You can use the form below to search our site. Just enter the
keywords to search.
|
|
 |
| Title |
WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities
|
| Info |
WordPress is a very popular personal publishing platform aka blog
software, and is used by everyone from celebrities, to government
officials, to non technical average joe's. There are a number of
vulnerabilities in WordPress that may allow an attacker to ultimately
run arbitrary code on the vulnerable system. These vulnerabilities
include SQL Injection, Cross Site Scripting, and also issues that may
aid an attacker in social engineering. An updated version of WordPress
is available and users are strongly advised to. |
| Date |
June 28, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Infopop UBB Threads Multiple Vulnerabilities
|
| Info |
UBB Threads is a very popular forum system developed by Infopop.
There are a number of vulnerabilities in UBB Threads that may allow
an attacker to execute cross site scripting, http response splitting,
and cross site request forgery attacks. Also, an attacker may include,
execute, or read arbitrary local files. These vulnerabilities may allow
for an attacker to completely compromise an installation of UBB Threads
and possibly more. Users are encouraged to upgrade as soon as possible
to the latest UBB Threads release. |
| Date |
June 23, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
paFaq Multiple Vulnerabilities
|
| Info |
paFAQ is a FAQ/Knowledge base system that allows webmasters to
keep an organized database of Frequently Asked Questions; a
Knowledge Database for problems and solutions. There are a number
of vulnerabilities in paFaq. These vulnerabilities include
arbitrary unauthorized access to the entire paFaq database, as
well as admin authentication bypass, sql injection, arbitrary
code execution and cross site scripting. An attacker can gain a
remote shell on a vulnerable system using these vulnerabilities. |
| Date |
June 20, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
paFileDB Multiple Vulnerabilities
|
| Info |
paFileDB is a popular open source web application offered by
php Arena. paFileDB allows webmasters to open up an interactive
file repository on their website. There are a number of
vulnerabilities in paFileDB that may allow for an attacker to
include arbitrary files, retrieve sensitive user and/or database
information, and completely bypass admin, and team member
authentication. Users should upgrade immediately. |
| Date |
June 14, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
FusionBB Multiple Vulnerabilities
|
| Info |
FusionBB is a popular online message board written in php and
developed by InteractivePHP, INC. There are several vulnerabilities
in FusionBB such as SQL Injection and Arbitrary Local File Inclusion.
These issues could allow for an attacker to execute arbitrary scripts
residing on the web server, retrieve sensitive data from the underlying
database, or bypass the FusionBB authentication mechanisms. |
| Date |
June 13, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
osCommerce HTTP Response Splitting
|
| Info |
osCommerce is a very popular eCommerce application that allows for
individuals to host their own online shop. All current versions of
osCommerce are vulnerable to HTTP Response Splitting. These HTTP
Response Splitting vulnerabilities may allow for an attacker to
steal sensitive user information, or cause temporary web site
defacement. The suggested fix for this issue is to make sure that
CRLF sequences are not passed to the application. |
| Date |
June 10, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Invision Gallery Vulnerabilities
|
| Info |
Invision Gallery is a community based gallery software that can be
integrated into Invision Power Board. There are several security
issues in Invision Gallery that may allow for an attacker to force
a user into unknowingly / unwillingly perform actions on behalf of an
attacker, or an attacker may influence SQL queries and retrieve
sensitive information contained within the underlying database. An
upgrade has been released for several weeks now and all users should
upgrade their gallery installations as soon as possible. |
| Date |
June 09, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Invision Community Blog Vulnerabilities
|
| Info |
Invision Blog is a community based blogging software that can be
integrated into Invision Power Board. There are several dangerous
SQL Injection vulnerabilities, as well as a cross site scripting
vulnerability. These vulnerabilities could allow for an attacker
to gain access to sensitive data such as password information and
render hostile script in the context of a victims browser which
could lead to disclosure of sensitive data such as cookie data. |
| Date |
June 07, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Format String Vulnerability In Peercast
|
| Info |
Peercast is a popular p2p streaming media server (similar to
shoutcast). There is a serious security issue in peercast versions
0.1211 and earlier that may allow for an attacker to execute
arbitrary code on the remote target with the privileges of the user
running peercast (usually administrator) or crash the vulnerable
server. There is an updated version of peercast available and all
users should upgrade as soon as possible. |
| Date |
May 28, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Help Center Live Vulnerabilities
|
| Info |
Help Center Live is a `Live` help desk system written in PHP using
a MySql database backend that features Live Support, Trouble Tickets
and FAQ within one project. This is a very popular application,
especially with webhosts and other services. Unfortunately Help Center
Live is vulnerable to Sql injection, Script Injection, and Cross Site
Scripting attacks, but the most serious of the vulnerabilities mentioned
(The SQL Injection attacks) require magic_quotes_gpc to be set to off. |
| Date |
May 17, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Woltlab Burning Board SQL Injection Vulnerability
|
| Info |
Burning Board is a popular, multi purpose forum / community software
offered by WoltLab GmbH. There is an SQL Injection vulnerability in
Burning Board 2.* and earlier that allows for an attacker to influence
SQL Queries and possibly query arbitrary data from the database, such
as admin password hashes. The developers are said to have made a patch
available as of late last week, and all users should upgrade their
Burning Board installations as soon as possible. |
| Date |
May 16, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Yappa-NG Multiple Vulnerabilities
|
| Info |
Yappa-NG is the second generation (new and improved) version
of Yappa (yet another php photo album). There are several
vulnerabilities in Yappa-NG that may allow an attacker to
possibly take control of the vulnerable server. In order to
exploit these vulnerabilities register_globals must be on. An
updated version of Yappa-NG is available, and users should
upgrade as soon as possible. |
| Date |
May 11, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Multiple Invision Power Board Vulnerabilities
|
| Info |
Invision Power Board (IPB) is a professional forum system that
has been built from the ground up with speed and security in
mind. It is used by a great many people all over the world. All
versions of Invision Power Board are vulnerable to a serious
SQL Injection vulnerability.
An attacker does not have to be logged in, or even have access
or permission to view the forums in order to exploit this
vulnerability. Users should upgrade immediately. |
| Date |
May 5, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Multiple SitePanel2 Vulnerabilities
|
| Info |
SitePanel2 is a helpdesk / trouble ticket / support system used
by businesses and individuals alike. There are a number of
vulnerabilities in SitePanel2, some of which are fairly serious.
If an attacker is able to successfully exploit these vulnerabilities
in SitePanel2 he may be able to successfully compromise user accounts
or completely compromise the target web server. A security patch has
been released to address these issues and all users are strongly
encouraged to upgrade their SitePanel2 installations as soon as
possible. |
| Date |
May 3, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In osTicket
|
| Info |
osTicket is a widely-used open source support ticket system. It is a
lightweight support ticket tool written mainly using PHP scripting
language. There are several vulnerabilities in the osTicket software
that may allow for an attacker to take control of the affected web
server, disclose sensitive data from the database, or read arbitrary
files. These issues have been reported to the developers and a new
updated version of osTicket is available for download. All affected
users should upgrade their osTicket installations immediately. |
| Date |
May 2, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
phpBB Notes Mod SQL Injection Vulnerability
|
| Info |
oxpus.de author many popular modules and hacks for the amazingly
popular phpBB software. One of these modules allows users to keep
their own personal memo pad of sorts in the usercp. This particular
mod comes standard with packages like orion_phpbb and others. This
"notes" module is vulnerable to a serious SQL Injection vulnerability
that will allow for an attacker to pull sensitive information from
the underlying database, and possibly compromise the integrity of
the affected phpBB installation. |
| Date |
April 27, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Multiple eGroupware Vulnerabilities
|
| Info |
eGroupware is a very popular open source web based collaboration
software that can be used within an intranet, or externally via
the internet to build a community and/or help coordinate large
projects. eGroupware also comes pre packaged in some linux
distributions. GulfTech Security Research has found a few high
risk SQL Injection vulnerabilities as well as Cross Site Scripting
vulnerabilities. A new version of eGroupware is now available and
all eGroupware users should upgrade immediately. Not only does the
new eGroupware release address these security issues, but it also
includes a number of bugfixes! |
| Date |
April 20, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Multiple Security Issues Found In AZBB
|
| Info |
azbb is a forum that was written with a primary focus on security.
