Archive for May, 2010

Joomla JE Ajax Event Calendar Component “view” File Inclusion

May 26th, 2010

Application: Joomla
Affected Version: version 1.0.1 and other versions.
Vendor’s URL: JE Ajax Event Calendar Component
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

Content Management, File Inclusion

Joomla Components “controller” File Inclusion Vulnerability

May 26th, 2010

Application: Joomla
Vendor’s URL:
Joomla Graphics Component “controller” File Inclusion Vulnerability (version 1.5.0)
Solution: Edit the source code to ensure that input is properly verified.
Joomla SmartSite Component “controller” File Inclusion Vulnerability (version 1.0.0)
Solution: Edit the source code to ensure that input is properly verified.
Joomla NoticeBoard Component “controller” File Inclusion Vulnerability (version 1.3)
Solution: Edit the source code to ensure that input is properly verified.
Joomla Dione Form Wizard Component “controller” File Inclusion Vulnerability (version 1.0.2)
Solution: Reportedly fixed in version 1.0.3. Contact the vendor for further information.
Joomla SimpleDownload Component “controller” File Inclusion Vulnerability (version 0.9.5)
Solution: Update to version 0.9.6 or later.
Joomla Percha Multicategory Article Component “controller” File Inclusion (version 0.6)
Solution: Edit the source code to ensure that input is properly verified.

Bug Type: File Inclusion
Risk Level: Critical

Content Management

WordPress Simple:Press Plugin Multiple Vulnerabilities

May 26th, 2010

Application: WordPress
Affected Version: versions prior to 4.1.3.
Vendor’s URL: Simple:Press Plugin
Bug Type: Security Bypass and System access
Risk Level: Critical

Solution:
Update to version 4.1.3 or later.

Access Bypass, Content Management

Drupal WordPress Import Module Arbitrary File Upload

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-2.1.
Vendor’s URL: WordPress Import Module
Bug Type: File Upload
Risk Level: Critical

Solution:
Update to version 6.x-2.1.

Content Management, File Inclusion

Drupal Panels Module PHP Code Execution

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-3.4.
Vendor’s URL: Panels Module
Bug Type: Code Execution
Risk Level: Critical

Solution:
Update to version 6.x-3.4.

Content Management, Remote Command Execution

Drupal Chaos Tool Suite Module Multiple Vulnerabilities

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-1.4.
Vendor’s URL: Chaos Tool Suite Module
Bug Type: Cross Site Scripting and Access Bypass
Risk Level: Critical

Solution:
Update to version 6.x-1.4.

Content Management, Cross Site Scripting

Drupal Heartbeat Module Script Insertion

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-4.9.
Vendor’s URL: Heartbeat Module
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to Heartbeat 6.x-4.9.

Content Management, Cross Site Scripting

MigasCMS “categorie” SQLi

May 26th, 2010

Application: MigasCMS
Affected Version: version 1.1 and other versions.
Vendor’s URL: MigasCMS
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, SQL Injection

Joomla Konsultasi Component “sid” SQLi

May 26th, 2010

Application: Joomla
Affected Version: version 1.0.0 and other versions.
Vendor’s URL: Konsultasi Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, SQL Injection

Invision Power Board Image Disclosure

May 26th, 2010

Application: Invision Power Board
Affected Version: version 3.0.5.
Vendor’s URL: Invision Power Board
Bug Type: Information Disclosure
Risk Level: Critical

Solution:
Apply the patch.

Discussion Boards, Information Disclosure

Invision Power Board Script Insertion

May 26th, 2010

Application: Invision Power Board
Affected Version: versions 2.3.6 and 3.0.5.
Vendor’s URL: Invision Power Board
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Apply the patch.

Original Advisory:
http://community.invisionpower.com/topic/306221-ipboard-236-and-305-security-update/

Cross Site Scripting, Discussion Boards

Drupal CiviRegister Module Script Insertion

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-1.1.
Vendor’s URL: CiviRegister Module
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Update to version 6.x-1.1.

Content Management, Cross Site Scripting

Joomla Camp26 VisitorData Module Shell Command Injection

May 26th, 2010

Application: Joomla
Affected Version: version 1.1 and other versions.
Vendor’s URL: Camp26 VisitorData Module
Bug Type: Command Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Remote Command Execution

CF Image Host File Upload

May 26th, 2010

Application: CF Image Host
Affected Version: version 1.1 and other versions.
Vendor’s URL: CF Image Host
Bug Type: File Upload
Risk Level: Critical

Solution:
Update to version 1.1.1.

File Inclusion

Drupal FileField Module Arbitrary File Upload

May 26th, 2010

Application: Drupal
Affected Version: versions prior to 6.x-3.3.
Vendor’s URL: FileField Module
Bug Type: File Upload
Risk Level: Critical

Solution:
Update to version 6.x-3.3 or later.

Content Management, File Inclusion

Joomla! DJ-Classifieds Component Script Insertion and File Upload

May 26th, 2010

Application: Joomla!
Affected Version: version 0.9.1.
Vendor’s URL: DJ-Classifieds Component
Bug Type: Cross Site Scripting and File Upload
Risk Level: Critical

Solution:
Grant only trusted users access to the affected component.

Content Management, Cross Site Scripting, File Inclusion

Joomla ABC Component “sectionid” SQLi

May 26th, 2010

Application: Joomla
Affected Version: version 1.1.7 and other versions.
Vendor’s URL: ABC Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, SQL Injection