[CLOSE] OSVDB ID : 81322 - Disclosed: 2012-04-23

Description:

A memory corruption flaw exists in SumatraPDF. The program fails to sanitize user-supplied input, resulting in memory corruption. With a specially crafted CHM or MOBI, a context-dependent attacker can execute arbitrary code.

[CLOSE] OSVDB ID : 82026 - Disclosed: 2012-04-23

Description:

PolarSSL contains a flaw that is triggered by a weakness in the encryption of Diffie-Hellman and RSA when generating keys. This may allow an attacker to brute force a private value and master secret as well as perform a man in the middle attack and disclose the communication channel.

[CLOSE] OSVDB ID : 82252 - Disclosed: 2012-04-23

Description:

Google Chrome contains a flaw related to the plug-in V8 JavaScript bindings. With a specially crafted web page, a context-dependent attacker can corrupt memory and potentially execute arbitrary code.

[CLOSE] OSVDB ID : 84756 - Disclosed: 2012-04-23

Description:

SPIP contains multiple unspecified flaws. No further details have been provided.

[CLOSE] OSVDB ID : 86727 - Disclosed: 2012-04-23

Description:

TreasonSMS and WiFiSMS contain a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the Send Messages module before returning it to the user. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 87741 - Disclosed: 2012-04-23

Description:

Havalite CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the 'input' or 'output' fields upon submission to the havalite/findReplace.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 87740 - Disclosed: 2012-04-23

Description:

Havalite CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'username' parameter upon submission to the havalite/hava_login.php script. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81713 - Disclosed: 2012-04-22

Description:

Serendipity contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'serendipity[textarea]' parameter upon submission to the serendipity_admin_image_selector.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81527 - Disclosed: 2012-04-22

Description:

phpMyBible contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'version' and 'chapter' parameters upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81581 - Disclosed: 2012-04-22

Description:

concrete5 contains a flaw when input passed via multiple parameters is not properly verified before being used in the index.php/search script, which may allow an attacker to gain access to potentially sensitive information. No further details have been provided.

[CLOSE] OSVDB ID : 81299 - Disclosed: 2012-04-22

Description:

The Dogma Soft CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the news.php script not properly sanitizing user-supplied input to the 'id' and 'nid' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81300 - Disclosed: 2012-04-22

Description:

Cox Web contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the shop.php script not properly sanitizing user-supplied input to the 'id' and 'maincatid' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81301 - Disclosed: 2012-04-22

Description:

Net-Shops contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'id' and 'search_product' parameters upon submission to the index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81302 - Disclosed: 2012-04-22

Description:

Mega File Manager contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the cimages.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'name' parameter. This directory traversal attack would allow the attacker to read arbitrary files.

[CLOSE] OSVDB ID : 81582 - Disclosed: 2012-04-22

Description:

concrete5 contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the program not properly sanitizing user-supplied input to the 'fID' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 82817 - Disclosed: 2012-04-22

Description:

OpenConnect is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a buffer overflow. When processing a greeting banner, a remote attacker can potentially cause a denial of service.

[CLOSE] OSVDB ID : 85267 - Disclosed: 2012-04-22

Description:

FFmpeg contains an unspecified double-free flaw related to libavcodec/mpeg12.c that is triggered when parsing extradata. No further details have been provided.

[CLOSE] OSVDB ID : 81451 - Disclosed: 2012-04-21

Description:

NET-i viewer contains a flaw related to the STWConfigNVR and STWConfig ActiveX controls. The issue is triggered when and error occurs in the ConnectDDNS() method, which may allow a remote attacker to execute arbitrary code.

[CLOSE] OSVDB ID : 81452 - Disclosed: 2012-04-21

Description:

NET-i ware services contains a flaw that may allow a remote denial of service. The issue is triggered when an endless loop occurs when parsing negative 32-bit fields. This will result in loss of availability for the services.

