| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the strongest authentication scheme available as required by RFC2617, which might cause credentials to be sent in plaintext even if an encrypted channel is available. |
| PHP-Fusion allows remote attackers to inject arbitrary Cascading Style Sheets (CSS) via the BBCode color tag. |
| Cross-site scripting (XSS) vulnerability in search.php in PHPSiteSearch 1.7.7d allows remote attackers to inject arbitrary web script or HTML via the query parameter. |
| The login protocol in RealChat 3.5.1b does not use authentication, which allows remote attackers to log on as other users by sniffing the beginning of a chat session and replaying it via a modified username. |
| Cross-Site Request Forgery (CSRF) vulnerability in tDiary 2.1.1, and tDiary 2.0.1 and earlier, allows remote attackers to conduct actions as another user, and execute commands on the server, via a URL that is activated by the user. |
| PHP remote file inclusion vulnerability in apa_phpinclude.inc.php in Atomic Photo Album (APA) allows remote attackers to execute arbitrary PHP code via the apa_module_basedir parameter. |
| Multiple SQL injection vulnerabilities in index.php and other pages in Beehive Forum allow remote attackers to execute arbitrary SQL commands via the webtag parameter. |
| The (1) lost password and (2) account pending features in GForge 4.5 do not properly set a limit on the number of e-mails sent to an e-mail address, which allows remote attackers to send a large number of messages to arbitrary e-mail addresses (aka mail bomb). |
| Buffer overflow in the FTP client in the Debian GNU/Linux netstd package. |
| SQL injection vulnerability in PhpList allows remote attackers to modify SQL statements via the id argument to admin pages such as (1) members or (2) admin. |
| SQL injection vulnerability in UseBB 0.5.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the search function. |
| libtiff up to 3.7.0 allows remote attackers to cause a denial of service (application crash) via a TIFF image header with a zero "YCbCr subsampling" value, which causes a divide-by-zero error in (1) tif_strip.c and (2) tif_tile.c, a different vulnerability than CVE-2004-0804. |
| URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack. |
| Cross-site scripting (XSS) vulnerability in NetworkActiv Web Server 1.0, 2.0.0.6, 3.0.1.1, and 3.5.13, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the query string. |
| Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of service (oops or deadlock) and possibly execute arbitrary code via a p->dir value that is larger than XFRM_POLICY_OUT, which is used as an index in the sock->sk_policy array. |
| Multiple SQL injection vulnerabilities in the calendar feature in Kayako liveResponse 2.x allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) date parameter. |
| WebTrends software stores account names and passwords in a file which does not have restricted access permissions. |
| Kayako liveResponse 2.x allows remote attackers to obtain sensitive information via a direct request to addressbook.php and other include scripts, which reveals the path in an error message. |
| login.php in PCXP/TOPPE CMS allows remote attackers to bypass authentication and gain privileges by modifying the cookie to match the target userid. |
| Multiple cross-site scripting (XSS) vulnerabilities in MySQL Eventum 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to view.php, (2) release parameter to list.php, or (3) F parameter to get_jsrs_data.php. |