

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 27.06.2007
Source:
SecurityVulns ID: 7855
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: QUICKTICKET : QuickTicket 1.2
 QUICKTALK : QuickTalk guestbook 1.2
 RAINWORX : rwAuction Pro 5.0
 XYTHOS : Xythos Enterprise Document Manager 5.0
 XYTHOS : Xythos Enterprise Document Manager 6.0
 XYTHOS : Xythos Digital Locker 6.0
 XYTHOS : Xythos Digital Locker 5.0
CVE: CVE-2007-3256 (Xythos Enterprise Document Manager (XEDM), Digital Locker (XDL), and possibly WebFile Server before 6.0.46.1 allow remote authenticated users to associate arbitrary Content-Type HTTP headers with documents, which might facilitate malware distribution.)
 CVE-2007-3255 (Multiple cross-site request forgery (CSRF) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to execute commands as arbitrary users via (1) a saved Workflow name or (2) the Content-Type HTTP header. NOTE: item 2 also affects the same version numbers of Xythos Digital Locker (XDL). One or both vectors might also affect Xythos WebFile Server.)
 CVE-2007-3254 (Multiple cross-site scripting (XSS) vulnerabilities in Xythos Enterprise Document Manager (XEDM) before 5.0.25.8, and 6.x before 6.0.46.1, allow remote authenticated users to inject arbitrary web script or HTML via (1) a saved Workflow name; (2) a Workflow name, related to deletion of a Workflow template; (3) the Content-Type HTTP header; or (4) the name of an uploaded file. NOTE: items 3 and 4 also affect the same version numbers of Xythos Digital Locker (XDL). Some or all vectors might also affect Xythos WebFile Server.)
Original documents:
 Timothy Redaelli, [Full-disclosure] deviantArt does not check authorization for image download (27.06.2007)
 SYMANTEC, SYMSA-2007-004: Multiple Vulnerabilities in Xythos Server Products (27.06.2007)
 r0t, rwAuction Pro XSS vuln. (27.06.2007)
 r0t, QuickTalk guestbook sql inj. (27.06.2007)
 r0t, QuickTicket multiple sql inj. (27.06.2007)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod