| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 72289 | 2011-03-30 | Cisco Secure Access Control System Arbitrary User Password Modification | Cisco ACS contains a flaw in the web interface. The issue is triggered when a remote attacker uses a malformed URL to change any user's password to an arbitrary value. This may allow an attacker to reset any user's password. |
| 73146 | 2011-03-30 | Translation Management Module for Drupal Unspecified XSS | (Description provided by CVE): Cross-site scripting (XSS) vulnerability in Translation Management module 6.x before 6.x-1.21 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 72186 | 2011-03-30 | Cyrus IMAP Server STARTTLS Arbitrary Plaintext Command Injection | Cyrus IMAP Server contains a flaw in its TLS implementation: it fails to clear transport layer buffers when switching from plaintext to ciphertext upon receipt of the 'STARTTLS' command. This may allow a remote attacker to inject arbitrary plaintext data that is executed after the transition to ciphertext. |
| 73652 | 2011-03-30 | Liferay Portal Community Edition XSL Content Portlet Unspecified Remote Code Execution | (Description provided by CVE): Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors. |
| 71488 | 2011-03-30 | Data Dynamics Reports CoreHandler.ashx Multiple Parameter XSS | Data Dynamics Reports contains a flaw that allows a remote cross-site scripting (XSS) attack. The application does not validate the 'traceLevel', 'reportName' and 'uniqueId' parameters upon submission to the CoreHandler.ashx script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 73408 | 2011-03-30 | ICJobSite Unspecified Component pid Parameter SQL Injection | An unspecified component of ICJobSite contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to an unspecified script not properly sanitizing user-supplied input to the 'pid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 74015 | 2011-03-30 | WebKit isDeletableElement Use-after-free Arbitrary Code Execution | WebKit contains a use-after-free error in the 'isDeletableElement' function in WebCore/editing/DeleteButtonController.cpp when focusing a styled, editable element. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code. |
| 92061 | 2011-03-30 | WebKit Non-HTML Element Inline Style Removal Bad Cast Memory Corruption | WebKit contains a type-casting flaw that is triggered when removing an inline style from a node that is not an HTML element. With a specially crafted web page, a context-dependent attacker can corrupt memory to cause a denial of service or potentially execute arbitrary code. |
| 72295 | 2011-03-29 | IBM WebSphere DataPower XC10 Appliance Unspecified Java Issue | WebSphere DataPower Appliance contains a flaw related to the bundled Java version. No further details have been provided. |
| 73648 | 2011-03-29 | Liferay Portal Community Edition XML External Entity (XXE) Declaration / Reference Arbitrary File Access | (Description provided by CVE): Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka XXE) issue. |
| 71288 | 2011-03-29 | Froxlor Ticket Reply Unspecified XSS | Froxlor contains a flaw that allows a remote cross-site scripting (XSS) attack. The application does not validate certain input passed to the ticket reply functionality before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71289 | 2011-03-29 | Froxlor Ticket Search Unspecified SQL Injection | Froxlor contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to certain input passed to the ticket search functionality not being properly sanitized before use in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 73651 | 2011-03-29 | Liferay Portal Community Edition Message Title XSS | (Description provided by CVE): Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability than CVE-2004-2030. |
| 73650 | 2011-03-29 | Liferay Portal Community Edition Blog Title XSS | (Description provided by CVE): Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA allows remote authenticated users to inject arbitrary web script or HTML via a blog title. |
| 73649 | 2011-03-29 | Liferay Portal Community Edition XSL Content Portlet file:/// URL Arbitrary File Access | (Description provided by CVE): The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL. |
| 71352 | 2011-03-29 | Tracks todos/tag/ URI XSS | Tracks contains a flaw that allows a remote cross-site scripting (XSS) attack. Input appended to the URL after todos/tag/ is not properly validated by app/controllers/todos_controller.rb. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71586 | 2011-03-29 | Easy File Sharing Web Server UserID Cookie Authentication Bypass | Unknown / Incomplete |
| 71290 | 2011-03-29 | Ays Blog index.php id SQL Injection | Ays Blog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 74842 | 2011-03-29 | WebKit counterToCSSValue NULL Pointer Dereference DoS Weakness | WebKit contains a flaw in the 'counterToCSSValue' function in WebCore/css/CSSComputedStyleDeclaration.cpp. With a specially crafted web page, a context-dependent attacker can cause a crash. |
| 71426 | 2011-03-29 | HP Operations for UNIX Unspecified XSS | HP Operations for UNIX contains a flaw that allows a remote cross-site scripting (XSS) attack. The application does not validate certain unspecified input before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71427 | 2011-03-29 | HP Operations for UNIX Unspecified Access Restriction Bypass | HP Operations for UNIX contains an unspecified flaw that may allow an attacker to bypass access restrictions. No further details have been provided. |
