Vulnerabilities (CVE)

Filtered by CWE-74
Total 961 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-0116 1 Ibm 1 Leads 2024-02-28 3.5 LOW N/A
IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6.0 before 8.6.0.8.1, 9.0.0 through 9.0.0.4, 9.1.0 before 9.1.0.6.1, and 9.1.1 before 9.1.1.0.2 does not properly restrict the addition of links, which makes it easier for remote authenticated users to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
CVE-2015-7466 1 Ibm 1 Jazz Reporting Service 2024-02-28 4.0 MEDIUM 3.1 LOW
Lifecycle Query Engine (LQE) in IBM Jazz Reporting Service (JRS) 6.0 before 6.0.0-Rational-CLM-ifix005 allows remote authenticated users to conduct LDAP injection attacks, and consequently bypass intended query restrictions or modify the LDAP directory, via unspecified vectors.
CVE-2016-5701 2 Opensuse, Phpmyadmin 3 Leap, Opensuse, Phpmyadmin 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
setup/frames/index.inc.php in phpMyAdmin 4.0.10.x before 4.0.10.16, 4.4.15.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI.
CVE-2015-3205 1 Libmimedir Project 1 Libmimedir 2024-02-28 7.5 HIGH N/A
libmimedir allows remote attackers to execute arbitrary code via a VCF file with two NULL bytes at the end of the file, related to "free" function calls in the "lexer's memory clean-up procedure."
CVE-2016-0881 1 Emc 1 Documentum Xcp 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
EMC Documentum xCP 2.1 before patch 23 and 2.2 before patch 11 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and obtain sensitive repository information by appending a query to a REST request.
CVE-2014-7287 1 Symantec 2 Encryption Management Server, Pgp Universal Server 2024-02-28 5.0 MEDIUM N/A
The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header.
CVE-2013-6435 2 Debian, Rpm 2 Debian Linux, Rpm 2024-02-28 7.6 HIGH N/A
Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.
CVE-2013-6501 2 Php, Suse 2 Php, Linux Enterprise Server 2024-02-28 4.6 MEDIUM N/A
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.
CVE-2015-1592 2 Debian, Sixapart 2 Debian Linux, Movable Type 2024-02-28 7.5 HIGH N/A
Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and execute arbitrary local Perl files and possibly execute arbitrary code via unspecified vectors.
CVE-2014-8423 1 Arris 1 Vap2500 Firmware 2024-02-28 10.0 HIGH N/A
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.
CVE-2015-1169 1 Apereo 1 Central Authentication Service 2024-02-28 7.5 HIGH N/A
Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication.
CVE-2015-0931 1 Ektron 1 Ektron Content Management System 2024-02-28 6.8 MEDIUM N/A
Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1, when the Saxon XSLT parser is used, allows remote attackers to execute arbitrary code via a crafted XSLT document, related to a "resource injection" issue.
CVE-2011-2805 2 Apple, Google 3 Iphone Os, Safari, Chrome 2024-02-28 6.8 MEDIUM N/A
Google Chrome before 13.0.782.107 allows remote attackers to bypass the Same Origin Policy and conduct script injection attacks via unspecified vectors.
CVE-2011-2855 2 Apple, Google 4 Iphone Os, Itunes, Safari and 1 more 2024-02-28 6.8 MEDIUM N/A
Google Chrome before 14.0.835.163 does not properly handle Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale node."
CVE-2009-1781 1 Frax 1 Php Recommend 2024-02-28 7.5 HIGH N/A
Static code injection vulnerability in admin.php in Frax.dk Php Recommend 1.3 and earlier allows remote attackers to inject arbitrary PHP code into phpre_config.php via the form_aula parameter.
CVE-2007-4190 1 Joomla 1 Joomla\! 2024-02-28 4.3 MEDIUM N/A
CRLF injection vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to inject arbitrary HTTP headers and probably conduct HTTP response splitting attacks via CRLF sequences in the url parameter. NOTE: this can be leveraged for cross-site scripting (XSS) attacks. NOTE: some of these details are obtained from third party information.
CVE-2008-0456 2 Apache, Redhat 4 Http Server, Enterprise Linux Desktop, Enterprise Linux Server and 1 more 2024-02-28 2.6 LOW N/A
CRLF injection vulnerability in the mod_negotiation module in the Apache HTTP Server 2.2.6 and earlier in the 2.2.x series, 2.0.61 and earlier in the 2.0.x series, and 1.3.39 and earlier in the 1.3.x series allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by uploading a file with a multi-line name containing HTTP header sequences and a file extension, which leads to injection within a (1) "406 Not Acceptable" or (2) "300 Multiple Choices" HTTP response when the extension is omitted in a request for the file.
CVE-2005-3007 1 Opera 1 Opera Browser 2024-02-28 2.6 LOW N/A
Opera before 8.50 allows remote attackers to spoof the content type of files via a filename with a trailing "." (dot), which might allow remote attackers to trick users into processing dangerous content.
CVE-2004-1157 1 Opera 1 Opera Browser 2024-02-28 7.5 HIGH N/A
Opera 7.x up to 7.54, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.
CVE-2004-2570 1 Opera 1 Opera Browser 2024-02-28 5.0 MEDIUM N/A
Opera before 7.54 allows remote attackers to modify properties and methods of the location object and execute Javascript to read arbitrary files from the client's local filesystem or display a false URL to the user.