Computer Security
[EN] securityvulns.ru no-pyccku


Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
Published:24.10.2011
Source:
SecurityVulns ID:11995
Type:remote
Threat Level:
5/10
Description:PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.
Affected:SITEATSCHOOL : Site@School 2.4
 OPENENGINE : openEngine 2.0
 TINE20 : Tine 2.0
 OCSINVENTORYNG : OCS Inventory NG 2.0
 YETANOTHERCMS : Yet Another CMS 1.0
 DOLPHIN : Dolphin 7.0
 WORDPRESS : BackWPUp 2.1
 BUGFREE : BugFree 2.1
 WORDPRESS : Pretty Link 1.4
 LEDGERSMB : LedgerSMB 1.3
 ZOHO : ADSelfService Plus 4.5
 JOOMLA : JCE 2.0
 KAIBB : KaiBB 2.0
 CONTAO : Contao 2.10
 ACTIVEDEV : Active CMS 1.2
 SIMPLEPRESS : Simple:Press Forum 4.4
CVE:CVE-2011-4024 (Cross-site scripting (XSS) vulnerability in ocsinventory in OCS Inventory NG 2.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.)
 CVE-2011-1364 (Cross-site request forgery (CSRF) vulnerability in _ah/admin/interactive/execute (aka the Interactive Console) in the SDK Console (aka Admin Console) in the Google App Engine Python SDK before 1.5.4 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary Python code via the code parameter.)
 CVE-2009-3580 (Cross-site request forgery (CSRF) vulnerability in am.pl in SQL-Ledger 2.8.24 allows remote attackers to hijack the authentication of arbitrary users for requests that change a password via the login, new_password, and confirm_password parameters in a preferences action.)
Original documentdocumentMustLive, Code Execution and FPD vulnerabilities in Simple:Press Forum for WordPress (24.10.2011)
 documentBHG Security Center, Joomla Component (com_sgicatalog) <= SQL Injection Vulnerability (24.10.2011)
 documentsschurtz_(at)_t-online.de, Active CMS 1.2.0 'mod' Cross-site Scripting Vulnerability (24.10.2011)
 documentsschurtz_(at)_t-online.de, Contao 2.10.1 Cross-site scripting vulnerability (24.10.2011)
 documentsschurtz_(at)_t-online.de, openEngine 2.0 'key' Blind SQL Injection vulnerability (24.10.2011)
 documentsschurtz_(at)_t-online.de, KaiBB 2.0.1 XSS and SQL Injection vulnerabilities (24.10.2011)
 documentadmin_(at)_bugreport.ir, msgid:20111011124445.o20ddea800k00084@mail.bugreport.ir?to=bugtraq@securityfocus.com&from=admin@bugreport.ir&folder=\\3APA3A\Bugtraq&subject=Related%20POC%20for%20JCE%20Joomla%20Extension%20<%3D2 (24.10.2011)
 documentroberto.paleari_(at)_emaze.net, ZOHO ManageEngine ADSelfService Plus Administrative Access (24.10.2011)
 documentAdi Sharabani, Google App Enging SDK Code Execution Vulnerability (CVE 2011-1364) (24.10.2011)
 documentChris Travers, LedgerSMB 1.3.0 released, includes anti-XSRF framework (24.10.2011)
 documentHigh-Tech Bridge Security Research, Multiple vulnerabilities in BugFree (24.10.2011)
 documentHigh-Tech Bridge Security Research, Multiple vulnerabilities in Pretty Link WordPress Plugin (24.10.2011)
 documentDrew Calcott, Security-Assessment.com Advisory: Destination Search Admin Console Access Control Bypass (24.10.2011)
 documentlists_(at)_senseofsecurity.com, WordPress Plugin BackWPUp 2.1.4 - Security Advisory - SOS-11-012 (24.10.2011)
 documentnoreply_(at)_ptsecurity.ru, [PT-2011-14] SQL injection vulnerability in BoonEx Dolphin (24.10.2011)
 documentsschurtz_(at)_t-online.de, Site@School 2.4.10 SQL Injection & XSS vulnerabilities (24.10.2011)
 documentn0b0d13s_(at)_gmail.com, Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection (24.10.2011)
 documentsschurtz_(at)_t-online.de, Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities (24.10.2011)
 documentHigh-Tech Bridge Security Research, Multiple vulnerabilities in Tine 2.0 (24.10.2011)
 documentNicolas DEROUET, OCS Inventory NG 2.0.1 Persistent XSS (CVE-2011-4024) (24.10.2011)
 documentsschurtz_(at)_t-online.de, Metasploit 4.1.0 Web UI stored XSS vulnerability (24.10.2011)
 documentmd.r00t.defacer_(at)_gmail.com, inCommand Technologies, Inc. Cross-site Scripting Vulnerability (24.10.2011)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod