Monday February 16, 2022
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XMB Forums Multiple Vulnerabilities
  3 Mambo Multiple Vulnerabilities
  4 MySQL Eventum Multiple Vulnerabilities
  5 Multiple Invision Power Board Vulnerabilities
  6 Geeklog Remote Code Execution
  7 Gallery 2 Multiple Vulnerabilities
  8 RunCMS Multiple Vulnerabilities
  9 Kayako LiveResponse Multiple Vulnerabilities
10 phpRPC Library Remote Code Execution
Need Secure Web Apps?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Research Services About Contact
1 2 3 - Next Results per-page: 5 | 10 | 20 | 50
Results 1 - 50 of 125 Page 1 of 3
Title WebSVN <= 2.0 Multiple Vulnerabilities
Info WebSVN is an online SVN repository viewer. The description taken from the project website reads "WebSVN offers a view onto your subversion repositories that's been designed to reflect the Subversion methodology. You can view the log of any file or directory and see a list of all the files changed, added or deleted in any given revision. You can also view the differences between 2 versions of a file so as to see exactly what was changed in a particular revision." Unfortunately there are a several issues in WebSVN may allow for an attacker to conduct cross site scripting attacks, and create arbitrary files. There is also a code execution issue in the v1 branch.
Date October 20, 2021
BID Not Available  
Credit James Bercegay
Title AEF Forum <= 1.0.6 Remote Code Execution
Info Advanced Electron Forum also known as AEF Forum is a full featured online forum system written in php that allows webmasters and site owners to host their own discussion forums within their website. The Advanced Electron Forum software comes bundled with the popular MKPortal package, but is also available as a free stand alone forum. Unfortunately there are multiple remote code execution issues within AEF that allow for an attacker to execute arbitrary php code with privileges of the affected webserver. This is due to the improper handling of evaluated bbcode within AEF Forum. Users should upgrade their forums as soon as possible.
Date September 20, 2021
BID Not Available  
Credit James Bercegay
Title UBB.threads <= 7.3.1 SQL Injection
Info UBB.threads is a popular online forum system written in php that allows webmasters and site owners to host their own discussion forums within their website. Unfortunately UBB.threads is vulnerable to an SQL Injection in it's search functionality that may allow for an attacker to execute arbitrary SQL queries on the underlying database. An updated version of UBB.threads has been released to address this issue and users should upgrade as soon as possible.
Date September 8, 2021
BID Not Available  
Credit James Bercegay
Title Zen Cart <= 1.3.8a SQL Injection
Info Zen Cart is a full featured open source ecommerce web application written in php that allows users to build, run and promote their own online store. Unfortunately there are multiple SQL Injection issues in Zen Cart that may allow an attacker to execute arbitrary SQL queries on the underlying database. This may allow for an attacker to gather username and password information, among other things. An updated version of Zen Cart has been released to address these issues and users are encouraged to upgrade as soon as possible.
Date September 4, 2021
BID Not Available  
Credit James Bercegay
Title CS-Cart <= 1.3.5 SQL Injection
Info CS-Cart Cart is a full featured online ecommerce application written in php that allows users to build, run and promote an online store. There is unfortunately a fairly serious SQL Injection issue within CS-Cart that can be used to easily take over user and administrator accounts, as well as used to retrieve arbitrary data from the database. The CS-Cart team have released an updated version of CS-Cart to resolve this issue, and users should upgrade as soon as possible.
Date September 2, 2021
BID Not Available  
Credit James Bercegay
Title Crafty Syntax Live Help <= 2.14.6 SQL Injection
Info Crafty Syntax Live Help is a full featured, open source, online support system written in php that allows the visitors of a website to interact in real time with the site owners. There is a couple of high risk SQL Injections in Crafty Syntax Live Help that allows for an attacker to read arbitrary database contents such as user credentials, or administrator credentials. An updated version of Crafty Syntax Live Help is now available and users should upgrade as soon as possible.