[CLOSE] OSVDB ID : 81453 - Disclosed: 2012-04-21

Description:

NET-i viewer is prone to an overflow condition related to the UMS_Ctrl and UMS_Ctrl_STW ActiveX controls. The BackupToAvi() method fails to properly sanitize user-supplied input submitted to the 'fname' parameter resulting in a stack-based buffer overflow. With a specially crafted string, a remote attacker can potentially execute arbitrary code.

[CLOSE] OSVDB ID : 81291 - Disclosed: 2012-04-20

Description:

Liferay Portal contains a flaw related to the JSON webservices. This issue may allow an attacker to create a new user with administrator privileges.

[CLOSE] OSVDB ID : 81448 - Disclosed: 2012-04-20

Description:

Zingiri Web Shop Plugin for WordPress contains multiple unspecified flaws. No further details have been provided.

[CLOSE] OSVDB ID : 81290 - Disclosed: 2012-04-20

Description:

Kaseya contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'adminName' parameter before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81293 - Disclosed: 2012-04-20

Description:

Anchor CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'user' parameter upon submission to the /admin/users/login script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81294 - Disclosed: 2012-04-20

Description:

Anchor CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'email' parameter upon submission to the /admin/users/amnesia script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81295 - Disclosed: 2012-04-20

Description:

Anchor CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'title' and 'slug' parameters upon submission to the /admin/posts/add script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81296 - Disclosed: 2012-04-20

Description:

Anchor CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'name' and 'title' parameters upon submission to the /admin/pages/add script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81297 - Disclosed: 2012-04-20

Description:

Anchor CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'real_name', 'email', and 'username' parameters upon submission to the /admin/users/add script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81298 - Disclosed: 2012-04-20

Description:

Anchor CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'description', 'sitename', and 'twitter' parameters upon submission to the /admin/metadata script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81331 - Disclosed: 2012-04-20

Description:

Microsoft Visual Studio Incremental Linker is prone to an overflow condition. The ConvertRgImgSymToRgImgSymEx function fails to properly sanitize user-supplied input resulting in a integer overflow. With a specially crafted COFF symbol table embedded in executables, a context-dependent attacker can potentially cause a denial of service or execute arbitrary code.

[CLOSE] OSVDB ID : 81444 - Disclosed: 2012-04-20

Description:

RubyGems contains a flaw related to the validation of SSL certificates when accessing certain services and APIs. This may allow a man-in-the-middle attacker to spoof a valid server.

[CLOSE] OSVDB ID : 81447 - Disclosed: 2012-04-20

Description:

TwitRocker2 for Android contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered by an unspecified error in the webview class, which will disclose sensitive information to a remote attacker.

[CLOSE] OSVDB ID : 81463 - Disclosed: 2012-04-20

Description:

WordPress contains a weakness that makes it easier to perform a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input upon submission to the wp-includes/formatting.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81464 - Disclosed: 2012-04-20

Description:

WordPress contains a weakness that may make it easier to perform a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input upon submission to the wp-comments-post.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81617 - Disclosed: 2012-04-20

Description:

Argyll Color Management System contains a Use-after-free flaw that occurs when handling ICC profile image files, which may allow a remote attacker to execute arbitrary code.

[CLOSE] OSVDB ID : 81279 - Disclosed: 2012-04-20

Description:

Waylu CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'id' parameter upon submission to the WebApps/products_xx.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 81280 - Disclosed: 2012-04-20

Description:

Waylu CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the WebApps/products_xx.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81281 - Disclosed: 2012-04-20

Description:

Trend Joinery contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the subcats.php script not properly sanitizing user-supplied input to the 'catkey' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81282 - Disclosed: 2012-04-20

Description:

JA-Programacao CMS contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the lerNoticia.php script not properly sanitizing user-supplied input to the 'id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 81283 - Disclosed: 2012-04-20

Description:

JA-Programacao CMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'id' parameter upon submission to the lerNoticia.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.