Search
Total
86024 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2006-3419 | 1 Tor | 1 Tor | 2008-09-05 | 5.0 MEDIUM | N/A |
| Tor before 0.1.1.20 uses OpenSSL pseudo-random bytes (RAND_pseudo_bytes) instead of cryptographically strong RAND_bytes, and seeds the entropy value at start-up with 160-bit chunks without reseeding, which makes it easier for attackers to conduct brute force guessing attacks. | |||||
| CVE-2006-3597 | 1 Ubuntu | 1 Ubuntu Linux | 2008-09-05 | 7.2 HIGH | N/A |
| passwd before 1:4.0.13 on Ubuntu 6.06 LTS leaves the root password blank instead of locking it when the administrator selects the "Go Back" option after the final "Installation complete" message and uses the main menu, which causes the password to be zeroed out in the installer's memory. | |||||
| CVE-2006-3483 | 1 Phpmaillist | 1 Phpmaillist | 2008-09-05 | 5.0 MEDIUM | N/A |
| PHPMailList 1.8.0 stores sensitive information under the web document root iwth insufficient access control, which allows remote attackers to obtain email addresses of subscribers, configuration information, and the admin username and password via direct requests to (1) list.dat or (2) ml_config.dat. | |||||
| CVE-2006-3661 | 1 Cutephp | 1 Cutenews | 2008-09-05 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in Index.PHP in CuteNews 1.4.5 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | |||||
| CVE-2006-3488 | 1 Virtuastore | 1 Virtuastore | 2008-09-05 | 5.0 MEDIUM | N/A |
| Absolute path traversal vulnerability in administrador.asp in VirtuaStore 2.0 allows remote attackers to possibly read arbitrary directories or files via an absolute path with Windows drive letter in the Pasta parameter when link=util, acao=ftp, and acaba=sim. | |||||
| CVE-2006-3579 | 1 Fujitsu | 1 Serverview | 2008-09-05 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Fujitsu ServerView 2.50 up to 3.60L98 and 4.10L11 up to 4.11L81 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2006-3416 | 1 Tor | 1 Tor | 2008-09-05 | 5.0 MEDIUM | N/A |
| ** DISPUTED ** Tor before 0.1.1.20 kills the circuit when it receives an unrecognized relay command, which causes network circuits to be disbanded. NOTE: while this item is listed under the "Security fixes" section of the developer changelog, the developer clarified on 20060707 that this is only a self-DoS. Therefore this issue should not be included in CVE. | |||||
| CVE-2006-3378 | 1 Ubuntu | 1 Ubuntu Linux | 2008-09-05 | 7.2 HIGH | N/A |
| passwd command in shadow in Ubuntu 5.04 through 6.06 LTS, when called with the -f, -g, or -s flag, does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits. | |||||
| CVE-2006-3263 | 1 Mambo | 1 Mambo | 2008-09-05 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Weblinks module (weblinks.php) in Mambo 4.6rc1 and earlier allows remote attackers to execute arbitrary SQL commands via the catid parameter. | |||||
| CVE-2006-3355 | 1 Mpg123 | 1 Mpg123 | 2008-09-05 | 7.5 HIGH | N/A |
| Heap-based buffer overflow in httpdget.c in mpg123 before 0.59s-rll allows remote attackers to execute arbitrary code via a long URL, which is not properly terminated before being used with the strncpy function. NOTE: This appears to be the result of an incomplete patch for CVE-2004-0982. | |||||
| CVE-2006-3108 | 1 Emailarchitect | 1 Email Server | 2008-09-05 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in EmailArchitect Email Server 6.1 allows remote attackers to inject arbitrary Javascript via an HTML div tag with a carriage return between the onmouseover attribute and its value, which bypasses the mail filter. | |||||
| CVE-2006-3025 | 1 Lucid Designs | 1 Lucid Calendar | 2008-09-05 | 6.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Cal.PHP3 in Chris Lea Lucid Calendar 0.22 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | |||||
| CVE-2006-3069 | 1 Iglooweb | 1 Doublespeak | 2008-09-05 | 7.5 HIGH | N/A |
