[ Register | Login ]

Home PHP Scripts Contact News Articles RSS Readers Donations

Software Vulnerability

	Enter your search terms Submit search form
	Web www.amigura.co.uk

Main

Software Alerts

Software and Script Bug Exploits
Software Vulnerability
Random Feeds

Archives

| Jan 2012 | Dec 2011 | Nov 2011 | Oct 2011 | Sep 2011 | Aug 2011 | Jul 2011 | Jun 2011 | May 2011 | Apr 2011 | Mar 2011 | Feb 2011 | Jan 2011 | Dec 2010 | Nov 2010 | Oct 2010 | Sep 2010 | Aug 2010 | Jul 2010 | Jun 2010 | May 2010 | Apr 2010 | Mar 2010 | Feb 2010 | Jan 2010 | Dec 2009 | Nov 2009 | Oct 2009 | Sep 2009 | Aug 2009 | Jul 2009 | Jun 2009 | May 2009 | Apr 2009 | Mar 2009 | Feb 2009 | Jan 2009 | Dec 2008 | Nov 2008 | Oct 2008 | Sep 2008 | Aug 2008 | Jul 2008 | Jun 2008 | May 2008 | Apr 2008 | Mar 2008 | Feb 2008 | Jan 2008 | Dec 2007 | Nov 2007 |

Thu, 27 May 10
CVE-2009-4875 (fckeditor.java)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4875
FCKeditor.Java 2.4 allows remote attackers to cause a denial of service (infinite loop) via a malformed request parameter that contains "ctrl" characters.

Thu, 27 May 10
talkback
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4874
TalkBack 2.3.14 does not properly restrict access to the edit comment feature (comments.php), which allows remote attackers to modify comments.

Thu, 27 May 10
serv-u
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4873
Stack-based buffer overflow in the HTTP server in Rhino Software Serv-U Web Client 9.0.0.5 allows remote attackers to cause a denial of service (server crash) or execute arbitrary code via a long Session cookie.

Tue, 25 May 10
lokomedia_cms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2019
SQL injection vulnerability in downlot.php in Lokomedia CMS 1.4.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the file parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Tue, 25 May 10
lokomedia_cms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2018
Directory traversal vulnerability in downlot.php in Lokomedia CMS 1.4.1 and 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

Tue, 25 May 10
lokomedia_cms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2017
Cross-site scripting (XSS) vulnerability in hasil-pencarian.html in Lokomedia CMS 1.4.1 and 2.0 allows remote attackers to inject arbitrary web script or HTML via the kata parameter. NOTE: some of these details are obtained from third party information.

Tue, 25 May 10
iceberg_cms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2016
SQL injection vulnerability in details.php in Iceberg CMS allows remote attackers to execute arbitrary SQL commands via the p_id parameter.

Tue, 25 May 10
lisk_cms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2015
Multiple SQL injection vulnerabilities in LiSK CMS 4.4 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter in a view_inbox action to cp/cp_messages.php or (2) the id parameter to cp/edit_email.php.

Tue, 25 May 10
lisk_cms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2014
Cross-site scripting (XSS) vulnerability in cp/list_content.php in LiSK CMS 4.4 allows remote attackers to inject arbitrary web script or HTML via the cl or possibly id parameter.

Tue, 25 May 10
lisk_cms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2013
Cross-site scripting (XSS) vulnerability in cp/edit_email.php in LiSK CMS 4.4 allows remote attackers to inject arbitrary web script or HTML via the id parameter.

Tue, 25 May 10
migascms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2012
SQL injection vulnerability in function.php in MigasCMS 1.1, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the categorie parameter in a catalogo action. NOTE: some of these details are obtained from third party information.

Thu, 20 May 10
context
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1584
Cross-site scripting (XSS) vulnerability in the Context module before 6.x-2.0-rc4 for Drupal allows remote authenticated users, with Administer Blocks privileges, to inject arbitrary web script or HTML via a block description.

Thu, 20 May 10
phpgroupware
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0404
Multiple SQL injection vulnerabilities in phpGroupWare (phpgw) before 0.9.16.016 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to (1) class.sessions_db.inc.php, (2) class.translation_sql.inc.php, or (3) class.auth_sql.inc.php in phpgwapi/inc/.

Thu, 20 May 10
phpgroupware
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0403
Directory traversal vulnerability in about.php in phpGroupWare (phpgw) before 0.9.16.016 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the app parameter.

Thu, 20 May 10
capsuite_patchmeister
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1943
Unspecified vulnerability in NEC CapsSuite Small Edition PatchMeister 2.0 Update2 and earlier allows remote attackers to cause a denial of service (OS shutdown or restart) via vectors related to Client Service for PTM and crafted packets to port 56015.

Thu, 20 May 10
interstage_application_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1942
Unspecified vulnerability in the Servlet service in Fujitsu Limited Interstage Application Server 3.0 through 7.0, as used in Interstage Application Framework Suite, Interstage Business Application Server, and Interstage List Manager, allows attackers to obtain sensitive information or force invalid requests to be processed via unknown vectors related to unspecified invalid requests and settings on the load balancing device.

Thu, 20 May 10
CVE-2010-1941 (bladesystemcenter, expresssystemcenter, sigmasystemcenter, virtualpccenter, websa...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1941
Unspecified vulnerability in NEC WebSAM DeploymentManager 5.13 and earlier, as used in SigmaSystemCenter 2.1 Update2 and earlier, BladeSystemCenter, ExpressSystemCenter, and VirtualPCCenter 2.2 and earlier, allows remote attackers to cause a denial of service (OS shutdown or restart) via unknown vectors related to Client Service for DPM and crafted packets to port 56010.

Thu, 20 May 10
openfoncier
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1948
Directory traversal vulnerability in scr/soustab.php in openMairie Openfoncier 2.00, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter, a related issue to CVE-2007-2069.

Thu, 20 May 10
openregistrecil
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1947
Directory traversal vulnerability in scr/soustab.php in openMairie Openregistrecil 1.02, when register_globals is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the dsn[phptype] parameter. NOTE: this may be related to CVE-2007-2069.

Thu, 20 May 10
openregistrecil
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1946
Multiple PHP remote file inclusion vulnerabilities in openMairie Openregistrecil 1.02, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) autorisation_normale.class.php, (2) collectivite.class.php, (3) dossier.class.php, (4) norme_simplifiee.class.php, (5) registre.class.php, (6) autorisation_unique.class.php, (7) demande_avis.class.php, (8) droit.class.php, (9) organisme.class.php, (10) service.class.php, (11) cate...

Thu, 20 May 10
openfoncier
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1945
Multiple PHP remote file inclusion vulnerabilities in openMairie Openfoncier 2.00, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) action.class.php, (2) architecte.class.php, (3) avis.class.php, (4) bible.class.php, and (5) blocnote.class.php in obj/.

