| OSVDB ID | Description | Disclosure Date | Title |
|---|---|---|---|
| 74983 | Unknown / Incomplete | 2011-03-31 | Joomla! FLEXIcontent Component Cache Insecure Permissions File Manipulation Privilege Escalation |
| 71706 | PHPBoost contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a direct request for a predictable filename to cache/backup occurs, which will disclose backup SQL files to a remote attacker. | 2011-03-31 | PHPBoost cache/backup/ Predictable Filename Direct Request Backup File Disclosure |
| 72300 | WebSphere contains a flaw related to the Application Server on z/OS. The issue is triggered when incorrect permissions are set, which may grant users unintended access to WebSphere applications. | 2011-03-31 | IBM WebSphere Application Server for z/OS Permissions Weakness Access Restriction Bypass |
| 75047 | (Description Provided by CVE): The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string. | 2011-03-31 | Perl Multiple Function Taint Protection Mechanism Bypass |
| 74277 | (Description Provided by CVE): jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. | 2011-03-31 | JBoss Seam jboss-seam.jar FacesMessages Expression Language Statement Remote Java Code Execution |
| 75029 | InTerra Blog Machine contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the actions/add.php script does not validate the 'subject' parameter upon submission to post_url/edit. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. | 2011-03-31 | InTerra Blog Machine actions/add.php post_url/edit subject Parameter XSS |
| 71468 | IBM WEBi contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. | 2011-03-31 | IBM WEBi Unspecified XSS |
| 71464 | InTerra Blog Machine contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for multiple administrator functions, such as adding entries or inserting script. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. | 2011-03-31 | InTerra Blog Machine Arbitrary Entry Addition CSRF |
| 71467 | IBM WEBi contains an unspecified flaw that may allow an attacker to have an unspecified impact. No further details have been provided. | 2011-03-31 | IBM WEBi Unspecified Issue |
| 71472 | Feng Office Community Edition contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the manipulation of administrative user data. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. | 2011-03-31 | Feng Office Community Edition Admin Manipulation CSRF |
| 72017 | Tine contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker sends a direct request to the Crm/Controller.php, Calendar/Model/Attender.php or Crm/Export/Csv.php script, which discloses the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. | 2011-03-31 | Tine Multiple Script Direct Request Path Disclosure |
| 73757 | (Description Provided by CVE): vmware-hgfsmounter in VMware Open Virtual Machine Tools (aka open-vm-tools) 8.4.2-261024 and earlier attempts to append to the /etc/mtab file without first checking whether resource limits would interfere, which allows local users to trigger corruption of this file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089. | 2011-03-31 | VMware Open Virtual Machine Tools vmware-hgfsmounter /etc/mtab Append RLIMIT_FSIZE Local File Corruption |
| 75466 | Unknown / Incomplete | 2011-03-31 | Collabtive thumb.php pic Parameter Traversal Arbitrary Image Access |
| 75467 | Unknown / Incomplete | 2011-03-31 | Collabtive managetimetracker.php id Parameter XSS |
| 75468 | Unknown / Incomplete | 2011-03-31 | Collabtive manageuser.php id Parameter XSS |
| 75469 | Unknown / Incomplete | 2011-03-31 | Collabtive manageproject.php Multiple Parameter XSS |
| 75470 | Unknown / Incomplete | 2011-03-31 | Collabtive admin.php Multiple Parameter XSS |
| 75471 | Unknown / Incomplete | 2011-03-31 | Windows Media Player AVI File Handling Overflow DoS |
| 75472 | Unknown / Incomplete | 2011-03-31 | Movie Player AVI File Handling Overflow DoS |
| 87695 | Tine 2.0 contains a flaw that may lead to an unauthorized information disclosure. The issue is due to the tine20.log file storing passwords in plaintext, which may allow a local attacker to gain access to password information. | 2011-03-31 | Tine 2.0 tine20.log Plaintext Passwords Local Disclosure |
| 72608 | (Description Provided by CVE): The default configuration of the RADIUS authentication feature on the Cisco Network Access Control (NAC) Guest Server with software before 2.0.3 allows remote attackers to bypass intended access restrictions and obtain network connectivity via unspecified vectors, aka Bug ID CSCtj66922. | 2011-03-30 | Cisco Network Admission Control (NAC) Guest Server RADIUS Unspecified Authentication Bypass |
| 73756 | (Description Provided by CVE): Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned. | 2011-03-30 | KVM qemu-kvm hw/virtio-blk.c Multiple Function Local DoS |
