CVE-2009-3533 (meeting_room_booking_system)
Written by Administrator
Friday, 02 October 2009 00:00
SQL injection vulnerability in report.php in Meeting Room Booking System (MRBS) before 1.4.2 allows remote attackers to execute arbitrary SQL commands via the typematch parameter. NOTE: some of these details are obtained from third party information.

CVE-2009-3542 (littlesite.php)
Friday, 02 October 2009 00:00
Directory traversal vulnerability in ls.php in LittleSite (aka LS or LittleSite.php) 0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php. NOTE: in some environments, this can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL.

CVE-2009-3535 (clear_content)
Friday, 02 October 2009 00:00
Directory traversal vulnerability in image.php in Clear Content 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter. NOTE: the researcher also suggests an analogous PHP remote file inclusion vulnerability, but this may be incorrect.

CVE-2009-3541 (phpgenealogy)
Friday, 02 October 2009 00:00
PHP remote file inclusion vulnerability in CoupleDB.php in PHPGenealogy 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the DataDirectory parameter.

CVE-2009-3531 (universe_cms)
Friday, 02 October 2009 00:00
SQL injection vulnerability in vnews.php in Universe CMS 1.0.6 allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVE-2009-3540 (ultra_classifieds_pro)
Friday, 02 October 2009 00:00
Cross-site scripting (XSS) vulnerability in listads.php in YourFreeWorld Ultra Classifieds Pro allows remote attackers to inject arbitrary web script or HTML via the cn parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Friday, 02 October 2009 00:00
Multiple stack-based buffer overflows in EpicDJSoftware EpicVJ 1.2.8.0 and 1.3.1.2 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a (1) .m3u or (2) .mpl playlist file.

CVE-2009-3539 (ultra_classifieds_pro)
Friday, 02 October 2009 00:00
Multiple cross-site scripting (XSS) vulnerabilities in YourFreeWorld Ultra Classifieds Pro allow remote attackers to inject arbitrary web script or HTML via the (1) cname parameter to subclass.php and the (2) sn parameter to listads.php.

Friday, 02 October 2009 00:00
Directory traversal vulnerability in index.php in LionWiki 3.0.3, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter.

CVE-2009-3538 (clear_content)
Friday, 02 October 2009 00:00
Directory traversal vulnerability in thumb.php in Clear Content 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Friday, 02 October 2009 00:00
Multiple SQL injection vulnerabilities in login.asp (aka the login screen) in LogRover 2.3 and 2.3.3 on Windows allow remote attackers to execute arbitrary SQL commands via the (1) uname and (2) pword parameters. NOTE: some of these details are obtained from third party information.

Friday, 02 October 2009 00:00
Multiple stack-based buffer overflows in EpicDJSoftware EpicDJ 1.3.9.1 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a (1) .m3u or (2) .mpl playlist file.

Friday, 02 October 2009 00:00
Cross-site scripting (XSS) vulnerability in storefront.php in RadScripts RadBids Gold 4 allows remote attackers to inject arbitrary web script or HTML via the mode parameter.

Friday, 02 October 2009 00:00
SQL injection vulnerability in Profile.php in MyMsg 1.0.3 allows remote authenticated users to execute arbitrary SQL commands via the uid parameter in a show action.

CVE-2009-3543 (phenotype_cms)
Friday, 02 October 2009 00:00
SQL injection vulnerability in _phenotype/admin/login.php in Phenotype CMS before 2.9 allows remote attackers to execute arbitrary SQL commands via the user parameter (aka the login name).

CVE-2009-3509 (cj_dynamic_poll)
Thursday, 01 October 2009 00:00
Cross-site scripting (XSS) vulnerability in admin/admin_index.php in CJ Dynamic Poll PRO 2.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

Thursday, 01 October 2009 00:00
Directory traversal vulnerability in modules.php in CMSphp 0.21 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the mod_file parameter.

CVE-2009-3513 (pg_etraining)
Thursday, 01 October 2009 00:00
Multiple cross-site scripting (XSS) vulnerabilities in Pilot Group (PG) eTraining allow remote attackers to inject arbitrary web script or HTML via (1) the cat_id parameter to courses_login.php, the id parameter to (2) news_read.php or (3) lessons_login.php, or (4) the cur parameter in a start action to lessons_login.php.

Thursday, 01 October 2009 00:00
nfs.ext in IBM AIX 5.3.x through 5.3.9 and 6.1.0 through 6.1.2 does not properly use the nfs_portmon setting, which allows remote attackers to bypass intended access restrictions for NFSv4 shares via unspecified vectors.

CVE-2009-3515 (d.net_cms)
Thursday, 01 October 2009 00:00
Directory traversal vulnerability in dnet_admin/index.php in d.net CMS allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the type parameter.

Thursday, 01 October 2009 00:00
A certain Red Hat modification to the ChrootDirectory feature in OpenSSH 4.8, as used in sshd in OpenSSH 4.3 in Red Hat Enterprise Linux (RHEL) 5.4 and Fedora 11, allows local users to gain privileges via hard links to setuid programs that use configuration files within the chroot directory, related to requirements for directory ownership.

CVE-2009-3511 (justvisual)
Thursday, 01 October 2009 00:00
Multiple PHP remote file inclusion vulnerabilities in justVisual 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the fs_jVroot parameter to (1) sites/site/pages/index.php, (2) sites/test/pages/contact.php, (3) system/pageTemplate.php, and (4) system/utilities.php.

