Max CVSS 10.0 Min CVSS 1.9 Total Count 1730
ID CVSS Summary Last (major) update Published
CVE-2018-11656 4.3
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function ReadDCMImage in coders/dcm.c, which allows attackers to cause a denial of service via a crafted DCM image file.
01-06-2018 - 11:29 01-06-2018 - 11:29
CVE-2018-11655 4.3
In ImageMagick 7.0.7-20 Q16 x86_64, a memory leak vulnerability was found in the function GetImagePixelCache in MagickCore/cache.c, which allows attackers to cause a denial of service via a crafted CALS image file.
01-06-2018 - 11:29 01-06-2018 - 11:29
CVE-2018-11625 6.8
In ImageMagick 7.0.7-37 Q16, SetGrayscaleImage in the quantize.c file allows attackers to cause a heap-based buffer over-read via a crafted file.
31-05-2018 - 12:29 31-05-2018 - 12:29
CVE-2018-6493 6.5
SQL Injection in HP Network Operations Management Ultimate, version 2017.07, 2017.11, 2018.02 and in Network Automation, version 10.00, 10.10, 10.11, 10.20, 10.30, 10.40, 10.50. This vulnerability could be remotely exploited to allow Remote SQL Injec
22-05-2018 - 15:29 22-05-2018 - 15:29
CVE-2018-6492 4.3
Persistent Cross-Site Scripting, and non-persistent HTML Injection in HP Network Operations Management Ultimate, version 2017.07, 2017.11, 2018.02 and in Network Automation, version 10.00, 10.10, 10.11, 10.20, 10.30, 10.40, 10.50. This vulnerability
22-05-2018 - 15:29 22-05-2018 - 15:29
CVE-2018-6494 5.5
Remote SQL Injection against the HP Service Manager Software Web Tier, version 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, 9.41, 9.50, 9.51, may lead to unauthorized disclosure of data.
22-05-2018 - 14:29 22-05-2018 - 14:29
CVE-2018-4923 6.4
Adobe Connect versions 9.7 and earlier have an exploitable OS Command Injection. Successful exploitation could lead to arbitrary file deletion.
19-05-2018 - 13:29 19-05-2018 - 13:29
CVE-2018-4921 4.3
Adobe Connect versions 9.7 and earlier have an exploitable unrestricted SWF file upload vulnerability. Successful exploitation could lead to information disclosure.
19-05-2018 - 13:29 19-05-2018 - 13:29
CVE-2018-11251 4.3
In ImageMagick 7.0.7-23 Q16 x86_64 2018-01-24, there is a heap-based buffer over-read in ReadSUNImage in coders/sun.c, which allows attackers to cause a denial of service (application crash in SetGrayscaleImage in MagickCore/quantize.c) via a crafted
18-05-2018 - 15:29 18-05-2018 - 15:29
CVE-2017-18273 7.1
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadTXTImage in coders/txt.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted image file that is mishandled in
18-05-2018 - 15:29 18-05-2018 - 15:29
CVE-2017-18271 7.1
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted MIFF image file.
18-05-2018 - 15:29 18-05-2018 - 15:29
CVE-2018-10805 4.3
ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
08-05-2018 - 03:29 08-05-2018 - 03:29
CVE-2018-10804 4.3
ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage in coders/tiff.c.
08-05-2018 - 03:29 08-05-2018 - 03:29
CVE-2018-0258 10.0
A vulnerability in the Cisco Prime File Upload servlet affecting multiple Cisco products could allow a remote attacker to upload arbitrary files to any directory of a vulnerable device (aka Path Traversal) and execute those files. This vulnerability
02-05-2018 - 18:29 02-05-2018 - 18:29
CVE-2018-10177 4.3
In ImageMagick 7.0.7-28, there is an infinite loop in the ReadOneMNGImage function of the coders/png.c file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted mng file.
16-04-2018 - 19:29 16-04-2018 - 19:29
CVE-2018-9843 7.5
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute arbitrary code via a serialized .NET object in an Authorization HTTP header.
16-04-2018 - 05:58 12-04-2018 - 11:29
CVE-2018-9133 4.3
ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage and EncodeLabImage functions (coders/tiff.c), which results in a hang (tens of minutes) with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial
30-03-2018 - 04:29 30-03-2018 - 04:29
CVE-2017-18254 4.3
An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function WriteGIFImage in coders/gif.c, which allows remote attackers to cause a denial of service via a crafted file.
26-03-2018 - 23:29 26-03-2018 - 23:29
CVE-2017-18252 4.3
An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList function in MagickWand/mogrify.c allows attackers to cause a denial of service (assertion failure and application exit in ReplaceImageInList) via a crafted file.
26-03-2018 - 23:29 26-03-2018 - 23:29
CVE-2017-18251 4.3
An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerability was found in the function ReadPCDImage in coders/pcd.c, which allows remote attackers to cause a denial of service via a crafted file.
26-03-2018 - 23:29 26-03-2018 - 23:29
CVE-2018-8960 6.8
The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-26 Q16 does not properly restrict memory allocation, leading to a heap-based buffer over-read.
23-03-2018 - 17:29 23-03-2018 - 17:29
CVE-2018-8804 6.8
WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote attackers to cause a denial of service (MagickCore/memory.c double free and application crash) or possibly have unspecified other impact via a crafted file.
20-03-2018 - 01:29 20-03-2018 - 01:29
CVE-2018-8721 4.3
Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has Stored XSS related to the index2.do?url=editAlertForm&tab=alert&alert=profile URI and the Edit Alert Profile screen
15-03-2018 - 00:29 15-03-2018 - 00:29
CVE-2018-8045 6.5
In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable in a SQL statement leads to a SQL injection vulnerability in the User Notes list view.
14-03-2018 - 21:29 14-03-2018 - 21:29
CVE-2017-18211 7.5
In ImageMagick 7.0.7, a NULL pointer dereference vulnerability was found in the function saveBinaryCLProgram in magick/opencl.c because a program-lookup result is not checked, related to CacheOpenCLKernel.
01-03-2018 - 16:29 01-03-2018 - 16:29
CVE-2017-18209 6.8
In the GetOpenCLCachedFilesDirectory function in magick/opencl.c in ImageMagick 7.0.7, a NULL pointer dereference vulnerability occurs because a memory allocation result is not checked, related to GetOpenCLCacheDirectory.
01-03-2018 - 16:29 01-03-2018 - 16:29
CVE-2018-7443 4.3
The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-23 Q16 does not properly validate the amount of image data in a file, which allows remote attackers to cause a denial of service (memory allocation failure in the AcquireMagickMemory fu
23-02-2018 - 17:29 23-02-2018 - 17:29
CVE-2017-8952 5.0
A Disclosure of Sensitive Information vulnerability in HPE SiteScope version v11.2x, v11.3x was found.
15-02-2018 - 17:29 15-02-2018 - 17:29
CVE-2017-8951 4.6
A Disclosure of Sensitive Information vulnerability in HPE SiteScope version v11.2x, v11.3x was found.
15-02-2018 - 17:29 15-02-2018 - 17:29
CVE-2017-8950 2.1
A Disclosure of Sensitive Information vulnerability in HPE SiteScope version v11.2x, v11.3x was found.
15-02-2018 - 17:29 15-02-2018 - 17:29
CVE-2017-8949 2.1
A Disclosure of Sensitive Information vulnerability in HPE SiteScope version v11.2x, v11.3x was found.
15-02-2018 - 17:29 15-02-2018 - 17:29
CVE-2017-12542 10.0
An authentication bypass and execution of code vulnerability in HPE Integrated Lights-out 4 (iLO 4) versions prior to 2.53 was found.
15-02-2018 - 17:29 15-02-2018 - 17:29
CVE-2018-6551 7.5
The malloc implementation in the GNU C Library (aka glibc or libc6), from version 2.24 to 2.26 on powerpc, and only in version 2.26 on i386, did not properly handle malloc calls with arguments close to SIZE_MAX and could return a pointer to a heap re
02-02-2018 - 09:29 02-02-2018 - 09:29
CVE-2018-6485 7.5
An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to
01-02-2018 - 09:29 01-02-2018 - 09:29
CVE-2017-1000409 6.9
A buffer overflow in glibc 2.5 (released on September 29, 2006) can be triggered through the LD_LIBRARY_PATH environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
31-01-2018 - 23:29 31-01-2018 - 23:29
CVE-2017-1000408 7.2
A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.
31-01-2018 - 23:29 31-01-2018 - 23:29
CVE-2018-1000001 7.2
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
31-01-2018 - 09:29 31-01-2018 - 09:29
CVE-2018-6405 4.3
In the ReadDCMImage function in coders/dcm.c in ImageMagick before 7.0.7-23, each redmap, greenmap, and bluemap variable can be overwritten by a new pointer. The previous pointer is lost, which leads to a memory leak. This allows remote attackers to
30-01-2018 - 16:29 30-01-2018 - 16:29
CVE-2017-18029 4.3
In ImageMagick 7.0.6-10 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows remote attackers to cause a denial of service via a crafted file.
12-01-2018 - 15:29 12-01-2018 - 15:29
CVE-2017-18028 7.1
In ImageMagick 7.0.7-1 Q16, a memory exhaustion vulnerability was found in the function ReadTIFFImage in coders/tiff.c, which allows remote attackers to cause a denial of service via a crafted file.
12-01-2018 - 15:29 12-01-2018 - 15:29
CVE-2017-18027 4.3
In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows remote attackers to cause a denial of service via a crafted file.
12-01-2018 - 15:29 12-01-2018 - 15:29
CVE-2018-5358 4.3
ImageMagick 7.0.7-22 Q16 has memory leaks in the EncodeImageAttributes function in coders/json.c, as demonstrated by the ReadPSDLayersInternal function in coders/psd.c.
12-01-2018 - 04:29 12-01-2018 - 04:29
CVE-2018-5357 4.3
ImageMagick 7.0.7-22 Q16 has memory leaks in the ReadDCMImage function in coders/dcm.c.
12-01-2018 - 04:29 12-01-2018 - 04:29
CVE-2018-5248 6.8
In ImageMagick 7.0.7-17 Q16, there is a heap-based buffer over-read in coders/sixel.c in the ReadSIXELImage function, related to the sixel_decode function.
05-01-2018 - 14:29 05-01-2018 - 14:29
CVE-2018-5247 4.3
In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadRLAImage in coders/rla.c.
05-01-2018 - 14:29 05-01-2018 - 14:29
CVE-2018-5246 4.3
In ImageMagick 7.0.7-17 Q16, there are memory leaks in ReadPATTERNImage in coders/pattern.c.
05-01-2018 - 14:29 05-01-2018 - 14:29
CVE-2017-18022 4.3
In ImageMagick 7.0.7-12 Q16, there are memory leaks in MontageImageCommand in MagickWand/montage.c.
05-01-2018 - 14:29 05-01-2018 - 14:29
CVE-2018-0803 5.8
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to access information from one domain and inject it into another domain, due to how Microsoft Edge enforces cross-domain policies, aka "Mi
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0781 7.6
Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memor
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0780 2.6
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how the scripting engine handles objects in memory, aka "Scripting E
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0777 7.6
Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memor
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0776 7.6
Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memor
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0772 7.6
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Internet Explorer and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 all
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0770 7.6
Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memor
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0769 7.6
Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memor
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0767 2.6
Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how the scripting engine handles objects in memory, aka "Scripting Engine
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0766 4.3
Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to obtain information to further compromise the user's system, due to how the Microsoft Edge PDF Reader handles objects in memory, aka "Mi
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0762 7.6
Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, and Internet Explorer and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 all
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0758 7.6
Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Server 2016 allows an attacker to execute arbitrary code in the context of the current user, due to how the scripting engine handles objects in memory, aka "Scripting Engine Memor
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0754 2.1
The Windows Adobe Type Manager Font Driver (Atmfd.dll) in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, versi
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0753 7.1
Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allow a denial of service vulnerability due to the way objects are handled in memory, aka "Windows IP
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0752 4.6
The Windows Kernel API in Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way the Kernel AP
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0751 3.6
The Windows Kernel API in Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way the Kernel AP
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0749 4.6
The Microsoft Server Message Block (SMB) Server in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0748 4.6
The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privi
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0747 1.9
The Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclo
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0746 1.9
The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an information disclosure vulnerability due to the way memory addresses
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2018-0744 4.4
The Windows kernel in Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703 and 1709, Windows Server 2016 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way objects are handl
04-01-2018 - 09:29 04-01-2018 - 09:29
CVE-2017-5754 4.7
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
04-01-2018 - 08:29 04-01-2018 - 08:29
CVE-2017-5753 4.7
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
04-01-2018 - 08:29 04-01-2018 - 08:29
CVE-2017-5715 4.7
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
04-01-2018 - 08:29 04-01-2018 - 08:29
CVE-2017-1000476 7.1
In ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in the function ReadDDSInfo in coders/dds.c, which allows attackers to cause a denial of service.
03-01-2018 - 13:29 03-01-2018 - 13:29
CVE-2017-1000445 4.3
ImageMagick 7.0.7-1 and older versions are vulnerable to a NULL pointer dereference in the MagickCore component, which might lead to denial of service.
02-01-2018 - 10:29 02-01-2018 - 10:29
CVE-2017-18008 4.3
In ImageMagick 7.0.7-17 Q16, there is a Memory Leak in ReadPWPImage in coders/pwp.c.
01-01-2018 - 03:29 01-01-2018 - 03:29
CVE-2017-17934 5.0
ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, related to MSLPopImage and ProcessMSLScript, and associated with mishandling of MSLPushImage calls.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17914 7.1
In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of service (ReadOneMNGImage large loop) via a crafted mng image file.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17887 4.3
In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in the function GetImagePixelCache in magick/cache.c, which allows attackers to cause a denial of service via a crafted MNG image file that is processed by ReadOneMNGImage.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17886 4.3
In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadPSDChannelZip in coders/psd.c, which allows attackers to cause a denial of service via a crafted psd image file.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17885 4.3
In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadPICTImage in coders/pict.c, which allows attackers to cause a denial of service via a crafted PICT image file.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17884 4.3
In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in the function WriteOnePNGImage in coders/png.c, which allows attackers to cause a denial of service via a crafted PNG image file.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17882 4.3
In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadXPMImage in coders/xpm.c, which allows attackers to cause a denial of service via a crafted XPM image file.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17881 4.3
In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted MAT image file.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-17879 6.8
In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based buffer over-read in ReadOneMNGImage in coders/png.c, related to length calculation and caused by an off-by-one error.
27-12-2017 - 12:08 27-12-2017 - 12:08
CVE-2017-16997 9.3
elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the cu
17-12-2017 - 20:29 17-12-2017 - 20:29
CVE-2017-17682 7.1
In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in the function ExtractPostscript in coders/wpg.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted wpg image file that triggers a ReadWPGImage call.
14-12-2017 - 01:29 14-12-2017 - 01:29
CVE-2017-17681 7.1
In ImageMagick 7.0.7-12 Q16, an infinite loop vulnerability was found in the function ReadPSDChannelZip in coders/psd.c, which allows attackers to cause a denial of service (CPU exhaustion) via a crafted psd image file.
14-12-2017 - 01:29 14-12-2017 - 01:29
CVE-2017-17680 4.3
In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in the function ReadXPMImage in coders/xpm.c, which allows attackers to cause a denial of service via a crafted xpm image file.
14-12-2017 - 01:29 14-12-2017 - 01:29
CVE-2017-17504 4.3
ImageMagick before 7.0.7-12 has a coders/png.c Magick_png_read_raw_profile heap-based buffer over-read via a crafted file, related to ReadOneMNGImage.
10-12-2017 - 21:29 10-12-2017 - 21:29
CVE-2017-17499 7.5
ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-free in Magick::Image::read in Magick++/lib/Image.cpp.
10-12-2017 - 21:29 10-12-2017 - 21:29
CVE-2017-16562 7.5
The UserPro plugin before 4.9.17.1 for WordPress, when used on a site with the "admin" username, allows remote attackers to bypass authentication and obtain administrative access via a "true" value for the up_auto_log parameter in the QUERY_STRING to
09-11-2017 - 21:29 09-11-2017 - 21:29
CVE-2015-7501 10.0
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x
09-11-2017 - 12:29 09-11-2017 - 12:29
CVE-2017-16546 6.8
The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does not properly validate the colormap index in a WPG palette, which allows remote attackers to cause a denial of service (use of uninitialized data or invalid memory allocation) or po
05-11-2017 - 17:29 05-11-2017 - 17:29
CVE-2012-4378 4.3
Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki before 1.18.5 and 1.19.x before 1.19.2, when unspecified JavaScript gadgets are used, allow remote attackers to inject arbitrary web script or HTML via the userlang parameter to w/index
26-10-2017 - 16:29 26-10-2017 - 16:29
CVE-2012-4377 4.3
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 and 1.19.x before 1.19.2 allows remote attackers to inject arbitrary web script or HTML via a File: link to a nonexistent image.
26-10-2017 - 16:29 26-10-2017 - 16:29
CVE-2017-15804 7.5
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.
22-10-2017 - 16:29 22-10-2017 - 16:29
CVE-2017-15671 4.3
The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (mem
20-10-2017 - 13:29 20-10-2017 - 13:29
CVE-2017-15670 7.5
The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.
20-10-2017 - 13:29 20-10-2017 - 13:29
CVE-2012-4382 4.0
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt.
19-10-2017 - 17:29 19-10-2017 - 17:29
CVE-2012-4380 5.0
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 allows remote attackers to bypass GlobalBlocking extension IP address blocking and create an account via unspecified vectors.
19-10-2017 - 17:29 19-10-2017 - 17:29
CVE-2012-4379 4.3
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via an embedded API response in an IFRAME element.
19-10-2017 - 17:29 19-10-2017 - 17:29
CVE-2017-15281 6.8
ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to "Conditional jump or move depends on uninitialised v
12-10-2017 - 04:29 12-10-2017 - 04:29
CVE-2017-15277 4.3
ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process
12-10-2017 - 04:29 12-10-2017 - 04:29
CVE-2017-8994 7.5
An input validation vulnerability in the HPE Operations Orchestration product, all versions prior to 10.80, allows for the execution of code remotely.
10-10-2017 - 17:29 10-10-2017 - 17:29
CVE-2017-15218 4.3
ImageMagick 7.0.7-2 has a memory leak in ReadOneJNGImage in coders/png.c.
10-10-2017 - 16:29 10-10-2017 - 16:29
CVE-2017-15217 4.3
ImageMagick 7.0.7-2 has a memory leak in ReadSGIImage in coders/sgi.c.
10-10-2017 - 16:29 10-10-2017 - 16:29
CVE-2017-15033 5.0
ImageMagick version 7.0.7-2 contains a memory leak in ReadYUVImage in coders/yuv.c.
05-10-2017 - 03:29 05-10-2017 - 03:29
CVE-2017-15032 7.5
ImageMagick version 7.0.7-2 contains a memory leak in ReadYCBCRImage in coders/ycbcr.c.
05-10-2017 - 03:29 05-10-2017 - 03:29
CVE-2017-15017 7.5
ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in ReadOneMNGImage in coders/png.c.
04-10-2017 - 21:29 04-10-2017 - 21:29
CVE-2017-15016 7.5
ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in ReadEnhMetaFile in coders/emf.c.
04-10-2017 - 21:29 04-10-2017 - 21:29
CVE-2017-15015 7.5
ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability in PDFDelegateMessage in coders/pdf.c.
04-10-2017 - 21:29 04-10-2017 - 21:29
CVE-2017-14989 4.3
A use-after-free in RenderFreetype in MagickCore/annotate.c in ImageMagick 7.0.7-4 Q16 allows attackers to crash the application via a crafted font file, because the FT_Done_Glyph function (from FreeType 2) is called at an incorrect place in the Imag
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2015-6576 6.5
Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.
02-10-2017 - 21:29 02-10-2017 - 21:29
CVE-2017-14741 4.3
The ReadCAPTIONImage function in coders/caption.c in ImageMagick 7.0.7-3 allows remote attackers to cause a denial of service (infinite loop) via a crafted font file.
25-09-2017 - 22:29 25-09-2017 - 22:29
CVE-2017-14739 5.0
The AcquireResampleFilterThreadSet function in magick/resample-private.h in ImageMagick 7.0.7-4 mishandles failed memory allocation, which allows remote attackers to cause a denial of service (NULL Pointer Dereference in DistortImage in MagickCore/di
25-09-2017 - 22:29 25-09-2017 - 22:29
CVE-2017-14684 7.1
In ImageMagick 7.0.7-4 Q16, a memory leak vulnerability was found in the function ReadVIPSImage in coders/vips.c, which allows attackers to cause a denial of service (memory consumption in ResizeMagickMemory in MagickCore/memory.c) via a crafted file
21-09-2017 - 21:29 21-09-2017 - 21:29
CVE-2017-14682 6.8
GetNextToken in MagickCore/token.c in ImageMagick 7.0.6 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted SVG document, a different vulnerab
21-09-2017 - 19:29 21-09-2017 - 19:29
CVE-2017-14626 7.5
ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability in the function sixel_decode in coders/sixel.c.
21-09-2017 - 01:29 21-09-2017 - 01:29
CVE-2017-14625 7.5
ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability in the function sixel_output_create in coders/sixel.c.
21-09-2017 - 01:29 21-09-2017 - 01:29
CVE-2017-14624 7.5
ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability in the function PostscriptDelegateMessage in coders/ps.c.
21-09-2017 - 01:29 21-09-2017 - 01:29
CVE-2017-14607 5.8
In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related to ReadTIFFImage has been reported in coders/tiff.c. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash.
20-09-2017 - 13:29 20-09-2017 - 13:29
CVE-2017-14533 4.3
ImageMagick 7.0.6-6 has a memory leak in ReadMATImage in coders/mat.c.
17-09-2017 - 21:29 17-09-2017 - 21:29
CVE-2017-14532 7.5
ImageMagick 7.0.7-0 has a NULL Pointer Dereference in TIFFIgnoreTags in coders/tiff.c.
17-09-2017 - 21:29 17-09-2017 - 21:29
CVE-2017-14531 7.1
ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in coders/sun.c.
17-09-2017 - 21:29 17-09-2017 - 21:29
CVE-2017-14505 4.3
DrawGetStrokeDashArray in wand/drawing-wand.c in ImageMagick 7.0.7-1 mishandles certain NULL arrays, which allows attackers to perform Denial of Service (NULL pointer dereference and application crash in AcquireQuantumMemory within MagickCore/memory.
17-09-2017 - 15:29 17-09-2017 - 15:29
CVE-2017-14400 4.3
In ImageMagick 7.0.7-1 Q16, the PersistPixelCache function in magick/cache.c mishandles the pixel cache nexus, which allows remote attackers to cause a denial of service (NULL pointer dereference in the function GetVirtualPixels in MagickCore/cache.c
12-09-2017 - 17:29 12-09-2017 - 17:29
CVE-2017-14343 4.3
ImageMagick 7.0.6-6 has a memory leak vulnerability in ReadXCFImage in coders/xcf.c via a crafted xcf image file.
12-09-2017 - 13:29 12-09-2017 - 13:29
CVE-2017-14342 4.3
ImageMagick 7.0.6-6 has a memory exhaustion vulnerability in ReadWPGImage in coders/wpg.c via a crafted wpg image file.
12-09-2017 - 13:29 12-09-2017 - 13:29
CVE-2017-14341 7.1
ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGImage in coders/wpg.c, causing CPU exhaustion via a crafted wpg image file.
12-09-2017 - 13:29 12-09-2017 - 13:29
CVE-2014-9635 5.0
Jenkins before 1.586 does not set the HttpOnly flag in a Set-Cookie header for session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
12-09-2017 - 10:29 12-09-2017 - 10:29
CVE-2014-9634 5.0
Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
12-09-2017 - 10:29 12-09-2017 - 10:29
CVE-2017-14326 4.3
In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted file.
12-09-2017 - 04:29 12-09-2017 - 04:29
CVE-2017-14325 7.1
In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in the function PersistPixelCache in magick/cache.c, which allows attackers to cause a denial of service (memory consumption in ReadMPCImage in coders/mpc.c) via a crafted file.
12-09-2017 - 04:29 12-09-2017 - 04:29
CVE-2017-14249 4.3
ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage in coders/mpc.c, leading to division by zero in GetPixelCacheTileSize in MagickCore/cache.c, allowing remote attackers to cause a denial of service via a crafted file.
11-09-2017 - 05:29 11-09-2017 - 05:29
CVE-2017-14224 6.8
A heap-based buffer overflow in WritePCXImage in coders/pcx.c in ImageMagick 7.0.6-8 Q16 allows remote attackers to cause a denial of service or code execution via a crafted file.
08-09-2017 - 21:29 08-09-2017 - 21:29
CVE-2017-14175 7.1
In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted XBM file, which claims large rows and columns fields in the header but does not contain suf
07-09-2017 - 02:29 07-09-2017 - 02:29
CVE-2017-14174 7.1
In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInternal() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file, which claims a large "length" field in the header but does not contain s
07-09-2017 - 02:29 07-09-2017 - 02:29
CVE-2017-14173 4.3
In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, an integer overflow might occur for the addition operation "GetQuantumRange(depth)+1" when "depth" is large, producing a smaller value than expected. As a result, an infinite loo
07-09-2017 - 02:29 07-09-2017 - 02:29
CVE-2017-14172 7.1
In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file, which claims a large "extent" field in the header but does not contain sufficient b
07-09-2017 - 02:29 07-09-2017 - 02:29
CVE-2017-12693 7.1
The ReadBMPImage function in coders/bmp.c in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (memory consumption) via a crafted BMP file.
01-09-2017 - 17:29 01-09-2017 - 17:29
CVE-2017-12692 7.1
The ReadVIFFImage function in coders/viff.c in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (memory consumption) via a crafted VIFF file.
01-09-2017 - 17:29 01-09-2017 - 17:29
CVE-2017-12691 7.1
The ReadOneLayer function in coders/xcf.c in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (memory consumption) via a crafted file.
01-09-2017 - 17:29 01-09-2017 - 17:29
CVE-2017-14062 7.5
Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
31-08-2017 - 12:29 31-08-2017 - 12:29
CVE-2017-14060 4.3
In ImageMagick 7.0.6-10, a NULL Pointer Dereference issue is present in the ReadCUTImage function in coders/cut.c that could allow an attacker to cause a Denial of Service (in the QueueAuthenticPixelCacheNexus function within the MagickCore/cache.c f
31-08-2017 - 11:29 31-08-2017 - 11:29
CVE-2017-13769 4.3
The WriteTHUMBNAILImage function in coders/thumbnail.c in ImageMagick through 7.0.6-10 allows an attacker to cause a denial of service (buffer over-read) by sending a crafted JPEG file.
30-08-2017 - 05:29 30-08-2017 - 05:29
CVE-2017-13768 4.3
Null Pointer Dereference in the IdentifyImage function in MagickCore/identify.c in ImageMagick through 7.0.6-10 allows an attacker to perform denial of service by sending a crafted image file.
30-08-2017 - 05:29 30-08-2017 - 05:29
CVE-2017-13758 4.3
In ImageMagick 7.0.6-10, there is a heap-based buffer overflow in the TracePoint() function in MagickCore/draw.c.
29-08-2017 - 19:29 29-08-2017 - 19:29
CVE-2017-12875 7.1
The WritePixelCachePixels function in ImageMagick 7.0.6-6 allows remote attackers to cause a denial of service (CPU consumption) via a crafted file.
29-08-2017 - 11:29 29-08-2017 - 11:29
CVE-2017-12877 4.3
Use-after-free vulnerability in the DestroyImage function in image.c in ImageMagick before 7.0.6-6 allows remote attackers to cause a denial of service via a crafted file.
28-08-2017 - 15:29 28-08-2017 - 15:29
CVE-2017-13145 4.3
In ImageMagick before 6.9.8-8 and 7.x before 7.0.5-9, the ReadJP2Image function in coders/jp2.c does not properly validate the channel geometry, leading to a crash.
23-08-2017 - 02:29 23-08-2017 - 02:29
CVE-2017-13144 4.3
In ImageMagick before 6.9.7-10, there is a crash (rather than a "width or height exceeds limit" error report) if the image dimensions are too large, as demonstrated by use of the mpc coder.
23-08-2017 - 02:29 23-08-2017 - 02:29
CVE-2017-13143 5.0
In ImageMagick before 6.9.7-6 and 7.x before 7.0.4-6, the ReadMATImage function in coders/mat.c uses uninitialized data, which might allow remote attackers to obtain sensitive information from process memory.
23-08-2017 - 02:29 23-08-2017 - 02:29
CVE-2017-13142 4.3
In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG file could trigger a crash because there was an insufficient check for short files.
23-08-2017 - 02:29 23-08-2017 - 02:29
CVE-2017-13139 7.5
In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGImage function in coders/png.c has an out-of-bounds read with the MNG CLIP chunk.
23-08-2017 - 02:29 23-08-2017 - 02:29
CVE-2017-13134 4.3
In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer over-read was found in the function SFWScan in coders/sfw.c, which allows attackers to cause a denial of service via a crafted file.
22-08-2017 - 23:29 22-08-2017 - 23:29
CVE-2017-13131 4.3
In ImageMagick 7.0.6-8, a memory leak vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service (memory consumption in NewLinkedList in MagickCore/linked-list.c) via a crafted file.
22-08-2017 - 23:29 22-08-2017 - 23:29
CVE-2015-2857 7.5
Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter.
22-08-2017 - 11:29 22-08-2017 - 11:29
CVE-2017-13062 4.3
In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the function formatIPTC in coders/meta.c, which allows attackers to cause a denial of service (WriteMETAImage memory consumption) via a crafted file.
22-08-2017 - 02:29 22-08-2017 - 02:29
CVE-2017-13061 4.3
In ImageMagick 7.0.6-5, a length-validation vulnerability was found in the function ReadPSDLayersInternal in coders/psd.c, which allows attackers to cause a denial of service (ReadPSDImage memory exhaustion) via a crafted file.
22-08-2017 - 02:29 22-08-2017 - 02:29
CVE-2017-13060 4.3
In ImageMagick 7.0.6-5, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted file.
22-08-2017 - 02:29 22-08-2017 - 02:29
CVE-2017-13059 4.3
In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the function WriteOneJNGImage in coders/png.c, which allows attackers to cause a denial of service (WriteJNGImage memory consumption) via a crafted file.
22-08-2017 - 02:29 22-08-2017 - 02:29
CVE-2017-13058 4.3
In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the function WritePCXImage in coders/pcx.c, which allows attackers to cause a denial of service via a crafted file.
22-08-2017 - 02:29 22-08-2017 - 02:29
CVE-2017-12983 6.8
Heap-based buffer overflow in the ReadSFWImage function in coders/sfw.c in ImageMagick 7.0.6-8 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file.
21-08-2017 - 03:29 21-08-2017 - 03:29
CVE-2017-12674 7.1
In ImageMagick 7.0.6-2, a CPU exhaustion vulnerability was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service.
07-08-2017 - 17:29 07-08-2017 - 17:29
CVE-2017-12670 4.3
In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, leading to an assertion failure in the function DestroyImage in MagickCore/image.c, which allows attackers to cause a denial of service.
07-08-2017 - 17:29 07-08-2017 - 17:29
CVE-2017-12644 6.8
ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadDCMImage in coders/dcm.c.
07-08-2017 - 11:29 07-08-2017 - 11:29
CVE-2017-12643 7.1
ImageMagick 7.0.6-1 has a memory exhaustion vulnerability in ReadOneJNGImage in coders/png.c.
07-08-2017 - 11:29 07-08-2017 - 11:29
CVE-2017-12640 6.8
ImageMagick 7.0.6-1 has an out-of-bounds read vulnerability in ReadOneMNGImage in coders/png.c.
07-08-2017 - 11:29 07-08-2017 - 11:29
CVE-2017-12587 6.8
ImageMagick 7.0.6-1 has a large loop vulnerability in the ReadPWPImage function in coders/pwp.c.
06-08-2017 - 10:29 06-08-2017 - 10:29
CVE-2017-12563 7.1
In ImageMagick 7.0.6-2, a memory exhaustion vulnerability was found in the function ReadPSDImage in coders/psd.c, which allows attackers to cause a denial of service.
05-08-2017 - 14:29 05-08-2017 - 14:29
CVE-2017-12435 7.8
In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadSUNImage in coders/sun.c, which allows attackers to cause a denial of service.
