MidnightBSD

Advisories for softbiz

CVE-2005-3817 HIGH

Multiple SQL injection vulnerabilities in Softbiz Web Host Directory Script 1.1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) cid parameter in search_result.php, (2) sbres_id parameter in review.php, (3) cid parameter in browsecats.php, (4) h_id parameter in email.php, and (5) an unspecified parameter to the search module.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
softbiz web_hosting_directory_script *
CVE-2005-3937 HIGH

SQL injection vulnerability in Softbiz B2B Trading Marketplace Script 1.1 and earler allows remote attackers to execute arbitrary SQL commands via the cid parameter in (1) selloffers.php, (2) buyoffers.php, (3) products.php, or (4) profiles.php.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
softbiz b2b_trading_marketplace_script *
CVE-2005-3938 HIGH

SQL injection vulnerability in Softbiz FAQ Script 1.1 and earler allows remote attackers to execute arbitrary SQL commands via the id parameter in (1) index.php, (2) faq_qanda.php, (3) refer_friend.php, (4) print_article.php, or (5) add_comment.php.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
softbiz faq *
softbizscripts faq_script *
CVE-2006-3607 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Banner Exchange Script (aka Banner Exchange Network Script) 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the city parameter in (a) insertmember.php, and (2) a PHPSESSID cookie in (b) lostpassword.php, (c) gen_confirm_mem.php, and (d) index.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
softbiz banner_exchange 1.0
CVE-2007-5449 HIGH

SQL injection vulnerability in searchresult.php in Softbiz Recipes Portal Script allows remote attackers to execute arbitrary SQL commands via the sbcat_id parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
softbiz recipes_portal_script *
CVE-2007-6124 MEDIUM

Cross-site scripting (XSS) vulnerability in signin.php in Softbiz Freelancers Script 1 allows remote attackers to inject arbitrary web script or HTML via the errmsg parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
softbiz freelancers_script 1.0
CVE-2007-6125 HIGH

SQL injection vulnerability in search_form.php in Softbiz Freelancers Script 1 allows remote attackers to execute arbitrary SQL commands via the sb_protype parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
softbiz freelancers_script 1.0
CVE-2008-1050 HIGH

SQL injection vulnerability in index.php in Softbiz Jokes & Funny Pics Script allows remote attackers to execute arbitrary SQL commands via the sbcat_id parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
softbiz jokes_and_funny_pictures_script *
CVE-2008-2087 MEDIUM

SQL injection vulnerability in search_result.php in Softbiz Web Host Directory Script, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the host_id parameter, a different vector than CVE-2005-3817.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
softbiz web_hosting_directory_script *
CVE-2008-3511 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Softbiz Image Gallery (Photo Gallery) allow remote attackers to inject arbitrary web script or HTML via the (1) latest parameter to (a) index.php, (b) images.php, (c) suggest_image.php, and (d) image_desc.php; and the (2) msg parameter to index.php, images.php, and suggest_image.php, and (e) index.php, (f) adminhome.php, (g) config.php, (h) changepassword.php, (i) cleanup.php, (j) browsecats.php, and (k) images.php in admin/. NOTE: the image_desc.php/msg vector is covered by CVE-2006-1660. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
softbiz image_gallery *
CVE-2009-2790 HIGH

SQL injection vulnerability in cat_products.php in SoftBiz Dating Script allows remote attackers to execute arbitrary SQL commands via the cid parameter. NOTE: this might overlap CVE-2006-3271.4.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
softbiz dating_script *