Computer Security


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published: 07.04.2010
Source:
SecurityVulns ID: 10748
Type: remote
Threat Level: 5/10
Description: PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.
Affected: MAHARA : mahara 1.2
 CA : XOsoft 12.0
 CA : XOsoft 12.5
 NEXTGEN : NextGEN Gallery 1.5
CVE: CVE-2010-1223 (Multiple buffer overflows in CA XOsoft r12.0 and r12.5 allow remote attackers to execute arbitrary code via (1) a malformed request to the ws_man/xosoapapi.asmx SOAP endpoint or (2) a long string to the entry_point.aspx service.)
 CVE-2010-1222 (CA XOsoft r12.5 does not properly perform authentication, which allows remote attackers to obtain potentially sensitive information via a SOAP request.)
 CVE-2010-1221 (CA XOsoft r12.0 and r12.5 does not properly perform authentication, which allows remote attackers to enumerate usernames via a SOAP request.)
 CVE-2010-1186 (Cross-site scripting (XSS) vulnerability in xml/media-rss.php in the NextGEN Gallery plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the mode parameter.)
 CVE-2010-0400 (SQL injection vulnerability in lib/user.php in mahara 1.0.4 allows remote attackers to execute arbitrary SQL commands via a username.)
Original documents: CORE SECURITY TECHNOLOGIES ADVISORIES, CORE-2010-0323: XSS Vulnerability in NextGEN Gallery Wordpress Plugin (07.04.2010)
 ZDI, ZDI-10-065: CA XOsoft xosoapapi.asmx Multiple Remote Code Execution Vulnerabilities (07.04.2010)
 ZDI, ZDI-10-066: CA XOsoft Control Service entry_point.aspx Remote Code Execution Vulnerability (07.04.2010)
 CA, CA20100406-01: Security Notice for CA XOsoft (07.04.2010)
 DEBIAN, [SECURITY] [DSA 2030-1] New mahara packages fix sql injection (07.04.2010)
 MustLive, New vulnerabilities in CMS SiteLogic (07.04.2010)
 Inj3ct0r.com, MKPortal lenta module XSS Vulnerability (07.04.2010)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod