Title: CubeCart Multiple Vulnerabilities
Info: CubeCart is a very popular web application written in php that
allows for an individual to open up a fully functioning online
ecommerce service. Unfortunately CubeCart is vulnerable to Cross
Site Scripting attacks, SQL Injection attacks, and possible remote
code execution due to an attacker being able to include arbitrary
php code. An updated version of CubeCart has been released and all
users are encouraged to upgrade as soon as possible.
Date: August 28, 2021
BID: Not Available
Credit: James Bercegay

Title: osCommerce Multiple Vulnerabilities
Info: osCommerce is one of the most popular open source ecommerce web applications
ever written. osCommerce allows webmasters to open a fully functioning online
marketplace with little effort. Unfortunately there have been several new
vulnerabilities discovered in the latest versions of osCommerce. These issues
may allow for an attacker to gather arbitrary information from the database
such as credit card information, user login information, or personal information.
There are also issues with some of osCommerce's file handling functionality
that may allow an attacker to gain access to sensitive data. The osCommerce
team have released updates to address these vulnerabilities and all users are
encouraged to upgrade their osCommerce installations as soon as possible.
Date: August 17, 2021
BID: Not Available
Credit: James Bercegay

Title: Zen Cart Multiple Vulnerabilities
Info: Zen Cart is a descendant of the popular osCommerce project, and like
osCommerce, Zen Cart is one of the most popular open source ecommerce
systems in the world. Unfortunately Zen Cart is vulnerable to quite
a number of different attacks, and in some circumstances may allow an
attacker to execute arbitrary code on the underlying web server with
the rights of the httpd process. In addition to remote code execution,
several different SQL Injection attacks may be possible. The Zen Cart
developers have committed fixes for these issues to CVS and an updated
version of Zen Cart will be released soon to address the issues. All
users should upgrade their Zen Cart installation as soon as possible.
Date: August 15, 2021
BID: Not Available
Credit: James Bercegay

Title: SquirrelMail Arbitrary Variable Overwriting
Info: SquirrelMail is a standards-based webmail package written in php. It
includes built-in pure PHP support for the IMAP and SMTP protocols.
Unfortunately there is a fairly serious variable handling issue in one
of the core SquirrelMail scripts that can allow an attacker to take
control of variables used within the script, and influence functions
and actions within the script. This is due to the unsafe handling of
"expired sessions" when composing a message. An updated version of
SquirrelMail can be downloaded from their official website. Users are
advised to update their SquirrelMail installations as soon as possible.
Date: August 11, 2021
BID: Not Available
Credit: James Bercegay

Title: PHPLib Remote Code Execution
Info: The PHP Base Library, aka PHPLib, is a toolkit for PHP developers supporting
them in the development of Web applications. The PHPLib codebase can be
found in a number of applications available today. Unfortunately some of
the session emulation code is vulnerable to SQL Injection issues that in
a worst case scenario can lead to remote code execution by using UNION and
selecting arbitrary php code into an eval call. A new version of PHPLib has
been released and users should upgrade their PHPLib libraries as soon as
possible.
Date: March 5, 2022
BID: 16801
Credit: James Bercegay

Title: Gallery 2 Multiple Vulnerabilities
Info: Gallery2, the open source web based photo album organizer, is
one of the most popular php web applications available today.
Gallery2 suffers from a number of vulnerabilities including
IP Spoofing via X_FORWARDED_FOR that may allow a malicious
user to hide their identity, script injection via the faulty
X_FORWARDED_FOR implementation, and also arbitrary file access
which could ultimately lead to the deletion of arbitrary files
on the webserver. A new version of Gallery 2 has been released
and users should upgrade their Gallery 2 installations.
Date: March 2, 2022
BID: Not Available
Credit: James Bercegay

