Total: 5482 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2008-3924 | 1 Hans Oesterholt | 1 Cmme | 2025-04-09 | 4.3 MEDIUM | N/A | The "Make a backup" functionality in Content Management Made Easy (CMME) 1.12 stores sensitive information under the web root with insufficient access control, which allows remote attackers to discover (1) account names and (2) password hashes via a direct request for (a) backup/cmme_data.zip or (b) backup/cmme_cmme.zip. NOTE: it was later reported that vector a also affects CMME 1.19. |
| CVE-2007-5442 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-04-09 | 3.5 LOW | N/A | CMS Made Simple 1.1.3.1 does not check the permissions assigned to users who attempt uploads, which allows remote authenticated users to upload unspecified files via unknown vectors. |
| CVE-2009-0011 | 1 Apple | 2 Mac Os X, Mac Os X Server | 2025-04-09 | 7.2 HIGH | N/A | Certificate Assistant in Apple Mac OS X 10.5.6 allows local users to overwrite arbitrary files via unknown vectors related to an "insecure file operation" on a temporary file. |
| CVE-2007-5236 | 1 Sun | 3 Jdk, Jre, Sdk | 2025-04-09 | 5.4 MEDIUM | N/A | Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier, on Windows does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read local files via an untrusted application. |
| CVE-2007-4669 | 1 Firebirdsql | 1 Firebird | 2025-04-09 | 4.0 MEDIUM | N/A | The Services API in Firebird before 2.0.2 allows remote authenticated users without SYSDBA privileges to read the server log (firebird.log), aka CORE-1148. |
| CVE-2007-6603 | 1 Hotscripts | 1 Hot Or Not Clone | 2025-04-09 | 5.0 MEDIUM | N/A | Hot or Not Clone has insufficient access control for producing and reading database backups, which allows remote attackers to obtain the administrator username and password via a direct request to control/backup/backup.php, which generates a backup/dump/backup.sql file that can be downloaded via a direct request to control/downloadfile.php. |
| CVE-2008-0245 | 1 Uploadscript | 2 Uploadimage, Uploadscript | 2025-04-09 | 7.5 HIGH | N/A | admin.php in UploadImage 1.0 does not check for the original password before making a change to a new password, which allows remote attackers to gain administrator privileges via the pass parameter in a nopass (Set Password) action. |
| CVE-2008-3920 | 1 Bitlbee | 1 Bitlbee | 2025-04-09 | 7.5 HIGH | N/A | Unspecified vulnerability in BitlBee before 1.2.2 allows remote attackers to "recreate" and "hijack" existing accounts via unspecified vectors. |
| CVE-2008-4405 | 1 Citrix | 1 Xen | 2025-04-09 | 7.2 HIGH | N/A | xend in Xen 3.0.3 does not properly limit the contents of the /local/domain xenstore directory tree, and does not properly restrict a guest VM's write access within this tree, which allows guest OS users to cause a denial of service and possibly have unspecified other impact by writing to (1) console/tty, (2) console/limit, or (3) image/device-model-pid. NOTE: this issue was originally reported as an issue in libvirt 0.3.3 and xenstore, but CVE is considering the core issue to be related to Xen ... |
| CVE-2009-4044 | 2 Bruno Massa, Drupal | 2 Web Services, Drupal | 2025-04-09 | 7.5 HIGH | N/A | The Web Services module 6.x for Drupal does not perform the expected access control, which allows remote attackers to make unspecified use of an API via unknown vectors. |
| CVE-2007-5988 | 1 Bti-tracker | 1 Bti-tracker | 2025-04-09 | 7.5 HIGH | N/A | blocks/shoutbox_block.php in BtiTracker 1.4.4 does not verify user accounts, which allows remote attackers to post shoutbox entries as arbitrary users via a modified nick field. |
| CVE-2009-2649 | 1 Freebsd | 1 Freebsd | 2025-04-09 | 4.7 MEDIUM | N/A | The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev is available, allows local users to cause a denial of service (kernel panic) via a certain IOCTL request with a large count, which triggers a malloc call with a large value. |
| CVE-2008-4294 | 1 Ibm | 1 Tivoli Netcool Webtop | 2025-04-09 | 7.2 HIGH | N/A | IBM Tivoli Netcool/Webtop 2.1 before 2.1.0.5 preserves cached user privileges after logout, which allows physically proximate attackers to hijack a session by visiting an unattended workstation, as demonstrated by a root session that is still valid after a subsequent read-only session has begun. |
