Network Security News – Wednesday, December 07, 2005 Events
vTiger CRM Account Name XSS
vTiger CRM contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'Account Name' field upon submission to index.php. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/21232
phpYellow print_me.php ckey Variable SQL Injection
phpYellow contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the print_me.php script not properly sanitizing user-supplied input to the 'ckey' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21429
phpYellow search_result.php haystack Variable SQL Injection
phpYellow contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search_result.php script not properly sanitizing user-supplied input to the 'haystack' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21428
QualityEBiz Quality PPC Search Module REQ Variable XSS
Quality PPC contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'REQ' variable upon submission to the search module query. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/21387
PluggedOut Nexus search.php Multiple Variable XSS
Nexus contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'firstname', 'lastname' and 'location' variables upon submission to the search.php script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/21479
PluggedOut Nexus search.php Multiple Variable SQL Injection
Nexus contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the 'firstname', 'lastname' and 'location' variables. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21478
PluggedOut Blog index.php Multiple Variable SQL Injection
Blog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the index.php script not properly sanitizing user-supplied input to the 'categoryid', 'entryid', 'year', 'month' and 'day' variables. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21480
Trac Search Module SQL Injection
Trac contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search module not properly sanitizing user-supplied input to an unspecified variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21459
FileLister definesearch.jsp searchwhat Variable XSS
FileLister contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'searchwhat' variable upon submission to the definesearch.jsp script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Read more at osvdb.org/21476
FileLister definesearch.jsp searchwhat Variable SQL Injection
FileLister contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the definesearch.jsp script not properly sanitizing user-supplied input to the 'searchwhat' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database. Read more at osvdb.org/21416
Vuln: Ipswitch Collaboration Suite and IMail Server SMTPD Remote Format String Vulnerability
Ipswitch Collaboration Suite and IMail Server SMTPD Remote Format String Vulnerability. Read more at securityfocus.com/bid/15752
Vuln: Ipswitch Collaboration Suite and IMail Server IMAPD LIST Command Denial Of Service Vulnerability
Ipswitch Collaboration Suite and IMail Server IMAPD LIST Command Denial Of Service Vulnerability. Read more at securityfocus.com/bid/15753
Vuln: Multiple Vendor BIOS Password Persistence Weakness
Multiple Vendor BIOS Password Persistence Weakness. Read more at securityfocus.com/bid/15751
Vuln: e107 Website System Voting Manipulation Vulnerability
e107 Website System Voting Manipulation Vulnerability. Read more at securityfocus.com/bid/15748
iDefense Security Advisory 12.05.05: Multiple Vendor xpdf StreamPredictor Heap Overflow Vulnerability
iDefense Security Advisory 12.05.05: Multiple Vendor xpdf StreamPredictor Heap Overflow Vulnerability. Read more at securityfocus.com/archive/1/418741
iDefense Security Advisory 12.05.05: Multiple Vendor xpdf DCTStream Progressive Heap Overflow
iDefense Security Advisory 12.05.05: Multiple Vendor xpdf DCTStream Progressive Heap Overflow. Read more at securityfocus.com/archive/1/418739
iDefense Security Advisory 12.05.05: Multiple Vendor xpdf DCTStream Baseline Heap Overflow Vulnerability
iDefense Security Advisory 12.05.05: Multiple Vendor xpdf DCTStream Baseline Heap Overflow Vulnerability. Read more at securityfocus.com/archive/1/418738
iDefense Security Advisory 12.05.05: Multiple Vendor xpdf JPX Stream Reader Heap Overflow Vulnerability
iDefense Security Advisory 12.05.05: Multiple Vendor xpdf JPX Stream Reader Heap Overflow Vulnerability. Read more at securityfocus.com/archive/1/418740