This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor 2500mhz
Product Worksimple
Version 1.2.1
Type Application
First view 2008-12-30
Last view 2008-12-30
Update *  
Edition *  
Language *  
Software Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:2500mhz:worksimple

Activity : Overall

Related : CVE

Score Date Alert Description
5 2008-12-30 CVE-2008-5765

WorkSimple 1.2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing usernames and passwords via a direct request for data/usr.txt.

9.3 2008-12-30 CVE-2008-5764

PHP remote file inclusion vulnerability in calendar.php in WorkSimple 1.2.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the lang parameter.

CWE : Common Weakness Enumeration

% id Name
50% (1) CWE-264 Permissions, Privileges, and Access Controls
50% (1) CWE-94 Failure to Control Generation of Code ('Code Injection')

CAPEC : Common Attack Pattern Enumeration & Classification

id Name
CAPEC-13 Subverting Environment Variable Values
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-72 URL Encoding
CAPEC-76 Manipulating Input to File System Calls
CAPEC-78 Using Escaped Slashes in Alternate Encoding
CAPEC-79 Using Slashes in Alternate Encoding
CAPEC-80 Using UTF-8 Encoding to Bypass Validation Logic

Open Source Vulnerability Database (OSVDB)

id Description
50726 WorkSimple calendar.php lang Parameter Remote File Inclusion
50725 WorkSimple data/usr.txt Direct Request Credentials Disclosure