CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
14551 CVE-2007-0405 +Priv 2007-01-22 2017-07-28
6.5
User Remote Low Single system Partial Partial Partial
The LazyUser class in the AuthenticationMiddleware for Django 0.95 does not properly cache the user name across requests, which allows remote authenticated users to gain the privileges of a different user.
14552 CVE-2007-0402 XSS 2007-01-22 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in admin/edit_member.php in Easebay Resources Paypal Subscription Manager allows remote attackers to inject arbitrary web script or HTML via the username parameter.
14553 CVE-2007-0400 XSS 2007-01-22 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in admin/memberlist.php in Easebay Resources Login Manager 3.0 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter.
14554 CVE-2007-0399 XSS 2007-01-22 2018-10-16
6.0
User Remote Medium Single system Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action.
14555 CVE-2007-0398 XSS 2007-01-22 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in forum.php3 in Arnaud Guyonne (aka Arnotic) a-forum allow remote attackers to inject arbitrary web script or HTML via the (1) Sujet or (2) Pseudo field.
14556 CVE-2007-0397 +Info 2007-01-19 2018-10-30
6.4
None Remote Low Not required Partial Partial None
The Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.3 and Adaptive Security Device Manager (ASDM) before 5.2(2.54) do not validate the SSL/TLS certificates or SSH public keys when connecting to devices, which allows remote attackers to spoof those devices to obtain sensitive information or generate incorrect information.
14557 CVE-2007-0390 XSS 2007-01-19 2018-10-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.php in sabros.us 1.7 allows remote attackers to inject arbitrary web script or HTML via the tag parameter.
14558 CVE-2007-0379 XSS 2007-01-19 2008-11-13
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in DocMan 1.3 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
14559 CVE-2007-0376 XSS 2007-01-19 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Virtuemart 1.0.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
14560 CVE-2007-0373 Exec Code Sql 2007-01-19 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Joomla! 1.5.0 Beta allow remote attackers to execute arbitrary SQL commands via (1) the searchword parameter in certain files; the where parameter in (2) plugins/search/content.php or (3) plugins/search/weblinks.php; the text parameter in (4) plugins/search/contacts.php, (5) plugins/search/categories.php, or (6) plugins/search/sections.php; or (7) the email parameter in database/table/user.php, which is not properly handled by the check function.
14561 CVE-2007-0365 XSS 2007-01-19 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in All In One Control Panel (AIOCP) 1.3.009 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this is probably a different vulnerability than CVE-2006-5830.
14562 CVE-2007-0363 XSS 2007-01-18 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in admin-search.php in (1) Openads for PostgreSQL (aka phpPgAds) before 2.0.10 and (2) Openads (aka phpAdsNew) before 2.0.10 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
14563 CVE-2007-0362 XSS 2007-01-18 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in the RSS feed component in FreshReader before 1.0.07010600 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to tag attributes.
14564 CVE-2007-0353 XSS 2007-01-18 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in (1) index.php and (2) login.php in myBloggie 2.1.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO string.
14565 CVE-2007-0351 +Priv 2007-01-18 2018-10-16
6.2
Admin Local High Not required Complete Complete Complete
Microsoft Windows XP and Windows Server 2003 do not properly handle user logoff, which might allow local users to gain the privileges of a previous system user, possibly related to user profile unload failure. NOTE: it is not clear whether this is an issue in Windows itself, or an interaction with another product. The issue might involve ZoneAlarm not being able to terminate processes when it cannot prompt the user.
14566 CVE-2007-0345 +Priv 2007-01-17 2017-10-18
6.8
Admin Local Low Single system Complete Complete Complete
The (1) Activity Monitor.app/Contents/Resources/pmTool, (2) Keychain Access.app/Contents/Resources/kcproxy, and (3) ODBC Administrator.app/Contents/Resources/iodbcadmintool programs in /Applications/Utilities/ in Mac OS X 10.4.8 have weak permissions (writable by admin group), which allows local admin users to gain root privileges by modifying a program and then performing permissions repair via diskutil.
