Total: 5222 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2008-2343 | 1 News Manager | 1 News Manager | 2024-02-28 | 7.5 HIGH | N/A | News Manager 2.0 allows remote attackers to bypass restrictions and obtain sensitive information via a direct request to (1) db/connect_str.php and (2) login/info.php.
CVE-2009-1821 | 1 Dmxready | 1 Registration Manager | 2024-02-28 | 5.0 MEDIUM | N/A | DMXReady Registration Manager 1.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for databases/webblogmanager.mdb.
CVE-2008-7062 | 1 Lovecms | 1 Lovecms | 2024-02-28 | 6.8 MEDIUM | N/A | Unrestricted file upload vulnerability in admin/index.php in Download Manager module 1.0 for LoveCMS 1.6.2 Final allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/.
CVE-2008-4245 | 1 Rianxosencabos Cms | 1 Rianxosencabos Cms | 2024-02-28 | 6.5 MEDIUM | N/A | The Admin Control Panel in Rianxosencabos CMS 0.9 does not require administrator privileges, which allows remote authenticated users to (1) change a user's privileges, (2) delete a user account, or perform unspecified other administrative actions via vectors involving an admin lista action to the default URI, possibly related to useradmin.php.
CVE-2009-1077 | 1 Sun | 1 Java System Identity Manager | 2024-02-28 | 6.5 MEDIUM | N/A | The Change My Password implementation in the admin interface in Sun Java System Identity Manager (IdM) 7.0 through 8.0 does not enforce the RequiresChallenge property setting, which allows remote authenticated users to change the passwords of other users, as demonstrated by changing the administrator's password.
CVE-2009-0809 | 2 3ds, Ibm | 2 Enovia Smarteam, Catia | 2024-02-28 | 3.5 LOW | N/A | The Web Editor in Dassault Systemes ENOVIA SmarTeam V5 before Release 18 Service Pack 8, and possibly CATIA and other products, allows remote authenticated users to read the profile card of an object in the document class via a link that is sent from the owner of the document object.
CVE-2009-2574 | 1 Bioscripts | 1 Minitwitter | 2024-02-28 | 6.5 MEDIUM | N/A | index.php in MiniTwitter 0.2 beta allows remote authenticated users to modify certain options of arbitrary accounts via an opt action.
CVE-2008-6613 | 1 Abweb | 1 Minimal-ablog | 2024-02-28 | 7.5 HIGH | N/A | uploader.php in minimal-ablog 0.4 does not properly restrict access, which allows remote attackers to gain administrative privileges via a direct request.
CVE-2009-0872 | 1 Sun | 2 Opensolaris, Solaris | 2024-02-28 | 6.8 MEDIUM | N/A | The NFS server in Sun Solaris 10, and OpenSolaris before snv_111, does not properly implement the AUTH_NONE (aka sec=none) security mode in combination with other security modes, which allows remote attackers to bypass intended access restrictions and read or modify files, as demonstrated by a combination of the AUTH_NONE and AUTH_SYS security modes.
CVE-2007-5289 | 1 Hp | 2 Mercury Quality Center, Testdirector | 2024-02-28 | 7.6 HIGH | N/A | HP Mercury Quality Center (QC) 9.2 and earlier, and possibly TestDirector, relies on cached client-side scripts to implement "workflow" and decisions about the "capability" of a user, which allows remote attackers to execute arbitrary code via crafted use of the Open Test Architecture (OTA) API, as demonstrated by modifying (1) common.tds, (2) defects.tds, (3) manrun.tds, (4) req.tds, (5) testlab.tds, or (6) testplan.tds in %tmp%\TD_80, and then setting the file's properties to read-only.
CVE-2008-6963 | 1 Turnkeyforms | 1 Text Link Sales | 2024-02-28 | 7.5 HIGH | N/A | admin.php in TurnkeyForms Text Link Sales allows remote attackers to bypass authentication and gain administrative privileges via a direct request.
CVE-2008-3527 | 1 Linux | 1 Linux Kernel | 2024-02-28 | 4.6 MEDIUM | N/A | arch/i386/kernel/sysenter.c in the Virtual Dynamic Shared Objects (vDSO) implementation in the Linux kernel before 2.6.21 does not properly check boundaries, which allows local users to gain privileges or cause a denial of service via unspecified vectors, related to the install_special_mapping, syscall, and syscall32_nopage functions.
CVE-2008-4451 | 1 Eset Software | 1 System Analyzer Tool | 2024-02-28 | 7.2 HIGH | N/A | The SysInspector AntiStealth driver (esiasdrv.sys) 3.0.65535.0 in ESET System Analyzer Tool 1.1.1.0 allows local users to execute arbitrary code via a certain METHOD_NEITHER IOCTL request to \Device\esiasdrv that overwrites a pointer.
CVE-2008-6355 | 1 Thenetguys | 1 Aspired2protect | 2024-02-28 | 5.0 MEDIUM | N/A | The Net Guys ASPired2Protect stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database containing the username and password via a direct request to ASPired2Protect.mdb.
CVE-2008-5896 | 1 Codeavalanche | 1 Ratemysite | 2024-02-28 | 7.5 HIGH | N/A | CodeAvalanche RateMySite stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file containing the administrator password via a direct request for _private/CARateMySite.mdb. NOTE: some of these details are obtained from third party information.
CVE-2008-7216 | 1 Wordpress | 1 Peter's Math Anti-spam For Wordpress | 2024-02-28 | 4.3 MEDIUM | N/A | Peter's Math Anti-Spam Spinoff plugin for WordPress generates audio CAPTCHA clips by concatenating static audio files without any additional distortion, which allows remote attackers to bypass CAPTCHA protection by reading certain bytes from the generated clip.
CVE-2008-3046 | 1 Typo3 | 1 Packman Extension | 2024-02-28 | 7.5 HIGH | N/A | Incomplete blacklist vulnerability in the Packman (kb_packman) extension 0.2.1 and earlier for TYPO3 has unknown impact and attack vectors.
CVE-2009-0419 | 1 Microsoft | 1 Xml Core Services | 2024-02-28 | 5.0 MEDIUM | N/A | Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-4033.
CVE-2009-2770 | 1 Powerupload | 1 Powerupload | 2024-02-28 | 7.5 HIGH | N/A | PowerUpload 2.4 allows remote attackers to bypass authentication and gain administrative access via a MIME encoded value of admin for the myadminname cookie.
CVE-2009-2602 | 1 R2newsletter | 3 R2 Newsletter Lite, R2 Newsletter Pro, R2 Newsletter Stats | 2024-02-28 | 5.0 MEDIUM | N/A | R2 Newsletter Lite, Pro, and Stats stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for admin.mdb.