Date August 25, 2021
BID Not Available  
Credit James Bercegay
Title Vanilla <= 1.1.4 Input Validation Vulnerabilities
Info Vanilla is an open-source, standards-compliant, multi-lingual, fully extensible web based discussion forum. Unfortunately there are a couple of issues within Vanilla that allow for a malicious user to steal client based credentials such as cookies. These issues include both script injection and cross site scripting. An updated version of Vanilla has been released and users should upgrade their Vanilla installation as soon as possible.
Date August 19, 2021
BID Not Available  
Credit James Bercegay
Title SunShop <= 4.1.4 SQL Injection
Info SunShop shopping cart is a full featured ecommerce solution written in php that allows for web masters to run their own online ecommerce operation. Unfortunately there are a number of SQL Injection issues in SunShop that allow for an attacker to have arbitrary access to the SunShop database where they can access information such as customer and administrator details. An updated version of SunShop has been released to address these issues, and users should upgrade soon.
Date August 18, 2021
BID Not Available  
Credit James Bercegay
Title PHP Live Helper Multiple Vulnerabilities
Info PHP Live Helper is an online support system written in php that allows the visitors of a website to interact in real time with the site owners. There are a number of issues in PHP Live Helper that allow for several different attacks such as SQL Injection, Variable Overwriting, and remote code execution. The issues require no authentication to exploit, and users are encouraged to upgrade as soon as possible.
Date August 16, 2021
BID Not Available  
Credit James Bercegay
Title Kayako SupportSuite <= 3.20.02 Multiple Vulnerabilities
Info Kayako SupportSuite is a very popular online eSupport application that consists of several well known Kayako products such as Kayako LiveResponse and Kayako eSupport. Unfortunately there are several security issues in Kayako SupportSuite that may allow for an attacker to gain access to a staff account and then escalate their privileges to administrator. These issues include Cross Site Scripting, Script Injection, and SQL Injection. All of these issues are resolved in Kayako SupportSuite 3.30 and users should upgrade as soon as possible.
Date August 9, 2021
BID Not Available  
Credit James Bercegay
Title e107 <= 0.7.11 Arbitrary Variable Overwriting
Info e107 is a popular full featured content management system written in php. Unfortunately e107 suffers from an arbitrary variable overwriting issue within it's download.php file that allows a number of possible attacks to happen including, but possibly not limited to, arbitrary php code execution and SQL Injection. No authentication is required to exploit the issue and it can be exploited regardless of php magic quotes settings. All users are encouraged to upgrade their e107 installations as soon as possible.
Date August 7, 2021
BID Not Available  
Credit James Bercegay
Title Plogger <= 3.0 SQL Injection
Info Plogger is a popular online gallery tool written in php that allows users to create an online gallery. It is vulnerable to SQL Injection issues, which also allow for arbitrary file disclosure since certain data from the returned SQL results is used as a filename argument when calling file_get_contents(). Together these issues can be used to completely take over the vulnerable Plogger application. All users should upgrade thier Plogger installations as soon as possible.
Date August 4, 2021
BID Not Available  
Credit James Bercegay
Title Pligg <= 9.9.0 Multiple Vulnerabilities
Info Pligg is a popular open source, full featured, content management system written in php. There are a number of vulnerabilities within Pligg that allow for remote file enumeration, file inclusion, cross site scripting, and sql injection. When combined these issues allow for remote code execution on the affected installation via arbitrary php code placed within template files once admin credentials are gained via SQL Injection.
Date July 31, 2021
BID Not Available  
Credit James Bercegay
Title Gregarius <= 0.5.4 SQL Injection
Info Gregarius is a popular web-based RSS/RDF/ATOM feed aggregator written in php. There are some SQL Injection issues in Gregarius that allow for the disclosure of database contents and ultimately the complete compromise of the Gregarius installation via exposed admin credentials. It is advised that Gregarius users update their Gregarius installations as soon as possible.
