an unauthorized information disclosure. The issue is due to passwords being stored in property files in plaintext. This may allow a local attacker to gain access to password information.
|
2010-01-18
|
IBM WebSphere Application Server (WAS) EJB Feature Pack Property File Plaintext Password Local Disclosure
|
|
61895
Description:
(Description Provided by CVE) : Stack-based buffer overflow in VideoLAN VLC Media Player 0.8.6 allows user-assisted remote attackers to execute arbitrary code via an ogg file with a crafted Advanced SubStation Alpha Subtitle (.ass) file, probably involving the Dialogue field.
|
2010-01-17
|
VLC Media Player OGG / ASS File Handling Overflow
|
|
61828
Description:
Thelia contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'motcle' parameter upon submission to the 'recherche.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2010-01-17
|
Thelia recherche.php motcle Parameter XSS
|
|
61829
Description:
Thelia contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'ref' parameter upon submission to the 'panier.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2010-01-17
|
Thelia panier.php ref Parameter XSS
|
|
61830
Description:
Thelia contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'ref' parameter upon submission to the 'produit.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2010-01-17
|
Thelia produit.php ref Parameter XSS
|
|
61899
Description:
libros Component for Joomla! contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2010-01-17
|
libros Component for Joomla! index.php id Parameter SQL Injection
|
|
61957
Description:
Unknown / Incomplete
|
2010-01-17
|
sudosh src/replay.c replay() Function Local Overflow
|
|
63190
Description:
(Description Provided by CVE) : Directory traversal vulnerability in news/include/customize.php in Web Server Creator - Web Portal 0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the l parameter.
|
2010-01-17
|
Web Server Creator - Web Portal news/include/customize.php l Parameter Traversal Arbitrary File Access
|
|
63191
Description:
Web Server Creator - Web Portal contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'index.php' script not properly sanitizing user input supplied to the 'pg' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2010-01-17
|
Web Server Creator - Web Portal index.php pg Parameter Remote File Inclusion
|
|
63192
Description:
Web Server Creator - Web Portal contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'news/form.php' script not properly sanitizing user input supplied to the 'path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.
|
2010-01-17
|
Web Server Creator - Web Portal news/form.php path Parameter Remote File Inclusion
|
|
63193
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in the forum page in Web Server Creator - Web Portal 0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to index.php.
|
2010-01-17
|
Web Server Creator - Web Portal index.php Forum Page XSS
|
|
64383
Description:
Unknown / Incomplete
|
2010-01-17
|
QvodPlayer ColorFilter Codec ActiveX Arbitrary Code Execution
|
|
92278
Description:
sudosh3 contains an overflow condition in replay.c. The issue is triggered as user-supplied input is not properly validated when the program attempts to read outside of the allotted memory in replays. This may allow a local attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
|
2010-01-17
|
sudosh3 replay.c Local Overflow
|
|
62182
Description:
Unknown / Incomplete
|
2010-01-16
|
Oracle Internet Directory oidldapd Remote Heap Corruption
|
|
61802
Description:
Unknown / Incomplete
|
2010-01-16
|
SemanticScuttle tags.php/ URI SQL Injection
|
|
61926
Description:
Unknown / Incomplete
|
2010-01-16
|
Novatel MiFi Unspecified Setting Modification CSRF
|
|
61927
Description:
Unknown / Incomplete
|
2010-01-16
|
Novatel MiFi config.xml.sav Direct Request Information Disclosure
|
|
61833
Description:
Multiple Rockwell Automation MicroLogix controllers contain a flaw related to the authentication mechanism. The issue is triggered when a remote attacker intercepts the controller password which may allow an attacker to bypass the authentication mechanism and gain full access to the device.
|
2010-01-15
|
Rockwell Automation MicroLogix Controller Multiple Products Authentication Mechanism Access Bypass
|
|
61700
Description:
Unknown / Incomplete
|
2010-01-15
|
TestLink lib/usermanagement/userInfo.php locale Parameter Traversal Local File Inclusion
|
|
61701
Description:
Testlink contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'order_by_role_dir', 'order_by_login_dir', and 'user_order_by' parameters upon submission to the 'lib/usermanagement/usersView.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2010-01-15
|
TestLink lib/usermanagement/usersView.php Multiple Parameter XSS
|
|
61832
Description:
(Description Provided by CVE) : Multiple unspecified vulnerabilities on the Rockwell Automation AB Micrologix 1100 and 1400 controllers allow remote attackers to obtain privileged access or cause a denial of service (halt) via unknown vectors.
|
2010-01-15
|
Rockwell Automation MicroLogix Controller Multiple Products Communications Protocol Password Disclosure
|
|
61697
Description:
Internet Explorer contains a flaw that may allow a context-dependent attacker to execute arbitrary code. The issue is triggered when a specially crafted website causes mshtml.dll to access memory that has been freed, allowing code execution.