04-08-2017 - 06:29 04-08-2017 - 06:29
CVE-2017-12433 4.3
In ImageMagick 7.0.6-1, a memory leak vulnerability was found in the function ReadPESImage in coders/pes.c, which allows attackers to cause a denial of service, related to ResizeMagickMemory in memory.c.
04-08-2017 - 06:29 04-08-2017 - 06:29
CVE-2017-12432 7.1
In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadPCXImage in coders/pcx.c, which allows attackers to cause a denial of service.
04-08-2017 - 06:29 04-08-2017 - 06:29
CVE-2017-12431 4.3
In ImageMagick 7.0.6-1, a use-after-free vulnerability was found in the function ReadWMFImage in coders/wmf.c, which allows attackers to cause a denial of service.
04-08-2017 - 06:29 04-08-2017 - 06:29
CVE-2017-12430 7.8
In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadMPCImage in coders/mpc.c, which allows attackers to cause a denial of service.
04-08-2017 - 06:29 04-08-2017 - 06:29
CVE-2017-12429 7.8
In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in the function ReadMIFFImage in coders/miff.c, which allows attackers to cause a denial of service.
04-08-2017 - 06:29 04-08-2017 - 06:29
CVE-2017-12418 5.0
ImageMagick 7.0.6-5 has memory leaks in the parse8BIMW and format8BIM functions in coders/meta.c, related to the WriteImage function in MagickCore/constitute.c.
03-08-2017 - 20:29 03-08-2017 - 20:29
CVE-2015-2560 5.0
Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.
02-08-2017 - 15:29 02-08-2017 - 15:29
CVE-2017-12140 7.1
The ReadDCMImage function in coders/dcm.c in ImageMagick 7.0.6-1 has an integer signedness error leading to excessive memory consumption via a crafted DCM file.
02-08-2017 - 01:29 02-08-2017 - 01:29
CVE-2017-12132 4.3
The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.
01-08-2017 - 12:29 01-08-2017 - 12:29
CVE-2017-11640 4.3
When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to an address access exception in the WritePTIFImage() function in coders/tiff.c.
26-07-2017 - 04:29 26-07-2017 - 04:29
CVE-2017-11639 4.3
When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a heap-based buffer over-read in the WriteCIPImage() function in coders/cip.c, related to the GetPixelLuma function in MagickCore/pixel-accessor.h.
26-07-2017 - 04:29 26-07-2017 - 04:29
CVE-2017-11537 4.3
When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a Floating Point Exception (FPE) in the WritePALMImage() function in coders/palm.c, related to an incorrect bits-per-pixel calculation.
22-07-2017 - 23:29 22-07-2017 - 23:29
CVE-2017-11535 4.3
When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a heap-based buffer over-read in the WritePSImage() function in coders/ps.c.
22-07-2017 - 23:29 22-07-2017 - 23:29
CVE-2017-11533 4.3
When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a heap-based buffer over-read in the WriteUILImage() function in coders/uil.c.
22-07-2017 - 23:29 22-07-2017 - 23:29
CVE-2017-11352 4.3
In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a crash because of incorrect EOF handling in coders/rle.c. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-9144.
17-07-2017 - 09:18 17-07-2017 - 09:18
CVE-2017-10995 4.3
The mng_get_long function in coders/png.c in ImageMagick 7.0.6-0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted MNG image.
07-07-2017 - 12:29 07-07-2017 - 12:29
CVE-2015-5180 5.0
res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).
27-06-2017 - 16:29 27-06-2017 - 16:29
CVE-2017-1092 10.0
IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unauthorized user to execute arbitrary code as system admin on Windows servers. IBM X-Force ID: 120390.
22-05-2017 - 16:29 22-05-2017 - 16:29
CVE-2017-8804 7.8
The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an ove
10-05-2017 - 21:29 07-05-2017 - 14:29
CVE-2017-3066 7.5
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code executi
09-05-2017 - 20:39 27-04-2017 - 10:59
CVE-2016-0635 9.0
Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 12.1.4, 12.2.2, and 12.3.2; the Oracle Health Sciences Information Manager component in Oracle Health Sciences Applications 1.2.8.3, 2.
24-04-2017 - 21:59 21-07-2016 - 06:12
CVE-2012-5883 4.3
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.9.0, as used in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to i
20-04-2017 - 21:59 16-11-2012 - 07:24
CVE-2015-2794 7.5
The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
01-03-2017 - 21:59 06-02-2017 - 10:59
CVE-2008-1855 5.0
FrameworkService.exe in McAfee Common Management Agent (CMA) 3.6.0.574 Patch 3 and earlier, as used by ePolicy Orchestrator (ePO) and ProtectionPilot (PrP), allows remote attackers to corrupt memory and cause a denial of service (CMA Framework servic
19-02-2017 - 00:22 16-04-2008 - 15:05
CVE-2006-0565 7.5
PHP remote file include vulnerability in inc/backend_settings.php in Loudblog 0.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the $GLOBALS[path] parameter.
19-02-2017 - 00:11 06-02-2006 - 18:02
CVE-2014-0050 7.5
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that b
16-02-2017 - 21:59 01-04-2014 - 02:27
CVE-2015-5254 7.5
Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.
07-02-2017 - 21:59 08-01-2016 - 14:59
CVE-2016-9081 7.5
Joomla! 3.4.4 through 3.6.3 allows attackers to reset username, password, and user group assignments and possibly perform other user account modifications via unspecified vectors.
26-01-2017 - 10:07 23-01-2017 - 16:59
CVE-2014-5243 4.3
MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 does not enforce an IFRAME protection mechanism for transcluded pages, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted we
06-01-2017 - 22:00 22-08-2014 - 13:55
CVE-2014-5241 6.8
The JSONP endpoint in includes/api/ApiFormatJson.php in MediaWiki before 1.19.18, 1.20.x through 1.22.x before 1.22.9, and 1.23.x before 1.23.2 accepts certain long callback values and does not restrict the initial bytes of a JSONP response, which al
06-01-2017 - 22:00 22-08-2014 - 13:55
CVE-2014-4756 3.5
The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 allows remote authenticated users to hijack sessions via unspecified vectors.
06-01-2017 - 22:00 10-09-2014 - 06:55
CVE-2014-3079 2.1
The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 allows remote authenticated users to bypass authorization checks and visit unspecified URLs with license-usage data via a DESCRIBE clause in a SPAR
06-01-2017 - 21:59 10-09-2014 - 06:55
CVE-2014-2614 7.5
Unspecified vulnerability in HP SiteScope 11.1x through 11.13 and 11.2x through 11.24 allows remote attackers to bypass authentication via unknown vectors, aka ZDI-CAN-2140.
06-01-2017 - 21:59 07-07-2014 - 07:01
CVE-2014-1609 7.5
Multiple SQL injection vulnerabilities in MantisBT before 1.2.16 allow remote attackers to execute arbitrary SQL commands via unspecified parameters to the (1) mc_project_get_attachments function in api/soap/mc_project_api.php; the (2) news_get_limit
06-01-2017 - 21:59 20-03-2014 - 12:55
CVE-2014-1608 7.5
SQL injection vulnerability in the mci_file_get function in api/soap/mc_file_api.php in MantisBT before 1.2.16 allows remote attackers to execute arbitrary SQL commands via a crafted envelope tag in a mc_issue_attachment_get SOAP request.
06-01-2017 - 21:59 18-03-2014 - 13:03
CVE-2014-1546 4.3
The response function in the JSONP endpoint in WebService/Server/JSONRPC.pm in jsonrpc.cgi in Bugzilla 3.x and 4.x before 4.0.14, 4.1.x and 4.2.x before 4.2.10, 4.3.x and 4.4.x before 4.4.5, and 4.5.x before 4.5.5 accepts certain long callback values
06-01-2017 - 21:59 14-08-2014 - 07:15
CVE-2014-0909 5.0
The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4.x before 8.1.4.4 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by inter
06-01-2017 - 21:59 10-09-2014 - 06:55
CVE-2014-0600 7.8
FileUploadServlet in the Administration service in Novell GroupWise 2014 before SP1 allows remote attackers to read or write to arbitrary files via the poLibMaintenanceFileSave parameter, aka ZDI-CAN-2287.
06-01-2017 - 21:59 29-08-2014 - 05:55
CVE-2014-0160 5.0
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer ov
06-01-2017 - 21:59 07-04-2014 - 18:55
CVE-2014-0113 7.5
CookieInterceptor in Apache Struts before 2.3.16.2, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a cr
06-01-2017 - 21:59 29-04-2014 - 06:37
CVE-2014-0112 7.5
ParametersInterceptor in Apache Struts before 2.3.16.2 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability
06-01-2017 - 21:59 29-04-2014 - 06:37
CVE-2014-0094 5.0
The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
06-01-2017 - 21:59 11-03-2014 - 09:00
CVE-2014-9296 5.0
The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets.
02-01-2017 - 21:59 19-12-2014 - 21:59
CVE-2014-9295 7.5
Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata func
02-01-2017 - 21:59 19-12-2014 - 21:59
CVE-2014-9294 7.5
util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
02-01-2017 - 21:59 19-12-2014 - 21:59
CVE-2014-9293 7.5
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
02-01-2017 - 21:59 19-12-2014 - 21:59
CVE-2014-9281 4.3
Cross-site scripting (XSS) vulnerability in admin/copy_field.php in MantisBT before 1.2.18 allows remote attackers to inject arbitrary web script or HTML via the dest_id field.
02-01-2017 - 21:59 09-12-2014 - 18:59
CVE-2014-9280 7.5
The current_user_get_bug_filter function in core/current_user_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary PHP code via the filter parameter.
02-01-2017 - 21:59 08-12-2014 - 11:59
CVE-2014-9272 4.3
The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol.
02-01-2017 - 21:59 09-01-2015 - 13:59
CVE-2014-9271 4.3
Cross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated
02-01-2017 - 21:59 09-01-2015 - 13:59
CVE-2014-9270 4.3
Cross-site scripting (XSS) vulnerability in the projax_array_serialize_for_autocomplete function in core/projax_api.php in MantisBT 1.1.0a3 through 1.2.17 allows remote attackers to inject arbitrary web script or HTML via the "profile/Platform" field
02-01-2017 - 21:59 08-12-2014 - 11:59
CVE-2014-9269 2.6
Cross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.
02-01-2017 - 21:59 09-01-2015 - 13:59
CVE-2014-9217 5.0
Graylog2 before 0.92 allows remote attackers to bypass LDAP authentication via crafted wildcards.
02-01-2017 - 21:59 08-12-2014 - 06:59
CVE-2014-9117 5.0
MantisBT before 1.2.18 uses the public_key parameter value as the key to the CAPTCHA answer, which allows remote attackers to bypass the CAPTCHA protection mechanism by leveraging knowledge of a CAPTCHA answer for a public_key parameter value, as dem
02-01-2017 - 21:59 06-12-2014 - 16:59
CVE-2014-9089 7.5
Multiple SQL injection vulnerabilities in view_all_bug_page.php in MantisBT before 1.2.18 allow remote attackers to execute arbitrary SQL commands via the (1) sort or (2) dir parameter to view_all_set.php.
02-01-2017 - 21:59 28-11-2014 - 10:59
CVE-2014-8988 4.0
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict
02-01-2017 - 21:59 24-11-2014 - 10:59
CVE-2014-8986 3.5
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted
02-01-2017 - 21:59 24-11-2014 - 10:59
CVE-2014-8630 6.5
Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a tw
02-01-2017 - 21:59 01-02-2015 - 10:59
CVE-2014-8598 6.4
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined wi
02-01-2017 - 21:59 18-11-2014 - 10:59
CVE-2014-8554 7.5
SQL injection vulnerability in the mc_project_get_attachments function in api/soap/mc_project_api.php in MantisBT before 1.2.18 allows remote attackers to execute arbitrary SQL commands via the project_id parameter. NOTE: this vulnerability exists b
02-01-2017 - 21:59 13-11-2014 - 16:32
CVE-2014-8553 5.0
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_ge
02-01-2017 - 21:59 17-12-2014 - 14:59
CVE-2014-7882 5.5
Unspecified vulnerability in HP SiteScope 11.1x and 11.2x allows remote authenticated users to gain privileges via unknown vectors.
02-01-2017 - 21:59 01-02-2015 - 20:59
CVE-2014-7146 7.5
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_repla
02-01-2017 - 21:59 18-11-2014 - 10:59
CVE-2014-6316 5.8
core/string_api.php in MantisBT before 1.2.18 does not properly categorize URLs when running under the web root, which allows remote attackers to conduct open redirect and phishing attacks via a crafted URL in the return parameter to login_page.php.
02-01-2017 - 21:59 12-12-2014 - 06:59
CVE-2015-2051 10.0
The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.
30-12-2016 - 21:59 23-02-2015 - 12:59
CVE-2013-6017 4.3
Cross-site scripting (XSS) vulnerability in Atmail Webmail Server before 7.2 allows remote attackers to inject arbitrary web script or HTML via the body of an e-mail message, as demonstrated by the SRC attribute of an IFRAME element.
30-12-2016 - 21:59 12-01-2014 - 13:34
CVE-2013-5589 7.5
SQL injection vulnerability in cacti/host.php in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
30-12-2016 - 21:59 29-08-2013 - 08:07
CVE-2013-5573 4.3
Cross-site scripting (XSS) vulnerability in the default markup formatter in Jenkins 1.523 allows remote attackers to inject arbitrary web script or HTML via the Description field in the user configuration.
30-12-2016 - 21:59 31-12-2013 - 11:04
CVE-2013-4568 4.3
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via certain non-ASCII characters in CSS, as dem
30-12-2016 - 21:59 13-12-2013 - 13:07
CVE-2013-4567 4.3
Incomplete blacklist vulnerability in Sanitizer::checkCss in MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a \b (backspace) character in CSS.
30-12-2016 - 21:59 13-12-2013 - 13:07
CVE-2013-2031 4.3
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting (XSS) attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted a
30-12-2016 - 21:59 17-11-2013 - 21:55
CVE-2014-2327 6.8
Cross-site request forgery (CSRF) vulnerability in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to hijack the authentication of users for unspecified commands, as demonstrated by requests that (1) modify binary files, (2) modify configur
27-12-2016 - 21:59 23-04-2014 - 11:55
CVE-2016-6277 9.3
NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta, R8000 before 1.0.3.26.Beta, D6220, D6
23-12-2016 - 21:59 14-12-2016 - 11:59
CVE-2016-5535 7.5
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, 12.2.1.0, and 12.2.1.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
23-12-2016 - 21:59 25-10-2016 - 10:30
CVE-2014-5340 9.3
The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL.
23-12-2016 - 21:59 02-09-2014 - 10:55
CVE-2014-5339 4.9
Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allows remote authenticated users to write check_mk config files (.mk files) to arbitrary locations via vectors related to row selections.
23-12-2016 - 21:59 02-09-2014 - 10:55
CVE-2014-5338 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the multisite component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors to the (1) render_statu
23-12-2016 - 21:59 22-08-2014 - 10:55
CVE-2015-1830 5.0
Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.
21-12-2016 - 21:59 19-08-2015 - 11:59
CVE-2014-5026 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input M
21-12-2016 - 21:59 20-10-2014 - 13:55
CVE-2014-5025 3.5
Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action.
21-12-2016 - 21:59 20-10-2014 - 13:55
CVE-2014-4002 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_t
21-12-2016 - 21:59 03-07-2014 - 10:55
CVE-2014-2709 7.5
lib/rrd.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified parameters.
21-12-2016 - 21:59 23-04-2014 - 11:55
CVE-2014-2708 7.5
Multiple SQL injection vulnerabilities in graph_xport.php in Cacti 0.8.7g, 0.8.8b, and earlier allow remote attackers to execute arbitrary SQL commands via the (1) graph_start, (2) graph_end, (3) graph_height, (4) graph_width, (5) graph_nolegend, (6)
21-12-2016 - 21:59 10-04-2014 - 16:29
CVE-2014-2328 6.5
lib/graph_export.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote authenticated users to execute arbitrary commands via shell metacharacters in unspecified vectors.
21-12-2016 - 21:59 23-04-2014 - 11:55
CVE-2014-2326 4.3
Cross-site scripting (XSS) vulnerability in cdef.php in Cacti 0.8.7g, 0.8.8b, and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
21-12-2016 - 21:59 27-03-2014 - 12:55
CVE-2013-1434 7.5
Multiple SQL injection vulnerabilities in (1) api_poller.php and (2) utility.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
07-12-2016 - 22:03 23-08-2013 - 12:55
CVE-2005-3390 7.5
The RFC1867 file upload feature in PHP 4.x up to 4.4.0 and 5.x up to 5.0.5, when register_globals is enabled, allows remote attackers to modify the GLOBALS array and bypass security protections of PHP applications via a multipart/form-data POST reque
07-12-2016 - 22:00 01-11-2005 - 07:47
CVE-2015-8562 7.5
Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
07-12-2016 - 13:28 16-12-2015 - 16:59
CVE-2015-8358 9.0
Directory traversal vulnerability in the bitrix.mpbuilder module before 1.0.12 for Bitrix allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the element name of the "work" array parameter to admin/bitrix.m
07-12-2016 - 13:27 16-12-2015 - 16:59
CVE-2015-7858 7.5
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297.
07-12-2016 - 13:25 29-10-2015 - 16:59
CVE-2015-7857 7.5
SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.p
07-12-2016 - 13:25 29-10-2015 - 16:59
CVE-2015-7297 7.5
SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7858.
07-12-2016 - 13:23 29-10-2015 - 16:59
CVE-2015-2942 7.1
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP me
07-12-2016 - 13:11 13-04-2015 - 10:59
CVE-2015-2941 4.3
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to inject arbitrary web script or HTML via an invalid parameter in a wddx format request to a
07-12-2016 - 13:11 13-04-2015 - 10:59
CVE-2015-2940 6.8
Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the authentication of certain users for requests that retrieve sensitive user information via unspecified vectors.
07-12-2016 - 13:11 13-04-2015 - 10:59
CVE-2015-2939 4.3
Cross-site scripting (XSS) vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace.
07-12-2016 - 13:11 13-04-2015 - 10:59
CVE-2015-2938 4.3
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a custom JavaScript file, which is not properly handled when preview
07-12-2016 - 13:11 13-04-2015 - 10:59
CVE-2015-2937 7.1
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM or Zend PHP, allows remote attackers to cause a denial of service ("quadratic blowup" and memory consumption) via an XML file containing an entity declaration wit
07-12-2016 - 13:11 13-04-2015 - 10:59
CVE-2015-2936 7.1
MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password.
07-12-2016 - 13:10 13-04-2015 - 10:59
CVE-2015-2935 5.0
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT."
07-12-2016 - 13:10 13-04-2015 - 10:59
CVE-2015-2934 4.3
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted
07-12-2016 - 13:10 13-04-2015 - 10:59
CVE-2015-2933 4.3
Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a LanguageConverter substitution string when using
07-12-2016 - 13:10 13-04-2015 - 10:59
CVE-2015-2932 4.3
Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element.
07-12-2016 - 13:10 13-04-2015 - 10:59
CVE-2015-2931 4.3
Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a neste
07-12-2016 - 13:10 13-04-2015 - 10:59
CVE-2013-4316 10.0
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
07-12-2016 - 12:34 30-09-2013 - 17:55
CVE-2006-1786 2.6
Cross-site scripting (XSS) vulnerability in Adobe Document Server for Reader Extensions 6.0 allows remote attackers to inject arbitrary web script or HTML via (1) the actionID parameter in ads-readerext and (2) the op parameter in AlterCast. NOTE: it
06-12-2016 - 21:59 13-04-2006 - 18:02
CVE-2014-3120 6.8
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended se
06-12-2016 - 13:13 28-07-2014 - 15:55
CVE-2016-0763 6.5
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, wh
05-12-2016 - 22:05 24-02-2016 - 20:59
CVE-2016-0714 6.5
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restric
05-12-2016 - 22:05 24-02-2016 - 20:59
CVE-2016-0706 4.0
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote aut
05-12-2016 - 22:05 24-02-2016 - 20:59
CVE-2015-6005 3.5
Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to inject arbitrary web script or HTML via (1) an SNMP OID object, (2) an SNMP trap message, (3) the View Names field, (4) the Group Names
05-12-2016 - 22:03 26-12-2015 - 22:59
CVE-2015-6004 6.5
Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device
05-12-2016 - 22:03 26-12-2015 - 22:59
CVE-2015-5351 6.8
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protec
05-12-2016 - 22:02 24-02-2016 - 20:59
CVE-2016-4004 4.0
Directory traversal vulnerability in Dell OpenManage Server Administrator (OMSA) 8.2 allows remote authenticated administrators to read arbitrary files via a ..\ (dot dot backslash) in the file parameter to ViewFile.
02-12-2016 - 22:27 12-04-2016 - 13:59
CVE-2015-2859 5.8
Intel McAfee ePolicy Orchestrator (ePO) 4.x through 4.6.9 and 5.x through 5.1.2 does not validate server names and Certification Authority names in X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obt
02-12-2016 - 22:07 23-06-2015 - 17:59
CVE-2013-0169 2.6
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding,
02-12-2016 - 22:00 08-02-2013 - 14:55
CVE-2013-0166 5.0
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) vi
02-12-2016 - 22:00 08-02-2013 - 14:55
CVE-2016-0902 5.0
CRLF injection vulnerability in EMC RSA Authentication Manager before 8.1 SP1 P14 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
30-11-2016 - 22:03 07-05-2016 - 06:59
CVE-2016-0901 4.3
Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Manager before 8.1 SP1 P14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-0900.
30-11-2016 - 22:03 07-05-2016 - 06:59
CVE-2016-0900 4.3
Cross-site scripting (XSS) vulnerability in EMC RSA Authentication Manager before 8.1 SP1 P14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-0901.
30-11-2016 - 22:03 07-05-2016 - 06:59
CVE-2015-2109 7.5
Unspecified vulnerability in HP Operations Orchestration 10.x allows remote attackers to bypass authentication, and obtain sensitive information or modify data, via unknown vectors.
29-11-2016 - 22:01 31-03-2015 - 06:59
CVE-2015-2108 3.5
Unspecified vulnerability in Powershell Operations in HP Operations Orchestration 9.x and 10.x allows remote authenticated users to obtain sensitive information via unknown vectors.
29-11-2016 - 22:01 31-03-2015 - 06:59
CVE-2015-2053 4.3
The log viewer in McAfee Agent (MA) before 4.8.0 Patch 3 and 5.0.0, when the "Accept connections only from the ePO server" option is disabled, allows remote attackers to conduct clickjacking attacks via a crafted web page, aka an "http-generic-click-
29-11-2016 - 22:00 23-02-2015 - 12:59
CVE-2016-5601 3.3
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 12.1.3.0, 12.2.1.0, and 12.2.1.1 allows local users to affect confidentiality and integrity via vectors related to CIE Related Components.
28-11-2016 - 15:27 25-10-2016 - 10:31
CVE-2016-5531 7.5
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS-WebServices.
28-11-2016 - 15:26 25-10-2016 - 10:30
CVE-2016-5488 5.0
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.3.0 allows remote attackers to affect availability via vectors related to Web Container, a different vulnerability than CVE-2016-3445.
28-11-2016 - 15:26 25-10-2016 - 10:29
CVE-2016-3505 9.0
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to JavaServer
28-11-2016 - 15:10 25-10-2016 - 10:29
CVE-2014-1573 4.3
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not ensure that a scalar context is used for certain CGI parameters, which allows remote attackers to conduct cross-sit
28-11-2016 - 14:10 12-10-2014 - 21:55
CVE-2014-1572 5.0
The confirm_create_account function in the account-creation feature in token.cgi in Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 does not specify a scalar context for th
28-11-2016 - 14:10 12-10-2014 - 21:55
CVE-2013-2186 7.5
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name i
28-11-2016 - 14:09 28-10-2013 - 17:55
CVE-2006-3601 10.0
** UNVERIFIABLE ** Unspecified vulnerability in an unspecified DNN Modules module for DotNetNuke (.net nuke) allows remote attackers to gain privileges via unspecified vectors, as used in an attack against the Microsoft France web site. NOTE: due t
28-11-2016 - 14:06 18-07-2006 - 11:37
CVE-2011-3156 10.0
Unspecified vulnerability in HP Data Protector Notebook Extension 6.20 and Data Protector for Personal Computers 7.0 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1222.
22-11-2016 - 15:12 19-10-2011 - 11:55
CVE-2006-6367 7.5
Multiple SQL injection vulnerabilities in detail.asp in DUware DUdownload 1.1, and possibly earlier, allow remote attackers to execute arbitrary SQL commands via the (1) iFile or (2) action parameter. NOTE: the iType parameter is already covered by
18-11-2016 - 12:24 07-12-2006 - 06:28
CVE-2016-8869 7.5
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.
07-11-2016 - 14:15 04-11-2016 - 17:59
CVE-2016-8870 6.8
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Al
07-11-2016 - 14:15 04-11-2016 - 17:59
CVE-2013-2032 5.0
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 does not allow extensions to prevent password changes without using both Special:PasswordReset and Special:ChangePassword, which allows remote attackers to bypass the intended restrictions of an extens
18-10-2016 - 11:11 17-11-2013 - 21:55
CVE-2006-5219 5.1
SQL injection vulnerability in blog/index.php in the blog module in Moodle 1.6.2 allows remote attackers to execute arbitrary SQL commands via a double-encoded tag parameter.
17-10-2016 - 23:41 10-10-2006 - 00:06
CVE-2006-3094 5.1
Multiple SQL injection vulnerabilities in Calendarix Basic 0.7.20060401 and earlier, with magic_quotes_gpc disabled, allow remote attackers to execute arbitrary SQL commands via the id parameter in (1) cal_event.php and (2) cal_popup.php.
17-10-2016 - 23:40 19-06-2006 - 17:02
CVE-2006-2113 6.4
The embedded HTTP server in Fuji Xerox Printing Systems (FXPS) print engine, as used in products including (1) Dell 3000cn through 5110cn and (2) Fuji Xerox DocuPrint firmware before 20060628 and Network Option Card firmware before 5.13, does not pro
17-10-2016 - 23:39 24-08-2006 - 21:04
CVE-2005-4439 7.8
Buffer overflow in ELOG elogd 2.6.0-beta4 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a URL with a long (1) cmd or (2) mode parameter.
17-10-2016 - 23:38 20-12-2005 - 20:03
CVE-2005-4428 4.3
Cross-site scripting (XSS) vulnerability in index.php in Cerberus Helpdesk allows remote attackers to inject arbitrary web script or HTML via the kb_ask parameter.
17-10-2016 - 23:38 20-12-2005 - 18:03
CVE-2005-4427 7.5
Multiple SQL injection vulnerabilities in Cerberus Helpdesk allow remote attackers to execute arbitrary SQL commands via the (1) file_id parameter to attachment_send.php, (2) the $addy variable in email_parser.php, (3) $address variable in email_pars
17-10-2016 - 23:38 20-12-2005 - 18:03
CVE-2005-3648 7.5
Multiple SQL injection vulnerabilities in the get_record function in datalib.php in Moodle 1.5.2 allow remote attackers to execute arbitrary SQL commands via the id parameter in (1) category.php and (2) info.php.
17-10-2016 - 23:36 17-11-2005 - 06:02
CVE-2005-3571 5.0
PHP file inclusion vulnerability in protection.php in CodeGrrl (a) PHPCalendar 1.0, (b) PHPClique 1.0, (c) PHPCurrently 2.0, (d) PHPFanBase 2.1, and (e) PHPQuotes 1.0 allows remote attackers to include arbitrary local files via the siteurl parameter
17-10-2016 - 23:36 16-11-2005 - 02:42
CVE-2005-3521 7.5
SQL injection vulnerability in resetcore.php in e107 0.617 through 0.6173 allows remote attackers to execute arbitrary SQL commands, bypass authentication, and inject HTML or script via the (1) a_name parameter or (2) user field of the login page.
17-10-2016 - 23:36 06-11-2005 - 06:03
CVE-2005-3405 7.5
ATutor 1.4.1 through 1.5.1-pl1 allows remote attackers to execute arbitrary PHP functions via a direct request to forum.inc.php with a modified addslashes parameter with either the (1) asc or (2) desc parameters set, possibly due to an eval injection
17-10-2016 - 23:35 01-11-2005 - 07:47
CVE-2005-3404 7.5
Multiple PHP file inclusion vulnerabilities in ATutor 1.4.1 through 1.5.1-pl1 allow remote attackers to include arbitrary files via the section parameter followed by a null byte (%00) in (1) body_header.inc.php and (2) print.php.
17-10-2016 - 23:35 01-11-2005 - 07:47
CVE-2005-3403 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.1 through 1.5.1-pl1 allow remote attackers to inject arbitrary web script or HTML via (1) the _base_href parameter in translate.php, (2) the _base_path parameter in news.inc.php, and (
17-10-2016 - 23:35 01-11-2005 - 07:47
CVE-2005-3369 7.5
Multiple SQL injection vulnerabilities in the Info-DB module (info_db.php) in Woltlab Burning Board 2.7 and earlier allow remote attackers to execute arbitrary SQL commands and possibly upload files via the (1) fileid and (2) subkatid parameters.
17-10-2016 - 23:34 30-10-2005 - 09:34
CVE-2005-3365 7.5
Multiple SQL injection vulnerabilities in DCP-Portal 6 and earlier allow remote attackers to execute arbitrary SQL commands, possibly requiring encoded characters, via (1) the name parameter in register.php, (2) the email parameter in lostpassword.ph
17-10-2016 - 23:34 30-10-2005 - 09:34
CVE-2005-3133 5.0
Multiple directory traversal vulnerabilities in MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allow remote attackers to (1) delete arbitrary files or directories via a relative path to the id parameter to logou
17-10-2016 - 23:32 04-10-2005 - 18:02
CVE-2005-3132 5.0
MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allows remote attackers to obtain sensitive information via a direct request to bwlist_inc.html, which reveals the path in an error message.
17-10-2016 - 23:32 04-10-2005 - 18:02
CVE-2005-3131 4.3
Multiple cross-site scripting (XSS) vulnerabilities in MERAK Mail Server 8.2.4r with Icewarp Web Mail 5.5.1, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to blank.html, or the c
17-10-2016 - 23:32 04-10-2005 - 18:02
CVE-2005-3090 4.3
Cross-site scripting (XSS) vulnerability in bug_actiongroup_page.php in Mantis 0.19.0a1 through 1.0.0a3 allows remote attackers to inject arbitrary web script or HTML via the summary of the bug, which is not quoted when view_all_bug_page.php is used
17-10-2016 - 23:32 28-09-2005 - 18:03
CVE-2005-3063 7.5
SQL injection vulnerability in MailGust 1.9 allows remote attackers to execute arbitrary SQL commands via the email field on the password reminder page.
17-10-2016 - 23:32 27-09-2005 - 15:03
CVE-2005-2987 7.5
SQL injection vulnerability in login.php in Digital Scribe 1.4 allows remote attackers to execute arbitrary SQL commands via the username parameter.
17-10-2016 - 23:32 19-09-2005 - 20:03
CVE-2005-2954 7.5
SQL injection vulnerability in password_reminder.php in ATutor before 1.5.1 pl1 allows remote attackers to execute arbitrary SQL commands via the email field.
17-10-2016 - 23:31 16-09-2005 - 18:03
CVE-2005-2888 7.5
Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) Preview Release 2 allow remote attackers to execute arbitrary SQL commands via the (1) fid parameter to misc.php or (2) Content-Disposition field in the HTTP header to newreply.php.
17-10-2016 - 23:31 14-09-2005 - 16:03
CVE-2005-2884 4.3
Cross-site scripting (XSS) vulnerability in events.php in Land Down Under (LDU) 801 and earlier allows remote attackers to inject arbitrary web script or HTML via the Description field in an event.
17-10-2016 - 23:31 14-09-2005 - 16:03
CVE-2005-2865 7.5
Multiple PHP remote file inclusion vulnerabilities in aMember Pro 2.3.4 allow remote attackers to execute arbitrary PHP code via the config[root_dir] parameter to (1) mysql.inc.php, (2) efsnet.inc.php, (3) theinternetcommerce.inc.php, (4) cdg.inc.php
17-10-2016 - 23:30 08-09-2005 - 19:03
CVE-2005-2848 5.0
Directory traversal vulnerability in img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter.
17-10-2016 - 23:30 08-09-2005 - 06:03
CVE-2005-2847 7.5
img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter.
