[CLOSE] OSVDB ID : 21232 - Disclosed: 2005-11-25

Description:

vTiger CRM contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Account Name' field upon submission to the index.php. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 21115 - Disclosed: 2005-11-25

Description:

HelpDesk Issue Manager contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the find.php script not properly sanitizing user-supplied input to several variables (id, detail[], orderdir and orderby). This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21095 - Disclosed: 2005-11-25

Description:

OASYS Lite contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'keyword' variable upon submission to the 'search.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 21101 - Disclosed: 2005-11-25

Description:

SupportTrio contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to index.php' not properly sanitizing user input supplied to the 'page' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

[CLOSE] OSVDB ID : 21116 - Disclosed: 2005-11-25

Description:

Online Work Order Suite Lite Edition contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.asp script not properly sanitizing user-supplied input to the 'keyword' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21110 - Disclosed: 2005-11-25

Description:

phpWordPress contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the "poll", "category", and "ctg" variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21099 - Disclosed: 2005-11-25

Description:

Pdjk-support Suite contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'rowstart', 'news_id' and 'faq_id' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21103 - Disclosed: 2005-11-25

Description:

AgileBill contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 24113 - Disclosed: 2005-11-25

Description:

(Description Provided by CVE) : The Users module in vTiger CRM 4.2 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary file in the templatename parameter, which is passed to the eval function.

[CLOSE] OSVDB ID : 21090 - Disclosed: 2005-11-25

Description:

SmartPPC Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'directory.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 21091 - Disclosed: 2005-11-25

Description:

SmartPPC Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'frames.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 21092 - Disclosed: 2005-11-25

Description:

SmartPPC Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'username' variable upon submission to the 'search.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 21163 - Disclosed: 2005-11-25

Description:

Clientexec contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'billshowid', 'billdetailid', 'fuse' and 'frmClientID' variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21162 - Disclosed: 2005-11-25

Description:

Fantastic News contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'news.php' script not properly sanitizing user-supplied input to the 'category' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21369 - Disclosed: 2005-11-25

Description:

EZI contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'invoices.php' script not properly sanitizing user-supplied input to the 'i' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21100 - Disclosed: 2005-11-24

Description:

(Description Provided by CVE) : PHP remote file inclusion vulnerability in support/index.php in DeskLance 2.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the main parameter.

[CLOSE] OSVDB ID : 24118 - Disclosed: 2005-11-24

Description:

(Description Provided by CVE) : SQL injection vulnerability in DeskLance 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the announce parameter.

[CLOSE] OSVDB ID : 21096 - Disclosed: 2005-11-24

Description:

KnowledgeBuilder contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'article' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21098 - Disclosed: 2005-11-24

Description:

KnowledgeBuilder contains a flaw that may allow a remote denial of service. The issue is triggered when a large amount of SQL queries are sent to the 'category' parameter in 'index.php' script, and will result in loss of availability for the service.

[CLOSE] OSVDB ID : 21094 - Disclosed: 2005-11-24

Description:

OKBSYS Lite contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'q' variable upon submission to the 'search.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 21102 - Disclosed: 2005-11-24

Description:

Support Center contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the "lorder", "Priority", "Status", "Category", "searchvalue", and "field" variables. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21117 - Disclosed: 2005-11-24

Description:

iDesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the faq.php script not properly sanitizing user-supplied input to the 'cat_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21085 - Disclosed: 2005-11-24

Description:

Orca Forum contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'forum.php' script not properly sanitizing user-supplied input to the 'msg' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21073 - Disclosed: 2005-11-24

Description:

A local overflow exists in SpeedCommander, Squeez, and ZipStar. The products fail to safely use the "lstrcat()" function in the "CxZIP60.dll", "CxZIP60u.dll", "CxUux60.dll", "CxUux60u.dll" modules while processing filename pathnames resulting in a stack-based overflow. With a specially crafted archive, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.

[CLOSE] OSVDB ID : 21108 - Disclosed: 2005-11-24

Description:

(Description Provided by CVE) : freeFTPd 1.0.10 allows remote authenticated users to cause a denial of service (null dereference and crash) via a PORT command with missing arguments.

[CLOSE] OSVDB ID : 21319 - Disclosed: 2005-11-24

Description:

SupportTrio contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'page' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21303 - Disclosed: 2005-11-23

Description:

digiSHOP contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search query not properly sanitizing user-supplied input to unspecified variable(s). This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21077 - Disclosed: 2005-11-23

Description:

Omnistar Live contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'kb.php' script not properly sanitizing user-supplied input to the 'id' and 'category_id' variables. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21075 - Disclosed: 2005-11-23

Description:

Ezyhelpdesk contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'edit_id', 'faq_id', and 'c_id' variables. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21076 - Disclosed: 2005-11-23

Description:

Ezyhelpdesk contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the search engine not properly sanitizing user-supplied input to the 'search_string' variable. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21074 - Disclosed: 2005-11-23

Description:

1-2-3 Music Store contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'process.php' script not properly sanitizing user-supplied input to the 'AlbumID' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21107 - Disclosed: 2005-11-23

Description:

(Description Provided by CVE) : SQL injection vulnerability in PHP Labs Top Auction allows remote attackers to execute arbitrary SQL commands via the (1) category and (2) type parameters to viewcat.php, or (3) certain search parameters. NOTE: later a disclosure reported the affected version as 1.0.

[CLOSE] OSVDB ID : 21070 - Disclosed: 2005-11-23

Description:

AFFCommerce contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'SubCategory.php' script not properly sanitizing user-supplied input to the 'cl' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21071 - Disclosed: 2005-11-23

Description:

AFFCommerce contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'ItemInfo.php' script not properly sanitizing user-supplied input to the 'item_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21072 - Disclosed: 2005-11-23

Description:

AFFCommerce contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'ItemReview.php' script not properly sanitizing user-supplied input to the 'item_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21069 - Disclosed: 2005-11-23

Description:

kPlaylist contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate "searchfor" variable upon submission to the kPlaylist script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 21062 - Disclosed: 2005-11-23

Description:

Tunez contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'songinfo.php' script not properly sanitizing user-supplied input to the 'song_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 21089 - Disclosed: 2005-11-23

Description:

sCssBoard contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'search_term' variables upon submission to the Search Module script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 21088 - Disclosed: 2005-11-23

Description:

SupportPro SupportDesk contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the post and view tickets parameters upon submission to the Ticket script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 21087 - Disclosed: 2005-11-23

Description:

Vote Caster contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'campaign_id' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.