Archive for May, 2011

Joomla! JE Story submit Component Unspecified File Inclusion

May 26th, 2011

Application: Joomla!
Affected Version: versions prior to 1.8.
Vendor’s URL: JE Story submit Component
Bug Type: File Inclusion
Risk Level: Critical

Solution:
Update to version 1.8.

Content Management, File Inclusion

Joomla! Map Locator “cid” SQL Injection

May 26th, 2011

Application: Joomla!
Affected Version: version 1.0 and other versions.
Vendor’s URL: Map Locator
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, SQL Injection

Tugux CMS Cross-Site Scripting and SQL Injection

May 26th, 2011

Application: Tugux CMS
Affected Version: version 1.2 and other versions.
Vendor’s URL: Tugux CMS
Bug Type: Cross-Site Scripting and SQL Injection
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting, SQL Injection

Joomla! jDownloads Component Arbitrary File Upload

May 26th, 2011

Application: Joomla!
Affected Version: version 1.8.1 and other versions.
Vendor’s URL: Downloads Component
Bug Type: File Upload
Risk Level: Critical

Solution:
Restrict access to the jdownloads directory (e.g. via .htaccess).

Access Bypass, Content Management

Drupal Webform Module Script Insertion

May 26th, 2011

Application: Drupal
Affected Version: version 6.x-2.10 and confirmed in versions 6.x-3.9 and 7.x-3.9.
Vendor’s URL: Webform Module
Bug Type: Script Insertion
Risk Level: Critical

Solution:
Update to a patched version.

Content Management, Cross Site Scripting

WordPress is_human() Plugin “type” Code Injection

May 26th, 2011

Application: WordPress
Affected Version: version 1.4.2.
Vendor’s URL: WordPress is_human() Plugin
Bug Type: Code Injection
Risk Level: Critical

Solution:
Use a different plugin.

Access Bypass, Content Management

PHPCalendar Cross-Site Scripting and Script Insertion

May 26th, 2011

Application: PHPCalendar
Affected Version: version 2.3 and other versions.
Vendor’s URL: PHPCalendar
Bug Type: Cross-Site Scripting and Script Insertion
Risk Level: Critical

Solution:
Edit the source code to ensure that input is properly sanitised.

Content Management, Cross Site Scripting

Joomla! DOCman Component SQL Injection

May 26th, 2011

Application: Joomla!
Affected Version: versions prior to 1.4.2 and 1.5.10.
Vendor’s URL: DOCman Component
Bug Type: SQL Injection
Risk Level: Critical

Solution:
Update to version 1.4.2 or 1.5.10.

Content Management, SQL Injection

WordPress WP-DBManager Plugin Two Vulnerabilities

May 26th, 2011

Application: WordPress
Affected Version: versions prior to 2.61.
Vendor’s URL: WP-DBManager Plugin
Bug Type: Cross-Site Scripting and File Download
Risk Level: Critical

Solution:
Update to version 2.62.

Content Management, Cross Site Scripting

WordPress Arbitrary File Upload

May 26th, 2011

Application: WordPress
Affected Version: version 3.1.2.
Vendor’s URL: WordPress
Bug Type: File Upload
Risk Level: Critical

Solution:
Restrict access to the wp-content/uploads directory (e.g. via .htaccess).

Content Management, File Inclusion