| 71585 | HP Network Node Manager i (NNMi) contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an unspecified condition occurs, which will disclose unspecified information to a remote attacker. | 2011-03-30 | HP Network Node Manager i (NNMi) Unspecified Remote Information Disclosure |
| 73147 | (Description Provided by CVE): SQL injection vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2011-03-30 | Translation Management Module for Drupal Unspecified SQL Injection |
| 73148 | (Description Provided by CVE): Cross-site request forgery (CSRF) vulnerability in the Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 2011-03-30 | Translation Management Module for Drupal Unspecified CSRF |
| 71298 | RunCMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input appended to the URL upon submission to the modules/forum/topicmanager.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. | 2011-03-30 | RunCMS modules/forum/topicmanager.php URI XSS |
| 71310 | RunCMS contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the addition of news articles. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. This vulnerability has been reported to also allow the execution of XSS attacks. | 2011-03-30 | RunCMS News Article Addition CSRF |
| 71299 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/forum/post.php script not properly sanitizing user-supplied input to the 'topic_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/forum/post.php topic_id Parameter SQL Injection |
| 71300 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/forum/search.php script not properly sanitizing user-supplied input to the 'forum' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/forum/search.php forum Parameter SQL Injection |
| 71301 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/forum/post.php script not properly sanitizing user-supplied input to the 'forum' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/forum/post.php forum Parameter SQL Injection |
| 71302 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/forum/index.php script not properly sanitizing user-supplied input to the 'FORumLastVisit' cookie. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/forum/index.php FORumLastVisit Cookie SQL Injection |
| 71304 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/pm/index.php script not properly sanitizing user-supplied input to the 'sort' and 'by' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/pm/index.php Multiple Parameter SQL Injection |
| 71303 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/pm/pmsend.php script not properly sanitizing user-supplied input to the 'sort' and 'by' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/pm/pmsend.php Multiple Parameter SQL Injection |
| 71305 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/banners/index.php script not properly sanitizing user-supplied input to the 'bid', 'cid' and 'url' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/banners/index.php Multiple Parameter SQL Injection |
| 71306 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/links/viewcat.php script not properly sanitizing user-supplied input to the 'orderby' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/links/viewcat.php orderby Parameter SQL Injection |
| 71307 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/galleri/carte.php script not properly sanitizing user-supplied input to the 'key' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/galleri/carte.php key Parameter SQL Injection |
| 71308 | RunCMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the modules/galleri/index.php script not properly sanitizing user-supplied input to the 'orderby' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. | 2011-03-30 | RunCMS modules/galleri/index.php orderby Parameter SQL Injection |
| 71309 | RunCMS contains a flaw related to the modules/galleri/uploaduser.php script failing to properly validate uploaded files. The issue is triggered when a remote attacker appends a .gif or .jpg file extension to a PHP file when uploading it. This may allow an attacker to execute arbitrary PHP code. | 2011-03-30 | RunCMS modules/galleri/uploaduser.php File Upload Arbitrary PHP Code Execution |
| 71291 | YaCOMAS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'S_login', 'S_nombrep', 'S_apellidos', 'S_mail', 'S_org' and 'S_ciudad' parameters upon submission to the asistente/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. | 2011-03-30 | YaCOMAS asistente/index.php Multiple Parameter XSS |
| 71292 | YaCOMAS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'S_login' parameter upon submission to the admin/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. | 2011-03-30 | YaCOMAS admin/index.php S_login Parameter XSS |