Microsoft Internet Explorer 7 and earlier allows remote attackers to bypass the "File Download - Security Warning" dialog box and download arbitrary .exe files by placing a '?' (question mark) followed by a non-.exe filename after the .exe filename,

PlaNet Concept planetNews allows remote attackers to bypass authentication and execute arbitrary code via a direct request to news/admin/planetnews.php.

Cross-site scripting (XSS) vulnerability in Atom feeds in Bugzilla 2.20.3, 2.22.1, and 2.23.3, and earlier versions down to 2.20.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Les News 2.2 allows remote attackers to bypass authentication and gain administrative access via a direct request for adminews/index_fr.php3, and possibly the adminews index documents for other localizations.

Chicken of the VNC (cotv) 2.0 allows remote attackers to cause a denial of service (application crash) via a large computer-name size value in a ServerInit packet, which triggers a failed malloc and a resulting NULL dereference.

The mod_perl initialization script in Bugzilla 2.23.3 does not set the Bugzilla Apache configuration to allow .htaccess permissions to override file permissions, which allows remote attackers to obtain the database username and password via a direct

SQL injection vulnerability in login.asp for tPassword in the Raymond BERTHOU script collection (aka RBL - ASP) allows remote attackers to execute arbitrary SQL commands via the (1) User and (2) Password parameters.

PHP remote file inclusion vulnerability in affichearticles.php3 in MySQLNewsEngine allows remote attackers to execute arbitrary PHP code via a URL in the newsenginedir parameter.

Cross-site scripting (XSS) vulnerability in info.php in flashChat 4.7.8 allows remote attackers to inject arbitrary web script or HTML via a channel title (aka room name) that is not properly handled by the "who's online" feature.

Cross-site scripting (XSS) vulnerability in images_archive.asp in Uapplication Uphotogallery 1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the s parameter. NOTE: the thumbnails.asp vector is already covere

PHP remote file inclusion vulnerability in inc/common.php in GlobalMegaCorp dvddb 0.6 allows remote attackers to execute arbitrary PHP code via a URL in the config parameter.

PHP remote file inclusion vulnerability in includes/includes.php in Guernion Sylvain Portail Web Php (aka Gsylvain35 Portail Web, PwP) before 2.5.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the site_path parameter.

Multiple SQL injection vulnerabilities in the log-in form in Truworth Flex Timesheet allow remote attackers to execute arbitrary SQL commands via the (1) Username and (2) Password fields.

SQL injection vulnerability in the search module in Edgewall Trac before 0.9.2 allows remote attackers to execute arbitrary SQL commands via unknown vectors.

Cross-site scripting (XSS) vulnerability in BizDirectory 2.04 and earlier allows remote attackers to inject arbitrary web script or HTML via the page parameter in a search action to the default URI.