| CVE-2009-0835 | 1 Linux | 1 Linux Kernel | 2025-04-09 | 3.6 LOW | N/A | The __secure_computing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel 2.6.28.7 and earlier on the x86_64 platform, when CONFIG_SECCOMP is enabled, does not properly handle (1) a 32-bit process making a 64-bit syscall or (2) a 64-bit process making a 32-bit syscall, which allows local users to bypass intended access restrictions via crafted syscalls that are misinterpreted as (a) stat or (b) chmod, a related issue to CVE-2009-0342 and CVE-2009-0343. |
| CVE-2009-2673 | 1 Sun | 2 Jdk, Jre | 2025-04-09 | 7.5 HIGH | N/A | The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unspecified vectors, related to a declaration that lacks the final keyword. |
| CVE-2007-3997 | 1 Php | 1 Php | 2025-04-09 | 7.5 HIGH | N/A | The (1) MySQL and (2) MySQLi extensions in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, allow remote attackers to bypass safe_mode and open_basedir restrictions via MySQL LOCAL INFILE operations, as demonstrated by a query with LOAD DATA LOCAL INFILE. |
| CVE-2008-3836 | 1 Mozilla | 1 Firefox | 2025-04-09 | 7.5 HIGH | N/A | feedWriter in Mozilla Firefox before 2.0.0.17 allows remote attackers to execute scripts with chrome privileges via vectors related to feed preview and the (1) elem.doCommand, (2) elem.dispatchEvent, (3) _setTitleText, (4) _setTitleImage, and (5) _initSubscriptionUI functions. |
| CVE-2009-0613 | 1 Trendmicro | 1 Interscan Web Security Suite | 2025-04-09 | 6.0 MEDIUM | N/A | Trend Micro InterScan Web Security Suite (IWSS) 3.1 before build 1237 allows remote authenticated Auditor and Report Only users to bypass intended permission settings, and modify the system configuration, via requests to unspecified JSP pages. |
| CVE-2007-5289 | 1 Hp | 2 Mercury Quality Center, Testdirector | 2025-04-09 | 7.6 HIGH | N/A | HP Mercury Quality Center (QC) 9.2 and earlier, and possibly TestDirector, relies on cached client-side scripts to implement "workflow" and decisions about the "capability" of a user, which allows remote attackers to execute arbitrary code via crafted use of the Open Test Architecture (OTA) API, as demonstrated by modifying (1) common.tds, (2) defects.tds, (3) manrun.tds, (4) req.tds, (5) testlab.tds, or (6) testplan.tds in %tmp%\TD_80, and then setting the file's properties to read-only. |
| CVE-2008-6799 | 1 Tufat | 1 Flashchat | 2025-04-09 | 7.5 HIGH | N/A | connection.php in FlashChat 5.0.8 allows remote attackers to bypass the role filter mechanism and gain administrative privileges by setting the s parameter to "7." |
| CVE-2009-4455 | 1 Cisco | 1 Adaptive Security Appliance 5500 | 2025-04-09 | 6.5 MEDIUM | N/A | The default configuration of Cisco ASA 5500 Series Adaptive Security Appliance (Cisco ASA) 7.0, 7.1, 7.2, 8.0, 8.1, and 8.2 allows portal traffic to access arbitrary backend servers, which might allow remote authenticated users to bypass intended access restrictions and access unauthorized web sites via a crafted URL obfuscated with ROT13 and a certain encoding. NOTE: this issue was originally reported as a vulnerability related to lack of restrictions to URLs listed in the Cisco WebVPN bookmar ... |
| CVE-2008-1710 | 1 Ibm | 1 Aix | 2025-04-09 | 7.2 HIGH | N/A | Untrusted search path vulnerability in chnfsmnt in IBM AIX 6.1 allows local users to gain privileges via a modified PATH environment variable. |
| CVE-2008-6613 | 1 Abweb | 1 Minimal-ablog | 2025-04-09 | 7.5 HIGH | N/A | uploader.php in minimal-ablog 0.4 does not properly restrict access, which allows remote attackers to gain administrative privileges via a direct request. |
| CVE-2008-1638 | 1 Nik Software Inc | 1 Nik Sharpener Pro | 2025-04-09 | 6.8 MEDIUM | N/A | Nik Sharpener Pro, possibly 2.0, uses world-writable permissions for plug-in files, which allows local users to gain privileges by replacing a plug-in with a Trojan horse. |
| CVE-2008-3872 | 1 Adobe | 1 Flash Player | 2025-04-09 | 9.3 HIGH | N/A | Adobe Flash Player 8.0.39.0 and earlier, and 9.x up to 9.0.115.0, allows remote attackers to bypass the allowScriptAccess parameter setting via a crafted SWF file with unspecified "Filter evasion" manipulations. |
| CVE-2007-5342 | 1 Apache | 1 Tomcat | 2025-04-09 | 6.4 MEDIUM | N/A | The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler. |
