Archive for December, 2007

TikiWiki Multiple Vulnerabilities

December 28th, 2007

Application: Tikiwiki
Affected Version: Tikiwiki 1.x
Vendor’s URL: Application download page
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 1.9.9.

Cross Site Scripting

SineCms SQL Injection and Script Insertion

December 28th, 2007

Application: SineCms
Affected Version: SineCms 2.x
Vendor’s URL: Module download page
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 2.2.6 of the Guestbook module and version 2.2.4 of the Calendar module.

Cross Site Scripting, SQL Injection

Drupal Shoutbox Module Script Insertion Vulnerabilities

December 28th, 2007

Application: Drupal Shoutbox Module
Affected Version: Drupal Shoutbox Module 5.x
Vendor’s URL: Module download page
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Update to version 5.x-1.1.

Cross Site Scripting

vbDrupal SQL Injection

December 28th, 2007

Application: vbDrupal
Affected Version: vbDrupal 4.x / 5.x
Vendor’s URL: Application download page
Bug Type: SQL Injection
Risk Level: High

Solution:
Update to version 4.7.9.0 or 5.4.0.

SQL Injection

wpQuiz Two SQL Injection Vulnerabilities

December 28th, 2007

Application: wpQuiz
Affected Version: wpQuiz 2.x
Vendor’s URL: Application download page
Bug Type: SQL Injection
Risk Level: High

Solution:
Consult the developer for proper action.

SQL Injection

vBTube Cross-Site Scripting Vulnerability

December 28th, 2007

Application: vBTube (module for vBulletin)
Affected Version: vBTube 1.x
Vendor’s URL: Application page
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Consult the developer for proper action.

Cross Site Scripting

PHP_CON File Inclusion

December 28th, 2007

Application: PHP_CON
Affected Version: PHP_CON 1.x
Vendor’s URL: Application download page
Bug Type: Exposure of system / sensitive information
Risk Level: High

Solution:
Consult the developer for proper action.

File Inclusion

Charray’s CMS File Inclusion

December 28th, 2007

Application: Charray’s CMS
Affected Version: Charray’s CMS 0.x
Vendor’s URL: Application download page
Bug Type: SQL Injection
Risk Level: Low

Solution:
Consult the developer for proper action.

File Inclusion

VU Case Manager SQL Injection Vulnerabilities

December 28th, 2007

Application: VU Case Manager
Affected Version: VU Case Manager 3.x
Vendor’s URL: Application download page
Bug Type: SQL Injection
Risk Level: High

Solution:
Consult the developer for proper action.

SQL Injection

DevMass Shopping Cart File Inclusion

December 28th, 2007

Application: DevMass Shopping Cart
Affected Version: DevMass Shopping Cart 1.x
Vendor’s URL: Application download page
Bug Type: Exposure of system / sensitive information
Risk Level: High

Solution:
Edit the source code or consult the developer.

File Inclusion

Content Injector SQL Injection Vulnerability

December 28th, 2007

Application: Content Injector
Affected Version: Content Injector 1.x
Vendor’s URL: Application download page
Bug Type: SQL Injection
Risk Level: Low

Solution:
Update to version 1.53 or latest.

SQL Injection

PHPKIT SQL Injection Vulnerability

December 28th, 2007

Application: PHPKIT
Affected Version: PHPKIT 1.x
Vendor’s URL: Application site
Bug Type: Manipulation of data
Risk Level: High

Solution:
Edit the source code to ensure that input is sanitised, or consult with the provider for proper action.

SQL Injection

SimpleForum “searchkey” Cross-Site Scripting Vulnerability

December 28th, 2007

Application: SimpleForum
Affected Version: SimpleForum 4.x
Vendor’s URL: Application site
Bug Type: Cross Site Scripting
Risk Level: Low

Solution:
Edit the source code or consult the developer.

Cross Site Scripting

mBlog File Inclusion Vulnerability

December 28th, 2007

Application: mBlog
Affected Version: mBlog 1.x
Vendor’s URL: Application download site
Bug Type: Exposure of sensitive and system information
Risk Level: Critical

Solution:
Edit the source code to ensure that input is sanitised, or consult with the provider for proper action.

File Inclusion

NmnNewsletter “output” File Inclusion Vulnerability

December 28th, 2007

Application: NmnNewsletter
Affected Version: NmnNewsletter 1.x
Vendor’s URL: Application site
Bug Type: File Inclusion
Risk Level: High

Solution:
Edit the source code or consult the developer.

File Inclusion

Limbo “com_option” Cross-Site Scripting

December 28th, 2007

Application: Limbo
Affected Version: Limbo 1.x
Vendor’s URL: Application site
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Edit the source code to ensure that input is sanitised, or consult with the provider for proper action.

Cross Site Scripting

Gallery Multiple Vulnerabilities

December 28th, 2007

Application: Gallery
Affected Version: Gallery 2.x
Vendor’s URL: Application site
Bug Type: Exposure of sensitive information, Cross Site Scripting, Security Bypass
Risk Level: Critical

Solution:
Update to version 2.2.4.

Access Bypass, Cross Site Scripting

MailMachinePRO “id” SQL Injection Vulnerability

December 28th, 2007

Application: MailMachinePRO
Affected Version: MailMachinePRO 2.x
Vendor’s URL: MailMachinePRO site
Bug Type: Exposure of sensitive information, manipulation of data
Risk Level: Critical

Solution:
Edit the source code to ensure that input is sanitised, or consult with the provider for proper action.
*Update: Users are advised to update MailMachinePRO to version 2.2.6.

File Inclusion

PMOS Help Desk PHP Code Execution and Security Bypass

December 28th, 2007

Application: PMOS Help Desk
Affected Version: PMOS Help Desk 2.x
Vendor’s URL: Application site
Bug Type: Cross Site Scripting, System bypass
Risk Level: Critical

Solution:
Consult with the provider for proper action.

Access Bypass, Cross Site Scripting

Dokeos “My productions” File Upload and Cross-Site Scripting Vulnerabilities

December 28th, 2007

Application: Dokeos
Affected Version: Dokeos 1.x
Vendor’s URL: Application site
Bug Type: Cross Site Scripting, System bypass
Risk Level: Critical

Solution:
Edit the source code to ensure that input is sanitised, or consult with the provider for proper action.

Access Bypass, Cross Site Scripting