Monthly Archive: December 2013

NovaTech Orion Substation Automation Platform OrionLX DNP Master 1.27.38 and DNP Slave 1.23.10 and earlier and Orion5/Orion5r DNP Master 1.27.38 and DNP Slave 1.23.10 and earlier allow remote attackers to cause a denial of...

Multiple cross-site scripting (XSS) vulnerabilities in www/administrator.php in eFront 3.6.14 (build 18012) allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) Last name, (2) Lesson name, or (3) Course...

Multiple SQL injection vulnerabilities in C2C Forward Auction Creator 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) pa parameter to auction/asp/list.asp, or the (2) UserID or (3) Password to auction/casp/admin.asp....

Multiple SQL injection vulnerabilities in Dynamic Biz Website Builder (QuickWeb) allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/news-events/newdetail.asp, or the (2) UserID or (3) Password to login.asp....

Cross-site scripting (XSS) vulnerability in Tenmiles Helpdesk Pilot allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI for a ticket. Date published : 2013-12-20 http://makthepla.net/blog/=/helpdesk-pilot-add-admin http://secunia.com/advisories/55797

Multiple directory traversal vulnerabilities in iScripts AutoHoster, possibly 2.4, allow remote attackers to read arbitrary files via the (1) tmpid parameter to websitebuilder/showtemplateimage.php, (2) fname parameter to admin/downloadfile.php, or (3) id parameter to support/admin/csvdownload.php;...

Multiple SQL injection vulnerabilities in iScripts AutoHoster, possibly 2.4, allow remote attackers to execute arbitrary SQL commands via the cmbdomain parameter to (1) checktransferstatus.php, (2) checktransferstatusbck.php, or (3) additionalsettings.php; or (4) invno parameter to...

Cross-site scripting (XSS) vulnerability in KBKP Software HostBill before 2013-12-14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Date published : 2013-12-20 http://extras.hostbillapp.com/security-advisory-hostbill-version-2013-12-14/ http://hostbillapp.com/changelog

SQL injection vulnerability in form.php in the FormCraft plugin 1.3.7 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. Date published : 2013-12-20 http://www.securityfocus.com/bid/64183 http://www.exploit-db.com/exploits/30002

Buffer overflow in Steinberg MyMp3PRO 5.0 (Build 5.1.0.21) allows remote attackers to execute arbitrary code via a long string in a .m3u file. Date published : 2013-12-20 http://www.exploit-db.com/exploits/30032 http://packetstormsecurity.com/files/124282

Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in TYPO3 Flow (formerly FLOW3) 1.1.x before 1.1.1 and 2.0.x before 2.0.1 allows remote attackers to inject arbitrary web script or...

Cross-site scripting (XSS) vulnerability in the Backend User Administration Module in TYPO3 6.0.x before 6.0.12 and 6.1.x before 6.1.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Date published...

Cross-site scripting (XSS) vulnerability in Extension Manager in TYPO3 4.5.x before 4.5.32 and 4.7.x before 4.7.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Date published : 2013-12-20 http://www.securityfocus.com/bid/64247...

Multiple cross-site scripting (XSS) vulnerabilities in Content Editing Wizards in TYPO3 4.5.x before 4.5.32, 4.7.x before 4.7.17, 6.0.x before 6.0.12, 6.1.x before 6.1.7, and the development versions of 6.2 allow remote authenticated users to...