14567 CVE-2007-0341 XSS 2007-01-17 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.8.1 and earlier, when Microsoft Internet Explorer 6 is used, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in a CSS style in the convcharset parameter to the top-level URI, a different vulnerability than CVE-2005-0992.
14568 CVE-2007-0335 Dir. Trav. 2007-01-17 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Multiple directory traversal vulnerabilities in Jax Petition Book 1.0.3.06 allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the languagepack parameter to (1) jax_petitionbook.php or (2) smileys.php.
14569 CVE-2007-0331 XSS 2007-01-17 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in liens.php3 in liens_dynamiques 2.1 allows remote attackers to inject arbitrary web script or HTML by using the ajouter=1 query string and the add menu.
14570 CVE-2007-0319 Exec Code Overflow 2007-08-15 2018-10-12
6.8
None Remote Medium Not required Partial Partial Partial
Multiple stack-based buffer overflows in the Motive ActiveEmailTest.EmailData (ActiveUtils EmailData) ActiveX control in ActiveUtils.dll in Motive Service Activation Manager 5.1 and Self Service Manager 5.1 and earlier allow remote attackers to execute arbitrary code via unspecified vectors.
14571 CVE-2007-0308 XSS 2007-01-17 2008-11-15
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Plain Black WebGUI before 7.3.4 (beta) allows remote attackers to inject arbitrary web script or HTML via Wiki Page titles.
14572 CVE-2007-0302 XSS 2007-01-17 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in InstantASP 4.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) SessionID parameter to (a) Logon.aspx, and the (2) Username and (3) Update parameters to (b) Members1.aspx.
14573 CVE-2007-0301 Exec Code File Inclusion 2007-01-17 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in _admin/admin_menu.php in FdWeB Espace Membre 2.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the path parameter.
14574 CVE-2007-0300 Exec Code File Inclusion 2007-01-17 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in i-accueil.php in TLM CMS 1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the chemin parameter.
14575 CVE-2007-0298 Exec Code File Inclusion 2007-01-17 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
PHP remote file inclusion vulnerability in show.php in LunarPoll, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the PollDir parameter.
14576 CVE-2007-0293 2007-01-16 2017-07-28
6.4
None Remote Low Not required Partial Partial None
Multiple unspecified vulnerabilities in Oracle Enterprise Manager 10.1.0.5 and 10.2.0.1 have unknown impact and attack vectors related to (1) Oracle Agent (EM03) and (2) EM04 and (3) EM05 in Enterprise Manager Console. NOTE: EM05 might be related to CVE-2007-0222.
14577 CVE-2007-0289 2007-01-16 2017-07-28
6.4
None Remote Low Not required Partial Partial None
Multiple unspecified vulnerabilities in Oracle Collaboration Suite 9.0.4.2 have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J01, (2) OC4J05, and (3) OC4J06.
14578 CVE-2007-0284 2007-01-16 2017-07-28
6.4
None Remote Low Not required Partial Partial None
Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.3 and 10.1.2.0.0, and Collaboration Suite 9.0.4.2, have unknown impact and attack vectors related to Oracle Containers for J2EE, aka (1) OC4J03 and (2) OC4J04.
14579 CVE-2007-0278 2007-01-16 2017-07-28
6.8
None Local Low Single system Complete Complete Complete
Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) NLS Runtime and lmsgen (DB12), and (2) Oracle Text and ctxkbtc (DB14).
14580 CVE-2007-0277 2007-01-16 2017-07-28
6.8
None Local Low Single system Complete Complete Complete
Unspecified vulnerability in Oracle Database client-only 10.1.0.4 has unknown impact and attack vectors related to the Export component and expdp or impdp, aka DB11.
