Application: WordPress
Affected Version: version 4.3.1 and other versions.
Vendor’s URL: Simple:Press Plugin
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
Content Management, SQL Injection
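Several of the advisories on this page give the same remedy, "edit the source code to ensure that input is properly sanitised", without saying what that means in practice. The following is an added illustration, not code from Simple:Press or any other plugin listed here: a hypothetical WordPress plugin function with the injectable pattern and the corrected version side by side. The table name (`{$wpdb->prefix}forum_posts`), the request parameters (`topic`, `author`) and the function names are assumptions for the example; it needs the WordPress runtime (`$wpdb`, `absint`, `sanitize_text_field`, `esc_html`) to run.

```php
<?php
// Added example, not from any plugin on this page. Assumed: a plugin table
// {$wpdb->prefix}forum_posts with columns id, topic_id, author, body, and
// request parameters 'topic' (integer) and 'author' (free text).

// VULNERABLE: request values are concatenated straight into the SQL string.
// A request such as ?topic=1 UNION SELECT user_login,user_pass FROM wp_users--
// turns the listing into a dump of the users table. The body is also echoed
// unescaped, so anything injected into the table comes back as stored XSS.
function example_vulnerable_posts() {
    global $wpdb;
    $topic  = $_GET['topic'];
    $author = $_GET['author'];
    $sql = "SELECT id, body FROM {$wpdb->prefix}forum_posts"
         . " WHERE topic_id = $topic AND author = '$author'";
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        echo "<div class=\"post\">{$row->body}</div>";
    }
}

// FIXED: coerce the integer up front, bind every request value through
// $wpdb->prepare() (%d for integers, %s for strings; %s is quoted for you),
// and escape on output so stored content cannot break out of the HTML.
function example_safe_posts() {
    global $wpdb;
    $topic  = isset( $_GET['topic'] ) ? absint( $_GET['topic'] ) : 0;
    $author = isset( $_GET['author'] )
        ? sanitize_text_field( wp_unslash( $_GET['author'] ) )
        : '';
    if ( 0 === $topic ) {
        return; // nothing sensible to query without a valid topic id
    }
    $sql = $wpdb->prepare(
        "SELECT id, body FROM {$wpdb->prefix}forum_posts WHERE topic_id = %d AND author = %s",
        $topic,
        $author
    );
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        printf(
            '<div class="post" id="post-%d">%s</div>',
            (int) $row->id,
            esc_html( $row->body )
        );
    }
}
```

The point of the fix is that the data never becomes part of the SQL text: `$wpdb->prepare()` handles quoting and escaping, and `absint()` guarantees the numeric parameter is a number before it is ever used. Blacklisting characters such as the single quote, which is what "sanitising" is often taken to mean, is not a substitute. The same rule applies to the Joomla, osCommerce and other PHP entries below (Joomla's database object offers `quote()` and integer casts for the same purpose), and to any framework with parameterised queries.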
Application: WordPress
Affected Version: Version 2.62 and other versions
Vendor’s URL: WP-UserOnline Plugin
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to version 2.70 or later.
Content Management, Cross Site Scripting
Application: Joomla
Affected Version: version 1.5 and other versions.
Vendor’s URL: BookLibrary From Same Author Module
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Update to version 1.5_2010_06_25.
Content Management, SQL Injection
Application: phpaaCMS
Affected Version: version 0.3.1 UTF-8 and other versions
Vendor’s URL: phpaaCMS
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
Content Management, SQL Injection
Application: Joomla
Affected Version: version 2.0.2 and other versions
Vendor’s URL: JoomDOC Component
Bug Type: File Disclosure
Risk Level: Medium
Solution:
Grant the "upload" and "edit" permissions to trusted users only.
Content Management, Information Disclosure
Application: Joomla
Affected Version: version 1.3.4 and other versions
Vendor’s URL: CKForms Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised. Change the "Uploaded files path" setting to a directory outside of the web root, so that uploaded files cannot be requested directly from the web server.
Content Management, SQL Injection
Application: Joomla
Affected Version: version 1.5.3 Basic and other versions.
Vendor’s URL: BookLibrary Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Update to version 1.5.3_2010_06_20.
Content Management, SQL Injection
Application: Bigforum
Affected Version: version 5.2 and other versions.
Vendor’s URL: Bigforum
Bug Type: SQL Injection and Arbitrary File Upload
Risk Level:
Solution:
Edit the source code to ensure that input is properly sanitised. Restrict access to the "images/avatar/" directory (e.g. via .htaccess), denying direct requests to it and disabling script execution within it, so that an uploaded file cannot be executed by requesting it.
Discussion Boards, File Inclusion, SQL Injection
Application: Joomla
Affected Version: version 1.5.0 and other versions.
Vendor’s URL: E-portfolio Component
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.
Content Management, File Inclusion
Application: Ultimate PHP Board
Affected Version: version 2.2.6 and other versions.
Vendor’s URL: Ultimate PHP Board
Bug Type: Security Bypass and File Disclosure
Risk Level: Medium
Solution:
Restrict access to the admin_restore.php script (e.g. via .htaccess). Edit the source code to ensure that input is properly verified.
Access Bypass, Discussion Boards, Information Disclosure
Application: Joomla
Affected Version: version 1.2 and other versions.
Vendor’s URL: JFaq Component
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Edit the source code to ensure that input is properly sanitised.
Content Management, Cross Site Scripting
Application: Moodle
Affected Version:
Vendor’s URL: Moodle
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to version 1.8.13 or 1.9.9 or apply patches (see vendor’s advisories for details).
Content Management, Cross Site Scripting
Application: Drupal
Affected Version: versions prior to 6.x-1.2.
Vendor’s URL: Ubercart MIGS Module
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to version 6.x-1.2 or later.
Access Bypass, Content Management
Application: Drupal
Affected Version: versions prior to 5.x-1.6 and 6.x-1.5.
Vendor’s URL: Ogone | Ubercart Module
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to version 5.x-1.6 or later, or 6.x-1.5 or later.
Access Bypass, Content Management
Application: CubeCart
Affected Version: CubeCart 4.3.9 and other versions.
Vendor’s URL: CubeCart
Bug Type: SQL Injection
Risk Level:
Solution:
Update to CubeCart 4.4.0 or greater.
E-Commerce, SQL Injection
Application: Joomla
Affected Version: version 1.0 and other versions.
Vendor’s URL: My Car Component
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
Content Management, Cross Site Scripting
Application: Joomla
Affected Version: version 1.3.0 and other versions
Vendor’s URL: BF Quiz Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Update to version 1.3.1.
Content Management, SQL Injection
Application: osCommerce
Affected Version: version 3.2.1 and other versions.
Vendor’s URL: Visitor Web Stats Module
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
E-Commerce, SQL Injection
Application: MultiShop CMS
Affected Version:
Vendor’s URL: MultiShop CMS
Bug Type: SQL Injection
Risk Level: Critical
Solution:
No vendor update is listed; as a mitigation, filter malicious characters and character sequences in requests using a filtering proxy or web application firewall placed in front of the application.
Content Management, SQL Injection
Application: Drupal
Affected Version: versions prior to 6.x-1.2.
Vendor’s URL: AddonChat Module
Bug Type: Security Bypass and Cross Site Scripting
Risk Level: Critical
Solution:
Update to version 6.x-1.2.
Access Bypass, Content Management, Cross Site Scripting