| 71297 | 2011-03-29 | Spitfire index.php username Parameter XSS | Spitfire contains a flaw that allows a remote cross-site scripting (XSS) attack. The application does not validate the 'username' parameter upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71783 | 2011-03-29 | VMware Workstation vmrun Unspecified Shared Library Local Privilege Escalation | (Description provided by CVE): VMware vmrun, as used in VIX API 1.x before 1.10.3 and VMware Workstation 6.5.x and 7.x before 7.1.4 build 385536 on Linux, might allow local users to gain privileges via a Trojan horse shared library in an unspecified directory. |
| 72031 | 2011-03-29 | WordPress Multiple Script Direct Request Path Disclosure | WordPress contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker sends a direct request to any of several scripts, which discloses the software's installation path, resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. Consult the testing notes for a full list of affected scripts. |
| 72019 | 2011-03-29 | bbPress Multiple Script Direct Request Path Disclosure | bbPress contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker sends a direct request to the /bb-templates/kakumei/edit-form.php, /bb-templates/kakumei/edit-post.php, /bb-templates/kakumei/footer.php or /bb-templates/kakumei/favorites.php script, which discloses the software's installation path, resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. |
| 75370 | 2011-03-29 | WESPA PHP Newsletter admin.php Administrator Password Manipulation | Unknown / Incomplete |
| 75388 | 2011-03-29 | Adobe Omniture Cookie Forcing Weakness | Unknown / Incomplete |
| 93207 | 2011-03-29 | MaxSite Anti Spam Image for WordPress 4e2342ffffc8 Parameter Replay CAPTCHA Bypass | MaxSite Anti Spam Image for WordPress contains a flaw that may allow an attacker to bypass the anti-automation CAPTCHA test. The flaw is triggered when an attacker supplies the same value for the '4e2342ffffc8' parameter on multiple pages, which allows the CAPTCHA check to be bypassed. |
| 72551 | 2011-03-28 | GNOME Display Manager (gdm) /var/cache/gdm/ Multiple File Symlink Local Privilege Escalation | (Description provided by CVE): GNOME Display Manager (gdm) 2.x before 2.32.1 allows local users to change the ownership of arbitrary files via a symlink attack on a (1) dmrc or (2) face icon file under /var/cache/gdm/. |
| 71353 | 2011-03-28 | HP Diagnostics Unspecified XSS | HP Diagnostics contains a flaw that allows a remote cross-site scripting (XSS) attack. The application does not validate certain unspecified input before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 72182 | 2011-03-28 | Invensys Wonderware InBatch BatchField ActiveX Unspecified Overflow | Wonderware InBatch is prone to an overflow condition. The BatchField ActiveX control fails to properly sanitize user-supplied input, resulting in a stack-based buffer overflow. This may be exploited by a remote attacker to cause a denial of service or allow the execution of arbitrary code. |
| 75361 | 2011-03-28 | Alkacon OpenCMS Cookie HTTPOnly Flag Weakness | Alkacon OpenCMS contains a flaw that may lead to unauthorized information disclosure. The HTTPOnly attribute is not set on multiple cookies, so their values can be read or set from script, allowing a remote attacker to obtain sensitive information by accessing the cookie. |
| 71420 | 2011-03-28 | Zend Server Java Bridge Component Remote Code Execution | Zend Server contains a flaw in the Java Bridge component. The issue is triggered when a remote attacker sends specially crafted messages to the javamw.jar service on TCP port 10001. This may allow an attacker to execute arbitrary code. |
| 71284 | 2011-03-28 | Alkacon OpenCMS opencms/opencms/system/workplace/commons/report-locks.jsp Multiple Parameter XSS | Alkacon OpenCMS contains a flaw that allows a remote cross-site scripting (XSS) attack. The application does not validate the 'resourcelist' and 'includerelated' parameters upon submission to the opencms/opencms/system/workplace/commons/report-locks.jsp script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71285 | 2011-03-28 | Alkacon OpenCMS opencms/opencms/system/workplace/views/explorer/contextmenu.jsp acttarget Parameter XSS | Alkacon OpenCMS contains a flaw that allows a remote cross-site scripting (XSS) attack. The application does not validate the 'acttarget' parameter upon submission to the opencms/opencms/system/workplace/views/explorer/contextmenu.jsp script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71838 | 2011-03-28 | ikiwiki meta stylesheet XSS | ikiwiki contains a flaw that allows a remote cross-site scripting (XSS) attack. The application does not validate the input passed via the 'meta stylesheet' directive before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 75362 | 2011-03-28 | Alkacon OpenCMS Multiple Password Field Autocomplete XSS Disclosure | Unknown / Incomplete |
| 75363 | 2011-03-28 | DotCloud account/create next Parameter Arbitrary Site Redirect | Unknown / Incomplete |
| 75364 | 2011-03-28 | DotCloud account/login next Parameter Arbitrary Site Redirect | Unknown / Incomplete |
| 75365 | 2011-03-28 | DotCloud Cleartext Credential Information Disclosure | Unknown / Incomplete |