MidnightBSD

Advisories for positive_software

CVE-2003-1247 HIGH

Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attackers to execute arbitrary code via (1) a long URL content type in CGI::readFile, (2) a long path in diskusage, and (3) a long fname in flist.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
positive_software h-sphere 2.3_rc3

CVE-2003-1248 HIGH

H-Sphere WebShell 2.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) mode and (2) zipfile parameters in a URL request.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
positive_software h-sphere 2.3_rc3

CVE-2005-1605 MEDIUM

Cross-site scripting (XSS) vulnerability in the guestbook for SiteStudio 1.6 allows remote attackers to inject arbitrary web script or HTML via the name field to (1) psoft.guestbook.GuestBookServ in Standalone Site Studio or (2) E-Guest_sign.pl in Integrated Site Studio with H-Sphere.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
positive_software sitestudio 1.6_patch_1
positive_software sitestudio 1.6_final

CVE-2005-1606 MEDIUM

H-Sphere Winbox 2.4.2 and 2.4.3 RC1 stores sensitive information such as username and password in plaintext in world-readable log files, which allows local users to gain privileges.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
positive_software h-sphere_winbox 2.4.2_patch_4
positive_software h-sphere_winbox 2.4.3_rc1

CVE-2005-4261 HIGH

Unspecified vulnerability in Positive Software Corporation CP+ (cpplus) before 2.5.5 allows attackers to have unknown impact and attack vectors, related to "a possible security flaw caused by a bug in Perl." NOTE: unless CP+ includes its own copy of Perl with CVE-2005-3962, this is a different vulnerability than CVE-2005-3962; however, there is insufficient information to be sure.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
positive_software cp+ 2.5.2
positive_software cp+ 2.5.1
positive_software cp+ 2.5.3
positive_software cp+ 2.5.4
positive_software cp+ 2.5.5
positive_software cp+ 2.5

CVE-2006-0193 MEDIUM

Cross-site scripting (XSS) vulnerability in the Hosting Control Panel (psoft.hsphere.CP) in Positive Software H-Sphere 2.4.3 Patch 8 and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter in a login action.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
positive_software h-sphere 2.4.2_patch_5
positive_software h-sphere 2.4.3_patch_3
positive_software h-sphere 2.4.1_patch_7
positive_software h-sphere 2.4.1_patch_1
positive_software h-sphere 2.4.2_patch_4
positive_software h-sphere 2.4.3_patch_4
positive_software h-sphere 2.4.2_patch_2
positive_software h-sphere 2.4.2_rc2
positive_software h-sphere 2.4.3_patch_2
positive_software h-sphere 2.4.3_patch_5
positive_software h-sphere 2.4.3_patch_1
positive_software h-sphere 2.4.1_patch_4
positive_software h-sphere 2.4.2_patch_3
positive_software h-sphere 2.4.2_beta_1
positive_software h-sphere 2.4.2_beta_3
positive_software h-sphere 2.4.2_patch_1
positive_software h-sphere 2.4.3_patch_8
positive_software h-sphere 2.4.3_beta_1
positive_software h-sphere 2.4.2_rc1
positive_software h-sphere 2.4.2_beta_2
positive_software h-sphere 2.4.1_patch_6
positive_software h-sphere 2.4.3_rc2
positive_software h-sphere 2.4.3_patch_6
positive_software h-sphere 2.4.1_patch_3
positive_software h-sphere 2.4.3_rc1
positive_software h-sphere 2.4.2
positive_software h-sphere 2.4.1
positive_software h-sphere 2.4.1_patch_5
positive_software h-sphere 2.4.3_patch_7
positive_software h-sphere 2.4.3
positive_software h-sphere 2.4.3_beta_2
positive_software h-sphere 2.4.1_patch_2

CVE-2006-3278 LOW

Cross-site scripting (XSS) vulnerability in H-Sphere 2.5.1 Beta 1 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) next_template, (2) start, (3) curr_menu_id, and (4) arid parameters in psoft/servlet/resadmin/psoft.hsphere.CP when using the mailman/massmail.html template_name.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
positive_software h-sphere 2.5_rc_3
positive_software h-sphere 2.5_patch_2
positive_software h-sphere 2.5
positive_software h-sphere *
positive_software h-sphere 2.5_patch_1