Title: phpRPC Library Remote Code Execution
Info: phpRPC is meant to be an easy to use xmlrpc library. phpRPC
is greatly simplified with the use of database/rpc-protocol
abstraction. It should run on any php server with most
databases. Unfortunately, there is an easily exploitable remote php
code execution vulnerability in the phpRPC library that allows
an attacker to execute arbitrary code on the affected webserver.
This vulnerability, like previously discovered vulnerabilities
in various implementations of the XMLRPC protocol, is possible
because of unsanitized data being passed to an eval call. This
of course could ultimately lead to a compromise of the underlying
web server, and disclosure of sensitive data.
Date: February 26, 2022
BID: Not Available
Credit: James Bercegay

Title: Mambo Multiple Vulnerabilities
Info: Mambo is a popular Open Source Content Management System
released under the GNU General Public License (GNU GPL).
There are a number of security issues in Mambo which allow
for SQL Injection, Authentication Bypass, and possible remote
code execution via local file inclusion. There has been an
updated version of Mambo released and all users are advised
to upgrade as soon as possible. Also, please note that these
vulnerabilities are NOT related to any worms currently taking
advantage of vulnerable Mambo installations.
Date: February 24, 2022
BID: Not Available
Credit: James Bercegay

Title: PEAR LiveUser File Access Vulnerabilities
Info: LiveUser is a user authentication and permission management
framework that is part of php's PEAR Library. LiveUser has
many different features, including the ability to remember
a user via cookies. Unfortunately there is an issue with
how extracted cookie data is handled by the LiveUser library
within the remember feature which makes it possible for an
attacker to gain access to, and even delete, potentially
sensitive files on the webserver. An updated version of the
LiveUser framework has been released, and users are advised
to upgrade to LiveUser 0.16.9.
Date: February 21, 2022
BID: Not Available
Credit: James Bercegay

Title: Geeklog Remote Code Execution
Info: Geeklog is one of the most popular content management systems
available today. Geeklog unfortunately is vulnerable to a
number of different attacks such as SQL Injection and
arbitrary file inclusion. These attacks can be combined to
ultimately execute code on the vulnerable web server in a very
reliable manner. According to the developers these issues
affect pretty much every version of Geeklog ever released, so
users are strongly encouraged to upgrade to the latest version
of Geeklog, which is Geeklog 1.4.0sr1 and 1.3.11sr4.
Date: February 19, 2022
BID: Not Available
Credit: James Bercegay

Title: ADOdb Library Cross Site Scripting
Info: ADOdb is a database abstraction library for php used by a
great deal of projects to provide support for a number of
well known database APIs. ADOdb also comes with various
functions to perform routine database related tasks. One
of the more useful of these functions is ADOdb's ability
to paginate the retrieved database records by using the
ADODB_Pager class. However, there are several cross site
scripting issues within the ADODB_Pager class that may
allow for an attacker to render malicious client side code
in the victim's browser. An updated version of ADOdb has been
released, and users should update their ADOdb library.
Date: February 18, 2022
BID: Not Available
Credit: James Bercegay

Title: XMB Forums Multiple Vulnerabilities
Info: XMB Forums is a popular forum software written in php and mysql
that allows you to open up your own online community or
messageboard. There are a number of security issues in XMB Forums
that may allow for an attacker to perform SQL injection attacks
or cross site scripting attacks against the vulnerable web
application. These types of attacks may allow for disclosure of
sensitive data such as cookie information or contents from the
underlying database.
Date: February 12, 2022
BID: Not Available
Credit: James Bercegay

Title: DB_eSession deleteSession() SQL injection
Info: DB_eSession is a feature-packed PHP class that stores the
session data in a MySQL database rather than files. It is
powerful, designed with security in mind, and is easy to
utilize. The DB_eSession library is used in a number of
popular web applications, and private projects alike.
DB_eSession is vulnerable to SQL Injection attacks due to
unsafe use of cookie data in an SQL query, and can allow an
attacker to craft malicious SQL Queries and have them then
successfully executed.
Date: February 11, 2022
BID: Not Available
Credit: James Bercegay

Title: HiveMail Multiple Vulnerabilities
Info: HiveMail is a powerful web-based email program that allows
you to offer personal email accounts to your visitors. This
makes HiveMail a popular choice for businesses and individuals
alike. Unfortunately there are a number of remote code
execution vulnerabilities in HiveMail due to unsafe eval
calls that may allow an attacker to compromise the underlying
web server. In addition there are also vulnerabilities that
allow an attacker to perform SQL Injection and Cross Site
Scripting attacks.
Date: February 10, 2022
BID: Not Available
Credit: James Bercegay