azbb does not require a database such as MySQL, PostGres or MSSQL
and can even be used as a blog, or portal of sorts. Unfortunately
there are a number of security issues in AZBB versions prior to
1.0.08, but none of these issues are considered "high risk". However,
the developer has addressed these issues and all users should upgrade
to the current 1.0.08 version. These vulnerabilities include file
enumeration, arbitrary file deletion, and file inclusion. |
| Date |
April 19, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Multiple ModernBill 4.3.0 And Earlier Vulnerabilities
|
| Info |
ModernBill is a widely used billing and management software used
by webhosts to manage billing and financial data. ModernBill is
prone to remote file inclusion and cross site scripting in version
prior to 4.3.1. These vulnerabilities could allow for an attacker to
execute client side code in the context of the victims web browser,
steal sensitive user data, and run system commands remotely on the
affected web server. A fixed version is available and users are advised
to upgrade immediately. |
| Date |
April 10, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Double Choco Latte Vulnerabilities
|
| Info |
Double Choco Latte is a GNU Enterprise package that provides basic
project management capabilities, time tracking on tasks, call
tracking, email notifications, online documents, statistical reports,
a report engine, and more features are either working or being
developed/planned. It can be displayed inside of a phpGroupWare
installation or be used stand-alone. It is licensed under the GPL
(GNU Public License), which means it is free to study, distribute,
modify, and use. Double Choco Latte 0.9.4 .3 and earlier are prone
to php code execution vulnerabilities which allows an attacker to run
php code with privileges of the webserver. |
| Date |
April 8, 2022 |
| BID |
12894
|
| Credit |
James Bercegay |
| Title |
phpCoin Multiple Vulnerabilities
|
| Info |
phpCoin is a free software package originally designed for
web-hosting resellers to handle clients, orders, invoices,
notes and helpdesk. phpCoin versions 1.2.1b and earlier are
prone to multiple vulnerabilities such as SQL Injection and
File Inclusion vulnerabilities. A new version has been released,
and users should upgrade as soon as possible. Updated packages can be found at the official phpCoin website, located at http://www.phpcoin.com Thanks to the developers for a quick resolution to these issues! |
| Date |
March 29, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In PhotoPost Pro
|
| Info |
PhotoPost was designed to help you give your users exactly
what they want. Your users will be thrilled to finally be
able to upload and display their photos for your entire
community to view and discuss, all with no more effort than
it takes to post a text message to a forum. If you already
have a forum (vBulletin, UBB Threads, phpBB, DCForum, or
InvisionBoard), you'll appreciate that PhotoPost was designed
to seamlessly integrate into your site without the need for
your users to register twice and maintain two logins. PhotoPost
Pro is vulnerable to some serious SQL Injection issues as well as
cross site scripting. An update is available and all users should
upgrade now. |
| Date |
January 3, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Serious Vulnerabilities In PhotoPost ReviewPost
|
| Info |
Your community of users represents a wealth of knowledge. Now
your users can help build and maintain your site by writing
reviews of any product imaginable. With ReviewPost, you will
quickly amass a valuable collection of user opinions about
products that relate to your site. ReviewPost can even use
your existing forum login system (if you have one) to keep your
users from having to register twice, and makes an excellent
companion to ReviewPost. PhotoPost ReviewPost are vulnerable to cross site
scripting, SQL Injection, and Arbitrary File Upload. There is a new
version of the software available and users are encouraged to upgrade. |
| Date |
January 2, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Serious Vulnerabilities In PhotoPost Classifieds
|
| Info |
Add a full-featured user-to-user classified ads system to your
website to connect buyers with sellers. No matter what your users
interestes may be, they likely want to buy and sell items related
to your site's topic, and PhotoPost Classifieds makes it easy.
