Monthly Archive: January 2009

Directory traversal vulnerability in index.php in eDreamers eDContainer 2.22, when magic_quotes_gpc is disabled, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lg parameter. NOTE: some...

Multiple SQL injection vulnerabilities in index.php in Web Scribble Solutions webClassifieds 2005 allow remote attackers to execute arbitrary SQL commands via the (1) user and (2) password fields in a sign_in action. Date published...

SQL injection vulnerability in repository.php in ILIAS 3.7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ref_id parameter. Date published : 2009-01-02 http://www.securityfocus.com/bid/33006 https://www.exploit-db.com/exploits/7570

SQL injection vulnerability in Acomment.php in phpAlumni allows remote attackers to execute arbitrary SQL commands via the id parameter. Date published : 2009-01-02 http://www.securityfocus.com/bid/33055 https://www.exploit-db.com/exploits/7621

Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details,...

SQL injection vulnerability in inc/rubriques.php in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 allows remote attackers to execute arbitrary SQL commands via the ID parameter. NOTE: some of these details...

Multiple unspecified vulnerabilities in SPIP 1.8 before 1.8.3b, 1.9 before 1.9.2g, and 2.0 before 2.0.2 have unknown impact and attack vectors. Date published : 2009-01-02 http://www.securityfocus.com/bid/33061 http://www.spip-contrib.net/SPIP-1-8-3b-1-9-2g-2-2

SQL injection vulnerability in the PaxGallery (com_paxgallery) component 0.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the gid parameter in a table action to index.php. Date published : 2009-01-02 http://www.securityfocus.com/bid/33035...

WBPublish (aka WBPublish.exe) in Fujitsu-Siemens WebTransactions 7.0, 7.1, and possibly other versions allows remote attackers to execute arbitrary commands via shell metacharacters in input that is sent through HTTP and improperly used during temporary...

futomi CGI Cafe Access Analyzer CGI Standard 4.0.1 and earlier and Access Analyzer CGI Professional 4.11.3 and earlier use a predictable session id, which makes it easier for remote attackers to hijack sessions, and...

Cross-site scripting (XSS) vulnerability in Six Apart Movable Type Enterprise (MTE) 1.x before 1.56; Movable Type (MT) 3.x before 3.38; and Movable Type, Movable Type Open Source (MTOS), and Movable Type Enterprise 4.x before...

CRLF injection vulnerability in xterm allows user-assisted attackers to execute arbitrary commands via LF (aka n) characters surrounding a command name within a Device Control Request Status String (DECRQSS) escape sequence in a text...

SQL injection vulnerability in the create function in common/include/GroupJoinRequest.class in GForge 4.5 and 4.6 allows remote attackers to execute arbitrary SQL commands via the comments variable. Date published : 2009-01-02 http://www.securityfocus.com/bid/33086 http://gforge.org/scm/viewvc.php/branches/Branch_4_5/gforge/common/include/GroupJoinRequest.class?root=gforge&r1=4590&r2=6709