6 matches found
CVE-2009-2618
CVE-2009-2618 is an SQL injection vulnerability in the MDPro Surveys Module (MDPro) 1.083.x. The issue allows remote attackers to execute arbitrary SQL commands via the pollID parameter in a results action to modules.php. OpenVAS entries corroborate the MDPro SQLi vulnerability in this module and pro...
CVE-2007-3938
The CVE-2007-3938 entry concerns MAXdev MDPro (MD-Pro) prior to version 1.0.8x (before 20070720) where the index.php topicid parameter in the Topics module is not properly sanitized. The flaw allows an unauthenticated remote attacker to influence SQL queries executed by topics_userapi.php, potent...
CVE-2007-0623
The CVE-2007-0623 entry documents an SQL injection vulnerability in the MAXdev MDPro product, specifically in index.php (version 1.0.76). The root cause is improper handling of the startrow parameter, allowing remote attackers to execute arbitrary SQL commands. The vulnerability affects the web a...
CVE-2007-5222
CVE-2007-5222 is an SQL injection vulnerability in MAXdev MDPro (MD-Pro) 1.0.76 via a Referer header containing the substring "Firefox ID=", enabling remote attackers to inject arbitrary SQL. The affected component is index.php; the root cause is crafted input in the Referer header. Impact is partial disc...
CVE-2006-7112
MD-Pro before 1.0.77 (MD-Pro 1.0.76 and earlier) contains a directory traversal vulnerability in error.php exploitable via the PNSVlang cookie. Remote authenticated users can read and include arbitrary files by uploading a GIF via AddDownload or injecting PHP into a log file, then accessing it. T...
CVE-2007-0624
The CVE-2007-0624 issue affects MAXdev MDPro 1.0.76 (user.php) where the uname parameter in a userinfo operation can be crafted to reveal the server’s full filesystem path by injecting a quote character and possibly other invalid values. The vulnerability could enable information disclosure (part...