Explore Vulnerabilities

Explore all Exploits:

miniBB Multiple Vulnerabilities

miniBB is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities. Successful exploits could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. miniBB 3.0.0 is vulnerable; other versions may also be affected.

As seen above, the parameter 'id' is used in the SQL query without any sanitization, which leads to an SQL injection vulnerability.

Tests: Log in as a user with posting privileges and use the shortcode below:

[Spider_Catalog_Product id="0' UNION SELECT 1,2,3,@@version,5,6,7,8,9,10,11,12#"]

Now open the page with this shortcode and check the source code.

Mintboard Multiple Cross-Site Scripting Vulnerabilities

Mintboard is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Cryptocat Information Disclosure Vulnerability

Cryptocat is prone to an information disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks. The vulnerability is triggered when an attacker embeds malicious code in an image file and uploads it to the application. The malicious code is then executed when the image is loaded.

Air Drive Plus Multiple Input Validation Vulnerabilities

Air Drive Plus is prone to multiple input validation vulnerabilities including a local file-include vulnerability, an arbitrary file-upload vulnerability, and an HTML-injection vulnerability. An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, obtain sensitive information, execute arbitrary script code within the context of the browser, and steal cookie-based authentication credentials.

Intelligent Platform Management Interface Information Disclosure Vulnerability

Intelligent Platform Management Interface is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid password guessing attacks. Intelligent Platform Management Interface 2.0 is vulnerable; other versions may also be affected.

Multiple Zoom Telephonics Devices Vulnerabilities

Multiple Zoom Telephonics devices are prone to an information-disclosure vulnerability, multiple authentication bypass vulnerabilities and an SQL-injection vulnerability. Exploiting these issues could allow an attacker to gain unauthorized access and perform arbitrary actions, obtain sensitive information, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. All administrative items can be accessed through two URLs. Example commands that can be executed remotely through a web browser URL, or through modified HTTP GET/POST requests, include changing passwords for admin accounts, clearing logs, remotely rebooting to default factory settings, and creating new admin or intermediate accounts.

phpVibe Multiple Vulnerabilities

phpVibe is prone to an information-disclosure vulnerability and multiple remote file-include vulnerabilities. An attacker can exploit these issues to obtain potentially sensitive information or execute malicious PHP code in the context of the web server process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
