[CLOSE] OSVDB ID : 93421 - Disclosed: 2013-05-14

Description:

Newsletter Plugin for WordPress contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'alert' parmaeter upon submission to the /wp-content/plugins/newsletter/subscription/page.php script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93259 - Disclosed: 2013-05-11

Description:

Securimage-WP Plugin for WordPress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the siwp_test.php script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93439 - Disclosed: 2013-05-10

Description:

Securimage contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the URL upon submission to the example_form.php script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93143 - Disclosed: 2013-05-08

Description:

Symantec Brightmail Gateway contains a flaw that allows multiple persistent cross-site scripting (XSS) attacks in administrative-interface pages in the management console. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93185 - Disclosed: 2013-05-07

Description:

isco Unified Presence (CUP) contains a flaw in the Web Framework that may allow a remote denial of service. The issue is due to the program failing to properly handle memory allocation during the handling of a saturation of malformed TCP packets. This may allow a remote attacker to consume memory resources indefinitely, even after the attack has ceased. The memory will not release until the system has been rebooted.

[CLOSE] OSVDB ID : 93234 - Disclosed: 2013-05-07

Description:

MoinMoin WikiSandbox contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'target' parameter. This directory traversal attack would allow a remote attacker to overwrite an arbitrary file.

[CLOSE] OSVDB ID : 92988 - Disclosed: 2013-05-02

Description:

EMC NetWorker contains a flaw that leads to unauthorized privileges being gained. The issue is triggered when the nsprush process sets weak permissions on certain unspecified files. This may allow a local attacker to to gain elevated privileges.

[CLOSE] OSVDB ID : 92989 - Disclosed: 2013-05-02

Description:

EMC Avamar Server contains a flaw in the web based file restore interface that is triggered during the handling of a specially crafted URL. This may allow a remote attacker to gain access to arbitrary files.

[CLOSE] OSVDB ID : 92990 - Disclosed: 2013-05-02

Description:

EMC Avamar Client contains a flaw related to certificate validation. The issue is due to the server hostname not being verified to match a domain name in the Subject's Common Name (CN) or SubjectAltName field of the X.509 certificate. This may allow a man-in-the-middle attacker to spoof SSL servers via an arbitrary certificate that appears valid. Such an attack would allow for the interception of sensitive traffic, and potentially allow for the injection of content into the SSL stream.

[CLOSE] OSVDB ID : 92844 - Disclosed: 2013-04-26

Description:

IBM SPSS SamplePower contains an unspecified flaw in the Vsflex8l ActiveX control that may allow a context-dependent attacker to potentially execute arbitrary code. No further details have been provided by the vendor.

[CLOSE] OSVDB ID : 92845 - Disclosed: 2013-04-26

Description:

IBM SPSS SamplePower contains an unspecified flaw in the c1sizer ActiveX control that may allow a context-dependent attacker to potentially execute arbitrary code. No further details have been provided by the vendor.

[CLOSE] OSVDB ID : 92846 - Disclosed: 2013-04-26

Description:

IBM SPSS SamplePower contains an unspecified flaw in the vsflex7l ActiveX control that may allow a context-dependent attacker to potentially execute arbitrary code. No further details have been provided by the vendor.

[CLOSE] OSVDB ID : 92798 - Disclosed: 2013-04-25

Description:

IBM Application Support Facility contains a flaw in the the 'Document Connect for ASF' feature that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92799 - Disclosed: 2013-04-25

Description:

IBM Application Support Facility contains an unspecified flaw in the 'Document Connect for ASF' feature. This may allow a context-dependent attacker to inject links. No further details have been provided by the vendor.

[CLOSE] OSVDB ID : 92694 - Disclosed: 2013-04-23

Description:

ERDAS ER Viewer contains an overflow condition in the ERM_convert_to_correct_webpath() function in ermapper_u.dll. The issue is triggered as user-supplied input is not properly validated during the handling of a specially crafted ERS file. This may allow a context-dependent attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

[CLOSE] OSVDB ID : 92512 - Disclosed: 2013-04-17

Description:

Cisco Network Admission Control (NAC) Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the program not properly sanitizing user-supplied input to the sortColumn or filter URL parameters before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the execution of arbitrary code.

