CVE

Id
24006  
CVE No.
CVE-2007-0649  
Status
Candidate  
Description
Variable overwrite vulnerability in interface/globals.php in OpenEMR 2.8.2 and earlier allows remote attackers to overwrite arbitrary program variables and conduct other unauthorized activities, such as conduct (a) remote file inclusion attacks via the srcdir parameter in custom/import_xml.php or (b) cross-site scripting (XSS) attacks via the rootdir parameter in interface/login/login_frame.php, via vectors associated with extract operations on the (1) POST and (2) GET superglobal arrays. NOTE: this issue was originally disputed before the extract behavior was identified in post-disclosure analysis. Also, the original report identified "Open Conference Systems," but this was an error.  
Phase
Assigned (20070131)  
Votes
None (candidate not yet proposed)  
Comments
 

Actions

Related CVE References

Id CVE Id CVE No. Reference Actions
233958 24006 CVE-2007-0649 BUGTRAQ:20070127 Open Conference Systems = 2.8.2 Remote File Inclusion  View
233959 24006 CVE-2007-0649 URL:http://www.securityfocus.com/archive/1/archive/1/458306/100/0/threaded  View
233960 24006 CVE-2007-0649 BUGTRAQ:20070127 Re: Open Conference Systems = 2.8.2 Remote File Inclusion  View
233961 24006 CVE-2007-0649 URL:http://www.securityfocus.com/archive/1/archive/1/458426/100/0/threaded  View
233962 24006 CVE-2007-0649 BUGTRAQ:20070128 Re: Open Conference Systems = 2.8.2 Remote File Inclusion  View
233963 24006 CVE-2007-0649 URL:http://www.securityfocus.com/archive/1/archive/1/458486/100/0/threaded  View
233964 24006 CVE-2007-0649 BUGTRAQ:20070129 Fake: Open Conference Systems = 2.8.2 Remote File Inclusion  View
233965 24006 CVE-2007-0649 URL:http://www.securityfocus.com/archive/1/archive/1/458456/100/0/threaded  View
233966 24006 CVE-2007-0649 BUGTRAQ:20070129 Re: Fake: Open Conference Systems = 2.8.2 Remote File Inclusion  View
233967 24006 CVE-2007-0649 URL:http://www.securityfocus.com/archive/1/archive/1/458476/100/0/threaded  View
233968 24006 CVE-2007-0649 BUGTRAQ:20070130 Re: Fake: Open Conference Systems = 2.8.2 Remote File Inclusion  View
233969 24006 CVE-2007-0649 URL:http://www.securityfocus.com/archive/1/archive/1/458565/100/0/threaded  View
233970 24006 CVE-2007-0649 VIM:20070129 [still bogus] V [mike at carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion] (fwd)  View
233971 24006 CVE-2007-0649 URL:http://attrition.org/pipermail/vim/2007-January/001254.html  View
233972 24006 CVE-2007-0649 VIM:20070131 VERIFY of RFI and XSS in OpenEMR 2.8.2 (was [still bogus] V [mike at carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion])  View
233973 24006 CVE-2007-0649 URL:http://attrition.org/pipermail/vim/2007-January/001258.html  View
233974 24006 CVE-2007-0649 BID:22346  View
233975 24006 CVE-2007-0649 URL:http://www.securityfocus.com/bid/22346  View
233976 24006 CVE-2007-0649 BID:22348  View
233977 24006 CVE-2007-0649 URL:http://www.securityfocus.com/bid/22348  View
233978 24006 CVE-2007-0649 OSVDB:33609  View
233979 24006 CVE-2007-0649 URL:http://osvdb.org/33609  View
233980 24006 CVE-2007-0649 OSVDB:33603  View
233981 24006 CVE-2007-0649 URL:http://osvdb.org/33603  View
233982 24006 CVE-2007-0649 SREASON:2202  View

Related JVN

Id JVN No. Title Summary CVE No. CVE Id CVSS_v2 CVSS_v3 JVN URL Actions
54614 JVNDB-2007-003306 MailEnable Professional におけるクロスサイトスクリプティングの脆弱性 MailEnable Professional には、クロスサイトスクリプティングの脆弱性が存在します。 CVE-2007-0651 24006 4.3 http://jvndb.jvn.jp/ja/contents/2007/JVNDB-2007-003306.html  View