Monthly Archive: April 2005

Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary script in other domains via a setter function for a variable in the target domain, which is executed when the...

Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option....

McAfee Internet Security Suite 2005 uses insecure default ACLs for installed files, which allows local users to gain privileges or disable protection by modifying certain files. Date published : 2005-04-18 http://www.idefense.com/application/poi/display?id=233&type=vulnerabilities

AppleWebKit (WebCore and WebKit), as used in multiple products such as Safari 1.2 and OmniGroup OmniWeb 5.1, allows remote attackers to read arbitrary files via the XMLHttpRequest Javascript component, as demonstrated using automatically mounted...

The Plugin Finder Service (PFS) in Firefox before 1.0.3 allows remote attackers to execute arbitrary code via a javascript: URL in the PLUGINSPAGE attribute of an EMBED tag. Date published : 2005-04-18 http://www.securityfocus.com/bid/13228 http://www.mozilla.org/security/announce/mfsa2005-34.html

Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and earlier, when running on Windows systems, allows attackers to cause a denial of service (hang). Date published : 2005-04-16 http://www.osvdb.org/15504 http://secunia.com/advisories/14961

SQL injection vulnerability in admin/login.asp in aspclick.it ACNews 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters. Date published : 2005-04-16 http://www.securityfocus.com/bid/13148 http://www.osvdb.org/15494

calendar.pl in CalendarScript 3.21 allows remote attackers to obtain sensitive information via invalid (1) year or (2) month parameters, which leaks the full pathname and debug information. Date published : 2005-04-16 http://www.snkenjoi.com/secadv/secadv3.txt http://securitytracker.com/id?1013705

calendar.pl in CalendarScript 3.20 allows remote attackers to obtain sensitive information via invalid (1) calendar or (2) template parameters, which leaks the full pathname and debug information. Date published : 2005-04-16 http://www.snkenjoi.com/secadv/secadv3.txt http://www.osvdb.org/15546

** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in the login command in calendar.pl in CalendarScript 3.21 allows remote attackers to inject arbitrary web script or...

** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in calendar.pl in CalendarScript 3.20 allows remote attackers to inject arbitrary web script or HTML via the template...

popup.php in EasyPHPCalendar before 6.2.8 allows remote attackers to obtain sensitive information via an invalid ev parameter, which reveals the full pathname of the web server in a PHP error message. Date published :...

Cross-site scripting (XSS) vulnerability in index.php in EasyPHPCalendar before 6.2.8 allows remote attackers to inject arbitrary web script or HTML via the yr parameter. Date published : 2005-04-16 http://docs.easyphpcalendar.com/Change%20Log/changeLog.htm http://www.snkenjoi.com/secadv/secadv4.txt

Heap-based buffer overflow in the readpgm function in pnm.c for GOCR 0.40, when it is not using netpbm, allows remote attackers to execute arbitrary code via a P3 format PNM file with more data...