Total
266239 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2008-6001 | 1 Adnforum | 1 Adnforum | 2024-02-28 | 7.5 HIGH | N/A |
index.php in ADN Forum 1.0b and earlier allows remote attackers to bypass authentication and gain sysop access via a fpusuario cookie composed of an initial sysop: string, an arbitrary password field, and a final :sysop:0 string. | |||||
CVE-2008-2020 | 8 E107, Labgab, My123tkshop and 5 more | 8 E107, Labgab, E-commerce-suite and 5 more | 2024-02-28 | 6.8 MEDIUM | 7.5 HIGH |
The CAPTCHA implementation as used in (1) Francisco Burzi PHP-Nuke 7.0 and 8.1, (2) my123tkShop e-Commerce-Suite (aka 123tkShop) 0.9.1, (3) phpMyBitTorrent 1.2.2, (4) TorrentFlux 2.3, (5) e107 0.7.11, (6) WebZE 0.5.9, (7) Open Media Collectors Database (aka OpenDb) 1.5.0b4, and (8) Labgab 1.1 uses a code_bg.jpg background image and the PHP ImageString function in a way that produces an insufficient number of different images, which allows remote attackers to pass the CAPTCHA test via an automated attack using a table of all possible image checksums and their corresponding digit strings. | |||||
CVE-2008-3684 | 1 Emc | 1 Documentum Applicationxtender | 2024-02-28 | 10.0 HIGH | N/A |
Heap-based buffer overflow in aws_tmxn.exe in the Admin Agent service in the server in EMC Documentum ApplicationXtender Workflow, possibly 5.40 SP1 and earlier, allows remote attackers to execute arbitrary code via crafted packet data to TCP port 2606. | |||||
CVE-2008-5035 | 1 Ibm | 1 Hardware Management Console | 2024-02-28 | 5.0 MEDIUM | N/A |
The Resource Monitoring and Control (RMC) daemon in IBM Hardware Management Console (HMC) 7 release 3.2.0 SP1 and 3.3.0 SP2 allows remote attackers to cause a denial of service (daemon crash or hang) via a packet with an invalid length. | |||||
CVE-2008-6254 | 1 Jadu | 1 Jadu Galaxies | 2024-02-28 | 7.5 HIGH | N/A |
SQL injection vulnerability in scripts/documents.php in Jadu Galaxies allows remote attackers to execute arbitrary SQL commands via the categoryID parameter. | |||||
CVE-2008-0925 | 1 Novell | 1 Edirectory | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the iMonitor interface in Novell eDirectory 8.7.3.x before 8.7.3 sp10, and 8.8.x before 8.8.2 ftf2, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters that are used within "error messages of the HTTP stack." | |||||
CVE-2008-3316 | 1 Portalparts | 1 Forum Plugin | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the search feature in the Forum plugin before 2.7.1 for Geeklog allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably related to (1) public_html/index.php, (2) config.php, and (3) functions.inc. | |||||
CVE-2008-2267 | 1 Cms Made Simple | 1 Cms Made Simple | 2024-02-28 | 7.5 HIGH | N/A |
Incomplete blacklist vulnerability in javaUpload.php in Postlet in the FileManager module in CMS Made Simple 1.2.4 and earlier allows remote attackers to execute arbitrary code by uploading a file with a name ending in (1) .jsp, (2) .php3, (3) .cgi, (4) .dhtml, (5) .phtml, (6) .php5, or (7) .jar, then accessing it via a direct request to the file in modules/FileManager/postlet/. | |||||
CVE-2008-3326 | 1 Moodle | 1 Moodle | 2024-02-28 | 2.6 LOW | N/A |
Cross-site scripting (XSS) vulnerability in blog/edit.php in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to inject arbitrary web script or HTML via the etitle parameter (blog entry title). | |||||
CVE-2009-2978 | 1 Sugarcrm | 1 Sugarcrm | 2024-02-28 | 7.5 HIGH | N/A |
SQL injection vulnerability in SugarCRM 4.5.1o and earlier, 5.0.0k and earlier, and 5.2.0g and earlier, allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
CVE-2009-1212 | 1 Precisionid | 1 Data Matrix Barcode Activex Control | 2024-02-28 | 7.8 HIGH | N/A |
Multiple insecure method vulnerabilities in PRECIS~2.DLL in the PrecisionID Datamatrix ActiveX control (DMATRIXLib.Datamatrix) allow remote attackers to overwrite arbitrary files via the (1) SaveBarCode and (2) SaveEnhWMF methods. | |||||
CVE-2009-3720 | 4 A M Kuchling, Apache, Libexpat Project and 1 more | 4 Pyxml, Http Server, Libexpat and 1 more | 2024-02-28 | 5.0 MEDIUM | N/A |
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625. | |||||
CVE-2009-2473 | 1 Webdav | 1 Neon | 2024-02-28 | 4.3 MEDIUM | N/A |
neon before 0.28.6, when expat is used, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | |||||
CVE-2009-2721 | 1 Sun | 1 Java Se | 2024-02-28 | 10.0 HIGH | N/A |
Multiple unspecified vulnerabilities in the Provider class in Sun Java SE 5.0 before Update 20 have unknown impact and attack vectors, aka BugId 6406003. | |||||
CVE-2009-3261 | 1 Livestreet | 1 Livestreet | 2024-02-28 | 7.5 HIGH | N/A |
update/update_0.1.2_to_0.2.php in LiveStreet 0.2 does not require administrative authentication, which allows remote attackers to perform DROP TABLE operations via unspecified vectors. | |||||
CVE-2009-3017 | 1 Orcabrowser | 1 Orca Browser | 2024-02-28 | 4.3 MEDIUM | N/A |
Orca Browser 1.2 build 5 does not properly block data: URIs in Refresh and Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header, (3) injecting a Location header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Location header; and does not properly handle javascript: URIs in HTML links within 302 error documents sent from web servers, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (5) injecting a Location HTTP response header or (6) specifying the content of a Location HTTP response header. | |||||
CVE-2008-2034 | 1 Wordpress | 1 Download Monitor Plugin | 2024-02-28 | 7.5 HIGH | N/A |
SQL injection vulnerability in wp-download_monitor/download.php in the Download Monitor 2.0.6 plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
CVE-2009-4090 | 1 Telepark | 1 Telepark.wiki | 2024-02-28 | 7.5 HIGH | N/A |
Unrestricted file upload vulnerability in ajax/addComment.php in telepark.wiki 2.4.23 and earlier script allows remote attackers to execute arbitrary code by uploading a file with a name containing a NULL byte. | |||||
CVE-2008-7108 | 1 Phpcart | 1 Phpcart | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in Carmosa phpCart 3.4 through 4.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) quantity or (2) Add Engraving fields to the default URI; (3) Quantity field to phpcart.php; (4) Name, (5) Company, (6) Address, (7) City, and (8) Province/State fields in a checkout action to phpcart.php; and other unspecified vectors. | |||||
CVE-2008-6643 | 1 Lokicms | 1 Lokicms | 2024-02-28 | 5.0 MEDIUM | N/A |
LokiCMS 0.3.4 and possibly earlier versions does not properly restrict access to administrative functions, which allows remote attackers to bypass intended restrictions and modify configuration settings via the LokiACTION parameter in a direct request to admin.php. |