[CLOSE] OSVDB ID : 71235 - Disclosed: 2011-03-15

Description:

Nostromo contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the URL. This directory traversal attack would allow the attacker to access arbitrary files or execute arbitrary shell commands.

[CLOSE] OSVDB ID : 72532 - Disclosed: 2011-03-15

Description:

(Description Provided by CVE) : Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call.

[CLOSE] OSVDB ID : 75089 - Disclosed: 2011-03-15

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 71192 - Disclosed: 2011-03-15

Description:

b2evolution contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'p' parameter upon submission to the blogs/htsrv/comment_post.php script when commenting on a blog. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 71230 - Disclosed: 2011-03-15

Description:

LotusCMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'title' parameter upon submission to the core/model/GeneralSettingsModel.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 71231 - Disclosed: 2011-03-15

Description:

LotusCMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'seodescription' parameter upon submission to the core/model/SEOModel.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 71232 - Disclosed: 2011-03-15

Description:

LotusCMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'page' parameter upon submission to the core/model/PageModel.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 71233 - Disclosed: 2011-03-15

Description:

LotusCMS contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the core/model/UsersModel.php script does not require multiple steps or explicit confirmation for sensitive transactions for the addition of administrator users. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 71237 - Disclosed: 2011-03-15

Description:

LotusCMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'title' parameter upon submission to the modules/Menu/MenuModuleAdmin.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 72036 - Disclosed: 2011-03-15

Description:

xt:Commerce contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker sends a direct request to the xtFramework/admin/default_lang_definitions.inc.php, xtFramework/library/adodb/contrib/toxmlrpc.inc.php or xtFramework/library/PhpExt/AutoLoadConfigObject.php script, which discloses the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

[CLOSE] OSVDB ID : 72039 - Disclosed: 2011-03-15

Description:

OXID eShop contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker sends a direct request to the config.inc.php, admin/actions.php, views/search.php or core/oxarticle.php script, which discloses the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

[CLOSE] OSVDB ID : 73748 - Disclosed: 2011-03-15

Description:

(Description Provided by CVE) : ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

[CLOSE] OSVDB ID : 73706 - Disclosed: 2011-03-15

Description:

(Description Provided by CVE) : The Debian GNU/Linux /etc/cron.d/php5 cron job for PHP 5.3.5 allows local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/.

[CLOSE] OSVDB ID : 75332 - Disclosed: 2011-03-15

Description:

LotusCMS contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the core/model/PageModel.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'page' parameter. This directory traversal attack would allow the attacker to access arbitrary files.

[CLOSE] OSVDB ID : 79391 - Disclosed: 2011-03-15

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 87693 - Disclosed: 2011-03-15

Description:

CodeIgniter contains a flaw that is triggered when the program fails to set the secure flag for the session cookie in an HTTPS session. Without this flag, a web browser may transmit the cookie in cleartext (i.e., unencrypted) potentially allowing it to be intercepted.

[CLOSE] OSVDB ID : 87942 - Disclosed: 2011-03-15

Description:

IBM WebSphere Message Broker is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a stack overflow. With a specially crafted HTTP request node, a remote attacker can potentially execute arbitrary code or cause a denial of service.

[CLOSE] OSVDB ID : 92867 - Disclosed: 2011-03-15

Description:

Memcached contains a flaw that may allow a remote denial of service. The issue is triggered during the handling of a malformed packet. This may allow a remote attacker to crash the program.

[CLOSE] OSVDB ID : 71121 - Disclosed: 2011-03-14

Description:

Qualitynet CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the dynamic-menu.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 71122 - Disclosed: 2011-03-14

Description:

Qualitynet CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the content_page.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 75100 - Disclosed: 2011-03-14

Description:

(Description Provided by CVE) : /etc/init.d/boot.localfs in the aaa_base package before 11.2-43.48.1 in SUSE openSUSE 11.2, and before 11.3-8.7.1 in openSUSE 11.3, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/mtab.

[CLOSE] OSVDB ID : 71331 - Disclosed: 2011-03-14

Description:

Xen contains a flaw that may allow a local denial of service. The issue is triggered when the 'arch_set_info_guest()' function in 'xen/arch/x86/domain.c' fails to properly verify the presence of a valid usermode pagetable, resulting in a loss of availability.

[CLOSE] OSVDB ID : 71254 - Disclosed: 2011-03-14

Description:

A memory corruption flaw exists in Adobe Flash Player and AIR, and the Authplay.dll component in Reader and Acrobat. The ActionScript Virtual Machine 2 component fails to sanitize user-supplied input when handling certain instruction sequences, resulting in memory corruption. With a specially crafted .swf file, a context-dependent attacker can execute arbitrary code.

[CLOSE] OSVDB ID : 75095 - Disclosed: 2011-03-14

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 75096 - Disclosed: 2011-03-14

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 74380 - Disclosed: 2011-03-14

Description:

(Description Provided by CVE) : Google Chrome 11 does not block use of a cross-domain image as a WebGL texture, which allows remote attackers to obtain approximate copies of arbitrary images via a timing attack involving a crafted WebGL fragment shader.

[CLOSE] OSVDB ID : 75282 - Disclosed: 2011-03-14

Description:

(Description Provided by CVE) : login.aspx in the SmarterTools SmarterStats 6.0 web server does not include the HTTPOnly flag in a Set-Cookie header for the loginsettings cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

[CLOSE] OSVDB ID : 75283 - Disclosed: 2011-03-14

Description:

(Description Provided by CVE) : Login.aspx in the SmarterTools SmarterStats 6.0 web server generates a ctl00$MPH$txtPassword password form field without disabling the autocomplete feature, which makes it easier for remote attackers to bypass authentication by leveraging an unattended workstation.

[CLOSE] OSVDB ID : 75313 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'browsesubmit' parameter upon submission to the /administrator/archives/index.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75314 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'dsn' parameter upon submission to the /administrator/datasources/derbyEmbedded.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75315 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the /administrator/extensions/corbaedit.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75316 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'logfile' parameter upon submission to the /administrator/logviewer/searchlog.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75318 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'browsesubmit' parameter upon submission to the /administrator/settings/jvm.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75317 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'fontPath' and 'browsesubmit' parameters upon submission to the /administrator/settings/fonts.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75319 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'browsesubmit' parameter upon submission to the /administrator/settings/mappings.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75320 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'browsesubmit' parameter upon submission to the /administrator/settings/version.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75321 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'browsesubmit' parameter upon submission to the /administrator/analyzer/index.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75322 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'browsesubmit' parameter upon submission to the /administrator/archives/index.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75323 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the /administrator/extensions/corbaedit.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 75324 - Disclosed: 2011-03-14

Description:

The Administrator Console in Adobe ColdFusion contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'logfile' parameter upon submission to the /administrator/logviewer/searchlog.cfm script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.