Search
Total
86024 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2006-3494 | 1 Vastal I-tech | 1 Buddy Zone | 2018-10-18 | 6.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Buddy Zone 1.0.1 allow remote attackers to inject arbitrary HTML and web script via the (1) cat_id parameter to (a) view_classifieds.php; (2) id parameter in (b) view_ad.php; (3) event_id parameter in (c) view_event.php, (d) delete_event.php, and (e) edit_event.php; and (4) group_id in (f) view_group.php. | |||||
| CVE-2006-3514 | 1 Phpblogger | 1 Php-blogger | 2018-10-18 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in admin/actions.php in PHP-Blogger 2.2.5, and possibly earlier versions, allow remote attackers to execute arbitrary web script or HTML via the (1) name, (2) title, (3) news, (4) description, and (5) sitename parameters. | |||||
| CVE-2006-3515 | 1 Myiosoft.com | 1 Ajaxportal | 2018-10-18 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the loginADP function in ajaxp.php in AjaxPortal 3.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username or (2) password parameters. | |||||
| CVE-2006-3516 | 1 Freehost | 1 Freehost | 2018-10-18 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in FreeHost allow remote attackers to execute arbitrary SQL commands via (1) readme parameter to FreeHost/misc.php or (2) index parameter to FreeHost/news.php. | |||||
| CVE-2006-3517 | 1 Rwscripts.com | 1 Rw Download | 2018-10-18 | 7.5 HIGH | N/A |
| PHP remote file inclusion vulnerability in stats.php in RW::Download, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter. | |||||
| CVE-2006-3518 | 1 Webvizyon.net | 1 Webvizyon Portal | 2018-10-18 | 7.5 HIGH | N/A |
| SQL injection vulnerability in SayfalaAltList.asp in Webvizyon Portal 2006 allows remote attackers to execute arbitrary SQL commands via the ID parameter. | |||||
| CVE-2006-3519 | 1 Native Solutions | 1 The Banner Engine | 2018-10-18 | 5.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in The Banner Engine (tbe) 4.0 allow remote attackers to execute arbitrary web script or HTML via the (1) text parameter in a search action to (a) top.php, and the (2) adminpass or (3) adminlogin parameter to (b) signup.php. | |||||
| CVE-2006-3522 | 1 Clearswift | 1 Mimesweeper For Web | 2018-10-18 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Clearswift MIMEsweeper for Web before 5.1.15 Hotfix allows remote attackers to inject arbitrary web script or HTML via the URL, which is reflected back in an error message when trying to access a blocked web site. | |||||
| CVE-2006-3524 | 1 Sipfoundry | 1 Sipxtapi | 2018-10-18 | 7.5 HIGH | N/A |
| Buffer overflow in SIPfoundry sipXtapi released before 20060324 allows remote attackers to execute arbitrary code via a long CSeq field value in an INVITE message. | |||||
| CVE-2006-3526 | 1 Sport-slo | 1 Sport-slo Advanced Guestbook | 2018-10-18 | 5.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in guestbook.php in Sport-slo Advanced Guestbook 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) name and (2) form parameters. | |||||
| CVE-2006-3528 | 1 Mamboxchange | 1 Simpleboard | 2018-10-18 | 6.8 MEDIUM | N/A |
| Multiple PHP remote file inclusion vulnerabilities in Simpleboard Mambo module 1.1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the sbp parameter to (1) image_upload.php and (2) file_upload.php. | |||||
| CVE-2006-3530 | 1 Joomla | 1 Pc Cookbook | 2018-10-18 | 6.8 MEDIUM | N/A |
| PHP remote file inclusion vulnerability in com_pccookbook/pccookbook.php in the PccookBook Component for Mambo and Joomla 0.3 and possibly up to 1.3.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the mosConfig_absolute_path parameter. | |||||
| CVE-2006-3531 | 1 Pivot | 1 Pivot | 2018-10-18 | 7.5 HIGH | N/A |
| includes/editor/insert_image.php in Pivot 1.30 RC2 and earlier creates the authentication credentials from parameters, which allows remote attackers to obtain privileges and upload arbitrary files via modified (1) pass and (2) session parameters, and (3) pass and (4) userlevel indices of the (a) Pivot_Vars[] or (b) Users[] array parameters. | |||||
| CVE-2006-3532 | 1 Pivot | 1 Pivot | 2018-10-18 | 5.1 MEDIUM | N/A |
| PHP file inclusion vulnerability in includes/edit_new.php in Pivot 1.30 RC2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a FTP URL or full file path in the Paths[extensions_path] parameter. | |||||
