[VIM] PluggedOut Product Vulnerabilities (fwd)

Steven M. Christey coley at linus.mitre.org
Sun Dec 11 02:47:58 EST 2005



---------- Forwarded message ----------
Date: Sun, 11 Dec 2005 02:28:30 -0500 (EST)
From: Steven M. Christey <coley at mitre.org>
To: jonbeckett at pluggedout.com
Cc: coley at mitre.org
Subject: PluggedOut Product Vulnerabilities


Hello,

I am a computer security professional and the editor for the Common
Vulnerabilities and Exposures (CVE) project.  CVE is a list of
software vulnerabilities, and it is widely used in the computer
security industry.  It is sponsored by the US Department of Homeland
Security.

Recently, some vulnerabilities in PluggedOut products were reported to
public sources.  References and descriptions are included below.

Are these vulnerability reports accurate?  If so, then is the problem
fixed, and in which versions?


Thank you,
Steve Christey
Principal Information Security Engineer
CVE Editor
The MITRE Corporation



======================================================
Name: CVE-2005-4054
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4054
Reference: MISC:http://pridels.blogspot.com/2005/12/pluggedout-blog-sql-vuln.html
Reference: BID:15746
Reference: URL:http://www.securityfocus.com/bid/15746
Reference: FRSIRT:ADV-2005-2750
Reference: URL:http://www.frsirt.com/english/advisories/2005/2750
Reference: OSVDB:21480
Reference: URL:http://www.osvdb.org/21480
Reference: SECUNIA:17911
Reference: URL:http://secunia.com/advisories/17911

SQL injection vulnerability in index.php in PluggedOut Blog 1.9.5 and
earlier allows remote attackers to execute arbitrary SQL commands via
the (1) categoryid, (2) entryid, (3) year, (4) month, and (5) day
parameters.


======================================================
Name: CVE-2005-4056
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4056
Reference: MISC:http://pridels.blogspot.com/2005/12/pluggedout-nexus-sqlxss-vuln_06.html
Reference: FRSIRT:ADV-2005-2751
Reference: URL:http://www.frsirt.com/english/advisories/2005/2751

SQL injection vulnerability in search.php in PluggedOut Nexus 0.1
allows remote attackers to execute arbitrary SQL commands via the (1)
Location, (2) Last Name, and (3) First Name parameters.


======================================================
Name: CVE-2005-4057
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4057
Reference: MISC:http://pridels.blogspot.com/2005/12/pluggedout-nexus-sqlxss-vuln_06.html
Reference: FRSIRT:ADV-2005-2751
Reference: URL:http://www.frsirt.com/english/advisories/2005/2751

Cross-site scripting (XSS) vulnerability in search.php in PluggedOut
Nexus 0.1 allows remote attackers to inject arbitrary web script or
HTML via the (1) Location, (2) Last Name, and (3) First Name
parameters.