PhotoPost Classifieds is designed to integrate seamlessly into
your current site design, and can even use your existing forum
user database (if you have one) for one central login. PhotoPost Classifieds are vulnerable to cross site scripting, SQL Injection, and Arbitrary File Upload. There is a new version of the software available and users are encouraged to upgrade. |
| Date |
January 1, 2022 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
File Include Vulnerability In php-Calendar
|
| Info |
I was searching for a decent calendar which my group at school could
use to keep track of events, etc. We were previously using localendar,
which I didn't like and it had some problems. I found CST-Calendar which
did most of what I wanted, but was rather ugly and missed some features
others in the group wanted. So, I gradually re-wrote CST-Calendar since
that project seems to have stopped work entirely.
[ As quoted from their website ] This program includes several potentially
very dangerous file include vulnerabilities. Since php-calendar is an open
source calendar it has been said that some developers use the php-calendar
in their own projects, thus potentially making their applications vulnerable as well. |
| Date |
December 29, 2021 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Vulnerabilities In WHM Autopilot
|
| Info |
Started by a webhost looking for more out of a simple managment
script, Brandee Diggs (Owner of Spinn A Web Cafe, Founder of
Benchmark Designs) setout to build an internal management system
that could handle the day to day operations of a normal hosting
company. The key was to remove the need to constantly watch your
orders and manage the installs. Alas, WHM AutoPilot was born.
[ as quoted from their official website ] WHM Autopilot is vulnerable
to a number of vulnerabilities such as cross site scripting, file
inclusion, and information disclosure. |
| Date |
December 27, 2021 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Critical Vulnerability In Help Center Live
|
| Info |
Help Center Live is a `Live` help desk system written in PHP using a MySql database
backend that features Live Support, Trouble Tickets and FAQ within one project. This
is a very popular application, especially with webhosts and other services. There
lies two file include vulnerabilities (both remote and local) that could allow an
attacker to execute malicious server side code on your webserver. Aditionally a cross
site scripting issue was found in Help Center Live.
|
| Date |
December 24, 2021 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Cross Site Scripting In Psychostats
|
| Info |
PsychoStats is a statistics generator for games. Currently there is support
for a handful of Half-Life "MODs" including Counter-Strike, Day of Defeat,
and Natural Selection. PsychoStats gathers statistics from the log files that
game servers create by reading through the logs and then calculating detailed
statistics for players, maps, weapons and clans. These detailed statistics
are stored in a MySQL database which are then viewed online from your website
using a set of PHP web pages. Cross site scripting exists in Jason Morriss
PsychoStats. This vulnerability exists due to user supplied input not being
checked properly. This vulnerability could be used to steal cookie based
authentication credentials within the scope of the current domain, or render
hostile code in a victim's browser. |
| Date |
December 22, 2021 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
Multiple Kayako eSupport Vulnerabilities
|
| Info |
Kayako eSupport is one of the most feature packed support systems. This program is used by
many online businesses and webhosts to help with technical support and other various
support issues. This application is vulnerable to both Cross Site Scripting and SQL Injection
vulnerabilities. The SQL Injection vulnerabilities are fairly serious and may allow for an
attacker to influence SQL queries. Full details inside. |
| Date |
December 18, 2021 |
| BID |
12037
|
| Credit |
James Bercegay |
| Title |
Multiple phpGroupWare Vulnerabilities
|
| Info |
phpGroupWare (formerly known as webdistro) is a multi-user
groupware suite written in PHP. It provides a Web-based calendar,
todo-list, addressbook, email, news headlines, and a file manager.
