31 matches found
EUVD-2002-0574
Malware in sbrugna...
EUVD-2002-0579
Malware in sbrugna...
EUVD-2002-0576
Malware in sbrugna...
EUVD-2002-0483
Malware in sbrugna...
WorkforceROI Xpede 4.1/7.0 Weak Password Encryption Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/4344/info An issue has been reported in Xpede, which could lead to a compromise of user authentication information. Reportedly, Xpede cookies containing username and password data is stored using a weak encryption method...
CVE-2002-0487
Intellisol Xpede 4.1 stores passwords in plaintext in a Javascript "session timeout" re-authentication capability, which could allow local users with access to gain privileges of other Xpede users by reading the password from the source file, e.g. from the browser's cache...
CVE-2002-0486
Intellisol Xpede 4.1 uses weak encryption to store authentication information in cookies, which could allow local users with access to the cookies to gain privileges...
CVE-2002-0579
WorkforceROI Xpede 4.1 allows remote attackers to gain privileges as an Xpede administrator via a direct HTTP request to the /admin/adminproc.asp script, which does not prompt for a password...
CVE-2002-0583
WorkforceROI Xpede 4.1 uses a small random namespace 5 alphanumeric characters for temporary expense claim reports in the /reports/temp directory, which allows remote attackers to read the reports via a brute force attack...
CVE-2002-0584
WorkforceROI Xpede 4.1 allows remote attackers to read user timesheets by modifying the TSN ID parameter to the tsappprocess.asp script, which is easily guessable because it is incremented by 1 for each new timesheet...
CVE-2002-0581
WorkforceROI Xpede 4.1 allows remote attackers to execute arbitrary SQL commands and read, modify, or steal credentials from the database via the Qry parameter in the sprc.asp script...
CVE-2002-0580
WorkforceROI Xpede 4.1 allows remote attackers to obtain the database username via a request to datasource.asp, which leaks the username in a form and allows the attacker to more easily conduct brute force password guessing attacks...
CVE-2002-0582
WorkforceROI Xpede 4.1 stores temporary expense claim reports in a world-readable and indexable /reports/temp directory, which allows remote attackers to read the reports by accessing the directory...
CVE-2002-0583
WorkforceROI Xpede 4.1 uses a small random namespace 5 alphanumeric characters for temporary expense claim reports in the /reports/temp directory, which allows remote attackers to read the reports via a brute force attack...
CVE-2002-0580
The CVE-2002-0580 entry concerns WorkforceROI Xpede 4.1. The provided materials indicate that remote attackers can obtain the database username by requesting datasource.asp, which leaks the username in a form. This exposure can facilitate easier brute-force password guessing attacks against the d...
CVE-2002-0581
The CVE-2002-0581 entry concerns WorkforceROI Xpede 4.1. The vulnerability is a SQL injection in the sprc.asp script, exploited via the Qry parameter, allowing remote attackers to execute arbitrary SQL commands and read, modify, or steal credentials from the database. Root cause: unsafely concate...
CVE-2002-0582
WorkforceROI Xpede 4.1 stores temporary expense claim reports in a world-readable and indexable /reports/temp directory, which allows remote attackers to read the reports by accessing the directory...
CVE-2002-0582
CVE-2002-0582 affects WorkforceROI Xpede 4.1. The vulnerability stems from storing temporary expense claim reports in a world-readable and indexable /reports/temp directory, enabling remote readers to access the reports. The NVD entry lists a CVSS v2 base score of 5.0 (Medium) with network attack...
CVE-2002-0579
WorkforceROI Xpede 4.1 allows remote attackers to gain privileges as an Xpede administrator via a direct HTTP request to the /admin/adminproc.asp script, which does not prompt for a password...
CVE-2002-0584
The CVE-2002-0584 entry concerns WorkforceROI Xpede 4.1. The vulnerability allows remote attackers to read user timesheets by tampering with the TSN ID parameter in the ts_app_process.asp script. The TSN ID is easily guessable because it is incremented by 1 for each new timesheet, enabling an att...