Title: CPAINT AJAX Library Cross Site Scripting
Info: CPAINT (Cross-Platform Asynchronous INterface Toolkit) is a
multi-language toolkit that helps web developers design and
implement AJAX web applications with ease and flexibility.
CPAINT does not sanitize all user supplied data properly,
which leads to cross site scripting. This makes not only
CPAINT vulnerable, but the applications that use CPAINT as
a third party library are vulnerable as well.
Date: February 9, 2022
BID: Not Available
Credit: James Bercegay

Title: eyeOS Remote Code Execution
Info: eyeOS is a "web based operating system" written in php, that lets you
access your data and your applications from anywhere with an internet
connection. There is a very easy to exploit Remote Code Execution
issue in one of the core eyeOS files that affects eyeOS 0.8.9 and
earlier. A new version of eyeOS has been released and all users are
encouraged to upgrade immediately to eyeOS 0.8.10.
Date: February 7, 2022
BID: Not Available
Credit: James Bercegay

Title: RunCMS Multiple Vulnerabilities
Info: RunCMS is a very popular, full featured content management system based
on the XOOPS content management system. There are a number of fairly
serious vulnerabilities in RunCMS that may allow an attacker to overwrite
very important variables used by RunCMS and conduct SQL Injection attacks.
A new version of RunCMS was released some time ago, and all users are
advised to upgrade immediately.
Date: August 19, 2021
BID: Not Available
Credit: James Bercegay

Title: MySQL Eventum Multiple Vulnerabilities
Info: Eventum is a user-friendly and flexible issue tracking system that can
be used by a support department to track incoming technical support
requests, or by a software development team to quickly organize tasks
and bugs. Eventum is used by the MySQL AB Technical Support team.
Unfortunately Eventum is vulnerable to some highly exploitable SQL
Injection issues as well as cross site scripting issues. A new version
of Eventum has been released and users are strongly advised to upgrade
their Eventum installations.
Date: July 31, 2021
BID: Not Available
Credit: James Bercegay

Title: Kayako LiveResponse Multiple Vulnerabilities
Info: Kayako liveResponse is a web based application aimed at providing live
support for websites and businesses. There are a number of vulnerabilities
in Kayako liveResponse, including Cross Site Request Forgery, Cross
Site Scripting, Information Disclosure, Script Injection, and SQL Injection
vulnerabilities, which can lead to disclosure of sensitive data. Users are
advised to update as soon as a secured version becomes available.
Date: July 30, 2021
BID: Not Available
Credit: James Bercegay

Title: Mozilla XPCOM Library Race Condition
Info: xpcom, or cross platform component object model, is a framework for
writing cross-platform, modular software. The xpcom library is used
in many applications including a majority of the popular browsers
such as FireFox, NetScape, Mozilla, Galeon, etc. It seems that
there is a race condition of sorts in xpcom that makes it possible
for an attacker to crash a victim's browser by having them view a
malformed html document. The Mozilla dev team does not believe this
issue to be exploitable, and it will likely be addressed in full at a
later date by the development team.
Date: July 21, 2021
BID: Not Available
Credit: James Bercegay

Title: SquirrelMail Arbitrary Variable Overwriting
Info: SquirrelMail is a standards-based webmail package written in php. It
includes built-in pure PHP support for the IMAP and SMTP protocols.
Unfortunately there is a fairly serious variable handling issue in one
of the core SquirrelMail scripts that can allow an attacker to take
control of variables used within the script, and influence functions
and actions within the script. An updated version of SquirrelMail can
be downloaded from their official website. Users are advised to update
their SquirrelMail installations as soon as possible.
Date: July 14, 2021
BID: Not Available
Credit: James Bercegay