Thu, 20 May 10
opencimetiere
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1944
Multiple PHP remote file inclusion vulnerabilities in openMairie openCimetiere 2.01, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the path_om parameter to (1) autorisation.class.php, (2) courrierautorisation.class.php, (3) droit.class.php, (4) profil.class.php, (5) temp_defunt_sansemplacement.class.php, (6) utils.class.php, (7) cimetiere.class.php, (8) defunt.class.php, (9) emplacement.class.php, (10) tab_emplacement.class.php, (11) temp_...

Thu, 20 May 10
com_lovefactory
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1957
Directory traversal vulnerability in the Love Factory (com_lovefactory) component 1.3.4 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.

Thu, 20 May 10
com_gadgetfactory
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1956
Directory traversal vulnerability in the Gadget Factory (com_gadgetfactory) component 1.0.0 and 1.5.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information.

Thu, 20 May 10
com_blogfactory
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1955
Directory traversal vulnerability in the Deluxe Blog Factory (com_blogfactory) component 1.1.2 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.

Thu, 20 May 10
com_multiroot
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1954
Directory traversal vulnerability in the iNetLanka Multiple root (com_multiroot) component 1.0 and 1.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information.

Thu, 20 May 10
com_multimap
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1953
Directory traversal vulnerability in the iNetLanka Multiple Map (com_multimap) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.

Thu, 20 May 10
com_beeheard, com_beeheardlite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1952
Directory traversal vulnerability in the BeeHeard (com_beeheard) and BeeHeard Lite (com_beeheardlite) component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.

Thu, 20 May 10
60cyclecms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1951
Multiple directory traversal vulnerabilities in 60cycleCMS allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the DOCUMENT_ROOT parameter to (1) news.php, (2) submitComment.php, and (3) sqlConnect.php.

Thu, 20 May 10
com_jnewspaper
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1950
SQL injection vulnerability in the Online News Paper Manager (com_jnewspaper) component 1.0 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the date_info parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Thu, 20 May 10
com_jnewspaper
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1949
SQL injection vulnerability in the Online News Paper Manager (com_jnewspaper) component 1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter to index.php. NOTE: some of these details are obtained from third party information.

Thu, 13 May 10
gnustep_base
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1620
Integer overflow in the load_iface function in Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 might allow context-dependent attackers to execute arbitrary code via a (1) file or (2) socket that provides configuration data with many entries, leading to a heap-based buffer overflow.

Thu, 13 May 10
gnustep_base
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1457
Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 allows local users to read arbitrary files via a (1) -c or (2) -a option, which prints file contents in an error message.

Thu, 13 May 10
outlook_express, windows_live_mail, windows_mail
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0816
Integer overflow in inetcomm.dll in Microsoft Outlook Express 5.5 SP2, 6, and 6 SP1; Windows Live Mail on Windows XP SP2 and SP3, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7; and Windows Mail on Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows remote e-mail servers and man-in-the-middle attackers to execute arbitrary code via a crafted (1) POP3 or (2) IMAP response, as demonstrated by a certain +OK response on TCP port ...

Thu, 13 May 10
visual_basic_for_applications, visual_basic_sdk, office
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0815
VBE6.DLL in Microsoft Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Visual Basic for Applications (VBA), and VBA SDK 6.3 through 6.5 does not properly search for ActiveX controls that are embedded in documents, which allows remote attackers to execute arbitrary code via a crafted document, aka "VBE6.DLL Stack Memory Corruption Vulnerability."

Thu, 13 May 10
efront
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1918
SQL injection vulnerability in ask_chat.php in eFront 3.6.2 and earlier allows remote attackers to execute arbitrary SQL commands via the chatrooms_ID parameter.

Thu, 13 May 10
php
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1917
Stack consumption vulnerability in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to cause a denial of service (PHP crash) via a crafted first argument to the fnmatch function, as demonstrated using a long string.

Thu, 13 May 10
serendipity, wysiwyg_editor
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1916
The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2)...

Thu, 13 May 10
php
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1915
The preg_quote function in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information (memory contents) by causing a userspace interruption of an internal function, related to the call time pass by reference feature, modification of ZVALs whose values are not updated in the associated local variables, and access of previously-freed memory.

Thu, 13 May 10
php
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1914
The Zend Engine in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 allows context-dependent attackers to obtain sensitive information by interrupting the handler for the (1) ZEND_BW_XOR opcode (shift_left_function), (2) ZEND_SL opcode (bitwise_xor_function), or (3) ZEND_SR opcode (shift_right_function), related to the convert_to_long_base function.

Thu, 13 May 10
gpl_ghostscript
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1869
Stack-based buffer overflow in the parser function in GhostScript 8.70 and 8.64 allows context-dependent attackers to execute arbitrary code via a crafted PostScript file.

Thu, 13 May 10
consona_dynamic_agent, consona_live_assistance, consona_subscriber_assistance
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1913
The default configuration of pluginlicense.ini for the SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance, when downloaded from a server operated by Telefonica or possibly other companies, contains an incorrect DNS whitelist that includes the DNS hostnames of home computers of many persons, which allows remote attackers to bypass intended restrictions on ActiveX execution by hosting an ActiveX control on an applicable home web server.

Thu, 13 May 10
consona_dynamic_agent, consona_live_assistance, consona_subscriber_assistance
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1912
The SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allows remote attackers to bypass intended restrictions on ActiveX execution via "instantiation/free attacks."

Thu, 13 May 10
consona_dynamic_agent, consona_live_assistance, consona_subscriber_assistance
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1911
The site-locking implementation in the SdcWebSecureBase interface in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance relies on a list of server domain names to restrict execution of ActiveX controls, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a DNS hijacking attack.

Thu, 13 May 10
consona_dynamic_agent, consona_live_assistance, consona_subscriber_assistance
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1910
The Forgot Password implementation in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allows remote attackers to reset passwords of accounts with blank Hint questions and Hint answers by sending an empty value for each of these two Hint fields.

Thu, 13 May 10
consona_dynamic_agent, consona_live_assistance, consona_subscriber_assistance
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1909
Buffer overflow in the RunCmd method in the SdcUser.TgConCtl ActiveX control in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allows remote attackers to execute arbitrary code via vectors involving "CreateProcess params." NOTE: some of these details are obtained from third party information.

Thu, 13 May 10
consona_dynamic_agent, consona_live_assistance, consona_subscriber_assistance
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1908
The SdcUser.TgConCtl ActiveX control in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance does not properly restrict access to the HTTPDownloadFile, HTTPGetFile, Install, and RunCmd methods, which allows remote attackers to execute arbitrary programs via a URL in the url argument to (1) HTTPDownloadFile or (2) HTTPGetFile.

