Application: vbDrupal
Affected Version: all 5.x versions prior to 5.10.0.
Vendor’s URL: vbDrupal
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 5.10.0 or later.

Cross Site Scripting, Discussion Boards

Application: Mambo
Affected Version: version 4.6.5 and reported in version 4.6.2 and other versions.
Vendor’s URL: Mambo
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting

Application: Vanilla
Affected Version: version 1.1.4 and other versions.
Vendor’s URL: Vanilla
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
All vulnerabilities except for the “Value” form field in #2 are fixed in version 1.1.5-rc1.
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted web sites while logged on to the application.

Cross Site Scripting, Discussion Boards

Application: PHP Live Helper
Affected Version: version 2.0.1 and other versions.
Vendor’s URL: PHP Live Helper
Bug Type: SQL Injection
Risk Level: Critcal

Solution:
Update to version 2.1.0.

Customer Relationship, SQL Injection

Application: vBulletin
Affected Version: 3.7.2 PL1 and 3.6.10 PL3 and prior versions.
Vendor’s URL: vBulletin
Bug Type: Script Insertion
Risk Level: Medium

Solution:
Update to version 3.7.2 PL2 or 3.6.10 PL4.

Discussion Boards

Application: TinyCMS
Affected Version: version 1.1.2 and other versions.
Vendor’s URL: TinyCMS
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

Content Management, File Inclusion

Application: Kayako
Affected Version: version 3.20.02 and prior versions
Vendor’s URL: SupportSuite
Bug Type: SQL Injection and Cross Site Scripting
Risk Level: Critical

Solution:
Fixed in version 3.30.00 RC3.

Filter malicious characters and character sequences in a web proxy.

Cross Site Scripting, Customer Relationship, SQL Injection

Application: Drupal
Affected Version: all 6.x versions prior to 6.4
Vendor’s URL: Drupal
Bug Type: Cross Site Scripting and Security Bypass
Risk Level: Medium

Solution:
Update to version 6.4.

Access Bypass, Content Management, Cross Site Scripting

Application: Drupal
Affected Version: all 5.x versions prior to 5.10 and all 6.x versions prior to 6.4
Vendor’s URL: Drupal
Bug Type: Cross Site Scripting, Script Insertion
Risk Level: Critical

Solution:
Update to version 5.10 or 6.4.

Content Management, Cross Site Scripting

Application: IceBB
Affected Version: version 1.0-rc9.2 and prior versions.
Vendor’s URL: IceBB
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 1.0-rc9.3.

Discussion Boards, SQL Injection

Application: PunBB
Affected Version: prior to 1.2.19
Vendor’s URL: PunBB
Bug Type: Command Injection and Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 1.2.19.
http://punbb.informer.com/downloads.php

Cross Site Scripting, Discussion Boards, Remote Command Execution

Application: SiteAdmin
Affected Version:
Vendor’s URL: SiteAdmin
Bug Type: SQL injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, SQL Injection

Application: MyBB
Affected Version: All 1.2.x versions prior to 1.2.14
Vendor’s URL: MyBB
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 1.2.14.

Cross Site Scripting, Discussion Boards

Application: Coppermine
Affected Version: version 1.4.18 and other versions.
Vendor’s URL: Photo Gallery
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Update to version 1.4.19.

File Inclusion, Image Galleries

Application: E-Store Kit
Affected Version: E-Store Kit-1, E-Store Kit-2, E-Store Kit-1 Pro PayPal Edition, and E-Store Kit-2 PayPal Edition
Vendor’s URL: E-Store Kit
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Filter malicious characters and character sequences in a web proxy.

E-Commerce, SQL Injection

Application: Gallery
Affected Version: prior to 1.5.8
Vendor’s URL: Gallery
Bug Type:
Risk Level: Security Bypass, Cross Site Scripting

Solution:
Update to version 1.5.8.

Access Bypass, Cross Site Scripting, Image Galleries

Application: Xoops
Affected Version: version 2.22 and other versions.
Vendor’s URL: Kshop Module
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting

Application: Zoph
Affected Version: prior to 0.7.0.5.
Vendor’s URL: Zoph
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 0.7.0.5.

Image Galleries, SQL Injection

Application: Geeklog
Affected Version:
Vendor’s URL: Geeklog Forum Plugin
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 2.7.1.

Content Management, Cross Site Scripting

Application: Drupal
Affected Version: all 5.x versions prior to 5.9 and all 6.x versions prior to 6.3
Vendor’s URL: Drupal
Bug Type: Hijack
Risk Level: Medium

Solution:
Update to version 5.9 or 6.3.
Apply patch to 5.8:
http://drupal.org/files/sa-2008-046/SA-2008-046-5.8.patch

Content Management