Title: Simple Machines Forum SQL Injection
Info: SMF, or Simple Machines Forum as it is probably better known,
is a very popular forum system, developed by members of the
YaBB SE development team. Simple Machines Forum versions prior
to the recently released 1.0.5 are vulnerable to a very serious
SQL Injection hole, as well as a more obscure, harder to exploit
SQL Injection hole. Both vulnerabilities have been resolved and
users should upgrade to the latest version of SMF immediately.
Date: July 03, 2022
BID: Not Available
Credit: James Bercegay

Title: PHPXMLRPC Library Remote Code Execution
Info: PHPXMLRPC, aka XML-RPC For PHP, is a PHP implementation of the XML-RPC
web RPC protocol, and was originally developed by Edd Dumbill of Useful
Information Company. As of the 1.0 stable release, the project has been
opened to wider involvement and moved to SourceForge. PHPXMLRPC is used
in a large number of popular web applications such as PostNuke, Drupal,
b2evolution, and TikiWiki. Unfortunately PHPXMLRPC is vulnerable to a
remote php code execution vulnerability that may be exploited by an
attacker to compromise a vulnerable system.
Date: July 02, 2022
BID: Not Available
Credit: James Bercegay

Title: PEAR XML_RPC Library Remote Code Execution
Info: PEAR XML_RPC is a PHP implementation of the XML-RPC web RPC protocol,
and is used by many different developers across the world. PEAR XML_RPC
was originally developed by Edd Dumbill of Useful Information Company,
but has since been expanded by several individuals. Unfortunately PEAR
XML_RPC is vulnerable to a remote php code execution vulnerability that
may allow for an attacker to compromise a vulnerable server. Version
1.3.1 has been released to address these issues.
Date: July 01, 2022
BID: Not Available
Credit: James Bercegay

Title: XOOPS 2.0.11 and Earlier Multiple Vulnerabilities
Info: XOOPS is a very popular dynamic web content management system written
in Object Oriented PHP. One of the features of XOOPS is its own XMLRPC
server that handles incoming XMLRPC requests. This particular feature
is vulnerable to a highly critical SQL Injection issue. Additionally
there are several cross site scripting issues in XOOPS as well which
could allow for theft of user data or client side code execution in the
context of the victim's web browser.
Date: June 29, 2022
BID: Not Available
Credit: James Bercegay

Title: WordPress 1.5.1.2 And Earlier Multiple Vulnerabilities
Info: WordPress is a very popular personal publishing platform, aka blog
software, and is used by everyone from celebrities, to government
officials, to non technical average Joes. There are a number of
vulnerabilities in WordPress that may allow an attacker to ultimately
run arbitrary code on the vulnerable system. These vulnerabilities
include SQL Injection, Cross Site Scripting, and also issues that may
aid an attacker in social engineering. An updated version of WordPress
is available and users are strongly advised to upgrade.
Date: June 28, 2022
BID: Not Available
Credit: James Bercegay

Title: Infopop UBB Threads Multiple Vulnerabilities
Info: UBB Threads is a very popular forum system developed by Infopop.
There are a number of vulnerabilities in UBB Threads that may allow
an attacker to execute cross site scripting, http response splitting,
and cross site request forgery attacks. Also, an attacker may include,
execute, or read arbitrary local files. These vulnerabilities may allow
for an attacker to completely compromise an installation of UBB Threads
and possibly more. Users are encouraged to upgrade as soon as possible
to the latest UBB Threads release.
Date: June 23, 2022
BID: Not Available
Credit: James Bercegay

Title: paFaq Multiple Vulnerabilities
Info: paFAQ is a FAQ/Knowledge base system that allows webmasters to
keep an organized database of Frequently Asked Questions; a
Knowledge Database for problems and solutions. There are a number
of vulnerabilities in paFaq. These vulnerabilities include
arbitrary unauthorized access to the entire paFaq database, as
well as admin authentication bypass, SQL injection, arbitrary
code execution and cross site scripting. An attacker can gain a
remote shell on a vulnerable system using these vulnerabilities.
Date: June 20, 2022
BID: Not Available
Credit: James Bercegay

