payment software vulnerabilities
vulnerabilities.aspcode.net
Searching payment software vulnerabilities
Infonautics getdoc.cgi allows remote attackers to bypass the payment phase for accessing documents via a modified form variable.
Webseries Payment Application does not properly restrict privileged operations, which allows remote authenticated users to gain privileges by directly accessing certain URLs.
Bottomline Webseries Payment Application allows remote attackers to read arbitrary files on the network via a report template with modified ReportPath or ReportName values.
The change password functionality in Bottomline Webseries Payment Application does not require the old password when users enter a new password, which could allow remote authenticated users to change other users' passwords.
Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft EPay Pro 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) payment or (2) send parameter.
PHP remote file inclusion vulnerability in payment_paypal.php in AlstraSoft Template Seller Pro 3.25 allows remote attackers to execute arbitrary PHP code via the config[basepath] parameter.
Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php.
Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50 and possibly earlier has (1) world-readable permissions for ipn/logs/ipn_success.txt, which allows local users to view sensitive information (payment data), and (2) world-writable permissions for ipn/logs, which allows local users to delete or replace payment data.
** DISPUTED ** Kwik-Pay Payroll 4.2.20, and possibly other versions, stores the KwikPay.mdb database file with insecure permissions, which allows local users to obtain sensitive information such as employment and payment data. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this vulnerability, stating that "The kwikpay.mdb file supplied with kwikpay is a template for the database structure of user databases created by kwikpay and to store a demonstration payroll. It does not contain any sensitive user information. When a user payroll database is opened, the encryption of the database is checked and if the database is not encrypted, the user is prompted to encrypt the database, but the choice is the customers."
Multiple cross-site scripting (XSS) vulnerabilities in Leadhound Full and LITE 2.1, and probably the Network Version "Full Version", allow remote attackers to inject arbitrary web script or HTML via the login parameter in (1) agent_affil.pl, (2) agent_help.pl, (3) agent_faq.pl, (4) agent_help_insert.pl, (5) sign_out.pl, (6) members.pl, (7) modify_agent_1.pl, (8) modify_agent_2.pl, (9) modify_agent.pl, (10) agent_links.pl, (11) agent_stats_pending_leads.pl, (12) agent_logoff.pl, (13) agent_rev_det.pl, (14) agent_subaffiliates.pl, (15) agent_stats_pending_leads.pl, (16) agent_transactions.pl, (17) agent_payment_history.pl, (18) agent_summary.pl, (19) agent_camp_all.pl, (20) agent_camp_new.pl, (21) agent_camp_notsub.pl, (22) agent_campaign.pl, (23) agent_camp_expired.pl, (24) agent_stats_det.pl, (25) agent_stats.pl, (26) agent_camp_det.pl, (27) agent_camp_sub.pl, (28) agent_affil_list.pl, and (29) agent_affil_code.pl; the logged parameter in (30) agent_faq.pl, (31) agent_help_insert.pl, (32) members.pl, (33) modify_agent_1.pl, (34) modify_agent_2.pl, (35) modify_agent.pl, (36) agent_links.pl, (37) agent_subaffiliates.pl, (38) agent_stats_pending_leads.pl, (39) agent_transactions.pl, (40) agent_summary.pl, (41) agent_camp_all.pl, (42) agent_camp_new.pl, (43) agent_camp_notsub.pl, (44) agent_campaign.pl, (45) agent_camp_expired.pl, (46) agent_stats.pl, (47) agent_camp_det.pl, (48) agent_camp_sub.pl, (49) agent_affil_list.pl, and (50) agent_affil_code.pl; the camp_id parameter in (51) agent_links.pl, (52) agent_subaffiliates.pl, and (53) agent_camp_det.pl; the (54) banner parameter in agent_links.pl; the offset parameter in (55) agent_links.pl, (56) agent_subaffiliates.pl, (57) agent_transactions.pl, and (58) agent_summary.pl; the date parameter in (59) agent_subaffiliates.pl, (60) agent_transactions.pl, and (61) agent_summary.pl; the dates parameter in (62) agent_rev_det.pl and (63) agent_stats_det.pl; the (64) page parameter in agent_camp_det.pl; the (65) agent_id parameter in agent_commission_statement.pl; and the (66) lost password field in lost_pwd.pl.
Cross-site scripting (XSS) vulnerability in index.php in OnlyScript.info Online Universal Payment System Script allows remote attackers to inject arbitrary web script or HTML via the read parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Also, this issue might be resultant from directory traversal.
Directory traversal vulnerability in index.php in OnlyScript.info Online Universal Payment System Script allows remote attackers to read arbitrary files via directory traversal sequences in the read parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Multiple PHP remote file inclusion vulnerabilities in Turnkey Web Tools SunShop Shopping Cart 4.0 allow remote attackers to execute arbitrary PHP code via a URL in the abs_path parameter to (1) include/payment/payflow_pro.php, (2) global.php, or (3) libsecure.php, different vectors than CVE-2007-2070.
Unspecified vulnerability in the subscriptions manager in Invision Power Board (IPB or IP.Board) 2.3.1 before Wednesday, September 12, 2007 allows remote authenticated users to change the member ID and reduce the privilege level of arbitrary users via a crafted payment form, related to (1) class_gw_2checkout.php, (2) class_gw_authorizenet.php, (3) class_gw_nochex.php, (4) class_gw_paypal.php, and (5) class_gw_safshop.php in sources/classes/paymentgateways/.
The ewirePC_Decrypt function in ewirepcfunctions.php in eWire Payment Client (ePC) 1.60 and 1.70 allows remote attackers to execute arbitrary commands via shell metacharacters in the paymentinfo parameter to simplePHPLinux/3payment_receive.php.
Software vulnerabilities results 1 to 16 of 16