DTC
by Gplhost
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2011-5276 | 0.00 | — | 0.01 | Mar 21, 2014 | SQL injection vulnerability in the drawAdminTools_PackageInstaller function in shared/inc/forms/packager.php in Domain Technologie Control (DTC) before 0.32.11 allows remote authenticated users to execute arbitrary SQL commands via the database_name parameter. | |||
| CVE-2011-5275 | 0.00 | — | 0.01 | Mar 21, 2014 | The install script in Domain Technologie Control (DTC) before 0.34.1 gives sudo permissions for chrootuid to the dtc user, which makes it easier for context-dependent users to gain privileges. | |||
| CVE-2011-5274 | 0.00 | — | 0.02 | Mar 21, 2014 | The drawAdminTools_PackageInstaller function in shared/inc/forms/packager.php in Domain Technologie Control (DTC) before 0.32.11 allows remote attackers to execute arbitrary commands via shell metacharacters in the dtcpkg_directory parameter in a do_install action to dtc/. | |||
| CVE-2011-5273 | 0.00 | — | 0.01 | Mar 21, 2014 | Directory traversal vulnerability in shared/package-installer in Domain Technologie Control (DTC) before 0.34.1 allows remote authenticated users to execute arbitrary PHP code via a .. (dot dot) in the pkg parameter in a do_install action to dtc/. | |||
| CVE-2011-5272 | 0.00 | — | 0.01 | Mar 21, 2014 | SQL injection vulnerability in Domain Technologie Control (DTC) before 0.34.1 allows remote authenticated users to execute arbitrary SQL commands via the vps_note parameter to dtcadmin/logPushlet.php. NOTE: this issue was originally part of CVE-2011-3197, but that ID was SPLIT… | |||
| CVE-2011-3199 | 0.00 | — | 0.01 | Mar 21, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Domain Technologie Control (DTC) before 0.34.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) message body of a support ticket or unspecified vectors to the (2) DNS and (3) MX form, as… | |||
| CVE-2011-3197 | 0.00 | — | 0.01 | Mar 21, 2014 | SQL injection vulnerability in Domain Technologie Control (DTC) before 0.34.1 allows remote authenticated users to execute arbitrary SQL commands via the addrlink parameter to shared/inc/forms/domain_info.php. NOTE: CVE-2011-3197 has been SPLIT due to findings by different… | |||
| CVE-2011-3196 | 0.00 | — | 0.00 | Mar 21, 2014 | The setup script in Domain Technologie Control (DTC) before 0.34.1 uses world-readable permissions for /etc/apache2/apache2.conf, which allows local users to obtain the dtcdaemons MySQL password by reading the file. | |||
| CVE-2011-3195 | 0.00 | — | 0.02 | Mar 21, 2014 | shared/inc/sql/lists.php in Domain Technologie Control (DTC) before 0.34.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in mailing list tunable options. | |||
| CVE-2011-0437 | 0.00 | — | 0.02 | Mar 7, 2011 | shared/inc/sql/ssh.php in the SSH accounts management implementation in Domain Technologie Control (DTC) before 0.32.9 allows remote authenticated users to delete arbitrary accounts via the edssh_account parameter in a deletesshaccount Delete action. | |||
| CVE-2011-0436 | 0.00 | — | 0.02 | Mar 7, 2011 | The register_user function in client/new_account_form.php in Domain Technologie Control (DTC) before 0.32.9 includes a cleartext password in an e-mail message, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. | |||
| CVE-2009-0402 | 0.00 | — | 0.01 | Feb 3, 2009 | SQL injection vulnerability in client/new_account.php in Domain Technologie Control (DTC) before 0.29.16 allows remote attackers to execute arbitrary SQL commands via the (1) familyname, (2) christname, (3) company_name, (4) is_company, (5) email, (6) phone, (7) fax, (8) addr1,… | |||
| CVE-2008-4951 | 0.00 | — | 0.00 | Nov 5, 2008 | dtc 0.29.6 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/awstats.log, (b) /tmp/spam.log.#####, and (c) /tmp/spam_err.log temporary files, related to the (1) accesslog.php and (2) sa-wrapper scripts. |
- CVE-2011-5276Mar 21, 2014risk 0.00cvss —epss 0.01
SQL injection vulnerability in the drawAdminTools_PackageInstaller function in shared/inc/forms/packager.php in Domain Technologie Control (DTC) before 0.32.11 allows remote authenticated users to execute arbitrary SQL commands via the database_name parameter.
