Directory traversal vulnerability in index.php in In-Portal 4.3.1, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the env parameter.
SQL injection vulnerability in main.php in CBAuthority allows remote attackers to execute arbitrary SQL commands via the id parameter in a view_product action.
Directory traversal vulnerability in loadpanel.php in Interspire ActiveKB allows remote attackers to read arbitrary files and possibly have unspecified other impact via directory traversal sequences in the Panel parameter.