CVE’s

PHP remote file inclusion vulnerability in include/plugins/jrBrowser/payment.php in Jamroom 3.3.0 through 3.3.5 allows remote attackers to execute arbitrary PHP code via a URL in the jamroom[jm_dir] parameter. NOTE: some of these details are obtained from third party information.

upgrade.asp in sHibby sHop 2.2 and earlier does not require administrative authentication, which allows remote attackers to update a file or have unspecified other impact via a direct request.

Relative Real Estate Systems 3.0 and earlier stores passwords in cleartext in a MySQL database, which allows context-dependent attackers to obtain sensitive information.

Heap-based buffer overflow in the IBM AFP Viewer Plug-in 2.0.7.1 and 3.2.1.1 allows remote attackers to execute arbitrary code via a long SRC property value. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Benja CMS 0.1 does not require authentication for access to admin/, which allows remote attackers to add or delete a menu.

Open redirect vulnerability in rss_getfile.php in Academic Web Tools (AWT YEKTA) 1.4.3.1, and 1.4.2.8 and earlier, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the file parameter.

PHP remote file inclusion vulnerability in admin/include/lib.module.php in cmsWorks 2.2 RC4, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mod_root parameter.

Directory traversal vulnerability in index.php in mUnky 0.0.1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the zone parameter.

SQL injection vulnerability in index.php in Webdevindo-CMS 1.0.0 allows remote attackers to execute arbitrary SQL commands via the hal parameter.

SQL injection vulnerability in index.php in Softbiz Jokes & Funny Pics Script allows remote attackers to execute arbitrary SQL commands via the sbjoke_id parameter, a different vector than CVE-2008-1050.