The calendar supports repeating events. The email system supports
inline graphics and file attachments. The system as a whole supports
user preferences, themes, user permissions, multi-language support,
an advanced API, and user groups. There have been a number of vulnerabilities found in phpGroupWare, including Cross Site Scripting, SQL Injection, and Full Path Disclosure. This application comes with some linux distributions, so check to see if you have it installed. The SQL Injection can be fairly critical. |
| Date |
December 14, 2021 |
| BID |
11952
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In SugarCRM
|
| Info |
Sugar Sales Professional is the solution for companies who use Sugar Sales in a production environment for
mission-critical sales knowledge management. Sugar Sales Professional is a visible source CRM application
that offers more features than the open source application. It also includes support by SugarCRM staff.
Sugar Sales Professional expands the open source application benefits so that your company experiences better
performance, integration and support. Multiple vulnerabilities (some high risk) have been discovered in SugarCRM.
A recet version was released recently, and was believed to include security fixes, but several of the vulnerabilities
still exist in the recently released version 2.0 |
| Date |
December 1, 2021 |
| BID |
11740
|
| Credit |
James Bercegay |
| Title |
dbPowerAmp Buffer Overflow And DoS Vulnerabilities
|
| Info |
Often called the Swiss Army knife of audio, dMC can digitally
rip sound from audio CDs to a multitude of formats. Convert
from one format to another while preserving ID tags. Nearly
every audio type is supported, including MP3, MP4, Windows Media
Audio (WMA), OGG Vorbis, AAC, Monkey's Audio, and FLAC (with
optional installs from Codec Central). For Windows Explorer
integration, right-click Convert To to pop up useful information
on audio files (such as bit rate and length). Record from LPs with
an optional Auxiliary Input install. dBpowerAmp Audio Player (dAP)
has a digital conditioning equalizer and an advanced music
collection. It's skinnable and has a cross-fader, a playlist
editor, and a tag editor. dAP plays MP3s, WMA, Ogg Vorbis, Monkeys
Audio, Real Audio, WAV, MIDI, and many more. These programs are vulnerable to buffer overflow as well as denial of service vulnerabilities. |
| Date |
September 27, 2021 |
| BID |
11266
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In EmuLive Server4
|
| Info |
Server4 is real-time media broadcasting software that works
in conjunction with Emulive producer software to create
digital television-like channels on the Internet. To web
browsers, Server4 appears as a standard web server. Visitors
to a Server4 system can browse and view available channels,
chat with other users, remotely control cameras, remotely
control devices, create user accounts, extend user accounts,
purchase time and access controlled subscriptions, purchase
one-to-one exclusive conferences, tip channel hosts, purchase
additional time and more. Server4 is prone to unauthorized remote administrative access as well as a vulnerability that will allow an attacker to crash a Server4 instalattion remotely. Proof Of Concept code is included. |
| Date |
September 20, 2021 |
| BID |
11226
|
| Credit |
James Bercegay |
| Title |
RhinoSoft DNS4ME HTTP Server Vulnerabilities
|
| Info |
DNS4Me is the dynamic DNS service that you need to
start hosting your own Internet services. When you have
a dynamic IP address, you need something to associate a
static domain name with it to make it easier for visitors
to access the services you provide. With DNS4Me, you can
take control of your Web site by running your own HTTP
server. Without a hosting company, you've eliminated the
cost of hosting as well as a layer of contact between you
and your Web site. This gives you unparalleled control
overits configuration, content, and delivery. But the
benefits of dynamic DNS aren't just for HTTP servers. Any
service that can make use of a domain name can benefit from
DNS4Me. This includes FTP servers, e-mail servers, daemons
for today's popular computer games, NetMeeting… With the
reliability and excellent support you've come to expect of
RhinoSoft.com backing up DNS4Me, you'll get a powerful, no
hassle dynamic DNS solution. The RhinoSoft DNS4ME HTTP server
is prone to multiple vulnerabilities, and users are encouraged
to upgrade as soon as possible.
