Network Security News – Thursday, December 29, 2005 Events
FatWire UpdateEngine Multiple Variable XSS
FatWire UpdateEngine contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'FUELAP_TEMPLATENAME', 'EMAIL' and 'COUNTRYNAME' variables upon submission to the 'UpdateEngine' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/21936
Cerberus Helpdesk GUI display.php thread Variable SQL Injection
Cerberus Helpdesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'display.php' script not properly sanitizing user-supplied input to the 'thread' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21994
Cerberus Helpdesk GUI display_ticket_thread.php ticket Variable SQL Injection
Cerberus Helpdesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'display_ticket_thread.php' script not properly sanitizing user-supplied input to the 'ticket' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21995
Cerberus Helpdesk GUI email_parser.php Multiple Variable SQL Injection
Cerberus Helpdesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'email_parser.php' script not properly sanitizing user-supplied input to the 'addy' and 'address' variables in the 'is_queue_address', 'is_banned_address' and 'is_admin_address' functions. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21990
MarmaraWeb E-commerce index.php page Variable Arbitrary Command Execution
MarmaraWeb E-commerce contains a flaw that allows a remote arbitrary code execution attack. This flaw exists because the application does not validate the 'page' variable upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code, leading to a loss of integrity. Read more at osvdb.org/21903
Cerberus Helpdesk GUI structs.php cer_email_address_struct Function SQL Injection
Cerberus Helpdesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'structs.php' script not properly sanitizing user-supplied input to the 'cer_email_address_struct' function. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21991
MarmaraWeb E-commerce index.php page Variable XSS
MarmaraWeb E-commerce contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'page' variable upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/21902
Cerberus Helpdesk GUI addresses_export.php queues Variable SQL Injection
Cerberus Helpdesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'addresses_export.php' script not properly sanitizing user-supplied input to the 'queues' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21993
Cerberus Helpdesk GUI cer_KnowledgebaseHandler.class.php _load_article_details Function SQL Injection
Cerberus Helpdesk contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'cer_KnowledgebaseHandler.class.php' script not properly sanitizing user-supplied input to the 'mode', 'root', 'sid' and 'kbid' variables of the '_load_article_details' function. This may allow an attacker to fetch the "superuser" md5 password by manipulating SQL queries in the backend database. Read more at osvdb.org/21992
Quicksilver Forums HTTP_USER_AGENT SQL Injection
Quicksilver Forums contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the input passed in the HTTP_USER_AGENT header not being properly sanitized. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21443
Vuln: Koobi BBCode URL Tag Script Injection Vulnerability
Koobi BBCode URL Tag Script Injection Vulnerability. Read more at securityfocus.com/bid/16078