| CVE-2006-3533 | 1 Pivot | 1 Pivot | 2018-10-18 | 5.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Pivot 1.30 RC2 and earlier, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) fg, (2) line1, (3) line2, (4) bg, (5) c1, (6) c2, (7) c3, and (8) c4 parameters in (a) includes/blogroll.php; (9) name and (10) js_name parameters in (b) includes/editor/edit_menu.php; and, even if register_globals is not enabled, the (11) h and (12) w parameters in (c) includes/photo.php. | |||||
| CVE-2006-3537 | 1 Randshop | 1 Randshop | 2018-10-18 | 7.5 HIGH | N/A |
| PHP remote file inclusion vulnerability in index.php in Randshop before 1.2 allows remote attackers to execute arbitrary PHP code via the dateiPfad parameter, a different vector than CVE-2006-3375. | |||||
| CVE-2006-3538 | 1 Beatificfaith | 1 Eprayer | 2018-10-18 | 5.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in demo.php in BeatificFaith Eprayer Alpha allow remote attackers to inject arbitrary web script or HTML via the SRC attribute of a SCRIPT element in the (1) "Your name" field and (2) "Enter Prayer Request here" field. | |||||
| CVE-2006-3539 | 1 Dkscript | 1 Dragons Kingdom Script | 2018-10-18 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in DKScript.com Dragon's Kingdom Script 1.0 allow remote attackers to inject arbitrary web script or HTML via a javascript URI in the SRC attribute of an IMG element in the (1) Subject and (2) Message fields in a do=write (aka Send Mail Message) action in gamemail.php; the (3) Gender, (4) Country/Location, (5) MSN Messenger, (6) AOL Instant Messenger, (7) Yahoo Instant Messenger, and (8) ICQ fields in a do=onlinechar (aka Edit your Profile) action in index.php, as accessed by dk.php; a javascript URI in the SRC attribute of an IMG element in the (9) Title and (10) Message fields in a do=new (aka Create Thread) action in general.php; and a javascript URI in the SRC attribute of an IMG element in unspecified fields in (11) other Forum posts and (12) Forum replies. | |||||
| CVE-2006-3540 | 1 Zonelabs | 1 Zonealarm Security Suite | 2018-10-18 | 4.9 MEDIUM | N/A |
| Check Point Zone Labs ZoneAlarm Internet Security Suite 6.5.722.000, 6.1.737.000, and possibly other versions do not properly validate RegSaveKey, RegRestoreKey, and RegDeleteKey function calls, which allows local users to cause a denial of service (system crash) via a certain combination of these function calls with an HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VETFDDNT\Enum argument. | |||||
| CVE-2006-3541 | 1 Kyberna | 1 Ky2help | 2018-10-18 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in Meine Links (aka My Links) in Kyberna ky2help allows remote authenticated users to execute arbitrary SQL commands via unspecified "textboxes." | |||||
| CVE-2006-3542 | 1 Boxcar Media | 1 Shopping Cart | 2018-10-18 | 5.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Garry Glendown Shopping Cart 0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) shop name field in (a) editshop.php, (b) edititem.php, and (c) index.php; and via the (2) item field in editshop.php and edititem.php. | |||||
| CVE-2006-3543 | 1 Invision Power Services | 1 Invision Power Board | 2018-10-18 | 7.5 HIGH | N/A |
| ** DISPUTED ** Multiple SQL injection vulnerabilities in Invision Power Board (IPB) 1.x and 2.x allow remote attackers to execute arbitrary SQL commands via the (1) idcat and (2) code parameters in a ketqua action in index.php; the id parameter in a (3) Attach and (4) ref action in index.php; the CODE parameter in a (5) Profile, (6) Login, and (7) Help action in index.php; and the (8) member_id parameter in coins_list.php. NOTE: the developer has disputed this issue, stating that the "CODE attribute is never present in an SQL query" and the "'ketqua' [action] and file 'coin_list.php' are not standard IPB 2.x features". It is unknown whether these vectors are associated with an independent module or modification of IPB. | |||||
| CVE-2006-3544 | 1 Invision Power Services | 1 Invision Board | 2018-10-18 | 7.5 HIGH | N/A |
| ** DISPUTED ** Multiple SQL injection vulnerabilities in Invision Power Board (IPB) 1.3 Final allow remote attackers to execute arbitrary SQL commands via the CODE parameter in a (1) Stats, (2) Mail, and (3) Reg action in index.php. NOTE: the developer has disputed this issue, stating that "At no point does the CODE parameter touch the database. The CODE parameter is used in a SWITCH statement to determine which function to run." | |||||
| CVE-2006-3546 | 1 Ada | 1 Imgsvr | 2018-10-18 | 5.0 MEDIUM | N/A |
| Patrice Freydiere ImgSvr (aka ADA Image Server) allows remote attackers to cause a denial of service (daemon crash) via a long HTTP POST request. NOTE: this might be the same issue as CVE-2004-2463. | |||||
