2970 matches found
CVE-2006-3494
CVE-2006-3494 affects Buddy Zone 1.0.1 and is described in multiple sources as cross-site scripting (XSS) vulnerabilities. The affected functionality involves user-supplied parameters that can be manipulated to inject arbitrary HTML/script: (1) cat_id in view_classifieds.php; (2) id in view_ad.ph...
CVE-2006-3429
CVE-2006-3429 describes a cross‑site scripting (XSS) vulnerability in TigerTom TTCalc 1.0. The flaw allows remote attackers to inject arbitrary web script or HTML through the currency parameter in the pages loan.php and mortgage.php. The affected component is TTCalc’s web interface; the root caus...
CVE-2006-3388
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the table parameter...
CVE-2006-3305
CVE-2006-3305 affects UebiMiau Webmail versions 2.7.10, 2.7.2 and earlier, with multiple XSS via parameters f_user (index.php), pag (messages.php), and lid, tid, sid (error.php). The vulnerability allows remote injection of arbitrary script/HTML. The connected documents do not provide exploit det...
CVE-2006-3029
This CVE (CVE-2006-3029) concerns a Cross-site scripting (XSS) vulnerability in ClickTech Clickcart 6.0 and earlier, exploitable via the cat parameter in default.asp. The affected app/function is default.asp of Clickcart; the underlying issue is input handling that allows injection of arbitrary s...
CVE-2006-2846
Cross-site scripting (XSS) vulnerability in Print.PHP in VisionGate Portal System allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information...
CVE-2006-2850
The CVE-2006-2850 entry concerns a cross-site scripting (XSS) vulnerability in recentchanges.php of PHP Labware LabWiki 1.0 and earlier. The flaw allows remote attackers to inject arbitrary web script or HTML via the help parameter. Affected software is LabWiki (Labware) versions up to 1.0, with ...
CVE-2006-2785
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 1.5.0.4 allows user-assisted remote attackers to inject arbitrary web script or HTML by tricking a user into (1) performing a "View Image" on a broken image in which the SRC attribute contains a Javascript URL, or (2) selecting "Show on...
FreeBSD : postnuke -- multiple vulnerabilities (0274a9f1-0759-11da-bc08-0001020eed82)
Postnuke Security Announcements reports the following vulnerabilities: - missing input validation within /modules/Messages/readpmsg.php - possible path disclosure within /user.php - possible path disclosure within /modules/News/article.php - possible remote code injection within...
CVE-2006-2243
Multiple cross-site scripting (XSS) vulnerabilities in Web4Future News Portal allow remote attackers to inject arbitrary web script or HTML via the ID parameter to (1) comentarii.php or (2) view.php. NOTE: this issue might be resultant from SQL injection...
CVE-2006-2258
The CVE-2006-2258 entry describes a Cross-site scripting (XSS) vulnerability in Logon.asp of MaxxSchedule 1.0, exploitable via the Error parameter to inject arbitrary script/HTML. The issue affects the Logon.asp component of MaxxSchedule 1.0 and arises from improper handling of the Error paramete...
CVE-2006-2178
CVE-2006-2178 affects CyberBuild with multiple cross-site scripting (XSS) vulnerabilities. The affected components are the login.asp page (SessionID parameter), browse0.htm (ProductIndex parameter), and result.asp (rowcolor and heading parameters). The description notes that vectors 1 and 2 may b...
CVE-2006-1908
Cross-site scripting vulnerability in addevent.php in myEvent 1.x allows remote attackers to inject arbitrary web script or HTML via the eventdesc parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information...
CVE-2006-1910
This CVE affects S9Y Serendipity 1.0 beta 2, where config.php values stored by the application can be edited to inject and later execute arbitrary PHP code. The underlying issue is PHP code execution triggered by manipulated config.php content, enabling remote code execution with likely impact to...
CVE-2006-1910
config.php in S9Y Serendipity 1.0 beta 2 allows remote attackers to inject arbitrary PHP code by editing values that are stored in config.php and later executed. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information...
CVE-2006-1841
Cross-site scripting (XSS) vulnerability in search.php in boastMachine bMachine 2.7, and possibly other versions before 2.9b, allows remote attackers to inject arbitrary web script or HTML via the key parameter, as used by the search field...
pajax-0.5.1.txt
Advisory: PAJAX Remote Code Injection and File Inclusion Vulnerability RedTeam has identified two security flaws in PAJAX. It is possible to execute arbitrary PHP code from unchecked user input. Additionally, it is possible to include arbitrary files on the server ending in ".class.php". Details...
CVE-2005-4780
Cross-site scripting (XSS) vulnerability in Fidra Lighthouse CMS 1.1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in a querystring to the home page. NOTE: The vendor disputes this issue, saying "Lighthouse does not in any way make use of the...
[Full-disclosure] PAJAX Remote Code Injection and File Inclusion Vulnerability
Advisory: PAJAX Remote Code Injection and File Inclusion Vulnerability RedTeam has identified two security flaws in PAJAX. It is possible to execute arbitrary PHP code from unchecked user input. Additionally, it is possible to include arbitrary files on the server ending in ".class.php". Details...
Cross site scripting
Multiple cross-site scripting (XSS) vulnerabilities in Advanced Poll 2.02 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to comments.php or (2) pollid parameter to page.php. NOTE: it is possible that this issue is resultant from CVE-2006-1616...