17-10-2016 - 23:30 08-09-2005 - 06:03
CVE-2005-2846 7.5
PHP remote file inclusion vulnerability in lang.php in CMS Made Simple 0.10 and earlier allows remote attackers to execute arbitrary PHP code via the nls[file][vx][vxsfx] parameter.
17-10-2016 - 23:30 08-09-2005 - 06:03
CVE-2005-2788 7.5
Multiple SQL injection vulnerabilities in Land Down Under (LDU) 801 and earlier allow remote attackers to execute arbitrary SQL commands via the c parameter to (1) events.php, (2) index.php, or (3) list.php.
17-10-2016 - 23:30 02-09-2005 - 19:03
CVE-2005-2782 7.5
PHP remote file inclusion vulnerability in al_initialize.php for AutoLinks Pro 2.1 allows remote attackers to execute arbitrary PHP code via an "ftp://" URL in the alpath parameter, which bypasses the incomplete blacklist that only checks for "http"
17-10-2016 - 23:30 02-09-2005 - 19:03
CVE-2005-2781 7.5
The Avatar upload feature in FUD Forum before 2.7.0 does not properly verify uploaded files, which allows remote attackers to execute arbitrary PHP code via a file with a .php extension that contains image data followed by PHP code.
17-10-2016 - 23:30 02-09-2005 - 19:03
CVE-2005-2780 4.3
Cross-site scripting (XSS) vulnerability in Land Down Under (LDU) allows remote attackers to inject arbitrary web script or HTML via a signature.
17-10-2016 - 23:30 02-09-2005 - 19:03
CVE-2005-2777 7.5
Looking Glass 20040427 allows remote attackers to execute arbitrary commands via shell metacharacters in the DNS lookup query field.
17-10-2016 - 23:30 02-09-2005 - 19:03
CVE-2005-2776 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Looking Glass 20040427 allow remote attackers to inject arbitrary web script or HTML via the (1) version[fullname], (2) version[homepage], or (3) version[no] parameter to footer.php, or the (4) v
17-10-2016 - 23:30 02-09-2005 - 19:03
CVE-2005-2675 7.5
** DISPUTED ** Note: the vendor has disputed this issue. Multiple SQL injection vulnerabilities in Land Down Under (LDU) 800 allow remote attackers to execute arbitrary SQL commands via the (1) s or (2) m parameter to forums.php, (3) o, (4) w, (5) s,
17-10-2016 - 23:29 23-08-2005 - 00:00
CVE-2005-2674 4.3
** DISPUTED ** Note: the vendor has disputed this issue. Multiple cross-site scripting (XSS) vulnerabilities in Land Down Under (LDU) 800 allow remote attackers to inject arbitrary web script or HTML via the (1) c or (2) m parameters to index.php or
17-10-2016 - 23:29 23-08-2005 - 00:00
CVE-2005-2565 5.0
Gravity Board X (GBX) 1.1 allows remote attackers to obtain sensitive information via (1) a 1 in the perm parameter to deletethread.php or a direct request to (2) ban.php, (3) addnews.php, (4) banned.php, (5) boardstats.php, (6) adminform.php, (7) /f
17-10-2016 - 23:28 16-08-2005 - 00:00
CVE-2005-2564 7.5
Direct static code injection vulnerability in editcss.php in Gravity Board X (GBX) 1.1 allows remote attackers to execute arbitrary PHP code, HTML, and script via the csscontent parameter, which is directly inserted into the gbxfinal.css file.
17-10-2016 - 23:28 16-08-2005 - 00:00
CVE-2005-2563 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Gravity Board X (GBX) 1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the board_id parameter to deletethread.php or (2) the template.
17-10-2016 - 23:28 16-08-2005 - 00:00
CVE-2005-2562 7.5
SQL injection vulnerability in Gravity Board X (GBX) 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the login field.
17-10-2016 - 23:28 16-08-2005 - 00:00
CVE-2005-2559 7.5
doping.php in ePing plugin 1.02 and earlier for e107 portal allows remote attackers to execute arbitrary code or overwrite files via (1) shell metacharacters in the eping_count parameter or (2) restricted shell metacharacters such as ">" and "&" in t
17-10-2016 - 23:28 16-08-2005 - 00:00
CVE-2005-2557 4.3
Cross-site scripting (XSS) vulnerability in view_all_set.php in Mantis 0.19.0a1 through 1.0.0a3 allows remote attackers to inject arbitrary web script or HTML via the dir parameter, as identified by bug#0005959, and a different vulnerability than CVE
17-10-2016 - 23:28 28-09-2005 - 17:03
CVE-2005-2556 7.5
core/database_api.php in Mantis 0.19.0a1 through 1.0.0a3, with register_globals enabled, allows remote attackers to connect to internal databases by modifying the g_db_type variable and monitoring the speed of responses, as identified by bug#0005956.
17-10-2016 - 23:28 24-08-2005 - 00:00
CVE-2005-2544 5.0
PHP remote file inclusion vulnerability in config.php in Comdev eCommerce 3.0 allows remote attackers to execute arbitrary PHP code via the path[docroot] parameter.
17-10-2016 - 23:28 10-08-2005 - 00:00
CVE-2005-2543 5.0
Directory traversal vulnerability in wce.download.php in Comdev eCommerce 3.0 allows remote attackers to download arbitrary files via a .. (dot dot) in the download parameter.
17-10-2016 - 23:28 10-08-2005 - 00:00
CVE-2005-2540 5.0
CRLF injection vulnerability in FlatNuke 2.5.5 and possibly earlier versions allows remote attackers to execute arbitrary PHP commands via an ASCII char 13 (carriage return) in the signature field, which is injected into a PHP script without a preced
17-10-2016 - 23:28 10-08-2005 - 00:00
CVE-2005-2539 4.3
Multiple cross-site scripting (XSS) vulnerabilities in FlatNuke 2.5.5 and possibly earlier versions allow remote attackers to inject arbitrary web script or HTML via the (1) bodycolor, (2) backimage, (3) theme, or (4) logo parameter to structure.php,
17-10-2016 - 23:28 10-08-2005 - 00:00
CVE-2005-2538 5.0
FlatNuke 2.5.5 and possibly earlier versions allows remote attackers to obtain sensitive information via (1) a null byte or (2) an MS-DOS device name such as AUX, CON, PRN, COM1, or LPT1 in the mod parameter.
17-10-2016 - 23:28 10-08-2005 - 00:00
CVE-2005-2537 5.0
FlatNuke 2.5.5 and possibly earlier versions allows remote attackers to obtain sensitive information via a direct request to structure.php.
17-10-2016 - 23:28 10-08-2005 - 00:00
CVE-2005-2463 6.4
Kayako liveResponse 2.x allows remote attackers to obtain sensitive information via a direct request to addressbook.php and other include scripts, which reveals the path in an error message.
17-10-2016 - 23:27 31-12-2005 - 00:00
CVE-2005-2462 2.1
Kayako liveResponse 2.x, when logging in a user, records the password in plaintext in the URL, which allows local users and possibly remote attackers to gain privileges.
17-10-2016 - 23:27 31-12-2005 - 00:00
CVE-2005-2461 6.4
Multiple SQL injection vulnerabilities in the calendar feature in Kayako liveResponse 2.x allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) date parameter.
17-10-2016 - 23:27 31-12-2005 - 00:00
CVE-2005-2460 5.8
Multiple cross-site scripting (XSS) vulnerabilities in Kayako liveResponse 2.x allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter or (2) name field when entering a session or sending a message.
17-10-2016 - 23:27 31-12-2005 - 00:00
CVE-2005-2420 10.0
flsearch.pl in FtpLocate 2.02 allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTP GET request.
17-10-2016 - 23:26 03-08-2005 - 00:00
CVE-2005-2413 5.0
PHP remote file inclusion vulnerability in apa_phpinclude.inc.php in Atomic Photo Album (APA) allows remote attackers to execute arbitrary PHP code via the apa_module_basedir parameter.
17-10-2016 - 23:26 03-08-2005 - 00:00
CVE-2005-2191 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Comersus shopping cart allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to comersus_backoffice_listAssignedPricesToCustomer.asp or (2) message parameter to
17-10-2016 - 23:25 11-07-2005 - 00:00
CVE-2005-2190 7.5
Multiple SQL injection vulnerabilities in Comersus shopping cart allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to comersus_optAffiliateRegistrationExec.asp or (2) idProduct parameter to comersus_optReviewReadExe
17-10-2016 - 23:25 11-07-2005 - 00:00
CVE-2005-2111 7.5
login.cgi in Community Link Pro Web Editor allows remote attackers to execute arbitrary commands via the file parameter.
17-10-2016 - 23:25 05-07-2005 - 00:00
CVE-2005-2106 5.0
Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.
17-10-2016 - 23:24 05-07-2005 - 00:00
CVE-2005-2049 7.5
Multiple SQL injection vulnerabilities in DUware DUclassmate 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) iState parameter to default.asp or (2) iPro parameter to edit.asp.
17-10-2016 - 23:24 22-06-2005 - 00:00
CVE-2005-2048 7.5
Multiple SQL injection vulnerabilities in DUware DUforum 3.1, and possibly other versions, allow remote attackers to execute arbitrary SQL commands via the (1) iMsg parameter to messages.asp, iFor parameter to (2) post.asp or (3) forums.asp, or (4) i
17-10-2016 - 23:24 22-06-2005 - 00:00
CVE-2005-2047 7.5
Multiple SQL injection vulnerabilities in DUware DUpaypal Pro 3.0 allow remote attackers to execute arbitrary SQL commands via the (1) iCat parameter to cat.asp, (2) iPro parameter to detail.asp, (3) iSub parameter to sub.asp, (4) iCat parameter to c
17-10-2016 - 23:24 22-06-2005 - 00:00
CVE-2005-2046 7.5
Multiple SQL injection vulnerabilities in DUware DUamazon Pro 3.0 and 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) iCat parameter to cat.asp, (2) iSub parameter to sub.asp, (3) iSub parameter to detail.asp, (4) iPro parame
17-10-2016 - 23:24 22-06-2005 - 00:00
CVE-2005-2045 7.5
Multiple SQL injection vulnerabilities in DUware DUportal PRO 3.4.3 allow remote attackers to execute arbitrary SQL commands via the (1) iChannel parameter to default.asp, (2) iData parameter to detail.asp, (3) iMem parameter to members.asp, (4) iCat
17-10-2016 - 23:24 22-06-2005 - 00:00
CVE-2005-2034 4.3
Cross-site scripting (XSS) vulnerability in folderview.asp for BlueCollar iGallery 3.3 allows remote attackers to inject arbitrary web script or HTML via the folder parameter.
17-10-2016 - 23:24 20-06-2005 - 00:00
CVE-2005-2033 5.0
Directory traversal vulnerability in folderview.asp for Blue-Collar Productions i-Gallery 3.3 allows remote attackers to read arbitrary files and directories via the folder parameter.
17-10-2016 - 23:24 20-06-2005 - 00:00
CVE-2005-2028 7.5
SQL injection vulnerability in index.php for MercuryBoard 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header.
17-10-2016 - 23:24 21-06-2005 - 00:00
CVE-2005-2006 5.0
JBOSS 3.2.2 through 3.2.7 and 4.0.2 allows remote attackers to obtain sensitive information via a GET request (1) with a "%." (percent dot), which reveals the installation path or (2) with a % (percent) before a filename, which reveals the contents o
17-10-2016 - 23:24 17-06-2005 - 00:00
CVE-2005-2002 7.5
SQL injection vulnerability in content.php in Mambo 4.5.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user_rating parameter.
17-10-2016 - 23:23 15-06-2005 - 00:00
CVE-2005-1966 7.5
The eTrace_validaddr function in eTrace plugin for e107 portal allows remote attackers to execute arbitrary commands via shell metacharacters after a valid argument to the etrace_host parameter.
17-10-2016 - 23:23 10-06-2005 - 00:00
CVE-2005-1948 7.5
Multiple SQL injection vulnerabilities in Invision Gallery before 1.3.1 allow remote attackers to execute arbitrary SQL commands via (1) the comment parameter in an editcomment action or (2) the rating parameter when voting on a photo.
17-10-2016 - 23:23 09-06-2005 - 00:00
CVE-2005-1946 7.5
Multiple SQL injection vulnerabilities in Invision Blog before 1.1.2 Final allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to an editentry, replyentry, or editcomment action, or (2) the mid parameter to an aboutme a
17-10-2016 - 23:23 09-06-2005 - 00:00
CVE-2005-1945 4.3
Cross-site scripting (XSS) vulnerability in the convert_highlite_words function in Invision Blog before 1.1.2 Final allows remote attackers to inject arbitrary web script or HTML via double hex encoded highlight data.
17-10-2016 - 23:23 09-06-2005 - 00:00
CVE-2005-1875 7.5
Multiple SQL injection vulnerabilities in list.php in Exhibit Engine (EE) 1.22 allow remote attackers to execute arbitrary SQL commands via the (1) search_row, (2) sort_row, (3) order or (4) perpage parameter.
17-10-2016 - 23:23 02-06-2005 - 00:00
CVE-2005-1871 7.5
Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an "input check" that "is not implemented properly."
17-10-2016 - 23:23 09-06-2005 - 00:00
CVE-2005-1773 7.5
Multiple unknown vulnerabilities in L-Soft LISTSERV 14.3, 1.8e, and 1.8d allow remote attackers to execute arbitrary code or cause a denial of service. NOTE: this candidate may be SPLIT in the future when more precise technical details become availa
17-10-2016 - 23:22 31-05-2005 - 00:00
CVE-2005-1598 7.5
SQL injection vulnerability in Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via a crafted cookie password hash (pass_hash) that modifies the internal $pid variable.
17-10-2016 - 23:21 16-05-2005 - 00:00
CVE-2005-1597 4.3
Cross-site scripting (XSS) vulnerability in (1) search.php and (2) topics.php for Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the highlite parameter.
17-10-2016 - 23:21 16-05-2005 - 00:00
CVE-2005-1565 5.0
Bugzilla 2.17.1 through 2.18, 2.19.1, and 2.19.2, when a user is prompted to log in while attempting to view a chart, displays the password in the URL, which may allow local users to gain sensitive information from web logs or browser history.
17-10-2016 - 23:21 12-05-2005 - 00:00
CVE-2005-1564 7.5
post_bug.cgi in Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 allows remote authenticated users to "enter bugs into products that are closed for bug entry" by modifying the URL to specify the name of the product.
17-10-2016 - 23:21 12-05-2005 - 00:00
CVE-2005-1563 5.0
Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 displays a different error message depending on whether a product exists or not, which allows remote attackers to determine hidden products.
17-10-2016 - 23:20 14-05-2005 - 00:00
CVE-2005-1562 7.5
Multiple SQL injection vulnerabilities in MaxWebPortal 1.3.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fpassword parameter to inc_functions.asp, (2) txtAddress, (3) message, or (4) subject parameter to post_info
17-10-2016 - 23:20 11-05-2005 - 00:00
CVE-2005-1561 4.3
Multiple cross-site scripting (XSS) vulnerabilities in post.asp in MaxWebPortal 1.3.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) mod, (2) M, or (3) type parameter.
17-10-2016 - 23:20 11-05-2005 - 00:00
CVE-2005-1507 5.0
Buffer overflow in the Tomcat plugin in 4d WebSTAR 5.33 and 5.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long URL.
17-10-2016 - 23:20 11-05-2005 - 00:00
CVE-2005-1483 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ArticleLive 2005 allow remote attackers to inject arbitrary web script or HTML via the (1) Query, (2) Username, (3) LastName, (4) Biography, or (5) BlogId parameter.
17-10-2016 - 23:19 11-05-2005 - 00:00
CVE-2005-1482 7.5
ArticleLive 2005 allows remote attackers to gain privileges by modifying the (1) auth and (2) userId fields in a cookie.
17-10-2016 - 23:19 11-05-2005 - 00:00
CVE-2005-1377 7.5
Multiple PHP remote file inclusion vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to execute arbitrary PHP code via unknown vectors.
17-10-2016 - 23:19 03-05-2005 - 00:00
CVE-2005-1376 7.5
Multiple directory traversal vulnerabilities in (1) document.php or (2) insertMyDoc.php in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote project administrators to upload arbitrary files.
17-10-2016 - 23:19 03-05-2005 - 00:00
CVE-2005-1375 7.5
Multiple SQL injection vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to execute arbitrary SQL commands via (1) learningPath.php, (2) learningPathAdmin.php, (3) learnPath_details.php, (
17-10-2016 - 23:19 03-05-2005 - 00:00
CVE-2005-1374 6.8
Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to inject arbitrary web script or HTML via (1) exercise_result.php, (2) exercice_submit.php, (3) agend
17-10-2016 - 23:19 03-05-2005 - 00:00
CVE-2005-1373 7.5
Multiple SQL injection vulnerabilities in index.php in Dream4 Koobi CMS 4.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) q or (2) p parameters.
17-10-2016 - 23:19 03-05-2005 - 00:00
CVE-2005-1284 7.5
The addnew script in Argosoft Mail Server Pro 1.8.7.6 allows remote attackers to create arbitrary accounts, even if "Allow Creation of Accounts From the Web Interface" is disabled, via a direct HTTP POST request.
17-10-2016 - 23:18 02-05-2005 - 00:00
CVE-2005-1283 7.5
Multiple directory traversal vulnerabilities in Argosoft Mail Server Pro 1.8.7.6 allow remote authenticated users to (1) read arbitrary files via the UIDL parameter to the msg script or (2) copy or move the user's .eml file to arbitrary locations via
17-10-2016 - 23:18 22-04-2005 - 00:00
CVE-2005-1282 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Argosoft Mail Server Pro 1.8.7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the src parameter in an IMG tag, (2) User settings, or (3) Address book input boxes in the w
17-10-2016 - 23:18 02-05-2005 - 00:00
CVE-2005-1226 7.5
Coppermine Photo Gallery 1.3.2 stores passwords in plaintext, which allows remote attackers to obtain sensitive information.
17-10-2016 - 23:18 02-05-2005 - 00:00
CVE-2005-1225 7.5
SQL injection vulnerability in Coppermine Photo Gallery 1.3.2 allows remote attackers to execute arbitrary SQL commands via the favs parameter to (1) init.inc.php or (2) zipdownload.php.
17-10-2016 - 23:18 02-05-2005 - 00:00
CVE-2005-1224 7.5
Multiple SQL injection vulnerabilities in DUware DUportal Pro 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) nChannel parameter to default.asp, cat.asp, or detail.asp, (2) the iChannel parameter to search.asp, default.asp, r
17-10-2016 - 23:18 02-05-2005 - 00:00
CVE-2005-1222 7.5
cat_for_gen.php in Annuaire Netref 4.2 allows remote attackers to execute arbitrary PHP code by setting the ad_direct parameter to reference cat_for_gen.php, then including the code in the m_for_racine parameter, which is then written to cat_for_gen.
17-10-2016 - 23:18 02-05-2005 - 00:00
CVE-2005-1203 7.5
Multiple SQL injection vulnerabilities in index.php in eGroupware before 1.0.0.007 allow remote attackers to execute arbitrary SQL commands via the (1) filter or (2) cats_app parameter.
17-10-2016 - 23:18 02-05-2005 - 00:00
CVE-2005-1202 6.8
Multiple cross-site scripting (XSS) vulnerabilities in eGroupware before 1.0.0.007 allow remote attackers to inject arbitrary web script or HTML via the (1) ab_id, (2) page, (3) type, or (4) lang parameter to index.php or (5) category_id parameter.
17-10-2016 - 23:18 02-05-2005 - 00:00
CVE-2005-1101 7.5
Multiple buffer overflows in Lotus Domino Server 6.0.5 and 6.5.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via large amounts of data in certain (1) time or (2) date fields.
17-10-2016 - 23:17 02-05-2005 - 00:00
CVE-2005-1054 7.5
PHP remote file inclusion vulnerability in news.php in ModernBill 4.3.0 and earlier allows remote attackers to execute arbitrary PHP code by modifying the DIR parameter to reference a URL on a remote web server that contains the code.
17-10-2016 - 23:16 02-05-2005 - 00:00
CVE-2005-1053 4.3
Multiple cross-site scripting (XSS) vulnerabilities in orderwiz.php in ModernBill 4.3.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) c_code or (2) aid parameters.
17-10-2016 - 23:16 02-05-2005 - 00:00
CVE-2005-1033 5.0
CubeCart 2.0.6 allows remote attackers to obtain sensitive information via an invalid (1) language parameter to index.php, (2) PHPSESSID parameter to index.php, (3) product parameter to tellafriend.php, (4) add parameter to view_cart.php, or (5) prod
17-10-2016 - 23:16 02-05-2005 - 00:00
CVE-2005-1030 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Active Auction House allow remote attackers to inject arbitrary web script or HTML via the (1) ReturnURL, (2) password, (3) username parameter, (4) ReturnURL parameter to account.asp, (5) Table,
17-10-2016 - 23:16 02-05-2005 - 00:00
CVE-2005-1029 7.5
Multiple SQL injection vulnerabilities in Active Auction House allow remote attackers to execute arbitrary SQL commands via the (1) catid, (2) SortDir, or (3) Sortby parameter to default.asp, (4) itemID parameter to ItemInfo.asp, or (5) Email field t
17-10-2016 - 23:16 06-04-2005 - 00:00
CVE-2005-0694 5.0
Hosting Controller 6.1 Hotfix 1.7 and earlier stores log files under the web root, which allows remote attackers to obtain sensitive information via a direct request to HCDiskQuotaService.csv.
17-10-2016 - 23:13 07-03-2005 - 00:00
CVE-2005-0689 7.5
includer.cgi in The Includer allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the URL or (2) the template parameter.
17-10-2016 - 23:13 07-03-2005 - 00:00
CVE-2005-0657 6.4
Directory traversal vulnerability in Computalynx CProxy 3.3.x and 3.4.x through 3.4.4 allows remote attackers to read arbitrary files or cause a denial of service (application crash) via a .. (dot dot) in an HTTP request.
17-10-2016 - 23:13 02-05-2005 - 00:00
CVE-2005-0493 5.0
CRLF injection vulnerability in bizmail.cgi in Biz Mail Form before 2.2 allows remote attackers to bypass the email check and send spam e-mail via CRLF sequences and forged mail headers in the email parameter.
17-10-2016 - 23:12 02-05-2005 - 00:00
CVE-2005-0454 7.5
Multiple SQL injection vulnerabilities in DCP-Portal 6.1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the lcat, doc, or uid parameters to index.php, or (2) the mid or bid parameters to forums.php.
17-10-2016 - 23:11 02-05-2005 - 00:00
CVE-2005-0443 4.3
index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scripting (XSS) attacks via an invalid language parameter, which echoes the parameter in a PHP error message.
17-10-2016 - 23:11 02-05-2005 - 00:00
CVE-2005-0442 5.0
Directory traversal vulnerability in index.php for CubeCart 2.0.4 allows remote attackers to read arbitrary files via the language parameter.
17-10-2016 - 23:11 02-05-2005 - 00:00
CVE-2005-0368 7.5
Multiple SQL injection vulnerabilities in CMScore allow remote attackers to execute arbitrary SQL commands via the (1) EntryID or (2) searchterm parameter to index.php, or (3) username parameter to authenticate.php.
17-10-2016 - 23:11 02-05-2005 - 00:00
CVE-2005-0367 4.6
Multiple directory traversal vulnerabilities in ArGoSoft Mail Server 1.8.7.3 allow remote authenticated users to read, delete, or upload arbitrary files via a .. (dot dot) in (1) the filename of an e-mail attachment, (2) the _msgatt.rec file, (3) and
17-10-2016 - 23:11 09-02-2005 - 00:00
CVE-2005-0324 5.0
Infinite Mobile Delivery Webmail 2.6 allows remote attackers to gain sensitive information via an HTTP request that contains invalid characters for a Windows foldername, which reveals the path in an error message.
17-10-2016 - 23:10 02-05-2005 - 00:00
CVE-2005-0323 4.3
Cross-site scripting (XSS) vulnerability in Infinite Mobile Delivery Webmail 2.6 allows remote attackers to inject arbitrary web script or HTML via the URL.
17-10-2016 - 23:10 02-05-2005 - 00:00
CVE-2005-0321 2.1
MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allows remote authenticated users to gain sensitive information via an HTTP request to (1) calendar_d.html, (2) calendar_m.html, (3) calendar_w.html, or (4) calendar_y.html, which reveal the install
17-10-2016 - 23:10 02-05-2005 - 00:00
CVE-2005-0320 5.0
Multiple cross-site scripting vulnerabilities in MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to login.html, (2) accountid parameter to accountsetting
17-10-2016 - 23:10 28-01-2005 - 00:00
CVE-2005-0319 4.3
Direct remote injection vulnerability in modalfram.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to load external webpages that appear to come from the WebAdmin server, which allows remote attackers to inject arbitrary HTML or web script to fac
17-10-2016 - 23:10 28-01-2005 - 00:00
CVE-2005-0318 2.1
useredit_account.wdm in Alt-N WebAdmin 3.0.4 does not properly validate account edits by the logged in user, which allows remote authenticated users to edit other users' account information via a modified user parameter.
17-10-2016 - 23:10 28-01-2005 - 00:00
CVE-2005-0317 4.3
Cross-site scripting (XSS) vulnerability in useredit_account.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the user parameter.
17-10-2016 - 23:10 28-01-2005 - 00:00
CVE-2005-0310 5.0
Exponent 0.95 allows remote attackers to obtain sensitive information via a direct HTTP request to (1) search.info.php, (2) permissions.info.php, (3) security.info.php, (4) formcontrol.php, or (5) file_modules.php, which reveals the path in an error
17-10-2016 - 23:10 02-05-2005 - 00:00
CVE-2005-0299 5.0
Directory traversal vulnerability in GForge 3.3 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the (1) dir parameter to controller.php or (2) dir_name parameter to controlleroo.php.
17-10-2016 - 23:09 02-05-2005 - 00:00
CVE-2005-0296 5.0
** DISPUTED ** NOTE: this issue has been disputed by the vendor. The error module in Novell GroupWise WebAccess allows remote attackers who have not authenticated to read potentially sensitive information, such as the version, via an incorrect logi
17-10-2016 - 23:09 17-01-2005 - 00:00
CVE-2005-0293 5.0
Directory traversal vulnerability in minis.php in Minis 0.2.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the month parameter.
17-10-2016 - 23:09 02-05-2005 - 00:00
CVE-2005-0268 7.5
Direct code injection vulnerability in FlatNuke 2.5.1 allows remote attackers to execute arbitrary PHP code by placing the code into the url_avatar field.
17-10-2016 - 23:09 03-01-2005 - 00:00
CVE-2005-0267 7.5
index.php in FlatNuke 2.5.1 allows remote attackers to create an administrator account via carriage returns and #10 in the url_avatar field, which is interpreted as a sensitive directive.
17-10-2016 - 23:09 02-05-2005 - 00:00
CVE-2005-0217 7.5
SQL injection vulnerability in index.php in Invision Community Blog allows remote attackers to execute arbitrary SQL commands via the eid parameter.
17-10-2016 - 23:08 02-05-2005 - 00:00
CVE-2004-2124 5.0
The register_globals simulation capability in Gallery 1.3.1 through 1.4.1 allows remote attackers to modify the HTTP_POST_VARS variable and conduct a PHP remote file inclusion attack via the GALLERY_BASEDIR parameter, a different vulnerability than C
17-10-2016 - 23:06 31-12-2004 - 00:00
CVE-2004-2063 4.3
Cross-site scripting (XSS) vulnerability in antiboard.php in AntiBoard 0.7.2 and earlier allows remote attackers to inject arbitrary HTML or web script via the feedback parameter.
17-10-2016 - 23:05 31-12-2004 - 00:00
CVE-2004-2062 7.5
SQL injection vulnerability in antiboard.php in AntiBoard 0.7.2 and earlier allows remote attackers to execute arbitrary SQL via the (1) thread_id, (2) parent_id, or (3) mode parameters.
17-10-2016 - 23:05 31-12-2004 - 00:00
CVE-2004-2060 5.0
ASPRunner 2.4 stores the database under the web root in the db directory, which may allow remote attackers to obtain the database via a direct request to the database filename, which is predictable based on table and field names.
17-10-2016 - 23:05 31-12-2004 - 00:00
CVE-2004-2059 5.0
Multiple cross-site scripting vulnerabilities in ASPRunner 2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) SearchFor parameter in [TABLE-NAME]_search.asp, (2) SQL parameter in [TABLE-NAME]_edit.asp, (3) SearchFor paramet
17-10-2016 - 23:05 31-12-2004 - 00:00
CVE-2004-2058 5.0
ASPRunner 2.4 allows remote attackers to gain sensitive information via (1) hidden form fields or (2) error messages.
17-10-2016 - 23:05 31-12-2004 - 00:00
CVE-2004-2057 7.5
SQL injection vulnerability in ASPRunner 2.4 allows remote attackers to execute arbitrary SQL statements.
17-10-2016 - 23:05 31-12-2004 - 00:00
CVE-2004-2056 7.5
SQL injection vulnerability in action.php in Nucleus CMS 3.01 allows remote attackers to execute arbitrary SQL statements via the itemid parameter.
17-10-2016 - 23:05 31-12-2004 - 00:00
CVE-2004-2047 5.0
Directory traversal vulnerability in EasyWeb FileManager 1.0 RC-1 for PostNuke allows remote attackers to retrieve arbitrary files via a .. (dot dot) in the pathext parameter.
17-10-2016 - 23:05 23-07-2004 - 00:00
CVE-2004-2036 7.5
SQL injection vulnerability in the art_print function in print.inc.php in unknown versions of jPortal before 2.3.1 allows remote attackers to inject arbitrary SQL commands via the id parameter.
17-10-2016 - 23:05 28-05-2004 - 00:00
CVE-2004-1937 5.0
Multiple directory traversal vulnerabilities in Nuked-KlaN 1.4b and 1.5b allow remote attackers to read or include arbitrary files via .. sequences in (1) the user_langue parameter to index.php or (2) the langue parameter to update.php, or modify arb
17-10-2016 - 23:03 31-12-2004 - 00:00
CVE-2004-1888 7.5
display.cgi in Aborior Encore WebForum allows remote attackers to execute arbitrary commands via shell metacharacters in the file variable.
17-10-2016 - 23:02 31-12-2004 - 00:00
CVE-2004-1882 4.3
Cross-site scripting (XSS) vulnerability in popuplargeimage.asp in CactuShop 5.x allows remote attackers to inject arbitrary web script or HTML via the strImageTag parameter.
17-10-2016 - 23:02 31-12-2004 - 00:00
CVE-2004-1881 7.5
SQL injection vulnerability in (1) mailorder.asp or (2) payonline.asp in CactuShop 5.x allows remote attackers to execute arbitrary SQL commands via the strItems parameter.
17-10-2016 - 23:02 31-12-2004 - 00:00
CVE-2004-1865 1.9
Cross-site scripting (XSS) vulnerability in the administration panel in bBlog 0.7.2 allows remote authenticated users with superuser privileges to inject arbitrary web script or HTML via a blog name ($blogname). NOTE: if administrators are normally
17-10-2016 - 23:01 26-03-2004 - 00:00
CVE-2004-1806 7.5
SQL injection vulnerability in index.cfm in CFWebstore 5.0 allows remote attackers to execute SQL commands via the (1) category_id, (2) product_id, or (3) feature_id parameters.
17-10-2016 - 23:00 31-12-2004 - 00:00
CVE-2004-1770 10.0
The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter.
17-10-2016 - 23:00 11-03-2004 - 00:00
CVE-2004-1769 10.0
The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass.
17-10-2016 - 23:00 11-03-2004 - 00:00
CVE-2004-1734 7.5
PHP remote file inclusion vulnerability in Mantis 0.19.0a allows remote attackers to execute arbitrary PHP code by modifying the (1) t_core_path parameter to bug_api.php or (2) t_core_dir parameter to relationship_api.php to reference a URL on a remo
17-10-2016 - 23:00 31-12-2004 - 00:00
CVE-2004-1733 5.0
Directory traversal vulnerability in MyDMS 1.4.2 and other versions allows remote registered users to read arbitrary files via .. (dot dot) sequences in the URL.
17-10-2016 - 23:00 20-08-2004 - 00:00
CVE-2004-1732 7.5
SQL injection vulnerability in out.ViewFolder.php in MyDMS before 1.4.2 allows remote attackers to execute arbitrary SQL commands via the folderid parameter.
