| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| AlstraSoft Template Seller Pro 3.25 and earlier sends a redirect to the web browser but does not exit when administrative credentials are missing, which allows remote attackers to inject a credential variable setting and obtain administrative access via a direct request to admin/changeinfo.php. |
| SQL injection vulnerability in paypal.php in AlstraSoft E-Friends 4.21 and earlier allows remote attackers to execute arbitrary SQL commands via the pack parameter in a paypal action for index.php. |
| Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft Text Ads Enterprise allow remote attackers to inject arbitrary web script or HTML via the (1) r parameter to (a) forgot_uid.php, the (2) query or (3) sk parameter to (b) search_results.php, or (4) the pageId parameter to (c) website_page.php. |
| Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft AskMe Pro allow remote attackers to inject arbitrary web script or HTML via (1) the cat_id parameter to search.php or the (2) typ parameter to register.php. |
| SQL injection vulnerability in msg.php in AlstraSoft Video Share Enterprise allows remote authenticated users to execute arbitrary SQL commands via the id parameter. |
| Unrestricted file upload vulnerability in admin/addsptemplate.php in AlstraSoft Template Seller Pro 3.25 and earlier allows remote attackers to execute arbitrary PHP code via an arbitrary .php filename in the zip parameter, which is created under sptemplates/. |
| AlstraSoft Web Host Directory stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a backup database via a direct request for admin/backup/db. |
| AlstraSoft Web Host Directory allows remote attackers to obtain sensitive information by requesting any invalid URI, which reveals the path in an error message, a different vulnerability than CVE-2006-2617. |
| AlstraSoft Web Host Directory allows remote attackers to bypass authentication and change the admin password via a direct request to admin/config. |
| Cross-site scripting (XSS) vulnerability in index.php AlstraSoft E-Friends allows remote attackers to inject arbitrary web script or HTML via the p_id parameter in a people_card action. NOTE: this might overlap CVE-2006-2564. |
| AlstraSoft Video Share Enterprise allows remote attackers to obtain sensitive information (the full path) via (1) a ' (quote) character in the category parameter to view_video.php, or (2) an XSS sequence in the UID parameter to (a) uprofile.php, (b) channel_detail.php, (c) uvideos.php, (d) groups_home.php, or (e) ufriends.php. |
| AlstraSoft Forum Pay Per Post Exchange 2.0 stores passwords in cleartext, which makes it easier for attackers to access user accounts. |
| SQL injection vulnerability in index.php in AlstraSoft Forum Pay Per Post Exchange allows remote attackers to execute arbitrary SQL commands via the cat parameter in a showcat action. |
| Directory traversal vulnerability in index.php in Alstrasoft Epay Pro 2.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the read parameter. |
| PHP remote file inclusion vulnerability in index.php in AlstraSoft E-Friends 4.0 allows remote attackers to execute arbitrary PHP code via the mode parameter. |
| Multiple SQL injection vulnerabilities in AlstraSoft Affiliate Network Pro 7.2 allow remote attackers to bypass authentication and execute arbitrary SQL commands via the (1) username or (2) password to admin/admin_validate_login, or the (3) login, (4) password, and (5) flag parameters to login_validate.php. |
| SQL injection vulnerability in admin/index.php in AlstraSoft Template Seller Pro 3.25 allows remote attackers to execute arbitrary SQL commands via the username field. |
| SQL injection vulnerability in index.php in AlstraSoft EPay Pro 2.0 allows remote attackers to execute arbitrary SQL commands via the pmodule parameter. |
| Alstrasoft Article Manager Pro 1.6 allows remote attackers to obtain sensitive information via (1) a quote character or possibly an invalid value in the action parameter in a request to mrarticles.php or (2) a login QUERY_STRING to admin.php without any additional parameters, which reveal the path in various error messages. |
| SQL injection vulnerability in Alstrasoft Article Manager Pro 1.6 allows remote attackers to execute arbitrary SQL commands via (1) the author_id parameter in profile.php and (2) the aut_id parameter in userarticles.php. NOTE: the aut_id vector can produce resultant path disclosure if the SQL manipulation is invalid. |
