| OSVDB ID | Disclosure Date | Title |
|
72857
Description:
Podcast Generator contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'L_failedopentheme' parameter upon submission to the themes.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-03
|
Podcast Generator themes.php L_failedopentheme Parameter XSS
|
|
72856
Description:
Podcast Generator contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker directs malformed input to the episode.php script via the 'name' parameter, which discloses the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
|
2011-02-03
|
Podcast Generator episode.php Malformed name Parameter Path Disclosure
|
|
72450
Description:
ReOS contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the jobs.php not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'lang' parameter. This directory traversal attack would allow the attacker to read arbitrary files.
|
2011-02-03
|
ReOS jobs.php lang Parameter Traversal Arbitrary File Access
|
|
72556
Description:
SigPlus Pro ActiveX is prone to multiple overflow conditions. The ActiveX fails to properly sanitize user-supplied input passed to the "KeyString" property and the "SetLocalIniFilePath()" and "SetTabletPortPath()" methods, resulting in heap-based buffer overflows. With a specially crafted web page instantiating the ActiveX, a remote attacker can compromise a user's system.
|
2011-02-03
|
SigPlus Pro ActiveX Multiple Method Remote Overflow
|
|
70864
Description:
CiviCRM Component for Joomla! contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'defaultPath' parameter upon submission to the administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
CiviCRM Component for Joomla! administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php defaultPath Parameter XSS
|
|
70865
Description:
CiviCRM Component for Joomla! contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'lang' parameter upon submission to the administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_dropin.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
CiviCRM Component for Joomla! administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_dropin.php lang Parameter XSS
|
|
70866
Description:
CiviCRM Component for Joomla! contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'lang' parameter upon submission to the administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_fallback.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
CiviCRM Component for Joomla! administrator/components/com_civicrm/civicrm/packages/PHPgettext/examples/pigs_fallback.php lang Parameter XSS
|
|
70867
Description:
CiviCRM Component for Joomla! contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'class' parameter upon submission to the administrator/components/com_civicrm/civicrm/packages/amfphp/browser/methodTable.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
CiviCRM Component for Joomla! administrator/components/com_civicrm/civicrm/packages/amfphp/browser/methodTable.php class Parameter XSS
|
|
70860
Description:
CiviCRM Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'defaultPath' parameter upon submission to the sites/all/modules/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
CiviCRM Module for Drupal sites/all/modules/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php defaultPath Parameter XSS
|
|
70861
Description:
CiviCRM Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'class' parameter upon submission to the sites/all/modules/civicrm/packages/amfphp/browser/details.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
CiviCRM Module for Drupal sites/all/modules/civicrm/packages/amfphp/browser/details.php class Parameter XSS
|
|
70862
Description:
CiviCRM Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'class' parameter upon submission to the sites/all/modules/civicrm/packages/amfphp/browser/methodTable.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
CiviCRM Module for Drupal sites/all/modules/civicrm/packages/amfphp/browser/methodTable.php class Parameter XSS
|
|
70863
Description:
CiviCRM Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'class' parameter upon submission to the sites/all/modules/civicrm/packages/amfphp/browser/code.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
CiviCRM Module for Drupal sites/all/modules/civicrm/packages/amfphp/browser/code.php class Parameter XSS
|
|
79064
Description:
Unknown / Incomplete
|
2011-02-02
|
iPhone Mail (Exchange) Server / Email Local Disclosure
|
|
79063
Description:
Unknown / Incomplete
|
2011-02-02
|
Hushmail for Android / iPhone Personal / Security Information Local Disclosure
|
|
79051
Description:
Unknown / Incomplete
|
2011-02-02
|
Android Mail (Hotmail) Cleartext Credentials / Email Local Disclosure
|
|
79050
Description:
Unknown / Incomplete
|
2011-02-02
|
Android Mail (Exchange) Cleartext Credentials / Email Local Disclosure
|
|
79065
Description:
Unknown / Incomplete
|
2011-02-02
|
iPhone Mail (Gmail) Server / Email Local Disclosure
|
|
79062
Description:
Unknown / Incomplete
|
2011-02-02
|
HTC Mail (Exchange) for Android Personal / Server Information Local Disclosure
|
|
79060
Description:
Unknown / Incomplete
|
2011-02-02
|
GMail for Android Emails Local Disclosure
|
|
79090
Description:
Unknown / Incomplete
|
2011-02-02
|
Yahoo! Mail for Android / iPhone Email Local Disclosure
|
|
79088
Description:
Unknown / Incomplete
|
2011-02-02
|
Windows Live Messenger (Hotmail) for iPhone Username Local Disclosure
|
|
71045
Description:
WSN Guest contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the member() function in the classes/member.php script not properly sanitizing user-supplied input to the 'wsnuser' cookie. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2011-02-02
|
WSN Guest classes/member.php member() Function wsnuser Cookie SQL Injection
|
|
70749
Description:
Terminal Server Client is prone to an overflow condition. The 'tsc_launch_remote()' function in 'src/support.c' suffers from a boundary error when processing a 'hostname', 'username', 'password' or 'domain' parameter, resulting in a stack-based buffer overflow. With a specially crafted overly long string in an RDP file, a context-dependent attacker can potentially execute arbitrary code.