| ** DISPUTED ** PHP remote file inclusion vulnerability in DoubleSpeak 0.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the config[private] parameter in multiple files, as demonstrated by (1) index.php, (2) faq.php, and (3) hardware.php. NOTE: this issue has been disputed by multiple third-party researchers, who state that config[private] is initialized in an include file before being used. | |||||
| CVE-2006-3118 | 1 Canonical | 1 Spread | 2008-09-05 | 1.2 LOW | N/A |
| spread uses a temporary file with a static filename based on the port number, which allows local users to cause a denial of service by creating the file during a race condition between unlink and bind function calls. NOTE: spread deletes this temporary file before use, which could cause conflicts with other programs that use the same filename, but this is not a distinct issue. | |||||
| CVE-2006-2795 | 1 Xiti | 1 Xiti Tracking Script | 2008-09-05 | 6.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in XiTi Tracking Script 6 and 7 RC allow remote attackers to inject arbitrary web script or HTML via (1) the xtref parameter in xiti.js and (2) an HTTP Referer header field. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2006-2846 | 1 Visiongate | 1 Visiongate Portal System | 2008-09-05 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Print.PHP in VisionGate Portal System allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2006-2692 | 1 Amule | 1 Amule | 2008-09-05 | 5.0 MEDIUM | N/A |
| Multiple unspecified vulnerabilities in aMuleWeb for AMule before 2.1.2 allow remote attackers to read arbitrary image, HTML, or PHP files via unknown vectors, probably related to directory traversal. | |||||
| CVE-2006-2759 | 1 Jetty | 1 Jetty | 2008-09-05 | 5.0 MEDIUM | N/A |
| jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary script source code via a capital P in the .jsp extension, and probably other mixed case manipulations. | |||||
| CVE-2006-2758 | 1 Jetty | 1 Jetty | 2008-09-05 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary files via a %2e%2e%5c (encoded ../) in the URL. NOTE: this might be the same issue as CVE-2005-3747. | |||||
| CVE-2006-2805 | 1 Jelsoft | 1 Vbulletin | 2008-09-05 | 5.0 MEDIUM | N/A |
| SQL injection vulnerability in VBulletin 3.0.10 allows remote attackers to execute arbitrary SQL commands via the featureid parameter. | |||||
| CVE-2006-2981 | 1 Arantius | 1 Vice Stats | 2008-09-05 | 7.5 HIGH | N/A |
| SQL injection vulnerability in vs_search.php in Arantius Vice Stats before 1.0.1 allows remote attackers to execute arbitrary SQL commands via unknown vectors, a different issue than CVE-2006-2972. | |||||
| CVE-2006-2957 | 1 Skoom | 1 I.list | 2008-09-05 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in i.List 1.5 beta and earlier allows remote attackers to inject arbitrary web script or HTML via the banurl parameter to add.php. NOTE: the provenance of this information is unknown; the details are obtained from third party information. | |||||
| CVE-2006-2463 | 1 Out Of The Trees Web Design | 1 Selectapix | 2008-09-05 | 5.0 MEDIUM | N/A |
| view_album.php in SelectaPix 1.31 and earlier allows remote attackers to obtain the installation path via a certain request, which displays the path in an error message, possibly due to an invalid or missing parameter. | |||||
| CVE-2006-2443 | 1 Knowledgetree | 1 Knowledgetree | 2008-09-05 | 4.6 MEDIUM | N/A |
| The Debian package of knowledgetree 2.0.7 creates environment.php with world-readable permissions, which allows local users to obtain sensitive information such as the username and password for the KnowledgeTree database. | |||||
| CVE-2006-2365 | 1 Vizra | 1 Vizra | 2008-09-05 | 5.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in a_login.php in Vizra allows remote attackers to inject arbitrary web script or HTML via the message parameter. | |||||
| CVE-2006-2441 | 1 Pioneers | 1 Pioneers Meta-server | 2008-09-05 | 5.0 MEDIUM | N/A |
| Pioneers meta-server before 0.9.55, when the server-console is not installed, allows remote attackers to cause a denial of service (crash) via certain requests from an older gnocatan client to create a new game. | |||||