Date July 30, 2021
BID Not Available  
Credit James Bercegay
Title ViArt Shop <= 3.5 SQL Injection
Info ViArt Shop is a full featured online ecommerce solution written in php. There is a high risk SQL Injection in ViArt that allows for an attacker to take over the ViArt installation. This vulnerability is present regardless of magic_quotes configuration. An updated version of ViArt has been released and all users are encouraged to upgrade thier ViArt installation as soon as possible.
Date July 29, 2021
BID Not Available  
Credit James Bercegay
Title JamRoom Authentication Bypass
Info Jamroom is a popular online social media cms used to host artist sites and create music communities. It is vulnerable to a flaw in datatype comparison that allows for an attacker to bypass the authentication process completely and gain access to any account with only a username. This vulnerability has been patched in the latest version of JamRoom and all users are encouraged to upgrade as soon as possible.
Date July 28, 2021
BID Not Available  
Credit James Bercegay
Title Mambo Authentication Bypass
Info Mambo is a popular Open Source Content Management System released under the GNU General Public license (GNU GPL). There are unfortunately some serious flaws in Mambo's login feature that allow for authentication bypass. This can be used to access arbitrary accounts, but even worse can be used to eventually install harmful modules and execute arbitrary php code on the server running Mambo. The Mambo team have committed fixes for these issues to SVN, and patches are available from the official Mambo website. Users are encouraged to patch the vulnerable functionality or update their Mambo installation as soon as possible.
Date October 4, 2021
BID Not Available  
Credit James Bercegay
Title HAMweather Remote Code Execution
Info HAMWeather is a popular weather forecasting software that allows webmasters to display detailed weather forecasts and statistics on their websites. Unfortunately some of the features within HAMweather allow for an attacker to inject arbitrary php into the application and successfully execute arbitrary code. Also, because magic_quotes_gpc and register_globals settings are irrelevant when exploiting this issue it makes it that much easier for an attacker to get a remote shell on the host and possibly mount further attacks on the underlying server. An updated version of HAMweather has been released and all users are encouraged to upgrade as soon as possible.
Date September 30, 2021
BID Not Available  
Credit James Bercegay
Title CakePHP Framework Arbitrary File Access
Info CakePHP is a RAD (Rapid Application Framework) framework for PHP which uses commonly known design patterns like ActiveRecord, Association Data Mapping, Front Controller and MVC. Unfortunately CakePHP is vulnerable to an arbitrary file access vulnerability due to unsafe use of the readfile function that allows for an attacker to read any file on the system that the webserver has read access to. This could be used to read password files or sensitive configuration data etc. An updated version of CakePHP has been released and users encouraged to upgrade their CakePHP installations as soon as possible.
Date September 21, 2021
BID Not Available  
Credit James Bercegay
Title X-Cart Arbitrary Code Execution
Info X-Cart is a commercial web based eCommerce solution written in PHP and MySQL that allows for webmasters to host an online marketplace. Unfortunately an attacker may be able to execute arbitrary php code on an X-Cart installation by overwriting key configuration variables. However, because the vulnerability allows for any variables to be overwritten other attacks such as SQL Injection are probably possible as well. Qualiteam have released an updated version of their X-Cart software, and users are strongly encouraged to upgrade as soon as possible or delete the cmpi.php script that resides within the payments directory.
Date September 18, 2021
BID Not Available  
Credit James Bercegay
Title Claroline Arbitrary File Inclusion
Info Claroline is a popular online Open Source e-Learning application used to allow teachers or education organizations to create and administrate courses through the web. Claroline is also used as the framework for other e-Learning applications such as Dokeos. Unfortunately Claroline is vulnerable to a file inclusion issue when register globals is on which may allow for an attacker to read or execute arbitrary files. Some frameworks that use Claroline (such as Dokeos) are also vulnerable to the issues mentioned here. An updated version of Claroline has been released and users should upgrade immediately and disable register_globals if possible.
