RSS   Vulnerabilities for 'Employee timeclock software'   RSS

2010-02-25
 
CVE-2010-0707

CWE-352
 

 
Cross-site request forgery (CSRF) vulnerability in add_user.php in Employee Timeclock Software 0.99 allows remote attackers to hijack the authentication of an administrator for requests that create new administrative users. NOTE: some of these details are obtained from third party information.

 
2010-03-15
 
CVE-2010-0124

CWE-255
 

 
Employee Timeclock Software 0.99 places the database password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.

 
 
CVE-2010-0123

CWE-264
 

 
The database backup implementation in Employee Timeclock Software 0.99 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for a "semi-predictable file name."

 
 
CVE-2010-0122

CWE-89
 

 
Multiple SQL injection vulnerabilities in Employee Timeclock Software 0.99 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter to (a) auth.php or (b) login_action.php.

 


Copyright 2024, cxsecurity.com

 

Back to Top