NPDS does not sufficiently filter potentially malicious HTML code from news posts, allowing an attacker to inject malicious JavaScript code into a news post. When a user views the post, the code is executed in the browser of the vulnerable user in the context of the site running the NPDS software.
PHPNuke does not sufficiently filter potentially malicious HTML code from news posts. As a result, when a user views a news posting that contains malicious HTML code, the code contained in the posted message would be executed in the browser of the vulnerable user. This will occur in the context of the site running the PHPNuke software.
acWEB is vulnerable to Cross-Site Scripting attacks. An attacker can construct a malicious link containing arbitrary script code and send it to a victim. When the victim visits the link, the script code will be executed in the context of the webserver.
Monkey HTTP server is prone to a directory-traversal bug that may allow attackers to access sensitive files. By passing a malicious query to a vulnerable server, an attacker can potentially gain access to arbitrary webserver-readable files. This issue occurs because the application fails to sufficiently validate the user-supplied input.
A vulnerability in the UCX POP server used by OpenVMS allows a malicious local user to overwrite arbitrary files on the filesystem. This can be done by running the UCX POP server with a logfile argument pointing to a file the user should not be able to write to.
PHPNuke 6.0 is prone to cross-site scripting attacks. HTML tags are not filtered from links to the 'modules.php' script. Reportedly, the problem lies in the 'Search' page of the 'modules.php' script. It is possible for a malicious attacker to submit a search string that contains HTML code. The value of this search string is not sanitized before it is included in PHP generated HTML and output to the client. This attack may be used to steal a user's cookie-based authentication credentials for the vulnerable PHPNuke site.
Apache is prone to a denial of service condition when an excessive amount of data is written to stderr. This condition reportedly occurs when the amount of data written to stderr is over the default amount allowed by the operating system. This may potentially be an issue in web applications that write user-supplied data to stderr. Additionally, locally based attackers may exploit this issue.
The servlet 'org.apache.catalina.servlets.DefaultServlet' is included with Apache Tomcat by default. It is possible to use this servlet to view contents of files within the webroot. This includes JSP source code, which may contain sensitive data such as database usernames and passwords.
projectbutler-0.8.4 is vulnerable to Remote File Inclusion. An attacker can exploit this vulnerability by sending a malicious URL to the vulnerable application. The malicious URL contains a script which is then executed on the vulnerable server.
XOOPS is vulnerable to HTML injection attacks due to insufficient filtering of potentially malicious HTML code from posted messages. When a user views a message posting that contains malicious HTML code, the code contained in the message would be executed in the browser of the vulnerable user. This can be exploited to execute arbitrary script code in a vulnerable client's browser.
Services By CQR