- CVE-2011-5275Mar 21, 2014risk 0.00cvss —epss 0.01
The install script in Domain Technologie Control (DTC) before 0.34.1 gives sudo permissions for chrootuid to the dtc user, which makes it easier for context-dependent users to gain privileges.
- CVE-2011-5274Mar 21, 2014risk 0.00cvss —epss 0.02
The drawAdminTools_PackageInstaller function in shared/inc/forms/packager.php in Domain Technologie Control (DTC) before 0.32.11 allows remote attackers to execute arbitrary commands via shell metacharacters in the dtcpkg_directory parameter in a do_install action to dtc/.
- CVE-2011-5273Mar 21, 2014risk 0.00cvss —epss 0.01
Directory traversal vulnerability in shared/package-installer in Domain Technologie Control (DTC) before 0.34.1 allows remote authenticated users to execute arbitrary PHP code via a .. (dot dot) in the pkg parameter in a do_install action to dtc/.
- CVE-2011-5272Mar 21, 2014risk 0.00cvss —epss 0.01
SQL injection vulnerability in Domain Technologie Control (DTC) before 0.34.1 allows remote authenticated users to execute arbitrary SQL commands via the vps_note parameter to dtcadmin/logPushlet.php. NOTE: this issue was originally part of CVE-2011-3197, but that ID was SPLIT…
- CVE-2011-3199Mar 21, 2014risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in Domain Technologie Control (DTC) before 0.34.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) message body of a support ticket or unspecified vectors to the (2) DNS and (3) MX form, as…
- CVE-2011-3197Mar 21, 2014risk 0.00cvss —epss 0.01
SQL injection vulnerability in Domain Technologie Control (DTC) before 0.34.1 allows remote authenticated users to execute arbitrary SQL commands via the addrlink parameter to shared/inc/forms/domain_info.php. NOTE: CVE-2011-3197 has been SPLIT due to findings by different…
- CVE-2011-3196Mar 21, 2014risk 0.00cvss —epss 0.00
The setup script in Domain Technologie Control (DTC) before 0.34.1 uses world-readable permissions for /etc/apache2/apache2.conf, which allows local users to obtain the dtcdaemons MySQL password by reading the file.
- CVE-2011-3195Mar 21, 2014risk 0.00cvss —epss 0.02
shared/inc/sql/lists.php in Domain Technologie Control (DTC) before 0.34.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in mailing list tunable options.
- CVE-2011-0437Mar 7, 2011risk 0.00cvss —epss 0.02
shared/inc/sql/ssh.php in the SSH accounts management implementation in Domain Technologie Control (DTC) before 0.32.9 allows remote authenticated users to delete arbitrary accounts via the edssh_account parameter in a deletesshaccount Delete action.
- CVE-2011-0436Mar 7, 2011risk 0.00cvss —epss 0.02
The register_user function in client/new_account_form.php in Domain Technologie Control (DTC) before 0.32.9 includes a cleartext password in an e-mail message, which makes it easier for remote attackers to obtain sensitive information by sniffing the network.
- CVE-2009-0402Feb 3, 2009risk 0.00cvss —epss 0.01
SQL injection vulnerability in client/new_account.php in Domain Technologie Control (DTC) before 0.29.16 allows remote attackers to execute arbitrary SQL commands via the (1) familyname, (2) christname, (3) company_name, (4) is_company, (5) email, (6) phone, (7) fax, (8) addr1,…
- CVE-2008-4951Nov 5, 2008risk 0.00cvss —epss 0.00
dtc 0.29.6 allows local users to overwrite arbitrary files via a symlink attack on (a) /tmp/awstats.log, (b) /tmp/spam.log.#####, and (c) /tmp/spam_err.log temporary files, related to the (1) accesslog.php and (2) sa-wrapper scripts.