[CLOSE] OSVDB ID : 81610 - Disclosed: 2012-04-27

Description:

MySQLDumper contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'page' and 'phase' parameters upon submission to the install.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81611 - Disclosed: 2012-04-27

Description:

MySQLDumper contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'bid' and 'tablename' parameters upon submission to the sql.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81615 - Disclosed: 2012-04-27

Description:

MySQLDumper contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the filemanagement.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'f' parameter. This directory traversal attack would allow the attacker to read arbitrary files.

[CLOSE] OSVDB ID : 81616 - Disclosed: 2012-04-27

Description:

MySQLDumper contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a direct request is sent to the functions.php, restore.php or dump.php scripts, which will disclose sensitive information to a remote attacker.

[CLOSE] OSVDB ID : 82212 - Disclosed: 2012-04-27

Description:

Feather CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the contact.asp script not properly sanitizing user-supplied input to the 'type' and 'show' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 82211 - Disclosed: 2012-04-27

Description:

Feather CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the company.asp script not properly sanitizing user-supplied input to the 'type' and 'show' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 82210 - Disclosed: 2012-04-27

Description:

Feather CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the events.asp script not properly sanitizing user-supplied input to the 'type' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81494 - Disclosed: 2012-04-27

Description:

PHP Volunteer Management contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'id' parameter upon submission to the get_hours.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81589 - Disclosed: 2012-04-27

Description:

ASP-DEv XM Diary contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the default.asp script not properly sanitizing user-supplied input to the 'view_date' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81590 - Disclosed: 2012-04-27

Description:

ASP-DEv XM Diary contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the diary_view.asp script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81591 - Disclosed: 2012-04-27

Description:

ASP-DEv XM Forums contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the profile.asp script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81592 - Disclosed: 2012-04-27

Description:

ASP-DEv XM Forums contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the forum.asp script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81593 - Disclosed: 2012-04-27

Description:

ASP-DEv XM Forums contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the topic.asp script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81599 - Disclosed: 2012-04-27

Description:

BBSXP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ShowPost.asp script not properly sanitizing user-supplied input to the 'ThreadID' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81600 - Disclosed: 2012-04-27

Description:

BBSXP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the blog.asp script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81605 - Disclosed: 2012-04-27

Description:

Fabran CMS contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the index.php script not properly sanitizing user input supplied to the 'p' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 82112 - Disclosed: 2012-04-27

Description:

FlirtPortal Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the rub.php script not properly sanitizing user-supplied input to the 'rub' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81613 - Disclosed: 2012-04-27

Description:

MySQLDumper contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the deletion of application protection, dropping of databases, uninstallation of applications, manipulation of passwords, or execution of SQL commands. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 81614 - Disclosed: 2012-04-27

Description:

MySQLDumper contains a flaw that allows a remote user to execute arbitrary PHP code. This flaw exists because the program does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the user to execute the script.

[CLOSE] OSVDB ID : 81640 - Disclosed: 2012-04-27

Description:

Quest Toad for Data Analysts contains a flaw related to the %CommonProgramFiles%\Quest Shared directory and some of its child objects. The issue is triggered by the 'Everyone' group being given 'Full Control' by default, which may allow a local attacker to remove, manipulate, or delete files.

[CLOSE] OSVDB ID : 82208 - Disclosed: 2012-04-27

Description:

Feather CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the case.asp script not properly sanitizing user-supplied input to the 'type' and 'show' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 82209 - Disclosed: 2012-04-27

Description:

Feather CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the service.asp script not properly sanitizing user-supplied input to the 'type' and 'show' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 82217 - Disclosed: 2012-04-27

Description:

FlirtPortal Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index_start.php script not properly sanitizing user-supplied input to the 'trefferid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 82324 - Disclosed: 2012-04-27

Description:

ALO EasyMail Newsletter Plugin for WordPress contains multiple flaws that may allow a remote cross-site scripting (XSS) attack. These flaws exist because the application does not validate certain unspecified input before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 85540 - Disclosed: 2012-04-27

Description:

ubiquity-slideshow-ubuntu contains a flaw that is triggered when the application fails to properly validate twitter feeds during system installation. This may allow a remote attacker to spoof a twitter feed via a man-in-the-middle (MitM) attack.

[CLOSE] OSVDB ID : 81495 - Disclosed: 2012-04-27

Description:

PHP Volunteer Management contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the get_hours.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81562 - Disclosed: 2012-04-27

Description:

DiY-CMS contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the manipulation of accounts. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 81497 - Disclosed: 2012-04-27

Description:

Axous contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the page.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81498 - Disclosed: 2012-04-27

Description:

Nokia PC Suite Video Manager contains a flaw that may allow a remote denial of service. The issue is triggered when handling MP4 files, and will result in loss of availability for the application.

[CLOSE] OSVDB ID : 81594 - Disclosed: 2012-04-27

Description:

Amauta Consultores CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the node_events.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81595 - Disclosed: 2012-04-27

Description:

Amauta Consultores CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the node_news.php script not properly sanitizing user-supplied input to the 'idnew' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81596 - Disclosed: 2012-04-27

Description:

Amauta Consultores CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the node.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81597 - Disclosed: 2012-04-27

Description:

Amauta Consultores CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the photos.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81598 - Disclosed: 2012-04-27

Description:

Amauta Consultores CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.asp script not properly sanitizing user-supplied input to the 'p' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81601 - Disclosed: 2012-04-27

Description:

BBSXP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the ShowForum.asp script not properly sanitizing user-supplied input to the 'ForumID' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81602 - Disclosed: 2012-04-27

Description:

BBSXP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the Profile.asp script not properly sanitizing user-supplied input to the 'UserName' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81603 - Disclosed: 2012-04-27

Description:

BBSXP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the print.asp script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81604 - Disclosed: 2012-04-27

Description:

DreamArticle CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'keyword' parameter upon submission to the search.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 82111 - Disclosed: 2012-04-27

Description:

Feather CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the products.asp script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 82206 - Disclosed: 2012-04-27

Description:

Feather CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the recommend.asp script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.