17-10-2016 - 23:00 20-08-2004 - 00:00
CVE-2004-1731 5.0
signup_page.php in Mantis bugtracker allows remote attackers to send e-mail bombs by creating multiple users and providing the same e-mail address.
17-10-2016 - 23:00 20-08-2004 - 00:00
CVE-2004-1730 4.3
Cross-site scripting (XSS) vulnerability in Mantis bugtracker allows remote attackers to inject arbitrary web script or HTML via (1) the return parameter to login_page.php, (2) e-mail field in signup.php, (3) action parameter to login_select_proj_pag
17-10-2016 - 23:00 31-12-2004 - 00:00
CVE-2004-1722 7.5
SQL injection vulnerability in calendar.html in Merak Mail Server 5.2.7 allows remote attackers to execute arbitrary SQL statements via the schedule parameter.
17-10-2016 - 22:59 17-08-2004 - 00:00
CVE-2004-1721 5.0
The (1) function.php or (2) function.view.php scripts in Merak Mail Server 5.2.7 allow remote attackers to read arbitrary PHP files via a direct HTTP request to port 32000.
17-10-2016 - 22:59 17-08-2004 - 00:00
CVE-2004-1720 5.0
The (1) address.html and possibly (2) calendar.html pages in Merak Mail Server 5.2.7 allow remote attackers to gain sensitive information via an invalid HTTP request, which reveals the installation path. NOTE: it is unclear whether the calendar.html
17-10-2016 - 22:59 17-08-2004 - 00:00
CVE-2004-1719 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Merak Webmail Server 5.2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) category, (2) cserver, (3) ext, (4) global, (5) showgroups, (6) or showlite parameters to addr
17-10-2016 - 22:59 17-08-2004 - 00:00
CVE-2004-1696 5.0
EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to cause a denial of service (application crash) via a sequence of carriage returns sent to TCP port 66.
17-10-2016 - 22:59 21-09-2004 - 00:00
CVE-2004-1695 10.0
EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to bypass authentication for the remote administration feature via a URL that contains an extra leading / (slash).
17-10-2016 - 22:59 20-09-2004 - 00:00
CVE-2004-1674 7.5
viewaction.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to (1) delete arbitrary files via the originalfolder parameter or (2) move arbitrary files via the messageid parameter.
17-10-2016 - 22:58 12-10-2004 - 00:00
CVE-2004-1673 7.5
accountsettings_add.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to create text files with arbitrary content via the accountid parameter.
17-10-2016 - 22:58 12-10-2004 - 00:00
CVE-2004-1672 7.5
attachment.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to view other users' attachments by specifying the username and message ID in an HTTP request.
17-10-2016 - 22:58 12-10-2004 - 00:00
CVE-2004-1671 5.0
Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to gain sensitive information via a direct request to (1) accountsettings_add.html or (2) topmenu.html.
17-10-2016 - 22:58 12-10-2004 - 00:00
CVE-2004-1670 7.5
Multiple directory traversal vulnerabilities in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7, and possibly other versions, allow remote attackers to (1) create arbitrary directories via a .. (dot dot) in the user parameter to viewaction.html or (
17-10-2016 - 22:58 10-09-2004 - 00:00
CVE-2004-1669 4.3
Cross-site scripting (XSS) vulnerability in MERAK Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to execute arbitrary web script or HTML via the (1) User name parameter to accountsettings.html or (2)
17-10-2016 - 22:58 10-09-2004 - 00:00
CVE-2004-1635 5.0
Bugzilla 2.17.1 through 2.18rc2 and 2.19 from cvs, when using the insidergroup feature, does not sufficiently protect private attachments when there are changes to the metadata, such as filename, description, MIME type, or review flags, which allows
17-10-2016 - 22:58 24-10-2004 - 00:00
CVE-2004-1634 5.0
show_bug.cgi in Bugzilla 2.17.1 through 2.18rc2 and 2.19 from CVS, when using the insidergroup feature and exporting a bug to XML, shows comments and attachment summaries which are marked as private, which allows remote attackers to gain sensitive in
17-10-2016 - 22:58 25-10-2004 - 00:00
CVE-2004-1582 7.5
PHP remote file inclusion vulnerability in BlackBoard 1.5.1 allows remote attackers to execute arbitrary PHP code by modifying the libpath parameter (incorrectly called "libpach") to reference a URL on a remote web server that contains _more.php, as
17-10-2016 - 22:57 31-12-2004 - 00:00
CVE-2004-1580 7.5
SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1570 7.5
SQL injection vulnerability in bBlog 0.7.2 and 0.7.3 allows remote attackers to execute arbitrary SQL commands via the p parameter.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1554 7.5
PHP remote file inclusion vulnerability in livre_include.php in @lex Guestbook allows remote attackers to execute arbitrary PHP code by modifying the chem_absolu parameter to reference a URL on a remote web server that contains the code.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1552 7.5
SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the eventid parameter to calendar.asp.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1543 5.0
Directory traversal vulnerability in viewimg.php in KorWeblog 1.6.2-cvs and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the path parameter.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1536 7.5
SQL injection vulnerability in index.php in the ibProArcade module for Invision Power Board (IPB) 1.x and 2.x allows remote attackers to execute arbitrary SQL commands via the cat parameter.
17-10-2016 - 22:56 31-12-2004 - 00:00
CVE-2004-1531 7.5
SQL injection vulnerability in post.php in Invision Power Board (IPB) 2.0.0 through 2.0.2 allows remote attackers to execute arbitrary SQL commands via the qpid parameter.
17-10-2016 - 22:55 31-12-2004 - 00:00
CVE-2004-1456 7.5
filediff in CVStrac allows remote attackers to execute arbitrary commands via shell metacharacters in rcsinfo.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1430 7.5
SQL injection vulnerability in the show_stats module in Arcade.php in IbProArcade allows remote attackers to execute arbitrary SQL code via the gameid parameter.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1427 7.5
PHP remote file inclusion vulnerability in main.inc in KorWeblog 1.6.2-cvs and earlier allows remote attackers to execute arbitrary PHP code by modifying the G_PATH parameter to reference a URL on a remote web server that contains the code, as demons
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1426 5.0
Directory traversal vulnerability in index.php in KorWeblog 1.6.2-cvs and earlier allows remote attackers to read arbitrary files and execute arbitrary PHP files via .. (dot dot) sequences in the lng parameter.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1425 5.0
Directory traversal vulnerability in file.php in Moodle 1.4.2 and earlier allows remote attackers to read arbitrary session files for known session IDs via a .. (dot dot) in the file parameter.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1424 4.3
Cross-site scripting (XSS) vulnerability in view.php in Moodle 1.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1415 5.0
SQL injection vulnerability in (1) disp_album.php and possibly (2) disp_img.php in 2Bgal 2.4 and 2.5.1 allows remote attackers to execute arbitrary SQL commands via the id_album parameter.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1406 7.5
SQL injection vulnerability in ikonboard.cgi in Ikonboard 3.1.0 through 3.1.3 allows remote attackers to inject arbitrary SQL commands via the (1) st or (2) keywords parameter.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1405 7.5
MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1403 7.5
PHP remote file inclusion vulnerability in index.php in GNUBoard 3.39 and earlier allows remote attackers to execute arbitrary PHP code by modifying the doc parameter to reference a URL on a remote web server that contains the code.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1402 10.0
SQL injection vulnerability in iWebNegar allows remote attackers to execute arbitrary SQL commands via (1) the string parameter for index.php, (2) comments.php, or (3) the administrator login page.
17-10-2016 - 22:54 31-12-2004 - 00:00
CVE-2004-1223 5.0
The Management Agent in F-Secure Policy Manager 5.11.2810 allows remote attackers to gain sensitive information, such as the absolute path for the web server, via an HTTP request to fsmsh.dll without any parameters.
17-10-2016 - 22:52 10-01-2005 - 00:00
CVE-2004-0707 7.5
SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, allows remote attackers with privileges to grant membership to any group to execute arbitrary SQL.
17-10-2016 - 22:48 27-07-2004 - 00:00
CVE-2004-0706 2.1
Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, which could allow local users to view the password in the web server log files.
17-10-2016 - 22:48 27-07-2004 - 00:00
CVE-2004-0705 6.8
Multiple cross-site scripting (XSS) vulnerabilities in (1) editcomponents.cgi, (2) editgroups.cgi, (3) editmilestones.cgi, (4) editproducts.cgi, (5) editusers.cgi, and (6) editversions.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, al
17-10-2016 - 22:48 27-07-2004 - 00:00
CVE-2004-0704 5.0
Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi in Bugzilla 2.16.x before 2.16.6, 2.18 before 2.18rc1, when configured to hide products, allows remote attackers to view hidden products.
17-10-2016 - 22:48 27-07-2004 - 00:00
CVE-2004-0703 7.5
Unknown vulnerability in the administrative controls in Bugzilla 2.17.1 through 2.17.7 allows users with "grant membership" privileges to grant memberships to groups that the user does not control.
17-10-2016 - 22:48 27-07-2004 - 00:00
CVE-2004-0702 5.0
DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password in an error message when the SQL server is not running, which could allow remote attackers to gain sensitive information.
17-10-2016 - 22:48 27-07-2004 - 00:00
CVE-2004-0682 7.5
comersus_gatewayPayPal.asp in Comersus Cart 5.09, and possibly other versions before 5.098, allows remote attackers to change the prices of items by directly modifying them in the URL.
17-10-2016 - 22:47 06-08-2004 - 00:00
CVE-2004-0681 6.8
Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_customerAuthenticateForm.asp, (2) comersus_backoffice_message.asp, (3) comersus_supportError.asp, or (4) comersus_message.asp in Comersus Cart 5.09 allow remote attackers to execute
17-10-2016 - 22:47 06-08-2004 - 00:00
CVE-2004-0300 10.0
SQL injection vulnerability in Online Store Kit 3.0 allows remote attackers to inject arbitrary SQL and gain unauthorized access via (1) the cat parameter in shop.php, (2) the id parameter in more.php, (3) the cat_manufacturer parameter in shop_by_br
17-10-2016 - 22:43 23-11-2004 - 00:00
CVE-2004-0237 5.0
Directory traversal vulnerability in index.php in Aprox PHP Portal allows remote attackers to read arbitrary files via a full pathname in the show parameter.
17-10-2016 - 22:42 23-11-2004 - 00:00
CVE-2004-0200 9.3
Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to
17-10-2016 - 22:41 28-09-2004 - 00:00
CVE-2004-0073 7.5
PHP remote file inclusion vulnerability in (1) config.php and (2) config_page.php for EasyDynamicPages 2.0 allows remote attackers to execute arbitrary PHP code by modifying the edp_relative_path parameter to reference a URL on a remote web server th
17-10-2016 - 22:40 17-02-2004 - 00:00
CVE-2003-0770 7.5
FUNC.pm in IkonBoard 3.1.2a and earlier, including 3.1.1, does not properly cleanse the "lang" cookie when it contains illegal characters, which allows remote attackers to execute arbitrary code when the cookie is inserted into a Perl "eval" statemen
17-10-2016 - 22:37 22-09-2003 - 00:00
CVE-2003-0528 10.0
Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CV
17-10-2016 - 22:35 17-09-2003 - 00:00
CVE-2003-0509 10.0
SQL injection vulnerability in Cyberstrong eShop 4.2 and earlier allows remote attackers to steal authentication information and gain privileges via the ProductCode parameter in (1) 10expand.asp, (2) 10browse.asp, and (3) 20review.asp.
17-10-2016 - 22:34 07-08-2003 - 00:00
CVE-2003-0488 5.1
Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServer 5.6.3 allow remote attackers to insert arbitrary web script via (1) the add_name parameter in the add_acl module, or (2) the alias parameter in the do_map module.
17-10-2016 - 22:34 07-08-2003 - 00:00
CVE-2003-0487 7.5
Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add
17-10-2016 - 22:34 07-08-2003 - 00:00
CVE-2003-0394 7.5
objects.inc.php4 in BLNews 2.1.3 allows remote attackers to execute arbitrary PHP code via a Server[path] parameter that points to malicious code on an attacker-controlled web site.
17-10-2016 - 22:33 02-07-2003 - 00:00
CVE-2003-0377 7.5
SQL injection vulnerability in the web-based administration interface for iisPROTECT 2.2-r4, and possibly earlier versions, allows remote attackers to insert arbitrary SQL and execute code via certain variables, as demonstrated using the GroupName va
17-10-2016 - 22:33 16-06-2003 - 00:00
CVE-2003-0272 10.0
admin.php in miniPortail allows remote attackers to gain administrative privileges by setting the miniPortailAdmin cookie to an "adminok" value.
17-10-2016 - 22:31 27-05-2003 - 00:00
CVE-2003-0169 5.0
hpnst.exe in the GoAhead-Webs webserver for HP Instant TopTools before 5.55 allows remote attackers to cause a denial of service (CPU consumption) via a request to hpnst.exe that calls itself, which causes an infinite loop.
17-10-2016 - 22:30 11-04-2003 - 00:00
CVE-2003-0162 7.5
Ecartis 1.0.0 (formerly listar) before snapshot 20030227 allows remote attackers to reset passwords of other users and gain privileges by modifying hidden form fields in the HTML page.
17-10-2016 - 22:30 02-04-2003 - 00:00
CVE-2003-0156 5.0
Directory traversal vulnerability in Cross-Referencing Linux (LXR) allows remote attackers to read arbitrary files via .. (dot dot) sequences in the v parameter.
17-10-2016 - 22:30 24-03-2003 - 00:00
CVE-2003-0154 6.8
Cross-site scripting vulnerabilities (XSS) in bonsai Mozilla CVS query tool allow remote attackers to execute arbitrary web script via (1) the file, root, or rev parameters to cvslog.cgi, (2) the file or root parameters to cvsblame.cgi, (3) various p
17-10-2016 - 22:30 02-04-2003 - 00:00
CVE-2003-0153 5.0
bonsai Mozilla CVS query tool leaks the absolute pathname of the tool in certain error messages generated by (1) cvslog.cgi, (2) cvsview2.cgi, or (3) multidiff.cgi.
17-10-2016 - 22:30 02-04-2003 - 00:00
CVE-2003-0118 7.5
SQL injection vulnerability in the Document Tracking and Administration (DTA) website of Microsoft BizTalk Server 2000 and 2002 allows remote attackers to execute operating system commands via a request to (1) rawdocdata.asp or (2) RawCustomSearchFie
17-10-2016 - 22:29 12-05-2003 - 00:00
CVE-2003-0117 7.5
Buffer overflow in the HTTP receiver function (BizTalkHTTPReceive.dll ISAPI) of Microsoft BizTalk Server 2002 allows attackers to execute arbitrary code via a certain request to the HTTP receiver.
17-10-2016 - 22:29 12-05-2003 - 00:00
CVE-2003-0025 7.5
Multiple SQL injection vulnerabilities in IMP 2.2.8 and earlier allow remote attackers to perform unauthorized database activities and possibly gain privileges via certain database functions such as check_prefs() in db.pgsql, as demonstrated using ma
17-10-2016 - 22:28 17-01-2003 - 00:00
CVE-2003-0013 7.5
The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remo
17-10-2016 - 22:28 17-01-2003 - 00:00
CVE-2003-0012 2.1
The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 sets world-writable permissions for the data/mining directory when it runs, which allows local users to modify or delete the data.
17-10-2016 - 22:28 17-01-2003 - 00:00
CVE-2002-2260 4.3
Cross-site scripting (XSS) vulnerability in the quips feature in Mozilla Bugzilla 2.10 through 2.17 allows remote attackers to inject arbitrary web script or HTML via the "show all quips" page.
17-10-2016 - 22:27 31-12-2002 - 00:00
CVE-2002-1361 10.0
overflow.cgi CGI script in Sun Cobalt RaQ 4 with the SHP (Security Hardening Patch) installed allows remote attackers to execute arbitrary code via a POST request with shell metacharacters in the email parameter.
17-10-2016 - 22:26 23-12-2002 - 00:00
CVE-2002-1198 7.5
Bugzilla 2.16.x before 2.16.1 does not properly filter apostrophes from an email address during account creation, which allows remote attackers to execute arbitrary SQL via a SQL injection attack.
17-10-2016 - 22:24 28-10-2002 - 00:00
CVE-2002-1197 7.5
bugzilla_email_append.pl in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, allows remote attackers to execute arbitrary code via shell metacharacters in a system call to processmail.
17-10-2016 - 22:24 28-10-2002 - 00:00
CVE-2002-1196 7.5
editproducts.cgi in Bugzilla 2.14.x before 2.14.4, and 2.16.x before 2.16.1, when the "usebuggroups" feature is enabled and more than 47 groups are specified, does not properly calculate bit values for large numbers, which grants extra permissions to
17-10-2016 - 22:24 28-10-2002 - 00:00
CVE-2002-1116 7.5
The "View Bugs" page (view_all_bug_page.php) in Mantis 0.17.4a and earlier includes summaries of private bugs for users that do not have access to any projects.
17-10-2016 - 22:23 04-10-2002 - 00:00
CVE-2002-1115 5.0
Mantis 0.17.4a and earlier allows remote attackers to view private bugs by modifying the f_id bug ID parameter to (1) bug_update_advanced_page.php, (2) bug_update_page.php, (3) view_bug_advanced_page.php, or (4) view_bug_page.php.
17-10-2016 - 22:23 04-10-2002 - 00:00
CVE-2002-1114 7.5
config_inc2.php in Mantis before 0.17.4 allows remote attackers to execute arbitrary code or read arbitrary files via the parameters (1) g_bottom_include_page, (2) g_top_include_page, (3) g_css_include_file, (4) g_meta_include_file, or (5) a cookie.
17-10-2016 - 22:23 04-10-2002 - 00:00
CVE-2002-1113 7.5
summary_graph_functions.php in Mantis 0.17.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the g_jpgraph_path parameter to reference the location of the PHP code.
17-10-2016 - 22:23 04-10-2002 - 00:00
CVE-2002-1112 5.0
Mantis before 0.17.4 allows remote attackers to list project bugs without authentication by modifying the cookie that is used by the "View Bugs" page.
17-10-2016 - 22:23 04-10-2002 - 00:00
CVE-2002-1111 5.0
print_all_bug_page.php in Mantis 0.17.3 and earlier does not verify the limit_reporters option, which allows remote attackers to view bug summaries for bugs that would otherwise be restricted.
17-10-2016 - 22:23 04-10-2002 - 00:00
CVE-2002-1110 10.0
Multiple SQL injection vulnerabilities in Mantis 0.17.2 and earlier, when running without magic_quotes_gpc enabled, allow remote attackers to gain privileges or perform unauthorized database operations via modified form fields, e.g. to account_updat
17-10-2016 - 22:23 04-10-2002 - 00:00
CVE-2002-0282 5.0
DCP-Portal 3.7 through 4.5 allows remote attackers to obtain the physical path of the server via (1) a direct request to add_user.php, or via an invalid new_language parameter in (2) contents.php, (3) categories.php, or (4) files.php, which leaks the
17-10-2016 - 22:18 31-05-2002 - 00:00
CVE-2002-0273 4.6
Buffer overflow in CWMail.exe in NetWin before 2.8a allows remote authenticated users to execute arbitrary code via a long item parameter.
17-10-2016 - 22:18 31-05-2002 - 00:00
CVE-2002-0232 5.0
Directory traversal vulnerability in Multi Router Traffic Grapher (MRTG) allows remote attackers to read portions of arbitrary files via a .. (dot dot) in the cfg parameter for (1) 14all.cgi, (2) 14all-1.1.cgi, (3) traffic.cgi, or (4) mrtg.cgi.
17-10-2016 - 22:17 29-05-2002 - 00:00
CVE-2002-0177 7.5
Buffer overflows in icecast 1.3.11 and earlier allow remote attackers to execute arbitrary code via a long HTTP GET request from an MP3 client.
17-10-2016 - 22:16 22-04-2002 - 00:00
CVE-2002-0098 7.5
Buffer overflow in index.cgi administration interface for Boozt! Standard 0.9.8 allows local users to execute arbitrary code via a long name field when creating a new banner.
17-10-2016 - 22:16 25-03-2002 - 00:00
CVE-2001-0924 5.0
Directory traversal vulnerability in ifx CGI program in Informix Web DataBlade allows remote attackers to read arbitrary files via a .. (dot dot) in the LO parameter.
17-10-2016 - 22:13 22-11-2001 - 00:00
CVE-2001-0899 7.5
Network Tools 0.2 for PHP-Nuke allows remote attackers to execute commands on the server via shell metacharacters in the $hostinput variable.
17-10-2016 - 22:12 16-11-2001 - 00:00
CVE-2001-0871 7.5
Directory traversal vulnerability in HTTP server for Alchemy Eye and Alchemy Network Monitor allows remote attackers to execute arbitrary commands via an HTTP request containing (1) a .. in versions 2.0 through 2.6.18, or (2) a DOS device name follow
17-10-2016 - 22:12 21-12-2001 - 00:00
CVE-2001-0857 7.5
Cross-site scripting vulnerability in status.php3 in Imp Webmail 2.2.6 and earlier allows remote attackers to gain access to the e-mail of other users by hijacking session cookies via the message parameter.
17-10-2016 - 22:12 06-12-2001 - 00:00
CVE-2001-0839 7.5
ibillpm.pl in iBill password management system generates weak passwords based on a client's MASTER_ACCOUNT, which allows remote attackers to modify account information in the .htpasswd file via brute force password guessing.
17-10-2016 - 22:12 06-12-2001 - 00:00
CVE-2001-0834 6.4
htsearch CGI program in htdig (ht://Dig) 3.1.5 and earlier allows remote attackers to use the -c option to specify an alternate configuration file, which could be used to (1) cause a denial of service (CPU consumption) by specifying a large file such
17-10-2016 - 22:12 06-12-2001 - 00:00
CVE-2001-0614 7.5
Carello E-Commerce 1.2.1 and earlier allows a remote attacker to gain additional privileges and execute arbitrary commands via a specially constructed URL.
17-10-2016 - 22:11 22-08-2001 - 00:00
CVE-2001-0154 7.5
HTML e-mail feature in Internet Explorer 5.5 and earlier allows attackers to execute attachments by setting an unusual MIME type for the attachment, which Internet Explorer does not process correctly.
17-10-2016 - 22:10 03-05-2001 - 00:00
CVE-2000-1050 5.0
Allaire JRun 3.0 http servlet server allows remote attackers to directly access the WEB-INF directory via a URL request that contains an extra "/" in the beginning of the request (aka the "extra leading slash").
17-10-2016 - 22:08 11-12-2000 - 00:00
CVE-2000-1024 10.0
eWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands.
17-10-2016 - 22:08 11-12-2000 - 00:00
CVE-2000-0538 5.0
ColdFusion Administrator for ColdFusion 4.5.1 and earlier allows remote attackers to cause a denial of service via a long login password.
17-10-2016 - 22:07 07-06-2000 - 00:00
CVE-2000-0429 7.5
A backdoor password in Cart32 3.0 and earlier allows remote attackers to execute arbitrary commands.
17-10-2016 - 22:07 27-04-2000 - 00:00
CVE-2000-0401 7.5
Buffer overflows in redirect.exe and changepw.exe in PDGSoft shopping cart allow remote attackers to execute arbitrary commands via a long query string.
17-10-2016 - 22:06 01-05-2000 - 00:00
CVE-2000-0239 5.0
Buffer overflow in the MERCUR WebView WebMail server allows remote attackers to cause a denial of service via a long mail_user parameter in the GET request.
17-10-2016 - 22:06 15-03-2000 - 00:00
CVE-2000-0138 5.0
A system has a distributed denial of service (DDOS) attack master, agent, or zombie installed, such as (1) Trinoo, (2) Tribe Flood Network (TFN), (3) Tribe Flood Network 2000 (TFN2K), (4) stacheldraht, (5) mstream, or (6) shaft.
17-10-2016 - 22:06 02-05-2000 - 00:00
CVE-2000-0113 7.5
The SyGate Remote Management program does not properly restrict access to its administration service, which allows remote attackers to cause a denial of service, or access network traffic statistics.
17-10-2016 - 22:06 27-01-2000 - 00:00
CVE-1999-1550 5.0
bigconf.conf in F5 BIG/ip 2.1.2 and earlier allows remote attackers to read arbitrary files by specifying the target file in the "file" parameter.
17-10-2016 - 22:05 08-11-1999 - 00:00
CVE-1999-1530 3.6
cgiwrap as used on Cobalt RaQ 2.0 and RaQ 3i does not properly identify the user for running certain scripts, which allows a malicious site administrator to view or modify data located at another virtual site on the same system.
17-10-2016 - 22:05 08-11-1999 - 00:00
CVE-1999-1508 10.0
Web server in Tektronix PhaserLink Printer 840.0 and earlier allows a remote attacker to gain administrator access by directly calling undocumented URLs such as ncl_items.html and ncl_subjects.html.
17-10-2016 - 22:05 16-11-1999 - 00:00
CVE-1999-1376 10.0
Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands.
17-10-2016 - 22:03 14-01-1999 - 00:00
CVE-1999-1030 5.0
counter.exe 2.70 allows a remote attacker to cause a denial of service (hang) via an HTTP request that ends in %0A (newline), which causes a malformed entry in the counter log that produces an access violation.
17-10-2016 - 22:00 19-05-1999 - 00:00
CVE-1999-0947 7.5
AN-HTTPd provides example CGI scripts test.bat, input.bat, input2.bat, and envout.bat, which allow remote attackers to execute commands via shell metacharacters.
17-10-2016 - 21:59 02-11-1999 - 00:00
CVE-2012-5653 6.0
The file upload feature in Drupal 6.x before 6.27 and 7.x before 7.18 allows remote authenticated users to bypass the protection mechanism and execute arbitrary PHP code via a null byte in a file name.
21-09-2016 - 09:45 02-01-2013 - 20:55
CVE-2013-3437 6.5
SQL injection vulnerability in the management application in Cisco Unified Operations Manager allows remote authenticated users to execute arbitrary SQL commands via an entry field, aka Bug ID CSCud80179.
16-09-2016 - 14:03 23-07-2013 - 07:03
CVE-2014-7883 5.0
HP Universal CMDB (UCMDB) Probe 9.05, 10.01, and 10.11 enables the HTTP TRACE method, which allows remote attackers to obtain sensitive information by reading the headers of a response.
06-09-2016 - 10:28 15-02-2015 - 15:59
CVE-2006-0818 4.0
Absolute path directory traversal vulnerability in (1) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and (2) VisNetic MailServer before 8.5.0.5 allows remote authenticated users to include arbitrary files via a modified lang
30-08-2016 - 21:59 21-07-2006 - 10:03
CVE-2006-0817 5.0
Absolute path directory traversal vulnerability in (a) MERAK Mail Server for Windows 8.3.8r with before IceWarp Web Mail 5.6.1 and (b) VisNetic MailServer before 8.5.0.5 allows remote attackers to include arbitrary files via a full Windows path and d
30-08-2016 - 21:59 21-07-2006 - 10:03
CVE-2016-6909 10.0
Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9 and FortiSwitch before 3.4.3 allows remote attackers to execute arbitrary code via a crafted HTTP request, aka EGREGIOUSBLUNDER.
24-08-2016 - 16:27 24-08-2016 - 12:30
CVE-2008-5077 5.8
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
22-08-2016 - 21:59 07-01-2009 - 12:30
CVE-2014-3679 5.0
The Monitoring plugin before 1.53.0 for Jenkins allows remote attackers to obtain sensitive information by accessing unspecified pages.
15-07-2016 - 11:01 16-10-2014 - 15:55
CVE-2014-3678 4.3
Cross-site scripting (XSS) vulnerability in the Monitoring plugin before 1.53.0 for Jenkins allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
15-07-2016 - 11:01 10-10-2014 - 10:55
CVE-2013-2034 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allow remote attackers to hijack the authentication of administrators for re
15-07-2016 - 10:32 14-05-2014 - 15:55
CVE-2013-2033 2.1
Cross-site scripting (XSS) vulnerability in Jenkins before 1.514, LTS before 1.509.1, and Enterprise 1.466.x before 1.466.14.1 and 1.480.x before 1.480.4.1 allows remote authenticated users with write permission to inject arbitrary web script or HTML
15-07-2016 - 10:30 10-04-2014 - 16:29
CVE-2013-0158 2.6
Unspecified vulnerability in Jenkins before 1.498, Jenkins LTS before 1.480.2, and Jenkins Enterprise 1.447.x before 1.447.6.1 and 1.466.x before 1.466.12.1, when a slave is attached and anonymous read access is enabled, allows remote attackers to ob
15-07-2016 - 10:29 24-02-2013 - 17:55
CVE-2016-0792 9.0
Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
14-07-2016 - 16:42 07-04-2016 - 19:59
CVE-2016-0791 7.5
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify CSRF tokens, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force approach.
14-07-2016 - 16:42 07-04-2016 - 19:59
CVE-2016-0790 5.0
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.
14-07-2016 - 16:41 07-04-2016 - 19:59
CVE-2016-0789 4.3
CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
14-07-2016 - 16:41 07-04-2016 - 19:59
CVE-2016-0788 10.0
The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
14-07-2016 - 15:03 07-04-2016 - 19:59
CVE-2014-9583 10.0
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass au
30-06-2016 - 13:54 08-01-2015 - 15:59
CVE-2013-5588 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the step parameter to install/index.php or (2) the id parameter to cacti/host.php.
29-06-2016 - 10:12 29-08-2013 - 08:07
CVE-2014-3681 4.3
Cross-site scripting (XSS) vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
28-06-2016 - 13:17 15-10-2014 - 10:55
CVE-2014-9714 4.3
Cross-site scripting (XSS) vulnerability in the WddxPacket::recursiveAddVar function in HHVM (aka the HipHop Virtual Machine) before 3.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted string to the wddx_serialize_value
24-06-2016 - 11:55 13-04-2015 - 10:59
CVE-2007-4629 7.5
Buffer overflow in the processLine function in maptemplate.c in MapServer before 4.10.3 allows attackers to cause a denial of service and possibly execute arbitrary code via a mapfile with a long layer name, group name, or metadata entry name.
15-06-2016 - 12:28 30-08-2007 - 21:17
CVE-2014-3680 4.0
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.
15-06-2016 - 10:34 16-10-2014 - 15:55
CVE-2014-3667 4.0
Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code.
15-06-2016 - 10:34 16-10-2014 - 15:55
CVE-2014-3666 7.5
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to execute arbitrary code via a crafted packet to the CLI channel.
15-06-2016 - 10:33 16-10-2014 - 15:55
CVE-2014-3664 4.0
Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/READ permission to read arbitrary files via unspecified vectors.
15-06-2016 - 10:33 15-10-2014 - 10:55
CVE-2014-3663 6.0
Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/CONFIGURE permission to bypass intended restrictions and create or destroy arbitrary jobs via unspecified vectors.
15-06-2016 - 09:36 16-10-2014 - 15:55
CVE-2014-3662 5.0
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts.
14-06-2016 - 14:48 16-10-2014 - 15:55
CVE-2014-3661 5.0
Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to cause a denial of service (thread consumption) via vectors related to a CLI handshake.
13-06-2016 - 19:45 16-10-2014 - 15:55
CVE-2014-2068 3.5
The doIndex function in hudson/util/RemotingDiagnostics.java in CloudBees Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users with the ADMINISTER permission to obtain sensitive information via vectors related to heapDump.
13-06-2016 - 19:43 17-10-2014 - 11:55
CVE-2014-2066 6.8
Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.
13-06-2016 - 19:40 17-10-2014 - 11:55
CVE-2014-2065 4.3
Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.
13-06-2016 - 19:39 17-10-2014 - 11:55
CVE-2014-2064 5.0
The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts.
13-06-2016 - 19:38 17-10-2014 - 11:55
CVE-2014-2063 7.5
Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
13-06-2016 - 19:36 17-10-2014 - 11:55
CVE-2014-2062 6.5
Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.
13-06-2016 - 19:36 17-10-2014 - 11:55
CVE-2014-2061 5.0
The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.
13-06-2016 - 19:35 17-10-2014 - 11:55
CVE-2014-2060 5.0
The Winstone servlet container in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack sessions via unspecified vectors.
13-06-2016 - 19:34 17-10-2014 - 11:55
CVE-2014-2058 6.5
BuildTrigger in Jenkins before 1.551 and LTS before 1.532.2 allows remote authenticated users to bypass access restrictions and execute arbitrary jobs by configuring a job to trigger another job. NOTE: this vulnerability exists because of an incomple
13-06-2016 - 19:32 17-10-2014 - 11:55
CVE-2013-7330 4.0
Jenkins before 1.502 allows remote authenticated users to configure an otherwise restricted project via vectors related to post-build actions.