Date September 14, 2021
BID Not Available  
Credit James Bercegay
Title CubeCart Multiple Vulnerabilities
Info CubeCart is a very popular web application written in php that allows for an individual to open up a fully functioning online ecommerce service. Unfortunately CubeCart is vulnerable to Cross Site Scripting attacks, SQL Injection attacks, and possible remote code execution due to an attacker being able to include arbitrary php code. An updated version of CubeCart has been released and all users are encouraged to upgrade as soon as possible.
Date August 28, 2021
BID Not Available  
Credit James Bercegay
Title osCommerce Multiple Vulnerabilities
Info osCommerce is one of the most popular open source ecommerce web applications ever written. osCommerce allows webmasters to open a fully functioning online marketplace with little effort. Unfortunately there have been several new vulnerabilities discovered in the latest versions of osCommerce. These issues may allow for an attacker to gather arbitrary information from the database such as credit card information, user login information, or personal information. There are also issues with some of osCommerce's file handling functionality that may allow an attacker to gain access to sensitive data. The osCommerce team have released updates to address these vulnerabilities and all users are encouraged to upgrade their osCommerce installations as soon as possible.
Date August 17, 2021
BID Not Available  
Credit James Bercegay
Title Zen Cart Multiple Vulnerabilities
Info Zen Cart is a descendant of the popular osCommerce project, and like osCommerce Zen Cart is one of the most popular open source ecommerce systems in the world. Unfortunately Zen Cart is vulnerable to quite a number of different attacks, and in some circumstances may allow an attacker to execute arbitrary code on the underlying web server with the rights of the httpd process. In addition to remote code execution several different SQL Injection attacks may be possible. The Zen Cart developers have commited fixes for these issues to CVS and an updated version of Zen Cart will be released soon to address the issues. All users should upgrade their Zen Cart installation as soon as possible.
Date August 15, 2021
BID Not Available  
Credit James Bercegay
Title SquirrelMail Arbitrary Variable Overwriting
Info SquirrelMail is a standards-based webmail package written in php. It includes built-in pure PHP support for the IMAP and SMTP protocols. Unfortunately there is a fairly serious variable handling issue in one of the core SquirrelMail scripts that can allow an attacker to take control of variables used within the script, and influence functions and actions within the script. This is due to the unsafe handling of "expired sessions" when composing a message. An updated version of SquirrelMail can be downloaded from their official website. Users are advised to update their SquirrelMail installations as soon as possible.
Date August 11, 2021
BID Not Available  
Credit James Bercegay
Title PHPLib Remote Code Execution
Info The PHP Base Library aka PHPLib is a toolkit for PHP developers supporting them in the development of Web applications. The phpLib codebase can be found in a number of applications available today. Unfortunately some of the session emulation code is vulnerable to SQL Injection issues that in a worst case scenario can lead to remote code execution by using UNION and selecting arbitrary php code into an eval call. A new version og PHPLib has been released and users should upgrade their PHPLib libraries as soon as possible.
Date March 5, 2022
BID 16801  
Credit James Bercegay
Title Gallery 2 Multiple Vulnerabilities
Info Gallery2, the open source web based photo album organizer is one of the most popular php web applications available today. Gallery2 suffers from a number of vulnerabilities including IP Spoofing via X_FORWARDED_FOR that may allow a malicious user to hide their identity, script injection via the faulty X_FORWARDED_FOR implementation, and also arbitrary file access which could ultimately lead to the deletion of arbitrary files on the webserver. A new version of Gallery 2 has been released and users should upgrade their Gallery 2 installations.
Date March 2, 2022
BID Not Available  
Credit James Bercegay
Title phpRPC Library Remote Code Execution
Info phpRPC is meant to be an easy to use xmlrpc library. phpRPC is greatly simplified with the use of database/rpc-protocol abstraction. It should run on any php server with most data bases. Unfortunately, there is a easily exploitable remote php code execution vulnerability in the phpRPC library that allows an attacker to execute arbitrary code on the affected webserver. This vulnerability, like previously discovered vulnerabilities in various implementations of the XMLRPC protocol is possible because of unsanitized data being passed to an eval call. This of course could ultimately lead to a compromise of the under lying web server, and disclosure of sensitive data.