Title: paFileDB Multiple Vulnerabilities
Info: paFileDB is a popular open source web application offered by
php Arena. paFileDB allows webmasters to open up an interactive
file repository on their website. There are a number of
vulnerabilities in paFileDB that may allow for an attacker to
include arbitrary files, retrieve sensitive user and/or database
information, and completely bypass admin and team member
authentication. Users should upgrade immediately.
Date: June 14, 2022
BID: Not Available
Credit: James Bercegay

Title: FusionBB Multiple Vulnerabilities
Info: FusionBB is a popular online message board written in php and
developed by InteractivePHP, INC. There are several vulnerabilities
in FusionBB such as SQL Injection and Arbitrary Local File Inclusion.
These issues could allow for an attacker to execute arbitrary scripts
residing on the web server, retrieve sensitive data from the underlying
database, or bypass the FusionBB authentication mechanisms.
Date: June 13, 2022
BID: Not Available
Credit: James Bercegay

Title: osCommerce HTTP Response Splitting
Info: osCommerce is a very popular eCommerce application that allows for
individuals to host their own online shop. All current versions of
osCommerce are vulnerable to HTTP Response Splitting. These HTTP
Response Splitting vulnerabilities may allow for an attacker to
steal sensitive user information, or cause temporary web site
defacement. The suggested fix for this issue is to make sure that
CRLF sequences are not passed to the application.
Date: June 10, 2022
BID: Not Available
Credit: James Bercegay

Title: Invision Gallery Vulnerabilities
Info: Invision Gallery is a community based gallery software that can be
integrated into Invision Power Board. There are several security
issues in Invision Gallery that may allow for an attacker to force
a user into unknowingly / unwillingly performing actions on behalf of an
attacker, or an attacker may influence SQL queries and retrieve
sensitive information contained within the underlying database. An
upgrade has been available for several weeks now and all users should
upgrade their gallery installations as soon as possible.
Date: June 09, 2022
BID: Not Available
Credit: James Bercegay

Title: Invision Community Blog Vulnerabilities
Info: Invision Blog is a community based blogging software that can be
integrated into Invision Power Board. There are several dangerous
SQL Injection vulnerabilities, as well as a cross site scripting
vulnerability. These vulnerabilities could allow for an attacker
to gain access to sensitive data such as password information and
render hostile script in the context of a victim's browser, which
could lead to disclosure of sensitive data such as cookie data.
Date: June 07, 2022
BID: Not Available
Credit: James Bercegay

Title: Format String Vulnerability In Peercast
Info: Peercast is a popular p2p streaming media server (similar to
shoutcast). There is a serious security issue in peercast versions
0.1211 and earlier that may allow for an attacker to execute
arbitrary code on the remote target with the privileges of the user
running peercast (usually administrator) or crash the vulnerable
server. There is an updated version of peercast available and all
users should upgrade as soon as possible.
Date: May 28, 2022
BID: Not Available
Credit: James Bercegay

Title: Help Center Live Vulnerabilities
Info: Help Center Live is a `Live` help desk system written in PHP using
a MySQL database backend that features Live Support, Trouble Tickets
and FAQ within one project. This is a very popular application,
especially with webhosts and other services. Unfortunately Help Center
Live is vulnerable to SQL injection, Script Injection, and Cross Site
Scripting attacks, but the most serious of the vulnerabilities mentioned
(the SQL Injection attacks) require magic_quotes_gpc to be set to off.
Date: May 17, 2022
BID: Not Available
Credit: James Bercegay

Title: Woltlab Burning Board SQL Injection Vulnerability
Info: Burning Board is a popular, multi purpose forum / community software
offered by WoltLab GmbH. There is an SQL Injection vulnerability in
Burning Board 2.* and earlier that allows for an attacker to influence
SQL Queries and possibly query arbitrary data from the database, such
as admin password hashes. The developers are said to have made a patch
available as of late last week, and all users should upgrade their
Burning Board installations as soon as possible.
Date: May 16, 2022
BID: Not Available
Credit: James Bercegay