Thu, 13 May 10
consona_dynamic_agent, consona_live_assistance, consona_subscriber_assistance
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1907
The SdcUser.TgConCtl ActiveX control in tgctlcm.dll in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allows remote attackers to discover the username of the client user, and consequently determine a pathname to a certain user directory, via a call to the GetUserName method.

Thu, 13 May 10
CVE-2010-1906 (consona_dynamic_agent, consona_repair_manager, consona_subscriber_activation, con...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1906
tgsrv.exe in the Repair Service in Consona Dynamic Agent, Repair Manager, Subscriber Activation, and Subscriber Agent relies on a predictable timestamp field to validate input to the \\.\pipe\__RepairService_pipe__company named pipe, which allows remote authenticated users to execute arbitrary code by obtaining the current time from (1) tcpip.sys or (2) an SMB2 service.

Thu, 13 May 10
consona_live_assistance, consona_dynamic_agent, consona_subscriber_assistance
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1905
Multiple cross-site scripting (XSS) vulnerabilities in Consona Live Assistance, Dynamic Agent, and Subscriber Assistance allow remote attackers to inject arbitrary web script or HTML via crafted input to ASP pages, as demonstrated using the backurl parameter to sdccommon/verify/asp/n6plugindestructor.asp.

Thu, 13 May 10
pmwiki
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1481
Cross-site scripting (XSS) vulnerability in the table feature in PmWiki 2.2.15 allows remote authenticated users to inject arbitrary web script or HTML via the width attribute.

Thu, 13 May 10
ethereal, wireshark
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1455
The DOCSIS dissector in Wireshark 0.9.6 through 1.0.12 and 1.2.0 through 1.2.7 allows user-assisted remote attackers to cause a denial of service (application crash) via a malformed packet trace file.

Thu, 13 May 10
enterprise_linux, enterprise_linux_desktop
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0730
The MMIO instruction decoder in the Xen hypervisor in the Linux kernel 2.6.18 in Red Hat Enterprise Linux (RHEL) 5 allows guest OS users to cause a denial of service (32-bit guest OS crash) via vectors that trigger an unspecified instruction emulation.

Thu, 13 May 10
com_orgchart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1878
Directory traversal vulnerability in the OrgChart (com_orgchart) component 1.0.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.

Thu, 13 May 10
com_jtm
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1877
SQL injection vulnerability in the JTM Reseller (com_jtm) component 1.9 Beta for Joomla! allows remote attackers to execute arbitrary SQL commands via the author parameter in a search action to index.php.

Thu, 13 May 10
aj_shopping_cart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1876
SQL injection vulnerability in index.php in AJ Shopping Cart 1.0 allows remote attackers to execute arbitrary SQL commands via the maincatid parameter in a showmaincatlanding action.

Thu, 13 May 10
com_properties
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1875
Directory traversal vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php. NOTE: some of these details are obtained from third party information.

Thu, 13 May 10
com_properties
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1874
SQL injection vulnerability in the Real Estate Property (com_properties) component 3.1.22-03 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php. NOTE: some of these details are obtained from third party information.

Thu, 13 May 10
com_jvehicles
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1873
SQL injection vulnerability in the Jvehicles (com_jvehicles) component 1.0, 2.0, and 2.1111 for Joomla! allows remote attackers to execute arbitrary SQL commands via the aid parameter in an agentlisting action to index.php. NOTE: some of these details are obtained from third party information.

Thu, 13 May 10
flashcard
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1872
Cross-site scripting (XSS) vulnerability in cPlayer.php in FlashCard 2.6.5 and 3.0.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: some of these details are obtained from third party information.

Wed, 12 May 10
logoshows_bbs
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4872
Multiple SQL injection vulnerabilities in globepersonnel_login.asp in Logoshows BBS 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password fields.

Wed, 12 May 10
logoshows_bbs
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4871
SQL injection vulnerability in globepersonnel_forum.asp in Logoshows BBS 2.0 allows remote attackers to execute arbitrary SQL commands via the forumid parameter.

Wed, 12 May 10
phpcityportal
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4870
Multiple SQL injection vulnerabilities in login.php in PHPCityPortal allow remote attackers to execute arbitrary SQL commands via the (1) req_username (aka Username) and (2) req_password (aka Password) parameters. NOTE: some of these details are obtained from third party information.

Wed, 12 May 10
nasim_guest_book
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4869
Cross-site scripting (XSS) vulnerability in index.php in Nasim Guest Book 1.2 allows remote attackers to inject arbitrary web script or HTML via the page parameter.

Wed, 12 May 10
answer_me
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4868
Cross-site scripting (XSS) vulnerability in Hitron Soft Answer Me 1.0 allows remote attackers to inject arbitrary web script or HTML via the q_id parameter to the answers script (aka answers.php). NOTE: some of these details are obtained from third party information.

Wed, 12 May 10
tuniac
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4867
Buffer overflow in Tuniac 090517c allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long URL in a .m3u playlist file.

Wed, 12 May 10
simple_search
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4866
Cross-site scripting (XSS) vulnerability in search.cgi in Matt's Script Archive (MSA) Simple Search 1.0 allows remote attackers to inject arbitrary web script or HTML via the terms parameter. NOTE: some of these details are obtained from third party information.

Wed, 12 May 10
i-escorts_agency_script, i-escorts_directory_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4865
Multiple SQL injection vulnerabilities in escorts_search.php in I-Escorts Directory Script and Agency Script, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) search_name and (2) languages parameters. NOTE: some of these details are obtained from third party information.

Wed, 12 May 10
i-escorts_agency_script, i-escorts_directory_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4864
Multiple cross-site scripting (XSS) vulnerabilities in escorts_search.php in I-Escorts Directory Script and Agency Script allow remote attackers to inject arbitrary web script or HTML via the (1) search_name and (2) languages parameters. NOTE: some of these details are obtained from third party information.

Wed, 12 May 10
ultraplayer_media_player
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4863
Stack-based buffer overflow in UltraPlayer Media Player 2.112 allows remote attackers to execute arbitrary code via a long string in a .usk file.

Wed, 12 May 10
alwasel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4862
Multiple SQL injection vulnerabilities in Alwasel 1.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) show.php and (2) xml.php.

Wed, 12 May 10
supportdesk
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4861
Cross-site scripting (XSS) vulnerability in shownews.php in SupportPRO SupportDesk 3.0 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

Wed, 12 May 10
typing_pal
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4860
SQL injection vulnerability in demo.php in Typing Pal 1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the idTableProduit parameter.

