Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

| Field | Value |
|---|---|
| Published | 27.06.2007 |
| Source | |
| SecurityVulns ID | 7855 |
| Type | remote |
| Level | 5/10 |
| Description | PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc. |

Affected:

- QUICKTICKET : QuickTicket 1.2
- QUICKTALK : QuickTalk guestbook 1.2
- RAINWORX : rwAuction Pro 5.0
- XYTHOS : Xythos Enterprise Document Manager 5.0
- XYTHOS : Xythos Enterprise Document Manager 6.0
- XYTHOS : Xythos Digital Locker 6.0
- XYTHOS : Xythos Digital Locker 5.0

CVE:

- CVE-2007-3256 (Xythos Enterprise Document Manager (XEDM), Digital Locker (XDL), and possibly WebFile Server before 6.0.46.1 allow remote authenticated users to associate arbitrary Content-Type HTTP headers with documents, which might facilitate malware distribution.)
- CVE-2007-3255 (Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server.)
- CVE-2007-3254 (Multiple cross-site scripting (XSS) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to inject arbitrary web script or HTML via (1) a saved Workflow name; (2) a Workflow name, related to deletion of a Workflow template; (3) the Content-Type HTTP header; or (4) the name of an uploaded file. NOTE: items 3 and 4 also affect the same version numbers of Xythos Digital Locker (XDL). Some or all vectors might also affect Xythos WebFile Server.)