[CLOSE] OSVDB ID : 93100 - Disclosed: 2013-05-07

Description:

NetApp OnCommand System Manager contains a flaw that allows a persistent cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'comment' parameter upon submission to the group management interface. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93099 - Disclosed: 2013-05-07

Description:

NetApp OnCommand System Manager contains a flaw that allows a persistent cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'comment' parameter upon submission to the share management interface. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93103 - Disclosed: 2013-05-07

Description:

NetApp OnCommand System Manager contains a flaw that is triggered when retrieving log files through the SnapMirror interface. This may allow a remote attacker to gain access to arbitrary files by manipulating the file path.

[CLOSE] OSVDB ID : 93102 - Disclosed: 2013-05-07

Description:

NetApp OnCommand System Manager contains a flaw that is triggered when using the Halt/Reboot interface, which may allow a remote attacker to execute arbitrary commands. No further details have been provided by the researcher.

[CLOSE] OSVDB ID : 93185 - Disclosed: 2013-05-07

Description:

isco Unified Presence (CUP) contains a flaw in the Web Framework that may allow a remote denial of service. The issue is due to the program failing to properly handle memory allocation during the handling of a saturation of malformed TCP packets. This may allow a remote attacker to consume memory resources indefinitely, even after the attack has ceased. The memory will not release until the system has been rebooted.

[CLOSE] OSVDB ID : 93364 - Disclosed: 2013-05-07

Description:

Related Posts by Zemanta Plugin for WordPress contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into changing plugin settings in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 93529 - Disclosed: 2013-05-07

Description:

Moodle contains a flaw that is due to the program failing to properly check for permissions when viewing comments on blog posts. This may allow a remote attacker to potentially gain unauthorized access.

[CLOSE] OSVDB ID : 93074 - Disclosed: 2013-05-07

Description:

SAP ERP Central Component (ECC) contains a flaw in the remote function module. The issue is triggered when handling RFC or SOAP-RFC calls. This may allow a remote attacker to execute arbitrary code.

[CLOSE] OSVDB ID : 93077 - Disclosed: 2013-05-07

Description:

Invensys Wonderware Information Server (WIS) contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93076 - Disclosed: 2013-05-07

Description:

Invensys Wonderware Information Server (WIS) contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the program not properly sanitizing user-supplied input before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 93096 - Disclosed: 2013-05-07

Description:

WP-PostViews Plugin for WordPress contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into changing plugin settings in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 93097 - Disclosed: 2013-05-07

Description:

NetApp OnCommand System Manager contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'comment' parameter upon submission to the LUN management interface. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93094 - Disclosed: 2013-05-07

Description:

Red Hat OpenShift Origin contains a flaw that is due to the program failing to properly validate input during the handling of a specially crafted URL. This may allow a context-dependent attacker to execute arbitrary commands.

[CLOSE] OSVDB ID : 93114 - Disclosed: 2013-05-07

Description:

Adobe ColdFusion contains a flaw that allows an attacker to traverse outside of a restricted path. The issue is due to administrator/mail/download.cfm not properly sanitizing user input, specifically directory traversal style attacks (e.g. '../../') supplied via the 'filename' parameter. This directory traversal attack would allow a remote attacker to read arbitrary files.

[CLOSE] OSVDB ID : 93363 - Disclosed: 2013-05-07

Description:

Related Posts Plugin for WordPress contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into changing plugin settings in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 93362 - Disclosed: 2013-05-07

Description:

WordPress Related Posts Plugin for WordPress contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into changing plugin settings in the context of their session with the application, without further prompting or verification.

[CLOSE] OSVDB ID : 93037 - Disclosed: 2013-05-07

Description:

nginx contains an overflow condition in the ngx_http_parse_chunked() function in /http/ngx_http_parse.c. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted request. This may allow a remote attacker to cause a stack-based buffer overflow in a worker process, resulting in a denial of service or potentially allowing the execution of arbitrary code.

[CLOSE] OSVDB ID : 93527 - Disclosed: 2013-05-07

Description:

Moodle contains a flaw that may lead to the unauthorized disclosure of sensitive information. The issue is due to the Gradebook's overview report showing grade totals that may potentially incorrectly include hidden grades. This may allow a remote attacker to gain access to hidden grade information.

[CLOSE] OSVDB ID : 93066 - Disclosed: 2013-05-06

Description:

Brother MFC-9970CDW contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'kind' parameter upon submission to the /fax/copy_settings.html script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93011 - Disclosed: 2013-05-06

Description:

RSA Archer GRC contains a flaw that allows multiple remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate certain unspecified input before returning it to the user. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93093 - Disclosed: 2013-05-06

Description:

Brother MFC-9970CDW contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via an arbitrarily supplied URL parameter or the 'kind' parameter upon submission to the /fax/general_setup.html script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93032 - Disclosed: 2013-05-06

Description:

Xen contains a flaw related to the qemu guest agent creating the /var/log/qemu-ga.log, /var/run/qga.state, and /var/log/qga-fsfreeze-hook.log files insecurely. This may allow a local attacker to use a symlink attack against these files to gain elevated privileges.