Date February 26, 2022
BID Not Available  
Credit James Bercegay
Title Mambo Multiple Vulnerabilities
Info Mambo is a popular Open Source Content Management System released under the GNU General Public license (GNU GPL). There are a number of security issues in Mambo which allows for SQL Injection, Authentication Bypass, and possible remote code execution via local file inclusion. There has been an updated version of Mambo released and all users are advised to upgrade as soon as possible. Also, please note that these vulnerabilities are NOT related to any worms currently taking advantage of vulnerable Mambo installations.
Date February 24, 2022
BID Not Available  
Credit James Bercegay
Title PEAR LiveUser File Access Vulnerabilities
Info LiveUser is a user authentication and permission management framework that is part of php's PEAR Library. LiveUser has many different features, including the ability to remember a user via cookies. Unfortunately there is an issue with how extracted cookie data is handled by the LiveUser library within the remember feature which makes it possible for an attacker to gain access to, and even delete potentially sensitive files on the webserver. An updated version of the LiveUser framework has been released, and users are advised to upgrade to LiveUser 0.16.9
Date February 21, 2022
BID Not Available  
Credit James Bercegay
Title Geeklog Remote Code Execution
Info Geeklog is one of the most popular content management systems available today. Geeklog unfortunately is vulnerable to a number of different attacks such as SQL Injection, and arbitrary file inclusion. These attacks can be combined to ultimately execute code on the vulnerable web server in a very reliable manner. According to the developers these issues affect pretty much every version of Geeklog ever released, so users are strongly encouraged to upgrade to the latest version of Geeklog which is Geeklog 1.4.0sr1 and 1.3.11sr4
Date February 19, 2022
BID Not Available  
Credit James Bercegay
Title ADOdb Library Cross Site Scripting
Info ADOdb is a database abstraction library for php used by a great deal of projects to provide support for a number of well known database api's. ADOdb also comes with various functions to perform routine database related tasks. One of the more useful of these functions is ADOdb's ability to paginate the retrieved database records by using the ADODB_Pager class. However, there are several cross site scripting issues within the ADODB_Pager class that may allow for an attacker to render malicious client side code in the victims browser. An updated version of ADOdb has been released, and users should update their ADOdb library.
Date February 18, 2022
BID Not Available  
Credit James Bercegay
Title XMB Forums Multiple Vulnerabilities
Info XMB Forums is a popular forum software written in php and mysql that allows you to open up your own online community or messageboard. There are a number of security issues in XMB Forums that may allow for an attacker to perform SQL injection attacks or cross site scripting attacks against the vulnerable web application. These types of attacks may allow for disclosure of sensitive data such as cookie information or contents from the underlying database.
Date February 12, 2022
BID Not Available  
Credit James Bercegay
Title DB_eSession deleteSession() SQL injection
Info DB_eSession is a feature-packed PHP class that stores the session data in a MySQL database rather than files. It is powerful, designed with security in mind, and is easy to utilize. The DB_eSession library is used in a number of popular web applications, and private projects alike. DB_eSession is vulnerable to SQL Injection attacks due to unsafe use of cookie data in an SQL query, and can allow an attacker to craft malicious SQL Queries and have them then successfully executed.
Date February 11, 2022
BID Not Available  
Credit James Bercegay
Title HiveMail Multiple Vulnerabilities
Info HiveMail is a powerful web-based email program that allows you to offer personal email accounts to your visitors. This makes HiveMail a popular choice for business and individuals alike. Unfortunately there are a number of remote code execution vulnerabilities in HiveMail due to unsafe eval calls that may allow an attacker to compromise the underlying web server. In addition there are also vulnerabilities that allow an attacker to perform SQL Injection and Cross Site Scripting attacks.
