Search
Total
25555 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2007-2380 | 1 Microsoft | 1 Atlas Framework | 2008-11-13 | 5.0 MEDIUM | N/A |
| The Microsoft Atlas framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | |||||
| CVE-2007-2381 | 1 Mochikit | 1 Mochikit Framework | 2008-11-13 | 5.0 MEDIUM | N/A |
| The MochiKit framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | |||||
| CVE-2007-2384 | 1 Script.aculo.us | 1 Script.aculo.us | 2008-11-13 | 7.8 HIGH | N/A |
| The Script.aculo.us framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | |||||
| CVE-2007-2385 | 1 Yahoo | 1 Ui Library | 2008-11-13 | 5.0 MEDIUM | N/A |
| The Yahoo! UI framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking." | |||||
| CVE-2007-2423 | 1 Moinmoin | 1 Moinmoin | 2008-11-13 | 5.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in MoinMoin 1.5.7 allows remote attackers to inject arbitrary web script or HTML via the do parameter in an AttachFile action, a different vulnerability than CVE-2007-0857. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-2429 | 1 Manageengine | 1 Passwordmanager Pro | 2008-11-13 | 10.0 HIGH | N/A |
| ManageEngine PasswordManager Pro (PMP) allows remote attackers to obtain administrative access to a database by injecting a certain command line for the mysql program, as demonstrated by the "-port 2345" and "-u root" arguments. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-2195 | 1 Alvaro | 1 Alvaros Messenger | 2008-11-13 | 5.0 MEDIUM | N/A |
| aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers to cause a denial of service (application crash) by sending invalid data to TCP port 31337. | |||||
| CVE-2007-1955 | 1 Signkorea | 1 Skcommax Activex Control | 2008-11-13 | 10.0 HIGH | N/A |
| Multiple stack-based buffer overflows in the SignKorea SKCrypAX ActiveX control module 5.4.1.2 allow remote attackers to execute arbitrary code via a long string in unspecified arguments to the (1) DownloadCert, (2) DecryptFileByKey, and (3) EncryptFileByKey functions, a different module and vectors than CVE-2007-1722. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-2023 | 1 Secustick | 1 Secustick Usb Flash Drive | 2008-11-13 | 7.2 HIGH | N/A |
| USB20.dll in Secustick USB flash drive decouples the authorization and file access routines, which allows local users to bypass authentication requirements by altering the return value of the VerifyPassWord function. | |||||
| CVE-2007-2073 | 1 Ivan Gallery Script | 1 Ivan Gallery Script | 2008-11-13 | 7.5 HIGH | N/A |
| PHP remote file inclusion vulnerability in index.php in Ivan Gallery Script 0.3 allows remote attackers to execute arbitrary PHP code via a URL in the gallery parameter in a new session. | |||||
| CVE-2007-1823 | 1 T-mobile | 1 Voice Mail Systems | 2008-11-13 | 10.0 HIGH | N/A |
| T-Mobile voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID). | |||||
| CVE-2007-1822 | 1 Alcatel-lucent | 1 Voice Mail System | 2008-11-13 | 10.0 HIGH | N/A |
| Alcatel-Lucent Lucent Technologies voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID). | |||||
| CVE-2007-1821 | 1 Sprint | 1 Sprint Voice | 2008-11-13 | 10.0 HIGH | N/A |
| Sprint Nextel Sprint voice mail systems allow remote attackers to retrieve or remove messages, or reconfigure mailboxes, by spoofing Calling Number Identification (CNID, aka Caller ID). | |||||
| CVE-2007-1775 | 1 Jbrowser | 1 Jbrowser | 2008-11-13 | 6.8 MEDIUM | N/A |
| Unrestricted file upload vulnerability in upload.php3 in JBrowser 2.4 and earlier allows remote attackers to upload and execute arbitrary PHP code via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-1829 | 1 Web-app.net | 1 Webapp | 2008-11-13 | 7.5 HIGH | N/A |
| Multiple unspecified vulnerabilities in web-app.net WebAPP have unknown impact and attack vectors, described as "[having] other [security] issues too, not as bad as letting users take over your admin account, but bad too." | |||||
| CVE-2007-1830 | 1 Web-app.org | 1 Webapp | 2008-11-13 | 4.3 MEDIUM | N/A |
| Unspecified vulnerability in the Username Hijacking Patch 20070312 for web-app.org WebAPP 0.9.9.6 allows remote attackers to obtain administrative access via unknown vectors, related to "something overlooked in the original that was still overlooked in the patch", and possibly related to copying files to the user-lib and the "XSS and cookies exploit." | |||||
| CVE-2007-1820 | 1 Nortel | 2 Callpilot, Meridian Mail | 2008-11-13 | 9.3 HIGH | N/A |
| Nortel Networks CallPilot and Meridian Mail voicemail systems, when a mailbox has auto logon enabled, allow remote attackers to retrieve or remove messages, or reconfigure the mailbox, by spoofing Calling Number Identification (CNID, aka Caller ID). | |||||
| CVE-2007-1742 | 1 Apache | 1 Http Server | 2008-11-13 | 3.7 LOW | N/A |
| suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized operations on incorrect directories, as demonstrated using "html_backup" and "htmleditor" under an "html" directory. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root." | |||||
| CVE-2007-1651 | 1 Openid | 1 Openid | 2008-11-13 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in OpenID allows remote attackers to restore the login session of a user on an OpenID enabled site via unspecified vectors related to an arbitrary remote web site and cached tokens, after the user has signed into an OpenID server, logged into the OpenID enabled site, and then logged out of the OpenID enabled site. | |||||
| CVE-2007-1653 | 1 Glowworm | 1 Glowworm | 2008-11-13 | 7.8 HIGH | N/A |
| GlowWorm FW before 1.5.3b4 allows remote attackers to cause a denial of service (kernel panic) via certain DNS responses that trigger infinite recursion in TrueDNS packet parsing, as originally observed with certain login.yahoo.com responses. | |||||
| CVE-2007-1652 | 1 Openid | 1 Openid | 2008-11-13 | 7.5 HIGH | N/A |
| OpenID allows remote attackers to forcibly log a user into an OpenID enabled site, divulge the user's personal information to this site, and add it site to the trusted sites list via a crafted web page, related to cached tokens. | |||||
| CVE-2007-1494 | 1 Nukescripts | 1 Nukesentinel | 2008-11-13 | 6.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in NukeSentinel before 2.5.06 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to the "filters for https:// and http://". | |||||
| CVE-2007-1492 | 1 Microsoft | 1 Windows Xp | 2008-11-13 | 7.1 HIGH | N/A |
| winmm.dll in Microsoft Windows XP allows user-assisted remote attackers to cause a denial of service (infinite loop) via a large cch argument value to the mmioRead function, as demonstrated by a crafted WAV file. | |||||
| CVE-2007-1574 | 1 Care2x | 1 Care2x | 2008-11-13 | 5.0 MEDIUM | N/A |
| CARE2X 2.2, and possibly earlier, allows remote attackers to obtain configuration information via a direct request to phpinfo.php, which calls the phpinfo function. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-1354 | 1 Jboss | 1 Jboss Application Server | 2008-11-13 | 6.0 MEDIUM | N/A |
| The Access Control functionality (JMXOpsAccessControlFilter) in JMX Console in JBoss Application Server 4.0.2 and 4.0.5 before 20070416 uses a member variable to store the roles of the current user, which allows remote authenticated administrators to trigger a race condition and gain privileges by logging in during a session by a more privileged administrator, as demonstrated by privilege escalation from Read Mode to Write Mode. | |||||
| CVE-2007-1341 | 1 Simple Invoices | 1 Simple Invoices | 2008-11-13 | 5.0 MEDIUM | N/A |
| include/auth/auth.php in Simple Invoices before 2007 03 05 does not use the login system to protect print preview pages for invoices, which might allow attackers to obtain sensitive information. | |||||
| CVE-2007-1435 | 1 D-link | 1 Tftp Server | 2008-11-13 | 10.0 HIGH | N/A |
| Buffer overflow in D-Link TFTP Server 1.0 allows remote attackers to cause a denial of service (crash) via a long (1) GET or (2) PUT request, which triggers memory corruption. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-0641 | 1 Shaffer Solutions Corp | 1 Dapcnfsd.dll | 2008-11-13 | 7.5 HIGH | N/A |
| Buffer overflow in the EnumPrintersA function in dapcnfsd.dll 0.6.4.0 in Shaffer Solutions (SSC) DiskAccess NFS Client allows remote attackers to execute arbitrary code via a long argument, an issue similar to CVE-2006-5854 and CVE-2007-0444. | |||||
| CVE-2007-0574 | 1 Spoonlabs | 1 Vivvo Article Management Cms | 2008-11-13 | 7.5 HIGH | N/A |
| SQL injection vulnerability in rss/show_webfeed.php in SpoonLabs Vivvo Article Management CMS (aka phpWordPress) 3.40 allows remote attackers to execute arbitrary SQL commands via the wcHeadlines parameter, a different vector than CVE-2006-4715. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2007-0461 | 1 Dazuko | 1 Dazuko | 2008-11-13 | 5.0 MEDIUM | N/A |
| Multiple memory leaks in the Dazuko anti-virus helper module before 2.3.2 allow attackers to cause a denial of service (memory consumption) via unknown vectors. | |||||
| CVE-2007-0378 | 1 Docman | 1 Docman | 2008-11-13 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in DocMan 1.3 RC2 allow attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2007-0380 | 1 Docman | 1 Docman | 2008-11-13 | 5.0 MEDIUM | N/A |
| DocMan 1.3 RC2 allows remote attackers to obtain sensitive information (the full path) via unspecified vectors. | |||||
| CVE-2007-0379 | 1 Docman | 1 Docman | 2008-11-13 | 6.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in DocMan 1.3 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2007-0381 | 1 Adaptive Technology Resource Centre | 1 Atutor | 2008-11-13 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. NOTE: CVE analysis suggests that the vendor fixed these issues. | |||||
