Archive for April, 2011

WordPress Universal Post Manager Plugin Cross-Site Scripting and SQL Injection

April 27th, 2011

Application: WordPress
Affected Version: version 1.0.9 and other versions.
Vendor’s URL: Universal Post Manager Plugin
Bug Type: Cross Site Scripting and SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting, SQL Injection

WordPress WP-StarsRateBox Plugin Cross-Site Scripting and SQL Injection

April 27th, 2011

Application: WordPress
Affected Version: version 1.1 and other versions.
Vendor’s URL: WP-StarsRateBox Plugin
Bug Type: Cross-Site Scripting and SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting, SQL Injection

MyBB Information Disclosure and SQL Injection

April 27th, 2011

Application: MyBB
Affected Version: version 1.6.2 and version 1.4.15 and other versions.
Vendor’s URL: MyBB
Bug Type: Information Disclosure and SQL Injection
Risk Level: Critical

Solution:
Update to version 1.6.3 or 1.4.16.

Discussion Boards, Information Disclosure, SQL Injection

Joomla! Multiple Vulnerabilities

April 27th, 2011

Application: Joomla!
Affected Version: version 1.6.0 and 1.6.1 and other versions.
Vendor’s URL: Joomla!
Bug Type: Cross Site Scripting, Security Bypass, SQL Injection
Risk Level: Critical

Solution:
Update to version 1.6.2.

Access Bypass, Content Management, Cross Site Scripting, SQL Injection

EZ-Shop “specialid” SQL Injection

April 27th, 2011

Application: EZ-Shop
Affected Version: version 1.0.2 and other versions.
Vendor’s URL: EZ-Shop
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

E-Commerce, SQL Injection

PHP Album Multiple Vulnerabilities

April 27th, 2011

Application: PHP Album
Affected Version: version 0.4.1.14.fix06 and other versions.
Vendor’s URL: PHP Album
Bug Type: Cross Site Scripting and System Access
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised. Do not browse untrusted sites or follow untrusted links while logged in to the application.

Access Bypass, Cross Site Scripting, Image Galleries

TinyBB “post” SQL Injection

April 27th, 2011

Application: TinyBB
Affected Version: version 1.4 released before April 11th 2011.
Vendor’s URL: TinyBB
Bug Type: SQL Injection
Risk Level: Critical

Solution:
The vendor has released an updated version 1.4 on April 11th, 2011, which fixes the vulnerability.

Discussion Boards, SQL Injection

vBulletin Search UI Unspecified SQL Injection

April 27th, 2011

Application: vBulletin
Affected Version: all versions of vBulletin 4.X
Vendor’s URL: vBulletin
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Upgrade to the latest patch.

Content Management, SQL Injection

WordPress Cross-Site Scripting and Denial of Service

April 27th, 2011

Application: WordPress
Affected Version: versions prior to 3.1.1.
Vendor’s URL: WordPress
Bug Type: Cross-Site Scripting and Denial of Service
Risk Level: Critical

Solution:
Update to version 3.1.1.

Content Management, Cross Site Scripting, Denial Of Service

Joomla! FLEXIcontent Component Insecure Permissions and Command Injection

April 27th, 2011

Application: Joomla!
Affected Version: versions prior to 1.5.
Vendor’s URL: FLEXIcontent Component
Bug Type: Insecure Permissions and Command Injection
Risk Level:

Solution:
Update to version 1.5.

Content Management, Remote Command Execution

WordPress WP Custom Pages “url” File Disclosure

April 27th, 2011

Application: WordPress
Affected Version: version 0.5.0.1 and other versions.
Vendor’s URL: WP Custom Pages
Bug Type: File Disclosure
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly verified.

Content Management, Information Disclosure

Joomla! Joomanager Component Unspecified SQL Injection

April 27th, 2011

Application: Joomla!
Affected Version: versions prior to 1.3.
Vendor’s URL: Joomanager Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 1.3.

Content Management, SQL Injection