| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| WRQ Reflection for Secure IT Windows Server 6.0 (formerly known as F-Secure SSH server) processes access and deny lists in a case-sensitive manner, when previous versions were case-insensitive, which might allow remote attackers to bypass intended restrictions and login to accounts that should be denied. |
| PHP remote file inclusion vulnerability in al_initialize.php for AutoLinks Pro 2.1 allows remote attackers to execute arbitrary PHP code via an "ftp://" URL in the alpath parameter, which bypasses the incomplete blacklist that only checks for "http" and "https" URLs. |
| Cross-site scripting (XSS) vulnerability in Orion 1.3.8 and 1.4.5 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly quoted in the resulting 404 error page. |
| cosmoshop 8.10.78 and earlier stores passwords in plaintext in the database, which allows local users to obtain sensitive information. |
| SQL injection vulnerability in search_result.php in AEwebworks aeDating Script 4.0 and earlier allows remote attackers to execute arbitrary SQL statements via the Country parameter. |
| BFCommand & Control Server Manager BFCC 1.22_A and earlier, and BFVCC 2.14_B and earlier, allows remote attackers to bypass authentication via (1) an unknown attack vector or (2) a NULL (0x00) as a username. |
| SQL injection vulnerability in login.php in Digital Scribe 1.4 allows remote attackers to execute arbitrary SQL commands via the username parameter. |
| Multiple SQL injection vulnerabilities in DeluxeBB 1.0 and 1.0.5 allow remote attackers to execute arbitrary SQL commands via the (1) tid parameter to topic.php, the uid parameter to (2) misc.php or (3) pm.php, or the fid parameter to (3) forums.php or (4) newpost.php. |
| ncompress 4.2.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files using (1) zdiff or (2) zcmp, a different vulnerability than CVE-2004-0970. |
| arc 5.21j and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different type of vulnerability than CVE-2005-2945. |
| silc daemon (silcd.c) in Secure Internet Live Conferencing (SILC) 1.0 and earlier allows local users to overwrite arbitrary files via a symlink attack on the silcd.[PID].stats temporary file. |
| Unspecified vulnerability in the FTP Daemon (ftpd) for HP Tru64 UNIX 4.0F PK8 and other versions up to HP Tru64 UNIX 5.1B-3, and HP-UX B.11.00, B.11.04, B.11.11, and B.11.23, allows remote authenticated users to cause a denial of service (hang). |
| Helpdesk Software Hesk allows remote attackers to bypass authentication for (1) admin.php and (2) admin_main.php by modifying the PHPSESSID session ID parameter or cookie. |
| Simple Machines Forum (SMF) 1-0-5 and earlier supports the use of URLs for avatar images, which allows remote attackers to monitor sensitive information of forum visitors such as IP address and user agent, as demonstrated using a PHP script on a malicious server. |
| Multiple design errors in Microsoft Internet Explorer 5.01, 5.5, and 6 allow user-assisted attackers to execute arbitrary code by (1) overlaying a malicious new window above a file download box, then (2) using a keyboard shortcut and delaying the display of the file download box until the user hits a shortcut that activates the "Run" button, aka "File Download Dialog Box Manipulation Vulnerability." |
| The mail client in Opera before 8.50 opens attached files from the user's cache directory without warning the user, which might allow remote attackers to inject arbitrary web script and spoof attachment filenames. |
| smb4k 0.4 and other versions before 0.6.3 allows local users to read sensitive files via a symlink attack on the (1) smb4k.tmp or (2) sudoers temporary files. |
| Cross-site scripting (XSS) vulnerability in CuteNews allows remote attackers to inject arbitrary web script or HTML via the mod parameter to index.php. |
| Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 3.0.7 and earlier allow remote attackers to inject arbitrary web script or HTML via the loc parameter to (1) modcp/index.php or (2) admincp/index.php, or the ip parameter to (3) modcp/user.php or (4) admincp/usertitle.php. |
| ADSL Road Runner modem in the Annex A family has a service running on port 224, which allows remote attackers to login to the modem with a blank password and gain unauthorized access. |