|
| Date |
September 16, 2021 |
| BID |
11213
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In phpWebsite
|
| Info |
phpWebSite provides a complete web site content management
solution. All client output is valid XHTML 1.0 and meets the
W3C's Web Accessibility Initiative requirements. Currently
features: announcement posting, form generator, user
management with granulated administration, calendar, poll,
faq, photoalbum, bulletin board, rss feeds, user
customizable theme support and more. It is one of the most
popular content managment systems in the world. However, it
is vulnerabile to a number of attacks, some of which allow an
attacker to completely take control of a vulnerable phpWebsite
installation. Other vulnerabilties in phpWebsite include script
injection, SQL injection, forced command execution, and cross
site scripting. A security update is available and all phpWebsite
users should upgrade their installation as soon as possible. |
| Date |
August 31, 2021 |
| BID |
11088
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In Xedus Webserver
|
| Info |
Xedus is a Peer-to-Peer web server and provides you with the
ability to share files, music, and any other media, as well
as create robust and dynamic web sites, which can feature
database access, file system access, with full .net support.
Powered by a built in server-side, Microsoft C#, scripting
language; Xedus boasts the ability to create sites that can
rival web applications built on any other enterprise servers
like Apache, IIS, Iplanet… With Xedus, you will never need
to pay to host your sites again. Using the peer-to-peer mode,
other members of LIVE can access you site by keyword using
Internet Explorer even if you do not have a static IP address!
Xedus is prone to a number of vulnerabilities, which include
Denial Of Service, Cross Site Scripting, and Directory Traversal
attacks. These vulnerabilities can allow an attacker to retrieve
arbitrary files from the host machine, as well as deny legitimate
users access to the webserver. |
| Date |
August 30, 2021 |
| BID |
11071
|
| Credit |
James Bercegay |
| Title |
Keene Digital Media Server Directory Traversal
|
| Info |
Keene Digital Media Server is an easy and affordable way to
share all things digital with friends, family, and customers
over your broadband connection. DMS turns your computer into
a highly secure Web server that automatically converts your
files and folders into Web pages, thumbnails, and media shows
with no Web programming required. Integrated user and file
access security management provide the ultimate control over
your content. Keene Digital Media Server allows an attacker
to traverse out of the web directory, and retrieve arbitrary
files. |
| Date |
August 25, 2021 |
| BID |
11057
|
| Credit |
James Bercegay |
| Title |
Easy File Sharing Webserver v1.25 Vulnerabilities
|
| Info |
Easy File Sharing Web Server is a file sharing software
that allows visitors to upload/download files easily
through a Web Browser (IE,Netscape,Opera etc.). It can help
you share files with your friends and colleagues. They can
download files from your computer or upload files from
theirs. They will not be required to install this software
or any other software because an internet browser is enough.
Easy File Sharing Web Server also provides a Bulletin Board
System (Forum). The Easy File Sharing Web Server is vulnerable
to both Denial Of Service attacks, and unauthorized access to
the virtual folders used by the webserver. These vulnerabilities
could allow an attacker to crash/DoS the server, or gain read
access to arbitrary folders on the server.
|
| Date |
August 24, 2021 |
| BID |
11034
11036
|
| Credit |
James Bercegay |
| Title |
Possible Security Issues In LiveWorld Products
|
| Info |
LiveWorld provides collaborative services for online meetings,
customer care, and loyalty marketing. Supporting communication
between a company and its customers, employees, or partners
and among those people themselves - our services help corporations
cut costs, increase revenue, and solidify relationships
with groups critical to their success. The affected products
are beleived to be prone to Cross Site Scripting issues which allow
a malicious user to steal sensitive data, temporarily deface a page,
or render any malicious script in the context of the victim's browser.
