CVE
Vendors
Products
Updated
CVSS v2
CVSS v3
Collabtive 0.4.8 allows remote attackers to bypass authentication and create new users, including administrators, via unspecified vectors associated with the added mode in a users action to admin.php.
Cross-site scripting (XSS) vulnerability in manageproject.php in Collabtive 0.4.8 allows user-assisted remote attackers to inject arbitrary web script or HTML via the project Name, which is not properly handled when the administrator performs an editform action, related to admin.php.
Multiple cross-site scripting (XSS) vulnerabilities in Interchange 5.7 before 5.7.1, 5.6 before 5.6.1, and 5.4 before 5.4.3 allow remote attackers to inject arbitrary web script or HTML via (1) the mv_order_item CGI variable parameter in Core, (2) the country-select widget, or (3) possibly the value specifier when used in the UserTag feature.
Products: Auto_classifieds, Business_directory_software, Dating_software, Realtor_classifieds_system, Recipes_listing_portal, Scripts_directory; Updated: 2017-09-29; CVSS v2: N/A; CVSS v3: N/A
Unrestricted file upload vulnerability in ScriptsFeed Auto Classifieds allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a profile logo, then accessing it via a direct request to the file in cars_images/.
Products: Auto_classifieds, Business_directory_software, Dating_software, Realtor_classifieds_system, Recipes_listing_portal, Scripts_directory; Updated: 2017-09-29; CVSS v2: N/A; CVSS v3: N/A
Unrestricted file upload vulnerability in ScriptsFeed Recipes Listing Portal allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a recipe photo, then accessing it via a direct request to the file in pictures/.
Products: Auto_classifieds, Business_directory_software, Dating_software, Realtor_classifieds_system, Recipes_listing_portal, Scripts_directory; Updated: 2017-09-29; CVSS v2: N/A; CVSS v3: N/A
Unrestricted file upload vulnerability in ScriptsFeed Realtor Classifieds System (aka Real Estate Classifieds) allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension as a profile logo, then accessing it via a direct request to the file in re_images/.
Products: Business_survey_pro, Entertainment_portal, Local_classifieds, Text_link_sales, Web_hosting_directory, Yahoo-answers-clone; Updated: 2017-09-29; CVSS v2: N/A; CVSS v3: N/A
SQL injection vulnerability in the login functionality in TurnkeyForms Web Hosting Directory allows remote attackers to execute arbitrary SQL commands via the password field.
Products: Business_survey_pro, Entertainment_portal, Local_classifieds, Text_link_sales, Web_hosting_directory, Yahoo-answers-clone; Updated: 2017-09-29; CVSS v2: N/A; CVSS v3: N/A
TurnkeyForms Web Hosting Directory stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain a database backup via a direct request to admin/backup/db.
Products: Business_survey_pro, Entertainment_portal, Local_classifieds, Text_link_sales, Web_hosting_directory, Yahoo-answers-clone; Updated: 2017-09-29; CVSS v2: N/A; CVSS v3: N/A
TurnkeyForms Web Hosting Directory allows remote attackers to bypass authentication and (1) gain administrative privileges by setting the adm cookie to 1 or (2) gain privileges as another user by setting the logged cookie to the target username.
Pi3Web 2.0.3 before PL2, when installed on Windows as a desktop application and without using the Pi3Web/Conf/Intenet.pi3, allows remote attackers to cause a denial of service (crash or hang) and obtain the full pathname of the server via a request to a file in the ISAPI directory that is not an executable DLL, which triggers the crash when the DLL load fails, as demonstrated using Isapiusers.txt.