|
2010-01-15
|
Microsoft IE mshtml.dll Use-After-Free Arbitrary Code Execution (Aurora)
|
|
61708
Description:
(Description Provided by CVE) : Multiple cross-site request forgery (CSRF) vulnerabilities in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25c allow remote attackers to hijack the authentication of administrators for requests that modify access control rules, and other unspecified requests, via unknown vectors.
|
2010-01-15
|
DokuWiki plugins/acl/ajax.php Access Control Rule Manipulation CSRF
|
|
61699
Description:
(Description Provided by CVE) : Buffer overflow in the SSLv2 support in Zeus Web Server before 4.3r5 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long string in an invalid Client Hello message.
|
2010-01-15
|
Zeus Web Server SSLv2 Support Client Hello Message Handling Overflow
|
|
61698
Description:
Xforum contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'nbpageliste' parameter upon submission to the 'liste.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2010-01-15
|
Xforum liste.php nbpageliste Parameter XSS
|
|
61715
Description:
(Description Provided by CVE) : Multiple integer overflows in LibThai before 0.1.13 might allow context-dependent attackers to execute arbitrary code via long strings that trigger heap-based buffer overflows, related to (1) thbrk/thbrk.c and (2) thwbrk/thwbrk.c. NOTE: some of these details are obtained from third party information.
|
2010-01-15
|
LibThai Unspecified String Handling Overflows
|
|
61710
Description:
(Description Provided by CVE) : A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the wild in January 2010.
|
2010-01-15
|
DokuWiki lib/plugins/acl/ajax.php Access Control Rule Authentication Bypass
|
|
62034
Description:
Unknown / Incomplete
|
2010-01-15
|
Oracle Internet Directory oidldapd NULL Dereference gslsbnrNormalizeString Function Remote DoS
|
|
61834
Description:
(Description Provided by CVE) : Directory traversal vulnerability in op/op.Login.php in LetoDMS (formerly MyDMS) 1.7.2 and earlier allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in the lang parameter.
|
2010-01-15
|
LetoDMS op/op.Login.php lang Parameter Traversal Local File Inclusion
|
|
61835
Description:
(Description Provided by CVE) : Multiple cross-site request forgery (CSRF) vulnerabilities in LetoDMS (formerly MyDMS) 1.7.2 and earlier allow remote attackers to hijack the authentication of administrators for requests that use (1) op/op.EditUserData.php, (2) op/op.UsrMgr.php, (3) out/out.RemoveVersion.php, (4) op/op.RemoveFolder.php, (5) op/op.DefaultKeywords.php, (6) op/op.GroupMgr.php, (7) op/op.FolderAccess.php, (8) op/op.FolderNotify.php, or (9) op.MoveFolder.php in mydms.
|
2010-01-15
|
LetoDMS Multiple Script CSRF
|
|
61859
Description:
(Description Provided by CVE) : libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a temporary directory with 0777 permissions, which has unknown impact and attack vectors.
|
2010-01-15
|
phpMyAdmin libraries/File.class.php Temporary Directory Permission Weakness Unspecified Issue
|
|
61860
Description:
(Description Provided by CVE) : libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors.
|
2010-01-15
|
phpMyAdmin libraries/File.class.php Temporary File Predictible Filename Weakness Unspecified Issue
|
|
61861
Description:
(Description Provided by CVE) : scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
|
2010-01-15
|
phpMyAdmin scripts/setup.php unserialize Function Multiple Parameter CSRF
|
|
61889
Description:
Unknown / Incomplete
|
2010-01-15
|
SafeCentral shdrv.sys IOCTL Handling Memory Corruption Local Privilege Escalation
|
|
61918
Description:
Unknown / Incomplete
|
2010-01-15
|
FreePBX admin/config.php Cleartext Password Disclosure
|
|
61919
Description:
FreePBX contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'admin/config.php' script not properly sanitizing user-supplied input to the 'extdisplay' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2010-01-15
|
FreePBX admin/config.php extdisplay Parameter SQL Injection
|
|
61920
Description:
Unknown / Incomplete
|
2010-01-15
|
FreePBX Inbound Route Description XSS
|
|
63257
Description:
(Description Provided by CVE) : The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length.
|
2010-01-15
|
Linux Kernel SCTP Implementation Chunk Handling Infinite Loop Remote DoS
|
|
64216
Description:
(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in lib/LXR/Common.pm in LXR Cross Referencer before 0.9.8 allows remote attackers to inject arbitrary web script or HTML via vectors related to a string in the search page's TITLE element, a different vulnerability than CVE-2009-4497 and CVE-2010-1625.
|
2010-01-15
|
LXR Cross Referencer lib/LXR/Common.pm Title String XSS
|