Date February 10, 2022
BID Not Available  
Credit James Bercegay
Title CPAINT AJAX Library Cross Site Scripting
Info CPAINT (Cross-Platform Asynchronous INterface Toolkit) is a multi-language toolkit that helps web developers design and implement AJAX web applications with ease and flexibility. CPAINT does not sanitize all user supplied data properly which leads to cross site scripting. This makes not only CPAINT vulnerable, but the applications that use CPAINT as a third party library are vulnerable as well.
Date February 9, 2022
BID Not Available  
Credit James Bercegay
Title eyeOS Remote Code Execution
Info eyeOS is a "web based operating system" written in php, that lets you access your data and your applications from anywhere with an internet connection. There is a very easy to exploit Remote Code Execution issue in one of the core eyeOS files that affects eyeOS 0.8.9 and earlier. A new version of eyeOS has been released and all users are encouraged to upgrade immediately to eyeOS 0.8.10
Date February 7, 2022
BID Not Available  
Credit James Bercegay
Title RunCMS Multiple Vulnerabilities
Info RunCMS is a very popular, full featured content management system based on the XOOPS content management system. There are a number of fairly serious vulnerabilities in RunCMS that may allow an attacker to overwrite very important variables used by RunCMS and conduct SQL Injection attacks. A new version of RunCMS has been released some time ago, and all users are advised to upgrade immediately.
Date August 19, 2021
BID Not Available  
Credit James Bercegay
Title MySQL Eventum Multiple Vulnerabilities
Info Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs. Eventum is used by the MySQL AB Technical Support team. Unfortunately Eventum is vulnerable to some highly exploitable SQL Injection issues as well as cross site scripting issues. A new version of Eventum has been released and users are strongly advised to upgrade their Eventum installations.
Date July 31, 2021
BID Not Available  
Credit James Bercegay
Title Kayako LiveResponse Multiple Vulnerabilities
Info Kayako liveResponse is a web based application aimed at providing live support for websites and businesses. There are a number of vulnerabilities in Kayako liveResponse that range from Cross Site Request Forgeries, Cross Site Scripting, Information Disclosure, Script Injection, and SQL Injection vulnerabilities which can lead to disclosure of sensitive data. Users are suggested to update as soon as a secured version becomes available.
Date July 30, 2021
BID Not Available  
Credit James Bercegay
Title Mozilla XPCOM Library Race Condition
Info xpcom, or cross platform component object model is a framework for writing cross-platform, modular software. The xpcom library is used in many applications including a majority of the popular browsers such as FireFox, NetScape, Mozilla, Galeon, etc. It seems that there is a race condition of sorts in xpcom that makes it possible for an attacker to crash a victims browser by having them view a malformed html document. This issue is not believed to be exploitable by the Mozilla dev team, and will likely be addressed in full at a later date by the development team.
Date July 21, 2021
BID Not Available  
Credit James Bercegay
Title SquirrelMail Arbitrary Variable Overwriting
Info SquirrelMail is a standards-based webmail package written in php. It includes built-in pure PHP support for the IMAP and SMTP protocols. Unfortunately there is a fairly serious variable handling issue in one of the core SquirrelMail scripts that can allow an attacker to take control of variables used within the script, and influence functions and actions within the script. An updated version of SquirrelMail can be downloaded from their official website. Users are advised to update their SquirrelMail installations as soon as possible.
Date July 14, 2021
BID Not Available  
Credit James Bercegay
Title Simple Machines Forum SQL Injection
Info SMF or Simple Machines Forum as it is probably better known as is a very popular forum system, and developed by members of the YaBB SE development team. Simple Machine Forums versions prior to the recently released 1.0.5 are vulnerable to a very serious SQL Injection hole, as well as a more obscure, harder to exploit SQL Injection hole. Both vulnerabilities have been resolved and users should upgrade to the latest version of SMF immediately.