| CVE-2008-3855 | 1 Ibm | 1 Db2 Universal Database | 2025-04-09 | 4.6 MEDIUM | N/A | Unspecified vulnerability in the DB2 Administration Server (DAS) in the Core DAS function component in IBM DB2 9.1 before Fixpak 5 allows local users to gain privileges, aka a "FILE CREATION VULNERABILITY." NOTE: this may be the same as CVE-2007-5664. |
| CVE-2007-4699 | 1 Apple | 3 Mac Os X, Mac Os X Server, Safari | 2025-04-09 | 7.5 HIGH | N/A | The default configuration of Safari in Apple Mac OS X 10.4 through 10.4.10 adds a private key to the keychain with permissions that allow other applications to access the key without warning the user, which might allow other applications to bypass intended access restrictions. |
| CVE-2008-3450 | 1 Sun | 1 Sunos | 2025-04-09 | 7.2 HIGH | N/A | Unspecified vulnerability in the namefs kernel module in Sun Solaris 8 through 10 allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors. |
| CVE-2007-2108 | 2 Microsoft, Oracle | 2 Windows, Database Server | 2025-04-09 | 6.8 MEDIUM | N/A | Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.2 on Windows allows remote attackers to have an unknown impact, aka DB01. NOTE: as of 20070424, Oracle has not disputed reliable claims that this issue occurs because the NTLM SSPI AcceptSecurityContext function grants privileges based on the username provided even though all users are authenticated as Guest, which allows remote attackers to gain privileges. |
| CVE-2009-0438 | 2 Ibm, Microsoft | 2 Websphere Application Server, Windows | 2025-04-09 | 5.0 MEDIUM | N/A | IBM WebSphere Application Server (WAS) 7 before 7.0.0.1 on Windows allows remote attackers to bypass "Authorization checking" and obtain sensitive information from JSP pages via a crafted request. NOTE: this is probably a duplicate of CVE-2008-5412. |
| CVE-2008-5606 | 1 Gazatem Technologies | 1 Qmail Mailing List Manager | 2025-04-09 | 5.0 MEDIUM | N/A | Gazatem QMail Mailing List Manager 1.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file via a direct request for qmail.mdb. |
| CVE-2008-0580 | 1 Geert Moernaut | 2 Lsrunase, Supercrypt | 2025-04-09 | 2.1 LOW | N/A | Geert Moernaut LSrunasE and Supercrypt use an encryption key composed of an SHA1 hash of a fixed string embedded in the executable file, which makes it easier for local users to obtain this key without reverse engineering. |
| CVE-2008-2147 | 1 Videolan | 1 Vlc | 2025-04-09 | 4.6 MEDIUM | N/A | Untrusted search path vulnerability in VideoLAN VLC before 0.9.0 allows local users to execute arbitrary code via a malicious library under the modules/ or plugins/ subdirectories of the current working directory. |
| CVE-2007-5134 | 1 Cisco | 9 Catalyst 6500, Catalyst 6500 Ws-svc-nam-1, Catalyst 6500 Ws-svc-nam-2 and 6 more | 2025-04-09 | 5.0 MEDIUM | N/A | Cisco Catalyst 6500 and Cisco 7600 series devices use 127/8 IP addresses for Ethernet Out-of-Band Channel (EOBC) internal communication, which might allow remote attackers to send packets to an interface for which network exposure was unintended. |
| CVE-2008-4921 | 1 Chipmunk Scripts | 1 Chipmunk Cms | 2025-04-09 | 7.5 HIGH | N/A | board/admin/reguser.php in Chipmunk CMS 1.3 allows remote attackers to bypass authentication and gain administrator privileges via a direct request. NOTE: some of these details are obtained from third party information. |
| CVE-2007-3804 | 1 Clavister | 1 Clavister Coreplus | 2025-04-09 | 5.0 MEDIUM | N/A | The AntiVirus engine in the HTTP-ALG in Clavister CorePlus before 8.81.00 and 8.80.03 might allow remote attackers to bypass scanning via small files. |
| CVE-2008-6098 | 1 Mozilla | 1 Bugzilla | 2025-04-09 | 4.0 MEDIUM | N/A | Bugzilla 3.2 before 3.2 RC2, 3.0 before 3.0.6, 2.22 before 2.22.6, 2.20 before 2.20.7, and other versions after 2.17.4 allows remote authenticated users to bypass moderation to approve and disapprove quips via a direct request to quips.cgi with the action parameter set to "approve." |
| CVE-2007-3782 | 1 Mysql | 1 Community Server | 2025-04-09 | 3.5 LOW | N/A | MySQL Community Server before 5.0.45 allows remote authenticated users to gain update privileges for a table in another database via a view that refers to this external table. |
| CVE-2008-6137 | 1 Drupal | 2 Drupal, Everyblog | 2025-04-09 | 7.5 HIGH | N/A | EveryBlog 5.x and 6.x, a module for Drupal, allows remote attackers to bypass access restrictions via unknown vectors. |