The Sidebar gadget in ITN News Gadget (aka ITN Hub Gadget) 1.06 for Windows Vista, and possibly other versions before 1.23, allows remote web servers or man-in-the-middle attackers to execute arbitrary commands via script in a short_title response.

SQL injection vulnerability in admin.php in sun-jester OpenNews 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the username parameter.

Static code injection vulnerability in admin.php in sun-jester OpenNews 1.0 allows remote authenticated administrators to inject arbitrary PHP code into config.php via the "Overall Width" field in a setconfig action.

Xigla Software Absolute News Feed 1.0 and possibly 1.5 allows remote attackers to bypass authentication and gain administrative access by setting a certain cookie.

Directory traversal vulnerability in admin.php in Potato News 1.0.0 allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the user cookie parameter.

Static code injection vulnerability in post.php in Simple PHP News 1.0 final allows remote attackers to inject arbitrary PHP code into news.txt via the post parameter, and then execute the code via a direct request to display.php. NOTE: some of these details are obtained from third party information.

Multiple static code injection vulnerabilities in post.php in Simple PHP News 1.0 final allow remote attackers to inject arbitrary PHP code into news.txt via the (1) title or (2) date parameter, and then execute the code via a direct request to display.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Cross-site scripting (XSS) vulnerability in the Simplenews module 5.x before 5.x-1.5 and 6.x before 6.x-1.0-beta4, a module for Drupal, allows remote authenticated users, with "administer taxonomy" permissions, to inject arbitrary web script or HTML via a Newsletter category field.

The isLoggedIn function in fastnews-code.php in phpFastNews 1.0.0 allows remote attackers to bypass authentication and gain administrative access by setting the fn-loggedin cookie to 1.

Cross-site scripting (XSS) vulnerability in install.php in C-News.fr C-News 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the etape parameter.