Wed, 12 May 10
owos_lite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4859
Multiple cross-site scripting (XSS) vulnerabilities in Online Work Order Suite (OWOS) Lite Edition 3.10 allow remote attackers to inject arbitrary web script or HTML via the show parameter to (1) default.asp and (2) report.asp, and the (3) go parameter to login.asp.

Wed, 12 May 10
yahoo-answers-clone
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4858
Cross-site scripting (XSS) vulnerability in questiondetail.php in Yahoo Answers Clone allows remote attackers to inject arbitrary web script or HTML via the questionid parameter.

Wed, 12 May 10
CVE-2009-4857 (php_photo_vote1.3f)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4857
Cross-site scripting (XSS) vulnerability in login.php in PHP Photo Vote 1.3F allows remote attackers to inject arbitrary web script or HTML via the page parameter.

Wed, 12 May 10
php_easy_shopping_cart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4856
Cross-site scripting (XSS) vulnerability in subitems.php in PHP Easy Shopping Cart 3.1R allows remote attackers to inject arbitrary web script or HTML via the name parameter.

Wed, 12 May 10
typo3
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4855
SQL injection vulnerability in index.php in TYPO3 4.0 allows remote attackers to execute arbitrary SQL commands via the showUid parameter.

Sat, 8 May 10
tex_live, tetex
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0827
Integer overflow in dvips in TeX Live 2009 and earlier, and teTeX, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted virtual font (VF) file associated with a DVI file.

Sat, 8 May 10
virtualiq
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4845
The configuration page in ToutVirtual VirtualIQ Pro 3.2 build 7882 contains cleartext SSH credentials, which allows remote attackers to obtain sensitive information by reading the username and password fields.

Sat, 8 May 10
virtualiq
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4844
ToutVirtual VirtualIQ Pro 3.2 build 7882 does not restrict access to the /status URI on port 9080, which allows remote attackers to obtain sensitive Tomcat information via a direct request.

Sat, 8 May 10
virtualiq
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4843
ToutVirtual VirtualIQ Pro before 3.5 build 8691 does not require administrative authentication for JBoss console access, which allows remote attackers to execute arbitrary commands via requests to (1) the JMX Management Console or (2) the Web Console.

Sat, 8 May 10
virtualiq
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4842
Multiple cross-site scripting (XSS) vulnerabilities in ToutVirtual VirtualIQ Pro 3.5 build 8691 allow remote attackers to inject arbitrary web script or HTML via the (1) addNewDept, (2) deptId, or (3) deptDesc parameter to tvserver/server/user/addDepartment.jsp; or the (4) firstName, (5) lastName, or (6) email parameter in a save action to tvserver/user/user.do. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Fri, 7 May 10
chrome
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1731
Google Chrome on the HTC Hero allows remote attackers to cause a denial of service (application crash) via JavaScript that writes sequences in an infinite loop.

Fri, 7 May 10
dolphin_browser
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1730
Dolphin Browser 2.5.0 on the HTC Hero allows remote attackers to cause a denial of service (application crash) via JavaScript that writes sequences in an infinite loop.

Fri, 7 May 10
safari
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1729
WebKit.dll in WebKit, as used in Safari.exe 4.531.9.1 in Apple Safari, allows remote attackers to cause a denial of service (application crash) via JavaScript that writes sequences in an infinite loop.

Fri, 7 May 10
opera_browser
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1728
Opera before 10.53 on Windows and Mac OS X does not properly handle a series of document modifications that occur asynchronously, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via JavaScript that writes sequences in an infinite loop, leading to attempted use of uninitialized memory. NOTE: this might overlap CVE-2006-6955.

Fri, 7 May 10
jobpost
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1727
SQL injection vulnerability in type.asp in JobPost 1.0 allows remote attackers to execute arbitrary SQL commands via the iType parameter. NOTE: some of these details are obtained from third party information.

Fri, 7 May 10
ec21_clone
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1726
SQL injection vulnerability in offers_buy.php in EC21 Clone 3.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.

Fri, 7 May 10
alibaba_clone_platinum
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1725
SQL injection vulnerability in offers_buy.php in Alibaba Clone Platinum allows remote attackers to execute arbitrary SQL commands via the id parameter.

Fri, 7 May 10
zikula_application_framework
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1724
Multiple cross-site scripting (XSS) vulnerabilities in Zikula Application Framework 1.2.2, and possibly earlier, allow remote attackers to inject arbitrary web script or HTML via the (1) func parameter to index.php, or the (2) lang parameter to index.php, which is not properly handled by ZLanguage.php.

Fri, 7 May 10
webapplication_finger_printer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1438
Web Application Finger Printer (WAFP) 0.01-26c3 uses fixed pathnames under /tmp for temporary files and directories, which (1) allows local users to cause a denial of service (application outage) by creating a file with a pathname that the product expects is available for its own internal use, (2) allows local users to overwrite arbitrary files via symlink attacks on certain files in /tmp, (3) might allow local users to delete arbitrary files and directories via a symlink attack on a director...

Fri, 7 May 10
internet_download_manager
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0995
Stack-based buffer overflow in Internet Download Manager (IDM) before 5.19 allows remote attackers to execute arbitrary code via a crafted FTP URI that causes unspecified "test sequences" to be sent from client to server.

Fri, 7 May 10
windows_2000, windows_2003_server, windows_xp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1735
The SfnLOGONNOTIFY function in win32k.sys in the kernel in Microsoft Windows 2000, XP, and Server 2003 allows local users to cause a denial of service (system crash) via a 0x4c value in the second argument (aka the Msg argument) of a PostMessage function call for the DDEMLEvent window.

Fri, 7 May 10
windows_2000, windows_2003_server, windows_xp
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1734
The SfnINSTRING function in win32k.sys in the kernel in Microsoft Windows 2000, XP, and Server 2003 allows local users to cause a denial of service (system crash) via a 0x18d value in the second argument (aka the Msg argument) of a PostMessage function call for the DDEMLEvent window.

Fri, 7 May 10
ocs_inventory_ng
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1733
Multiple SQL injection vulnerabilities in OCS Inventory NG before 1.02.3 allow remote attackers to execute arbitrary SQL commands via (1) multiple inventory fields to the search form, reachable through index.php; or (2) the "Software name" field to the "All softwares" search form, reachable through index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Fri, 7 May 10
zikula_application_framework
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1732
Cross-site request forgery (CSRF) vulnerability in the users module in Zikula Application Framework before 1.2.3 allows remote attackers to hijack the authentication of administrators for requests that change the administrator email address (updateemail action).

Fri, 7 May 10
visio
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1681
Buffer overflow in VISIODWG.DLL before 10.0.6880.4 in Microsoft Office Visio allows user-assisted remote attackers to execute arbitrary code via a crafted DXF file, a different vulnerability than CVE-2010-0254 and CVE-2010-0256.

