AJ Square AJ Auction: high-risk vulnerabilities
DATE | CVE | VULNERABILITY | RISK (CVSS) |
---|---|---|---|
2009-08-13 | CVE-2008-6966 | Permissions, Privileges, and Access Controls: AJ Auction Pro Platinum Skin #1 (AJ Auction 1.0) sends a redirect but does not exit when admin/user.php is called directly, which allows remote attackers to bypass authentication via a direct request to admin/user.php. | 7.5 |
2009-08-13 | CVE-2008-6965 | Improper Authentication: AJ Auction OOPD, Pro Platinum Skin #1, Pro Platinum Skin #2, and Web 2.0 (AJ Auction 1.0/2.0/Web2.0) send a redirect but do not exit when certain admin scripts are called directly, which allows remote attackers to bypass authentication via a direct request to (1) site.php, (2) auction.php, (3) mail.php, (4) fee_setting.php, (5) earnings.php, (6) insertion_fee_settings.php, (7) custom_category.php, (8) subcategory.php, (9) category.php, (10) report.php, (11) store_manager.php, or (12) choose_sell_format.php in admin/, and possibly other vectors. | 7.5 |
2009-03-06 | CVE-2008-6414 | SQL Injection: detail.php in AJ Auction Pro Platinum Skin 2 (AJ Auction 2.0) allows remote attackers to execute arbitrary SQL commands via the item_id parameter. | 7.5 |
2009-01-28 | CVE-2008-6003 | SQL Injection: sellers_othersitem.php in AJ Auction Pro Platinum 2 (AJ Auction 2.0) allows remote attackers to execute arbitrary SQL commands via the seller_id parameter. | 7.5 |
2008-11-24 | CVE-2008-5212 | SQL Injection: classifide_ad.php in AJ Auction 6.2.1 and earlier (listed under AJ Auction 1.0/Web2.0) allows remote attackers to execute arbitrary SQL commands via the item_id parameter. | 7.5 |
2008-06-25 | CVE-2008-2860 | SQL Injection: category.php in AJ Auction Pro Web 2.0 allows remote attackers to execute arbitrary SQL commands via the cate_id parameter. | 7.5 |
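The two authentication-bypass entries (CVE-2008-6966 and CVE-2008-6965) share one root cause: the admin script emits a `Location:` header when no admin session exists but never calls `exit`, so PHP keeps running and the protected page is written into the body of the 302 response. A browser follows the redirect and shows the login form; any client that does not follow redirects reads the admin page. The following is an added example, not AJ Square code: it models the buggy and fixed control flow in Python and provides the check a tester would run against each `admin/*.php` script. The script names, the `ADMIN_MARKER` sentinel and the session layout are assumptions for the demonstration.

```python
"""Added example: 'redirect but do not exit' authentication bypass.

Models a PHP admin script that sends a Location header when the session
is missing but keeps rendering (the bug), the fixed version that stops
immediately, and a checker that flags scripts whose redirect response
still carries the protected page. Not AJ Square code; the marker string
and session keys are constructed for this demonstration.
"""
from dataclasses import dataclass, field

# Constructed sentinel standing in for content only an admin should see.
ADMIN_MARKER = '<form action="user.php">'

REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def admin_page_vulnerable(session: dict) -> Response:
    """Mirrors header('Location: login.php') with no exit() after it."""
    resp = Response(200)
    if "admin" not in session:
        resp.status = 302
        resp.headers["Location"] = "login.php"
        # BUG: no return here, so the rest of the script still executes.
    # The admin content is rendered regardless of the check above.
    resp.body += "<html><body>" + ADMIN_MARKER + " ...user list... </body></html>"
    return resp


def admin_page_fixed(session: dict) -> Response:
    """Same check, but the script terminates right after the redirect."""
    if "admin" not in session:
        return Response(302, {"Location": "login.php"}, "")  # header(...); exit;
    return Response(200, {}, "<html><body>" + ADMIN_MARKER + " ...user list... </body></html>")


def leaks_protected_content(resp: Response, marker: str = ADMIN_MARKER) -> bool:
    """True when the script redirected but still emitted the protected page.

    This is what a tester sees by requesting the script without a session
    and without following redirects: a 3xx status whose body is not empty.
    """
    return resp.status in REDIRECT_CODES and marker in resp.body


def audit(scripts: dict) -> dict:
    """Request every script with an empty session; report which ones leak."""
    return {name: leaks_protected_content(fn({})) for name, fn in scripts.items()}


if __name__ == "__main__":
    report = audit({
        "admin/user.php (vulnerable)": admin_page_vulnerable,
        "admin/user.php (fixed)": admin_page_fixed,
    })
    for script, leaked in report.items():
        print(f"{script}: {'LEAKS admin page in 302 body' if leaked else 'ok'}")
```

Against a live target the same check is `curl -i` (no `-L`) or `requests.get(url, allow_redirects=False)` on each listed `admin/*.php` path: a 302 whose body contains admin markup is the finding. The fix is a `return`/`exit` immediately after every `header('Location: ...')`, which is what `admin_page_fixed` models.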
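The four SQL injection entries (detail.php, sellers_othersitem.php, classifide_ad.php, category.php) all take a numeric id from the query string and splice it into a `WHERE` clause. The following added example, not AJ Square code, reproduces that pattern against an in-memory SQLite database and shows what the `item_id`-style payloads return, beside a version that casts and parameterizes the value. The table layout, row data and the `users` table are constructed for the demonstration.

```python
"""Added example: id-parameter SQL injection and its parameterized fix.

Reproduces the "WHERE item_id=$_GET['item_id']" pattern behind the
detail.php / sellers_othersitem.php / classifide_ad.php / category.php
entries using SQLite, then shows the hardened query. Schema and rows are
constructed here and are not AJ Auction's.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (item_id INTEGER PRIMARY KEY, title TEXT, seller_id INTEGER);
        INSERT INTO items VALUES (1, 'Camera', 10), (2, 'Laptop', 11), (3, 'Watch', 12);
        CREATE TABLE users (user_id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2');
    """)
    return conn


def detail_vulnerable(conn: sqlite3.Connection, item_id: str) -> list:
    """Vulnerable: the raw parameter is concatenated into the statement."""
    sql = f"SELECT item_id, title, seller_id FROM items WHERE item_id={item_id}"
    return conn.execute(sql).fetchall()


def detail_fixed(conn: sqlite3.Connection, item_id: str) -> list:
    """Hardened: reject anything that is not an integer, then bind it."""
    try:
        iid = int(item_id)
    except ValueError:
        return []  # non-numeric id: treat as "no such item"
    sql = "SELECT item_id, title, seller_id FROM items WHERE item_id=?"
    return conn.execute(sql, (iid,)).fetchall()


# Payloads of the kind used against an integer id parameter (constructed).
PAYLOAD_ALL_ROWS = "0 OR 1=1"
PAYLOAD_UNION = "1 UNION SELECT user_id, username, password FROM users"


if __name__ == "__main__":
    db = make_db()
    print("normal:", detail_vulnerable(db, "2"))
    print("tautology:", detail_vulnerable(db, PAYLOAD_ALL_ROWS))      # every item
    print("union:", detail_vulnerable(db, PAYLOAD_UNION))             # leaks users row
    print("fixed, tautology:", detail_fixed(db, PAYLOAD_ALL_ROWS))    # []
    print("fixed, union:", detail_fixed(db, PAYLOAD_UNION))           # []
```

The tautology payload turns a single-item lookup into a full table dump, and the UNION payload pulls rows from an unrelated table through the same result set; neither needs stacked queries, so a driver that refuses multiple statements (as Python's sqlite3 does) is no defence. Casting the id to an integer before binding it closes both, and binding alone would suffice for non-numeric columns such as a free-text search parameter.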