Monthly Archive: April 2008

Unrestricted file upload vulnerability in the ajout_cat mode in admin/main.php in Tr Script News 2.1 allows remote authenticated users to execute arbitrary code by uploading a file with a .php extension. Date published :...

SQL injection vulnerability in news.php in Tr Script News 2.1 allows remote attackers to execute arbitrary SQL commands via the nb parameter in voir mode. Date published : 2008-04-25 http://www.securityfocus.com/bid/28876 https://www.exploit-db.com/exploits/5483

Cross-site scripting (XSS) vulnerability in index.php in Wikepage Opus 13 2007.2 allows remote attackers to inject arbitrary web script or HTML via the wiki parameter. Date published : 2008-04-25 http://www.securityfocus.com/bid/28842 http://www.securityfocus.com/archive/1/491065/100/0/threaded

Cross-site scripting (XSS) vulnerability in rep.php in Martin BOUCHER MyBoard 1.0.12 allows remote attackers to inject arbitrary web script or HTML via the id parameter. information. Date published : 2008-04-25 http://www.securityfocus.com/bid/28823 http://www.z0rlu.ownspace.org/index.php?/archives/52-MyBoard-1.0.12-XSS.html

SQL injection vulnerability in one_day.php in Web Calendar Pro 4.1 and earlier allows remote attackers to execute arbitrary SQL commands via the user_id parameter. Date published : 2008-04-25 http://www.securityfocus.com/bid/28921 https://www.exploit-db.com/exploits/5485

Cross-site scripting (XSS) vulnerability in the Sitedesigner before 1.1.5 search template in Magnolia Enterprise Edition allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this...

Unspecified vulnerability in the HP HPeDiag (aka eSupportDiagnostics) ActiveX control in hpediag.dll in HP Software Update 4.000.009.002 and earlier allows remote attackers to execute arbitrary code or obtain sensitive information via unspecified vectors. NOTE:...

Foxit Reader 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PDF file with (1) a malformed ExtGState resource containing a /Font resource, or (2)...

Cross-site scripting (XSS) vulnerability in the profile update feature in Akiva WebBoard 8.0 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors in the form field. NOTE: the provenance...

The RBAC functionality in grsecurity before 2.1.11-2.6.24.5 and 2.1.11-2.4.36.2 does not enforce user_transition_deny and user_transition_allow rules for the (1) sys_setfsuid and (2) sys_setfsgid calls, which allows local users to bypass restrictions for those calls....

Multiple SQL injection vulnerabilities in W1L3D4 Philboard 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) topic parameters to (a) philboard_reply.asp, and the (3) forumid parameter to (b)...

Sony Mylo COM-2 Japanese model firmware before 1.002 does not properly verify web server SSL certificates, which allows remote attackers to obtain sensitive information and conduct spoofing attacks. Date published : 2008-04-24 http://www.securityfocus.com/bid/28905 http://esupport.sony.com/perl/news-item.pl?news_id=262&mdl=COM2

The user form processing (userform.py) in MoinMoin before 1.6.3, when using ACLs or a non-empty superusers list, does not properly manage users, which allows remote attackers to gain privileges. Date published : 2008-04-24 http://www.securityfocus.com/bid/28869...

SQL injection vulnerability in index.php in Classifieds Caffe allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in an add action. NOTE: this issue might be site-specific. Date published : 2008-04-24...