Search
Total
25555 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2007-3657 | 1 Mozilla | 1 Firefox | 2008-11-15 | 4.3 MEDIUM | N/A |
| ** DISPUTED ** Mozilla Firefox 2.0.0.4 allows remote attackers to cause a denial of service by opening multiple tabs in a popup window. NOTE: this issue has been disputed by third party researchers, stating that "this does not crash on me, and I can't see a likely mechanism of action that would lead to a DoS condition." | |||||
| CVE-2007-3718 | 1 Apple | 1 Safari | 2008-11-15 | 7.5 HIGH | N/A |
| Multiple unspecified vulnerabilities in the SVG parsing engine in Apple Safari 3 Beta for Windows have unspecified remote attack vectors and impact. NOTE: this issue contains no actionable information, but it was released by a reliable researcher. | |||||
| CVE-2007-3723 | 1 Sun | 1 Solaris | 2008-11-15 | 2.1 LOW | N/A |
| The process scheduler in the Sun Solaris kernel does not make use of the process statistics kept by the kernel and performs scheduling based upon CPU billing gathered from periodic process sampling ticks, which allows local users to cause a denial of service (CPU consumption), as described in "Secretly Monopolizing the CPU Without Superuser Privileges." | |||||
| CVE-2007-3719 | 1 Linux | 1 Linux Kernel | 2008-11-15 | 2.1 LOW | N/A |
| The process scheduler in the Linux kernel 2.6.16 gives preference to "interactive" processes that perform voluntary sleeps, which allows local users to cause a denial of service (CPU consumption), as described in "Secretly Monopolizing the CPU Without Superuser Privileges." | |||||
| CVE-2007-3720 | 1 Linux | 1 Linux Kernel | 2008-11-15 | 2.1 LOW | N/A |
| The process scheduler in the Linux kernel 2.4 performs scheduling based on CPU billing gathered from periodic process sampling ticks, which allows local users to cause a denial of service (CPU consumption) by performing voluntary nanosecond sleeps that result in the process not being active during a clock interrupt, as described in "Secretly Monopolizing the CPU Without Superuser Privileges." | |||||
| CVE-2007-3664 | 1 Eltima Software | 1 Runservice | 2008-11-15 | 5.0 MEDIUM | N/A |
| Multiple unspecified vulnerabilities in Eltima Software RunService ActiveX control (RunService.dll) allow remote attackers to cause a denial of service via certain functions when "improperly used", as demonstrated by the AcceptControls subroutine. | |||||
| CVE-2007-3543 | 1 Wordpress | 2 Wordpress, Wordpress Mu | 2008-11-15 | 6.0 MEDIUM | N/A |
| Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php. | |||||
| CVE-2007-3418 | 1 Web-app.org | 1 Webapp | 2008-11-15 | 6.5 MEDIUM | N/A |
| The displaypost function in cgi-bin/cgi-lib/forum_display.pl in web-app.org WebAPP before 0.9.9.7 does not display usernames in conjunction with real names, which makes it easier for remote authenticated users to impersonate other users. | |||||
| CVE-2007-3424 | 1 Web-app.org | 1 Webapp | 2008-11-15 | 7.5 HIGH | N/A |
| The moveim function in cgi-bin/cgi-lib/instantmessage.pl in web-app.org WebAPP before 0.9.9.7 uses the tocat parameter as a subdirectory name when moving an instant message, which has unknown impact and remote attack vectors. | |||||
| CVE-2007-3423 | 1 Web-app.org | 1 Webapp | 2008-11-15 | 7.5 HIGH | N/A |
| cgi-bin/cgi-lib/instantmessage.pl in web-app.org WebAPP before 0.9.9.7 uses the From field of an instant message as the beginning of the .dat file name when the (1) imview2 or (2) imview3 function reads (a) an internal IM, or a message from a (b) guest or (c) removed member, which has unknown impact and remote attack vectors. | |||||
| CVE-2007-3438 | 1 Nortel | 1 Sip Softphone | 2008-11-15 | 7.8 HIGH | N/A |
| Buffer overflow in the SIP header parsing module in the Nortel PC Client SIP Soft Phone 4.1 3.5.208[20051015] allows remote attackers to execute arbitrary code via a malformed message, a different vulnerability than CVE-2007-3361. | |||||
| CVE-2007-3440 | 1 Snom | 2 320 Sip Phone, Snom 320 Linux | 2008-11-15 | 6.4 MEDIUM | N/A |
| The Snom 320 SIP Phone, running snom320 linux 3.25, snom320-SIP 6.2.3, and snom320 jffs23.36, allows remote attackers to place calls to arbitrary phone numbers via certain requests to the web server on port 1800. | |||||
