847 matches found
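phpGroupWare Multiple Input Validation Vulnerabilities
BUGTRAQ ID: 35761 CVE ID: CVE-2009-4414,CVE-2009-4415,CVE-2009-4416 phpGroupWare is a multi-user web-based groupware suite written in PHP that provides an API for developing other applications. Multiple components of phpGroupWare contain input validation errors; a remote attacker can submit malicious requests to disclose sensitive information or carry out cross-site scripting or SQL injection attacks. 1 Input passed to the csvfile parameter is not properly validated before being used in addressbook/csvimport.php, which can lead to the contents of arbitrary files on the affected system being read. 2...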
Unfixed XSS vulnerability at prati.ba
Security researcher Ravac submitted a cross-site scripting (XSS) vulnerability affecting prati.ba on 25/10/2009; at the time of submission the site ranked 577552 on the web according to Alexa. We manually validated and published a mirror of this vulnerability on 07/07/2010. It is currently unfixe...
SQL injection
SQL injection vulnerability in the UnbDbEncode function in unblib/database.lib.php in Unclassified NewsBoard UNB 1.6.4 allows remote attackers to execute arbitrary SQL commands via the Query parameter in a search action to forum.php, a different vector than CVE-2005-3686...
CVE-2009-1367
Cross-site scripting (XSS) vulnerability in index.php in moziloCMS 1.11 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search action, a different issue than CVE-2008-6127.2a...
Cross site scripting
Cross-site scripting (XSS) vulnerability in the search feature in XMLPortal 3.0 allows remote attackers to inject arbitrary web script or HTML via the query parameter...
CVE-2008-6600
Cross-site scripting (XSS) vulnerability in the search feature in XMLPortal 3.0 allows remote attackers to inject arbitrary web script or HTML via the query parameter...
CVE-2008-6295
Multiple cross-site scripting (XSS) vulnerabilities in Camera Life 2.6.2b8 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.php and (2) rss.php; the query string after the image name in (3) photos/photo; the path parameter to (4) folder.php; page parameter and...
Code injection
Observer 0.3.2.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the query parameter to (1) whois.php or (2) netcmd.php...
CVE-2008-4318
Observer 0.3.2.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the query parameter to (1) whois.php or (2) netcmd.php...
Cross site scripting
Cross-site scripting (XSS) vulnerability in index.php in PHPizabi before 848 Core HotFix Pack 3 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a blogs.search action...
CVE-2008-2839
Cross-site scripting (XSS) vulnerability in the search module in Traindepot 0.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to index.php...
Cross site scripting
Cross-site scripting (XSS) vulnerability in the search module in Traindepot 0.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to index.php...
Unfixed XSS vulnerability at www.desertluxuryrealty.com
Security researcher mckt submitted a cross-site scripting (XSS) vulnerability affecting www.desertluxuryrealty.com on 06/10/2008; at the time of submission the site ranked 21840023 on the web according to Alexa. We manually validated and published a mirror of this vulnerability on 01/09/2009. It ...
dotCMS search-results.dot search_query Parameter XSS
The remote host is using dotCMS, an open source J2EE / Java web content management system. The version of dotCMS installed on the remote host fails to sanitize input to the 'search_query' parameter of the 'search-results.dot' script before using it to generate dynamic HTML output. An attacker may ...
Cross site scripting
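Cross-site scripting (XSS) vulnerability in searchresults.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is...
Sphider query Parameter Cross-Site Scripting Vulnerability
BUGTRAQ ID: 29074 Sphider is an open-source, PHP-based search engine and web crawler. Sphider supports a search suggestion feature: if the user makes a typo in the search input, the feature returns "Did you mean xyz?". When search suggestions are enabled, Sphider's search.php returns input to the query parameter to the user without properly filtering it, which allows an attacker to carry out cross-site scripting attacks by submitting malicious query requests. Ando Saabas Sphider 1.3.4 Ando Saabas ----------- The vendor has not yet provided a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version:...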
CVE-2008-1953
Cross-site scripting (XSS) vulnerability in the Sitedesigner before 1.1.5 search template in Magnolia Enterprise Edition allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from...
Cross site scripting
Cross-site scripting (XSS) vulnerability in Search.do in ManageEngine Applications Manager 8.x allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information...