Title: Yappa-NG Multiple Vulnerabilities
Info: Yappa-NG is the second generation (new and improved) version
of Yappa (yet another php photo album). There are several
vulnerabilities in Yappa-NG that may allow an attacker to
possibly take control of the vulnerable server. In order to
exploit these vulnerabilities register_globals must be on. An
updated version of Yappa-NG is available, and users should
upgrade as soon as possible.
Date: May 11, 2022
BID: Not Available
Credit: James Bercegay

Title: Multiple Invision Power Board Vulnerabilities
Info: Invision Power Board (IPB) is a professional forum system that
has been built from the ground up with speed and security in
mind. It is used by a great many people all over the world. All
versions of Invision Power Board are vulnerable to a serious
SQL Injection vulnerability. An attacker does not have to be
logged in, or even have access or permission to view the forums,
in order to exploit this vulnerability. Users should upgrade
immediately.
Date: May 5, 2022
BID: Not Available
Credit: James Bercegay

Title: Multiple SitePanel2 Vulnerabilities
Info: SitePanel2 is a helpdesk / trouble ticket / support system used
by businesses and individuals alike. There are a number of
vulnerabilities in SitePanel2, some of which are fairly serious.
If an attacker is able to successfully exploit these vulnerabilities
in SitePanel2 he may be able to successfully compromise user accounts
or completely compromise the target web server. A security patch has
been released to address these issues and all users are strongly
encouraged to upgrade their SitePanel2 installations as soon as
possible.
Date: May 3, 2022
BID: Not Available
Credit: James Bercegay

Title: Multiple Vulnerabilities In osTicket
Info: osTicket is a widely-used open source support ticket system. It is a
lightweight support ticket tool written mainly in the PHP scripting
language. There are several vulnerabilities in the osTicket software
that may allow for an attacker to take control of the affected web
server, disclose sensitive data from the database, or read arbitrary
files. These issues have been reported to the developers and a new
updated version of osTicket is available for download. All affected
users should upgrade their osTicket installations immediately.
Date: May 2, 2022
BID: Not Available
Credit: James Bercegay

Title: phpBB Notes Mod SQL Injection Vulnerability
Info: oxpus.de authors many popular modules and hacks for the amazingly
popular phpBB software. One of these modules allows users to keep
their own personal memo pad of sorts in the usercp. This particular
mod comes standard with packages like orion_phpbb and others. This
"notes" module is vulnerable to a serious SQL Injection vulnerability
that will allow for an attacker to pull sensitive information from
the underlying database, and possibly compromise the integrity of
the affected phpBB installation.
Date: April 27, 2022
BID: Not Available
Credit: James Bercegay

Title: Multiple eGroupware Vulnerabilities
Info: eGroupware is a very popular open source web based collaboration
software that can be used within an intranet, or externally via
the internet to build a community and/or help coordinate large
projects. eGroupware also comes pre packaged in some linux
distributions. GulfTech Security Research has found a few high
risk SQL Injection vulnerabilities as well as Cross Site Scripting
vulnerabilities. A new version of eGroupware is now available and
all eGroupware users should upgrade immediately. Not only does the
new eGroupware release address these security issues, but it also
includes a number of bugfixes!
Date: April 20, 2022
BID: Not Available
Credit: James Bercegay

Title: Multiple Security Issues Found In AZBB
Info: azbb is a forum that was written with a primary focus on security.
azbb does not require a database such as MySQL, PostGres or MSSQL
and can even be used as a blog, or portal of sorts. Unfortunately
there are a number of security issues in AZBB versions prior to
1.0.08, but none of these issues are considered "high risk". However,
the developer has addressed these issues and all users should upgrade
to the current 1.0.08 version. These vulnerabilities include file
enumeration, arbitrary file deletion, and file inclusion.
Date: April 19, 2022
BID: Not Available
Credit: James Bercegay

Title: Multiple ModernBill 4.3.0 And Earlier Vulnerabilities
Info: ModernBill is a widely used billing and management software used
by webhosts to manage billing and financial data. ModernBill is
prone to remote file inclusion and cross site scripting in versions
prior to 4.3.1. These vulnerabilities could allow for an attacker to
execute client side code in the context of the victim's web browser,
steal sensitive user data, and run system commands remotely on the
affected web server. A fixed version is available and users are advised
to upgrade immediately.
Date: April 10, 2022
BID: Not Available
Credit: James Bercegay

