Monthly Archive: March 2009

SQL injection vulnerability in main.asp in Jbook allows remote attackers to execute arbitrary SQL commands via the username (user parameter). Date published : 2009-03-02 https://exchange.xforce.ibmcloud.com/vulnerabilities/47033

SQL injection vulnerability in login.asp in Ocean12 Membership Manager Pro allows remote attackers to execute arbitrary SQL commands via the Password parameter. NOTE: the provenance of this information is unknown; the details are obtained...

SQL injection vulnerability in asadmin/default.asp in Rae Media Contact Management Software SOHO, Standard, and Enterprise allows remote attackers to execute arbitrary SQL commands via the Password parameter. NOTE: some of these details are obtained...

Rapid Classified 3.1 and 3.15 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request to cldb.mdb. Date published :...

Quick Tree View .NET 3.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request to qtv.mdb. Date published :...

Cross-site scripting (XSS) vulnerability in showads.php in Z1Exchange 1.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. Date published : 2009-03-02 http://www.securityfocus.com/bid/32598 http://packetstormsecurity.org/0812-exploits/z1exchange-sqlxss.txt

Cross-site scripting (XSS) vulnerability in index.php in W3matter RevSense 1.0 allows remote attackers to inject arbitrary web script or HTML via the section parameter. Date published : 2009-03-02 http://packetstorm.linuxsecurity.com/0812-exploits/revsense-sqlxss.txt http://secunia.com/advisories/32996

Multiple cross-site request forgery (CSRF) vulnerabilities in Comment Mail 5.x before 5.x-1.1, a module for Drupal, allow remote attackers to hijack the authentication of administrators. Date published : 2009-03-02 http://drupal.org/node/339495 http://osvdb.org/50206

SQL injection vulnerability in SpeedTech Organization and Resource Manager (Storm) 5.x before 5.x-1.14 and 6.x before 6.x-1.18, a module for Drupal, allows remote authenticated users with storm project access to execute arbitrary SQL commands...

ASP Portal 3.2.5 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request to ASPPortal.mdb. Date published : 2009-03-02 https://www.exploit-db.com/exploits/7316...

SQL injection vulnerability in modules/adresses/viewcat.php in bcoos 1.0.13, and possibly earlier, allows remote authenticated users with Addresses module permissions to execute arbitrary SQL commands via the cid parameter. Date published : 2009-03-02 http://www.securityfocus.com/bid/32561 https://www.exploit-db.com/exploits/7317

SQL injection vulnerability in default.aspx in Active Web Helpdesk 2.0 allows remote attackers to execute arbitrary SQL commands via the CategoryID parameter. Date published : 2009-03-02 http://www.securityfocus.com/bid/32548 https://www.exploit-db.com/exploits/7298

SQL injection vulnerability in pics_pre.asp in Gallery MX 2.0.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. Date published : 2009-03-02 http://www.securityfocus.com/bid/32607 https://www.exploit-db.com/exploits/7326

SQL injection vulnerability in calendar_Eventupdate.asp in Calendar Mx Professional 2.0.0 allows remote attackers to execute arbitrary SQL commands via the ID parameter. Date published : 2009-03-02 http://www.securityfocus.com/bid/32609 https://www.exploit-db.com/exploits/7327