Archive for December, 2010

WordPress KSES Library Script Insertion

December 30th, 2010

Application: WordPress
Affected Version: versions prior to 3.0.4
Vendor’s URL: WordPress KSES Library
Bug Type: Cross Site Scripting
Risk Level: Medium

Solution:
Update to version 3.0.4.

Content Management, Cross Site Scripting

CubeCart Cross-Site Request Forgery

December 30th, 2010

Application: CubeCart
Affected Version: version 4.4.3 and other versions
Vendor’s URL: CubeCart
Bug Type: Cross-Site Request Forgery
Risk Level: Critical

Solution:
Do not browse untrusted websites while logged in to the application.

Cross Site Scripting, E-Commerce

WordPress Accept Signups Plugin “email” Script Insertion

December 30th, 2010

Application: WordPress
Affected Version: version 0.1 and other versions
Vendor’s URL: Accept Signups Plugin
Bug Type: Cross Site Scripting
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting

Joomla! JE Auto Component “view” Local File Inclusion

December 30th, 2010

Application: Joomla!
Affected Version: version 1.1 and other versions
Vendor’s URL: JE Auto Component
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Update to version 1.2.

Content Management, File Inclusion

MH Products Easy Online Shop “kat” SQL Injection

December 30th, 2010

Application: MH Products Easy Online Shop
Affected Version:
Vendor’s URL: MH Products Easy Online Shop
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Filter malicious characters or character sequences via a proxy.

E-Commerce, SQL Injection

Joomla! JRadio Component Local File Inclusion and SQL Injection

December 30th, 2010

Application: Joomla!
Affected Version: version 1.5.0 and other versions
Vendor’s URL: -
Bug Type: File Inclusion and SQL Injection
Risk Level: Critical

Solution:
Update to version 1.5.1.

Content Management, File Inclusion, SQL Injection

Joomla JE Auto Component SQL Injection

December 30th, 2010

Application: Joomla
Affected Version: versions prior to 1.1
Vendor’s URL: JE Auto Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 1.1.

Content Management, SQL Injection

Joomla! Billy Portfolio Component “catid” SQL Injection

December 30th, 2010

Application: Joomla!
Affected Version: version 1.1 and other versions
Vendor’s URL: Billy Portfolio Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, SQL Injection

Joomla JE Messenger Component Arbitrary File Upload Security Issue

December 30th, 2010

Application: Joomla
Affected Version: version 1.0 and other versions
Vendor’s URL: JE Messenger Component
Bug Type: File Upload
Risk Level: Critical

Solution:
Restrict access to the “Compose Mail” page to trusted users only.

Content Management, File Inclusion

Exponent CMS “module” Local File Inclusion

December 30th, 2010

Application: Exponent CMS
Affected Version: version 2.0.0pr2 and other versions
Vendor’s URL: Exponent CMS
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

Content Management, File Inclusion

Ecommercemax Solutions Digital-goods seller (DGS) “d” SQL Injection

December 30th, 2010

Application: Ecommercemax Solutions Digital-goods seller (DGS)
Affected Version:
Vendor’s URL: Ecommercemax Solutions Digital-goods seller (DGS)
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

E-Commerce, SQL Injection

Pulse CMS “p” Local File Inclusion

December 30th, 2010

Application: Pulse CMS
Affected Version: version 1.2.8 and prior to this version
Vendor’s URL: Pulse CMS
Bug Type: Local File Inclusion
Risk Level: Critical

Solution:
Update to version 1.2.9.

Content Management, File Inclusion

Joomla! sh404SEF Component Multiple Vulnerabilities

December 30th, 2010

Application: Joomla!
Affected Version: versions prior to 2.1.8.777
Vendor’s URL: sh404SEF Component
Bug Type: Cross Site Scripting and SQL Injection
Risk Level: Critical

Solution:
Update to 2.1.8.777 or later.

Content Management, Cross Site Scripting, SQL Injection

WordPress SQL Injection

December 30th, 2010

Application: WordPress
Affected Version: versions prior to 3.0.2
Vendor’s URL: WordPress
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 3.0.2.

Content Management, SQL Injection

Enano CMS “email” SQL Injection

December 30th, 2010

Application: Enano CMS
Affected Version: version 1.0.6pl2
Vendor’s URL: Enano CMS
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 1.0.6pl3.

Content Management, SQL Injection