14581 CVE-2007-0276 2007-01-16 2017-07-28
6.8
None Local Low Single system Complete Complete Complete
Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4 and 9.0.1.5 have unknown impact and attack vectors related to (1) Advanced Security Option and oklist or okdstry (DB10), (2) Oracle Net Services (DB13), and (3) Recovery Manager and oklist (DB16).
14582 CVE-2007-0274 Overflow 2007-01-16 2018-10-16
6.5
None Remote Low Single system Partial Partial Partial
Multiple unspecified vulnerabilities in Oracle Database 9.2.0.7 and 10.1.0.5 have unknown impact and attack vectors related to (1) Export and sys.dbms_logrep_util (DB08), and (2) Oracle Streams and sys.dbms_capture_adm_internal privileges (DB09). NOTE: Oracle has not disputed reliable researcher claims that DB08 is for a buffer overflow in the GET_OBJECT_NAME procedure in the DBMS_LOGREP_UTIL package, and DB09 is for buffer overflows in the CREATE_CAPTURE, ALTER_CAPTURE, and ABORT_TABLE_INSTANTIATION procedures in SYS.DBMS_CAPTURE_ADM_INTERNAL.
14583 CVE-2007-0271 Exec Code Overflow 2007-01-16 2018-10-16
6.5
User Remote Low Single system Partial Partial Partial
Unspecified vulnerability in Oracle Database 9.0.1.5 and 9.2.0.7 has unknown impact and attack vectors related to the Log Miner component and sys.dbms_log_mnr privileges, aka DB04. NOTE: Oracle has not disputed a reliable researcher claim that this is a buffer overflow in the ADD_LOGFILE procedure for the SYS.DBMS_LOGMNR package that allows code execution.
14584 CVE-2007-0270 119 DoS Exec Code Overflow 2007-01-16 2018-10-16
6.5
User Remote Low Single system Partial Partial Partial
Buffer overflow in SYS.DBMS_DRS in Oracle Database 9.2.0.7 and 10.1.0.4 allows remote authenticated users to cause a denial of service (crash) or execute arbitrary code via the GET_PROPERTY function in SYS.DBMS_DRS, aka DB03.
14585 CVE-2007-0268 Overflow Sql 2007-01-16 2018-10-16
6.5
None Remote Low Single system Partial Partial Partial
Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unknown impact and attack vectors related to (1) the Advanced Queuing component and sys.dbms_aqsys.dbms_aq privileges (DB01), (2) Advanced Replication and sys.dbms_repcat_untrusted (DB07), and (3) Oracle Text and ctxload (DB15). NOTE: Oracle has not publicly claims by reliable researchers that DB01 is for SQL injection in the SYS.DBMS_AQ_INV package, and DB07 is for a buffer overflow in the UNREGISTER_SNAPSHOT procedure in the DBMS_REPCAT_UNTRUSTED package.
14586 CVE-2007-0267 399 DoS 2007-01-16 2011-06-10
6.6
None Local Low Not required None Complete Complete
The ufs_lookup function in the Mac OS X 10.4.8 and FreeBSD 6.1 kernels allows local users to cause a denial of service (kernel panic) and possibly corrupt other filesystems by mounting a crafted UNIX File System (UFS) DMG image that contains a corrupted directory entry (struct direct), related to the ufs_dirbad function. NOTE: a third party states that the FreeBSD issue does not cross privilege boundaries.
14587 CVE-2007-0265 XSS 2007-01-16 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in Ezboxx Portal System Beta 0.7.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the pic parameter to custom/piczoom.asp, (2) the nocatname parameter to boxx/user-upload.asp, or (3) the iid parameter to indexes/newscomments.asp.
14588 CVE-2007-0264 DoS Exec Code Overflow 2007-01-16 2008-11-15
6.6
Admin Local Medium Single system Complete Complete Complete
Buffer overflow in Winzip32.exe in WinZip 9.0 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long command line argument. NOTE: this issue may cross privilege boundaries if an application automatically invokes Winzip32.exe for untrusted input filenames, as in the case of a file upload application. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information.
