VPMi Enterprise Service_Requests.asp UpdateID0 Variable SQL Injection

Network Security News – Monday, February 27, 2006 Events

VPMi Enterprise Service_Requests.asp UpdateID0 Variable SQL Injection

VPMi Enterprise contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the Service_Requests.asp script not properly sanitizing user-supplied input to the 'UpdateID0' variable. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/23479

WEBInsta Limbo Contact Form Arbitrary HTML Injection

Limbo CMS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'message' variable in the Contact form upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/23469

Ipswitch WhatsUp Professional NmService.exe Malformed Request CPU Consumption DoS

WhatsUp Professional contains a flaw that may allow a remote denial of service. The issue is triggered when the Login.asp script receives a NULL parameter setting for parameters that the script expects to receive, and will result in loss of availability for the platform.. Read more at osvdb.org/23494

Oi! Email Marketing System Login Username Field SQL Injection

Oi! Email Marketing System contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'username' input field in the login screen. This may allow an attacker to inject or manipulate SQL queries in the backend database.. Read more at osvdb.org/23462

PEAR Archive_Tar Traversal Arbitrary File Overwrite

PEAR Archive_Tar contains a flaw that may allow a malicious user to overwrite arbitrary files. The issue is triggered when a PHP script unarchives a crafted tar file. It is possible that the flaw may allow the overwriting of any file for which the web process has write permission, resulting in a loss of integrity.. Read more at osvdb.org/23481

iCal New Event Calendar Text Field XSS

iCal contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'Calendar Text' field upon creating a new event. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/23472

DEV web management system register.php mesto Variable XSS

DEV web management system contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'mesto' variable ("City/Region" field) upon submission to the register.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.. Read more at osvdb.org/23468