Title: Double Choco Latte Vulnerabilities
Info: Double Choco Latte is a GNU Enterprise package that provides basic
project management capabilities, time tracking on tasks, call
tracking, email notifications, online documents, statistical reports,
a report engine, and more features that are either working or being
developed/planned. It can be displayed inside of a phpGroupWare
installation or be used stand-alone. It is licensed under the GPL
(GNU Public License), which means it is free to study, distribute,
modify, and use. Double Choco Latte 0.9.4.3 and earlier are prone
to php code execution vulnerabilities which allow an attacker to run
php code with the privileges of the webserver.
Date: April 8, 2022
BID: 12894
Credit: James Bercegay

Title: phpCoin Multiple Vulnerabilities
Info: phpCoin is a free software package originally designed for
web-hosting resellers to handle clients, orders, invoices,
notes and helpdesk. phpCoin versions 1.2.1b and earlier are
prone to multiple vulnerabilities such as SQL Injection and
File Inclusion vulnerabilities. A new version has been released,
and users should upgrade as soon as possible. Updated packages can
be found at the official phpCoin website, located at
http://www.phpcoin.com. Thanks to the developers for a quick
resolution to these issues!
Date: March 29, 2022
BID: Not Available
Credit: James Bercegay

Title: Multiple Vulnerabilities In PhotoPost Pro
Info: PhotoPost was designed to help you give your users exactly
what they want. Your users will be thrilled to finally be
able to upload and display their photos for your entire
community to view and discuss, all with no more effort than
it takes to post a text message to a forum. If you already
have a forum (vBulletin, UBB Threads, phpBB, DCForum, or
InvisionBoard), you'll appreciate that PhotoPost was designed
to seamlessly integrate into your site without the need for
your users to register twice and maintain two logins. PhotoPost
Pro is vulnerable to some serious SQL Injection issues as well as
cross site scripting. An update is available and all users should
upgrade now.
Date: January 3, 2022
BID: Not Available
Credit: James Bercegay

Title: Serious Vulnerabilities In PhotoPost ReviewPost
Info: Your community of users represents a wealth of knowledge. Now
your users can help build and maintain your site by writing
reviews of any product imaginable. With ReviewPost, you will
quickly amass a valuable collection of user opinions about
products that relate to your site. ReviewPost can even use
your existing forum login system (if you have one) to keep your
users from having to register twice, and makes an excellent
companion to ReviewPost. PhotoPost ReviewPost is vulnerable to cross site
scripting, SQL Injection, and Arbitrary File Upload. There is a new
version of the software available and users are encouraged to upgrade.
Date: January 2, 2022
BID: Not Available
Credit: James Bercegay

Title: Serious Vulnerabilities In PhotoPost Classifieds
Info: Add a full-featured user-to-user classified ads system to your
website to connect buyers with sellers. No matter what your users'
interests may be, they likely want to buy and sell items related
to your site's topic, and PhotoPost Classifieds makes it easy.
PhotoPost Classifieds is designed to integrate seamlessly into
your current site design, and can even use your existing forum
user database (if you have one) for one central login. PhotoPost
Classifieds is vulnerable to cross site scripting, SQL Injection, and
Arbitrary File Upload. There is a new version of the software available
and users are encouraged to upgrade.
Date: January 1, 2022
BID: Not Available
Credit: James Bercegay

Title: File Include Vulnerability In php-Calendar
Info: "I was searching for a decent calendar which my group at school could
use to keep track of events, etc. We were previously using localendar,
which I didn't like and it had some problems. I found CST-Calendar which
did most of what I wanted, but was rather ugly and missed some features
others in the group wanted. So, I gradually re-wrote CST-Calendar since
that project seems to have stopped work entirely."
[ As quoted from their website ] This program includes several potentially
very dangerous file include vulnerabilities. Since php-calendar is an open
source calendar it has been said that some developers use the php-calendar
in their own projects, thus potentially making their applications vulnerable as well.
Date: December 29, 2021
BID: Not Available
Credit: James Bercegay