Explore Vulnerabilities

Explore all Exploits:

Phorum Remote HTTP Response Splitting Vulnerability

A remote HTTP response splitting vulnerability reportedly affects Phorum. This issue is due to a failure of the application to properly sanitize user-supplied input. A remote attacker may exploit this vulnerability to influence or misrepresent how web content is served, cached or interpreted.

Kayako ESupport Cross-Site Scripting Vulnerability

Kayako ESupport is prone to a cross-site scripting vulnerability. Multiple parameters of the 'index.php' script can be exploited to pass malicious HTML and script code to the application. This would occur in the security context of the affected Web site and may allow for theft of cookie-based authentication credentials or other attacks.

FUN Labs Games Remote Denial of Service Vulnerabilities

Multiple FUN Labs games are affected by remote denial of service vulnerabilities. A remote attacker can cause a game server to stop responding by sending an empty UDP packet. Another vulnerability can allow a remote attacker to send a malformed join packet and crash the server.

betaparticle blog Multiple Vulnerabilities

betaparticle blog is reported prone to multiple vulnerabilities. It is reported that betaparticle blog fails to sufficiently secure the authentication credential database, allowing a remote attacker to download and disclose the contents of the credential database. Additionally, several betaparticle blog scripts may be accessed by a remote unauthenticated attacker and may be employed to upload and delete arbitrary Web server accessible files, allowing a remote attacker to deny service for legitimate users or potentially compromise a target computer.

TRG News Remote File Include Vulnerability

A remote file include vulnerability affects TRG News. This issue is due to a failure of the application to properly sanitize user-supplied input prior to using it to carry out critical functionality. Remote attackers could potentially exploit this issue to include a remote, malicious PHP script. Execution of remote scripts would take place in the context of the Web server hosting the vulnerable application. This will facilitate unauthorized access.

Ciamos File Disclosure Vulnerability

Ciamos is reported prone to a file disclosure vulnerability. The full scope of this vulnerability is not currently known; however, it is demonstrated that this issue may be leveraged to disclose the source of PHP files contained in a Ciamos installation. A remote attacker may exploit this vulnerability to reveal files that contain potentially sensitive information. Information that is harvested in this manner may then be used to aid in further attacks against the software and the computer that is hosting the software.

PHP-Fusion v5.01 Html Injection Exploit

PHP-Fusion is reportedly affected by an HTML injection vulnerability. This issue is due to the application failing to properly sanitize user-supplied input passed to the 'setuser.php' script before using it in dynamically generated content. This vulnerability is reported to affect PHP-Fusion version 5.01; however, the vendor reports that the vulnerability might exist in an alteration that is planned for version 5.02. This alteration was recently released to the PHP-Fusion community as a mod for version 5.01.

Multiple Remote Input Validation Vulnerabilities in CoolForum

Multiple remote input validation vulnerabilities affect CoolForum. These issues are due to a failure of the application to properly sanitize user-supplied input prior to using it to carry out critical functionality. Multiple SQL injection vulnerabilities have been reported and a cross-site scripting vulnerability is also reported. An attacker may leverage these issues to manipulate and view arbitrary database contents by exploiting the SQL injection issues, and to have arbitrary script code executed in the browser of an unsuspecting user by exploiting the cross-site scripting vulnerabilities.

Icecast Multiple Vulnerabilities

Icecast is reported to be prone to a buffer overflow vulnerability due to a lack of sufficient boundary checks performed on certain XSL tag values before copying these values into a finite buffer in process memory. It is also reported to be prone to an information disclosure vulnerability due to the parser failing to parse XSL files when a request for such a file is appended with a dot '.' character.
