| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Buffer overflow in vsybase.c in vpopmail 5.4.2 and earlier might allow attackers to cause a denial of service or execute arbitrary code. |
| Cross-site scripting (XSS) vulnerability in Brown Bear iCal 3.10 allows remote attackers to inject arbitrary web script or HTML via the Calendar Text field when a new event is added. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| Multiple SQL injection vulnerabilities in Phorum 5.0.11 and earlier allow remote attackers to modify SQL statements via (1) the query string in read.php or (2) unknown vectors in file.php. |
| Internet Explorer 6.0 in Windows XP SP2 allows remote attackers to bypass the Information Bar prompt for ActiveX and Javascript via an XHTML page that contains an Internet Explorer formatted comment between the DOCTYPE tag and the HTML tag, as demonstrated using the DesignScience MathPlayer ActiveX plugin. |
| Incomplete blacklist vulnerability in include.php in PHPKIT 1.6.1 Release 2 and earlier, with allow_url_fopen enabled, allows remote attackers to conduct PHP remote file include attacks via a path parameter that specifies a (1) UNC share or (2) ftps URL, which bypasses the check for "http://", "ftp://", and "https://" URLs. |
| Opera allows remote attackers to cause a denial of service (invalid memory reference and application crash) via a web page or HTML email that contains a TBODY tag with a large COL SPAN value, as demonstrated by mangleme. |
| wimpy_trackplays.php in Plaino Wimpy MP3 Player, possibly 5.2 and earlier, allows remote attackers to insert arbitrary strings into trackme.txt via the (1) trackFile, (2) trackArtist, and (3) trackTitle parameters, which can result in providing false information about songs, occupying excessive disk space with very long parameter values, and storing executable code that might be invoked through a different vulnerability. NOTE: since this issue, as described by the original researcher, is entirely dependent on the presence of another vulnerability, it could be argued that Wimpy cannot be responsible for how its data file is processed by applications outside of its control. Since this issue might only be useful as a facilitator manipulation in another vulnerability, perhaps it should not be included in CVE. |
| Lynx, lynx-ssl, and lynx-cur before 2.8.6dev.8 allow remote attackers to cause a denial of service (infinite loop) via a web page or HTML email that contains invalid HTML including (1) a TEXTAREA tag with a large COLS value and (2) a large tag name in an element that is not terminated, as demonstrated by mangleme. NOTE: a followup suggests that the relevant trigger for this issue is the large COLS value. |
| Cross-site scripting (XSS) vulnerability in preferences.personal.php in V-webmail 1.6.2 allows remote attackers to inject arbitrary web script or HTML via the newid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| CRLF injection vulnerability in Serendipity before 0.7rc1 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the url parameter in (1) index.php and (2) exit.php, or (3) the HTTP Referer field in comment.php. |
| The WAV file property handler in Windows XP SP1 allows remote attackers to cause a denial of service (infinite loop in Explorer) via a WAV file with an invalid file header whose fmt chunk length is set to 0xFFFFFFFF. |
| pGina 1.7.6 and possibly older versions, when the Restart or Shutdown options are enabled on the login screen, allows remote attackers to cause a denial of service by connecting via Remote Desktop and clicking restart or shutdown. |
| Absolute path traversal vulnerability in convert.cgi in Quirex 2.0.2 and earlier allows remote attackers to read arbitrary files, and possibly execute arbitrary code, via the (1) quiz_head, (2) quiz_foot, and (3) template variables. |
| Multiple SQL injection vulnerabilities in Dwc_articles 1.6 and earlier allow remote attackers to execute arbitrary SQL statements. |
| Off-by-one error in TIN 1.8.0 and earlier might allow attackers to execute arbitrary code via unknown vectors that trigger a buffer overflow. |
| Cross-site scripting (XSS) vulnerability in the login form in Open WorkFlow Engine (OpenWFE) 1.4.x allows remote attackers to execute arbitrary web script or HTML via the url parameter. |
| Multiple cross-site scripting (XSS) vulnerabilities in ADOdb 4.71, as used in multiple packages such as phpESP, allow remote attackers to inject arbitrary web script or HTML via (1) the next_page parameter in adodb-pager.inc.php and (2) other unspecified vectors related to PHP_SELF. |
| Open WorkFlow Engine (OpenWFE) 1.4.x allows remote attackers to conduct port scans of remote hosts by specifying the target in an rmi:// Worklist URL, then using the response times to infer the results. |
| Cross-site scripting (XSS) vulnerability in wiki.php in MoniWiki 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the arguments to wiki.php. |
| Bugzilla 2.17.1 through 2.18rc2 and 2.19 from cvs, when using the insidergroup feature, does not sufficiently protect private attachments when there are changes to the metadata, such as filename, description, MIME type, or review flags, which allows remote authenticated users to obtain sensitive information when (1) viewing the bug activity log or (2) receiving bug change notification mails. |