Application: php Help Agent
Affected Version: version 1.1 Full and other versions.
Vendor’s URL: php Help Agent
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.
File Inclusion
Application: Drupal
Affected Version: prior to 5.x-1.2.
Vendor’s URL: Drupal OpenID Module
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to version 5.x-1.2.
http://drupal.org/node/280593
Content Management, Cross Site Scripting
Application: Drupal
Affected Version: version 5.x and 6.x.
Vendor’s URL: Drupal
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution:
Update to the latest versions or apply patch for version 5.7 or 6.2.
Drupal 5.x:
Update to version 5.8.
http://ftp.drupal.org/files/projects/drupal-5.8.tar.gz
Drupal 6.x:
Update to version 6.3.
http://ftp.drupal.org/files/projects/drupal-6.3.tar.gz
Drupal 5.7:
Apply patch.
http://drupal.org/files/sa-2008-044/SA-2008-044-5.7.patch
Drupal 6.2:
Apply patch.
http://drupal.org/files/sa-2008-044/SA-2008-044-6.2.patch
Content Management, Cross Site Scripting
Application: vbDrupal
Affected Version:
Vendor’s URL: vbDrupal
Bug Type: SQL Injection and Cross Site Scripting
Risk Level: Critical
Solution:
Update to version 5.8.0.
Content Management, Cross Site Scripting, Session Hijacking, SQL Injection
Application: PHP-Nuke
Affected Version: version 0.91.
Vendor’s URL: PHP-Nuke 4ndvddb Module
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Content Management, SQL Injection
Application: Joomla
Affected Version:
Vendor’s URL: Joomla Brightcode Weblinks Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Content Management, SQL Injection
Application: Joomla
Affected Version: prior to 1.5.4.
Vendor’s URL: Joomla
Bug Type: Security Bypass
Risk Level: Critical
Solution:
Update to version 1.5.4.
http://joomlacode.org/gf/project/joom…ReleaseBrowse&frs_package_id=3786
Access Bypass, Content Management
Application: vBulletin
Affected Version: version 3.7.2 and 3.6.10 PL2.
Vendor’s URL: vBulletin
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution:
Update to version 3.7.2 PL1 or 3.6.10 PL3.
Cross Site Scripting, Discussion Boards
Application: Dolphin
Affected Version: version 6.1.2 and other versions.
Vendor’s URL: Dolphin
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.
File Inclusion
Application: Moodle
Affected Version: prior to 1.8.5.
Vendor’s URL: Moodle KSES
Bug Type: Security Bypass
Risk Level: Medium
Solution:
Update to version 1.8.5 or upgrade to version 1.9.
The vendor recommends using the option “Use HTML Purifier” in version 1.9.
Access Bypass, Content Management
Application: Drupal
Affected Version: prior to 5.x-1.8.
Vendor’s URL: Drupal Taxonomy Autotagger
Bug Type: SQL Injection and Cross Site Scripting
Risk Level: Critical
Solution:
Update to version 5.x-1.8.
http://drupal.org/node/277684
Content Management, Cross Site Scripting, SQL Injection
Application: Drupal
Affected Version: prior to 5.x-1.10-1.
Vendor’s URL: Drupal Tinytax taxonomy block
Bug Type: Cross Site Scripting
Risk Level: Medium
Solution:
Update to version 5.x-1.10-1.
http://drupal.org/node/277682
Content Management, Cross Site Scripting
Application: Drupal
Affected Version: prior to 5.x-7.3 and 6.x-1.0-RC1.
Vendor’s URL: Drupal Organic groups
Bug Type: Information Disclosure and Script Insertion
Risk Level: Medium
Solution:
Update to the fixed versions.
5.x-7.3:
http://drupal.org/node/277854
6.x-1.0-RC1:
http://drupal.org/node/277869
Content Management, Information Disclosure
Application: emuCMS
Affected Version: version 0.3 and other versions.
Vendor’s URL: emuCMS
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Restrict access to the “admin/fckeditor/editor/filemanager/upload/php/upload.php” script (e.g. with “.htaccess”).
Content Management, SQL Injection
Application: Joomla
Affected Version: version 1.0 and other versions.
Vendor’s URL: Joomla EXP Shop Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Content Management, SQL Injection
Application: FubarForum
Affected Version: version 1.5 and prior versions.
Vendor’s URL: FubarForum
Bug Type: Local File Inclusion
Risk Level: Critical
Solution:
Update to version 1.6.
Discussion Boards, File Inclusion
Application: CiBlog
Affected Version: version 3.1 and other versions.
Vendor’s URL: CiBlog
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Blogs, SQL Injection
Application: Joomla
Affected Version: version 1.2.0 SP1 and other versions.
Vendor’s URL: Joomla nBill Component
Bug Type: SQL Injection
Risk Level: Critical
Solution:
Apply patch.
http://www.nbill.co.uk/forum-smf/index.php/topic,716.0.html
Content Management, SQL Injection
Application: Drupal
Affected Version: prior to 5.x-1.2.
Vendor’s URL: Drupal Suggested Terms Module
Bug Type: Script Insertion
Risk Level: Medium
Solution:
Update to version 5.x-1.2.
Content Management, Cross Site Scripting
Application: OpenCart
Affected Version: version 0.7.7 and other versions.
Vendor’s URL: OpenCart
Bug Type: Script Insertion and Cross Site Scripting
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitized.
Cross Site Scripting, E-Commerce