14589 CVE-2007-0258 XSS 2007-01-16 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.php in (1) Fastilo 2.0 and (2) Open Solution Quick.Cart 2.0 allows remote attackers to inject arbitrary web script or HTML via the p parameter. NOTE: some of these details are obtained from third party information.
14590 CVE-2007-0249 XSS 2007-01-16 2018-10-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in index.php in Nwom topsites 3.0 allows remote attackers to inject arbitrary web script or HTML via the o parameter.
14591 CVE-2007-0246 Exec Code 2007-05-29 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
plugins/scmcvs/www/cvsweb.php in the CVSWeb CGI in GForge 4.5.16 before 20070524, aka gforge-plugin-scmcvs, allows remote attackers to execute arbitrary commands via shell metacharacters in the PATH_INFO.
14592 CVE-2007-0243 119 Overflow +Priv Mem. Corr. 2007-01-17 2018-10-30
6.8
User Remote Medium Not required Partial Partial Partial
Buffer overflow in Sun JDK and Java Runtime Environment (JRE) 5.0 Update 9 and earlier, SDK and JRE 1.4.2_12 and earlier, and SDK and JRE 1.3.1_18 and earlier allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption.
14593 CVE-2007-0231 XSS 2007-01-12 2008-11-15
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Movable Type (MT) 3.33, when nofollow is disabled and unmoderated comments are enabled, allows remote attackers to inject arbitrary web script or HTML via the Comments field.
14594 CVE-2007-0225 XSS 2007-01-12 2017-10-18
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in shopcustadmin.asp in VP-ASP Shopping Cart 6.09 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.
14595 CVE-2007-0220 Exec Code XSS +Info 2007-05-08 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2000 SP3, and 2003 SP1 and SP2 allows remote attackers to execute arbitrary scripts, spoof content, or obtain sensitive information via certain UTF-encoded, script-based e-mail attachments, involving an "incorrectly handled UTF character set label".
14596 CVE-2007-0204 XSS 2007-01-11 2017-07-28
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before 2.9.2-rc1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: some of these details are obtained from third party information.
14597 CVE-2007-0197 20 DoS Exec Code Mem. Corr. 2007-01-11 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Finder 10.4.6 on Apple Mac OS X 10.4.8 allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a long volume name in a DMG disk image, which results in memory corruption.
14598 CVE-2007-0191 XSS 2007-01-12 2018-10-16
6.8
User Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in admin.php in MKPortal allows remote attackers to inject arbitrary web script or HTML via two certain fields in a contents_new operation in the ad_contents section.
14599 CVE-2007-0188 2007-01-12 2008-09-05
6.5
User Remote Low Single system Partial Partial Partial
F5 FirePass 5.4 through 5.5.1 does not properly enforce host access restrictions when a client uses a single integer (dword) representation of an IP address ("dotless IP address"), which allows remote authenticated users to connect to the FirePass administrator console and certain other network resources.
14600 CVE-2007-0186 XSS 2007-01-12 2008-09-05
6.8
User Remote Medium Not required Partial Partial Partial
Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN allow remote attackers to inject arbitrary web script or HTML via (1) the xcho parameter to my.logon.php3; the (2) topblue, (3) midblue, (4) wtopblue, and certain other Custom color parameters in a per action to vdesk/admincon/index.php; the (5) h321, (6) h311, (7) h312, and certain other Front Door custom text color parameters in a per action to vdesk/admincon/index.php; the (8) ua parameter in a bro action to vdesk/admincon/index.php; the (9) app_param and (10) app_name parameters to webyfiers.php; (11) double eval functions; (12) JavaScript contained in an <FP_DO_NOT_TOUCH> element; and (13) the vhost parameter to my.activation.php. NOTE: it is possible that this candidate overlaps CVE-2006-3550.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.