| CVE-2006-3547 | 1 Vmware | 1 Player | 2018-10-18 | 2.6 LOW | N/A |
| ** DISPUTED ** EMC VMware Player allows user-assisted attackers to cause a denial of service (unrecoverable application failure) via a long value of the ide1:0.fileName parameter in the .vmx file of a virtual machine. NOTE: third parties have disputed this issue, saying that write access to the .vmx file enables other ways of stopping the virtual machine, so no privilege boundaries are crossed. | |||||
| CVE-2006-3548 | 1 Horde | 1 Horde | 2018-10-18 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 allow remote attackers to inject arbitrary web script or HTML via a (1) javascript URI or an external (2) http, (3) https, or (4) ftp URI in the url parameter in services/go.php (aka the dereferrer), (5) a javascript URI in the module parameter in services/help (aka the help viewer), and (6) the name parameter in services/problem.php (aka the problem reporting screen). | |||||
| CVE-2006-3549 | 1 Horde | 1 Horde Application Framework | 2018-10-18 | 5.0 MEDIUM | N/A |
| services/go.php in Horde Application Framework 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1 does not properly restrict its image proxy capability, which allows remote attackers to perform "Web tunneling" attacks and use the server as a proxy via (1) http, (2) https, and (3) ftp URL in the url parameter, which is requested from the server. | |||||
| CVE-2006-3550 | 1 F5 | 1 Firepass 4100 | 2018-10-18 | 2.6 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in F5 Networks FirePass 4100 5.x allow remote attackers to inject arbitrary web script or HTML via unspecified "writable form fields and hidden fields," including "authentication frontends." | |||||
| CVE-2006-3553 | 1 Planet Concept | 1 Planetnews | 2018-10-18 | 10.0 HIGH | N/A |
| PlaNet Concept planetNews allows remote attackers to bypass authentication and execute arbitrary code via a direct request to news/admin/planetnews.php. | |||||
| CVE-2006-3554 | 1 Mkportal | 1 Mkportal | 2018-10-18 | 7.5 HIGH | N/A |
| Directory traversal vulnerability in index.php in MKPortal 1.0.1 Final allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the language cookie, as demonstrated by using a gl_session cookie to inject PHP sequences into the error.log file, which is then included by index.php with malicious commands accessible by the ind parameter. | |||||
| CVE-2006-3555 | 1 Php Fusion | 1 Php Fusion | 2018-10-18 | 5.8 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in submit.php in PHP-Fusion before 6.01.3 allow remote attackers to inject arbitrary web script or HTML by using edit_profile.php to upload a (1) avatar or (2) forum image attachment that has a .gif or .jpg extension, and begins with a GIF header followed by JavaScript code, which is executed by Internet Explorer. | |||||
| CVE-2006-3556 | 1 Extcalendar | 1 Extcalendar | 2018-10-18 | 6.8 MEDIUM | N/A |
| PHP remote file inclusion vulnerability in extcalendar.php in Mohamed Moujami ExtCalendar 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. | |||||
| CVE-2006-3557 | 1 Mt Orumcek | 1 Mt Orumcek Toplist | 2018-10-18 | 5.0 MEDIUM | N/A |
| MT Orumcek Toplist 2.2 stores DB/orumcektoplist.mdb under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request. | |||||
| CVE-2006-3558 | 1 Arif Supriyanto | 1 Auracms | 2018-10-18 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Arif Supriyanto auraCMS 1.62 allow remote attackers to inject arbitrary web script or HTML via (1) the judul_artikel parameter in teman.php and (2) the title of an article sent to admin, which is displayed when unauthenticated users visit index.php. | |||||
| CVE-2006-3559 | 1 Arif Supriyanto | 1 Auracms | 2018-10-18 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Arif Supriyanto auraCMS 1.62 allow remote attackers to execute arbitrary SQL commands and delete all shoutbox messages via the (1) name and (2) pesan parameters. | |||||
| CVE-2006-3560 | 1 Blue Dojo | 1 Graffiti Forums | 2018-10-18 | 7.5 HIGH | N/A |
| SQL injection vulnerability in topics.php in Blue Dojo Graffiti Forums 1.0 allows remote attackers to execute arbitrary SQL commands via the f parameter. | |||||
| CVE-2006-3561 | 1 Bt | 1 Voyager 2091 Wireless Adsl Router | 2018-10-18 | 5.0 MEDIUM | N/A |
| BT Voyager 2091 Wireless firmware 2.21.05.08m_A2pB018c1.d16d and earlier, and 3.01m and earlier, allow remote attackers to bypass the authentication process and gain sensitive information, such as configuration information via (1) /btvoyager_getconfig.sh, PPP credentials via (2) btvoyager_getpppcreds.sh, and decode configuration credentials via (3) btvoyager_decoder.c. | |||||