Fri, 7 May 10
taskfreak
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1583
SQL injection vulnerability in the loadByKey function in the TznDbConnection class in tzn_mysql.php in Tirzen (aka TZN) Framework 1.5, as used in TaskFreak! before 0.6.3, allows remote attackers to execute arbitrary SQL commands via the username field in a login action.

Fri, 7 May 10
cineplayer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4841
Heap-based buffer overflow in the SonicMediaPlayer ActiveX control in SonicMediaPlayer.dll in Roxio CinePlayer 3.2 allows remote attackers to execute arbitrary code via a long argument to the DiskType method. NOTE: this might overlap CVE-2007-1559.

Fri, 7 May 10
cineplayer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4840
Heap-based buffer overflow in the IAManager ActiveX control in IAManager.dll in Roxio CinePlayer 3.2 allows remote attackers to execute arbitrary code via a long argument to the SetIAPlayerName method.

Fri, 7 May 10
basic_analysis_and_security_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4839
Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis and Security Engine (BASE), possibly 1.4.4 and earlier, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) admin/base_roleadmin.php, (2) admin/base_useradmin.php, (3) base_conf_contents.php, (4) base_qry_sqlcalls.php, and (5) base_ag_main.php.

Fri, 7 May 10
basic_analysis_and_security_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4838
SQL injection vulnerability in base_ag_common.php in Basic Analysis and Security Engine (BASE) before 1.4.3.1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters. NOTE: some of these details are obtained from third party information.

Fri, 7 May 10
basic_analysis_and_security_engine
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4837
Multiple cross-site scripting (XSS) vulnerabilities in Basic Analysis and Security Engine (BASE) before 1.4.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) sig[1] parameter to base/base_qry_main.php, or the time[0][1] parameter to (2) base/base_stat_alerts.php or (3) base/base_stat_uaddr.php. NOTE: some of these details are obtained from third party information.

Fri, 7 May 10
movie_php_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4836
Eval injection vulnerability in system/services/init.php in Movie PHP Script 2.0 allows remote attackers to execute arbitrary PHP code via the anticode parameter.

Fri, 7 May 10
libsndfile
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4835
The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, (5) float32_init, and (6) sds_read_header functions in libsndfile 1.0.20 allow context-dependent attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted audio file.

Thu, 6 May 10
abc_backup, urgent_backup
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1686
Stack-based buffer overflow in (1) Urgent Backup 3.20, and (2) ABC Backup Pro 5.20 and ABC Backup 5.50, allows user-assisted remote attackers to execute arbitrary code via a crafted ZIP archive.

Thu, 6 May 10
photoshop_cs4
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1279
Multiple unspecified vulnerabilities in Adobe Photoshop CS4 11.x before 11.0.1 allow user-assisted remote attackers to execute arbitrary code via a crafted TIFF file.

Thu, 6 May 10
openttd
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0406
OpenTTD before 1.0.1 allows remote attackers to cause a denial of service (file-descriptor exhaustion and daemon crash) by performing incomplete downloads of the map.

Thu, 6 May 10
openttd
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0402
OpenTTD before 1.0.1 does not properly validate index values of certain items, which allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted in-game command.

Thu, 6 May 10
openttd
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0401
OpenTTD before 1.0.1 accepts a company password for authentication in response to a request for the server password, which allows remote authenticated users to bypass intended access restrictions or cause a denial of service (daemon crash) by sending a company password packet.

Wed, 5 May 10
piwigo
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1707
Multiple cross-site scripting (XSS) vulnerabilities in register.php in Piwigo 2.0.9 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) login and (2) mail_address parameters.

Wed, 5 May 10
auction_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1706
Multiple SQL injection vulnerabilities in login.php in 2daybiz Auction Script allow remote attackers to execute arbitrary SQL commands via (1) the login field (aka the username parameter), and possibly (2) the password field, to index.php. NOTE: some of these details are obtained from third party information.

Wed, 5 May 10
modelbook
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1705
SQL injection vulnerability in casting_view.php in Modelbook allows remote attackers to execute arbitrary SQL commands via the adnum parameter.

Wed, 5 May 10
polls_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1704
Multiple SQL injection vulnerabilities in 2daybiz Polls (aka Advanced Poll) Script allow remote attackers to execute arbitrary SQL commands via (1) the password field to login.php, (2) the login field (aka email parameter) to login.php, (3) the password field (aka pass parameter) to the default URI under admin/, and possibly (4) the login field to the default URI under admin/. NOTE: some of these details are obtained from third party information.

Wed, 5 May 10
polls_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1703
Multiple cross-site scripting (XSS) vulnerabilities in index_search.php in 2daybiz Polls (aka Advanced Poll) Script allow remote attackers to inject arbitrary web script or HTML via the (1) category parameter or (2) search field.

Wed, 5 May 10
whmcs
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1702
SQL injection vulnerability in submitticket.php in WHMCompleteSolution (WHMCS) 4.2 allows remote attackers to execute arbitrary SQL commands via the deptid parameter.

Wed, 5 May 10
php_video_battle_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1701
SQL injection vulnerability in browse.html in PHP Video Battle Script allows remote attackers to execute arbitrary SQL commands via the cat parameter.

Wed, 5 May 10
zipwrangler
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1685
Stack-based buffer overflow in CursorArts ZipWrangler 1.20 allows user-assisted remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename.

Wed, 5 May 10
cacti
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1431
SQL injection vulnerability in templates_export.php in Cacti 0.8.7e and earlier allows remote attackers to execute arbitrary SQL commands via the export_item_id parameter.

Wed, 5 May 10
router_and_security_device_manager
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0594
Cross-site scripting (XSS) vulnerability in Cisco Router and Security Device Manager (SDM) allows remote attackers to inject arbitrary web script or HTML via unknown vectors, aka Bug ID CSCtb38467.

Wed, 5 May 10
CVE-2010-0101 (e260, e360d, e360dn, e450, e460, e462, n4000, n4050e, n70xxe, n8120, n8130, t64x,...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0101
The embedded HTTP server in multiple Lexmark laser and inkjet printers and MarkNet devices, including X94x, W840, T656, N4000, E462, C935dn, 25xxN, and other models, allows remote attackers to cause a denial of service (operating system halt) via a malformed HTTP Authorization header.

Wed, 5 May 10
zeroboard
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4834
lib.php in Zeroboard 4.1 pl7 allows remote attackers to execute arbitrary PHP code via a crafted parameter name, possibly related to now_connect.php.

Sat, 1 May 10
moodle
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1619
Cross-site scripting (XSS) vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library (weblib.php), as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities.

Sat, 1 May 10
phpcas_client_library, moodle
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1618
Cross-site scripting (XSS) vulnerability in the phpCAS client library before 1.1.0, as used in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message.

