Monthly Archive: April 2010

Cross-site scripting (XSS) vulnerability in ts_other.php in the Teamsite Hack plugin 3.0 and earlier for WoltLab Burning Board allows remote attackers to inject arbitrary web script or HTML via the userid parameter in a...

SQL injection vulnerability in ts_other.php in the Teamsite Hack plugin 3.0 and earlier for WoltLab Burning Board allows remote attackers to execute arbitrary SQL commands via the userid parameter in a modboard action. Date...

Multiple PHP remote file inclusion vulnerabilities in definitions.php in Lussumo Vanilla 1.1.10, and possibly 0.9.2 and other versions, allow remote attackers to execute arbitrary PHP code via a URL in the (1) include and...

Multiple SQL injection vulnerabilities in INVOhost 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) id and (2) newlanguage parameters to site.php, (3) search parameter to manuals.php, and (4) unspecified vectors...

Multiple PHP remote file inclusion vulnerabilities in Insky CMS 006-0111, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the ROOT parameter to (1) city.get/city.get.php, (2) city.get/index.php,...

Unrestricted file upload vulnerability in Pulse CMS Basic 1.2.4 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension followed by a safe extension, then accessing it via...

Multiple cross-site scripting (XSS) vulnerabilities in Almas Inc. Compiere J300_A02 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Date published : 2010-04-09 http://www.compiere-japan.com/products/release/patch.html http://jvn.jp/en/jp/JVN38687002/index.html

Cross-site scripting (XSS) vulnerability in PrettyBook PrettyFormMail allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Date published : 2010-04-09 http://jvn.jp/en/jp/JVN41842181/index.html http://jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-000007.html

SQL injection vulnerability in Heartlogic HL-SiteManager allows remote attackers to execute arbitrary SQL commands via unknown vectors. Date published : 2010-04-09 http://www.heartlogic.jp/docs/free_cgi/hl-sitemanager.html http://jvn.jp/en/jp/JVN60969543/index.html

Unrestricted file upload vulnerability in Pulse CMS Basic 1.2.2 and 1.2.3, and possibly Pulse Pro before 1.3.2, allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then...

Multiple cross-site request forgery (CSRF) vulnerabilities in Pulse CMS Basic 1.2.2 and 1.2.3, and possibly Pulse Pro before 1.3.2, allow remote attackers to hijack the authentication of users for requests that (1) upload image...

Directory traversal vulnerability in weberpcustomer.php in the webERPcustomer (com_weberpcustomer) component 1.2.1 and 1.x before 1.06.02 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to...

Directory traversal vulnerability in the Highslide JS (com_hsconfig) component 1.5 and 2.0.9 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter to index.php. NOTE: some...

Directory traversal vulnerability in the Seber Cart (com_sebercart) component 1.0.0.12 and 1.0.0.13 for Joomla!, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the view parameter...