| CVE-2007-3422 | 1 Web-app.org | 1 Webapp | 2008-11-15 | 7.5 HIGH | N/A |
| The getcgi function in cgi-bin/cgi-lib/subs.pl in web-app.org WebAPP before 0.9.9.7 attempts to parse query strings that contain (1) non-printing characters, (2) certain printing characters that do not commonly occur in URLs, or (3) invalid URL encoding sequences, which has unknown impact and remote attack vectors. | |||||
| CVE-2007-3421 | 1 Web-app.org | 1 Webapp | 2008-11-15 | 7.5 HIGH | N/A |
| The (1) login, (2) admin profile edit, (3) reminder, (4) edit profile, (5) profile view, (6) gallery view, (7) gallery comment, and (8) gallery feedback capabilities in web-app.org WebAPP before 0.9.9.7 do not verify presence of users in memberlist.dat, which has unknown impact and remote attack vectors. | |||||
| CVE-2007-3296 | 1 Xunlei | 1 Web Thunderbolt | 2008-11-15 | 9.3 HIGH | N/A |
| The ThunderServer.webThunder.1 ActiveX control in xunlei Web Thunderbolt 1.7.3.109 allows remote attackers to download arbitrary files and conduct other unauthorized actions by invoking dangerous methods. | |||||
| CVE-2007-3428 | 1 Zoneo-soft | 1 Phptraffica | 2008-11-15 | 7.5 HIGH | N/A |
| Multiple unspecified vulnerabilities in phpTrafficA before 1.4.2 allow remote attackers to have an unknown impact via the file parameter to (1) plotStatBar.php or (2) plotStatPie.php, different vectors than CVE-2007-1076. | |||||
| CVE-2007-3359 | 1 Iptel | 1 Serweb | 2008-11-15 | 6.8 MEDIUM | N/A |
| Multiple PHP remote file inclusion vulnerabilities in SerWeb 0.9.6 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the _SERWEB[serwebdir] parameter to (1) html/load_apu.php or (2) html/mail_prepend.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-3485 | 1 Yandex | 1 Yandex.server | 2008-11-15 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Yandex.Server allow remote attackers to inject arbitrary web script or HTML via the (1) query or (2) within parameter to the default URI. | |||||
| CVE-2007-3439 | 1 Snom | 2 320 Sip Phone, Snom 320 Linux | 2008-11-15 | 5.0 MEDIUM | N/A |
| The Snom 320 SIP Phone, running snom320 linux 3.25, snom320-SIP 6.2.3, and snom320 jffs23.36, allows remote attackers to read a list of missed calls, received calls, and dialed numbers via a direct request to the web server on port 1800. | |||||
| CVE-2007-3486 | 1 Altavista | 1 Search Engine | 2008-11-15 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in AltaVista search engine allows remote attackers to inject arbitrary web script or HTML via the text parameter to the default URI. | |||||
| CVE-2007-3420 | 1 Web-app.org | 1 Webapp | 2008-11-15 | 7.5 HIGH | N/A |
| The Random Cookie Password functionality in the loaduser function in cgi-bin/cgi-lib/subs.pl in web-app.org WebAPP before 0.9.9.7 does not clear the (1) username, (2) password, (3) usertheme, and (4) userlang cookies for unauthorized users, which has unknown impact and remote attack vectors. | |||||
| CVE-2007-3499 | 1 Slackroll | 1 Slackroll | 2008-11-15 | 6.4 MEDIUM | N/A |
| SlackRoll before 8 accepts gpg exit codes other than 0 and 1 as evidence of a valid signature, which allows remote Slackware mirror sites or man-in-the-middle attackers to cause a denial of service (data inconsistency) or possibly install Trojan horse packages via malformed gpg signatures. | |||||
| CVE-2007-3419 | 1 Web-app.org | 1 Webapp | 2008-11-15 | 7.5 HIGH | N/A |
| The editprofile3 function in cgi-bin/cgi-lib/user.pl in web-app.org WebAPP before 0.9.9.7 does not properly check the (1) themes.dat, (2) languages.dat, (3) profession.dat, (4) gen.dat, (5) marstat.dat, (6) states.dat, and (7) ages.dat files before saving profile settings of members, which has unknown impact and remote attack vectors. | |||||
| CVE-2007-3417 | 1 Web-app.org | 1 Webapp | 2008-11-15 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in cgi-bin/cgi-lib/search.pl in web-app.org WebAPP before 0.9.9.7 allow remote attackers to inject arbitrary web script or HTML via a search string, which is not sanitized when an HREF attribute is printed by the (1) process_search or (2) show_recent_searches function. | |||||
| CVE-2007-3397 | 1 Ibm | 1 Websphere Application Server | 2008-11-15 | 5.0 MEDIUM | N/A |