Sat, 1 May 10
moodle
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1617
user/view.php in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page.

Sat, 1 May 10
moodle
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1616
Moodle 1.8.x and 1.9.x before 1.9.8 can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability.

Sat, 1 May 10
moodle
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1615
Multiple SQL injection vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) the add_to_log function in mod/wiki/view.php in the wiki module, or (2) "data validation in some forms elements" related to lib/form/selectgroups.php.

Sat, 1 May 10
moodle
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1614
Multiple cross-site scripting (XSS) vulnerabilities in Moodle 1.8.x before 1.8.12 and 1.9.x before 1.9.8 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the Login-As feature or (2) when the global search feature is enabled, unspecified global search forms in the Global Search Engine. NOTE: vector 1 might be resultant from a cross-site request forgery (CSRF) vulnerability.

Sat, 1 May 10
moodle
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1613
Moodle 1.8.x and 1.9.x before 1.9.8 does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks.

Sat, 1 May 10
CVE-2010-1166 (x.org)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1166
The fbComposite function in fbpict.c in the Render extension in the X server in X.Org X11R7.1 allows remote authenticated users to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted request, related to an incorrect macro definition.

Sat, 1 May 10
sharepoint_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0817
Cross-site scripting (XSS) vulnerability in _layouts/help.aspx in Microsoft SharePoint Server 2007 12.0.0.6421, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the cid0 parameter.

Sat, 1 May 10
CVE-2010-1612 (websphere_datapower_xml_accelerator_xa35, websphere_datapower_xml_security_gatewa...)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1612
The IBM WebSphere DataPower XML Accelerator XA35, Low Latency Appliance XM70, Integration Appliance XI50, B2B Appliance XB60, and XML Security Gateway XS40 SOA Appliances before 3.8.0.0, when a QLOGIC Ethernet interface is used, allow remote attackers to cause a denial of service (interface outage) via malformed ICMP packets to the 0.0.0.0 destination IP address.

Sat, 1 May 10
alegrocart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1611
Cross-site request forgery (CSRF) vulnerability in AlegroCart 1.1 allows remote attackers to hijack the authentication of the administrator for requests that reset the administrator password via a POST to admin/ with an update action.

Sat, 1 May 10
opencart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1610
Cross-site request forgery (CSRF) vulnerability in index.php in OpenCart 1.4 allows remote attackers to hijack the authentication of an application administrator for requests that create an administrative account via a POST request with the route parameter set to "user/user/insert." NOTE: some of these details are obtained from third party information.

Sat, 1 May 10
CVE-2009-4833 (mysql_connector/net)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4833
MySQL Connector/NET before 6.0.4, when using encryption, does not verify SSL certificates during connection, which allows remote attackers to perform a man-in-the-middle attack with a spoofed SSL certificate.

Sat, 1 May 10
deslock+
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4832
The dlpcrypt.sys kernel driver 0.1.1.27 in DESlock+ 4.0.2 allows local users to gain privileges via a crafted IOCTL 0x80012010 request to the DLPCryptCore device.

Sat, 1 May 10
trillian
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4831
Cerulean Studios Trillian 3.1 Basic does not check SSL certificates during MSN authentication, which allows remote attackers to obtain MSN credentials via a man-in-the-middle attack with a spoofed SSL certificate.

Sat, 1 May 10
netweaver
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1609
Cross-site scripting (XSS) vulnerability in SAP NetWeaver 2004 before SP21 and 2004s before SP13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Sat, 1 May 10
lotus_notes
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1608
Stack-based buffer overflow in IBM Lotus Notes 8.5 and 8.5fp1, and possibly other versions, allows remote attackers to execute arbitrary code via unknown attack vectors, as demonstrated by the vd_ln module in VulnDisco 9.0. NOTE: as of 20100222, this disclosure has no actionable information. However, because the VulnDisco author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes.

Sat, 1 May 10
com_wmi
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1607
Directory traversal vulnerability in wmi.php in the Webmoney Web Merchant Interface (aka WMI or com_wmi) component 1.5.0 for Joomla! allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the controller parameter to index.php.

Sat, 1 May 10
nct_jobs_portal_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1606
Multiple cross-site scripting (XSS) vulnerabilities in NCT Jobs Portal Script allow remote attackers to inject arbitrary web script or HTML via the (1) search, (2) Keywords, (3) Tags, or (4) Desired City field.

Sat, 1 May 10
nct_jobs_portal_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1605
Multiple SQL injection vulnerabilities in isearch.php in NCT Jobs Portal Script allow remote attackers to execute arbitrary SQL commands via the (1) anyword and (2) cityname parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Sat, 1 May 10
nct_jobs_portal_script
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1604
Multiple SQL injection vulnerabilities in admin_login.php in NCT Jobs Portal Script allow remote attackers to execute arbitrary SQL commands via the (1) user parameter (aka login field) and (2) passwd parameter (aka password field). NOTE: some of these details are obtained from third party information.

Sat, 1 May 10
com_zimbcore
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1603
Directory traversal vulnerability in the ZiMB Core (aka ZiMBCore or com_zimbcore) component 0.1 in the ZiMB Manager collection for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.

Sat, 1 May 10
com_zimbcomment
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1602
Directory traversal vulnerability in the ZiMB Comment (com_zimbcomment) component 0.8.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.

Sat, 1 May 10
com_jacomment
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1601
Directory traversal vulnerability in the JA Comment (com_jacomment) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.

Sat, 1 May 10
com_mediamall
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1600
SQL injection vulnerability in the Media Mall Factory (com_mediamall) component 1.0.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the category parameter to index.php.

Sat, 1 May 10
nkinfoweb
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1599
SQL injection vulnerability in loadorder.php in NKInFoWeb 2.5 and 5.2.2.0 allows remote attackers to execute arbitrary SQL commands via the id_sp parameter.

Sat, 1 May 10
CVE-2010-1598 (phpthumb())
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1598
phpThumb.php in phpThumb() 1.7.9 and possibly other versions, when ImageMagick is installed, allows remote attackers to execute arbitrary commands via the fltr[] parameter, as discovered in the wild in April 2010. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Sat, 1 May 10
zipgenius
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1597
Stack-based buffer overflow in zgtips.dll in ZipGenius 6.3.1.2552 allows user-assisted remote attackers to execute arbitrary code via a ZIP file containing an entry with a long filename.

Sat, 1 May 10
support_incident_tracker
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1596
Support Incident Tracker before 3.51, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.

Sat, 1 May 10
ocs_inventory_ng
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1595
Multiple SQL injection vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to execute arbitrary SQL commands via the (1) c, (2) val_1, or (3) onglet_bis parameter.