13-06-2016 - 19:27 17-10-2014 - 11:55
CVE-2013-0331 4.0
Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to cause a denial of service via a crafted payload.
13-06-2016 - 19:25 19-03-2013 - 10:55
CVE-2013-0330 4.0
Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote authenticated users with write access to build arbitrary jobs via unknown attack vectors.
13-06-2016 - 19:24 19-03-2013 - 10:55
CVE-2013-0329 7.5
Unspecified vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to bypass the CSRF protection mechanism via unknown attack vectors.
13-06-2016 - 18:01 19-03-2013 - 10:55
CVE-2013-0328 4.3
Cross-site scripting (XSS) vulnerability in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
13-06-2016 - 11:47 19-03-2013 - 10:55
CVE-2013-0327 6.8
Cross-site request forgery (CSRF) vulnerability in Jenkins master in Jenkins before 1.502 and LTS before 1.480.3 allows remote attackers to hijack the authentication of users via unknown vectors.
13-06-2016 - 11:45 19-03-2013 - 10:55
CVE-2014-9402 7.8
The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive
10-06-2016 - 17:24 24-02-2015 - 10:59
CVE-2001-0780 5.0
Directory traversal vulnerability in cosmicpro.cgi in Cosmicperl Directory Pro 2.0 allows remote attackers to gain sensitive information via a .. (dot dot) in the SHOW parameter.
25-05-2016 - 13:38 18-10-2001 - 00:00
CVE-1999-1462 5.0
Vulnerability in bb-hist.sh CGI History module in Big Brother 1.09b and 1.09c allows remote attackers to read portions of arbitrary files.
25-05-2016 - 13:08 31-12-1999 - 00:00
CVE-2014-1610 6.0
MediaWiki 1.22.x before 1.22.2, 1.21.x before 1.21.5, and 1.19.x before 1.19.11, when DjVu or PDF file upload support is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the page parameter to includes/med
25-05-2016 - 11:01 30-01-2014 - 18:55
CVE-2014-7228 7.5
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through
09-05-2016 - 11:36 03-11-2014 - 17:55
CVE-2016-0710 7.5
Multiple SQL injection vulnerabilities in the User Manager service in Apache Jetspeed before 2.3.1 allow remote attackers to execute arbitrary SQL commands via the (1) role or (2) user parameter to services/usermanager/users/.
20-04-2016 - 14:24 11-04-2016 - 10:59
CVE-2014-1571 4.0
Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient,
07-04-2016 - 16:57 12-10-2014 - 21:55
CVE-2014-2242 4.3
includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting (XSS) attacks
04-04-2016 - 13:41 01-03-2014 - 23:57
CVE-2014-1517 4.0
The login form in Bugzilla 2.x, 3.x, 4.x before 4.4.3, and 4.5.x before 4.5.3 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arr
04-04-2016 - 13:41 19-04-2014 - 21:55
CVE-2014-3704 7.5
The expandArguments function in the database abstraction API in Drupal core 7.x before 7.32 does not properly construct prepared statements, which allows remote attackers to conduct SQL injection attacks via an array containing crafted keys.
31-03-2016 - 13:36 15-10-2014 - 20:55
CVE-2014-1869 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ZeroClipboard.swf in ZeroClipboard before 1.3.2, as maintained by Jon Rohan and James M. Greene, allow remote attackers to inject arbitrary web script or HTML via vectors related to certain SWF q
23-03-2016 - 10:55 07-02-2014 - 19:55
CVE-2015-8261 7.5
The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request.
08-01-2016 - 14:06 07-01-2016 - 21:59
CVE-2015-8565 7.5
Directory traversal vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via unknown vectors.
17-12-2015 - 12:30 16-12-2015 - 16:59
CVE-2015-8564 7.5
Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via directory traversal sequences in the XML install file in an extension package archive.
17-12-2015 - 12:30 16-12-2015 - 16:59
CVE-2015-8563 6.8
Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
17-12-2015 - 12:28 16-12-2015 - 16:59
CVE-2014-2238 6.5
SQL injection vulnerability in the manage configuration page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.16 allows remote authenticated administrators to execute arbitrary SQL commands via the filter_config_id parameter.
27-11-2015 - 12:17 05-03-2014 - 11:37
CVE-2014-5266 5.0
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption
25-11-2015 - 15:39 18-08-2014 - 07:15
CVE-2014-5265 5.0
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of
25-11-2015 - 15:38 18-08-2014 - 07:15
CVE-2014-7140 7.5
Unspecified vulnerability in the management interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.x before 10.1-129.11 and 10.5 before 10.5-50.10 allows remote attackers to execute arbitrary code via unknown vec
25-11-2015 - 15:35 21-10-2014 - 10:55
CVE-2011-0961 4.3
Cross-site scripting (XSS) vulnerability in cwhp/device.center.do in the Help servlet in Cisco CiscoWorks Common Services 3.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the device parameter, aka Bug ID CSCto12704.
24-11-2015 - 13:08 20-05-2011 - 18:55
CVE-2015-7859 5.0
The com_contenthistory component in Joomla! 3.2 before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.
30-10-2015 - 15:40 29-10-2015 - 16:59
CVE-2015-7899 5.0
The com_content component in Joomla! 3.x before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.
30-10-2015 - 15:37 29-10-2015 - 16:59
CVE-2015-7765 9.0
ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.
09-10-2015 - 13:42 09-10-2015 - 10:59
CVE-2013-7262 6.8
SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filte
08-10-2015 - 10:45 05-01-2014 - 15:55
CVE-2011-4048 4.3
The Dell KACE K2000 System Deployment Appliance has a default username and password for the read-only reporting account, which makes it easier for remote attackers to obtain sensitive information from the database by leveraging the default credential
02-10-2015 - 21:59 11-11-2011 - 19:55
CVE-2013-0140 7.9
SQL injection vulnerability in the Agent-Handler component in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to execute arbitrary SQL commands via a crafted request over the Agent-Server communication ch
29-09-2015 - 14:46 01-05-2013 - 08:00
CVE-2014-5242 4.3
Cross-site scripting (XSS) vulnerability in mediawiki.page.image.pagination.js in MediaWiki 1.22.x before 1.22.9 and 1.23.x before 1.23.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving the multipageimagenavbox cl
08-09-2015 - 13:55 22-08-2014 - 13:55
CVE-2014-2332 5.5
Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allows remote authenticated users to delete arbitrary files via a request to an unspecified link, related to "Insecure Direct Object References." NOTE: this can be exploited by remote attackers by lev
01-09-2015 - 13:27 31-08-2015 - 14:59
CVE-2014-2329 3.5
Multiple cross-site scripting (XSS) vulnerabilities in Check_MK before 1.2.2p3 and 1.2.3x before 1.2.3i5 allow remote authenticated users to inject arbitrary web script or HTML via the (1) agent string for a check_mk agent, a (2) crafted request to a
01-09-2015 - 10:55 31-08-2015 - 14:59
CVE-2014-3913 10.0
Stack-based buffer overflow in AccessServer32.exe in Ericom AccessNow Server allows remote attackers to execute arbitrary code via a request for a non-existent file.
31-08-2015 - 14:29 04-06-2014 - 10:55
CVE-2014-3828 10.0
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter
31-08-2015 - 14:25 22-10-2014 - 21:55
CVE-2014-8987 3.5
Cross-site scripting (XSS) vulnerability in the "set configuration" box in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via the config_opti
25-08-2015 - 15:36 24-08-2015 - 11:59
CVE-2014-2210 7.5
Multiple directory traversal vulnerabilities in CA ERwin Web Portal 9.5 allow remote attackers to obtain sensitive information, bypass intended access restrictions, cause a denial of service, or possibly execute arbitrary code via unspecified vectors
13-08-2015 - 14:25 04-04-2014 - 11:10
CVE-2014-2244 4.3
Cross-site scripting (XSS) vulnerability in the formatHTML function in includes/api/ApiFormatBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 allows remote attackers to inject arbitrary web script or HTM
07-08-2015 - 14:15 01-03-2014 - 23:57
CVE-2013-6028 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Atmail Webmail Server before 7.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add user accounts, (2) modify user accounts, (3) delete user ac
07-08-2015 - 13:40 12-01-2014 - 13:34
CVE-2014-3115 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in the web administration console in Fortinet FortiWeb before 5.2.0 allow remote attackers to hijack the authentication of administrators via system/config/adminadd and other unspecified vect
31-07-2015 - 21:37 08-05-2014 - 10:29
CVE-2014-2314 4.3
Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers to create arbitrary files via unspecified vectors.
29-07-2015 - 12:21 09-03-2014 - 09:16
CVE-2015-1560 7.5
SQL injection vulnerability in the isUserAdmin function in include/common/common-Func.php in Centreon (formerly Merethis Centreon) 2.5.4 and earlier allows remote attackers to execute arbitrary SQL commands via the sid parameter to include/common/Xml
14-07-2015 - 14:02 14-07-2015 - 12:59
CVE-2015-0779 10.0
Directory traversal vulnerability in UploadServlet in Novell ZENworks Configuration Management (ZCM) 10 and 11 before 11.3.2 allows remote attackers to execute arbitrary code via a crafted directory name in the uid parameter, in conjunction with a WA
08-06-2015 - 14:40 07-06-2015 - 19:59
CVE-2015-1397 6.5
SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the
11-05-2015 - 22:03 29-04-2015 - 18:59
CVE-2014-0116 5.8
CookieInterceptor in Apache Struts 2.x before 2.3.16.3, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a
16-04-2015 - 21:59 08-05-2014 - 06:55
CVE-2013-2184 7.5
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.
27-03-2015 - 13:43 27-03-2015 - 10:59
CVE-2014-9371 10.0
The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.
06-03-2015 - 22:30 16-12-2014 - 13:59
CVE-2014-8419 7.2
Wibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read and write access for all users) for codemeter.exe, which allows local users to gain privileges via a Trojan horse file.
24-02-2015 - 11:54 26-11-2014 - 10:59
CVE-2014-8272 5.0
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-f
05-02-2015 - 15:13 19-12-2014 - 06:59
CVE-2014-9331 6.8
Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to S
04-02-2015 - 12:29 04-02-2015 - 11:59
CVE-2014-9277 7.5
The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-d
06-01-2015 - 11:46 04-01-2015 - 16:59
CVE-2014-9276 5.1
Cross-site request forgery (CSRF) vulnerability in the Special:ExpandedTemplates page in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7, when $wgRawHTML is set to true, allows remote attackers to hijack the a
06-01-2015 - 09:16 04-01-2015 - 16:59
CVE-2014-9015 6.8
Drupal 6.x before 6.34 and 7.x before 7.34 allows remote attackers to hijack sessions via a crafted request, as demonstrated by a crafted request to a server that supports both HTTP and HTTPS sessions.
30-12-2014 - 16:12 24-11-2014 - 10:59
CVE-2014-9016 5.0
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.
30-12-2014 - 16:11 24-11-2014 - 10:59
CVE-2014-5217 6.8
Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.1 allows remote attackers to hijack the authentication of administrators for requests that change th
23-12-2014 - 14:10 23-12-2014 - 06:59
CVE-2014-5216 4.3
Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in a dev.Empty action to nps/servlet/webacc, (2) the e
23-12-2014 - 14:07 23-12-2014 - 06:59
CVE-2014-5215 4.0
NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated administrators to discover service-account passwords via a request to (1) roma/jsp/volsc/monitoring/dev_services.jsp or (2) roma/jsp/debug/debug.jsp.
23-12-2014 - 14:07 23-12-2014 - 06:59
CVE-2014-5214 4.0
nps/servlet/webacc in iManager in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated novlwww users to read arbitrary files via a query parameter containing an XML external entity declarati
23-12-2014 - 14:04 23-12-2014 - 06:59
CVE-2014-9279 5.0
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent
09-12-2014 - 13:26 08-12-2014 - 11:59
CVE-2014-5445 5.0
Multiple absolute path traversal vulnerabilities in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allow remote attackers or remote authenticated users to read arbitrary files via a full pathname in the schFilePath parameter to th
05-12-2014 - 08:50 04-12-2014 - 12:59
CVE-2014-5446 5.0
Directory traversal vulnerability in the DisplayChartPDF servlet in ZOHO ManageEngine Netflow Analyzer 8.6 through 10.2 and IT360 10.3 allows remote attackers and remote authenticated users to read arbitrary files via a .. (dot dot) in the filename p
05-12-2014 - 08:48 04-12-2014 - 12:59
CVE-2014-7867 7.5
SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to
05-12-2014 - 08:30 04-12-2014 - 12:59
CVE-2014-8580 4.9
Citrix NetScaler Application Delivery Controller and NetScaler Gateway 10.5.50.10 before 10.5-52.11, 10.1.122.17 before 10.1-129.11, and 10.1-120.1316.e before 10.1-129.1105.e, when using unspecified configurations, allows remote authenticated users
02-12-2014 - 22:03 07-11-2014 - 14:55
CVE-2014-6387 5.0
gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
23-10-2014 - 09:37 22-10-2014 - 10:55
CVE-2014-7982 4.3
Cross-site scripting (XSS) vulnerability in Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
09-10-2014 - 21:50 08-10-2014 - 15:55
CVE-2014-7984 7.5
Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via vectors involving GMail authentication.
09-10-2014 - 21:49 08-10-2014 - 15:55
CVE-2014-7229 5.0
Unspecified vulnerability in Joomla! before 2.5.4 before 2.5.26, 3.x before 3.2.6, and 3.3.x before 3.3.5 allows attackers to cause a denial of service via unspecified vectors.
09-10-2014 - 16:52 08-10-2014 - 15:55
CVE-2014-3092 5.0
IBM Jazz Team Server, as used in Rational Collaborative Lifecycle Management; Rational Quality Manager 3.x before 3.0.1.6 iFix 3, 4.x before 4.0.7, and 5.x before 5.0.1; and other Rational products, does not set the secure flag for the session cookie
12-09-2014 - 14:58 11-09-2014 - 21:55
CVE-2014-5377 5.0
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
08-09-2014 - 10:47 04-09-2014 - 13:55
CVE-2013-6398 2.8
The virtual router in Apache CloudStack before 4.2.1 does not preserve the source restrictions in firewall rules after being restarted, which allows remote attackers to bypass intended restrictions via a request.
04-09-2014 - 01:25 15-01-2014 - 11:08
CVE-2014-5350 5.0
Multiple directory traversal vulnerabilities in Bitdefender GravityZone before 5.1.11.432 allow remote attackers to read arbitrary files via a (1) .. (dot dot) in the id parameter to webservice/CORE/downloadFullKitEpc/a/1 in the Web Console or (2) %2
20-08-2014 - 13:55 19-08-2014 - 15:55
CVE-2014-4347 5.0
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Access Gateway Enterprise Edition) before 9.3-62.4 and 10.x before 10.1-126.12 allows attackers to obtain sensitive information via vectors related to a cookie.
01-08-2014 - 01:10 16-07-2014 - 10:19
CVE-2014-4346 4.3
Cross-site scripting (XSS) vulnerability in the administration user interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (formerly Access Gateway Enterprise Edition) 10.1 before 10.1-126.12 allows remote attackers to
01-08-2014 - 01:10 16-07-2014 - 10:19
CVE-2014-5022 4.3
Cross-site scripting (XSS) vulnerability in the Ajax system in Drupal 7.x before 7.29 allows remote attackers to inject arbitrary web script or HTML via vectors involving forms with an Ajax-enabled textfield and a file field.
22-07-2014 - 15:21 22-07-2014 - 10:55
CVE-2014-5021 2.1
Cross-site scripting (XSS) vulnerability in the Form API in Drupal 6.x before 6.32 and possibly 7.x before 7.29 allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via an option group lab
22-07-2014 - 15:10 22-07-2014 - 10:55
CVE-2014-5020 4.9
The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file
22-07-2014 - 15:03 22-07-2014 - 10:55
CVE-2014-5019 5.0
The multisite feature in Drupal 6.x before 6.32 and 7.x before 7.29 allows remote attackers to cause a denial of service via a crafted HTTP Host header, related to determining which configuration file to use.
22-07-2014 - 15:00 22-07-2014 - 10:55
CVE-2014-1955 4.3
Cross-site scripting (XSS) vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
18-07-2014 - 14:38 30-04-2014 - 10:22
CVE-2014-1956 5.0
CRLF injection vulnerability in FortiGuard FortiWeb before 5.0.3 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
18-07-2014 - 14:38 30-04-2014 - 10:22
CVE-2014-1957 6.5
FortiGuard FortiWeb before 5.0.3 allows remote authenticated users to gain privileges via unspecified vectors.
18-07-2014 - 14:32 30-04-2014 - 10:22
CVE-2013-6221 10.0
Directory traversal vulnerability in CommunicationServlet in HP Service Virtualization 3.x before 3.50.1, when the AutoPass license server is enabled, allows remote attackers to create arbitrary files and consequently execute arbitrary code via unspe
18-07-2014 - 01:18 18-06-2014 - 12:55
CVE-2014-2969 8.3
NETGEAR GS108PE Prosafe Plus switches with firmware 1.2.0.5 have a hardcoded password of debugpassword for the ntgruser account, which allows remote attackers to upload firmware or read or modify memory contents, and consequently execute arbitrary co
07-07-2014 - 15:14 07-07-2014 - 07:01
CVE-2014-2967 10.0
Autodesk VRED Professional 2014 before SR1 SP8 allows remote attackers to execute arbitrary code via Python os library calls in Python API commands to the integrated web server.
07-07-2014 - 15:10 07-07-2014 - 07:01
CVE-2014-2933 5.0
Directory traversal vulnerability in dirmng/index.php in Caldera 9.20 allows remote attackers to access arbitrary directories via a crafted pathname.
01-07-2014 - 13:56 08-05-2014 - 06:55
CVE-2013-7034 7.5
The setCookieValue function in _lib/functions.global.inc.php in LiveZilla before 5.1.2.1 allows remote attackers to execute arbitrary PHP code via a serialized PHP object in a cookie.
30-06-2014 - 18:05 05-05-2014 - 13:06
CVE-2013-7003 4.3
Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla before 5.1.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) full name field, (2) company field, or (3) filename to chat.php.
30-06-2014 - 14:33 05-05-2014 - 13:06
CVE-2013-6223 2.1
LiveZilla before 5.1.1.0 stores the admin Base64 encoded username and password in a 1click file, which allows local users to obtain access by reading the file.
24-06-2014 - 11:03 09-06-2014 - 15:55
CVE-2014-0220 4.0
Cloudera Manager before 4.8.3 and 5.x before 5.0.1 allows remote authenticated users to obtain sensitive configuration information via the API.
24-06-2014 - 10:45 10-06-2014 - 10:55
CVE-2014-0007 7.5
The Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the path parameter to tftp/fetch_boot_file.
23-06-2014 - 10:45 20-06-2014 - 10:55
CVE-2013-1818 5.0
maintenance/mwdoc-filter.php in MediaWiki before 1.20.3 allows remote attackers to read arbitrary files via unspecified vectors.
03-06-2014 - 08:44 02-06-2014 - 11:55
CVE-2012-5395 6.8
Session fixation vulnerability in the CentralAuth extension for MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the centralauth_Session cookie.
03-06-2014 - 08:09 02-06-2014 - 11:55
CVE-2012-5391 6.8
Session fixation vulnerability in Special:UserLogin in MediaWiki before 1.18.6, 1.19.x before 1.19.3, and 1.20.x before 1.20.1 allows remote attackers to hijack web sessions via the session_id.
03-06-2014 - 08:00 02-06-2014 - 11:55
CVE-2013-1883 5.0
Mantis Bug Tracker (aka MantisBT) 1.2.12 before 1.2.15 allows remote attackers to cause a denial of service (resource consumption) via a filter using a criteria, text search, and the "any condition" match type.
28-05-2014 - 12:11 27-05-2014 - 10:55
CVE-2014-3220 9.0
F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote authenticated users to change the password of arbitrary users via the name parameter in a request to the user's page in mgmt/shared/authz/users/.
23-05-2014 - 00:08 05-05-2014 - 13:06
CVE-2013-7033 4.3
LiveZilla before 5.1.2.1 includes the operator password in plaintext in JavaScript code that is generated by lz/mobile/chat.php, which might allow remote attackers to obtain sensitive information and gain privileges by accessing the loginName and log
20-05-2014 - 08:03 19-05-2014 - 10:55
CVE-2013-1810 2.1
Multiple cross-site scripting (XSS) vulnerabilities in core/summary_api.php in MantisBT 1.2.12 allow remote authenticated users with manager or administrator permissions to inject arbitrary web script or HTML via a (1) category name in the summary_pr
16-05-2014 - 08:51 15-05-2014 - 10:55
CVE-2013-0197 4.3
Cross-site scripting (XSS) vulnerability in the filter_draw_selection_area2 function in core/filter_api.php in MantisBT 1.2.12 before 1.2.13 allows remote attackers to inject arbitrary web script or HTML via the match_type parameter to bugs/search.ph
16-05-2014 - 08:44 15-05-2014 - 10:55
CVE-2014-2935 10.0
costview3/xmlrpc_server/xmlrpc.php in CostView in Caldera 9.20 allows remote attackers to execute arbitrary commands via shell metacharacters in a methodCall element in a PHP XMLRPC request.
16-05-2014 - 00:26 08-05-2014 - 06:55
CVE-2014-3454 6.8
Cross-site request forgery (CSRF) vulnerability in Special:CreateCategory in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to hijack the authentication of users for requ
13-05-2014 - 13:53 12-05-2014 - 10:55
CVE-2013-6472 5.0
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to obtain information about deleted pages via the (1) log API, (2) enhanced RecentChanges, and (3) user watchlists.
13-05-2014 - 10:43 12-05-2014 - 10:55
CVE-2013-6454 4.3
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via a -o-link attribute.
13-05-2014 - 10:21 12-05-2014 - 10:55
CVE-2013-6453 7.5
MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 does not properly sanitize SVG files, which allows remote attackers to have unspecified impact via invalid XML.
13-05-2014 - 10:01 12-05-2014 - 10:55
CVE-2013-6452 4.3
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via crafted XSL in an SVG file.
13-05-2014 - 09:36 12-05-2014 - 10:55
CVE-2013-4574 4.3
Cross-site scripting (XSS) vulnerability in the TimeMediaHandler extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to inject arbitrary web script or HTML via vectors related to videos.
12-05-2014 - 12:38 12-05-2014 - 10:55
CVE-2013-4571 7.5
Buffer overflow in php-luasandbox in the Scribunto extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 has unspecified impact and remote vectors.
12-05-2014 - 12:32 12-05-2014 - 10:55
CVE-2013-4570 5.0
The zend_inline_hash_func function in php-luasandbox in the Scribunto extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via v
12-05-2014 - 12:13 12-05-2014 - 10:55
CVE-2013-7032 4.3
Multiple cross-site scripting (XSS) vulnerabilities in the web based operator client in LiveZilla before 5.1.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) name of an uploaded file or (2) customer name in a resource cre
09-05-2014 - 23:59 14-02-2014 - 14:55
CVE-2013-0141 4.3
Directory traversal vulnerability in McAfee ePolicy Orchestrator (ePO) before 4.5.7 and 4.6.x before 4.6.6 allows remote attackers to upload arbitrary files via a crafted request over the Agent-Server communication channel, as demonstrated by writing
09-05-2014 - 23:49 01-05-2013 - 08:00
CVE-2013-6372 2.1
The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.
09-05-2014 - 10:24 08-05-2014 - 10:29
CVE-2014-2602 6.5
Unspecified vulnerability in HP OneView 1.0 and 1.01 allows remote authenticated users to gain privileges via unknown vectors.
08-05-2014 - 09:50 08-05-2014 - 06:55
CVE-2014-2601 7.8
The server in HP Integrated Lights-Out 2 (aka iLO 2) 2.23 and earlier allows remote attackers to cause a denial of service via crafted HTTPS traffic, as demonstrated by traffic from a CVE-2014-0160 vulnerability-assessment tool.
05-05-2014 - 01:34 24-04-2014 - 19:55
CVE-2014-2983 4.3
Drupal 6.x before 6.31 and 7.x before 7.27 does not properly isolate the cached data of different anonymous users, which allows remote anonymous users to obtain sensitive interim form input information in opportunistic situations via unspecified vect
24-04-2014 - 13:26 23-04-2014 - 11:55
CVE-2014-2665 4.0
includes/specials/SpecialChangePassword.php in MediaWiki before 1.19.14, 1.20.x and 1.21.x before 1.21.8, and 1.22.x before 1.22.5 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authe
24-04-2014 - 01:06 19-04-2014 - 21:55
CVE-2014-0053 5.0
The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 before 2.3.6 does not properly restrict access to files in the WEB-INF directory, which allows remote attackers to obtain sensitive information via a direct
22-04-2014 - 13:54 15-04-2014 - 19:55
CVE-2014-2857 5.0
The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 does not properly restrict access to files in the META-INF directory, which allows remote attackers to obtain sensitive information via a dire
22-04-2014 - 13:54 15-04-2014 - 19:55
CVE-2014-2858 5.0
Directory traversal vulnerability in the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 allows remote attackers to obtain sensitive information via unspecified vectors related to a "configured block." NOTE: this issue was
22-04-2014 - 13:53 15-04-2014 - 19:55
CVE-2013-1808 4.3
Cross-site scripting (XSS) vulnerability in ZeroClipboard.swf and ZeroClipboard10.swf in ZeroClipboard before 1.0.8, as used in em-shorty, RepRapCalculator, Fulcrum, Django, aCMS, and other products, allows remote attackers to inject arbitrary web sc
19-04-2014 - 00:34 01-04-2013 - 23:23
CVE-2014-0644 7.8
EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) i
17-04-2014 - 11:06 16-04-2014 - 21:55
CVE-2014-2874 10.0
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to execute arbitrary code via shell metacharacters in an unspecified context.
16-04-2014 - 10:47 15-04-2014 - 19:13
CVE-2014-2873 5.0
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not require authentication for access to log files, which allows remote attackers to obtain sensitive server information by using a predictable name in a request for a file.
16-04-2014 - 10:43 15-04-2014 - 19:13
CVE-2014-2872 5.0
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to obtain potentially sensitive information from a directory listing via unspecified vectors.
16-04-2014 - 10:41 15-04-2014 - 19:13
CVE-2014-2871 5.0
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on an HTTP session for entering credentials on login pages, which allows remote attackers to obtain sensitive information by sniffing the network.
16-04-2014 - 10:40 15-04-2014 - 19:13
CVE-2014-2870 5.0
The default configuration of PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 uses cleartext for storage of credentials in a database, which makes it easier for context-dependent attackers to obtain sensitive information via unspecified vectors
16-04-2014 - 10:38 15-04-2014 - 19:13
CVE-2014-2869 5.0
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to obtain sensitive information via requests to unspecified URIs, as demonstrated by pathname, SQL server, e-mail address, and IP address information.
16-04-2014 - 10:37 15-04-2014 - 19:13
CVE-2014-2868 7.5
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to modify the flow of execution of ColdFusion code by using an HTTP GET request to set a ColdFusion variable.
16-04-2014 - 10:35 15-04-2014 - 19:13
CVE-2014-2867 10.0
Unrestricted file upload vulnerability in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to execute arbitrary code by uploading a ColdFusion page, and then accessing it via unspecified vectors.
16-04-2014 - 10:26 15-04-2014 - 19:13
CVE-2014-2866 10.0
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on client JavaScript code for access restrictions, which allows remote attackers to perform unspecified operations by modifying this code.
16-04-2014 - 10:22 15-04-2014 - 19:13
CVE-2014-2865 7.5
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a '\0' character, as demonstrated by using this character within a pathname on the drive containing the web root directory of a
16-04-2014 - 10:20 15-04-2014 - 19:13
CVE-2014-2864 10.0
Multiple directory traversal vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to have an unspecified impact via a filename parameter containing directory traversal sequences.
16-04-2014 - 10:18 15-04-2014 - 19:13
CVE-2014-2863 10.0
Multiple absolute path traversal vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to have an unspecified impact via a full pathname in a parameter.
16-04-2014 - 10:16 15-04-2014 - 19:13
CVE-2014-2862 6.5
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not check authorization in unspecified situations, which allows remote authenticated users to perform actions via unknown vectors.
16-04-2014 - 10:14 15-04-2014 - 19:13
CVE-2014-2861 4.3
Incomplete blacklist vulnerability in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string, as demonstrated by bypassing a protection mechanism that removes
16-04-2014 - 10:08 15-04-2014 - 19:13
CVE-2014-2860 4.3
Multiple cross-site scripting (XSS) vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to inject arbitrary web script or HTML via a crafted HTTP request to a (1) ColdFusion or (2) JavaScript component.
16-04-2014 - 09:58 15-04-2014 - 19:13
CVE-2014-2859 7.5
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a direct request.
16-04-2014 - 09:58 15-04-2014 - 19:13
CVE-2013-5117 7.5
SQL injection vulnerability in the RSS page (DNNArticleRSS.aspx) in the ZLDNN DNNArticle module before 10.1 for DotNetNuke allows remote attackers to execute arbitrary SQL commands via the categoryid parameter.
13-03-2014 - 12:06 12-03-2014 - 10:55
CVE-2013-7335 4.3
Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
13-03-2014 - 11:56 12-03-2014 - 10:55
CVE-2013-4649 4.3
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote attackers to inject arbitrary web script or HTML via the __dnnVariable parameter to the default URI.
13-03-2014 - 11:29 12-03-2014 - 10:55
CVE-2013-3943 3.5
Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 6.2.9 and 7.x before 7.1.1 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the Display Name field in the Manage Profile.
13-03-2014 - 11:24 12-03-2014 - 10:55
CVE-2014-2321 10.0
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.
11-03-2014 - 12:22 11-03-2014 - 09:01
CVE-2013-6207 9.4
Unspecified vulnerability in the loadFileContents function in the SOAP implementation in HP SiteScope 10.1x, 11.1x, and 11.21 allows remote attackers to read arbitrary files or cause a denial of service via unknown vectors, aka ZDI-CAN-2084.
11-03-2014 - 10:25 11-03-2014 - 09:01
CVE-2013-6031 4.3
The Huawei E355 adapter with firmware 21.157.37.01.910 does not require authentication for API pages, which allows remote attackers to change passwords and settings, or obtain sensitive information, via a direct request to (1) api/wlan/security-setti
11-03-2014 - 10:11 11-03-2014 - 09:00
CVE-2014-2313 4.3
Directory traversal vulnerability in the Importers plugin in Atlassian JIRA before 6.0.5 allows remote attackers to create arbitrary files via unspecified vectors.
10-03-2014 - 12:38 09-03-2014 - 09:16
CVE-2013-0245 2.1
The printer friendly version functionality in the Book module in Drupal 6.x before 6.28 and 7.x before 7.19 does not properly restrict access to nodes that are part of a book outline, which allows remote authenticated users with the "access printer-fr
08-03-2014 - 00:02 16-07-2013 - 14:55
CVE-2013-0244 2.6
Cross-site scripting (XSS) vulnerability in Drupal 6.x before 6.28 and 7.x before 7.19, when running with older versions of jQuery that are vulnerable to CVE-2011-4969, allows remote attackers to inject arbitrary web script or HTML via vectors involv
08-03-2014 - 00:02 19-01-2014 - 12:16
CVE-2012-5652 5.0
Drupal 6.x before 6.27 allows remote attackers to obtain sensitive information about uploaded files via a (1) RSS feed or (2) search result.
08-03-2014 - 00:00 02-01-2013 - 20:55
CVE-2012-5651 5.0
Drupal 6.x before 6.27 and 7.x before 7.18 displays information for blocked users, which might allow remote attackers to obtain sensitive information by reading the search results.
08-03-2014 - 00:00 02-01-2013 - 20:55
CVE-2013-3242 5.5
plugins/system/remember/remember.php in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 does not properly handle an object obtained by unserializing a cookie, which allows remote authenticated users to conduct PHP object injection attacks and caus
07-03-2014 - 08:46 03-05-2013 - 07:57
CVE-2014-2243 5.8
includes/User.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 terminates validation of a user token upon encountering the first incorrect character, which makes it easier for remote attackers to obtain acces
03-03-2014 - 15:55 01-03-2014 - 23:57
CVE-2013-7288 4.3
Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs.
