| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Absolute path traversal vulnerability in the EDraw Flowchart ActiveX control in EDImage.ocx 2.0.2005.1104 allows remote attackers to create or overwrite arbitrary files with arbitrary contents via a full pathname in the second argument to the HttpDownloadFile method, a different product than CVE-2007-4420. |
| iSCSI Enterprise Target (iscsitarget) 0.4.15 uses weak permissions for /etc/ietd.conf, which allows local users to obtain passwords. |
| Cross-site request forgery (CSRF) vulnerability in the admin panel in Django 0.96 allows remote attackers to change passwords of arbitrary users via a request to admin/auth/user/1/password/. NOTE: this issue has been disputed by Debian, since product documentation includes a recommendation for a CSRF protection module that is included with the product. However, CVE considers this an issue because the default configuration does not use this module |
| The Disk Mount scanner in Symantec AntiVirus for Macintosh 9.x and 10.x, Norton AntiVirus for Macintosh 10.0 and 10.1, and Norton Internet Security for Macintosh 3.x, uses a directory with weak permissions (group writable), which allows local admin users to gain root privileges by replacing unspecified files, which are executed when a user with physical access inserts a disk and the "Show Progress During Mount Scans" option is enabled. |
| Unspecified vulnerability in the administrative interface in Avaya Messaging Storage Server (MSS) 3.1 before SP1, and Message Networking (MN) 3.1, allows remote attackers to cause a denial of service via unspecified vectors related to "input validation." |
| Directory traversal vulnerability in fileSystem.do in SSL-Explorer before 0.2.14 allows remote attackers to access arbitrary files via directory traversal sequences in the path parameter. NOTE: some of these details are obtained from third party information. |
| Unspecified vulnerability in selectLanguage.do in SSL-Explorer before 0.2.15 allows remote attackers to inject (1) headers or (2) body data in an HTTP transaction, a different vulnerability than CVE-2007-2907. NOTE: some of these details are obtained from third party information. |
| Multiple cross-site scripting (XSS) vulnerabilities in BosDev BosMarket Business Directory System allow remote authenticated users to inject arbitrary web script or HTML via (1) user info (account details) or (2) a post. |
| Cross-site scripting (XSS) vulnerability in BosDev BosNews 4 allows remote attackers to inject arbitrary web script or HTML via a SCRIPT element in a news post. |
| Install.php in BosDev BosNews 4 and 5 does not require authentication for replacing an existing product installation or creating a new admin account, which allows remote attackers to cause a denial of service (overwritten files) and possibly obtain administrative access. |
| SQL injection vulnerability in Amazing Flash AFCommerce allows remote attackers to execute arbitrary SQL commands via the firstname parameter to an unspecified component, a different issue than CVE-2006-3794. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| GUI.pm in yarssr 0.2.2, when Gnome default URL handling is disabled, allows remote attackers to execute arbitrary commands via shell metacharacters in a link element in a feed. |
| Aclient in Symantec Altiris Deployment Solution 6.x before 6.8.380.0 allows local users to gain local System privileges via the "Enable key-based authentication to Deployment server" browser option, a different issue than CVE-2007-4380. |
| The e_hostname function in commands.c in BitchX 1.1a allows local users to overwrite arbitrary files via a symlink attack on temporary files when using the (1) HOSTNAME or (2) IRCHOST command. |
| PHP remote file inclusion vulnerability in starnet/themes/c-sky/main.inc.php in Fred Stuurman SyndeoCMS 2.5.01 allows remote attackers to execute arbitrary PHP code via a URL in the cmsdir parameter, a different vector than CVE-2006-4920.2. |
| PHP remote file inclusion vulnerability in admin/index.php in nuBoard 0.5 allows remote attackers to execute arbitrary PHP code via a URL in the site parameter. |
| Multiple PHP remote file inclusion vulnerabilities in Vortex Portal 1.0.42 allow remote attackers to execute arbitrary PHP code via a URL in the cfgProgDir parameter to (1) admincp/auth/secure.php or (2) admincp/auth/checklogin.php. |
| PHP remote file inclusion vulnerability in includes/common.php in scWiki 1.0 Beta 2 allows remote attackers to execute arbitrary PHP code via a URL in the pathdot parameter. |
| Directory traversal vulnerability in inc/includes.inc in GuppY 4.6.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the selskin parameter to index.php. NOTE: this can be leveraged for remote file inclusion by including inc/boxleft.inc and specifying a URL in the xposbox[L][] array parameter. |
| Directory traversal vulnerability in error.php in GuppY 4.6.3, 4.5.16, and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the id parameter. NOTE: this can be leveraged to bypass authentication and upload arbitrary files by including admin/inc/upload.inc and specifying certain multipart/form-data input for admin/inc/upload.inc. |