Hosting Controller Vulnerabilities

DATE | CVE | VULNERABILITY TITLE | RISK

2007-12-20 | CVE-2007-6504 | Permissions, Privileges, and Access Controls vulnerability in Hosting Controller Hosting Controller | 5.5
Unspecified vulnerability in IIS/iibind.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the headers of arbitrary hosts via an unspecified parameter.
network, low complexity, hosting-controller CWE-264

2007-12-20 | CVE-2007-6503 | Permissions, Privileges, and Access Controls vulnerability in Hosting Controller Hosting Controller | 5.5
Multiple unspecified vulnerabilities in Hosting Controller 6.1 Hot fix 3.3 and earlier allow remote authenticated users to (1) import an arbitrary plan via a request to hosting/importhostingplans.asp; or (2) change an arbitrary plan via a request to hosting/AutoSignUpPlans.asp with the (a) save, (b) 30, and (c) d_30 parameters.
network, low complexity, hosting-controller CWE-264

2007-12-20 | CVE-2007-6502 | Information Exposure vulnerability in Hosting Controller Hosting Controller | 5.5
Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to obtain sensitive information via (1) the AdminName and AdminLevel parameters to fp2000/NEWSRVR.asp, which discloses usernames; and (2) certain XML HTTP requests to hosting/css.asp using Microsoft.XMLHTTP or MSXML2.XMLHTTP objects, which trigger a response with the setup directory pathname in the HTML source; and (3) might allow remote attackers to obtain sensitive information via a request for /admin/forum/, which reveals the path in an error message when a forum is not found.
network, low complexity, hosting-controller CWE-200

2007-12-20 | CVE-2007-6501 | Permissions, Privileges, and Access Controls vulnerability in Hosting Controller Hosting Controller | 5.5
Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to enable or disable "pay type" via a request to adminsettings/choosetranstype.asp.
network, low complexity, hosting-controller CWE-264

2007-12-20 | CVE-2007-6500 | Permissions, Privileges, and Access Controls vulnerability in Hosting Controller Hosting Controller | 4.9
Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to delete "gateway information" via a request to OpenApi/GatewayVariables.asp.

2007-12-20 | CVE-2007-6499 | Permissions, Privileges, and Access Controls vulnerability in Hosting Controller Hosting Controller | 5.5
Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to uninstall the FrontPage extensions of an arbitrary account via a request to fp2002/UNINSTAL.asp with a "host id (IIS) value."
network, low complexity, hosting-controller CWE-264

2007-12-20 | CVE-2007-6498 | SQL Injection vulnerability in Hosting Controller Hosting Controller 6.1Hotfix3.3 | 7.5
Multiple SQL injection vulnerabilities in Hosting Controller 6.1 Hot fix 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) email and (2) loginname parameters to Hosting/Addreseller.asp, (3) the sortfield parameter to accounts/accountmanager.asp, (4) the GateWayID parameter to OpenApi/GatewayVariables.asp, and possibly (5) unspecified vectors to IIS/iibind.asp.
network, low complexity, hosting-controller CWE-89

2007-12-20 | CVE-2007-6497 | Permissions, Privileges, and Access Controls vulnerability in Hosting Controller Hosting Controller | 7.5
Hosting Controller 6.1 Hot fix 3.3 and earlier (1) allows remote attackers to change arbitrary user profiles via a request to Hosting/Addreseller.asp with modified loginname and email parameters; and (2) allows remote authenticated users to change a credit amount and increase a discount via an UpdateUser action to Accounts/AccountActions.asp with modified UserName, FullName, CreditLimit, and DefaultDiscount parameters, a related issue to CVE-2005-2219.
network, low complexity, hosting-controller CWE-264

2007-12-20 | CVE-2007-6496 | Permissions, Privileges, and Access Controls vulnerability in Hosting Controller Hosting Controller 6.1Hotfix3.3 | 6.8
Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote attackers to register arbitrary users via a request to hosting/addsubsite.asp with the loginname and password parameters set, when preceded by certain requests to hosting/default.asp and hosting/selectdomain.asp, a related issue to CVE-2005-1654.

2007-12-20 | CVE-2007-6495 | Permissions, Privileges, and Access Controls vulnerability in Hosting Controller Hosting Controller 6.1Hotfix3.3 | 6.5
inc_newuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the permissions of directories named (1) db, (2) www, (3) Special, and (4) log at arbitrary locations under the web root via a modified Dirroot parameter in an AddUser action to accounts/AccountActions.asp.
network, low complexity, hosting-controller CWE-264