25-02-2014 - 09:47 10-01-2014 - 11:47
CVE-2013-7275 4.3
Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup.
25-02-2014 - 09:03 08-01-2014 - 10:29
CVE-2014-1476 4.0
The Taxonomy module in Drupal 7.x before 7.26, when upgraded from an earlier version of Drupal, does not properly restrict access to unpublished content, which allows remote authenticated users to obtain sensitive information via a listing page.
21-02-2014 - 00:06 24-01-2014 - 13:55
CVE-2014-1475 7.5
The OpenID module in Drupal 6.x before 6.30 and 7.x before 7.26 allows remote OpenID users to authenticate as other users via unspecified vectors.
21-02-2014 - 00:06 24-01-2014 - 13:55
CVE-2014-1671 6.5
Multiple SQL injection vulnerabilities in Dell KACE K1000 5.4.76847 and possibly earlier allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the macAddress element in a (1) getUploadPath or (2) getKBot SOAP requ
31-01-2014 - 01:08 25-01-2014 - 20:55
CVE-2013-7002 4.3
Cross-site scripting (XSS) vulnerability in mobile/php/translation/index.php in LiveZilla before 5.1.1.0 allows remote attackers to inject arbitrary web script or HTML via the g_language parameter.
31-01-2014 - 01:07 20-12-2013 - 19:55
CVE-2013-4304 7.5
The CentralAuth extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 caches a valid CentralAuthUser object in the centralauth_User cookie even when a user has not successfully logged in, which allows remote att
27-01-2014 - 13:09 26-01-2014 - 15:55
CVE-2013-7104 9.0
McAfee Email Gateway 7.6 allows remote authenticated administrators to execute arbitrary commands by specifying them in the value attribute in a (1) Command or (2) Script XML element. NOTE: this issue can be combined with CVE-2013-7092 to allow remo
17-01-2014 - 00:20 14-12-2013 - 12:21
CVE-2013-7103 9.0
McAfee Email Gateway 7.6 allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the value attribute in a (1) TestFile XML element or the (2) hostname. NOTE: this issue can be combined with CVE-2013-7092
17-01-2014 - 00:20 14-12-2013 - 12:21
CVE-2013-7092 6.5
Multiple SQL injection vulnerabilities in /admin/cgi-bin/rpc/doReport/18 in McAfee Email Gateway 7.6 allow remote authenticated users to execute arbitrary SQL commands via the (1) events_col, (2) event_id, (3) reason, (4) events_order, (5) emailstatu
17-01-2014 - 00:20 13-12-2013 - 13:07
CVE-2013-4835 7.5
The APISiteScopeImpl SOAP service in HP SiteScope 10.1x and 11.x before 11.22 allows remote attackers to bypass authentication and execute arbitrary code via a direct request to the issueSiebelCmd method, aka ZDI-CAN-1765.
17-01-2014 - 00:18 04-11-2013 - 11:55
CVE-2012-2686 5.0
crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.
17-01-2014 - 00:06 08-02-2013 - 14:55
CVE-2013-6386 6.8
Drupal 6.x before 6.29 and 7.x before 7.24 uses the PHP mt_rand function to generate random numbers, which uses predictable seeds and allows remote attackers to predict security strings and bypass intended restrictions via a brute force attack.
13-01-2014 - 23:28 07-12-2013 - 16:55
CVE-2013-6385 5.1
The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such
13-01-2014 - 23:28 07-12-2013 - 16:55
CVE-2013-5034 10.0
Unspecified vulnerability in Atmail before 6.6.4, and 7.x before 7.1.2, has unknown impact and attack vectors, a different vulnerability than CVE-2013-5031, CVE-2013-5032, and CVE-2013-5033.
13-01-2014 - 11:19 12-01-2014 - 13:34
CVE-2013-5033 10.0
Unspecified vulnerability in Atmail before 6.6.4, and 7.x before 7.1.2, has unknown impact and attack vectors, a different vulnerability than CVE-2013-5031, CVE-2013-5032, and CVE-2013-5034.
13-01-2014 - 11:18 12-01-2014 - 13:34
CVE-2013-5032 10.0
Unspecified vulnerability in Atmail before 6.6.4, and 7.x before 7.1.2, has unknown impact and attack vectors, a different vulnerability than CVE-2013-5031, CVE-2013-5033, and CVE-2013-5034.
13-01-2014 - 11:16 12-01-2014 - 13:34
CVE-2013-5031 10.0
Unspecified vulnerability in Atmail before 6.6.4, and 7.x before 7.1.2, has unknown impact and attack vectors, a different vulnerability than CVE-2013-5032, CVE-2013-5033, and CVE-2013-5034.
13-01-2014 - 11:14 12-01-2014 - 13:34
CVE-2013-4460 3.5
Cross-site scripting (XSS) vulnerability in account_sponsor_page.php in MantisBT 1.0.0 through 1.2.15 allows remote authenticated users to inject arbitrary web script or HTML via a project name.
10-01-2014 - 13:11 10-01-2014 - 10:55
CVE-2013-6389 5.8
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.24 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
03-01-2014 - 23:50 07-12-2013 - 16:55
CVE-2013-6388 4.3
Cross-site scripting (XSS) vulnerability in the Color module in Drupal 7.x before 7.24 allows remote attackers to inject arbitrary web script or HTML via vectors related to CSS.
03-01-2014 - 23:50 24-12-2013 - 15:55
CVE-2013-6387 2.1
Cross-site scripting (XSS) vulnerability in the Image module in Drupal 7.x before 7.24 allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the description field.
03-01-2014 - 23:50 24-12-2013 - 15:55
CVE-2013-5398 3.3
Unspecified vulnerability in the Webservice Axis Gateway in IBM Rational Focal Point 6.4 before devfix1, 6.4.1.3 before devfix1, 6.5.1 before devfix1, 6.5.2 before devfix4, 6.5.2.3 before devfix9, 6.6 before devfix5, 6.6.0.1 before devfix2, and 6.6.1
18-12-2013 - 13:39 18-12-2013 - 11:04
CVE-2013-5397 3.3
Unspecified vulnerability in the Webservice Axis Gateway in IBM Rational Focal Point 6.4 before devfix1, 6.4.1.3 before devfix1, 6.5.1 before devfix1, 6.5.2 before devfix4, 6.5.2.3 before devfix9, 6.6 before devfix5, 6.6.0.1 before devfix2, and 6.6.1
18-12-2013 - 13:38 18-12-2013 - 11:04
CVE-2013-4569 4.3
The CleanChanges extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3, when "Group changes by page in recent changes and watchlist" is enabled, allows remote attackers to obtain sensitive information (revision-deleted
16-12-2013 - 10:54 13-12-2013 - 13:07
CVE-2012-5394 6.8
Cross-site request forgery (CSRF) vulnerability in the CentralAuth extension for MediaWiki before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to hijack the authentication of users for requests that login via vectors
16-12-2013 - 10:24 13-12-2013 - 13:07
CVE-2013-2751 10.0
Eval injection vulnerability in frontview/lib/np_handler.pl in the FrontView web interface in NETGEAR ReadyNAS RAIDiator before 4.1.12 and 4.2.x before 4.2.24 allows remote attackers to execute arbitrary Perl code via a crafted request, related to th
13-12-2013 - 12:19 12-12-2013 - 13:55
CVE-2013-1080 10.0
The web server in Novell ZENworks Configuration Management (ZCM) 10.3 and 11.2 before 11.2.4 does not properly perform authentication for zenworks/jsp/index.jsp, which allows remote attackers to conduct directory traversal attacks, and consequently u
13-12-2013 - 00:12 29-03-2013 - 12:09
CVE-2013-0786 5.0
The Bugzilla::Search::build_subselect function in Bugzilla 2.x and 3.x before 3.6.13 and 3.7.x and 4.0.x before 4.0.10 generates different error messages for invalid product queries depending on whether a product exists, which allows remote attackers
13-12-2013 - 00:11 24-02-2013 - 06:48
CVE-2013-0785 4.3
Cross-site scripting (XSS) vulnerability in show_bug.cgi in Bugzilla before 3.6.13, 3.7.x and 4.0.x before 4.0.10, 4.1.x and 4.2.x before 4.2.5, and 4.3.x and 4.4.x before 4.4rc2 allows remote attackers to inject arbitrary web script or HTML via the
13-12-2013 - 00:11 24-02-2013 - 06:48
CVE-2012-6081 6.0
Multiple unrestricted file upload vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to execute arbitrary cod
13-12-2013 - 00:08 02-01-2013 - 20:55
CVE-2012-4199 4.3
template/en/default/bug/field-events.js.tmpl in Bugzilla 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 generates JavaScript function calls containing private product names or private
13-12-2013 - 00:04 16-11-2012 - 07:24
CVE-2012-4198 4.0
The User.get method in Bugzilla/WebService/User.pm in Bugzilla 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 has a different outcome for a groups request depending on whether a group exists, which allow
13-12-2013 - 00:04 16-11-2012 - 07:24
CVE-2012-4197 5.0
Bugzilla/Attachment.pm in attachment.cgi in Bugzilla 2.x and 3.x before 3.6.12, 3.7.x and 4.0.x before 4.0.9, 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1 allows remote attackers to read attachment descriptions from private bugs vi
13-12-2013 - 00:04 16-11-2012 - 07:24
CVE-2012-4189 4.3
Cross-site scripting (XSS) vulnerability in Bugzilla 4.1.x and 4.2.x before 4.2.4, and 4.3.x and 4.4.x before 4.4rc1, allows remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of
13-12-2013 - 00:04 16-11-2012 - 07:24
CVE-2012-3981 5.0
Auth/Verify/LDAP.pm in Bugzilla 2.x and 3.x before 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 does not restrict the characters in a username, which might allow remote attackers to inject data into an LD
13-12-2013 - 00:04 04-09-2012 - 07:04
CVE-2012-1969 4.3
The get_attachment_link function in Template.pm in Bugzilla 2.x and 3.x before 3.6.10, 3.7.x and 4.0.x before 4.0.7, 4.1.x and 4.2.x before 4.2.2, and 4.3.x before 4.3.2 does not check whether an attachment is private before presenting the attachment
12-12-2013 - 23:59 30-07-2012 - 09:55
CVE-2013-6224 4.3
Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla before 5.1.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) a name in the call administrator feature, (2) unspecified vectors to the admins visitor information
12-12-2013 - 10:00 10-12-2013 - 11:11
CVE-2013-4302 5.0
(1) ApiBlock.php, (2) ApiCreateAccount.php, (3) ApiLogin.php, (4) ApiMain.php, (5) ApiQueryDeletedrevs.php, (6) ApiTokens.php, and (7) ApiUnblock.php in includes/api/ in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 a
08-12-2013 - 01:00 26-10-2013 - 20:55
CVE-2013-4573 4.3
Cross-site scripting (XSS) vulnerability in the ZeroRatedMobileAccess extension for MediaWiki 1.19.x before 1.19.9, 1.20.x before 1.20.8, and 1.21.x before 1.21.3 allows remote attackers to inject arbitrary web script or HTML via the "to" parameter t
27-11-2013 - 11:30 25-11-2013 - 14:55
CVE-2013-6875 7.5
SQL injection vulnerability in functions/prepend_adm.php in Nagios Core Config Manager in Nagios XI before 2012R2.4 allows remote attackers to execute arbitrary SQL commands via the tfPassword parameter to nagiosql/index.php.
27-11-2013 - 09:58 26-11-2013 - 11:55
CVE-2013-3499 7.5
GroundWork Monitor Enterprise 6.7.0 performs authentication on the basis of the HTTP Referer header, which allows remote attackers to obtain administrative privileges or access files via a crafted header.
24-11-2013 - 23:34 08-05-2013 - 08:09
CVE-2013-1084 5.0
Directory traversal vulnerability in the GetFle method in the umaninv service in Novell ZENworks Configuration Management (ZCM) 11.2.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the Filename parameter in a GetFile action to
21-11-2013 - 13:32 02-11-2013 - 15:55
CVE-2013-2114 6.8
Unrestricted file upload vulnerability in the chunk upload API in MediaWiki 1.19 through 1.19.6 and 1.20.x before 1.20.6 allows remote attackers to execute arbitrary code by uploading a file with an executable extension.
21-11-2013 - 12:32 17-11-2013 - 21:55
CVE-2013-6826 6.8
cgi-bin/module//sysmanager/admin/SYSAdminUserDialog in Fortinet FortiAnalyzer before 5.0.5 does not properly validate the csrf_token parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks.
20-11-2013 - 12:10 20-11-2013 - 09:12
CVE-2013-4843 6.8
Unspecified vulnerability in HP Integrated Lights-Out 4 (iLO4) with firmware before 1.32 allows remote authenticated users to obtain sensitive information via unknown vectors.
19-11-2013 - 13:12 17-11-2013 - 22:55
CVE-2013-4842 4.3
Cross-site scripting (XSS) vulnerability in HP Integrated Lights-Out 4 (iLO4) with firmware before 1.32 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
19-11-2013 - 13:10 17-11-2013 - 22:55
CVE-2013-4055 3.5
Cross-site scripting (XSS) vulnerability in webadmin.nsf in Domino Web Administrator in IBM Domino 8.5 and 9.0 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-4
14-11-2013 - 14:58 07-11-2013 - 23:47
CVE-2013-4051 3.5
Cross-site scripting (XSS) vulnerability in webadmin.nsf in Domino Web Administrator in IBM Domino 8.5 and 9.0 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-4
08-11-2013 - 11:03 07-11-2013 - 23:47
CVE-2013-4050 6.0
Cross-site request forgery (CSRF) vulnerability in webadmin.nsf in Domino Web Administrator in IBM Domino 8.5 and 9.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.
08-11-2013 - 11:03 07-11-2013 - 23:47
CVE-2013-3336 5.0
Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors.
06-11-2013 - 23:39 09-05-2013 - 08:31
CVE-2013-5688 5.5
Multiple directory traversal vulnerabilities in index.php in AjaXplorer 5.0.2 and earlier allow remote authenticated users to read arbitrary files via a ../%00 (dot dot backslash encoded null byte) in the file parameter in a (1) download or (2) get_c
06-11-2013 - 13:55 05-11-2013 - 16:55
CVE-2013-6344 4.3
The ZCC page in Novell ZENworks Configuration Management (ZCM) before 11.2.4 allows attackers to conduct cross-frame scripting attacks via unknown vectors.
04-11-2013 - 19:04 02-11-2013 - 16:55
CVE-2013-6345 10.0
Unspecified vulnerability in the ZCC page in Novell ZENworks Configuration Management (ZCM) before 11.2.4 has unknown impact and attack vectors related to an "Application Exception."
04-11-2013 - 19:03 02-11-2013 - 16:55
CVE-2013-6346 6.8
Cross-site request forgery (CSRF) vulnerability in the ZCC page in Novell ZENworks Configuration Management (ZCM) before 11.2.4 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
04-11-2013 - 18:59 02-11-2013 - 16:55
CVE-2013-6347 6.8
Session fixation vulnerability in Novell ZENworks Configuration Management (ZCM) before 11.2.4 allows remote attackers to hijack web sessions via unspecified vectors.
04-11-2013 - 18:58 02-11-2013 - 16:55
CVE-2013-6349 8.5
McAfee Email Gateway (MEG) 7.0 before 7.0.4 and 7.5 before 7.5.1 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
04-11-2013 - 18:53 02-11-2013 - 17:55
CVE-2013-4301 5.0
includes/resourceloader/ResourceLoaderContext.php in MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to obtain sensitive information via a "<" (open angle bracket) character in the lang parameter
28-10-2013 - 14:43 26-10-2013 - 20:55
CVE-2013-1733 6.8
Cross-site request forgery (CSRF) vulnerability in process_bug.cgi in Bugzilla 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users for requests that modify bugs via vectors involving a midair-collision token.
24-10-2013 - 19:29 24-10-2013 - 06:53
CVE-2013-1742 4.3
Multiple cross-site scripting (XSS) vulnerabilities in editflagtypes.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via t
24-10-2013 - 19:29 24-10-2013 - 06:53
CVE-2013-1743 4.3
Multiple cross-site scripting (XSS) vulnerabilities in report.cgi in Bugzilla 4.1.x and 4.2.x before 4.2.7 and 4.3.x and 4.4.x before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled d
24-10-2013 - 19:28 24-10-2013 - 06:53
CVE-2013-1734 6.8
Cross-site request forgery (CSRF) vulnerability in attachment.cgi in Bugzilla 2.x, 3.x, and 4.0.x before 4.0.11; 4.1.x and 4.2.x before 4.2.7; and 4.3.x and 4.4.x before 4.4.1 allows remote attackers to hijack the authentication of arbitrary users fo
24-10-2013 - 12:35 24-10-2013 - 06:53
CVE-2013-6026 10.0
The web interface on D-Link DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers; Planex BRL-04R, BRL-04UR, and BRL-04CW routers; and Alpha Networks routers allows remote attackers to bypass authentication and modify
21-10-2013 - 12:40 19-10-2013 - 06:36
CVE-2013-4306 6.8
Cross-site request forgery (CSRF) vulnerability in api/ApiQueryCheckUser.php in the CheckUser extension for MediaWiki, possibly Checkuser before 2.3, allows remote attackers to hijack the authentication of arbitrary users for requests that "perform s
15-10-2013 - 10:27 11-10-2013 - 17:55
CVE-2013-4305 4.3
Cross-site scripting (XSS) vulnerability in contrib/example.php in the SyntaxHighlight GeSHi extension for MediaWiki, possibly as downloaded before September 2013, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
15-10-2013 - 10:23 11-10-2013 - 17:55
CVE-2010-5191 9.3
Multiple cross-site request forgery (CSRF) vulnerabilities on the Blue Coat ProxyAV appliance before 3.2.6.1 allow remote attackers to hijack the authentication of administrators for requests that (1) change a password, (2) modify a policy, or (3) re
11-10-2013 - 10:48 26-08-2012 - 15:55
CVE-2013-2240 7.5
lib/flowplayer.swf.php in Gallery 3 before 3.0.9 does not properly remove query fragments, which allows remote attackers to have an unspecified impact via a replay attack, a different vulnerability than CVE-2013-2138.
10-10-2013 - 16:27 09-10-2013 - 20:55
CVE-2013-2241 5.0
modules/gallery/helpers/data_rest.php in Gallery 3 before 3.0.9 allows remote attackers to bypass intended access restrictions and obtain sensitive information (image files) via the "full" string in the size parameter.
10-10-2013 - 16:26 09-10-2013 - 20:55
CVE-2013-3627 5.0
FrameworkService.exe in McAfee Framework Service in McAfee Managed Agent (MA) before 4.5.0.1927 and 4.6 before 4.6.0.3258 allows remote attackers to cause a denial of service (service crash) via a malformed HTTP request.
07-10-2013 - 13:11 05-10-2013 - 06:55
CVE-2012-1968 4.3
Bugzilla 4.1.x and 4.2.x before 4.2.2 and 4.3.x before 4.3.2 uses bug-editor privileges instead of bugmail-recipient privileges during construction of HTML bugmail documents, which allows remote attackers to obtain sensitive description information b
03-10-2013 - 14:50 30-07-2012 - 09:55
CVE-2002-1005 5.0
ArGoSoft Mail Server 1.8.1.7 and earlier allows a webmail user to cause a denial of service (CPU consumption) by forwarding the email to the user while autoresponse is enabled, which creates an infinite loop.
30-09-2013 - 21:22 04-10-2002 - 00:00
CVE-2013-4785 10.0
The web interface on the Dell iDRAC6 with firmware before 1.95 allows remote attackers to modify the CLP interface for arbitrary users and possibly have other impact via a request to an unspecified form that is accessible from testurls.html. NOTE: t
26-09-2013 - 23:47 08-07-2013 - 18:55
CVE-2010-2861 7.5
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/sett
23-09-2013 - 23:39 11-08-2010 - 14:47
CVE-2013-4308 4.3
Cross-site scripting (XSS) vulnerability in pages/TalkpageHistoryView.php in the LiquidThreads (LQT) extension 2.x and possibly 3.x for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allows remote attackers to inject a
13-09-2013 - 14:31 12-09-2013 - 09:31
CVE-2013-4307 4.3
Multiple cross-site scripting (XSS) vulnerabilities in repo/includes/EntityView.php in the Wikibase extension for MediaWiki 1.19.x before 1.19.8, 1.20.x before 1.20.7, and 1.21.x before 1.21.2 allow (1) remote attackers to inject arbitrary web script
13-09-2013 - 12:04 12-09-2013 - 09:30
CVE-2007-1819 9.3
Stack-based buffer overflow in the SPIDERLib.Loader ActiveX control (Spider90.ocx) 9.1.0.4353 in TestDirector (TD) for Mercury Quality Center 9.0 before Patch 12.1, and 8.2 SP1 before Patch 32, allows remote attackers to execute arbitrary code via a
06-09-2013 - 01:21 02-04-2007 - 19:19
CVE-2013-1435 7.5
(1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allow remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.
30-08-2013 - 02:38 23-08-2013 - 12:55
CVE-2006-0147 7.5
Dynamic code evaluation vulnerability in tests/tmssql.php test script in ADOdb for PHP before 4.70, as used in multiple products including (1) Mantis, (2) PostNuke, (3) Moodle, (4) Cacti, (5) Xaraya, (6) PhpOpenChat, possibly (7) MAXdev MD-Pro, and (
30-08-2013 - 00:52 09-01-2006 - 18:03
CVE-2004-2557 5.0
NetGear WG602 (aka WG602v1) Wireless Access Point 1.7.14 has a hardcoded account of username "superman" and password "21241036", which allows remote attackers to modify the configuration.
25-08-2013 - 00:37 31-12-2004 - 00:00
CVE-2013-4807 7.8
Unspecified vulnerability on the HP LaserJet Pro P1102w, P1606dn, M1212nf MFP, M1213nf MFP, M1214nfh MFP, M1216nfh MFP, M1217nfw MFP, M1218nfs MFP, and CP1025nw with firmware before 2013-07-26 20130703 allows remote attackers to modify data via unkno
22-08-2013 - 02:54 05-08-2013 - 09:22
CVE-2012-5523 5.5
core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing perm
22-08-2013 - 02:46 15-11-2012 - 19:55
CVE-2012-5522 5.5
MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a
22-08-2013 - 02:46 15-11-2012 - 19:55
CVE-2010-0288 7.5
A typo in the administrator permission check in the ACL Manager plugin (plugins/acl/ajax.php) in DokuWiki before 2009-12-25b allows remote attackers to gain privileges and access closed wikis by editing current ACL statements, as demonstrated in the
21-08-2013 - 23:27 15-02-2010 - 13:30
CVE-2013-5319 4.3
Cross-site scripting (XSS) vulnerability in secure/admin/user/views/deleteuserconfirm.jsp in the Admin Panel in Atlassian JIRA before 6.0.5 allows remote attackers to inject arbitrary web script or HTML via the name parameter to secure/admin/user/Del
21-08-2013 - 10:05 20-08-2013 - 10:55
CVE-2010-0696 5.0
Directory traversal vulnerability in includes/download.php in the JoomlaWorks AllVideos (Jw_allVideos) plugin 3.0 through 3.2 for Joomla! allows remote attackers to read arbitrary files via a ./../.../ (modified dot dot) in the file parameter.
21-08-2013 - 02:18 23-02-2010 - 13:30
CVE-2010-3313 7.5
phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows
18-08-2013 - 02:14 22-09-2010 - 15:00
CVE-2013-4879 7.5
SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php.
14-08-2013 - 13:53 14-08-2013 - 09:49
CVE-2011-0277 6.8
Cross-site request forgery (CSRF) vulnerability in HP Power Manager (HPPM) 4.3.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts.
03-08-2013 - 03:29 08-02-2011 - 20:00
CVE-2013-2367 10.0
Multiple unspecified vulnerabilities in HP SiteScope 11.20 and 11.21, when SOAP is used, allow remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1678.
31-07-2013 - 00:00 31-07-2013 - 09:20
CVE-2011-0049 5.0
Directory traversal vulnerability in the _list_file_get function in lib/Majordomo.pm in Majordomo 2 before 20110131 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the help command, as demonstrated using (1) a crafted em
25-07-2013 - 12:29 03-02-2011 - 20:00
CVE-2013-0246 4.3
The Image module in Drupal 7.x before 7.19, when a private file system is used, does not properly restrict access to derivative images, which allows remote attackers to read derivative images of otherwise restricted images via unspecified vectors.
16-07-2013 - 00:00 16-07-2013 - 14:55
CVE-2013-2352 9.4
LeftHand OS (aka SAN iQ) 10.5 and earlier on HP StoreVirtual Storage devices does not provide a mechanism for disabling the HP Support challenge-response root-login feature, which makes it easier for remote attackers to obtain administrative access b
11-07-2013 - 00:00 10-07-2013 - 18:55
CVE-2013-3925 5.8
Atlassian Crowd 2.5.x before 2.5.4, 2.6.x before 2.6.3, 2.3.8, and 2.4.9 allows remote attackers to read arbitrary files and send HTTP requests to intranet servers via a request to (1) /services/2 or (2) services/latest with a DTD containing an XML e
02-07-2013 - 00:00 01-07-2013 - 17:55
CVE-2013-4614 2.1
English/pages_MacUS/wls_set_content.html on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers shows the Wi-Fi PSK passphrase in cleartext, which allows physically proximate attackers to obtain sensitive informati
24-06-2013 - 18:30 21-06-2013 - 17:55
CVE-2013-4613 7.5
The default configuration of the administrative interface on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers does not require authentication, which allows remote attackers to modify the configuration by visitin
24-06-2013 - 18:28 21-06-2013 - 17:55
CVE-2013-2338 10.0
Unspecified vulnerability on HP Integrated Lights-Out 3 (aka iLO3) cards with firmware before 1.57 and 4 (aka iLO4) cards with firmware before 1.22, when Single-Sign-On (SSO) is used, allows remote attackers to execute arbitrary code via unknown vect
17-06-2013 - 00:00 14-06-2013 - 15:55
CVE-2012-6096 7.5
Multiple stack-based buffer overflows in the get_history function in history.cgi in Nagios Core before 3.4.4, and Icinga 1.6.x before 1.6.2, 1.7.x before 1.7.4, and 1.8.x before 1.8.4, might allow remote attackers to execute arbitrary code via a long
04-06-2013 - 23:40 22-01-2013 - 18:55
CVE-2013-0136 8.5
Multiple directory traversal vulnerabilities in the EditDocument servlet in the Frontend in Mutiny before 5.0-1.11 allow remote authenticated users to upload and execute arbitrary programs, read arbitrary files, or cause a denial of service (file del
03-06-2013 - 00:00 01-06-2013 - 10:21
CVE-2013-1389 10.0
Unspecified vulnerability in Adobe ColdFusion 9.0 before Update 11, 9.0.1 before Update 10, 9.0.2 before Update 5, and 10 before Update 10 allows remote attackers to execute arbitrary code via unknown vectors.
16-05-2013 - 09:56 16-05-2013 - 07:45
CVE-2013-1088 6.8
Cross-site request forgery (CSRF) vulnerability in Novell iManager 2.7 before SP6 Patch 1 allows remote attackers to hijack the authentication of arbitrary users by leveraging improper request validation by iManager code deployed within an Apache Tom
16-05-2013 - 00:00 24-04-2013 - 06:28
CVE-2010-0219 10.0
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by u
09-05-2013 - 23:14 18-10-2010 - 13:00
CVE-2013-3500 7.5
The Foundation webapp admin interface in GroundWork Monitor Enterprise 6.7.0 uses the nagios account as the owner of writable files under /usr/local/groundwork, which allows context-dependent attackers to bypass intended filesystem restrictions by le
08-05-2013 - 00:00 08-05-2013 - 08:09
CVE-2013-3268 10.0
Novell iManager 2.7 before SP6 Patch 1 does not refresh a token after a logout action, which has unspecified impact and remote attack vectors.
03-05-2013 - 23:24 24-04-2013 - 06:28
CVE-2013-3267 4.3
Cross-site scripting (XSS) vulnerability in the highlighter plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
03-05-2013 - 14:23 03-05-2013 - 07:57
CVE-2013-3059 4.3
Cross-site scripting (XSS) vulnerability in the Voting plugin in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
03-05-2013 - 14:19 03-05-2013 - 07:57
CVE-2013-3058 4.3
Cross-site scripting (XSS) vulnerability in Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
03-05-2013 - 00:00 03-05-2013 - 07:57
CVE-2013-3057 4.0
Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and list the privileges of arbitrary users via unspecified vectors.
03-05-2013 - 00:00 03-05-2013 - 07:57
CVE-2013-3056 4.0
Joomla! 2.5.x before 2.5.10 and 3.0.x before 3.0.4 allows remote authenticated users to bypass intended privilege requirements and delete the private messages of arbitrary users via unspecified vectors.
03-05-2013 - 00:00 03-05-2013 - 07:57
CVE-2012-5671 6.8
Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers t
18-04-2013 - 23:26 31-10-2012 - 12:55
CVE-2012-4596 4.3
Directory traversal vulnerability in McAfee Email Gateway (MEG) 7.0.0 and 7.0.1 allows remote authenticated users to bypass intended access restrictions and download arbitrary files via a crafted URL.
10-04-2013 - 23:31 22-08-2012 - 06:42
CVE-2012-6534 4.3
Novell Sentinel Log Manager before 1.2.0.3 allows remote attackers to create data retention policies via a crafted text/x-gwt-rpc request to novelllogmanager/datastorageservice.rpc, and allows remote authenticated Report Administrators to create data
04-04-2013 - 00:00 29-03-2013 - 12:08
CVE-2013-1083 10.0
Unspecified vulnerability in the login functionality in the Reporting Module in Novell Identity Manager (aka IDM) Roles Based Provisioning Module 4.0.2 before Field Patch C has unknown impact and attack vectors.
02-04-2013 - 00:00 29-03-2013 - 12:09
CVE-2012-0410 5.0
Directory traversal vulnerability in WebAccess in Novell GroupWise before 8.03 allows remote attackers to read arbitrary files via the User.interface parameter.
01-04-2013 - 23:14 05-07-2012 - 10:55
CVE-2013-0452 6.8
Cross-site request forgery (CSRF) vulnerability in the Software Use Analysis (SUA) application before 1.3.3 in IBM Tivoli Endpoint Manager 8.2 allows remote attackers to hijack the authentication of arbitrary users via a web site that contains crafte
29-03-2013 - 00:00 29-03-2013 - 12:08
CVE-2013-0316 5.0
The Image module in Drupal 7.x before 7.20 allows remote attackers to cause a denial of service (CPU and disk space consumption) via a large number of new derivative requests.
28-03-2013 - 00:00 27-03-2013 - 17:55
CVE-2013-1454 5.0
Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to "Coding errors."
26-03-2013 - 00:00 12-02-2013 - 20:55
CVE-2013-0453 3.5
Cross-site scripting (XSS) vulnerability in Web Reports in IBM Tivoli Endpoint Manager (TEM) before 8.2.1372 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
22-03-2013 - 00:00 21-03-2013 - 16:55
CVE-2013-2263 5.0
Unspecified vulnerability in Citrix Access Gateway Standard Edition 5.0.x before 5.0.4.223524 allows remote attackers to access network resources via unknown attack vectors.
21-03-2013 - 00:00 19-03-2013 - 10:55
CVE-2013-2560 7.8
Directory traversal vulnerability in the web interface on Foscam devices with firmware before 11.37.2.49 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI, as demonstrated by discovering (1) web credentials or (2) Wi-Fi cr
20-03-2013 - 00:00 15-03-2013 - 16:55
CVE-2013-1081 7.5
Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter.
18-03-2013 - 00:00 11-03-2013 - 17:55
CVE-2013-1453 7.5
plugins/system/highlight/highlight.php in Joomla! 3.0.x through 3.0.2 and 2.5.x through 2.5.8 allows attackers to unserialize arbitrary PHP objects to obtain sensitive information, delete arbitrary directories, conduct SQL injection attacks, and poss
06-03-2013 - 00:00 12-02-2013 - 20:55
CVE-2012-3001 8.5
Mutiny Standard before 4.5-1.12 allows remote attackers to execute arbitrary commands via the network-interface menu, related to a "command injection vulnerability."
