1733 matches found
C-SAM oneWallet forget password Cross Site Scripting vulnerability
An XSS vulnerability is identified in the C-SAM oneWallet web admin interface. The vulnerability exists in the forgot password page. http://myserver:myport/tp/web/oneWallet/user/forgotPassStep2.jsp?loginID=null%22%3e%3cscript%3ealert%22XSS!%22%3c%2fscript%3e Successfully tested with Version 21007062007;1.0...
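Added example (not C-SAM's code): a small reflection check that tells a raw echo of the loginID probe apart from an HTML-escaped one. The probe is the advisory's loginID value with its percent signs restored (an assumption about how the index stripped them); the two page renderers are constructed stand-ins for the vulnerable and fixed JSP.

```python
# Added example, not from the advisory: detect an unescaped reflection of the
# loginID probe. render_vulnerable/render_fixed are constructed stand-ins.
import html
from urllib.parse import unquote

# Assumed reconstruction of the advisory's loginID value.
PROBE_ENCODED = "null%22%3e%3cscript%3ealert%22XSS!%22%3c%2fscript%3e"
PROBE = unquote(PROBE_ENCODED)  # null"><script>alert"XSS!"</script>


def render_vulnerable(login_id: str) -> str:
    """Constructed stand-in for a page that echoes the parameter raw."""
    return f'<input name="loginID" value="{login_id}">'


def render_fixed(login_id: str) -> str:
    """Same page with the value HTML-escaped; quote=True also escapes the
    double quote, which is what lets the probe break out of value="..."."""
    return f'<input name="loginID" value="{html.escape(login_id, quote=True)}">'


def reflects_unescaped(body: str, probe: str) -> bool:
    """True when the probe survives into the response verbatim.
    Requiring the full <script> tag avoids a false positive on an escaped
    echo such as &lt;script&gt;, which the browser will not execute."""
    return "<script>" in body and probe in body


def check(render) -> bool:
    """Send the probe through a renderer and report whether it reflects."""
    return reflects_unescaped(render(PROBE), PROBE)
```

Against a live target the same `reflects_unescaped` call runs over the HTTP response body; the escaped variant is the behaviour the fix must produce.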
CVE-2005-4856
The admin interface in eZ publish 3.5 before 3.5.7, 3.6 before 3.6.5, 3.7 before 3.7.3, and 3.8 before 20051110 does not properly handle authorization errors, which allows remote attackers to obtain sensitive information and see the admin pagelayout and associated templates via a request with 1...
[Full-disclosure] Advanced Guestbook version 2.4.2 Directory Traversal Vulnerability
netVigilance Security Advisory 13 Advanced Guestbook version 2.4.2 Directory Traversal Vulnerability Description: Advanced Guestbook is a PHP-based guestbook script. It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning , html tags handlin...
ag-traverse.txt
netVigilance Security Advisory 13 Advanced Guestbook version 2.4.2 Directory Traversal Vulnerability Description: Advanced Guestbook is a PHP-based guestbook script. It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning , html tags handlin...
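Added example (not Advanced Guestbook's code), covering both copies of the netVigilance traversal advisory above: the containment check a template or upload handler needs so that a user-supplied file name cannot climb out of the guestbook's directory. The base directory and the inputs are constructed for the demo.

```python
# Added example, not from the advisory: confine a user-controlled path to a
# base directory. Base directory and sample inputs are constructed.
import os
import tempfile
from typing import Dict, Optional


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """Return the real path of user_path inside base_dir, or None if it
    escapes. realpath collapses '..' and follows symlinks before the prefix
    test, so a link inside base_dir that points outside is rejected too."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # The os.sep suffix stops /srv/gb from matching /srv/gb-private.
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def demo() -> Dict[str, bool]:
    """Run the check over typical inputs in a throwaway directory and
    report which ones are accepted."""
    inputs = [
        "templates/default.tpl",            # ordinary relative name
        "templates/../templates/x.tpl",     # '..' that stays inside
        "../../../../etc/passwd",           # classic traversal
        "/etc/passwd",                      # absolute path replaces base in join
    ]
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "templates"))
        return {p: resolve_under(base, p) is not None for p in inputs}
```

Note that `os.path.join` silently discards the base when the second argument is absolute, which is why the check is done on the resolved result rather than on the input string.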
Advanced Guestbook version 2.4.2 Multiple Error Information Leak Vulnerabilities
netVigilance Security Advisory 11 Advanced Guestbook version 2.4.2 Multiple Error Information Leak Vulnerabilities Description: Advanced Guestbook is a PHP-based guestbook script. It includes many useful features such as preview, templates, e-mail notification, picture upload, page spanning , htm...
CVE-2007-2001
Multiple direct static code injection vulnerabilities in admin/configurer2.php in Crea-Book 1.0 and earlier allow remote authenticated administrators to execute arbitrary PHP code via the "Fond de la page" background color field and other unspecified fields, which injects into config.inc.php3...
CVE-2007-2000
Multiple SQL injection vulnerabilities in admin/admin.php in Crea-Book 1.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) pseudo or (2) passe parameter...
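Added example (not Crea-Book's code): an admin login that interpolates the pseudo and passe parameters into the query text, as CVE-2007-2000 describes, beside the parameterised form. The table, credentials and bypass string are constructed; SQLite stands in for whatever database the application used.

```python
# Added example, not from the CVE entry: string-built login query beside
# the bound-parameter version. Table and credentials are constructed.
import sqlite3


def _db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (pseudo TEXT, passe TEXT)")
    # Plaintext password only so the demo stays short.
    con.execute("INSERT INTO admins VALUES ('admin', 'correct horse')")
    return con


def login_vulnerable(pseudo: str, passe: str) -> bool:
    """Both parameters land in the SQL text, so a quote in either one
    changes the statement's structure."""
    con = _db()
    sql = (f"SELECT COUNT(*) FROM admins WHERE pseudo = '{pseudo}' "
           f"AND passe = '{passe}'")
    return con.execute(sql).fetchone()[0] > 0


def login_fixed(pseudo: str, passe: str) -> bool:
    """Values are bound; quote characters in the input stay data."""
    con = _db()
    sql = "SELECT COUNT(*) FROM admins WHERE pseudo = ? AND passe = ?"
    return con.execute(sql, (pseudo, passe)).fetchone()[0] > 0


# Constructed bypass: turns "AND passe = ''" into "... OR '1'='1'".
BYPASS = "' OR '1'='1"
```

With `BYPASS` in the passe parameter the vulnerable query becomes `... AND passe = '' OR '1'='1'`, which matches every row regardless of pseudo; the bound version compares the literal string and finds nothing.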
CVE-2007-1622
Cross-site scripting (XSS) vulnerability in wp-admin/vars.php in WordPress before 2.0.10 RC2, and before 2.1.3 RC2 in the 2.1 series, allows remote authenticated users with theme privileges to inject arbitrary web script or HTML via the PATHINFO in the administration interface, related to loose...
Nullsoft ShoutcastServer Persistent XSS - 0day
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +--------------------------------------- - -- - | SaMuschie Research Labs proudly presents . . . +------------------------------------------- -- - - | Application: Nullsoft ShoutcastServer | Version: 1.9.7/Win32 (other versions/platforms not tested) |...
Powerschool 404 Admin Exposure
Powerschool 4.3.6 and possibly other versions expose the admin interface when requesting any file with .js This allows one to see some directory and file names inside the admin folder. POC: http://powerschoolip/admin/.js Product's website does not provide email contact?...
Advanced Poll <= 2.0.5-dev Remote Code Execution Exploit
Exploit for unknown platform in category web applications ======================================================== Advanced Poll <= 2.0.5-dev textfile RCE. date: 30/07/06 PHCKSEC (c) 2001-2006. Hey, what a mad world! use strict; use warnings; use LWP::UserAgent; use MD5; args: http://url/apollpath c...
phplinkdirectory_070121.txt
Smilehouse Oy -= Security Advisory =- Advisory: PHP Link Directory XSS Vulnerability Release Date: 2007/01/21 Last Modified: 2007/01/21 Authors: Jussi Vuokko, CISSP [email protected] Henri Lindberg, Associate of ISC² [email protected] Application: PHP Link Directory = 3.0.6...
CVE-2007-0402
Cross-site scripting (XSS) vulnerability in admin/editmember.php in Easebay Resources Paypal Subscription Manager allows remote attackers to inject arbitrary web script or HTML via the username parameter...
CVE-2006-5515
Cross-site scripting (XSS) vulnerability in lib-history.inc.php in phpAdsNew and phpPgAds before 2.0.8-pr1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to injected data that is stored by a delivery script and displayed by the admin interface...
PT-2006-5910 · Buffalo · Buffalo Terastation Hd-Htgl
Name of the Vulnerable Software and Affected Versions: Buffalo TeraStation HD-HTGL firmware versions prior to 2.05 beta 1 Description: A cross-site request forgery issue exists in the administrative interface, allowing remote attackers to modify configurations or delete arbitrary data...
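Added example (not Buffalo firmware code): the per-session anti-CSRF token that a state-changing admin handler such as a configuration update needs. The server secret, session id and form dictionary are constructed; in a real deployment the secret is generated at install time and the token is embedded in every admin form.

```python
# Added example, not from the advisory: HMAC-based CSRF token bound to the
# session, checked before a configuration change. Secret and session id
# are constructed for the demo.
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret-rotate-me"


def make_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """HMAC the session id so the token is bound to one session and cannot
    be forged without the server-side secret."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str,
                      secret: bytes = SERVER_SECRET) -> bool:
    """Constant-time comparison. A cross-site form cannot read the victim's
    token (same-origin policy), so a forged request arrives without it."""
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, token)


def handle_config_update(session_id: str, form: dict) -> str:
    """State-changing admin handler: refuse the request unless the form
    carries a token that matches the caller's session."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 rejected"
    return "200 config updated"
```

The cookie alone is not enough to authorise the request, which is exactly what a CSRF attack relies on; the token has to come from a page the attacker's site cannot read.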
CVE-2006-4910
The CVE affects Cisco IDS/IPS web administration interfaces. Specifically, Cisco IDS before 4.1(5c) and Cisco IPS before 5.0(6p1) and 5.1 before 5.1(2) are vulnerable to a denial-of-service via a crafted SSLv2 Client Hello that causes the mainApp web management process to become unresponsive. The...
CVE-2006-3830
The Languages selection in the admin interface in Kailash Nadh boastMachine formerly bMachine 3.1 and earlier allows remote authenticated administrators to upload files with arbitrary extensions to the bmc/Inc/Lang directory. NOTE: because the uploaded files cannot be accessed through HTTP, this...
CVE-2006-3826
Multiple cross-site scripting (XSS) vulnerabilities in Kailash Nadh boastMachine formerly bMachine 3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) user_login, (2) full_name, and (3) URL parameters in register.php; and allow remote authenticated administrators to...
CVE-2006-3826
CVE-2006-3826: XSS in Kailash Nadh boastMachine (3.1 and earlier) allows remote injection via register.php parameters (user_login, full_name, URL) and via admin interface parameters (cat_list, key); no exploitation status or patch details are provided in the connected documents.