Archive for August, 2008

vbDrupal Multiple Vulnerabilities

August 25th, 2008

Application: vbDrupal
Affected Version: all 5.x versions prior to 5.10.0.
Vendor’s URL: vbDrupal
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 5.10.0 or later.

Cross Site Scripting, Discussion Boards

Mambo Two XSS Vulnerabilities

August 25th, 2008

Application: Mambo
Affected Version: version 4.6.5; also reported in version 4.6.2 and other versions.
Vendor’s URL: Mambo
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting

Vanilla Multiple Vulnerabilities

August 25th, 2008

Application: Vanilla
Affected Version: version 1.1.4 and other versions.
Vendor’s URL: Vanilla
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
All vulnerabilities except for the “Value” form field in #2 are fixed in version 1.1.5-rc1.
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted web sites while logged on to the application.

Cross Site Scripting, Discussion Boards

PHP Live Helper Multiple Vulnerabilities

August 25th, 2008

Application: PHP Live Helper
Affected Version: version 2.0.1 and other versions.
Vendor’s URL: PHP Live Helper
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 2.1.0.

Customer Relationship, SQL Injection

vBulletin Private Message Subject Script Insertion

August 25th, 2008

Application: vBulletin
Affected Version: 3.7.2 PL1, 3.6.10 PL3, and prior versions.
Vendor’s URL: vBulletin
Bug Type: Script Insertion
Risk Level: Medium

Solution:
Update to version 3.7.2 PL2 or 3.6.10 PL4.

Discussion Boards

TinyCMS “config[template]” Local File Inclusion

August 25th, 2008

Application: TinyCMS
Affected Version: version 1.1.2 and other versions.
Vendor’s URL: TinyCMS
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

Content Management, File Inclusion

Kayako SupportSuite Multiple Vulnerabilities

August 25th, 2008

Application: Kayako
Affected Version: version 3.20.02 and prior versions.
Vendor’s URL: SupportSuite
Bug Type: SQL Injection and Cross Site Scripting
Risk Level: Critical

Solution:
Fixed in version 3.30.00 RC3.

Filter malicious characters and character sequences in a web proxy.

Cross Site Scripting, Customer Relationship, SQL Injection

Drupal XSRF and Security Bypass

August 25th, 2008

Application: Drupal
Affected Version: all 6.x versions prior to 6.4.
Vendor’s URL: Drupal
Bug Type: Cross Site Scripting and Security Bypass
Risk Level: Medium

Solution:
Update to version 6.4.

Access Bypass, Content Management,