01-03-2013 - 23:42 22-10-2012 - 12:55
CVE-2012-4933 7.8
The rtrlet web application in the Web Console in Novell ZENworks Asset Management (ZAM) 7.5 uses a hard-coded username of Ivanhoe and a hard-coded password of Scott for the (1) GetFile_Password and (2) GetConfigInfo_Password operations, which allows
13-02-2013 - 23:57 20-10-2012 - 14:55
CVE-2013-1455 5.0
Joomla! 3.0.x through 3.0.2 allows attackers to obtain sensitive information via unspecified vectors related to an "Undefined variable."
13-02-2013 - 13:01 12-02-2013 - 20:55
CVE-2012-1581 5.0
MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 uses weak random numbers for password reset tokens, which makes it easier for remote attackers to change the passwords of arbitrary users.
29-01-2013 - 23:49 09-09-2012 - 17:55
CVE-2012-1578 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allow remote attackers to hijack the authentication of users with the block permission for requests that (1) block a user via a requ
29-01-2013 - 23:48 09-09-2012 - 17:55
CVE-2013-0209 7.5
lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct eval injection and SQL injection attacks via crafted
29-01-2013 - 00:00 22-01-2013 - 20:55
CVE-2012-5967 6.5
SQL injection vulnerability in menuXML.php in Centreon 2.3.3 through 2.3.9-4 allows remote authenticated users to execute arbitrary SQL commands via the menu parameter.
29-01-2013 - 00:00 19-12-2012 - 06:55
CVE-2008-3498 7.5
SQL injection vulnerability in the nBill (com_netinvoice) component 1.2.0 SP1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the cid parameter in an orders action to index.php. NOTE: some of these details are obtained from
24-01-2013 - 00:00 06-08-2008 - 14:41
CVE-2012-5930 6.4
The pa_modify_accounts function in auth.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 does not require authentication for the modifyAccounts method, which allows remote attackers to change the passwords of administrative a
08-01-2013 - 00:00 24-12-2012 - 13:55
CVE-2012-6495 6.0
Multiple directory traversal vulnerabilities in the (1) twikidraw (action/twikidraw.py) and (2) anywikidraw (action/anywikidraw.py) actions in MoinMoin before 1.9.6 allow remote authenticated users with write permissions to overwrite arbitrary files
07-01-2013 - 00:00 02-01-2013 - 20:55
CVE-2012-6082 4.3
Cross-site scripting (XSS) vulnerability in the rsslink function in theme/__init__.py in MoinMoin 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the page name in a rss link.
07-01-2013 - 00:00 02-01-2013 - 20:55
CVE-2012-6080 6.4
Directory traversal vulnerability in the _do_attachment_move function in the AttachFile action (action/AttachFile.py) in MoinMoin 1.9.3 through 1.9.5 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a file name.
03-01-2013 - 00:00 02-01-2013 - 20:55
CVE-2009-1383 7.5
The getdirective function in mathtex.cgi in mathTeX, when downloaded before 20090713, allows remote attackers to execute arbitrary commands via shell metacharacters in the dpi tag.
03-01-2013 - 00:00 14-07-2009 - 16:30
CVE-2006-2356 5.0
NmConsole/utility/RenderMap.asp in Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allows remote attackers to obtain sensitive information about network nodes via a modified nDeviceGroupID parameter.
03-01-2013 - 00:00 15-05-2006 - 06:02
CVE-2012-4616 5.0
Directory traversal vulnerability in the Web UI in EMC Data Protection Advisor (DPA) 5.6 through SP1, 5.7 through SP1, and 5.8 through SP4 allows remote attackers to read arbitrary files via unspecified vectors.
27-12-2012 - 11:42 26-12-2012 - 15:55
CVE-2012-0130 5.0
HP Onboard Administrator (OA) before 3.50 allows remote attackers to obtain sensitive information via unspecified vectors.
05-12-2012 - 23:15 05-04-2012 - 09:25
CVE-2012-0129 7.6
HP Onboard Administrator (OA) before 3.50 allows remote attackers to bypass intended access restrictions and execute arbitrary code via unspecified vectors.
05-12-2012 - 23:15 05-04-2012 - 09:25
CVE-2012-0128 5.8
HP Onboard Administrator (OA) before 3.50 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
05-12-2012 - 23:15 05-04-2012 - 09:25
CVE-2006-5031 5.0
Directory traversal vulnerability in app/webroot/js/vendors.php in Cake Software Foundation CakePHP before 1.1.8.3544 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, followed by a filename ending with "%00" a
15-11-2012 - 00:00 27-09-2006 - 19:07
CVE-2010-1429 5.0
Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demon
05-11-2012 - 23:39 28-04-2010 - 18:30
CVE-2008-3273 5.0
JBoss Enterprise Application Platform (aka JBossEAP or EAP) before 4.2.0.CP03, and 4.3.0 before 4.3.0.CP01, allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by
05-11-2012 - 23:05 10-08-2008 - 16:41
CVE-2007-4261 7.5
EZPhotoSales 1.9.3 and earlier stores sensitive information under the web root with insufficient access control, which allows remote attackers to download (1) a file containing cleartext passwords via a direct request for OnlineViewing/data/galleries
05-11-2012 - 22:44 08-08-2007 - 19:17
CVE-2007-0246 6.8
plugins/scmcvs/www/cvsweb.php in the CVSWeb CGI in GForge 4.5.16 before 20070524, aka gforge-plugin-scmcvs, allows remote attackers to execute arbitrary commands via shell metacharacters in the PATH_INFO.
05-11-2012 - 22:30 29-05-2007 - 17:30
CVE-2007-3621 7.5
Multiple CRLF injection vulnerabilities in callboth.php in AsteriDex 3.0 and earlier allow remote attackers to inject arbitrary shell commands via the (1) IN and (2) OUT parameters.
30-10-2012 - 22:39 09-07-2007 - 12:30
CVE-2007-3183 6.8
Multiple SQL injection vulnerabilities in Calendarix 0.7.20070307, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) month and (2) year parameters to calendar.php and the (3) search string to cal_
30-10-2012 - 22:37 26-06-2007 - 13:30
CVE-2008-2076 7.5
Directory traversal vulnerability in admin.php in ActualScripts ActualAnalyzer Lite 2.78 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the style parameter.
29-10-2012 - 23:11 05-05-2008 - 12:20
CVE-2007-6672 5.0
Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass protection mechanisms and read the source of files via multiple '/' (slash) characters in the URI.
29-10-2012 - 23:04 08-01-2008 - 06:46
CVE-2005-1123 5.0
Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service (memory corruption) via a request for a zero byte file.
24-10-2012 - 11:15 02-05-2005 - 00:00
CVE-2007-3273 7.5
SQL injection vulnerability in index.cfm in FuseTalk 2.0 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party informat
24-10-2012 - 00:00 19-06-2007 - 17:30
CVE-2005-1122 7.5
Format string vulnerability in cgi.c for Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request containing double-encoded format string specifiers (aka "do
24-10-2012 - 00:00 14-04-2005 - 00:00
CVE-2011-4932 7.5
Eval injection vulnerability in ip_cms/modules/standard/content_management/actions.php in ImpressPages CMS 1.0.12 and possibly other versions before 1.0.13 allows remote attackers to execute arbitrary code via the cm_group parameter.
08-10-2012 - 00:00 06-10-2012 - 17:55
CVE-2010-5278 4.3
Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_ke
08-10-2012 - 00:00 07-10-2012 - 16:55
CVE-2012-0209 7.5
Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, w
26-09-2012 - 00:00 25-09-2012 - 18:55
CVE-2012-4885 5.0
The wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to cause a denial of service (infinite loop) via certain input, as demonstrated by the padleft function.
10-09-2012 - 14:27 09-09-2012 - 17:55
CVE-2012-1582 4.3
Cross-site scripting (XSS) vulnerability in the wikitext parser in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to inject arbitrary web script or HTML via a crafted page with "forged strip item markers," as demonstr
10-09-2012 - 13:18 09-09-2012 - 17:55
CVE-2012-1580 6.8
Cross-site request forgery (CSRF) vulnerability in Special:Upload in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload files.
10-09-2012 - 13:07 09-09-2012 - 17:55
CVE-2012-1579 5.0
The resource loader in MediaWiki 1.17.x before 1.17.3 and 1.18.x before 1.18.2 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information.
10-09-2012 - 13:02 09-09-2012 - 17:55
CVE-2012-4747 5.0
Bugzilla 2.x and 3.x through 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to rea
04-09-2012 - 00:00 04-09-2012 - 07:04
CVE-2012-0744 5.0
IBM Rational ClearQuest 7.1.x through 7.1.2.7 and 8.x through 8.0.0.3 allows remote attackers to obtain potentially sensitive information via a request to a (1) snoop, (2) hello, (3) ivt/, (4) hitcount, (5) HitCount.jsp, (6) HelloHTMLError.jsp, (7) H
20-08-2012 - 00:00 17-08-2012 - 16:55
CVE-2012-2395 7.5
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
21-07-2012 - 23:37 15-06-2012 - 20:55
CVE-2012-3240 7.5
The Walrus service in Eucalyptus 2.0.3 and 3.0.x before 3.0.2 allows remote attackers to gain administrator privileges via a crafted REST request.
18-07-2012 - 00:00 17-07-2012 - 17:55
CVE-2012-3399 7.5
Config/diff.php in Basilic 1.5.14 allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter.
16-07-2012 - 00:00 12-07-2012 - 15:55
CVE-2012-2041 4.3
CRLF injection vulnerability in the Component Browser in Adobe ColdFusion 8.0 through 9.0.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
13-06-2012 - 00:00 13-06-2012 - 00:46
CVE-2009-1418 4.3
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 3.0.1.73 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
23-03-2012 - 00:00 19-05-2009 - 15:30
CVE-2012-1195 7.5
Unrestricted file upload vulnerability in andesk/managementsuite/core/core.anonymous/ServerSetup.asmx in the ServerSetup web service in Lenovo ThinkManagement Console 9.0.3 allows remote attackers to execute arbitrary code by uploading a file with an
29-02-2012 - 00:00 17-02-2012 - 19:55
CVE-2010-4851 7.5
Multiple SQL injection vulnerabilities in Eclime 1.1.2b allow remote attackers to execute arbitrary SQL commands via the (1) ref or (2) poll_id parameter to index.php, or the (3) country parameter to create_account.php.
13-02-2012 - 23:02 27-09-2011 - 06:55
CVE-2009-3999 10.0
Stack-based buffer overflow in goform/formExportDataLogs in HP Power Manager before 4.2.10 allows remote attackers to execute arbitrary code via a long fileName parameter.
13-02-2012 - 22:49 20-01-2010 - 17:30
CVE-2012-0077 3.5
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 9.2.4, 10.0.2, 10.3.3, 10.3.4, and 10.3.5 allows remote authenticated users to affect integrity, related to WLS-Console.
30-01-2012 - 23:08 18-01-2012 - 17:55
CVE-2011-4057 5.0
Wibu-Systems AG CodeMeter Runtime 4.30c, 4.10b, and possibly other versions before 4.40 allows remote attackers to cause a denial of service (CodeMeter.exe crash) via certain crafted packets to TCP port 22350.
16-01-2012 - 00:00 13-01-2012 - 13:55
CVE-2011-4169 7.5
Unspecified vulnerability in HP Managed Printing Administration before 2.6.4 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors.
27-12-2011 - 10:28 26-12-2011 - 23:01
CVE-2011-4168 7.5
Directory traversal vulnerability in hpmpa/jobDelivery/Default.asp in HP Managed Printing Administration before 2.6.4 allows remote attackers to create arbitrary files via crafted form data.
27-12-2011 - 00:00 26-12-2011 - 23:01
CVE-2011-4167 7.5
Stack-based buffer overflow in MPAUploader.dll in HP Managed Printing Administration before 2.6.4 allows remote attackers to execute arbitrary code via a long filename parameter in an uploadfile action to Default.asp.
27-12-2011 - 00:00 26-12-2011 - 23:01
CVE-2011-4166 7.5
Directory traversal vulnerability in the MPAUploader.Uploader.1.UploadFiles method in HP Managed Printing Administration before 2.6.4 allows remote attackers to create arbitrary files via crafted form data.
27-12-2011 - 00:00 26-12-2011 - 23:01
CVE-2006-6048 6.8
SQL injection vulnerability in index.php in Etomite CMS 0.6.1.2, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
08-12-2011 - 00:00 21-11-2006 - 19:07
CVE-2011-4046 5.0
The Dell KACE K2000 System Deployment Appliance stores the recovery account password in cleartext within a PHP script, which allows context-dependent attackers to obtain sensitive information by examining script source code.
15-11-2011 - 00:00 11-11-2011 - 19:55
CVE-2011-4436 3.5
Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface on the Dell KACE K2000 System Deployment Appliance allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
14-11-2011 - 00:00 11-11-2011 - 19:55
CVE-2011-4047 9.3
The Dell KACE K2000 System Deployment Appliance allows remote attackers to execute arbitrary commands by leveraging database write access.
14-11-2011 - 00:00 11-11-2011 - 19:55
CVE-2008-1119 5.0
Directory traversal vulnerability in include/doc/get_image.php in Centreon 1.4.2.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter.
10-11-2011 - 00:00 03-03-2008 - 17:44
CVE-2007-6485 7.5
Multiple PHP remote file inclusion vulnerabilities in Centreon 1.4.1 (aka Oreon 1.4) allow remote attackers to execute arbitrary PHP code via a URL in the fileOreonConf parameter to (1) MakeXML.php or (2) MakeXML4statusCounter.php in include/monitori
10-11-2011 - 00:00 20-12-2007 - 15:46
CVE-2005-4320 5.0
Limbo CMS 1.0.4.2 and earlier allows remote attackers to obtain the installation path of the application via a direct request to (1) doc.inc.php, (2) element.inc.php, and (3) node.inc.php, which leaks the path in an error message.
07-10-2011 - 00:00 17-12-2005 - 06:03
CVE-2011-2738 10.0
Multiple unspecified vulnerabilities in Cisco Unified Service Monitor before 8.6, as used in Unified Operations Manager before 8.6 and CiscoWorks LAN Management Solution 3.x and 4.x before 4.1; and multiple EMC Ionix products including Application Co
06-10-2011 - 00:00 19-09-2011 - 08:02
CVE-2011-3011 5.0
BaseServiceImpl.class in CA ARCserve D2D r15 does not properly handle sessions, which allows remote attackers to obtain credentials, and consequently execute arbitrary commands, via unspecified vectors.
21-09-2011 - 23:32 15-08-2011 - 15:55
CVE-2011-2403 6.5
SQL injection vulnerability in HP Network Automation 7.2x, 7.5x, 7.6x, 9.0, and 9.10 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
21-09-2011 - 23:31 01-08-2011 - 15:55
CVE-2011-2402 4.3
Cross-site scripting (XSS) vulnerability in HP Network Automation 7.2x, 7.5x, 7.6x, 9.0, and 9.10 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
21-09-2011 - 23:31 01-08-2011 - 15:55
CVE-2011-1077 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
21-09-2011 - 23:29 02-06-2011 - 16:55
CVE-2011-1026 6.8
Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to hijack the authentication of administrators.
21-09-2011 - 23:29 02-06-2011 - 16:55
CVE-2011-0807 10.0
Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Admin
21-09-2011 - 23:28 19-04-2011 - 23:14
CVE-2011-0276 10.0
HP OpenView Performance Insight Server 5.2, 5.3, 5.31, 5.4, and 5.41 contains a "hidden account" in the com.trinagy.security.XMLUserManager Java class, which allows remote attackers to execute arbitrary code via the doPost method in the com.trinagy.s
21-09-2011 - 23:27 01-02-2011 - 20:00
CVE-2011-0063 5.0
The _list_file_get function in lib/Majordomo.pm in Majordomo 2 20110203 and earlier allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ./.../ sequence in the "extra" parameter to the help command, which caus
21-09-2011 - 23:27 15-03-2011 - 13:55
CVE-2009-0932 6.4
Directory traversal vulnerability in framework/Image/Image.php in Horde before 3.2.4 and 3.3.3 and Horde Groupware before 1.1.5 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the Horde_Image
21-09-2011 - 23:07 17-03-2009 - 17:30
CVE-2008-3922 9.3
awstatstotals.php in AWStats Totals 1.0 through 1.14 allows remote attackers to execute arbitrary code via PHP sequences in the sort parameter, which is used by the multisort function when dynamically creating an anonymous PHP function.
21-09-2011 - 22:58 04-09-2008 - 14:41
CVE-2008-6189 7.5
SQL injection vulnerability in GForge 4.5.19 allows remote attackers to execute arbitrary SQL commands via the offset parameter to (1) new/index.php, (2) news/index.php, and (3) top/topusers.php, which is not properly handled in database-pgsql.php.
21-09-2011 - 00:00 19-02-2009 - 13:30
CVE-2006-2351 4.3
Multiple cross-site scripting (XSS) vulnerabilities in IPswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allow remote attackers to inject arbitrary web script or HTML via the (1) sDeviceView or (2) nDeviceID parameter to (a) Nm
13-09-2011 - 00:00 15-05-2006 - 06:02
CVE-2006-5629 7.5
Multiple SQL injection vulnerabilities in Hosting Controller 6.1 before Hotfix 3.3 allow remote attackers to execute arbitrary SQL commands via the ForumID parameter in (1) DisableForum.asp and (2) enableForum.asp. NOTE: it was later reported that t
08-09-2011 - 00:00 31-10-2006 - 17:07
CVE-2006-2286 6.8
Multiple PHP remote file inclusion vulnerabilities in claro_init_global.inc.php in Dokeos 1.6.3 and earlier, and Dokeos community release 2.0.3, allow remote attackers to execute arbitrary PHP code via a URL in the (1) rootSys and (2) clarolineReposi
08-09-2011 - 00:00 09-05-2006 - 22:14
CVE-2006-1890 7.5
Multiple PHP remote file inclusion vulnerabilities in myWebland myEvent 1.2 allow remote attackers to execute arbitrary PHP code via a URL in the myevent_path parameter in (1) event.php and (2) initialize.php. NOTE: vector 2 was later reported to af
08-09-2011 - 00:00 20-04-2006 - 06:02
CVE-2005-4199 7.5
Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) sho
08-09-2011 - 00:00 13-12-2005 - 06:03
CVE-2006-2685 4.0
PHP remote file inclusion vulnerability in Basic Analysis and Security Engine (BASE) 1.2.4 and earlier, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via a URL in the BASE_path parameter to (1) base_qry_common.p
23-08-2011 - 00:00 31-05-2006 - 06:06
CVE-2006-4195 6.8
PHP remote file inclusion vulnerability in param.peoplebook.php in the Peoplebook Component for Mambo (com_peoplebook) 1.0 and earlier, and possibly 1.1.2, when register_globals and allow_url_fopen are enabled, allows remote attackers to execute arbi
22-08-2011 - 00:00 17-08-2006 - 17:04
CVE-2006-1781 7.5
PHP remote file inclusion vulnerability in functions.php in Circle R Monster Top List (MTL) 1.4 allows remote attackers to execute arbitrary PHP code via a URL in the root_path parameter. NOTE: It was later reported that 1.4.2 and earlier are affect
22-08-2011 - 00:00 13-04-2006 - 06:02
CVE-2006-3775 7.5
SQL injection vulnerability in the init function in class_session.php in MyBB (aka MyBulletinBoard) 1.1.5 allows remote attackers to execute arbitrary SQL commands via the CLIENT-IP HTTP header ($_SERVER['HTTP_CLIENT_IP'] variable), as utilized by in
08-08-2011 - 00:00 24-07-2006 - 08:19
CVE-2006-2416 5.1
SQL injection vulnerability in class2.php in e107 0.7.2 and earlier allows remote attackers to execute arbitrary SQL commands via a cookie as defined in $pref['cookie_name'].
08-08-2011 - 00:00 16-05-2006 - 06:02
CVE-2006-4785 7.5
SQL injection vulnerability in blog/edit.php in Moodle 1.6.1 and earlier allows remote attackers to execute arbitrary SQL commands via the format parameter as stored in the $blogEntry variable, which is not properly handled by the insert_record funct
05-08-2011 - 00:00 14-09-2006 - 06:07
CVE-2006-0959 7.5
SQL injection vulnerability in misc.php in MyBulletinBoard (MyBB) 1.03, when register_globals is enabled, allows remote attackers to execute arbitrary SQL commands by setting the comma variable value via the comma parameter in a cookie. NOTE: 1.04 h
05-08-2011 - 00:00 02-03-2006 - 18:02
CVE-2010-2826 9.0
SQL injection vulnerability in Cisco Wireless Control System (WCS) 6.0.x before 6.0.196.0 allows remote authenticated users to execute arbitrary SQL commands via vectors related to the ORDER BY clause of the Client List screens, aka Bug ID CSCtf37019
26-07-2011 - 00:00 17-08-2010 - 01:41
CVE-2009-4104 7.5
SQL injection vulnerability in Lyften Designs LyftenBloggie (com_lyftenbloggie) component 1.0.4 for Joomla! allows remote attackers to execute arbitrary SQL commands via the author parameter to index.php.
26-07-2011 - 00:00 29-11-2009 - 08:08
CVE-2011-2757 5.0
Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the FILENAME parameter. NOTE: this might overlap the US-CERT VU#543310
19-07-2011 - 00:00 17-07-2011 - 16:55
CVE-2011-2756 5.0
FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 does not require authentication, which allows remote attackers to read files from a specific directory via unspecified vectors.
19-07-2011 - 00:00 17-07-2011 - 16:55
CVE-2011-2755 5.0
Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 allows remote attackers to read arbitrary files via unspecified vectors.
19-07-2011 - 00:00 17-07-2011 - 16:55
CVE-2011-1264 4.3
Cross-site scripting (XSS) vulnerability in Active Directory Certificate Services Web Enrollment in Microsoft Windows Server 2003 SP2 and Server 2008 Gold, SP2, R2, and R2 SP1 allows remote attackers to inject arbitrary web script or HTML via an unsp
18-07-2011 - 22:44 16-06-2011 - 16:55
CVE-2010-2731 6.8
Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 on Windows XP SP3, when directory-based Basic Authentication is enabled, allows remote attackers to bypass intended access restrictions and execute ASP files via a crafted
18-07-2011 - 22:38 15-09-2010 - 15:00
CVE-2007-0626 7.6
The comment_form_add_preview function in comment.module in Drupal before 4.7.6, and 5.x before 5.1, and vbDrupal, allows remote attackers with "post comments" privileges and access to multiple input filters to execute arbitrary code by previewing com
13-07-2011 - 00:00 31-01-2007 - 13:28
CVE-2008-5517 7.5
The web interface in git (gitweb) 1.5.x before 1.5.6 allows remote attackers to execute arbitrary commands via shell metacharacters related to (1) git_snapshot and (2) git_object.
06-06-2011 - 00:00 13-01-2009 - 12:00
CVE-2008-5516 7.5
The web interface in git (gitweb) 1.5.x before 1.5.5 allows remote attackers to execute arbitrary commands via shell metacharacters related to git_search.
06-06-2011 - 00:00 20-01-2009 - 11:30
CVE-2011-1571 9.3
Unspecified vulnerability in the XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote attackers to execute arbitrary commands via unknown vectors.
31-05-2011 - 00:00 07-05-2011 - 15:55
CVE-2011-1570 3.5
Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to inject arbitrary web script or HTML via a message title, a different vulnerability
31-05-2011 - 00:00 07-05-2011 - 15:55
CVE-2011-1504 3.5
Cross-site scripting (XSS) vulnerability in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA allows remote authenticated users to inject arbitrary web script or HTML via a blog title.
31-05-2011 - 00:00 07-05-2011 - 15:55
CVE-2011-1503 3.5
The XSL Content portlet in Liferay Portal Community Edition (CE) 5.x and 6.x before 6.0.6 GA, when Apache Tomcat or Oracle GlassFish is used, allows remote authenticated users to read arbitrary (1) XSL and (2) XML files via a file:/// URL.
31-05-2011 - 00:00 07-05-2011 - 15:55
CVE-2011-1502 4.0
Liferay Portal Community Edition (CE) 6.x before 6.0.6 GA, when Apache Tomcat is used, allows remote authenticated users to read arbitrary files via an entity declaration in conjunction with an entity reference, related to an XML External Entity (aka
31-05-2011 - 00:00 07-05-2011 - 15:55
CVE-2011-0966 6.8
Directory traversal vulnerability in cwhp/auditLog.do in the Homepage Auditing component in Cisco CiscoWorks Common Services 3.3 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter, aka Bug ID CSCto355
24-05-2011 - 00:00 20-05-2011 - 18:55
CVE-2011-0962 4.3
Cross-site scripting (XSS) vulnerability in CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine in the Common Services Device Center in Cisco Unified Operations Manager (CUOM) before 8.6 allows remote attackers to inject arbitrary web script or HTML vi
24-05-2011 - 00:00 20-05-2011 - 18:55
CVE-2011-0960 7.5
Multiple SQL injection vulnerabilities in Cisco Unified Operations Manager (CUOM) before 8.6 allow remote attackers to execute arbitrary SQL commands via (1) the CCMs parameter to iptm/PRTestCreation.do or (2) the ccm parameter to iptm/TelePresenceRe
24-05-2011 - 00:00 20-05-2011 - 18:55
CVE-2011-0959 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified Operations Manager (CUOM) before 8.6 allow remote attackers to inject arbitrary web script or HTML via (1) the extn parameter to iptm/advancedfind.do, (2) the deviceInstanceName par
24-05-2011 - 00:00 20-05-2011 - 18:55
CVE-2006-5858 5.0
Adobe ColdFusion MX 7 through 7.0.2, and JRun 4, when run on Microsoft IIS, allows remote attackers to read arbitrary files, list directories, or read source code via a double URL-encoded NULL byte in a ColdFusion filename, such as a CFM file.
17-05-2011 - 00:00 31-12-2006 - 00:00
CVE-2006-1491 7.5
Eval injection vulnerability in Horde Application Framework versions 3.0 before 3.0.10 and 3.1 before 3.1.1 allows remote attackers to execute arbitrary code via the help viewer.
13-05-2011 - 00:00 29-03-2006 - 17:02
CVE-2009-4625 7.5
SQL injection vulnerability in the updateOnePage function in components/com_bfsurvey_pro/controller.php in BF Survey Pro Free (com_bfsurvey_profree) 1.2.4, and other versions before 1.2.6, a component for Joomla!, allows remote attackers to execute a
28-04-2011 - 00:00 18-01-2010 - 15:30
CVE-2009-4000 10.0
Directory traversal vulnerability in goform/formExportDataLogs in HP Power Manager before 4.2.10 allows remote attackers to overwrite arbitrary files, and execute arbitrary code, via directory traversal sequences in the fileName parameter.
28-04-2011 - 00:00 20-01-2010 - 17:30
CVE-2011-1715 5.0
Directory traversal vulnerability in framework/source/resource/qx/test/part/delay.php in QooxDoo 1.3 and possibly other versions, as used in eyeOS 2.2 and 2.3, and possibly other products allows remote attackers to read arbitrary files via ..%2f (enc
19-04-2011 - 00:00 18-04-2011 - 14:55
CVE-2008-1318 5.0
Unspecified vulnerability in MediaWiki 1.11 before 1.11.2 allows remote attackers to obtain sensitive "cross-site" information via the callback parameter in an API call for JavaScript Object Notation (JSON) formatted results.
18-04-2011 - 00:00 13-03-2008 - 10:44
CVE-2006-5872 7.5
login.pl in SQL-Ledger before 2.6.21 and LedgerSMB before 1.1.5 allows remote attackers to execute arbitrary Perl code via the "-e" flag in the script parameter, which is used as an argument to the perl program.
18-04-2011 - 00:00 17-12-2006 - 19:28
CVE-2011-0388 7.8
Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x do not properly restrict remote access to the Java servlet RMI interface, which allow
08-04-2011 - 23:32 25-02-2011 - 07:00
CVE-2011-0385 10.0
The administrative web interface on Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote attackers to create or overwrite ar
08-04-2011 - 23:32 25-02-2011 - 07:00
CVE-2011-0383 10.0
The Java Servlet framework on Cisco TelePresence Recording Server devices with software 1.6.x before 1.6.2 and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x does not require administrative authentica
08-04-2011 - 23:32 25-02-2011 - 07:00
CVE-2011-0379 7.9
Buffer overflow on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 1.6.x; Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x; Cisco TelePresence endpoint devices with software 1
08-04-2011 - 23:32 25-02-2011 - 07:00
CVE-2006-5045 6.8
Unspecified vulnerability in PollXT component (com_pollxt) 1.22.07 and earlier for Joomla! has unspecified impact and attack vectors, probably related to PHP remote file inclusion in the mosConfig_absolute_path to conf.pollxt.php.
08-04-2011 - 00:00 27-09-2006 - 19:07
CVE-2006-5048 6.8
Multiple PHP remote file inclusion vulnerabilities in Security Images (com_securityimages) component 3.0.5 and earlier for Joomla! allow remote attackers to execute arbitrary code via a URL in the mosConfig_absolute_path parameter in (1) configinsert
07-04-2011 - 00:00 27-09-2006 - 19:07
CVE-2011-0390 7.8
The XML-RPC implementation on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, 1.6.x, and 1.7.0 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka Bug ID CSCtj44534.
17-03-2011 - 22:56 25-02-2011 - 07:00
CVE-2011-0389 7.8
Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allow remote attackers to cause a denial of service (process crash) via a crafted Real-Time Transport Control Protocol (RTCP) UDP packet, aka Bug ID CSCt
17-03-2011 - 22:56 25-02-2011 - 07:00
CVE-2011-0387 8.0
The administrative web interface on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote authenticated users to cause a denial of service or have unspecified other impact via vectors involving
17-03-2011 - 22:56 25-02-2011 - 07:00
CVE-2011-0384 10.0
The Java Servlet framework on Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x does not require administrative authentication for unspecified actions, which allows remote attackers to execute arbitrary
17-03-2011 - 22:56 25-02-2011 - 07:00
CVE-2011-0453 5.0
F-Secure Internet Gatekeeper for Linux 3.x before 3.03 does not require authentication for reading access logs, which allows remote attackers to obtain potentially sensitive information via a TCP session on the admin UI port.
10-03-2011 - 22:50 18-02-2011 - 12:00
CVE-2006-6239 7.5
webadmin in MailEnable NetWebAdmin Professional 2.32 and Enterprise 2.32 allows remote attackers to authenticate using an empty password.
10-03-2011 - 00:00 03-12-2006 - 14:28
CVE-2009-0348 5.0
The login module in Sun Java System Access Manager 6 2005Q1 (aka 6.3), 7 2005Q4 (aka 7.0), and 7.1 responds differently to a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames
07-03-2011 - 22:18 29-01-2009 - 14:30
CVE-2008-5692 5.0
Ipswitch WS_FTP Server Manager before 6.1.1, and possibly other Ipswitch products, allows remote attackers to bypass authentication and read logs via a logLogout action to FTPLogServer/login.asp followed by a request to FTPLogServer/LogViewer.asp wit
07-03-2011 - 22:14 19-12-2008 - 13:30
CVE-2008-5642 5.0
Directory traversal vulnerability in admin/login.php in CMS Made Simple 1.4.1 allows remote attackers to read arbitrary files via a .. (dot dot) in a cms_language cookie.
07-03-2011 - 22:14 17-12-2008 - 12:30
CVE-2008-4620 7.5
SQL injection vulnerability in Meeting Room Booking System (MRBS) before 1.4 allows remote attackers to execute arbitrary SQL commands via the area parameter to (1) month.php, and possibly (2) day.php and (3) week.php.
07-03-2011 - 22:12 20-10-2008 - 21:18
CVE-2008-4485 4.3
Cross-site scripting (XSS) vulnerability in the ICAP patience page in Blue Coat Security Gateway OS (SGOS) 4.2 before 4.2.9, 5.2 before 5.2.5, and 5.3 before 5.3.1.7 allows remote attackers to inject arbitrary web script or HTML via the URL.
07-03-2011 - 22:12 07-10-2008 - 22:00
CVE-2008-3488 7.5
Unspecified vulnerability in Novell iManager before 2.7 SP1 (2.7.1) allows remote attackers to delete Plug-in Studio created Property Book Pages via unknown vectors.
07-03-2011 - 22:10 06-08-2008 - 13:41
CVE-2008-3166 9.3
PHP remote file inclusion vulnerability in modules/global/inc/content.inc.php in BoonEx Ray 3.5, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the sIncPath parameter.
07-03-2011 - 22:10 14-07-2008 - 19:41
CVE-2008-2512 5.0
Directory traversal vulnerability in Symantec Backup Exec System Recovery Manager 7.x before 7.0.4 and 8.x before 8.0.2 allows remote attackers to read arbitrary files via unspecified vectors.