| CVE-2007-0383 | 1 Wdaemon | 1 Wdaemon | 2008-11-13 | 5.0 MEDIUM | N/A |
| ** DISPUTED ** WDaemon 9.5.4 allows remote attackers to access the /WorldClient.dll URI on TCP port 3000, which has unknown impact. NOTE: The researcher reports that the vendor response was "this is not a security bug." | |||||
| CVE-2007-0384 | 1 Postnuke Software Foundation | 1 Postnuke | 2008-11-13 | 5.1 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in preview in the reviews section in PostNuke 0.764 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2007-0385 | 1 Postnuke Software Foundation | 1 Postnuke | 2008-11-13 | 7.8 HIGH | N/A |
| The faq section in PostNuke 0.764 allows remote attackers to obtain sensitive information (the full path) via "unvalidated output" in FAQ/index.php, possibly involving an undefined id_cat variable. | |||||
| CVE-2007-0386 | 1 Postnuke Software Foundation | 1 Postnuke | 2008-11-13 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the rating section in PostNuke 0.764 has unknown impact and attack vectors, related to "an interesting bug." | |||||
| CVE-2007-0434 | 1 Bea | 1 Aqualogic Enterprise Security | 2008-11-13 | 4.6 MEDIUM | N/A |
| BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2 does not properly set the severity level of audit events when the system load is high, which might make it easier for attackers to avoid detection. | |||||
| CVE-2007-0432 | 1 Bea | 1 Aqualogic Service Bus | 2008-11-13 | 7.5 HIGH | N/A |
| BEA AquaLogic Service Bus 2.0, 2.1, and 2.5 does not properly reject malformed request messages to a proxy service, which might allow remote attackers to bypass authorization policies and route requests to back-end services or conduct other unauthorized activities. | |||||
| CVE-2007-0433 | 1 Bea | 1 Aqualogic Service Bus | 2008-11-13 | 6.5 MEDIUM | N/A |
| Unspecified vulnerability in BEA AquaLogic Enterprise Security 2.0 through 2.0 SP2, 2.1 through 2.1 SP1, and 2.2, when using Active Directory LDAP for authentication, allows remote authenticated users to access the server even after the account has been disabled. | |||||
| CVE-2006-6980 | 1 Magnatune.com | 1 Album Browser | 2008-11-13 | 2.6 LOW | N/A |
| The magnatune.com album browser in Amarok allows attackers to cause a denial of service (application crash) via unspecified vectors. | |||||
| CVE-2006-5674 | 1 Minibb | 1 Minibb | 2008-11-13 | 7.5 HIGH | N/A |
| Multiple PHP remote file inclusion vulnerabilities in miniBB 2.0.2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the pathToFiles parameter to (1) bb_func_forums.php, (2) bb_functions.php, or (3) the RSS plugin. | |||||
| CVE-2006-4492 | 1 Cybozu | 1 Cybozu Office | 2008-11-11 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in Cybozu Office 6.5 Build 1.2 for Windows allows remote attackers to obtain sensitive information, including users and groups, via unspecified vectors. | |||||
| CVE-2006-4491 | 1 Cybozu | 5 Collaborex, Cybozu Ag, Cybozu Pocket and 2 more | 2008-11-11 | 4.0 MEDIUM | N/A |
| Directory traversal vulnerability in Cybozu Collaborex, AG before 1.2(1.5), AG Pocket before 5.2(0.8), Mailwise before 3.0(0.3), and Garoon 1 before 1.5(4.1) allows remote authenticated users to read arbitrary files via unspecified vectors. | |||||
| CVE-2005-3421 | 1 Hyper Estraier | 1 Hyper Estraier | 2008-11-11 | 5.0 MEDIUM | N/A |
| estcmd in Hyper Estraier 1.0.1 on Windows systems allows remote attackers to read unauthorized files via a crafted search request for a filename that contains Unicode characters. | |||||
| CVE-2005-2803 | 1 Hiki | 1 Hiki | 2008-11-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Hiki 0.8.1 to 0.8.2 allows remote attackers to inject arbitrary web script or HTML via a page name in a Login link, a different vulnerability than CVE-2005-2336. | |||||
| CVE-2005-2336 | 1 Hiki | 1 Hiki | 2008-11-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Hiki 0.8.0 to 0.8.2 allows remote attackers to inject arbitrary web script or HTML via "missing pages" in which the page name is not properly escaped, a different vulnerability than CVE-2005-2803. | |||||
| CVE-2003-0308 | 2 Debian, Sendmail | 2 Debian Linux, Sendmail | 2008-11-11 | 7.2 HIGH | N/A |
| The Sendmail 8.12.3 package in Debian GNU/Linux 3.0 does not securely create temporary files, which could allow local users to gain additional privileges via (1) expn, (2) checksendmail, or (3) doublebounce.pl. | |||||
| CVE-2006-2690 | 1 Eva-web | 1 Eva-web | 2008-11-09 | 7.8 HIGH | N/A |
| An unspecified script in EVA-Web 2.1.2 and earlier, probably index.php, allows remote attackers to obtain the full path of the web server via invalid (1) perso or (2) aide parameters. | |||||