| CVE-2006-3128 | 1 Easy-cms | 1 Easy-cms | 2018-10-18 | 4.6 MEDIUM | N/A |
| choose_file.php in easy-CMS 0.1.2, when mod_mime is installed, does not restrict uploads of filenames with multiple extensions, which allows remote attackers to execute arbitrary PHP code by uploading a PHP file with a GIF file extension, then directly accessing that file in the Repositories directory. | |||||
| CVE-2006-3132 | 1 Qto | 1 Qtofilemanager | 2018-10-18 | 5.8 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in qtofm.php4 in QTOFileManager 1.0 allows remote attackers to inject arbitrary web script or HTML via the msg parameter, as originally reported for index.php. | |||||
| CVE-2006-3136 | 1 Nucleus Group | 1 Nucleus Cms | 2018-10-18 | 7.5 HIGH | N/A |
| ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in Nucleus 3.23 allow remote attackers to execute arbitrary PHP code via a URL the DIR_LIBS parameter in (1) path/action.php, and to files in path/nucleus including (2) media.php, (3) /xmlrpc/server.php, and (4) /xmlrpc/api_metaweblog.inc.php. NOTE: this is a similar vulnerability to CVE-2006-2583. NOTE: this issue has been disputed by third parties, who state that the DIR_LIBS parameter is defined in an include file before being used. | |||||
| CVE-2006-3139 | 1 Vwar | 1 Virtual War | 2018-10-18 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in war.php in Virtual War (VWar) 1.5.0 R14 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) s, (2) showgame, (3) sortorder, and (4) sortby parameters. | |||||
| CVE-2006-3142 | 1 Vbzoom | 1 Vbzoom | 2018-10-18 | 7.5 HIGH | N/A |
| SQL injection vulnerability in forum.php in VBZooM 1.11 allows remote attackers to execute arbitrary SQL commands via the MainID parameter. | |||||
| CVE-2006-3143 | 1 Maximus | 1 Schoolmax | 2018-10-18 | 4.0 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in icue_login.asp in Maximus SchoolMAX 4.0.1 and earlier iCue and iParent applications allows remote attackers to inject arbitrary web script or HTML via the error_msg parameter. | |||||
| CVE-2006-3144 | 1 Ibd | 1 Micro Cms | 2018-10-18 | 7.5 HIGH | N/A |
| PHP remote file inclusion vulnerability in micro_cms_files/microcms-include.php in Implied By Design (IBD) Micro CMS 3.5 (aka 0.3.5) and earlier allows remote attackers to execute arbitrary PHP code via a URL in the microcms_path parameter. NOTE: it was later reported that this can also be leveraged to include and execute arbitrary local files via .. (dot dot) sequences. | |||||
| CVE-2006-3146 | 2 Microsoft, Toshiba | 2 Windows, Bluetooth Stack | 2018-10-18 | 5.0 MEDIUM | N/A |
| The TOSRFBD.SYS driver for Toshiba Bluetooth Stack 4.00.29 and earlier on Windows allows remote attackers to cause a denial of service (reboot) via a L2CAP echo request that triggers an out-of-bounds memory access, similar to "Ping o' Death" and as demonstrated by BlueSmack. NOTE: this issue was originally reported for 4.00.23. | |||||
| CVE-2006-3158 | 1 Eduha Meeting | 1 Eduha Meeting | 2018-10-18 | 7.5 HIGH | N/A |
| index.php in Eduha Meeting does not properly restrict file extensions before permitting a file upload, which allows remote attackers to bypass security checks and upload or execute arbitrary php code via the add action. | |||||
| CVE-2006-3160 | 1 Onedotoh | 1 Simple File Manager | 2018-10-18 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in fm.php in ONEdotOH Simple File Manager (SFM) 0.24a and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter. | |||||
| CVE-2006-3161 | 1 Saphp | 1 Saphplesson | 2018-10-18 | 7.5 HIGH | N/A |
| SQL injection vulnerability in misc.php in SaphpLesson 1.1 and earlier allows remote attackers to execute arbitrary SQL commands via the action parameter. | |||||
| CVE-2006-3168 | 1 Comscripts | 1 Cs-forum | 2018-10-18 | 7.5 HIGH | N/A |
| SQL injection vulnerability in CS-Forum before 0.82 allows remote attackers to execute arbitrary SQL commands via the (1) id and (2) debut parameters in (a) read.php, and the (3) search and (4) debut parameters in (b) index.php. | |||||
| CVE-2006-3169 | 1 Comscripts | 1 Cs-forum | 2018-10-18 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in CS-Forum 0.81 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) msg_result and (2) rep_titre parameters in (a) read.php; and the (3) id and (4) parent parameters and (5) CSForum_nom, (6) CSForum_mail, and (7) CSForum_url cookie parameters in (b) ajouter.php. | |||||