| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in (1) the domain parameter to the dgettext function, the message parameter to the (2) dcgettext or (3) gettext function, the msgid1 parameter to the (4) dngettext or (5) ngettext function, or (6) the classname parameter to the stream_wrapper_register function. NOTE: this might not be a vulnerability in most web server environments that support multiple threads, unless this issue can be demonstrated for code execution. |
| Session fixation vulnerability in eXV2 CMS 2.0.4.3 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID cookie. |
| SQL injection vulnerability in refer.php in the astatsPRO (com_astatspro) 1.0 component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775. |
| SQL injection vulnerability in threads.php in Nuboard 0.5 allows remote attackers to execute arbitrary SQL commands via the ssid parameter. |
| Cross-site scripting (XSS) vulnerability in gallery.php in XeroXer Simple one-file gallery allows remote attackers to inject arbitrary web script or HTML via the f parameter. |
| Eval injection vulnerability in poll_frame.php in Vote! Pro 4.0, and possibly other scripts, allows remote attackers to execute arbitrary code via the poll_id parameter, which is supplied to an eval function call, a different vulnerability type than CVE-2005-4632. |
| Directory traversal vulnerability in index.php in xtcommerce allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter. |
| Multiple unspecified vulnerabilities in web-app.net WebAPP have unknown impact and attack vectors, described as "[having] other [security] issues too, not as bad as letting users take over your admin account, but bad too." |
| shopkitplus allows remote attackers to obtain sensitive information via a request to (1) events.php with a curmonth[]=01 query string or (2) enc/stylecss.php with a changetheme[]= query string, which reveals the path in various error messages. |
| web-app.org WebAPP before 0.9.9.6 allows remote authenticated users to open files and write "wrong data" via a crafted QUERY_STRING. |
| Multiple unrestricted file upload vulnerabilities in MTCMS 3.2 allow remote attackers to upload and execute files via (1) an avatar upload in an add_down action, or (2) an add_link action. |
| The Skinny Call Control Protocol (SCCP) implementation in Cisco Unified CallManager (CUCM) 3.3 before 3.3(5)SR2a, 4.1 before 4.1(3)SR4, 4.2 before 4.2(3)SR1, and 5.0 before 5.0(4a)SU1 allows remote attackers to cause a denial of service (loss of voice services) by sending crafted packets to the (1) SCCP (2000/tcp) or (2) SCCPS (2443/tcp) port. |
| Cross-site scripting (XSS) vulnerability in NetCommons before 1.0.11, and 1.1.x before 1.1.2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2006-4165. |
| Unrestricted file upload vulnerability in the Project issue tracking 4.7.0 through 5.x before 20070123, a module for Drupal, allows remote authenticated users to execute arbitrary code by attaching a file with executable or multiple extensions to a project issue. |
| Unspecified vulnerability in Watchtower (WT) before 0.12 has unknown impact and attack vectors, related to "unauthorized accounts." |
| Multiple cross-site scripting (XSS) vulnerabilities in examples/servlet/CookieExample in Apache Tomcat 3.3 through 3.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Value field, related to error messages. |
| PHP remote file inclusion vulnerability in includes/functions_weblog.php in mxBB mx_blogs 2.0.0 beta allows remote attackers to execute arbitrary PHP code via a URL in the mx_root_path parameter. |
| putmail.py in Putmail before 1.4 does not detect when a user attempts to use TLS with a server that does not support it, which causes putmail.py to send the username and password in plaintext while the user believes encryption is in use, and allows remote attackers to obtain sensitive information. |
| Cisco Unified CallManager (CUCM) 5.0 before 5.0(4a)SU1 and Cisco Unified Presence Server (CUPS) 1.0 before 1.0(3) allow remote attackers to cause a denial of service (loss of voice services) via a flood of ICMP echo requests, aka bug ID CSCsf12698. |