|
2011-02-02
|
Terminal Server Client (tsclient) src/support.c tsc_launch_remote() Function Multiple Parameter RDP File Handling Overflows
|
|
70753
Description:
Plone contains an unspecified flaw that may allow a remote attacker to gain administrative privileges and modify the site. No further details have been provided.
|
2011-02-02
|
Plone Unspecified Remote Privilege Escalation
|
|
70764
Description:
Droptor Module for Drupal contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to input passed via the URL not being properly sanitised before being used in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2011-02-02
|
Droptor Module for Drupal Unspecified SQL Injection
|
|
70761
Description:
Betsy contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'ress.php' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'page' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.
|
2011-02-02
|
Betsy ress.php page Parameter Traversal Local File Inclusion
|
|
70765
Description:
Flag Page Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the flag title when creating or editing flags before it is used. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
Flag Page Module for Drupal Flag Title XSS
|
|
70766
Description:
Userpoints Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input before it is used. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
Userpoints Module for Drupal Unspecified XSS
|
|
70767
Description:
AES Module for Drupal contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the module saves user passwords in a text file, which will disclose the password to a remote attacker who directly requests the file.
|
2011-02-02
|
AES Module for Drupal Text File Direct Request User Password Disclosure
|
|
70768
Description:
Chatroom Module for Drupal contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the execution of certain administrative tasks. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.
|
2011-02-02
|
Chatroom Module for Drupal Multiple Admin Function CSRF
|
|
70769
Description:
Chatroom Module for Drupal contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not properly sanitise input passed via chat messages before it is used. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
|
2011-02-02
|
Chatroom Module for Drupal Chat Messages XSS
|
|
75748
Description:
(Description Provided by CVE) : BIGACE 2.7.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by system/libs/javascript.inc.php and certain other files.
|
2011-02-02
|
BIGACE Multiple Script Direct Request Path Disclosure
|
|
75751
Description:
(Description Provided by CVE) : ClanTiger 1.1.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by widgets/statistics/statistics.php and certain other files.
|
2011-02-02
|
ClanTiger Multiple Script Direct Request Path Disclosure
|
|
75757
Description:
conceptcms contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker sends a direct request to one of the multiple scripts in the testing section, which discloses the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.
|
2011-02-02
|
conceptcms Multiple Script Direct Request Path Disclosure
|
|
82285
Description:
GR Board contains a flaw that may allow an unauthorized remote attacker to insert, delete, update or create arbitrary databases via a request sent to the mod_rewrite.php, comment_write_ok.php, poll/index.php, update/index.php, or trackback.php scripts.
|
2011-02-02
|
GR Board (grboard) Multiple Script Unauthorized Database Manipulation
|
|
87501
Description:
MySQL contains a flaw that may allow a local denial of service. The issue is triggered when an error occurs in optimizer_switch during the processing of a malformed value. This may allow a local attacker to cause a loss of availability for the server.
|
2011-02-02
|
Oracle MySQL optimizer_switch Malformed Value Processing Local DoS
|
|
72552
Description:
(Description Provided by CVE) : Multiple unspecified vulnerabilities in TIBCO Rendezvous 8.2.1 through 8.3.0, Enterprise Message Service (EMS) 5.1.0 through 6.0.0, Runtime Agent (TRA) 5.6.2 through 5.7.0, Silver BPM Service before 1.0.4, Silver CAP Service before 1.0.2, and Silver BusinessWorks Service 1.0.0, when running on Unix systems, allow local users to gain root privileges via unknown vectors related to SUID and (1) Rendezvous Routing Daemon (rvrd), (2) Rendezvous Secure Daemon (rvsd), (3) Rendezvous Secure Routing Daemon (rvsrd), and (4) EMS Server (tibemsd).
|
2011-02-01
|
TIBCO Multiple Products on Unix Multiple Unspecified Privilege Escalation
|
|
73332
Description:
Unknown / Incomplete
|
2011-02-01
|
NVIDIA CUDA Linux Driver cudaHostAlloc/cuMemHostAlloc API Arbitrary File Chunk Disclosure
|
|
82237
Description:
GR Board contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the write_ok.php script not properly sanitizing user-supplied input to the 'isReported' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
|
2011-02-01
|
GR Board (grboard) write_ok.php isReported Parameter SQL Injection
|
|
70751
Description:
Zikula Application Framework contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the modification of user permissions. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.
|
2011-02-01
|
Zikula Application Framework User Permissions Modification CSRF
|