CVE-2009-3521 (tivoli_composite_application_manager_for_wesbsphere)
Thursday, 01 October 2009 00:00
Multiple cross-site scripting (XSS) vulnerabilities in the Visualization Engine (VE) in IBM Tivoli Composite Application Manager for WebSphere (ITCAM) 6.1.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Thursday, 01 October 2009 00:00
gssd in IBM AIX 5.3.x through 5.3.9 and 6.1.0 through 6.1.2 does not properly handle the NFSv4 Kerberos credential cache, which allows local users to bypass intended access restrictions for Kerberized NFSv4 shares via unspecified vectors.

Thursday, 01 October 2009 00:00
Cross-site request forgery (CSRF) vulnerability in the Your_account module in CMSphp 0.21 allows remote attackers to hijack the authentication of administrators for requests that change an administrator password via the pseudo, pwd, and uid parameters in an admin_info_user_verif action.

CVE-2009-0209 (pi_server)
Thursday, 01 October 2009 00:00
PI Server in OSIsoft PI System before 3.4.380.x does not properly use encryption in the default authentication process, which allows remote attackers to read or modify information in databases via unspecified vectors.

CVE-2009-3519 (opensolaris)
Thursday, 01 October 2009 00:00
Multiple memory leaks in the IP module in the kernel in Sun Solaris 8 through 10, and OpenSolaris before snv_109, allow local users to cause a denial of service (memory consumption) via vectors related to (1) M_DATA, (2) M_PROTO, (3) M_PCPROTO, and (4) M_SIG STREAMS messages.

CVE-2009-3514 (d.net_cms)
Thursday, 01 October 2009 00:00
Multiple SQL injection vulnerabilities in d.net CMS allow remote attackers to execute arbitrary SQL commands via (1) the page parameter to index.php; and allow remote authenticated administrators to execute arbitrary SQL commands via the (2) edit_id and (3) _p parameter in a news action to dnet_admin/index.php.

CVE-2009-3518 (installation_manager)
Thursday, 01 October 2009 00:00
Argument injection vulnerability in the iim: URI handler in IBMIM.exe in IBM Installation Manager 1.3.2 and earlier, as used in IBM Rational Robot and Rational Team Concert, allows remote attackers to load arbitrary DLL files via the -vm option, as demonstrated by a reference to a UNC share pathname.

Thursday, 01 October 2009 00:00
Multiple cross-site scripting (XSS) vulnerabilities in MyWeight 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) date parameter to user_addfood.php, info parameter to (2) user_forgot_pwd_form.php and (3) user_login.php, and (4) return parameter to user_login.php.

CVE-2009-3524 (avast_antivirus_home, avast_antivirus_professional)
Thursday, 01 October 2009 00:00
Unspecified vulnerability in ashWsFtr.dll in avast! Home and Professional for Windows before 4.8.1356 has unknown impact and local attack vectors.

CVE-2009-3510 (linkspheric)
Thursday, 01 October 2009 00:00
SQL injection vulnerability in viewListing.php in linkSpheric 0.74 Beta 6 allows remote attackers to execute arbitrary SQL commands via the listID parameter.

CVE-2009-3523 (avast_antivirus_home, avast_antivirus_professional)
Thursday, 01 October 2009 00:00
aavmKer4.sys in avast! Home and Professional for Windows before 4.8.1356 does not properly validate input to IOCTLs (1) 0xb2d6000c and (2) 0xb2d60034, which allows local users to gain privileges via IOCTL requests using crafted kernel addresses that trigger memory corruption, a different vulnerability than CVE-2008-1625.

Thursday, 01 October 2009 00:00
Multiple directory traversal vulnerabilities in MUJE CMS 1.0.4.34 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) _class parameter to admin.php and the (2) url parameter to install/install.php; and allow remote authenticated administrators to read arbitrary files via a .. (dot dot) in the (3) _htmlfile parameter to admin.php.

CVE-2009-3522 (avast_antivirus_home, avast_antivirus_professional)
Thursday, 01 October 2009 00:00
Stack-based buffer overflow in aswMon2.sys in avast! Home and Professional for Windows 4.8.1351, and possibly other versions before 4.8.1356, allows local users to cause a denial of service (system crash) and possibly gain privileges via a crafted IOCTL request to IOCTL 0xb2c80018.

Thursday, 01 October 2009 00:00
Multiple cross-site scripting (XSS) vulnerabilities in CMSphp 0.21 allow remote attackers to inject arbitrary web script or HTML via the (1) cook_user parameter to index.php and the (2) name parameter to modules.php.

CVE-2009-2589 (hutscripts_php_website_script)
Friday, 24 July 2009 00:00
Multiple cross-site scripting (XSS) vulnerabilities in Hutscripts PHP Website Script allow remote attackers to inject arbitrary web script or HTML via the msg parameter to (1) feedback.php, (2) index.php, and (3) lostpassword.php.

Friday, 24 July 2009 00:00
Cross-site scripting (XSS) vulnerability in productSearch.html in Censura 2.0.4 and 2.1.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter in a ProductSearch action.

Friday, 24 July 2009 00:00
SQL injection vulnerability in index.php in Mlffat 2.2 allows remote attackers to execute arbitrary SQL commands via a member cookie in an account editprofile action, a different vector than CVE-2009-1731.

Friday, 24 July 2009 00:00
Cross-site scripting (XSS) vulnerability in censura.php in Censura 1.16.04 allows remote attackers to inject arbitrary web script or HTML via the itemid parameter in a details action.