The software believed to be vulnerable is LiveForum, LiveQ&A;, and
LiveFocusGroups. LiveWorld products are used on major websites
such as HBO, eBay, and others. |
| Date |
August 23, 2021 |
| BID |
Not Available
|
| Credit |
James Bercegay |
| Title |
BadBlue Web Server Denial of Service Vulnerability
|
| Info |
BadBlue lets you run a no-hassle Web site on your own PC for free,
including a domain name you can choose. Within seconds, you can
transform your PC into a friendly, file-sharing Web server with
all the power of a real server on the Internet. Remote users can
search for files, explore your shared folders, and run full-blown
applications created in HTML, PHP, Perl, and so on. This HTTP
server is vulnerable to a Denial of Service attack. This attack can
take place when a malicious user makes a certain number of connections
to the server. Included is proof of concept code. |
| Date |
August 20, 2021 |
| BID |
10983
|
| Credit |
James Bercegay |
| Title |
Invision Power Board IP Spoofing Vulnerability
|
| Info |
Invision Power Board (IPB) is a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object oriented code, highly-optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and moderators control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel. It is used by millions of people over the world. There lies a vulnerability in all version of Invision Power Board that allow a user to spoof his/her IP address by creating a bogus X_FORWARDED_FOR HTTP Header entry. This condition can also be caused by a user unknowingly if they use a proxy to access the internet. For example, private LAN based IP's will be logged which are impossible to trace.
|
| Date |
June 16, 2022 |
| BID |
10559
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In PHPX 3.26 And Earlier
|
| Info |
PHPX is a constantly evolving and changing Content Management System (CMS). PHPX is highly customizable and high powered all in one system. PHPX provides content management combined with the power of a portal by including in the core package modules such as FAQ, polls, and forums. PHPX uses dynamic-template-design, what this means is that you have the power to control what your site will look like. Themes are included, but not required. You can create the page however you want, and PHPX will just insert code where you want it. No more 3 columns if you don’t want it! Written in the powerful server language, PHP, and utilizing the amazingly fast and secure database MySQL, PHPX is a great solution for all size website communities, at the best price possible…free! Vulnerabilities are present in version(s) 3.2.6 and earlier and present themselves in the form of cross site scripting, path disclosure, and arbitrary command execution. Users are advised to upgrade immeadiately. |
| Date |
May 04, 2022 |
| BID |
10283
10284
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities In OpenBB
|
| Info |
OpenBB is a fast, lightweight, powerful bulletin board written in PHP/MySQL. Main features include: full customization via styles templates, instant messaging, private messaging, categories, member ranks, poll based threads, moderation, BB codes, thread notifications, Avatars, member lists, private forums and more. OpenBB is prone to several security issues such as SQL Injection, XSS, arbitrary command execution and more. |
| Date |
April 24, 2022 |
| BID |
10214
|
| Credit |
James Bercegay |
| Title |
phpBugTracker Multiple Vulnerabilities
|
| Info |
phpBugTracker is meant to be a replacement for Bugzilla. Simplicity in use and installation, Use templates to achieve presentation independence, Use a database abstraction layer to achieve database independence. phpBugTracker is a portable and powerful web-based bug tracking system. It is vulnerable to several issues including XSS, SQL injection and Script Injection. These issues can be used to expose and alter database information. |
| Date |
April 14, 2022 |
| BID |
10153
|
| Credit |
James Bercegay |
| Title |
Multiple Vulnerabilities in TikiWiki CMS Groupware
|
| Info |
Tiki CMS/Groupware (aka TikiWiki) is a powerful open-source
Content Management System (CMS) and Groupware that can be
used to create all sorts of Web applications, Sites, Portals,
Intranets and Extranets. TikiWiki also works great as a Web-based