[CLOSE] OSVDB ID : 92509 - Disclosed: 2013-04-16

Description:

aiContactSafe Component for Joomla! contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92319 - Disclosed: 2013-04-14

Description:

Todoo Forum contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'id_post' and 'pg' parameters upon submission to the todooforum.php script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92318 - Disclosed: 2013-04-14

Description:

Todoo Forum contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the todooforum.php script not properly sanitizing user-supplied input to the 'id_post' and 'pg' parameters. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 92264 - Disclosed: 2013-04-11

Description:

Spider Video Player Plugin for WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /wp-content/plugins/player/settings.php script not properly sanitizing user-supplied input to the 'theme' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 92265 - Disclosed: 2013-04-11

Description:

RT has been reported to contain a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /Approvals/ script not properly sanitizing user-supplied input to the 'ShowPending' parameter. Subsequent examination by the vendor, and apparently the researcher, has found that the reported vulnerability is incorrect.

[CLOSE] OSVDB ID : 92218 - Disclosed: 2013-04-10

Description:

Cisco AnyConnect VPN Client contains multiple unspecified flaws that may allow a local attacker to gain elevated privileges. No further details have been provided by the vendor.

[CLOSE] OSVDB ID : 92219 - Disclosed: 2013-04-10

Description:

Cisco AnyConnect VPN client contains an overflow condition in the ciscod.exe file. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to cause a heap overflow, which may allow the attacker to gain elevated privileges.

[CLOSE] OSVDB ID : 92261 - Disclosed: 2013-04-10

Description:

JBoss Enterprise Portal Platform contains a flaw in the GateIn Portal component that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into performing multiple unspecified actions in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 92258 - Disclosed: 2013-04-10

Description:

Spiffy XSPF Player Plugin for WordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /wp-content/plugins/spiffy/playlist.php script not properly sanitizing user-supplied input to the 'playlist_id' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 92197 - Disclosed: 2013-04-09

Description:

Traffic Analyzer Plugin for WordPress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'aoid' parameter upon submission to the /wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92236 - Disclosed: 2013-04-09

Description:

ZAPms contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the /products script not properly sanitizing user-supplied input to the 'pid' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 92157 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'atrSeq', 'fieldName', 'listld', and 'parentListld' parameters upon submission to the /html/en/default/listEditor/listValuePicker.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92151 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'fieldName' parameter upon submission to the /html/en/default/smartobject/dateConversion.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92152 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'fieldName' parameter upon submission to the /html/en/default/smartobject/dateTimeConversion.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92158 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'specTypeId', 'parentSOCategoryId', 'parentSOTypeId', 'rowNo', 'parentSOId', 'refSpecTypeId', and 'parentSOSubCategoryId' parameters upon submission to the /html/en/default/appsecurity/addGroups.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92153 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'objectName' parameter upon submission to the /html/en/default/common/objectUsage.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92154 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'reportTemplId' parameter upon submission to the /html/en/default/reportTemplate/assocFilterList.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92159 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'recordState', 'oldName', and 'associatedField' parameters upon submission to the /html/en/default/reportTemplate/reportTemplateDesc.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92155 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'specClassType' parameter upon submission to the /html/en/default/docmgmt/objectupload/upload.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92156 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'parentSOId' and 'parentSOSubCategoryId' parameters upon submission to the /html/en/default/docmgmt/objectupload/dd/index.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92160 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'name', 'type', 'label', and 'description' parameters upon submission to the html/en/default/listEditor/listEditorMgrListType.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92161 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'moduleId', 'assBO', and 'propertyId' parameters upon submission to the /html/en/default/smartobjecttype/associateBOLoad.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92162 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'propertyId' parameter upon submission to the /html/en/default/smartobjecttype/associateBOModuleTree.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 92163 - Disclosed: 2013-04-08

Description:

IBM TRIRIGA Application Platform contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'tempSpecId' parameter upon submission to the /html/en/default/om2/omComparisonReport.jsp script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.