| The web container in IBM WebSphere Application Server (WAS) before 6.0.2.21, and 6.1.x before 6.1.0.9, sends response data intended for a different request in certain circumstances after a closed connection error, which might allow remote attackers to obtain sensitive information. | |||||
| CVE-2007-3046 | 1 Advanced Software Production Line | 1 Vortex Library | 2008-11-15 | 5.0 MEDIUM | N/A |
| Buffer overflow in Advanced Software Production Line Vortex Library before 1.0.3 allows remote attackers to cause a denial of service (listener crash) via unspecified vectors related to the select I/O implementation and the file set buffer. NOTE: some of these details are obtained from third party information. | |||||
| CVE-2007-3197 | 1 Jelsoft | 1 Vbsupport Integrated Ticket System | 2008-11-15 | 7.5 HIGH | N/A |
| SQL injection vulnerability in vBSupport.php in vBSupport 1.1 before 1.1a allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2007-3150 | 1 Google | 1 Desktop | 2008-11-15 | 9.3 HIGH | N/A |
| Google Desktop allows user-assisted remote attackers to execute arbitrary programs via a man-in-the-middle attack that injects JavaScript, a www.google.com search IFRAME, and a META HTTP-EQUIV="refresh" that targets a www.google.com search for a local .exe file, which is displayed in the "results stored on your computer" portion of the search results, and when clicked invokes Google Desktop to execute this file. | |||||
| CVE-2007-2885 | 1 Microsoft | 1 Visual Database Tools Database Designer | 2008-11-15 | 4.3 MEDIUM | N/A |
| The NotSafe function in the MSVDTDatabaseDesigner7 ActiveX control in VDT70.DLL in Microsoft Visual Database Tools (MSVDT) Database Designer 7.0 allows remote attackers to cause a denial of service (Internet Explorer 6 crash) via a long argument. | |||||
| CVE-2007-2912 | 1 Jelsoft | 1 Vbulletin | 2008-11-15 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in Jelsoft vBulletin before 3.6.6, when unauthenticated User Infraction Permissions is disabled, allows remote attackers to see the infraction "red flag" for a deleted user. | |||||
| CVE-2007-2806 | 1 Galix | 1 Galix | 2008-11-15 | 5.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in index.php in GaliX 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) galix_cat_detail, (2) galix_gal_detail, and (3) galix_cat_detail_sort parameters. | |||||
| CVE-2007-2843 | 1 Apple | 1 Safari | 2008-11-15 | 10.0 HIGH | N/A |
| Cross-domain vulnerability in Apple Safari 2.0.4 allows remote attackers to access restricted information from other domains via Javascript, as demonstrated by a js script that accesses the location information of cross-domain web pages, probably involving setTimeout and timed events. | |||||
| CVE-2007-2904 | 1 Sun | 1 Java System Messaging Server | 2008-11-15 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Sun Java System Messaging Server 6.0 through 6.3, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly a related issue to CVE-2006-5653. | |||||
| CVE-2007-2557 | 1 Mambo | 1 Mambo | 2008-11-15 | 4.0 MEDIUM | N/A |
| MOStlyDB Admin in Mambo 4.6.1 does not properly check privileges, which allows remote authenticated administrators to have an unknown impact via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-2454 | 1 Parallels | 1 Parallels Desktop | 2008-11-15 | 6.8 MEDIUM | N/A |
| Heap-based buffer overflow in the VGA device in Parallels allows local users, with root access to the guest operating system, to terminate the virtual machine and possibly execute arbitrary code in the host operating system via unspecified vectors related to bitblt operations. | |||||
| CVE-2007-2455 | 1 Parallels | 1 Parallels Desktop | 2008-11-15 | 6.1 MEDIUM | N/A |
| Parallels allows local users to cause a denial of service (virtual machine abort) via (1) certain INT instructions, as demonstrated by INT 0xAA; (2) an IRET instruction when an invalid address is at the top of the stack; (3) a malformed MOVNTI instruction, as demonstrated by using a register as a destination; or a write operation to (4) SEGR6 or (5) SEGR7. | |||||
| CVE-2007-1588 | 1 Myserver | 1 Myserver | 2008-11-15 | 7.5 HIGH | N/A |
| server.cpp in MyServer 0.8.5 calls Process::setuid before calling Process::setgid and thus does not properly drop privileges, which might allow remote attackers to execute CGI programs with unintended privileges. | |||||
