Easy Chat Server 2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download certain files via direct requests to files such as (1) ServerKey.pem and (2) AcceptIP.txt. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.

Eval injection vulnerability in 123 Flash Chat Server 5.0 and 5.1 allows attackers to execute arbitrary code via a crafted username.

Directory traversal vulnerability in Shanghai TopCMM 123 Flash Chat Server Software 5.1 allows attackers to create or overwrite arbitrary files on the server via ".." (dot dot) sequences in the username field.

Adventia Chat 3.1 and Server Pro 3.0 allows remote attackers to inject arbitrary web script or HTML into the chat space, which leaves other users vulnerable to cross-site scripting (XSS) attacks.

Cross-site scripting (XSS) vulnerability in chat.ghp in Easy Chat Server 1.2 allows remote attackers to inject arbitrary web script or HTML via the username parameter.

Directory traversal vulnerability in ParaChat Server 5.5 allows remote attackers to read arbitrary files via a ..%5C (hex-encoded dot dot) in the URL.

chat.ghp in Easy Chat Server 1.2 allows remote attackers to cause a denial of service (server crash) via a long username parameter, possibly due to a buffer overflow. NOTE: it was later reported that 2.2 is also affected.

chat.ghp in Easy Chat Server 1.2 allows remote attackers to add a large number of fake users, then eventually cause a denial of service (server crash).

Bird Chat 1.61 allows remote attackers to cause a denial of service (crash) via invalid users.

Cross-site scripting (XSS) in one2planet.infolet.InfoServlet in 12Planet Chat Server 2.9 allows remote attackers to execute arbitrary script as other users via the page parameter.