collaboration tool. TikiWiki is a multi-purpose package with a
lot of native options and sections that you can enable/disable
as you need them. It is designed to be international, clean and
extensible. TikiWiki incorporates all the features present in
several excellent wiki systems available today plus a lot of
new features and options, allowing your wiki application to be
whatever you want it to be--from a simple wiki to a complex site
for a whole user community with many intermediate steps. You can
use TikiWiki as a forums site, a chatroom, for poll taking, and
much more! There lies a number of vulnerabilities in TikiWiki
though. These vulnerabilities include SQL Injection, Directory
Traversal, Information Disclosre, Arbitrary File Upload, XSS,
Script Injection and more. |
| Date |
April 11, 2022 |
| BID |
10100
|
| Credit |
James Bercegay |
| Title |
PhotoPost PHP Pro Multiple Vulnerabilities
|
| Info |
PhotoPost PHP Pro is a photo gallery script that allows users to share, upload and manage their photos. PhotoPost also integrates seamlessly into a number of large name forum systems such as Invision Power Board, phpBB, vBulletin, and many more. It is prone to a number of security issues which allow for attack on not only the PhotoPost installation, but also the forum it is integrated into. These vulnerabilities include SQL Injection, XSS, Denial Of Service and Script Injection. Most of the issues seem to be resolved in 4.7 |
| Date |
March 28, 2022 |
| BID |
9994
|
| Credit |
James Bercegay |
| Title |
Invision Gallery SQL Injection Vulnerabilities
|
| Info |
Invision Gallery is a fully featured, powerful gallery system that
is easy and fun to use! It plugs right into your existing Invision
Power Board to create a seamless browsing experience for the users
of your forum. Unfortunately Invision Gallery comes up very short
in regards to user supplied input validation. Because of this an
attacker can influence queries, and even use these issues to launch
an attack against the IPB instalattion on which the gallery resides. |
| Date |
March 22, 2022 |
| BID |
9944
|
| Credit |
James Bercegay |
| Title |
Invision Power Top Site List SQL Injection Vulnerability
|
| Info |
Invision Power Top Site List is a flexible site ranking script written in PHP, the popular programming choice for web developers. Featuring an impressive feature set with a user-friendly interface your community will feel at home using the system. It is vulnerable to attack though through a fairly serious SQL Injection issue which may allow an attacker to query arbitrary information such as hashed admin credentials and more. |
| Date |
March 21, 2022 |
| BID |
9945
|
| Credit |
James Bercegay |
| Title |
phpBB 2.0.7a And Earlier Security Issues
|
| Info |
phpBB 2.0.7 and earlier have a number of security issues. One of
these issues is SQL Injection and Cross Site Scripting in the admin
panel. This is an issue that would take either admin access or a bit
of social engineering for an attacker to use. But there is a far more
serious problem in phpBB and that problem is lack of session
authentication in certain parts of phpBB. This could allow for a
malicious user to have an admin unknowingly execute undo-able actions
in both the admin panel and the forum itself. This issue also affects
users. Read this for more details. |
| Date |
March 20, 2022 |
| BID |
9942
|
| Credit |
James Bercegay |
| Title |
Mambo Open Source Multiple Vulnerabilities
|
| Info |
Mambo Open Source is the finest open source Web Content Management
System available today. Mambo Open Source makes communicating via
the Web easy. Have you always wanted to have your own site but never
understood how? Well Mambo Open Source is just the ticket! With Mambo
Open Source there is no need for HTML, XML or DHTML skills, just enter
your content, add a picture and then through the easy to use
administrator web-interface ...click Publish! Simple ... Quick ... And
easy! With the in-built editor Mambo Open Source allows you to design
and create your content without the need for HTML code. Maintaining a
website has never been easier. Mambo Open Source is vulnerable to
several attacks including cross site scripting as well as SQL Injection
vulnerabilities.
|
| Date |
March 16, 2022 |
| BID |
9890
9891
|
| Credit |
James Bercegay |
|
|