Sat, 1 May 10
ocs_inventory_ng
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1594
Multiple cross-site scripting (XSS) vulnerabilities in ocsreports/index.php in OCS Inventory NG 1.02.1 allow remote attackers to inject arbitrary web script or HTML via (1) the query string, (2) the BASE parameter, or (3) the ega_1 parameter. NOTE: some of these details are obtained from third party information.

Sat, 1 May 10
silverstripe
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1593
Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (1) the CommenterURL parameter to PostCommentForm, and in the Forum module before 0.2.5 in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (2) the Search parameter to forums/search (aka the search script).

Sat, 1 May 10
sandra
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1592
sandra.sys 15.18.1.1 and earlier in the Sandra Device Driver in SiSoftware Sandra 16.10.2010.1 and earlier allows local users to gain privileges or cause a denial of service (system crash) via unspecified vectors involving "Model-Specific Registers."

Sat, 1 May 10
rising_antivirus
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1591
Beijing Rising International Rising Antivirus 2008 through 2010 does not properly validate input to certain IOCTLs, including 0x83003C07, which allows local users to gain privileges via crafted IOCTL requests to the (1) HookCont.sys, (2) HookNtos.sys, (3) HOOKREG.sys, or (4) HookSys.sys device driver; or the (5) RsNTGdi.sys kernel module, reachable through \Device\RSNTGDI.

Sat, 1 May 10
vp-asp_shopping_cart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1590
Cross-site scripting (XSS) vulnerability in shopsessionsubs.asp in Rocksalt International VP-ASP Shopping Cart 6.50 and earlier might allow remote attackers to inject arbitrary web script or HTML via the client's DNS hostname (aka the REMOTE_HOST variable), related to the CookielessGenerateFilename and CookielessReadFile functions.

Sat, 1 May 10
vp-asp_shopping_cart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1589
Directory traversal vulnerability in shopsessionsubs.asp in Rocksalt International VP-ASP Shopping Cart 6.50 and earlier might allow remote attackers to determine the existence of arbitrary files via directory traversal sequences in the client's DNS hostname (aka the REMOTE_HOST variable), related to the CookielessGenerateFilename and CookielessReadFile functions.

Sat, 1 May 10
vp-asp_shopping_cart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1588
SQL injection vulnerability in the Getwebsess function in shopsessionsubs.asp in Rocksalt International VP-ASP Shopping Cart 6.50 and earlier allows remote attackers to execute arbitrary SQL commands via the websess parameter.

Sat, 1 May 10
activemq
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1587
The Jetty ResourceHandler in Apache ActiveMQ 5.x before 5.3.2 and 5.4.x before 5.4.0 allows remote attackers to read JSP source code via a // (slash slash) initial substring in a URI for (1) admin/index.jsp, (2) admin/queues.jsp, or (3) admin/topics.jsp.

Sat, 1 May 10
system_management_homepage
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1586
Open redirect vulnerability in red2301.html in HP System Management Homepage (SMH) 2.x.x.x allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the RedirectUrl parameter.

Sat, 1 May 10
firefox
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1585
The nsIScriptableUnescapeHTML.parseFragment method in Mozilla Firefox does not properly sanitize HTML, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element.

Sat, 1 May 10
jboss_enterprise_application_platform
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1429
Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.

Sat, 1 May 10
jboss_enterprise_application_platform
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1428
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.

Sat, 1 May 10
systems_insight_manager
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1038
Unspecified vulnerability in HP System Insight Manager before 6.0 allows remote authenticated users to gain privileges via unknown vectors.

Sat, 1 May 10
systems_insight_manager
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1037
Cross-site request forgery (CSRF) vulnerability in HP System Insight Manager before 6.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Sat, 1 May 10
systems_insight_manager
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1036
Cross-site scripting (XSS) vulnerability in HP System Insight Manager before 6.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Sat, 1 May 10
jboss_enterprise_application_platform
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0738
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.

Sat, 1 May 10
db2
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1560
Buffer overflow in the REPEAT function in IBM DB2 9.1 before FP9 allows remote authenticated users to cause a denial of service (trap) via unspecified vectors.

Sat, 1 May 10
com_sermonspeaker
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1559
SQL injection vulnerability in the SermonSpeaker (com_sermonspeaker) component before 3.2.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a speakerpopup action to index.php. NOTE: some of these details are obtained from third party information.

Sat, 1 May 10
websphere_mq
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0772
Unspecified vulnerability in the channel process in IBM WebSphere MQ 7.0 before 7.0.1.2 allows remote authenticated users to cause a denial of service (daemon crash) via "incorrect channel control data."

Sat, 1 May 10
mac_os_x
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0105
The hfs implementation in Apple Mac OS X 10.6.2 and 10.6.3 supports hard links to directories and does not prevent certain deeply nested directory structures, which allows local users to cause a denial of service (filesystem corruption) via a crafted application that calls the mkdir and link functions.

Sat, 1 May 10
openx
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4830
Unspecified vulnerability in OpenX 2.8.1 and 2.8.2 allows remote attackers to bypass authentication and obtain access to an Administrator account via unknown vectors, possibly related to www/admin/install.php, www/admin/install-plugins.php, and other www/admin/ files.

Sat, 1 May 10
autologout
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4829
Cross-site scripting (XSS) vulnerability in the Automated Logout module 6.x-1.x before 6.x-1.7 and 6.x-2.x before 6.x-2.3 for Drupal allows remote authenticated users with administer autologout privileges to inject arbitrary web script or HTML via unspecified vectors.

Sat, 1 May 10
ad_manager_pro
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4828
Cross-site request forgery (CSRF) vulnerability in administration/admins.php in Ad Manager Pro (aka AdManagerPro) 3.0 allows remote attackers to hijack the authentication of administrators for requests that create new administrative users via an admin_created action. NOTE: some of these details are obtained from third party information.

Sat, 1 May 10
mail_manager_pro
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4827
Cross-site request forgery (CSRF) vulnerability in admin.php in Mail Manager Pro allows remote attackers to hijack the authentication of administrators for requests that change the admin password via a change action.

Sat, 1 May 10
mini_hosting_panel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4826
Cross-site request forgery (CSRF) vulnerability in hosting/admin_ac.php in ScriptsEz Mini Hosting Panel allows remote attackers to hijack the authentication of administrators for requests that alter administrative settings via a cp action.

Sat, 1 May 10
simple_blog
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4825
8pixel.net Blog 4 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for App_Data/sb.mdb.

Sat, 1 May 10
kolab_server
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4824
Unspecified vulnerability in Kolab Webclient before 1.2.0 in Kolab Server before 2.2.3 allows attackers to have an unspecified impact via vectors related to an "image upload form."

Sat, 1 May 10
cpanel
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4823
Cross-site scripting (XSS) vulnerability in frontend/x3/files/fileop.html in cPanel 11.0 through 11.24.7 allows remote attackers to inject arbitrary web script or HTML via the fileop parameter.