Date July 03, 2022
BID Not Available  
Credit James Bercegay
Title PHPXMLRPC Library Remote Code Execution
Info PHPXMLRPC aka XML-RPC For PHP is a PHP implementation of the XML-RPC web RPC protocol, and was originally developed by Edd Dumbill of Useful Information Company. As of the 1.0 stable release, the project has been opened to wider involvement and moved to SourceForge. PHPXMLRPC is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, and TikiWiki. Unfortunately PHPXMLRPC is vulnerable to a remote php code execution vulnerability that may be exploited by an attacker to compromise a vulnerable system.
Date July 02, 2022
BID Not Available  
Credit James Bercegay
Title PEAR XML_RPC Library Remote Code Execution
Info PEAR XML_RPC is a PHP implementation of the XML-RPC web RPC protocol, and used by many different developers across the world. PEAR XML_RPC was originally developed by Edd Dumbill of Useful Information Company, but has since been expanded by several individuals. Unfortunately PEAR XML_RPC is vulnerable to a remote php code execution vulnerability that may allow for an attacker to compromise a vulnerable server. Version 1.3.1 has been released to address these issues.
Date July 01, 2022
BID Not Available  
Credit James Bercegay
Title XOOPS 2.0.11 && Earlier Multiple Vulnerabilities
Info XOOPS is a very popular dynamic web content management system written in Object Oriented PHP. One of the features of XOOPS is it's own XMLRPC server that handles incoming XMLRPC requests. This particular feature is vulnerable to a highly critical SQL Injection issue. Additionally there are several cross site scripting issues in XOOPS as well which could allow for theft of user data or client side code execution in the context of the victim's web browser.
Date June 29, 2022
BID Not Available  
Credit James Bercegay
Title WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities
Info WordPress is a very popular personal publishing platform aka blog software, and is used by everyone from celebrities, to government officials, to non technical average joe's. There are a number of vulnerabilities in WordPress that may allow an attacker to ultimately run arbitrary code on the vulnerable system. These vulnerabilities include SQL Injection, Cross Site Scripting, and also issues that may aid an attacker in social engineering. An updated version of WordPress is available and users are strongly advised to.
Date June 28, 2022
BID Not Available  
Credit James Bercegay
Title Infopop UBB Threads Multiple Vulnerabilities
Info UBB Threads is a very popular forum system developed by Infopop. There are a number of vulnerabilities in UBB Threads that may allow an attacker to execute cross site scripting, http response splitting, and cross site request forgery attacks. Also, an attacker may include, execute, or read arbitrary local files. These vulnerabilities may allow for an attacker to completely compromise an installation of UBB Threads and possibly more. Users are encouraged to upgrade as soon as possible to the latest UBB Threads release.
Date June 23, 2022
BID Not Available  
Credit James Bercegay
Title paFaq Multiple Vulnerabilities
Info paFAQ is a FAQ/Knowledge base system that allows webmasters to keep an organized database of Frequently Asked Questions; a Knowledge Database for problems and solutions. There are a number of vulnerabilities in paFaq. These vulnerabilities include arbitrary unauthorized access to the entire paFaq database, as well as admin authentication bypass, sql injection, arbitrary code execution and cross site scripting. An attacker can gain a remote shell on a vulnerable system using these vulnerabilities.
Date June 20, 2022
BID Not Available  
Credit James Bercegay
Title paFileDB Multiple Vulnerabilities
Info paFileDB is a popular open source web application offered by php Arena. paFileDB allows webmasters to open up an interactive file repository on their website. There are a number of vulnerabilities in paFileDB that may allow for an attacker to include arbitrary files, retrieve sensitive user and/or database information, and completely bypass admin, and team member authentication. Users should upgrade immediately.
Date June 14, 2022
BID Not Available  
Credit James Bercegay
1 2 3 - Next Results per-page: 5 | 10 | 20 | 50
Results 1 - 50 of 125 Page 1 of 3