[CLOSE] OSVDB ID : 93067 - Disclosed: 2013-05-06

Description:

Brother MFC-9970CDW contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'id' parameter upon submission to the /admin/log_to_net.htm script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93073 - Disclosed: 2013-05-06

Description:

Brother MFC-9970CDW contains a flaw that may lead to unauthorized disclosure of sensitive information. The issue is due to the program transmitting password information as cleartext across the network. This may allow a remote attacker to gain access to password information.

[CLOSE] OSVDB ID : 93072 - Disclosed: 2013-05-06

Description:

Brother MFC-9970CDW contains a flaw that is due to the login page having auto-complete on for the password field by default. This may allow a physically present attacker to more easily gain access to a user's account.

[CLOSE] OSVDB ID : 93071 - Disclosed: 2013-05-06

Description:

Brother MFC-9970CDW contains an unspecified leakage flaw that may allow a remote attacker to gain access to cross-domain referers. No further details have been provided by the researcher.

[CLOSE] OSVDB ID : 93070 - Disclosed: 2013-05-06

Description:

Brother MFC-9970CDW contains a flaw in multiple scripts that may allow a context-dependent attacker to have an load content from a page under their control within an iframe, which may allow them to cause a user's actions to have impacts unexpected to the user.

[CLOSE] OSVDB ID : 93064 - Disclosed: 2013-05-06

Description:

Cisco Linksys E4200 contains a flaw that may lead to unauthorized disclosure of sensitive information. The issue is due to the program transmitting password information as cleartext across the network. This may allow a remote attacker to gain access to password information.

[CLOSE] OSVDB ID : 93063 - Disclosed: 2013-05-06

Description:

Cisco Linksys E4200 contains a flaw that is due to the login page having auto-complete on for the password field by default. This may allow a physically present attacker to more easily gain access to a user's account.

[CLOSE] OSVDB ID : 93061 - Disclosed: 2013-05-06

Description:

Cisco Linksys E4200 contains an unspecified clickjacking issue that may allow a remote attacker to have an unspecified impact. No further details have been provided by the researcher.

[CLOSE] OSVDB ID : 93062 - Disclosed: 2013-05-06

Description:

Cisco Linksys E4200 contains an unspecified flaw that may allow a remote attacker to gain access to the private IP address. No further details have been provided by the researcher.

[CLOSE] OSVDB ID : 93065 - Disclosed: 2013-05-06

Description:

Cisco Linksys E4200 contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the device does not specify the HTML charset. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93091 - Disclosed: 2013-05-06

Description:

Cisco IOS contains a flaw in the ISM module for ISR G2 that may allow a remote denial of service. The issue is triggered during the processing of a malformed authenticated header packet via an established IPSec security association. This may allow an authenticated remote attacker to cause a device reload.

[CLOSE] OSVDB ID : 93092 - Disclosed: 2013-05-06

Description:

Brother MFC-9970CDW contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via the, 'id' or 'val' parameters, or another arbitrarily supplied URL parameter, upon submission to the /admin/profile_settings_net.html script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93438 - Disclosed: 2013-05-06

Description:

Jojo CMS contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'search' parameter upon submission to /forgot-password/. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93033 - Disclosed: 2013-05-06

Description:

WP Photo Album Plus Plugin for WordPress contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'commentid' parameter upon submission to the wp-admin/admin.php script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 93010 - Disclosed: 2013-05-06

Description:

RSA Archer GRC contains a flaw that allows a remote user to execute arbitrary PHP code. This flaw exists because the program does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the user to execute the script with the privileges of the web server.

[CLOSE] OSVDB ID : 93012 - Disclosed: 2013-05-06

Description:

RSA Archer GRC contains an unspecified flaw that may allow an authenticated remote attacker to modify global reports. No further details have been provided by the vendor.

[CLOSE] OSVDB ID : 93008 - Disclosed: 2013-05-06

Description:

Apache VCL contains an unspecified flaw in the web GUI that may allow a remote attacker to gain elevated privileges. No further details have been provided by the vendor.

[CLOSE] OSVDB ID : 93009 - Disclosed: 2013-05-06

Description:

Apache VCL contains an unspecified flaw in an unspecified function in the XMLRPC API that may allow a remote attacker to gain elevated privileges. No further details have been provided by the vendor.