| CVE-2007-1462 | 2 Conga, Redhat | 2 Conga, Linux | 2008-11-15 | 4.3 MEDIUM | N/A |
| The luci server component in conga preserves the password between page loads for the Add System/Cluster task flow by storing the password in the Value attribute of a password entry field, which allows attackers to steal the password by performing a "view source" or other operation to obtain the web page. NOTE: there are limited circumstances under which such an attack is feasible. | |||||
| CVE-2007-1442 | 1 Oracle | 1 Database Server | 2008-11-15 | 7.2 HIGH | N/A |
| Oracle Database 10g uses a NULL pDacl parameter when calling the SetSecurityDescriptorDacl function to create discretionary access control lists (DACLs), which allows local users to gain privileges. | |||||
| CVE-2007-1402 | 1 Rediff | 1 Toolbar | 2008-11-15 | 7.5 HIGH | N/A |
| The Rediff Toolbar 2.0 ActiveX control in redifftoolbar.dll allows remote attackers to cause a denial of service via unspecified manipulations, possibly involving improper initialization or blank arguments. | |||||
| CVE-2007-1197 | 1 Epiware | 1 Epiware | 2008-11-15 | 9.3 HIGH | N/A |
| Multiple unspecified vulnerabilities in Epiware before 4.7.5 have unknown impact and attack vectors, possibly related to cross-site scripting (XSS) and other unspecified issues. | |||||
| CVE-2007-1190 | 1 Bsalsa | 1 Embeddedwb Web Browser | 2008-11-15 | 6.8 MEDIUM | N/A |
| Unspecified vulnerability in the EmbeddedWB Web Browser ActiveX control allows remote attackers to execute arbitrary code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-1222 | 2 Apple, Parallels | 2 Mac Os X, Parallels Desktop | 2008-11-15 | 7.2 HIGH | N/A |
| Parallels Desktop for Mac before 20070216 implements Drag and Drop by sharing the entire host filesystem as the .psf share, which allows local users of the guest operating system to write arbitrary files to the host filesystem, and execute arbitrary code via launchd by writing a plist file to a LaunchAgents directory. | |||||
| CVE-2007-1103 | 1 Tor | 1 Tor | 2008-11-15 | 4.3 MEDIUM | N/A |
| Tor does not verify a node's uptime and bandwidth advertisements, which allows remote attackers who operate a low resource node to make false claims of greater resources, which places the node into use for many circuits and compromises the anonymity of traffic sources and destinations. | |||||
| CVE-2007-1192 | 1 Hyperbook | 1 Guestbook | 2008-11-15 | 5.0 MEDIUM | N/A |
| Thomas R. Pasawicz HyperBook Guestbook 1.30 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download an admin password hash via a direct request for data/gbconfiguration.dat. | |||||
| CVE-2007-1098 | 1 Scrymud | 1 Scrymud | 2008-11-15 | 7.8 HIGH | N/A |
| Multiple unspecified vulnerabilities in ScryMUD before 2.1.11 have unknown impact and attack vectors, possibly related to denial of service caused by a search that begins with a .* sequence. | |||||
| CVE-2007-1117 | 1 Microsoft | 1 Publisher | 2008-11-15 | 10.0 HIGH | N/A |
| Unspecified vulnerability in Publisher 2007 in Microsoft Office 2007 allows remote attackers to execute arbitrary code via unspecified vectors, related to a "file format vulnerability." NOTE: this information is based upon a vague pre-advisory with no actionable information. However, the advisory is from a reliable source. | |||||
| CVE-2007-1077 | 1 Design4online | 1 Userpages2 | 2008-11-15 | 7.5 HIGH | N/A |
| SQL injection vulnerability in page.asp in Design4Online UserPages2 2.0 allows remote attackers to execute arbitrary SQL commands via the art_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-1198 | 1 Taskfreak | 1 Taskfreak | 2008-11-15 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in TaskFreak! before 0.5.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly a variant of CVE-2007-0982. | |||||
| CVE-2007-0821 | 1 Cedric | 1 Claire Portailphp | 2008-11-15 | 5.0 MEDIUM | N/A |
| Multiple directory traversal vulnerabilities in Cedric CLAIRE PortailPhp 2 allow remote attackers to read arbitrary files via a .. (dot dot) in the chemin parameter to (1) mod_news/index.php or (2) mod_news/goodies.php. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | |||||