| CVE-2006-2406 | 1 Unclassified Newsboard | 1 Unclassified Newsboard | 2008-09-05 | 2.6 LOW | N/A |
| Directory traversal vulnerability in bb_lib/abbc.css.php in Unclassified NewsBoard (UNB) 1.5.3-d and possibly earlier versions, when register_globals is enabled, allows remote attackers to include arbitrary files via .. (dot dot) sequences and a trailing null byte (%00) in the design_path parameter. NOTE: this is closely related, but a different vulnerability than the ABBC[Config][smileset] parameter. | |||||
| CVE-2006-1948 | 1 Ibm | 1 Lotus Notes | 2008-09-05 | 4.0 MEDIUM | N/A |
| The "Add Sender to Address Book" operation (AddSenderToAddressBook.lss) and NameHelper.lss in IBM Lotus Notes 6.0 and 6.5 before 20060331 do not properly store information in the Personal Address Book when multiple messages are checked and a message uses AltFrom, which might allow user-assisted remote attackers to trick a user into sending e-mail to an unauthorized recipient. | |||||
| CVE-2006-1910 | 1 S9y | 1 Serendipity | 2008-09-05 | 7.5 HIGH | N/A |
| config.php in S9Y Serendipity 1.0 beta 2 allows remote attackers to inject arbitrary PHP code by editing values that are stored in config.php and later executed. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2006-2217 | 1 Invision Power Services | 1 Invision Power Board | 2008-09-05 | 7.5 HIGH | N/A |
| SQL injection vulnerability in index.php in Invision Power Board allows remote attackers to execute arbitrary SQL commands via the pid parameter in a reputation action. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2006-1915 | 1 Dbbs | 1 Dbbs | 2008-09-05 | 5.0 MEDIUM | N/A |
| SQL injection vulnerability in topics.php in DbbS 2.0-alpha and earlier allows remote attackers to execute arbitrary SQL commands via the fcategoryid parameter. | |||||
| CVE-2006-1974 | 1 Mybulletinboard | 1 Mybulletinboard | 2008-09-05 | 7.5 HIGH | N/A |
| SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) before 1.04 allows remote attackers to execute arbitrary SQL commands via the referrer parameter. | |||||
| CVE-2006-1975 | 1 Stadtaus.com | 1 Php-gastebuch | 2008-09-05 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in guestbook_newentry.php in PHP-Gastebuch 1.61 allows remote attackers to inject arbitrary web script or HTML via the Kommentar field. | |||||
| CVE-2006-1976 | 1 Geekforgod.net | 1 Prayer Request Board | 2008-09-05 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in addRequest.php in Prayer Request Board (PRB) Beta 1 before 20060320 allows remote attackers to inject arbitrary web script or HTML via the Request field. | |||||
| CVE-2006-2098 | 1 Php Thumbnail Autoindex | 1 Php Thumbnail Autoindex | 2008-09-05 | 7.5 HIGH | N/A |
| PHP remote file inclusion vulnerability in Thumbnail AutoIndex before 2.0 allows remote attackers to execute arbitrary PHP code via (1) README.html or (2) HEADER.html. | |||||
| CVE-2006-2105 | 1 Jupiter Cms | 1 Jupiter Cms | 2008-09-05 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in index.php in Jupiter CMS 1.1.4 and 1.1.5 allows remote attackers to read arbitrary files via ".." sequences terminated by a %00 (null) character in the n parameter. | |||||
| CVE-2006-2132 | 1 Duware | 1 Duclassified | 2008-09-05 | 6.4 MEDIUM | N/A |
| SQL injection vulnerability in detail.asp in DUclassified allows remote attackers to execute arbitrary SQL commands via the iPro parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2006-1656 | 1 Vserver | 1 Util-vserver | 2008-09-05 | 7.2 HIGH | N/A |
| vserver in util-vserver 0.30.209 executes a command as root when the suexec userid parameter is invalid and non-numeric, which might cause local users to inadvertently execute dangerous commands as root. | |||||
| CVE-2006-1744 | 1 Joey Hess | 1 Bsdgames | 2008-09-05 | 4.6 MEDIUM | N/A |
| Buffer overflow in pl_main.c in sail in BSDgames before 2.17-7 allows local users to execute arbitrary code via a long player name that is used in a scanf function call. | |||||