Sat, 1 May 10
kasseler_cms
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4822
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Kasseler CMS 1.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) do, (2) id, and (3) uname parameters.

Sat, 1 May 10
dir-615
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4821
The D-Link DIR-615 with firmware 3.10NA does not require administrative authentication for apply.cgi, which allows remote attackers to (1) change the admin password via the admin_password parameter, (2) disable the security requirement for the Wi-Fi network via unspecified vectors, or (3) modify DNS settings via unspecified vectors.

Sat, 1 May 10
angelo-emlak
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4820
Angelo-Emlak 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for veribaze/angelo.mdb.

Sat, 1 May 10
phphotoalbum
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4819
Multiple unrestricted file upload vulnerabilities in upload.php in PHPhotoalbum allow remote attackers to execute arbitrary code by uploading a file with a (1) .php.pgif or (2) .php.pjpeg double extension, then accessing it via a direct request to the file in albums/userpics/.

Sat, 1 May 10
simplicity_of_upload
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4818
Unrestricted file upload vulnerability in upload.php in PHPSimplicity Simplicity oF Upload 1.3.2 allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, as demonstrated by .php.gif.

Sat, 1 May 10
ultimate_uploader
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4817
Unrestricted file upload vulnerability in Element-IT Ultimate Uploader 1.3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/.

Sat, 1 May 10
the_uploader
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4816
Directory traversal vulnerability in api/download_checker.php in MegaLab The Uploader 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter.

Sat, 1 May 10
serv-u
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4815
Directory traversal vulnerability in Serv-U before 9.2.0.1 allows remote authenticated users to read arbitrary files via unspecified vectors.

Sat, 1 May 10
webmathematica
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4814
Cross-site scripting (XSS) vulnerability in Wolfram Research webMathematica allows remote attackers to inject arbitrary web script or HTML via the URI to the MSP script.

Sat, 1 May 10
mybb
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4813
Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.

Sat, 1 May 10
webmathematica
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4812
Wolfram Research webMathematica allows remote attackers to obtain sensitive information via a direct request to the MSP script, which reveals the installation path in an error message.

Sat, 1 May 10
ace, player, server, workstation
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4811
VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Authorization Service in VMware Workstation 7.0 before 7.0.1 build 227600 and 6.5.x before 6.5.4 build 246459, VMware Player 3.0 before 3.0.1 build 227600 and 2.5.x before 2.5.4 build 246459, VMware ACE 2.6 before 2.6.1 build 227600 and 2.5.x before 2.5.4 build 246459, and VMware Server 2.x allows remote attackers to cause a denial of service (process crash) via a \x25\x90 sequence in the USER and PASS commands, a related issu...

Sat, 1 May 10
digital_cable_modem, micro_httpd
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1544
micro_httpd on the RCA DCM425 cable modem allows remote attackers to cause a denial of service (device reboot) via a long string to TCP port 80.

Sat, 1 May 10
etracker
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1543
Cross-site scripting (XSS) vulnerability in the eTracker module before 6.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML by appending a crafted string to an arbitrary URL associated with the Drupal site.

Sat, 1 May 10
dfd_cart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1542
Multiple cross-site request forgery (CSRF) vulnerabilities in admin/configure.php in DFD Cart 1.198, 1.197, and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks or (2) change unspecified settings.

Sat, 1 May 10
dfd_cart
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1541
Multiple cross-site scripting (XSS) vulnerabilities in DFD Cart 1.198, 1.197, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) category and (2) list_quantity parameters to index.php, and the (3) category parameter to your.order.php.

Sat, 1 May 10
myblog
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1540
Directory traversal vulnerability in index.php in the MyBlog (com_myblog) component 3.0.329 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the task parameter. NOTE: some of these details are obtained from third party information.

Sat, 1 May 10
workflow
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1539
Cross-site scripting (XSS) vulnerability in the Workflow module 5.x-2.x before 5.x-2.6 and 6.x-1.x before 6.x-1.4 for Drupal, when used with the Token module, might allow remote authenticated users to inject arbitrary web script or HTML via a certain Comment field.

Sat, 1 May 10
phpraincheck
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1538
SQL injection vulnerability in print_raincheck.php in phpRAINCHECK 1.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.

Sat, 1 May 10
phpcdb
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1537
Multiple directory traversal vulnerabilities in phpCDB 1.0 and earlier allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang_global parameter to (1) firstvisit.php, (2) newfolder.php, (3) showfolders.php, (4) newlang.php, (5) showinnerfolder.php, (6) writecode.php, and (7) showcode.php.

Sat, 1 May 10
addthis
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1536
Cross-site scripting (XSS) vulnerability in the AddThis Button module 5.x before 5.x-2.2 and 6.x before 6.x-2.9 for Drupal allows remote authenticated users, with administer addthis privileges, to inject arbitrary web script or HTML via unspecified vectors.

Sat, 1 May 10
travelbook
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1535
Directory traversal vulnerability in the TRAVELbook (com_travelbook) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.

Sat, 1 May 10
com_shoutbox
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1534
Directory traversal vulnerability in the Shoutbox Pro (com_shoutbox) component for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.

Sat, 1 May 10
tweetla
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1533
Directory traversal vulnerability in the TweetLA (com_tweetla) component 1.0.1 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php.

Sat, 1 May 10
com_powermail
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1532
Directory traversal vulnerability in the givesight PowerMail Pro (com_powermail) component 1.5.3 for Joomla! allows remote attackers to read arbitrary files and possibly have unspecified other impact via a .. (dot dot) in the controller parameter to index.php.

Sat, 1 May 10
redshop
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1531
Directory traversal vulnerability in the redSHOP (com_redshop) component 1.0.x for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter to index.php.

Sat, 1 May 10
i18n
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1530
Multiple cross-site scripting (XSS) vulnerabilities in the Internationalization module 6.x before 6.x-1.4 for Drupal allow remote authenticated users, with translate interface or administer blocks privileges, to inject arbitrary web script or HTML via (1) strings used in block translation or (2) the untranslated input.

Sat, 1 May 10
faqs_lite
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1529
SQL injection vulnerability in the Freestyle FAQs Lite (com_fsf) component, possibly 1.3, for Joomla! allows remote attackers to execute arbitrary SQL commands via the faqid parameter in an faq action to index.php.

Sat, 1 May 10
proxy
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1528
PHP remote file inclusion vulnerability in include/template.php in Uiga Proxy, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the content parameter.

 

Home | Contact | PHP Scripts | Sitemap | News | Articles | Advertise | Jobs | RSS Readers | Donations | Api Projects

© amigura.co.uk All Rights Reserved.