07-03-2011 - 22:09 02-06-2008 - 17:30
CVE-2008-2384 7.5
SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql (aka libapache2-mod-auth-mysql) module for the Apache HTTP Server 2.x, when configured to use a multibyte character set that allows a \ (backslash) as part of the character encodin
07-03-2011 - 22:09 22-01-2009 - 13:30
CVE-2008-2271 7.5
The Site Documentation Drupal module 5.x before 5.x-1.8 and 6.x before 6.x-1.1 allows remote authenticated users to gain privileges of other users by leveraging the "access content" permission to list tables and obtain session IDs from the database.
07-03-2011 - 22:08 16-05-2008 - 08:54
CVE-2008-1357 5.4
Format string vulnerability in the logDetail function of applib.dll in McAfee Common Management Agent (CMA) 3.6.0.574 (Patch 3) and earlier, as used in ePolicy Orchestrator 4.0.0 build 1015, allows remote attackers to cause a denial of service (crash
07-03-2011 - 22:06 17-03-2008 - 13:44
CVE-2008-1322 7.8
The File Check Utility (fcheck.exe) in ASG-Sentry Network Manager 7.0.0 and earlier allows remote attackers to cause a denial of service (CPU consumption) or overwrite arbitrary files via a query string that specifies the -b option, probably due to a
07-03-2011 - 22:06 13-03-2008 - 10:44
CVE-2008-0850 7.5
Multiple SQL injection vulnerabilities in Dokeos 1.8.4 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to whoisonline.php, (2) tracking_list_coaches_column parameter to main/mySpace/index.php, (3) tutor_name paramete
07-03-2011 - 22:05 20-02-2008 - 19:44
CVE-2008-0785 7.5
Multiple SQL injection vulnerabilities in Cacti 0.8.7 before 0.8.7b and 0.8.6 before 0.8.6k allow remote authenticated users to execute arbitrary SQL commands via the (1) graph_list parameter to graph_view.php, (2) leaf_id and id parameters to tree.p
07-03-2011 - 22:05 14-02-2008 - 18:00
CVE-2008-0782 5.0
Directory traversal vulnerability in MoinMoin 1.5.8 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the MOIN_ID user ID in a cookie for a userform action. NOTE: this issue can be leveraged for PHP code executio
07-03-2011 - 22:05 14-02-2008 - 16:00
CVE-2008-0422 7.5
SQL injection vulnerability in mail.php in boastMachine (aka bMachine) 3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
07-03-2011 - 22:04 23-01-2008 - 17:00
CVE-2008-0396 7.8
Directory traversal vulnerability in BitDefender Update Server (http.exe), as used in BitDefender products including Security for Fileservers and Enterprise Manager (BDEM), allows remote attackers to read arbitrary files via .. (dot dot) sequences in
07-03-2011 - 22:04 23-01-2008 - 07:00
CVE-2007-6319 10.0
Multiple unspecified vulnerabilities in Lyris ListManager 8.x before 8.95d, 9.2 before 9.2c, and 9.3 before 9.3b allow remote attackers to (1) gain list administrator privileges or (2) access arbitrary mailing lists via unknown vectors related to mod
07-03-2011 - 22:02 19-02-2008 - 17:44
CVE-2007-5844 7.5
Directory traversal vulnerability in inc/includes.inc in GuppY 4.6.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the selskin parameter to index.php. NOTE: this can be leveraged for remote file inclusion
07-03-2011 - 22:01 06-11-2007 - 16:46
CVE-2007-5363 6.8
PHP remote file inclusion vulnerability in admin.panoramic.php in the Panoramic Picture Viewer (com_panoramic) mambot (plugin) 1.0 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter. NOTE
07-03-2011 - 22:00 10-10-2007 - 21:17
CVE-2007-5309 6.8
PHP remote file inclusion vulnerability in admin.wmtgallery.php in the webmaster-tips.net Flash Image Gallery (com_wmtgallery) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parame
07-03-2011 - 22:00 09-10-2007 - 17:17
CVE-2007-5056 6.8
Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequ
07-03-2011 - 22:00 24-09-2007 - 18:17
CVE-2007-4923 6.8
PHP remote file inclusion vulnerability in admin.joomlaradiov5.php in the Joomla Radio 5 (com_joomlaradiov5) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
07-03-2011 - 21:59 17-09-2007 - 13:17
CVE-2007-4718 5.1
Directory traversal vulnerability in inc/lib/language.lib.php in Claroline before 1.8.6 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
07-03-2011 - 21:59 05-09-2007 - 15:17
CVE-2007-4651 5.0
Unspecified vulnerability in Adobe Connect Enterprise Server 6 allows remote attackers to read certain pages that are restricted to the administrator via unknown vectors.
07-03-2011 - 21:58 11-09-2007 - 21:17
CVE-2007-4542 4.3
Multiple cross-site scripting (XSS) vulnerabilities in MapServer before 4.10.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the (1) processLine function in maptemplate.c and the (2) writeError functi
07-03-2011 - 21:58 27-08-2007 - 17:17
CVE-2007-4128 7.5
SQL injection vulnerability in index.php in the Firestorm Technologies GMaps (com_gmaps) 1.00 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the mapId parameter in a viewmap action.
07-03-2011 - 21:57 01-08-2007 - 12:17
CVE-2007-4053 7.5
SQL injection vulnerability in include/img_view.class.php in LinPHA 1.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the order parameter to new_images.php.
07-03-2011 - 21:57 30-07-2007 - 13:30
CVE-2007-3619 5.0
Directory traversal vulnerability in login.php in Maia Mailguard 1.0.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.
07-03-2011 - 21:56 09-07-2007 - 12:30
CVE-2007-3502 7.5
Unspecified vulnerability in the web-based product configuration system in Kaspersky Anti-Spam before 3.0 MP1 allows remote attackers to obtain access to certain directories.
07-03-2011 - 21:56 29-06-2007 - 21:30
CVE-2007-2426 7.5
PHP remote file inclusion vulnerability in myfunctions/mygallerybrowser.php in the myGallery 1.4b4 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the myPath parameter.
07-03-2011 - 21:54 01-05-2007 - 20:19
CVE-2007-2319 6.8
PHP remote file inclusion vulnerability in the AutoStand 1.1 and earlier module for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to mod_as_category.php in (1) modules/mod_as_category
07-03-2011 - 21:53 26-04-2007 - 17:19
CVE-2007-2144 6.8
PHP remote file inclusion vulnerability in includes/CAltInstaller.php in the JoomlaPack (com_jpack) 1.0.4a2 RE component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:53 19-04-2007 - 06:19
CVE-2007-2005 6.8
Multiple PHP remote file inclusion vulnerabilities in the Taskhopper 1.1 component for Mambo and Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter to (1) contact_type.php, (2) itemstatus_t
07-03-2011 - 21:53 12-04-2007 - 15:19
CVE-2007-1703 7.5
SQL injection vulnerability in index.php in the RWCards (com_rwcards) 2.4.3 and earlier component for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter.
07-03-2011 - 21:52 26-03-2007 - 21:19
CVE-2007-1702 6.8
PHP remote file inclusion vulnerability in mod_flatmenu.php in the Flatmenu 1.07 and earlier Mambo module allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:52 26-03-2007 - 21:19
CVE-2007-1035 7.5
Unspecified vulnerability in certain demonstration scripts in getID3 1.7.1, as used in the Mediafield and Audio modules for Drupal, allows remote attackers to read and delete arbitrary files, list arbitrary directories, and write to empty files or .m
07-03-2011 - 21:51 21-02-2007 - 06:28
CVE-2007-0979 5.0
Unspecified vulnerability in LifeType before 1.1.6, and 1.2 before 1.2-beta2, allows remote attackers to obtain sensitive information (file contents) via a "crafted URL."
07-03-2011 - 21:51 15-02-2007 - 20:28
CVE-2007-0845 7.5
admin/index.php in Advanced Poll 2.0.0 through 2.0.5-dev allows remote attackers to bypass authentication and gain administrator privileges by obtaining a valid session identifier and setting the uid parameter to 1.
07-03-2011 - 21:50 08-02-2007 - 13:28
CVE-2007-0774 7.5
Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitr
07-03-2011 - 21:50 04-03-2007 - 17:19
CVE-2007-0676 6.8
SQL injection vulnerability in faq.php in ExoPHPDesk 1.2.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
07-03-2011 - 21:50 02-02-2007 - 20:28
CVE-2007-0658 5.0
The (1) Textimage 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal and the (2) Captcha 4.7.x before 4.7-1.2 and 5.x before 5.x-1.1 module for Drupal allow remote attackers to bypass the CAPTCHA test via an empty captcha element in $_SESS
07-03-2011 - 21:50 01-02-2007 - 17:28
CVE-2007-0652 5.1
Cross-site request forgery (CSRF) vulnerability in MailEnable Professional before 2.37 allows remote attackers to modify arbitrary configurations and perform unauthorized actions as arbitrary users via a link or IMG tag.
07-03-2011 - 21:50 15-02-2007 - 18:28
CVE-2007-0651 4.3
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Professional before 2.37 allow remote attackers to inject arbitrary Javascript script via (1) e-mail messages and (2) the ID parameter to (a) right.asp, (b) Forms/MAI/list.asp, and (c)
07-03-2011 - 21:50 15-02-2007 - 18:28
CVE-2007-0609 5.1
Directory traversal vulnerability in Advanced Guestbook 2.4.2 allows remote attackers to bypass .htaccess settings, and execute arbitrary PHP local files or read arbitrary local templates, via a .. (dot dot) in a lang cookie, followed by a filename w
07-03-2011 - 21:50 09-05-2007 - 13:19
CVE-2007-0388 7.5
SQL injection vulnerability in search.php in Woltlab Burning Board (wBB) 1.0.2 and earlier, and 2.3.6 and earlier in the 2.x series, allows remote attackers to execute arbitrary SQL commands via the boardids[1] and other boardids[] parameters.
07-03-2011 - 21:49 19-01-2007 - 18:28
CVE-2007-0347 4.3
The is_eow function in format.c in CVSTrac before 2.0.1 does not properly check for the "'" (quote) character, which allows remote authenticated users to execute limited SQL injection attacks and cause a denial of service (database error) via a ' cha
07-03-2011 - 21:49 29-01-2007 - 15:28
CVE-2006-7071 7.5
SQL injection vulnerability in classes/class_session.php in Invision Power Board (IPB) 2.1 up to 2.1.6 allows remote attackers to execute arbitrary SQL commands via the CLIENT_IP parameter.
07-03-2011 - 21:47 02-03-2007 - 16:18
CVE-2006-6962 6.8
PHP remote file inclusion vulnerability in rsgallery2.html.php in the RS Gallery2 component (com_rsgallery2) 1.11.2 for Joomla! allows attackers to execute arbitrary PHP code via the mosConfig_absolute_path parameter. NOTE: this issue may overlap CV
07-03-2011 - 21:47 29-01-2007 - 11:28
CVE-2006-6812 7.5
Multiple PHP remote file inclusion vulnerabilities in myPHPCalendar 10.1 allow remote attackers to execute arbitrary PHP code via a URL in the cal_dir parameter to (1) admin.php, (2) contacts.php, or (3) convert-date.php.
07-03-2011 - 21:47 29-12-2006 - 06:28
CVE-2006-6799 7.5
SQL injection vulnerability in Cacti 0.8.6i and earlier, when register_argc_argv is enabled, allows remote attackers to execute arbitrary SQL commands via the (1) second or (2) third arguments to cmd.php. NOTE: this issue can be leveraged to execute
07-03-2011 - 21:47 28-12-2006 - 16:28
CVE-2006-6795 7.5
PHP remote file inclusion vulnerability in gallery/displayCategory.php in the My_eGallery 2.5.6 module in myPHPNuke (MPN) allows remote attackers to execute arbitrary PHP code via a URL in the basepath parameter.
07-03-2011 - 21:46 27-12-2006 - 19:28
CVE-2006-6770 6.8
Multiple PHP remote file inclusion vulnerabilities in Jinzora Media Jukebox 2.7 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter in (1) popup.php, (2) rss.php,
07-03-2011 - 21:46 27-12-2006 - 18:28
CVE-2006-6701 7.5
Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51, and util.php in 5.x before 5.03, allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a set
07-03-2011 - 21:46 22-12-2006 - 20:28
CVE-2006-6419 7.5
jce.php in the JCE Admin Component in Ryan Demmer Joomla Content Editor (JCE) 1.1.0 beta 2 and earlier for Joomla! (com_jce) allows remote attackers to include and possibly execute arbitrary local files via the (1) plugin or (2) file parameter. NOTE
07-03-2011 - 21:45 10-12-2006 - 06:28
CVE-2006-6365 7.5
SQL injection vulnerability in detail.asp in DUware DUpaypal 3.1, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the iType parameter. NOTE: the iState parameter is already covered by CVE-2005-3976 and the iPro pa
07-03-2011 - 21:45 07-12-2006 - 06:28
CVE-2006-6354 7.5
Multiple SQL injection vulnerabilities in detail.asp in DuWare DuNews allow remote attackers to execute arbitrary SQL commands via the (1) iNews, (2) iType, or (3) Action parameter. NOTE: the iType parameter in type.asp is covered by CVE-2005-3976.
07-03-2011 - 21:45 06-12-2006 - 20:28
CVE-2006-6343 6.8
SQL injection vulnerability in polls.php in Neocrome Seditio 1.10 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
07-03-2011 - 21:45 06-12-2006 - 20:28
CVE-2006-6318 5.0
The show_elog_list function in elogd.c in elog 2.6.2 and earlier allows remote authenticated users to cause a denial of service (daemon crash) by attempting to access a logbook whose name begins with "global," which results in a NULL pointer derefere
07-03-2011 - 21:45 28-12-2006 - 15:28
CVE-2006-6237 7.5
SQL injection vulnerability in the decode_cookie function in thread.php in Woltlab Burning Board Lite 1.0.2 allows remote attackers to execute arbitrary SQL commands via the threadvisit Cookie parameter.
07-03-2011 - 21:45 03-12-2006 - 14:28
CVE-2006-6225 5.1
Multiple PHP remote file inclusion vulnerabilities in GeekLog 1.4 allow remote attackers to execute arbitrary code via a URL in the _CONF[path] parameter to (1) links/functions.inc, (2) polls/functions.inc, (3) spamx/BlackList.Examine.class.php, (4)
07-03-2011 - 21:45 01-12-2006 - 21:28
CVE-2006-6104 5.0
The System.Web class in the XSP for ASP.NET server 1.1 through 2.0 in Mono does not properly verify local pathnames, which allows remote attackers to (1) read source code by appending a space (%20) to a URI, and (2) read credentials via a request for
07-03-2011 - 21:45 21-12-2006 - 14:28
CVE-2006-5786 7.5
Directory traversal vulnerability in class2.php in e107 0.7.5 and earlier allows remote attackers to read and execute PHP code in arbitrary files via ".." sequences in the e107language_e107cookie cookie to gsitemap.php.
07-03-2011 - 21:43 07-11-2006 - 18:07
CVE-2006-5730 5.1
PHP remote file inclusion vulnerability in manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php in Modx CMS 0.9.2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the base_path parameter. NOTE: it is poss
07-03-2011 - 21:43 06-11-2006 - 13:07
CVE-2006-5673 6.8
PHP remote file inclusion vulnerability in bb_func_txt.php in miniBB 2.0.2 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the pathToFiles parameter.
07-03-2011 - 21:43 02-11-2006 - 20:07
CVE-2006-5519 6.8
PHP remote file inclusion vulnerability in Savant2/Savant2_Plugin_options.php in the MambWeather 1.8.1 and earlier component for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:43 26-10-2006 - 12:07
CVE-2006-5449 6.5
procmail in Ingo H3 before 1.1.2 Horde module allows remote authenticated users to execute arbitrary commands via shell metacharacters in the mailbox destination of a filter rule.
07-03-2011 - 21:43 23-10-2006 - 13:07
CVE-2006-5428 5.0
rpc.php in Cerberus Helpdesk 3.2.1 does not verify a client's privileges for a display_get_requesters operation, which allows remote attackers to bypass the GUI login and obtain sensitive information (ticket data) via a direct request.
07-03-2011 - 21:43 20-10-2006 - 13:07
CVE-2006-5274 7.6
Integer overflow in McAfee ePolicy Orchestrator 3.5 through 3.6.1, ProtectionPilot 1.1.1 and 1.5, and Common Management Agent (CMA) 3.5.5.438 allows remote attackers to cause a denial of service (CMA Framework service crash) and possibly execute arbi
07-03-2011 - 21:42 11-07-2007 - 20:30
CVE-2006-5273 7.6
Heap-based buffer overflow in McAfee ePolicy Orchestrator 3.5 through 3.6.1, ProtectionPilot 1.1.1 and 1.5, and Common Management Agent (CMA) 3.5.5.438 through 3.6.0.453 allows remote attackers to execute arbitrary code via a crafted packet.
07-03-2011 - 21:42 11-07-2007 - 20:30
CVE-2006-5272 7.5
Stack-based buffer overflow in McAfee ePolicy Orchestrator 3.5 through 3.6.1, ProtectionPilot 1.1.1 and 1.5, and Common Management Agent (CMA) 3.6.0.453 and earlier allows remote attackers to execute arbitrary code via a crafted ping packet.
07-03-2011 - 21:42 11-07-2007 - 20:30
CVE-2006-5271 7.6
Integer underflow in McAfee ePolicy Orchestrator 3.5 through 3.6.1, ProtectionPilot 1.1.1 and 1.5, and Common Management Agent (CMA) 3.6.0.453 and earlier allows remote attackers to execute arbitrary code via a crafted UDP packet, which causes stack
07-03-2011 - 21:42 11-07-2007 - 20:30
CVE-2006-5210 5.0
Directory traversal vulnerability in IronWebMail before 6.1.1 HotFix-17 allows remote attackers to read arbitrary files via a GET request to the IM_FILE identifier with double-url-encoded "../" sequences ("%252e%252e/").
07-03-2011 - 21:42 16-10-2006 - 19:07
CVE-2006-5200 5.0
Unspecified vulnerability in Adobe Breeze 5 Licensed Server and Breeze 5.1 Licensed Server allows attackers to read arbitrary files via unknown vectors related to "URL parsing."
07-03-2011 - 21:42 10-10-2006 - 18:07
CVE-2006-5185 7.5
Eval injection vulnerability in Template.php in HAMweather 3.9.8.4 and earlier allows remote attackers to execute arbitrary code via a modified query string, which is supplied to an eval function call within the do_parse_code function.
07-03-2011 - 21:42 10-10-2006 - 00:06
CVE-2006-5099 7.5
lib/exec/fetch.php in DokuWiki before 2006-03-09e, when conf[imconvert] is configured to use ImageMagick, allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) w and (2) h parameters, which are not filtered when in
07-03-2011 - 21:42 29-09-2006 - 19:07
CVE-2006-5098 5.0
lib/exec/fetch.php in DokuWiki before 2006-03-09e allows remote attackers to cause a denial of service (CPU consumption) via large w and h parameters, when resizing an image.
07-03-2011 - 21:42 29-09-2006 - 19:07
CVE-2006-4963 6.4
Directory traversal vulnerability in index.php in Exponent CMS 0.96.3 allows remote attackers to read and execute arbitrary local files via a .. (dot dot) sequence in the view parameter in the show_view action in the calendarmodule module, as demonst
07-03-2011 - 21:42 23-09-2006 - 06:07
CVE-2006-4957 7.5
SQL injection vulnerability in the GetMember function in functions.php in MyReview 1.9.4 allows remote attackers to execute arbitrary SQL commands via the email parameter to Admin.php.
07-03-2011 - 21:42 23-09-2006 - 06:07
CVE-2006-4859 7.5
Unrestricted file upload vulnerability in contact.html.php in the Contact (com_contact) component in Limbo (aka Lite Mambo) CMS 1.0.4.2L and earlier allows remote attackers to upload PHP code to the images/contact folder via a filename with a double
07-03-2011 - 21:42 19-09-2006 - 14:07
CVE-2006-4858 6.8
PHP remote file inclusion vulnerability in install.serverstat.php in the Serverstat (com_serverstat) 0.4.4 and earlier component for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:42 19-09-2006 - 14:07
CVE-2006-4786 5.0
Moodle 1.6.1 and earlier allows remote attackers to obtain sensitive information via (1) help.php and (2) other unspecified vectors involving scheduled backups.
07-03-2011 - 21:42 14-09-2006 - 06:07
CVE-2006-4784 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Moodle 1.6.1 and earlier might allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) doc/index.php or (2) files/index.php.
07-03-2011 - 21:42 14-09-2006 - 06:07
CVE-2006-4624 2.6
CRLF injection vulnerability in Utils.py in Mailman before 2.1.9rc1 allows remote attackers to spoof messages in the error log and possibly trick the administrator into visiting malicious URLs via CRLF sequences in the URI.
07-03-2011 - 21:41 07-09-2006 - 15:04
CVE-2006-4469 7.5
Unspecified vulnerability in PEAR.php in Joomla! before 1.0.11 allows remote attackers to perform "remote execution," related to "Injection Flaws."
07-03-2011 - 21:40 31-08-2006 - 16:04
CVE-2006-4468 6.8
Multiple unspecified vulnerabilities in Joomla! before 1.0.11, related to unvalidated input, allow attackers to have an unknown impact via unspecified vectors involving the (1) mosMail, (2) JosIsValidEmail, and (3) josSpoofValue functions; (4) the la
07-03-2011 - 21:40 31-08-2006 - 16:04
CVE-2006-4288 6.8
PHP remote file inclusion vulnerability in admin.a6mambocredits.php in the a6mambocredits component (com_a6mambocredits) 2.0.0 and earlier for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
07-03-2011 - 21:40 22-08-2006 - 13:04
CVE-2006-4270 6.8
PHP remote file inclusion vulnerability in mambelfish.class.php in the mambelfish component (com_mambelfish) 1.1 and earlier for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:40 21-08-2006 - 17:04
CVE-2006-4268 6.8
Multiple cross-site scripting (XSS) vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) file, (2) x, and (3) y parameters in (a) admin/filemanager/preview.php; and the (4) email par
07-03-2011 - 21:40 21-08-2006 - 17:04
CVE-2006-4267 7.5
Multiple SQL injection vulnerabilities in CubeCart 3.0.11 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) oid parameter in modules/gateway/Protx/confirmed.php and the (2) x_invoice_num parameter in modules/gateway/Aut
07-03-2011 - 21:40 21-08-2006 - 17:04
CVE-2006-4234 7.5
PHP remote file inclusion vulnerability in classes/query.class.php in dotProject 2.0.4 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the baseDir parameter.
07-03-2011 - 21:40 18-08-2006 - 16:04
CVE-2006-4140 5.0
Directory traversal vulnerability in IPCheck Server Monitor before 5.3.3.639/640 allows remote attackers to read arbitrary files via modified .. (dot dot) sequences in the URL, including (1) "..%2f" (encoded "/" slash), "..../" (multiple dot), and ".
07-03-2011 - 21:40 14-08-2006 - 19:04
CVE-2006-4130 6.8
PHP remote file inclusion vulnerability in admin.remository.php in the Remository Component (com_remository) 3.25 and earlier for Mambo and Joomla!, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in
07-03-2011 - 21:40 14-08-2006 - 19:04
CVE-2006-4110 4.3
Apache 2.2.2, when running on Windows, allows remote attackers to read source code of CGI programs via a request that contains uppercase (or alternate case) characters that bypass the case-sensitive ScriptAlias directive, but allow access to the file
07-03-2011 - 21:40 14-08-2006 - 16:04
CVE-2006-4074 6.8
PHP remote file inclusion vulnerability in lib/tpl/default/main.php in the JD-Wiki Component (com_jd-wiki) 1.0.2 and earlier for Joomla!, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mosConf
07-03-2011 - 21:40 10-08-2006 - 21:04
CVE-2006-4001 7.5
Login.pm in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 contains a hard-coded password for the guest account, which allows remote attackers to read sensitive information such as e-mail logs, and possibly e-mail contents and the admin
07-03-2011 - 21:40 04-08-2006 - 21:04
CVE-2006-4000 4.0
Directory traversal vulnerability in cgi-bin/preview_email.cgi in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter.
07-03-2011 - 21:40 04-08-2006 - 21:04
CVE-2006-3995 6.8
Multiple PHP remote file inclusion vulnerabilities in (1) uhp_config.php, and possibly (2) footer.php, (3) functions.php, (4) install.uhp.php, (5) toolbar.uhp.html.php, (6) uhp.class.php, and (7) uninstall.uhp.php, in the UHP (User Home Pages) 0.5 co
07-03-2011 - 21:40 04-08-2006 - 20:04
CVE-2006-3980 6.8
PHP remote file inclusion vulnerability in administrator/components/com_mgm/help.mgm.php in Mambo Gallery Manager (MGM) 0.95r2 and earlier for Mambo 4.5 allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path pa
07-03-2011 - 21:39 04-08-2006 - 20:04
CVE-2006-3947 6.8
PHP remote file inclusion vulnerability in components/com_mambatstaff/mambatstaff.php in the Mambatstaff 3.1b and earlier component for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:39 01-08-2006 - 17:04
CVE-2006-3846 6.8
PHP remote file inclusion vulnerability in extadminmenus.class.php in MultiBanners 1.0.1 for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:39 25-07-2006 - 19:04
CVE-2006-3832 7.5
SQL injection vulnerability in index.php in Gerrit van Aaken Loudblog 0.5 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.
07-03-2011 - 21:39 25-07-2006 - 09:22
CVE-2006-3774 6.8
PHP remote file inclusion vulnerability in performs.php in the perForms component (com_performs) 1.0 and earlier for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:39 24-07-2006 - 08:19
CVE-2006-3773 6.8
PHP remote file inclusion vulnerability in smf.php in the SMF-Forum 1.3.1.3 Bridge Component (com_smf) For Joomla! and Mambo 4.5.3+ allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:39 24-07-2006 - 08:19
CVE-2006-3750 6.8
PHP remote file inclusion vulnerability in server.php in the Hashcash Component (com_hashcash) 1.2.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:39 21-07-2006 - 10:03
CVE-2006-3749 6.8
PHP remote file inclusion vulnerability in sitemap.xml.php in Sitemap component (com_sitemap) 2.0.0 for Mambo 4.5.1 CMS, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path
07-03-2011 - 21:39 21-07-2006 - 10:03
CVE-2006-3748 6.8
PHP remote file inclusion vulnerability in includes/abbc/abbc.class.php in the LoudMouth Component for Mambo 4.0j, and possibly other versions including 4.1, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_pa
07-03-2011 - 21:39 21-07-2006 - 10:03
CVE-2006-3623 5.0
Directory traversal vulnerability in Framework Service component in McAfee ePolicy Orchestrator agent 3.5.0.x and earlier allows remote attackers to create arbitrary files via a .. (dot dot) in the directory and filename in a PropsResponse (PackageTy
07-03-2011 - 21:39 18-07-2006 - 11:46
CVE-2006-3556 6.8
PHP remote file inclusion vulnerability in extcalendar.php in Mohamed Moujami ExtCalendar 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:38 12-07-2006 - 20:05
CVE-2006-3530 6.8
PHP remote file inclusion vulnerability in com_pccookbook/pccookbook.php in the PccookBook Component for Mambo and Joomla 0.3 and possibly up to 1.3.1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the mo
07-03-2011 - 21:38 12-07-2006 - 17:05
CVE-2006-3396 6.8
PHP remote file inclusion vulnerability in galleria.html.php in Galleria Mambo Module 1.0 and earlier for Mambo allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
07-03-2011 - 21:38 06-07-2006 - 16:05
CVE-2006-3362 5.1
Unrestricted file upload vulnerability in connectors/php/connector.php in FCKeditor mcpuk file manager, as used in (1) Geeklog 1.4.0 through 1.4.0sr3, (2) toendaCMS 1.0.0 Shizouka Stable and earlier, (3) WeBid 0.5.4, and possibly other products, when
07-03-2011 - 21:38 06-07-2006 - 16:05
CVE-2006-3147 6.5
Unspecified vulnerability in Hosting Controller before 6.1 (aka Hotfix 3.2) allows remote authenticated attackers to gain host admin privileges, list all resellers, or change resellers' passwords via unspecified vectors. NOTE: due to the lack of pre
07-03-2011 - 21:37 22-06-2006 - 18:06
CVE-2006-2878 7.5
The spellchecker (spellcheck.php) in DokuWiki 2006/06/04 and earlier allows remote attackers to insert and execute arbitrary PHP code via "complex curly syntax" that is inserted into a regular expression that is processed by preg_replace with the /e
07-03-2011 - 21:37 06-06-2006 - 20:02
CVE-2006-2868 5.1
Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.6 allow remote attackers to execute arbitrary PHP code via a URL in the includePath cookie to (1) auth/extauth/drivers/mambo.inc.php or (2) auth/extauth/drivers/postnuke.inc.php.
07-03-2011 - 21:37 06-06-2006 - 16:06
CVE-2006-2857 7.5
SQL injection vulnerability in index.php in LifeType 1.0.4 allows remote attackers to execute arbitrary SQL commands via the articleId parameter in a ViewArticle action (viewarticleaction.class.php).
07-03-2011 - 21:37 06-06-2006 - 16:06
CVE-2006-2700 5.1
SQL injection vulnerability in admin/auth.inc.php in Geeklog 1.4.0sr2 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via the loginname parameter.
07-03-2011 - 21:36 31-05-2006 - 06:06
CVE-2006-2591 5.0
Unspecified vulnerability in e107 before 0.7.5 has unknown impact and remote attack vectors related to an "emailing exploit".
07-03-2011 - 21:36 25-05-2006 - 06:02
CVE-2006-2583 5.1
PHP remote file inclusion vulnerability in nucleus/libs/PLUGINADMIN.php in Nucleus 3.22 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[DIR_LIBS] parameter.
07-03-2011 - 21:36 25-05-2006 - 06:02
CVE-2006-2576 5.1
Multiple PHP remote file inclusion vulnerabilities in Docebo 3.0.3 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in (1) GLOBALS[where_framework] to (a) lib.simplesel.php, (b) lib.filelis
07-03-2011 - 21:36 24-05-2006 - 19:02
CVE-2006-2531 7.5
Ipswitch WhatsUp Professional 2006 only verifies the user's identity via HTTP headers, which allows remote attackers to spoof being a trusted console and bypass authentication by setting the HTTP User-Agent header to "Ipswitch/1.0" and the User-Applicati
07-03-2011 - 21:36 22-05-2006 - 19:10
CVE-2006-2529 5.0
editor/filemanager/upload/php/upload.php in FCKeditor before 2.3 Beta, when the upload feature is enabled, does not verify the Type parameter, which allows remote attackers to upload arbitrary file types. NOTE: It is not clear whether this is relate
07-03-2011 - 21:36 22-05-2006 - 19:10
CVE-2006-2357 5.0
Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allow remote attackers to obtain source code for scripts via a trailing dot in a request to NmConsole/Login.asp.
07-03-2011 - 21:36 15-05-2006 - 06:02
CVE-2006-2352 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Ipswitch WhatsUp Professional 2006 and WhatsUp Professional 2006 Premium allow remote attackers to inject arbitrary web script or HTML via unknown vectors in (1) NmConsole/Tools.asp and (2) NmCon
07-03-2011 - 21:36 15-05-2006 - 06:02
CVE-2006-2321 4.3
Multiple cross-site scripting (XSS) vulnerabilities in Ideal Science Ideal BB 1.5.4a and earlier allow remote attackers to inject arbitrary web script or HTML via unknown vectors. NOTE: due to lack of details from the researcher, it is not clear whe
07-03-2011 - 21:35 11-05-2006 - 20:02
CVE-2006-2320 7.5
Multiple SQL injection vulnerabilities in Ideal Science Ideal BB 1.5.4a and earlier allow remote attackers to execute arbitrary SQL commands via multiple unspecified vectors related to stored procedure calls. NOTE: due to lack of details from the re
07-03-2011 - 21:35 11-05-2006 - 20:02
CVE-2006-2319 5.0
Ideal Science Ideal BB 1.5.4a and earlier does not properly check file extensions before permitting an upload, which allows remote attackers to upload and execute an ASP script via a 0x00 character before the ".asp" portion of the filename.
07-03-2011 - 21:35 11-05-2006 - 20:02