| CVE-2006-1792 | 1 Mailenable | 3 Mailenable Enterprise, Mailenable Professional, Mailenable Standard | 2008-09-05 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the POP service in MailEnable Standard Edition before 1.94, Professional Edition before 1.74, and Enterprise Edition before 1.22 has unknown attack vectors and impact related to "authentication exploits". NOTE: this is a different set of affected versions, and probably a different vulnerability than CVE-2006-1337. | |||||
| CVE-2006-1775 | 1 Phpbb Group | 1 Phpbb | 2008-09-05 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.19 allow remote attackers to inject arbitrary web script or HTML via the (1) Site Description field in (a) admin_board.php, the (2) Group name and (3) Group description fields in (b) admin_groups.php and (c) groupcp.php, the (4) Theme Name field in (d) admin_styles.php, and the (5) Rank Title field in (e) admin_ranks.php. NOTE: the profile.php/Current password vector is already covered by CVE-2006-1603. | |||||
| CVE-2006-1646 | 1 Internet Key Exchange | 1 Internet Key Exchange | 2008-09-05 | 5.0 MEDIUM | N/A |
| The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in the Shoichi Sakane KAME Project racoon, as used by NetBSD 1.6, 2.x before 20060119, certain FreeBSD releases, and possibly other distributions of BSD or Linux operating systems, when running in aggressive mode, allows remote attackers to cause a denial of service (daemon crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. | |||||
| CVE-2006-1793 | 1 Runcms | 1 Runcms | 2008-09-05 | 7.6 HIGH | N/A |
| Directory traversal vulnerability in runCMS 1.2 and earlier allows remote attackers to read arbitrary files via the bbPath[path] parameter to (1) class.forumposts.php and (2) forumpollrenderer.php. NOTE: this issue is closely related to CVE-2006-0659. | |||||
| CVE-2006-1700 | 1 Aweb | 1 Scripts Seller | 2008-09-05 | 7.5 HIGH | N/A |
| Buy.php in Aweb Scripts Seller uses predictable cookies for authentication based on the time and the script number, which allows remote attackers to bypass authentication. | |||||
| CVE-2006-1674 | 1 Phpwebgallery | 1 Phpwebgallery | 2008-09-05 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in search.php in PHPWebGallery 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter, a different vulnerability than CVE-2006-1675. | |||||
| CVE-2006-1796 | 1 Wordpress | 1 Wordpress | 2008-09-05 | 6.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the paging links functionality in template-functions-links.php in Wordpress 1.5.2, and possibly other versions before 2.0.1, allows remote attackers to inject arbitrary web script or HTML to Internet Explorer users via the request URI ($_SERVER['REQUEST_URI']). | |||||
| CVE-2006-1772 | 1 Debian | 1 Debian Linux | 2008-09-05 | 7.2 HIGH | N/A |
| debconf in Debian GNU/Linux, when configuring mnogosearch in the mnogosearch-common 3.2.31-1 package, uses the world-readable config.dat file instead of the restricted passwords.dat for storing the cleartext database administrator password in the mnogosearch-common/database_admin_pass record, which allows local users to view the password. | |||||
| CVE-2006-1253 | 1 Glftpd | 1 Glftpd | 2008-09-05 | 7.5 HIGH | N/A |
| Unspecified vulnerability in glFTPd before 2.01 RC5 allows remote attackers to bypass IP checks via a crafted DNS hostname, possibly a hostname that appears to be an IP address. | |||||
| CVE-2006-1164 | 1 Nodez | 1 Nodez | 2008-09-05 | 7.5 HIGH | N/A |
| Nodez 4.6.1.1 and earlier stores sensitive data in the list.gtdat file under the web document root with insufficient access control, which allows remote attackers to obtain usernames and password hashes by directly accessing list.gtdat. | |||||
| CVE-2006-1216 | 1 Runcms | 1 Runcms | 2008-09-05 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in bigshow.php in Runcms 1.x allows remote attackers to inject arbitrary web script or HTML via the id parameter. | |||||